diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
index f93bd1b..1784416 100644
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -25,13 +25,6 @@ afs = module
# Policy for aide
#
aide = module
-
-# Layer: services
-# Module: aisexec
-#
-# RHCS - Red Hat Cluster Suite
-#
-aisexec = module
# Layer: admin
# Module: alsa
@@ -286,13 +279,6 @@ comsat = module
#consolekit = module
# Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine Executive
-#
-corosync = module
-
-# Layer: services
# Module: courier
#
# IMAP and POP3 email servers
@@ -1154,13 +1140,6 @@ readahead = module
remotelogin = module
# Layer: services
-# Module: rgmanager
-#
-# Red Hat Resource Group Manager
-#
-rgmanager = module
-
-# Layer: services
# Module: rhcs
#
# RHCS - Red Hat Cluster Suite
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 3892c69..e88980a 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -39,13 +39,6 @@ aiccu = module
# Policy for aide
#
aide = module
-
-# Layer: services
-# Module: aisexec
-#
-# RHCS - Red Hat Cluster Suite
-#
-aisexec = module
# Layer: services
# Module: ajaxterm
@@ -385,13 +378,6 @@ condor = module
consolekit = module
# Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine Executive
-#
-corosync = module
-
-# Layer: services
# Module: couchdb
#
# Apache CouchDB database server
@@ -1279,13 +1265,6 @@ openvpn = module
#
openvswitch = module
-# Layer: services
-# Module: pacemaker
-#
-# pacemaker
-#
-pacemaker = module
-
prelude = module
# Layer: services
@@ -1559,20 +1538,6 @@ realmd = module
remotelogin = module
# Layer: services
-# Module: rgmanager
-#
-# Red Hat Resource Group Manager
-#
-rgmanager = module
-
-# Layer: services
-# Module: rgmanager
-#
-# rgmanager
-#
-rgmanager = module
-
-# Layer: services
# Module: rhcs
#
# RHCS - Red Hat Cluster Suite
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e134722..4a010e7 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1035,7 +1035,7 @@ index 7a6f06f..bf04b0a 100644
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index cc8df9d..5e914db 100644
+index cc8df9d..34c2a4e 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
@@ -1063,7 +1063,7 @@ index cc8df9d..5e914db 100644
########################################
## <summary>
## Execute bootloader interactively and do
-@@ -38,30 +56,21 @@ interface(`bootloader_domtrans',`
+@@ -38,16 +56,26 @@ interface(`bootloader_domtrans',`
#
interface(`bootloader_run',`
gen_require(`
@@ -1077,34 +1077,84 @@ index cc8df9d..5e914db 100644
+
bootloader_domtrans($1)
- roleattribute $2 bootloader_roles;
--')
++
++ role $2 types bootloader_t;
++
++ ifdef(`distro_redhat',`
++ # for mke2fs
++ mount_run(bootloader_t, $2)
++ ')
+ ')
--########################################
--## <summary>
+ ########################################
+ ## <summary>
-## Execute bootloader in the caller domain.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
++## Read the bootloader configuration file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -55,36 +83,37 @@ interface(`bootloader_run',`
+ ## </summary>
+ ## </param>
+ #
-interface(`bootloader_exec',`
-- gen_require(`
++interface(`bootloader_read_config',`
+ gen_require(`
- type bootloader_exec_t;
-- ')
-+ role $2 types bootloader_t;
++ type bootloader_etc_t;
+ ')
- corecmd_search_bin($1)
- can_exec($1, bootloader_exec_t)
-+ ifdef(`distro_redhat',`
-+ # for mke2fs
-+ mount_run(bootloader_t, $2)
-+ ')
++ allow $1 bootloader_etc_t:file read_file_perms;
')
########################################
-@@ -119,7 +128,7 @@ interface(`bootloader_rw_tmp_files',`
+ ## <summary>
+-## Read the bootloader configuration file.
++## Read and write the bootloader
++## configuration file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`bootloader_read_config',`
++interface(`bootloader_rw_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+- allow $1 bootloader_etc_t:file read_file_perms;
++ allow $1 bootloader_etc_t:file rw_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write the bootloader
++## Manage the bootloader
+ ## configuration file.
+ ## </summary>
+ ## <param name="domain">
+@@ -94,12 +123,12 @@ interface(`bootloader_read_config',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`bootloader_rw_config',`
++interface(`bootloader_manage_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+- allow $1 bootloader_etc_t:file rw_file_perms;
++ manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
+ ')
+
+ ########################################
+@@ -119,7 +148,7 @@ interface(`bootloader_rw_tmp_files',`
')
files_search_tmp($1)
@@ -1113,7 +1163,7 @@ index cc8df9d..5e914db 100644
')
########################################
-@@ -141,3 +150,22 @@ interface(`bootloader_create_runtime_file',`
+@@ -141,3 +170,24 @@ interface(`bootloader_create_runtime_file',`
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1, boot_runtime_t, file)
')
@@ -1133,8 +1183,10 @@ index cc8df9d..5e914db 100644
+ type bootloader_etc_t;
+ ')
+
++ files_etc_filetrans($1,bootloader_etc_t,file, "grub")
+ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
++ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index e3dbbb8..f766e86 100644
@@ -2965,7 +3017,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..5be2ae6 100644
+index 644d4d7..330ed39 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3023,7 +3075,17 @@ index 644d4d7..5be2ae6 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +143,11 @@ ifdef(`distro_debian',`
+@@ -116,6 +125,9 @@ ifdef(`distro_redhat',`
+
+ /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++
++/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
+@@ -134,10 +146,11 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -3036,7 +3098,7 @@ index 644d4d7..5be2ae6 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +161,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +164,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -3045,7 +3107,7 @@ index 644d4d7..5be2ae6 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +177,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +180,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3053,7 +3115,7 @@ index 644d4d7..5be2ae6 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +189,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +192,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3112,7 +3174,7 @@ index 644d4d7..5be2ae6 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +242,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +245,28 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3148,7 +3210,7 @@ index 644d4d7..5be2ae6 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +278,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +281,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3164,7 +3226,7 @@ index 644d4d7..5be2ae6 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +299,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +302,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3185,7 +3247,7 @@ index 644d4d7..5be2ae6 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +325,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +328,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3201,7 +3263,7 @@ index 644d4d7..5be2ae6 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +348,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +351,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3226,7 +3288,7 @@ index 644d4d7..5be2ae6 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +381,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +384,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3255,7 +3317,7 @@ index 644d4d7..5be2ae6 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +450,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +453,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3272,7 +3334,7 @@ index 644d4d7..5be2ae6 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +468,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +471,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -10806,10 +10868,10 @@ index 148d87a..822f6be 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..91a633a 100644
+index cda5588..3035829 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
-@@ -1,3 +1,7 @@
+@@ -1,9 +1,13 @@
+# ecryptfs does not support xattr
+HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
+HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -10817,6 +10879,13 @@ index cda5588..91a633a 100644
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/cgroup/.* <<none>>
+ /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+ /dev/hugepages(/.*)? <<none>>
+-/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
++/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
+ /dev/shm/.* <<none>>
+
+ /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
@@ -14,3 +18,10 @@
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
@@ -12112,7 +12181,7 @@ index 8416beb..60b2ce1 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..6a95769 100644
+index 9e603f5..3c5f139 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -12181,15 +12250,16 @@ index 9e603f5..6a95769 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +181,7 @@ fs_type(tmpfs_t)
+@@ -176,6 +181,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
++mls_trusted_object(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +261,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +262,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -12198,7 +12268,7 @@ index 9e603f5..6a95769 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +282,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +283,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -26439,7 +26509,7 @@ index 5dfa44b..aa4d8fc 100644
optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..e96fdf3 100644
+index 73bb3c0..dbd708d 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -26599,7 +26669,7 @@ index 73bb3c0..e96fdf3 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +309,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +309,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -26612,6 +26682,9 @@ index 73bb3c0..e96fdf3 100644
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
++/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/named/chroot/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++
+/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
@@ -28610,7 +28683,7 @@ index e8c59a5..ea56d23 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..d5fe55a 100644
+index 9fe8e01..06fa481 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -28641,17 +28714,23 @@ index 9fe8e01..d5fe55a 100644
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -77,8 +74,9 @@ ifdef(`distro_redhat',`
+@@ -77,7 +74,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
-
+
-+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0)
+
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
+@@ -90,6 +87,7 @@ ifdef(`distro_debian',`
+ ')
+
+ ifdef(`distro_redhat',`
++/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ ')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index fc28bc3..2f33076 100644
--- a/policy/modules/system/miscfiles.if
@@ -35242,7 +35321,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..6c2548e 100644
+index 3c5dba7..ba7a400 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -36038,7 +36117,12 @@ index 3c5dba7..6c2548e 100644
')
optional_policy(`
-@@ -646,19 +814,16 @@ template(`userdom_common_user_template',`
+@@ -642,23 +810,21 @@ template(`userdom_common_user_template',`
+ optional_policy(`
+ mpd_manage_user_data_content($1_t)
+ mpd_relabel_user_data_content($1_t)
++ mpd_stream_connect($1_t)
+ ')
# for running depmod as part of the kernel packaging process
optional_policy(`
@@ -36062,7 +36146,7 @@ index 3c5dba7..6c2548e 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +836,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +837,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -36071,7 +36155,7 @@ index 3c5dba7..6c2548e 100644
')
optional_policy(`
-@@ -680,9 +845,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +846,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -36084,7 +36168,7 @@ index 3c5dba7..6c2548e 100644
')
')
-@@ -693,32 +858,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +859,36 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -36132,7 +36216,7 @@ index 3c5dba7..6c2548e 100644
')
')
-@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +913,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -36170,7 +36254,7 @@ index 3c5dba7..6c2548e 100644
userdom_change_password_template($1)
-@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
+@@ -761,82 +947,99 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -36306,7 +36390,7 @@ index 3c5dba7..6c2548e 100644
')
')
-@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -36319,7 +36403,7 @@ index 3c5dba7..6c2548e 100644
##############################
#
# Local policy
-@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -36430,7 +36514,7 @@ index 3c5dba7..6c2548e 100644
')
optional_policy(`
-@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -36461,7 +36545,7 @@ index 3c5dba7..6c2548e 100644
')
#######################################
-@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -36499,7 +36583,7 @@ index 3c5dba7..6c2548e 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1308,59 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1309,59 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -36569,7 +36653,7 @@ index 3c5dba7..6c2548e 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1369,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -36580,7 +36664,7 @@ index 3c5dba7..6c2548e 100644
')
')
-@@ -1082,7 +1407,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -36589,7 +36673,7 @@ index 3c5dba7..6c2548e 100644
')
##############################
-@@ -1109,6 +1434,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -36597,7 +36681,7 @@ index 3c5dba7..6c2548e 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1443,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -36607,7 +36691,7 @@ index 3c5dba7..6c2548e 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1460,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -36615,7 +36699,7 @@ index 3c5dba7..6c2548e 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1478,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -36630,7 +36714,7 @@ index 3c5dba7..6c2548e 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1496,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -36673,7 +36757,7 @@ index 3c5dba7..6c2548e 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1537,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -36682,7 +36766,7 @@ index 3c5dba7..6c2548e 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1546,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -36701,7 +36785,7 @@ index 3c5dba7..6c2548e 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1602,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -36710,7 +36794,7 @@ index 3c5dba7..6c2548e 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1616,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -36722,7 +36806,7 @@ index 3c5dba7..6c2548e 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1630,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -36765,7 +36849,7 @@ index 3c5dba7..6c2548e 100644
')
optional_policy(`
-@@ -1360,14 +1715,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -36784,7 +36868,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -1408,6 +1766,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -36836,7 +36920,7 @@ index 3c5dba7..6c2548e 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1512,11 +1915,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36868,7 +36952,7 @@ index 3c5dba7..6c2548e 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1558,6 +1981,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -36883,7 +36967,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -1573,9 +2004,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -36895,7 +36979,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -1632,6 +2065,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -36938,7 +37022,7 @@ index 3c5dba7..6c2548e 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1711,6 +2180,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36947,7 +37031,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -1744,10 +2215,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -36962,7 +37046,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -1772,7 +2245,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -36971,7 +37055,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1780,19 +2253,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -36995,7 +37079,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1800,31 +2271,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -37035,7 +37119,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -1848,6 +2319,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -37061,7 +37145,7 @@ index 3c5dba7..6c2548e 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1878,14 +2368,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -37099,7 +37183,7 @@ index 3c5dba7..6c2548e 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1896,11 +2408,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -37117,7 +37201,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -1941,7 +2456,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -37144,7 +37228,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1951,17 +2484,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -37165,7 +37249,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1969,12 +2500,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -37216,7 +37300,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -2010,8 +2577,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -37226,7 +37310,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -2027,20 +2593,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -37251,7 +37335,7 @@ index 3c5dba7..6c2548e 100644
########################################
## <summary>
-@@ -2123,7 +2683,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -37260,7 +37344,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2131,19 +2691,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -37284,7 +37368,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2151,12 +2709,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -37300,7 +37384,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -2393,11 +2951,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -37315,7 +37399,7 @@ index 3c5dba7..6c2548e 100644
files_search_tmp($1)
')
-@@ -2417,7 +2975,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -37324,7 +37408,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -2664,6 +3222,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -37350,7 +37434,7 @@ index 3c5dba7..6c2548e 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2680,13 +3257,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -37366,7 +37450,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2707,7 +3285,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -37375,7 +37459,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2715,19 +3293,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -37398,7 +37482,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2735,25 +3311,43 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -37448,7 +37532,7 @@ index 3c5dba7..6c2548e 100644
gen_require(`
type user_tty_device_t;
')
-@@ -2817,6 +3411,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -37473,7 +37557,7 @@ index 3c5dba7..6c2548e 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2835,22 +3447,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -37516,7 +37600,7 @@ index 3c5dba7..6c2548e 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2859,14 +3483,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -37554,7 +37638,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -2885,8 +3528,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -37584,7 +37668,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -2958,69 +3620,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -37685,7 +37769,7 @@ index 3c5dba7..6c2548e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3028,12 +3689,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -37700,7 +37784,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -3097,7 +3758,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -37709,7 +37793,7 @@ index 3c5dba7..6c2548e 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3774,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -37743,7 +37827,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -3217,7 +3862,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3863,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -37752,7 +37836,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -3272,7 +3917,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3918,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -37818,7 +37902,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -3290,7 +3992,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3993,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -37827,7 +37911,7 @@ index 3c5dba7..6c2548e 100644
')
########################################
-@@ -3309,6 +4011,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4012,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -37835,7 +37919,7 @@ index 3c5dba7..6c2548e 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4088,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4089,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -37878,7 +37962,7 @@ index 3c5dba7..6c2548e 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4144,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4145,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -37903,7 +37987,7 @@ index 3c5dba7..6c2548e 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3439,3 +4196,1355 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4197,1355 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 0c2bc63..867dc4d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9389,7 +9389,7 @@ index 5ded72d..f6b854c 100644
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
diff --git a/ccs.te b/ccs.te
-index b85b53b..a37eebd 100644
+index b85b53b..476aaa3 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
@@ -9426,6 +9426,16 @@ index b85b53b..a37eebd 100644
sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
+@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ optional_policy(`
+- aisexec_stream_connect(ccs_t)
+- corosync_stream_connect(ccs_t)
++ rhcs_stream_connect_cluster(ccs_t)
+ ')
+
+ optional_policy(`
diff --git a/cdrecord.te b/cdrecord.te
index 55fb26a..a7555c0 100644
--- a/cdrecord.te
@@ -10985,18 +10995,20 @@ index b59c592..4b8cddc 100644
optional_policy(`
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
-index 29782b8..c614d47 100644
+index 29782b8..685edff 100644
--- a/clogd.te
+++ b/clogd.te
-@@ -41,8 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
+@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
logging_send_syslog_msg(clogd_t)
-miscfiles_read_localization(clogd_t)
-
optional_policy(`
- aisexec_stream_connect(clogd_t)
- corosync_stream_connect(clogd_t)
+- aisexec_stream_connect(clogd_t)
+- corosync_stream_connect(clogd_t)
++ rhcs_stream_connect_cluster(clogd_t)
+ ')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000..8a40857
@@ -11584,7 +11596,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..4704562 100644
+index 6471fa8..45f1622 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,6 +26,9 @@ files_type(collectd_var_lib_t)
@@ -11597,7 +11609,18 @@ index 6471fa8..4704562 100644
apache_content_template(collectd)
########################################
-@@ -57,13 +60,9 @@ dev_read_sysfs(collectd_t)
+@@ -48,21 +51,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+
+ domain_use_interactive_fds(collectd_t)
+
+-kernel_read_network_state(collectd_t)
+-kernel_read_net_sysctls(collectd_t)
+-kernel_read_system_state(collectd_t)
++kernel_read_all_sysctls(collectd_t)
++kernel_read_all_proc(collectd_t)
+
+ dev_read_rand(collectd_t)
+ dev_read_sysfs(collectd_t)
dev_read_urand(collectd_t)
files_getattr_all_dirs(collectd_t)
@@ -11607,13 +11630,16 @@ index 6471fa8..4704562 100644
fs_getattr_all_fs(collectd_t)
-miscfiles_read_localization(collectd_t)
--
++init_read_utmp(collectd_t)
+
logging_send_syslog_msg(collectd_t)
- sysnet_dns_name_resolve(collectd_t)
-@@ -88,3 +87,4 @@ optional_policy(`
+@@ -87,4 +87,7 @@ optional_policy(`
+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++
++ auth_read_passwd(httpd_collectd_script_t)
')
+
diff --git a/colord.fc b/colord.fc
@@ -20586,7 +20612,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..9697f9d 100644
+index a7bfaf0..d16e5e8 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -20779,14 +20805,14 @@ index a7bfaf0..9697f9d 100644
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_use_user_terminals(dovecot_t)
--
++logging_send_syslog_msg(dovecot_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
-')
-+logging_send_syslog_msg(dovecot_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_t)
- fs_manage_cifs_files(dovecot_t)
@@ -20836,7 +20862,7 @@ index a7bfaf0..9697f9d 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +213,57 @@ optional_policy(`
+@@ -221,46 +213,59 @@ optional_policy(`
########################################
#
@@ -20856,6 +20882,8 @@ index a7bfaf0..9697f9d 100644
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
++manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
++
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
@@ -20904,7 +20932,7 @@ index a7bfaf0..9697f9d 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -272,14 +275,21 @@ optional_policy(`
+@@ -272,14 +277,21 @@ optional_policy(`
optional_policy(`
postfix_manage_private_sockets(dovecot_auth_t)
@@ -20927,7 +20955,7 @@ index a7bfaf0..9697f9d 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +299,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +301,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -20986,7 +21014,7 @@ index a7bfaf0..9697f9d 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +342,6 @@ optional_policy(`
+@@ -326,5 +344,6 @@ optional_policy(`
')
optional_policy(`
@@ -22131,16 +22159,33 @@ index 0872e50..d49f5ad 100644
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
diff --git a/fcoe.te b/fcoe.te
-index 79b9273..dc7e983 100644
+index 79b9273..76b7ed5 100644
--- a/fcoe.te
+++ b/fcoe.te
-@@ -31,7 +31,6 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t)
+ # Local policy
+ #
+
+-allow fcoemon_t self:capability { dac_override kill net_admin };
++allow fcoemon_t self:capability { net_admin net_raw dac_override };
+ allow fcoemon_t self:fifo_file rw_fifo_file_perms;
+ allow fcoemon_t self:unix_stream_socket { accept listen };
+ allow fcoemon_t self:netlink_socket create_socket_perms;
+ allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
++allow fcoemon_t self:packet_socket create_socket_perms;
++allow fcoemon_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
-files_read_etc_files(fcoemon_t)
+-
+-dev_read_sysfs(fcoemon_t)
++dev_rw_sysfs(fcoemon_t)
- dev_read_sysfs(fcoemon_t)
+ logging_send_syslog_msg(fcoemon_t)
diff --git a/fetchmail.fc b/fetchmail.fc
index 2486e2a..ea07c4f 100644
@@ -29820,7 +29865,7 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..fb73b38 100644
+index e7f5c81..8ff6f51 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -1,4 +1,4 @@
@@ -29829,7 +29874,7 @@ index e7f5c81..fb73b38 100644
########################################
#
-@@ -7,61 +7,65 @@ policy_module(kdumpgui, 1.1.4)
+@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4)
type kdumpgui_t;
type kdumpgui_exec_t;
@@ -29900,19 +29945,20 @@ index e7f5c81..fb73b38 100644
init_dontaudit_read_all_script_files(kdumpgui_t)
+init_access_check(kdumpgui_t)
-+
+
+-optional_policy(`
+- bootloader_exec(kdumpgui_t)
+- bootloader_rw_config(kdumpgui_t)
+-')
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
optional_policy(`
- bootloader_exec(kdumpgui_t)
-@@ -69,15 +73,7 @@ optional_policy(`
+- consoletype_exec(kdumpgui_t)
++ bootloader_exec(kdumpgui_t)
++ bootloader_manage_config(kdumpgui_t)
')
optional_policy(`
-- consoletype_exec(kdumpgui_t)
--')
--
--optional_policy(`
dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-
- optional_policy(`
@@ -34764,10 +34810,10 @@ index 89409eb..64ac6f0 100644
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
-index cba62db..bdf319a 100644
+index cba62db..562833a 100644
--- a/milter.if
+++ b/milter.if
-@@ -1,47 +1,59 @@
+@@ -1,47 +1,43 @@
-## <summary>Milter mail filters.</summary>
+## <summary>Milter mail filters</summary>
@@ -34811,29 +34857,13 @@ index cba62db..bdf319a 100644
- # Policy
- #
+ # Allow communication with MTA over a unix-domain socket
-+ # Note: usage with TCP sockets requires additional policy
++ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
-- manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
-+ allow $1_milter_t self:fifo_file rw_fifo_file_perms;
-+
-+ # Allow communication with MTA over a TCP socket
-+ allow $1_milter_t self:tcp_socket create_stream_socket_perms;
-+
-+ # Allow communication with MTA over a unix-domain socket
- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
++ # Create other data files and directories in the data directory
+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
- auth_use_nsswitch($1_milter_t)
-+ # Create other data files and directories in the data directory
-+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
-+
-+ kernel_dontaudit_read_system_state($1_milter_t)
-+
-+ corenet_tcp_bind_generic_node($1_milter_t)
-+ corenet_tcp_bind_milter_port($1_milter_t)
-+
-+ files_read_etc_files($1_milter_t)
-+
-+
+ logging_send_syslog_msg($1_milter_t)
')
@@ -34845,7 +34875,7 @@ index cba62db..bdf319a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -55,12 +67,13 @@ interface(`milter_stream_connect_all',`
+@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',`
')
files_search_pids($1)
@@ -34860,7 +34890,7 @@ index cba62db..bdf319a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -73,13 +86,31 @@ interface(`milter_getattr_all_sockets',`
+@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',`
attribute milter_data_type;
')
@@ -34894,7 +34924,7 @@ index cba62db..bdf319a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -97,3 +128,22 @@ interface(`milter_manage_spamass_state',`
+@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
@@ -34918,10 +34948,10 @@ index cba62db..bdf319a 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 92508b2..38c718c 100644
+index 92508b2..db83591 100644
--- a/milter.te
+++ b/milter.te
-@@ -1,77 +1,96 @@
+@@ -1,77 +1,110 @@
-policy_module(milter, 1.4.2)
+policy_module(milter, 1.4.0)
@@ -34952,38 +34982,59 @@ index 92508b2..38c718c 100644
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
++
#######################################
#
-# Common local policy
-+# dkim-milter local policy
++# milter domains local policy
#
--allow milter_domains self:fifo_file rw_fifo_file_perms;
++# Allow communication with MTA over a unix-domain socket
++# Note: usage with TCP sockets requires additional policy
++
+ allow milter_domains self:fifo_file rw_fifo_file_perms;
-allow milter_domains self:tcp_socket { accept listen };
-+allow dkim_milter_t self:capability { kill setgid setuid };
-+allow dkim_milter_t self:process signal;
-+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
-+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
++
++# Allow communication with MTA over a TCP socket
++allow milter_domains self:tcp_socket create_stream_socket_perms;
--kernel_dontaudit_read_system_state(milter_domains)
-+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+ kernel_dontaudit_read_system_state(milter_domains)
-corenet_all_recvfrom_unlabeled(milter_domains)
-corenet_all_recvfrom_netlabel(milter_domains)
-corenet_tcp_sendrecv_generic_if(milter_domains)
-corenet_tcp_sendrecv_generic_node(milter_domains)
--corenet_tcp_bind_generic_node(milter_domains)
-+kernel_read_kernel_sysctls(dkim_milter_t)
-
--corenet_tcp_bind_milter_port(milter_domains)
+ corenet_tcp_bind_generic_node(milter_domains)
+-
+ corenet_tcp_bind_milter_port(milter_domains)
-corenet_tcp_sendrecv_all_ports(milter_domains)
-+auth_use_nsswitch(dkim_milter_t)
-miscfiles_read_localization(milter_domains)
-+sysnet_dns_name_resolve(dkim_milter_t)
++dev_read_rand(milter_domains)
++dev_read_urand(milter_domains)
++
++mta_read_config(milter_domains)
++
++sysnet_read_config(greylist_milter_t)
++
++#######################################
++#
++# dkim-milter local policy
++#
++
++allow dkim_milter_t self:capability { kill setgid setuid };
++allow dkim_milter_t self:process signal;
++allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
-logging_send_syslog_msg(milter_domains)
-+mta_read_config(dkim_milter_t)
++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
++
++kernel_read_kernel_sysctls(dkim_milter_t)
++
++auth_use_nsswitch(dkim_milter_t)
++
++sysnet_dns_name_resolve(dkim_milter_t)
########################################
#
@@ -35015,9 +35066,7 @@ index 92508b2..38c718c 100644
-corenet_sendrecv_kismet_server_packets(greylist_milter_t)
-corenet_tcp_bind_kismet_port(greylist_milter_t)
-corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
-+dev_read_rand(greylist_milter_t)
-+dev_read_urand(greylist_milter_t)
-
+-
corecmd_exec_bin(greylist_milter_t)
corecmd_exec_shell(greylist_milter_t)
@@ -35033,20 +35082,15 @@ index 92508b2..38c718c 100644
+# The milter runs from /var/lib/milter-greylist and maintains files there
files_search_var_lib(greylist_milter_t)
+-mta_read_config(greylist_milter_t)
+-
+-miscfiles_read_localization(greylist_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
-+
-+# Config is in /etc/mail/greylist.conf
- mta_read_config(greylist_milter_t)
-
--miscfiles_read_localization(greylist_milter_t)
-+
-+sysnet_read_config(greylist_milter_t)
-+
optional_policy(`
mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +98,48 @@ optional_policy(`
+@@ -79,30 +112,45 @@ optional_policy(`
########################################
#
@@ -35063,11 +35107,9 @@ index 92508b2..38c718c 100644
+# The milter's socket directory lives under /var/spool
files_search_spool(regex_milter_t)
+-mta_read_config(regex_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
-+
-+# Config is in /etc/mail/milter-regex.conf
- mta_read_config(regex_milter_t)
########################################
#
@@ -37585,11 +37627,47 @@ index 6a306ee..7131f6f 100644
+tunable_policy(`selinuxuser_execmod',`
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
+diff --git a/mpd.fc b/mpd.fc
+index 313ce52..6aa46d2 100644
+--- a/mpd.fc
++++ b/mpd.fc
+@@ -9,3 +9,5 @@
+ /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+
+ /var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
++
++/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0)
diff --git a/mpd.if b/mpd.if
-index 5fa77c7..a0e8661 100644
+index 5fa77c7..2e01c7d 100644
--- a/mpd.if
+++ b/mpd.if
-@@ -344,9 +344,13 @@ interface(`mpd_admin',`
+@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',`
+
+ ########################################
+ ## <summary>
++## Connect to mpd over a unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mpd_stream_connect',`
++ gen_require(`
++ type mpd_t, mpd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an mpd environment.
+ ## </summary>
+@@ -344,9 +363,13 @@ interface(`mpd_admin',`
type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
')
@@ -37605,10 +37683,20 @@ index 5fa77c7..a0e8661 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7c8afcc..200cec1 100644
+index 7c8afcc..0f46305 100644
--- a/mpd.te
+++ b/mpd.te
-@@ -74,6 +74,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
+@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
+ type mpd_user_data_t;
+ userdom_user_home_content(mpd_user_data_t) # customizable
+
++type mpd_var_run_t;
++files_pid_file(mpd_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -74,6 +77,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -37616,7 +37704,19 @@ index 7c8afcc..200cec1 100644
allow mpd_t mpd_data_t:dir manage_dir_perms;
allow mpd_t mpd_data_t:file manage_file_perms;
-@@ -110,7 +111,6 @@ kernel_read_kernel_sysctls(mpd_t)
+@@ -104,13 +108,18 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+ manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+ files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
+
++manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
++
+ kernel_getattr_proc(mpd_t)
+ kernel_read_system_state(mpd_t)
+ kernel_read_kernel_sysctls(mpd_t)
corecmd_exec_bin(mpd_t)
@@ -37624,7 +37724,7 @@ index 7c8afcc..200cec1 100644
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,7 +139,6 @@ dev_read_sound(mpd_t)
+@@ -139,7 +148,6 @@ dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
dev_read_sysfs(mpd_t)
@@ -37632,7 +37732,7 @@ index 7c8afcc..200cec1 100644
fs_getattr_all_fs(mpd_t)
fs_list_inotifyfs(mpd_t)
-@@ -150,7 +149,9 @@ auth_use_nsswitch(mpd_t)
+@@ -150,7 +158,9 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
@@ -37643,7 +37743,7 @@ index 7c8afcc..200cec1 100644
tunable_policy(`mpd_enable_homedirs',`
userdom_search_user_home_dirs(mpd_t)
-@@ -199,6 +200,16 @@ optional_policy(`
+@@ -199,6 +209,16 @@ optional_policy(`
')
optional_policy(`
@@ -39848,10 +39948,18 @@ index b744fe3..4c1b6a8 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index 97370e4..d5f13d8 100644
+index 97370e4..f076c38 100644
--- a/munin.te
+++ b/munin.te
-@@ -45,7 +45,7 @@ munin_plugin_template(unconfined)
+@@ -40,12 +40,15 @@ munin_plugin_template(services)
+ munin_plugin_template(system)
+ munin_plugin_template(unconfined)
+
++type httpd_munin_script_tmp_t;
++files_tmp_file(httpd_munin_script_tmp_t)
++
+ ################################
+ #
# Common munin plugin local policy
#
@@ -39860,7 +39968,7 @@ index 97370e4..d5f13d8 100644
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,24 +58,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+@@ -58,24 +61,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
@@ -39885,7 +39993,7 @@ index 97370e4..d5f13d8 100644
optional_policy(`
nscd_use(munin_plugin_domain)
')
-@@ -114,7 +106,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +109,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -39894,7 +40002,7 @@ index 97370e4..d5f13d8 100644
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +122,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +125,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
@@ -39902,7 +40010,7 @@ index 97370e4..d5f13d8 100644
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +144,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +147,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
@@ -39910,7 +40018,7 @@ index 97370e4..d5f13d8 100644
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
-@@ -165,7 +155,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +158,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
@@ -39918,19 +40026,21 @@ index 97370e4..d5f13d8 100644
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
-@@ -179,6 +168,11 @@ optional_policy(`
- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- apache_search_sys_content(munin_t)
-+
-+ read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
-+ read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
-+
-+ files_search_var_lib(httpd_munin_script_t)
- ')
+@@ -173,13 +165,6 @@ sysnet_exec_ifconfig(munin_t)
+ userdom_dontaudit_use_unpriv_user_fds(munin_t)
+ userdom_dontaudit_search_user_home_dirs(munin_t)
+
+-optional_policy(`
+- apache_content_template(munin)
+-
+- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+- apache_search_sys_content(munin_t)
+-')
optional_policy(`
-@@ -213,7 +207,6 @@ optional_policy(`
+ cron_system_entry(munin_t, munin_exec_t)
+@@ -213,7 +198,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -39938,7 +40048,7 @@ index 97370e4..d5f13d8 100644
')
optional_policy(`
-@@ -246,17 +239,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
+@@ -246,17 +230,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
@@ -39960,7 +40070,7 @@ index 97370e4..d5f13d8 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -275,27 +268,36 @@ optional_policy(`
+@@ -275,27 +259,36 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -40001,7 +40111,7 @@ index 97370e4..d5f13d8 100644
')
optional_policy(`
-@@ -353,7 +355,11 @@ optional_policy(`
+@@ -353,7 +346,11 @@ optional_policy(`
')
optional_policy(`
@@ -40014,11 +40124,37 @@ index 97370e4..d5f13d8 100644
')
optional_policy(`
-@@ -413,3 +419,4 @@ optional_policy(`
+@@ -413,3 +410,30 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
+
++
++#######################################
++#
++# Munin CGI script local policy
++#
++
++apache_content_template(munin)
++
++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++
++manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
++manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
++
++read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
++read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
++
++allow httpd_munin_script_t munin_log_t:file read_file_perms;
++
++files_search_var_lib(httpd_munin_script_t)
++
++auth_read_passwd(httpd_munin_script_t)
++
++optional_policy(`
++ apache_search_sys_content(munin_t)
++')
diff --git a/mysql.fc b/mysql.fc
index c48dc17..43f60de 100644
--- a/mysql.fc
@@ -49745,7 +49881,7 @@ index d2fc677..22b745a 100644
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
')
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..0ff4cb5 100644
+index 7bcf327..850de84 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -49905,7 +50041,7 @@ index 7bcf327..0ff4cb5 100644
+')
+
+optional_policy(`
-+ corosync_stream_connect(pegasus_t)
++ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
@@ -56910,7 +57046,7 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index d447152..6f83f03 100644
+index d447152..5940a04 100644
--- a/procmail.te
+++ b/procmail.te
@@ -1,4 +1,4 @@
@@ -56945,12 +57081,13 @@ index d447152..6f83f03 100644
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,59 +44,71 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,59 +44,72 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
-can_exec(procmail_t, procmail_exec_t)
-
++kernel_read_network_state(procmail_t)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
@@ -57044,7 +57181,7 @@ index d447152..6f83f03 100644
')
optional_policy(`
-@@ -100,12 +116,7 @@ optional_policy(`
+@@ -100,12 +117,7 @@ optional_policy(`
')
optional_policy(`
@@ -57058,7 +57195,7 @@ index d447152..6f83f03 100644
')
optional_policy(`
-@@ -113,16 +124,17 @@ optional_policy(`
+@@ -113,16 +125,17 @@ optional_policy(`
')
optional_policy(`
@@ -57081,7 +57218,7 @@ index d447152..6f83f03 100644
')
optional_policy(`
-@@ -131,6 +143,8 @@ optional_policy(`
+@@ -131,6 +144,8 @@ optional_policy(`
')
optional_policy(`
@@ -60879,7 +61016,7 @@ index cd51b96..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 76f5b39..599b6cd 100644
+index 76f5b39..53f9a64 100644
--- a/qpid.te
+++ b/qpid.te
@@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
@@ -60929,7 +61066,8 @@ index 76f5b39..599b6cd 100644
sysnet_dns_name_resolve(qpidd_t)
optional_policy(`
- corosync_stream_connect(qpidd_t)
+- corosync_stream_connect(qpidd_t)
++ rhcs_stream_connect_cluster(qpidd_t)
')
+
diff --git a/quantum.fc b/quantum.fc
@@ -63522,10 +63660,10 @@ index b418d1c..1ad9c12 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..d022603 100644
+index 47de2d6..1f5dbf8 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,31 @@
+@@ -1,31 +1,74 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -63580,8 +63718,51 @@ index 47de2d6..d022603 100644
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++
++# cluster administrative domains file spec
++/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++
++/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++
++/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++
++/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++
++/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..aee7ba7 100644
+index 56bc01f..f0a05e8 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -63943,7 +64124,7 @@ index 56bc01f..aee7ba7 100644
')
######################################
-@@ -446,52 +456,77 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +456,303 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
## <summary>
@@ -63991,31 +64172,104 @@ index 56bc01f..aee7ba7 100644
- allow $1 cluster_domain:process { ptrace signal_perms };
- ps_process_pattern($1, cluster_domain)
--
++ files_search_var_lib($1)
++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
++
++#####################################
++## <summary>
++## Allow domain to manage cluster lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
+
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
--
++####################################
++## <summary>
++## Allow domain to relabel cluster lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_relabel_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
+
- files_search_pids($1)
- admin_pattern($1, cluster_pid)
--
++######################################
++## <summary>
++## Execute a domain transition to run cluster administrative domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rhcs_domtrans_cluster',`
++ gen_require(`
++ type cluster_t, cluster_exec_t;
++ ')
+
- files_search_locks($1)
- admin_pattern($1, fenced_lock_t)
--
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cluster_exec_t, cluster_t)
++')
+
- files_search_tmp($1)
- admin_pattern($1, fenced_tmp_t)
--
- files_search_var_lib($1)
++#######################################
++## <summary>
++## Execute cluster init scripts in
++## the init script domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rhcs_initrc_domtrans_cluster',`
++ gen_require(`
++ type cluster_initrc_exec_t;
++ ')
+
+- files_search_var_lib($1)
- admin_pattern($1, qdiskd_var_lib_t)
-+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
- fs_search_tmpfs($1)
- admin_pattern($1, cluster_tmpfs)
+#####################################
+## <summary>
-+## Allow domain to manage cluster lib files
++## Execute cluster in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -64023,20 +64277,18 @@ index 56bc01f..aee7ba7 100644
+## </summary>
+## </param>
+#
-+interface(`rhcs_manage_cluster_lib_files',`
++interface(`rhcs_exec_cluster',`
+ gen_require(`
-+ type cluster_var_lib_t;
++ type cluster_exec_t;
+ ')
-
-- logging_search_logs($1)
-- admin_pattern($1, cluster_log)
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++
++ corecmd_search_bin($1)
++ can_exec($1, cluster_exec_t)
+')
+
-+####################################
++######################################
+## <summary>
-+## Allow domain to relabel cluster lib files
++## Read cluster log files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -64044,53 +64296,464 @@ index 56bc01f..aee7ba7 100644
+## </summary>
+## </param>
+#
-+interface(`rhcs_relabel_cluster_lib_files',`
++interface(`rhcs_read_log_cluster',`
+ gen_require(`
-+ type cluster_var_lib_t;
++ type cluster_var_log_t;
+ ')
+
-+ files_search_var_lib($1)
-+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++ logging_search_logs($1)
++ list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
++ read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
++')
++
++######################################
++## <summary>
++## Setattr cluster log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_setattr_log_cluster',`
++ gen_require(`
++ type cluster_var_log_t;
++ ')
++
++ setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
++')
++
++#####################################
++## <summary>
++## Allow manage cluster tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_tmp_files',`
++ gen_require(`
++ type cluster_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
++')
++
++#####################################
++## <summary>
++## Allow the specified domain to read/write cluster's tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_rw_cluster_tmpfs',`
++ gen_require(`
++ type cluster_tmpfs_t;
++ ')
++
++ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
++')
++
++#####################################
++## <summary>
++## Allow manage cluster tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_tmpfs_files',`
++ gen_require(`
++ type rgmanager_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
++')
++
++#######################################
++## <summary>
++## Execute cluster server in the cluster domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rhcs_systemctl_cluster',`
++ gen_require(`
++ type cluster_t;
++ type cluster_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 cluster_unit_file_t:file read_file_perms;
++ allow $1 cluster_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cluster_t)
++')
++
++#####################################
++## <summary>
++## All of the rules required to administrate
++## an cluster environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the rgmanager domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`rhcs_admin_cluster',`
++ gen_require(`
++ type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
++ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
++ type cluster_unit_file_t;
++ ')
++
++ allow $1 cluster_t:process signal_perms;
++ ps_process_pattern($1, cluster_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cluster_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 cluster_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_tmp($1)
++ admin_pattern($1, cluster_tmp_t)
++
++ admin_pattern($1, cluster_tmpfs_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, cluster_var_log_t)
++
++ files_list_pids($1)
++ admin_pattern($1, cluster_var_run_t)
+
+- logging_search_logs($1)
+- admin_pattern($1, cluster_log)
++ rhcs_systemctl_cluster($1)
++ admin_pattern($1, cluster_unit_file_t)
++ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..d8bf297 100644
+index 2c2de9a..a1461c9 100644
--- a/rhcs.te
+++ b/rhcs.te
-@@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd)
+@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
+ ## </desc>
+ gen_tunable(fenced_can_ssh, false)
+
++## <desc>
++## <p>
++## Allow cluster administrative domains to connect to the network using TCP.
++## </p>
++## </desc>
++gen_tunable(cluster_can_network_connect, false)
++
++## <desc>
++## <p>
++## Allow cluster administrative domains to manage all files on a system.
++## </p>
++## </desc>
++gen_tunable(cluster_manage_all_files, false)
++
++## <desc>
++## <p>
++## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
++## </p>
++## </desc>
++gen_tunable(cluster_use_execmem, false)
++
+ attribute cluster_domain;
+ attribute cluster_log;
+ attribute cluster_pid;
+@@ -50,28 +71,259 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
-+# type for cluster lib files
++# cluster_t is a new domain for administrative generic cluster services
++# (rgmanager, corosync, hearbeat, cman, pacemaker)
++rhcs_domain_template(cluster)
++
++typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
++typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t };
++typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t };
++typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t };
++typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
++
++type cluster_initrc_exec_t;
++typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker rgmanager_initrc_exec_t };
++init_script_file(cluster_initrc_exec_t)
++
++type cluster_tmp_t;
++typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t };
++files_tmp_file(cluster_tmp_t)
++
+type cluster_var_lib_t;
++typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t };
+files_type(cluster_var_lib_t)
+
++type cluster_unit_file_t;
++typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t };
++systemd_unit_file(cluster_unit_file_t)
++
#####################################
#
# Common cluster domains local policy
-@@ -62,10 +66,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
+ #
+
+ allow cluster_domain self:capability sys_nice;
+-allow cluster_domain self:process setsched;
++allow cluster_domain self:process { signal setsched };
+ allow cluster_domain self:sem create_sem_perms;
+ allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;
-logging_send_syslog_msg(cluster_domain)
--
++optional_policy(`
++ ccs_stream_connect(cluster_domain)
++')
++
++optional_policy(`
++ dbus_system_bus_client(cluster_domain)
++')
++
++#####################################
++#
++# cluster domain local policy
++#
+
-miscfiles_read_localization(cluster_domain)
--
++allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
++# for hearbeat
++allow cluster_t self:capability { net_raw chown };
++allow cluster_t self:capability2 block_suspend;
++allow cluster_t self:process { setpgid setrlimit setsched signull };
++
++allow cluster_t self:tcp_socket create_stream_socket_perms;
++allow cluster_t self:shm create_shm_perms;
++
++manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
++manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
++files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir })
++
++can_exec(cluster_t, cluster_var_lib_t)
++manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file })
++
++can_exec(cluster_t, cluster_exec_t)
++
++kernel_kill(cluster_t)
++kernel_read_all_sysctls(cluster_t)
++kernel_read_system_state(cluster_t)
++kernel_rw_rpc_sysctls(cluster_t)
++kernel_search_debugfs(cluster_t)
++kernel_search_network_state(cluster_t)
++
++corecmd_exec_bin(cluster_t)
++corecmd_exec_shell(cluster_t)
++
++corenet_all_recvfrom_unlabeled(cluster_t)
++corenet_all_recvfrom_netlabel(cluster_t)
++corenet_udp_sendrecv_generic_if(cluster_t)
++corenet_udp_sendrecv_generic_node(cluster_t)
++corenet_udp_bind_generic_node(cluster_t)
++
++corenet_sendrecv_netsupport_server_packets(cluster_t)
++corenet_udp_bind_netsupport_port(cluster_t)
++corenet_udp_sendrecv_netsupport_port(cluster_t)
++
++corenet_sendrecv_cluster_server_packets(cluster_t)
++corenet_udp_bind_cluster_port(cluster_t)
++corenet_udp_sendrecv_cluster_port(cluster_t)
++
++# need to write to /dev/misc/dlm-contro
++dev_rw_dlm_control(cluster_t)
++dev_setattr_dlm_control(cluster_t)
++dev_read_sysfs(cluster_t)
++dev_read_rand(cluster_t)
++dev_read_urand(cluster_t)
++
++domain_read_all_domains_state(cluster_t)
++
++fs_getattr_xattr_fs(cluster_t)
++fs_getattr_all_fs(cluster_t)
++
++storage_raw_read_fixed_disk(cluster_t)
++
++term_getattr_pty_fs(cluster_t)
++
++files_manage_mounttab(cluster_t)
++# needed by resources scripts
++files_read_non_security_files(cluster_t)
++auth_dontaudit_getattr_shadow(cluster_t)
++
++init_domtrans_script(cluster_t)
++init_initrc_domain(cluster_t)
++init_read_script_state(cluster_t)
++init_rw_script_tmp_files(cluster_t)
++init_manage_script_status_files(cluster_t)
++
++userdom_read_user_tmp_files(cluster_t)
++userdom_delete_user_tmpfs_files(cluster_t)
++userdom_rw_user_tmpfs_files(cluster_t)
++userdom_kill_all_users(cluster_t)
++
++tunable_policy(`cluster_can_network_connect',`
++ corenet_tcp_connect_all_ports(cluster_t)
++')
++
++tunable_policy(`cluster_manage_all_files',`
++ files_create_var_run_dirs(cluster_t)
++ files_getattr_all_symlinks(cluster_t)
++ files_list_all(cluster_t)
++ files_manage_mnt_dirs(cluster_t)
++ files_manage_mnt_files(cluster_t)
++ files_manage_mnt_symlinks(cluster_t)
++ files_manage_isid_type_files(cluster_t)
++ files_manage_isid_type_dirs(cluster_t)
++ fs_manage_tmpfs_files(cluster_t)
++')
+
optional_policy(`
- ccs_stream_connect(cluster_domain)
- ')
-@@ -74,6 +74,10 @@ optional_policy(`
- corosync_stream_connect(cluster_domain)
+- ccs_stream_connect(cluster_domain)
++ ccs_read_config(cluster_t)
')
+ optional_policy(`
+- corosync_stream_connect(cluster_domain)
++ cmirrord_rw_shm(cluster_t)
++')
++
+optional_policy(`
-+ dbus_system_bus_client(cluster_domain)
++ consoletype_exec(cluster_t)
++')
++
++optional_policy(`
++ lvm_domtrans(cluster_t)
++ lvm_rw_clvmd_tmpfs_files(cluster_t)
++ lvm_delete_clvmd_tmpfs_files(cluster_t)
++')
++
++optional_policy(`
++ fstools_domtrans(cluster_t)
++')
++
++
++optional_policy(`
++ hostname_exec(cluster_t)
++')
++
++optional_policy(`
++ ccs_manage_config(cluster_t)
++ ccs_stream_connect(cluster_t)
++')
++
++optional_policy(`
++ ldap_systemctl(cluster_t)
++')
++
++optional_policy(`
++ mount_domtrans(cluster_t)
++')
++
++optional_policy(`
++ mysql_domtrans_mysql_safe(cluster_t)
++ mysql_stream_connect(cluster_t)
++')
++
++optional_policy(`
++ netutils_domtrans(cluster_t)
++ netutils_domtrans_ping(cluster_t)
++')
++
++optional_policy(`
++ postgresql_signal(cluster_t)
+')
+
++optional_policy(`
++ rhcs_getattr_fenced(cluster_t)
++ rhcs_rw_cluster_shm(cluster_t)
++ rhcs_rw_cluster_semaphores(cluster_t)
++ rhcs_stream_connect_cluster(cluster_t)
++ rhcs_relabel_cluster_lib_files(cluster_t)
++')
++
++optional_policy(`
++ rdisc_exec(cluster_t)
++')
++
++optional_policy(`
++ ricci_dontaudit_rw_modcluster_pipes(cluster_t)
++')
++
++optional_policy(`
++ rpc_systemctl_nfsd(cluster_t)
++ rpc_systemctl_rpcd(cluster_t)
++
++ rpc_domtrans_nfsd(cluster_t)
++ rpc_domtrans_rpcd(cluster_t)
++ rpc_manage_nfs_state_data(cluster_t)
++')
++
++optional_policy(`
++ samba_manage_var_files(cluster_t)
++ samba_rw_config(cluster_t)
++ samba_signal_smbd(cluster_t)
++ samba_signal_nmbd(cluster_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(cluster_t)
++')
++
++optional_policy(`
++ udev_read_db(cluster_t)
++')
++
++optional_policy(`
++ virt_stream_connect(cluster_t)
++')
++
++optional_policy(`
++ unconfined_domain(cluster_t)
++')
++
++optional_policy(`
++ wdmd_rw_tmpfs(cluster_t)
++')
++
++optional_policy(`
++ xen_domtrans_xm(cluster_t)
+ ')
+
#####################################
- #
- # dlm_controld local policy
-@@ -98,6 +102,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,6 +350,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -64103,7 +64766,7 @@ index 2c2de9a..d8bf297 100644
#######################################
#
# fenced local policy
-@@ -105,9 +115,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +363,13 @@ init_rw_script_tmp_files(dlm_controld_t)
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };
@@ -64118,7 +64781,7 @@ index 2c2de9a..d8bf297 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +132,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +380,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -64129,7 +64792,7 @@ index 2c2de9a..d8bf297 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -148,9 +161,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +409,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -64140,7 +64803,7 @@ index 2c2de9a..d8bf297 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +171,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +419,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -64149,7 +64812,7 @@ index 2c2de9a..d8bf297 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +201,6 @@ optional_policy(`
+@@ -190,10 +449,6 @@ optional_policy(`
')
optional_policy(`
@@ -64160,7 +64823,7 @@ index 2c2de9a..d8bf297 100644
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
-@@ -203,6 +210,13 @@ optional_policy(`
+@@ -203,6 +458,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -64174,7 +64837,7 @@ index 2c2de9a..d8bf297 100644
#######################################
#
# foghorn local policy
-@@ -223,7 +237,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,7 +485,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
dev_read_urand(foghorn_t)
@@ -64184,7 +64847,7 @@ index 2c2de9a..d8bf297 100644
optional_policy(`
dbus_connect_system_bus(foghorn_t)
-@@ -257,6 +272,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +520,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -64193,7 +64856,7 @@ index 2c2de9a..d8bf297 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +292,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +540,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -64206,7 +64869,7 @@ index 2c2de9a..d8bf297 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +338,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +586,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -65218,7 +65881,7 @@ index 2ab3ed1..23d579c 100644
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/ricci.te b/ricci.te
-index 9702ed2..fa21335 100644
+index 9702ed2..eeb9e48 100644
--- a/ricci.te
+++ b/ricci.te
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -65246,20 +65909,31 @@ index 9702ed2..fa21335 100644
sysnet_dns_name_resolve(ricci_t)
optional_policy(`
-@@ -235,9 +231,9 @@ init_domtrans_script(ricci_modcluster_t)
+@@ -235,13 +231,8 @@ init_domtrans_script(ricci_modcluster_t)
logging_send_syslog_msg(ricci_modcluster_t)
-miscfiles_read_localization(ricci_modcluster_t)
-
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
-+optional_policy(`
+-
+ optional_policy(`
+- aisexec_stream_connect(ricci_modcluster_t)
+- corosync_stream_connect(ricci_modcluster_t)
+ ricci_stream_connect_modclusterd(ricci_modcluster_t)
-+')
+ ')
optional_policy(`
- aisexec_stream_connect(ricci_modcluster_t)
-@@ -336,8 +332,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+@@ -271,7 +262,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- rgmanager_stream_connect(ricci_modcluster_t)
++ rhcs_stream_connect_cluster(ricci_modcluster_t)
+ ')
+
+ ########################################
+@@ -336,23 +327,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
logging_send_syslog_msg(ricci_modclusterd_t)
@@ -65268,7 +65942,23 @@ index 9702ed2..fa21335 100644
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
optional_policy(`
-@@ -374,12 +368,10 @@ corecmd_exec_bin(ricci_modlog_t)
+- aisexec_stream_connect(ricci_modclusterd_t)
+- corosync_stream_connect(ricci_modclusterd_t)
+-')
+-
+-optional_policy(`
+ ccs_domtrans(ricci_modclusterd_t)
+ ccs_stream_connect(ricci_modclusterd_t)
+ ccs_read_config(ricci_modclusterd_t)
+ ')
+
+ optional_policy(`
+- rgmanager_stream_connect(ricci_modclusterd_t)
++ rhcs_stream_connect_cluster(ricci_modclusterd_t)
+ ')
+
+ optional_policy(`
+@@ -374,12 +358,10 @@ corecmd_exec_bin(ricci_modlog_t)
domain_read_all_domains_state(ricci_modlog_t)
@@ -65281,7 +65971,7 @@ index 9702ed2..fa21335 100644
optional_policy(`
nscd_dontaudit_search_pid(ricci_modlog_t)
-@@ -401,9 +393,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
+@@ -401,9 +383,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
corecmd_exec_bin(ricci_modrpm_t)
files_search_usr(ricci_modrpm_t)
@@ -65292,7 +65982,7 @@ index 9702ed2..fa21335 100644
optional_policy(`
oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-@@ -428,14 +419,13 @@ kernel_read_system_state(ricci_modservice_t)
+@@ -428,14 +409,13 @@ kernel_read_system_state(ricci_modservice_t)
corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)
@@ -65308,7 +65998,7 @@ index 9702ed2..fa21335 100644
optional_policy(`
ccs_read_config(ricci_modservice_t)
-@@ -460,7 +450,6 @@ optional_policy(`
+@@ -460,7 +440,6 @@ optional_policy(`
allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:process { setsched signal };
@@ -65316,7 +66006,7 @@ index 9702ed2..fa21335 100644
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
kernel_read_kernel_sysctls(ricci_modstorage_t)
-@@ -480,16 +469,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
+@@ -480,21 +459,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
files_manage_etc_files(ricci_modstorage_t)
files_read_etc_runtime_files(ricci_modstorage_t)
@@ -65334,13 +66024,18 @@ index 9702ed2..fa21335 100644
term_dontaudit_use_console(ricci_modstorage_t)
-logging_send_syslog_msg(ricci_modstorage_t)
+-
+-miscfiles_read_localization(ricci_modstorage_t)
+auth_use_nsswitch(ricci_modstorage_t)
--miscfiles_read_localization(ricci_modstorage_t)
+-optional_policy(`
+- aisexec_stream_connect(ricci_modstorage_t)
+- corosync_stream_connect(ricci_modstorage_t)
+-')
+logging_send_syslog_msg(ricci_modstorage_t)
optional_policy(`
- aisexec_stream_connect(ricci_modstorage_t)
+ ccs_stream_connect(ricci_modstorage_t)
diff --git a/rlogin.fc b/rlogin.fc
index f111877..e361ee9 100644
--- a/rlogin.fc
@@ -66099,7 +66794,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..37860b7 100644
+index e5212e6..699925d 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -66288,25 +66983,25 @@ index e5212e6..37860b7 100644
optional_policy(`
- nis_read_ypserv_config(rpcd_t)
+ domain_unconfined_signal(rpcd_t)
++')
++
++optional_policy(`
++ quota_manage_db(rpcd_t)
')
optional_policy(`
- quota_manage_db_files(rpcd_t)
-+ quota_manage_db(rpcd_t)
++ nis_read_ypserv_config(rpcd_t)
')
optional_policy(`
- rgmanager_manage_tmp_files(rpcd_t)
-+ nis_read_ypserv_config(rpcd_t)
++ quota_read_db(rpcd_t)
')
optional_policy(`
- unconfined_signal(rpcd_t)
-+ quota_read_db(rpcd_t)
-+')
-+
-+optional_policy(`
-+ rgmanager_manage_tmp_files(rpcd_t)
++ rhcs_manage_cluster_tmp_files(rpcd_t)
')
########################################
@@ -68164,7 +68859,7 @@ index f1140ef..c5bd83a 100644
+ files_etc_filetrans($1, rsync_etc_t, $2, $3)
')
diff --git a/rsync.te b/rsync.te
-index e3e7c96..2574954 100644
+index e3e7c96..68cba2d 100644
--- a/rsync.te
+++ b/rsync.te
@@ -1,4 +1,4 @@
@@ -68173,7 +68868,7 @@ index e3e7c96..2574954 100644
########################################
#
-@@ -6,67 +6,60 @@ policy_module(rsync, 1.12.2)
+@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2)
#
## <desc>
@@ -68182,12 +68877,12 @@ index e3e7c96..2574954 100644
-## cifs file systems.
-## </p>
+## <p>
-+## Allow rsync servers to share cifs files systems
++## Allow rsync to run as a client
+## </p>
## </desc>
- gen_tunable(rsync_use_cifs, false)
-
- ## <desc>
+-gen_tunable(rsync_use_cifs, false)
+-
+-## <desc>
-## <p>
-## Determine whether rsync can
-## use fuse file systems.
@@ -68200,11 +68895,9 @@ index e3e7c96..2574954 100644
-## Determine whether rsync can use
-## nfs file systems.
-## </p>
-+## <p>
-+## Allow rsync servers to share nfs files systems
-+## </p>
- ## </desc>
- gen_tunable(rsync_use_nfs, false)
+-## </desc>
+-gen_tunable(rsync_use_nfs, false)
++gen_tunable(rsync_client, false)
## <desc>
-## <p>
@@ -68212,10 +68905,11 @@ index e3e7c96..2574954 100644
-## run as a client
-## </p>
+## <p>
-+## Allow rsync to run as a client
++## Allow rsync to export any files/directories read only.
+## </p>
## </desc>
- gen_tunable(rsync_client, false)
+-gen_tunable(rsync_client, false)
++gen_tunable(rsync_export_all_ro, false)
## <desc>
-## <p>
@@ -68223,21 +68917,15 @@ index e3e7c96..2574954 100644
-## export all content read only.
-## </p>
+## <p>
-+## Allow rsync to export any files/directories read only.
-+## </p>
- ## </desc>
- gen_tunable(rsync_export_all_ro, false)
-
- ## <desc>
-+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(rsync_export_all_ro, false)
+gen_tunable(rsync_anon_write, false)
-+
-+## <desc>
+
+ ## <desc>
## <p>
-## Determine whether rsync can modify
-## public files used for public file
@@ -68268,7 +68956,7 @@ index e3e7c96..2574954 100644
files_type(rsync_data_t)
type rsync_log_t;
-@@ -86,15 +79,25 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -68299,7 +68987,7 @@ index e3e7c96..2574954 100644
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +111,76 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +97,76 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -75129,7 +75817,7 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 81864ce..a56b827 100644
+index 81864ce..54a1bc6 100644
--- a/snmp.te
+++ b/snmp.te
@@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t)
@@ -75195,6 +75883,15 @@ index 81864ce..a56b827 100644
seutil_dontaudit_search_config(snmpd_t)
+@@ -131,7 +133,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- corosync_stream_connect(snmpd_t)
++ rhcs_stream_connect_cluster(snmpd_t)
+ ')
+
+ optional_policy(`
diff --git a/snort.if b/snort.if
index 7d86b34..5f58180 100644
--- a/snort.if
@@ -86819,18 +87516,23 @@ index 1e3aec0..d17ff39 100644
+
')
diff --git a/wdmd.te b/wdmd.te
-index ebbdaf6..63c53ba 100644
+index ebbdaf6..956f8f0 100644
--- a/wdmd.te
+++ b/wdmd.te
-@@ -51,8 +51,6 @@ auth_use_nsswitch(wdmd_t)
+@@ -51,10 +51,8 @@ auth_use_nsswitch(wdmd_t)
logging_send_syslog_msg(wdmd_t)
-miscfiles_read_localization(wdmd_t)
-
optional_policy(`
- corosync_initrc_domtrans(wdmd_t)
- corosync_stream_connect(wdmd_t)
+- corosync_initrc_domtrans(wdmd_t)
+- corosync_stream_connect(wdmd_t)
+- corosync_rw_tmpfs(wdmd_t)
++ rhcs_initrc_domtrans_cluster(wdmd_t)
++ rhcs_stream_connect_cluster(wdmd_t)
++ rhcs_rw_cluster_tmpfs(wdmd_t)
+ ')
diff --git a/webadm.te b/webadm.te
index 708254f..d26f598 100644
--- a/webadm.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 45f4167..1d8a7f4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 16%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -230,7 +230,7 @@ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
-/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;
+/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \
%define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
@@ -253,7 +253,7 @@ fi;
. %{_sysconfdir}/selinux/config; \
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
- (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp ) \
+ (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
/usr/sbin/semodule -B -n -s %2; \
else \
touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
@@ -526,6 +526,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-18
+- Fix POSTIN scriptlet
+
+* Fri Mar 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-17
+- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp
+
* Wed Feb 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-16
- Fix authconfig.py labeling
- Make any domains that write homedir content do it correctly