diff --git a/Changelog b/Changelog
index 9cf3910..72baf6d 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Unconditional staff and user oidentd home config access from Dominick Grift.
- Conditional mmap_zero support from Dominick Grift.
- Added devtmpfs support.
- Dbadm updates from KaiGai Kohei.
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 86644f0..cec5c56 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -1,4 +1,4 @@
-policy_module(certwatch, 1.5.1)
+policy_module(certwatch, 1.5.2)
########################################
#
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index fd55ce2..bfda8e9 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.11.1)
+policy_module(firstboot, 1.11.2)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
index 35f2bb0..f48e9dd 100644
--- a/policy/modules/admin/smoltclient.te
+++ b/policy/modules/admin/smoltclient.te
@@ -1,4 +1,4 @@
-policy_module(smoltclient,1.0.0)
+policy_module(smoltclient, 1.0.1)
########################################
#
@@ -18,7 +18,7 @@ files_tmp_file(smoltclient_tmp_t)
# Local policy
#
-allow smoltclient_t self:process { setsched getsched };
+allow smoltclient_t self:process { setsched getsched };
allow smoltclient_t self:fifo_file rw_fifo_file_perms;
allow smoltclient_t self:tcp_socket create_socket_perms;
diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
index 31397a3..25b6f5a 100644
--- a/policy/modules/apps/awstats.te
+++ b/policy/modules/apps/awstats.te
@@ -1,4 +1,4 @@
-policy_module(awstats, 1.2.0)
+policy_module(awstats, 1.2.1)
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 06b7974..b0d95d4 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.1.1)
+policy_module(staff, 2.1.2)
########################################
#
@@ -53,27 +53,40 @@ optional_policy(`
')
optional_policy(`
- mozilla_run_plugin(staff_t, staff_r)
+ auditadm_role_change(staff_r)
')
optional_policy(`
- auditadm_role_change(staff_r)
+ dbadm_role_change(staff_r)
')
optional_policy(`
- dbadm_role_change(staff_r)
+ accountsd_dbus_chat(staff_t)
+ accountsd_read_lib_files(staff_t)
')
optional_policy(`
- logadm_role_change(staff_r)
+ gnomeclock_dbus_chat(staff_t)
')
optional_policy(`
- webadm_role_change(staff_r)
+ firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ lpd_list_spool(staff_t)
')
optional_policy(`
- kerneloops_manage_tmp_files(staff_t)
+ kerneloops_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ logadm_role_change(staff_r)
+')
+
+optional_policy(`
+ mozilla_run_plugin(staff_t, staff_r)
')
optional_policy(`
@@ -86,15 +99,19 @@ optional_policy(`
')
optional_policy(`
- secadm_role_change(staff_r)
+ rtkit_scheduled(staff_t)
')
optional_policy(`
- unconfined_role_change(staff_r)
+ rpm_dbus_chat(staff_usertype)
')
optional_policy(`
- rtkit_scheduled(staff_t)
+ secadm_role_change(staff_r)
+')
+
+optional_policy(`
+ sandbox_transition(staff_t, staff_r)
')
optional_policy(`
@@ -102,6 +119,16 @@ optional_policy(`
')
optional_policy(`
+ sysadm_role_change(staff_r)
+ userdom_dontaudit_use_user_terminals(staff_t)
+')
+optional_policy(`
+ setroubleshoot_stream_connect(staff_t)
+ setroubleshoot_dbus_chat(staff_t)
+ setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
+optional_policy(`
ssh_role_template(staff, staff_r, staff_t)
')
@@ -110,12 +137,23 @@ optional_policy(`
')
optional_policy(`
- sysadm_role_change(staff_r)
- userdom_dontaudit_use_user_terminals(staff_t)
+ telepathy_dbus_session_role(staff_r, staff_t)
')
optional_policy(`
- telepathy_dbus_session_role(staff_r, staff_t)
+ userhelper_console_role_template(staff, staff_r, staff_usertype)
+')
+
+optional_policy(`
+ unconfined_role_change(staff_r)
+')
+
+optional_policy(`
+ virt_stream_connect(staff_t)
+')
+
+optional_policy(`
+ webadm_role_change(staff_r)
')
optional_policy(`
@@ -235,46 +273,3 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
-
-optional_policy(`
- accountsd_dbus_chat(staff_t)
- accountsd_read_lib_files(staff_t)
-')
-
-optional_policy(`
- gnomeclock_dbus_chat(staff_t)
-')
-
-optional_policy(`
- firewallgui_dbus_chat(staff_t)
-')
-
-optional_policy(`
- lpd_list_spool(staff_t)
-')
-
-optional_policy(`
- kerneloops_dbus_chat(staff_t)
-')
-
-optional_policy(`
- rpm_dbus_chat(staff_usertype)
-')
-
-optional_policy(`
- sandbox_transition(staff_t, staff_r)
-')
-
-optional_policy(`
- setroubleshoot_stream_connect(staff_t)
- setroubleshoot_dbus_chat(staff_t)
- setroubleshoot_dbus_chat_fixit(staff_t)
-')
-
-optional_policy(`
- virt_stream_connect(staff_t)
-')
-
-optional_policy(`
- userhelper_console_role_template(staff, staff_r, staff_usertype)
-')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index aac3fe1..2932c13 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.1.1)
+policy_module(unprivuser, 2.1.2)
# this module should be named user, but that is
# a compile error since user is a keyword.
@@ -19,6 +19,11 @@ optional_policy(`
')
optional_policy(`
+ oident_manage_user_content(user_t)
+ oident_relabel_user_content(user_t)
+')
+
+optional_policy(`
mozilla_run_plugin(user_t, user_r)
')
@@ -39,11 +44,11 @@ optional_policy(`
')
optional_policy(`
- telepathy_dbus_session_role(user_r, user_t)
+ setroubleshoot_dontaudit_stream_connect(user_t)
')
optional_policy(`
- setroubleshoot_dontaudit_stream_connect(user_t)
+ telepathy_dbus_session_role(user_r, user_t)
')
optional_policy(`
@@ -53,7 +58,7 @@ optional_policy(`
ifndef(`distro_redhat',`
optional_policy(`
auth_role(user_r, user_t)
- ')
+ ')
optional_policy(`
bluetooth_role(user_r, user_t)
@@ -70,7 +75,7 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(user, user_r, user_t)
')
-
+
optional_policy(`
evolution_role(user_r, user_t)
')
@@ -120,11 +125,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- oident_manage_user_content(user_t)
- oident_relabel_user_content(user_t)
- ')
-
- optional_policy(`
postgresql_role(user_r, user_t)
')
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index de26af5..ceb2142 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -208,7 +208,7 @@ interface(`amavis_create_pid_files',`
########################################
## <summary>
-## All of the rules required to administrate
+## All of the rules required to administrate
## an amavis environment
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 31f4612..c3a1903 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -95,7 +95,7 @@ logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
-files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file dir })
+files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(amavis_t)
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index f31b5c9..3be8b9b 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.9.0)
+policy_module(arpwatch, 1.9.1)
########################################
#
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index b819a47..a0dfd2f 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.10.0)
+policy_module(canna, 1.10.1)
########################################
#
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index f9335fb..fa62787 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -20,7 +20,7 @@ interface(`certmaster_domtrans',`
####################################
## <summary>
-## Execute certmaster.
+## Execute certmaster in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -98,7 +98,7 @@ interface(`certmaster_manage_log',`
########################################
## <summary>
-## All of the rules required to administrate
+## All of the rules required to administrate
## an snort environment
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index da60c93..4aef864 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.1.1)
+policy_module(certmaster, 1.1.2)
########################################
#
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index 261a37c..1a65b5e 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.0.0)
+policy_module(certmonger, 1.0.1)
########################################
#
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index efbc8af..9971337 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -42,6 +42,7 @@ template(`courier_domain_template',`
manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ files_search_pids(courier_$1_t)
files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
kernel_read_system_state(courier_$1_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 72901d8..37f4810 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.9.0)
+policy_module(courier, 1.9.1)
########################################
#
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index 0cb9ac9..8bab059 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,4 +1,4 @@
-policy_module(dcc, 1.9.0)
+policy_module(dcc, 1.9.1)
########################################
#
@@ -233,7 +233,7 @@ files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
-files_pid_filetrans(dccd_t, dccd_var_run_t, { file dir })
+files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index bd97d09..e723266 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -1,4 +1,4 @@
-policy_module(djbdns, 1.4.0)
+policy_module(djbdns, 1.4.1)
########################################
#
@@ -7,10 +7,11 @@ policy_module(djbdns, 1.4.0)
type djbdns_axfrdns_t;
type djbdns_axfrdns_exec_t;
-type djbdns_axfrdns_conf_t;
domain_type(djbdns_axfrdns_t)
domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
role system_r types djbdns_axfrdns_t;
+
+type djbdns_axfrdns_conf_t;
files_config_file(djbdns_axfrdns_conf_t)
djbdns_daemontools_domain_template(dnscache)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 5f5b57b..870d101 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.10.0)
+policy_module(fetchmail, 1.10.1)
########################################
#
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index 4992511..80befb0 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -1,4 +1,4 @@
-policy_module(icecast, 1.0.0)
+policy_module(icecast, 1.0.1)
########################################
#
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
index b314c0d..34eee5f 100644
--- a/policy/modules/services/nslcd.te
+++ b/policy/modules/services/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.1.0)
+policy_module(nslcd, 1.1.1)
########################################
#
diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
index 35b9bfa..b40e1e7 100644
--- a/policy/modules/services/nut.te
+++ b/policy/modules/services/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.1.0)
+policy_module(nut, 1.1.1)
########################################
#
@@ -41,7 +41,7 @@ read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file dir })
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(nut_upsd_t)
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 975deca..78722e7 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.4.0)
+policy_module(openct, 1.4.1)
########################################
#
@@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
-files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file dir })
+files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index da06e9f..3116191 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.6.0)
+policy_module(pcscd, 1.6.1)
########################################
#
@@ -44,7 +44,6 @@ corenet_tcp_connect_http_port(pcscd_t)
dev_rw_generic_usb_dev(pcscd_t)
dev_rw_smartcard(pcscd_t)
dev_rw_usbfs(pcscd_t)
-dev_list_sysfs(pcscd_t)
dev_read_sysfs(pcscd_t)
files_read_etc_files(pcscd_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0ed1671..4a85c12 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.11.0)
+policy_module(postgresql, 1.11.1)
gen_require(`
class db_database all_db_database_perms;
@@ -205,7 +205,7 @@ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file
manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file dir })
+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
@@ -352,7 +352,6 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
-
########################################
#
# Rules common to administrator clients
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index afaf453..6e8c3c8 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.7.0)
+policy_module(postgrey, 1.7.1)
########################################
#
@@ -50,7 +50,7 @@ files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
-files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file dir })
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 3a12d03..7e84587 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.2.0)
+policy_module(prelude, 1.2.1)
########################################
#
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 2943342..54b3cd3 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.12.0)
+policy_module(radvd, 1.12.1)
########################################
#
@@ -35,7 +35,7 @@ allow radvd_t radvd_etc_t:file read_file_perms;
manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
-files_pid_filetrans(radvd_t, radvd_var_run_t, { file dir })
+files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file })
kernel_read_kernel_sysctls(radvd_t)
kernel_rw_net_sysctls(radvd_t)
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 814a47a..d7f4bd4 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.9.0)
+policy_module(snort, 1.9.1)
########################################
#
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 733250d..7ecb27b 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,4 +1,4 @@
-policy_module(stunnel, 1.9.0)
+policy_module(stunnel, 1.9.1)
########################################
#
@@ -48,7 +48,7 @@ files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
-files_pid_filetrans(stunnel_t, stunnel_var_run_t, { file dir })
+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file })
kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 2ae7a3d..b8dd21a 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.2.0)
+policy_module(zabbix, 1.2.1)
########################################
#
@@ -37,7 +37,7 @@ logging_log_filetrans(zabbix_t, zabbix_log_t, file)
# pid file
manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_t, zabbix_var_run_t, { file dir })
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
files_read_etc_files(zabbix_t)
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 9939bff..c349adc 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.11.0)
+policy_module(zebra, 1.11.1)
########################################
#
@@ -64,7 +64,7 @@ files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
-files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file dir })
+files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
kernel_read_system_state(zebra_t)
kernel_read_network_state(zebra_t)