diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 9973c32..50c1fe5 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -104,7 +104,7 @@ httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
-httpd_tty_comm = false
+httpd_tty_comm = true
# Run CGI in the main httpd domain
#
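Review bot: The default for httpd_tty_comm flips from false to true with no rationale recorded next to it, so every httpd_t process now gets read/write access to the controlling terminal by default instead of only where an administrator opts in. If the motivation is the passphrase prompt for encrypted TLS keys at startup, record it in the comment so the next reviewer can judge whether the wider default is still justified, e.g. `# Allow http daemon to communicate with the TTY (on by default so httpd can prompt for TLS key passphrases at startup)`. If that is not the reason, the safer default is to leave it false and document the toggle instead.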
diff --git a/policy-F14.patch b/policy-F14.patch
index 0e002d9..2b4238e 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -206,7 +206,7 @@ index 3316f6e..f85244d 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
-index af90ef2..fbd2c40 100644
+index af90ef2..9fef0f8 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
@@ -222,14 +222,15 @@ index af90ef2..fbd2c40 100644
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
-@@ -98,7 +98,7 @@ mlsconstrain process { transition dyntransition }
- mlsconstrain process { ptrace }
- (( h1 dom h2) or ( t1 == mcsptraceall ));
-
--mlsconstrain process { sigkill sigstop }
-+mlsconstrain process { signal sigkill sigstop }
+@@ -101,6 +101,9 @@ mlsconstrain process { ptrace }
+ mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
++mlsconstrain process { signal }
++ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
++
+ #
+ # MCS policy for SELinux-enabled databases
#
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index f76ed8a..9a9526a 100644
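Review bot: The new `mlsconstrain process { signal }` rule covers only the generic `signal` permission, so a domain tagged mcsuntrustedproc can still use `signull` (and `sigchld`) against processes in other categories, which is enough to probe for live PIDs across sandboxes; if cross-category isolation is the goal, consider `mlsconstrain process { signal signull }` or state in a comment why `signull` is deliberately left open. Note also that the earlier revision placed `signal` under the mcskillall rule for every domain, and this revision narrows it to mcsuntrustedproc domains only; a one-line comment above the rule such as `# generic signals across categories are denied only for MCS-untrusted (sandbox) domains` would make the narrowing read as intentional. The mcs file continues outside the hunk.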
@@ -1172,7 +1173,7 @@ index 95dbcf3..bdba9c5 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
-index 0948921..b83f3db 100644
+index 0948921..f198119 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -18,6 +18,24 @@ interface(`shorewall_domtrans',`
@@ -1239,20 +1240,30 @@ index 0948921..b83f3db 100644
')
allow $1 shorewall_t:process { ptrace signal_perms };
-@@ -153,12 +191,12 @@ interface(`shorewall_admin',`
- files_search_locks($1)
+@@ -147,18 +185,18 @@ interface(`shorewall_admin',`
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+- files_search_locks($1)
++ files_list_locks($1)
admin_pattern($1, shorewall_lock_t)
- files_search_pids($1)
- admin_pattern($1, shorewall_var_run_t)
-
- files_search_var_lib($1)
+- files_search_var_lib($1)
++ files_list_var_lib($1)
admin_pattern($1, shorewall_var_lib_t)
-+ logging_search_logs($1)
+- files_search_tmp($1)
++ logging_list_logs($1)
+ admin_pattern($1, shorewall_log_t)
+
- files_search_tmp($1)
++ files_list_tmp($1)
admin_pattern($1, shorewall_tmp_t)
')
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
@@ -1391,10 +1402,10 @@ index d2c068d..914e1ac 100644
##
##
diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 51f7c3a..707fb3d 100644
+index 51f7c3a..eb63a79 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
-@@ -36,6 +36,8 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+@@ -36,15 +36,17 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
@@ -1403,6 +1414,17 @@ index 51f7c3a..707fb3d 100644
term_use_all_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
+ auth_write_login_records(shutdown_t)
+
+-init_dontaudit_write_utmp(shutdown_t)
+-init_read_utmp(shutdown_t)
++init_rw_utmp(shutdown_t)
+ init_telinit(shutdown_t)
+
++logging_search_logs(shutdown_t)
+ logging_send_audit_msgs(shutdown_t)
+
+ miscfiles_read_localization(shutdown_t)
@@ -55,5 +57,10 @@ optional_policy(`
')
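Review bot: Replacing init_dontaudit_write_utmp/init_read_utmp with init_rw_utmp and adding auth_write_login_records turns what was a silenced denial into a real grant on utmp, wtmp and lastlog for shutdown_t, and nothing in the hunk records why. If this is for the runlevel/shutdown entry that shutdown(8) writes, a comment such as `# shutdown records the runlevel change in utmp/wtmp` next to `init_rw_utmp(shutdown_t)` would keep the widening from being rolled back as noise later. The shutdown_t local policy starts and ends outside the hunk.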
@@ -2230,7 +2252,7 @@ index 00a19e3..46db5ff 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..250935a 100644
+index f5afe78..594dc0f 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -37,8 +37,7 @@ interface(`gnome_role',`
@@ -2243,7 +2265,7 @@ index f5afe78..250935a 100644
##
##
##
-@@ -46,19 +45,276 @@ interface(`gnome_role',`
+@@ -46,37 +45,313 @@ interface(`gnome_role',`
##
##
#
@@ -2284,11 +2306,12 @@ index f5afe78..250935a 100644
+## Dontaudit search gnome homedir content (.config)
+##
+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-template(`gnome_read_gconf_config',`
+interface(`gnome_dontaudit_search_config',`
+ gen_require(`
+ attribute gnome_home_type;
@@ -2522,10 +2545,15 @@ index f5afe78..250935a 100644
+## read gconf config files
+##
+##
- ##
- ## Domain allowed access.
- ##
-@@ -71,12 +327,31 @@ template(`gnome_read_gconf_config',`
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
allow $1 gconf_etc_t:dir list_dir_perms;
read_files_pattern($1, gconf_etc_t, gconf_etc_t)
@@ -2709,7 +2737,7 @@ index f5afe78..250935a 100644
##
#
-interface(`gnome_manage_config',`
-+template(`gnome_list_home_config',`
++interface(`gnome_list_home_config',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
@@ -2749,7 +2777,7 @@ index f5afe78..250935a 100644
+##
+##
+#
-+template(`gnome_read_home_config',`
++interface(`gnome_read_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
@@ -3672,7 +3700,7 @@ index 9a6d67d..47aa143 100644
## mozilla over dbus.
##
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..7c260fa 100644
+index cbf4bec..0a9a921 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3745,7 +3773,7 @@ index cbf4bec..7c260fa 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,89 @@ optional_policy(`
+@@ -266,3 +291,90 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -3824,6 +3852,7 @@ index cbf4bec..7c260fa 100644
+ nsplugin_rw_exec(mozilla_plugin_t)
+ nsplugin_manage_home_dirs(mozilla_plugin_t)
+ nsplugin_manage_home_files(mozilla_plugin_t)
++ nsplugin_signal(mozilla_plugin_t)
+')
+
+optional_policy(`
@@ -3937,10 +3966,10 @@ index 0000000..63abc5c
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
new file mode 100644
-index 0000000..c779d44
+index 0000000..9439746
--- /dev/null
+++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,392 @@
+@@ -0,0 +1,411 @@
+
+## policy for nsplugin
+
@@ -4111,6 +4140,7 @@ index 0000000..c779d44
+ allow $1 nsplugin_t:unix_stream_socket connectto;
+ allow nsplugin_t $1:process signal;
+')
++
+#######################################
+##
+## The per role template for the nsplugin module.
@@ -4333,6 +4363,24 @@ index 0000000..c779d44
+ allow $2 nsplugin_exec_t:file entrypoint;
+ domtrans_pattern($1, nsplugin_exec_t, $2)
+')
++
++########################################
++##
++## Send generic signals to user nsplugin processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_signal',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:process signal;
++')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
index 0000000..7bc0dcf
@@ -5118,10 +5166,10 @@ index 0000000..15778fd
+# No types are sandbox_exec_t
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..5dd356f
+index 0000000..587c440
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,336 @@
+@@ -0,0 +1,339 @@
+
+## policy for sandbox
+
@@ -5214,6 +5262,7 @@ index 0000000..5dd356f
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
@@ -5247,6 +5296,7 @@ index 0000000..5dd356f
+
+ type $1_t, sandbox_x_domain;
+ application_type($1_t)
++ mcs_untrusted_proc($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
@@ -5269,6 +5319,7 @@ index 0000000..5dd356f
+
+ type $1_client_t, sandbox_x_domain;
+ application_type($1_client_t)
++ mcs_untrusted_proc($1_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
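Review bot: In the client template the added line reads `mcs_untrusted_proc($1_t)` while the type declared on the line above is `$1_client_t`; as written the client domain is never added to mcsuntrustedproc, so a sandbox X client keeps sending generic signals across categories, and `$1_t` is merely tagged a second time. The line should be `mcs_untrusted_proc($1_client_t)`. The two sibling hunks above tag `$1_t` correctly, which makes this look like a copy-paste slip. The enclosing template starts and ends outside the hunk.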
@@ -7898,7 +7949,7 @@ index 3517db2..bd4c23d 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..96a406d 100644
+index 5302dac..000c53a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8221,7 +8272,32 @@ index 5302dac..96a406d 100644
## Read and write files in the /var directory.
##
##
-@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5053,6 +5288,24 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
++## List generic lock directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
+ ## Search the locks directory (/var/lock).
+ ##
+ ##
+@@ -5138,12 +5391,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -8239,7 +8315,7 @@ index 5302dac..96a406d 100644
')
########################################
-@@ -5317,6 +5552,43 @@ interface(`files_search_pids',`
+@@ -5317,6 +5570,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -8283,7 +8359,7 @@ index 5302dac..96a406d 100644
########################################
##
## Do not audit attempts to search
-@@ -5524,6 +5796,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5814,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -8310,7 +8386,7 @@ index 5302dac..96a406d 100644
## Read all process ID files.
##
##
-@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5851,7 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -8318,7 +8394,7 @@ index 5302dac..96a406d 100644
')
########################################
-@@ -5826,3 +6119,229 @@ interface(`files_unconfined',`
+@@ -5826,3 +6137,229 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -9197,6 +9273,51 @@ index e4f98ce..806026c 100644
########################################
#
# Unlabeled process local policy
+diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
+index f52faaf..3d62385 100644
+--- a/policy/modules/kernel/mcs.if
++++ b/policy/modules/kernel/mcs.if
+@@ -102,3 +102,30 @@ interface(`mcs_process_set_categories',`
+
+ typeattribute $1 mcssetcats;
+ ')
++
++########################################
++##
++## Make specified process type MCS untrusted.
++##
++##
++##
++## Make specified process type MCS untrusted. This
++## prevents this process from sending signals to other processes
++## with different mcs labels
++## object.
++##
++##
++##
++##
++## The type of the process.
++##
++##
++#
++interface(`mcs_untrusted_proc',`
++ gen_require(`
++ attribute mcsuntrustedproc;
++ ')
++
++ typeattribute $1 mcsuntrustedproc;
++')
++
+diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
+index 0e5b661..dbf577f 100644
+--- a/policy/modules/kernel/mcs.te
++++ b/policy/modules/kernel/mcs.te
+@@ -10,3 +10,5 @@ attribute mcsptraceall;
+ attribute mcssetcats;
+ attribute mcswriteall;
+ attribute mcsreadall;
++attribute mcsuntrustedproc;
++
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f8b357c..bc1ed0f 100644
--- a/policy/modules/kernel/selinux.if
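Review bot: The description of mcs_untrusted_proc is garbled (`with different mcs labels` / `object.`) and overstates the effect: the constraint it feeds denies only the generic `signal` permission, and only toward processes whose categories the sender does not dominate, while sigkill/sigstop stay governed by mcskillall. Suggest replacing the description with: `Mark the process type as MCS untrusted. Such a domain may only send generic signals (process:signal) to processes whose MCS categories it dominates; sigkill/sigstop remain governed by the mcskillall rule.` The trailing blank `+` line after the interface, and after the new attribute in mcs.te, is stray whitespace.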
@@ -10707,10 +10828,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..799db36
+index 0000000..a09ca52
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,475 @@
+@@ -0,0 +1,478 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -11084,8 +11205,11 @@ index 0000000..799db36
+')
+
+optional_policy(`
++ optional_policy(`
++ samba_run_unconfined_net(unconfined_t, unconfined_r)
++ ')
++
+ samba_role_notrans(unconfined_r)
-+ samba_run_unconfined_net(unconfined_t, unconfined_r)
+# samba_run_winbind_helper(unconfined_t, unconfined_r)
+ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
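Review bot: The inner `optional_policy` around samba_run_unconfined_net sits directly inside an `optional_policy` that already requires samba_role_notrans and samba_run_smbcontrol; unless samba_run_unconfined_net is declared in a different module from those two, the nesting is redundant and the call can stay beside them as in the previous revision. If it is genuinely optional because a type it needs may be absent from some samba builds, a comment such as `# samba_unconfined_net_t is not present in every samba policy build` would explain why this call is wrapped and its neighbours are not. The enclosing optional_policy block starts outside the hunk.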
@@ -11426,7 +11550,7 @@ index 1bd5812..3b3ba64 100644
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..022c079 100644
+index 0b827c5..8961dba 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -11501,8 +11625,32 @@ index 0b827c5..022c079 100644
#####################################
##
## All of the rules required to administrate
+@@ -286,18 +326,18 @@ interface(`abrt_admin',`
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+- files_search_var($1)
++ files_list_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+ ')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 98646c4..2bd70ae 100644
+index 98646c4..5be7dc8 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
@@ -11510,10 +11658,10 @@ index 98646c4..2bd70ae 100644
#
+##
-+##
-+## Allow ABRT to modify public files
-+## used for public file transfer services.
-+##
++##
++## Allow ABRT to modify public files
++## used for public file transfer services.
++##
+##
+gen_tunable(abrt_anon_write, false)
+
@@ -11571,7 +11719,7 @@ index 98646c4..2bd70ae 100644
+userdom_dontaudit_read_admin_home_files(abrt_t)
+
+tunable_policy(`abrt_anon_write',`
-+ miscfiles_manage_public_files(abrt_t)
++ miscfiles_manage_public_files(abrt_t)
+')
+
+optional_policy(`
@@ -11580,21 +11728,19 @@ index 98646c4..2bd70ae 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,7 +170,12 @@ optional_policy(`
+@@ -150,6 +170,11 @@ optional_policy(`
')
optional_policy(`
-- policykit_dbus_chat(abrt_t)
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
+')
+
+optional_policy(`
-+ policykit_dbus_chat(abrt_t)
+ policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
- policykit_read_reload(abrt_t)
-@@ -178,6 +203,12 @@ optional_policy(`
+@@ -178,12 +203,18 @@ optional_policy(`
')
optional_policy(`
@@ -11607,6 +11753,13 @@ index 98646c4..2bd70ae 100644
sssd_stream_connect(abrt_t)
')
+ ########################################
+ #
+-# abrt--helper local policy
++# abrt-helper local policy
+ #
+
+ allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -11615,37 +11768,51 @@ index 98646c4..2bd70ae 100644
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -217,11 +249,26 @@ term_dontaudit_use_all_ttys(abrt_helper_t)
+@@ -216,7 +248,8 @@ miscfiles_read_localization(abrt_helper_t)
+ term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
- ifdef(`hide_broken_symptoms', `
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
-+ optional_policy(`
-+ rpm_dontaudit_leaks(abrt_helper_t)
-+ ')
dev_dontaudit_read_all_blk_files(abrt_helper_t)
- dev_dontaudit_read_all_chr_files(abrt_helper_t)
+@@ -224,4 +257,18 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
- ')
+
++ optional_policy(`
++ rpm_dontaudit_leaks(abrt_helper_t)
++ ')
++')
+
-+ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
+ gen_require(`
-+ attribute domain;
++ attribute domain;
+ ')
+
-+ allow abrt_t self:capability sys_resource;
++ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
-+')
+ ')
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
-index c0f858d..b46f76f 100644
+index c0f858d..fe060aa 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run accountsd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`accountsd_domtrans',`
@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
type accountsd_t;
')
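Review bot: The relocated hide_broken_symptoms block for abrt_t grants `allow abrt_t domain:file write`, `allow abrt_t domain:process setrlimit` and CAP_SYS_RESOURCE against every domain on the system; unlike the surrounding hide_broken_symptoms blocks these are real allows, not dontaudits, so the build flag here widens abrt_t's reach into every process's /proc files rather than just silencing noise. If this exists so abrt's crash hook can raise the crashing process's core limit, say so above the rules, e.g. `# abrt's core hook raises the crashing process's RLIMIT_CORE and writes its /proc entries`, and consider whether the target can be narrowed from `domain` to the attribute of domains that actually crash into the hook. The abrt_t local policy starts outside the hunk.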
@@ -11693,20 +11860,20 @@ index 8559cdc..49c0cc8 100644
# Allow afs_admin to restart the afs service
afs_initrc_domtrans($1)
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
-index de8b791..9ec36b9 100644
+index de8b791..7e2cdf2 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
-@@ -82,6 +82,10 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
+@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t)
- kernel_rw_afs_state(afs_t)
+ sysnet_dns_name_resolve(afs_t)
-+ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
+
- corenet_all_recvfrom_unlabeled(afs_t)
- corenet_all_recvfrom_netlabel(afs_t)
- corenet_tcp_sendrecv_generic_if(afs_t)
+ ########################################
+ #
+ # AFS bossserver local policy
diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
new file mode 100644
index 0000000..069518f
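Review bot: `kernel_rw_unlabeled_files(afs_t)` under hide_broken_symptoms is an allow on unlabeled_t files, not a dontaudit, so a flag that elsewhere only suppresses audit noise here grants afs_t read/write access to any file that has lost its label. If the intent is to tolerate AFS cache content that comes up unlabeled, a comment such as `# AFS cache files can appear unlabeled; tolerated rather than relabeled` would record that, and a file-context entry or relabel for the cache directory may be the better fix. The afs_t policy starts and ends outside the hunk.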
@@ -11721,10 +11888,10 @@ index 0000000..069518f
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
new file mode 100644
-index 0000000..420c856
+index 0000000..6bf0ad6
--- /dev/null
+++ b/policy/modules/services/aiccu.if
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,116 @@
+## Automatic IPv6 Connectivity Client Utility.
+
+########################################
@@ -11732,9 +11899,9 @@ index 0000000..420c856
+## Execute a domain transition to run aiccu.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`aiccu_domtrans',`
@@ -11746,7 +11913,6 @@ index 0000000..420c856
+ corecmd_search_bin($1)
+')
+
-+
+########################################
+##
+## Execute aiccu server in the aiccu domain.
@@ -11805,7 +11971,6 @@ index 0000000..420c856
+ files_search_pids($1)
+')
+
-+
+########################################
+##
+## All of the rules required to administrate
@@ -11838,14 +12003,14 @@ index 0000000..420c856
+ allow $2 system_r;
+
+ admin_pattern($1, aiccu_etc_t)
-+ files_search_etc($1)
++ files_list_etc($1)
+
+ admin_pattern($1, aiccu_var_run_t)
-+ files_search_pids($1)
++ files_list_pids($1)
+')
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
new file mode 100644
-index 0000000..416c49e
+index 0000000..4b9dc88
--- /dev/null
+++ b/policy/modules/services/aiccu.te
@@ -0,0 +1,71 @@
@@ -11886,8 +12051,8 @@ index 0000000..416c49e
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
-+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
-+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
@@ -11920,6 +12085,34 @@ index 0000000..416c49e
+
+sysnet_domtrans_ifconfig(aiccu_t)
+sysnet_dns_name_resolve(aiccu_t)
+diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
+index 838d25b..0b0db39 100644
+--- a/policy/modules/services/aide.if
++++ b/policy/modules/services/aide.if
+@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
+ ## The role to allow the AIDE domain.
+ ##
+ ##
++##
+ #
+ interface(`aide_run',`
+ gen_require(`
+diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
+index 0370dba..af5d229 100644
+--- a/policy/modules/services/aisexec.if
++++ b/policy/modules/services/aisexec.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run aisexec.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`aisexec_domtrans',`
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 97c9cae..c24bd66 100644
--- a/policy/modules/services/aisexec.te
@@ -11957,11 +12150,10 @@ index 0000000..aeb1888
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
new file mode 100644
-index 0000000..581ae6e
+index 0000000..8e6e2c3
--- /dev/null
+++ b/policy/modules/services/ajaxterm.if
-@@ -0,0 +1,72 @@
-+
+@@ -0,0 +1,68 @@
+## policy for ajaxterm
+
+########################################
@@ -11969,9 +12161,9 @@ index 0000000..581ae6e
+## Execute a domain transition to run ajaxterm.
+##
+##
-+##
++##
+## Domain allowed access.
-+##
++##
+##
+#
+interface(`ajaxterm_domtrans',`
@@ -11982,14 +12174,13 @@ index 0000000..581ae6e
+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
-+
+########################################
+##
+## Execute ajaxterm server in the ajaxterm domain.
+##
+##
+##
-+## The type of the process performing this action.
++## Domain allowed to transition.
+##
+##
+#
@@ -12020,8 +12211,7 @@ index 0000000..581ae6e
+#
+interface(`ajaxterm_admin',`
+ gen_require(`
-+ type ajaxterm_t;
-+ type ajaxterm_initrc_exec_t;
++ type ajaxterm_t, ajaxterm_initrc_exec_t;
+ ')
+
+ allow $1 ajaxterm_t:process { ptrace signal_perms };
@@ -12031,15 +12221,14 @@ index 0000000..581ae6e
+ domain_system_change_exemption($1)
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
+ allow $2 system_r;
-+
+')
diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
new file mode 100644
-index 0000000..3441758
+index 0000000..cf6af13
--- /dev/null
+++ b/policy/modules/services/ajaxterm.te
@@ -0,0 +1,56 @@
-+policy_module(ajaxterm,1.0.0)
++policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
@@ -12071,7 +12260,7 @@ index 0000000..3441758
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
-+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
@@ -12095,6 +12284,41 @@ index 0000000..3441758
+miscfiles_read_localization(ajaxterm_t)
+
+sysnet_dns_name_resolve(ajaxterm_t)
+diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
+index ceb2142..e31d92a 100644
+--- a/policy/modules/services/amavis.if
++++ b/policy/modules/services/amavis.if
+@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
+ type amavis_var_run_t;
+ ')
+
+- allow $1 amavis_var_run_t:file setattr;
++ allow $1 amavis_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+ ')
+
+diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
+index c3a1903..ec40291 100644
+--- a/policy/modules/services/amavis.te
++++ b/policy/modules/services/amavis.te
+@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
+
+ # tmp files
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+-allow amavis_t amavis_tmp_t:dir setattr;
++allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+ files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+ # var/lib files for amavis
+@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+ files_search_var_lib(amavis_t)
+
+ # log files
+-allow amavis_t amavis_var_log_t:dir setattr;
++allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+ logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..8603d4d 100644
--- a/policy/modules/services/apache.fc
@@ -12163,16 +12387,17 @@ index 9e39aa5..8603d4d 100644
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..2244b11 100644
+index c9e1a44..ba64143 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
-@@ -13,17 +13,14 @@
+@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
gen_require(`
- attribute httpdcontent;
- attribute httpd_exec_scripts;
- attribute httpd_script_exec_type;
+- attribute httpd_exec_scripts;
+- attribute httpd_script_exec_type;
++ attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
')
@@ -12186,7 +12411,7 @@ index c9e1a44..2244b11 100644
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
-@@ -36,16 +33,18 @@ template(`apache_content_template',`
+@@ -36,25 +32,25 @@ template(`apache_content_template',`
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
@@ -12207,16 +12432,17 @@ index c9e1a44..2244b11 100644
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
-@@ -54,7 +53,7 @@ template(`apache_content_template',`
- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+-
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
-@@ -86,7 +85,6 @@ template(`apache_content_template',`
+@@ -86,7 +82,6 @@ template(`apache_content_template',`
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -12224,7 +12450,7 @@ index c9e1a44..2244b11 100644
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -95,6 +93,7 @@ template(`apache_content_template',`
+@@ -95,6 +90,7 @@ template(`apache_content_template',`
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
@@ -12232,7 +12458,7 @@ index c9e1a44..2244b11 100644
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
-@@ -108,19 +107,6 @@ template(`apache_content_template',`
+@@ -108,19 +104,6 @@ template(`apache_content_template',`
seutil_dontaudit_search_config(httpd_$1_script_t)
@@ -12252,7 +12478,7 @@ index c9e1a44..2244b11 100644
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,6 +126,7 @@ template(`apache_content_template',`
+@@ -140,26 +123,36 @@ template(`apache_content_template',`
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -12260,7 +12486,10 @@ index c9e1a44..2244b11 100644
')
tunable_policy(`httpd_enable_cgi',`
-@@ -148,14 +135,19 @@ template(`apache_content_template',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
++ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
@@ -12280,7 +12509,13 @@ index c9e1a44..2244b11 100644
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
-@@ -172,6 +164,7 @@ template(`apache_content_template',`
+
++ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
++
+ kernel_read_system_state(httpd_$1_script_t)
+
+ dev_read_urand(httpd_$1_script_t)
+@@ -172,6 +165,7 @@ template(`apache_content_template',`
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
@@ -12288,7 +12523,7 @@ index c9e1a44..2244b11 100644
')
optional_policy(`
-@@ -182,15 +175,13 @@ template(`apache_content_template',`
+@@ -182,10 +176,6 @@ template(`apache_content_template',`
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
@@ -12299,14 +12534,27 @@ index c9e1a44..2244b11 100644
')
optional_policy(`
- nscd_socket_use(httpd_$1_script_t)
+@@ -211,16 +201,15 @@ template(`apache_content_template',`
+ interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_user_content_t, httpd_user_htaccess_t;
+- type httpd_user_script_t, httpd_user_script_exec_t;
+- type httpd_user_ra_content_t, httpd_user_rw_content_t;
++ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
++ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
-+
-+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
- ')
- ########################################
-@@ -229,6 +220,13 @@ interface(`apache_role',`
+ role $1 types httpd_user_script_t;
+
+ allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+
+- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+@@ -229,6 +218,13 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@@ -12320,7 +12568,7 @@ index c9e1a44..2244b11 100644
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -243,6 +241,8 @@ interface(`apache_role',`
+@@ -243,6 +239,8 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
@@ -12329,33 +12577,33 @@ index c9e1a44..2244b11 100644
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -312,6 +312,25 @@ interface(`apache_domtrans',`
+@@ -312,6 +310,25 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
+######################################
+##
-+## Allow the specified domain to execute apache
-+## in the caller domain.
++## Allow the specified domain to execute apache
++## in the caller domain.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`apache_exec',`
-+ gen_require(`
-+ type httpd_exec_t;
-+ ')
++ gen_require(`
++ type httpd_exec_t;
++ ')
+
-+ can_exec($1, httpd_exec_t)
++ can_exec($1, httpd_exec_t)
+')
+
#######################################
##
## Send a generic signal to apache.
-@@ -400,7 +419,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -400,7 +417,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -12364,7 +12612,16 @@ index c9e1a44..2244b11 100644
')
########################################
-@@ -526,6 +545,25 @@ interface(`apache_rw_cache_files',`
+@@ -482,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
+ type httpd_cache_t;
+ ')
+
+- allow $1 httpd_cache_t:dir setattr;
++ allow $1 httpd_cache_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -526,6 +543,25 @@ interface(`apache_rw_cache_files',`
########################################
##
## Allow the specified domain to delete
@@ -12390,7 +12647,16 @@ index c9e1a44..2244b11 100644
## Apache cache.
##
##
-@@ -740,6 +778,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -694,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
+ type httpd_log_t;
+ ')
+
+- dontaudit $1 httpd_log_t:file { getattr append };
++ dontaudit $1 httpd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -740,6 +776,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
@@ -12416,7 +12682,7 @@ index c9e1a44..2244b11 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -756,6 +813,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +811,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -12424,7 +12690,7 @@ index c9e1a44..2244b11 100644
')
########################################
-@@ -814,6 +872,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +870,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -12432,57 +12698,51 @@ index c9e1a44..2244b11 100644
files_search_var($1)
')
-@@ -836,11 +895,80 @@ interface(`apache_manage_sys_content',`
- ')
-
- files_search_var($1)
-+ apache_search_sys_content($1)
- manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+@@ -841,6 +898,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
+######################################
+##
-+## Allow the specified domain to read
-+## apache system content rw files.
++## Allow the specified domain to read
++## apache system content rw files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+##
+#
+interface(`apache_read_sys_content_rw_files',`
-+ gen_require(`
++ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
-+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+##
-+## Allow the specified domain to manage
-+## apache system content rw files.
++## Allow the specified domain to manage
++## apache system content rw files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+##
+#
+interface(`apache_manage_sys_content_rw',`
-+ gen_require(`
++ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
@@ -12513,11 +12773,12 @@ index c9e1a44..2244b11 100644
########################################
##
## Execute all web scripts in the system
-@@ -858,6 +986,11 @@ interface(`apache_domtrans_sys_script',`
+@@ -857,7 +982,11 @@ interface(`apache_manage_sys_content',`
+ interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
- type httpd_sys_script_t;
-+ type httpd_sys_content_t;
+- type httpd_sys_script_t;
++ type httpd_sys_script_t, httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
@@ -12525,7 +12786,19 @@ index c9e1a44..2244b11 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1078,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -916,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',`
+ ##
+ ##
+ ##
+-## Role allowed access..
++## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`apache_run_all_scripts',`
+ gen_require(`
+@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -12534,33 +12807,33 @@ index c9e1a44..2244b11 100644
')
########################################
-@@ -1086,6 +1219,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
+######################################
+##
-+## Dontaudit attempts to read and write
-+## apache tmp files.
++## Dontaudit attempts to read and write
++## apache tmp files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain to not audit.
++##
+##
+#
+interface(`apache_dontaudit_rw_tmp_files',`
-+ gen_require(`
-+ type httpd_tmp_t;
-+ ')
++ gen_require(`
++ type httpd_tmp_t;
++ ')
+
-+ dontaudit $1 httpd_tmp_t:file { read write };
++ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
########################################
##
## Dontaudit attempts to write
-@@ -1102,7 +1254,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -12569,38 +12842,66 @@ index c9e1a44..2244b11 100644
')
########################################
-@@ -1172,7 +1324,7 @@ interface(`apache_admin',`
- type httpd_modules_t, httpd_lock_t;
- type httpd_var_run_t, httpd_php_tmp_t;
+@@ -1165,17 +1314,14 @@ interface(`apache_cgi_domain',`
+ #
+ interface(`apache_admin',`
+ gen_require(`
+- attribute httpdcontent;
+- attribute httpd_script_exec_type;
+-
++ attribute httpdcontent, httpd_script_exec_type;
+ type httpd_t, httpd_config_t, httpd_log_t;
+- type httpd_modules_t, httpd_lock_t;
+- type httpd_var_run_t, httpd_php_tmp_t;
++ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
++ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
- type httpd_initrc_exec_t;
-+ type httpd_initrc_exec_t, httpd_bool_t;
')
- allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1354,43 @@ interface(`apache_admin',`
+- allow $1 httpd_t:process { getattr ptrace signal_perms };
++ allow $1 httpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
- kernel_search_proc($1)
- allow $1 httpd_t:dir list_dir_perms;
--
-+ ps_process_pattern($1, httpd_t)
- read_lnk_files_pattern($1, httpd_t, httpd_t)
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+@@ -1186,10 +1332,10 @@ interface(`apache_admin',`
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, httpd_log_t)
+ admin_pattern($1, httpd_modules_t)
+@@ -1200,14 +1346,41 @@ interface(`apache_admin',`
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+- kernel_search_proc($1)
+- allow $1 httpd_t:dir list_dir_perms;
+-
+- read_lnk_files_pattern($1, httpd_t, httpd_t)
+-
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
++ files_list_tmp($1)
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
-+ifdef(`TODO',`
-+ apache_set_booleans($1, $2, $3, httpd_bool_t )
-+ seutil_setsebool_role_template($1, $3, $2)
-+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
-+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
-+')
++ ifdef(`TODO',`
++ apache_set_booleans($1, $2, $3, httpd_bool_t)
++ seutil_setsebool_role_template($1, $3, $2)
++ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
++ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
++ ')
+')
+
+########################################
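Review bot: `type httpd_modules_t, httpd_lock_t, httpd_bool_t;` adds httpd_bool_t to apache_admin's gen_require, but the only reference to it is inside the ifdef(`TODO', ...) block at the end of the interface, which m4 never expands unless TODO is defined somewhere in the build; callers therefore pay for a requirement that no active rule uses. Either drop httpd_bool_t from the gen_require until the setsebool support is enabled, or move the requirement into the TODO block alongside the rules that need it. The same block references $2 and $3, so the interface's parameter documentation (outside this hunk) should say whether those arguments are currently honoured.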
@@ -12609,7 +12910,7 @@ index c9e1a44..2244b11 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
@@ -12619,155 +12920,267 @@ index c9e1a44..2244b11 100644
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit $1 httpd_t:tcp_socket { read write };
++ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..86641dd 100644
+index 08dfa0c..300dffb 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,6 +18,8 @@ policy_module(apache, 2.2.0)
+@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
##
- ##
- ## Allow Apache to modify public files
-@@ -36,6 +38,20 @@ gen_tunable(allow_httpd_mod_auth_pam, false)
+-##
+-## Allow Apache to modify public files
+-## used for public file transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-##
++##
++## Allow Apache to modify public files
++## used for public file transfer services. Directories/Files must
++## be labeled public_content_rw_t.
++##
+ ##
+ gen_tunable(allow_httpd_anon_write, false)
##
- ##
-+## Allow httpd scripts and modules execmem/execstack
-+##
+-##
+-## Allow Apache to use mod_auth_pam
+-##
++##
++## Allow Apache to use mod_auth_pam
++##
+ ##
+ gen_tunable(allow_httpd_mod_auth_pam, false)
+
+ ##
+-##
+-## Allow httpd to use built in scripting (usually php)
+-##
++##
++## Allow Apache to use mod_auth_pam
++##
++##
++gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
++
++##
++##
++## Allow httpd scripts and modules execmem/execstack
++##
+##
+gen_tunable(httpd_execmem, false)
+
+##
-+##
-+## Allow httpd daemon to change system limits
-+##
++##
++## Allow httpd daemon to change system limits
++##
+##
+gen_tunable(httpd_setrlimit, false)
+
+##
-+##
- ## Allow httpd to use built in scripting (usually php)
- ##
++##
++## Allow httpd to use built in scripting (usually php)
++##
##
-@@ -43,13 +59,20 @@ gen_tunable(httpd_builtin_scripting, false)
+ gen_tunable(httpd_builtin_scripting, false)
##
- ##
+-##
-## Allow HTTPD scripts and modules to connect to the network using TCP.
-+## Allow HTTPD scripts and modules to connect to the network using any TCP port.
- ##
+-##
++##
++## Allow HTTPD scripts and modules to connect to the network using any TCP port.
++##
##
gen_tunable(httpd_can_network_connect, false)
##
- ##
-+## Allow HTTPD scripts and modules to connect to cobbler over the network.
-+##
+-##
+-## Allow HTTPD scripts and modules to connect to databases over the network.
+-##
++##
++## Allow HTTPD scripts and modules to connect to cobbler over the network.
++##
+##
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
+##
-+##
- ## Allow HTTPD scripts and modules to connect to databases over the network.
- ##
++##
++## Allow HTTPD scripts and modules to connect to databases over the network.
++##
##
-@@ -57,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false)
+ gen_tunable(httpd_can_network_connect_db, false)
##
- ##
-+## Allow httpd to connect to memcache server
-+##
+-##
+-## Allow httpd to act as a relay
+-##
++##
++## Allow httpd to connect to memcache server
++##
+##
+gen_tunable(httpd_can_network_memcache, false)
+
+##
-+##
- ## Allow httpd to act as a relay
- ##
++##
++## Allow httpd to act as a relay
++##
##
-@@ -71,6 +101,13 @@ gen_tunable(httpd_can_sendmail, false)
+ gen_tunable(httpd_can_network_relay, false)
##
- ##
-+## Allow http daemon to check spam
-+##
+-##
+-## Allow http daemon to send mail
+-##
++##
++## Allow http daemon to send mail
++##
+ ##
+ gen_tunable(httpd_can_sendmail, false)
+
+ ##
+-##
+-## Allow Apache to communicate with avahi service via dbus
+-##
++##
++## Allow http daemon to check spam
++##
+##
+gen_tunable(httpd_can_check_spam, false)
+
+##
-+##
- ## Allow Apache to communicate with avahi service via dbus
- ##
++##
++## Allow Apache to communicate with avahi service via dbus
++##
##
-@@ -78,7 +115,7 @@ gen_tunable(httpd_dbus_avahi, false)
+ gen_tunable(httpd_dbus_avahi, false)
##
- ##
+-##
-## Allow httpd cgi support
-+## Allow httpd to execute cgi scripts
- ##
+-##
++##
++## Allow httpd to execute cgi scripts
++##
##
gen_tunable(httpd_enable_cgi, false)
-@@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false)
##
- ##
-+## Allow httpd to read user content
-+##
+-##
+-## Allow httpd to act as a FTP server by
+-## listening on the ftp port.
+-##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
+ ##
+ gen_tunable(httpd_enable_ftp_server, false)
+
+ ##
+-##
+-## Allow httpd to read home directories
+-##
++##
++## Allow httpd to read home directories
++##
+ ##
+ gen_tunable(httpd_enable_homedirs, false)
+
+ ##
+-##
+-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+-##
++##
++## Allow httpd to read user content
++##
+##
+gen_tunable(httpd_read_user_content, false)
+
+##
-+##
- ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
- ##
++##
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++##
##
-@@ -107,6 +151,13 @@ gen_tunable(httpd_ssi_exec, false)
+ gen_tunable(httpd_ssi_exec, false)
##
- ##
-+## Allow Apache to execute tmp content.
-+##
+-##
+-## Unify HTTPD to communicate with the terminal.
+-## Needed for entering the passphrase for certificates at
+-## the terminal.
+-##
++##
++## Allow Apache to execute tmp content.
++##
+##
+gen_tunable(httpd_tmp_exec, false)
+
+##
-+##
- ## Unify HTTPD to communicate with the terminal.
- ## Needed for entering the passphrase for certificates at
- ## the terminal.
-@@ -130,7 +181,7 @@ gen_tunable(httpd_use_cifs, false)
++##
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
++##
+ ##
+ gen_tunable(httpd_tty_comm, false)
##
- ##
+-##
+-## Unify HTTPD handling of all content files.
+-##
++##
++## Unify HTTPD handling of all content files.
++##
+ ##
+ gen_tunable(httpd_unified, false)
+
+ ##
+-##
+-## Allow httpd to access cifs file systems
+-##
++##
++## Allow httpd to access cifs file systems
++##
+ ##
+ gen_tunable(httpd_use_cifs, false)
+
+ ##
+-##
-## Allow httpd to run gpg
-+## Allow httpd to run gpg in gpg-web domain
- ##
+-##
++##
++## Allow httpd to run gpg in gpg-web domain
++##
##
gen_tunable(httpd_use_gpg, false)
-@@ -142,6 +193,13 @@ gen_tunable(httpd_use_gpg, false)
+
+ ##
+-##
+-## Allow httpd to access nfs file systems
+-##
++##
++## Allow httpd to access nfs file systems
++##
##
gen_tunable(httpd_use_nfs, false)
+##
-+##
-+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
-+##
++##
++## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
++##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -216,7 +274,10 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
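Review bot: The description added for the new allow_httpd_mod_auth_ntlm_winbind tunable is a copy of the mod_auth_pam text ("Allow Apache to use mod_auth_pam") and should read `## Allow Apache to use mod_auth_ntlm_winbind`; this text is what administrators see in boolean listings, so a wrong description misleads the person deciding whether to switch it on. In the same hunk the allow_httpd_sys_script_anon_write description says content "must be labeled public_rw_content_t" while the allow_httpd_anon_write description a few lines earlier says "public_content_rw_t" for the same facility; the two cannot both be right, and since both booleans are implemented through miscfiles_manage_public_files the label name should be the same in both.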
@@ -12776,10 +13189,17 @@ index 08dfa0c..86641dd 100644
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
++
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
++typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
++typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +287,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
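Review bot: The comment `# Removal of fastcgi, will cause problems without the following` above the typealias lines says that something breaks but not what, so a reader cannot tell whether the aliases may ever be dropped; the same comment recurs above the httpd_var_run_t alias in the next hunk. Presumably these keep existing on-disk labels and policy references from the removed fastcgi module valid, so a comment such as `# Compatibility aliases for the removed fastcgi module: its types map onto the system CGI types so existing labels and callers keep resolving` would state the reason rather than the symptom. Note that aliasing httpd_fastcgi_rw_content_t onto httpd_sys_rw_content_t also inherits that type's write access for the script domain, which the comment should mention if it is intentional.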
@@ -12790,7 +13210,7 @@ index 08dfa0c..86641dd 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +298,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -12798,7 +13218,17 @@ index 08dfa0c..86641dd 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -286,6 +352,7 @@ allow httpd_t self:udp_socket create_socket_perms;
+@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t)
+ type httpd_var_run_t;
+ files_pid_file(httpd_var_run_t)
+
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
++
+ # File Type of squirrelmail attachments
+ type squirrelmail_spool_t;
+ files_tmp_file(squirrelmail_spool_t)
+@@ -286,6 +369,7 @@ allow httpd_t self:udp_socket create_socket_perms;
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -12806,7 +13236,7 @@ index 08dfa0c..86641dd 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +422,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +439,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -12814,7 +13244,7 @@ index 08dfa0c..86641dd 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +433,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,8 +450,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -12825,7 +13255,7 @@ index 08dfa0c..86641dd 100644
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +448,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +465,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -12841,7 +13271,7 @@ index 08dfa0c..86641dd 100644
domain_use_interactive_fds(httpd_t)
-@@ -402,6 +472,10 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +489,10 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -12852,7 +13282,7 @@ index 08dfa0c..86641dd 100644
libs_read_lib_files(httpd_t)
-@@ -416,16 +490,31 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +507,70 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -12872,24 +13302,23 @@ index 08dfa0c..86641dd 100644
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
-+')
+ ')
+
-+##
-+##
-+## Allow Apache to use mod_auth_pam
-+##
-+##
-+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
-+tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
++ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
- ')
++ ')
')
-@@ -433,19 +522,35 @@ tunable_policy(`httpd_can_network_connect',`
+ tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_t)
++ corenet_sendrecv_mssql_client_packets(httpd_t)
++')
++
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
+')
@@ -12909,20 +13338,24 @@ index 08dfa0c..86641dd 100644
+ corenet_sendrecv_squid_client_packets(httpd_t)
+')
+
++tunable_policy(`httpd_execmem',`
++ allow httpd_t self:process { execmem execstack };
++ allow httpd_sys_script_t self:process { execmem execstack };
++ allow httpd_suexec_t self:process { execmem execstack };
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
- ')
-
++')
++
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
-+')
-+
- tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
- fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')
-@@ -456,6 +561,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+
+ tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+@@ -456,6 +583,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
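Review bot: The httpd_execmem block grants `execmem execstack` to httpd_t and httpd_suexec_t as well as to httpd_sys_script_t, but the tunable's description earlier in this patch ("Allow httpd scripts and modules execmem/execstack") names only scripts and modules. An executable stack and writable-executable mappings in the daemon process itself disable a standard exploit mitigation for the whole web server, so the description should say which domains the boolean affects, e.g. `## Allow httpd, its system CGI scripts and suexec to use writable-executable memory and an executable stack (execmem/execstack)`. If the intent was only to cover modules loaded into httpd_t and the scripts, the httpd_suexec_t line should move out of this block.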
@@ -12933,20 +13366,22 @@ index 08dfa0c..86641dd 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -470,11 +579,25 @@ tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_t)
+@@ -466,8 +597,12 @@ tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
')
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-+ can_exec(httpd_t, httpd_tmp_t)
++ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
-+ can_exec(httpd_sys_script_t, httpd_tmp_t)
-+')
-+
++ can_exec(httpd_sys_script_t, httpd_tmp_t)
+ ')
+
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(httpd_t)
+@@ -475,6 +610,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -12959,7 +13394,7 @@ index 08dfa0c..86641dd 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +607,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +625,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -12976,7 +13411,7 @@ index 08dfa0c..86641dd 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +632,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +650,10 @@ tunable_policy(`httpd_ssi_exec',`
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -12987,7 +13422,7 @@ index 08dfa0c..86641dd 100644
')
optional_policy(`
-@@ -513,7 +647,13 @@ optional_policy(`
+@@ -513,7 +665,13 @@ optional_policy(`
')
optional_policy(`
@@ -13002,7 +13437,7 @@ index 08dfa0c..86641dd 100644
')
optional_policy(`
-@@ -528,7 +668,7 @@ optional_policy(`
+@@ -528,7 +686,7 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -13011,7 +13446,7 @@ index 08dfa0c..86641dd 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +677,12 @@ optional_policy(`
+@@ -537,8 +695,12 @@ optional_policy(`
')
optional_policy(`
@@ -13025,7 +13460,7 @@ index 08dfa0c..86641dd 100644
')
')
-@@ -557,6 +701,7 @@ optional_policy(`
+@@ -557,6 +719,7 @@ optional_policy(`
optional_policy(`
# Allow httpd to work with mysql
@@ -13033,7 +13468,7 @@ index 08dfa0c..86641dd 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +712,7 @@ optional_policy(`
+@@ -567,6 +730,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -13041,37 +13476,24 @@ index 08dfa0c..86641dd 100644
')
optional_policy(`
-@@ -577,12 +723,29 @@ optional_policy(`
+@@ -577,6 +741,16 @@ optional_policy(`
')
optional_policy(`
-+ passenger_domtrans(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_read_lib_files(httpd_t)
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
-+tunable_policy(`httpd_execmem',`
-+ allow httpd_t self:process { execmem execstack };
-+ allow httpd_sys_script_t self:process { execmem execstack };
-+ allow httpd_suexec_t self:process { execmem execstack };
-+')
-+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
-+ postgresql_tcp_connect(httpd_sys_script_t)
- ')
- ')
-
-@@ -591,6 +754,11 @@ optional_policy(`
+@@ -591,6 +765,11 @@ optional_policy(`
')
optional_policy(`
@@ -13083,7 +13505,7 @@ index 08dfa0c..86641dd 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +771,10 @@ optional_policy(`
+@@ -603,6 +782,10 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -13094,7 +13516,7 @@ index 08dfa0c..86641dd 100644
########################################
#
# Apache helper local policy
-@@ -618,6 +790,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +801,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
@@ -13105,12 +13527,57 @@ index 08dfa0c..86641dd 100644
########################################
#
# Apache PHP script local policy
-@@ -699,17 +875,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -654,28 +841,27 @@ libs_exec_lib_files(httpd_php_t)
+ userdom_use_unpriv_users_fds(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_tcp_connect_mysqld_port(httpd_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_t)
+- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+-
+- corenet_tcp_connect_mssql_port(httpd_t)
+- corenet_sendrecv_mssql_client_packets(httpd_t)
+- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mssql_port(httpd_suexec_t)
+- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_mssql_port(httpd_php_t)
++ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(httpd_php_t)
++ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
++ postgresql_unpriv_client(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ ########################################
+@@ -699,17 +885,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@@ -13127,15 +13594,17 @@ index 08dfa0c..86641dd 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +917,21 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +931,20 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
-+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_suexec_t)
++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++')
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
++
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
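Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` is unconditional, while the entrypoint on the wider httpdcontent attribute two lines below is gated by `httpd_enable_cgi && httpd_unified`; with CGI disabled, read-only system web content can still serve as an entry point into the script domain. This line predates the commit (it is context here), but since apache_domtrans_sys_script in apache.if gates its httpd_sys_content_t transition on httpd_enable_cgi, the entrypoint grant should be gated the same way or a comment should explain why it is always on. If domain_entry_file cannot sit inside a conditional block, the plain `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;` under tunable_policy(`httpd_enable_cgi', ...) achieves the gating; whether the typeattribute side of domain_entry_file is still needed elsewhere should be checked.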
@@ -13144,13 +13613,10 @@ index 08dfa0c..86641dd 100644
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+')
-+tunable_policy(`httpd_enable_cgi',`
-+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +957,12 @@ optional_policy(`
+@@ -769,6 +970,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -13158,12 +13624,25 @@ index 08dfa0c..86641dd 100644
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_suexec_t)
++ ')
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_suexec_t)
++ postgresql_unpriv_client(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_suexec_t)
++ ')
+')
+
########################################
#
# Apache system script local policy
-@@ -792,9 +986,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +1012,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -13177,14 +13656,19 @@ index 08dfa0c..86641dd 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1001,28 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1027,33 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
+optional_policy(`
-+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-+ spamassassin_domtrans_client(httpd_t)
-+ ')
++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
++ spamassassin_domtrans_client(httpd_t)
++ ')
++')
++
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+')
+
+fs_cifs_entry_type(httpd_sys_script_t)
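Review bot: `spamassassin_domtrans_client(httpd_t)` sits in the "Apache system script local policy" section next to rules whose subject is httpd_sys_script_t, yet it grants the transition to httpd_t; the commit only re-indents it. Either the subject should be `httpd_sys_script_t`, so CGI scripts that may send mail can also invoke the spam client, or the block belongs with the httpd_t rules — which one is intended cannot be told from the hunk. The newly added `httpd_can_network_connect_db` block for httpd_sys_script_t follows the section's convention correctly.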
@@ -13206,10 +13690,23 @@ index 08dfa0c..86641dd 100644
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1050,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -822,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ ')
+
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_sys_script_t)
++ userdom_search_user_home_dirs(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1081,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
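Review bot: The `httpd_enable_homedirs` block for httpd_sys_script_t now grants only `userdom_search_user_home_dirs`, and reading home content moves behind the new `httpd_read_user_content` tunable, so systems that had homedirs enabled will start seeing read denials until the second boolean is also set. The reduction itself is welcome, but the description of httpd_enable_homedirs (in apache.te, outside this hunk) should say that reading user content additionally requires `httpd_read_user_content`, e.g. `## Reading the content itself also requires httpd_read_user_content.`. The enclosing tunable block begins and ends within the hunk; the surrounding section continues outside it.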
@@ -13223,15 +13720,28 @@ index 08dfa0c..86641dd 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1072,7 @@ optional_policy(`
+@@ -842,10 +1107,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_sys_script_t)
++ ')
')
optional_policy(`
-@@ -891,11 +1122,33 @@ optional_policy(`
+ postgresql_stream_connect(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ ########################################
+@@ -891,11 +1166,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -13249,25 +13759,66 @@ index 08dfa0c..86641dd 100644
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
- ')
-+
-+tunable_policy(`httpd_read_user_content',`
-+ userdom_read_user_home_content_files(httpd_user_script_t)
-+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
-+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
++tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
-+')
-+
-+# Removal of fastcgi, will cause problems without the following
-+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
-+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
-+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
-+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
-+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-+
++ userdom_read_user_home_content_files(httpd_suexec_t)
++ userdom_read_user_home_content_files(httpd_user_script_t)
+ ')
+diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
+index e342775..d3451b8 100644
+--- a/policy/modules/services/apcupsd.if
++++ b/policy/modules/services/apcupsd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run apcupsd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`apcupsd_domtrans',`
+@@ -83,9 +83,9 @@ interface(`apcupsd_read_log',`
+ ## apcupsd log files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`apcupsd_append_log',`
+@@ -103,9 +103,9 @@ interface(`apcupsd_append_log',`
+ ## Execute a domain transition to run httpd_apcupsd_cgi_script.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`apcupsd_cgi_script_domtrans',`
+@@ -140,10 +140,8 @@ interface(`apcupsd_cgi_script_domtrans',`
+ #
+ interface(`apcupsd_admin',`
+ gen_require(`
+- type apcupsd_t, apcupsd_tmp_t;
+- type apcupsd_log_t, apcupsd_lock_t;
+- type apcupsd_var_run_t;
+- type apcupsd_initrc_exec_t;
++ type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
++ type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t;
+ ')
+
+ allow $1 apcupsd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 67c91aa..472ddad 100644
--- a/policy/modules/services/apcupsd.te
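Review bot: On the new side the former `tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` block for httpd_t is folded into the plain `httpd_read_user_content` block, so httpd_t gains read access to user home content even when builtin scripting is off; if that widening is not intended, keep the conjunction for the httpd_t rule. The hunk also drops the `httpd_fastcgi_*` typealias block together with its comment warning that removal of fastcgi "will cause problems without the following" — any file context or module that still references those names will fail to load, which cannot be verified from here. The remainder of the hunk (apcupsd.if doc whitespace and the gen_require merge) is cosmetic.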
@@ -13283,11 +13834,49 @@ index 67c91aa..472ddad 100644
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
+diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
+index 1ea99b2..49e6c74 100644
+--- a/policy/modules/services/apm.if
++++ b/policy/modules/services/apm.if
+@@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
+ type apmd_t;
+ ')
+
+- allow $1 apmd_t:fifo_file write;
++ allow $1 apmd_t:fifo_file write_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -89,7 +89,7 @@ interface(`apm_append_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 apmd_log_t:file append;
++ allow $1 apmd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 apmd_var_run_t:sock_file write;
+- allow $1 apmd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
+ ')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..c7cba00 100644
+index 1c8c27e..62bc936 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
-@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
+ #
+ # Declarations
+ #
++
+ type apmd_t;
+ type apmd_exec_t;
+ init_daemon_domain(apmd_t, apmd_exec_t)
+@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
@@ -13295,7 +13884,7 @@ index 1c8c27e..c7cba00 100644
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -81,6 +82,7 @@ kernel_rw_all_sysctls(apmd_t)
+@@ -81,6 +83,7 @@ kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
@@ -13303,7 +13892,7 @@ index 1c8c27e..c7cba00 100644
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
-@@ -142,9 +144,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
@@ -13314,7 +13903,7 @@ index 1c8c27e..c7cba00 100644
')
optional_policy(`
-@@ -155,6 +156,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
@@ -13388,10 +13977,18 @@ index b9e94c4..608e3a1 100644
')
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
-index d80a16b..f384848 100644
+index d80a16b..a43e006 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
-@@ -68,7 +68,8 @@ interface(`automount_read_state',`
+@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
+ ##
+ ##
+ #
+-#
+ interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+@@ -68,7 +67,8 @@ interface(`automount_read_state',`
type automount_t;
')
@@ -13401,7 +13998,16 @@ index d80a16b..f384848 100644
')
########################################
-@@ -149,7 +150,7 @@ interface(`automount_admin',`
+@@ -123,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+ type automount_tmp_t;
+ ')
+
+- dontaudit $1 automount_tmp_t:dir getattr;
++ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
+ ')
+
+ ########################################
+@@ -149,7 +149,7 @@ interface(`automount_admin',`
type automount_var_run_t, automount_initrc_exec_t;
')
@@ -13423,7 +14029,7 @@ index 39799db..6189565 100644
userdom_dontaudit_use_unpriv_user_fds(automount_t)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
-index 210ca0b..e51354d 100644
+index 210ca0b..11e1ba9 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
@@ -13434,8 +14040,18 @@ index 210ca0b..e51354d 100644
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
+@@ -150,8 +151,7 @@ interface(`avahi_dontaudit_search_pid',`
+ #
+ interface(`avahi_admin',`
+ gen_require(`
+- type avahi_t, avahi_var_run_t;
+- type avahi_initrc_exec_t;
++ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ ')
+
+ allow $1 avahi_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index b7bf6f0..803adbf 100644
+index b7bf6f0..52dcf09 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -37,10 +37,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
@@ -13445,16 +14061,44 @@ index b7bf6f0..803adbf 100644
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
- allow avahi_t avahi_var_run_t:dir setattr;
+-allow avahi_t avahi_var_run_t:dir setattr;
-files_pid_filetrans(avahi_t, avahi_var_run_t, file)
++allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..71f5514 100644
+index 44a1e3d..7e9d2fb 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
+@@ -186,7 +186,7 @@ interface(`bind_write_config',`
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+- allow $1 named_conf_t:file setattr;
++ allow $1 named_conf_t:file setattr_file_perms;
+ ')
+
+ ########################################
+@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
+ type named_var_run_t;
+ ')
+
+- allow $1 named_var_run_t:dir setattr;
++ allow $1 named_var_run_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
+ type named_zone_t;
+ ')
+
+- allow $1 named_zone_t:dir setattr;
++ allow $1 named_zone_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
########################################
@@ -13483,19 +14127,21 @@ index 44a1e3d..71f5514 100644
## Manage BIND zone files.
##
##
-@@ -359,9 +380,9 @@ interface(`bind_udp_chat_named',`
+@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_lib_t, named_var_run_t;
-+ type named_conf_t, named_var_run_t;
- type named_cache_t, named_zone_t;
+- type named_cache_t, named_zone_t;
- type dnssec_t, ndc_t;
+- type named_initrc_exec_t;
++ type named_conf_t, named_var_run_t, named_cache_t;
++ type named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_keytab_t;
- type named_initrc_exec_t;
')
-@@ -391,8 +412,7 @@ interface(`bind_admin',`
+ allow $1 named_t:process { ptrace signal_perms };
+@@ -391,8 +411,7 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
@@ -13506,9 +14152,24 @@ index 44a1e3d..71f5514 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..ece1f1f 100644
+index 4deca04..0bde225 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
+@@ -6,10 +6,10 @@ policy_module(bind, 1.11.0)
+ #
+
+ ##
+-##
+-## Allow BIND to write the master zone files.
+-## Generally this is used for dynamic DNS or zone transfers.
+-##
++##
++## Allow BIND to write the master zone files.
++## Generally this is used for dynamic DNS or zone transfers.
++##
+ ##
+ gen_tunable(named_write_master_zones, false)
+
@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -13521,14 +14182,53 @@ index 4deca04..ece1f1f 100644
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
+@@ -201,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
+ allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow ndc_t dnssec_t:file read_file_perms;
+-allow ndc_t dnssec_t:lnk_file { getattr read };
++allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
+
+ stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+ allow ndc_t named_conf_t:file read_file_perms;
+-allow ndc_t named_conf_t:lnk_file { getattr read };
++allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+
+ allow ndc_t named_zone_t:dir search_dir_perms;
+
+@@ -244,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
+
+ # for /etc/rndc.key
+ ifdef(`distro_redhat',`
+- allow ndc_t named_conf_t:dir search;
++ allow ndc_t named_conf_t:dir search_dir_perms;
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
+index ed4e7a2..a64d94d 100644
+--- a/policy/modules/services/bitlbee.if
++++ b/policy/modules/services/bitlbee.if
+@@ -6,7 +6,7 @@
+ ##
+ ##
+ ##
+-## Domain allowed accesss.
++## Domain allowed accesss.
+ ##
+ ##
+ #
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f42cdfc..e74f728 100644
+index f42cdfc..2ba2d1f 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
-@@ -27,6 +27,7 @@ files_type(bitlbee_var_t)
- # Local policy
+@@ -26,7 +26,8 @@ files_type(bitlbee_var_t)
#
+ # Local policy
#
+-#
++
+allow bitlbee_t self:capability { setgid setuid };
allow bitlbee_t self:udp_socket create_socket_perms;
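Review bot: The bitlbee.if description line is rewritten for whitespace only and keeps the typo "accesss"; the new line should read `## Domain allowed access.`. The bind.te and bitlbee.te changes in this hunk (permission-set macros, comment separator) raise nothing.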
@@ -13545,10 +14245,36 @@ index f42cdfc..e74f728 100644
sysnet_dns_name_resolve(bitlbee_t)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
-index 3e45431..328302d 100644
+index 3e45431..fa57a6f 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
-@@ -117,6 +117,27 @@ interface(`bluetooth_dbus_chat',`
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`bluetooth_role',`
+ gen_require(`
+@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+- allow $2 bluetooth_helper_t:process signal;
++ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
+ type bluetooth_conf_t;
+ ')
+
+- allow $1 bluetooth_conf_t:file { getattr read ioctl };
++ allow $1 bluetooth_conf_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',`
########################################
##
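Review bot: `allow $2 bluetooth_helper_t:process { ptrace signal_perms };` in bluetooth_role grants the user domain ptrace over the helper, which the comment above it ("allow ps to show cdrecord and allow the user to kill it") does not call for — signal_perms alone covers killing, while ptrace additionally lets the user domain inspect and control the helper process. Unless a debugging need is known, `allow $2 bluetooth_helper_t:process signal_perms;` is the narrower rule. The comment also still names cdrecord and should say bluetooth_helper. The other changes in this hunk (read_file_perms macro, added doc line) are fine.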
@@ -13576,15 +14302,37 @@ index 3e45431..328302d 100644
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
-@@ -194,7 +215,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',`
+
+ ########################################
+ ##
+-## Read bluetooth helper state files.
++## Do not audit attempts to read bluetooth helper state files.
+ ##
+ ##
+ ##
+@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ type bluetooth_helper_t;
+ ')
+
+- dontaudit $1 bluetooth_helper_t:dir search;
+- dontaudit $1 bluetooth_helper_t:file { read getattr };
++ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
++ dontaudit $1 bluetooth_helper_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
-+ type bluetooth_var_lib_t, bluetooth_var_run_t;
++ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
- type bluetooth_initrc_exec_t;
+- type bluetooth_initrc_exec_t;
')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
@@ -13595,6 +14343,18 @@ index 3e45431..328302d 100644
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 215b86b..08afbb9 100644
+--- a/policy/modules/services/bluetooth.te
++++ b/policy/modules/services/bluetooth.te
+@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
+ #
+ # Declarations
+ #
++
+ type bluetooth_t;
+ type bluetooth_exec_t;
+ init_daemon_domain(bluetooth_t, bluetooth_exec_t)
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
index 0000000..c095160
@@ -13611,11 +14371,10 @@ index 0000000..c095160
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
-index 0000000..272bf74
+index 0000000..fa9b95a
--- /dev/null
+++ b/policy/modules/services/boinc.if
-@@ -0,0 +1,151 @@
-+
+@@ -0,0 +1,150 @@
+## policy for boinc
+
+########################################
@@ -13623,9 +14382,9 @@ index 0000000..272bf74
+## Execute a domain transition to run boinc.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`boinc_domtrans',`
@@ -13638,20 +14397,20 @@ index 0000000..272bf74
+
+#######################################
+##
-+## Execute boinc server in the boinc domain.
++## Execute boinc server in the boinc domain.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`boinc_initrc_domtrans',`
-+ gen_require(`
-+ type boinc_initrc_exec_t;
-+ ')
++ gen_require(`
++ type boinc_initrc_exec_t;
++ ')
+
-+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+########################################
@@ -13689,7 +14448,7 @@ index 0000000..272bf74
+ ')
+
+ files_search_var_lib($1)
-+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
@@ -13709,7 +14468,7 @@ index 0000000..272bf74
+ ')
+
+ files_search_var_lib($1)
-+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
@@ -13727,9 +14486,10 @@ index 0000000..272bf74
+ type boinc_var_lib_t;
+ ')
+
-+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
@@ -13751,8 +14511,7 @@ index 0000000..272bf74
+#
+interface(`boinc_admin',`
+ gen_require(`
-+ type boinc_t, boinc_initrc_exec_t;
-+ type boinc_var_lib_t;
++ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_t:process { ptrace signal_perms };
@@ -13762,17 +14521,17 @@ index 0000000..272bf74
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
-+
++
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..aaf0ba3
+index 0000000..c9622ef
--- /dev/null
+++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,153 @@
-+policy_module(boinc,1.0.0)
+@@ -0,0 +1,166 @@
++policy_module(boinc, 1.0.0)
+
+########################################
+#
@@ -13801,6 +14560,9 @@ index 0000000..aaf0ba3
+
+permissive boinc_project_t;
+
++type boinc_project_tmp_t;
++files_tmp_file(boinc_project_tmp_t)
++
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
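Review bot: `permissive boinc_project_t;` remains on the new side (context at the top of this hunk), so every rule written for boinc_project_t in this module, including the boinc_project_tmp_t handling added here, is logged but never enforced. If that is a deliberate development setting, a comment such as `# TODO: drop permissive once the boinc_project_t rules have been verified` would tell the next reader; otherwise the line should go before the module ships. The Declarations section this hunk belongs to starts outside the hunk.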
@@ -13823,15 +14585,15 @@ index 0000000..aaf0ba3
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
-+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
++fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
-+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
+
-+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
+kernel_read_system_state(boinc_t)
+
@@ -13894,16 +14656,20 @@ index 0000000..aaf0ba3
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+
++manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
++
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
-+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
-+allow boinc_project_t boinc_tmpfs_t:file { read write };
++allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
+
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
@@ -13918,13 +14684,19 @@ index 0000000..aaf0ba3
+
+corenet_tcp_connect_boinc_port(boinc_project_t)
+
++dev_read_rand(boinc_project_t)
+dev_read_urand(boinc_project_t)
++dev_read_sysfs(boinc_project_t)
+dev_rw_xserver_misc(boinc_project_t)
+
+files_read_etc_files(boinc_project_t)
+
++miscfiles_read_fonts(boinc_project_t)
+miscfiles_read_localization(boinc_project_t)
+
++optional_policy(`
++ java_exec(boinc_project_t)
++')
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
new file mode 100644
index 0000000..18f37e2
@@ -13937,10 +14709,10 @@ index 0000000..18f37e2
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
new file mode 100644
-index 0000000..922c4ba
+index 0000000..3964548
--- /dev/null
+++ b/policy/modules/services/bugzilla.if
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,80 @@
+## Bugzilla server
+
+########################################
@@ -14000,10 +14772,9 @@ index 0000000..922c4ba
+#
+interface(`bugzilla_admin',`
+ gen_require(`
-+ type httpd_bugzilla_script_t;
-+ type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
-+ type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
++ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
++ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
++ type httpd_bugzilla_htaccess_t;
+ ')
+
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
@@ -14012,9 +14783,9 @@ index 0000000..922c4ba
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
-+ files_search_var_lib(httpd_bugzilla_script_t)
++ files_list_var_lib(httpd_bugzilla_script_t)
+
-+ apache_search_sys_content($1)
++ apache_list_sys_content($1)
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
@@ -14024,10 +14795,10 @@ index 0000000..922c4ba
+')
diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
new file mode 100644
-index 0000000..d31736b
+index 0000000..c63c8fa
--- /dev/null
+++ b/policy/modules/services/bugzilla.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,55 @@
+policy_module(bugzilla, 1.0)
+
+########################################
@@ -14083,7 +14854,6 @@ index 0000000..d31736b
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
-+
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
new file mode 100644
index 0000000..24d9837
@@ -14121,10 +14891,10 @@ index 0000000..24d9837
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
new file mode 100644
-index 0000000..89d19e0
+index 0000000..3b41945
--- /dev/null
+++ b/policy/modules/services/cachefilesd.if
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,35 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
@@ -14141,7 +14911,6 @@ index 0000000..89d19e0
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
-+
+## policy for cachefilesd
+
+########################################
@@ -14149,9 +14918,9 @@ index 0000000..89d19e0
+## Execute a domain transition to run cachefilesd.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`cachefilesd_domtrans',`
@@ -14159,19 +14928,14 @@ index 0000000..89d19e0
+ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
-+ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
-+
-+ allow $1 cachefilesd_t:fd use;
-+ allow cachefilesd_t $1:fd use;
-+ allow cachefilesd_t $1:fifo_file rw_file_perms;
-+ allow cachefilesd_t $1:process sigchld;
++ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
+')
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644
-index 0000000..e67f987
+index 0000000..575c16e
--- /dev/null
+++ b/policy/modules/services/cachefilesd.te
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,143 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -14191,7 +14955,7 @@ index 0000000..e67f987
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
-+policy_module(cachefilesd,1.0.17)
++policy_module(cachefilesd, 1.0.17)
+
+###############################################################################
+#
@@ -14216,7 +14980,6 @@ index 0000000..e67f987
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
-+domain_type(cachefilesd_t)
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
@@ -14252,36 +15015,33 @@ index 0000000..e67f987
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
-+allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
-+
-+# Basic access
-+files_read_etc_files(cachefilesd_t)
-+libs_use_ld_so(cachefilesd_t)
-+libs_use_shared_libs(cachefilesd_t)
-+miscfiles_read_localization(cachefilesd_t)
-+logging_send_syslog_msg(cachefilesd_t)
-+init_dontaudit_use_script_ptys(cachefilesd_t)
-+term_dontaudit_use_generic_ptys(cachefilesd_t)
-+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
-+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
-+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
-+files_pid_file(cachefilesd_var_run_t)
-+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
++manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
-+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
++allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
+
+# Allow access to cache superstructure
-+allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
-+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
++allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
++allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
++# Basic access
++files_read_etc_files(cachefilesd_t)
++miscfiles_read_localization(cachefilesd_t)
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
++term_dontaudit_use_generic_ptys(cachefilesd_t)
++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
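Review bot: `files_pid_file(cachefilesd_var_run_t)` is removed from this block with no replacement visible in the hunk, while `files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)` just above still treats the type as a pid file. If the Declarations section (outside this hunk) already attributes the type this is a harmless de-duplication; otherwise the pid file loses its attribute and interfaces that match on it will no longer cover it — worth confirming. `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` is subsumed by the manage_files_pattern that follows it and could be dropped. `files_create_as_is_all_files(cachefilesd_t)` is a broad grant and deserves a one-line comment on why the daemon must create files under arbitrary labels.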
@@ -14293,14 +15053,14 @@ index 0000000..e67f987
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
-+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
++allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
+
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
-+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
++allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
+
+###############################################################################
+#
@@ -14310,18 +15070,66 @@ index 0000000..e67f987
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-+allow cachefiles_kernel_t initrc_t:process sigchld;
+
-+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
-+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
++manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
++
++init_sigchld_script(cachefiles_kernel_t)
+diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
+index a0dfd2f..d60e2bf 100644
+--- a/policy/modules/services/canna.te
++++ b/policy/modules/services/canna.te
+@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+ allow canna_t self:tcp_socket create_stream_socket_perms;
+
+ manage_files_pattern(canna_t, canna_log_t, canna_log_t)
+-allow canna_t canna_log_t:dir setattr;
++allow canna_t canna_log_t:dir setattr_dir_perms;
+ logging_log_filetrans(canna_t, canna_log_t, { file dir })
+
+ manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
+index 6ee2cc8..3105b09 100644
+--- a/policy/modules/services/ccs.if
++++ b/policy/modules/services/ccs.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ccs.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ccs_domtrans',`
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
-index 4c90b57..bffe6b6 100644
+index 4c90b57..8d7e14e 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
+@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
+-allow ccs_t ccs_var_log_t:dir setattr;
++allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
+ userdom_manage_unpriv_user_shared_mem(ccs_t)
+ userdom_manage_unpriv_user_semaphores(ccs_t)
+
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
+ ')
@@ -118,5 +118,10 @@ optional_policy(`
')
@@ -14333,10 +15141,71 @@ index 4c90b57..bffe6b6 100644
+optional_policy(`
unconfined_use_fds(ccs_t)
')
+diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
+index fa62787..ffd0da5 100644
+--- a/policy/modules/services/certmaster.if
++++ b/policy/modules/services/certmaster.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run certmaster.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`certmaster_domtrans',`
+@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
+ ##
+ ##
+ ##
+-## The role to be allowed to manage the syslog domain.
++## Role allowed access.
+ ##
+ ##
+ ##
+@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
+ interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+- type certmaster_etc_rw_t, certmaster_var_log_t;
+- type certmaster_initrc_exec_t;
++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+@@ -129,8 +128,8 @@ interface(`certmaster_admin',`
+ allow $2 system_r;
+
+ files_list_etc($1)
+- miscfiles_manage_generic_cert_dirs($1)
+- miscfiles_manage_generic_cert_files($1)
++ miscfiles_manage_generic_cert_dirs($1)
++ miscfiles_manage_generic_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
-index 73f03ff..4aef864 100644
+index 73f03ff..dbfd0a6 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
+@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+ # log files
+ manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
++logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
+
+ # pid file
+ manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+ manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
++files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
+
+ # read meminfo
+ kernel_read_system_state(certmaster_t)
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
@@ -14345,6 +15214,100 @@ index 73f03ff..4aef864 100644
files_list_var(certmaster_t)
files_search_var_lib(certmaster_t)
+diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
+index 7a6e5ba..d664be8 100644
+--- a/policy/modules/services/certmonger.if
++++ b/policy/modules/services/certmonger.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run certmonger.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`certmonger_domtrans',`
+@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+ ')
+diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
+index 1a65b5e..1c87fb3 100644
+--- a/policy/modules/services/certmonger.te
++++ b/policy/modules/services/certmonger.te
+@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+ manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
++files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
+index d020c93..e5cbcef 100644
+--- a/policy/modules/services/cgroup.if
++++ b/policy/modules/services/cgroup.if
+@@ -6,9 +6,9 @@
+ ## CG Clear.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgclear',`
+@@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',`
+ ## CG config parser.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgconfig',`
+@@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
+ ## CG rules engine daemon.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgred',`
+@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
+
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
+- files_search_etc($1)
++ files_list_etc($1)
+
+ admin_pattern($1, cgred_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
+
+ cgroup_initrc_domtrans_cgconfig($1)
+ domain_system_change_exemption($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 8ca2333..63a18fc 100644
--- a/policy/modules/services/cgroup.te
@@ -14370,7 +15333,7 @@ index 8ca2333..63a18fc 100644
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..5a98145 100644
+index 9a0da94..2ede737 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -14383,7 +15346,7 @@ index 9a0da94..5a98145 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
+#
@@ -14463,16 +15426,37 @@ index 9a0da94..5a98145 100644
####################################
##
## All of the rules required to administrate
-@@ -77,6 +153,7 @@ interface(`chronyd_admin',`
+@@ -75,9 +151,9 @@ interface(`chronyd_read_log',`
+ #
+ interface(`chronyd_admin',`
gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
-+ type chronyd_tmpfs_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t;
')
-@@ -100,6 +177,5 @@ interface(`chronyd_admin',`
- files_search_pids($1)
+ allow $1 chronyd_t:process { ptrace signal_perms };
+@@ -88,18 +164,17 @@ interface(`chronyd_admin',`
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
- files_search_tmp($1)
@@ -14512,10 +15496,47 @@ index fa82327..7f4ca47 100644
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
+diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
+index 1f11572..01b02f3 100644
+--- a/policy/modules/services/clamav.if
++++ b/policy/modules/services/clamav.if
+@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
+ type clamd_t, clamd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+ ')
+
+@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
+ interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+- type clamd_var_log_t, clamd_var_lib_t;
+- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+- type clamd_initrc_exec_t;
++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
+ ')
+
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index 8c36027..16598a4 100644
+index 8c36027..f9af97c 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
+@@ -1,9 +1,9 @@
+ policy_module(clamav, 1.8.1)
+
+ ##
+-##
+-## Allow clamd to use JIT compiler
+-##
++##
++## Allow clamd to use JIT compiler
++##
+ ##
+ gen_tunable(clamd_use_jit, false)
+
@@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
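Review bot: The reflowed tunable description `## Allow clamd to use JIT compiler` still names only clamd, but the same boolean switches execmem on for clamscan_t and freshclam_t as well, as the `tunable_policy(\`clamd_use_jit',` blocks around `allow clamscan_t self:process execmem;` and `allow freshclam_t self:process execmem;` in the next two hunks show. This description is what administrators see when they list booleans, so it should state the actual effect, e.g. `## Allow clamd, clamscan and freshclam to use the JIT compiler (grants execmem)`. The wording is only reflowed here, which makes this the natural place to fix it.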
@@ -14540,18 +15561,21 @@ index 8c36027..16598a4 100644
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
+-', `
+ allow clamscan_t self:process execmem;
- ', `
++',`
dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
')
########################################
-@@ -179,9 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +182,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
- allow freshclam_t freshclam_var_log_t:dir setattr;
+-allow freshclam_t freshclam_var_log_t:dir setattr;
-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
++allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
@@ -14572,15 +15596,29 @@ index 8c36027..16598a4 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,6 +218,8 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +218,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
+-optional_policy(`
+- cron_system_entry(freshclam_t, freshclam_exec_t)
+-')
+userdom_stream_connect(freshclam_t)
-+
- optional_policy(`
- cron_system_entry(freshclam_t, freshclam_exec_t)
+
+ tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+-', `
++',`
+ dontaudit freshclam_t self:process execmem;
')
+
++optional_policy(`
++ cron_system_entry(freshclam_t, freshclam_exec_t)
++')
++
+ ########################################
+ #
+ # clamscam local policy
@@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
@@ -14589,6 +15627,43 @@ index 8c36027..16598a4 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
+diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
+index c0a66a4..e438c5f 100644
+--- a/policy/modules/services/clogd.if
++++ b/policy/modules/services/clogd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run clogd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`clogd_domtrans',`
+diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
+index 6077339..d10acd2 100644
+--- a/policy/modules/services/clogd.te
++++ b/policy/modules/services/clogd.te
+@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
+
+ allow clogd_t self:capability { net_admin mknod };
+ allow clogd_t self:process signal;
+-
+ allow clogd_t self:sem create_sem_perms;
+ allow clogd_t self:shm create_shm_perms;
+ allow clogd_t self:netlink_socket create_socket_perms;
+@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
+ # pid files
+ manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+ manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+-files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
++files_pid_filetrans(clogd_t, clogd_var_run_t, file)
+
+ dev_read_lvm_control(clogd_t)
+ dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
new file mode 100644
index 0000000..e500fa5
@@ -14603,11 +15678,10 @@ index 0000000..e500fa5
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
new file mode 100644
-index 0000000..d5b410f
+index 0000000..756ac91
--- /dev/null
+++ b/policy/modules/services/cmirrord.if
-@@ -0,0 +1,118 @@
-+
+@@ -0,0 +1,113 @@
+## policy for cmirrord
+
+########################################
@@ -14615,9 +15689,9 @@ index 0000000..d5b410f
+## Execute a domain transition to run cmirrord.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`cmirrord_domtrans',`
@@ -14667,26 +15741,25 @@ index 0000000..d5b410f
+
+#######################################
+##
-+## Read and write to cmirrord shared memory.
++## Read and write to cmirrord shared memory.
+##
+##
-+##
++##
+## Domain allowed access.
-+##
++##
+##
+#
+interface(`cmirrord_rw_shm',`
-+ gen_require(`
-+ type cmirrord_t;
-+ type cmirrord_tmpfs_t;
-+ ')
++ gen_require(`
++ type cmirrord_t, cmirrord_tmpfs_t;
++ ')
+
-+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
-+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
-+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
++ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+ fs_search_tmpfs($1)
++ fs_search_tmpfs($1)
+')
+
+########################################
@@ -14708,9 +15781,7 @@ index 0000000..d5b410f
+#
+interface(`cmirrord_admin',`
+ gen_require(`
-+ type cmirrord_t;
-+ type cmirrord_initrc_exec_t;
-+ type cmirrord_var_run_t;
++ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
@@ -14721,17 +15792,16 @@ index 0000000..d5b410f
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
-+
+')
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
new file mode 100644
-index 0000000..bb7d429
+index 0000000..a2c7134
--- /dev/null
+++ b/policy/modules/services/cmirrord.te
-@@ -0,0 +1,55 @@
-+policy_module(cmirrord,1.0.0)
+@@ -0,0 +1,53 @@
++policy_module(cmirrord, 1.0.0)
+
+########################################
+#
@@ -14759,9 +15829,7 @@ index 0000000..bb7d429
+allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process signal;
-+
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-+
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
@@ -14773,7 +15841,7 @@ index 0000000..bb7d429
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
-+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
++files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+
+domain_use_interactive_fds(cmirrord_t)
+
@@ -14784,7 +15852,7 @@ index 0000000..bb7d429
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
-+ corosync_stream_connect(cmirrord_t)
++ corosync_stream_connect(cmirrord_t)
+')
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
index 1cf6c4e..90c60df 100644
@@ -14829,9 +15897,40 @@ index 1cf6c4e..90c60df 100644
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 293e08d..b2198bb 100644
+index 293e08d..e3787fb 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
+@@ -1,12 +1,12 @@
+ ## Cobbler installation server.
+ ##
+ ##
+-## Cobbler is a Linux installation server that allows for
+-## rapid setup of network installation environments. It
+-## glues together and automates many associated Linux
+-## tasks so you do not have to hop between lots of various
+-## commands and applications when rolling out new systems,
+-## and, in some cases, changing existing ones.
++## Cobbler is a Linux installation server that allows for
++## rapid setup of network installation environments. It
++## glues together and automates many associated Linux
++## tasks so you do not have to hop between lots of various
++## commands and applications when rolling out new systems,
++## and, in some cases, changing existing ones.
+ ##
+ ##
+
+@@ -15,9 +15,9 @@
+ ## Execute a domain transition to run cobblerd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cobblerd_domtrans',`
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
')
@@ -14922,7 +16021,7 @@ index 293e08d..b2198bb 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
@@ -14939,13 +16038,13 @@ index 293e08d..b2198bb 100644
## All of the rules required to administrate
## an cobblerd environment
##
-@@ -162,10 +186,13 @@ interface(`cobblerd_admin',`
+@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',`
+ interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t;
-+ type httpd_cobbler_content_t;
-+ type httpd_cobbler_content_ra_t;
-+ type httpd_cobbler_content_rw_t;
+- type cobbler_etc_t, cobblerd_initrc_exec_t;
++ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
++ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
')
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
@@ -14953,13 +16052,18 @@ index 293e08d..b2198bb 100644
+ allow $1 cobblerd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cobblerd_t)
- files_search_etc($1)
+- files_search_etc($1)
++ files_list_etc($1)
admin_pattern($1, cobbler_etc_t)
-@@ -176,10 +203,18 @@ interface(`cobblerd_admin',`
- logging_search_logs($1)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
admin_pattern($1, cobbler_var_log_t)
-+ apache_search_sys_content($1)
++ apache_list_sys_content($1)
+ admin_pattern($1, httpd_cobbler_content_t)
+ admin_pattern($1, httpd_cobbler_content_ra_t)
admin_pattern($1, httpd_cobbler_content_rw_t)
@@ -14975,38 +16079,49 @@ index 293e08d..b2198bb 100644
+ ')
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..6a6d7d7 100644
+index 0258b48..c4d678b 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
-@@ -12,6 +12,28 @@ policy_module(cobbler, 1.1.0)
- ##
+@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
+ #
+
+ ##
+-##
+-## Allow Cobbler to modify public files
+-## used for public file transfer services.
+-##
++##
++## Allow Cobbler to modify public files
++## used for public file transfer services.
++##
##
gen_tunable(cobbler_anon_write, false)
-+
+
+##
-+##
-+## Allow Cobbler to connect to the
-+## network using TCP.
-+##
++##
++## Allow Cobbler to connect to the
++## network using TCP.
++##
+##
+gen_tunable(cobbler_can_network_connect, false)
+
+##
-+##
-+## Allow Cobbler to access cifs file systems.
-+##
++##
++## Allow Cobbler to access cifs file systems.
++##
+##
+gen_tunable(cobbler_use_cifs, false)
+
+##
-+##
-+## Allow Cobbler to access nfs file systems.
-+##
++##
++## Allow Cobbler to access nfs file systems.
++##
+##
+gen_tunable(cobbler_use_nfs, false)
-
++
type cobblerd_t;
type cobblerd_exec_t;
+ init_daemon_domain(cobblerd_t, cobblerd_exec_t)
@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
@@ -15186,9 +16301,21 @@ index 0258b48..6a6d7d7 100644
########################################
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index 42c6bd7..51afa67 100644
+index 42c6bd7..53b10e3 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run consolekit.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`consolekit_domtrans',`
@@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',`
files_search_pids($1)
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
@@ -15213,7 +16340,7 @@ index 42c6bd7..51afa67 100644
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index daf151d..cc2058b 100644
+index daf151d..16c0746 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
@@ -15248,19 +16375,18 @@ index daf151d..cc2058b 100644
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
-@@ -99,16 +109,21 @@ optional_policy(`
+@@ -99,6 +109,10 @@ optional_policy(`
')
optional_policy(`
-- policykit_dbus_chat(consolekit_t)
+ networkmanager_append_log(consolekit_t)
+')
+
+optional_policy(`
-+ policykit_dbus_chat(consolekit_t)
+ policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
- policykit_read_reload(consolekit_t)
+@@ -106,9 +120,10 @@ optional_policy(`
')
optional_policy(`
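Review bot: The new `networkmanager_append_log(consolekit_t)` block grants a session tracker append access to another daemon's log type with no comment saying why, and cross-service log writes are the kind of grant a policy audit questions first. A one-line rationale above the call, stating what consolekit writes there and whether the access is really a leaked descriptor that a dontaudit would cover, would record the intent; if it is the latter, a dontaudit is the usual answer rather than an allow. The enclosing optional_policy nesting continues past the hunk.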
@@ -15293,7 +16419,7 @@ index 3a6d7eb..2098ee9 100644
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
-index 5220c9d..05f7296 100644
+index 5220c9d..a2e6830 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
@@ -15302,28 +16428,28 @@ index 5220c9d..05f7296 100644
+######################################
+##
-+## Execute corosync in the caller domain.
++## Execute corosync in the caller domain.
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`corosync_exec',`
-+ gen_require(`
-+ type corosync_exec_t;
-+ ')
++ gen_require(`
++ type corosync_exec_t;
++ ')
+
-+ corecmd_search_bin($1)
-+ can_exec($1, corosync_exec_t)
++ corecmd_search_bin($1)
++ can_exec($1, corosync_exec_t)
+')
+
#######################################
##
## Allow the specified domain to read corosync's log files.
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 7d2cf85..ed9dd2f 100644
+index 7d2cf85..c3620a0 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
@@ -15365,7 +16491,7 @@ index 7d2cf85..ed9dd2f 100644
auth_use_nsswitch(corosync_t)
-@@ -83,19 +88,36 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +88,32 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
@@ -15373,10 +16499,6 @@ index 7d2cf85..ed9dd2f 100644
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
-+ gen_require(`
-+ attribute unconfined_services;
-+ ')
-+
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
+')
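Review bot: After the removed gen_require, the `optional_policy(\`` block at the start of this hunk contains only `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)`, and as far as the visible lines show nothing in it now refers to an optional module (the filesystem and init interfaces normally come from base modules), so the wrapper no longer makes anything optional. If the `unconfined_services` attribute was genuinely unused, the cleaner result is to drop the optional_policy wrapper as well and keep the two calls at top level; otherwise a comment naming the optional module this block depends on would explain why it stays wrapped. What precedes the optional_policy line is outside the hunk.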
@@ -15406,6 +16528,55 @@ index 7d2cf85..ed9dd2f 100644
')
optional_policy(`
+diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
+index 9971337..f081899 100644
+--- a/policy/modules/services/courier.if
++++ b/policy/modules/services/courier.if
+@@ -138,6 +138,7 @@ interface(`courier_read_config',`
+ type courier_etc_t;
+ ')
+
++ files_search_etc($1)
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+ ')
+
+@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
+index 37f4810..cc93958 100644
+--- a/policy/modules/services/courier.te
++++ b/policy/modules/services/courier.te
+@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
+ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+ # inherits file handle - should it?
+-allow courier_pop_t courier_var_lib_t:file { read write };
++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+
+ miscfiles_read_localization(courier_pop_t)
+
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 2eefc08..3e8ad69 100644
--- a/policy/modules/services/cron.fc
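Review bot: `allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;` keeps the pre-existing `# inherits file handle - should it?` comment above it, yet the macro now encodes the answer: rw_inherited_file_perms as defined in refpolicy carries getattr/read/write/append/ioctl/lock but not open, so courier_pop_t can use a descriptor it was handed but cannot open courier_var_lib_t files itself. The comment should state that decision instead of posing the question, e.g. `# uses descriptors inherited across exec only; open is deliberately not granted`. The added files_search_etc and files_search_spool calls in courier.if match the read/manage interfaces they sit in.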
@@ -15428,7 +16599,7 @@ index 2eefc08..3e8ad69 100644
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..9822074 100644
+index 35241ed..b6402c9 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -15458,6 +16629,15 @@ index 35241ed..9822074 100644
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+@@ -43,7 +52,7 @@ template(`cron_common_crontab_template',`
+ files_list_spool($1_t)
+
+ # crontab signals crond by updating the mtime on the spooldir
+- allow $1_t cron_spool_t:dir setattr;
++ allow $1_t cron_spool_t:dir setattr_dir_perms;
+
+ kernel_read_system_state($1_t)
+
@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',`
logging_send_syslog_msg($1_t)
@@ -15474,16 +16654,20 @@ index 35241ed..9822074 100644
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -106,6 +117,8 @@ template(`cron_common_crontab_template',`
+@@ -102,10 +113,12 @@ template(`cron_common_crontab_template',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
-+ type user_cron_spool_t;
-+ type crond_t;
++ type user_cron_spool_t, crond_t;
')
role $1 types { cronjob_t crontab_t };
-@@ -116,6 +129,13 @@ interface(`cron_role',`
+@@ -116,9 +129,16 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
@@ -15496,8 +16680,27 @@ index 35241ed..9822074 100644
+
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-@@ -154,27 +174,14 @@ interface(`cron_role',`
+- allow $2 crontab_t:process signal;
++ allow $2 crontab_t:process { ptrace signal_perms };
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+@@ -132,9 +152,8 @@ interface(`cron_role',`
+ ')
+
+ dbus_stub(cronjob_t)
+-
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -151,29 +170,18 @@ interface(`cron_role',`
+ ## User domain for the role
+ ##
+ ##
++##
#
interface(`cron_unconfined_role',`
gen_require(`
@@ -15510,7 +16713,7 @@ index 35241ed..9822074 100644
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
-
+-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
@@ -15523,10 +16726,58 @@ index 35241ed..9822074 100644
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
--
++ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+
optional_policy(`
gen_require(`
- class dbus send_msg;
+@@ -181,9 +189,8 @@ interface(`cron_unconfined_role',`
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+-
+ allow unconfined_cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -200,6 +207,7 @@ interface(`cron_unconfined_role',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_admin_role',`
+ gen_require(`
+@@ -220,7 +228,7 @@ interface(`cron_admin_role',`
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+- allow $2 admin_crontab_t:process signal;
++ allow $2 admin_crontab_t:process { ptrace signal_perms };
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+@@ -234,9 +242,8 @@ interface(`cron_admin_role',`
+ ')
+
+ dbus_stub(admin_cronjob_t)
+-
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -304,7 +311,7 @@ interface(`cron_exec',`
+
+ ########################################
+ ##
+-## Execute crond server in the nscd domain.
++## Execute crond server in the crond domain.
+ ##
+ ##
+ ##
@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -15572,7 +16823,24 @@ index 35241ed..9822074 100644
')
########################################
-@@ -554,7 +597,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -481,6 +524,7 @@ interface(`cron_manage_pid_files',`
+ type crond_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ ')
+
+@@ -536,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:file write;
++ allow $1 system_cronjob_t:fifo_file write;
+ ')
+
+ ########################################
+@@ -554,7 +598,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -15581,7 +16849,7 @@ index 35241ed..9822074 100644
')
########################################
-@@ -587,11 +630,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +631,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -15597,7 +16865,7 @@ index 35241ed..9822074 100644
')
########################################
-@@ -627,7 +673,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +674,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -15623,8 +16891,8 @@ index 35241ed..9822074 100644
+ type system_cronjob_var_lib_t;
+ ')
+
-+
-+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
@@ -15642,13 +16910,40 @@ index 35241ed..9822074 100644
+ type system_cronjob_var_lib_t;
+ ')
+
-+
-+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++ files_search_var_lib($1)
++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..45f5a6f 100644
+index f35b243..2a7f7f4 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
+@@ -10,18 +10,18 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allow system cron jobs to relabel filesystem
+-## for restoring file contexts.
+-##
++##
++## Allow system cron jobs to relabel filesystem
++## for restoring file contexts.
++##
+ ##
+ gen_tunable(cron_can_relabel, false)
+
+ ##
+-##
+-## Enable extra rules in the cron domain
+-## to support fcron.
+-##
++##
++## Enable extra rules in the cron domain
++## to support fcron.
++##
+ ##
+ gen_tunable(fcron_crond, false)
+
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
type crond_tmp_t;
@@ -15678,7 +16973,18 @@ index f35b243..45f5a6f 100644
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
-@@ -108,6 +113,14 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
+@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
+ type system_cronjob_tmp_t alias system_crond_tmp_t;
+ files_tmp_file(system_cronjob_tmp_t)
+
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+-')
+-
+ type unconfined_cronjob_t;
+ domain_type(unconfined_cronjob_t)
+ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
@@ -15690,9 +16996,31 @@ index f35b243..45f5a6f 100644
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
++')
########################################
#
+@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t)
+ #
+
+ # Allow our crontab domain to unlink a user cron spool file.
+-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+
+ # Manipulate other users crontab.
+ selinux_get_fs_mount(admin_crontab_t)
+@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
+ selinux_compute_relabel_context(admin_crontab_t)
+ selinux_compute_user_contexts(admin_crontab_t)
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', `
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
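Review bot: The comment above `allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };` still says only "unlink a user cron spool file", but the macro form now grants the full read set (open, lock, ioctl) as well as delete. Update it to match, e.g. `# Allow the admin crontab domain to read and remove a user's cron spool file.`, so the next reader does not assume the read access is incidental. The rest of the surrounding block is outside this hunk.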
@@ -15732,27 +17060,40 @@ index f35b243..45f5a6f 100644
ifdef(`distro_debian',`
# pam_limits is used
-@@ -240,8 +259,17 @@ ifdef(`distro_redhat', `
+@@ -232,7 +251,7 @@ ifdef(`distro_debian',`
+ ')
+ ')
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+@@ -240,16 +259,39 @@ ifdef(`distro_redhat', `
')
')
-tunable_policy(`fcron_crond', `
-- allow crond_t system_cron_spool_t:file manage_file_perms;
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
-+optional_policy(`
++tunable_policy(`fcron_crond',`
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+ ')
+
+ optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
-+ djbdns_search_tinydns_keys(crond_t)
-+ djbdns_link_tinydns_keys(crond_t)
- ')
-
- optional_policy(`
-@@ -250,6 +278,20 @@ optional_policy(`
++ djbdns_search_tinydns_keys(crond_t)
++ djbdns_link_tinydns_keys(crond_t)
++')
++
++optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
')
optional_policy(`
@@ -15765,10 +17106,6 @@ index f35b243..45f5a6f 100644
+ mono_domtrans(crond_t)
+')
+
-+tunable_policy(`fcron_crond', `
-+ allow crond_t system_cron_spool_t:file manage_file_perms;
-+')
-+
+optional_policy(`
amanda_search_var_lib(crond_t)
')
@@ -15806,7 +17143,7 @@ index f35b243..45f5a6f 100644
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
-+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
++allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
@@ -15859,9 +17196,12 @@ index f35b243..45f5a6f 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -410,6 +474,8 @@ seutil_read_config(system_cronjob_t)
+@@ -408,8 +472,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
- ifdef(`distro_redhat', `
+ seutil_read_config(system_cronjob_t)
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
@@ -15948,7 +17288,7 @@ index f35b243..45f5a6f 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -590,7 +682,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -590,9 +682,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -15957,8 +17297,11 @@ index f35b243..45f5a6f 100644
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
- tunable_policy(`fcron_crond', `
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
index 1b492ed..286ec9e 100644
--- a/policy/modules/services/cups.fc
@@ -15974,7 +17317,7 @@ index 1b492ed..286ec9e 100644
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..fb3454a 100644
+index 305ddf4..777091a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
@@ -15990,21 +17333,23 @@ index 305ddf4..fb3454a 100644
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
-@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',`
+@@ -314,11 +316,10 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
-+ type cupsd_etc_t, cupsd_log_t;
- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
- type cupsd_var_run_t, ptal_etc_t;
- type ptal_var_run_t, hplip_var_run_t;
- type cupsd_initrc_exec_t;
-+ type hplip_etc_t;
+- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+- type cupsd_var_run_t, ptal_etc_t;
+- type ptal_var_run_t, hplip_var_run_t;
+- type cupsd_initrc_exec_t;
++ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
++ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
++ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
++ type ptal_var_run_t;
')
allow $1 cupsd_t:process { ptrace signal_perms };
-@@ -341,15 +344,14 @@ interface(`cups_admin',`
+@@ -341,15 +342,14 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_lpd_var_run_t)
@@ -16023,7 +17368,7 @@ index 305ddf4..fb3454a 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..11e74af 100644
+index 0f28095..b3ab30f 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -16050,10 +17395,12 @@ index 0f28095..11e74af 100644
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -147,10 +150,11 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
- allow cupsd_t cupsd_var_run_t:dir setattr;
+-allow cupsd_t cupsd_var_run_t:dir setattr;
++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@@ -16063,6 +17410,15 @@ index 0f28095..11e74af 100644
allow cupsd_t hplip_t:process { signal sigkill };
+@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+ allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+ stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+-allow cupsd_t ptal_var_run_t : sock_file setattr;
++allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+
+ kernel_read_system_state(cupsd_t)
+ kernel_read_network_state(cupsd_t)
@@ -297,8 +301,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16104,7 +17460,7 @@ index 0f28095..11e74af 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -587,13 +599,19 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,14 +599,16 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -16118,22 +17474,98 @@ index 0f28095..11e74af 100644
lpd_manage_spool(cups_pdf_t)
+-
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(cups_pdf_t)
+ fs_manage_nfs_dirs(cups_pdf_t)
+@@ -606,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(cups_pdf_t)
+ ')
+
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
+')
++
+ ########################################
+ #
+ # HPLIP local policy
+@@ -639,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+ manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_search_auto_mountpoints(cups_pdf_t)
+ manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
+
+ manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
+index c43ff4c..5bf3e60 100644
+--- a/policy/modules/services/cvs.if
++++ b/policy/modules/services/cvs.if
+@@ -58,9 +58,8 @@ interface(`cvs_exec',`
+ #
+ interface(`cvs_admin',`
+ gen_require(`
+- type cvs_t, cvs_tmp_t;
++ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+ type cvs_data_t, cvs_var_run_t;
+- type cvs_initrc_exec_t;
+ ')
+
+ allow $1 cvs_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
-index 88e7e97..9e8d14b 100644
+index 88e7e97..e18dc0b 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
+@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
+ #
+
+ ##
+-##
+-## Allow cvs daemon to read shadow
+-##
++##
++## Allow cvs daemon to read shadow
++##
+ ##
+ gen_tunable(allow_cvs_read_shadow, false)
+
+@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
+ # Local policy
+ #
+
++allow cvs_t self:capability { setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:tcp_socket connected_stream_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow cvs_t self:capability { setuid setgid };
+
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
@@ -112,4 +112,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
+diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if
+index 9d44538..7e9057e 100644
+--- a/policy/modules/services/cyphesis.if
++++ b/policy/modules/services/cyphesis.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run cyphesis.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cyphesis_domtrans',`
diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te
index 346f926..1f789f8 100644
--- a/policy/modules/services/cyphesis.te
@@ -16172,21 +17604,22 @@ index e182bf4..f80e725 100644
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..7852441 100644
+index 39e901a..74fa3d6 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
-@@ -42,8 +42,10 @@ template(`dbus_role_template',`
+@@ -41,9 +41,9 @@ interface(`dbus_stub',`
+ template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
-
-+ attribute dbusd_unconfined;
- attribute session_bus_type;
+-
+- attribute session_bus_type;
++ attribute dbusd_unconfined, session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
-@@ -76,7 +78,7 @@ template(`dbus_role_template',`
+@@ -76,7 +76,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
@@ -16195,8 +17628,14 @@ index 39e901a..7852441 100644
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-@@ -91,7 +93,7 @@ template(`dbus_role_template',`
- allow $3 $1_dbusd_t:process { signull sigkill signal };
+@@ -88,14 +88,15 @@ template(`dbus_role_template',`
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+- allow $3 $1_dbusd_t:process { signull sigkill signal };
++
++ ps_process_pattern($3, $1_dbusd_t)
++ allow $3 $1_dbusd_t:process { ptrace signal_perms };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
@@ -16204,7 +17643,20 @@ index 39e901a..7852441 100644
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -149,17 +151,25 @@ template(`dbus_role_template',`
+- allow $3 $1_dbusd_t:process sigchld;
+
+ kernel_read_system_state($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
+@@ -116,7 +117,7 @@ template(`dbus_role_template',`
+
+ dev_read_urand($1_dbusd_t)
+
+- domain_use_interactive_fds($1_dbusd_t)
++ domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
+
+ files_read_etc_files($1_dbusd_t)
+@@ -149,17 +150,25 @@ template(`dbus_role_template',`
term_use_all_terms($1_dbusd_t)
@@ -16214,7 +17666,8 @@ index 39e901a..7852441 100644
+ userdom_manage_user_home_content_files($1_dbusd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
- ifdef(`hide_broken_symptoms', `
+- ifdef(`hide_broken_symptoms', `
++ ifdef(`hide_broken_symptoms',`
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
@@ -16231,7 +17684,7 @@ index 39e901a..7852441 100644
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
-@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -16244,7 +17697,7 @@ index 39e901a..7852441 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -431,13 +443,26 @@ interface(`dbus_system_domain',`
+@@ -431,14 +442,27 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -16260,6 +17713,7 @@ index 39e901a..7852441 100644
+ userdom_dontaudit_search_admin_dir($1)
userdom_read_all_users_state($1)
+- ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
@@ -16268,10 +17722,11 @@ index 39e901a..7852441 100644
+ unconfined_dbus_send($1)
+ ')
+
- ifdef(`hide_broken_symptoms', `
++ ifdef(`hide_broken_symptoms',`
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
-@@ -479,3 +504,22 @@ interface(`dbus_unconfined',`
+ ')
+@@ -479,3 +503,22 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -16291,11 +17746,11 @@ index 39e901a..7852441 100644
+ type system_dbusd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
-+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index b354128..c725cae 100644
+index b354128..d9416fc 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
@@ -16320,11 +17775,10 @@ index b354128..c725cae 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,7 +144,15 @@ optional_policy(`
+@@ -141,6 +144,14 @@ optional_policy(`
')
optional_policy(`
-- policykit_dbus_chat(system_dbusd_t)
+ gnome_exec_gconf(system_dbusd_t)
+')
+
@@ -16333,10 +17787,9 @@ index b354128..c725cae 100644
+')
+
+optional_policy(`
-+ policykit_dbus_chat(system_dbusd_t)
+ policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
- ')
@@ -158,5 +169,12 @@ optional_policy(`
#
# Unconfined access to this module
@@ -16351,8 +17804,91 @@ index b354128..c725cae 100644
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
+diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
+index 784753e..bf65e7d 100644
+--- a/policy/modules/services/dcc.if
++++ b/policy/modules/services/dcc.if
+@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+- files_search_var($1)
++ files_search_pids($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+ ')
+diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
+index 0a1a61b..da508f4 100644
+--- a/policy/modules/services/ddclient.if
++++ b/policy/modules/services/ddclient.if
+@@ -64,8 +64,8 @@ interface(`ddclient_run',`
+ interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+- type ddclient_var_t, ddclient_var_lib_t;
+- type ddclient_var_run_t, ddclient_initrc_exec_t;
++ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
++ type ddclient_var_run_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
+index 567865f..9c9e65c 100644
+--- a/policy/modules/services/denyhosts.if
++++ b/policy/modules/services/denyhosts.if
+@@ -13,12 +13,12 @@
+ ## Execute a domain transition to run denyhosts.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+-interface(`denyhosts_domtrans', `
++interface(`denyhosts_domtrans',`
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+@@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
+ ##
+ ##
+ #
+-interface(`denyhosts_initrc_domtrans', `
++interface(`denyhosts_initrc_domtrans',`
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+-interface(`denyhosts_admin', `
++interface(`denyhosts_admin',`
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+@@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+- files_search_locks($1)
++ files_list_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+ ')
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
-index 8ba9425..d53ee7e 100644
+index 8ba9425..b10da2c 100644
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
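Review bot: In `dcc_stream_connect_dccifd`, replacing `files_search_var($1)` with `files_search_pids($1)` may leave callers unable to reach the socket: the `stream_connect_pattern` on the following line names `dcc_var_t` as the directory type, which reads as a directory under /var rather than /var/run, and search on var_run_t does not grant search on var_t. Unless the file contexts place that directory under /var/run (not visible here), keep `files_search_var($1)` next to the new call rather than replacing it. The interface's opening line falls outside the visible part of the inner hunk.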
@@ -16392,13 +17928,42 @@ index 8ba9425..d53ee7e 100644
')
+
+optional_policy(`
-+ gnome_dontaudit_search_config(denyhosts_t)
++ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..70cf018 100644
+index f706b99..ab2edfc 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
-@@ -165,13 +165,13 @@ interface(`devicekit_admin',`
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run devicekit.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`devicekit_domtrans',`
+@@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The role to be allowed to manage the devicekit domain.
+-##
+-##
+-##
+-##
+-## The type of the user terminal.
+-##
+-##
+ ##
+ #
+ interface(`devicekit_admin',`
+@@ -165,21 +155,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -16415,8 +17980,19 @@ index f706b99..70cf018 100644
ps_process_pattern($1, devicekit_power_t)
admin_pattern($1, devicekit_tmp_t)
+- files_search_tmp($1)
++ files_list_tmp($1)
+
+ admin_pattern($1, devicekit_var_lib_t)
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+
+ admin_pattern($1, devicekit_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
+ ')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..6cee08f 100644
+index f231f17..58416a0 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -16511,7 +18087,7 @@ index f231f17..6cee08f 100644
hal_domtrans_mac(devicekit_power_t)
hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
-@@ -280,5 +303,10 @@ optional_policy(`
+@@ -280,5 +303,9 @@ optional_policy(`
')
optional_policy(`
@@ -16521,11 +18097,19 @@ index f231f17..6cee08f 100644
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-+
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
-index 5e2cea8..aa4da1d 100644
+index 5e2cea8..7e129ff 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
+@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
+ ')
+
+ sysnet_search_dhcp_state($1)
+- allow $1 dhcpd_state_t:file setattr;
++ allow $1 dhcpd_state_t:file setattr_file_perms;
+ ')
+
+ ########################################
@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
#
interface(`dhcpd_admin',`
@@ -16551,17 +18135,78 @@ index d4424ad..a307b51 100644
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
-index 0c6a473..e723266 100644
+index 0c6a473..51e2ce8 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
-@@ -23,6 +23,8 @@ djbdns_daemontools_domain_template(tinydns)
+@@ -23,9 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
# Local policy for axfrdns component
#
-+files_config_file(djbdns_axfrdns_conf_t)
+-daemontools_ipc_domain(djbdns_axfrdns_t)
+-daemontools_read_svc(djbdns_axfrdns_t)
+-
+ allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+ allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
+@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+
+ files_search_var(djbdns_axfrdns_t)
+
++daemontools_ipc_domain(djbdns_axfrdns_t)
++daemontools_read_svc(djbdns_axfrdns_t)
+
- daemontools_ipc_domain(djbdns_axfrdns_t)
- daemontools_read_svc(djbdns_axfrdns_t)
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+ ########################################
+diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
+index 9bd812b..c808b31 100644
+--- a/policy/modules/services/dnsmasq.if
++++ b/policy/modules/services/dnsmasq.if
+@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
+ ## Read dnsmasq config files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`dnsmasq_read_config',`
+@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
+ ## Write to dnsmasq config files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`dnsmasq_write_config',`
+@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
+ ##
+ ##
+ #
+-#
+ interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
++ files_search_pids($1)
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
+
+@@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',`
+ type dnsmasq_var_run_t;
+ ')
+
++ files_search_pids($1)
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index fdaeeba..a50a8a7 100644
@@ -16592,27 +18237,50 @@ index bfc880b..9a1dcba 100644
')
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
-index e1d7dc5..09f6f30 100644
+index e1d7dc5..ee51a19 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
-@@ -93,12 +93,14 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+@@ -9,13 +9,13 @@
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+ ')
+
+@@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',`
+ type dovecot_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ ')
+@@ -93,12 +94,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
#
interface(`dovecot_admin',`
gen_require(`
- type dovecot_t, dovecot_etc_t, dovecot_log_t;
-+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
- type dovecot_spool_t, dovecot_var_lib_t;
+- type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t;
-+ type dovecot_var_run_t, dovecot_tmp_t;
-+ type dovecot_var_log_t;
-
- type dovecot_cert_t, dovecot_passwd_t;
- type dovecot_initrc_exec_t;
-+ type dovecot_keytab_t;
+-
+- type dovecot_cert_t, dovecot_passwd_t;
+- type dovecot_initrc_exec_t;
++ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
++ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
++ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
++ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };
-@@ -112,8 +114,11 @@ interface(`dovecot_admin',`
+@@ -112,8 +111,11 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
@@ -16626,7 +18294,7 @@ index e1d7dc5..09f6f30 100644
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +126,9 @@ interface(`dovecot_admin',`
+@@ -121,6 +123,9 @@ interface(`dovecot_admin',`
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
@@ -16637,7 +18305,7 @@ index e1d7dc5..09f6f30 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..64bc566 100644
+index cbe14e4..aff2296 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16695,8 +18363,8 @@ index cbe14e4..64bc566 100644
')
optional_policy(`
-+ postfix_manage_private_sockets(dovecot_t)
-+ postfix_search_spool(dovecot_t)
++ postfix_manage_private_sockets(dovecot_t)
++ postfix_search_spool(dovecot_t)
+')
+
+optional_policy(`
@@ -16763,9 +18431,21 @@ index 298f066..c2570df 100644
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
-index 6bef7f8..1685c5d 100644
+index 6bef7f8..464669c 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run exim.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`exim_domtrans',`
@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
########################################
@@ -16774,11 +18454,11 @@ index 6bef7f8..1685c5d 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
+#
-+interface(`exim_initrc_domtrans', `
++interface(`exim_initrc_domtrans',`
+ gen_require(`
+ type exim_initrc_exec_t;
+ ')
@@ -16791,6 +18471,18 @@ index 6bef7f8..1685c5d 100644
## Do not audit attempts to read,
## exim tmp files
##
+@@ -101,9 +119,9 @@ interface(`exim_read_log',`
+ ## exim log files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`exim_append_log',`
@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
@@ -16812,10 +18504,10 @@ index 6bef7f8..1685c5d 100644
+##
+##
+#
-+interface(`exim_admin', `
++interface(`exim_admin',`
+ gen_require(`
-+ type exim_t, exim_initrc_exec_t, exim_log_t;
-+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
++ type exim_t, exim_initrc_exec_t, exim_log_t;
++ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
+ allow $1 exim_t:process { ptrace signal_perms };
@@ -16826,22 +18518,57 @@ index 6bef7f8..1685c5d 100644
+ role_transition $2 exim_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, exim_log_t)
+
-+ files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, exim_tmp_t)
+
-+ files_search_spool($1)
++ files_list_spool($1)
+ admin_pattern($1, exim_spool_t)
+
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..6c819a3 100644
+index f28f64b..18c3c33 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
+@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
+ #
+
+ ##
+-##
+-## Allow exim to connect to databases (postgres, mysql)
+-##
++##
++## Allow exim to connect to databases (postgres, mysql)
++##
+ ##
+ gen_tunable(exim_can_connect_db, false)
+
+ ##
+-##
+-## Allow exim to read unprivileged user files.
+-##
++##
++## Allow exim to read unprivileged user files.
++##
+ ##
+ gen_tunable(exim_read_user_files, false)
+
+ ##
+-##
+-## Allow exim to create, read, write, and delete
+-## unprivileged user files.
+-##
++##
++## Allow exim to create, read, write, and delete
++## unprivileged user files.
++##
+ ##
+ gen_tunable(exim_manage_user_files, false)
+
@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
@@ -16856,7 +18583,7 @@ index f28f64b..6c819a3 100644
')
optional_policy(`
-+ nagios_search_spool(exim_t)
++ nagios_search_spool(exim_t)
+')
+
+optional_policy(`
@@ -16872,9 +18599,33 @@ index f28f64b..6c819a3 100644
optional_policy(`
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
-index f590a1f..e4261f5 100644
+index f590a1f..87f6bfb 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run fail2ban.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`fail2ban_domtrans',`
+@@ -102,9 +102,9 @@ interface(`fail2ban_read_log',`
+ ## fail2ban log files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`fail2ban_append_log',`
@@ -138,6 +138,26 @@ interface(`fail2ban_read_pid_files',`
########################################
@@ -16902,15 +18653,35 @@ index f590a1f..e4261f5 100644
## All of the rules required to administrate
## an fail2ban environment
##
+@@ -155,8 +175,8 @@ interface(`fail2ban_read_pid_files',`
+ #
+ interface(`fail2ban_admin',`
+ gen_require(`
+- type fail2ban_t, fail2ban_log_t;
+- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
++ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
++ type fail2ban_var_run_t;
+ ')
+
+ allow $1 fail2ban_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..fd30b02 100644
+index 2a69e5e..7c5bf19 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
+@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+ allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+
+ # log files
+-allow fail2ban_t fail2ban_log_t:dir setattr;
++allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
+ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+ logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
@@ -94,5 +94,9 @@ optional_policy(`
')
optional_policy(`
-+ gnome_dontaudit_search_config(fail2ban_t)
++ gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
@@ -16928,6 +18699,27 @@ index 6537214..7d64c0a 100644
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
+diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
+index ebad8c4..c02062c 100644
+--- a/policy/modules/services/fprintd.if
++++ b/policy/modules/services/fprintd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run fprintd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`fprintd_domtrans',`
+@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
+ allow $1 fprintd_t:dbus send_msg;
+ allow fprintd_t $1:dbus send_msg;
+ ')
+-
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
index 7df52c7..899feaf 100644
--- a/policy/modules/services/fprintd.te
@@ -16959,33 +18751,164 @@ index 69dcd2a..a9a9116 100644
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
+diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
+index bc27421..26cc64b 100644
+--- a/policy/modules/services/ftp.if
++++ b/policy/modules/services/ftp.if
+@@ -53,25 +53,6 @@ interface(`ftp_read_config',`
+
+ ########################################
+ ##
+-## Execute FTP daemon entry point programs.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`ftp_check_exec',`
+- gen_require(`
+- type ftpd_exec_t;
+- ')
+-
+- corecmd_search_bin($1)
+- allow $1 ftpd_exec_t:file { getattr execute };
+-')
+-
+-########################################
+-##
+ ## Read FTP transfer logs
+ ##
+ ##
+@@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',`
+ interface(`ftp_admin',`
+ gen_require(`
+ type ftpd_t, ftpdctl_t, ftpd_tmp_t;
+- type ftpd_etc_t, ftpd_lock_t;
++ type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
+ type ftpd_var_run_t, xferlog_t;
+- type ftpd_initrc_exec_t;
+ ')
+
+ allow $1 ftpd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..34a0014 100644
+index 8a74a83..2284f4e 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
-@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
+@@ -6,70 +6,85 @@ policy_module(ftp, 1.12.0)
+ #
##
- ##
-+## Allow ftp servers to use connect to mysql database
-+##
+-##
+-## Allow ftp servers to upload files, used for public file
+-## transfer services. Directories must be labeled
+-## public_content_rw_t.
+-##
++##
++## Allow ftp servers to upload files, used for public file
++## transfer services. Directories must be labeled
++## public_content_rw_t.
++##
+ ##
+ gen_tunable(allow_ftpd_anon_write, false)
+
+ ##
+-##
+-## Allow ftp servers to login to local users and
+-## read/write all files on the system, governed by DAC.
+-##
++##
++## Allow ftp servers to login to local users and
++## read/write all files on the system, governed by DAC.
++##
+ ##
+ gen_tunable(allow_ftpd_full_access, false)
+
+ ##
+-##
+-## Allow ftp servers to use cifs
+-## used for public file transfer services.
+-##
++##
++## Allow ftp servers to use cifs
++## used for public file transfer services.
++##
+ ##
+ gen_tunable(allow_ftpd_use_cifs, false)
+
+ ##
+-##
+-## Allow ftp servers to use nfs
+-## used for public file transfer services.
+-##
++##
++## Allow ftp servers to use nfs
++## used for public file transfer services.
++##
+ ##
+ gen_tunable(allow_ftpd_use_nfs, false)
+
+ ##
+-##
+-## Allow ftp to read and write files in the user home directories
+-##
++##
++## Allow ftp servers to use connect to mysql database
++##
+##
+gen_tunable(ftpd_connect_db, false)
+
+##
-+##
- ## Allow ftp to read and write files in the user home directories
- ##
++##
++## Allow ftp to read and write files in the user home directories
++##
##
-@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+ gen_tunable(ftp_home_dir, false)
+
+ ##
+-##
+-## Allow anon internal-sftp to upload files, used for
+-## public file transfer services. Directories must be labeled
+-## public_content_rw_t.
+-##
++##
++## Allow anon internal-sftp to upload files, used for
++## public file transfer services. Directories must be labeled
++## public_content_rw_t.
++##
+ ##
+ gen_tunable(sftpd_anon_write, false)
+
+ ##
+-##
+-## Allow sftp-internal to read and write files
+-## in the user home directories
+-##
++##
++## Allow sftp-internal to read and write files
++## in the user home directories
++##
+ ##
+ gen_tunable(sftpd_enable_homedirs, false)
+
+ ##
+-##
+-## Allow sftp-internal to login to local users and
+-## read/write all files on the system, governed by DAC.
+-##
++##
++## Allow sftp-internal to login to local users and
++## read/write all files on the system, governed by DAC.
++##
##
gen_tunable(sftpd_full_access, false)
+##
-+##
-+## Allow interlnal-sftp to read and write files
-+## in the user ssh home directories.
-+##
++##
++## Allow interlnal-sftp to read and write files
++## in the user ssh home directories.
++##
+##
+gen_tunable(sftpd_write_ssh_home, false)
+
@@ -17020,6 +18943,22 @@ index 8a74a83..34a0014 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
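Review bot: The boolean description re-indented at `++## Allow interlnal-sftp to read and write files` (the sftpd_write_ssh_home tunable) still carries the typo "interlnal", and the ftpd_connect_db description reads `++## Allow ftp servers to use connect to mysql database`; this text is what administrators see when listing booleans before deciding whether to let sftp write into ~/.ssh, so it should read `## Allow internal-sftp to read and write files` and `## Allow ftp servers to connect to mysql and postgresql databases` (the tunable body elsewhere in this patch grants both). The ftp.if part of the hunk drops the public `ftp_check_exec` interface outright; the refpolicy convention is to keep a stub for one release whose body is `refpolicywarn(`$0($*) has been deprecated.')` so out-of-tree modules fail with a clear message rather than an undefined macro. The ftp.te tunable section continues past the hunk.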
+@@ -163,13 +181,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+ manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
++files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+
+ # proftpd requires the client side to bind a socket so that
+ # it can stat the socket to perform access control decisions,
+ # since getsockopt with SO_PEERCRED is not available on all
+ # proftpd-supported OSs
+-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
++allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
+
+ # Create and modify /var/log/xferlog.
+ manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@@ -270,10 +288,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
@@ -17031,10 +18970,10 @@ index 8a74a83..34a0014 100644
+ userdom_manage_user_home_content(ftpd_t)
+ userdom_manage_user_tmp_files(ftpd_t)
+ userdom_tmp_filetrans_user_tmp(ftpd_t, file)
-+', `
-+ # Needed for permissive mode, to make sure everything gets labeled correctly
-+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
-+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
++',`
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
++ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -17054,34 +18993,41 @@ index 8a74a83..34a0014 100644
+')
+
+tunable_policy(`ftpd_connect_db',`
-+ corenet_tcp_connect_mysqld_port(ftpd_t)
-+ corenet_tcp_connect_postgresql_port(ftpd_t)
++ mysql_tcp_connect(ftpd_t)
++ postgresql_tcp_connect(ftpd_t)
+')
+
+optional_policy(`
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -362,21 +400,33 @@ userdom_use_user_terminals(ftpdctl_t)
- #
- # sftpd local policy
- #
--
- files_read_etc_files(sftpd_t)
+@@ -347,10 +385,11 @@ optional_policy(`
+
+ # Allow ftpdctl to talk to ftpd over a socket connection
+ stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
++files_search_pids(ftpdctl_t)
+ # ftpdctl creates a socket so that the daemon can perform
+ # access control decisions (see comments in ftpd_t rules above)
+-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
++allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+
+ # Allow ftpdctl to read config files
+@@ -368,15 +407,28 @@ files_read_etc_files(sftpd_t)
# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
-+ allow sftpd_t self:capability { dac_override dac_read_search };
-+ fs_read_noxattr_fs_files(sftpd_t)
-+ auth_manage_all_files_except_shadow(sftpd_t)
++ allow sftpd_t self:capability { dac_override dac_read_search };
++ fs_read_noxattr_fs_files(sftpd_t)
++ auth_manage_all_files_except_shadow(sftpd_t)
+')
+
+tunable_policy(`sftpd_write_ssh_home',`
-+ ssh_manage_home_files(sftpd_t)
++ ssh_manage_home_files(sftpd_t)
+')
tunable_policy(`sftpd_enable_homedirs',`
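Review bot: `++allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;` widens ftpdctl's rights on its control socket from `{ create setattr }` to the full manage set (unlink, rename, read and write included), while the comment two lines above still says ftpdctl only creates the socket so that ftpd can stat it; if a real denial motivated the widening, the comment should name the operation, otherwise `allow ftpdctl_t ftpdctl_tmp_t:sock_file { create getattr setattr };` keeps the rule as narrow as the comment claims. Separately, `++ mysql_tcp_connect(ftpd_t)` and `++ postgresql_tcp_connect(ftpd_t)` are interfaces of the mysql and postgresql modules; unless this tunable_policy block sits inside an `optional_policy` block (indentation is not recoverable here), the policy no longer links when either module is absent, and the usual shape is two `optional_policy` wrappers, one per module. The sftpd local policy section continues past the hunk.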
@@ -17094,23 +19040,37 @@ index 8a74a83..34a0014 100644
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+ userdom_read_user_home_content_files(sftpd_t)
+ userdom_manage_user_home_content(sftpd_t)
-+', `
-+ # Needed for permissive mode, to make sure everything gets labeled correctly
-+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
++',`
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
+index 99a94de..6dbc203 100644
+--- a/policy/modules/services/gatekeeper.te
++++ b/policy/modules/services/gatekeeper.te
+@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
+ allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
+ allow gatekeeper_t self:udp_socket create_socket_perms;
+
+-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
++allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
+ allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
+ files_search_etc(gatekeeper_t)
+
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
-index 54f0737..7ab4c92 100644
+index 54f0737..28b71f6 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
-@@ -1,3 +1,12 @@
-+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0)
-+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0)
+@@ -1,3 +1,13 @@
++HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
++HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
++HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
+
-+/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
++/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
+
-+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
++/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -17118,18 +19078,18 @@ index 54f0737..7ab4c92 100644
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
-index 458aac6..63742a3 100644
+index 458aac6..3780650 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
-@@ -1 +1,525 @@
+@@ -1 +1,520 @@
-## GIT revision control system
+## Fast Version Control System.
+##
+##
-+## A really simple TCP git daemon that normally listens on
-+## port DEFAULT_GIT_PORT aka 9418. It waits for a
-+## connection asking for a service, and will serve that
-+## service if it is enabled.
++## A really simple TCP git daemon that normally listens on
++## port DEFAULT_GIT_PORT aka 9418. It waits for a
++## connection asking for a service, and will serve that
++## service if it is enabled.
+##
+##
+
@@ -17150,8 +19110,7 @@ index 458aac6..63742a3 100644
+#
+interface(`git_session_role',`
+ gen_require(`
-+ type git_session_t, gitd_exec_t;
-+ type git_session_content_t;
++ type git_session_t, gitd_exec_t, git_session_content_t;
+ ')
+
+ ########################################
@@ -17184,10 +19143,8 @@ index 458aac6..63742a3 100644
+##
+#
+template(`git_content_template',`
-+
+ gen_require(`
-+ attribute git_system_content;
-+ attribute git_content;
++ attribute git_system_content, git_content;
+ ')
+
+ ########################################
@@ -17211,7 +19168,6 @@ index 458aac6..63742a3 100644
+##
+#
+template(`git_role_template',`
-+
+ gen_require(`
+ class context contains;
+ role system_r;
@@ -17647,9 +19603,8 @@ index 458aac6..63742a3 100644
+ relabel_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+')
-+
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
-index 7382f85..cf17085 100644
+index 7382f85..8d10fc5 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -1,8 +1,192 @@
@@ -17657,23 +19612,23 @@ index 7382f85..cf17085 100644
+policy_module(git, 1.0.3)
+
+##
-+##
-+## Allow Git daemon system to search home directories.
-+##
++##
++## Allow Git daemon system to search home directories.
++##
+##
+gen_tunable(git_system_enable_homedirs, false)
+
+##
-+##
-+## Allow Git daemon system to access cifs file systems.
-+##
++##
++## Allow Git daemon system to access cifs file systems.
++##
+##
+gen_tunable(git_system_use_cifs, false)
+
+##
-+##
-+## Allow Git daemon system to access nfs file systems.
-+##
++##
++## Allow Git daemon system to access nfs file systems.
++##
+##
+gen_tunable(git_system_use_nfs, false)
+
@@ -17687,6 +19642,7 @@ index 7382f85..cf17085 100644
+attribute git_content;
+
+type gitd_exec_t;
++application_executable_file(gitd_exec_t)
+
+########################################
+#
@@ -17707,10 +19663,10 @@ index 7382f85..cf17085 100644
+#
+
+##
-+##
-+## Allow Git daemon session to bind
-+## tcp sockets to all unreserved ports.
-+##
++##
++## Allow Git daemon session to bind
++## tcp sockets to all unreserved ports.
++##
+##
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
@@ -17775,37 +19731,35 @@ index 7382f85..cf17085 100644
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
-+tunable_policy(`git_system_enable_homedirs', `
++tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
+
-+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
++tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
+
-+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
++tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
-+tunable_policy(`git_system_use_cifs', `
++tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
+')
+
-+tunable_policy(`git_system_use_nfs', `
++tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
-
- ########################################
- #
--# Declarations
++
++########################################
++#
+# Git daemon session repository private policy.
- #
-
--apache_content_template(git)
++#
++
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
@@ -17814,17 +19768,17 @@ index 7382f85..cf17085 100644
+
+userdom_use_user_terminals(git_session_t)
+
-+tunable_policy(`git_session_bind_all_unreserved_ports', `
++tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
-+tunable_policy(`use_nfs_home_dirs', `
++tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
+')
+
-+tunable_policy(`use_samba_home_dirs', `
++tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
+')
@@ -17839,15 +19793,16 @@ index 7382f85..cf17085 100644
+ git_read_all_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+')
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Declarations
+# Git-shell private policy.
-+#
-+
+ #
+
+-apache_content_template(git)
+git_role_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
-+
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
index 462de63..a8ce02e 100644
--- a/policy/modules/services/gnomeclock.fc
@@ -17858,9 +19813,21 @@ index 462de63..a8ce02e 100644
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
-index 671d8fd..da0e844 100644
+index 671d8fd..b1f8f93 100644
--- a/policy/modules/services/gnomeclock.if
+++ b/policy/modules/services/gnomeclock.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run gnomeclock.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`gnomeclock_domtrans',`
@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',`
allow $1 gnomeclock_t:dbus send_msg;
allow gnomeclock_t $1:dbus send_msg;
@@ -17873,7 +19840,7 @@ index 671d8fd..da0e844 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
@@ -17886,6 +19853,46 @@ index 671d8fd..da0e844 100644
+ dontaudit $1 gnomeclock_t:dbus send_msg;
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
+diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
+index 7d97298..d6b2959 100644
+--- a/policy/modules/services/gpm.if
++++ b/policy/modules/services/gpm.if
+@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
+ type gpmctl_t, gpm_t;
+ ')
+
+- allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+- allow $1 gpm_t:unix_stream_socket connectto;
++ dev_list_all_dev_nodes($1)
++ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
+ ')
+
+ ########################################
+@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 gpmctl_t:sock_file getattr;
++ allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
+ type gpmctl_t;
+ ')
+
+- dontaudit $1 gpmctl_t:sock_file getattr;
++ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 gpmctl_t:sock_file setattr;
++ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
+ ')
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
index 03742d8..7b9c543 100644
--- a/policy/modules/services/gpsd.te
@@ -17902,10 +19909,35 @@ index 03742d8..7b9c543 100644
')
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..0d50d0d 100644
+index 7cf6763..26de57a 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
-@@ -51,6 +51,7 @@ interface(`hal_read_state',`
+@@ -20,24 +20,6 @@ interface(`hal_domtrans',`
+
+ ########################################
+ ##
+-## Get the attributes of a hal process.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`hal_getattr',`
+- gen_require(`
+- type hald_t;
+- ')
+-
+- allow $1 hald_t:process getattr;
+-')
+-
+-########################################
+-##
+ ## Read hal system state
+ ##
+ ##
+@@ -51,6 +33,7 @@ interface(`hal_read_state',`
type hald_t;
')
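Review bot: Deleting `interface(`hal_getattr',` removes a public interface with no deprecation stub, so any module outside this tree that still calls `hal_getattr(...)` fails at build time with an undefined-macro error. The refpolicy convention is to keep the interface for a release with its body replaced by `refpolicywarn(`$0($*) has been deprecated, use hal_read_state() instead.')`; hal_read_state appears to cover the same process getattr through `ps_process_pattern($1, hald_t)`, which is worth confirming before pointing callers at it. The hal_read_state interface ends outside the hunk.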
@@ -17913,11 +19945,47 @@ index 7cf6763..0d50d0d 100644
ps_process_pattern($1, hald_t)
')
-@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',`
+@@ -87,7 +70,7 @@ interface(`hal_use_fds',`
+ type hald_t;
+ ')
+
+- allow $1 hald_t:fd use;
++ allow $1 hald_t:fd use;
+ ')
+
+ ########################################
+@@ -105,7 +88,7 @@ interface(`hal_dontaudit_use_fds',`
+ type hald_t;
+ ')
+
+- dontaudit $1 hald_t:fd use;
++ dontaudit $1 hald_t:fd use;
+ ')
+
+ ########################################
+@@ -124,7 +107,7 @@ interface(`hal_rw_pipes',`
+ type hald_t;
+ ')
+
+- allow $1 hald_t:fifo_file rw_fifo_file_perms;
++ allow $1 hald_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -143,7 +126,7 @@ interface(`hal_dontaudit_rw_pipes',`
+ type hald_t;
+ ')
+
+- dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -377,6 +360,25 @@ interface(`hal_read_pid_files',`
########################################
##
-+## Do not audit attempts to read
++## Do not audit attempts to read
+## hald PID files.
+##
+##
@@ -17939,7 +20007,7 @@ index 7cf6763..0d50d0d 100644
## Read/Write hald PID files.
##
##
-@@ -431,3 +451,27 @@ interface(`hal_manage_pid_files',`
+@@ -431,3 +433,25 @@ interface(`hal_manage_pid_files',`
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
@@ -17956,19 +20024,17 @@ index 7cf6763..0d50d0d 100644
+#
+interface(`hal_dontaudit_leaks',`
+ gen_require(`
-+ type hald_log_t;
-+ type hald_t;
-+ type hald_var_run_t;
++ type hald_log_t, hald_t, hald_var_run_t;
+ ')
+
-+ dontaudit $1 hald_t:fd use;
++ dontaudit $1 hald_t:fd use;
+ dontaudit $1 hald_log_t:file rw_inherited_file_perms;
-+ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit hald_t $1:socket_class_set { read write };
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..e72b063 100644
+index 24c6253..ae0b05b 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -18019,7 +20085,17 @@ index 24c6253..e72b063 100644
optional_policy(`
alsa_domtrans(hald_t)
-@@ -268,6 +278,10 @@ optional_policy(`
+@@ -252,8 +262,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(hald_t)
+- dbus_connect_system_bus(hald_t)
++ dbus_system_domain(hald_t, hald_exec_t)
+
+ init_dbus_chat_script(hald_t)
+
+@@ -268,6 +277,10 @@ optional_policy(`
')
optional_policy(`
@@ -18030,18 +20106,27 @@ index 24c6253..e72b063 100644
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -318,6 +332,10 @@ optional_policy(`
+@@ -302,7 +315,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- policykit_dbus_chat(hald_t)
++ policykit_dbus_chat(hald_t)
+ policykit_domtrans_auth(hald_t)
+ policykit_domtrans_resolve(hald_t)
+ policykit_read_lib(hald_t)
+@@ -318,6 +331,10 @@ optional_policy(`
')
optional_policy(`
+ shutdown_domtrans(hald_t)
-+')
++')
+
+optional_policy(`
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
-@@ -338,6 +356,10 @@ optional_policy(`
+@@ -338,6 +355,10 @@ optional_policy(`
virt_manage_images(hald_t)
')
@@ -18052,7 +20137,7 @@ index 24c6253..e72b063 100644
########################################
#
# Hal acl local policy
-@@ -358,6 +380,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t)
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -18060,11 +20145,20 @@ index 24c6253..e72b063 100644
corecmd_exec_bin(hald_acl_t)
-@@ -470,6 +493,10 @@ files_read_usr_files(hald_keymap_t)
+@@ -388,7 +410,7 @@ logging_send_syslog_msg(hald_acl_t)
+ miscfiles_read_localization(hald_acl_t)
+
+ optional_policy(`
+- policykit_dbus_chat(hald_acl_t)
++ policykit_dbus_chat(hald_acl_t)
+ policykit_domtrans_auth(hald_acl_t)
+ policykit_read_lib(hald_acl_t)
+ policykit_read_reload(hald_acl_t)
+@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
-+# This is caused by a bug in hald and PolicyKit.
++# This is caused by a bug in hald and PolicyKit.
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
+
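Review bot: `+cron_read_system_job_lib_files(hald_t)` is an unconditional call into the cron module, unlike the other cross-module calls in hal.te which sit inside `optional_policy`, and it is placed under the hald_keymap local policy (right after `miscfiles_read_localization(hald_keymap_t)`) although it grants access to hald_t. Move it beside the other hald_t optional blocks and wrap it: `optional_policy(` / `	cron_read_system_job_lib_files(hald_t)` / `')`. The comment `+# Should be removed when this is fixed` names no bug; record the tracker id so the workaround can be found and retired, e.g. `# Workaround for <BUG-ID placeholder> (hald/PolicyKit): drop once fixed`. The hald_keymap section ends outside the hunk.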
@@ -18072,22 +20166,57 @@ index 24c6253..e72b063 100644
#
# Local hald dccm policy
diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
-index 87b4531..777b036 100644
+index 87b4531..db2d189 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
-@@ -70,8 +70,4 @@ interface(`hddtemp_admin',`
+@@ -69,9 +69,5 @@ interface(`hddtemp_admin',`
+ allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
- files_search_etc($1)
+- files_search_etc($1)
-
- allow $1 hddtemp_t:dir list_dir_perms;
- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
- kernel_search_proc($1)
++ files_list_etc($1)
')
+diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
+index 267bb4c..1647fc4 100644
+--- a/policy/modules/services/hddtemp.te
++++ b/policy/modules/services/hddtemp.te
+@@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
+ logging_send_syslog_msg(hddtemp_t)
+
+ miscfiles_read_localization(hddtemp_t)
+-
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
-index ecab47a..3aa86f3 100644
+index ecab47a..40affd8 100644
--- a/policy/modules/services/icecast.if
+++ b/policy/modules/services/icecast.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run icecast.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`icecast_domtrans',`
+@@ -118,9 +118,9 @@ interface(`icecast_read_log',`
+ ## icecast log files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`icecast_append_log',`
@@ -173,6 +173,7 @@ interface(`icecast_admin',`
type icecast_t, icecast_initrc_exec_t;
')
@@ -18096,8 +20225,16 @@ index ecab47a..3aa86f3 100644
ps_process_pattern($1, icecast_t)
# Allow icecast_t to restart the apache service
+@@ -182,7 +183,5 @@ interface(`icecast_admin',`
+ allow $2 system_r;
+
+ icecast_manage_pid_files($1)
+-
+ icecast_manage_log($1)
+-
+ ')
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
-index f368bf3..80befb0 100644
+index f368bf3..6bf7cc3 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.1)
@@ -18105,16 +20242,25 @@ index f368bf3..80befb0 100644
#
+##
-+##
-+## Allow icecast to connect to all ports, not just
-+## sound ports.
-+##
++##
++## Allow icecast to connect to all ports, not just
++## sound ports.
++##
+##
+gen_tunable(icecast_connect_any, false)
+
type icecast_t;
type icecast_exec_t;
init_daemon_domain(icecast_t, icecast_exec_t)
+@@ -31,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
+ manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+-logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
++logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
+
+ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+ manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
kernel_read_system_state(icecast_t)
@@ -18129,11 +20275,114 @@ index f368bf3..80befb0 100644
# Init script handling
domain_use_interactive_fds(icecast_t)
+diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if
+index dfb4232..7665429 100644
+--- a/policy/modules/services/ifplugd.if
++++ b/policy/modules/services/ifplugd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ifplugd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ifplugd_domtrans',`
+@@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',`
+ #
+ interface(`ifplugd_admin',`
+ gen_require(`
+- type ifplugd_t, ifplugd_etc_t;
+- type ifplugd_var_run_t, ifplugd_initrc_exec_t;
++ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
++ type ifplugd_initrc_exec_t;
+ ')
+
+ allow $1 ifplugd_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
+index df48e5e..6985546 100644
+--- a/policy/modules/services/inetd.if
++++ b/policy/modules/services/inetd.if
+@@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',`
+ ##
+ #
+ interface(`inetd_tcp_service_domain',`
+-
+ gen_require(`
+ type inetd_t;
+ ')
+diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
+index ebc9e0d..2f3d8dc 100644
+--- a/policy/modules/services/inn.if
++++ b/policy/modules/services/inn.if
+@@ -93,6 +93,7 @@ interface(`inn_read_config',`
+ type innd_etc_t;
+ ')
+
++ files_search_etc($1)
+ allow $1 innd_etc_t:dir list_dir_perms;
+ allow $1 innd_etc_t:file read_file_perms;
+ allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
+@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
+ type innd_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 innd_var_lib_t:dir list_dir_perms;
+ allow $1 innd_var_lib_t:file read_file_perms;
+ allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
+@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
+ type news_spool_t;
+ ')
+
++ files_search_spool($1)
+ allow $1 news_spool_t:dir list_dir_perms;
+ allow $1 news_spool_t:file read_file_perms;
+ allow $1 news_spool_t:lnk_file read_lnk_file_perms;
+@@ -195,8 +198,8 @@ interface(`inn_domtrans',`
+ interface(`inn_admin',`
+ gen_require(`
+ type innd_t, innd_etc_t, innd_log_t;
+- type news_spool_t, innd_var_lib_t;
+- type innd_var_run_t, innd_initrc_exec_t;
++ type news_spool_t, innd_var_lib_t, innd_var_run_t;
++ type innd_initrc_exec_t;
+ ')
+
+ allow $1 innd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
-index 9fab1dc..05119f7 100644
+index 9fab1dc..dc7dd01 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
-@@ -56,7 +56,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
+@@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
+ #
+ # Declarations
+ #
++
+ type innd_t;
+ type innd_exec_t;
+ init_daemon_domain(innd_t, innd_exec_t)
+@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t)
+ #
+ # Local policy
+ #
++
+ allow innd_t self:capability { dac_override kill setgid setuid };
+ dontaudit innd_t self:capability sys_tty_config;
+ allow innd_t self:process { setsched signal_perms };
+@@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+ can_exec(innd_t, innd_exec_t)
+
+ manage_files_pattern(innd_t, innd_log_t, innd_log_t)
+-allow innd_t innd_log_t:dir setattr;
++allow innd_t innd_log_t:dir setattr_dir_perms;
+ logging_log_filetrans(innd_t, innd_log_t, file)
+
+ manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+@@ -56,7 +58,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
@@ -18142,7 +20391,7 @@ index 9fab1dc..05119f7 100644
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
-@@ -105,6 +105,7 @@ sysnet_read_config(innd_t)
+@@ -105,6 +107,7 @@ sysnet_read_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
@@ -18170,139 +20419,132 @@ index 4c9acec..908eb91 100644
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
-index 9878499..f17e629 100644
+index 9878499..9167dc9 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
-@@ -1,17 +1,96 @@
+@@ -1,8 +1,82 @@
## Jabber instant messaging server
-########################################
+#######################################
- ##
--## Connect to jabber over a TCP socket (Deprecated)
-+## Execute a domain transition to run jabberd services
- ##
- ##
--##
--## Domain allowed access.
--##
+##
-+## Domain allowed to transition.
++## Execute a domain transition to run jabberd services
+##
++##
++##
++## Domain allowed to transition.
++##
+##
+#
+interface(`jabber_domtrans_jabberd',`
-+ gen_require(`
-+ type jabberd_t, jabberd_exec_t;
-+ ')
++ gen_require(`
++ type jabberd_t, jabberd_exec_t;
++ ')
+
-+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
++ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
+')
+
+######################################
+##
-+## Execute a domain transition to run jabberd router service
++## Execute a domain transition to run jabberd router service
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed to transition.
++##
+##
+#
+interface(`jabber_domtrans_jabberd_router',`
-+ gen_require(`
-+ type jabberd_router_t, jabberd_router_exec_t;
-+ ')
++ gen_require(`
++ type jabberd_router_t, jabberd_router_exec_t;
++ ')
+
-+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
++ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+##
-+## Read jabberd lib files.
++## Read jabberd lib files.
+##
+##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`jabber_tcp_connect',`
-- refpolicywarn(`$0($*) has been deprecated.')
++##
++## Domain allowed access.
++##
++##
++#
+interface(`jabberd_read_lib_files',`
-+ gen_require(`
-+ type jabberd_var_lib_t;
-+ ')
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+')
+
+#######################################
-+##
-+## Dontaudit inherited read jabberd lib files.
+ ##
+-## Connect to jabber over a TCP socket (Deprecated)
++## Dontaudit inherited read jabberd lib files.
+##
+##
-+##
-+## Domain to not audit.
-+##
++##
++## Domain to not audit.
++##
+##
+#
+interface(`jabberd_dontaudit_read_lib_files',`
-+ gen_require(`
-+ type jabberd_var_lib_t;
-+ ')
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
+
-+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
++ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
+##
-+## Create, read, write, and delete
-+## jabberd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
++## Create, read, write, and delete
++## jabberd lib files.
+ ##
+ ##
+ ##
+@@ -10,8 +84,13 @@
+ ##
+ ##
+ #
+-interface(`jabber_tcp_connect',`
+- refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_manage_lib_files',`
-+ gen_require(`
-+ type jabberd_var_lib_t;
-+ ')
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
++ files_search_var_lib($1)
++ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
')
########################################
-@@ -35,11 +114,15 @@ interface(`jabber_admin',`
+@@ -34,12 +113,15 @@ interface(`jabber_tcp_connect',`
+ interface(`jabber_admin',`
gen_require(`
type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
- type jabberd_var_run_t, jabberd_initrc_exec_t;
-+ type jabberd_router_t;
+- type jabberd_var_run_t, jabberd_initrc_exec_t;
++ type jabberd_var_run_t, jabberd_initrc_exec_t, jabberd_router_t;
')
allow $1 jabberd_t:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_t)
+ allow $1 jabberd_router_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, jabberd_router_t)
++ ps_process_pattern($1, jabberd_router_t)
+
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..975bbcd 100644
+index da2127e..5f8840f 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
-@@ -1,3 +1,4 @@
-+
- policy_module(jabber, 1.8.0)
-
- ########################################
-@@ -5,13 +6,19 @@ policy_module(jabber, 1.8.0)
+@@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0)
# Declarations
#
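Review bot: The three new lib-file interfaces are named `jabberd_read_lib_files`, `jabberd_dontaudit_read_lib_files` and `jabberd_manage_lib_files`, while every other interface in this file, including the new `jabber_domtrans_jabberd` and `jabber_domtrans_jabberd_router`, carries the module's `jabber_` prefix. Callers locate refpolicy interfaces by module prefix, so the `jabberd_` spelling is likely to be missed or taken for a separate module; renaming them to `jabber_read_lib_files`, `jabber_dontaudit_read_lib_files` and `jabber_manage_lib_files` before anything depends on them avoids a later deprecation cycle. The `jabber_admin` change at the end of the hunk adds `allow $1 jabberd_router_t:process { ptrace signal_perms };`, mirroring the existing `jabberd_t` line, which is consistent; that interface's body continues past the end of the hunk.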
@@ -18323,7 +20565,7 @@ index da2127e..975bbcd 100644
type jabberd_log_t;
logging_log_file(jabberd_log_t)
-@@ -21,40 +28,78 @@ files_type(jabberd_var_lib_t)
+@@ -21,40 +27,78 @@ files_type(jabberd_var_lib_t)
type jabberd_var_run_t;
files_pid_file(jabberd_var_run_t)
@@ -18354,10 +20596,14 @@ index da2127e..975bbcd 100644
+# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd
+manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t)
+logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })
-+
+
+-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
+manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t)
+files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file)
-+
+
+-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+corenet_all_recvfrom_unlabeled(jabberd_domain)
+corenet_all_recvfrom_netlabel(jabberd_domain)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
@@ -18379,32 +20625,28 @@ index da2127e..975bbcd 100644
+miscfiles_read_localization(jabberd_domain)
+
+sysnet_read_config(jabberd_domain)
-
--manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
--files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
++
+######################################
+#
+# Local policy for jabberd-router
+#
-+
+
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-
--manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
--logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
++
+optional_policy(`
-+ kerberos_use(jabberd_router_t)
++ kerberos_use(jabberd_router_t)
+')
+
+########################################
+#
+# Local policy for jabberd
+#
-
--manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
--files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
++
+allow jabberd_t self:capability dac_override;
+dontaudit jabberd_t self:capability sys_tty_config;
@@ -18426,7 +20668,7 @@ index da2127e..975bbcd 100644
corenet_tcp_bind_jabber_client_port(jabberd_t)
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-@@ -66,18 +111,9 @@ dev_read_rand(jabberd_t)
+@@ -66,18 +110,9 @@ dev_read_rand(jabberd_t)
domain_use_interactive_fds(jabberd_t)
@@ -18458,10 +20700,102 @@ index 3525d24..e5db539 100644
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
+index 604f67b..8c72504 100644
+--- a/policy/modules/services/kerberos.if
++++ b/policy/modules/services/kerberos.if
+@@ -26,9 +26,9 @@
+ ## Execute kadmind in the current domain
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`kerberos_exec_kadmind',`
+@@ -44,9 +44,9 @@ interface(`kerberos_exec_kadmind',`
+ ## Execute a domain transition to run kpropd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`kerberos_domtrans_kpropd',`
+@@ -69,8 +69,7 @@ interface(`kerberos_domtrans_kpropd',`
+ #
+ interface(`kerberos_use',`
+ gen_require(`
+- type krb5_conf_t, krb5kdc_conf_t;
+- type krb5_host_rcache_t;
++ type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t;
+ ')
+
+ files_search_etc($1)
+@@ -103,7 +102,7 @@ interface(`kerberos_use',`
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+
+- allow $1 krb5_host_rcache_t:file getattr;
++ allow $1 krb5_host_rcache_t:file getattr_file_perms;
+ ')
+
+ optional_policy(`
+@@ -235,7 +234,7 @@ template(`kerberos_keytab_template',`
+ type $1_keytab_t;
+ files_type($1_keytab_t)
+
+- allow $2 $1_keytab_t:file read_file_perms;
++ allow $2 $1_keytab_t:file read_file_perms;
+
+ kerberos_read_keytab($2)
+ kerberos_use($2)
+@@ -338,9 +337,8 @@ interface(`kerberos_admin',`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+- type krb5kdc_principal_t, krb5kdc_tmp_t;
++ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
+- type kpropd_t;
+ ')
+
+ allow $1 kadmind_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
-index 8edc29b..225e33f 100644
+index 8edc29b..744e7d6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
+@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
+ #
+
+ ##
+-##
+-## Allow confined applications to run with kerberos.
+-##
++##
++## Allow confined applications to run with kerberos.
++##
+ ##
+ gen_tunable(allow_kerberos, false)
+
+@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
+ dontaudit kadmind_t krb5_conf_t:file write;
+
+ read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
+-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
++dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+
+-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
++allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
+ allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+ filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
@@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
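Review bot: The widened `dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };` in kerberos.te silences denials for the whole permission set those macros expand to (open, append, lock, ioctl and getattr/setattr in addition to write), whereas the previous rule hid only the single `write` denial. Denials for kadmind trying to modify KDC configuration are exactly what a defender wants to keep in the audit log, so unless the extra denials have actually been observed as noise, keep `dontaudit kadmind_t krb5kdc_conf_t:file write;` or add a comment naming the AVC noise being suppressed. The `allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };` change in the same hunk is harmless, since `setattr_file_perms` only adds getattr, which `rw_file_perms` already carries.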
@@ -18484,7 +20818,13 @@ index 8edc29b..225e33f 100644
miscfiles_read_localization(kadmind_t)
seutil_read_file_contexts(kadmind_t)
-@@ -198,8 +202,7 @@ allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+@@ -193,13 +197,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+ read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
+ dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+
+-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
++allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
@@ -18502,6 +20842,46 @@ index 8edc29b..225e33f 100644
miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
+diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if
+index 835b16b..dd32883 100644
+--- a/policy/modules/services/kerneloops.if
++++ b/policy/modules/services/kerneloops.if
+@@ -5,15 +5,14 @@
+ ## Execute a domain transition to run kerneloops.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`kerneloops_domtrans',`
+ gen_require(`
+- type kerneloops_t;
+- type kerneloops_exec_t;
++ type kerneloops_t, kerneloops_exec_t;
+ ')
+
+ domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
+@@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',`
+ #
+ interface(`kerneloops_admin',`
+ gen_require(`
+- type kerneloops_t, kerneloops_initrc_exec_t;
+- type kerneloops_tmp_t;
++ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
+ ')
+
+ allow $1 kerneloops_t:process { ptrace signal_perms };
+@@ -111,5 +109,6 @@ interface(`kerneloops_admin',`
+ role_transition $2 kerneloops_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_tmp($1)
+ admin_pattern($1, kerneloops_tmp_t)
+ ')
diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
index 9c0c835..8360166 100644
--- a/policy/modules/services/ksmtuned.fc
@@ -18513,10 +20893,28 @@ index 9c0c835..8360166 100644
+
+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if
-index 6fd0b4c..d17f349 100644
+index 6fd0b4c..b733e45 100644
--- a/policy/modules/services/ksmtuned.if
+++ b/policy/modules/services/ksmtuned.if
-@@ -60,7 +60,7 @@ interface(`ksmtuned_admin',`
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ksmtuned.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ksmtuned_domtrans',`
+@@ -55,12 +55,11 @@ interface(`ksmtuned_initrc_domtrans',`
+ #
+ interface(`ksmtuned_admin',`
+ gen_require(`
+- type ksmtuned_t, ksmtuned_var_run_t;
+- type ksmtuned_initrc_exec_t;
++ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
')
allow $1 ksmtuned_t:process { ptrace signal_perms };
@@ -18525,8 +20923,14 @@ index 6fd0b4c..d17f349 100644
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
+@@ -70,5 +69,4 @@ interface(`ksmtuned_admin',`
+ domain_system_change_exemption($1)
+ role_transition $2 ksmtuned_initrc_exec_t system_r;
+ allow $2 system_r;
+-
+ ')
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
-index a73b7a1..ffe035c 100644
+index a73b7a1..01adbed 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -9,6 +9,9 @@ type ksmtuned_t;
@@ -18550,7 +20954,7 @@ index a73b7a1..ffe035c 100644
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
-@@ -31,9 +38,15 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +38,14 @@ kernel_read_system_state(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
@@ -18565,7 +20969,6 @@ index a73b7a1..ffe035c 100644
+term_use_all_terms(ksmtuned_t)
+
miscfiles_read_localization(ksmtuned_t)
-+
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index c62f23e..335fda1 100644
--- a/policy/modules/services/ldap.fc
@@ -18586,54 +20989,52 @@ index c62f23e..335fda1 100644
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..d15f94d 100644
+index 3aa8fa7..c51c1f6 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
-@@ -1,5 +1,43 @@
+@@ -1,5 +1,41 @@
## OpenLDAP directory server
+#######################################
+##
-+## Execute OpenLDAP in the ldap domain.
++## Execute OpenLDAP in the ldap domain.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`ldap_domtrans',`
-+ gen_require(`
-+ type slapd_t, slapd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, slapd_exec_t, slapd_t)
++ gen_require(`
++ type slapd_t, slapd_exec_t;
++ ')
+
++ domtrans_pattern($1, slapd_exec_t, slapd_t)
+')
+
+#######################################
+##
-+## Execute OpenLDAP server in the ldap domain.
++## Execute OpenLDAP server in the ldap domain.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`ldap_initrc_domtrans',`
-+ gen_require(`
-+ type slapd_initrc_exec_t;
-+ ')
++ gen_require(`
++ type slapd_initrc_exec_t;
++ ')
+
-+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
++ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
-+
########################################
##
## Read the contents of the OpenLDAP
-@@ -21,6 +59,25 @@ interface(`ldap_list_db',`
+@@ -21,6 +57,25 @@ interface(`ldap_list_db',`
########################################
##
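Review bot: The summary of the new `ldap_initrc_domtrans` interface reads "Execute OpenLDAP server in the ldap domain.", but its body calls `init_labeled_script_domtrans($1, slapd_initrc_exec_t)`, which runs the init script with a transition to the init-script domain rather than into `slapd_t`; the wording nearly duplicates `ldap_domtrans` directly above it and will mislead callers choosing between the two. Suggest `## Execute the OpenLDAP init script in the initrc domain.` for the summary and `## Domain allowed to transition.` for the parameter text, the latter matching the other domtrans interfaces elsewhere in this patch.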
@@ -18659,7 +21060,7 @@ index 3aa8fa7..d15f94d 100644
## Read the OpenLDAP configuration files.
##
##
-@@ -69,8 +126,30 @@ interface(`ldap_stream_connect',`
+@@ -69,8 +124,30 @@ interface(`ldap_stream_connect',`
')
files_search_pids($1)
@@ -18692,8 +21093,16 @@ index 3aa8fa7..d15f94d 100644
')
########################################
+@@ -110,6 +187,7 @@ interface(`ldap_admin',`
+
+ admin_pattern($1, slapd_lock_t)
+
++ files_list_var_lib($1)
+ admin_pattern($1, slapd_replog_t)
+
+ files_list_tmp($1)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..ee5e345 100644
+index 64fd1ff..10c2d54 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -18734,7 +21143,7 @@ index 64fd1ff..ee5e345 100644
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
-+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
+
+manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
@@ -18744,6 +21153,91 @@ index 64fd1ff..ee5e345 100644
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
+diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
+index 771e04b..81d98b3 100644
+--- a/policy/modules/services/likewise.if
++++ b/policy/modules/services/likewise.if
+@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+- allow $1_t likewise_var_lib_t:dir setattr;
++ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
+index ae9d49f..65e6d81 100644
+--- a/policy/modules/services/likewise.te
++++ b/policy/modules/services/likewise.te
+@@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
+ # Likewise DC location service local policy
+ #
+
+-allow netlogond_t self:capability {dac_override};
++allow netlogond_t self:capability dac_override;
+
+ manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if
+index 418cc81..5cfe950 100644
+--- a/policy/modules/services/lircd.if
++++ b/policy/modules/services/lircd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run lircd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`lircd_domtrans',`
+@@ -16,7 +16,6 @@ interface(`lircd_domtrans',`
+ ')
+
+ domain_auto_trans($1, lircd_exec_t, lircd_t)
+-
+ ')
+
+ ######################################
+@@ -44,9 +43,9 @@ interface(`lircd_stream_connect',`
+ ## Read lircd etc file
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`lircd_read_config',`
+@@ -76,8 +75,8 @@ interface(`lircd_read_config',`
+ #
+ interface(`lircd_admin',`
+ gen_require(`
+- type lircd_t, lircd_var_run_t;
+- type lircd_initrc_exec_t, lircd_etc_t;
++ type lircd_t, lircd_var_run_t, lircd_etc_t;
++ type lircd_initrc_exec_t;
+ ')
+
+ allow $1 lircd_t:process { ptrace signal_perms };
+@@ -88,9 +87,9 @@ interface(`lircd_admin',`
+ role_transition $2 lircd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, lircd_etc_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, lircd_var_run_t)
+ ')
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
index 6a78de1..02f6985 100644
--- a/policy/modules/services/lircd.te
@@ -18775,10 +21269,27 @@ index 6a78de1..02f6985 100644
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
-index a4f32f5..d801ec0 100644
+index a4f32f5..ea7dca0 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
-@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`lpd_role',`
+ gen_require(`
+@@ -27,7 +28,7 @@ interface(`lpd_role',`
+ dontaudit lpr_t $2:unix_stream_socket { read write };
+
+ ps_process_pattern($2, lpr_t)
+- allow $2 lpr_t:process signull;
++ allow $2 lpr_t:process { ptrace signal_perms };
+
+ optional_policy(`
+ cups_read_config($2)
+@@ -153,7 +154,7 @@ interface(`lpd_relabel_spool',`
')
files_search_spool($1)
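Review bot: `lpd_role` now grants the role's user domain `{ ptrace signal_perms }` over `lpr_t` where it previously had only `signull`. ptrace lets `$2` read and alter the memory of a running lpr process, which goes well beyond the status visibility a role interface usually needs, and `ps_process_pattern($2, lpr_t)` on the preceding line already covers inspection; either add a comment stating why ptrace is required here or reduce the grant to `allow $2 lpr_t:process signal_perms;` if it was added only to quiet signal denials. If `lpr_t` is only ever entered from `$2` itself (as `lpd_domtrans_lpr` further down suggests) the exposure is limited to the user's own print jobs, but the permission should still be deliberate. The `lpd_role` body starts and ends outside this nested hunk.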
@@ -18787,10 +21298,41 @@ index a4f32f5..d801ec0 100644
')
########################################
+@@ -186,7 +187,7 @@ interface(`lpd_read_config',`
+ ##
+ ##
+ #
+-template(`lpd_domtrans_lpr',`
++interface(`lpd_domtrans_lpr',`
+ gen_require(`
+ type lpr_t, lpr_exec_t;
+ ')
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..4d31118 100644
+index 93c14ca..80671d9 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
+@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
+ #
+
+ ##
+-##
+-## Use lpd server instead of cups
+-##
++##
++## Use lpd server instead of cups
++##
+ ##
+ gen_tunable(use_lpd_server, false)
+
+@@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+ delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+ files_search_spool(checkpc_t)
+
+-allow checkpc_t printconf_t:file getattr;
++allow checkpc_t printconf_t:file getattr_file_perms;
+ allow checkpc_t printconf_t:dir list_dir_perms;
+
+ kernel_read_system_state(checkpc_t)
@@ -145,9 +145,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
@@ -18803,6 +21345,24 @@ index 93c14ca..4d31118 100644
# Write to /var/spool/lpd.
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
+@@ -283,13 +284,13 @@ userdom_read_user_tmp_files(lpr_t)
+
+ tunable_policy(`use_lpd_server',`
+ # lpr can run in lightweight mode, without a local print spooler.
+- allow lpr_t lpd_var_run_t:dir search;
+- allow lpr_t lpd_var_run_t:sock_file write;
++ allow lpr_t lpd_var_run_t:dir search_dir_perms;
++ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
+ files_read_var_files(lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+- allow lpr_t printer_t:sock_file rw_sock_file_perms;
+- allow lpr_t lpd_t:unix_stream_socket connectto;
++ allow lpr_t printer_t:sock_file read_sock_file_perms;
++ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
+
@@ -308,12 +309,14 @@ tunable_policy(`use_lpd_server',`
')
@@ -18819,9 +21379,18 @@ index 93c14ca..4d31118 100644
fs_read_cifs_files(lpr_t)
fs_read_cifs_symlinks(lpr_t)
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
-index 67c7fdd..19bcae2 100644
+index 67c7fdd..84b7626 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
+@@ -16,7 +16,7 @@
+ ##
+ ##
+ #
+-template(`mailman_domain_template', `
++template(`mailman_domain_template',`
+ type mailman_$1_t;
+ domain_type(mailman_$1_t)
+ role system_r types mailman_$1_t;
@@ -74,7 +74,7 @@ template(`mailman_domain_template', `
corecmd_exec_all_executables(mailman_$1_t)
@@ -18832,9 +21401,21 @@ index 67c7fdd..19bcae2 100644
files_list_var_lib(mailman_$1_t)
files_read_var_lib_symlinks(mailman_$1_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
-index af4d572..ac97ed9 100644
+index af4d572..96e3c80 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
+@@ -61,9 +61,9 @@ optional_policy(`
+ # Mailman mail local policy
+ #
+
+-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+-allow mailman_mail_t self:process { signal signull };
+ allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
++allow mailman_mail_t self:process { signal signull };
++allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
@@ -81,6 +81,10 @@ optional_policy(`
')
@@ -18854,22 +21435,43 @@ index af4d572..ac97ed9 100644
\ No newline at end of file
+')
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
-index db4fd6f..ee60e59 100644
+index db4fd6f..5008a6c 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
-@@ -59,6 +59,7 @@ interface(`memcached_admin',`
+@@ -5,15 +5,14 @@
+ ## Execute a domain transition to run memcached.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`memcached_domtrans',`
gen_require(`
- type memcached_t;
- type memcached_initrc_exec_t;
-+ type memcached_var_run_t;
+- type memcached_t;
+- type memcached_exec_t;
++ type memcached_t, memcached_exec_t;
+ ')
+
+ domtrans_pattern($1, memcached_exec_t, memcached_t)
+@@ -57,8 +56,7 @@ interface(`memcached_read_pid_files',`
+ #
+ interface(`memcached_admin',`
+ gen_require(`
+- type memcached_t;
+- type memcached_initrc_exec_t;
++ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
allow $1 memcached_t:process { ptrace signal_perms };
-@@ -69,5 +70,6 @@ interface(`memcached_admin',`
+@@ -69,5 +67,6 @@ interface(`memcached_admin',`
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
-+ files_search_pids($1)
++ files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
')
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
@@ -18892,7 +21494,7 @@ index 55a3e2f..613c69d 100644
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
-index ed1af3c..a000225 100644
+index ed1af3c..d7e81f3 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -37,6 +37,8 @@ template(`milter_template',`
@@ -18904,7 +21506,22 @@ index ed1af3c..a000225 100644
miscfiles_read_localization($1_milter_t)
logging_send_syslog_msg($1_milter_t)
-@@ -82,6 +84,24 @@ interface(`milter_getattr_all_sockets',`
+@@ -57,7 +59,7 @@ interface(`milter_stream_connect_all',`
+ attribute milter_data_type, milter_domains;
+ ')
+
+- getattr_dirs_pattern($1, milter_data_type, milter_data_type)
++ files_search_pids($1)
+ stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+ ')
+
+@@ -76,12 +78,29 @@ interface(`milter_getattr_all_sockets',`
+ attribute milter_data_type;
+ ')
+
+- getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+ ')
########################################
##
@@ -18929,31 +21546,31 @@ index ed1af3c..a000225 100644
## Manage spamassassin milter state
##
##
-@@ -100,3 +120,22 @@ interface(`milter_manage_spamass_state',`
+@@ -100,3 +119,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+#######################################
+##
-+## Delete dkim-milter PID files.
++## Delete dkim-milter PID files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`milter_delete_dkim_pid_files',`
-+ gen_require(`
-+ type dkim_milter_data_t;
-+ ')
++ gen_require(`
++ type dkim_milter_data_t;
++ ')
+
-+ files_search_pids($1)
-+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
++ files_search_pids($1)
++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
-index 1b6dea0..6ba48ff 100644
+index 1b6dea0..f42a489 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.2.1)
@@ -18970,7 +21587,7 @@ index 1b6dea0..6ba48ff 100644
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
-@@ -20,6 +27,23 @@ milter_template(spamass)
+@@ -20,11 +27,27 @@ milter_template(spamass)
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
@@ -18980,7 +21597,6 @@ index 1b6dea0..6ba48ff 100644
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
-+
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
@@ -18994,6 +21610,35 @@ index 1b6dea0..6ba48ff 100644
########################################
#
# milter-greylist local policy
+-# ensure smtp clients retry mail like real MTAs and not spamware
+-# http://hcpnet.free.fr/milter-greylist/
++# ensure smtp clients retry mail like real MTAs and not spamware
++# http://hcpnet.free.fr/milter-greylist/
+ #
+
+ # It removes any existing socket (not owned by root) whilst running as root,
+@@ -52,8 +75,8 @@ mta_read_config(greylist_milter_t)
+ ########################################
+ #
+ # milter-regex local policy
+-# filter emails using regular expressions
+-# http://www.benzedrine.cx/milter-regex.html
++# filter emails using regular expressions
++# http://www.benzedrine.cx/milter-regex.html
+ #
+
+ # It removes any existing socket (not owned by root) whilst running as root
+@@ -72,8 +95,8 @@ mta_read_config(regex_milter_t)
+ ########################################
+ #
+ # spamass-milter local policy
+-# pipe emails through SpamAssassin
+-# http://savannah.nongnu.org/projects/spamass-milt/
++# pipe emails through SpamAssassin
++# http://savannah.nongnu.org/projects/spamass-milt/
+ #
+
+ # The milter runs from /var/lib/spamass-milter
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
new file mode 100644
index 0000000..42bb2a3
@@ -19008,11 +21653,10 @@ index 0000000..42bb2a3
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
new file mode 100644
-index 0000000..5a1698c
+index 0000000..d76fb11
--- /dev/null
+++ b/policy/modules/services/mock.if
-@@ -0,0 +1,238 @@
-+
+@@ -0,0 +1,236 @@
+## policy for mock
+
+########################################
@@ -19020,9 +21664,9 @@ index 0000000..5a1698c
+## Execute a domain transition to run mock.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`mock_domtrans',`
@@ -19033,7 +21677,6 @@ index 0000000..5a1698c
+ domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
-+
+########################################
+##
+## Search mock lib directories.
@@ -19069,7 +21712,7 @@ index 0000000..5a1698c
+ ')
+
+ files_search_var_lib($1)
-+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
@@ -19089,7 +21732,7 @@ index 0000000..5a1698c
+ ')
+
+ files_search_var_lib($1)
-+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
@@ -19108,7 +21751,7 @@ index 0000000..5a1698c
+ ')
+
+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
++ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+#########################################
@@ -19127,7 +21770,7 @@ index 0000000..5a1698c
+ ')
+
+ files_search_var_lib($1)
-+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
@@ -19146,7 +21789,7 @@ index 0000000..5a1698c
+ ')
+
+ files_search_var_lib($1)
-+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
@@ -19164,6 +21807,7 @@ index 0000000..5a1698c
+## The role to be allowed the mock domain.
+##
+##
++##
+#
+interface(`mock_run',`
+ gen_require(`
@@ -19188,10 +21832,11 @@ index 0000000..5a1698c
+## User domain for the role
+##
+##
++##
+#
+interface(`mock_role',`
+ gen_require(`
-+ type mock_t;
++ type mock_t;
+ ')
+
+ role $1 types mock_t;
@@ -19199,7 +21844,7 @@ index 0000000..5a1698c
+ mock_domtrans($2)
+
+ ps_process_pattern($2, mock_t)
-+ allow $2 mock_t:process signal;
++ allow $2 mock_t:process { ptrace signal_perms };
+')
+
+#######################################
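Review bot: `allow $2 mock_t:process { ptrace signal_perms };` at the end of `mock_role` hands the user role domain ptrace over mock_t, a domain that the same patch gives sys_admin, sys_ptrace, sys_chroot and dac_override in mock.te; ptrace on a more-privileged domain is the access pattern otherwise reserved for `mock_admin`, which grants the identical set. If the intent is only to let the user signal or stop the build it launched, `allow $2 mock_t:process signal_perms;` is enough and keeps the role interface from becoming a way to attach to a privileged process; if ptrace is really needed, a why-comment on the line would help. Whether the attach succeeds in practice also depends on the uid mock runs under and the kernel's own DAC checks, which are not visible here. The `mock_run` body above is only partly in the hunk.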
@@ -19239,23 +21884,21 @@ index 0000000..5a1698c
+#
+interface(`mock_admin',`
+ gen_require(`
-+ type mock_t;
-+ type mock_var_lib_t;
++ type mock_t, mock_var_lib_t;
+ ')
+
+ allow $1 mock_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mock_t)
+
-+ files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, mock_var_lib_t)
-+
+')
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
-index 0000000..6f8fda5
+index 0000000..b05a9cd
--- /dev/null
+++ b/policy/modules/services/mock.te
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,99 @@
+policy_module(mock,1.0.0)
+
+########################################
@@ -19285,6 +21928,7 @@ index 0000000..6f8fda5
+#
+# mock local policy
+#
++
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
@@ -19298,14 +21942,14 @@ index 0000000..6f8fda5
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
++files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
+can_exec(mock_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
++files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+can_exec(mock_t, mock_var_lib_t)
+allow mock_t mock_var_lib_t:dir mounton;
+
@@ -19354,6 +21998,22 @@ index 0000000..6f8fda5
+optional_policy(`
+ apache_read_sys_content_rw_files(mock_t)
+')
+diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if
+index 3368699..7a7fc02 100644
+--- a/policy/modules/services/modemmanager.if
++++ b/policy/modules/services/modemmanager.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run modemmanager.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`modemmanager_domtrans',`
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index b3ace16..3dd940c 100644
--- a/policy/modules/services/modemmanager.te
@@ -19387,27 +22047,36 @@ index b3ace16..3dd940c 100644
udev_read_db(modemmanager_t)
')
diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if
-index 657a9fc..cf7968d 100644
+index 657a9fc..88e7330 100644
--- a/policy/modules/services/mojomojo.if
+++ b/policy/modules/services/mojomojo.if
-@@ -21,13 +21,16 @@ interface(`mojomojo_admin',`
+@@ -19,18 +19,20 @@
+ #
+ interface(`mojomojo_admin',`
gen_require(`
- type httpd_mojomojo_script_t;
- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
+- type httpd_mojomojo_script_t;
+- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
- type httpd_mojomojo_rw_content_t;
-+ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t;
- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
+- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
++ type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
++ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t;
++ type httpd_mojomojo_script_exec_t;
')
allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
ps_process_pattern($1, httpd_mojomojo_script_t)
+- files_search_var_lib(httpd_mojomojo_script_t)
+ files_list_tmp($1)
+ admin_pattern($1, httpd_mojomojo_tmp_t)
-+
- files_search_var_lib(httpd_mojomojo_script_t)
- apache_search_sys_content($1)
+- apache_search_sys_content($1)
++ files_list_var_lib(httpd_mojomojo_script_t)
++
++ apache_list_sys_content($1)
+ admin_pattern($1, httpd_mojomojo_script_exec_t)
+ admin_pattern($1, httpd_mojomojo_script_t)
+ admin_pattern($1, httpd_mojomojo_content_t)
diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te
index 83f002c..ed69996 100644
--- a/policy/modules/services/mojomojo.te
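Review bot: `files_list_var_lib(httpd_mojomojo_script_t)` in `mojomojo_admin` passes the daemon type as the subject where every surrounding rule in the interface takes `$1`; since this is the admin interface, the intended subject is presumably the administrator domain, and as written the call grants the script domain var_lib listing as a side effect of every `mojomojo_admin` invocation. The old line had the same subject, so this is not new, but rewriting the line is the moment to fix it: `files_list_var_lib($1)`. The interface body continues past the hunk, so whether the script domain is meant to get this access elsewhere cannot be confirmed from here.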
@@ -19451,11 +22120,10 @@ index 0000000..564b22d
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
new file mode 100644
-index 0000000..5599d14
+index 0000000..311aaed
--- /dev/null
+++ b/policy/modules/services/mpd.if
-@@ -0,0 +1,273 @@
-+
+@@ -0,0 +1,267 @@
+## policy for daemon for playing music
+
+########################################
@@ -19463,9 +22131,9 @@ index 0000000..5599d14
+## Execute a domain transition to run mpd.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`mpd_domtrans',`
@@ -19476,7 +22144,6 @@ index 0000000..5599d14
+ domtrans_pattern($1, mpd_exec_t, mpd_t)
+')
+
-+
+########################################
+##
+## Execute mpd server in the mpd domain.
@@ -19497,79 +22164,79 @@ index 0000000..5599d14
+
+#######################################
+##
-+## Read mpd data files.
++## Read mpd data files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`mpd_read_data_files',`
-+ gen_require(`
-+ type mpd_data_t;
-+ ')
++ gen_require(`
++ type mpd_data_t;
++ ')
+
+ mpd_search_lib($1)
-+ read_files_pattern($1, mpd_data_t, mpd_data_t)
++ read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+#######################################
+##
-+## Read mpd tmpfs files.
++## Read mpd tmpfs files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`mpd_read_tmpfs_files',`
-+ gen_require(`
-+ type mpd_tmpfs_t;
-+ ')
++ gen_require(`
++ type mpd_tmpfs_t;
++ ')
+
+ fs_search_tmpfs($1)
-+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
++ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+###################################
+##
-+## Manage mpd tmpfs files.
++## Manage mpd tmpfs files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`mpd_manage_tmpfs_files',`
-+ gen_require(`
-+ type mpd_tmpfs_t;
-+ ')
++ gen_require(`
++ type mpd_tmpfs_t;
++ ')
+
+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
-+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
++ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
++ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+######################################
+##
-+## Manage mpd data files.
++## Manage mpd data files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`mpd_manage_data_files',`
-+ gen_require(`
-+ type mpd_data_t;
-+ ')
++ gen_require(`
++ type mpd_data_t;
++ ')
+
-+ mpd_search_lib($1)
-+ manage_files_pattern($1, mpd_data_t, mpd_data_t)
++ mpd_search_lib($1)
++ manage_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+########################################
@@ -19607,7 +22274,7 @@ index 0000000..5599d14
+ ')
+
+ files_search_var_lib($1)
-+ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
++ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
@@ -19627,36 +22294,37 @@ index 0000000..5599d14
+ ')
+
+ files_search_var_lib($1)
-+ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
++ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+#######################################
+##
-+## Create an object in the root directory, with a private
-+## type using a type transition.
++## Create an object in the root directory, with a private
++## type using a type transition.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+##
-+##
-+## The type of the object to be created.
-+##
++##
++## The type of the object to be created.
++##
+##
+##
-+##
-+## The object class of the object being created.
-+##
++##
++## The object class of the object being created.
++##
+##
+#
+interface(`mpd_var_lib_filetrans',`
-+ gen_require(`
-+ type mpd_var_lib_t;
-+ ')
++ gen_require(`
++ type mpd_var_lib_t;
++ ')
+
-+ filetrans_pattern($1, mpd_var_lib_t, $2, $3)
++ files_search_var_lib($1)
++ filetrans_pattern($1, mpd_var_lib_t, $2, $3)
+')
+
+########################################
@@ -19675,7 +22343,7 @@ index 0000000..5599d14
+ ')
+
+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
++ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
@@ -19697,12 +22365,8 @@ index 0000000..5599d14
+#
+interface(`mpd_admin',`
+ gen_require(`
-+ type mpd_t;
-+ type mpd_initrc_exec_t;
-+ type mpd_etc_t;
-+ type mpd_data_t;
-+ type mpd_log_t;
-+ type mpd_var_lib_t;
++ type mpd_t, mpd_initrc_exec_t, mpd_etc_t;
++ type mpd_data_t, mpd_log_t, mpd_var_lib_t;
+ type mpd_tmpfs_t;
+ ')
+
@@ -19715,26 +22379,25 @@ index 0000000..5599d14
+ allow $2 system_r;
+
+ admin_pattern($1, mpd_etc_t)
-+ files_search_etc($1)
++ files_list_etc($1)
+
-+ files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, mpd_var_lib_t)
-+
-+ mpd_search_lib($1)
++
+ admin_pattern($1, mpd_data_t)
+
+ admin_pattern($1, mpd_log_t)
+
-+ fs_search_tmpfs($1)
++ fs_list_tmpfs($1)
+ admin_pattern($1, mpd_tmpfs_t)
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
-index 0000000..71464f6
+index 0000000..84bc8bb
--- /dev/null
+++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,111 @@
-+policy_module(mpd,1.0.0)
+@@ -0,0 +1,110 @@
++policy_module(mpd, 1.0.0)
+
+########################################
+#
@@ -19777,7 +22440,6 @@ index 0000000..71464f6
+#cjp: dac_override bug in mpd relating to mpd.log file
+allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:process { getsched setsched setrlimit signal signull };
-+
+allow mpd_t self:fifo_file rw_fifo_file_perms;
+allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mpd_t self:tcp_socket create_stream_socket_perms;
@@ -19838,12 +22500,12 @@ index 0000000..71464f6
+
+optional_policy(`
+ pulseaudio_exec(mpd_t)
-+ pulseaudio_stream_connect(mpd_t)
-+ pulseaudio_signull(mpd_t)
++ pulseaudio_stream_connect(mpd_t)
++ pulseaudio_signull(mpd_t)
+')
+
+optional_policy(`
-+ udev_read_db(mpd_t)
++ udev_read_db(mpd_t)
+')
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 256166a..c526ce8 100644
@@ -19867,10 +22529,38 @@ index 256166a..c526ce8 100644
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..a9ebda2 100644
+index 343cee3..2f948ad 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
-@@ -220,6 +220,25 @@ interface(`mta_agent_executable',`
+@@ -37,9 +37,9 @@ interface(`mta_stub',`
+ ## is the prefix for user_t).
+ ##
+ ##
++##
+ #
+ template(`mta_base_mail_template',`
+-
+ gen_require(`
+ attribute user_mail_domain;
+ type sendmail_exec_t;
+@@ -158,6 +158,7 @@ template(`mta_base_mail_template',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`mta_role',`
+ gen_require(`
+@@ -169,7 +170,7 @@ interface(`mta_role',`
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+- allow $2 sendmail_exec_t:lnk_file { getattr read };
++ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+@@ -220,6 +221,25 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
@@ -19879,23 +22569,31 @@ index 343cee3..a9ebda2 100644
+## Dontaudit read and write an leaked file descriptors
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain to not audit.
++##
+##
+#
+interface(`mta_dontaudit_leaks_system_mail',`
-+ gen_require(`
-+ type system_mail_t;
-+ ')
++ gen_require(`
++ type system_mail_t;
++ ')
+
-+ dontaudit $1 system_mail_t:fifo_file write;
-+ dontaudit $1 system_mail_t:tcp_socket { read write };
++ dontaudit $1 system_mail_t:fifo_file write;
++ dontaudit $1 system_mail_t:tcp_socket { read write };
+')
+
########################################
##
## Make the specified type by a system MTA.
+@@ -306,7 +326,6 @@ interface(`mta_mailserver_sender',`
+ interface(`mta_mailserver_delivery',`
+ gen_require(`
+ attribute mailserver_delivery;
+- type mail_spool_t;
+ ')
+
+ typeattribute $1 mailserver_delivery;
@@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',`
')
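Review bot: dropping `type mail_spool_t;` from the gen_require of `mta_mailserver_delivery` is only safe if the interface body no longer references mail_spool_t; the body continues after the visible `typeattribute $1 mailserver_delivery;` and runs past the hunk, so that cannot be confirmed here. If any remaining rule still names the type, modules that call the interface will fail to build unless they happen to require mail_spool_t themselves. A quick check of the rest of the interface before merging would settle it.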
@@ -19909,18 +22607,29 @@ index 343cee3..a9ebda2 100644
')
########################################
-@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
+@@ -350,9 +363,8 @@ interface(`mta_mailserver_user_agent',`
+ #
+ interface(`mta_send_mail',`
+ gen_require(`
+- attribute mta_user_agent;
++ attribute mta_user_agent, mta_exec_type;
+ type system_mail_t;
+- attribute mta_exec_type;
+ ')
+
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+@@ -362,6 +374,10 @@ interface(`mta_send_mail',`
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+
-+ ifdef(`hide_broken_symptoms', `
++ ifdef(`hide_broken_symptoms',`
+ dontaudit system_mail_t $1:socket_class_set { read write };
+ ')
')
########################################
-@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
+@@ -391,12 +407,15 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -19938,7 +22647,15 @@ index 343cee3..a9ebda2 100644
')
########################################
-@@ -420,6 +440,25 @@ interface(`mta_signal_system_mail',`
+@@ -409,7 +428,6 @@ interface(`mta_sendmail_domtrans',`
+ ##
+ ##
+ #
+-#
+ interface(`mta_signal_system_mail',`
+ gen_require(`
+ type system_mail_t;
+@@ -420,6 +438,24 @@ interface(`mta_signal_system_mail',`
########################################
##
@@ -19950,7 +22667,6 @@ index 343cee3..a9ebda2 100644
+##
+##
+#
-+#
+interface(`mta_kill_system_mail',`
+ gen_require(`
+ type system_mail_t;
@@ -19964,26 +22680,57 @@ index 343cee3..a9ebda2 100644
## Execute sendmail in the caller domain.
##
##
-@@ -474,7 +513,8 @@ interface(`mta_write_config',`
+@@ -474,7 +510,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
- write_files_pattern($1, etc_mail_t, etc_mail_t)
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
-+ allow $1 etc_mail_t:file setattr;
++ allow $1 etc_mail_t:file setattr_file_perms;
')
########################################
-@@ -698,7 +738,7 @@ interface(`mta_rw_spool',`
+@@ -552,7 +589,7 @@ interface(`mta_rw_aliases',`
+ ')
+
+ files_search_etc($1)
+- allow $1 etc_aliases_t:file { rw_file_perms setattr };
++ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
+ ')
+
+ #######################################
+@@ -646,8 +683,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+
+ files_dontaudit_search_spool($1)
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
+- dontaudit $1 mail_spool_t:lnk_file read;
+- dontaudit $1 mail_spool_t:file getattr;
++ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 mail_spool_t:file getattr_file_perms;
+ ')
+
+ #######################################
+@@ -697,8 +734,8 @@ interface(`mta_rw_spool',`
+
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file setattr;
+- allow $1 mail_spool_t:file setattr;
- rw_files_pattern($1, mail_spool_t, mail_spool_t)
++ allow $1 mail_spool_t:file setattr_file_perms;
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -899,3 +939,43 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -838,7 +875,7 @@ interface(`mta_dontaudit_rw_queue',`
+ ')
+
+ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
+- dontaudit $1 mqueue_spool_t:file { getattr read write };
++ dontaudit $1 mqueue_spool_t:file rw_file_perms;
+ ')
+
+ ########################################
+@@ -899,3 +936,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
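Review bot: `dontaudit $1 mqueue_spool_t:file rw_file_perms;` in `mta_dontaudit_rw_queue` widens the suppressed set from `{ getattr read write }` to the full rw_file_perms macro, which in refpolicy's permission sets also covers open, append, ioctl and lock; because this is a dontaudit, the effect is less audit visibility for callers touching the mail queue rather than more access. If those extra denials were actually observed, the wider set is fine but deserves a short comment, e.g. `# also hides open/append/ioctl/lock noise on the queue`; otherwise keep the original explicit set. The other macro substitutions in this hunk (`setattr_file_perms`, `read_lnk_file_perms`, `getattr_file_perms`) are plain equivalents and need nothing.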
@@ -20005,30 +22752,37 @@ index 343cee3..a9ebda2 100644
+##
+#
+interface(`mta_filetrans_aliases',`
++ gen_require(`
++ type etc_aliases_t;
++ ')
++
+ filetrans_pattern($1, $2, etc_aliases_t, file)
+')
+
+######################################
+##
-+## ALlow domain to read mail content in the homedir
++## ALlow domain to read mail content in the homedir
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`mta_read_home',`
-+ gen_require(`
-+ type mail_home_t;
-+ ')
++ gen_require(`
++ type mail_home_t;
++ ')
+
-+ userdom_search_user_home_dirs($1)
-+ userdom_search_admin_dir($1)
-+ read_files_pattern($1, mail_home_t, mail_home_t)
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, mail_home_t, mail_home_t)
++
++ ifdef(`distro_redhat',`
++ userdom_search_admin_dir($1)
++ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..f99b9fc 100644
+index 64268e4..36e64e9 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
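Review bot: the summary line of `mta_read_home`, `## ALlow domain to read mail content in the homedir`, carries a stray capital and is reproduced verbatim on the new side; `## Allow domain to read mail content in the homedir` reads as intended. The interface itself is fine, and the added gen_require for etc_aliases_t in `mta_filetrans_aliases` closes a real omission.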
@@ -20075,7 +22829,7 @@ index 64268e4..f99b9fc 100644
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,6 +82,12 @@ optional_policy(`
+@@ -92,17 +82,28 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -20088,7 +22842,12 @@ index 64268e4..f99b9fc 100644
')
optional_policy(`
-@@ -103,6 +99,11 @@ optional_policy(`
+ arpwatch_manage_tmp_files(system_mail_t)
+
+- ifdef(`hide_broken_symptoms', `
++ ifdef(`hide_broken_symptoms',`
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
')
optional_policy(`
@@ -20164,6 +22923,15 @@ index 64268e4..f99b9fc 100644
smartmon_read_tmp_files(system_mail_t)
')
+@@ -199,7 +194,7 @@ optional_policy(`
+ arpwatch_search_data(mailserver_delivery)
+ arpwatch_manage_tmp_files(mta_user_agent)
+
+- ifdef(`hide_broken_symptoms', `
++ ifdef(`hide_broken_symptoms',`
+ arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+ ')
+
@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -20191,7 +22959,7 @@ index 64268e4..f99b9fc 100644
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +293,44 @@ optional_policy(`
+@@ -292,3 +293,42 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -20216,8 +22984,6 @@ index 64268e4..f99b9fc 100644
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
+
-+
-+
+optional_policy(`
+ # postfix needs this for newaliases
+ files_getattr_tmp_dirs(user_mail_domain)
@@ -20249,7 +23015,7 @@ index fd71d69..bad9920 100644
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
-index c358d8f..dda8ca9 100644
+index c358d8f..92c9dca 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -13,10 +13,11 @@
@@ -20266,12 +23032,11 @@ index c358d8f..dda8ca9 100644
type $1_munin_plugin_exec_t;
typealias $1_munin_plugin_t alias munin_$1_plugin_t;
typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
-@@ -36,17 +37,8 @@ template(`munin_plugin_template',`
+@@ -36,17 +37,7 @@ template(`munin_plugin_template',`
# automatic transition rules from munin domain
# to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
-+ allow munin_t $1_munin_plugin_t:process signal;
-
+-
- allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
-
@@ -20282,10 +23047,11 @@ index c358d8f..dda8ca9 100644
- corecmd_exec_bin($1_munin_plugin_t)
-
- miscfiles_read_localization($1_munin_plugin_t)
++ allow munin_t $1_munin_plugin_t:process signal;
')
########################################
-@@ -65,9 +57,8 @@ interface(`munin_stream_connect',`
+@@ -65,9 +56,8 @@ interface(`munin_stream_connect',`
type munin_var_run_t, munin_t;
')
@@ -20296,33 +23062,48 @@ index c358d8f..dda8ca9 100644
')
#######################################
-@@ -92,6 +83,24 @@ interface(`munin_read_config',`
+@@ -88,10 +78,28 @@ interface(`munin_read_config',`
+
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+- allow $1 munin_etc_t:lnk_file { getattr read };
++ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
files_search_etc($1)
')
+######################################
+##
-+## dontaudit read and write an leaked file descriptors
++## dontaudit read and write an leaked file descriptors
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain to not audit.
++##
+##
+#
+interface(`munin_dontaudit_leaks',`
-+ gen_require(`
-+ type munin_t;
-+ ')
++ gen_require(`
++ type munin_t;
++ ')
+
-+ dontaudit $1 munin_t:tcp_socket { read write };
++ dontaudit $1 munin_t:tcp_socket { read write };
+')
+
#######################################
##
## Append to the munin log.
+@@ -172,8 +180,7 @@ interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+- type httpd_munin_content_t;
+- type munin_initrc_exec_t;
++ type httpd_munin_content_t, munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..13d365d 100644
+index f17583b..6f8b0fd 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -20395,7 +23176,7 @@ index f17583b..13d365d 100644
# local policy for disk plugins
#
-+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
++allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -20503,7 +23284,7 @@ index f17583b..13d365d 100644
+
+miscfiles_read_localization(munin_plugin_domain)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..b81e257 100644
+index e9c0982..4d3b208 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',`
@@ -20514,11 +23295,65 @@ index e9c0982..b81e257 100644
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
+@@ -252,7 +253,7 @@ interface(`mysql_write_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 mysqld_log_t:file { write_file_perms setattr };
++ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
+ ')
+
+ ######################################
+@@ -329,10 +330,9 @@ interface(`mysql_search_pid_files',`
+ #
+ interface(`mysql_admin',`
+ gen_require(`
+- type mysqld_t, mysqld_var_run_t;
+- type mysqld_tmp_t, mysqld_db_t;
+- type mysqld_etc_t, mysqld_log_t;
+- type mysqld_initrc_exec_t;
++ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
++ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
++ type mysqld_etc_t;
+ ')
+
+ allow $1 mysqld_t:process { ptrace signal_perms };
+@@ -343,13 +343,17 @@ interface(`mysql_admin',`
+ role_transition $2 mysqld_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_pids($1)
+ admin_pattern($1, mysqld_var_run_t)
+
+ admin_pattern($1, mysqld_db_t)
+
++ files_list_etc($1)
+ admin_pattern($1, mysqld_etc_t)
+
++ logging_list_logs($1)
+ admin_pattern($1, mysqld_log_t)
+
++ files_list_tmp($1)
+ admin_pattern($1, mysqld_tmp_t)
+ ')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..b370d53 100644
+index 0a0d63c..086df22 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
-@@ -64,6 +64,7 @@ allow mysqld_t self:udp_socket create_socket_perms;
+@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
+ #
+
+ ##
+-##
+-## Allow mysqld to connect to all ports
+-##
++##
++## Allow mysqld to connect to all ports
++##
+ ##
+ gen_tunable(mysql_connect_any, false)
+
+@@ -64,11 +64,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -20526,6 +23361,12 @@ index 0a0d63c..b370d53 100644
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+ allow mysqld_t mysqld_etc_t:file read_file_perms;
+-allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
++allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+ allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+
+ allow mysqld_t mysqld_log_t:file manage_file_perms;
@@ -78,9 +79,10 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
@@ -20538,15 +23379,25 @@ index 0a0d63c..b370d53 100644
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
-@@ -156,6 +158,7 @@ optional_policy(`
+@@ -127,8 +129,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ userdom_read_user_home_content_files(mysqld_t)
+
+ ifdef(`distro_redhat',`
+- # because Fedora has the sock_file in the database directory
+- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
++ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+ ')
+
+ tunable_policy(`mysql_connect_any',`
+@@ -155,6 +156,7 @@ optional_policy(`
+
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
- allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_safe_t self:process { setsched getsched setrlimit };
+ allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-
-@@ -175,6 +178,7 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -175,6 +177,7 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
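Review bot: the `distro_redhat` block in mysql.te loses its why-comment: `# because Fedora has the sock_file in the database directory` explained the old type_transition and is not carried over to `filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)`, although the reason is unchanged and is exactly what a reader of the ifdef needs. Keep the comment above the new line. Note that refpolicy's filetrans_pattern also grants rw_dir_perms on the parent directory in addition to the transition; mysqld_t already has manage_dirs_pattern on mysqld_db_t earlier in the file, so this is redundancy rather than a widening.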
@@ -20555,10 +23406,38 @@ index 0a0d63c..b370d53 100644
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
-index 8581040..e3c8272 100644
+index 8581040..89e1edf 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
-@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',`
+@@ -12,10 +12,8 @@
+ ##
+ #
+ template(`nagios_plugin_template',`
+-
+ gen_require(`
+- type nagios_t, nrpe_t;
+- type nagios_log_t;
++ type nagios_t, nrpe_t, nagios_log_t;
+ ')
+
+ type nagios_$1_plugin_t;
+@@ -26,6 +24,7 @@ template(`nagios_plugin_template',`
+ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
++ allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };
+
+ # needed by command.cfg
+ domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+@@ -49,7 +48,6 @@ template(`nagios_plugin_template',`
+ ## Domain to not audit.
+ ##
+ ##
+-##
+ #
+ interface(`nagios_dontaudit_rw_pipes',`
+ gen_require(`
+@@ -159,6 +157,26 @@ interface(`nagios_read_tmp_files',`
########################################
##
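Review bot: `allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };` is added beside the nrpe domtrans, but the template also has `domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)` two lines later with no matching rule, so whether nagios_t can stop a plugin it launched now depends on policy outside this hunk. If the grant exists so nrpe can terminate a plugin that overruns its timeout (the hunk does not say), record that in a comment such as `# nrpe terminates plugins that exceed their command timeout` and confirm whether nagios_t needs the same. The template's body continues outside the hunk.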
@@ -20585,8 +23464,23 @@ index 8581040..e3c8272 100644
## Execute the nagios NRPE with
## a domain transition.
##
+@@ -195,11 +213,9 @@ interface(`nagios_domtrans_nrpe',`
+ #
+ interface(`nagios_admin',`
+ gen_require(`
+- type nagios_t, nrpe_t;
+- type nagios_tmp_t, nagios_log_t;
+- type nagios_etc_t, nrpe_etc_t;
+- type nagios_spool_t, nagios_var_run_t;
+- type nagios_initrc_exec_t;
++ type nagios_t, nrpe_t, nagios_initrc_exec_t;
++ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
++ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
+ ')
+
+ allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..1029389 100644
+index da5b33d..61a3920 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@@ -20617,7 +23511,31 @@ index da5b33d..1029389 100644
netutils_kill_ping(nagios_t)
')
-@@ -340,6 +338,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -143,6 +141,7 @@ optional_policy(`
+ #
+ # Nagios CGI local policy
+ #
++
+ optional_policy(`
+ apache_content_template(nagios)
+ typealias httpd_nagios_script_t alias nagios_cgi_t;
+@@ -270,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+ #
+
+ allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+-
+ allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
+@@ -323,7 +321,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+
+ allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
+ allow nagios_services_plugin_t self:process { signal sigkill };
+-
+ allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+
+@@ -340,6 +337,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -20642,19 +23560,33 @@ index 386543b..d15cc4b 100644
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..1a1bfe4 100644
+index 2324d9e..8069487 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
-@@ -137,6 +137,27 @@ interface(`networkmanager_dbus_chat',`
+@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
+ ## Allow caller to relabel tun_socket
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`networkmanager_attach_tun_iface',`
+@@ -137,6 +137,28 @@ interface(`networkmanager_dbus_chat',`
########################################
##
-+## Send and receive messages from
-+## NetworkManager over dbus.
++## Do not audit attempts to send and
++## receive messages from NetworkManager
++## over dbus.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
@@ -20673,7 +23605,7 @@ index 2324d9e..1a1bfe4 100644
## Send a generic signal to NetworkManager
##
##
-@@ -191,3 +212,50 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +213,50 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -20685,12 +23617,12 @@ index 2324d9e..1a1bfe4 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
+##
+##
-+## The role to be allowed the NetworkManager domain.
++## Role allowed access.
+##
+##
+##
@@ -20845,9 +23777,18 @@ index 15448d5..0c97dab 100644
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..c42c268 100644
+index abe3f7f..995a6cb 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
+@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
+ allow $1 self:udp_socket create_socket_perms;
+
+ allow $1 var_yp_t:dir list_dir_perms;
+- allow $1 var_yp_t:lnk_file { getattr read };
++ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
+ allow $1 var_yp_t:file read_file_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
@@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
@@ -20864,14 +23805,96 @@ index abe3f7f..c42c268 100644
corenet_tcp_connect_generic_port($1)
corenet_dontaudit_tcp_connect_all_ports($1)
corenet_sendrecv_portmap_client_packets($1)
-diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..ded2734 100644
---- a/policy/modules/services/nscd.if
-+++ b/policy/modules/services/nscd.if
-@@ -121,6 +121,24 @@ interface(`nscd_socket_use',`
+@@ -243,25 +243,6 @@ interface(`nis_read_ypbind_pid',`
########################################
##
+-## Delete ypbind pid files.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`nis_delete_ypbind_pid',`
+- gen_require(`
+- type ypbind_t;
+- ')
+-
+- # TODO: add delete pid from dir call to files
+- allow $1 ypbind_t:file unlink;
+-')
+-
+-########################################
+-##
+ ## Read ypserv configuration files.
+ ##
+ ##
+@@ -354,10 +335,10 @@ interface(`nis_initrc_domtrans_ypbind',`
+ #
+ interface(`nis_admin',`
+ gen_require(`
+- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
++ type ypbind_t, yppasswdd_t, ypserv_t;
+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+- type ypbind_initrc_exec_t, nis_initrc_exec_t;
++ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
+ ')
+
+ allow $1 ypbind_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
+index 4876cae..5f2ba87 100644
+--- a/policy/modules/services/nis.te
++++ b/policy/modules/services/nis.te
+@@ -55,10 +55,11 @@ files_pid_file(ypxfr_var_run_t)
+ ########################################
+ #
+ # ypbind local policy
++#
+
+ dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+-allow ypbind_t self:fifo_file rw_fifo_file_perms;
+ allow ypbind_t self:process signal_perms;
++allow ypbind_t self:fifo_file rw_fifo_file_perms;
+ allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+ allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ypbind_t self:tcp_socket create_stream_socket_perms;
+@@ -142,8 +143,8 @@ optional_policy(`
+
+ allow yppasswdd_t self:capability dac_override;
+ dontaudit yppasswdd_t self:capability sys_tty_config;
+-allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+ allow yppasswdd_t self:process { getsched setfscreate signal_perms };
++allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+ allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+ allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+ allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -224,8 +225,8 @@ optional_policy(`
+ #
+
+ dontaudit ypserv_t self:capability sys_tty_config;
+-allow ypserv_t self:fifo_file rw_fifo_file_perms;
+ allow ypserv_t self:process signal_perms;
++allow ypserv_t self:fifo_file rw_fifo_file_perms;
+ allow ypserv_t self:unix_dgram_socket create_socket_perms;
+ allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
+ allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
+index 85188dc..99cefb8 100644
+--- a/policy/modules/services/nscd.if
++++ b/policy/modules/services/nscd.if
+@@ -116,7 +116,25 @@ interface(`nscd_socket_use',`
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+- dontaudit $1 nscd_var_run_t:file { getattr read };
++ dontaudit $1 nscd_var_run_t:file read_file_perms;
++')
++
++########################################
++##
+## Use nscd services
+##
+##
@@ -20886,14 +23909,28 @@ index 85188dc..ded2734 100644
+ ',`
+ nscd_socket_use($1)
+ ')
-+')
+ ')
+
+ ########################################
+@@ -146,11 +164,14 @@ interface(`nscd_shm_use',`
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+- allow $1 nscd_t:unix_stream_socket connectto;
+- allow $1 nscd_var_run_t:sock_file rw_file_perms;
+
-+########################################
-+##
- ## Use NSCD services by mapping the database from
- ## an inherited NSCD file descriptor.
- ##
-@@ -168,7 +186,7 @@ interface(`nscd_dontaudit_search_pid',`
++ # dg: This may not be required.
++ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
++
++ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+- dontaudit $1 nscd_var_run_t:file { getattr read };
++ dontaudit $1 nscd_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -168,7 +189,7 @@ interface(`nscd_dontaudit_search_pid',`
type nscd_var_run_t;
')
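Review bot: `# dg: This may not be required.` above `allow $1 nscd_var_run_t:sock_file read_sock_file_perms;` in `nscd_shm_use` leaves a grant in the policy whose only recorded justification is a doubt. Connecting to the daemon does not need read on the socket file — the `stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)` two lines below already grants `write` on it and `connectto` to nscd_t — so either drop the line once no denials are observed without it, or replace the comment with the caller that actually needs read access. The interface's opening line is outside the hunk.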
@@ -20902,8 +23939,16 @@ index 85188dc..ded2734 100644
')
########################################
+@@ -224,6 +245,7 @@ interface(`nscd_unconfined',`
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`nscd_run',`
+ gen_require(`
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..6a174f5 100644
+index 7936e09..6b54db7 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,9 +1,16 @@
@@ -20915,9 +23960,9 @@ index 7936e09..6a174f5 100644
')
+##
-+##
-+## Allow confined applications to use nscd shared memory.
-+##
++##
++## Allow confined applications to use nscd shared memory.
++##
+##
+gen_tunable(nscd_use_shm, false)
+
@@ -20964,7 +24009,7 @@ index 7936e09..6a174f5 100644
cron_read_system_job_tmp_files(nscd_t)
')
-@@ -127,3 +140,16 @@ optional_policy(`
+@@ -127,3 +140,17 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -20974,6 +24019,7 @@ index 7936e09..6a174f5 100644
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
++
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
@@ -20982,29 +24028,57 @@ index 7936e09..6a174f5 100644
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
-index 23c769c..b94add1 100644
+index 23c769c..be5a5b4 100644
--- a/policy/modules/services/nslcd.if
+++ b/policy/modules/services/nslcd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run nslcd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`nslcd_domtrans',`
+@@ -93,8 +93,8 @@ interface(`nslcd_stream_connect',`
+ #
+ interface(`nslcd_admin',`
+ gen_require(`
+- type nslcd_t, nslcd_initrc_exec_t;
+- type nslcd_conf_t, nslcd_var_run_t;
++ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
++ type nslcd_conf_t;
+ ')
+
+ ps_process_pattern($1, nslcd_t)
@@ -106,9 +106,9 @@ interface(`nslcd_admin',`
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
-+ files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, nslcd_conf_t)
- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..6b240d9 100644
+index e80f8c0..694b002 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
-@@ -144,7 +144,7 @@ interface(`ntp_admin',`
- type ntpd_initrc_exec_t;
+@@ -140,11 +140,10 @@ interface(`ntp_rw_shm',`
+ interface(`ntp_admin',`
+ gen_require(`
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+- type ntpd_key_t, ntpd_var_run_t;
+- type ntpd_initrc_exec_t;
++ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
')
- allow $1 ntpd_t:process { ptrace signal_perms getattr };
@@ -21030,17 +24104,35 @@ index c61adc8..b5b5992 100644
term_use_ptmx(ntpd_t)
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
-index 79a225c..b1384ad 100644
+index 79a225c..cbb2bce 100644
--- a/policy/modules/services/nx.if
+++ b/policy/modules/services/nx.if
-@@ -35,6 +35,7 @@ interface(`nx_read_home_files',`
+@@ -33,8 +33,10 @@ interface(`nx_read_home_files',`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
++ files_search_var_lib($1)
allow $1 nx_server_var_lib_t:dir search_dir_perms;
read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
')
########################################
+@@ -52,6 +54,7 @@ interface(`nx_search_var_lib',`
+ type nx_server_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ ')
+
+@@ -81,5 +84,6 @@ interface(`nx_var_lib_filetrans',`
+ type nx_server_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+ ')
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ebb9582..c1825de 100644
--- a/policy/modules/services/nx.te
@@ -21076,30 +24168,42 @@ index bdf8c89..5ee1598 100644
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
-index bd76ec2..ca33ae3 100644
+index bd76ec2..ca6517b 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
+@@ -9,9 +9,9 @@
+ ## Execute a domain transition to run oddjob.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`oddjob_domtrans',`
@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
+#####################################
+##
-+## Do not audit attempts to read and write
-+## oddjob fifo file.
++## Do not audit attempts to read and write
++## oddjob fifo file.
+##
+##
-+##
-+## Domain to not audit.
-+##
++##
++## Domain to not audit.
++##
+##
+#
+interface(`oddjob_dontaudit_rw_fifo_file',`
-+ gen_require(`
-+ type shutdown_t;
-+ ')
++ gen_require(`
++ type oddjob_t;
++ ')
+
-+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
########################################
@@ -21119,20 +24223,20 @@ index bd76ec2..ca33ae3 100644
+######################################
+##
-+## Send a SIGCHLD signal to oddjob.
++## Send a SIGCHLD signal to oddjob.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`oddjob_sigchld',`
-+ gen_require(`
-+ type oddjob_t;
-+ ')
++ gen_require(`
++ type oddjob_t;
++ ')
+
-+ allow $1 oddjob_t:process sigchld;
++ allow $1 oddjob_t:process sigchld;
+')
+
########################################
@@ -21153,6 +24257,75 @@ index cadfc63..ef6919f 100644
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
+diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
+index bb4fae5..b1b5e51 100644
+--- a/policy/modules/services/oident.if
++++ b/policy/modules/services/oident.if
+@@ -18,7 +18,7 @@
+ ##
+ ##
+ #
+-interface(`oident_read_user_content', `
++interface(`oident_read_user_content',`
+ gen_require(`
+ type oidentd_home_t;
+ ')
+@@ -38,7 +38,7 @@ interface(`oident_read_user_content', `
+ ##
+ ##
+ #
+-interface(`oident_manage_user_content', `
++interface(`oident_manage_user_content',`
+ gen_require(`
+ type oidentd_home_t;
+ ')
+@@ -58,7 +58,7 @@ interface(`oident_manage_user_content', `
+ ##
+ ##
+ #
+-interface(`oident_relabel_user_content', `
++interface(`oident_relabel_user_content',`
+ gen_require(`
+ type oidentd_home_t;
+ ')
+@@ -66,3 +66,37 @@ interface(`oident_relabel_user_content', `
+ allow $1 oidentd_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an oident environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`oident_admin',`
++ gen_require(`
++ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
++ ')
++
++ allow $1 oidentd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, oidentd_t)
++
++ init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 oidentd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_etc($1)
++ admin_pattern($1, oidentd_config_t)
++')
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 0a244b1..9097656 100644
--- a/policy/modules/services/oident.te
@@ -21165,6 +24338,34 @@ index 0a244b1..9097656 100644
logging_send_syslog_msg(oidentd_t)
+diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
+index 9d0a67b..9197ef0 100644
+--- a/policy/modules/services/openct.if
++++ b/policy/modules/services/openct.if
+@@ -23,9 +23,9 @@ interface(`openct_signull',`
+ ## Execute openct in the caller domain.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`openct_exec',`
+@@ -42,9 +42,9 @@ interface(`openct_exec',`
+ ## Execute a domain transition to run openct.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`openct_domtrans',`
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8b550f4..ba7c06b 100644
--- a/policy/modules/services/openvpn.te
@@ -21242,17 +24443,31 @@ index 8b550f4..ba7c06b 100644
+ unconfined_attach_tun_iface(openvpn_t)
+')
diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
-index 8ac407e..4452d3b 100644
+index 8ac407e..8235fb6 100644
--- a/policy/modules/services/pads.if
+++ b/policy/modules/services/pads.if
+@@ -25,10 +25,10 @@
+ ##
+ ##
+ #
+-interface(`pads_admin', `
++interface(`pads_admin',`
+ gen_require(`
+- type pads_t, pads_config_t;
+- type pads_var_run_t, pads_initrc_exec_t;
++ type pads_t, pads_config_t, pads_initrc_exec_t;
++ type pads_var_run_t;
+ ')
+
+ allow $1 pads_t:process { ptrace signal_perms };
@@ -39,6 +39,9 @@ interface(`pads_admin', `
role_transition $2 pads_initrc_exec_t system_r;
allow $2 system_r;
-+ files_search_pids($1)
++ files_list_pids($1)
admin_pattern($1, pads_var_run_t)
+
-+ files_search_etc($1)
++ files_list_etc($1)
admin_pattern($1, pads_config_t)
')
diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc
@@ -21269,27 +24484,26 @@ index 0000000..8d00972
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if
new file mode 100644
-index 0000000..7ca90f6
+index 0000000..66f9799
--- /dev/null
+++ b/policy/modules/services/passenger.if
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,67 @@
+## Passenger policy
+
+######################################
+##
-+## Execute passenger in the passenger domain.
++## Execute passenger in the passenger domain.
+##
+##
-+##
-+## The type of the process performing this action.
-+##
++##
++## Domain allowed to transition.
++##
+##
+#
+interface(`passenger_domtrans',`
-+ gen_require(`
-+ type passenger_t;
-+ type passenger_exec_t;
-+ ')
++ gen_require(`
++ type passenger_t, passenger_exec_t;
++ ')
+
+ allow $1 self:capability { fowner fsetid };
+
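Review bot: `allow $1 self:capability { fowner fsetid };` inside `passenger_domtrans` grants two capabilities to every caller of a transition interface, which widens the caller's own privilege rather than passenger's and is more than the summary "Execute passenger in the passenger domain" promises. Unless the transition itself needs them (nothing in the hunk shows that), move the line into the calling domain's .te file with a comment stating the reason, or at minimum annotate it here: `# callers need fowner/fsetid for <reason> — TODO confirm`. The body of passenger_domtrans continues outside the hunk.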
@@ -21302,46 +24516,45 @@ index 0000000..7ca90f6
+
+######################################
+##
-+## Manage passenger var_run content.
++## Manage passenger var_run content.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`passenger_manage_pid_content',`
-+ gen_require(`
-+ type passenger_var_run_t;
-+ ')
++ gen_require(`
++ type passenger_var_run_t;
++ ')
+
-+ files_search_pids($1)
++ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
-+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
+
+########################################
+##
-+## Read passenger lib files
++## Read passenger lib files
+##
+##
-+##
-+## Domain to not audit.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`passenger_read_lib_files',`
-+ gen_require(`
-+ type passenger_var_lib_t;
-+ ')
++ gen_require(`
++ type passenger_var_lib_t;
++ ')
+
+ files_search_var_lib($1)
-+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
-+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+')
-+
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
new file mode 100644
index 0000000..9cb0d1c
@@ -21416,6 +24629,22 @@ index 0000000..9cb0d1c
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
+diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
+index 1c2a091..ea5ae69 100644
+--- a/policy/modules/services/pcscd.if
++++ b/policy/modules/services/pcscd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run pcscd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`pcscd_domtrans',`
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 3185114..e2e2f67 100644
--- a/policy/modules/services/pegasus.te
@@ -21501,6 +24730,41 @@ index 3185114..e2e2f67 100644
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
+diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if
+index 8688aae..1bfd8d2 100644
+--- a/policy/modules/services/pingd.if
++++ b/policy/modules/services/pingd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run pingd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`pingd_domtrans',`
+@@ -55,7 +55,6 @@ interface(`pingd_manage_config',`
+ files_search_etc($1)
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+-
+ ')
+
+ #######################################
+@@ -77,8 +76,8 @@ interface(`pingd_manage_config',`
+ #
+ interface(`pingd_admin',`
+ gen_require(`
+- type pingd_t, pingd_etc_t;
+- type pingd_initrc_exec_t, pingd_modules_t;
++ type pingd_t, pingd_etc_t, pingd_modules_t;
++ type pingd_initrc_exec_t;
+ ')
+
+ allow $1 pingd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc
new file mode 100644
index 0000000..2c7e06f
@@ -21535,51 +24799,49 @@ index 0000000..2c7e06f
+
diff --git a/policy/modules/services/piranha.if b/policy/modules/services/piranha.if
new file mode 100644
-index 0000000..8ecd276
+index 0000000..6403c17
--- /dev/null
+++ b/policy/modules/services/piranha.if
-@@ -0,0 +1,175 @@
-+
+@@ -0,0 +1,173 @@
+## policy for piranha
+
+#######################################
+##
-+## Creates types and rules for a basic
-+## cluster init daemon domain.
++## Creates types and rules for a basic
++## cluster init daemon domain.
+##
+##
-+##
-+## Prefix for the domain.
-+##
++##
++## Prefix for the domain.
++##
+##
+#
+template(`piranha_domain_template',`
-+
-+ gen_require(`
-+ attribute piranha_domain;
-+ ')
++ gen_require(`
++ attribute piranha_domain;
++ ')
+
+ ##############################
-+ #
-+ # piranha_$1_t declarations
-+ #
++ #
++ # piranha_$1_t declarations
++ #
+
+ type piranha_$1_t, piranha_domain;
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
+ # pid files
-+ type piranha_$1_var_run_t;
-+ files_pid_file(piranha_$1_var_run_t)
++ type piranha_$1_var_run_t;
++ files_pid_file(piranha_$1_var_run_t)
+
+ ##############################
-+ #
-+ # piranha_$1_t local policy
-+ #
++ #
++ # piranha_$1_t local policy
++ #
+
-+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
++ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
-+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { file })
++ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
+')
+
+########################################
@@ -21587,9 +24849,9 @@ index 0000000..8ecd276
+## Execute a domain transition to run fos.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`piranha_domtrans_fos',`
@@ -21602,56 +24864,56 @@ index 0000000..8ecd276
+
+#######################################
+##
-+## Execute a domain transition to run lvsd.
++## Execute a domain transition to run lvsd.
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed to transition.
++##
+##
+#
+interface(`piranha_domtrans_lvs',`
-+ gen_require(`
-+ type piranha_lvs_t, piranha_lvs_exec_t;
-+ ')
++ gen_require(`
++ type piranha_lvs_t, piranha_lvs_exec_t;
++ ')
+
-+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
++ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
+')
+
+#######################################
+##
-+## Execute a domain transition to run pulse.
++## Execute a domain transition to run pulse.
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed to transition.
++##
+##
+#
+interface(`piranha_domtrans_pulse',`
-+ gen_require(`
-+ type piranha_pulse_t, piranha_pulse_exec_t;
-+ ')
++ gen_require(`
++ type piranha_pulse_t, piranha_pulse_exec_t;
++ ')
+
-+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
++ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
+')
+
+#######################################
+##
-+## Execute pulse server in the pulse domain.
++## Execute pulse server in the pulse domain.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed to transition.
++##
+##
+#
+interface(`piranha_pulse_initrc_domtrans',`
-+ gen_require(`
-+ type piranha_pulse_initrc_exec_t;
-+ ')
++ gen_require(`
++ type piranha_pulse_initrc_exec_t;
++ ')
+
-+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
++ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
+')
+
+########################################
@@ -21671,7 +24933,7 @@ index 0000000..8ecd276
+ ')
+
+ logging_search_logs($1)
-+ read_files_pattern($1, piranha_log_t, piranha_log_t)
++ read_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
@@ -21680,9 +24942,9 @@ index 0000000..8ecd276
+## piranha log files.
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`piranha_append_log',`
@@ -21700,7 +24962,7 @@ index 0000000..8ecd276
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
@@ -21710,9 +24972,9 @@ index 0000000..8ecd276
+ ')
+
+ logging_search_logs($1)
-+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
-+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
-+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
++ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
++ manage_files_pattern($1, piranha_log_t, piranha_log_t)
++ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
@@ -21941,10 +25203,153 @@ index 0000000..0a5f27d
+
+sysnet_read_config(piranha_domain)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
-index 9759ed8..fecc0dc 100644
+index 9759ed8..07dd3ff 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
-@@ -249,12 +249,14 @@ interface(`plymouthd_admin', `
+@@ -5,12 +5,12 @@
+ ## Execute a domain transition to run plymouthd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+-interface(`plymouthd_domtrans', `
++interface(`plymouthd_domtrans',`
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+@@ -23,12 +23,12 @@ interface(`plymouthd_domtrans', `
+ ## Execute the plymoth daemon in the current domain
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+-interface(`plymouthd_exec', `
++interface(`plymouthd_exec',`
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+@@ -47,7 +47,7 @@ interface(`plymouthd_exec', `
+ ##
+ ##
+ #
+-interface(`plymouthd_stream_connect', `
++interface(`plymouthd_stream_connect',`
+ gen_require(`
+ type plymouthd_t;
+ ')
+@@ -60,12 +60,12 @@ interface(`plymouthd_stream_connect', `
+ ## Execute the plymoth command in the current domain
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+-interface(`plymouthd_exec_plymouth', `
++interface(`plymouthd_exec_plymouth',`
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+@@ -78,12 +78,12 @@ interface(`plymouthd_exec_plymouth', `
+ ## Execute a domain transition to run plymouthd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+-interface(`plymouthd_domtrans_plymouth', `
++interface(`plymouthd_domtrans_plymouth',`
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+@@ -101,7 +101,7 @@ interface(`plymouthd_domtrans_plymouth', `
+ ##
+ ##
+ #
+-interface(`plymouthd_search_spool', `
++interface(`plymouthd_search_spool',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
+ ##
+ ##
+ #
+-interface(`plymouthd_read_spool_files', `
++interface(`plymouthd_read_spool_files',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+@@ -140,7 +140,7 @@ interface(`plymouthd_read_spool_files', `
+ ##
+ ##
+ #
+-interface(`plymouthd_manage_spool_files', `
++interface(`plymouthd_manage_spool_files',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+@@ -159,7 +159,7 @@ interface(`plymouthd_manage_spool_files', `
+ ##
+ ##
+ #
+-interface(`plymouthd_search_lib', `
++interface(`plymouthd_search_lib',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+@@ -178,7 +178,7 @@ interface(`plymouthd_search_lib', `
+ ##
+ ##
+ #
+-interface(`plymouthd_read_lib_files', `
++interface(`plymouthd_read_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+@@ -198,7 +198,7 @@ interface(`plymouthd_read_lib_files', `
+ ##
+ ##
+ #
+-interface(`plymouthd_manage_lib_files', `
++interface(`plymouthd_manage_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+@@ -217,7 +217,7 @@ interface(`plymouthd_manage_lib_files', `
+ ##
+ ##
+ #
+-interface(`plymouthd_read_pid_files', `
++interface(`plymouthd_read_pid_files',`
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+@@ -243,18 +243,20 @@ interface(`plymouthd_read_pid_files', `
+ ##
+ ##
+ #
+-interface(`plymouthd_admin', `
++interface(`plymouthd_admin',`
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
@@ -21953,12 +25358,12 @@ index 9759ed8..fecc0dc 100644
+ allow $1 plymouthd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, plymouthd_t)
-+ files_search_var_lib($1)
++ files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
admin_pattern($1, plymouthd_var_lib_t)
-+ files_search_pids($1)
++ files_list_pids($1)
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
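Review bot: `admin_pattern($1, plymouthd_spool_t)` sits between the var_lib and pid rules that this hunk upgrades to `files_list_var_lib($1)` and `files_list_pids($1)`, but the spool type gets no matching parent-directory rule; unless plymouthd_admin already lists or searches /var/spool above the hunk, add `files_list_spool($1)` before it, as prelude_admin receives further down in this patch. The same gap appears in postfix_admin, where `admin_pattern($1, postfix_var_run_t)` stands alone while the etc, spool and tmp types each get a `files_list_*` call. The start of plymouthd_admin is outside the hunk.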
@@ -22008,10 +25413,10 @@ index 27c739c..c65d18f 100644
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
-index 48ff1e8..29c9906 100644
+index 48ff1e8..13cdc77 100644
--- a/policy/modules/services/policykit.if
+++ b/policy/modules/services/policykit.if
-@@ -17,12 +17,37 @@ interface(`policykit_dbus_chat',`
+@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',`
class dbus send_msg;
')
@@ -22023,10 +25428,11 @@ index 48ff1e8..29c9906 100644
########################################
##
+-## Execute a domain transition to run polkit_auth.
+## Send and receive messages from
+## policykit over dbus.
-+##
-+##
+ ##
+ ##
+##
+## Domain allowed access.
+##
@@ -22045,11 +25451,26 @@ index 48ff1e8..29c9906 100644
+')
+
+########################################
-+##
- ## Execute a domain transition to run polkit_auth.
+ ##
+-## Domain allowed to transition.
++## Execute a domain transition to run polkit_auth.
##
- ##
-@@ -62,6 +87,9 @@ interface(`policykit_run_auth',`
++##
++##
++## Domain allowed to transition.
++##
+ ##
+ #
+ interface(`policykit_domtrans_auth',`
+@@ -54,6 +79,7 @@ interface(`policykit_domtrans_auth',`
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`policykit_run_auth',`
+ gen_require(`
+@@ -62,6 +88,9 @@ interface(`policykit_run_auth',`
policykit_domtrans_auth($1)
role $2 types policykit_auth_t;
@@ -22059,7 +25480,31 @@ index 48ff1e8..29c9906 100644
')
########################################
-@@ -206,4 +234,47 @@ interface(`policykit_read_lib',`
+@@ -69,9 +98,9 @@ interface(`policykit_run_auth',`
+ ## Execute a domain transition to run polkit_grant.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`policykit_domtrans_grant',`
+@@ -155,9 +184,9 @@ interface(`policykit_rw_reload',`
+ ## Execute a domain transition to run polkit_resolve.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`policykit_domtrans_resolve',`
+@@ -206,4 +235,48 @@ interface(`policykit_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
@@ -22090,14 +25535,15 @@ index 48ff1e8..29c9906 100644
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
+')
++
+########################################
+##
+## Send generic signal to policy_auth
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`policykit_signal_auth',`
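Review bot: The parameter description of `policykit_signal_auth` reads `## Domain allowed to transition.`, which describes a domain transition rather than a signal permission; the rest of this patch reserves that wording for domtrans and run interfaces (portreserve_initrc_domtrans, postfix_run_postdrop) and uses `## Domain allowed access.` elsewhere. Change it to `## Domain allowed access.`. The summary `Send generic signal to policy_auth` would also be clearer if it named the target type, presumably policykit_auth_t as used by policykit_run_auth above. The body of the interface lies outside the hunk.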
@@ -22313,7 +25759,7 @@ index c69d047..1d9fa76 100644
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
-index 10300a0..d91c1f5 100644
+index 10300a0..7385056 100644
--- a/policy/modules/services/portreserve.if
+++ b/policy/modules/services/portreserve.if
@@ -18,6 +18,24 @@ interface(`portreserve_domtrans',`
@@ -22326,11 +25772,11 @@ index 10300a0..d91c1f5 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
+#
-+interface(`portreserve_initrc_domtrans', `
++interface(`portreserve_initrc_domtrans',`
+ gen_require(`
+ type portreserve_initrc_exec_t;
+ ')
@@ -22341,7 +25787,23 @@ index 10300a0..d91c1f5 100644
#######################################
##
## Allow the specified domain to read
-@@ -64,3 +82,40 @@ interface(`portreserve_manage_config',`
+@@ -29,7 +47,6 @@ interface(`portreserve_domtrans',`
+ ##
+ ##
+ ##
+-##
+ #
+ interface(`portreserve_read_config',`
+ gen_require(`
+@@ -52,7 +69,6 @@ interface(`portreserve_read_config',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`portreserve_manage_config',`
+ gen_require(`
+@@ -64,3 +80,41 @@ interface(`portreserve_manage_config',`
manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
')
@@ -22361,25 +25823,26 @@ index 10300a0..d91c1f5 100644
+## Role allowed access.
+##
+##
++##
+#
-+interface(`portreserve_admin', `
++interface(`portreserve_admin',`
+ gen_require(`
-+ type portreserve_t, portreserve_etc_t;
-+ type portreserve_initrc_exec_t, portreserve_var_run_t;
++ type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
++ type portreserve_initrc_exec_t;
+ ')
+
+ allow $1 portreserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, portreserve_t)
-+
++
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 portreserve_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, portreserve_etc_t)
+
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, portreserve_var_run_t)
+')
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
@@ -22435,9 +25898,18 @@ index 55e62d2..c114a40 100644
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..cfcbac7 100644
+index 46bee12..7391f7e 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
+@@ -50,7 +50,7 @@ template(`postfix_domain_template',`
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
+
+- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
++ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock };
+
+ allow postfix_$1_t postfix_master_t:process sigchld;
+
@@ -77,6 +77,7 @@ template(`postfix_domain_template',`
files_read_etc_files(postfix_$1_t)
@@ -22446,7 +25918,27 @@ index 46bee12..cfcbac7 100644
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
-@@ -376,6 +377,25 @@ interface(`postfix_domtrans_master',`
+@@ -272,7 +273,8 @@ interface(`postfix_read_local_state',`
+ type postfix_local_t;
+ ')
+
+- read_files_pattern($1, postfix_local_t, postfix_local_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, postfix_local_t)
+ ')
+
+ ########################################
+@@ -290,7 +292,8 @@ interface(`postfix_read_master_state',`
+ type postfix_master_t;
+ ')
+
+- read_files_pattern($1, postfix_master_t, postfix_master_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, postfix_master_t)
+ ')
+
+ ########################################
+@@ -376,6 +379,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
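Review bot: Replacing `read_files_pattern($1, postfix_local_t, postfix_local_t)` with `ps_process_pattern($1, postfix_local_t)` in postfix_read_local_state (and likewise in postfix_read_master_state) changes what the interface grants: as defined in refpolicy's pattern macros, ps_process_pattern also allows listing the process's /proc directory and `process getattr`, so callers now receive more than file reads while the interface name and its doc block above the hunk still say only "read … state". Add a sentence to each summary saying that the interface allows reading the domain's /proc entries (ps-style) and getting its process attributes, so callers can judge the grant. The old rule targeted a domain type as if it were a file type and was probably ineffective, which makes the rewrite reasonable, but the widening should be documented.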
@@ -22461,7 +25953,7 @@ index 46bee12..cfcbac7 100644
+##
+##
+#
-+interface(`postfix_initrc_domtrans', `
++interface(`postfix_initrc_domtrans',`
+ gen_require(`
+ type postfix_initrc_exec_t;
+ ')
@@ -22472,7 +25964,15 @@ index 46bee12..cfcbac7 100644
########################################
##
## Execute the master postfix program in the
-@@ -529,6 +549,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -404,7 +426,6 @@ interface(`postfix_exec_master',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`postfix_stream_connect_master',`
+ gen_require(`
+@@ -529,6 +550,25 @@ interface(`postfix_domtrans_smtp',`
########################################
##
@@ -22498,7 +25998,7 @@ index 46bee12..cfcbac7 100644
## Search postfix mail spool directories.
##
##
-@@ -539,10 +578,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +579,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -22511,7 +26011,7 @@ index 46bee12..cfcbac7 100644
files_search_spool($1)
')
-@@ -558,10 +597,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +598,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -22524,7 +26024,7 @@ index 46bee12..cfcbac7 100644
files_search_spool($1)
')
-@@ -577,11 +616,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +617,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -22538,7 +26038,7 @@ index 46bee12..cfcbac7 100644
')
########################################
-@@ -596,11 +635,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +636,11 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -22552,7 +26052,7 @@ index 46bee12..cfcbac7 100644
')
########################################
-@@ -621,3 +660,101 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +661,98 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -22572,19 +26072,16 @@ index 46bee12..cfcbac7 100644
+## Role allowed access.
+##
+##
++##
+#
-+interface(`postfix_admin', `
++interface(`postfix_admin',`
+ gen_require(`
-+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
-+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
-+ type postfix_smtpd_t;
-+
+ attribute postfix_spool_type;
-+
++ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
++ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
-+ type postfix_var_run_t;
-+
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
++ type postfix_smtpd_t, postfix_var_run_t;
+ ')
+
+ allow $1 postfix_bounce_t:process { ptrace signal_perms };
@@ -22608,9 +26105,9 @@ index 46bee12..cfcbac7 100644
+ allow $1 postfix_smtpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_smtpd_t)
+
-+ postfix_run_map($1,$2)
-+ postfix_run_postdrop($1,$2)
-+
++ postfix_run_map($1, $2)
++ postfix_run_postdrop($1, $2)
++
+ postfix_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postfix_initrc_exec_t system_r;
@@ -22621,12 +26118,12 @@ index 46bee12..cfcbac7 100644
+ files_list_etc($1)
+ admin_pattern($1, postfix_etc_t)
+
-+ files_search_spool($1)
-+ admin_pattern($1,postfix_spool_type)
++ files_list_spool($1)
++ admin_pattern($1, postfix_spool_type)
+
+ admin_pattern($1, postfix_var_run_t)
+
-+ files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, postfix_map_tmp_t)
+
+ admin_pattern($1, postfix_prng_t)
@@ -22641,9 +26138,10 @@ index 46bee12..cfcbac7 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
++##
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
@@ -22653,7 +26151,6 @@ index 46bee12..cfcbac7 100644
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+')
-+
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 06e37d4..87043e1 100644
--- a/policy/modules/services/postfix.te
@@ -22826,10 +26323,97 @@ index 06e37d4..87043e1 100644
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
+diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
+index feae93b..d960d3f 100644
+--- a/policy/modules/services/postfixpolicyd.if
++++ b/policy/modules/services/postfixpolicyd.if
+@@ -20,8 +20,7 @@
+ interface(`postfixpolicyd_admin',`
+ gen_require(`
+ type postfix_policyd_t, postfix_policyd_conf_t;
+- type postfix_policyd_var_run_t;
+- type postfix_policyd_initrc_exec_t;
++ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
+ ')
+
+ allow $1 postfix_policyd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 539a7c9..2c6b723 100644
+index 539a7c9..4782bdb 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
+@@ -10,7 +10,7 @@
+ ##
+ ##
+ ##
+-##
++##
+ ## The type of the user domain.
+ ##
+ ##
+@@ -45,14 +45,6 @@ interface(`postgresql_role',`
+ # Client local policy
+ #
+
+- tunable_policy(`sepgsql_enable_users_ddl',`
+- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+-
+- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+- ')
+-
+ allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+ allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
+ allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
+@@ -69,6 +61,14 @@ interface(`postgresql_role',`
+
+ allow $2 sepgsql_trusted_proc_t:process transition;
+ type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++
++ tunable_policy(`sepgsql_enable_users_ddl',`
++ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
++ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
++
++ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
++ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++ ')
+ ')
+
+ ########################################
+@@ -195,7 +195,7 @@ interface(`postgresql_search_db',`
+ type postgresql_db_t;
+ ')
+
+- allow $1 postgresql_db_t:dir search;
++ allow $1 postgresql_db_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -207,6 +207,7 @@ interface(`postgresql_search_db',`
+ ## Domain allowed access.
+ ##
+ ##
++#
+ interface(`postgresql_manage_db',`
+ gen_require(`
+ type postgresql_db_t;
+@@ -214,7 +215,7 @@ interface(`postgresql_manage_db',`
+
+ allow $1 postgresql_db_t:dir rw_dir_perms;
+ allow $1 postgresql_db_t:file rw_file_perms;
+- allow $1 postgresql_db_t:lnk_file { getattr read };
++ allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`postgresql_stream_connect',`
+ gen_require(`
@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',`
')
@@ -22839,24 +26423,76 @@ index 539a7c9..2c6b723 100644
- # Some versions of postgresql put the sock file in /tmp
- allow $1 postgresql_tmp_t:sock_file write;
+ files_search_tmp($1)
-+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
')
########################################
-@@ -441,10 +439,13 @@ interface(`postgresql_admin',`
+@@ -361,13 +359,6 @@ interface(`postgresql_unpriv_client',`
+ type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+ allow $1 sepgsql_trusted_proc_t:process transition;
+- tunable_policy(`sepgsql_enable_users_ddl',`
+- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+- ')
+-
+ allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+ allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
+ allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
+@@ -381,6 +372,13 @@ interface(`postgresql_unpriv_client',`
+
+ allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+ type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
++
++ tunable_policy(`sepgsql_enable_users_ddl',`
++ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
++ allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
++ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
++ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++ ')
+ ')
+
+ ########################################
+@@ -420,13 +418,10 @@ interface(`postgresql_unconfined',`
+ #
+ interface(`postgresql_admin',`
+ gen_require(`
+- attribute sepgsql_admin_type;
+- attribute sepgsql_client_type;
+-
+- type postgresql_t, postgresql_var_run_t;
+- type postgresql_tmp_t, postgresql_db_t;
+- type postgresql_etc_t, postgresql_log_t;
+- type postgresql_initrc_exec_t;
++ attribute sepgsql_admin_type, sepgsql_client_type;
++ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
++ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
++ type postgresql_etc_t;
+ ')
+
+ typeattribute $1 sepgsql_admin_type;
+@@ -439,14 +434,19 @@ interface(`postgresql_admin',`
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_pids($1)
admin_pattern($1, postgresql_var_run_t)
-+ files_search_var_lib($1)
++ files_list_var_lib($1)
admin_pattern($1, postgresql_db_t)
-+ files_search_etc($1)
++ files_list_etc($1)
admin_pattern($1, postgresql_etc_t)
-+ logging_search_logs($1)
++ logging_list_logs($1)
admin_pattern($1, postgresql_log_t)
++ files_list_tmp($1)
admin_pattern($1, postgresql_tmp_t)
+
+ postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 39abf57..4a85c12 100644
--- a/policy/modules/services/postgresql.te
@@ -22871,28 +26507,120 @@ index 39abf57..4a85c12 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
+diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
+index ad15fde..6f55445 100644
+--- a/policy/modules/services/postgrey.if
++++ b/policy/modules/services/postgrey.if
+@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
+ type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ ')
+
+- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
+- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
++ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
+ files_search_pids($1)
++ files_search_spool($1)
+ ')
+
+ ########################################
+@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
+ type postgrey_spool_t;
+ ')
+
++ files_search_spool($1)
+ allow $1 postgrey_spool_t:dir search_dir_perms;
+ ')
+
+@@ -57,9 +58,8 @@ interface(`postgrey_search_spool',`
+ #
+ interface(`postgrey_admin',`
+ gen_require(`
+- type postgrey_t, postgrey_etc_t;
++ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
+ type postgrey_var_lib_t, postgrey_var_run_t;
+- type postgrey_initrc_exec_t;
+ ')
+
+ allow $1 postgrey_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..f916c76 100644
+index b524673..09699d1 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
-@@ -360,7 +360,7 @@ interface(`ppp_admin',`
- type pppd_initrc_exec_t;
+@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
+ ##
+ ##
+ #
+-#
+ interface(`ppp_kill',`
+ gen_require(`
+ type pppd_t;
+@@ -180,8 +179,7 @@ interface(`ppp_run',`
+ ')
+
+ ppp_domtrans($1)
+- role $2 types pppd_t;
+- role $2 types pptp_t;
++ role $2 types { pppd_t pptp_t };
+
+ optional_policy(`
+ ddclient_run(pppd_t, $2)
+@@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',`
+ type pppd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 pppd_var_run_t:file read_file_perms;
+ ')
+
+@@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',`
+ type pppd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 pppd_var_run_t:file manage_file_perms;
+ ')
+
+@@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',`
+ interface(`ppp_admin',`
+ gen_require(`
+ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
+- type pppd_etc_t, pppd_secret_t;
+- type pppd_etc_rw_t, pppd_var_run_t;
+-
++ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
+ type pptp_t, pptp_log_t, pptp_var_run_t;
+- type pppd_initrc_exec_t;
++ type pppd_initrc_exec_t, pppd_etc_rw_t;
')
- allow $1 pppd_t:process { ptrace signal_perms getattr };
+ allow $1 pppd_t:process { ptrace signal_perms };
ps_process_pattern($1, pppd_t)
++ allow $1 pptp_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pptp_t)
++
ppp_initrc_domtrans($1)
-@@ -386,7 +386,7 @@ interface(`ppp_admin',`
+ domain_system_change_exemption($1)
+ role_transition $2 pppd_initrc_exec_t system_r;
+@@ -374,6 +375,7 @@ interface(`ppp_admin',`
+ logging_list_logs($1)
+ admin_pattern($1, pppd_log_t)
+
++ files_list_locks($1)
+ admin_pattern($1, pppd_lock_t)
+
+ files_list_etc($1)
+@@ -386,9 +388,6 @@ interface(`ppp_admin',`
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
- allow $1 pptp_t:process { ptrace signal_perms getattr };
-+ allow $1 pptp_t:process { ptrace signal_perms };
- ps_process_pattern($1, pptp_t)
-
+- ps_process_pattern($1, pptp_t)
+-
admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 2af42e7..74f07f8 100644
--- a/policy/modules/services/ppp.te
@@ -22939,32 +26667,106 @@ index 2af42e7..74f07f8 100644
kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
-index 2316653..e4d8797 100644
+index 2316653..77ef768 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
-@@ -136,9 +136,16 @@ interface(`prelude_admin',`
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run prelude.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`prelude_domtrans',`
+@@ -23,9 +23,9 @@ interface(`prelude_domtrans',`
+ ## Execute a domain transition to run prelude_audisp.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`prelude_domtrans_audisp',`
+@@ -41,9 +41,9 @@ interface(`prelude_domtrans_audisp',`
+ ## Signal the prelude_audisp domain.
+ ##
+ ##
+-##
++##
+ ## Domain allowed acccess.
+-##
++##
+ ##
+ #
+ interface(`prelude_signal_audisp',`
+@@ -78,9 +78,9 @@ interface(`prelude_read_spool',`
+ ## Manage to prelude-manager spool files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`prelude_manage_spool',`
+@@ -112,13 +112,10 @@ interface(`prelude_manage_spool',`
+ #
+ interface(`prelude_admin',`
+ gen_require(`
+- type prelude_t, prelude_spool_t;
+- type prelude_var_run_t, prelude_var_lib_t;
+- type prelude_audisp_t, prelude_audisp_var_run_t;
+- type prelude_initrc_exec_t;
+-
+- type prelude_lml_t, prelude_lml_tmp_t;
+- type prelude_lml_var_run_t;
++ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
++ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
++ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
++ type prelude_lml_t;
+ ')
+
+ allow $1 prelude_t:process { ptrace signal_perms };
+@@ -135,10 +132,17 @@ interface(`prelude_admin',`
+ role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
++ files_list_spool($1)
admin_pattern($1, prelude_spool_t)
+
-+ files_search_var_lib($1)
++ files_list_var_lib($1)
admin_pattern($1, prelude_var_lib_t)
+
-+ files_search_pids($1)
++ files_list_pids($1)
admin_pattern($1, prelude_var_run_t)
admin_pattern($1, prelude_audisp_var_run_t)
-+
-+ files_search_tmp($1)
- admin_pattern($1, prelude_lml_tmp_t)
-+
+- admin_pattern($1, prelude_lml_tmp_t)
admin_pattern($1, prelude_lml_var_run_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
-index 1da26dc..c8f6cb5 100644
+index 1da26dc..7221526 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
-@@ -24,7 +24,7 @@ interface(`privoxy_admin',`
- type privoxy_initrc_exec_t;
+@@ -19,12 +19,11 @@
+ #
+ interface(`privoxy_admin',`
+ gen_require(`
+- type privoxy_t, privoxy_log_t;
++ type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
+ type privoxy_etc_rw_t, privoxy_var_run_t;
+- type privoxy_initrc_exec_t;
')
- allow $1 privoxy_t:process { ptrace signal_perms getattr };
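Review bot: The doc block of `prelude_signal_audisp` whose `##` lines this hunk rewrites still carries the typo `## Domain allowed acccess.`; since the neighbouring lines are already touched, correct it to `## Domain allowed access.`. In the following inner hunk of the same file, `## Manage to prelude-manager spool files.` is ungrammatical and should read `## Manage prelude-manager spool files.`. Both lines are context inside the inner patch, so the fix belongs on the inner hunk's new side.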
@@ -23000,10 +26802,10 @@ index 1343621..4b36a13 100644
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
-index b64b02f..5bfbd7b 100644
+index b64b02f..166e9c3 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
-@@ -77,3 +77,23 @@ interface(`procmail_rw_tmp_files',`
+@@ -77,3 +77,22 @@ interface(`procmail_rw_tmp_files',`
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
@@ -23023,10 +26825,9 @@ index b64b02f..5bfbd7b 100644
+ type procmail_home_t;
+ ')
+
-+ userdom_search_user_home_dirs($1)
++ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
-+
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 29b9295..b558811 100644
--- a/policy/modules/services/procmail.te
@@ -23080,10 +26881,27 @@ index 29b9295..b558811 100644
pyzor_signal(procmail_t)
')
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
-index bc329d1..a5ec9f5 100644
+index bc329d1..d1a3745 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
-@@ -176,6 +176,26 @@ interface(`psad_append_log',`
+@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
+ files_search_etc($1)
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
+-
+ ')
+
+ ########################################
+@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
+
+ ########################################
+ ##
+-## Read psad PID files.
++## Read and write psad PID files.
+ ##
+ ##
+ ##
+@@ -176,6 +175,26 @@ interface(`psad_append_log',`
########################################
##
@@ -23110,15 +26928,39 @@ index bc329d1..a5ec9f5 100644
## Read and write psad fifo files.
##
##
-@@ -234,7 +254,7 @@ interface(`psad_admin',`
+@@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',`
+ interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
- type psad_initrc_exec_t, psad_var_lib_t;
-- type psad_tmp_t;
-+ type psad_tmp_t, psad_etc_t;
+- type psad_initrc_exec_t, psad_var_lib_t;
++ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
+ type psad_tmp_t;
')
- allow $1 psad_t:process { ptrace signal_perms };
+@@ -245,18 +264,18 @@ interface(`psad_admin',`
+ role_transition $2 psad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, psad_etc_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, psad_var_run_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, psad_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, psad_var_lib_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, psad_tmp_t)
+ ')
diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
index d4000e0..c23cd14 100644
--- a/policy/modules/services/psad.te
@@ -23143,6 +26985,19 @@ index d4000e0..c23cd14 100644
fs_getattr_all_fs(psad_t)
+diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
+index 2855a44..0456b11 100644
+--- a/policy/modules/services/puppet.if
++++ b/policy/modules/services/puppet.if
+@@ -21,7 +21,7 @@
+ ##
+ ##
+ #
+-interface(`puppet_rw_tmp', `
++interface(`puppet_rw_tmp',`
+ gen_require(`
+ type puppet_tmp_t;
+ ')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 64c5f95..9587224 100644
--- a/policy/modules/services/puppet.te
@@ -23219,10 +27074,27 @@ index d4a7750..705196e 100644
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
-index 494f7e2..6443f30 100644
+index 494f7e2..aa3d0b4 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
-@@ -88,3 +88,50 @@ interface(`pyzor_exec',`
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`pyzor_role',`
+ gen_require(`
+@@ -28,7 +29,7 @@ interface(`pyzor_role',`
+
+ # allow ps to show pyzor and allow the user to kill it
+ ps_process_pattern($2, pyzor_t)
+- allow $2 pyzor_t:process signal;
++ allow $2 pyzor_t:process { ptrace signal_perms };
+ ')
+
+ ########################################
+@@ -88,3 +89,47 @@ interface(`pyzor_exec',`
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
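Review bot: `allow $2 pyzor_t:process { ptrace signal_perms };` in pyzor_role grants ptrace to every user domain that takes the role, which lets that domain attach to and inspect the pyzor process, well beyond what the comment above it (`allow ps to show pyzor and allow the user to kill it`) describes; the ps part already comes from `ps_process_pattern($2, pyzor_t)` and killing needs only `signal_perms`. Unless debugging pyzor from the user domain is intended, keep it to `allow $2 pyzor_t:process signal_perms;`; if ptrace is wanted, state that in the comment. The admin interfaces in this patch pair ptrace with signal_perms for admin domains, which is a different trust level from a user role.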
@@ -23247,13 +27119,12 @@ index 494f7e2..6443f30 100644
+interface(`pyzor_admin',`
+ gen_require(`
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
-+ type pyzor_etc_t, pyzor_var_lib_t;
-+ type pyzord_initrc_exec_t;
++ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
+ ')
+
+ allow $1 pyzord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pyzord_t)
-+
++
+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pyzord_initrc_exec_t system_r;
@@ -23271,8 +27142,6 @@ index 494f7e2..6443f30 100644
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
+')
-+
-+
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index cd683f9..2f03bad 100644
--- a/policy/modules/services/pyzor.te
@@ -23341,6 +27210,42 @@ index cd683f9..2f03bad 100644
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
+diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
+index a55bf44..77a25f5 100644
+--- a/policy/modules/services/qmail.if
++++ b/policy/modules/services/qmail.if
+@@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',`
+ type qmail_inject_t, qmail_inject_exec_t;
+ ')
+
++ corecmd_search_bin($1)
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+- corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+- corecmd_search_bin($1)
+ ')
+ ')
+
+@@ -88,14 +87,13 @@ interface(`qmail_domtrans_queue',`
+ type qmail_queue_t, qmail_queue_exec_t;
+ ')
+
++ corecmd_search_bin($1)
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+- corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+- corecmd_search_bin($1)
+ ')
+ ')
+
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 355b2a2..1b01d75 100644
--- a/policy/modules/services/qmail.te
@@ -23373,11 +27278,10 @@ index 0000000..f3b89e4
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if
new file mode 100644
-index 0000000..5dbca44
+index 0000000..c403abc
--- /dev/null
+++ b/policy/modules/services/qpidd.if
-@@ -0,0 +1,236 @@
-+
+@@ -0,0 +1,228 @@
+## policy for qpidd
+
+########################################
@@ -23385,9 +27289,9 @@ index 0000000..5dbca44
+## Execute a domain transition to run qpidd.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`qpidd_domtrans',`
@@ -23398,7 +27302,6 @@ index 0000000..5dbca44
+ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+')
+
-+
+########################################
+##
+## Execute qpidd server in the qpidd domain.
@@ -23451,12 +27354,12 @@ index 0000000..5dbca44
+ type qpidd_var_run_t;
+ ')
+
-+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++ files_search_pids($1)
++ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+')
+
-+
+########################################
+##
+## Search qpidd lib directories.
@@ -23492,7 +27395,7 @@ index 0000000..5dbca44
+ ')
+
+ files_search_var_lib($1)
-+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
@@ -23512,7 +27415,7 @@ index 0000000..5dbca44
+ ')
+
+ files_search_var_lib($1)
-+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
@@ -23530,12 +27433,12 @@ index 0000000..5dbca44
+ type qpidd_var_lib_t;
+ ')
+
-+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
-+
+########################################
+##
+## All of the rules required to administrate
@@ -23555,16 +27458,11 @@ index 0000000..5dbca44
+#
+interface(`qpidd_admin',`
+ gen_require(`
-+ type qpidd_t;
++ type qpidd_t, qpidd_initrc_exec_t;
+ ')
+
+ allow $1 qpidd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, qpidd_t)
-+
-+
-+ gen_require(`
-+ type qpidd_initrc_exec_t;
-+ ')
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
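Review bot: The comment kept above `qpidd_initrc_domtrans($1)` in `qpidd_admin` still reads `# Allow qpidd_t to restart the apache service`, which names both the wrong subject and the wrong service: the rule grants the caller `$1`, not `qpidd_t`, and the script it transitions through is qpidd's init script. Stale copy-paste comments in admin interfaces matter because they are what a later reader uses to judge whether a grant is intentional. Suggest `# Allow $1 to run the qpidd init script in its initrc domain`. The rest of `qpidd_admin` continues in the next hunk.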
@@ -23575,43 +27473,42 @@ index 0000000..5dbca44
+ qpidd_manage_var_run($1)
+
+ qpidd_manage_var_lib($1)
-+
+')
+
+#####################################
+##
-+## Allow read and write access to qpidd semaphores.
++## Allow read and write access to qpidd semaphores.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`qpidd_rw_semaphores',`
-+ gen_require(`
-+ type qpidd_t;
-+ ')
++ gen_require(`
++ type qpidd_t;
++ ')
+
-+ allow $1 qpidd_t:sem rw_sem_perms;
++ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+##
-+## Read and write to qpidd shared memory.
++## Read and write to qpidd shared memory.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`qpidd_rw_shm',`
-+ gen_require(`
-+ type qpidd_t;
-+ ')
++ gen_require(`
++ type qpidd_t;
++ ')
+
-+ allow $1 qpidd_t:shm rw_shm_perms;
++ allow $1 qpidd_t:shm rw_shm_perms;
+')
diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
new file mode 100644
@@ -23723,6 +27620,21 @@ index db6296a..b3f1fd3 100644
samba_read_var_files(radiusd_t)
')
+diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
+index be05bff..2bd662a 100644
+--- a/policy/modules/services/radvd.if
++++ b/policy/modules/services/radvd.if
+@@ -19,8 +19,8 @@
+ #
+ interface(`radvd_admin',`
+ gen_require(`
+- type radvd_t, radvd_etc_t;
+- type radvd_var_run_t, radvd_initrc_exec_t;
++ type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
++ type radvd_var_run_t;
+ ')
+
+ allow $1 radvd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
index 1efba0c..71d657c 100644
--- a/policy/modules/services/razor.fc
@@ -23733,10 +27645,44 @@ index 1efba0c..71d657c 100644
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
-index f04a595..13ad2fe 100644
+index f04a595..3203212 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
-@@ -157,3 +157,44 @@ interface(`razor_domtrans',`
+@@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
+ gen_require(`
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
+ ')
++
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, razor_exec_t)
+@@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
+ # Read system config file
+ allow $1_t razor_etc_t:dir list_dir_perms;
+ allow $1_t razor_etc_t:file read_file_perms;
+- allow $1_t razor_etc_t:lnk_file { getattr read };
++ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
+@@ -117,6 +118,7 @@ template(`razor_common_domain_template',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`razor_role',`
+ gen_require(`
+@@ -130,7 +132,7 @@ interface(`razor_role',`
+
+ # allow ps to show razor and allow the user to kill it
+ ps_process_pattern($2, razor_t)
+- allow $2 razor_t:process signal;
++ allow $2 razor_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+@@ -157,3 +159,43 @@ interface(`razor_domtrans',`
domtrans_pattern($1, razor_exec_t, razor_t)
')
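Review bot: The new rule `allow $2 razor_t:process { ptrace signal_perms };` in `razor_role` no longer matches the comment two lines above it, which says the role only needs to see razor in ps and kill it. `ptrace` lets the user domain attach to and read the memory of a razor_t process, which is considerably more than signalling; if that widening is intended (it mirrors other role interfaces), update the comment to say so, otherwise keep it at `allow $2 razor_t:process signal_perms;`. Whether a ptrace-related boolean constrains this grant elsewhere is not visible from this hunk, and `razor_role` itself begins and ends outside it.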
@@ -23752,7 +27698,7 @@ index f04a595..13ad2fe 100644
+##
+##
+#
-+template(`razor_manage_user_home_files',`
++interface(`razor_manage_user_home_files',`
+ gen_require(`
+ type razor_home_t;
+ ')
@@ -23780,7 +27726,6 @@ index f04a595..13ad2fe 100644
+ files_search_var_lib($1)
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
-+
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 340a6c0..eaa8706 100644
--- a/policy/modules/services/razor.te
@@ -23880,9 +27825,21 @@ index 3c97ef0..c025d59 100644
/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
-index 7dc38d1..aaf7c85 100644
+index 7dc38d1..9c2c963 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run rgmanager.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rgmanager_domtrans',`
@@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',`
fs_search_tmpfs($1)
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
@@ -23890,20 +27847,20 @@ index 7dc38d1..aaf7c85 100644
+
+#######################################
+##
-+## Allow read and write access to rgmanager semaphores.
++## Allow read and write access to rgmanager semaphores.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`rgmanager_rw_semaphores',`
-+ gen_require(`
-+ type rgmanager_t;
-+ ')
++ gen_require(`
++ type rgmanager_t;
++ ')
+
-+ allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
++ allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
+######################################
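Review bot: Replacing the explicit set `{ unix_read unix_write associate read write }` with `rw_sem_perms` in `rgmanager_rw_semaphores` is not a pure whitespace cleanup: if `rw_sem_perms` is defined as in refpolicy's obj_perm_sets (`{ associate getattr read write unix_read unix_write }`), the interface now also grants `getattr`. That is harmless for a read/write interface and makes it consistent with the sibling `qpidd_rw_semaphores` in this patch, but the permission set is widened and the commit should say so rather than bury it among indentation fixes.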
@@ -23912,9 +27869,9 @@ index 7dc38d1..aaf7c85 100644
+## an rgmanager environment
+##
+##
-+##
++##
+## Domain allowed access.
-+##
++##
+##
+##
+##
@@ -23927,7 +27884,7 @@ index 7dc38d1..aaf7c85 100644
+ gen_require(`
+ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
-+ ')
++ ')
+
+ allow $1 rgmanager_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rgmanager_t)
@@ -23937,15 +27894,15 @@ index 7dc38d1..aaf7c85 100644
+ role_transition $2 rgmanager_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, rgmanager_tmp_t)
+
+ admin_pattern($1, rgmanager_tmpfs_t)
+
-+ logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, rgmanager_var_log_t)
+
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
@@ -24034,19 +27991,19 @@ index c2ba53b..d862e7e 100644
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..d8b97c2 100644
+index de37806..229a3c7 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
-@@ -14,6 +14,8 @@
+@@ -13,7 +13,7 @@
+ #
template(`rhcs_domain_template',`
gen_require(`
- attribute cluster_domain;
-+ attribute cluster_tmpfs;
-+ attribute cluster_pid;
+- attribute cluster_domain;
++ attribute cluster_domain, cluster_tmpfs, cluster_pid;
')
##############################
-@@ -25,13 +27,13 @@ template(`rhcs_domain_template',`
+@@ -25,13 +25,13 @@ template(`rhcs_domain_template',`
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
@@ -24062,7 +28019,38 @@ index de37806..d8b97c2 100644
files_pid_file($1_var_run_t)
##############################
-@@ -335,6 +337,67 @@ interface(`rhcs_rw_groupd_shm',`
+@@ -51,7 +51,6 @@ template(`rhcs_domain_template',`
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+-
+ ')
+
+ ######################################
+@@ -59,9 +58,9 @@ template(`rhcs_domain_template',`
+ ## Execute a domain transition to run dlm_controld.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rhcs_domtrans_dlm_controld',`
+@@ -169,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+- allow $1 fenced_t:unix_stream_socket connectto;
+- allow $1 fenced_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
++ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
+ ')
+
+ #####################################
+@@ -335,6 +333,65 @@ interface(`rhcs_rw_groupd_shm',`
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
@@ -24078,8 +28066,7 @@ index de37806..d8b97c2 100644
+#
+interface(`rhcs_rw_cluster_shm',`
+ gen_require(`
-+ attribute cluster_domain;
-+ attribute cluster_tmpfs;
++ attribute cluster_domain, cluster_tmpfs;
+ ')
+
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
@@ -24090,47 +28077,46 @@ index de37806..d8b97c2 100644
+
+####################################
+##
-+## Read and write access to cluster domains semaphores.
++## Read and write access to cluster domains semaphores.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`rhcs_rw_cluster_semaphores',`
-+ gen_require(`
++ gen_require(`
+ attribute cluster_domain;
-+ ')
++ ')
+
-+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
++ allow $1 cluster_domain:sem { rw_sem_perms destroy };
+')
+
+####################################
+##
-+## Connect to cluster domains over a unix domain
-+## stream socket.
++## Connect to cluster domains over a unix domain
++## stream socket.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`rhcs_stream_connect_cluster',`
-+ gen_require(`
-+ attribute cluster_domain;
-+ attribute cluster_pid;
-+ ')
++ gen_require(`
++ attribute cluster_domain, cluster_pid;
++ ')
+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
++ files_search_pids($1)
++ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+')
+
######################################
##
## Execute a domain transition to run qdiskd.
-@@ -353,3 +416,40 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +410,41 @@ interface(`rhcs_domtrans_qdiskd',`
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
@@ -24150,26 +28136,27 @@ index de37806..d8b97c2 100644
+ type qdiskd_tmpfs_t;
+ ')
+
++ fs_search_tmpfs($1)
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
+
+######################################
+##
-+## Allow domain to read cluster lib files
++## Allow domain to read cluster lib files
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`rhcs_read_cluster_lib_files',`
-+ gen_require(`
-+ type cluster_var_lib_t;
-+ ')
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index 93c896a..1ebc84d 100644
@@ -24289,6 +28276,17 @@ index 93c896a..1ebc84d 100644
+optional_policy(`
corosync_stream_connect(cluster_domain)
')
+diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
+index 96efae7..793a29f 100644
+--- a/policy/modules/services/rhgb.if
++++ b/policy/modules/services/rhgb.if
+@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
+ type rhgb_tmpfs_t;
+ ')
+
++ fs_search_tmpfs($1)
+ allow $1 rhgb_tmpfs_t:file rw_file_perms;
+ ')
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index 5b08327..ed5dc05 100644
--- a/policy/modules/services/ricci.fc
@@ -24301,48 +28299,80 @@ index 5b08327..ed5dc05 100644
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
-index f7826f9..ecc341c 100644
+index f7826f9..3128dd8 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
-@@ -18,6 +18,24 @@ interface(`ricci_domtrans',`
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ricci.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans',`
+@@ -18,14 +18,32 @@ interface(`ricci_domtrans',`
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
+#######################################
+##
-+## Execute ricci server in the ricci domain.
++## Execute ricci server in the ricci domain.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`ricci_initrc_domtrans', `
-+ gen_require(`
-+ type ricci_initrc_exec_t;
-+ ')
++interface(`ricci_initrc_domtrans',`
++ gen_require(`
++ type ricci_initrc_exec_t;
++ ')
+
-+ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
++ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+')
+
########################################
##
## Execute a domain transition to run ricci_modcluster.
-@@ -90,8 +108,25 @@ interface(`ricci_stream_connect_modclusterd',`
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modcluster',`
+@@ -71,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
+ type ricci_modcluster_t;
+ ')
+
+- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
++ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',`
')
files_search_pids($1)
- allow $1 ricci_modcluster_var_run_t:sock_file write;
- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Execute a domain transition to run ricci_modlog.
+## Read and write to ricci_modcluserd temporary file system.
-+##
-+##
+ ##
+ ##
+##
+## Domain allowed access.
+##
@@ -24353,33 +28383,81 @@ index f7826f9..ecc341c 100644
+ type ricci_modcluserd_tmpfs_t;
+ ')
+
++ fs_search_tmpfs($1)
+ allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
- ')
-
- ########################################
-@@ -165,3 +200,67 @@ interface(`ricci_domtrans_modstorage',`
++')
++
++########################################
+ ##
+-## Domain allowed to transition.
++## Execute a domain transition to run ricci_modlog.
+ ##
++##
++##
++## Domain allowed to transition.
++##
+ ##
+ #
+ interface(`ricci_domtrans_modlog',`
+@@ -117,9 +153,9 @@ interface(`ricci_domtrans_modlog',`
+ ## Execute a domain transition to run ricci_modrpm.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modrpm',`
+@@ -135,9 +171,9 @@ interface(`ricci_domtrans_modrpm',`
+ ## Execute a domain transition to run ricci_modservice.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modservice',`
+@@ -153,9 +189,9 @@ interface(`ricci_domtrans_modservice',`
+ ## Execute a domain transition to run ricci_modstorage.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modstorage',`
+@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',`
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
+
+####################################
+##
-+## Allow the specified domain to manage ricci's lib files.
++## Allow the specified domain to manage ricci's lib files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`ricci_manage_lib_files',`
-+ gen_require(`
-+ type ricci_var_lib_t;
-+ ')
++ gen_require(`
++ type ricci_var_lib_t;
++ ')
+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
-+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
+########################################
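Review bot: The type name `ricci_modcluserd_tmpfs_t` used in the `gen_require` and `allow` lines at the top of this hunk (and the summary line `## Read and write to ricci_modcluserd temporary file system.` in the previous hunk) drops the `t` of `modclusterd`, while every other ricci type in this file follows the `ricci_modcluster*` spelling. It only compiles if ricci.te declares the type with the same misspelling, which is not visible here; either way an inconsistently named type is easy to mis-reference from other modules. Suggest renaming it to `ricci_modclusterd_tmpfs_t` in both ricci.te and this interface and fixing the summary line to match. The interface's header and name start in the previous hunk.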
@@ -24413,16 +28491,16 @@ index f7826f9..ecc341c 100644
+ role_transition $2 ricci_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, ricci_tmp_t)
-+
-+ files_search_var_lib($1)
++
++ files_list_var_lib($1)
+ admin_pattern($1, ricci_var_lib_t)
+
-+ logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, ricci_var_log_t)
+
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, ricci_var_run_t)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
@@ -24553,10 +28631,41 @@ index 779fa44..29a5d0d 100644
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..b65be0c 100644
+index cda37bb..28e7576 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
-@@ -246,6 +246,26 @@ interface(`rpc_domtrans_rpcd',`
+@@ -32,7 +32,11 @@ interface(`rpc_stub',`
+ ##
+ ##
+ #
+-template(`rpc_domain_template', `
++template(`rpc_domain_template',`
++ gen_require(`
++ type var_lib_nfs_t;
++ ')
++
+ ########################################
+ #
+ # Declarations
+@@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
+ type exports_t;
+ ')
+
+- dontaudit $1 exports_t:file getattr;
++ dontaudit $1 exports_t:file getattr_file_perms;
+ ')
+
+ ########################################
+@@ -188,7 +192,7 @@ interface(`rpc_write_exports',`
+ type exports_t;
+ ')
+
+- allow $1 exports_t:file write;
++ allow $1 exports_t:file write_file_perms;
+ ')
+
+ ########################################
+@@ -246,6 +250,26 @@ interface(`rpc_domtrans_rpcd',`
allow rpcd_t $1:process signal;
')
@@ -24583,7 +28692,25 @@ index cda37bb..b65be0c 100644
#######################################
##
## Execute domain in rpcd domain.
-@@ -414,4 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -282,7 +306,7 @@ interface(`rpc_read_nfs_content',`
+
+ allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
++ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -375,7 +399,7 @@ interface(`rpc_search_nfs_state_data',`
+ ')
+
+ files_search_var_lib($1)
+- allow $1 var_lib_nfs_t:dir search;
++ allow $1 var_lib_nfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -414,4 +438,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -24669,9 +28796,21 @@ index f5c47d6..5a965e9 100644
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
-index a96249c..5a4d69d 100644
+index a96249c..0458ba7 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run rpcbind.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rpcbind_domtrans',`
@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
')
@@ -24692,10 +28831,10 @@ index a96249c..5a4d69d 100644
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
+
-+ files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, rpcbind_var_lib_t)
+
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
@@ -24732,9 +28871,21 @@ index 0b405d1..49a4283 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
-index 3386f29..eefa329 100644
+index 3386f29..b28cae5 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
+@@ -109,9 +109,9 @@ interface(`rsync_exec',`
+ ## Read rsync config files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`rsync_read_config',`
@@ -119,7 +119,7 @@ interface(`rsync_read_config',`
type rsync_etc_t;
')
@@ -24744,23 +28895,35 @@ index 3386f29..eefa329 100644
files_search_etc($1)
')
+@@ -128,9 +128,9 @@ interface(`rsync_read_config',`
+ ## Write to rsync config files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`rsync_write_config',`
@@ -138,6 +138,49 @@ interface(`rsync_write_config',`
type rsync_etc_t;
')
- allow $1 rsync_etc_t:file read_file_perms;
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
- files_search_etc($1)
- ')
++ files_search_etc($1)
++')
+
+########################################
+##
+## Manage rsync config files.
+##
+##
-+##
-+## Domain allowed.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`rsync_manage_config',`
@@ -24769,8 +28932,8 @@ index 3386f29..eefa329 100644
+ ')
+
+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
-+ files_search_etc($1)
-+')
+ files_search_etc($1)
+ ')
+
+########################################
+##
@@ -24859,9 +29022,21 @@ index 39015ae..5e7b7cf 100644
+
auth_can_read_shadow_passwords(rsync_t)
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
-index 46dad1f..21079f8 100644
+index 46dad1f..d632bc0 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run rtkit_daemon.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rtkit_daemon_domtrans',`
@@ -41,6 +41,27 @@ interface(`rtkit_daemon_dbus_chat',`
########################################
@@ -24871,7 +29046,7 @@ index 46dad1f..21079f8 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
@@ -24890,6 +29065,14 @@ index 46dad1f..21079f8 100644
## Allow rtkit to control scheduling for your process
##
##
+@@ -54,6 +75,7 @@ interface(`rtkit_scheduled',`
+ type rtkit_daemon_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
index 6f8e268..7d64285 100644
--- a/policy/modules/services/rtkit.te
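Review bot: The added `kernel_search_proc($1)` in `rtkit_scheduled` grants the calling domain search on /proc, but the rule next to it, `ps_process_pattern(rtkit_daemon_t, $1)`, is about rtkit_daemon_t reading the caller's /proc entry, so the subject of the new grant looks inverted. If it is the daemon that needs /proc traversal to find the processes it schedules, that belongs once in rtkit.te as `kernel_search_proc(rtkit_daemon_t)` rather than handing every caller of this interface a permission unrelated to being scheduled. If the caller genuinely needs it, the interface summary should state that the domain is also granted /proc search. The interface's opening lines are outside the inner hunk shown here.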
@@ -24902,6 +29085,22 @@ index 6f8e268..7d64285 100644
########################################
#
+diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
+index 71ea0ea..664e68e 100644
+--- a/policy/modules/services/rwho.if
++++ b/policy/modules/services/rwho.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run rwho.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rwho_domtrans',`
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index a07b2f4..d78daf4 100644
--- a/policy/modules/services/rwho.te
@@ -24929,7 +29128,7 @@ index 69a6074..73db5ba 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..84732e5 100644
+index 82cb169..9e72970 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -79,6 +79,25 @@ interface(`samba_domtrans_net',`
@@ -24940,7 +29139,7 @@ index 82cb169..84732e5 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
+#
@@ -24973,7 +29172,7 @@ index 82cb169..84732e5 100644
+##
+##
+#
-+template(`samba_role_notrans',`
++interface(`samba_role_notrans',`
+ gen_require(`
+ type smbd_t;
+ ')
@@ -24988,7 +29187,7 @@ index 82cb169..84732e5 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain allowed to transition.
+##
+##
+##
@@ -25010,15 +29209,42 @@ index 82cb169..84732e5 100644
########################################
##
## Execute smbmount in the smbmount domain.
-@@ -412,6 +476,7 @@ interface(`samba_manage_var_files',`
- files_search_var($1)
+@@ -327,7 +391,6 @@ interface(`samba_search_var',`
+ type samba_var_t;
+ ')
+
+- files_search_var($1)
+ files_search_var_lib($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ ')
+@@ -348,7 +411,6 @@ interface(`samba_read_var_files',`
+ type samba_var_t;
+ ')
+
+- files_search_var($1)
+ files_search_var_lib($1)
+ read_files_pattern($1, samba_var_t, samba_var_t)
+ ')
+@@ -388,7 +450,6 @@ interface(`samba_rw_var_files',`
+ type samba_var_t;
+ ')
+
+- files_search_var($1)
+ files_search_var_lib($1)
+ rw_files_pattern($1, samba_var_t, samba_var_t)
+ ')
+@@ -409,9 +470,9 @@ interface(`samba_manage_var_files',`
+ type samba_var_t;
+ ')
+
+- files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
-@@ -419,15 +484,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +480,14 @@ interface(`samba_manage_var_files',`
## Execute a domain transition to run smbcontrol.
##
##
@@ -25037,7 +29263,7 @@ index 82cb169..84732e5 100644
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +628,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +624,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -25045,7 +29271,7 @@ index 82cb169..84732e5 100644
')
########################################
-@@ -644,6 +709,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +705,37 @@ interface(`samba_stream_connect_winbind',`
########################################
##
@@ -25083,7 +29309,7 @@ index 82cb169..84732e5 100644
## All of the rules required to administrate
## an samba environment
##
-@@ -661,21 +757,13 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,21 +753,12 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -25096,21 +29322,22 @@ index 82cb169..84732e5 100644
- type samba_etc_t, samba_share_t;
- type samba_secrets_t;
-
-+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-+ type smbd_t, smbd_tmp_t, samba_secrets_t;
-+ type samba_initrc_exec_t, samba_log_t, samba_var_t;
-+ type samba_etc_t, samba_share_t, winbind_log_t;
- type swat_var_run_t, swat_tmp_t;
+- type swat_var_run_t, swat_tmp_t;
-
- type winbind_var_run_t, winbind_tmp_t;
+- type winbind_var_run_t, winbind_tmp_t;
- type winbind_log_t;
-
- type samba_initrc_exec_t;
-+ type samba_unconfined_script_t, samba_unconfined_script_exec_t;
++ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
++ type smbd_t, smbd_tmp_t, samba_secrets_t;
++ type samba_initrc_exec_t, samba_log_t, samba_var_t;
++ type samba_etc_t, samba_share_t, winbind_log_t;
++ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
++ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
')
allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +772,9 @@ interface(`samba_admin',`
+@@ -684,6 +767,9 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
@@ -25120,7 +29347,7 @@ index 82cb169..84732e5 100644
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -709,9 +800,6 @@ interface(`samba_admin',`
+@@ -709,9 +795,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -25130,14 +29357,14 @@ index 82cb169..84732e5 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +815,5 @@ interface(`samba_admin',`
+@@ -727,4 +810,5 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..2a5981d 100644
+index e30bb63..85203da 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -25229,15 +29456,25 @@ index e30bb63..2a5981d 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -567,6 +562,7 @@ allow smbcontrol_t smbd_t:process signal;
+@@ -560,13 +555,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+ allow smbcontrol_t nmbd_t:process { signal signull };
++read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
+
+-allow smbcontrol_t nmbd_var_run_t:file { read lock };
+-
+-allow smbcontrol_t smbd_t:process signal;
+-
++allow smbcontrol_t smbd_t:process { signal signull };
++read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
allow smbcontrol_t winbind_t:process { signal signull };
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -677,7 +673,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +672,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -25246,7 +29483,7 @@ index e30bb63..2a5981d 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +688,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +687,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -25261,7 +29498,7 @@ index e30bb63..2a5981d 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +708,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +707,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -25269,7 +29506,7 @@ index e30bb63..2a5981d 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +753,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +752,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -25278,7 +29515,7 @@ index e30bb63..2a5981d 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,14 +807,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,14 +806,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -25298,7 +29535,7 @@ index e30bb63..2a5981d 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +834,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +833,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -25306,7 +29543,7 @@ index e30bb63..2a5981d 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +924,18 @@ optional_policy(`
+@@ -922,6 +923,18 @@ optional_policy(`
#
optional_policy(`
@@ -25325,7 +29562,7 @@ index e30bb63..2a5981d 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +946,12 @@ optional_policy(`
+@@ -932,9 +945,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -25387,7 +29624,7 @@ index a86ec50..ef4199b 100644
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
-index 7e94c7c..cf9fdcd 100644
+index 7e94c7c..5700fb8 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
@@ -25395,7 +29632,10 @@ index 7e94c7c..cf9fdcd 100644
mta_sendmail_domtrans($1, sendmail_t)
+')
-+
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_file_perms;
+- allow sendmail_t $1:process sigchld;
+#######################################
+##
+## Execute sendmail in the sendmail domain.
@@ -25410,10 +29650,7 @@ index 7e94c7c..cf9fdcd 100644
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
-
-- allow sendmail_t $1:fd use;
-- allow sendmail_t $1:fifo_file rw_file_perms;
-- allow sendmail_t $1:process sigchld;
++
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
@@ -25460,7 +29697,7 @@ index 7e94c7c..cf9fdcd 100644
+#
+interface(`sendmail_admin',`
+ gen_require(`
-+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
++ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+ type mail_spool_t;
+ ')
@@ -25475,16 +29712,16 @@ index 7e94c7c..cf9fdcd 100644
+ domain_system_change_exemption($1)
+ role_transition $2 sendmail_initrc_exec_t system_r;
+
-+ logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, sendmail_log_t)
+
-+ files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, sendmail_tmp_t)
+
-+ files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, sendmail_var_run_t)
+
-+ files_search_spool($1)
++ files_list_spool($1)
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
@@ -25554,7 +29791,7 @@ index 22dac1f..b6781d5 100644
+ unconfined_domain_noaudit(unconfined_sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
-index 22dfeb4..a7fbedc 100644
+index 22dfeb4..d9f5dbc 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
@@ -25583,16 +29820,17 @@ index 22dfeb4..a7fbedc 100644
## All of the rules required to administrate
## an setroubleshoot environment
##
-@@ -117,7 +136,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -117,15 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
#
interface(`setroubleshoot_admin',`
gen_require(`
- type setroubleshootd_t, setroubleshoot_log_t;
-+ type setroubleshootd_t, setroubleshoot_var_log_t;
- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
++ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
++ type setroubleshoot_var_lib_t;
')
-@@ -125,7 +144,7 @@ interface(`setroubleshoot_admin',`
+ allow $1 setroubleshootd_t:process { ptrace signal_perms };
ps_process_pattern($1, setroubleshootd_t)
logging_list_logs($1)
@@ -25750,7 +29988,7 @@ index 623c8fa..ac10740 100644
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
-index 275f9fb..6aa68d8 100644
+index 275f9fb..bfdf197 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -11,12 +11,12 @@
@@ -25790,8 +30028,14 @@ index 275f9fb..6aa68d8 100644
')
########################################
-@@ -128,7 +130,7 @@ interface(`snmp_admin',`
- type snmpd_initrc_exec_t;
+@@ -123,12 +125,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+ #
+ interface(`snmp_admin',`
+ gen_require(`
+- type snmpd_t, snmpd_log_t;
++ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
+ type snmpd_var_lib_t, snmpd_var_run_t;
+- type snmpd_initrc_exec_t;
')
- allow $1 snmpd_t:process { ptrace signal_perms getattr };
@@ -25832,7 +30076,7 @@ index 3d8d1b3..b5cd366 100644
auth_use_nsswitch(snmpd_t)
auth_read_all_dirs_except_shadow(snmpd_t)
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
-index c117e8b..215f425 100644
+index c117e8b..88ebedb 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -5,9 +5,9 @@
@@ -25847,6 +30091,36 @@ index c117e8b..215f425 100644
##
#
interface(`snort_domtrans',`
+@@ -50,11 +50,11 @@ interface(`snort_admin',`
+ allow $2 system_r;
+
+ admin_pattern($1, snort_etc_t)
+- files_search_etc($1)
++ files_list_etc($1)
+
+ admin_pattern($1, snort_log_t)
+- logging_search_logs($1)
++ logging_list_logs($1)
+
+ admin_pattern($1, snort_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
+ ')
+diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
+index 93fe7bf..4a15633 100644
+--- a/policy/modules/services/soundserver.if
++++ b/policy/modules/services/soundserver.if
+@@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',`
+ #
+ interface(`soundserver_admin',`
+ gen_require(`
+- type soundd_t, soundd_etc_t;
++ type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
+ type soundd_tmp_t, soundd_var_run_t;
+- type soundd_initrc_exec_t;
+ ')
+
+ allow $1 soundd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 6b3abf9..540981f 100644
--- a/policy/modules/services/spamassassin.fc
@@ -26357,7 +30631,7 @@ index 9d40380..9ad4eff 100644
optional_policy(`
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
-index d2496bd..dc4f590 100644
+index d2496bd..1d0c078 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
@@ -26377,6 +30651,16 @@ index d2496bd..dc4f590 100644
#
interface(`squid_dontaudit_search_cache',`
gen_require(`
+@@ -207,8 +206,7 @@ interface(`squid_use',`
+ interface(`squid_admin',`
+ gen_require(`
+ type squid_t, squid_cache_t, squid_conf_t;
+- type squid_log_t, squid_var_run_t;
+- type squid_initrc_exec_t;
++ type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
+ ')
+
+ allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..dd706b0 100644
--- a/policy/modules/services/ssh.fc
@@ -27300,7 +31584,7 @@ index 9fa94e4..0a0074c 100644
tunable_policy(`tor_bind_all_unreserved_ports', `
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
-index 54b8605..329f139 100644
+index 54b8605..752697f 100644
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@@ -5,9 +5,9 @@
@@ -27325,6 +31609,14 @@ index 54b8605..329f139 100644
')
allow $1 tuned_t:process { ptrace signal_perms };
+@@ -124,6 +123,6 @@ interface(`tuned_admin',`
+ role_transition $2 tuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, tuned_var_run_t)
+ ')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index db9d2a5..b3983a9 100644
--- a/policy/modules/services/tuned.te
@@ -27385,7 +31677,7 @@ index a0794bf..dd23a9c 100644
+')
+
diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
-index b078bf7..e3c66d8 100644
+index b078bf7..fd72fe8 100644
--- a/policy/modules/services/ulogd.if
+++ b/policy/modules/services/ulogd.if
@@ -5,9 +5,9 @@
@@ -27423,6 +31715,21 @@ index b078bf7..e3c66d8 100644
')
allow $1 ulogd_t:process { ptrace signal_perms };
+@@ -132,12 +131,12 @@ interface(`ulogd_admin',`
+ role_transition $2 ulogd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, ulogd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ulogd_var_log_t)
+
+- files_search_usr($1)
++ files_list_usr($1)
+ admin_pattern($1, ulogd_modules_t)
+ ')
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index eeaa641..eb4d8d5 100644
--- a/policy/modules/services/ulogd.te
@@ -27545,7 +31852,7 @@ index b775aaf..ec1562b 100644
#
# UUX Local policy
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
-index b4d90ac..e0f819e 100644
+index b4d90ac..fe5ce10 100644
--- a/policy/modules/services/varnishd.if
+++ b/policy/modules/services/varnishd.if
@@ -21,7 +21,7 @@ interface(`varnishd_domtrans',`
@@ -27563,7 +31870,7 @@ index b4d90ac..e0f819e 100644
+#####################################
+##
-+## Read varnish lib files.
++## Read varnish lib files.
+##
+##
+##
@@ -27588,17 +31895,20 @@ index b4d90ac..e0f819e 100644
interface(`varnishd_admin_varnishlog',`
gen_require(`
- type varnishlog_t;
-+ type varnishlog_t, varnishlog_initrc_exec_t;
- type varnishlog_var_run_t, varnishlog_log_t;
+- type varnishlog_var_run_t, varnishlog_log_t;
- type varnishlog_initrc_exec_t;
++ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
++ type varnishlog_var_run_t;
')
allow $1 varnishlog_t:process { ptrace signal_perms };
-@@ -146,11 +164,10 @@ interface(`varnishd_admin_varnishlog',`
+@@ -145,12 +163,11 @@ interface(`varnishd_admin_varnishlog',`
+ role_transition $2 varnishlog_initrc_exec_t system_r;
allow $2 system_r;
- files_search_pids($1)
+- files_search_pids($1)
- admin_pattern($1, varnishlog_var_run_t)
++ files_list_pids($1)
+ admin_pattern($1, varnishlog_var_run_t)
logging_list_logs($1)
@@ -27616,9 +31926,24 @@ index b4d90ac..e0f819e 100644
type varnishd_initrc_exec_t;
')
-@@ -196,5 +213,4 @@ interface(`varnishd_admin',`
+@@ -185,16 +202,15 @@ interface(`varnishd_admin',`
+ role_transition $2 varnishd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, varnishd_var_lib_t)
- files_search_tmp($1)
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, varnishd_etc_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, varnishd_var_run_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
admin_pattern($1, varnishd_tmp_t)
-
')
@@ -27758,10 +32083,10 @@ index 2124b6a..be4b00f 100644
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..e584e21 100644
+index 7c5d8d8..dbdc0e0 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
-@@ -14,13 +14,13 @@
+@@ -14,13 +14,14 @@
template(`virt_domain_template',`
gen_require(`
type virtd_t;
@@ -27774,10 +32099,11 @@ index 7c5d8d8..e584e21 100644
domain_type($1_t)
domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
role system_r types $1_t;
type $1_devpts_t;
-@@ -35,17 +35,18 @@ template(`virt_domain_template',`
+@@ -35,17 +36,18 @@ template(`virt_domain_template',`
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
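Review bot: `mcs_untrusted_proc($1_t)` is applied to every domain produced by virt_domain_template, but neither the interface that defines it nor the MCS constraint it presumably gates is in this hunk, so the effect on svirt guests needs confirming before this lands. If, as the name suggests, the paired mlsconstrain in policy/mcs restricts only the `signal` permission for an mcsuntrustedproc source, then a guest can still send `signull` (and `sigchld`) to processes whose categories it does not dominate, which still lets a compromised guest probe for other guests' or libvirtd's PIDs; `signull` should sit in the same constraint if isolation between guests is the goal. Either way the template deserves a why-comment next to the new line, e.g. `# guests are mcsuntrustedproc: MCS blocks signals to processes outside the guest's category set`, since nothing else in the template explains the attribute. The rest of the template body runs outside this hunk.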
@@ -27800,7 +32126,7 @@ index 7c5d8d8..e584e21 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +58,6 @@ template(`virt_domain_template',`
+@@ -57,18 +59,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -27819,7 +32145,7 @@ index 7c5d8d8..e584e21 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -101,9 +90,9 @@ interface(`virt_image',`
+@@ -101,9 +91,9 @@ interface(`virt_image',`
## Execute a domain transition to run virt.
##
##
@@ -27831,7 +32157,7 @@ index 7c5d8d8..e584e21 100644
##
#
interface(`virt_domtrans',`
-@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -27847,7 +32173,7 @@ index 7c5d8d8..e584e21 100644
')
########################################
-@@ -185,13 +174,13 @@ interface(`virt_read_config',`
+@@ -185,13 +175,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -27863,7 +32189,7 @@ index 7c5d8d8..e584e21 100644
')
########################################
-@@ -231,6 +220,24 @@ interface(`virt_read_content',`
+@@ -231,6 +221,24 @@ interface(`virt_read_content',`
########################################
##
@@ -27888,7 +32214,7 @@ index 7c5d8d8..e584e21 100644
## Read virt PID files.
##
##
-@@ -308,6 +315,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +316,24 @@ interface(`virt_read_lib_files',`
########################################
##
@@ -27913,7 +32239,7 @@ index 7c5d8d8..e584e21 100644
## Create, read, write, and delete
## virt lib files.
##
-@@ -352,9 +377,9 @@ interface(`virt_read_log',`
+@@ -352,9 +378,9 @@ interface(`virt_read_log',`
## virt log files.
##
##
@@ -27925,7 +32251,7 @@ index 7c5d8d8..e584e21 100644
##
#
interface(`virt_append_log',`
-@@ -424,6 +449,24 @@ interface(`virt_read_images',`
+@@ -424,6 +450,24 @@ interface(`virt_read_images',`
########################################
##
@@ -27950,7 +32276,7 @@ index 7c5d8d8..e584e21 100644
## Create, read, write, and delete
## svirt cache files.
##
-@@ -433,15 +476,15 @@ interface(`virt_read_images',`
+@@ -433,15 +477,15 @@ interface(`virt_read_images',`
##
##
#
@@ -27971,7 +32297,7 @@ index 7c5d8d8..e584e21 100644
')
########################################
-@@ -516,3 +559,51 @@ interface(`virt_admin',`
+@@ -516,3 +560,51 @@ interface(`virt_admin',`
virt_manage_log($1)
')
@@ -28012,7 +32338,7 @@ index 7c5d8d8..e584e21 100644
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
@@ -28491,22 +32817,20 @@ index 0000000..7667c31
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
new file mode 100644
-index 0000000..85dba86
+index 0000000..14f8906
--- /dev/null
+++ b/policy/modules/services/vnstatd.if
-@@ -0,0 +1,150 @@
-+
+@@ -0,0 +1,144 @@
+## policy for vnstatd
+
-+
+########################################
+##
+## Execute a domain transition to run vnstatd.
+##
+##
-+##
++##
+## Domain allowed access.
-+##
++##
+##
+#
+interface(`vnstatd_domtrans',`
@@ -28517,16 +32841,14 @@ index 0000000..85dba86
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
-+
-+
+########################################
+##
+## Execute a domain transition to run vnstat.
+##
+##
-+##
++##
+## Domain allowed access.
-+##
++##
+##
+#
+interface(`vnstatd_domtrans_vnstat',`
@@ -28572,7 +32894,7 @@ index 0000000..85dba86
+ ')
+
+ files_search_var_lib($1)
-+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
++ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
@@ -28592,7 +32914,7 @@ index 0000000..85dba86
+ ')
+
+ files_search_var_lib($1)
-+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
++ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
@@ -28611,7 +32933,7 @@ index 0000000..85dba86
+ ')
+
+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
++ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+
@@ -28634,16 +32956,14 @@ index 0000000..85dba86
+#
+interface(`vnstatd_admin',`
+ gen_require(`
-+ type vnstatd_t;
-+ type vnstatd_var_lib_t;
++ type vnstatd_t, vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vnstatd_t)
+
-+ files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
-+
+')
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
new file mode 100644
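Review bot: vnstatd_admin takes only a domain argument and carries no init-script handling, unlike the other `*_admin` interfaces touched in this series (sendmail_admin and snort_admin both do `role_transition $2 <svc>_initrc_exec_t system_r`), so a role granted this interface can `ptrace`/signal vnstatd_t and manage its lib files but cannot restart the daemon through the labelled init script. If vnstatd ships an init script, a `vnstatd_initrc_exec_t` type with the matching `init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)` and role transition lines belongs here; if it does not, a one-line comment stating that (e.g. `# vnstatd has no init script type; admin scope is the daemon and /var/lib/vnstat only`) would save the next reader the check. The interface's XML parameter block sits just above this hunk and is not visible here, so the single-parameter signature is inferred from the body.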
@@ -28885,7 +33205,7 @@ index 6f1e3c7..39c2bb3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..f34a53f 100644
+index da2601a..61cc021 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -28919,7 +33239,7 @@ index da2601a..f34a53f 100644
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ allow $2 xserver_tmp_t:sock_file unlink;
++ allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
files_search_tmp($2)
# Communicate via System V shared memory.
@@ -28949,7 +33269,7 @@ index da2601a..f34a53f 100644
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
-@@ -89,14 +96,14 @@ interface(`xserver_restricted_role',`
+@@ -89,14 +96,15 @@ interface(`xserver_restricted_role',`
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
@@ -28960,13 +33280,14 @@ index da2601a..f34a53f 100644
miscfiles_read_fonts($2)
+ miscfiles_setattr_fonts_cache_dirs($2)
++ miscfiles_read_hwdata($2)
xserver_common_x_domain_template(user, $2)
- xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -107,11 +114,19 @@ interface(`xserver_restricted_role',`
+@@ -107,11 +115,23 @@ interface(`xserver_restricted_role',`
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
@@ -28983,10 +33304,14 @@ index da2601a..f34a53f 100644
+ tunable_policy(`user_direct_dri',`
+ dev_rw_dri($2)
+ ')
++
++ optional_policy(`
++ gnome_read_gconf_config($2)
++ ')
')
########################################
-@@ -143,13 +158,15 @@ interface(`xserver_role',`
+@@ -143,13 +163,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -29004,7 +33329,7 @@ index da2601a..f34a53f 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +179,6 @@ interface(`xserver_role',`
+@@ -162,7 +184,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -29012,7 +33337,7 @@ index da2601a..f34a53f 100644
')
#######################################
-@@ -197,7 +213,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +218,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -29021,7 +33346,25 @@ index da2601a..f34a53f 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -291,12 +307,12 @@ interface(`xserver_user_client',`
+@@ -227,7 +248,7 @@ interface(`xserver_rw_session',`
+ type xserver_t, xserver_tmpfs_t;
+ ')
+
+- xserver_ro_session($1,$2)
++ xserver_ro_session($1, $2)
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -255,7 +276,7 @@ interface(`xserver_non_drawing_client',`
+
+ allow $1 self:x_gc { create setattr };
+
+- allow $1 xdm_var_run_t:dir search;
++ allow $1 xdm_var_run_t:dir search_dir_perms;
+ allow $1 xserver_t:unix_stream_socket connectto;
+
+ allow $1 xextension_t:x_extension { query use };
+@@ -291,13 +312,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -29033,11 +33376,19 @@ index da2601a..f34a53f 100644
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+- allow $1 xdm_tmp_t:dir search;
+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
- allow $1 xdm_tmp_t:dir search;
++ allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -347,14 +363,19 @@ template(`xserver_common_x_domain_template',`
+
+@@ -342,19 +363,23 @@ interface(`xserver_user_client',`
+ #
+ template(`xserver_common_x_domain_template',`
+ gen_require(`
+- type root_xdrawable_t;
++ type root_xdrawable_t, xdm_t, xserver_t;
+ type xproperty_t, $1_xproperty_t;
type xevent_t, client_xevent_t;
type input_xevent_t, $1_input_xevent_t;
@@ -29055,11 +33406,10 @@ index da2601a..f34a53f 100644
+ class x_screen { saver_setattr saver_hide saver_show };
+ class x_pointer { get_property set_property manage };
+ class x_keyboard { read manage };
-+ type xdm_t, xserver_t;
')
##############################
-@@ -386,6 +407,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +411,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -29075,7 +33425,18 @@ index da2601a..f34a53f 100644
')
#######################################
-@@ -458,9 +488,9 @@ template(`xserver_user_x_domain_template',`
+@@ -444,8 +478,8 @@ template(`xserver_object_types_template',`
+ #
+ template(`xserver_user_x_domain_template',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
+- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
++ type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++ type xauth_home_t, iceauth_home_t, xserver_t;
+ ')
+
+ allow $2 self:shm create_shm_perms;
+@@ -458,9 +492,9 @@ template(`xserver_user_x_domain_template',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -29087,7 +33448,7 @@ index da2601a..f34a53f 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +502,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +506,25 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -29115,7 +33476,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -517,6 +552,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +556,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -29123,7 +33484,7 @@ index da2601a..f34a53f 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +581,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +585,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -29152,7 +33513,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -598,6 +656,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +660,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -29160,7 +33521,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -615,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +678,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -29169,7 +33530,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -651,7 +710,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +714,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -29178,7 +33539,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -670,7 +729,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +733,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -29187,7 +33548,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -688,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +751,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -29196,7 +33557,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -703,12 +762,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +766,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -29210,7 +33571,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -724,11 +782,13 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +786,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -29219,13 +33580,13 @@ index da2601a..f34a53f 100644
')
files_search_tmp($1)
+- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ files_search_pids($1)
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
-+ stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
')
########################################
-@@ -765,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +828,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -29234,7 +33595,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -805,7 +865,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +868,7 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -29243,7 +33604,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -897,7 +957,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +960,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -29252,7 +33613,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -916,7 +976,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +979,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -29261,7 +33622,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -963,6 +1023,44 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1026,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -29280,6 +33641,7 @@ index da2601a..f34a53f 100644
+
+ files_search_etc($1)
+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
++ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
@@ -29306,7 +33668,7 @@ index da2601a..f34a53f 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1074,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1078,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -29315,7 +33677,7 @@ index da2601a..f34a53f 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1052,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1154,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -29324,7 +33686,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -1070,8 +1168,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1172,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -29336,7 +33698,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -1185,6 +1285,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1289,7 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -29344,7 +33706,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -1210,7 +1311,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1315,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -29353,7 +33715,7 @@ index da2601a..f34a53f 100644
##
##
##
-@@ -1220,13 +1321,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1325,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -29378,7 +33740,7 @@ index da2601a..f34a53f 100644
')
########################################
-@@ -1243,10 +1354,331 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1358,331 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -29573,7 +33935,7 @@ index da2601a..f34a53f 100644
+##
+##
+#
-+template(`xserver_read_user_iceauth',`
++interface(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
@@ -30704,7 +35066,7 @@ index 0000000..56cb5af
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644
-index 0000000..78fc104
+index 0000000..4f2dde8
--- /dev/null
+++ b/policy/modules/services/zarafa.if
@@ -0,0 +1,102 @@
@@ -30808,7 +35170,7 @@ index 0000000..78fc104
+ ')
+
+ files_search_var_lib($1)
-+ stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
++ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
@@ -30950,7 +35312,7 @@ index 0000000..3509088
+ apache_content_template(zarafa)
+')
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
-index 6b87605..5860687 100644
+index 6b87605..347f754 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
@@ -30963,8 +35325,18 @@ index 6b87605..5860687 100644
')
########################################
+@@ -62,8 +61,7 @@ interface(`zebra_stream_connect',`
+ interface(`zebra_admin',`
+ gen_require(`
+ type zebra_t, zebra_tmp_t, zebra_log_t;
+- type zebra_conf_t, zebra_var_run_t;
+- type zebra_initrc_exec_t;
++ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
+ ')
+
+ allow $1 zebra_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
-index 702e768..1d24e1e 100644
+index 702e768..13f0eef 100644
--- a/policy/modules/services/zosremote.if
+++ b/policy/modules/services/zosremote.if
@@ -5,9 +5,9 @@
@@ -30979,6 +35351,14 @@ index 702e768..1d24e1e 100644
##
#
interface(`zosremote_domtrans',`
+@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`zosremote_run',`
+ gen_require(`
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
index ac50333..108595b 100644
--- a/policy/modules/system/application.if
@@ -31053,7 +35433,7 @@ index 1c4b1e7..2997dd7 100644
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..5819211 100644
+index bea0ade..c411b5e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -31192,7 +35572,33 @@ index bea0ade..5819211 100644
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -874,6 +921,26 @@ interface(`auth_exec_pam',`
+@@ -736,6 +783,25 @@ interface(`auth_rw_faillog',`
+ allow $1 faillog_t:file rw_file_perms;
+ ')
+
++########################################
++##
++## Manage the login failure log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_faillog',`
++ gen_require(`
++ type faillog_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 faillog_t:file manage_file_perms;
++')
++
+ #######################################
+ ##
+ ## Read the last logins log.
+@@ -874,6 +940,26 @@ interface(`auth_exec_pam',`
########################################
##
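Review bot: The new auth_manage_faillog interface grants `manage_file_perms` on faillog_t, which includes unlink and rename, so a caller can remove or replace the login-failure log — a step beyond the `rw_file_perms` that auth_rw_faillog just above it grants, and the summary line does not say so. A summary such as `## Create, read, write, and delete the login failure log.` would let a policy writer choosing between the two interfaces see the difference. The same applies to the init.te hunk that wires it in with `+auth_manage_faillog(initrc_t)`: if init scripts only need to create a missing faillog file at boot, a narrower create-plus-rw grant would keep unlink out of that broad domain; please confirm the intended use. The interface itself is complete within this hunk.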
@@ -31219,7 +35625,7 @@ index bea0ade..5819211 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
##
-@@ -1500,6 +1567,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1586,8 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -31228,7 +35634,7 @@ index bea0ade..5819211 100644
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1600,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1619,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
@@ -31620,7 +36026,7 @@ index 9775375..b338481 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f6aafe7..447aaec 100644
+index f6aafe7..666a58f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -31857,7 +36263,21 @@ index f6aafe7..447aaec 100644
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1338,6 +1434,27 @@ interface(`init_dbus_send_script',`
+@@ -1111,12 +1207,7 @@ interface(`init_read_script_state',`
+ ')
+
+ kernel_search_proc($1)
+- read_files_pattern($1, initrc_t, initrc_t)
+- read_lnk_files_pattern($1, initrc_t, initrc_t)
+- list_dirs_pattern($1, initrc_t, initrc_t)
+-
+- # should move this to separate interface
+- allow $1 initrc_t:process getattr;
++ ps_process_pattern($1, initrc_t)
+ ')
+
+ ########################################
+@@ -1338,6 +1429,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
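Review bot: Replacing the three pattern calls and the explicit `allow $1 initrc_t:process getattr;` with `ps_process_pattern($1, initrc_t)` also drops the `# should move this to separate interface` remark, which was the only record that granting process getattr from a read-script-state interface is considered misplaced. If ps_process_pattern still carries the process getattr rule, as I believe it does, keep that remark above the new call so the intent is not lost. The rebased inner hunk headers that follow in this file appear to be a consequence of this line-count change only. init_read_script_state's gen_require block begins outside the hunk.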
@@ -31885,7 +36305,7 @@ index f6aafe7..447aaec 100644
## init scripts over dbus.
##
##
-@@ -1424,6 +1541,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1424,6 +1536,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -31911,7 +36331,7 @@ index f6aafe7..447aaec 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1637,7 +1773,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1637,7 +1768,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -31920,7 +36340,7 @@ index f6aafe7..447aaec 100644
')
########################################
-@@ -1712,3 +1848,94 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1712,3 +1843,94 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -32016,7 +36436,7 @@ index f6aafe7..447aaec 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..1b6733f 100644
+index 698c11e..d7abdd1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -32340,7 +36760,15 @@ index 698c11e..1b6733f 100644
selinux_get_enforce_mode(initrc_t)
-@@ -394,13 +519,14 @@ logging_read_audit_config(initrc_t)
+@@ -380,6 +505,7 @@ auth_read_pam_pid(initrc_t)
+ auth_delete_pam_pid(initrc_t)
+ auth_delete_pam_console_data(initrc_t)
+ auth_use_nsswitch(initrc_t)
++auth_manage_faillog(initrc_t)
+
+ libs_rw_ld_so_cache(initrc_t)
+ libs_exec_lib_files(initrc_t)
+@@ -394,13 +520,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -32356,7 +36784,7 @@ index 698c11e..1b6733f 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +599,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +600,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -32365,7 +36793,7 @@ index 698c11e..1b6733f 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -519,6 +645,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +646,19 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -32385,7 +36813,7 @@ index 698c11e..1b6733f 100644
')
optional_policy(`
-@@ -526,10 +665,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +666,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -32403,7 +36831,7 @@ index 698c11e..1b6733f 100644
')
optional_policy(`
-@@ -544,6 +690,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +691,35 @@ ifdef(`distro_suse',`
')
')
@@ -32439,7 +36867,7 @@ index 698c11e..1b6733f 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +731,8 @@ optional_policy(`
+@@ -556,6 +732,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -32448,7 +36876,7 @@ index 698c11e..1b6733f 100644
')
optional_policy(`
-@@ -572,6 +749,7 @@ optional_policy(`
+@@ -572,6 +750,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -32456,7 +36884,7 @@ index 698c11e..1b6733f 100644
')
optional_policy(`
-@@ -584,6 +762,11 @@ optional_policy(`
+@@ -584,6 +763,11 @@ optional_policy(`
')
optional_policy(`
@@ -32468,7 +36896,7 @@ index 698c11e..1b6733f 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,6 +783,9 @@ optional_policy(`
+@@ -600,6 +784,9 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -32478,7 +36906,7 @@ index 698c11e..1b6733f 100644
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -701,7 +887,13 @@ optional_policy(`
+@@ -701,7 +888,13 @@ optional_policy(`
')
optional_policy(`
@@ -32492,7 +36920,7 @@ index 698c11e..1b6733f 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +916,10 @@ optional_policy(`
+@@ -724,6 +917,10 @@ optional_policy(`
')
optional_policy(`
@@ -32503,7 +36931,7 @@ index 698c11e..1b6733f 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -745,6 +941,10 @@ optional_policy(`
+@@ -745,6 +942,10 @@ optional_policy(`
')
optional_policy(`
@@ -32514,7 +36942,7 @@ index 698c11e..1b6733f 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +966,6 @@ optional_policy(`
+@@ -766,8 +967,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -32523,7 +36951,7 @@ index 698c11e..1b6733f 100644
')
optional_policy(`
-@@ -776,14 +974,21 @@ optional_policy(`
+@@ -776,14 +975,21 @@ optional_policy(`
')
optional_policy(`
@@ -32545,7 +36973,7 @@ index 698c11e..1b6733f 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1010,19 @@ optional_policy(`
+@@ -805,11 +1011,19 @@ optional_policy(`
')
optional_policy(`
@@ -32566,7 +36994,7 @@ index 698c11e..1b6733f 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1032,25 @@ optional_policy(`
+@@ -819,6 +1033,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -32592,7 +37020,7 @@ index 698c11e..1b6733f 100644
')
optional_policy(`
-@@ -844,3 +1076,55 @@ optional_policy(`
+@@ -844,3 +1077,55 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -33126,6 +37554,18 @@ index 1d1c399..3ab3a47 100644
- tgtd_rw_semaphores(iscsid_t)
+ tgtd_manage_semaphores(iscsid_t)
')
+diff --git a/policy/modules/system/kdump.if b/policy/modules/system/kdump.if
+index 4198ff5..672d323 100644
+--- a/policy/modules/system/kdump.if
++++ b/policy/modules/system/kdump.if
+@@ -106,6 +106,6 @@ interface(`kdump_admin',`
+ role_transition $2 kdump_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, kdump_etc_t)
+ ')
diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te
index 57c645b..7682697 100644
--- a/policy/modules/system/kdump.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cf315b4..61e9c1a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.5
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Wed Sep 21 2010 Dan Walsh 3.9.5-3
+- Fix up Xguest policy
+
* Thu Sep 16 2010 Dan Walsh 3.9.5-2
- Add vnstat policy
- allow libvirt to send audit messages