diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
index 252cfd3..92c8c4f 100644
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@@ -10,3 +10,5 @@
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/var/lib/xguest/home /home
+/var/home /home
+/var/root /root
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b4f3b28..da6c7d0 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8720,7 +8720,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..23627f4 100644
+index cf04cb5..0b3704b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8761,7 +8761,7 @@ index cf04cb5..23627f4 100644
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -8798,6 +8798,7 @@ index cf04cb5..23627f4 100644
+files_read_inherited_tmp_files(domain)
+files_append_inherited_tmp_files(domain)
+files_read_all_base_ro_files(domain)
++files_dontaduit_getattr_kernel_symbol_table(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
@@ -8808,7 +8809,7 @@ index cf04cb5..23627f4 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -8827,7 +8828,7 @@ index cf04cb5..23627f4 100644
')
optional_policy(`
-@@ -133,6 +189,9 @@ optional_policy(`
+@@ -133,6 +190,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -8837,7 +8838,7 @@ index cf04cb5..23627f4 100644
')
########################################
-@@ -147,12 +206,18 @@ optional_policy(`
+@@ -147,12 +207,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -8857,7 +8858,7 @@ index cf04cb5..23627f4 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,334 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +232,342 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9124,6 +9125,10 @@ index cf04cb5..23627f4 100644
+ cron_rw_system_job_pipes(domain)
+')
+
++optional_policy(`
++ devicekit_dbus_chat_power(domain)
++')
++
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
@@ -9192,6 +9197,10 @@ index cf04cb5..23627f4 100644
+ prelink_exec(domain)
+ ')
+')
++
++optional_policy(`
++ unconfined_server_stream_connect(domain)
++')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48..27f60c6 100644
--- a/policy/modules/kernel/files.fc
@@ -9443,7 +9452,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..fa8cdcb 100644
+index f962f76..1517625 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11449,7 +11458,32 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5241,6 +6319,24 @@ interface(`files_list_var',`
+@@ -5112,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',`
+
+ ########################################
+ ##
++## Dontaudit getattr attempts on the system.map file
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++##
+ ## Read system.map in the /boot directory.
+ ##
+ ##
+@@ -5241,6 +6337,24 @@ interface(`files_list_var',`
########################################
##
@@ -11474,7 +11508,7 @@ index f962f76..fa8cdcb 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5527,6 +6623,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6641,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -11500,7 +11534,7 @@ index f962f76..fa8cdcb 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6711,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6729,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11526,7 +11560,7 @@ index f962f76..fa8cdcb 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6775,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6793,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11535,7 +11569,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -5649,12 +6783,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6801,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11551,7 +11585,7 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5672,6 +6807,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6825,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11559,7 +11593,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6834,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6852,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11587,7 +11621,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -5706,13 +6861,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6879,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11604,7 +11638,7 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5731,7 +6885,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6903,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11613,7 +11647,7 @@ index f962f76..fa8cdcb 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6918,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6936,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11621,7 +11655,7 @@ index f962f76..fa8cdcb 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6932,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6950,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11630,7 +11664,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -5787,13 +6940,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6958,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11665,7 +11699,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +6982,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7000,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11683,7 +11717,7 @@ index f962f76..fa8cdcb 100644
')
########################################
-@@ -5834,9 +7006,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7024,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11694,7 +11728,7 @@ index f962f76..fa8cdcb 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7048,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7066,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11704,7 +11738,7 @@ index f962f76..fa8cdcb 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7070,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7088,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11714,7 +11748,7 @@ index f962f76..fa8cdcb 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7107,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7125,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11724,7 +11758,7 @@ index f962f76..fa8cdcb 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7146,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7164,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11733,7 +11767,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7166,48 @@ interface(`files_search_pids',`
+@@ -5999,22 +7184,60 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11742,16 +11776,23 @@ index f962f76..fa8cdcb 100644
search_dirs_pattern($1, var_t, var_run_t)
')
+-########################################
+######################################
-+##
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Add and remove entries from pid directories.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain to not audit.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
@@ -11779,21 +11820,30 @@ index f962f76..fa8cdcb 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
- ########################################
- ##
- ## Do not audit attempts to search
-@@ -6025,12 +7230,31 @@ interface(`files_dontaudit_search_pids',`
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
+ gen_require(`
+ type var_run_t;
+ ')
+@@ -6025,6 +7248,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
--## List the contents of the runtime process
--## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
+##
+##
@@ -11808,16 +11858,10 @@ index f962f76..fa8cdcb 100644
+
+########################################
+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
-@@ -6039,7 +7263,7 @@ interface(`files_list_pids',`
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7281,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11826,7 +11870,7 @@ index f962f76..fa8cdcb 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7282,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7300,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11835,7 +11879,7 @@ index f962f76..fa8cdcb 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7302,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7320,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11844,7 +11888,7 @@ index f962f76..fa8cdcb 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7364,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7382,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11852,7 +11896,7 @@ index f962f76..fa8cdcb 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7392,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7410,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -11877,7 +11921,7 @@ index f962f76..fa8cdcb 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7423,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7441,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11886,7 +11930,7 @@ index f962f76..fa8cdcb 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7490,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7508,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -11949,7 +11993,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6305,42 +7534,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7552,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -11999,7 +12043,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6348,18 +7570,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7588,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -12023,7 +12067,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6367,37 +7589,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7607,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -12075,7 +12119,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6405,18 +7630,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7648,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -12098,7 +12142,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6424,18 +7648,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7666,18 @@ interface(`files_list_spool',`
##
##
#
@@ -12122,7 +12166,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6443,19 +7667,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7685,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -12147,7 +12191,7 @@ index f962f76..fa8cdcb 100644
##
##
##
-@@ -6463,55 +7686,130 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7704,43 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -12175,46 +12219,101 @@ index f962f76..fa8cdcb 100644
##
##
-##
+-##
+-## Type to which the created node will be transitioned.
+-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+##
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_delete_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Delete all process ID directories.
-+##
-+##
+ ##
+ ##
##
--## Type to which the created node will be transitioned.
-+## Domain allowed access.
+@@ -6519,53 +7748,68 @@ interface(`files_spool_filetrans',`
##
##
--##
-+#
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-+
+
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+########################################
+##
+## Make the specified type a file
@@ -12247,129 +12346,80 @@ index f962f76..fa8cdcb 100644
+##
+##
+##
- ##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
++##
+## Type of the file to be used as a
+## spool file.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
-+ ')
+ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+##
-+## Create all spool sockets
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_spool_filetrans',`
-+interface(`files_create_all_spool_sockets',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute spoolfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
##
--## Allow access to manage all polyinstantiated
--## directories on the system.
-+## Delete all spool sockets
+-## Unconfined access to files.
++## Create all spool sockets
##
##
##
-@@ -6519,64 +7817,767 @@ interface(`files_spool_filetrans',`
+@@ -6573,10 +7817,785 @@ interface(`files_polyinstantiate_all',`
##
##
#
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_spool_sockets',`
+-interface(`files_unconfined',`
++interface(`files_create_all_spool_sockets',`
gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
+- attribute files_unconfined_type;
+ attribute spoolfile;
')
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
+- typeattribute $1 files_unconfined_type;
++ allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++##
++## Delete all spool sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_spool_sockets',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Relabel to and from all spool
+## directory types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_unconfined',`
++#
+interface(`files_relabel_all_spool_dirs',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ attribute spoolfile;
+ type var_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ relabel_dirs_pattern($1, spoolfile, spoolfile)
+')
+
@@ -29328,7 +29378,7 @@ index 79a45f6..9a14d49 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..afe80c5 100644
+index 17eda24..c15f72a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -29799,7 +29849,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -216,7 +501,30 @@ optional_policy(`
+@@ -216,7 +501,31 @@ optional_policy(`
')
optional_policy(`
@@ -29827,10 +29877,11 @@ index 17eda24..afe80c5 100644
+optional_policy(`
unconfined_domain(init_t)
+ domain_named_filetrans(init_t)
++ unconfined_server_domtrans(init_t)
')
########################################
-@@ -225,9 +533,9 @@ optional_policy(`
+@@ -225,9 +534,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29842,7 +29893,7 @@ index 17eda24..afe80c5 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +566,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +567,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29859,7 +29910,7 @@ index 17eda24..afe80c5 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +591,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +592,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29902,7 +29953,7 @@ index 17eda24..afe80c5 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +628,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +629,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -29914,7 +29965,7 @@ index 17eda24..afe80c5 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +640,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +641,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -29925,7 +29976,7 @@ index 17eda24..afe80c5 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +651,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +652,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29935,7 +29986,7 @@ index 17eda24..afe80c5 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +660,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +661,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -29943,7 +29994,7 @@ index 17eda24..afe80c5 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +667,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +668,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29951,7 +30002,7 @@ index 17eda24..afe80c5 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +675,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +676,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29969,7 +30020,7 @@ index 17eda24..afe80c5 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +693,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +694,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29983,7 +30034,7 @@ index 17eda24..afe80c5 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +708,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +709,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29997,7 +30048,7 @@ index 17eda24..afe80c5 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +721,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +722,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -30008,7 +30059,7 @@ index 17eda24..afe80c5 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +734,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +735,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -30016,7 +30067,7 @@ index 17eda24..afe80c5 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +753,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +754,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -30040,7 +30091,7 @@ index 17eda24..afe80c5 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +786,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +787,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -30048,7 +30099,7 @@ index 17eda24..afe80c5 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +820,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +821,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -30059,7 +30110,7 @@ index 17eda24..afe80c5 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +844,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +845,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30068,7 +30119,7 @@ index 17eda24..afe80c5 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +859,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +860,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -30076,7 +30127,7 @@ index 17eda24..afe80c5 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +880,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +881,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -30084,7 +30135,7 @@ index 17eda24..afe80c5 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +890,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +891,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -30129,7 +30180,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -559,14 +935,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +936,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30161,7 +30212,7 @@ index 17eda24..afe80c5 100644
')
')
-@@ -577,6 +970,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +971,39 @@ ifdef(`distro_suse',`
')
')
@@ -30201,7 +30252,7 @@ index 17eda24..afe80c5 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1015,8 @@ optional_policy(`
+@@ -589,6 +1016,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30210,7 +30261,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -610,6 +1038,7 @@ optional_policy(`
+@@ -610,6 +1039,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -30218,7 +30269,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -626,6 +1055,17 @@ optional_policy(`
+@@ -626,6 +1056,17 @@ optional_policy(`
')
optional_policy(`
@@ -30236,7 +30287,7 @@ index 17eda24..afe80c5 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1082,13 @@ optional_policy(`
+@@ -642,9 +1083,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30250,7 +30301,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -657,15 +1101,11 @@ optional_policy(`
+@@ -657,15 +1102,11 @@ optional_policy(`
')
optional_policy(`
@@ -30268,7 +30319,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -686,6 +1126,15 @@ optional_policy(`
+@@ -686,6 +1127,15 @@ optional_policy(`
')
optional_policy(`
@@ -30284,7 +30335,7 @@ index 17eda24..afe80c5 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1175,7 @@ optional_policy(`
+@@ -726,6 +1176,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -30292,7 +30343,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -743,7 +1193,13 @@ optional_policy(`
+@@ -743,7 +1194,13 @@ optional_policy(`
')
optional_policy(`
@@ -30307,7 +30358,7 @@ index 17eda24..afe80c5 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1222,10 @@ optional_policy(`
+@@ -766,6 +1223,10 @@ optional_policy(`
')
optional_policy(`
@@ -30318,7 +30369,7 @@ index 17eda24..afe80c5 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1235,20 @@ optional_policy(`
+@@ -775,10 +1236,20 @@ optional_policy(`
')
optional_policy(`
@@ -30339,7 +30390,7 @@ index 17eda24..afe80c5 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1257,10 @@ optional_policy(`
+@@ -787,6 +1258,10 @@ optional_policy(`
')
optional_policy(`
@@ -30350,7 +30401,7 @@ index 17eda24..afe80c5 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1282,6 @@ optional_policy(`
+@@ -808,8 +1283,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30359,7 +30410,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -818,6 +1290,10 @@ optional_policy(`
+@@ -818,6 +1291,10 @@ optional_policy(`
')
optional_policy(`
@@ -30370,7 +30421,7 @@ index 17eda24..afe80c5 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1303,12 @@ optional_policy(`
+@@ -827,10 +1304,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -30383,7 +30434,7 @@ index 17eda24..afe80c5 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1335,60 @@ optional_policy(`
+@@ -857,21 +1336,60 @@ optional_policy(`
')
optional_policy(`
@@ -30445,7 +30496,7 @@ index 17eda24..afe80c5 100644
')
optional_policy(`
-@@ -887,6 +1404,10 @@ optional_policy(`
+@@ -887,6 +1405,10 @@ optional_policy(`
')
optional_policy(`
@@ -30456,7 +30507,7 @@ index 17eda24..afe80c5 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1418,218 @@ optional_policy(`
+@@ -897,3 +1419,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -39234,10 +39285,10 @@ index 0000000..1d9bdfd
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..9785384
+index 0000000..e4b127c
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,635 @@
+@@ -0,0 +1,636 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -39532,6 +39583,7 @@ index 0000000..9785384
+mls_file_upgrade(systemd_tmpfiles_t)
+
+selinux_get_enforce_mode(systemd_tmpfiles_t)
++selinux_setcheckreqprot(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_relabel_faillog(systemd_tmpfiles_t)
@@ -40465,7 +40517,7 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..01e03ec 100644
+index 5ca20a9..7bbabfc 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -40576,7 +40628,7 @@ index 5ca20a9..01e03ec 100644
')
########################################
-@@ -175,414 +185,5 @@ interface(`unconfined_alias_domain',`
+@@ -175,381 +185,12 @@ interface(`unconfined_alias_domain',`
##
#
interface(`unconfined_execmem_alias_program',`
@@ -40949,54 +41001,64 @@ index 5ca20a9..01e03ec 100644
- ')
-
- allow $1 unconfined_t:dbus send_msg;
--')
--
--########################################
--##
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+ ##
-## Send and receive messages from
-## unconfined_t over dbus.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -557,20 +198,19 @@ interface(`unconfined_dbus_send',`
+ ##
+ ##
+ #
-interface(`unconfined_dbus_chat',`
-- gen_require(`
++interface(`unconfined_server_stream_connect',`
+ gen_require(`
- type unconfined_t;
- class dbus send_msg;
-- ')
--
++ type unconfined_server_t;
+ ')
+
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
--')
--
--########################################
--##
++ files_search_pids($1)
++ files_write_generic_pid_pipes($1)
++ allow $1 unconfined_server_t:unix_stream_socket { getattr connectto };
+ ')
+
+ ########################################
+ ##
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to unconfined_server with a unix socket.
+ ##
+ ##
+ ##
+@@ -578,11 +218,10 @@ interface(`unconfined_dbus_chat',`
+ ##
+ ##
+ #
-interface(`unconfined_dbus_connect',`
-- gen_require(`
++interface(`unconfined_server_domtrans',`
+ gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
-- ')
--
++ type unconfined_server_t;
+ ')
+
- allow $1 unconfined_t:dbus acquire_svc;
-+ refpolicywarn(`$0() has been deprecated.')
++ corecmd_bin_domtrans($1, unconfined_server_t)
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902d..61f19e9 100644
+index 5fe902d..fe042f9 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,7 @@
+@@ -1,207 +1,15 @@
-policy_module(unconfined, 3.5.1)
+policy_module(unconfined, 3.5.0)
@@ -41004,7 +41066,8 @@ index 5fe902d..61f19e9 100644
#
# Declarations
#
--
++attribute unconfined_services;
+
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
-# have another method to add access to these types
@@ -41012,10 +41075,13 @@ index 5fe902d..61f19e9 100644
-userdom_manage_home_role(unconfined_r, unconfined_t)
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
--
++type unconfined_service_t;
++domain_type(unconfined_service_t)
+
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
--
++unconfined_domain(unconfined_service_t)
+
-type unconfined_execmem_t;
-type unconfined_execmem_exec_t;
-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
@@ -41205,7 +41271,8 @@ index 5fe902d..61f19e9 100644
-optional_policy(`
- unconfined_dbus_chat(unconfined_execmem_t)
-')
-+attribute unconfined_services;
++corecmd_bin_entry_type(unconfined_service_t)
++corecmd_shell_entry_type(unconfined_service_t)
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..e4eb903 100644
--- a/policy/modules/system/userdomain.fc
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a40e705..421c075 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -10427,7 +10427,7 @@ index a3760bc..a570048 100644
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if
-index cd9c528..9de38c4 100644
+index cd9c528..ba793b7 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
@@ -10435,7 +10435,7 @@ index cd9c528..9de38c4 100644
')
- lightsquid_domtrans($1)
-+ clamd_domtrans($1)
++ calamaris_domtrans($1)
roleattribute $2 calamaris_roles;
')
@@ -11186,10 +11186,10 @@ index 0000000..57866f6
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
-index 0000000..5977d96
+index 0000000..8ea5b7c
--- /dev/null
+++ b/chrome.if
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,133 @@
+
+## policy for chrome
+
@@ -11276,9 +11276,8 @@ index 0000000..5977d96
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
-+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
++ allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;;
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
@@ -19280,7 +19279,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..ff0c9da 100644
+index 62d22cb..2d33fcd 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -19802,7 +19801,7 @@ index 62d22cb..ff0c9da 100644
##
##
## Type to be used as a domain.
-@@ -397,81 +403,66 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -19827,6 +19826,7 @@ index 62d22cb..ff0c9da 100644
+ domain_entry_file($1, $2)
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
++ init_system_domain($1, $2)
+
+ ps_process_pattern($1, system_dbusd_t)
+
@@ -19911,7 +19911,7 @@ index 62d22cb..ff0c9da 100644
##
##
##
-@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',`
##
##
#
@@ -19935,7 +19935,7 @@ index 62d22cb..ff0c9da 100644
##
##
##
-@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',`
##
##
#
@@ -20062,7 +20062,7 @@ index 62d22cb..ff0c9da 100644
##
##
##
-@@ -597,28 +570,32 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +571,32 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -23074,10 +23074,10 @@ index c7bb4e7..e6fe2f40 100644
sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/docker.fc b/docker.fc
new file mode 100644
-index 0000000..1c4ac02
+index 0000000..fd679a1
--- /dev/null
+++ b/docker.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,18 @@
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
@@ -23086,6 +23086,7 @@ index 0000000..1c4ac02
+
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
++/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
+
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
+
@@ -23097,10 +23098,10 @@ index 0000000..1c4ac02
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..cc6846a
+index 0000000..89401fe
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,324 @@
+
+## The open-source application container engine.
+
@@ -23372,6 +23373,7 @@ index 0000000..cc6846a
+
+ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
+ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
++ files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
+ logging_log_filetrans($1, docker_log_t, dir, "lxc")
+ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
@@ -23426,10 +23428,10 @@ index 0000000..cc6846a
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..18e4ef8
+index 0000000..a1e6966
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,239 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -23508,6 +23510,7 @@ index 0000000..18e4ef8
+manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
++allow docker_t docker_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
+manage_files_pattern(docker_t, docker_share_t, docker_share_t)
@@ -23640,6 +23643,8 @@ index 0000000..18e4ef8
+
+modutils_domtrans_insmod(docker_t)
+
++userdom_stream_connect(docker_t)
++
+optional_policy(`
+ dbus_system_bus_client(docker_t)
+ init_dbus_chat(docker_t)
@@ -28542,7 +28547,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..edd1c94 100644
+index ab09d61..d0bfef0 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,78 @@
@@ -30013,7 +30018,7 @@ index ab09d61..edd1c94 100644
+#
+interface(`gnome_create_home_config_dirs',`
+ gen_require(`
-+ type cache_home_t;
++ type config_home_t;
+ ')
+
+ allow $1 config_home_t:dir create_dir_perms;
@@ -33047,7 +33052,7 @@ index 0000000..9278f85
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..c6cf456
+index 0000000..deb738f
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,21 @@
@@ -33065,7 +33070,7 @@ index 0000000..c6cf456
+#
+interface(`ipa_domtrans_otpd',`
+ gen_require(`
-+ type ipa_otpd_t, ipa_otpd_t_exec_t;
++ type ipa_otpd_t, ipa_otpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
@@ -53910,7 +53915,7 @@ index 379af96..fac7d7b 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
-index 57c0161..54bd4d7 100644
+index 57c0161..dae3360 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,24 @@
@@ -53966,7 +53971,7 @@ index 57c0161..54bd4d7 100644
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
-+ ps_process_pattern($1, swift_t)
++ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
index 5b2cb0d..249224e 100644
@@ -58594,10 +58599,10 @@ index 0000000..9b8cb6b
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
-index 0000000..4f074cb
+index 0000000..f099f7c
--- /dev/null
+++ b/pcp.if
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,121 @@
+## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation
+
+######################################
@@ -58698,12 +58703,33 @@ index 0000000..4f074cb
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmie_exec_t)
+')
++
++########################################
++##
++## Allow the specified domain to execute pcp_pmlogger
++## in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pcp_pmlogger_exec',`
++ gen_require(`
++ type pcp_pmlogger_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, pcp_pmlogger_exec_t)
++')
++
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..8ec3a48
+index 0000000..d21c5d7
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,192 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -58769,6 +58795,8 @@ index 0000000..8ec3a48
+
+dev_read_urand(pcp_domain)
+
++files_read_etc_files(pcp_domain)
++
+fs_getattr_all_fs(pcp_domain)
+
+auth_read_passwd(pcp_domain)
@@ -58786,6 +58814,8 @@ index 0000000..8ec3a48
+allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
+
++auth_use_nsswitch(pcp_pmcd_t)
++
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
@@ -58807,9 +58837,9 @@ index 0000000..8ec3a48
+fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t)
+
-+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
++logging_send_syslog_msg(pcp_pmcd_t)
+
-+auth_use_nsswitch(pcp_pmcd_t)
++storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
@@ -58826,9 +58856,12 @@ index 0000000..8ec3a48
+
+allow pcp_pmproxy_t self:process setsched;
+allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
+
+auth_use_nsswitch(pcp_pmproxy_t)
+
++logging_send_syslog_msg(pcp_pmproxy_t)
++
+########################################
+#
+# pcp_pmwebd local policy
@@ -58842,21 +58875,27 @@ index 0000000..8ec3a48
+#
+
+allow pcp_pmmgr_t self:process { setpgid };
-+
++allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
+allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmmgr_t)
+
++auth_use_nsswitch(pcp_pmmgr_t)
++
+corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
+
++corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
++corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
++
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
+
+corecmd_exec_bin(pcp_pmmgr_t)
+
-+auth_use_nsswitch(pcp_pmmgr_t)
++logging_send_syslog_msg(pcp_pmmgr_t)
+
+optional_policy(`
+ pcp_pmie_exec(pcp_pmmgr_t)
++ pcp_pmlogger_exec(pcp_pmmgr_t)
+')
+
+########################################
@@ -58868,11 +58907,35 @@ index 0000000..8ec3a48
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
++
++########################################
++#
++# pcp_pmlogger local policy
++#
++
++allow pcp_pmlogger_t self:process setpgid;
++allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
++
++allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
++
++corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
++corenet_tcp_bind_generic_node(pcp_pmlogger_t)
++
diff --git a/pcscd.if b/pcscd.if
-index 43d50f9..7f77d32 100644
+index 43d50f9..6b1544f 100644
--- a/pcscd.if
+++ b/pcscd.if
-@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
+@@ -17,6 +17,8 @@ interface(`pcscd_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pcscd_exec_t, pcscd_t)
++
++ ps_process_pattern(pcscd_t, $1)
+ ')
+
+ ########################################
+@@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',`
')
files_search_pids($1)
@@ -58882,7 +58945,7 @@ index 43d50f9..7f77d32 100644
########################################
diff --git a/pcscd.te b/pcscd.te
-index 1fb1964..c5ec0c4 100644
+index 1fb1964..36eb845 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@@ -58925,7 +58988,18 @@ index 1fb1964..c5ec0c4 100644
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
-@@ -85,3 +82,7 @@ optional_policy(`
+@@ -73,6 +70,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(pcscd_t)
++')
++
++optional_policy(`
+ openct_stream_connect(pcscd_t)
+ openct_read_pid_files(pcscd_t)
+ openct_signull(pcscd_t)
+@@ -85,3 +86,8 @@ optional_policy(`
optional_policy(`
udev_read_db(pcscd_t)
')
@@ -58933,6 +59007,7 @@ index 1fb1964..c5ec0c4 100644
+optional_policy(`
+ virt_rw_svirt_dev(pcscd_t)
+')
++
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..d40433a 100644
--- a/pegasus.fc
@@ -74056,7 +74131,7 @@ index e240ac9..638d6b4 100644
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
-index 16c8ecb..9fc0cb9 100644
+index 16c8ecb..2640ab5 100644
--- a/redis.if
+++ b/redis.if
@@ -1,9 +1,224 @@
@@ -74273,7 +74348,7 @@ index 16c8ecb..9fc0cb9 100644
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
@@ -88175,7 +88250,7 @@ index 0000000..94105ee
+')
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 0000000..838f907
+index 0000000..a299f53
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,66 @@
@@ -88193,8 +88268,8 @@ index 0000000..838f907
+type snapperd_log_t;
+logging_log_file(snapperd_log_t)
+
-+type snappperd_conf_t;
-+files_config_file(snappperd_conf_t)
++type snapperd_conf_t;
++files_config_file(snapperd_conf_t)
+
+type snapperd_data_t;
+files_type(snapperd_data_t)
@@ -98851,7 +98926,7 @@ index facdee8..fddb027 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..81e9d56 100644
+index f03dcf5..2a43838 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,197 @@
@@ -100188,7 +100263,7 @@ index f03dcf5..81e9d56 100644
+# virt_lxc local policy
#
+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
-+allow virtd_lxc_t self:process { transition setpgid signal_perms };
++allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
+allow virtd_lxc_t self:capability2 compromise_kernel;
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
@@ -100971,7 +101046,7 @@ index 0000000..5726cdb
+/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0)
diff --git a/vmtools.if b/vmtools.if
new file mode 100644
-index 0000000..044be2f
+index 0000000..82fc528
--- /dev/null
+++ b/vmtools.if
@@ -0,0 +1,78 @@
@@ -101042,7 +101117,7 @@ index 0000000..044be2f
+ ps_process_pattern($1, vmtools_t)
+
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ninfod_t:process ptrace;
++ allow $1 vmtools_t:process ptrace;
+ ')
+
+ vmtools_systemctl($1)
@@ -105172,7 +105247,7 @@ index 0000000..ceaa219
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
-index 0000000..d02a6f4
+index 0000000..e0604c7
--- /dev/null
+++ b/zoneminder.if
@@ -0,0 +1,374 @@
@@ -105385,7 +105460,7 @@ index 0000000..d02a6f4
+#
+interface(`zoneminder_manage_lib_sock_files',`
+ gen_require(`
-+ type sock_var_lib_t;
++ type zoneminder_sock_var_lib_t;
+ ')
+ files_search_var_lib($1)
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a1af035..4c8c1dd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 23%{?dist}
+Release: 24%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -69,6 +69,8 @@ SELinux Base package
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
+%attr(0755, root, root) %dir %{_rpmconfigdir}
+%attr(0755, root, root) %dir %{_rpmconfigdir}/macros.d
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%package sandbox
@@ -578,7 +580,36 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Mon Feb 11 2014 Miroslav Grepl 3.13.1-23
+* Fri Feb 14 2014 Miroslav Grepl 3.13.1-24
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- systemd_tmpfiles_t needs to _setcheckreqprot
+- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
+- Fixed snapperd policy
+- Fixed broken interfaces
+- Should use rw_socket_perms rather then sock_file on a unix_stream_socket
+- Fixed bugsfor pcp policy
+- pcscd seems to be using policy kit and looking at domains proc data that transition to it
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Allow ABRT to read puppet certs
+- Allow virtd_lxc_t to specify the label of a socket
+- New version of docker requires more access
+
+* Mon Feb 10 2014 Miroslav Grepl 3.13.1-23
- Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs