diff --git a/policy-F16.patch b/policy-F16.patch
index 8275a64..eab41fe 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1620,7 +1620,7 @@ index 75ce30f..63310a1 100644
+ cron_use_system_job_fds(logwatch_mail_t)
+')
diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
-index 56c43c0..0641226 100644
+index 56c43c0..409bbfc 100644
--- a/policy/modules/admin/mcelog.fc
+++ b/policy/modules/admin/mcelog.fc
@@ -1 +1,5 @@
@@ -1628,9 +1628,9 @@ index 56c43c0..0641226 100644
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+
-+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
++/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..ea06507 100644
+index 5671977..8ddc091 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
@@ -1660,7 +1660,7 @@ index 5671977..ea06507 100644
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file )
++files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )
+
kernel_read_system_state(mcelog_t)
@@ -2151,7 +2151,7 @@ index 93ec175..0e42018 100644
')
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..ec838bd 100644
+index af55369..5d940f8 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -2219,7 +2219,7 @@ index af55369..ec838bd 100644
+')
+
+optional_policy(`
-+ nsplugin_manage_rw_files(prelink_t)
++ mozilla_plugin_manage_rw_files(prelink_t)
+')
+
+optional_policy(`
@@ -7505,10 +7505,31 @@ index 0000000..169421f
+')
+
diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..8ebd16b 100644
+index 2dde73a..1b16fa4 100644
--- a/policy/modules/apps/kdumpgui.te
+++ b/policy/modules/apps/kdumpgui.te
-@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+@@ -9,6 +9,9 @@ type kdumpgui_t;
+ type kdumpgui_exec_t;
+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
++type kdumpgui_tmp_t;
++files_tmp_file(kdumpgui_tmp_t)
++
+ ######################################
+ #
+ # system-config-kdump local policy
+@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+ allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+ allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
++manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
++files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
++
+ kernel_read_system_state(kdumpgui_t)
+ kernel_read_network_state(kdumpgui_t)
+
+@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
files_read_usr_files(kdumpgui_t)
@@ -7517,20 +7538,28 @@ index 2dde73a..8ebd16b 100644
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
-@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t)
+@@ -45,8 +54,20 @@ logging_send_syslog_msg(kdumpgui_t)
+ miscfiles_read_localization(kdumpgui_t)
+
++mount_exec(kdumpgui_t)
++
init_dontaudit_read_all_script_files(kdumpgui_t)
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
+
+optional_policy(`
++ bootloader_exec(kdumpgui_t)
++')
++
++optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
optional_policy(`
consoletype_exec(kdumpgui_t)
')
-@@ -58,6 +66,7 @@ optional_policy(`
+@@ -58,6 +79,7 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
@@ -7684,18 +7713,32 @@ index 0bac996..ca2388d 100644
+userdom_use_inherited_user_terminals(lockdev_t)
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..35b51ab 100644
+index 93ac529..800b5c8 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
-@@ -1,6 +1,7 @@
+@@ -1,8 +1,14 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+
+ #
+ # /bin
+@@ -14,16 +20,24 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+ /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-@@ -18,12 +19,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /lib
#
@@ -7716,9 +7759,14 @@ index 93ac529..35b51ab 100644
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++
++/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
++
++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..b9b8ac2 100644
+index fbb5c5a..aa15d05 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -7756,16 +7804,18 @@ index fbb5c5a..b9b8ac2 100644
')
########################################
-@@ -197,12 +207,21 @@ interface(`mozilla_domtrans',`
+@@ -197,12 +207,23 @@ interface(`mozilla_domtrans',`
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_t, mozilla_plugin_exec_t;
++ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
class dbus send_msg;
')
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
++ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
allow mozilla_plugin_t $1:process signull;
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:fd use;
@@ -7779,10 +7829,13 @@ index fbb5c5a..b9b8ac2 100644
')
########################################
-@@ -230,6 +249,25 @@ interface(`mozilla_run_plugin',`
- role $2 types mozilla_plugin_t;
- ')
+@@ -228,6 +249,27 @@ interface(`mozilla_run_plugin',`
+ mozilla_domtrans_plugin($1)
+ role $2 types mozilla_plugin_t;
++ role $2 types mozilla_plugin_config_t;
++')
++
+#######################################
+##
+## Execute qemu unconfined programs in the role.
@@ -7800,12 +7853,11 @@ index fbb5c5a..b9b8ac2 100644
+ ')
+
+ role $1 types mozilla_plugin_t;
-+')
-+
++ role $1 types mozilla_plugin_config_t;
+ ')
+
########################################
- ##
- ## Send and receive messages from
-@@ -269,9 +307,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +311,27 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -7834,7 +7886,7 @@ index fbb5c5a..b9b8ac2 100644
##
##
##
-@@ -279,28 +335,28 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +339,48 @@ interface(`mozilla_rw_tcp_sockets',`
##
##
#
@@ -7865,24 +7917,47 @@ index fbb5c5a..b9b8ac2 100644
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_t;
++ ')
++
++ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
++')
++
++########################################
++##
++## Create, read, write, and delete
++## mozilla_plugin rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mozilla_plugin_manage_rw_files',`
++ gen_require(`
++ type mozilla_plugin_rw_t;
')
- allow $1 mozilla_plugin_tmpfs_t:file unlink;
-+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
++ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
++ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..add01a5 100644
+index 2e9318b..344f2e4 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
-@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
+@@ -23,8 +23,9 @@ type mozilla_conf_t;
+ files_config_file(mozilla_conf_t)
+
type mozilla_home_t;
- typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+-typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
++typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+files_poly_member(mozilla_home_t)
userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
-@@ -33,10 +34,12 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+@@ -33,13 +34,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;
type mozilla_plugin_tmp_t;
@@ -7895,7 +7970,17 @@ index 2e9318b..add01a5 100644
files_tmpfs_file(mozilla_plugin_tmpfs_t)
ubac_constrained(mozilla_plugin_tmpfs_t)
-@@ -111,7 +114,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
++type mozilla_plugin_rw_t alias nsplugin_rw_t;
++files_type(mozilla_plugin_rw_t)
++
++type mozilla_plugin_config_t;
++type mozilla_plugin_config_exec_t;
++application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
++
+ type mozilla_tmp_t;
+ files_tmp_file(mozilla_tmp_t)
+ ubac_constrained(mozilla_tmp_t)
+@@ -111,7 +121,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
@@ -7905,7 +7990,7 @@ index 2e9318b..add01a5 100644
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -156,6 +161,8 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -156,6 +168,8 @@ fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -7914,7 +7999,7 @@ index 2e9318b..add01a5 100644
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-@@ -165,27 +172,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +179,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -7948,7 +8033,7 @@ index 2e9318b..add01a5 100644
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -262,6 +263,7 @@ optional_policy(`
+@@ -262,6 +270,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -7956,17 +8041,18 @@ index 2e9318b..add01a5 100644
')
optional_policy(`
-@@ -278,7 +280,8 @@ optional_policy(`
+@@ -278,10 +287,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(mozilla_t)
-+ nsplugin_manage_rw(mozilla_t)
-+ nsplugin_manage_home_files(mozilla_t)
- ')
-
- optional_policy(`
-@@ -296,16 +299,19 @@ optional_policy(`
+-')
+-
+-optional_policy(`
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
+@@ -296,16 +301,19 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -7990,7 +8076,7 @@ index 2e9318b..add01a5 100644
can_exec(mozilla_plugin_t, mozilla_home_t)
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +319,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+@@ -313,8 +321,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -8003,7 +8089,18 @@ index 2e9318b..add01a5 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -332,11 +340,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -322,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
++allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
++read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++
+ can_exec(mozilla_plugin_t, mozilla_exec_t)
+
+ kernel_read_kernel_sysctls(mozilla_plugin_t)
+@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -8017,7 +8114,7 @@ index 2e9318b..add01a5 100644
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +350,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +356,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -8029,7 +8126,7 @@ index 2e9318b..add01a5 100644
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -385,33 +396,29 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,33 +402,30 @@ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -8046,6 +8143,7 @@ index 2e9318b..add01a5 100644
userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_dontaudit_write_home_certs(mozilla_plugin_t)
++userdom_read_home_audio_files(mozilla_plugin_t)
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process { execmem execstack };
@@ -8055,15 +8153,15 @@ index 2e9318b..add01a5 100644
tunable_policy(`allow_execstack',`
- allow mozilla_plugin_t self:process { execstack };
-+ allow mozilla_plugin_t self:process execstack;
- ')
-
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
--')
--
++ allow mozilla_plugin_t self:process execstack;
+ ')
+
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
@@ -8073,7 +8171,7 @@ index 2e9318b..add01a5 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -425,7 +432,13 @@ optional_policy(`
+@@ -425,7 +439,13 @@ optional_policy(`
')
optional_policy(`
@@ -8087,23 +8185,15 @@ index 2e9318b..add01a5 100644
')
optional_policy(`
-@@ -438,7 +451,14 @@ optional_policy(`
+@@ -438,18 +458,89 @@ optional_policy(`
')
optional_policy(`
- pcscd_stream_connect(mozilla_plugin_t)
-+ nsplugin_domtrans(mozilla_plugin_t)
-+ nsplugin_rw_exec(mozilla_plugin_t)
-+ nsplugin_manage_home_dirs(mozilla_plugin_t)
-+ nsplugin_manage_home_files(mozilla_plugin_t)
-+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
-+ nsplugin_user_home_filetrans(mozilla_plugin_t, file)
-+ nsplugin_read_rw_files(mozilla_plugin_t);
-+ nsplugin_signal(mozilla_plugin_t)
- ')
-
- optional_policy(`
-@@ -446,10 +466,27 @@ optional_policy(`
+-')
+-
+-optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -8129,8 +8219,66 @@ index 2e9318b..add01a5 100644
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t);
- ')
++')
++
++########################################
++#
++# mozilla_plugin_config local policy
++#
++
++allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };
++
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++
++dev_search_sysfs(mozilla_plugin_config_t)
++dev_read_urand(mozilla_plugin_config_t)
++dev_dontaudit_read_rand(mozilla_plugin_config_t)
++dev_dontaudit_rw_dri(mozilla_plugin_config_t)
++
++fs_search_auto_mountpoints(mozilla_plugin_config_t)
++fs_list_inotifyfs(mozilla_plugin_config_t)
++
++can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++
++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+
++corecmd_exec_bin(mozilla_plugin_config_t)
++corecmd_exec_shell(mozilla_plugin_config_t)
++
++kernel_read_system_state(mozilla_plugin_config_t)
++kernel_request_load_module(mozilla_plugin_config_t)
++
++domain_use_interactive_fds(mozilla_plugin_config_t)
++
++files_read_etc_files(mozilla_plugin_config_t)
++files_read_usr_files(mozilla_plugin_config_t)
++files_dontaudit_search_home(mozilla_plugin_config_t)
++files_list_tmp(mozilla_plugin_config_t)
++
++auth_use_nsswitch(mozilla_plugin_config_t)
++
++miscfiles_read_localization(mozilla_plugin_config_t)
++miscfiles_read_fonts(mozilla_plugin_config_t)
++
++userdom_search_user_home_content(mozilla_plugin_config_t)
++userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
++userdom_read_user_home_content_files(mozilla_plugin_config_t)
++userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
++
++domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
++
++optional_policy(`
++ xserver_use_user_fonts(mozilla_plugin_config_t)
+ ')
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index d8ea41d..8bdc526 100644
--- a/policy/modules/apps/mplayer.if
@@ -8422,10 +8570,10 @@ index 0000000..8d7c751
+')
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
new file mode 100644
-index 0000000..bb6b61e
+index 0000000..6d4ec21
--- /dev/null
+++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,40 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -8459,6 +8607,8 @@ index 0000000..bb6b61e
+
+miscfiles_read_localization(namespace_init_t)
+
++term_use_console(namespace_init_t)
++
+userdom_manage_user_home_content_dirs(namespace_init_t)
+userdom_manage_user_home_content_files(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
@@ -8961,10 +9111,10 @@ index 0000000..fce899a
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..cc6b555
+index 0000000..eeb5955
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,327 @@
+@@ -0,0 +1,328 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -9131,6 +9281,7 @@ index 0000000..cc6b555
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
++userdom_read_home_audio_files(nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
@@ -11622,10 +11773,10 @@ index 0000000..5554dc9
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..01584ce
+index 0000000..b23b488
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,82 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -11663,6 +11814,7 @@ index 0000000..01584ce
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
+
+kernel_read_system_state(thumb_t)
+
@@ -12402,7 +12554,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..0b0896b 100644
+index 3fae11a..37d3b99 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -12517,20 +12669,20 @@ index 3fae11a..0b0896b 100644
+/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
-+
++/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
@@ -12628,22 +12780,29 @@ index 3fae11a..0b0896b 100644
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
-@@ -375,8 +391,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +391,8 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
- /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +402,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +401,11 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
-+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++#
++# /usr/lib
++#
++
++/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..650e796 100644
--- a/policy/modules/kernel/corecommands.if
@@ -12716,7 +12875,7 @@ index 9e9263a..650e796 100644
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..cf422f4 100644
+index 4f3b542..f4e36ee 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -12833,10 +12992,10 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dccp_sendrecv_generic_port',`
+ gen_require(`
-+ type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
-+ allow $1 port_t:dccp_socket { send_msg recv_msg };
++ allow $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg };
+')
+
+########################################
@@ -12844,10 +13003,19 @@ index 4f3b542..cf422f4 100644
## Send and receive TCP network traffic on generic ports.
##
##
-@@ -1175,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',`
-
- ########################################
- ##
+@@ -1167,10 +1257,30 @@ interface(`corenet_raw_bind_all_nodes',`
+ #
+ interface(`corenet_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg };
++')
++
++########################################
++##
+## Do not audit attempts to send and
+## receive DCCP network traffic on
+## generic ports.
@@ -12860,17 +13028,53 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
+ gen_require(`
-+ type port_t;
-+ ')
-+
-+ dontaudit $1 port_t:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Do not audit send and receive TCP network traffic on generic ports.
- ##
- ##
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1185,10 +1295,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1203,10 +1313,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_udp_send_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:udp_socket send_msg;
++ allow $1 { port_t unreserved_port_t }:udp_socket send_msg;
+ ')
+
+ ########################################
+@@ -1221,10 +1331,10 @@ interface(`corenet_udp_send_generic_port',`
+ #
+ interface(`corenet_udp_receive_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:udp_socket recv_msg;
++ allow $1 { port_t unreserved_port_t }:udp_socket recv_msg;
+ ')
+
+ ########################################
@@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
########################################
@@ -12885,11 +13089,11 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dccp_bind_generic_port',`
+ gen_require(`
-+ type port_t;
++ type port_t, unreserved_port_t;
+ attribute defined_port_type;
+ ')
+
-+ allow $1 port_t:dccp_socket name_bind;
++ allow $1 { port_t unreserved_port_t }:dccp_socket name_bind;
+ dontaudit $1 defined_port_type:dccp_socket name_bind;
+')
+
@@ -12898,16 +13102,17 @@ index 4f3b542..cf422f4 100644
## Bind TCP sockets to generic ports.
##
##
-@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1254,12 +1384,31 @@ interface(`corenet_udp_sendrecv_generic_port',`
+ #
interface(`corenet_tcp_bind_generic_port',`
gen_require(`
- type port_t;
+- type port_t;
- attribute port_type;
++ type port_t, unreserved_port_t;
+ attribute defined_port_type;
- ')
-
- allow $1 port_t:tcp_socket name_bind;
-- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
@@ -12924,23 +13129,39 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dontaudit_dccp_bind_generic_port',`
+ gen_require(`
-+ type port_t;
-+ ')
-+
-+ dontaudit $1 port_t:dccp_socket name_bind;
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:tcp_socket name_bind;
+- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1274,10 +1423,10 @@ interface(`corenet_tcp_bind_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket name_bind;
')
########################################
-@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+@@ -1292,12 +1441,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ #
interface(`corenet_udp_bind_generic_port',`
gen_require(`
- type port_t;
+- type port_t;
- attribute port_type;
++ type port_t, unreserved_port_t;
+ attribute defined_port_type;
- ')
-
- allow $1 port_t:udp_socket name_bind;
-- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
+
@@ -12956,17 +13177,28 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dccp_connect_generic_port',`
+ gen_require(`
-+ type port_t;
-+ ')
-+
-+ allow $1 port_t:dccp_socket name_connect;
- ')
++ type port_t, unreserved_port_t;
+ ')
- ########################################
-@@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',`
+- allow $1 port_t:udp_socket name_bind;
+- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++ allow $1 { port_t unreserved_port_t }:dccp_socket name_connect;
+ ')
########################################
- ##
+@@ -1312,10 +1479,28 @@ interface(`corenet_udp_bind_generic_port',`
+ #
+ interface(`corenet_tcp_connect_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:tcp_socket name_connect;
++')
++
++########################################
++##
+## Send and receive DCCP network traffic on all ports.
+##
+##
@@ -12978,16 +13210,13 @@ index 4f3b542..cf422f4 100644
+interface(`corenet_dccp_sendrecv_all_ports',`
+ gen_require(`
+ attribute port_type;
-+ ')
-+
+ ')
+
+- allow $1 port_t:tcp_socket name_connect;
+ allow $1 port_type:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on all ports.
- ##
- ##
+ ')
+
+ ########################################
@@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
########################################
@@ -13212,7 +13441,7 @@ index 4f3b542..cf422f4 100644
##
##
##
-@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+@@ -1729,17 +2007,17 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
##
##
#
@@ -13221,14 +13450,36 @@ index 4f3b542..cf422f4 100644
gen_require(`
- attribute reserved_port_type;
+ type reserved_port_t;
-+ ')
-+
+ ')
+
+- allow $1 reserved_port_type:udp_socket send_msg;
+ allow $1 reserved_port_t:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Receive UDP network traffic on all reserved ports.
++## Send and receive DCCP network traffic on all reserved ports.
+ ##
+ ##
+ ##
+@@ -1747,12 +2025,66 @@ interface(`corenet_udp_send_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_receive_all_reserved_ports',`
++interface(`corenet_dccp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:udp_socket recv_msg;
++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
+')
+
+########################################
+##
-+## Send and receive DCCP network traffic on all reserved ports.
++## Send and receive TCP network traffic on all reserved ports.
+##
+##
+##
@@ -13236,17 +13487,17 @@ index 4f3b542..cf422f4 100644
+##
+##
+#
-+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
++interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
++ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+##
-+## Send and receive TCP network traffic on all reserved ports.
++## Send UDP network traffic on all reserved ports.
+##
+##
+##
@@ -13254,17 +13505,17 @@ index 4f3b542..cf422f4 100644
+##
+##
+#
-+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
++interface(`corenet_udp_send_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
++ allow $1 reserved_port_type:udp_socket send_msg;
+')
+
+########################################
+##
-+## Send UDP network traffic on all reserved ports.
++## Receive UDP network traffic on all reserved ports.
+##
+##
+##
@@ -13272,12 +13523,15 @@ index 4f3b542..cf422f4 100644
+##
+##
+#
-+interface(`corenet_udp_send_all_reserved_ports',`
++interface(`corenet_udp_receive_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
- ')
++ ')
++
++ allow $1 reserved_port_type:udp_socket recv_msg;
+ ')
- allow $1 reserved_port_type:udp_socket send_msg;
+ ########################################
@@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
########################################
@@ -13373,9 +13627,8 @@ index 4f3b542..cf422f4 100644
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
- ')
-
-- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++ ')
++
+ allow $1 unreserved_port_type:udp_socket name_bind;
+')
+
@@ -13428,8 +13681,9 @@ index 4f3b542..cf422f4 100644
+interface(`corenet_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
-+ ')
-+
+ ')
+
+- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 reserved_port_type:dccp_socket name_connect;
')
@@ -14280,7 +14534,7 @@ index 6cf8784..b48524e 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..39b1056 100644
+index f820f3b..cc3f02e 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -14786,33 +15040,39 @@ index f820f3b..39b1056 100644
## Search the sysfs directories.
##
##
-@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,21 +4176,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
##
-## Create, read, write, and delete sysfs
-## directories.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
-interface(`dev_manage_sysfs_dirs',`
-- gen_require(`
++interface(`dev_read_cpu_online',`
+ gen_require(`
- type sysfs_t;
-- ')
--
++ type cpu_online_t;
+ ')
+
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
--')
--
--########################################
--##
- ## Read hardware state information.
- ##
- ##
-@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',`
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
+ ')
+
+ ########################################
+@@ -3972,6 +4251,42 @@ interface(`dev_rw_sysfs',`
########################################
##
@@ -14855,7 +15115,7 @@ index f820f3b..39b1056 100644
## Read and write the TPM device.
##
##
-@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4384,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -14881,7 +15141,7 @@ index f820f3b..39b1056 100644
## Getattr generic the USB devices.
##
##
-@@ -4103,6 +4413,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4437,24 @@ interface(`dev_setattr_generic_usb_dev',`
setattr_chr_files_pattern($1, device_t, usb_device_t)
')
@@ -14906,7 +15166,7 @@ index f820f3b..39b1056 100644
########################################
##
## Read generic the USB devices.
-@@ -4495,6 +4823,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4847,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -14931,7 +15191,7 @@ index f820f3b..39b1056 100644
## Read and write VMWare devices.
##
##
-@@ -4695,6 +5041,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5065,26 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -14958,7 +15218,7 @@ index f820f3b..39b1056 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4784,3 +5150,812 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5174,812 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -15772,7 +16032,7 @@ index f820f3b..39b1056 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 08f01e7..1c2562c 100644
+index 08f01e7..112bebb 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
@@ -15796,7 +16056,18 @@ index 08f01e7..1c2562c 100644
type lvm_control_t;
dev_node(lvm_control_t)
-@@ -265,6 +272,7 @@ dev_node(v4l_device_t)
+@@ -218,6 +225,10 @@ files_mountpoint(sysfs_t)
+ fs_type(sysfs_t)
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+
++type cpu_online_t;
++allow cpu_online_t sysfs_t:filesystem associate;
++genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
++
+ #
+ # Type for /dev/tpm
+ #
+@@ -265,6 +276,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -15804,7 +16075,7 @@ index 08f01e7..1c2562c 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -310,5 +318,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +322,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -15899,7 +16170,7 @@ index 6a1e4d1..3ded83e 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..f9a1bcc 100644
+index fae1ab1..facd6a8 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15924,7 +16195,7 @@ index fae1ab1..f9a1bcc 100644
##
##
-@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
+@@ -87,22 +102,36 @@ allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
@@ -15942,8 +16213,10 @@ index fae1ab1..f9a1bcc 100644
+allow domain self:process { fork getsched sigchld };
# Use trusted objects in /dev
++dev_read_cpu_online(domain)
dev_rw_null(domain)
-@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
+ dev_rw_zero(domain)
+ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
@@ -15960,7 +16233,7 @@ index fae1ab1..f9a1bcc 100644
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
-@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
+@@ -113,8 +142,13 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -15974,7 +16247,7 @@ index fae1ab1..f9a1bcc 100644
')
optional_policy(`
-@@ -125,6 +158,8 @@ optional_policy(`
+@@ -125,6 +159,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -15983,7 +16256,7 @@ index fae1ab1..f9a1bcc 100644
')
########################################
-@@ -143,8 +178,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,8 +179,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -15998,7 +16271,7 @@ index fae1ab1..f9a1bcc 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +198,217 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,219 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -16012,7 +16285,9 @@ index fae1ab1..f9a1bcc 100644
+term_filetrans_all_named_dev(unconfined_domain_type)
+
+optional_policy(`
-+ authlogin_filetrans_named_content(unconfined_domain_type)
++ auth_filetrans_named_content(unconfined_domain_type)
++ auth_filetrans_admin_home_content(unconfined_domain_type)
++ auth_filetrans_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
@@ -18178,7 +18453,7 @@ index ff006ea..b682bcf 100644
+ dontaudit $1 file_type:dir_file_class_set write;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 22821ff..20251b0 100644
+index 22821ff..4e8d594 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -10,7 +10,9 @@ attribute files_unconfined_type;
@@ -18214,7 +18489,15 @@ index 22821ff..20251b0 100644
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
-@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t)
+@@ -133,6 +144,7 @@ files_mountpoint(src_t)
+ #
+ type system_map_t;
+ files_type(system_map_t)
++procs_type(system_map_t)
+ genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
+
+ #
+@@ -167,6 +179,7 @@ files_mountpoint(var_lib_t)
#
type var_lock_t;
files_lock_file(var_lock_t)
@@ -18222,7 +18505,7 @@ index 22821ff..20251b0 100644
#
# var_run_t is the type of /var/run, usually
-@@ -181,6 +193,7 @@ files_mountpoint(var_run_t)
+@@ -181,6 +194,7 @@ files_mountpoint(var_run_t)
#
type var_spool_t;
files_tmp_file(var_spool_t)
@@ -18863,7 +19146,7 @@ index f125dc2..3c6e827 100644
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..8c500cd 100644
+index 6346378..4845190 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,8 @@ interface(`kernel_load_module',`
@@ -19042,7 +19325,7 @@ index 6346378..8c500cd 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2962,4 +3057,25 @@ interface(`kernel_unconfined',`
+@@ -2962,4 +3057,43 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -19068,6 +19351,24 @@ index 6346378..8c500cd 100644
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
+
++########################################
++##
++## Make the specified type usable for regular entries in proc
++##
++##
++##
++## Type to be used for /proc entries.
++##
++##
++#
++interface(`procs_type',`
++ gen_require(`
++ attribute proc_type
++ ')
++
++ typeattribute $1 proc_type;
++')
++
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d91c62f..8852535 100644
--- a/policy/modules/kernel/kernel.te
@@ -21252,7 +21553,7 @@ index 2be17d2..de3c13e 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..0d1af63 100644
+index e14b961..b8f0df4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
@@ -21356,12 +21657,13 @@ index e14b961..0d1af63 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -110,11 +140,19 @@ optional_policy(`
+@@ -110,11 +140,20 @@ optional_policy(`
')
optional_policy(`
- consoletype_run(sysadm_t, sysadm_r)
+ cron_admin_role(sysadm_r, sysadm_t)
++ cron_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -21378,7 +21680,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -128,6 +166,10 @@ optional_policy(`
+@@ -128,6 +167,10 @@ optional_policy(`
')
optional_policy(`
@@ -21389,7 +21691,7 @@ index e14b961..0d1af63 100644
dmesg_exec(sysadm_t)
')
-@@ -163,6 +205,13 @@ optional_policy(`
+@@ -163,6 +206,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -21403,7 +21705,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -170,15 +219,20 @@ optional_policy(`
+@@ -170,15 +220,20 @@ optional_policy(`
')
optional_policy(`
@@ -21427,7 +21729,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -198,22 +252,20 @@ optional_policy(`
+@@ -198,22 +253,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -21456,7 +21758,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -225,25 +277,47 @@ optional_policy(`
+@@ -225,25 +278,47 @@ optional_policy(`
')
optional_policy(`
@@ -21504,7 +21806,7 @@ index e14b961..0d1af63 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,31 +327,32 @@ optional_policy(`
+@@ -253,31 +328,32 @@ optional_policy(`
')
optional_policy(`
@@ -21544,7 +21846,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -302,12 +377,18 @@ optional_policy(`
+@@ -302,12 +378,18 @@ optional_policy(`
')
optional_policy(`
@@ -21564,7 +21866,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -332,7 +413,10 @@ optional_policy(`
+@@ -332,7 +414,10 @@ optional_policy(`
')
optional_policy(`
@@ -21576,7 +21878,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -343,19 +427,15 @@ optional_policy(`
+@@ -343,19 +428,15 @@ optional_policy(`
')
optional_policy(`
@@ -21598,7 +21900,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -367,45 +447,45 @@ optional_policy(`
+@@ -367,45 +448,45 @@ optional_policy(`
')
optional_policy(`
@@ -21655,7 +21957,7 @@ index e14b961..0d1af63 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +498,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +499,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21666,7 +21968,7 @@ index e14b961..0d1af63 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +515,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +516,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -21674,7 +21976,7 @@ index e14b961..0d1af63 100644
')
optional_policy(`
-@@ -446,11 +523,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +524,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22361,10 +22663,10 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..11ad8fb
+index 0000000..35524d6
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,394 @@
+@@ -0,0 +1,379 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -22375,13 +22677,6 @@ index 0000000..11ad8fb
+
+##
+##
-+## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
-+##
-+##
-+gen_tunable(allow_unconfined_nsplugin_transition, false)
-+
-+##
-+##
+## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
+##
+##
@@ -22495,14 +22790,6 @@ index 0000000..11ad8fb
+ attribute unconfined_usertype;
+ ')
+
-+ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
-+ optional_policy(`
-+ tunable_policy(`allow_unconfined_nsplugin_transition',`
-+ nsplugin_domtrans(unconfined_usertype)
-+ nsplugin_domtrans_config(unconfined_usertype)
-+ ')
-+ ')
-+
+ optional_policy(`
+ abrt_dbus_chat(unconfined_usertype)
+ abrt_run_helper(unconfined_usertype, unconfined_r)
@@ -22937,7 +23224,7 @@ index 0ecc786..3e7e984 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..6f176f9 100644
+index e88b95f..0258e24 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -23007,7 +23294,7 @@ index e88b95f..6f176f9 100644
')
')
-@@ -76,23 +86,101 @@ optional_policy(`
+@@ -76,23 +86,97 @@ optional_policy(`
')
optional_policy(`
@@ -23028,9 +23315,10 @@ index e88b95f..6f176f9 100644
optional_policy(`
- java_role(xguest_r, xguest_t)
+ apache_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ gnome_role(xguest_r, xguest_t)
+')
+
@@ -23043,11 +23331,6 @@ index e88b95f..6f176f9 100644
+')
+
+optional_policy(`
-+ nsplugin_role(xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
+')
@@ -23096,7 +23379,7 @@ index e88b95f..6f176f9 100644
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
-+ ')
+ ')
+
+ #optional_policy(`
+ # telepathy_dbus_session_role(xguest_r, xguest_t)
@@ -23106,7 +23389,7 @@ index e88b95f..6f176f9 100644
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
- ')
++ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
@@ -23392,7 +23675,7 @@ index 0b827c5..d83d4dc 100644
+ dontaudit $1 abrt_t:sock_file write;
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..d5a9038 100644
+index 30861ec..a1cbdb4 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -23539,7 +23822,7 @@ index 30861ec..d5a9038 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +185,31 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +185,26 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -23559,24 +23842,20 @@ index 30861ec..d5a9038 100644
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
-+
-+optional_policy(`
-+ apache_list_modules(abrt_t)
-+ apache_read_modules(abrt_t)
-+')
optional_policy(`
- dbus_system_domain(abrt_t, abrt_exec_t)
+- dbus_system_domain(abrt_t, abrt_exec_t)
++ apache_list_modules(abrt_t)
++ apache_read_modules(abrt_t)
')
optional_policy(`
- nis_use_ypbind(abrt_t)
-+ nsplugin_read_rw_files(abrt_t)
-+ nsplugin_read_home(abrt_t)
++ dbus_system_domain(abrt_t, abrt_exec_t)
')
optional_policy(`
-@@ -167,6 +230,7 @@ optional_policy(`
+@@ -167,6 +225,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -23584,7 +23863,7 @@ index 30861ec..d5a9038 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +242,35 @@ optional_policy(`
+@@ -178,12 +237,35 @@ optional_policy(`
')
optional_policy(`
@@ -23621,7 +23900,7 @@ index 30861ec..d5a9038 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +287,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +282,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -23650,7 +23929,7 @@ index 30861ec..d5a9038 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +310,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +305,128 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -23658,7 +23937,7 @@ index 30861ec..d5a9038 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
-+')
+ ')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -23736,7 +24015,7 @@ index 30861ec..d5a9038 100644
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
- ')
++')
+
+########################################
+#
@@ -29923,7 +30202,7 @@ index 0000000..f2968f8
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
new file mode 100644
-index 0000000..6451167
+index 0000000..7f55959
--- /dev/null
+++ b/policy/modules/services/cloudform.if
@@ -0,0 +1,40 @@
@@ -29960,12 +30239,12 @@ index 0000000..6451167
+##
+##
+#
-+template(`cloudform_exec_mongod',`
++interface(`cloudform_exec_mongod',`
+ gen_require(`
-+ type mogod_exec_t;
++ type mongod_exec_t;
+ ')
+
-+ can_exec($1, mogod_exec_t)
++ can_exec($1, mongod_exec_t)
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
@@ -30896,10 +31175,10 @@ index 0000000..40a0157
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..2ee2be0
+index 0000000..e4d7098
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,79 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -30973,12 +31252,14 @@ index 0000000..2ee2be0
+
+optional_policy(`
+ apache_content_template(collectd)
-+
++
++ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..e7c70b5 100644
+index 74505cc..145a4eb 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
@@ -31013,7 +31294,7 @@ index 74505cc..e7c70b5 100644
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
-@@ -65,21 +73,23 @@ files_list_mnt(colord_t)
+@@ -65,21 +73,24 @@ files_list_mnt(colord_t)
files_read_etc_files(colord_t)
files_read_usr_files(colord_t)
@@ -31032,6 +31313,7 @@ index 74505cc..e7c70b5 100644
miscfiles_read_localization(colord_t)
-sysnet_dns_name_resolve(colord_t)
++fs_getattr_tmpfs(colord_t)
+userdom_rw_user_tmpfs_files(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
@@ -31045,18 +31327,20 @@ index 74505cc..e7c70b5 100644
optional_policy(`
cups_read_config(colord_t)
-@@ -89,6 +99,10 @@ optional_policy(`
+@@ -89,6 +100,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_read_home_icc_data_content(colord_t)
++ # Fixes lots of breakage in F16 on upgrade
++ gnome_read_generic_data_home_files(colord_t)
+')
+
+optional_policy(`
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -96,5 +110,16 @@ optional_policy(`
+@@ -96,5 +113,16 @@ optional_policy(`
')
optional_policy(`
@@ -31185,10 +31469,10 @@ index fd15dfe..d33cc41 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..d45381d 100644
+index e67a003..8bd4751 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
-@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
+@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -31202,11 +31486,14 @@ index e67a003..d45381d 100644
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
++tunable_policy(`deny_ptrace',`',`
++ allow consolekit_t self:capability sys_ptrace;
++')
+
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -69,17 +73,23 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,17 +76,23 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
@@ -31235,7 +31522,7 @@ index e67a003..d45381d 100644
')
optional_policy(`
-@@ -99,6 +109,10 @@ optional_policy(`
+@@ -99,6 +112,10 @@ optional_policy(`
')
optional_policy(`
@@ -31246,7 +31533,7 @@ index e67a003..d45381d 100644
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
-@@ -106,9 +120,10 @@ optional_policy(`
+@@ -106,9 +123,10 @@ optional_policy(`
')
optional_policy(`
@@ -31259,7 +31546,7 @@ index e67a003..d45381d 100644
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +140,8 @@ optional_policy(`
+@@ -125,5 +143,8 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
@@ -32147,7 +32434,7 @@ index 35241ed..7a0913c 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..a2e960c 100644
+index f7583ab..230cbb2 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -32310,13 +32597,24 @@ index f7583ab..a2e960c 100644
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -203,11 +223,17 @@ files_list_usr(crond_t)
+@@ -203,11 +223,28 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
++# needed by "crontab -e"
++mls_file_read_all_levels(crond_t)
++mls_file_write_all_levels(crond_t)
++
++# needed because of kernel check of transition
++mls_process_set_level(crond_t)
++
++# to make cronjob working
++mls_fd_share_all_levels(crond_t)
++mls_trusted_object(crond_t)
++
+init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
@@ -32328,7 +32626,7 @@ index f7583ab..a2e960c 100644
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
-@@ -220,8 +246,11 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +257,11 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -32340,7 +32638,7 @@ index f7583ab..a2e960c 100644
ifdef(`distro_debian',`
# pam_limits is used
-@@ -233,7 +262,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +273,7 @@ ifdef(`distro_debian',`
')
')
@@ -32349,7 +32647,7 @@ index f7583ab..a2e960c 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -250,11 +279,27 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -32377,7 +32675,7 @@ index f7583ab..a2e960c 100644
amanda_search_var_lib(crond_t)
')
-@@ -264,6 +309,8 @@ optional_policy(`
+@@ -264,6 +320,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -32386,7 +32684,7 @@ index f7583ab..a2e960c 100644
')
optional_policy(`
-@@ -286,15 +333,25 @@ optional_policy(`
+@@ -286,15 +344,25 @@ optional_policy(`
')
optional_policy(`
@@ -32412,7 +32710,7 @@ index f7583ab..a2e960c 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +363,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -32433,7 +32731,7 @@ index f7583ab..a2e960c 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -329,6 +395,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -32441,7 +32739,7 @@ index f7583ab..a2e960c 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +407,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +418,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -32456,7 +32754,7 @@ index f7583ab..a2e960c 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +436,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -32464,7 +32762,7 @@ index f7583ab..a2e960c 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +463,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -32472,7 +32770,7 @@ index f7583ab..a2e960c 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -413,8 +486,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -32484,7 +32782,7 @@ index f7583ab..a2e960c 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -439,6 +514,8 @@ optional_policy(`
+@@ -439,6 +525,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -32493,7 +32791,7 @@ index f7583ab..a2e960c 100644
')
optional_policy(`
-@@ -446,6 +523,14 @@ optional_policy(`
+@@ -446,6 +534,14 @@ optional_policy(`
')
optional_policy(`
@@ -32508,7 +32806,7 @@ index f7583ab..a2e960c 100644
ftp_read_log(system_cronjob_t)
')
-@@ -456,6 +541,10 @@ optional_policy(`
+@@ -456,6 +552,10 @@ optional_policy(`
')
optional_policy(`
@@ -32519,7 +32817,7 @@ index f7583ab..a2e960c 100644
lpd_list_spool(system_cronjob_t)
')
-@@ -464,7 +553,9 @@ optional_policy(`
+@@ -464,7 +564,9 @@ optional_policy(`
')
optional_policy(`
@@ -32529,7 +32827,7 @@ index f7583ab..a2e960c 100644
')
optional_policy(`
-@@ -480,7 +571,7 @@ optional_policy(`
+@@ -480,7 +582,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -32538,7 +32836,7 @@ index f7583ab..a2e960c 100644
')
optional_policy(`
-@@ -495,6 +586,7 @@ optional_policy(`
+@@ -495,6 +597,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -32546,7 +32844,7 @@ index f7583ab..a2e960c 100644
')
optional_policy(`
-@@ -502,7 +594,13 @@ optional_policy(`
+@@ -502,7 +605,13 @@ optional_policy(`
')
optional_policy(`
@@ -32560,7 +32858,7 @@ index f7583ab..a2e960c 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +693,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +704,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -49897,10 +50195,10 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..a16f7d7 100644
+index 1e7169d..c2771dd 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
-@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0)
+@@ -5,47 +5,73 @@ policy_module(policykit, 1.1.0)
# Declarations
#
@@ -49967,6 +50265,10 @@ index 1e7169d..a16f7d7 100644
-allow policykit_t self:process getattr;
-allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
++tunable_policy(`deny_ptrace',`',`
++ allow policykit_t self:capability sys_ptrace;
++')
++
+allow policykit_t self:process { getsched signal };
allow policykit_t self:unix_dgram_socket create_socket_perms;
-allow policykit_t self:unix_stream_socket create_stream_socket_perms;
@@ -49982,7 +50284,7 @@ index 1e7169d..a16f7d7 100644
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +82,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
@@ -50096,7 +50398,7 @@ index 1e7169d..a16f7d7 100644
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,14 +185,21 @@ optional_policy(`
+@@ -118,14 +189,21 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
@@ -50120,7 +50422,7 @@ index 1e7169d..a16f7d7 100644
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -145,19 +219,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +223,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
files_read_etc_files(policykit_grant_t)
files_read_usr_files(policykit_grant_t)
@@ -50145,7 +50447,7 @@ index 1e7169d..a16f7d7 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,9 +240,8 @@ optional_policy(`
+@@ -167,9 +244,8 @@ optional_policy(`
# polkit_resolve local policy
#
@@ -50157,7 +50459,7 @@ index 1e7169d..a16f7d7 100644
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-@@ -185,13 +257,9 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,13 +261,9 @@ corecmd_search_bin(policykit_resolve_t)
files_read_etc_files(policykit_resolve_t)
files_read_usr_files(policykit_resolve_t)
@@ -50172,7 +50474,7 @@ index 1e7169d..a16f7d7 100644
userdom_read_all_users_state(policykit_resolve_t)
-@@ -207,4 +275,3 @@ optional_policy(`
+@@ -207,4 +279,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
@@ -58175,10 +58477,10 @@ index 0000000..0d53457
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..0c1e385
+index 0000000..96adff5
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,100 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -58186,6 +58488,20 @@ index 0000000..0c1e385
+# Declarations
+#
+
++##
++##
++## Allow confined virtual guests to manage nfs files
++##
++##
++gen_tunable(sanlock_use_nfs, false)
++
++##
++##
++## Allow confined virtual guests to manage cifs files
++##
++##
++gen_tunable(sanlock_use_samba, false)
++
+type sanlock_t;
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
@@ -58242,6 +58558,20 @@ index 0000000..0c1e385
+
+miscfiles_read_localization(sanlock_t)
+
++tunable_policy(`sanlock_use_nfs',`
++ fs_manage_nfs_dirs(sanlock_t)
++ fs_manage_nfs_files(sanlock_t)
++ fs_manage_nfs_named_sockets(sanlock_t)
++ fs_read_nfs_symlinks(sanlock_t)
++')
++
++tunable_policy(`sanlock_use_samba',`
++ fs_manage_cifs_dirs(sanlock_t)
++ fs_manage_cifs_files(sanlock_t)
++ fs_manage_cifs_named_sockets(sanlock_t)
++ fs_read_cifs_symlinks(sanlock_t)
++')
++
+optional_policy(`
+ wdmd_stream_connect(sanlock_t)
+')
@@ -60674,7 +61004,7 @@ index 22adaca..d6a4b77 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..e93db05 100644
+index 2dad3c8..12ad27c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -60830,7 +61160,7 @@ index 2dad3c8..e93db05 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -162,31 +186,29 @@ logging_read_generic_logs(ssh_t)
+@@ -162,31 +186,24 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
miscfiles_read_localization(ssh_t)
@@ -60862,19 +61192,16 @@ index 2dad3c8..e93db05 100644
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(ssh_t)
- fs_manage_nfs_files(ssh_t)
-+ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
- ')
-
+-')
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(ssh_t)
- fs_manage_cifs_files(ssh_t)
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(ssh_t)
-+ fs_manage_fusefs_files(ssh_t)
++ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
')
# for port forwarding
-@@ -196,10 +218,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',`
')
optional_policy(`
@@ -60890,7 +61217,7 @@ index 2dad3c8..e93db05 100644
##############################
#
# ssh_keysign_t local policy
-@@ -209,19 +236,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -60912,7 +61239,7 @@ index 2dad3c8..e93db05 100644
#################################
#
# sshd local policy
-@@ -232,33 +254,44 @@ optional_policy(`
+@@ -232,33 +249,44 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -60966,7 +61293,7 @@ index 2dad3c8..e93db05 100644
')
optional_policy(`
-@@ -266,11 +299,24 @@ optional_policy(`
+@@ -266,11 +294,24 @@ optional_policy(`
')
optional_policy(`
@@ -60992,7 +61319,7 @@ index 2dad3c8..e93db05 100644
')
optional_policy(`
-@@ -284,6 +330,15 @@ optional_policy(`
+@@ -284,6 +325,15 @@ optional_policy(`
')
optional_policy(`
@@ -61008,7 +61335,7 @@ index 2dad3c8..e93db05 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +347,26 @@ optional_policy(`
+@@ -292,26 +342,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -61021,10 +61348,6 @@ index 2dad3c8..e93db05 100644
-
- optional_policy(`
- domain_trans(sshd_t, xauth_exec_t, userdomain)
-- ')
--',`
-- optional_policy(`
-- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
@@ -61045,6 +61368,10 @@ index 2dad3c8..e93db05 100644
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
')
+-',`
+- optional_policy(`
+- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+- ')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
@@ -61054,7 +61381,7 @@ index 2dad3c8..e93db05 100644
') dnl endif TODO
########################################
-@@ -322,19 +377,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +372,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -61082,7 +61409,7 @@ index 2dad3c8..e93db05 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +413,84 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +408,86 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -61157,7 +61484,9 @@ index 2dad3c8..e93db05 100644
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(chroot_user_t)
+ fs_manage_fusefs_files(chroot_user_t)
++ fs_manage_fusefs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
@@ -65979,7 +66308,7 @@ index 130ced9..b6fb17a 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..ab908aa 100644
+index 143c893..a3e787d 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -66204,7 +66533,7 @@ index 143c893..ab908aa 100644
')
########################################
-@@ -252,45 +310,82 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -252,45 +310,78 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -66281,10 +66610,6 @@ index 143c893..ab908aa 100644
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(xauth_t)
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_files(xauth_t)
-+')
-+
+userdom_home_manager(xauth_t)
+
+ifdef(`hide_broken_symptoms',`
@@ -66297,7 +66622,7 @@ index 143c893..ab908aa 100644
')
optional_policy(`
-@@ -305,19 +400,40 @@ optional_policy(`
+@@ -305,19 +396,40 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
@@ -66341,7 +66666,7 @@ index 143c893..ab908aa 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +441,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +437,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -66411,7 +66736,7 @@ index 143c893..ab908aa 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +506,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +502,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -66439,7 +66764,7 @@ index 143c893..ab908aa 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +537,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +533,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -66493,7 +66818,7 @@ index 143c893..ab908aa 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +590,25 @@ files_list_mnt(xdm_t)
+@@ -435,9 +586,25 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -66519,7 +66844,7 @@ index 143c893..ab908aa 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +617,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +613,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -66559,7 +66884,7 @@ index 143c893..ab908aa 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +656,48 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +652,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -66583,11 +66908,6 @@ index 143c893..ab908aa 100644
+ifdef(`distro_rhel4',`
+ allow xdm_t self:process { execheap execmem };
+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(xdm_t)
-+ fs_manage_fusefs_files(xdm_t)
-+')
tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(xdm_t)
@@ -66614,7 +66934,7 @@ index 143c893..ab908aa 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +711,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +702,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -66636,7 +66956,7 @@ index 143c893..ab908aa 100644
')
optional_policy(`
-@@ -519,12 +733,63 @@ optional_policy(`
+@@ -519,12 +724,63 @@ optional_policy(`
')
optional_policy(`
@@ -66700,7 +67020,7 @@ index 143c893..ab908aa 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +807,69 @@ optional_policy(`
+@@ -542,28 +798,69 @@ optional_policy(`
')
optional_policy(`
@@ -66779,7 +67099,7 @@ index 143c893..ab908aa 100644
')
optional_policy(`
-@@ -575,6 +881,14 @@ optional_policy(`
+@@ -575,6 +872,14 @@ optional_policy(`
')
optional_policy(`
@@ -66794,7 +67114,7 @@ index 143c893..ab908aa 100644
xfs_stream_connect(xdm_t)
')
-@@ -600,6 +914,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -600,6 +905,7 @@ allow xserver_t input_xevent_t:x_event send;
# NVIDIA Needs execstack
allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
@@ -66802,7 +67122,7 @@ index 143c893..ab908aa 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +928,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -66818,7 +67138,7 @@ index 143c893..ab908aa 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +955,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -66840,7 +67160,7 @@ index 143c893..ab908aa 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +975,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -66848,7 +67168,7 @@ index 143c893..ab908aa 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +1002,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +993,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -66879,7 +67199,7 @@ index 143c893..ab908aa 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -66893,7 +67213,7 @@ index 143c893..ab908aa 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1053,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1044,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -66902,7 +67222,7 @@ index 143c893..ab908aa 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1060,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1051,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -66917,7 +67237,7 @@ index 143c893..ab908aa 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1119,40 @@ optional_policy(`
+@@ -778,16 +1110,40 @@ optional_policy(`
')
optional_policy(`
@@ -66959,7 +67279,7 @@ index 143c893..ab908aa 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1161,10 @@ optional_policy(`
+@@ -796,6 +1152,10 @@ optional_policy(`
')
optional_policy(`
@@ -66970,7 +67290,7 @@ index 143c893..ab908aa 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1180,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -66984,7 +67304,7 @@ index 143c893..ab908aa 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1191,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -66993,7 +67313,7 @@ index 143c893..ab908aa 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,26 +1204,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1195,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -67028,7 +67348,7 @@ index 143c893..ab908aa 100644
')
optional_policy(`
-@@ -862,6 +1226,10 @@ optional_policy(`
+@@ -862,6 +1217,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -67039,7 +67359,7 @@ index 143c893..ab908aa 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1273,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -67048,7 +67368,7 @@ index 143c893..ab908aa 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1327,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1318,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -67080,7 +67400,7 @@ index 143c893..ab908aa 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1373,31 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1364,31 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -67549,10 +67869,16 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..bb64dec 100644
+index 28ad538..c547c84 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -5,7 +5,12 @@
+@@ -1,3 +1,5 @@
++HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+
+ /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+
+@@ -5,7 +7,12 @@
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
@@ -67565,22 +67891,23 @@ index 28ad538..bb64dec 100644
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-@@ -30,6 +35,7 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +37,8 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +51,4 @@ ifdef(`distro_gentoo', `
+@@ -45,5 +54,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..131195d 100644
+index 73554ec..5551d16 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -67611,11 +67938,12 @@ index 73554ec..131195d 100644
')
########################################
-@@ -95,9 +107,12 @@ interface(`auth_use_pam',`
+@@ -95,9 +107,13 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
+ attribute polydomain;
++ type auth_home_t;
')
domain_type($1)
@@ -67624,7 +67952,7 @@ index 73554ec..131195d 100644
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
-@@ -105,14 +120,17 @@ interface(`auth_login_pgm_domain',`
+@@ -105,14 +121,17 @@ interface(`auth_login_pgm_domain',`
# Needed for pam_selinux_permit to cleanup properly
domain_read_all_domains_state($1)
@@ -67642,7 +67970,15 @@ index 73554ec..131195d 100644
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -123,13 +141,20 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +139,28 @@ interface(`auth_login_pgm_domain',`
+ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+ files_var_filetrans($1, auth_cache_t, dir)
+
++ manage_dirs_pattern($1, auth_home_t, auth_home_t)
++ manage_files_pattern($1, auth_home_t, auth_home_t)
++ auth_filetrans_admin_home_content($1)
++ auth_filetrans_home_content($1)
++
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
@@ -67664,7 +68000,7 @@ index 73554ec..131195d 100644
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -145,6 +170,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +176,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -67673,7 +68009,7 @@ index 73554ec..131195d 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,13 +182,87 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +188,87 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -67763,7 +68099,7 @@ index 73554ec..131195d 100644
## Use the login program as an entry point program.
##
##
-@@ -368,13 +469,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +475,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -67780,7 +68116,7 @@ index 73554ec..131195d 100644
')
########################################
-@@ -421,6 +524,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +530,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -67806,7 +68142,7 @@ index 73554ec..131195d 100644
')
########################################
-@@ -440,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +568,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -67814,7 +68150,7 @@ index 73554ec..131195d 100644
')
########################################
-@@ -637,6 +758,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +764,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -67825,7 +68161,7 @@ index 73554ec..131195d 100644
')
#######################################
-@@ -736,7 +861,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +867,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -67877,7 +68213,7 @@ index 73554ec..131195d 100644
')
#######################################
-@@ -932,9 +1100,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1106,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -67911,7 +68247,7 @@ index 73554ec..131195d 100644
')
########################################
-@@ -1387,6 +1576,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1582,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -67937,7 +68273,7 @@ index 73554ec..131195d 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1537,37 +1745,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1751,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -67997,7 +68333,7 @@ index 73554ec..131195d 100644
##
##
##
-@@ -1575,87 +1795,150 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1801,189 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
##
##
@@ -68006,11 +68342,6 @@ index 73554ec..131195d 100644
-interface(`auth_use_nsswitch',`
-
- files_list_var_lib($1)
--
-- # read /etc/nsswitch.conf
-- files_read_etc_files($1)
--
-- miscfiles_read_generic_certs($1)
+interface(`auth_unconfined',`
+ gen_require(`
+ attribute can_read_shadow_passwords;
@@ -68018,15 +68349,14 @@ index 73554ec..131195d 100644
+ attribute can_relabelto_shadow_passwords;
+ ')
-- sysnet_dns_name_resolve($1)
-- sysnet_use_ldap($1)
+- # read /etc/nsswitch.conf
+- files_read_etc_files($1)
+ typeattribute $1 can_read_shadow_passwords;
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+')
-- optional_policy(`
-- avahi_stream_connect($1)
+- miscfiles_read_generic_certs($1)
+########################################
+##
+## Transition to authlogin named content
@@ -68037,17 +68367,16 @@ index 73554ec..131195d 100644
+##
+##
+#
-+interface(`authlogin_filetrans_named_content',`
++interface(`auth_filetrans_named_content',`
+ gen_require(`
+ type shadow_t;
+ type passwd_file_t;
+ type faillog_t;
+ type wtmp_t;
- ')
++ ')
-- optional_policy(`
-- ldap_stream_connect($1)
-- ')
+- sysnet_dns_name_resolve($1)
+- sysnet_use_ldap($1)
+ files_etc_filetrans($1, passwd_file_t, file, "group")
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
@@ -68065,8 +68394,8 @@ index 73554ec..131195d 100644
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+')
-- optional_policy(`
-- likewise_stream_connect_lsassd($1)
+- optional_policy(`
+- avahi_stream_connect($1)
+########################################
+##
+## Get the attributes of the passwd passwords file.
@@ -68083,14 +68412,14 @@ index 73554ec..131195d 100644
')
- optional_policy(`
-- kerberos_use($1)
+- ldap_stream_connect($1)
- ')
+ files_search_etc($1)
+ allow $1 passwd_file_t:file getattr;
+')
-- optional_policy(`
-- nis_use_ypbind($1)
+- optional_policy(`
+- likewise_stream_connect_lsassd($1)
+########################################
+##
+## Do not audit attempts to get the attributes
@@ -68108,13 +68437,13 @@ index 73554ec..131195d 100644
')
- optional_policy(`
-- nscd_socket_use($1)
+- kerberos_use($1)
- ')
+ dontaudit $1 passwd_file_t:file getattr;
+')
- optional_policy(`
-- nslcd_stream_connect($1)
+- nis_use_ypbind($1)
+########################################
+##
+## Read the passwd passwords file (/etc/passwd)
@@ -68131,15 +68460,13 @@ index 73554ec..131195d 100644
')
- optional_policy(`
-- sssd_stream_connect($1)
+- nscd_socket_use($1)
- ')
+ allow $1 passwd_file_t:file read_file_perms;
+')
- optional_policy(`
-- samba_stream_connect_winbind($1)
-- samba_read_var_files($1)
-- samba_dontaudit_write_var_files($1)
+- nslcd_stream_connect($1)
+########################################
+##
+## Do not audit attempts to read the passwd
@@ -68155,15 +68482,65 @@ index 73554ec..131195d 100644
+ gen_require(`
+ type passwd_file_t;
')
-+
+
+- optional_policy(`
+- sssd_stream_connect($1)
+ dontaudit $1 passwd_file_t:file read_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete the passwd
++## password file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_passwd',`
++ gen_require(`
++ type passwd_file_t;
+ ')
+
+- optional_policy(`
+- samba_stream_connect_winbind($1)
+- samba_read_var_files($1)
+- samba_dontaudit_write_var_files($1)
++ files_rw_etc_dirs($1)
++ allow $1 passwd_file_t:file manage_file_perms;
++ files_etc_filetrans($1, passwd_file_t, file, "passwd")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, passwd_file_t, file, "group")
++ files_etc_filetrans($1, passwd_file_t, file, "group-")
++')
++
++########################################
++##
++## Create auth directory in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_filetrans_admin_home_content',`
++ gen_require(`
++ type auth_home_t;
+ ')
++
++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
')
########################################
##
-## Unconfined access to the authlogin module.
-+## Create, read, write, and delete the passwd
-+## password file.
++## Create auth directory in the user home directory
++## with an correct label.
##
-##
-##
@@ -68182,30 +68559,25 @@ index 73554ec..131195d 100644
##
#
-interface(`auth_unconfined',`
-+interface(`auth_manage_passwd',`
++interface(`auth_filetrans_home_content',`
++
gen_require(`
- attribute can_read_shadow_passwords;
- attribute can_write_shadow_passwords;
- attribute can_relabelto_shadow_passwords;
-+ type passwd_file_t;
++ type auth_home_t;
')
- typeattribute $1 can_read_shadow_passwords;
- typeattribute $1 can_write_shadow_passwords;
- typeattribute $1 can_relabelto_shadow_passwords;
-+ files_rw_etc_dirs($1)
-+ allow $1 passwd_file_t:file manage_file_perms;
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
-+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
-+ files_etc_filetrans($1, passwd_file_t, file, "group")
-+ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..39d91d4 100644
+index b7a5f00..93188ef 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
+@@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1)
# Declarations
#
@@ -68227,11 +68599,21 @@ index b7a5f00..39d91d4 100644
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
+attribute polydomain;
-+attribute nsswitch_domain;
++attribute nsswitch_domain;<
type auth_cache_t;
logging_log_file(auth_cache_t)
-@@ -21,6 +37,7 @@ role system_r types chkpwd_t;
+
++type auth_home_t;
++userdom_user_home_content(auth_home_t)
++
+ type chkpwd_t, can_read_shadow_passwords;
+ type chkpwd_exec_t;
+ typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
+-typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
++typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
+ application_domain(chkpwd_t, chkpwd_exec_t)
+ role system_r types chkpwd_t;
type faillog_t;
logging_log_file(faillog_t)
@@ -68239,7 +68621,7 @@ index b7a5f00..39d91d4 100644
type lastlog_t;
logging_log_file(lastlog_t)
-@@ -55,6 +72,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
+@@ -55,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
@@ -68249,7 +68631,7 @@ index b7a5f00..39d91d4 100644
type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
-@@ -100,6 +120,8 @@ dev_read_urand(chkpwd_t)
+@@ -100,6 +123,8 @@ dev_read_urand(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
@@ -68258,7 +68640,7 @@ index b7a5f00..39d91d4 100644
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-@@ -118,7 +140,7 @@ miscfiles_read_localization(chkpwd_t)
+@@ -118,7 +143,7 @@ miscfiles_read_localization(chkpwd_t)
seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)
@@ -68267,7 +68649,7 @@ index b7a5f00..39d91d4 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -332,6 +354,7 @@ kernel_read_system_state(updpwd_t)
+@@ -332,6 +357,7 @@ kernel_read_system_state(updpwd_t)
dev_read_urand(updpwd_t)
files_manage_etc_files(updpwd_t)
@@ -68275,7 +68657,7 @@ index b7a5f00..39d91d4 100644
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -343,7 +366,7 @@ logging_send_syslog_msg(updpwd_t)
+@@ -343,7 +369,7 @@ logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
@@ -68284,7 +68666,7 @@ index b7a5f00..39d91d4 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -371,13 +394,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -371,13 +397,15 @@ term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
@@ -68301,7 +68683,7 @@ index b7a5f00..39d91d4 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +413,74 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -68785,7 +69167,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..2409206 100644
+index 94fd8dd..ef5a3c8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -68823,10 +69205,10 @@ index 94fd8dd..2409206 100644
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $1:unix_dgram_socket create_socket_perms;
-+ allow $1 init_t:unix_stream_socket ioctl;
++ allow $1 init_t:unix_stream_socket ioctl;
+ allow $1 init_t:unix_dgram_socket sendto;
-+ # need write to /var/run/systemd/notify
-+ init_write_pid_socket($1)
++ # need write to /var/run/systemd/notify
++ init_write_pid_socket($1)
+ ')
+')
+
@@ -69715,7 +70097,7 @@ index 94fd8dd..2409206 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..5ee6a57 100644
+index 29a9565..4e87d49 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -70666,7 +71048,7 @@ index 29a9565..5ee6a57 100644
+ allow daemon init_t:unix_dgram_socket sendto;
+ # need write to /var/run/systemd/notify
+ init_write_pid_socket(daemon)
-+ dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
++ allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# daemons started from init will
@@ -70712,7 +71094,7 @@ index 29a9565..5ee6a57 100644
+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+ allow systemprocess init_t:unix_dgram_socket sendto;
-+ dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
++ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+ifdef(`hide_broken_symptoms',`
@@ -73615,7 +73997,7 @@ index 8b5c196..da41726 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..f1121f7 100644
+index 15832c7..b90b726 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@@ -73658,8 +74040,8 @@ index 15832c7..f1121f7 100644
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched setcap setrlimit signal };
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
++allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
+tunable_policy(`deny_ptrace',`',`
+ allow mount_t self:process ptrace;
+')
@@ -73720,7 +74102,7 @@ index 15832c7..f1121f7 100644
dev_dontaudit_rw_generic_chr_files(mount_t)
domain_use_interactive_fds(mount_t)
-+domain_dontaudit_search_all_domains_state(mount_t)
++domain_read_all_domains_state(mount_t)
files_search_all(mount_t)
files_read_etc_files(mount_t)
@@ -77889,7 +78271,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..0b3811d 100644
+index 4b2878a..290f54e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -78403,7 +78785,7 @@ index 4b2878a..0b3811d 100644
##############################
#
-@@ -500,73 +595,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +595,83 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -78503,6 +78885,8 @@ index 4b2878a..0b3811d 100644
+ auth_read_login_records($1_usertype)
+ auth_run_pam($1_t,$1_r)
+ auth_run_utempter($1_t,$1_r)
++ auth_filetrans_admin_home_content($1_t)
++ auth_filetrans_home_content($1_t)
- init_read_utmp($1_t)
+ init_read_utmp($1_usertype)
@@ -78527,7 +78911,7 @@ index 4b2878a..0b3811d 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +677,117 @@ template(`userdom_common_user_template',`
+@@ -574,67 +679,113 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -78659,14 +79043,10 @@ index 4b2878a..0b3811d 100644
+ mta_rw_spool($1_usertype)
+ mta_manage_queue($1_usertype)
+ mta_filetrans_home_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
-@@ -650,40 +803,52 @@ template(`userdom_common_user_template',`
+@@ -650,40 +801,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -78730,18 +79110,18 @@ index 4b2878a..0b3811d 100644
')
')
-@@ -712,13 +877,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +875,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
++
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
@@ -78762,7 +79142,7 @@ index 4b2878a..0b3811d 100644
userdom_change_password_template($1)
-@@ -730,78 +908,82 @@ template(`userdom_login_user_template', `
+@@ -730,78 +906,82 @@ template(`userdom_login_user_template', `
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
@@ -78837,10 +79217,10 @@ index 4b2878a..0b3811d 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -78879,7 +79259,7 @@ index 4b2878a..0b3811d 100644
')
')
-@@ -833,6 +1015,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1013,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -78889,7 +79269,7 @@ index 4b2878a..0b3811d 100644
##############################
#
# Local policy
-@@ -874,45 +1059,114 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1057,114 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -79015,7 +79395,7 @@ index 4b2878a..0b3811d 100644
')
')
-@@ -947,7 +1201,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -79024,7 +79404,7 @@ index 4b2878a..0b3811d 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1210,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -79042,7 +79422,7 @@ index 4b2878a..0b3811d 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1235,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1233,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -79112,7 +79492,7 @@ index 4b2878a..0b3811d 100644
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1297,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1295,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -79123,7 +79503,7 @@ index 4b2878a..0b3811d 100644
')
')
-@@ -1039,7 +1335,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1333,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -79132,7 +79512,7 @@ index 4b2878a..0b3811d 100644
')
##############################
-@@ -1065,7 +1361,11 @@ template(`userdom_admin_user_template',`
+@@ -1065,7 +1359,11 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -79145,7 +79525,7 @@ index 4b2878a..0b3811d 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1372,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -79155,7 +79535,7 @@ index 4b2878a..0b3811d 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1389,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -79163,7 +79543,7 @@ index 4b2878a..0b3811d 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1407,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -79177,7 +79557,7 @@ index 4b2878a..0b3811d 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1426,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1424,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -79220,7 +79600,7 @@ index 4b2878a..0b3811d 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1465,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -79229,7 +79609,7 @@ index 4b2878a..0b3811d 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1526,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -79238,7 +79618,7 @@ index 4b2878a..0b3811d 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1542,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1540,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -79249,7 +79629,7 @@ index 4b2878a..0b3811d 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1553,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -79278,7 +79658,7 @@ index 4b2878a..0b3811d 100644
')
optional_policy(`
-@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1581,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -79294,7 +79674,7 @@ index 4b2878a..0b3811d 100644
')
optional_policy(`
-@@ -1279,11 +1611,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1609,60 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -79355,7 +79735,7 @@ index 4b2878a..0b3811d 100644
ubac_constrained($1)
')
-@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1774,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -79363,15 +79743,11 @@ index 4b2878a..0b3811d 100644
files_search_home($1)
')
-@@ -1441,11 +1823,19 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1821,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
--')
-
--########################################
--##
--## Do not audit attempts to list user home subdirectories.
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ ')
@@ -79379,15 +79755,10 @@ index 4b2878a..0b3811d 100644
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to list user home subdirectories.
- ##
- ##
- ##
-@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',`
+ ')
+
+ ########################################
+@@ -1456,9 +1844,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -79399,7 +79770,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1905,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -79442,7 +79813,7 @@ index 4b2878a..0b3811d 100644
########################################
##
## Create directories in the home dir root with
-@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2015,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -79451,7 +79822,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2031,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -79466,7 +79837,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2079,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -79510,7 +79881,7 @@ index 4b2878a..0b3811d 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2135,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -79536,7 +79907,7 @@ index 4b2878a..0b3811d 100644
## Mmap user home files.
##
##
-@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2186,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -79569,7 +79940,7 @@ index 4b2878a..0b3811d 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2222,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -79587,7 +79958,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2288,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -79648,7 +80019,7 @@ index 4b2878a..0b3811d 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2373,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -79658,7 +80029,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -1827,21 +2391,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2389,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -79672,19 +80043,18 @@ index 4b2878a..0b3811d 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
##
- ## Do not audit attempts to execute user home files.
-@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2497,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
##
@@ -79709,7 +80079,7 @@ index 4b2878a..0b3811d 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
-@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2582,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -79718,7 +80088,7 @@ index 4b2878a..0b3811d 100644
files_search_home($1)
')
-@@ -2039,7 +2615,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2613,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -79727,7 +80097,7 @@ index 4b2878a..0b3811d 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2756,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -79736,7 +80106,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -2390,7 +2966,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2964,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -79745,7 +80115,7 @@ index 4b2878a..0b3811d 100644
files_search_tmp($1)
')
-@@ -2419,6 +2995,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +2993,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -79771,7 +80141,7 @@ index 4b2878a..0b3811d 100644
########################################
##
## Read user tmpfs files.
-@@ -2435,13 +3030,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3028,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -79787,7 +80157,7 @@ index 4b2878a..0b3811d 100644
##
##
##
-@@ -2462,7 +3058,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3056,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -79796,7 +80166,7 @@ index 4b2878a..0b3811d 100644
##
##
##
-@@ -2470,14 +3066,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3064,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -79831,7 +80201,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -2572,6 +3184,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3182,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -79856,7 +80226,7 @@ index 4b2878a..0b3811d 100644
## Read and write a user domain pty.
##
##
-@@ -2590,22 +3220,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +3218,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -79899,7 +80269,7 @@ index 4b2878a..0b3811d 100644
##
##
##
-@@ -2614,14 +3256,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3254,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -79937,7 +80307,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -2640,36 +3301,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3299,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -79945,129 +80315,50 @@ index 4b2878a..0b3811d 100644
- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
- ')
-
++')
+
- ########################################
- ##
--## Execute a shell in all user domains. This
--## is an explicit transition, requiring the
--## caller to use setexeccon().
++
++########################################
++##
+## Get attributes of user domain tty and pty.
- ##
- ##
- ##
--## Domain allowed to transition.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`userdom_spec_domtrans_all_users',`
++##
++##
++#
+interface(`userdom_getattr_user_terminals',`
- gen_require(`
-- attribute userdomain;
++ gen_require(`
+ type user_tty_device_t, user_devpts_t;
- ')
-
-- corecmd_shell_spec_domtrans($1, userdomain)
-- allow userdomain $1:fd use;
-- allow userdomain $1:fifo_file rw_file_perms;
-- allow userdomain $1:process sigchld;
++ ')
++
+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
')
########################################
- ##
--## Execute an Xserver session in all unprivileged user domains. This
-+## Execute a shell in all user domains. This
- ## is an explicit transition, requiring the
- ## caller to use setexeccon().
- ##
-@@ -2679,12 +3336,12 @@ interface(`userdom_spec_domtrans_all_users',`
- ##
- ##
- #
--interface(`userdom_xsession_spec_domtrans_all_users',`
-+interface(`userdom_spec_domtrans_all_users',`
- gen_require(`
- attribute userdomain;
- ')
-
-- xserver_xsession_spec_domtrans($1, userdomain)
-+ corecmd_shell_spec_domtrans($1, userdomain)
- allow userdomain $1:fd use;
- allow userdomain $1:fifo_file rw_file_perms;
- allow userdomain $1:process sigchld;
-@@ -2692,7 +3349,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
-
- ########################################
- ##
--## Execute a shell in all unprivileged user domains. This
-+## Execute an Xserver session in all unprivileged user domains. This
- ## is an explicit transition, requiring the
- ## caller to use setexeccon().
- ##
-@@ -2702,20 +3359,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
- ##
- ##
- #
--interface(`userdom_spec_domtrans_unpriv_users',`
-+interface(`userdom_xsession_spec_domtrans_all_users',`
- gen_require(`
-- attribute unpriv_userdomain;
-+ attribute userdomain;
- ')
-
-- corecmd_shell_spec_domtrans($1, unpriv_userdomain)
-- allow unpriv_userdomain $1:fd use;
-- allow unpriv_userdomain $1:fifo_file rw_file_perms;
-- allow unpriv_userdomain $1:process sigchld;
-+ xserver_xsession_spec_domtrans($1, userdomain)
-+ allow userdomain $1:fd use;
-+ allow userdomain $1:fifo_file rw_file_perms;
-+ allow userdomain $1:process sigchld;
- ')
-
- ########################################
- ##
--## Execute an Xserver session in all unprivileged user domains. This
-+## Execute a shell in all unprivileged user domains. This
- ## is an explicit transition, requiring the
- ## caller to use setexeccon().
- ##
-@@ -2725,57 +3382,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- ##
- ##
- #
--interface(`userdom_xsession_spec_domtrans_unpriv_users',`
-+interface(`userdom_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
-- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
-+ corecmd_shell_spec_domtrans($1, unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+@@ -2713,45 +3391,45 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
--#######################################
+-########################################
+#####################################
##
--## Read and write unpriviledged user SysV sempaphores.
+-## Execute an Xserver session in all unprivileged user domains. This
+-## is an explicit transition, requiring the
+-## caller to use setexeccon().
+## Allow domain dyntrans to unpriv userdomain.
##
##
-##
--## Domain allowed access.
+-## Domain allowed to transition.
-##
+##
+## Domain allowed access.
+##
##
#
--interface(`userdom_rw_unpriv_user_semaphores',`
+-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
@@ -80076,13 +80367,17 @@ index 4b2878a..0b3811d 100644
+ attribute unpriv_userdomain;
+ ')
-- allow $1 unpriv_userdomain:sem rw_sem_perms;
+- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+- allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+- allow unpriv_userdomain $1:process sigchld;
+ allow $1 unpriv_userdomain:process dyntransition;
')
- ########################################
+-#######################################
++########################################
##
--## Manage unpriviledged user SysV sempaphores.
+-## Read and write unpriviledged user SysV sempaphores.
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
@@ -80094,44 +80389,47 @@ index 4b2878a..0b3811d 100644
##
##
#
--interface(`userdom_manage_unpriv_user_semaphores',`
+-interface(`userdom_rw_unpriv_user_semaphores',`
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
-- allow $1 unpriv_userdomain:sem create_sem_perms;
+- allow $1 unpriv_userdomain:sem rw_sem_perms;
+ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
')
+ ########################################
+@@ -2772,25 +3450,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+ allow $1 unpriv_userdomain:sem create_sem_perms;
+ ')
+
-#######################################
-+########################################
- ##
+-##
-## Read and write unpriviledged user SysV shared
-## memory segments.
-+## Manage unpriviledged user SysV sempaphores.
- ##
- ##
- ##
-@@ -2783,12 +3444,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- ##
- ##
- #
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
-interface(`userdom_rw_unpriv_user_shared_mem',`
-+interface(`userdom_manage_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
+-
- allow $1 unpriv_userdomain:shm rw_shm_perms;
-+ allow $1 unpriv_userdomain:sem create_sem_perms;
- ')
-
+-')
+-
########################################
-@@ -2852,7 +3513,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+ ##
+ ## Manage unpriviledged user SysV shared
+@@ -2852,7 +3511,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -80140,7 +80438,7 @@ index 4b2878a..0b3811d 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3529,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3527,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -80174,7 +80472,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -2972,7 +3617,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3615,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -80183,7 +80481,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -3027,7 +3672,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3670,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -80230,7 +80528,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -3045,7 +3728,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3726,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -80239,7 +80537,7 @@ index 4b2878a..0b3811d 100644
')
########################################
-@@ -3064,6 +3747,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3745,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -80247,7 +80545,7 @@ index 4b2878a..0b3811d 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3826,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3824,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -80272,7 +80570,7 @@ index 4b2878a..0b3811d 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3160,6 +3862,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3860,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -80297,7 +80595,7 @@ index 4b2878a..0b3811d 100644
## Create keys for all user domains.
##
##
-@@ -3194,3 +3914,1186 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3912,1186 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9b66cd0..cdb778b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 58%{?dist}
+Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Nov 23 2011 Miroslav Grepl 3.10.0-59
+- Allow mcelog_t to create dir and file in /var/run and label it correctly
+- Allow dbus to manage fusefs
+- Mount needs to read process state when mounting gluster file systems
+- Allow collectd-web to read collectd lib files
+- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr
+- Allow colord to get the attributes of tmpfs filesystem
+- Add sanlock_use_nfs and sanlock_use_samba booleans
+- Add bin_t label for /usr/lib/virtualbox/VBoxManage
+
* Wed Nov 16 2011 Miroslav Grepl 3.10.0-58
- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work