diff --git a/container-selinux.tgz b/container-selinux.tgz
index 4927c34..99a1c17 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0b8dd19..98851bf 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3854,13 +3854,6 @@ index 759016583..1b9a61d18 100644
 +tunable_policy(`use_fusefs_home_dirs',`
 +	fs_mounton_fusefs(seunshare_domain)
  ')
-diff --git a/policy/modules/contrib b/policy/modules/contrib
-index 298b88741..b35f071ea 160000
---- a/policy/modules/contrib
-+++ b/policy/modules/contrib
-@@ -1 +1 @@
--Subproject commit 298b887411b663a7da40a7a465915a7352bac80d
-+Subproject commit b35f071eace9e06117f78cdda3dd6692388dff6f
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 index 33e0f8dad..6fd767031 100644
 --- a/policy/modules/kernel/corecommands.fc
@@ -6701,10 +6694,10 @@ index 3f6e16889..abd046c56 100644
 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
 +')
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c05491..c3fd31813 100644
+index b31c05491..4e585f24c 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
-@@ -15,15 +15,18 @@
+@@ -15,15 +15,19 @@
  /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
@@ -6719,13 +6712,14 @@ index b31c05491..c3fd31813 100644
 +/dev/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)
 +/dev/dmfm.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/drm_dp_aux.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 +/dev/ecryptfs		-c	gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
 +/dev/ptp.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
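Review bot: The new `/dev/drm_dp_aux.*` entry puts the DisplayPort AUX channel nodes under xserver_misc_device_t, so every domain that already has read/write on that type (the X server via dev_rw_xserver_misc, and anything else using that interface) gains them too; as far as I know these nodes give raw read and write access to the sink's DPCD registers, so it is worth confirming that audience is intended rather than a narrower DRM-specific type. The trailing `.*` is also looser than the rest of the file needs: the nodes are numbered, and the `/dev/tpm[0-9]*` entry elsewhere in this same file shows the tighter form, so `/dev/drm_dp_aux[0-9]*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)` would avoid matching any unrelated name with that prefix.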
-@@ -42,8 +45,15 @@
+@@ -42,8 +46,15 @@
  /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
@@ -6741,7 +6735,7 @@ index b31c05491..c3fd31813 100644
  /dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
  /dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
  /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
-@@ -61,8 +71,10 @@
+@@ -61,8 +72,10 @@
  /dev/loop-control	-c	gen_context(system_u:object_r:loop_control_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -6753,7 +6747,7 @@ index b31c05491..c3fd31813 100644
  /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-@@ -72,7 +84,9 @@
+@@ -72,7 +85,9 @@
  /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
@@ -6763,7 +6757,7 @@ index b31c05491..c3fd31813 100644
  /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
  /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
  /dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
-@@ -80,7 +94,10 @@
+@@ -80,7 +95,10 @@
  /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
  /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
  /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
@@ -6774,7 +6768,7 @@ index b31c05491..c3fd31813 100644
  /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-@@ -90,9 +107,11 @@
+@@ -90,9 +108,11 @@
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
  /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
@@ -6786,7 +6780,7 @@ index b31c05491..c3fd31813 100644
  /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -106,6 +125,7 @@
+@@ -106,6 +126,7 @@
  /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
  /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -6794,7 +6788,7 @@ index b31c05491..c3fd31813 100644
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
  /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +138,15 @@
+@@ -118,6 +139,15 @@
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  ')
@@ -6810,7 +6804,7 @@ index b31c05491..c3fd31813 100644
  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
  /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +158,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +159,14 @@ ifdef(`distro_suse', `
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6825,7 +6819,7 @@ index b31c05491..c3fd31813 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -169,18 +200,27 @@ ifdef(`distro_suse', `
+@@ -169,18 +201,27 @@ ifdef(`distro_suse', `
  
  /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
  
@@ -6853,7 +6847,7 @@ index b31c05491..c3fd31813 100644
  
  ifdef(`distro_debian',`
  # this is a static /dev dir "backup mount"
-@@ -198,12 +238,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +239,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -6884,7 +6878,7 @@ index b31c05491..c3fd31813 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..1de2a51f0 100644
+index 76f285ea6..e689c2c5b 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7634,7 +7628,32 @@ index 76f285ea6..1de2a51f0 100644
  ##	Get the attributes of the framebuffer device node.
  ## </summary>
  ## <param name="domain">
-@@ -2402,7 +2837,7 @@ interface(`dev_filetrans_lirc',`
+@@ -2126,6 +2561,24 @@ interface(`dev_write_framebuffer',`
+ 
+ ########################################
+ ## <summary>
++##	Mmap the framebuffer.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_map_framebuffer',`
++	gen_require(`
++		type framebuf_device_t;
++	')
++
++	allow $1 framebuf_device_t:file map;
++')
++
++########################################
++## <summary>
+ ##	Read and write the framebuffer.
+ ## </summary>
+ ## <param name="domain">
+@@ -2402,7 +2855,7 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
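Review bot: The rule in the new `dev_map_framebuffer` interface, `allow $1 framebuf_device_t:file map;`, uses the `file` class, but if framebuf_device_t labels character device nodes (as the neighbouring dev_write_framebuffer and the other *_device_t types here suggest) an mmap of that node is checked against `chr_file map`, so this rule would never match and callers would still be denied. The sibling `dev_map_usbmon_dev` added later in this same patch uses `allow $1 usbmon_device_t:chr_file map;`, so the framebuffer one should be `allow $1 framebuf_device_t:chr_file map;` for consistency. The surrounding dev_write_framebuffer body starts outside this hunk.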
@@ -7643,7 +7662,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2410,17 +2845,17 @@ interface(`dev_filetrans_lirc',`
+@@ -2410,17 +2863,17 @@ interface(`dev_filetrans_lirc',`
  ##	</summary>
  ## </param>
  #
@@ -7665,7 +7684,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2428,17 +2863,17 @@ interface(`dev_getattr_lvm_control',`
+@@ -2428,17 +2881,17 @@ interface(`dev_getattr_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7687,7 +7706,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2446,17 +2881,17 @@ interface(`dev_read_lvm_control',`
+@@ -2446,17 +2899,17 @@ interface(`dev_read_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7709,7 +7728,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2464,17 +2899,17 @@ interface(`dev_rw_lvm_control',`
+@@ -2464,17 +2917,17 @@ interface(`dev_rw_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7731,7 +7750,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2482,35 +2917,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+@@ -2482,35 +2935,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -7776,7 +7795,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2518,62 +2953,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+@@ -2518,62 +2971,189 @@ interface(`dev_dontaudit_getattr_memory_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7850,41 +7869,33 @@ index 76f285ea6..1de2a51f0 100644
  ## <summary>
 -##	Read and execute raw memory devices (e.g. /dev/mem).
 +##	Delete the lvm control device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2581,32 +3007,168 @@ interface(`dev_write_raw_memory',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rx_raw_memory',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_delete_lvm_control_dev',`
- 	gen_require(`
--		type device_t, memory_device_t;
++	gen_require(`
 +		type device_t, lvm_control_t;
- 	')
- 
--	dev_read_raw_memory($1)
--	allow $1 memory_device_t:chr_file execute;
++	')
++
 +	delete_chr_files_pattern($1, device_t, lvm_control_t)
- ')
- 
- ########################################
- ## <summary>
--##	Write and execute raw memory devices (e.g. /dev/mem).
++')
++
++########################################
++## <summary>
 +##	dontaudit getattr raw memory devices (e.g. /dev/mem).
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`dev_wx_raw_memory',`
++##	</summary>
++## </param>
++#
 +interface(`dev_dontaudit_getattr_memory_dev',`
- 	gen_require(`
--		type device_t, memory_device_t;
++	gen_require(`
 +		type memory_device_t;
 +	')
 +
@@ -7994,35 +8005,19 @@ index 76f285ea6..1de2a51f0 100644
 +########################################
 +## <summary>
 +##	Read and execute raw memory devices (e.g. /dev/mem).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rx_raw_memory',`
-+	gen_require(`
-+		type device_t, memory_device_t;
-+	')
-+
-+	dev_read_raw_memory($1)
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2587,7 +3167,7 @@ interface(`dev_rx_raw_memory',`
+ 	')
+ 
+ 	dev_read_raw_memory($1)
+-	allow $1 memory_device_t:chr_file execute;
 +	allow $1 memory_device_t:chr_file { map execute };
-+')
-+
-+########################################
-+## <summary>
-+##	Write and execute raw memory devices (e.g. /dev/mem).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_wx_raw_memory',`
-+	gen_require(`
-+		type device_t, memory_device_t;
+ ')
+ 
+ ########################################
+@@ -2606,7 +3186,7 @@ interface(`dev_wx_raw_memory',`
  	')
  
  	dev_write_raw_memory($1)
@@ -8031,7 +8026,7 @@ index 76f285ea6..1de2a51f0 100644
  ')
  
  ########################################
-@@ -2725,7 +3287,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3305,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -8040,7 +8035,7 @@ index 76f285ea6..1de2a51f0 100644
  ##	</summary>
  ## </param>
  #
-@@ -2811,6 +3373,78 @@ interface(`dev_rw_modem',`
+@@ -2811,6 +3391,78 @@ interface(`dev_rw_modem',`
  
  ########################################
  ## <summary>
@@ -8119,7 +8114,7 @@ index 76f285ea6..1de2a51f0 100644
  ##	Get the attributes of the mouse devices.
  ## </summary>
  ## <param name="domain">
-@@ -2903,20 +3537,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3555,20 @@ interface(`dev_getattr_mtrr_dev',`
  
  ########################################
  ## <summary>
@@ -8144,7 +8139,7 @@ index 76f285ea6..1de2a51f0 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2925,43 +3559,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3577,34 @@ interface(`dev_getattr_mtrr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -8200,7 +8195,7 @@ index 76f285ea6..1de2a51f0 100644
  ##	range registers (MTRR).
  ## </summary>
  ## <param name="domain">
-@@ -2970,13 +3595,32 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3613,32 @@ interface(`dev_write_mtrr',`
  ##	</summary>
  ## </param>
  #
@@ -8236,7 +8231,7 @@ index 76f285ea6..1de2a51f0 100644
  ')
  
  ########################################
-@@ -3144,44 +3788,43 @@ interface(`dev_create_null_dev',`
+@@ -3144,44 +3806,43 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
@@ -8292,7 +8287,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3189,12 +3832,105 @@ interface(`dev_rw_nvram',`
+@@ -3189,9 +3850,102 @@ interface(`dev_rw_nvram',`
  ##	</summary>
  ## </param>
  #
@@ -8301,9 +8296,8 @@ index 76f285ea6..1de2a51f0 100644
  	gen_require(`
 -		type device_t, printer_device_t;
 +		type nvme_device_t;
- 	')
- 
--	getattr_chr_files_pattern($1, device_t, printer_device_t)
++	')
++
 +	read_chr_files_pattern($1, device_t, nvme_device_t)
 +	read_blk_files_pattern($1, device_t, nvme_device_t)
 +')
@@ -8395,13 +8389,10 @@ index 76f285ea6..1de2a51f0 100644
 +interface(`dev_getattr_printer_dev',`
 +	gen_require(`
 +		type device_t, printer_device_t;
-+	')
-+
-+	getattr_chr_files_pattern($1, device_t, printer_device_t)
- ')
+ 	')
  
- ########################################
-@@ -3254,7 +3990,25 @@ interface(`dev_rw_printer',`
+ 	getattr_chr_files_pattern($1, device_t, printer_device_t)
+@@ -3254,7 +4008,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -8428,7 +8419,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +4016,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +4034,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -8445,7 +8436,7 @@ index 76f285ea6..1de2a51f0 100644
  ')
  
  ########################################
-@@ -3399,7 +4154,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4172,7 @@ interface(`dev_dontaudit_read_rand',`
  
  ########################################
  ## <summary>
@@ -8454,7 +8445,7 @@ index 76f285ea6..1de2a51f0 100644
  ##	number generator devices (e.g., /dev/random)
  ## </summary>
  ## <param name="domain">
-@@ -3413,7 +4168,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4186,7 @@ interface(`dev_dontaudit_append_rand',`
  		type random_device_t;
  	')
  
@@ -8463,7 +8454,7 @@ index 76f285ea6..1de2a51f0 100644
  ')
  
  ########################################
-@@ -3633,6 +4388,7 @@ interface(`dev_read_sound',`
+@@ -3633,6 +4406,7 @@ interface(`dev_read_sound',`
  	')
  
  	read_chr_files_pattern($1, device_t, sound_device_t)
@@ -8471,7 +8462,7 @@ index 76f285ea6..1de2a51f0 100644
  ')
  
  ########################################
-@@ -3669,6 +4425,7 @@ interface(`dev_read_sound_mixer',`
+@@ -3669,6 +4443,7 @@ interface(`dev_read_sound_mixer',`
  	')
  
  	read_chr_files_pattern($1, device_t, sound_device_t)
@@ -8479,7 +8470,7 @@ index 76f285ea6..1de2a51f0 100644
  ')
  
  ########################################
-@@ -3855,7 +4612,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4630,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -8488,7 +8479,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3863,91 +4620,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4638,89 @@ interface(`dev_getattr_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -8599,7 +8590,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3955,68 +4710,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,68 +4728,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -8678,7 +8669,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4024,114 +4764,97 @@ interface(`dev_rw_sysfs',`
+@@ -4024,114 +4782,97 @@ interface(`dev_rw_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -8823,7 +8814,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4139,35 +4862,50 @@ interface(`dev_getattr_generic_usb_dev',`
+@@ -4139,35 +4880,50 @@ interface(`dev_getattr_generic_usb_dev',`
  ##	</summary>
  ## </param>
  #
@@ -8882,7 +8873,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4175,12 +4913,278 @@ interface(`dev_read_generic_usb_dev',`
+@@ -4175,17 +4931,20 @@ interface(`dev_read_generic_usb_dev',`
  ##	</summary>
  ## </param>
  #
@@ -8894,22 +8885,25 @@ index 76f285ea6..1de2a51f0 100644
  	')
  
 -	rw_chr_files_pattern($1, device_t, usb_device_t)
+-')
 +	rw_files_pattern($1, sysfs_t, sysfs_t)
 +	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 +
 +	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +')
-+
-+########################################
-+## <summary>
+ 
+ ########################################
+ ## <summary>
+-##	Relabel generic the USB devices.
 +##	Relabel hardware state directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4193,17 +4952,226 @@ interface(`dev_rw_generic_usb_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_relabel_generic_usb_dev',`
 +interface(`dev_relabel_sysfs_dirs',`
 +	gen_require(`
 +		type sysfs_t;
@@ -9120,16 +9114,81 @@ index 76f285ea6..1de2a51f0 100644
 +## </param>
 +#
 +interface(`dev_setattr_generic_usb_dev',`
+ 	gen_require(`
+ 		type usb_device_t;
+ 	')
+ 
+-	relabel_chr_files_pattern($1, device_t, usb_device_t)
++	setattr_chr_files_pattern($1, device_t, usb_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read USB monitor devices.
++##	Read generic the USB devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4211,17 +5179,17 @@ interface(`dev_relabel_generic_usb_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_usbmon_dev',`
++interface(`dev_read_generic_usb_dev',`
+ 	gen_require(`
+-		type device_t, usbmon_device_t;
++		type usb_device_t;
+ 	')
+ 
+-	read_chr_files_pattern($1, device_t, usbmon_device_t)
++	read_chr_files_pattern($1, device_t, usb_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write USB monitor devices.
++##	Read and write generic the USB devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4229,17 +5197,17 @@ interface(`dev_read_usbmon_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_write_usbmon_dev',`
++interface(`dev_rw_generic_usb_dev',`
+ 	gen_require(`
+-		type device_t, usbmon_device_t;
++		type device_t, usb_device_t;
+ 	')
+ 
+-	write_chr_files_pattern($1, device_t, usbmon_device_t)
++	rw_chr_files_pattern($1, device_t, usb_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount a usbfs filesystem.
++##	Relabel generic the USB devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4247,35 +5215,536 @@ interface(`dev_write_usbmon_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_mount_usbfs',`
++interface(`dev_relabel_generic_usb_dev',`
 +	gen_require(`
 +		type usb_device_t;
 +	')
 +
-+	setattr_chr_files_pattern($1, device_t, usb_device_t)
++	relabel_chr_files_pattern($1, device_t, usb_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read generic the USB devices.
++##	Read USB monitor devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -9137,17 +9196,17 @@ index 76f285ea6..1de2a51f0 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_generic_usb_dev',`
++interface(`dev_read_usbmon_dev',`
 +	gen_require(`
-+		type usb_device_t;
++		type device_t, usbmon_device_t;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, usb_device_t)
++	read_chr_files_pattern($1, device_t, usbmon_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write generic the USB devices.
++##	Mmap USB monitor devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -9155,20 +9214,44 @@ index 76f285ea6..1de2a51f0 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_generic_usb_dev',`
++interface(`dev_map_usbmon_dev',`
 +	gen_require(`
-+		type device_t, usb_device_t;
++		type usbmon_device_t;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, usb_device_t)
- ')
- 
- ########################################
-@@ -4249,33 +5253,462 @@ interface(`dev_write_usbmon_dev',`
- #
- interface(`dev_mount_usbfs',`
- 	gen_require(`
--		type usbfs_t;
++	allow $1 usbmon_device_t:chr_file map;
++')
++
++########################################
++## <summary>
++##	Write USB monitor devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_write_usbmon_dev',`
++	gen_require(`
++		type device_t, usbmon_device_t;
++	')
++
++	write_chr_files_pattern($1, device_t, usbmon_device_t)
++')
++
++########################################
++## <summary>
++##	Mount a usbfs filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_mount_usbfs',`
++	gen_require(`
 +		type usbfs_t;
 +	')
 +
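Review bot: The summary of the new `dev_map_usbmon_dev` interface, "Mmap USB monitor devices.", gives policy authors no hint of what the permission exposes; as far as I recall, usbmon's mmap interface hands the caller the capture ring of every URB on the bus, which can include HID traffic, so the doc should say that and note that `map` alone grants neither read nor write and is meant to be paired with dev_read_usbmon_dev. Suggested wording: `##	Mmap USB monitor devices.  This exposes the usbmon capture buffer (all USB traffic on the bus); pair with dev_read_usbmon_dev and grant only to capture tools.` The rest of this hunk is a rebase of existing interfaces and raises nothing new.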
@@ -9597,7 +9680,8 @@ index 76f285ea6..1de2a51f0 100644
 +## </param>
 +#
 +interface(`dev_rw_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type usbfs_t;
 +		type device_t, vfio_device_t;
  	')
  
@@ -9636,7 +9720,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4283,36 +5716,35 @@ interface(`dev_associate_usbfs',`
+@@ -4283,36 +5752,35 @@ interface(`dev_associate_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9682,7 +9766,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4320,17 +5752,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
+@@ -4320,17 +5788,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -9705,7 +9789,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4338,20 +5771,17 @@ interface(`dev_search_usbfs',`
+@@ -4338,20 +5807,17 @@ interface(`dev_search_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9730,7 +9814,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4359,19 +5789,17 @@ interface(`dev_list_usbfs',`
+@@ -4359,19 +5825,17 @@ interface(`dev_list_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9754,7 +9838,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4379,19 +5807,17 @@ interface(`dev_setattr_usbfs_files',`
+@@ -4379,19 +5843,17 @@ interface(`dev_setattr_usbfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -9778,7 +9862,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4399,19 +5825,17 @@ interface(`dev_read_usbfs',`
+@@ -4399,19 +5861,17 @@ interface(`dev_read_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9802,7 +9886,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +5843,18 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5879,18 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -9826,7 +9910,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,36 +5862,41 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,36 +5898,41 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9878,7 +9962,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4474,36 +5904,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+@@ -4474,36 +5940,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9924,7 +10008,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4511,35 +5940,36 @@ interface(`dev_dontaudit_setattr_video_dev',`
+@@ -4511,35 +5976,36 @@ interface(`dev_dontaudit_setattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9970,7 +10054,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4547,17 +5977,19 @@ interface(`dev_write_video_dev',`
+@@ -4547,17 +6013,19 @@ interface(`dev_write_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -9994,7 +10078,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4565,17 +5997,17 @@ interface(`dev_rw_vhost',`
+@@ -4565,17 +6033,17 @@ interface(`dev_rw_vhost',`
  ##	</summary>
  ## </param>
  #
@@ -10016,7 +10100,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4583,18 +6015,18 @@ interface(`dev_rw_vmware',`
+@@ -4583,18 +6051,18 @@ interface(`dev_rw_vmware',`
  ##	</summary>
  ## </param>
  #
@@ -10040,7 +10124,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4602,17 +6034,18 @@ interface(`dev_rwx_vmware',`
+@@ -4602,17 +6070,18 @@ interface(`dev_rwx_vmware',`
  ##	</summary>
  ## </param>
  #
@@ -10063,7 +10147,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4620,17 +6053,17 @@ interface(`dev_read_watchdog',`
+@@ -4620,17 +6089,17 @@ interface(`dev_read_watchdog',`
  ##	</summary>
  ## </param>
  #
@@ -10085,7 +10169,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4638,35 +6071,36 @@ interface(`dev_write_watchdog',`
+@@ -4638,35 +6107,36 @@ interface(`dev_write_watchdog',`
  ##	</summary>
  ## </param>
  #
@@ -10131,7 +10215,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4674,41 +6108,35 @@ interface(`dev_rw_xen',`
+@@ -4674,41 +6144,35 @@ interface(`dev_rw_xen',`
  ##	</summary>
  ## </param>
  #
@@ -10181,7 +10265,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4716,17 +6144,17 @@ interface(`dev_filetrans_xen',`
+@@ -4716,17 +6180,17 @@ interface(`dev_filetrans_xen',`
  ##	</summary>
  ## </param>
  #
@@ -10203,7 +10287,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4734,17 +6162,18 @@ interface(`dev_getattr_xserver_misc_dev',`
+@@ -4734,17 +6198,18 @@ interface(`dev_getattr_xserver_misc_dev',`
  ##	</summary>
  ## </param>
  #
@@ -10226,7 +10310,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4752,17 +6181,17 @@ interface(`dev_setattr_xserver_misc_dev',`
+@@ -4752,17 +6217,17 @@ interface(`dev_setattr_xserver_misc_dev',`
  ##	</summary>
  ## </param>
  #
@@ -10248,7 +10332,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4770,17 +6199,17 @@ interface(`dev_rw_xserver_misc',`
+@@ -4770,17 +6235,17 @@ interface(`dev_rw_xserver_misc',`
  ##	</summary>
  ## </param>
  #
@@ -10270,7 +10354,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4788,18 +6217,17 @@ interface(`dev_rw_zero',`
+@@ -4788,18 +6253,17 @@ interface(`dev_rw_zero',`
  ##	</summary>
  ## </param>
  #
@@ -10293,7 +10377,7 @@ index 76f285ea6..1de2a51f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4807,47 +6235,912 @@ interface(`dev_rwx_zero',`
+@@ -4807,47 +6271,912 @@ interface(`dev_rwx_zero',`
  ##	</summary>
  ## </param>
  #
@@ -17439,7 +17523,7 @@ index d7c11a0b3..f521a50f8 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb43..0444eacf4 100644
+index 8416beb43..1cc0d9ad9 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@@ -17779,7 +17863,35 @@ index 8416beb43..0444eacf4 100644
  ')
  
  ########################################
-@@ -1542,48 +1740,48 @@ interface(`fs_cifs_domtrans',`
+@@ -1363,6 +1561,27 @@ interface(`fs_exec_cifs_files',`
+ 
+ ########################################
+ ## <summary>
++##	Mmap files on a CIFS or SMB
++##	network filesystem, in the caller
++##	domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_map_cifs_files',`
++	gen_require(`
++		type cifs_t;
++	')
++
++	allow $1 cifs_t:file map;
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete directories
+ ##	on a CIFS or SMB network filesystem.
+ ## </summary>
+@@ -1542,48 +1761,48 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -17845,7 +17957,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
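Review bot: The summary of the new `fs_map_cifs_files` interface reads "Mmap files on a CIFS or SMB network filesystem, in the caller domain", but "in the caller domain" is the phrase fs_exec_cifs_files uses to say no domain transition happens on execute, and it has no meaning for a `map` permission, so it looks copied from the exec interface above and will mislead readers. Suggested wording: `##	Mmap files on a CIFS or SMB network filesystem.` with a second line noting that `map` does not imply read or write access and is presumably meant to be granted alongside fs_read_cifs_files or fs_rw_cifs_files. The `<rolecap/>` tag also appears to be carried over from the exec interface; confirm that this mapping capability is meant to be exposed to user roles.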
-@@ -1591,19 +1789,18 @@ interface(`fs_manage_configfs_files',`
+@@ -1591,19 +1810,18 @@ interface(`fs_manage_configfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -17871,7 +17983,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1611,18 +1808,18 @@ interface(`fs_mount_dos_fs',`
+@@ -1611,18 +1829,18 @@ interface(`fs_mount_dos_fs',`
  ##	</summary>
  ## </param>
  #
@@ -17896,7 +18008,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1630,38 +1827,37 @@ interface(`fs_remount_dos_fs',`
+@@ -1630,38 +1848,37 @@ interface(`fs_remount_dos_fs',`
  ##	</summary>
  ## </param>
  #
@@ -17947,7 +18059,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1669,17 +1865,18 @@ interface(`fs_getattr_dos_fs',`
+@@ -1669,17 +1886,18 @@ interface(`fs_getattr_dos_fs',`
  ##	</summary>
  ## </param>
  #
@@ -17971,7 +18083,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1687,17 +1884,17 @@ interface(`fs_relabelfrom_dos_fs',`
+@@ -1687,17 +1905,17 @@ interface(`fs_relabelfrom_dos_fs',`
  ##	</summary>
  ## </param>
  #
@@ -17993,7 +18105,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1705,18 +1902,18 @@ interface(`fs_search_dos',`
+@@ -1705,18 +1923,151 @@ interface(`fs_search_dos',`
  ##	</summary>
  ## </param>
  #
@@ -18014,60 +18126,52 @@ index 8416beb43..0444eacf4 100644
 -##	on a DOS filesystem.
 +##	Mount a DOS filesystem, such as
 +##	FAT32 or NTFS.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1724,17 +1921,19 @@ interface(`fs_list_dos',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_manage_dos_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_mount_dos_fs',`
- 	gen_require(`
- 		type dosfs_t;
- 	')
- 
--	manage_dirs_pattern($1, dosfs_t, dosfs_t)
++	gen_require(`
++		type dosfs_t;
++	')
++
 +	allow $1 dosfs_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
--##	Read files on a DOS filesystem.
++')
++
++########################################
++## <summary>
 +##	Remount a DOS filesystem, such as
 +##	FAT32 or NTFS.  This allows
 +##	some mount options to be changed.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1742,18 +1941,18 @@ interface(`fs_manage_dos_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_read_dos_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_remount_dos_fs',`
- 	gen_require(`
- 		type dosfs_t;
- 	')
- 
--	read_files_pattern($1, dosfs_t, dosfs_t)
++	gen_require(`
++		type dosfs_t;
++	')
++
 +	allow $1 dosfs_t:filesystem remount;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete files
--##	on a DOS filesystem.
++')
++
++########################################
++## <summary>
 +##	Unmount a DOS filesystem, such as
 +##	FAT32 or NTFS.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1761,7 +1960,138 @@ interface(`fs_read_dos_files',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_manage_dos_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_unmount_dos_fs',`
 +	gen_require(`
 +		type dosfs_t;
@@ -18155,6 +18259,14 @@ index 8416beb43..0444eacf4 100644
 +## <summary>
 +##	Create, read, write, and delete dirs
 +##	on a DOS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1734,6 +2085,24 @@ interface(`fs_manage_dos_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Mmap files on a DOS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
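Review bot: The summary added here for the new `fs_map_dos_files` interface (its body, `allow $1 dosfs_t:file map;`, is in the next hunk) should state that only the `map` permission is granted: the kernel still checks read, and execute for PROT_EXEC mappings, against dosfs_t separately, so a caller has to pair this with `fs_read_dos_files`. Proposed wording: `##	Mmap files on a DOS filesystem.  This grants only the map permission; the caller also needs read access (see fs_read_dos_files).` The same gap applies to `fs_map_cifs_files` earlier in this file section, whose hunk starts before this chunk. Since every file on a FAT or NTFS mount carries the single dosfs_t label, the grant covers all mounted DOS filesystems at once, which is worth saying in the summary as well.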
@@ -18162,48 +18274,20 @@ index 8416beb43..0444eacf4 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_manage_dos_dirs',`
-+	gen_require(`
-+		type dosfs_t;
-+	')
-+
-+	manage_dirs_pattern($1, dosfs_t, dosfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read files on a DOS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_read_dos_files',`
++interface(`fs_map_dos_files',`
 +	gen_require(`
 +		type dosfs_t;
 +	')
 +
-+	read_files_pattern($1, dosfs_t, dosfs_t)
++	allow $1 dosfs_t:file map;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete files
-+##	on a DOS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_manage_dos_files',`
- 	gen_require(`
- 		type dosfs_t;
- 	')
-@@ -1793,45 +2123,110 @@ interface(`fs_read_eventpollfs',`
+ ##	Read files on a DOS filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1793,137 +2162,336 @@ interface(`fs_read_eventpollfs',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
  
@@ -18302,39 +18386,46 @@ index 8416beb43..0444eacf4 100644
 +##	Do not audit attempts to create,
 +##	read, write, and delete files
 +##	on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_mounton_fusefs',`
 +interface(`fs_dontaudit_manage_ecryptfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type fusefs_t;
 +		type ecryptfs_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 fusefs_t:dir mounton;
 +	dontaudit $1 ecryptfs_t:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search directories
+-##	on a FUSEFS filesystem.
 +##	Read symbolic links on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1839,115 +2234,875 @@ interface(`fs_unmount_fusefs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`fs_mounton_fusefs',`
+-interface(`fs_search_fusefs',`
 +interface(`fs_read_ecryptfs_symlinks',`
  	gen_require(`
 -		type fusefs_t;
 +		type ecryptfs_t;
  	')
  
--	allow $1 fusefs_t:dir mounton;
+-	allow $1 fusefs_t:dir search_dir_perms;
 +	allow $1 ecryptfs_t:dir list_dir_perms;
 +	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
 +')
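Review bot: After the rebase this hunk reads as a line-by-line replacement of upstream's `fs_mounton_fusefs` by `fs_dontaudit_manage_ecryptfs_files`, and the following hunks do the same for `fs_search_fusefs` → `fs_read_ecryptfs_symlinks`, `fs_dontaudit_list_fusefs` → `fs_manage_ecryptfs_symlinks`, `fs_manage_fusefs_dirs` → `fs_ecryptfs_domtrans` and `fs_dontaudit_manage_fusefs_dirs` → `fs_mount_fusefs`, which makes it look as if fusefs interfaces lose their rules. The fusefs interfaces appear to be re-added further down (the `Mounton a FUSEFS filesystem.` summary and the `dontaudit $1 fusefs_t:dir manage_dir_perms;` body are visible in later hunks), so this is presumably a diff-alignment artifact rather than a policy change, but that cannot be confirmed from this hunk alone. Regenerating this part of the patch with `git diff --patience` (or `--anchored=` on the first ecryptfs interface) should turn the ecryptfs additions into pure `+` insertions, so a reviewer can see directly that no fusefs interface drops a permission. The inner hunk's enclosing interface definitions start and end outside this outer hunk.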
@@ -18358,32 +18449,32 @@ index 8416beb43..0444eacf4 100644
  
  ########################################
  ## <summary>
--##	Search directories
--##	on a FUSEFS filesystem.
+-##	Do not audit attempts to list the contents
+-##	of directories on a FUSEFS filesystem.
 +##	Manage symbolic links on a FUSEFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`fs_search_fusefs',`
+-interface(`fs_dontaudit_list_fusefs',`
 +interface(`fs_manage_ecryptfs_symlinks',`
  	gen_require(`
 -		type fusefs_t;
 +		type ecryptfs_t;
  	')
  
--	allow $1 fusefs_t:dir search_dir_perms;
+-	dontaudit $1 fusefs_t:dir list_dir_perms;
 +	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to list the contents
--##	of directories on a FUSEFS filesystem.
+-##	Create, read, write, and delete directories
+-##	on a FUSEFS filesystem.
 +##	Execute a file on a FUSE filesystem
 +##	in the specified domain.
  ## </summary>
@@ -18408,7 +18499,7 @@ index 8416beb43..0444eacf4 100644
 +## </desc>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
+-##	Domain allowed access.
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
@@ -18417,48 +18508,26 @@ index 8416beb43..0444eacf4 100644
 +##	The type of the new process.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`fs_dontaudit_list_fusefs',`
+-interface(`fs_manage_fusefs_dirs',`
 +interface(`fs_ecryptfs_domtrans',`
  	gen_require(`
 -		type fusefs_t;
 +		type ecryptfs_t;
  	')
  
--	dontaudit $1 fusefs_t:dir list_dir_perms;
+-	allow $1 fusefs_t:dir manage_dir_perms;
 +	allow $1 ecryptfs_t:dir search_dir_perms;
 +	domain_auto_transition_pattern($1, ecryptfs_t, $2)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories
--##	on a FUSEFS filesystem.
-+##	Mount a FUSE filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_manage_fusefs_dirs',`
-+interface(`fs_mount_fusefs',`
- 	gen_require(`
- 		type fusefs_t;
- 	')
- 
--	allow $1 fusefs_t:dir manage_dir_perms;
-+	allow $1 fusefs_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
 -##	Do not audit attempts to create, read,
 -##	write, and delete directories
 -##	on a FUSEFS filesystem.
-+##	Unmount a FUSE filesystem.
++##	Mount a FUSE filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18468,18 +18537,35 @@ index 8416beb43..0444eacf4 100644
  ## </param>
  #
 -interface(`fs_dontaudit_manage_fusefs_dirs',`
-+interface(`fs_unmount_fusefs',`
++interface(`fs_mount_fusefs',`
  	gen_require(`
  		type fusefs_t;
  	')
  
 -	dontaudit $1 fusefs_t:dir manage_dir_perms;
++	allow $1 fusefs_t:filesystem mount;
++')
++
++########################################
++## <summary>
++##	Unmount a FUSE filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_unmount_fusefs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
 +	allow $1 fusefs_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
--##	Read, a FUSEFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Mounton a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
@@ -18573,17 +18659,14 @@ index 8416beb43..0444eacf4 100644
 +	')
 +
 +	dontaudit $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read, a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ')
+ 
+ ########################################
+@@ -1935,19 +2503,645 @@ interface(`fs_dontaudit_manage_fusefs_dirs',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 +## <rolecap/>
 +#
 +interface(`fs_read_fusefs_files',`
@@ -19204,13 +19287,12 @@ index 8416beb43..0444eacf4 100644
 +## <summary>
 +##	Unmount an iso9660 filesystem, which
 +##	is usually used on CDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
  #
 -interface(`fs_read_fusefs_files',`
 +interface(`fs_unmount_iso9660_fs',`
@@ -19231,7 +19313,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1956,57 +3111,59 @@ interface(`fs_read_fusefs_files',`
+@@ -1956,57 +3150,59 @@ interface(`fs_read_fusefs_files',`
  ## </param>
  ## <rolecap/>
  #
@@ -19308,7 +19390,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2014,19 +3171,17 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2014,19 +3210,17 @@ interface(`fs_dontaudit_manage_fusefs_files',`
  ##	</summary>
  ## </param>
  #
@@ -19332,7 +19414,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2034,17 +3189,17 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2034,17 +3228,17 @@ interface(`fs_read_fusefs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -19354,7 +19436,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2052,17 +3207,17 @@ interface(`fs_getattr_hugetlbfs',`
+@@ -2052,17 +3246,17 @@ interface(`fs_getattr_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
@@ -19376,7 +19458,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2070,17 +3225,17 @@ interface(`fs_list_hugetlbfs',`
+@@ -2070,17 +3264,17 @@ interface(`fs_list_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
@@ -19398,7 +19480,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2088,35 +3243,39 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2088,35 +3282,39 @@ interface(`fs_manage_hugetlbfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -19448,7 +19530,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2124,89 +3283,78 @@ interface(`fs_associate_hugetlbfs',`
+@@ -2124,89 +3322,78 @@ interface(`fs_associate_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
@@ -19569,7 +19651,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2214,19 +3362,21 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3401,21 @@ interface(`fs_hugetlbfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -19597,7 +19679,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2234,18 +3384,19 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3423,19 @@ interface(`fs_mount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
@@ -19622,7 +19704,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2253,38 +3404,41 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,38 +3443,41 @@ interface(`fs_remount_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
@@ -19676,7 +19758,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2292,19 +3446,21 @@ interface(`fs_getattr_iso9660_fs',`
+@@ -2292,19 +3485,21 @@ interface(`fs_getattr_iso9660_fs',`
  ##	</summary>
  ## </param>
  #
@@ -19704,7 +19786,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2312,16 +3468,15 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,16 +3507,15 @@ interface(`fs_getattr_iso9660_files',`
  ##	</summary>
  ## </param>
  #
@@ -19725,7 +19807,7 @@ index 8416beb43..0444eacf4 100644
  ########################################
  ## <summary>
  ##	Mount a NFS filesystem.
-@@ -2398,6 +3553,24 @@ interface(`fs_getattr_nfs',`
+@@ -2398,6 +3592,24 @@ interface(`fs_getattr_nfs',`
  
  ########################################
  ## <summary>
@@ -19750,7 +19832,7 @@ index 8416beb43..0444eacf4 100644
  ##	Search directories on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2485,6 +3658,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +3697,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19758,7 +19840,7 @@ index 8416beb43..0444eacf4 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,73 +3692,148 @@ interface(`fs_dontaudit_read_nfs_files',`
+@@ -2518,73 +3731,148 @@ interface(`fs_dontaudit_read_nfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -19926,7 +20008,7 @@ index 8416beb43..0444eacf4 100644
  ')
  
  ########################################
-@@ -2603,7 +3852,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3891,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19935,7 +20017,7 @@ index 8416beb43..0444eacf4 100644
  ')
  
  ########################################
-@@ -2627,7 +3876,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3915,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -19944,7 +20026,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2719,6 +3968,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +4007,65 @@ interface(`fs_search_rpc',`
  
  ########################################
  ## <summary>
@@ -20010,7 +20092,7 @@ index 8416beb43..0444eacf4 100644
  ##	Search removable storage directories.
  ## </summary>
  ## <param name="domain">
-@@ -2741,7 +4049,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +4088,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -20019,7 +20101,7 @@ index 8416beb43..0444eacf4 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +4085,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +4124,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -20028,7 +20110,7 @@ index 8416beb43..0444eacf4 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +4278,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4317,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -20036,7 +20118,7 @@ index 8416beb43..0444eacf4 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,11 +4319,31 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,11 +4358,31 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -20068,7 +20150,7 @@ index 8416beb43..0444eacf4 100644
  ##	Do not audit attempts to create,
  ##	read, write, and delete files
  ##	on a NFS filesystem.
-@@ -3050,6 +4379,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4418,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -20076,7 +20158,7 @@ index 8416beb43..0444eacf4 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +4467,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4506,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -20101,7 +20183,7 @@ index 8416beb43..0444eacf4 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3239,15 +4587,198 @@ interface(`fs_search_nfsd_fs',`
+@@ -3239,15 +4626,198 @@ interface(`fs_search_nfsd_fs',`
  #
  interface(`fs_list_nfsd_fs',`
  	gen_require(`
@@ -20303,7 +20385,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3255,35 +4786,35 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,35 +4825,35 @@ interface(`fs_list_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -20348,7 +20430,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="type">
  ##	<summary>
-@@ -3291,12 +4822,12 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3291,12 +4861,12 @@ interface(`fs_rw_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
@@ -20364,7 +20446,7 @@ index 8416beb43..0444eacf4 100644
  ')
  
  ########################################
-@@ -3392,7 +4923,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4962,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -20373,7 +20455,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4960,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4999,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20382,7 +20464,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4978,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +5017,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -20391,7 +20473,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +5310,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5349,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20416,7 +20498,7 @@ index 8416beb43..0444eacf4 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +5364,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5403,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -20441,7 +20523,7 @@ index 8416beb43..0444eacf4 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +5475,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5514,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -20450,7 +20532,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +5483,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5522,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20471,7 +20553,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +5501,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5540,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20492,7 +20574,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5519,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5558,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -20532,7 +20614,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5556,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5595,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -20588,7 +20670,7 @@ index 8416beb43..0444eacf4 100644
  ')
  
  ########################################
-@@ -4057,23 +5660,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5699,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
  ## </param>
  ## <param name="name" optional="true">
  ##	<summary>
@@ -20765,7 +20847,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4081,18 +5831,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5870,18 @@ interface(`fs_tmpfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -20788,7 +20870,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4100,54 +5850,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5889,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20855,7 +20937,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4155,17 +5904,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5943,18 @@ interface(`fs_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20877,7 +20959,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4173,17 +5923,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5962,18 @@ interface(`fs_rw_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -20899,7 +20981,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4191,37 +5942,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5981,36 @@ interface(`fs_read_tmpfs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -20945,7 +21027,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4229,18 +5979,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +6018,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -20967,7 +21049,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4248,18 +5998,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +6037,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
  ##	</summary>
  ## </param>
  #
@@ -20991,7 +21073,7 @@ index 8416beb43..0444eacf4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4267,32 +6018,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +6057,31 @@ interface(`fs_rw_tmpfs_blk_files',`
  ##	</summary>
  ## </param>
  #
@@ -21030,7 +21112,7 @@ index 8416beb43..0444eacf4 100644
  ')
  
  ########################################
-@@ -4407,6 +6157,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6196,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -21056,7 +21138,7 @@ index 8416beb43..0444eacf4 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +6272,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6311,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -21065,7 +21147,7 @@ index 8416beb43..0444eacf4 100644
  ')
  
  ########################################
-@@ -4549,7 +6320,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6359,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -21074,7 +21156,7 @@ index 8416beb43..0444eacf4 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +6367,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6406,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -21101,7 +21183,7 @@ index 8416beb43..0444eacf4 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6462,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6501,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -21127,7 +21209,7 @@ index 8416beb43..0444eacf4 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6722,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6761,176 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -26193,7 +26275,7 @@ index ff9243078..36740eab3 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6c0..c8ef8c8e4 100644
+index 2522ca6c0..b1c6b714d 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1)
@@ -26561,7 +26643,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +410,46 @@ optional_policy(`
+@@ -266,35 +410,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26588,6 +26670,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  optional_policy(`
 -	rpc_domtrans_nfsd(sysadm_t)
 +	puppet_run_puppetca(sysadm_t, sysadm_r)
++	puppet_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
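Review bot: `puppet_run(sysadm_t, sysadm_r)` is inserted after `puppet_run_puppetca(sysadm_t, sysadm_r)`, whereas the surrounding blocks keep calls sorted (compare the `usermanage_run_*` calls further down); swapping the two lines keeps the block consistent. The line also adds a second role transition for sysadm_r into the puppet agent domain, and nothing in this hunk records why sysadm needs to drive the agent interactively, so the use case should be captured next to the call, e.g. `# sysadm runs the puppet agent directly: <ticket-id placeholder>` above it. Both calls sit inside the same optional_policy block, so the new rule is correctly conditional on the puppet module being present; the block closes within this hunk.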
@@ -26615,7 +26698,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  ')
  
  optional_policy(`
-@@ -308,6 +463,7 @@ optional_policy(`
+@@ -308,6 +464,7 @@ optional_policy(`
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -26623,7 +26706,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  ')
  
  optional_policy(`
-@@ -315,12 +471,20 @@ optional_policy(`
+@@ -315,12 +472,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26645,7 +26728,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  ')
  
  optional_policy(`
-@@ -345,30 +509,38 @@ optional_policy(`
+@@ -345,30 +510,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26693,7 +26776,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  ')
  
  optional_policy(`
-@@ -380,10 +552,6 @@ optional_policy(`
+@@ -380,10 +553,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26704,7 +26787,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +559,9 @@ optional_policy(`
+@@ -391,6 +560,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -26714,7 +26797,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  ')
  
  optional_policy(`
-@@ -398,31 +569,34 @@ optional_policy(`
+@@ -398,31 +570,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26755,7 +26838,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -435,10 +609,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +610,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -26766,7 +26849,7 @@ index 2522ca6c0..c8ef8c8e4 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -459,15 +629,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +630,79 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30529,7 +30612,7 @@ index 8274418c6..a47fd0b4d 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc2d..75b2f31f9 100644
+index 6bf0ecc2d..a6b6087eb 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,36 @@
@@ -31033,7 +31116,7 @@ index 6bf0ecc2d..75b2f31f9 100644
  ')
  
  ########################################
-@@ -765,11 +816,92 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,16 +816,19 @@ interface(`xserver_manage_xdm_spool_files',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -31046,187 +31129,342 @@ index 6bf0ecc2d..75b2f31f9 100644
 +	files_search_pids($1)
 +	stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
 +    userdom_stream_connect($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read xdm-writable configuration files.
 +##	Allow domain to append XDM unix domain
 +##	stream socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -782,18 +836,18 @@ interface(`xserver_stream_connect_xdm',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_read_xdm_rw_config',`
 +
 +interface(`xserver_append_xdm_stream_socket',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_rw_etc_t;
 +		type xdm_t;
-+	')
-+
+ 	')
+ 
+-	files_search_etc($1)
+-	allow $1 xdm_rw_etc_t:file read_file_perms;
 +    allow $1 xdm_t:unix_stream_socket append;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of XDM temporary directories.
 +##	Read XDM files in user home directories. 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -801,18 +855,18 @@ interface(`xserver_read_xdm_rw_config',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_setattr_xdm_tmp_dirs',`
 +interface(`xserver_read_xdm_home_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_tmp_t;
 +		type xdm_home_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 xdm_tmp_t:dir setattr;
 +	userdom_search_user_home_dirs($1)
 +	allow $1 xdm_home_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create a named socket in a XDM
+-##	temporary directory.
 +##	Read xserver configuration files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -820,19 +874,19 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_create_xdm_tmp_sockets',`
 +interface(`xserver_read_config',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_tmp_t;
 +		type xserver_etc_t;
-+	')
-+
+ 	')
+ 
+-	files_search_tmp($1)
+-	allow $1 xdm_tmp_t:dir list_dir_perms;
+-	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 +	files_search_etc($1)
 +	read_files_pattern($1, xserver_etc_t, xserver_etc_t)
 +	read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read XDM pid files.
 +##	Manage xserver configuration files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -840,18 +894,19 @@ interface(`xserver_create_xdm_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_read_xdm_pid',`
 +interface(`xserver_manage_config',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_var_run_t;
 +		type xserver_etc_t;
-+	')
-+
+ 	')
+ 
+-	files_search_pids($1)
+-	allow $1 xdm_var_run_t:file read_file_perms;
 +	files_search_etc($1)
 +	manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
 +	manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
  ')
  
  ########################################
-@@ -793,6 +925,21 @@ interface(`xserver_read_xdm_rw_config',`
+ ## <summary>
+-##	Read XDM var lib files.
++##	Read xdm-writable configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -859,110 +914,79 @@ interface(`xserver_read_xdm_pid',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_read_xdm_lib_files',`
++interface(`xserver_read_xdm_rw_config',`
+ 	gen_require(`
+-		type xdm_var_lib_t;
++		type xdm_rw_etc_t;
+ 	')
+ 
+-	allow $1 xdm_var_lib_t:file read_file_perms;
++	files_search_etc($1)
++	allow $1 xdm_rw_etc_t:file read_file_perms;
+ ')
  
  ########################################
  ## <summary>
+-##	Make an X session script an entrypoint for the specified domain.
 +##	Search XDM temporary directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	The domain for which the shell is an entrypoint.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_xsession_entry_type',`
+-	gen_require(`
+-		type xsession_exec_t;
+-	')
+-
+-	domain_entry_file($1, xsession_exec_t)
 +interface(`xserver_search_xdm_tmp_dirs',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
 +    userdom_search_user_tmp_dirs($1)
-+')
-+
-+########################################
-+## <summary>
- ##	Set the attributes of XDM temporary directories.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute an X session in the target domain.  This
+-##	is an explicit transition, requiring the
+-##	caller to use setexeccon().
++##	Set the attributes of XDM temporary directories.
  ## </summary>
+-## <desc>
+-##	<p>
+-##	Execute an Xsession in the target domain.  This
+-##	is an explicit transition, requiring the
+-##	caller to use setexeccon().
+-##	</p>
+-##	<p>
+-##	No interprocess communication (signals, pipes,
+-##	etc.) is provided by this interface since
+-##	the domains are not owned by this module.
+-##	</p>
+-## </desc>
  ## <param name="domain">
-@@ -802,11 +949,23 @@ interface(`xserver_read_xdm_rw_config',`
+ ##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-## <param name="target_domain">
+-##	<summary>
+-##	The type of the shell process.
++##	Domain allowed access.
+ ##	</summary>
  ## </param>
  #
- interface(`xserver_setattr_xdm_tmp_dirs',`
+-interface(`xserver_xsession_spec_domtrans',`
 -	gen_require(`
--		type xdm_tmp_t;
+-		type xsession_exec_t;
 -	')
+-
+-	domain_trans($1, xsession_exec_t, $2)
++interface(`xserver_setattr_xdm_tmp_dirs',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
 +    userdom_dontaudit_setattr_user_tmp($1)
-+')
+ ')
  
--	allow $1 xdm_tmp_t:dir setattr;
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Get the attributes of X server logs.
 +##	Dont audit attempts to set the attributes of XDM temporary directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_getattr_log',`
+-	gen_require(`
+-		type xserver_log_t;
+-	')
+-
+-	logging_search_logs($1)
+-	allow $1 xserver_log_t:file getattr;
 +interface(`xserver_dontaudit_xdm_tmp_dirs',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
 +    userdom_dontaudit_setattr_user_tmp($1)
  ')
  
  ########################################
-@@ -821,13 +980,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ ## <summary>
+-##	Do not audit attempts to write the X server
+-##	log files.
++##	Create a named socket in a XDM
++##	temporary directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
  ## </param>
  #
- interface(`xserver_create_xdm_tmp_sockets',`
+-interface(`xserver_dontaudit_write_log',`
 -	gen_require(`
--		type xdm_tmp_t;
+-		type xserver_log_t;
 -	')
 -
--	files_search_tmp($1)
--	allow $1 xdm_tmp_t:dir list_dir_perms;
--	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+-	dontaudit $1 xserver_log_t:file { append write };
++interface(`xserver_create_xdm_tmp_sockets',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
 +    userdom_create_user_tmp_sockets($1)
  ')
  
  ########################################
-@@ -846,7 +1000,26 @@ interface(`xserver_read_xdm_pid',`
+ ## <summary>
+-##	Delete X server log files.
++##	Read XDM pid files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -970,20 +994,18 @@ interface(`xserver_dontaudit_write_log',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_delete_log',`
++interface(`xserver_read_xdm_pid',`
+ 	gen_require(`
+-		type xserver_log_t;
++		type xdm_var_run_t;
  	')
  
- 	files_search_pids($1)
--	allow $1 xdm_var_run_t:file read_file_perms;
+-	logging_search_logs($1)
+-	allow $1 xserver_log_t:dir list_dir_perms;
+-	delete_files_pattern($1, xserver_log_t, xserver_log_t)
+-	delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
++	files_search_pids($1)
 +	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
-+')
-+
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read X keyboard extension libraries.
++##	Mmap XDM pid files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -991,39 +1013,562 @@ interface(`xserver_delete_log',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_read_xkb_libs',`
++interface(`xserver_map_xdm_pid',`
+ 	gen_require(`
+-		type xkb_var_lib_t;
++		type xdm_var_run_t;
+ 	')
+ 
+-	files_search_var_lib($1)
+-	allow $1 xkb_var_lib_t:dir list_dir_perms;
+-	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+-	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
++	allow $1 xdm_var_run_t:file map;
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Read xdm temporary files.
 +##  Dontaudit Read XDM pid files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##	Domain to not audit.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`xserver_read_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
 +interface(`xserver_dontaudit_read_xdm_pid',`
 +    gen_require(`
 +        type xdm_var_run_t;
 +    ')
-+
+ 
+- 	files_search_tmp($1)
+-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 +	dontaudit $1 xdm_var_run_t:dir search_dir_perms;
 +    dontaudit $1 xdm_var_run_t:file read_file_perms;
  ')
  
  ########################################
-@@ -864,7 +1037,26 @@ interface(`xserver_read_xdm_lib_files',`
- 		type xdm_var_lib_t;
- 	')
- 
--	allow $1 xdm_var_lib_t:file read_file_perms;
+ ## <summary>
+-##	Do not audit attempts to read xdm temporary files.
++##	Read XDM var lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_read_xdm_lib_files',`
++	gen_require(`
++		type xdm_var_lib_t;
++	')
++
 +	read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
 +	read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
 +')
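Review bot: The new `xserver_map_xdm_pid` interface (the `allow $1 xdm_var_run_t:file map;` body near the middle of the hunk) grants only `map`, yet an mmap of the pid file is additionally checked for the read/write permission matching its protection flags, and unlike the neighbouring `xserver_read_xdm_pid` it does not call `files_search_pids($1)`. Either state in its summary block that it complements the read interface, e.g. `##	Intended to be used together with xserver_read_xdm_pid(); map alone grants no read access.`, or add `files_search_pids($1)` so it stands on its own. A smaller point of style: `xserver_dontaudit_read_xdm_pid` mixes four-space and tab indentation within one body (the two `dontaudit` lines), while the surrounding interfaces use tabs throughout.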
@@ -31247,126 +31485,211 @@ index 6bf0ecc2d..75b2f31f9 100644
 +	')
 +
 +	allow $1 xdm_var_lib_t:file { read_inherited_file_perms map };
- ')
- 
- ########################################
-@@ -938,17 +1130,36 @@ interface(`xserver_getattr_log',`
- 	')
- 
- 	logging_search_logs($1)
--	allow $1 xserver_log_t:file getattr;
-+	allow $1 xserver_log_t:file getattr_file_perms;
- ')
- 
--########################################
-+#######################################
- ## <summary>
--##	Do not audit attempts to write the X server
--##	log files.
-+##  Allow domain to read X server logs.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
++')
++
++########################################
++## <summary>
++##	Make an X session script an entrypoint for the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The domain for which the shell is an entrypoint.
++##	</summary>
 +## </param>
 +#
-+interface(`xserver_read_log',`
-+    gen_require(`
-+        type xserver_log_t;
-+    ')
++interface(`xserver_xsession_entry_type',`
++	gen_require(`
++		type xsession_exec_t;
++	')
 +
-+    logging_search_logs($1)
-+    allow $1 xserver_log_t:file read_file_perms;
++	domain_entry_file($1, xsession_exec_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to write the X server
-+##	log files.
++##	Execute an X session in the target domain.  This
++##	is an explicit transition, requiring the
++##	caller to use setexeccon().
 +## </summary>
++## <desc>
++##	<p>
++##	Execute an Xsession in the target domain.  This
++##	is an explicit transition, requiring the
++##	caller to use setexeccon().
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -957,7 +1168,7 @@ interface(`xserver_dontaudit_write_log',`
- 		type xserver_log_t;
- 	')
- 
--	dontaudit $1 xserver_log_t:file { append write };
-+	dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
-@@ -1004,7 +1215,7 @@ interface(`xserver_read_xkb_libs',`
- 
- ########################################
- ## <summary>
--##	Read xdm temporary files.
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the shell process.
++##	</summary>
++## </param>
++#
++interface(`xserver_xsession_spec_domtrans',`
++	gen_require(`
++		type xsession_exec_t;
++	')
++
++	domain_trans($1, xsession_exec_t, $2)
++')
++
++########################################
++## <summary>
++##	Get the attributes of X server logs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_getattr_log',`
++	gen_require(`
++		type xserver_log_t;
++	')
++
++	logging_search_logs($1)
++	allow $1 xserver_log_t:file getattr_file_perms;
++')
++
++#######################################
++## <summary>
++##  Allow domain to read X server logs.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`xserver_read_log',`
++    gen_require(`
++        type xserver_log_t;
++    ')
++
++    logging_search_logs($1)
++    allow $1 xserver_log_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write the X server
++##	log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xserver_dontaudit_write_log',`
++	gen_require(`
++		type xserver_log_t;
++	')
++
++	dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete X server log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_delete_log',`
++	gen_require(`
++		type xserver_log_t;
++	')
++
++	logging_search_logs($1)
++	allow $1 xserver_log_t:dir list_dir_perms;
++	delete_files_pattern($1, xserver_log_t, xserver_log_t)
++	delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
++')
++
++########################################
++## <summary>
++##	Read X keyboard extension libraries.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_read_xkb_libs',`
++	gen_require(`
++		type xkb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 xkb_var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
++	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
++')
++
++########################################
++## <summary>
 +##	Manage X keyboard extension libraries.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1012,51 +1223,117 @@ interface(`xserver_read_xkb_libs',`
- ##	</summary>
- ## </param>
- #
--interface(`xserver_read_xdm_tmp_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`xserver_manage_xkb_libs',`
- 	gen_require(`
--		type xdm_tmp_t;
++	gen_require(`
 +		type xkb_var_lib_t;
- 	')
- 
-- 	files_search_tmp($1)
--	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++	')
++
 +	files_search_var_lib($1)
 +	allow $1 xkb_var_lib_t:dir list_dir_perms;
 +	manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read xdm temporary files.
++')
++
++########################################
++## <summary>
 +##	dontaudit access checks X keyboard extension libraries.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`xserver_dontaudit_read_xdm_tmp_files',`
++##	</summary>
++## </param>
++#
 +interface(`xserver_dontaudit_xkb_libs_access',`
- 	gen_require(`
--		type xdm_tmp_t;
++	gen_require(`
 +		type xkb_var_lib_t;
- 	')
- 
--	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
--	dontaudit $1 xdm_tmp_t:file read_file_perms;
++	')
++
 +	dontaudit $1 xkb_var_lib_t:dir audit_access;
 +	dontaudit $1 xkb_var_lib_t:file audit_access;
- ')
- 
- ########################################
- ## <summary>
--##	Read write xdm temporary files.
++')
++
++########################################
++## <summary>
 +##	Read xdm config files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit
- ##	</summary>
- ## </param>
- #
--interface(`xserver_rw_xdm_tmp_files',`
++##	</summary>
++## </param>
++#
 +interface(`xserver_read_xdm_etc_files',`
 +	gen_require(`
 +		type xdm_etc_t;
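Review bot: Two parameter descriptions on the new side are inverted: `xserver_dontaudit_xkb_libs_access` is a dontaudit interface but its `<param name="domain">` summary reads `Domain allowed access.`, while `xserver_read_xdm_etc_files` is an allow interface whose parameter summary reads `Domain to not audit`. Swapping them (`##	Domain to not audit.` for the former, `##	Domain allowed access.` for the latter) keeps the generated interface documentation honest about what each one grants. The `xserver_read_log` body also uses four-space indentation where every neighbouring interface in this hunk uses tabs.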
@@ -31388,13 +31711,10 @@ index 6bf0ecc2d..75b2f31f9 100644
 +## </param>
 +#
 +interface(`xserver_manage_xdm_etc_files',`
- 	gen_require(`
--		type xdm_tmp_t;
++	gen_require(`
 +		type xdm_etc_t;
- 	')
- 
--	allow $1 xdm_tmp_t:dir search_dir_perms;
--	allow $1 xdm_tmp_t:file rw_file_perms;
++	')
++
 +	files_search_etc($1)
 +	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
 +')
@@ -31442,16 +31762,19 @@ index 6bf0ecc2d..75b2f31f9 100644
 +interface(`xserver_rw_xdm_tmp_files',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
 +    userdom_rw_user_tmpfs_files($1)
- ')
- 
- ########################################
-@@ -1070,11 +1347,38 @@ interface(`xserver_rw_xdm_tmp_files',`
- ## </param>
- #
- interface(`xserver_manage_xdm_tmp_files',`
--	gen_require(`
--		type xdm_tmp_t;
--	')
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete xdm temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_manage_xdm_tmp_files',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
 +    userdom_manage_user_tmp_files($1)
 +')
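Review bot: `xserver_rw_xdm_tmp_files` is deprecated to `userdom_rw_user_tmpfs_files`, whereas the sibling deprecation in this hunk, `xserver_manage_xdm_tmp_files`, and the others nearby point at the `userdom_*_user_tmp_*` family rather than tmpfs. If the tmpfs target is intentional, a one-line comment above the `refpolicywarn` line saying so would stop a later reader from "correcting" it; if it is not, `userdom_rw_user_tmp_files` would match the siblings. The documentation block for `xserver_rw_xdm_tmp_files` begins outside this hunk.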
@@ -31470,8 +31793,7 @@ index 6bf0ecc2d..75b2f31f9 100644
 +    refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
 +    userdom_relabel_user_tmp_dirs($1)
 +')
- 
--	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++
 +########################################
 +## <summary>
 +##	Create, read, write, and delete xdm temporary dirs.
@@ -31485,30 +31807,41 @@ index 6bf0ecc2d..75b2f31f9 100644
 +interface(`xserver_manage_xdm_tmp_dirs',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
 +    userdom_manage_user_tmp_dirs($1)
- ')
- 
- ########################################
-@@ -1089,11 +1393,8 @@ interface(`xserver_manage_xdm_tmp_files',`
- ## </param>
- #
- interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
--	gen_require(`
--		type xdm_tmp_t;
--	')
--
--	dontaudit $1 xdm_tmp_t:sock_file getattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes of
++##	xdm temporary named sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 +    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.')
 +    userdom_dontaudit_user_getattr_tmp_sockets($1)
- ')
- 
- ########################################
-@@ -1111,8 +1412,28 @@ interface(`xserver_domtrans',`
- 		type xserver_t, xserver_exec_t;
- 	')
- 
-- 	allow $1 xserver_t:process siginh;
++')
++
++########################################
++## <summary>
++##	Execute the X server in the X server domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`xserver_domtrans',`
++	gen_require(`
++		type xserver_t, xserver_exec_t;
++	')
++
 +	allow $1 xserver_t:process siginh;
- 	domtrans_pattern($1, xserver_exec_t, xserver_t)
++	domtrans_pattern($1, xserver_exec_t, xserver_t)
 +
 +	allow xserver_t $1:process getpgid;
 +')
@@ -31529,13 +31862,28 @@ index 6bf0ecc2d..75b2f31f9 100644
 +	')
 +
 +	can_exec($1, xserver_exec_t)
- ')
- 
- ########################################
-@@ -1135,6 +1456,24 @@ interface(`xserver_signal',`
- 
- ########################################
- ## <summary>
++')
++
++########################################
++## <summary>
++##	Signal X servers
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_signal',`
++	gen_require(`
++		type xserver_t;
++	')
++
++	allow $1 xserver_t:process signal;
++')
++
++########################################
++## <summary>
 +##	Send a null signal to xdm processes.
 +## </summary>
 +## <param name="domain">
@@ -31554,14 +31902,63 @@ index 6bf0ecc2d..75b2f31f9 100644
 +
 +########################################
 +## <summary>
- ##	Kill X servers
- ## </summary>
- ## <param name="domain">
-@@ -1210,6 +1549,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to read and write xdm
++##	Kill X servers
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_kill',`
++	gen_require(`
++		type xserver_t;
++	')
++
++	allow $1 xserver_t:process sigkill;
++')
++
++########################################
++## <summary>
++##	Read and write X server Sys V Shared
++##	memory segments.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_rw_shm',`
++	gen_require(`
++		type xserver_t;
++	')
++
++	allow $1 xserver_t:shm rw_shm_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write to
++##	X server sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xserver_dontaudit_rw_tcp_sockets',`
++	gen_require(`
++		type xserver_t;
++	')
++
++	dontaudit $1 xserver_t:tcp_socket { read write };
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write X server
 +##	unix domain stream sockets.
 +## </summary>
 +## <param name="domain">
@@ -31570,6 +31967,26 @@ index 6bf0ecc2d..75b2f31f9 100644
 +##	</summary>
 +## </param>
 +#
++interface(`xserver_dontaudit_rw_stream_sockets',`
++	gen_require(`
++		type xserver_t;
++	')
++
++	dontaudit $1 xserver_t:unix_stream_socket { read write };
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write xdm
++##	unix domain stream sockets.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1031,18 +1576,245 @@ interface(`xserver_read_xdm_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_read_xdm_tmp_files',`
 +interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
 +	gen_require(`
 +		type xdm_t;
@@ -31580,13 +31997,22 @@ index 6bf0ecc2d..75b2f31f9 100644
 +
 +########################################
 +## <summary>
- ##	Connect to the X server over a unix domain
- ##	stream socket.
- ## </summary>
-@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',`
- 
- 	files_search_tmp($1)
- 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++##	Connect to the X server over a unix domain
++##	stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_stream_connect',`
++	gen_require(`
++		type xserver_t, xserver_tmp_t;
++	')
++
++	files_search_tmp($1)
++	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
 +	allow xserver_t $1:shm rw_shm_perms;
 +')
 +
@@ -31607,27 +32033,45 @@ index 6bf0ecc2d..75b2f31f9 100644
 +    ')
 +
 +    stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
- ')
- 
- ########################################
-@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',`
- ## <summary>
- ##	Interface to provide X object permissions on a given X server to
- ##	an X client domain.  Gives the domain permission to read the
--##      virtual core keyboard and virtual core pointer devices.
++')
++
++########################################
++## <summary>
++##	Read X server temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_read_tmp_files',`
++	gen_require(`
++		type xserver_tmp_t;
++	')
++
++	allow $1 xserver_tmp_t:file read_file_perms;
++	files_search_tmp($1)
++')
++
++########################################
++## <summary>
++##	Interface to provide X object permissions on a given X server to
++##	an X client domain.  Gives the domain permission to read the
 +##	virtual core keyboard and virtual core pointer devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',`
- #
- interface(`xserver_manage_core_devices',`
- 	gen_require(`
--		type xserver_t;
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_manage_core_devices',`
++	gen_require(`
 +		type xserver_t, root_xdrawable_t, xevent_t;
- 		class x_device all_x_device_perms;
- 		class x_pointer all_x_pointer_perms;
- 		class x_keyboard all_x_keyboard_perms;
++		class x_device all_x_device_perms;
++		class x_pointer all_x_pointer_perms;
++		class x_keyboard all_x_keyboard_perms;
 +		class x_screen all_x_screen_perms;
 +		class x_drawable { manage };
 +		attribute x_domain;
@@ -31635,9 +32079,9 @@ index 6bf0ecc2d..75b2f31f9 100644
 +		class x_resource all_x_resource_perms;
 +		class x_synthetic_event all_x_synthetic_event_perms;
 +		class x_cursor all_x_cursor_perms;
- 	')
- 
- 	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
++	')
++
++	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
 +	allow $1 xserver_t:{ x_screen } setattr;
 +	
 +	allow $1 x_domain:x_cursor all_x_cursor_perms;
@@ -31645,21 +32089,28 @@ index 6bf0ecc2d..75b2f31f9 100644
 +	allow $1 x_domain:x_resource all_x_resource_perms;
 +	allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
 +	allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
- ')
- 
- ########################################
-@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',`
- #
- interface(`xserver_unconfined',`
- 	gen_require(`
--		attribute x_domain;
--		attribute xserver_unconfined_type;
++')
++
++########################################
++## <summary>
++##	Interface to provide X object permissions on a given X server to
++##	an X client domain.  Gives the domain complete control over the
++##	display.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_unconfined',`
++	gen_require(`
 +		attribute x_domain, xserver_unconfined_type;
- 	')
- 
- 	typeattribute $1 x_domain;
- 	typeattribute $1 xserver_unconfined_type;
- ')
++	')
++
++	typeattribute $1 x_domain;
++	typeattribute $1 xserver_unconfined_type;
++')
 +
 +########################################
 +## <summary>
@@ -31763,115 +32214,144 @@ index 6bf0ecc2d..75b2f31f9 100644
 +## </param>
 +#
 +interface(`xserver_xdm_manage_spool',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_tmp_t;
 +		type xdm_spool_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+-	dontaudit $1 xdm_tmp_t:file read_file_perms;
 +	files_search_spool($1)
 +	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read write xdm temporary files.
 +##	Send and receive messages from
 +##	xdm over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1050,18 +1822,20 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_rw_xdm_tmp_files',`
 +interface(`xserver_dbus_chat_xdm',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_tmp_t;
 +		type xdm_t;
 +		class dbus send_msg;
-+	')
-+
+ 	')
+ 
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
+-	allow $1 xdm_tmp_t:file rw_file_perms;
 +	allow $1 xdm_t:dbus send_msg;
 +	allow xdm_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete xdm temporary files.
 +##	Send and receive messages from
 +##	xdm over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1069,55 +1843,57 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_manage_xdm_tmp_files',`
 +interface(`xserver_dbus_chat',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_tmp_t;
 +		type xserver_t;
 +		class dbus send_msg;
-+	')
-+
+ 	')
+ 
+-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 +	allow $1 xserver_t:dbus send_msg;
 +	allow xserver_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	xdm temporary named sockets.
 +##	Read xserver files created in /var/run
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 +interface(`xserver_read_pid',`
-+	gen_require(`
+ 	gen_require(`
+-		type xdm_tmp_t;
 +		type xserver_var_run_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 xdm_tmp_t:sock_file getattr;
 +	files_search_pids($1)
 +	read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute the X server in the X server domain.
 +##	Execute xserver files created in /var/run
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed to transition.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_domtrans',`
 +interface(`xserver_exec_pid',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_t, xserver_exec_t;
 +		type xserver_var_run_t;
-+	')
-+
+ 	')
+ 
+- 	allow $1 xserver_t:process siginh;
+-	domtrans_pattern($1, xserver_exec_t, xserver_t)
 +	files_search_pids($1)
 +	exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Signal X servers
 +##	Write xserver files created in /var/run
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1125,17 +1901,73 @@ interface(`xserver_domtrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_signal',`
 +interface(`xserver_write_pid',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_t;
 +		type xserver_var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 xserver_t:process signal;
 +	files_search_pids($1)
 +	write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Kill X servers
 +##	Allow append the xdm
 +##	log files.
 +## </summary>
@@ -31928,71 +32408,89 @@ index 6bf0ecc2d..75b2f31f9 100644
 +########################################
 +## <summary>
 +##	Read a user Iceauthority domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1143,18 +1975,18 @@ interface(`xserver_signal',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_kill',`
 +interface(`xserver_read_user_iceauth',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_t;
 +		type iceauth_home_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 xserver_t:process sigkill;
 +	# Read .Iceauthority file
 +	allow $1 iceauth_home_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write X server Sys V Shared
+-##	memory segments.
 +##	Read/write inherited user homedir fonts.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1162,132 +1994,362 @@ interface(`xserver_kill',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_rw_shm',`
 +interface(`xserver_rw_inherited_user_fonts',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_t;
 +		type user_fonts_t, user_fonts_config_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 xserver_t:shm rw_shm_perms;
 +	allow $1 user_fonts_t:file rw_inherited_file_perms;
 +	allow $1 user_fonts_t:file read_lnk_file_perms;
 +
 +	allow $1 user_fonts_config_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write to
+-##	X server sockets.
 +##	Search XDM var lib dirs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_rw_tcp_sockets',`
 +interface(`xserver_search_xdm_lib',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_t;
 +		type xdm_var_lib_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 xserver_t:tcp_socket { read write };
 +	allow $1 xdm_var_lib_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write X server
+-##	unix domain stream sockets.
 +##	Make an X executable an entrypoint for the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	The domain for which the shell is an entrypoint.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_dontaudit_rw_stream_sockets',`
 +interface(`xserver_entry_type',`
 +	gen_require(`
 +		type xserver_exec_t;
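Review bot: The rebased hunk now records deletions of the upstream interfaces `xserver_kill` (L3450), `xserver_rw_shm` (L3488), `xserver_dontaudit_rw_tcp_sockets` (L3528) and `xserver_dontaudit_rw_stream_sockets` (L3565), together with their `gen_require` types and rules, where the old version of the patch only inserted the Fedora interfaces next to the base text. This reads like diff realignment against a newer base rather than an intentional removal, but the patched xserver.if has to re-declare each of those interfaces somewhere else, otherwise every module that calls them fails to link at policy build time. The same pattern recurs in the next hunk for `xserver_stream_connect` (L3616), `xserver_read_tmp_files` (L3655), `xserver_manage_core_devices` (L3699) and `xserver_unconfined` (L3742); a build of the full policy, or a grep of the patched file for those interface names, would settle it.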
@@ -32019,99 +32517,128 @@ index 6bf0ecc2d..75b2f31f9 100644
 +## <rolecap/>
 +#
 +interface(`xserver_run',`
-+	gen_require(`
-+		type xserver_t;
-+	')
-+
+ 	gen_require(`
+ 		type xserver_t;
+ 	')
+ 
+-	dontaudit $1 xserver_t:unix_stream_socket { read write };
 +	xserver_domtrans($1)
 +	role $2 types xserver_t;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Connect to the X server over a unix domain
+-##	stream socket.
 +##	Execute xsever in the xserver domain, and
 +##	allow the specified role the xserver domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed the xserver domain.
 +##	</summary>
 +## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`xserver_stream_connect',`
 +interface(`xserver_run_xauth',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_t, xserver_tmp_t;
 +		type xauth_t;
-+	')
-+
+ 	')
+ 
+-	files_search_tmp($1)
+-	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
 +	xserver_domtrans_xauth($1)
 +	role $2 types xauth_t;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read X server temporary files.
 +##	Read user homedir fonts.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`xserver_read_tmp_files',`
 +interface(`xserver_read_home_fonts',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_tmp_t;
 +		type user_fonts_t, user_fonts_config_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 xserver_tmp_t:file read_file_perms;
+-	files_search_tmp($1)
 +	list_dirs_pattern($1, user_fonts_t, user_fonts_t)
 +	read_files_pattern($1, user_fonts_t, user_fonts_t)
 +	read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
 +
 +	read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Interface to provide X object permissions on a given X server to
+-##	an X client domain.  Gives the domain permission to read the
+-##      virtual core keyboard and virtual core pointer devices.
 +##	Manage user fonts dir.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`xserver_manage_core_devices',`
 +interface(`xserver_manage_user_fonts_dir',`
-+	gen_require(`
+ 	gen_require(`
+-		type xserver_t;
+-		class x_device all_x_device_perms;
+-		class x_pointer all_x_pointer_perms;
+-		class x_keyboard all_x_keyboard_perms;
 +		type user_fonts_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
 +	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
 +	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Interface to provide X object permissions on a given X server to
+-##	an X client domain.  Gives the domain complete control over the
+-##	display.
 +##	Manage user homedir fonts.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`xserver_unconfined',`
 +interface(`xserver_manage_home_fonts',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute x_domain;
+-		attribute xserver_unconfined_type;
 +		type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
-+	')
-+
+ 	')
+ 
+-	typeattribute $1 x_domain;
+-	typeattribute $1 xserver_unconfined_type;
 +	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
 +	manage_files_pattern($1, user_fonts_t, user_fonts_t)
 +	manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
@@ -32293,7 +32820,7 @@ index 6bf0ecc2d..75b2f31f9 100644
 +	')
 +
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -35072,7 +35599,7 @@ index 3efd5b669..a8cb6df3d 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791dcc..498375fcf 100644
+index 09b791dcc..c6721f846 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -35156,7 +35683,7 @@ index 09b791dcc..498375fcf 100644
  type updpwd_t;
  type updpwd_exec_t;
  domain_type(updpwd_t)
-@@ -90,7 +112,7 @@ logging_log_file(wtmp_t)
+@@ -90,11 +112,11 @@ logging_log_file(wtmp_t)
  # Check password local policy
  #
  
@@ -35165,6 +35692,11 @@ index 09b791dcc..498375fcf 100644
  dontaudit chkpwd_t self:capability sys_tty_config;
  allow chkpwd_t self:process { getattr signal };
  
+-allow chkpwd_t shadow_t:file read_file_perms;
++allow chkpwd_t shadow_t:file { read_file_perms map };
+ files_list_etc(chkpwd_t)
+ 
+ kernel_read_crypto_sysctls(chkpwd_t)
 @@ -109,6 +131,9 @@ dev_read_urand(chkpwd_t)
  files_read_etc_files(chkpwd_t)
  # for nscd
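Review bot: The new rule at L3790 adds `map` to chkpwd_t's access on shadow_t with no comment saying which code path needs to memory-map the shadow password database rather than read it through the file API, so the widening will be carried forward silently in later rebases. Suggest a comment directly above the line, e.g. `# <consumer> mmaps the shadow database when verifying passwords -- TODO confirm`, naming the library or helper that triggered the denial. If only the plain glibc lookup is involved, check whether `read_file_perms` alone still satisfies it before keeping `map`.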
@@ -38209,7 +38741,7 @@ index 79a45f62e..0244681f0 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..fecc37500 100644
+index 17eda2480..5bff55bd3 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -38534,7 +39066,7 @@ index 17eda2480..fecc37500 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +350,303 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +350,304 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -38762,6 +39294,7 @@ index 17eda2480..fecc37500 100644
 +systemd_read_unit_files(initrc_t)
 +systemd_login_status(init_t)
 +systemd_map_networkd_exec_files(init_t)
++systemd_map_resolved_exec_files(init_t)
 +
 +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 +
@@ -38847,7 +39380,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  optional_policy(`
-@@ -216,7 +654,35 @@ optional_policy(`
+@@ -216,7 +655,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38884,7 +39417,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  ########################################
-@@ -225,9 +691,9 @@ optional_policy(`
+@@ -225,9 +692,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38896,7 +39429,7 @@ index 17eda2480..fecc37500 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +724,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +725,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38913,7 +39446,7 @@ index 17eda2480..fecc37500 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +749,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +750,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -38956,7 +39489,7 @@ index 17eda2480..fecc37500 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +786,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +787,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -38968,7 +39501,7 @@ index 17eda2480..fecc37500 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +798,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +799,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -38979,7 +39512,7 @@ index 17eda2480..fecc37500 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +809,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +810,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -38989,7 +39522,7 @@ index 17eda2480..fecc37500 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +818,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +819,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -38997,7 +39530,7 @@ index 17eda2480..fecc37500 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +825,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +826,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -39005,7 +39538,7 @@ index 17eda2480..fecc37500 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +833,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +834,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -39023,7 +39556,7 @@ index 17eda2480..fecc37500 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +851,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +852,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -39037,7 +39570,7 @@ index 17eda2480..fecc37500 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +866,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +867,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -39051,7 +39584,7 @@ index 17eda2480..fecc37500 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +879,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +880,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -39062,7 +39595,7 @@ index 17eda2480..fecc37500 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +892,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +893,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -39070,7 +39603,7 @@ index 17eda2480..fecc37500 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +911,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +912,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -39094,7 +39627,7 @@ index 17eda2480..fecc37500 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +944,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +945,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -39102,7 +39635,7 @@ index 17eda2480..fecc37500 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +978,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +979,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -39113,7 +39646,7 @@ index 17eda2480..fecc37500 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +1002,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +1003,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -39122,7 +39655,7 @@ index 17eda2480..fecc37500 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +1017,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +1018,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -39130,7 +39663,7 @@ index 17eda2480..fecc37500 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1038,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1039,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -39138,7 +39671,7 @@ index 17eda2480..fecc37500 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1048,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1049,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -39183,7 +39716,7 @@ index 17eda2480..fecc37500 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1093,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1094,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -39215,7 +39748,7 @@ index 17eda2480..fecc37500 100644
  	')
  ')
  
-@@ -577,6 +1128,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1129,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -39255,7 +39788,7 @@ index 17eda2480..fecc37500 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1173,8 @@ optional_policy(`
+@@ -589,6 +1174,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -39264,7 +39797,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1196,7 @@ optional_policy(`
+@@ -610,6 +1197,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -39272,7 +39805,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1213,17 @@ optional_policy(`
+@@ -626,6 +1214,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39290,7 +39823,7 @@ index 17eda2480..fecc37500 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1240,13 @@ optional_policy(`
+@@ -642,9 +1241,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -39304,7 +39837,7 @@ index 17eda2480..fecc37500 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1259,11 @@ optional_policy(`
+@@ -657,15 +1260,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39322,7 +39855,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1284,15 @@ optional_policy(`
+@@ -686,6 +1285,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39338,7 +39871,7 @@ index 17eda2480..fecc37500 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1333,7 @@ optional_policy(`
+@@ -726,6 +1334,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -39346,7 +39879,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1351,13 @@ optional_policy(`
+@@ -743,7 +1352,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39361,7 +39894,7 @@ index 17eda2480..fecc37500 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1380,10 @@ optional_policy(`
+@@ -766,6 +1381,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39372,7 +39905,7 @@ index 17eda2480..fecc37500 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1393,20 @@ optional_policy(`
+@@ -775,10 +1394,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39393,7 +39926,7 @@ index 17eda2480..fecc37500 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1415,10 @@ optional_policy(`
+@@ -787,6 +1416,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39404,7 +39937,7 @@ index 17eda2480..fecc37500 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1440,6 @@ optional_policy(`
+@@ -808,8 +1441,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39413,7 +39946,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1448,10 @@ optional_policy(`
+@@ -818,6 +1449,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39424,7 +39957,7 @@ index 17eda2480..fecc37500 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1461,12 @@ optional_policy(`
+@@ -827,10 +1462,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -39437,7 +39970,7 @@ index 17eda2480..fecc37500 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1493,62 @@ optional_policy(`
+@@ -857,21 +1494,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39446,6 +39979,7 @@ index 17eda2480..fecc37500 100644
 +	virt_noatsecure(init_t)
 +	virt_rlimitinh(init_t)
 +	virt_transition_svirt_sandbox(init_t, system_r)
++	virt_manage_sandbox_files(init_t)
 +')
 +
 +optional_policy(`
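Review bot: `virt_manage_sandbox_files(init_t)` at L4169 extends init_t from transitioning into the svirt sandbox (L4168) to, judging by the interface name, creating, writing and deleting files of the sandbox types, and nothing in the hunk records which init-driven operation needs write access to container content. Since init_t is PID 1, a rule this broad should carry its justification, e.g. `# <name the unit or operation that writes sandbox files>` on the line above, or be narrowed to a read/search interface if that is all the consumer needs. The enclosing `optional_policy` block starts outside this hunk.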
@@ -39501,7 +40035,7 @@ index 17eda2480..fecc37500 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1564,10 @@ optional_policy(`
+@@ -887,6 +1566,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39512,7 +40046,7 @@ index 17eda2480..fecc37500 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1578,218 @@ optional_policy(`
+@@ -897,3 +1580,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -40036,7 +40570,7 @@ index 0d4c8d35e..537aa4274 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd0417..07a92cc93 100644
+index 312cd0417..45c4b21dc 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -40152,7 +40686,7 @@ index 312cd0417..07a92cc93 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,22 +180,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,22 +180,34 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -40172,7 +40706,8 @@ index 312cd0417..07a92cc93 100644
  logging_send_syslog_msg(ipsec_t)
  
 -miscfiles_read_localization(ipsec_t)
--
++miscfiles_map_generic_certs(ipsec_t)
+ 
  sysnet_domtrans_ifconfig(ipsec_t)
 +sysnet_manage_config(ipsec_t)
 +sysnet_etc_filetrans_config(ipsec_t)
@@ -40187,7 +40722,7 @@ index 312cd0417..07a92cc93 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ipsec_t)
-@@ -182,19 +215,30 @@ optional_policy(`
+@@ -182,19 +217,30 @@ optional_policy(`
  	udev_read_db(ipsec_t)
  ')
  
@@ -40222,7 +40757,7 @@ index 312cd0417..07a92cc93 100644
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +252,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +254,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
  
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -40238,7 +40773,7 @@ index 312cd0417..07a92cc93 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +292,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +294,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -40255,7 +40790,7 @@ index 312cd0417..07a92cc93 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +311,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +313,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -40264,7 +40799,7 @@ index 312cd0417..07a92cc93 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -269,6 +327,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +329,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
  files_read_etc_files(ipsec_mgmt_t)
  files_exec_etc_files(ipsec_mgmt_t)
  files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -40272,7 +40807,7 @@ index 312cd0417..07a92cc93 100644
  files_read_usr_files(ipsec_mgmt_t)
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +337,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +339,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -40284,7 +40819,7 @@ index 312cd0417..07a92cc93 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +348,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +350,28 @@ init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
  init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
@@ -40318,7 +40853,7 @@ index 312cd0417..07a92cc93 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +393,10 @@ optional_policy(`
+@@ -322,6 +395,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40329,7 +40864,7 @@ index 312cd0417..07a92cc93 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +410,7 @@ optional_policy(`
+@@ -335,7 +412,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -40338,7 +40873,7 @@ index 312cd0417..07a92cc93 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +445,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +447,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -40358,7 +40893,7 @@ index 312cd0417..07a92cc93 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +475,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +477,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -40371,7 +40906,7 @@ index 312cd0417..07a92cc93 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +512,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +514,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -41828,7 +42363,7 @@ index b50c5fe81..9eacd9ba1 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e9488463..2db173f77 100644
+index 4e9488463..c54641fbb 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',`
@@ -42212,16 +42747,18 @@ index 4e9488463..2db173f77 100644
  ')
  
  ########################################
-@@ -859,7 +1136,7 @@ interface(`logging_manage_all_logs',`
+@@ -858,8 +1135,9 @@ interface(`logging_manage_all_logs',`
+ 	')
  
  	files_search_var($1)
++	manage_dirs_pattern($1, logfile, logfile)
  	manage_files_pattern($1, logfile, logfile)
 -	read_lnk_files_pattern($1, logfile, logfile)
 +	manage_lnk_files_pattern($1, logfile, logfile)
  ')
  
  ########################################
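Review bot: `manage_dirs_pattern($1, logfile, logfile)` at L4345 widens `logging_manage_all_logs` for every existing caller, which can now create, rename and delete directories of every type carrying the `logfile` attribute instead of only managing their files; callers that needed file-level management inherit this silently, and if auditd_log_t carries `logfile` that includes the audit log directory. Consider a separate interface such as `logging_manage_all_log_dirs` for the one caller that needs it, or at least a comment above the new line naming that caller. The interface's `gen_require` block starts outside the hunk.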
-@@ -880,11 +1157,69 @@ interface(`logging_read_generic_logs',`
+@@ -880,11 +1158,69 @@ interface(`logging_read_generic_logs',`
  
  	files_search_var($1)
  	allow $1 var_log_t:dir list_dir_perms;
@@ -42291,7 +42828,7 @@ index 4e9488463..2db173f77 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -905,6 +1240,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1241,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -42316,7 +42853,7 @@ index 4e9488463..2db173f77 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -984,11 +1337,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1338,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -42334,7 +42871,7 @@ index 4e9488463..2db173f77 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1362,55 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1363,55 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -42390,7 +42927,7 @@ index 4e9488463..2db173f77 100644
  ')
  
  ########################################
-@@ -1032,10 +1439,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1440,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -42408,7 +42945,7 @@ index 4e9488463..2db173f77 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1469,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1470,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -42417,7 +42954,7 @@ index 4e9488463..2db173f77 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1499,110 @@ interface(`logging_admin',`
+@@ -1085,3 +1500,110 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -43848,7 +44385,7 @@ index 9fe8e01e3..6aa1ea05a 100644
  /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
  ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc31b..1701f0861 100644
+index fc28bc31b..73fc71dbc 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
@@ -43966,7 +44503,7 @@ index fc28bc31b..1701f0861 100644
  ##	Manage SSL certificates.
  ## </summary>
  ## <param name="domain">
-@@ -191,6 +269,7 @@ interface(`miscfiles_read_fonts',`
+@@ -191,11 +269,13 @@ interface(`miscfiles_read_fonts',`
  
  	allow $1 fonts_t:dir list_dir_perms;
  	read_files_pattern($1, fonts_t, fonts_t)
@@ -43974,7 +44511,13 @@ index fc28bc31b..1701f0861 100644
  	read_lnk_files_pattern($1, fonts_t, fonts_t)
  
  	allow $1 fonts_cache_t:dir list_dir_perms;
-@@ -414,6 +493,7 @@ interface(`miscfiles_read_localization',`
+ 	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ 	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
++    allow $1 fonts_cache_t:file map;
+ ')
+ 
+ ########################################
+@@ -414,6 +494,7 @@ interface(`miscfiles_read_localization',`
  	allow $1 locale_t:dir list_dir_perms;
  	read_files_pattern($1, locale_t, locale_t)
  	read_lnk_files_pattern($1, locale_t, locale_t)
@@ -43982,7 +44525,7 @@ index fc28bc31b..1701f0861 100644
  ')
  
  ########################################
-@@ -434,6 +514,7 @@ interface(`miscfiles_rw_localization',`
+@@ -434,6 +515,7 @@ interface(`miscfiles_rw_localization',`
  	files_search_usr($1)
  	allow $1 locale_t:dir list_dir_perms;
  	rw_files_pattern($1, locale_t, locale_t)
@@ -43990,7 +44533,7 @@ index fc28bc31b..1701f0861 100644
  ')
  
  ########################################
-@@ -453,6 +534,7 @@ interface(`miscfiles_relabel_localization',`
+@@ -453,6 +535,7 @@ interface(`miscfiles_relabel_localization',`
  
  	files_search_usr($1)
  	relabel_files_pattern($1, locale_t, locale_t)
@@ -43998,7 +44541,7 @@ index fc28bc31b..1701f0861 100644
  ')
  
  ########################################
-@@ -470,7 +552,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -470,7 +553,6 @@ interface(`miscfiles_legacy_read_localization',`
  		type locale_t;
  	')
  
@@ -44006,7 +44549,7 @@ index fc28bc31b..1701f0861 100644
  	allow $1 locale_t:file execute;
  ')
  
-@@ -531,6 +612,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +613,10 @@ interface(`miscfiles_read_man_pages',`
  	allow $1 { man_cache_t man_t }:dir list_dir_perms;
  	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -44017,7 +44560,7 @@ index fc28bc31b..1701f0861 100644
  ')
  
  ########################################
-@@ -554,6 +639,29 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +640,29 @@ interface(`miscfiles_delete_man_pages',`
  	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -44047,7 +44590,7 @@ index fc28bc31b..1701f0861 100644
  ')
  
  ########################################
-@@ -622,6 +730,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +731,30 @@ interface(`miscfiles_manage_man_cache',`
  
  ########################################
  ## <summary>
@@ -44078,7 +44621,7 @@ index fc28bc31b..1701f0861 100644
  ##	Read public files used for file
  ##	transfer services.
  ## </summary>
-@@ -784,8 +916,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +917,11 @@ interface(`miscfiles_etc_filetrans_localization',`
  		type locale_t;
  	')
  
@@ -44092,7 +44635,7 @@ index fc28bc31b..1701f0861 100644
  ')
  
  ########################################
-@@ -809,3 +944,81 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +945,81 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -48621,10 +49164,10 @@ index 000000000..121b42208
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 000000000..dc06d3b3f
+index 000000000..a739a2645
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1898 @@
+@@ -0,0 +1,1916 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -50523,12 +51066,30 @@ index 000000000..dc06d3b3f
 +
 +	allow $1 systemd_networkd_exec_t:file map;
 +')
++
++########################################
++## <summary>
++##	Mmap systemd_resolved_exec_t files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_map_resolved_exec_files',`
++	gen_require(`
++		type systemd_resolved_exec_t;
++	')
++
++	allow $1 systemd_resolved_exec_t:file map;
++')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..598ce3fca
+index 000000000..621b8cffc
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1041 @@
+@@ -0,0 +1,1042 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -50596,6 +51157,7 @@ index 000000000..598ce3fca
 +files_pid_file(systemd_bootchart_var_run_t)
 +
 +systemd_domain_template(systemd_resolved)
++init_nnp_daemon_domain(systemd_resolved_t)
 +
 +type systemd_resolved_var_run_t;
 +files_pid_file(systemd_resolved_var_run_t)
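Review bot: `init_nnp_daemon_domain(systemd_resolved_t)` is added with no comment recording why, and unlike the type/file declarations around it this call concerns how the domain is entered rather than what it may access. A one-line why-comment above it, e.g. `# systemd-resolved.service runs with NoNewPrivileges=, so the init transition must be allowed under nnp` (presumably the motivation — confirm against the unit file), would keep a later cleanup from dropping it. The systemd_resolved_t declarations continue outside this hunk.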
@@ -52993,7 +53555,7 @@ index db7597682..c54480a1d 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..562afbe9a 100644
+index 9dc60c6c0..3f5aa5f3b 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -55352,7 +55914,15 @@ index 9dc60c6c0..562afbe9a 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2950,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2075,6 +2905,7 @@ interface(`userdom_manage_user_home_content_files',`
+ 
+ 	manage_files_pattern($1, user_home_t, user_home_t)
+ 	allow $1 user_home_dir_t:dir search_dir_perms;
++	allow $1 user_home_t:file map;
+ 	files_search_home($1)
+ ')
+ 
+@@ -2120,7 +2951,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -55361,7 +55931,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2958,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2959,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -55385,7 +55955,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2976,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2977,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -55401,7 +55971,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -2388,18 +3216,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3217,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -55459,7 +56029,7 @@ index 9dc60c6c0..562afbe9a 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3278,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3279,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -55468,7 +56038,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -2455,6 +3319,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3320,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -55494,7 +56064,7 @@ index 9dc60c6c0..562afbe9a 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3421,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3422,7 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -55503,7 +56073,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2546,19 +3429,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3430,19 @@ interface(`userdom_manage_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -55526,7 +56096,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2566,19 +3449,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3450,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -55549,7 +56119,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2586,20 +3469,61 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,20 +3470,61 @@ interface(`userdom_manage_user_tmp_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -55616,7 +56186,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2661,6 +3585,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3586,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -55638,7 +56208,7 @@ index 9dc60c6c0..562afbe9a 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3611,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3612,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -55660,7 +56230,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3626,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3627,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -55683,7 +56253,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3641,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3642,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -55744,7 +56314,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -2814,6 +3785,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3786,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -55769,7 +56339,7 @@ index 9dc60c6c0..562afbe9a 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3821,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3822,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -55812,7 +56382,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3857,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3858,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -55850,7 +56420,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -2882,8 +3902,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3903,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -55880,7 +56450,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -2955,6 +3994,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3995,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -55923,7 +56493,7 @@ index 9dc60c6c0..562afbe9a 100644
  ########################################
  ## <summary>
  ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2978,24 +4053,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4054,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -55948,7 +56518,7 @@ index 9dc60c6c0..562afbe9a 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4071,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4072,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -55960,7 +56530,7 @@ index 9dc60c6c0..562afbe9a 100644
  ##	memory segments.
  ## </summary>
  ## <param name="domain">
-@@ -3025,17 +4082,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4083,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -55981,7 +56551,7 @@ index 9dc60c6c0..562afbe9a 100644
  ##	memory segments.
  ## </summary>
  ## <param name="domain">
-@@ -3044,12 +4101,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4102,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
  ##	</summary>
  ## </param>
  #
@@ -55996,7 +56566,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -3094,7 +4151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4152,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -56005,7 +56575,7 @@ index 9dc60c6c0..562afbe9a 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4168,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -56039,7 +56609,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -3214,7 +4255,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4256,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -56066,7 +56636,7 @@ index 9dc60c6c0..562afbe9a 100644
  ')
  
  ########################################
-@@ -3269,12 +4328,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4329,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -56082,7 +56652,7 @@ index 9dc60c6c0..562afbe9a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,46 +4342,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4343,122 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -56218,7 +56788,7 @@ index 9dc60c6c0..562afbe9a 100644
  	')
  
  	allow $1 userdomain:process getattr;
-@@ -3382,6 +4518,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4519,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -56261,7 +56831,7 @@ index 9dc60c6c0..562afbe9a 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4574,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4575,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -56322,7 +56892,7 @@ index 9dc60c6c0..562afbe9a 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4661,1835 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4662,1853 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -57303,6 +57873,24 @@ index 9dc60c6c0..562afbe9a 100644
 +
 +########################################
 +## <summary>
++##	mmap system SSL certificates in the users homedir.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_map_home_certs',`
++	gen_require(`
++        type home_cert_t;
++	')
++
++    allow $1 home_cert_t:file map;
++')
++
++########################################
++## <summary>
 +##	Manage system SSL certificates in the users homedir.
 +## </summary>
 +## <param name="domain">
@@ -58159,7 +58747,7 @@ index 9dc60c6c0..562afbe9a 100644
 +	')
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38dc7..f3819687f 100644
+index f4ac38dc7..0fce86e80 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -58248,7 +58836,7 @@ index f4ac38dc7..f3819687f 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,397 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,399 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -58397,12 +58985,14 @@ index f4ac38dc7..f3819687f 100644
 +    fs_manage_cifs_dirs(userdom_home_manager_type)
 +    fs_manage_cifs_files(userdom_home_manager_type)
 +    fs_manage_cifs_symlinks(userdom_home_manager_type)
++    fs_map_cifs_files(userdom_home_manager_type)
 +')
 +
 +tunable_policy(`use_fusefs_home_dirs',`
 +    fs_manage_fusefs_dirs(userdom_home_manager_type)
 +    fs_manage_fusefs_files(userdom_home_manager_type)
 +    fs_manage_fusefs_symlinks(userdom_home_manager_type)
++    fs_mmap_fusefs_files(userdom_home_manager_type)
 +')
 +
 +tunable_policy(`use_ecryptfs_home_dirs',`
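Review bot: The two new calls name the same capability differently, `fs_map_cifs_files(userdom_home_manager_type)` versus `fs_mmap_fusefs_files(userdom_home_manager_type)`; confirm that both identifiers exist in filesystem.if with exactly that spelling, because a misspelled interface name only surfaces at policy build time, and consider aligning the naming if one of them is the odd one out. Both enclosing tunable_policy blocks begin before this hunk.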
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 72de4e2..3e59f8b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3302,10 +3302,10 @@ index 000000000..36251b926
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 000000000..547ee89dd
+index 000000000..1d22415a4
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,275 @@
+@@ -0,0 +1,276 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -3389,6 +3389,7 @@ index 000000000..547ee89dd
 +manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++allow antivirus_t antivirus_db_t:file map;
 +
 +manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
 +manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
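Review bot: `allow antivirus_t antivirus_db_t:file map;` grants the new permission to antivirus_t only, while every neighbouring rule on antivirus_db_t is written against the antivirus_domain attribute. If the other domains carrying that attribute also mmap the signature database, the rule should read `allow antivirus_domain antivirus_db_t:file map;`; if the narrower subject is deliberate, a short comment saying so would stop the next reader from "fixing" it. The run of antivirus_db_t rules begins before this hunk.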
@@ -8635,7 +8636,7 @@ index 50c9b9c87..533a555a2 100644
 +	allow $1 arpwatch_unit_file_t:service all_service_perms;
  ')
 diff --git a/arpwatch.te b/arpwatch.te
-index 2d7bf345b..766a91a41 100644
+index 2d7bf345b..bb5b35fe4 100644
 --- a/arpwatch.te
 +++ b/arpwatch.te
 @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -8648,16 +8649,19 @@ index 2d7bf345b..766a91a41 100644
  ########################################
  #
  # Local policy
-@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
+@@ -31,8 +34,10 @@ dontaudit arpwatch_t self:capability sys_tty_config;
+ allow arpwatch_t self:process signal_perms;
+ allow arpwatch_t self:unix_stream_socket { accept listen };
  allow arpwatch_t self:tcp_socket { accept listen };
- allow arpwatch_t self:packet_socket create_socket_perms;
+-allow arpwatch_t self:packet_socket create_socket_perms;
++allow arpwatch_t self:packet_socket { create_socket_perms map };
  allow arpwatch_t self:socket create_socket_perms;
 +allow arpwatch_t self:netlink_socket create_socket_perms;
 +allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
  
  manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
  manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+@@ -45,13 +50,26 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
  manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
  files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
  
@@ -8681,8 +8685,11 @@ index 2d7bf345b..766a91a41 100644
 +
  dev_read_sysfs(arpwatch_t)
  dev_read_usbmon_dev(arpwatch_t)
++dev_map_usbmon_dev(arpwatch_t)
  dev_rw_generic_usb_dev(arpwatch_t)
-@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t)
+ 
+ fs_getattr_all_fs(arpwatch_t)
+@@ -59,15 +77,12 @@ fs_search_auto_mountpoints(arpwatch_t)
  
  domain_use_interactive_fds(arpwatch_t)
  
@@ -11707,10 +11714,10 @@ index 1b22262d5..d9ea246a1 100644
 +	')
  ')
 diff --git a/bugzilla.te b/bugzilla.te
-index 18623e39e..c62f617e1 100644
+index 18623e39e..300b2b0c0 100644
 --- a/bugzilla.te
 +++ b/bugzilla.te
-@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0)
+@@ -6,42 +6,57 @@ policy_module(bugzilla, 1.1.0)
  #
  
  apache_content_template(bugzilla)
@@ -11725,7 +11732,9 @@ index 18623e39e..c62f617e1 100644
  #
  
 -allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
++allow bugzilla_script_t self:netlink_route_socket create_netlink_socket_perms;
 +allow bugzilla_script_t self:tcp_socket { accept listen };
++allow bugzilla_script_t self:udp_socket create_socket_perms;
 +
 +corenet_all_recvfrom_netlabel(bugzilla_script_t)
 +corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
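Review bot: `allow bugzilla_script_t self:netlink_route_socket create_netlink_socket_perms;` together with the new `allow bugzilla_script_t self:udp_socket create_socket_perms;` is the socket pair that name resolution needs, and refpolicy normally expresses it as `sysnet_dns_name_resolve(bugzilla_script_t)` rather than raw self rules. If these were added for DNS lookups, the interface call is the clearer form and keeps the grant in one place; if some other UDP or netlink use is intended, a comment naming it would help. The bugzilla_script_t rule block continues beyond this hunk.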
@@ -16275,7 +16284,7 @@ index 8e27a37c1..c69be28b9 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 9f2dfb233..5f29a909f 100644
+index 9f2dfb233..e8a9f990a 100644
 --- a/colord.te
 +++ b/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
@@ -16382,7 +16391,7 @@ index 9f2dfb233..5f29a909f 100644
  ')
  
  optional_policy(`
-@@ -134,6 +145,23 @@ optional_policy(`
+@@ -134,6 +145,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16401,6 +16410,7 @@ index 9f2dfb233..5f29a909f 100644
 +	xserver_read_inherited_xdm_lib_files(colord_t)
 +    # allow to read /run/initial-setup-$username
 +    xserver_read_xdm_pid(colord_t)
++    xserver_map_xdm_pid(colord_t)
 +')
 +
 +optional_policy(`
@@ -21748,7 +21758,7 @@ index 3023be7f6..5afde8039 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
  ')
 diff --git a/cups.te b/cups.te
-index c91813ccb..dd52ab6ad 100644
+index c91813ccb..a4f635cb9 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21941,10 +21951,10 @@ index c91813ccb..dd52ab6ad 100644
  files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
  
 -allow cupsd_t hplip_t:process { signal sigkill };
+-
+-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 +allow cupsd_t cupsd_unit_file_t:file read_file_perms;
  
--read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
--
 -allow cupsd_t hplip_var_run_t:file read_file_perms;
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -22292,7 +22302,7 @@ index c91813ccb..dd52ab6ad 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -549,9 +609,9 @@ optional_policy(`
+@@ -549,9 +609,12 @@ optional_policy(`
  # Pdf local policy
  #
  
@@ -22301,10 +22311,13 @@ index c91813ccb..dd52ab6ad 100644
 +allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search  };
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 +allow cups_pdf_t cupsd_rw_etc_t:dir search;
++
++
++allow cups_pdf_t cupsd_etc_t:dir list_dir_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
  create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +626,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +629,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -22333,13 +22346,11 @@ index c91813ccb..dd52ab6ad 100644
 -	fs_manage_cifs_dirs(cups_pdf_t)
 -	fs_manage_cifs_files(cups_pdf_t)
 -')
-+userdom_home_manager(cups_pdf_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	lpd_manage_spool(cups_pdf_t)
-+	gnome_read_config(cups_pdf_t)
- ')
- 
+-')
+-
 -########################################
 -#
 -# HPLIP local policy
@@ -22441,11 +22452,13 @@ index c91813ccb..dd52ab6ad 100644
 -	lpd_read_config(hplip_t)
 -	lpd_manage_spool(hplip_t)
 -')
--
--optional_policy(`
++userdom_home_manager(cups_pdf_t)
+ 
+ optional_policy(`
 -	seutil_sigchld_newrole(hplip_t)
--')
--
++	gnome_read_config(cups_pdf_t)
+ ')
+ 
 -optional_policy(`
 -	snmp_read_snmp_var_lib_files(hplip_t)
 -')
@@ -22456,7 +22469,7 @@ index c91813ccb..dd52ab6ad 100644
  
  ########################################
  #
-@@ -735,7 +670,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +673,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -22464,7 +22477,7 @@ index c91813ccb..dd52ab6ad 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +679,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +682,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -22478,7 +22491,7 @@ index c91813ccb..dd52ab6ad 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -759,8 +691,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +694,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -22487,7 +22500,7 @@ index c91813ccb..dd52ab6ad 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +703,4 @@ optional_policy(`
+@@ -773,3 +706,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -32813,7 +32826,7 @@ index 1e29af196..6c64f55c3 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index dc49c715e..54df5e36e 100644
+index dc49c715e..e25890c3d 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -32898,7 +32911,7 @@ index dc49c715e..54df5e36e 100644
  ')
  
  tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -215,48 +218,52 @@ tunable_policy(`git_system_use_nfs',`
+@@ -215,48 +218,53 @@ tunable_policy(`git_system_use_nfs',`
  # CGI policy
  #
  
@@ -32914,6 +32927,7 @@ index dc49c715e..54df5e36e 100644
 +list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
 +read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
 +files_search_var_lib(git_script_t)
++allow git_script_t git_sys_content_t:file map;
  
 -auth_use_nsswitch(httpd_git_script_t)
 +auth_use_nsswitch(git_script_t)
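Review bot: `allow git_script_t git_sys_content_t:file map;` covers only git_sys_content_t, while the read_files_pattern two lines above grants read on both git_sys_content_t and git_user_content_t, so a CGI that mmaps a repository under user content will still be denied. If that split is intentional (user repositories being gated elsewhere), a comment saying so is enough; otherwise widen it to `allow git_script_t { git_sys_content_t git_user_content_t }:file map;`. The CGI policy section continues beyond this hunk.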
@@ -32973,7 +32987,7 @@ index dc49c715e..54df5e36e 100644
  ')
  
  ########################################
-@@ -266,12 +273,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +274,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -37998,6 +38012,16 @@ index 000000000..800eb43a1
 +	kerberos_keytab_template(gssproxy, gssproxy_t)
 +	kerberos_manage_host_rcache(gssproxy_t)
 +')
+diff --git a/guest.if b/guest.if
+index ad1653f9a..ff424b8e7 100644
+--- a/guest.if
++++ b/guest.if
+@@ -1,4 +1,4 @@
+-## <summary>Least privledge terminal user role.</summary>
++## <summary>Least privileged terminal user role.</summary>
+ 
+ ########################################
+ ## <summary>
 diff --git a/guest.te b/guest.te
 index 19cdbe1d7..060577633 100644
 --- a/guest.te
@@ -47901,7 +47925,7 @@ index dd8e01af3..9cd6b0b8e 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84b3..af94fb163 100644
+index be0ab84b3..a1dd2bcb9 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
@@ -48139,17 +48163,18 @@ index be0ab84b3..af94fb163 100644
  	fail2ban_stream_connect(logrotate_t)
  ')
  
-@@ -178,7 +257,8 @@ optional_policy(`
+@@ -178,7 +257,9 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	chronyd_read_key_files(logrotate_t)
++    chronyd_domtrans_chronyc(logrotate_t)
 +	chronyd_read_keys(logrotate_t)
 +	chronyd_manage_pid(logrotate_t)
  ')
  
  optional_policy(`
-@@ -198,17 +278,18 @@ optional_policy(`
+@@ -198,17 +279,18 @@ optional_policy(`
  ')
  
  optional_policy(`
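Review bot: `chronyd_domtrans_chronyc(logrotate_t)` is a domain transition rather than a file grant like the two chronyd lines beside it, and nothing in the hunk records why logrotate needs to run chronyc. A comment such as `# the chrony logrotate postrotate script runs chronyc cyclelogs` (presumably the reason — confirm against the shipped logrotate snippet) would make the intent clear to the next reader. The optional_policy block is fully inside the hunk.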
@@ -48171,7 +48196,7 @@ index be0ab84b3..af94fb163 100644
  ')
  
  optional_policy(`
-@@ -216,6 +297,14 @@ optional_policy(`
+@@ -216,6 +298,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48186,7 +48211,7 @@ index be0ab84b3..af94fb163 100644
  	samba_exec_log(logrotate_t)
  ')
  
-@@ -228,26 +317,50 @@ optional_policy(`
+@@ -228,26 +318,50 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50230,7 +50255,7 @@ index 327f3f726..d6ae4eab6 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index e6136fd37..afaa79b11 100644
+index e6136fd37..6975de1e6 100644
 --- a/mandb.te
 +++ b/mandb.te
 @@ -10,22 +10,46 @@ roleattribute system_r mandb_roles;
@@ -50299,6 +50324,15 @@ index e6136fd37..afaa79b11 100644
  
  ifdef(`distro_debian',`
  	optional_policy(`
+@@ -55,3 +82,8 @@ ifdef(`distro_debian',`
+ optional_policy(`
+ 	cron_system_entry(mandb_t, mandb_exec_t)
+ ')
++
++optional_policy(`
++    sssd_read_public_files(mandb_t)
++    sssd_stream_connect(mandb_t)
++')
 diff --git a/mcelog.if b/mcelog.if
 index f89651e75..c73214d81 100644
 --- a/mcelog.if
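Review bot: The new block adds `sssd_read_public_files(mandb_t)` and `sssd_stream_connect(mandb_t)` as a standalone optional_policy, which is the pair that auth_use_nsswitch already wraps for sssd-backed lookups. If mandb_t already calls auth_use_nsswitch earlier in mandb.te (not visible here) these two lines are redundant; if it does not, `auth_use_nsswitch(mandb_t)` is the conventional way to get them together with the rest of the NSS plumbing. The mandb.te hunk is complete within this chunk.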
@@ -55567,7 +55601,7 @@ index f42896cbf..fce39c1ce 100644
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac5a..4ea31b5e2 100644
+index ed81cac5a..120f913ab 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -56364,10 +56398,12 @@ index ed81cac5a..4ea31b5e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -911,45 +897,9 @@ interface(`mta_manage_spool',`
+@@ -909,47 +895,12 @@ interface(`mta_manage_spool',`
+ 	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
+ 	manage_files_pattern($1, mail_spool_t, mail_spool_t)
  	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
- ')
- 
+-')
+-
 -#######################################
 -## <summary>
 -##	Create specified objects in the
@@ -56402,8 +56438,9 @@ index ed81cac5a..4ea31b5e2 100644
 -
 -	files_search_spool($1)
 -	filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
--')
--
++    allow $1 mail_spool_t:file map;
+ ')
+ 
  ########################################
  ## <summary>
 -##	Search mail queue directories.
@@ -56411,7 +56448,7 @@ index ed81cac5a..4ea31b5e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -968,7 +918,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +919,7 @@ interface(`mta_search_queue',`
  
  #######################################
  ## <summary>
@@ -56420,7 +56457,7 @@ index ed81cac5a..4ea31b5e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -981,13 +931,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +932,13 @@ interface(`mta_list_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -56436,7 +56473,7 @@ index ed81cac5a..4ea31b5e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1000,14 +950,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +951,14 @@ interface(`mta_read_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -56453,7 +56490,7 @@ index ed81cac5a..4ea31b5e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1027,7 +977,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +978,7 @@ interface(`mta_dontaudit_rw_queue',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete
@@ -56462,7 +56499,7 @@ index ed81cac5a..4ea31b5e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1047,6 +997,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +998,41 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -56504,7 +56541,7 @@ index ed81cac5a..4ea31b5e2 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -1055,6 +1040,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1041,7 @@ interface(`mta_manage_queue',`
  ##	</summary>
  ## </param>
  #
@@ -56512,7 +56549,7 @@ index ed81cac5a..4ea31b5e2 100644
  interface(`mta_read_sendmail_bin',`
  	gen_require(`
  		type sendmail_exec_t;
-@@ -1065,8 +1051,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1052,8 @@ interface(`mta_read_sendmail_bin',`
  
  #######################################
  ## <summary>
@@ -56523,7 +56560,7 @@ index ed81cac5a..4ea31b5e2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1067,228 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1068,228 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -57844,10 +57881,10 @@ index b70870816..e2a5280c3 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index 06f8666df..2accd90d2 100644
+index 06f8666df..0256ba244 100644
 --- a/mysql.fc
 +++ b/mysql.fc
-@@ -1,27 +1,46 @@
+@@ -1,27 +1,47 @@
 -HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 -
 -/etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -57881,6 +57918,7 @@ index 06f8666df..2accd90d2 100644
 +# /usr
 +#
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
++/usr/bin/mysqld_safe_helper    --      gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
  /usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
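Review bot: The new `/usr/bin/mysqld_safe_helper` entry is aligned with runs of spaces while every neighbouring entry in mysql.fc (`/usr/bin/mysqld_safe`, `/usr/bin/mysql_upgrade`) uses tabs between path, `--` and `gen_context`; use tabs so the file stays uniform. Labelling the helper mysqld_exec_t means that executing it from mysqld_safe_t enters mysqld_t, assuming the usual domain transition on mysqld_exec_t, which is outside this hunk. If the helper, as its name suggests, runs briefly with root privileges, drops to the mysql user and then execs mysqld, mysqld_t will additionally need setuid/setgid capabilities and `can_exec` on mysqld_exec_t; that cannot be verified from a file-context line alone, so it is worth confirming against the audit log before shipping.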
@@ -58464,7 +58502,7 @@ index 687af38bb..5381f1b39 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe7c..327af4639 100644
+index 7584bbe7c..da5e85fc6 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@@ -58515,7 +58553,7 @@ index 7584bbe7c..327af4639 100644
  type mysqld_initrc_exec_t;
  init_script_file(mysqld_initrc_exec_t)
  
-@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,83 +66,102 @@ files_pid_file(mysqlmanagerd_var_run_t)
  # Local policy
  #
  
@@ -58553,7 +58591,12 @@ index 7584bbe7c..327af4639 100644
  logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
  
  manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+ files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
++allow mysqld_t mysqld_tmp_t:file map;
+ 
+ manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
  
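Review bot: `allow mysqld_t mysqld_tmp_t:file map;` is the only raw allow in this stretch of mysqld_t's tmp-file rules and carries no explanation; a comment such as `# mysqld mmaps its temporary files` would tell the next reader why write-and-map on a tmp type is wanted. The grant does not open a code-loading path as far as I can tell: without `execute` on mysqld_tmp_t a PROT_EXEC mapping of such a file is still refused, so the rule is acceptable as written.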
@@ -58638,7 +58681,7 @@ index 7584bbe7c..327af4639 100644
  ')
  
  optional_policy(`
-@@ -146,6 +168,10 @@ optional_policy(`
+@@ -146,6 +169,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58649,7 +58692,7 @@ index 7584bbe7c..327af4639 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -155,21 +181,20 @@ optional_policy(`
+@@ -155,21 +182,20 @@ optional_policy(`
  
  #######################################
  #
@@ -58677,7 +58720,7 @@ index 7584bbe7c..327af4639 100644
  
  list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +203,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -58688,7 +58731,7 @@ index 7584bbe7c..327af4639 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +211,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -58724,7 +58767,7 @@ index 7584bbe7c..327af4639 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -209,20 +240,21 @@ optional_policy(`
+@@ -209,20 +241,21 @@ optional_policy(`
  
  ########################################
  #
@@ -58753,7 +58796,7 @@ index 7584bbe7c..327af4639 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +263,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -61257,7 +61300,7 @@ index 86dc29dfa..cb39739a5 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f20095e..3299cc6c7 100644
+index 55f20095e..768b6d003 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -61354,7 +61397,7 @@ index 55f20095e..3299cc6c7 100644
  manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,30 +102,30 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,30 +102,32 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
  setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -61387,10 +61430,12 @@ index 55f20095e..3299cc6c7 100644
 +kernel_signull(NetworkManager_t)
  
 -corenet_all_recvfrom_unlabeled(NetworkManager_t)
++corenet_ib_manage_subnet_unlabeled_endports(NetworkManager_t)
++corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,36 +136,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,36 +138,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
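Review bot: `corenet_ib_manage_subnet_unlabeled_endports(NetworkManager_t)` gives NetworkManager subnet-management rights over InfiniBand end ports, which is a subnet manager's privilege rather than an interface configurator's, and nothing in the hunk says which NetworkManager operation was denied without it. If the need is only to bring up IPoIB partition interfaces, `corenet_ib_access_unlabeled_pkeys` is presumably the rule that was actually missing and the manage_subnet line should be dropped, or kept with a comment naming the operation that requires it. Both rules cover only unlabeled endports and pkeys, so they silently stop applying on hosts that assign explicit ibendport or ibpkey contexts; worth noting in the same comment.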
@@ -61432,7 +61477,7 @@ index 55f20095e..3299cc6c7 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +162,36 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +164,36 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -61470,7 +61515,7 @@ index 55f20095e..3299cc6c7 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +206,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +208,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -61512,7 +61557,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -196,10 +252,6 @@ optional_policy(`
+@@ -196,10 +254,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61523,7 +61568,7 @@ index 55f20095e..3299cc6c7 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,31 +262,34 @@ optional_policy(`
+@@ -210,31 +264,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -61566,7 +61611,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -246,10 +301,26 @@ optional_policy(`
+@@ -246,10 +303,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61593,7 +61638,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -257,15 +328,19 @@ optional_policy(`
+@@ -257,15 +330,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61615,7 +61660,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -274,10 +349,17 @@ optional_policy(`
+@@ -274,10 +351,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -61633,7 +61678,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -286,9 +368,12 @@ optional_policy(`
+@@ -286,9 +370,12 @@ optional_policy(`
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
  	openvpn_signull(NetworkManager_t)
@@ -61646,7 +61691,7 @@ index 55f20095e..3299cc6c7 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +381,7 @@ optional_policy(`
+@@ -296,7 +383,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61655,7 +61700,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -307,6 +392,7 @@ optional_policy(`
+@@ -307,6 +394,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -61663,7 +61708,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -320,14 +406,21 @@ optional_policy(`
+@@ -320,14 +408,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61690,7 +61735,7 @@ index 55f20095e..3299cc6c7 100644
  ')
  
  optional_policy(`
-@@ -338,12 +431,23 @@ optional_policy(`
+@@ -338,12 +433,23 @@ optional_policy(`
  	vpn_relabelfrom_tun_socket(NetworkManager_t)
  ')
  
@@ -61715,7 +61760,7 @@ index 55f20095e..3299cc6c7 100644
  allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
  
  allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
-@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +463,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -62168,7 +62213,7 @@ index 46e55c3ff..afe399a0e 100644
 +	allow $1 nis_unit_file_t:service all_service_perms;
  ')
 diff --git a/nis.te b/nis.te
-index 3a6b0352e..062e20c8c 100644
+index 3a6b0352e..6aecea23d 100644
 --- a/nis.te
 +++ b/nis.te
 @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
@@ -62282,7 +62327,16 @@ index 3a6b0352e..062e20c8c 100644
  	init_dbus_chat_script(ypbind_t)
  
  	optional_policy(`
-@@ -145,11 +144,12 @@ optional_policy(`
+@@ -140,16 +139,21 @@ optional_policy(`
+ 	udev_read_db(ypbind_t)
+ ')
+ 
++optional_policy(`
++    rpcbind_stream_connect(ypbind_t)
++')
++
+ ########################################
+ #
  # yppasswdd local policy
  #
  
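Review bot: The new optional_policy body is indented with four spaces, `    rpcbind_stream_connect(ypbind_t)`, while the surrounding nis.te uses a tab (compare `	udev_read_db(ypbind_t)` just above); make it a tab. The rule itself looks reasonable, since ypbind presumably has to talk to the local rpcbind socket to locate ypserv, but a one-line comment such as `# ypbind queries rpcbind over its local socket` would spare the next reader a trip to the audit log.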
@@ -62297,7 +62351,7 @@ index 3a6b0352e..062e20c8c 100644
  allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
  allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
  allow yppasswdd_t self:udp_socket create_socket_perms;
-@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+@@ -160,14 +164,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
  manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
  manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
  
@@ -62313,7 +62367,7 @@ index 3a6b0352e..062e20c8c 100644
  corenet_all_recvfrom_netlabel(yppasswdd_t)
  corenet_tcp_sendrecv_generic_if(yppasswdd_t)
  corenet_udp_sendrecv_generic_if(yppasswdd_t)
-@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+@@ -177,23 +180,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
  corenet_udp_sendrecv_all_ports(yppasswdd_t)
  corenet_tcp_bind_generic_node(yppasswdd_t)
  corenet_udp_bind_generic_node(yppasswdd_t)
@@ -62339,7 +62393,7 @@ index 3a6b0352e..062e20c8c 100644
  dev_read_sysfs(yppasswdd_t)
  
  fs_getattr_all_fs(yppasswdd_t)
-@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t)
+@@ -202,12 +195,20 @@ fs_search_auto_mountpoints(yppasswdd_t)
  selinux_get_fs_mount(yppasswdd_t)
  
  auth_manage_shadow(yppasswdd_t)
@@ -62361,7 +62415,7 @@ index 3a6b0352e..062e20c8c 100644
  
  sysnet_read_config(yppasswdd_t)
  
-@@ -219,6 +216,14 @@ optional_policy(`
+@@ -219,6 +220,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62376,7 +62430,7 @@ index 3a6b0352e..062e20c8c 100644
  	seutil_sigchld_newrole(yppasswdd_t)
  ')
  
-@@ -234,7 +239,8 @@ optional_policy(`
+@@ -234,7 +243,8 @@ optional_policy(`
  dontaudit ypserv_t self:capability sys_tty_config;
  allow ypserv_t self:fifo_file rw_fifo_file_perms;
  allow ypserv_t self:process signal_perms;
@@ -62386,7 +62440,7 @@ index 3a6b0352e..062e20c8c 100644
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
  allow ypserv_t self:tcp_socket connected_stream_socket_perms;
  allow ypserv_t self:udp_socket create_socket_perms;
-@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -254,7 +264,6 @@ kernel_read_kernel_sysctls(ypserv_t)
  kernel_list_proc(ypserv_t)
  kernel_read_proc_symlinks(ypserv_t)
  
@@ -62394,7 +62448,7 @@ index 3a6b0352e..062e20c8c 100644
  corenet_all_recvfrom_netlabel(ypserv_t)
  corenet_tcp_sendrecv_generic_if(ypserv_t)
  corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -264,31 +269,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
+@@ -264,31 +273,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
  corenet_udp_sendrecv_all_ports(ypserv_t)
  corenet_tcp_bind_generic_node(ypserv_t)
  corenet_udp_bind_generic_node(ypserv_t)
@@ -62433,7 +62487,7 @@ index 3a6b0352e..062e20c8c 100644
  
  nis_domtrans_ypxfr(ypserv_t)
  
-@@ -310,8 +312,8 @@ optional_policy(`
+@@ -310,8 +316,8 @@ optional_policy(`
  # ypxfr local policy
  #
  
@@ -62444,7 +62498,7 @@ index 3a6b0352e..062e20c8c 100644
  allow ypxfr_t self:tcp_socket create_stream_socket_perms;
  allow ypxfr_t self:udp_socket create_socket_perms;
  allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -326,7 +328,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -326,7 +332,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
  manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
  files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
  
@@ -62452,7 +62506,7 @@ index 3a6b0352e..062e20c8c 100644
  corenet_all_recvfrom_netlabel(ypxfr_t)
  corenet_tcp_sendrecv_generic_if(ypxfr_t)
  corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -336,23 +337,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
+@@ -336,23 +341,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
  corenet_udp_sendrecv_all_ports(ypxfr_t)
  corenet_tcp_bind_generic_node(ypxfr_t)
  corenet_udp_bind_generic_node(ypxfr_t)
@@ -68803,10 +68857,10 @@ index 000000000..45de66477
 +')
 diff --git a/opensm.te b/opensm.te
 new file mode 100644
-index 000000000..87c86edb9
+index 000000000..81c7870cf
 --- /dev/null
 +++ b/opensm.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,49 @@
 +policy_module(opensm, 1.0.0)
 +
 +########################################
@@ -68846,6 +68900,9 @@ index 000000000..87c86edb9
 +
 +auth_use_nsswitch(opensm_t)
 +
++corenet_ib_access_unlabeled_pkeys(opensm_t)
++corenet_ib_manage_subnet_unlabeled_endports(opensm_t)
++
 +corecmd_exec_bin(opensm_t)
 +
 +dev_read_sysfs(opensm_t)
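Review bot: The two new `corenet_ib_*` calls are placed above `corecmd_exec_bin(opensm_t)`, whereas the rest of this module (and refpolicy convention) orders kernel-layer calls alphabetically by module, corecmd before corenet; move them below the corecmd line. Granting subnet management here is appropriate because opensm is the subnet manager, but both rules apply only to unlabeled endports and pkeys, so on hosts that assign explicit ibendport/ibpkey contexts opensm will need matching access to the labelled objects, which this module does not yet provide; a short comment stating that limitation would help.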
@@ -68854,10 +68911,10 @@ index 000000000..87c86edb9
 +
 +logging_send_syslog_msg(opensm_t)
 diff --git a/openvpn.fc b/openvpn.fc
-index 300213f83..4cdfe097c 100644
+index 300213f83..4fd25a689 100644
 --- a/openvpn.fc
 +++ b/openvpn.fc
-@@ -1,10 +1,13 @@
+@@ -1,12 +1,16 @@
  /etc/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_etc_t,s0)
 +/etc/openvpn/scripts(/.*)?	gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
  /etc/openvpn/ipp\.txt	--	gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
@@ -68871,6 +68928,9 @@ index 300213f83..4cdfe097c 100644
  /var/log/openvpn-status\.log.*	--	gen_context(system_u:object_r:openvpn_status_t,s0)
  /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
  
+ /var/run/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_var_run_t,s0)
++/var/run/openvpn-server(/.*)?	gen_context(system_u:object_r:openvpn_var_run_t,s0)
+ /var/run/openvpn\.client.*	--	gen_context(system_u:object_r:openvpn_var_run_t,s0)
 diff --git a/openvpn.if b/openvpn.if
 index 6837e9a2b..8d6e33b00 100644
 --- a/openvpn.if
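Review bot: The new `/var/run/openvpn-server(/.*)?` entry covers the server-side runtime directory only. If the packaging also uses a sibling per-client runtime directory under /var/run, files created there would fall back to var_run_t and openvpn_t would hit denials on its pid and status files; confirm no such directory exists, or add a matching entry next to this one. The /run to /var/run mapping is presumably handled by the distribution's file_contexts substitutions, so no separate /run entry is needed.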
@@ -68962,7 +69022,7 @@ index 6837e9a2b..8d6e33b00 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 63957a362..91dead6e7 100644
+index 63957a362..970f6f03c 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -69104,7 +69164,7 @@ index 63957a362..91dead6e7 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -164,10 +192,20 @@ tunable_policy(`openvpn_can_network_connect',`
+@@ -164,10 +192,21 @@ tunable_policy(`openvpn_can_network_connect',`
  ')
  
  optional_policy(`
@@ -69119,13 +69179,14 @@ index 63957a362..91dead6e7 100644
 +    networkmanager_stream_connect(openvpn_t)
 +    networkmanager_manage_pid_files(openvpn_t)
 +    networkmanager_manage_pid_sock_files(openvpn_t)
++    networkmanager_attach_tun_iface(openvpn_t)
 +')
 +
 +optional_policy(`
  	dbus_system_bus_client(openvpn_t)
  	dbus_connect_system_bus(openvpn_t)
  
-@@ -175,3 +213,27 @@ optional_policy(`
+@@ -175,3 +214,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
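Review bot: `networkmanager_attach_tun_iface(openvpn_t)` lets openvpn attach to TUN queues owned by NetworkManager_t, judging from the interface name, which is the NetworkManager-driven VPN hand-off case, but nothing in the block records that; add a comment such as `# NetworkManager creates the tun device and openvpn attaches to it`. The grant is unconditional within the networkmanager optional_policy, so it also applies to a stand-alone openvpn on a host that merely has NetworkManager installed; if that is not intended, consider whether it belongs under a tunable. The enclosing optional_policy block starts inside this hunk and ends at the closing `')` here.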
@@ -71149,10 +71210,10 @@ index 000000000..abb250dba
 +')
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 000000000..89e89b240
+index 000000000..7ce81f1bd
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,315 @@
+@@ -0,0 +1,319 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -71445,6 +71506,10 @@ index 000000000..89e89b240
 +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
 +allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
 +
++allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
++
++dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };
++
 +kernel_read_system_state(pcp_pmlogger_t)
 +kernel_read_network_state(pcp_pmlogger_t)
 +
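Review bot: `allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;` is the raw form of what refpolicy spells `can_exec(pcp_pmlogger_t, pcp_pmlogger_exec_t)`, which also bundles the read/open/map permissions an exec needs and is the form used elsewhere in this patch (e.g. `can_exec(pulseaudio_t, pulseaudio_exec_t)`); prefer the interface. The `dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };` line silences rather than grants, which is the right call, but a one-line comment naming the pmlogger operation that probes cap_userns would let a future reader judge whether the dontaudit is still needed.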
@@ -73601,10 +73666,10 @@ index 000000000..47cd0f8ba
 +/usr/lib/systemd/system/pki-tomcat.*	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
 diff --git a/pki.if b/pki.if
 new file mode 100644
-index 000000000..f69ae0298
+index 000000000..0a7951358
 --- /dev/null
 +++ b/pki.if
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,523 @@
 +
 +## <summary>policy for pki</summary>
 +
@@ -74108,6 +74173,26 @@ index 000000000..f69ae0298
 +
 +	ps_process_pattern($1, pki_tomcat_t)
 +')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	pki tomcat pid files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pki_manage_tomcat_pid',`
++	gen_require(`
++		type pki_tomcat_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, pki_tomcat_var_run_t, pki_tomcat_var_run_t)
++')
 diff --git a/pki.te b/pki.te
 new file mode 100644
 index 000000000..701ebda54
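Review bot: `pki_manage_tomcat_pid` hands the caller full write access to pki_tomcat_var_run_t files, and a pid file is trusted by whoever later reads it to signal or stop the service, so the interface summary should say that it is meant only for domains trusted at least as much as pki_tomcat_t itself, e.g. add `##	Only for init/admin domains: the pid file drives later signals.` under the existing summary. The interface covers the file class only; a caller that has to create the runtime directory itself would additionally need `manage_dirs_pattern`, which is presumably not the case for the intended caller but is worth stating.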
@@ -74741,7 +74826,7 @@ index 30e751f18..61feb3a81 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce905..a1f9e1aa1 100644
+index 3078ce905..66ecfd9d2 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
 @@ -15,7 +15,7 @@ type plymouthd_exec_t;
@@ -74781,7 +74866,13 @@ index 3078ce905..a1f9e1aa1 100644
  logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
  
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -65,24 +64,33 @@ dev_rw_dri(plymouthd_t)
+ dev_read_sysfs(plymouthd_t)
+ dev_read_framebuffer(plymouthd_t)
+ dev_write_framebuffer(plymouthd_t)
++dev_map_framebuffer(plymouthd_t)
+ 
+ domain_use_interactive_fds(plymouthd_t)
  
  fs_getattr_all_fs(plymouthd_t)
  
@@ -74814,7 +74905,7 @@ index 3078ce905..a1f9e1aa1 100644
  ')
  
  optional_policy(`
-@@ -90,35 +97,37 @@ optional_policy(`
+@@ -90,35 +98,37 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81420,10 +81511,10 @@ index 45843b55c..4d1adace5 100644
 +	ps_process_pattern($1, pulseaudio_t)
  ')
 diff --git a/pulseaudio.te b/pulseaudio.te
-index 6643b49c2..22214f676 100644
+index 6643b49c2..6c374240b 100644
 --- a/pulseaudio.te
 +++ b/pulseaudio.te
-@@ -8,61 +8,50 @@ policy_module(pulseaudio, 1.6.0)
+@@ -8,61 +8,51 @@ policy_module(pulseaudio, 1.6.0)
  attribute pulseaudio_client;
  attribute pulseaudio_tmpfsfile;
  
@@ -81492,6 +81583,7 @@ index 6643b49c2..22214f676 100644
 +manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
 +userdom_search_user_home_dirs(pulseaudio_t)
 +pulseaudio_filetrans_home_content(pulseaudio_t)
++allow pulseaudio_t pulseaudio_home_t:file map;
  
 -manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
 -manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
@@ -81503,7 +81595,7 @@ index 6643b49c2..22214f676 100644
  
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -72,10 +61,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+@@ -72,10 +62,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
@@ -81515,7 +81607,7 @@ index 6643b49c2..22214f676 100644
  
  can_exec(pulseaudio_t, pulseaudio_exec_t)
  
-@@ -85,62 +71,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,62 +72,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
  
  corecmd_exec_bin(pulseaudio_t)
  
@@ -81597,7 +81689,7 @@ index 6643b49c2..22214f676 100644
  ')
  
  optional_policy(`
-@@ -153,8 +135,9 @@ optional_policy(`
+@@ -153,8 +136,9 @@ optional_policy(`
  
  optional_policy(`
  	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@@ -81609,7 +81701,7 @@ index 6643b49c2..22214f676 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(pulseaudio_t)
-@@ -174,29 +157,49 @@ optional_policy(`
+@@ -174,29 +158,49 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81661,7 +81753,7 @@ index 6643b49c2..22214f676 100644
  #
  # Client local policy
  #
-@@ -210,8 +213,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -210,8 +214,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
  
  fs_getattr_tmpfs(pulseaudio_client)
  
@@ -81670,7 +81762,7 @@ index 6643b49c2..22214f676 100644
  corenet_tcp_sendrecv_generic_if(pulseaudio_client)
  corenet_tcp_sendrecv_generic_node(pulseaudio_client)
  
-@@ -220,38 +221,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -220,38 +222,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
  corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
  
  pulseaudio_stream_connect(pulseaudio_client)
@@ -81763,10 +81855,10 @@ index d68e26d1f..3b08cfd9d 100644
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 +/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
 diff --git a/puppet.if b/puppet.if
-index 7cb8b1f9c..bef72173b 100644
+index 7cb8b1f9c..4c805a42e 100644
 --- a/puppet.if
 +++ b/puppet.if
-@@ -1,4 +1,32 @@
+@@ -1,4 +1,52 @@
 -## <summary>Configuration management system.</summary>
 +## <summary>Puppet client daemon</summary>
 +## <desc>
@@ -81797,103 +81889,148 @@ index 7cb8b1f9c..bef72173b 100644
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
 +')
++
++########################################
++## <summary>
++##	Execute puppet in the puppet
++##	domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`puppet_domtrans',`
++	gen_require(`
++		type puppet_t, puppet_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, puppet_exec_t, puppet_t)
++')
  
  ########################################
  ## <summary>
-@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
+@@ -22,7 +70,7 @@ interface(`puppet_domtrans_puppetca',`
+ 
+ #####################################
+ ## <summary>
+-##	Execute puppetca in the puppetca
++##	Execute puppet in the puppet
+ ##	domain and allow the specified
+ ##	role the puppetca domain.
+ ## </summary>
+@@ -38,39 +86,49 @@ interface(`puppet_domtrans_puppetca',`
+ ## </param>
+ ## <rolecap/>
  #
- interface(`puppet_run_puppetca',`
+-interface(`puppet_run_puppetca',`
++interface(`puppet_run',`
  	gen_require(`
 -		attribute_role puppetca_roles;
-+		type puppetca_t, puppetca_exec_t;
++		type puppet_t, puppet_exec_t;
  	')
  
- 	puppet_domtrans_puppetca($1)
+-	puppet_domtrans_puppetca($1)
 -	roleattribute $2 puppetca_roles;
-+	role $2 types puppetca_t;
++	puppet_domtrans($1)
++	role $2 types puppet_t;
  ')
  
 -####################################
-+################################################
++#####################################
  ## <summary>
 -##	Read puppet configuration content.
-+##	Read / Write to Puppet temp files.  Puppet uses
-+##	some system binaries (groupadd, etc) that run in
-+##	a non-puppet domain and redirects output into temp
-+##	files.
++##	Execute puppetca in the puppetca
++##	domain and allow the specified
++##	role the puppetca domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
+-##	Domain allowed access.
++##	Domain allowed to transition.
  ##	</summary>
  ## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
  #
 -interface(`puppet_read_config',`
-+interface(`puppet_rw_tmp', `
++interface(`puppet_run_puppetca',`
  	gen_require(`
 -		type puppet_etc_t;
-+		type puppet_tmp_t;
++		type puppetca_t, puppetca_exec_t;
  	')
  
 -	files_search_etc($1)
 -	allow $1 puppet_etc_t:dir list_dir_perms;
 -	allow $1 puppet_etc_t:file read_file_perms;
 -	allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
-+	allow $1 puppet_tmp_t:file rw_inherited_file_perms;
-+	files_search_tmp($1)
++	puppet_domtrans_puppetca($1)
++	role $2 types puppetca_t;
  ')
  
++
  ################################################
-@@ -78,158 +107,165 @@ interface(`puppet_read_config',`
+ ## <summary>
+-##	Read Puppet lib files.
++##	Read / Write to Puppet temp files.  Puppet uses
++##	some system binaries (groupadd, etc) that run in
++##	a non-puppet domain and redirects output into temp
++##	files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -78,19 +136,18 @@ interface(`puppet_read_config',`
  ##	</summary>
  ## </param>
  #
 -interface(`puppet_read_lib_files',`
-+interface(`puppet_read_lib',`
++interface(`puppet_rw_tmp', `
  	gen_require(`
- 		type puppet_var_lib_t;
+-		type puppet_var_lib_t;
++		type puppet_tmp_t;
  	')
  
 -	files_search_var_lib($1)
- 	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
-+	files_search_var_lib($1)
+-	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++	allow $1 puppet_tmp_t:file rw_inherited_file_perms;
++	files_search_tmp($1)
  ')
  
- ###############################################
+-###############################################
++################################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	puppet lib files.
-+##  Manage Puppet lib files.
++##	Read Puppet lib files.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
+ ##	<summary>
+@@ -98,138 +155,165 @@ interface(`puppet_read_lib_files',`
+ ##	</summary>
  ## </param>
  #
 -interface(`puppet_manage_lib_files',`
--	gen_require(`
--		type puppet_var_lib_t;
--	')
-+interface(`puppet_manage_lib',`
-+    gen_require(`
-+        type puppet_var_lib_t;
-+    ')
++interface(`puppet_read_lib',`
+ 	gen_require(`
+ 		type puppet_var_lib_t;
+ 	')
  
--	files_search_var_lib($1)
++	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ 	files_search_var_lib($1)
 -	manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
-+    manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
-+    files_search_var_lib($1)
  ')
  
 -#####################################
-+######################################
++###############################################
  ## <summary>
 -##	Append puppet log files.
-+##  Allow the specified domain to search puppet's log files.
++##  Manage Puppet lib files.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -81908,21 +82045,22 @@ index 7cb8b1f9c..bef72173b 100644
 -	gen_require(`
 -		type puppet_log_t;
 -	')
-+interface(`puppet_search_log',`
++interface(`puppet_manage_lib',`
 +    gen_require(`
-+        type puppet_log_t;
++        type puppet_var_lib_t;
 +    ')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, puppet_log_t, puppet_log_t)
-+    logging_search_logs($1)
-+    allow $1 puppet_log_t:dir search_dir_perms;
++    manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++    files_search_var_lib($1)
  ')
  
- #####################################
+-#####################################
++######################################
  ## <summary>
 -##	Create puppet log files.
-+##  Allow the specified domain to read puppet's log files.
++##  Allow the specified domain to search puppet's log files.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -81937,7 +82075,7 @@ index 7cb8b1f9c..bef72173b 100644
 -	gen_require(`
 -		type puppet_log_t;
 -	')
-+interface(`puppet_read_log',`
++interface(`puppet_search_log',`
 +    gen_require(`
 +        type puppet_log_t;
 +    ')
@@ -81945,13 +82083,13 @@ index 7cb8b1f9c..bef72173b 100644
 -	logging_search_logs($1)
 -	create_files_pattern($1, puppet_log_t, puppet_log_t)
 +    logging_search_logs($1)
-+	read_files_pattern($1, puppet_log_t, puppet_log_t)
++    allow $1 puppet_log_t:dir search_dir_perms;
  ')
  
  #####################################
  ## <summary>
 -##	Read puppet log files.
-+##  Allow the specified domain to create puppet's log files.
++##  Allow the specified domain to read puppet's log files.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -81966,22 +82104,21 @@ index 7cb8b1f9c..bef72173b 100644
 -	gen_require(`
 -		type puppet_log_t;
 -	')
-+interface(`puppet_create_log',`
++interface(`puppet_read_log',`
 +    gen_require(`
 +        type puppet_log_t;
 +    ')
  
 -	logging_search_logs($1)
--	read_files_pattern($1, puppet_log_t, puppet_log_t)
 +    logging_search_logs($1)
-+    create_files_pattern($1, puppet_log_t, puppet_log_t)
+ 	read_files_pattern($1, puppet_log_t, puppet_log_t)
  ')
  
 -################################################
-+####################################
++#####################################
  ## <summary>
 -##	Read and write to puppet tempoprary files.
-+##  Allow the specified domain to append puppet's log files.
++##  Allow the specified domain to create puppet's log files.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -81996,7 +82133,7 @@ index 7cb8b1f9c..bef72173b 100644
 -	gen_require(`
 -		type puppet_tmp_t;
 -	')
-+interface(`puppet_append_log',`
++interface(`puppet_create_log',`
 +    gen_require(`
 +        type puppet_log_t;
 +    ')
@@ -82004,7 +82141,7 @@ index 7cb8b1f9c..bef72173b 100644
 -	files_search_tmp($1)
 -	allow $1 puppet_tmp_t:file rw_file_perms;
 +    logging_search_logs($1)
-+    append_files_pattern($1, puppet_log_t, puppet_log_t)
++    create_files_pattern($1, puppet_log_t, puppet_log_t)
  ')
  
 -########################################
@@ -82012,7 +82149,7 @@ index 7cb8b1f9c..bef72173b 100644
  ## <summary>
 -##	All of the rules required to
 -##	administrate an puppet environment.
-+##  Allow the specified domain to manage puppet's log files.
++##  Allow the specified domain to append puppet's log files.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -82036,19 +82173,36 @@ index 7cb8b1f9c..bef72173b 100644
 -		type puppet_var_run_t, puppetmaster_tmp_t;
 -		type puppet_t, puppetca_t, puppetmaster_t;
 -	')
--
--	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
--	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
-+interface(`puppet_manage_log',`
++interface(`puppet_append_log',`
 +    gen_require(`
 +        type puppet_log_t;
 +    ')
  
+-	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
+-	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
++    logging_search_logs($1)
++    append_files_pattern($1, puppet_log_t, puppet_log_t)
++')
+ 
 -	init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
 -	domain_system_change_exemption($1)
 -	role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
 -	allow $2 system_r;
--
++####################################
++## <summary>
++##  Allow the specified domain to manage puppet's log files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`puppet_manage_log',`
++    gen_require(`
++        type puppet_log_t;
++    ')
+ 
 -	files_search_etc($1)
 -	admin_pattern($1, puppet_etc_t)
 +    logging_search_logs($1)
@@ -84765,7 +84919,7 @@ index fe2adf8ae..f7e9c70b0 100644
 +    admin_pattern($1, qpidd_var_run_t)
  ')
 diff --git a/qpid.te b/qpid.te
-index 83eb09ef6..8f641fc92 100644
+index 83eb09ef6..a5e7068f6 100644
 --- a/qpid.te
 +++ b/qpid.te
 @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -84778,7 +84932,7 @@ index 83eb09ef6..8f641fc92 100644
  type qpidd_tmpfs_t;
  files_tmpfs_file(qpidd_tmpfs_t)
  
-@@ -33,41 +36,57 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -33,41 +36,58 @@ allow qpidd_t self:shm create_shm_perms;
  allow qpidd_t self:tcp_socket { accept listen };
  allow qpidd_t self:unix_stream_socket { accept listen };
  
@@ -84797,6 +84951,7 @@ index 83eb09ef6..8f641fc92 100644
 +manage_files_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
 +manage_lnk_files_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
 +files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir lnk_file })
++allow qpidd_t qpidd_var_lib_t:file map;
  
 -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
 -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
@@ -86712,10 +86867,10 @@ index 951db7f1b..65666b765 100644
 +	allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms;
  ')
 diff --git a/raid.te b/raid.te
-index c99753f2c..082d5f686 100644
+index c99753f2c..e465414a3 100644
 --- a/raid.te
 +++ b/raid.te
-@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
+@@ -15,54 +15,105 @@ role mdadm_roles types mdadm_t;
  type mdadm_initrc_exec_t;
  init_script_file(mdadm_initrc_exec_t)
  
@@ -86748,6 +86903,7 @@ index c99753f2c..082d5f686 100644
 -allow mdadm_t self:process { getsched setsched signal_perms };
 +allow mdadm_t self:capability { dac_read_search  sys_admin ipc_lock };
 +dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
++dontaudit mdadm_t self:cap_userns { sys_ptrace };
 +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
  allow mdadm_t self:fifo_file rw_fifo_file_perms;
  allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -86830,7 +86986,7 @@ index c99753f2c..082d5f686 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +122,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -86857,7 +87013,7 @@ index c99753f2c..082d5f686 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +150,38 @@ optional_policy(`
+@@ -90,17 +151,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93642,7 +93798,7 @@ index 0bf13c220..2ee527f2a 100644
 +	allow nfsd_t $1:dbus send_msg;
 +')
 diff --git a/rpc.te b/rpc.te
-index 2da9fca2f..f06eb2732 100644
+index 2da9fca2f..03471672e 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -94028,10 +94184,14 @@ index 2da9fca2f..f06eb2732 100644
  ')
  
  optional_policy(`
-@@ -314,9 +398,12 @@ optional_policy(`
+@@ -314,9 +398,16 @@ optional_policy(`
  ')
  
  optional_policy(`
++    realmd_read_var_lib(gssd_t)
++')
++
++optional_policy(`
 +	gssproxy_stream_connect(gssd_t)
 +')
 +optional_policy(`
@@ -96833,7 +96993,7 @@ index b8b66ff4d..a93346efe 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index 50d07fb2e..e1474fde7 100644
+index 50d07fb2e..a15cd5b6b 100644
 --- a/samba.if
 +++ b/samba.if
 @@ -1,8 +1,12 @@
@@ -97213,13 +97373,14 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -421,33 +538,55 @@ interface(`samba_manage_var_files',`
+@@ -421,33 +538,56 @@ interface(`samba_manage_var_files',`
  	')
  
  	files_search_var_lib($1)
 +	files_search_var_lib($1)
  	manage_files_pattern($1, samba_var_t, samba_var_t)
 +	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
++    allow $1 samba_var_t:file { map};
  ')
  
  ########################################
@@ -97276,7 +97437,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -462,16 +601,16 @@ interface(`samba_domtrans_smbcontrol',`
+@@ -462,16 +602,16 @@ interface(`samba_domtrans_smbcontrol',`
  #
  interface(`samba_run_smbcontrol',`
  	gen_require(`
@@ -97296,7 +97457,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -488,9 +627,27 @@ interface(`samba_domtrans_smbd',`
+@@ -488,9 +628,27 @@ interface(`samba_domtrans_smbd',`
  	domtrans_pattern($1, smbd_exec_t, smbd_t)
  ')
  
@@ -97325,7 +97486,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -505,10 +662,26 @@ interface(`samba_signal_smbd',`
+@@ -505,10 +663,26 @@ interface(`samba_signal_smbd',`
  	allow $1 smbd_t:process signal;
  ')
  
@@ -97354,7 +97515,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -526,7 +699,7 @@ interface(`samba_dontaudit_use_fds',`
+@@ -526,7 +700,7 @@ interface(`samba_dontaudit_use_fds',`
  
  ########################################
  ## <summary>
@@ -97363,7 +97524,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -544,7 +717,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
+@@ -544,7 +718,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -97372,7 +97533,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -560,49 +733,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+@@ -560,49 +734,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
  	allow $1 smbmount_t:tcp_socket { read write };
  ')
  
@@ -97441,7 +97602,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -618,16 +789,16 @@ interface(`samba_getattr_winbind_exec',`
+@@ -618,16 +790,16 @@ interface(`samba_getattr_winbind_exec',`
  #
  interface(`samba_run_winbind_helper',`
  	gen_require(`
@@ -97461,7 +97622,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -637,17 +808,71 @@ interface(`samba_run_winbind_helper',`
+@@ -637,17 +809,71 @@ interface(`samba_run_winbind_helper',`
  #
  interface(`samba_read_winbind_pid',`
  	gen_require(`
@@ -97537,7 +97698,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -657,17 +882,61 @@ interface(`samba_read_winbind_pid',`
+@@ -657,17 +883,61 @@ interface(`samba_read_winbind_pid',`
  #
  interface(`samba_stream_connect_winbind',`
  	gen_require(`
@@ -97604,7 +97765,7 @@ index 50d07fb2e..e1474fde7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -676,7 +945,7 @@ interface(`samba_stream_connect_winbind',`
+@@ -676,7 +946,7 @@ interface(`samba_stream_connect_winbind',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -97613,7 +97774,7 @@ index 50d07fb2e..e1474fde7 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -689,11 +958,30 @@ interface(`samba_admin',`
+@@ -689,11 +959,30 @@ interface(`samba_admin',`
  		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
  		type swat_var_run_t, swat_tmp_t, winbind_log_t;
  		type winbind_var_run_t, winbind_tmp_t;
@@ -97647,7 +97808,7 @@ index 50d07fb2e..e1474fde7 100644
  
  	init_labeled_script_domtrans($1, samba_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -703,23 +991,34 @@ interface(`samba_admin',`
+@@ -703,23 +992,34 @@ interface(`samba_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { samba_etc_t smbd_keytab_t })
  
@@ -111850,10 +112011,10 @@ index 000000000..d371f62f6
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 000000000..a34bf9b9f
+index 000000000..1b34bc7b6
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,175 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -111946,6 +112107,7 @@ index 000000000..a34bf9b9f
 +fs_getattr_all_fs(thumb_t)
 +fs_read_dos_files(thumb_t)
 +fs_rw_inherited_tmpfs_files(thumb_t)
++fs_map_dos_files(thumb_t)
 +
 +auth_read_passwd(thumb_t)
 +
@@ -112995,10 +113157,10 @@ index 000000000..e5cec8fda
 +')
 diff --git a/tomcat.te b/tomcat.te
 new file mode 100644
-index 000000000..6db6edad3
+index 000000000..6ebd1ea7c
 --- /dev/null
 +++ b/tomcat.te
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,127 @@
 +policy_module(tomcat, 1.0.0)
 +
 +########################################
@@ -113036,6 +113198,7 @@ index 000000000..6db6edad3
 +    pki_manage_tomcat_lib(tomcat_t)
 +    pki_manage_tomcat_etc_rw(tomcat_t)
 +    pki_search_log_dirs(tomcat_t)
++    pki_manage_tomcat_pid(tomcat_t)
 +    pki_manage_tomcat_log(tomcat_t)
 +    pki_manage_common_files(tomcat_t)
 +    pki_exec_common_files(tomcat_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0fbaeed..fcd5987 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 305%{?dist}
+Release: 306%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,47 @@ exit 0
 %endif
 
 %changelog
+* Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
+- Allow thumb_t domain to dosfs_t BZ(1517720)
+- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
+- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)
+- Allow git_script_t to mmap git_sys_content_t BZ(1517541)
+- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)
+- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)
+- Allow colord_t to mmap xdm pid files BZ(1518382)
+- Allow arpwatch to mmap usbmon device BZ(152456)
+- Allow mandb_t to read public sssd files BZ(1514093)
+- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)
+- Allow qpid to map files.
+- Allow plymouthd_t to mmap firamebuf device BZ(1517405)
+- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)
+- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)
+- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)
+- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)
+- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)
+- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)
+- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)
+- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)
+- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)
+- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)
+- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)
+- Add interface fs_map_dos_files()
+- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729)
+- Add interface xserver_map_xdm_pid() BZ(1518382)
+- Add new interface dev_map_usbmon_dev() BZ(1524256)
+- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)
+- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)
+- Fix typo in filesystem.if
+- Add interface dev_map_framebuffer()
+- Allow chkpwd command to mmap /etc/shadow BZ(1513704)
+- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)
+- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)
+- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)
+- Add interface fs_map_cifs_files()
+- Merge pull request #207 from rhatdan/labels
+- Merge pull request #208 from rhatdan/logdir
+- Allow domains that manage logfiles to man logdirs
+
 * Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
 - Make ganesha nfs server