diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3930c6f..078c411 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2451,3 +2451,10 @@ rabbitmq = module
 #  cloudform daemons 
 #
 cloudform = module
+
+# Layer: services
+# Module: obex
+# 
+#  policy for obex-data-server 
+#
+obex = module
diff --git a/policy-F16.patch b/policy-F16.patch
index 98113bd..c5aacca 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2148,10 +2148,10 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..35ae1db
+index 0000000..14d8b32
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,36 @@
+@@ -0,0 +1,44 @@
 +policy_module(permissivedomains,17)
 +
 +
@@ -2188,6 +2188,14 @@ index 0000000..35ae1db
 +    permissive dnssec_trigger_t;
 +')
 +
++
++optional_policy(`
++    gen_require(`
++        type obex_t;
++    ')
++
++    permissive obex_t;
++')
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
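Review bot: `permissive obex_t` is added without a comment saying why the new domain runs permissive or what condition retires it; a permissive domain still logs AVC messages but never enforces, so a marker such as `# obex_t: new policy, permissive until denials are triaged, then remove` keeps the entry from quietly becoming permanent. The obex module's own policy files are not in the visible part of this diff, so I assume they arrive with the same series; because the `gen_require` sits inside `optional_policy`, a missing `obex_t` merely disables this block rather than breaking the build, and the `obex = module` entry added to modules-targeted.conf only needs the module to exist. permissivedomains.te continues outside the hunk.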
@@ -2948,7 +2956,7 @@ index d33daa8..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..a485d76 100644
+index 47a8f7d..8bc5a27 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -3023,7 +3031,15 @@ index 47a8f7d..a485d76 100644
  auth_dontaudit_read_shadow(rpm_t)
  auth_use_nsswitch(rpm_t)
  
-@@ -173,11 +193,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -164,7 +184,6 @@ rpm_domtrans_script(rpm_t)
+ 
+ domain_read_all_domains_state(rpm_t)
+ domain_getattr_all_domains(rpm_t)
+-domain_dontaudit_ptrace_all_domains(rpm_t)
+ domain_use_interactive_fds(rpm_t)
+ domain_dontaudit_getattr_all_pipes(rpm_t)
+ domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
  domain_dontaudit_getattr_all_raw_sockets(rpm_t)
  domain_dontaudit_getattr_all_stream_sockets(rpm_t)
  domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
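Review bot: Dropping `domain_dontaudit_ptrace_all_domains(rpm_t)` changes what is audited, not what is allowed, so ptrace attempts by rpm_t will now surface as AVC denials; the same retreat from ptrace runs through the rest of the commit — `domain_dontaudit_ptrace_all_domains(rpm_script_t)` and `mcs_ptrace_all(rpm_script_t)` in rpm.te, the `deny_ptrace` tunable blocks in chrome.te and livecd.te, `ptrace` in mono.te's self:process set, and the global `dontaudit domain self:capability sys_ptrace` in domain.te. Making these attempts visible is the right direction for detection, but the commit message should say so, because hosts that previously silenced them will start reporting new denials. No visible hunk removes the `gen_tunable(deny_ptrace, …)` declaration itself; if it survives elsewhere in the patch it is now a boolean that no rule consults and should be dropped or documented as such. The rpm_t local-policy block continues on both sides of this hunk.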
@@ -3037,7 +3053,7 @@ index 47a8f7d..a485d76 100644
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -185,11 +207,13 @@ libs_domtrans_ldconfig(rpm_t)
+@@ -185,11 +206,13 @@ libs_domtrans_ldconfig(rpm_t)
  
  logging_send_syslog_msg(rpm_t)
  
@@ -3052,7 +3068,7 @@ index 47a8f7d..a485d76 100644
  userdom_use_unpriv_users_fds(rpm_t)
  
  optional_policy(`
-@@ -207,6 +231,7 @@ optional_policy(`
+@@ -207,6 +230,7 @@ optional_policy(`
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -3060,7 +3076,7 @@ index 47a8f7d..a485d76 100644
  ')
  
  optional_policy(`
-@@ -214,7 +239,7 @@ optional_policy(`
+@@ -214,7 +238,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3069,7 +3085,7 @@ index 47a8f7d..a485d76 100644
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -225,7 +250,8 @@ optional_policy(`
+@@ -225,7 +249,8 @@ optional_policy(`
  # rpm-script Local policy
  #
  
@@ -3079,7 +3095,7 @@ index 47a8f7d..a485d76 100644
  allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
-@@ -257,12 +283,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  can_exec(rpm_script_t, rpm_script_tmpfs_t)
  
@@ -3098,7 +3114,15 @@ index 47a8f7d..a485d76 100644
  dev_list_sysfs(rpm_script_t)
  
  # ideally we would not need this
-@@ -299,15 +331,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -282,7 +313,6 @@ fs_unmount_xattr_fs(rpm_script_t)
+ fs_search_auto_mountpoints(rpm_script_t)
+ 
+ mcs_killall(rpm_script_t)
+-mcs_ptrace_all(rpm_script_t)
+ 
+ mls_file_read_all_levels(rpm_script_t)
+ mls_file_write_all_levels(rpm_script_t)
+@@ -299,19 +329,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -3119,7 +3143,11 @@ index 47a8f7d..a485d76 100644
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -331,23 +365,24 @@ libs_domtrans_ldconfig(rpm_script_t)
+-domain_dontaudit_ptrace_all_domains(rpm_script_t)
+ domain_use_interactive_fds(rpm_script_t)
+ domain_signal_all_domains(rpm_script_t)
+ domain_signull_all_domains(rpm_script_t)
+@@ -331,23 +362,24 @@ libs_domtrans_ldconfig(rpm_script_t)
  logging_send_syslog_msg(rpm_script_t)
  
  miscfiles_read_localization(rpm_script_t)
@@ -3148,7 +3176,7 @@ index 47a8f7d..a485d76 100644
  	allow rpm_script_t self:process execmem;
  ')
  
-@@ -368,6 +403,11 @@ optional_policy(`
+@@ -368,6 +400,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3160,7 +3188,7 @@ index 47a8f7d..a485d76 100644
  	tzdata_domtrans(rpm_t)
  	tzdata_domtrans(rpm_script_t)
  ')
-@@ -377,7 +417,7 @@ optional_policy(`
+@@ -377,7 +414,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -4941,10 +4969,10 @@ index 0000000..1553356
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..bd1abf4
+index 0000000..8b8f735
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,186 @@
+@@ -0,0 +1,182 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -4976,10 +5004,6 @@ index 0000000..bd1abf4
 +# chrome_sandbox local policy
 +#
 +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
-+tunable_policy(`deny_ptrace',`',`
-+	allow chrome_sandbox_t self:capability sys_ptrace;
-+')
-+
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:process setsched;
 +allow chrome_sandbox_t self:fifo_file manage_file_perms;
@@ -5089,7 +5113,7 @@ index 0000000..bd1abf4
 +# chrome_sandbox_nacl local policy
 +#
 +
-+allow chrome_sandbox_nacl_t self:process execmem;
++allow chrome_sandbox_nacl_t self:process { execmem setsched };
 +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
 +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
 +allow chrome_sandbox_nacl_t self:shm create_shm_perms;
@@ -5099,7 +5123,7 @@ index 0000000..bd1abf4
 +
 +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
 +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
 +
 +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
 +fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
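Review bot: The expanded set `{ sigkill sigstop signull signal share }` for chrome_sandbox_t on chrome_sandbox_nacl_t spells the signal permissions out by hand, while earlier in the same file the self rule uses the `signal_perms` macro (`allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };`); the literal list differs from the macro only in omitting sigchld. Either write `allow chrome_sandbox_t chrome_sandbox_nacl_t:process { signal_perms share };` if sigchld is acceptable, or keep the literal list and add a comment noting that sigchld is deliberately left out so the next reader does not "fix" it. The chrome_sandbox_nacl local-policy block continues outside the hunk.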
@@ -7261,7 +7285,7 @@ index 40e0a2a..46cc164 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..80f8c31 100644
+index 9050e8c..9cbbfd4 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -7319,7 +7343,15 @@ index 9050e8c..80f8c31 100644
  
  manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
  manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -123,22 +139,26 @@ logging_send_syslog_msg(gpg_t)
+@@ -84,6 +100,7 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+ domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+ 
+ allow gpg_t gpg_secret_t:dir create_dir_perms;
++manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+@@ -123,22 +140,26 @@ logging_send_syslog_msg(gpg_t)
  
  miscfiles_read_localization(gpg_t)
  
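Review bot: `manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)` lets the gpg domain create and remove sockets inside the directory that holds the user's secret keys, and the rule carries no comment saying which socket this is for; the gpg_agent_t copy of the same rule later in this file at least sits under the existing "read and write ~/.gnupg" comment. Presumably this is the agent's listening socket under ~/.gnupg — confirm, and record it above both lines, e.g. `# gpg-agent's socket is created inside ~/.gnupg`. The gpg_t local-policy block continues outside the hunk.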
@@ -7354,7 +7386,7 @@ index 9050e8c..80f8c31 100644
  ')
  
  optional_policy(`
-@@ -147,15 +167,19 @@ optional_policy(`
+@@ -147,15 +168,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7378,7 +7410,7 @@ index 9050e8c..80f8c31 100644
  ########################################
  #
  # GPG helper local policy
-@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t)
+@@ -191,7 +216,7 @@ files_read_etc_files(gpg_helper_t)
  
  auth_use_nsswitch(gpg_helper_t)
  
@@ -7387,7 +7419,7 @@ index 9050e8c..80f8c31 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,15 +230,17 @@ tunable_policy(`use_samba_home_dirs',`
  #
  # GPG agent local policy
  #
@@ -7401,7 +7433,12 @@ index 9050e8c..80f8c31 100644
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
  # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -239,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
++manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ 
+@@ -239,34 +266,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
  miscfiles_read_localization(gpg_agent_t)
  
  # Write to the user domain tty.
@@ -7440,7 +7477,15 @@ index 9050e8c..80f8c31 100644
  
  optional_policy(`
  	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -332,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -301,6 +319,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+ # read /proc/meminfo
+ kernel_read_system_state(gpg_pinentry_t)
+ 
++corecmd_exec_shell(gpg_pinentry_t)
+ corecmd_exec_bin(gpg_pinentry_t)
+ 
+ corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+@@ -332,13 +351,15 @@ miscfiles_read_localization(gpg_pinentry_t)
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
  userdom_read_user_tmpfs_files(gpg_pinentry_t)
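Review bot: `corecmd_exec_shell(gpg_pinentry_t)` widens the domain that handles passphrase entry to executing a shell, and nothing in the hunk records why; the neighbouring `corecmd_exec_bin` line is equally uncommented, so a reader cannot tell whether this is needed for a wrapper script or is a leftover from chasing denials. Presumably /usr/bin/pinentry is a shell wrapper that selects the real backend — confirm against the package, and if so add `# pinentry is a shell wrapper that execs the real backend` above the line. The gpg_pinentry_t block continues outside the hunk.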
@@ -7461,7 +7506,7 @@ index 9050e8c..80f8c31 100644
  ')
  
  optional_policy(`
-@@ -347,6 +365,12 @@ optional_policy(`
+@@ -347,6 +368,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7474,7 +7519,7 @@ index 9050e8c..80f8c31 100644
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +380,28 @@ optional_policy(`
+@@ -356,4 +383,28 @@ optional_policy(`
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -7866,18 +7911,14 @@ index b2e27ec..c324f94 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
-index a0be4ef..a3d8afd 100644
+index a0be4ef..2c088f5 100644
 --- a/policy/modules/apps/livecd.te
 +++ b/policy/modules/apps/livecd.te
-@@ -20,16 +20,36 @@ files_tmp_file(livecd_tmp_t)
+@@ -20,16 +20,32 @@ files_tmp_file(livecd_tmp_t)
  
  dontaudit livecd_t self:capability2 mac_admin;
  
 -domain_ptrace_all_domains(livecd_t)
-+tunable_policy(`deny_ptrace',`',`
-+	domain_ptrace_all_domains(livecd_t)
-+')
-+
 +domain_interactive_fd(livecd_t)
  
  manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -7976,6 +8017,19 @@ index 0bac996..ca2388d 100644
 -userdom_use_user_terminals(lockdev_t)
 +userdom_use_inherited_user_terminals(lockdev_t)
  
+diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
+index dff0f12..ecab36d 100644
+--- a/policy/modules/apps/mono.te
++++ b/policy/modules/apps/mono.te
+@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
+ # Local policy
+ #
+ 
+-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
++allow mono_t self:process { signal getsched execheap execmem execstack };
+ 
+ init_dbus_chat_script(mono_t)
+ 
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
 index 93ac529..4c0895e 100644
 --- a/policy/modules/apps/mozilla.fc
@@ -12881,7 +12935,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..68b6a44 100644
+index 3fae11a..c2ef1eb 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,7 +1,7 @@
@@ -12893,7 +12947,19 @@ index 3fae11a..68b6a44 100644
  /bin/.*					gen_context(system_u:object_r:bin_t,s0)
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
+@@ -71,6 +71,11 @@ ifdef(`distro_redhat',`
+ /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/lxdm/LoginReady		--	gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Post.*		--	gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Pre.*			--	gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Xsession		--	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+@@ -97,8 +102,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -12902,7 +12968,7 @@ index 3fae11a..68b6a44 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +128,14 @@ ifdef(`distro_debian',`
+@@ -130,18 +133,14 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -12923,7 +12989,7 @@ index 3fae11a..68b6a44 100644
  
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -152,7 +146,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +151,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -12932,7 +12998,7 @@ index 3fae11a..68b6a44 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +162,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +167,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -12940,7 +13006,7 @@ index 3fae11a..68b6a44 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +174,92 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +179,92 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -13078,7 +13144,7 @@ index 3fae11a..68b6a44 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +267,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +272,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -13098,7 +13164,7 @@ index 3fae11a..68b6a44 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +294,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +299,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -13109,7 +13175,7 @@ index 3fae11a..68b6a44 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +317,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +322,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13130,7 +13196,7 @@ index 3fae11a..68b6a44 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +341,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +346,11 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -13144,7 +13210,7 @@ index 3fae11a..68b6a44 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +355,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +360,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13156,7 +13222,7 @@ index 3fae11a..68b6a44 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +401,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +406,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13165,7 +13231,7 @@ index 3fae11a..68b6a44 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +413,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +418,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13177,7 +13243,7 @@ index 3fae11a..68b6a44 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +424,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +429,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -13189,7 +13255,7 @@ index 3fae11a..68b6a44 100644
 +/usr/lib/iscan/network				--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/yp/.+						--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/yp/.+				--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
 index 9e9263a..650e796 100644
 --- a/policy/modules/kernel/corecommands.if
@@ -14949,7 +15015,7 @@ index 6cf8784..2354089 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..85b04c0 100644
+index f820f3b..f27e256 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15687,7 +15753,7 @@ index f820f3b..85b04c0 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5216,822 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5216,842 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15939,6 +16005,26 @@ index f820f3b..85b04c0 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
++	filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
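Review bot: The twenty added `filetrans_pattern($1, device_t, usb_device_t, chr_file, "0NN")` lines extend the name-based transitions from "009" to "029", but nothing records that the list is a cap: a node named "030" or higher created in device_t gets whatever label the unnamed transition gives it rather than usb_device_t, and a reader has no way to know that is expected. A one-line comment before the run, such as `# name transitions are enumerated; nodes numbered above 029 are not relabelled here`, would make the limit explicit and point the next person at the right place to extend it. The enclosing interface starts and ends outside this hunk.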
@@ -16657,7 +16743,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..b3fbad5 100644
+index fae1ab1..6a2f06f 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -16758,7 +16844,7 @@ index fae1ab1..b3fbad5 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,223 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -16981,7 +17067,6 @@ index fae1ab1..b3fbad5 100644
 +')
 +
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
-+dontaudit domain self:capability sys_ptrace;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
 index c19518a..04ef731 100644
 --- a/policy/modules/kernel/files.fc
@@ -17105,7 +17190,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..6af09db 100644
+index ff006ea..3a7eb38 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -17855,7 +17940,33 @@ index ff006ea..6af09db 100644
  ')
  
  ########################################
-@@ -5304,6 +5702,25 @@ interface(`files_manage_mounttab',`
+@@ -5259,6 +5657,25 @@ interface(`files_read_var_lib_symlinks',`
+ 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
++########################################
++## <summary>
++##	manage generic symbolic links
++##	in the /var/lib directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_var_lib_symlinks',`
++	gen_require(`
++		type var_lib_t;
++	')
++
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
+ # cjp: the next two interfaces really need to be fixed
+ # in some way.  They really neeed their own types.
+ 
+@@ -5304,6 +5721,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
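Review bot: `files_manage_var_lib_symlinks` requires only `var_lib_t`, so a caller gets link management under /var/lib without search access on `var_t` to reach it, whereas the adjacent `files_read_var_lib_symlinks` passes `{ var_t var_lib_t }` to its pattern; for the manage case this file's idiom is a separate search rule rather than widening the directory set, i.e. `type var_t, var_lib_t;` in the gen_require and `allow $1 var_t:dir search_dir_perms;` before the pattern. `manage_lnk_files_pattern($1,var_lib_t,var_lib_t)` also drops the spaces after commas that the surrounding pattern calls use, and the summary should read `Manage generic symbolic links` to match the capitalisation of the other interface summaries in the file.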
@@ -17881,7 +17992,7 @@ index ff006ea..6af09db 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5734,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5753,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17890,7 +18001,7 @@ index ff006ea..6af09db 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5755,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5774,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -17906,7 +18017,7 @@ index ff006ea..6af09db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5770,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5789,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -17939,7 +18050,7 @@ index ff006ea..6af09db 100644
  ')
  
  ########################################
-@@ -5373,6 +5812,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5831,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -17947,7 +18058,7 @@ index ff006ea..6af09db 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5825,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5844,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17955,7 +18066,7 @@ index ff006ea..6af09db 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5851,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5870,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17964,7 +18075,7 @@ index ff006ea..6af09db 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5867,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5886,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -17981,7 +18092,7 @@ index ff006ea..6af09db 100644
  ')
  
  ########################################
-@@ -5452,7 +5891,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5910,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17990,7 +18101,7 @@ index ff006ea..6af09db 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5932,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5951,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -17999,7 +18110,7 @@ index ff006ea..6af09db 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5954,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5973,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18008,7 +18119,7 @@ index ff006ea..6af09db 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5986,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6005,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -18019,7 +18130,7 @@ index ff006ea..6af09db 100644
  ')
  
  ########################################
-@@ -5608,6 +6047,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6066,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -18063,7 +18174,7 @@ index ff006ea..6af09db 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,6 +6105,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6124,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -18089,7 +18200,7 @@ index ff006ea..6af09db 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6231,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6250,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18098,7 +18209,7 @@ index ff006ea..6af09db 100644
  ')
  
  ########################################
-@@ -5815,29 +6310,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6329,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -18132,7 +18243,7 @@ index ff006ea..6af09db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6336,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6355,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18182,7 +18293,7 @@ index ff006ea..6af09db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5888,20 +6372,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6391,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18206,7 +18317,7 @@ index ff006ea..6af09db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5909,56 +6390,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6409,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18282,7 +18393,7 @@ index ff006ea..6af09db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5966,18 +6450,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6469,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18305,7 +18416,7 @@ index ff006ea..6af09db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5985,19 +6468,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6487,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18330,7 +18441,7 @@ index ff006ea..6af09db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6005,70 +6487,333 @@ interface(`files_read_generic_spool',`
+@@ -6005,50 +6506,313 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18387,30 +18498,20 @@ index ff006ea..6af09db 100644
 -##	Allow access to manage all polyinstantiated
 -##	directories on the system.
 +##	Delete all process IDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_polyinstantiate_all',`
++#
 +interface(`files_delete_all_pids',`
- 	gen_require(`
--		attribute polydir, polymember, polyparent;
--		type poly_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
--	# Need to give access to /selinux/member
--	selinux_compute_member($1)
--
--	# Need sys_admin capability for mounting
--	allow $1 self:capability { chown fsetid sys_admin fowner };
--
--	# Need to give access to the directories to be polyinstantiated
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
@@ -18674,30 +18775,10 @@ index ff006ea..6af09db 100644
 +## <summary>
 +##	Allow access to manage all polyinstantiated
 +##	directories on the system.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_polyinstantiate_all',`
-+	gen_require(`
-+		attribute polydir, polymember, polyparent;
-+		type poly_t;
-+	')
-+
-+	# Need to give access to /selinux/member
-+	selinux_compute_member($1)
-+
-+	# Need sys_admin capability for mounting
-+	allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+	# Need to give access to the directories to be polyinstantiated
- 	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
- 
- 	# Need to give access to the polyinstantiated subdirectories
-@@ -6117,3 +6862,284 @@ interface(`files_unconfined',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6117,3 +6881,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -23392,7 +23473,7 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..c42d440
+index 0000000..c21c9a4
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,383 @@
@@ -23420,7 +23501,7 @@ index 0000000..c42d440
 +
 +## <desc>
 +## <p>
-+## Allow vidio playing tools to run unconfined
++## Allow video playing tools to run unconfined
 +## </p>
 +## </desc>
 +gen_tunable(unconfined_mplayer, false)
@@ -26204,10 +26285,10 @@ index 6480167..2ad693a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..1aa2421 100644
+index 3136c6a..d6944c1 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,226 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,233 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -26256,6 +26337,13 @@ index 3136c6a..1aa2421 100644
 +
 +## <desc>
 +##	<p>
++##	Allow httpd processes to manage IPA content
++##	</p>
++## </desc>
++gen_tunable(httpd_manage_ipa, false)
++
++## <desc>
++##	<p>
 +##	Allow httpd daemon to change system limits
 +##	</p>
 +## </desc>
@@ -26330,17 +26418,17 @@ index 3136c6a..1aa2421 100644
 +## </desc>
 +gen_tunable(httpd_can_connect_zabbix, false)
 +
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
 +##	<p>
 +##	Allow http daemon to check spam
 +##	</p>
 +## </desc>
 +gen_tunable(httpd_can_check_spam, false)
 +
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
 +##	<p>
 +##	Allow Apache to communicate with avahi service via dbus
 +##	</p>
@@ -26490,7 +26578,7 @@ index 3136c6a..1aa2421 100644
  attribute httpd_script_exec_type;
  attribute httpd_user_script_exec_type;
  
-@@ -166,7 +256,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +263,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -26499,7 +26587,7 @@ index 3136c6a..1aa2421 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +267,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +274,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -26509,7 +26597,7 @@ index 3136c6a..1aa2421 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +309,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +316,21 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -26532,7 +26620,7 @@ index 3136c6a..1aa2421 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +333,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +340,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -26543,7 +26631,7 @@ index 3136c6a..1aa2421 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +344,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +351,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26551,7 +26639,7 @@ index 3136c6a..1aa2421 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +366,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +373,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -26575,7 +26663,7 @@ index 3136c6a..1aa2421 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +402,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +409,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -26589,7 +26677,7 @@ index 3136c6a..1aa2421 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +452,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +459,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26600,7 +26688,7 @@ index 3136c6a..1aa2421 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +479,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +486,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -26610,7 +26698,7 @@ index 3136c6a..1aa2421 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +492,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +499,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -26627,7 +26715,7 @@ index 3136c6a..1aa2421 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +509,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +516,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -26643,7 +26731,7 @@ index 3136c6a..1aa2421 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +522,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +529,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -26651,7 +26739,7 @@ index 3136c6a..1aa2421 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +534,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +541,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26755,7 +26843,7 @@ index 3136c6a..1aa2421 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +641,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +648,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -26813,7 +26901,7 @@ index 3136c6a..1aa2421 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +699,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +706,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26830,7 +26918,7 @@ index 3136c6a..1aa2421 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +723,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +730,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -26851,7 +26939,7 @@ index 3136c6a..1aa2421 100644
  ')
  
  optional_policy(`
-@@ -513,7 +747,13 @@ optional_policy(`
+@@ -513,7 +754,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26866,7 +26954,7 @@ index 3136c6a..1aa2421 100644
  ')
  
  optional_policy(`
-@@ -528,7 +768,19 @@ optional_policy(`
+@@ -528,7 +775,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -26887,7 +26975,7 @@ index 3136c6a..1aa2421 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +789,13 @@ optional_policy(`
+@@ -537,8 +796,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26902,7 +26990,7 @@ index 3136c6a..1aa2421 100644
  	')
  ')
  
-@@ -556,7 +813,13 @@ optional_policy(`
+@@ -556,7 +820,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26911,12 +26999,20 @@ index 3136c6a..1aa2421 100644
 +')
 +
 +optional_policy(`
++	memcached_stream_connect(httpd_t)
++
++	tunable_policy(`httpd_manage_ipa',`
++		memcached_manage_pid_files(httpd_t)
++	')
++')
++
++optional_policy(`
  	# Allow httpd to work with mysql
 +	mysql_read_config(httpd_t)
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +830,7 @@ optional_policy(`
+@@ -567,6 +845,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
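Review bot: `memcached_stream_connect(httpd_t)` in the new optional_policy block is granted unconditionally, while only `memcached_manage_pid_files(httpd_t)` sits under `tunable_policy(`httpd_manage_ipa',`; if the socket access is also needed only for the IPA case, it belongs inside the tunable as well. The tunable's description added earlier in this apache.te section, `Allow httpd processes to manage IPA content`, does not tell an administrator that what it actually enables is write access to memcached's pid files; suggest `##	Allow httpd processes to manage memcached pid files (for IPA)`. The apache.te section continues beyond this hunk.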
@@ -26924,7 +27020,7 @@ index 3136c6a..1aa2421 100644
  ')
  
  optional_policy(`
-@@ -577,6 +841,20 @@ optional_policy(`
+@@ -577,6 +856,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26945,7 +27041,7 @@ index 3136c6a..1aa2421 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +869,11 @@ optional_policy(`
+@@ -591,6 +884,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26957,7 +27053,7 @@ index 3136c6a..1aa2421 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +886,12 @@ optional_policy(`
+@@ -603,6 +901,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -26970,7 +27066,7 @@ index 3136c6a..1aa2421 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +905,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +920,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -26983,7 +27079,7 @@ index 3136c6a..1aa2421 100644
  
  ########################################
  #
-@@ -654,28 +947,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +962,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -27027,7 +27123,7 @@ index 3136c6a..1aa2421 100644
  ')
  
  ########################################
-@@ -685,6 +980,8 @@ optional_policy(`
+@@ -685,6 +995,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -27036,7 +27132,7 @@ index 3136c6a..1aa2421 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +996,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1011,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -27062,7 +27158,7 @@ index 3136c6a..1aa2421 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1042,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1057,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -27095,7 +27191,7 @@ index 3136c6a..1aa2421 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1089,25 @@ optional_policy(`
+@@ -769,6 +1104,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -27121,7 +27217,7 @@ index 3136c6a..1aa2421 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1128,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1143,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -27139,7 +27235,7 @@ index 3136c6a..1aa2421 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1147,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1162,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -27196,7 +27292,7 @@ index 3136c6a..1aa2421 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1198,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1213,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -27227,7 +27323,7 @@ index 3136c6a..1aa2421 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1233,20 @@ optional_policy(`
+@@ -842,10 +1248,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27248,7 +27344,7 @@ index 3136c6a..1aa2421 100644
  ')
  
  ########################################
-@@ -891,11 +1292,135 @@ optional_policy(`
+@@ -891,11 +1307,135 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27493,7 +27589,7 @@ index 1ea99b2..3582863 100644
 +	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..01d69d4 100644
+index 1c8c27e..29bb904 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -27534,7 +27630,15 @@ index 1c8c27e..01d69d4 100644
  dev_read_realtime_clock(apmd_t)
  dev_read_urand(apmd_t)
  dev_rw_apm_bios(apmd_t)
-@@ -114,6 +118,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+@@ -101,7 +105,6 @@ selinux_search_fs(apmd_t)
+ corecmd_exec_all_executables(apmd_t)
+ 
+ domain_read_all_domains_state(apmd_t)
+-domain_dontaudit_ptrace_all_domains(apmd_t)
+ domain_use_interactive_fds(apmd_t)
+ domain_dontaudit_getattr_all_sockets(apmd_t)
+ domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
+@@ -114,6 +117,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
  files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
  files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
  
@@ -27543,7 +27647,7 @@ index 1c8c27e..01d69d4 100644
  init_domtrans_script(apmd_t)
  init_rw_utmp(apmd_t)
  init_telinit(apmd_t)
-@@ -127,10 +133,8 @@ logging_send_audit_msgs(apmd_t)
+@@ -127,10 +132,8 @@ logging_send_audit_msgs(apmd_t)
  miscfiles_read_localization(apmd_t)
  miscfiles_read_hwdata(apmd_t)
  
@@ -27555,7 +27659,7 @@ index 1c8c27e..01d69d4 100644
  
  userdom_dontaudit_use_unpriv_user_fds(apmd_t)
  userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +146,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
  
  	can_exec(apmd_t, apmd_var_run_t)
  
@@ -27566,7 +27670,7 @@ index 1c8c27e..01d69d4 100644
  	')
  
  	optional_policy(`
-@@ -155,6 +158,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
  		netutils_domtrans(apmd_t)
  	')
  
@@ -27582,7 +27686,7 @@ index 1c8c27e..01d69d4 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +193,12 @@ optional_policy(`
+@@ -181,6 +192,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27595,7 +27699,7 @@ index 1c8c27e..01d69d4 100644
  	dbus_system_bus_client(apmd_t)
  
  	optional_policy(`
-@@ -201,7 +219,8 @@ optional_policy(`
+@@ -201,7 +218,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27605,7 +27709,7 @@ index 1c8c27e..01d69d4 100644
  ')
  
  optional_policy(`
-@@ -209,8 +228,9 @@ optional_policy(`
+@@ -209,8 +227,9 @@ optional_policy(`
  	pcmcia_domtrans_cardctl(apmd_t)
  ')
  
@@ -27616,7 +27720,7 @@ index 1c8c27e..01d69d4 100644
  ')
  
  optional_policy(`
-@@ -219,10 +239,6 @@ optional_policy(`
+@@ -219,10 +238,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28926,10 +29030,10 @@ index 0000000..9fe3f9e
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..040aa2e
+index 0000000..dac00da
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,167 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -29068,10 +29172,6 @@ index 0000000..040aa2e
 +allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
 +
-+tunable_policy(`deny_ptrace',`',`
-+	allow boinc_project_t self:process ptrace;
-+')
-+
 +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
@@ -29944,7 +30044,7 @@ index 6ee2cc8..b509c40 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
-index 4c90b57..418eb6b 100644
+index 4c90b57..2e3fb03 100644
 --- a/policy/modules/services/ccs.te
 +++ b/policy/modules/services/ccs.te
 @@ -10,7 +10,7 @@ type ccs_exec_t;
@@ -29956,7 +30056,15 @@ index 4c90b57..418eb6b 100644
  
  type ccs_tmp_t;
  files_tmp_file(ccs_tmp_t)
-@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+@@ -34,7 +34,6 @@ files_pid_file(ccs_var_run_t)
+ 
+ allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+ allow ccs_t self:process { signal setrlimit setsched };
+-dontaudit ccs_t self:process ptrace;
+ allow ccs_t self:fifo_file rw_fifo_file_perms;
+ allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow ccs_t self:unix_dgram_socket create_socket_perms;
+@@ -61,7 +60,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
  manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
  files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
  
@@ -29965,7 +30073,7 @@ index 4c90b57..418eb6b 100644
  manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
  manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
  logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
-@@ -97,6 +97,7 @@ files_read_etc_files(ccs_t)
+@@ -97,6 +96,7 @@ files_read_etc_files(ccs_t)
  files_read_etc_runtime_files(ccs_t)
  
  init_rw_script_tmp_files(ccs_t)
@@ -29973,7 +30081,7 @@ index 4c90b57..418eb6b 100644
  
  logging_send_syslog_msg(ccs_t)
  
-@@ -107,7 +108,7 @@ sysnet_dns_name_resolve(ccs_t)
+@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
  userdom_manage_unpriv_user_shared_mem(ccs_t)
  userdom_manage_unpriv_user_semaphores(ccs_t)
  
@@ -29982,7 +30090,7 @@ index 4c90b57..418eb6b 100644
  	corecmd_dontaudit_write_bin_dirs(ccs_t)
  	files_manage_isid_type_files(ccs_t)
  ')
-@@ -118,5 +119,10 @@ optional_policy(`
+@@ -118,5 +118,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32485,10 +32593,10 @@ index fd15dfe..d33cc41 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..8bd4751 100644
+index e67a003..f5b76dd 100644
 --- a/policy/modules/services/consolekit.te
 +++ b/policy/modules/services/consolekit.te
-@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
+@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
  
@@ -32502,43 +32610,53 @@ index e67a003..8bd4751 100644
  
 -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
 +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
-+tunable_policy(`deny_ptrace',`',`
-+	allow consolekit_t self:capability sys_ptrace;
-+')
 +
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -69,17 +76,23 @@ logging_send_audit_msgs(consolekit_t)
+@@ -43,7 +47,6 @@ dev_read_sysfs(consolekit_t)
+ 
+ domain_read_all_domains_state(consolekit_t)
+ domain_use_interactive_fds(consolekit_t)
+-domain_dontaudit_ptrace_all_domains(consolekit_t)
+ 
+ files_read_etc_files(consolekit_t)
+ files_read_usr_files(consolekit_t)
+@@ -53,8 +56,6 @@ files_search_all_mountpoints(consolekit_t)
+ 
+ fs_list_inotifyfs(consolekit_t)
+ 
+-mcs_ptrace_all(consolekit_t)
+-
+ term_use_all_terms(consolekit_t)
+ 
+ auth_use_nsswitch(consolekit_t)
+@@ -69,17 +70,17 @@ logging_send_audit_msgs(consolekit_t)
  
  miscfiles_read_localization(consolekit_t)
  
 +systemd_exec_systemctl(consolekit_t)
 +
-+# consolekit needs to be able to ptrace all logged in users 
 +userdom_read_all_users_state(consolekit_t)
-+userdom_ptrace_all_users(consolekit_t)
  userdom_dontaudit_read_user_home_content_files(consolekit_t)
 +userdom_dontaudit_getattr_admin_home_files(consolekit_t)
  userdom_read_user_tmp_files(consolekit_t)
  
 -hal_ptrace(consolekit_t)
-+userdom_home_reader(consolekit_t)
- 
+-
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_read_nfs_files(consolekit_t)
-+optional_policy(`
-+	cron_read_system_job_lib_files(consolekit_t)
- ')
+-')
++userdom_home_reader(consolekit_t)
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_read_cifs_files(consolekit_t)
 +optional_policy(`
-+	hal_ptrace(consolekit_t)
++	cron_read_system_job_lib_files(consolekit_t)
  ')
  
  optional_policy(`
-@@ -99,6 +112,10 @@ optional_policy(`
+@@ -99,6 +100,10 @@ optional_policy(`
  ')
  
  optional_policy(`
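Review bot: The comment `# consolekit needs to be able to ptrace all logged in users` is deleted together with `userdom_ptrace_all_users(consolekit_t)`, `mcs_ptrace_all(consolekit_t)` and the `sys_ptrace` capability, so the file no longer says why those grants existed or why read-only access is now considered enough. Leave a one-line note next to the surviving `userdom_read_all_users_state(consolekit_t)`, e.g. `# reading user process state is sufficient here; ptrace access was removed on purpose`, so the grants are not reintroduced on the next denial report. Because `domain_dontaudit_ptrace_all_domains(consolekit_t)` is dropped in the same hunk, any remaining ptrace attempt by consolekit will now show up as an audited denial, which is where that note will be looked for.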
@@ -32549,7 +32667,7 @@ index e67a003..8bd4751 100644
  	policykit_dbus_chat(consolekit_t)
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
-@@ -106,9 +123,10 @@ optional_policy(`
+@@ -106,9 +111,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32562,13 +32680,11 @@ index e67a003..8bd4751 100644
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
  	xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +143,8 @@ optional_policy(`
+@@ -124,6 +130,5 @@ optional_policy(`
+ ')
  
  optional_policy(`
- 	#reading .Xauthity
-+	tunable_policy(`deny_ptrace',`',`
-+		unconfined_ptrace(consolekit_t)
-+	')
+-	#reading .Xauthity
  	unconfined_stream_connect(consolekit_t)
  ')
 diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
@@ -34495,7 +34611,7 @@ index 305ddf4..c9de648 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..f4f2dc5 100644
+index 0f28095..03f22e6 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -34676,7 +34792,15 @@ index 0f28095..f4f2dc5 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -587,23 +616,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+ corenet_tcp_bind_generic_node(cupsd_lpd_t)
+ corenet_udp_bind_generic_node(cupsd_lpd_t)
+ corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++corenet_tcp_connect_printer_port(cupsd_lpd_t)
+ 
+ dev_read_urand(cupsd_lpd_t)
+ dev_read_rand(cupsd_lpd_t)
+@@ -587,23 +617,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
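Review bot: `corenet_tcp_connect_printer_port(cupsd_lpd_t)` lets the cupsd_lpd_t domain open outbound connections to the printer port in addition to the existing `corenet_tcp_connect_ipp_port(cupsd_lpd_t)`, and the hunk gives no reason for the wider reach. Other additions in this patch cite the tracker entry (`# Bug #588563` in denyhosts.te); do the same here, e.g. `# Bug #<bug-id placeholder>: cupsd_lpd connects to the printer port directly`. The cups.te section continues beyond this hunk.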
@@ -34709,7 +34833,7 @@ index 0f28095..f4f2dc5 100644
  ')
  
  ########################################
-@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -34718,7 +34842,7 @@ index 0f28095..f4f2dc5 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -34726,7 +34850,7 @@ index 0f28095..f4f2dc5 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -35304,7 +35428,7 @@ index 1a1becd..115133d 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..c9396db 100644
+index 1bff6ee..4327f89 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -35455,7 +35579,7 @@ index 1bff6ee..c9396db 100644
  #
 +dontaudit session_bus_type self:capability sys_resource;
 +allow session_bus_type self:process { getattr sigkill signal };
-+dontaudit session_bus_type self:process { ptrace setrlimit };
++dontaudit session_bus_type self:process setrlimit;
 +allow session_bus_type self:file { getattr read write };
 +allow session_bus_type self:fifo_file rw_fifo_file_perms;
 +allow session_bus_type self:dbus { send_msg acquire_svc };
@@ -35756,20 +35880,29 @@ index 567865f..3a57eb9 100644
  	admin_pattern($1, denyhosts_var_lock_t)
  ')
 diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
-index 8ba9425..555058a 100644
+index 8ba9425..ca29d0a 100644
 --- a/policy/modules/services/denyhosts.te
 +++ b/policy/modules/services/denyhosts.te
-@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
+@@ -25,7 +25,9 @@ logging_log_file(denyhosts_var_log_t)
  #
  # DenyHosts personal policy.
  #
 -
 +# Bug #588563
 +allow denyhosts_t self:capability sys_tty_config;
++allow denyhosts_t self:fifo_file rw_fifo_file_perms;
  allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
  allow denyhosts_t self:tcp_socket create_socket_perms;
  allow denyhosts_t self:udp_socket create_socket_perms;
-@@ -53,20 +54,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+@@ -45,6 +47,7 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+ 
+ kernel_read_system_state(denyhosts_t)
+ 
++corecmd_exec_shell(denyhosts_t)
+ corecmd_exec_bin(denyhosts_t)
+ 
+ corenet_all_recvfrom_unlabeled(denyhosts_t)
+@@ -53,20 +56,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
  corenet_tcp_sendrecv_generic_node(denyhosts_t)
  corenet_tcp_bind_generic_node(denyhosts_t)
  corenet_tcp_connect_smtp_port(denyhosts_t)
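Review bot: `corecmd_exec_shell(denyhosts_t)` next to the existing `corecmd_exec_bin(denyhosts_t)` lets the daemon run a shell, which is the kind of grant that should carry a justification, and the new `allow denyhosts_t self:fifo_file rw_fifo_file_perms;` is likewise added without one; the only justified line in this section is `# Bug #588563` above `sys_tty_config`. Add the reason at each site, e.g. `# Bug #<bug-id placeholder>: denyhosts spawns shell commands` above the exec_shell line (or whatever the denial actually showed), and a similar line for the fifo_file rule.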
@@ -39265,7 +39398,7 @@ index f590a1f..eb6f870 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..c7a0911 100644
+index 2a69e5e..afb6deb 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -39329,7 +39462,7 @@ index 2a69e5e..c7a0911 100644
  optional_policy(`
  	apache_read_log(fail2ban_t)
  ')
-@@ -94,5 +110,38 @@ optional_policy(`
+@@ -94,5 +110,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39368,6 +39501,11 @@ index 2a69e5e..c7a0911 100644
 +files_search_pids(fail2ban_client_t)
 +
 +miscfiles_read_localization(fail2ban_client_t)
++
++optional_policy(`
++	gnome_dontaudit_search_config(fail2ban_client_t)
++')
++
 diff --git a/policy/modules/services/fcoemon.fc b/policy/modules/services/fcoemon.fc
 new file mode 100644
 index 0000000..83279fb
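Review bot: The final `++` line of this hunk adds an empty line after the closing `')` of the new optional_policy block, so fail2ban.te now ends with a trailing blank line. Drop it so the file ends at the `')`, as the other .te files touched in this patch do.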
@@ -41914,7 +42052,7 @@ index 7cf6763..4a7bc56 100644
 +	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..6fdb0cd 100644
+index 24c6253..c31f21c 100644
 --- a/policy/modules/services/hal.te
 +++ b/policy/modules/services/hal.te
 @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -41953,7 +42091,11 @@ index 24c6253..6fdb0cd 100644
  dev_rw_generic_usb_dev(hald_t)
  dev_setattr_generic_usb_dev(hald_t)
  dev_setattr_usbfs_files(hald_t)
-@@ -140,6 +144,7 @@ domain_dontaudit_ptrace_all_domains(hald_t)
+@@ -136,10 +140,10 @@ dev_read_video_dev(hald_t)
+ 
+ domain_use_interactive_fds(hald_t)
+ domain_read_all_domains_state(hald_t)
+-domain_dontaudit_ptrace_all_domains(hald_t)
  
  files_exec_etc_files(hald_t)
  files_read_etc_files(hald_t)
@@ -41961,7 +42103,7 @@ index 24c6253..6fdb0cd 100644
  files_rw_etc_runtime_files(hald_t)
  files_manage_mnt_dirs(hald_t)
  files_manage_mnt_files(hald_t)
-@@ -165,6 +170,7 @@ fs_manage_fusefs_dirs(hald_t)
+@@ -165,6 +169,7 @@ fs_manage_fusefs_dirs(hald_t)
  fs_rw_removable_blk_files(hald_t)
  
  files_getattr_all_mountpoints(hald_t)
@@ -41969,7 +42111,7 @@ index 24c6253..6fdb0cd 100644
  
  mls_file_read_all_levels(hald_t)
  
-@@ -186,8 +192,6 @@ term_use_unallocated_ttys(hald_t)
+@@ -186,8 +191,6 @@ term_use_unallocated_ttys(hald_t)
  
  auth_use_nsswitch(hald_t)
  
@@ -41978,7 +42120,7 @@ index 24c6253..6fdb0cd 100644
  init_domtrans_script(hald_t)
  init_read_utmp(hald_t)
  #hal runs shutdown, probably need a shutdown domain
-@@ -204,20 +208,25 @@ logging_search_logs(hald_t)
+@@ -204,20 +207,25 @@ logging_search_logs(hald_t)
  miscfiles_read_localization(hald_t)
  miscfiles_read_hwdata(hald_t)
  
@@ -42008,7 +42150,7 @@ index 24c6253..6fdb0cd 100644
  
  optional_policy(`
  	alsa_domtrans(hald_t)
-@@ -252,8 +261,7 @@ optional_policy(`
+@@ -252,8 +260,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42018,7 +42160,7 @@ index 24c6253..6fdb0cd 100644
  
  	init_dbus_chat_script(hald_t)
  
-@@ -263,15 +271,28 @@ optional_policy(`
+@@ -263,15 +270,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42047,7 +42189,7 @@ index 24c6253..6fdb0cd 100644
  	hotplug_read_config(hald_t)
  ')
  
-@@ -280,6 +301,11 @@ optional_policy(`
+@@ -280,6 +300,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42059,7 +42201,7 @@ index 24c6253..6fdb0cd 100644
  	mount_domtrans(hald_t)
  ')
  
-@@ -302,7 +328,7 @@ optional_policy(`
+@@ -302,7 +327,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42068,7 +42210,7 @@ index 24c6253..6fdb0cd 100644
  	policykit_domtrans_auth(hald_t)
  	policykit_domtrans_resolve(hald_t)
  	policykit_read_lib(hald_t)
-@@ -318,6 +344,10 @@ optional_policy(`
+@@ -318,6 +343,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42079,7 +42221,7 @@ index 24c6253..6fdb0cd 100644
  	udev_domtrans(hald_t)
  	udev_read_db(hald_t)
  ')
-@@ -338,6 +368,10 @@ optional_policy(`
+@@ -338,6 +367,10 @@ optional_policy(`
  	virt_manage_images(hald_t)
  ')
  
@@ -42090,7 +42232,7 @@ index 24c6253..6fdb0cd 100644
  ########################################
  #
  # Hal acl local policy
-@@ -358,6 +392,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +391,7 @@ files_search_var_lib(hald_acl_t)
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -42098,7 +42240,7 @@ index 24c6253..6fdb0cd 100644
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -388,7 +423,7 @@ logging_send_syslog_msg(hald_acl_t)
+@@ -388,7 +422,7 @@ logging_send_syslog_msg(hald_acl_t)
  miscfiles_read_localization(hald_acl_t)
  
  optional_policy(`
@@ -42107,7 +42249,7 @@ index 24c6253..6fdb0cd 100644
  	policykit_domtrans_auth(hald_acl_t)
  	policykit_read_lib(hald_acl_t)
  	policykit_read_reload(hald_acl_t)
-@@ -470,6 +505,12 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +504,12 @@ files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -42120,7 +42262,7 @@ index 24c6253..6fdb0cd 100644
  ########################################
  #
  # Local hald dccm policy
-@@ -524,7 +565,9 @@ files_read_usr_files(hald_dccm_t)
+@@ -524,7 +564,9 @@ files_read_usr_files(hald_dccm_t)
  
  miscfiles_read_localization(hald_dccm_t)
  
@@ -44120,6 +44262,20 @@ index 64fd1ff..0f5d0b7 100644
  
  logging_send_syslog_msg(slapd_t)
  
+diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
+index 057a4e4..57491fc 100644
+--- a/policy/modules/services/likewise.fc
++++ b/policy/modules/services/likewise.fc
+@@ -20,7 +20,8 @@
+ /usr/sbin/netlogond			--	gen_context(system_u:object_r:netlogond_exec_t,s0)
+ /usr/sbin/srvsvcd			--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+ 
+-/var/lib/likewise-open(/.*)?			gen_context(system_u:object_r:likewise_var_lib_t,s0)
++/var/lib/likewise-open(/.*)?		gen_context(system_u:object_r:likewise_var_lib_t,s0)
++/var/lib/likewise(/.*)?			gen_context(system_u:object_r:likewise_var_lib_t,s0)
+ /var/lib/likewise-open/\.lsassd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+ /var/lib/likewise-open/\.lwiod		-s	gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+ /var/lib/likewise-open/\.regsd		-s	gen_context(system_u:object_r:lwregd_var_socket_t,s0)
 diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
 index 771e04b..81d98b3 100644
 --- a/policy/modules/services/likewise.if
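Review bot: The new `/var/lib/likewise(/.*)?` entry labels everything below that directory `likewise_var_lib_t`, including sockets, while the `-s` entries on the following lines that give the lsassd/lwiod/regsd sockets their own types still match only `/var/lib/likewise-open/`. If the daemons now create their sockets under `/var/lib/likewise` (which the new path suggests), those sockets will receive the generic var_lib type and any `stream_connect` rule keyed on `lsassd_var_socket_t` and friends will not apply. Mirroring the three `-s` lines for the new path, e.g. `/var/lib/likewise/\.lsassd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)`, keeps both layouts consistent; if the sockets stay under likewise-open this can be ignored.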
@@ -45463,7 +45619,7 @@ index 4d69477..d3b4f39 100644
 +/var/run/ipa_memcached(/.*)?        gen_context(system_u:object_r:memcached_var_run_t,s0)
  /var/run/memcached(/.*)?		gen_context(system_u:object_r:memcached_var_run_t,s0)
 diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
-index db4fd6f..ce07b3f 100644
+index db4fd6f..a32c2f3 100644
 --- a/policy/modules/services/memcached.if
 +++ b/policy/modules/services/memcached.if
 @@ -5,15 +5,14 @@
@@ -45485,7 +45641,52 @@ index db4fd6f..ce07b3f 100644
  	')
  
  	domtrans_pattern($1, memcached_exec_t, memcached_t)
-@@ -57,17 +56,20 @@ interface(`memcached_read_pid_files',`
+@@ -40,6 +39,44 @@ interface(`memcached_read_pid_files',`
+ 
+ ########################################
+ ## <summary>
++##	Manage memcached PID files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`memcached_manage_pid_files',`
++	gen_require(`
++		type memcached_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
++')
++
++########################################
++## <summary>
++##	Connect to memcached over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`memcached_stream_connect',`
++	gen_require(`
++		type memcached_t, memcached_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an memcached environment
+ ## </summary>
+@@ -57,17 +94,20 @@ interface(`memcached_read_pid_files',`
  #
  interface(`memcached_admin',`
  	gen_require(`
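Review bot: `manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)` in the new `memcached_manage_pid_files` passes four arguments to a three-argument pattern (subject, directory type, file type); m4 silently ignores the trailing `memcached_t`, so the rule compiles but reads as a copy of the `stream_connect_pattern` call in the interface below it. Change it to `manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)` and drop the unused requirement. The interface grants full manage (create/delete/rename) on memcached's PID directory, which is appropriate for an init or admin caller; a sentence in the `<summary>` naming the intended caller would discourage wider reuse. The `memcached_admin` interface that follows continues past the end of this hunk.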
@@ -48804,7 +49005,7 @@ index 15448d5..62284bf 100644
 +/usr/lib/systemd/system/yppasswdd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 +/usr/lib/systemd/system/ypxfrd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..7c7f939 100644
+index abe3f7f..4b891ee 100644
 --- a/policy/modules/services/nis.if
 +++ b/policy/modules/services/nis.if
 @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -48925,7 +49126,7 @@ index abe3f7f..7c7f939 100644
 -		type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
 -		type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
 +		type ypbind_t, yppasswdd_t, ypserv_t;
-+		type ypserv_tmp_t, ypserv_conf_t;
++		type ypserv_conf_t;
  		type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
 -		type ypbind_initrc_exec_t, nis_initrc_exec_t;
 +		type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
@@ -48954,7 +49155,7 @@ index abe3f7f..7c7f939 100644
  	ps_process_pattern($1, ypxfr_t)
  
  	nis_initrc_domtrans($1)
-@@ -379,18 +416,18 @@ interface(`nis_admin',`
+@@ -379,18 +416,15 @@ interface(`nis_admin',`
  	role_transition $2 ypbind_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -48970,14 +49171,13 @@ index abe3f7f..7c7f939 100644
  	files_list_etc($1)
  	admin_pattern($1, ypserv_conf_t)
  
-+	files_list_tmp($1)
- 	admin_pattern($1, ypserv_tmp_t)
- 
+-	admin_pattern($1, ypserv_tmp_t)
+-
  	admin_pattern($1, ypserv_var_run_t)
 +	nis_systemctl($1)
  ')
 diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..de34d17 100644
+index 4876cae..e29f5d6 100644
 --- a/policy/modules/services/nis.te
 +++ b/policy/modules/services/nis.te
 @@ -18,12 +18,12 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -48996,16 +49196,19 @@ index 4876cae..de34d17 100644
  type yppasswdd_t;
  type yppasswdd_exec_t;
  init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
-@@ -37,7 +37,7 @@ type ypserv_exec_t;
+@@ -37,10 +37,7 @@ type ypserv_exec_t;
  init_daemon_domain(ypserv_t, ypserv_exec_t)
  
  type ypserv_conf_t;
 -files_type(ypserv_conf_t)
+-
+-type ypserv_tmp_t;
+-files_tmp_file(ypserv_tmp_t)
 +files_config_file(ypserv_conf_t)
  
- type ypserv_tmp_t;
- files_tmp_file(ypserv_tmp_t)
-@@ -52,22 +52,22 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+ type ypserv_var_run_t;
+ files_pid_file(ypserv_var_run_t)
+@@ -52,22 +49,22 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
  type ypxfr_var_run_t;
  files_pid_file(ypxfr_var_run_t)
  
@@ -49033,7 +49236,7 @@ index 4876cae..de34d17 100644
  manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
  files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
  
-@@ -142,8 +142,8 @@ optional_policy(`
+@@ -142,8 +139,8 @@ optional_policy(`
  
  allow yppasswdd_t self:capability dac_override;
  dontaudit yppasswdd_t self:capability sys_tty_config;
@@ -49043,7 +49246,7 @@ index 4876cae..de34d17 100644
  allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
  allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
  allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -211,6 +211,10 @@ optional_policy(`
+@@ -211,6 +208,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49054,7 +49257,7 @@ index 4876cae..de34d17 100644
  	seutil_sigchld_newrole(yppasswdd_t)
  ')
  
-@@ -224,8 +228,8 @@ optional_policy(`
+@@ -224,8 +225,8 @@ optional_policy(`
  #
  
  dontaudit ypserv_t self:capability sys_tty_config;
@@ -49064,6 +49267,17 @@ index 4876cae..de34d17 100644
  allow ypserv_t self:unix_dgram_socket create_socket_perms;
  allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -236,10 +237,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+ 
+ allow ypserv_t ypserv_conf_t:file read_file_perms;
+ 
+-manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+-manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+-files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
+-
+ manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t)
+ files_pid_filetrans(ypserv_t, ypserv_var_run_t, file)
+ 
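Review bot: Removing `ypserv_tmp_t` together with `files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })` leaves `ypserv_t` with no tmp access at all, so if ypserv still writes under /tmp those writes now fail closed and are audited rather than being relabelled into a private type. The removal should be backed by an observation that ypserv no longer creates temporary files, and the commit message should say so; otherwise new AVC denials on /tmp are to be expected. The matching edits to `nis_admin`'s `gen_require` and `admin_pattern` in the earlier nis.if hunks and to the type declaration in nis.te are consistent with this one.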
 diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc
 new file mode 100644
 index 0000000..4af11e2
@@ -50176,6 +50390,97 @@ index b4c5f86..0f1549d 100644
  
  optional_policy(`
  	cron_system_entry(oav_update_t, oav_update_exec_t)
+diff --git a/policy/modules/services/obex.fc b/policy/modules/services/obex.fc
+new file mode 100644
+index 0000000..eebfda8
+--- /dev/null
++++ b/policy/modules/services/obex.fc
+@@ -0,0 +1,4 @@
++
++
++/usr/bin/obex-data-server	--	gen_context(system_u:object_r:obex_exec_t,s0)
++			
+diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if
+new file mode 100644
+index 0000000..2d78f06
+--- /dev/null
++++ b/policy/modules/services/obex.if
+@@ -0,0 +1,43 @@
++## <summary>SELinux policy for obex-data-server</summary>
++
++
++
++########################################
++## <summary>
++##  Transition to obex.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`obex_domtrans',`
++    gen_require(`
++        type obex_t, obex_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    domtrans_pattern($1, obex_exec_t, obex_t)
++')
++
++########################################
++## <summary>
++##  Send and receive messages from
++##  obex over dbus.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`obex_dbus_chat',`
++    gen_require(`
++        type obex_t;
++        class dbus send_msg;
++    ')
++
++    allow $1 obex_t:dbus send_msg;
++    allow obex_t $1:dbus send_msg;
++')
+diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
+new file mode 100644
+index 0000000..4a6f24c
+--- /dev/null
++++ b/policy/modules/services/obex.te
+@@ -0,0 +1,26 @@
++policy_module(obex,1.0.0) 
++
++########################################
++#
++# Declarations
++#
++
++type obex_t;
++type obex_exec_t;
++dbus_system_domain(obex_t, obex_exec_t)
++
++########################################
++#
++# obex local policy
++#
++
++allow obex_t self:fifo_file rw_fifo_file_perms;
++
++dev_read_urand(obex_t)
++
++files_read_etc_files(obex_t)
++
++logging_send_syslog_msg(obex_t)
++
++miscfiles_read_localization(obex_t)
++
 diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
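Review bot: The new obex module indents its `gen_require` blocks and interface bodies with four spaces while the rest of this patch uses tabs, `policy_module(obex,1.0.0) ` carries a trailing space, and obex.fc ends with a tab-only line; tab indentation and a plain blank last line would match the surrounding modules. `dbus_system_domain(obex_t, obex_exec_t)` makes the transition into `obex_t` come from the system bus daemon, but obex-data-server is usually activated on a user's session bus, in which case no transition would ever occur and the confinement would be a no-op — worth confirming which bus activates it on the target system before relying on this domain. The `<summary>` nesting under `<param>` also differs between `obex_domtrans` and `obex_dbus_chat`; keep the two consistent.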
 index bdf8c89..0132b08 100644
 --- a/policy/modules/services/oddjob.fc
@@ -51181,10 +51486,10 @@ index 0000000..548d0a2
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..1c69a1a
+index 0000000..ad76682
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,304 @@
+@@ -0,0 +1,300 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -51253,9 +51558,6 @@ index 0000000..1c69a1a
 +
 +allow piranha_web_t self:capability { setuid sys_nice kill setgid };
 +allow piranha_web_t self:process { getsched setsched signal signull };
-+tunable_policy(`deny_ptrace',`',`
-+	allow piranha_web_t self:process ptrace;
-+')
 +
 +allow piranha_web_t self:rawip_socket create_socket_perms;
 +allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
@@ -51384,7 +51686,6 @@ index 0000000..1c69a1a
 +
 +domain_read_all_domains_state(piranha_pulse_t)
 +domain_getattr_all_domains(piranha_pulse_t)
-+#domain_dontaudit_ptrace_all_domains(piranha_pulse_t)
 +
 +fs_getattr_all_fs(piranha_pulse_t)
 +
@@ -51971,10 +52272,10 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..a8b2f63 100644
+index 1e7169d..9438cc4 100644
 --- a/policy/modules/services/policykit.te
 +++ b/policy/modules/services/policykit.te
-@@ -5,47 +5,73 @@ policy_module(policykit, 1.1.0)
+@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0)
  # Declarations
  #
  
@@ -52041,10 +52342,6 @@ index 1e7169d..a8b2f63 100644
 -allow policykit_t self:process getattr;
 -allow policykit_t self:fifo_file rw_file_perms;
 +allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
-+tunable_policy(`deny_ptrace',`',`
-+	allow policykit_t self:capability sys_ptrace;
-+')
-+
 +allow policykit_t self:process { getsched signal };
  allow policykit_t self:unix_dgram_socket create_socket_perms;
 -allow policykit_t self:unix_stream_socket create_stream_socket_perms;
@@ -52060,7 +52357,7 @@ index 1e7169d..a8b2f63 100644
  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
  
  policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +82,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -52180,7 +52477,7 @@ index 1e7169d..a8b2f63 100644
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,14 +195,21 @@ optional_policy(`
+@@ -118,14 +191,21 @@ optional_policy(`
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -52204,7 +52501,7 @@ index 1e7169d..a8b2f63 100644
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -145,19 +229,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
  files_read_etc_files(policykit_grant_t)
  files_read_usr_files(policykit_grant_t)
  
@@ -52229,7 +52526,7 @@ index 1e7169d..a8b2f63 100644
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,9 +250,8 @@ optional_policy(`
+@@ -167,9 +246,8 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
@@ -52241,7 +52538,7 @@ index 1e7169d..a8b2f63 100644
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -185,13 +267,9 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t)
  files_read_etc_files(policykit_resolve_t)
  files_read_usr_files(policykit_resolve_t)
  
@@ -52252,11 +52549,11 @@ index 1e7169d..a8b2f63 100644
 -logging_send_syslog_msg(policykit_resolve_t)
 -
 -miscfiles_read_localization(policykit_resolve_t)
-+mcs_ptrace_all(policykit_resolve_t)
- 
+-
  userdom_read_all_users_state(policykit_resolve_t)
  
-@@ -207,4 +285,3 @@ optional_policy(`
+ optional_policy(`
+@@ -207,4 +279,3 @@ optional_policy(`
  	kernel_search_proc(policykit_resolve_t)
  	hal_read_state(policykit_resolve_t)
  ')
@@ -52480,10 +52777,10 @@ index 0000000..7dc2c0c
 +')
 diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
 new file mode 100644
-index 0000000..d958b53
+index 0000000..87e8372
 --- /dev/null
 +++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,149 @@
+@@ -0,0 +1,160 @@
 +policy_module(polipo, 1.0.0)
 +
 +########################################
@@ -52532,6 +52829,13 @@ index 0000000..d958b53
 +## </desc>
 +gen_tunable(polipo_session_send_syslog_msg, false)
 +
++## <desc>
++## <p>
++## Allow polipo to connect to all ports > 1023
++## </p>
++## </desc>
++gen_tunable(polipo_connect_all_unreserved, false)
++
 +attribute polipo_daemon;
 +
 +type polipo_t, polipo_daemon;
@@ -52603,6 +52907,10 @@ index 0000000..d958b53
 +
 +logging_send_syslog_msg(polipo_t)
 +
++tunable_policy(`polipo_connect_all_unreserved',`
++    corenet_tcp_connect_all_unreserved_ports(polipo_t)
++')
++
 +tunable_policy(`polipo_use_cifs',`
 +	fs_manage_cifs_files(polipo_t)
 +')
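Review bot: The new `tunable_policy(`polipo_connect_all_unreserved',...` block indents its body with four spaces while the `polipo_use_cifs` block directly below it uses a tab; change the inner line to `	corenet_tcp_connect_all_unreserved_ports(polipo_t)`. The tunable's description in the earlier hunk could also say that enabling it widens polipo's outbound reach to every unreserved TCP port rather than only the ports it proxies for, so an administrator understands the scope of what they are switching on. Defaulting the tunable to false matches the other polipo tunables in this file.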
@@ -56276,7 +56584,7 @@ index 5a9630c..bedca3a 100644
 +	manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
  ')
 diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
-index cb7ecb5..08d19e6 100644
+index cb7ecb5..2b3f6f9 100644
 --- a/policy/modules/services/qpid.te
 +++ b/policy/modules/services/qpid.te
 @@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -56297,7 +56605,7 @@ index cb7ecb5..08d19e6 100644
  ########################################
  #
  # qpidd local policy
-@@ -30,27 +33,34 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -30,27 +33,35 @@ allow qpidd_t self:shm create_shm_perms;
  allow qpidd_t self:tcp_socket create_stream_socket_perms;
  allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -56328,6 +56636,7 @@ index cb7ecb5..08d19e6 100644
 -corenet_tcp_bind_generic_node(qpidd_t)
  corenet_tcp_bind_amqp_port(qpidd_t)
 +corenet_tcp_bind_matahari_port(qpidd_t)
++corenet_tcp_connect_amqp_port(qpidd_t)
  
 +dev_read_sysfs(qpidd_t)
  dev_read_urand(qpidd_t)
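Review bot: `corenet_tcp_connect_amqp_port(qpidd_t)` lets the broker open outbound connections to other AMQP brokers in addition to accepting them, and nothing in the hunk records which feature needs that. A one-line comment above it, e.g. `# qpidd connects to peer brokers for federation/cluster links`, would document the reason for the grant; if only some deployments use that feature, a tunable along the lines of the `polipo_connect_all_unreserved` one elsewhere in this patch would be the tighter option.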
@@ -56337,7 +56646,7 @@ index cb7ecb5..08d19e6 100644
  
  logging_send_syslog_msg(qpidd_t)
  
-@@ -61,3 +71,8 @@ sysnet_dns_name_resolve(qpidd_t)
+@@ -61,3 +72,8 @@ sysnet_dns_name_resolve(qpidd_t)
  optional_policy(`
  	corosync_stream_connect(qpidd_t)
  ')
@@ -57096,7 +57405,7 @@ index 7dc38d1..808f9c6 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..d3d5f2b 100644
+index 00fa514..4a9758b 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -57123,18 +57432,17 @@ index 00fa514..d3d5f2b 100644
  type rgmanager_tmp_t;
  files_tmp_file(rgmanager_tmp_t)
  
-@@ -35,9 +37,8 @@ files_pid_file(rgmanager_var_run_t)
+@@ -35,9 +37,7 @@ files_pid_file(rgmanager_var_run_t)
  #
  
  allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
 -dontaudit rgmanager_t self:capability { sys_ptrace };
  allow rgmanager_t self:process { setsched signal };
 -dontaudit rgmanager_t self:process { ptrace };
-+dontaudit rgmanager_t self:process ptrace;
  
  allow rgmanager_t self:fifo_file rw_fifo_file_perms;
  allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
-@@ -55,11 +56,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+@@ -55,11 +55,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
  manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
  logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
  
@@ -57150,7 +57458,7 @@ index 00fa514..d3d5f2b 100644
  kernel_read_system_state(rgmanager_t)
  kernel_rw_rpc_sysctls(rgmanager_t)
  kernel_search_debugfs(rgmanager_t)
-@@ -67,7 +71,6 @@ kernel_search_network_state(rgmanager_t)
+@@ -67,7 +70,6 @@ kernel_search_network_state(rgmanager_t)
  
  corecmd_exec_bin(rgmanager_t)
  corecmd_exec_shell(rgmanager_t)
@@ -57158,9 +57466,11 @@ index 00fa514..d3d5f2b 100644
  
  # need to write to /dev/misc/dlm-control
  dev_rw_dlm_control(rgmanager_t)
-@@ -78,29 +81,35 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t)
+ 
+ domain_read_all_domains_state(rgmanager_t)
  domain_getattr_all_domains(rgmanager_t)
- domain_dontaudit_ptrace_all_domains(rgmanager_t)
+-domain_dontaudit_ptrace_all_domains(rgmanager_t)
  
 -files_list_all(rgmanager_t)
 +files_create_var_run_dirs(rgmanager_t)
@@ -57198,7 +57508,7 @@ index 00fa514..d3d5f2b 100644
  
  tunable_policy(`rgmanager_can_network_connect',`
  	corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +127,14 @@ optional_policy(`
+@@ -118,6 +125,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57213,7 +57523,7 @@ index 00fa514..d3d5f2b 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +157,16 @@ optional_policy(`
+@@ -140,6 +155,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57230,7 +57540,7 @@ index 00fa514..d3d5f2b 100644
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
-@@ -165,6 +192,8 @@ optional_policy(`
+@@ -165,6 +190,8 @@ optional_policy(`
  optional_policy(`
  	rpc_initrc_domtrans_nfsd(rgmanager_t)
  	rpc_initrc_domtrans_rpcd(rgmanager_t)
@@ -58611,7 +58921,7 @@ index f7826f9..23d579c 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..7582159 100644
+index 33e72e8..8e98863 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -58783,7 +59093,15 @@ index 33e72e8..7582159 100644
  	nscd_dontaudit_search_pid(ricci_modservice_t)
  ')
  
-@@ -444,22 +470,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -418,7 +444,6 @@ optional_policy(`
+ #
+ 
+ allow ricci_modstorage_t self:process { setsched signal };
+-dontaudit ricci_modstorage_t self:process ptrace;
+ allow ricci_modstorage_t self:capability { mknod sys_nice };
+ allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
+ allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
+@@ -444,22 +469,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -58813,7 +59131,7 @@ index 33e72e8..7582159 100644
  optional_policy(`
  	aisexec_stream_connect(ricci_modstorage_t)
  	corosync_stream_connect(ricci_modstorage_t)
-@@ -471,12 +497,24 @@ optional_policy(`
+@@ -471,12 +496,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61724,7 +62042,7 @@ index 275f9fb..f1343b7 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..73fdfdc 100644
+index 3d8d1b3..035a27f 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
 @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -61776,7 +62094,15 @@ index 3d8d1b3..73fdfdc 100644
  
  corecmd_exec_bin(snmpd_t)
  corecmd_exec_shell(snmpd_t)
-@@ -94,15 +98,19 @@ files_search_home(snmpd_t)
+@@ -83,7 +87,6 @@ dev_getattr_usbfs_dirs(snmpd_t)
+ domain_use_interactive_fds(snmpd_t)
+ domain_signull_all_domains(snmpd_t)
+ domain_read_all_domains_state(snmpd_t)
+-domain_dontaudit_ptrace_all_domains(snmpd_t)
+ domain_exec_all_entry_files(snmpd_t)
+ 
+ files_read_etc_files(snmpd_t)
+@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
  fs_getattr_all_dirs(snmpd_t)
  fs_getattr_all_fs(snmpd_t)
  fs_search_auto_mountpoints(snmpd_t)
@@ -61797,7 +62123,7 @@ index 3d8d1b3..73fdfdc 100644
  
  logging_send_syslog_msg(snmpd_t)
  
-@@ -115,7 +123,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
  userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
  userdom_dontaudit_search_user_home_dirs(snmpd_t)
  
@@ -63330,10 +63656,10 @@ index 22adaca..6ec295a 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..cf94c2b 100644
+index 2dad3c8..4a63fae 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
+@@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
  #
  
  ## <desc>
@@ -63354,13 +63680,6 @@ index 2dad3c8..cf94c2b 100644
 +gen_tunable(ssh_sysadm_login, false)
 +
 +## <desc>
-+##	<p>
-+##	allow sshd to forward port connections
-+##	</p>
-+## </desc>
-+gen_tunable(sshd_forward_ports, false)
-+
-+## <desc>
  ## <p>
 -## Allow ssh logins as sysadm_r:sysadm_t
 +## Allow ssh with chroot env to read and write files 
@@ -63384,7 +63703,7 @@ index 2dad3c8..cf94c2b 100644
  
  type sshd_exec_t;
  corecmd_executable_file(sshd_exec_t)
-@@ -33,17 +51,12 @@ corecmd_executable_file(sshd_exec_t)
+@@ -33,17 +44,12 @@ corecmd_executable_file(sshd_exec_t)
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
  
@@ -63405,7 +63724,7 @@ index 2dad3c8..cf94c2b 100644
  type ssh_t;
  type ssh_exec_t;
  typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -76,8 +89,12 @@ ubac_constrained(ssh_tmpfs_t)
+@@ -76,8 +82,12 @@ ubac_constrained(ssh_tmpfs_t)
  type ssh_home_t;
  typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
@@ -63419,7 +63738,7 @@ index 2dad3c8..cf94c2b 100644
  
  ##############################
  #
-@@ -88,6 +105,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -88,6 +98,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -63427,7 +63746,7 @@ index 2dad3c8..cf94c2b 100644
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
-@@ -95,15 +113,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -95,15 +106,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -63444,7 +63763,7 @@ index 2dad3c8..cf94c2b 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,20 +127,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,20 +120,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -63474,7 +63793,7 @@ index 2dad3c8..cf94c2b 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,7 +158,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,7 +151,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -63486,7 +63805,7 @@ index 2dad3c8..cf94c2b 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -162,31 +186,24 @@ logging_read_generic_logs(ssh_t)
+@@ -162,31 +179,24 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -63527,7 +63846,7 @@ index 2dad3c8..cf94c2b 100644
  ')
  
  # for port forwarding
-@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +206,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
  optional_policy(`
@@ -63543,7 +63862,7 @@ index 2dad3c8..cf94c2b 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +224,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -63565,7 +63884,7 @@ index 2dad3c8..cf94c2b 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +249,44 @@ optional_policy(`
+@@ -232,33 +242,39 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -63596,11 +63915,6 @@ index 2dad3c8..cf94c2b 100644
 +userdom_signal_unpriv_users(sshd_t)
 +userdom_dyntransition_unpriv_users(sshd_t)
 +
-+tunable_policy(`sshd_forward_ports',`
-+	corenet_tcp_bind_all_unreserved_ports(sshd_t)
-+	corenet_tcp_connect_all_ports(sshd_t)
-+')
-+
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
@@ -63619,7 +63933,7 @@ index 2dad3c8..cf94c2b 100644
  ')
  
  optional_policy(`
-@@ -266,11 +294,24 @@ optional_policy(`
+@@ -266,11 +282,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63645,7 +63959,7 @@ index 2dad3c8..cf94c2b 100644
  ')
  
  optional_policy(`
-@@ -284,6 +325,15 @@ optional_policy(`
+@@ -284,6 +313,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63661,7 +63975,7 @@ index 2dad3c8..cf94c2b 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +342,26 @@ optional_policy(`
+@@ -292,26 +330,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -63707,7 +64021,7 @@ index 2dad3c8..cf94c2b 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +372,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +360,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -63735,7 +64049,7 @@ index 2dad3c8..cf94c2b 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +408,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +396,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -63749,7 +64063,7 @@ index 2dad3c8..cf94c2b 100644
  ')
  
  optional_policy(`
-@@ -363,3 +422,77 @@ optional_policy(`
+@@ -363,3 +410,77 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -64599,7 +64913,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..1aebd23 100644
+index db9d2a5..7f1a022 100644
 --- a/policy/modules/services/tuned.te
 +++ b/policy/modules/services/tuned.te
 @@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t)
@@ -64619,7 +64933,16 @@ index db9d2a5..1aebd23 100644
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
  
-@@ -58,6 +59,10 @@ optional_policy(`
+@@ -47,6 +48,8 @@ files_read_etc_files(tuned_t)
+ files_read_usr_files(tuned_t)
+ files_dontaudit_search_home(tuned_t)
+ 
++auth_use_nsswitch(tuned_t)
++
+ logging_send_syslog_msg(tuned_t)
+ 
+ miscfiles_read_localization(tuned_t)
+@@ -58,6 +61,10 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -68682,7 +69005,7 @@ index 130ced9..51e7627 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..a3e787d 100644
+index 143c893..163158e 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -68996,17 +69319,13 @@ index 143c893..a3e787d 100644
  ')
  
  optional_policy(`
-@@ -305,19 +396,40 @@ optional_policy(`
+@@ -305,19 +396,36 @@ optional_policy(`
  #
  
  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
 +
 +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
-+tunable_policy(`deny_ptrace',`',`
-+	allow xdm_t self:process ptrace;
-+')
-+
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
@@ -69040,7 +69359,7 @@ index 143c893..a3e787d 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +437,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +433,63 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -69110,7 +69429,7 @@ index 143c893..a3e787d 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +502,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +498,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -69138,7 +69457,7 @@ index 143c893..a3e787d 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +533,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +529,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -69186,13 +69505,12 @@ index 143c893..a3e787d 100644
  domain_use_interactive_fds(xdm_t)
  # Do not audit denied probes of /proc.
  domain_dontaudit_read_all_domains_state(xdm_t)
-+domain_dontaudit_ptrace_all_domains(xdm_t)
 +domain_dontaudit_signal_all_domains(xdm_t)
 +domain_dontaudit_getattr_all_entry_files(xdm_t)
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -435,9 +586,25 @@ files_list_mnt(xdm_t)
+@@ -435,9 +581,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -69218,7 +69536,7 @@ index 143c893..a3e787d 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +613,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +608,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -69258,7 +69576,7 @@ index 143c893..a3e787d 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +652,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +647,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -69308,7 +69626,7 @@ index 143c893..a3e787d 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -507,11 +702,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +697,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -69330,7 +69648,7 @@ index 143c893..a3e787d 100644
  ')
  
  optional_policy(`
-@@ -519,12 +724,63 @@ optional_policy(`
+@@ -519,12 +719,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69394,7 +69712,7 @@ index 143c893..a3e787d 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +798,69 @@ optional_policy(`
+@@ -542,28 +793,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69473,7 +69791,7 @@ index 143c893..a3e787d 100644
  ')
  
  optional_policy(`
-@@ -575,6 +872,14 @@ optional_policy(`
+@@ -575,6 +867,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69488,7 +69806,7 @@ index 143c893..a3e787d 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,6 +905,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -600,6 +900,7 @@ allow xserver_t input_xevent_t:x_event send;
  # NVIDIA Needs execstack
  
  allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
@@ -69496,7 +69814,7 @@ index 143c893..a3e787d 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -69512,7 +69830,7 @@ index 143c893..a3e787d 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -69534,7 +69852,7 @@ index 143c893..a3e787d 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -69542,7 +69860,7 @@ index 143c893..a3e787d 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,21 +993,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +988,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -69573,7 +69891,7 @@ index 143c893..a3e787d 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1020,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -69587,7 +69905,7 @@ index 143c893..a3e787d 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1044,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1039,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -69596,7 +69914,7 @@ index 143c893..a3e787d 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1051,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1046,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -69611,7 +69929,7 @@ index 143c893..a3e787d 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1110,40 @@ optional_policy(`
+@@ -778,16 +1105,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69653,7 +69971,7 @@ index 143c893..a3e787d 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1152,10 @@ optional_policy(`
+@@ -796,6 +1147,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69664,7 +69982,7 @@ index 143c893..a3e787d 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1166,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -69678,7 +69996,7 @@ index 143c893..a3e787d 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1177,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -69687,7 +70005,7 @@ index 143c893..a3e787d 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,26 +1195,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1190,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -69722,7 +70040,7 @@ index 143c893..a3e787d 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1217,10 @@ optional_policy(`
+@@ -862,6 +1212,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -69733,7 +70051,7 @@ index 143c893..a3e787d 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1259,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -69742,7 +70060,7 @@ index 143c893..a3e787d 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1318,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1313,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -69774,7 +70092,7 @@ index 143c893..a3e787d 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1364,31 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1359,31 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -69914,7 +70232,7 @@ index c9981d1..75a7d17 100644
  	init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..4d704e8 100644
+index 7f88f5f..7d8a06e 100644
 --- a/policy/modules/services/zabbix.te
 +++ b/policy/modules/services/zabbix.te
 @@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1)
@@ -69972,7 +70290,7 @@ index 7f88f5f..4d704e8 100644
  # shared memory
  rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
  fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,25 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
  
@@ -69984,8 +70302,10 @@ index 7f88f5f..4d704e8 100644
 +
  corenet_tcp_bind_generic_node(zabbix_t)
  corenet_tcp_bind_zabbix_port(zabbix_t)
-+#needed by zabbix-server-mysql
++# needed by zabbix-server-mysql
 +corenet_tcp_connect_http_port(zabbix_t)
++# to monitor ftp urls
++corenet_tcp_connect_ftp_port(zabbix_t)
 +
 +dev_read_urand(zabbix_t)
  
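Review bot: `corenet_tcp_connect_ftp_port(zabbix_t)` is granted unconditionally, although monitoring FTP URLs is an optional feature and the same file already gates the wider outbound connectivity behind the `zabbix_can_network` boolean a few lines further down. Moving the new line into that `tunable_policy` block (or behind a boolean of its own) keeps the default policy from permitting outbound FTP connections from the server domain. The `corenet_tcp_connect_http_port` grant above it has a concrete justification in its comment (zabbix-server-mysql), so it is a different case. The enclosing rule group continues outside the hunk.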
@@ -70001,8 +70321,8 @@ index 7f88f5f..4d704e8 100644
  zabbix_agent_tcp_connect(zabbix_t)
  
 +tunable_policy(`zabbix_can_network',`
-+    corenet_tcp_connect_all_unreserved_ports(zabbix_t)
-+    corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
++	corenet_tcp_connect_all_unreserved_ports(zabbix_t)
++	corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
 +')
 +
  optional_policy(`
@@ -70028,7 +70348,7 @@ index 7f88f5f..4d704e8 100644
  ########################################
  #
  # zabbix agent local policy
-@@ -134,3 +179,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
+@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
  
  # Network access to zabbix server
  zabbix_tcp_connect(zabbix_agent_t)
@@ -73194,7 +73514,7 @@ index 94fd8dd..5a52670 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..2a26b46 100644
+index 29a9565..26fe806 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -73634,7 +73954,7 @@ index 29a9565..2a26b46 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +520,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +520,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -73650,7 +73970,11 @@ index 29a9565..2a26b46 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +538,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+-domain_dontaudit_ptrace_all_domains(initrc_t)
+ domain_getsession_all_domains(initrc_t)
+ domain_use_interactive_fds(initrc_t)
+ # for lsof which is used by alsa shutdown:
+@@ -316,6 +537,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
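Review bot: With `domain_dontaudit_ptrace_all_domains(initrc_t)` dropped and no allow rule taking its place, ptrace attempts by init scripts (the kept comment `# for lsof which is used by alsa shutdown:` two lines above suggests such probing does happen) will now produce AVC denials instead of being silenced. That is a reasonable choice if the intent is to make ptrace use visible for auditing, and it matches the removal of the same dontaudit for xdm_t later in this patch, but nothing in the .te records it as deliberate, so the next maintainer chasing the new denials is likely to re-add the dontaudit. A one-line comment where the rule used to be, e.g. `# ptrace denials are intentionally audited; see deny_ptrace handling`, would prevent that, adjusted to whatever the commit message gives as the reason.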
@@ -73658,7 +73982,7 @@ index 29a9565..2a26b46 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +546,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +545,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -73670,7 +73994,7 @@ index 29a9565..2a26b46 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +565,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +564,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -73684,7 +74008,7 @@ index 29a9565..2a26b46 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,8 +580,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +579,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -73692,12 +74016,13 @@ index 29a9565..2a26b46 100644
 +fs_getattr_nfsd_files(initrc_t)
  
  # initrc_t needs to do a pidof which requires ptrace
+-mcs_ptrace_all(initrc_t)
 +mcs_file_read_all(initrc_t)
 +mcs_file_write_all(initrc_t)
- mcs_ptrace_all(initrc_t)
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
-@@ -363,6 +596,7 @@ mls_process_read_up(initrc_t)
+ 
+@@ -363,6 +594,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
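Review bot: The comment `# initrc_t needs to do a pidof which requires ptrace` survives on the new side while the rule it explained, `mcs_ptrace_all(initrc_t)`, is removed directly beneath it, so it now heads `mcs_file_read_all`, `mcs_file_write_all` and `mcs_killall`, none of which concern ptrace. Either drop the comment or reword it to what the remaining lines are for, e.g. `# initrc_t reads, writes and signals processes across MCS categories`. If pidof genuinely still needs ptrace across categories, confirm it is covered elsewhere, otherwise init scripts that rely on it will start failing with denials. The later hunk that drops the same `mcs_ptrace_all(initrc_t)` line inside the unconfined optional_policy block has no comment attached and needs no further change.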
@@ -73705,7 +74030,7 @@ index 29a9565..2a26b46 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +608,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +606,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -73713,7 +74038,7 @@ index 29a9565..2a26b46 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +629,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +627,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -73735,7 +74060,7 @@ index 29a9565..2a26b46 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +692,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +690,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -73746,7 +74071,7 @@ index 29a9565..2a26b46 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +716,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +714,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -73755,7 +74080,7 @@ index 29a9565..2a26b46 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +731,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +729,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -73763,7 +74088,7 @@ index 29a9565..2a26b46 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +761,35 @@ ifdef(`distro_redhat',`
+@@ -522,8 +759,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -73799,7 +74124,7 @@ index 29a9565..2a26b46 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +797,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +795,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -73822,7 +74147,7 @@ index 29a9565..2a26b46 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +827,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +825,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -73862,7 +74187,7 @@ index 29a9565..2a26b46 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +872,8 @@ optional_policy(`
+@@ -561,6 +870,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -73871,7 +74196,7 @@ index 29a9565..2a26b46 100644
  ')
  
  optional_policy(`
-@@ -577,6 +890,7 @@ optional_policy(`
+@@ -577,6 +888,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -73879,7 +74204,7 @@ index 29a9565..2a26b46 100644
  ')
  
  optional_policy(`
-@@ -589,6 +903,17 @@ optional_policy(`
+@@ -589,6 +901,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73897,7 +74222,7 @@ index 29a9565..2a26b46 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +930,13 @@ optional_policy(`
+@@ -605,9 +928,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -73911,7 +74236,7 @@ index 29a9565..2a26b46 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +961,10 @@ optional_policy(`
+@@ -632,6 +959,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73922,7 +74247,7 @@ index 29a9565..2a26b46 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +982,11 @@ optional_policy(`
+@@ -649,6 +980,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73934,7 +74259,7 @@ index 29a9565..2a26b46 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1027,7 @@ optional_policy(`
+@@ -689,6 +1025,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -73942,7 +74267,7 @@ index 29a9565..2a26b46 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1045,13 @@ optional_policy(`
+@@ -706,7 +1043,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73956,7 +74281,7 @@ index 29a9565..2a26b46 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1074,10 @@ optional_policy(`
+@@ -729,6 +1072,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73967,7 +74292,7 @@ index 29a9565..2a26b46 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1087,20 @@ optional_policy(`
+@@ -738,10 +1085,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73988,7 +74313,7 @@ index 29a9565..2a26b46 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1109,10 @@ optional_policy(`
+@@ -750,6 +1107,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73999,7 +74324,7 @@ index 29a9565..2a26b46 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1134,6 @@ optional_policy(`
+@@ -771,8 +1132,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -74008,7 +74333,7 @@ index 29a9565..2a26b46 100644
  ')
  
  optional_policy(`
-@@ -781,6 +1142,10 @@ optional_policy(`
+@@ -781,6 +1140,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74019,7 +74344,7 @@ index 29a9565..2a26b46 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -790,10 +1155,12 @@ optional_policy(`
+@@ -790,10 +1153,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -74032,7 +74357,7 @@ index 29a9565..2a26b46 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1172,6 @@ optional_policy(`
+@@ -805,7 +1170,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74040,7 +74365,7 @@ index 29a9565..2a26b46 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1181,26 @@ optional_policy(`
+@@ -815,11 +1179,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74062,13 +74387,12 @@ index 29a9565..2a26b46 100644
 +	mcs_file_write_all(initrc_t)
 +	mcs_socket_write_all_levels(initrc_t)
 +	mcs_killall(initrc_t)
-+	mcs_ptrace_all(initrc_t)
 +
 +	files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1210,18 @@ optional_policy(`
+@@ -829,6 +1207,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -74087,7 +74411,7 @@ index 29a9565..2a26b46 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1237,10 @@ optional_policy(`
+@@ -844,6 +1234,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74098,7 +74422,7 @@ index 29a9565..2a26b46 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1251,161 @@ optional_policy(`
+@@ -854,3 +1248,161 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -75316,7 +75640,7 @@ index 808ba93..4ff705d 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..eae9427 100644
+index e5836d3..cc8dabb 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -75328,7 +75652,14 @@ index e5836d3..eae9427 100644
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -79,6 +79,7 @@ corecmd_search_bin(ldconfig_t)
+@@ -75,10 +75,14 @@ kernel_read_system_state(ldconfig_t)
+ 
+ fs_getattr_xattr_fs(ldconfig_t)
+ 
++files_list_var_lib(ldconfig_t)
++files_manage_var_lib_symlinks(ldconfig_t)
++
+ corecmd_search_bin(ldconfig_t)
  
  domain_use_interactive_fds(ldconfig_t)
  
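Review bot: `files_manage_var_lib_symlinks(ldconfig_t)` lets ldconfig create, delete and rename symlinks anywhere under /var/lib that carries the generic var_lib_t label, and no comment says which path it actually needs, although this file annotates comparable grants (`# leaked fds from portage`). If the symlinks live in one known directory, a dedicated type with a filetrans for that directory, the way ld.so.cache is handled with ld_so_cache_t above, would be considerably narrower than write access to all of var_lib_t. With `files_list_var_lib` added, the existing `files_search_var_lib(ldconfig_t)` a few lines below is presumably subsumed (listing implies search) and could be removed. At minimum a why-comment such as `# ldconfig maintains library symlinks under /var/lib/<PATH - fill in>` should record the reason for the grant.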
@@ -75336,7 +75667,7 @@ index e5836d3..eae9427 100644
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
-@@ -94,7 +95,8 @@ miscfiles_read_localization(ldconfig_t)
+@@ -94,7 +98,8 @@ miscfiles_read_localization(ldconfig_t)
  
  logging_send_syslog_msg(ldconfig_t)
  
@@ -75346,7 +75677,7 @@ index e5836d3..eae9427 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +105,12 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +108,12 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -75359,7 +75690,7 @@ index e5836d3..eae9427 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +125,9 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
@@ -75369,7 +75700,7 @@ index e5836d3..eae9427 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +142,10 @@ optional_policy(`
+@@ -131,6 +145,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75380,7 +75711,7 @@ index e5836d3..eae9427 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +156,3 @@ optional_policy(`
+@@ -141,6 +159,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -75944,10 +76275,10 @@ index 831b909..118f708 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..dc551f4 100644
+index b6ec597..709fc74 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
+@@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
  # Declarations
  #
  
@@ -75958,10 +76289,17 @@ index b6ec597..dc551f4 100644
 +## </desc>
 +gen_tunable(logging_syslogd_can_sendmail, false)
 +
++## <desc>
++## <p>
++## Allow syslogd the ability to read/write terminals
++## </p>
++## </desc>
++gen_tunable(logging_syslogd_use_tty, false)
++
  attribute logfile;
  
  type auditctl_t;
-@@ -20,6 +27,7 @@ files_security_file(auditd_log_t)
+@@ -20,6 +34,7 @@ files_security_file(auditd_log_t)
  files_security_mountpoint(auditd_log_t)
  
  type audit_spool_t;
@@ -75969,7 +76307,7 @@ index b6ec597..dc551f4 100644
  files_security_file(audit_spool_t)
  files_security_mountpoint(audit_spool_t)
  
-@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t)
+@@ -64,6 +79,7 @@ files_config_file(syslog_conf_t)
  type syslogd_t;
  type syslogd_exec_t;
  init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -75977,7 +76315,7 @@ index b6ec597..dc551f4 100644
  
  type syslogd_initrc_exec_t;
  init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +127,7 @@ domain_use_interactive_fds(auditctl_t)
  
  mls_file_read_all_levels(auditctl_t)
  
@@ -75986,7 +76324,7 @@ index b6ec597..dc551f4 100644
  
  init_dontaudit_use_fds(auditctl_t)
  
-@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +199,19 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -76007,7 +76345,7 @@ index b6ec597..dc551f4 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +256,17 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
  
@@ -76025,7 +76363,7 @@ index b6ec597..dc551f4 100644
  
  logging_send_syslog_msg(audisp_t)
  
-@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +276,10 @@ sysnet_dns_name_resolve(audisp_t)
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
@@ -76036,7 +76374,7 @@ index b6ec597..dc551f4 100644
  ')
  
  ########################################
-@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +310,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -76057,7 +76395,7 @@ index b6ec597..dc551f4 100644
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -354,11 +386,12 @@ optional_policy(`
+@@ -354,11 +393,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
@@ -76072,7 +76410,7 @@ index b6ec597..dc551f4 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -76080,7 +76418,7 @@ index b6ec597..dc551f4 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +426,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -76096,10 +76434,15 @@ index b6ec597..dc551f4 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +466,22 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,10 +473,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
++tunable_policy(`logging_syslogd_use_tty',`
++   term_use_all_ttys(syslogd_t)
++   term_use_all_ptys(syslogd_t)
++')
++
 +tunable_policy(`logging_syslogd_can_sendmail',`
 +	# support for ommail module to send logs via mail
 +	corenet_tcp_connect_smtp_port(syslogd_t)
@@ -76119,7 +76462,7 @@ index b6ec597..dc551f4 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -447,7 +499,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -447,7 +511,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
@@ -76129,7 +76472,7 @@ index b6ec597..dc551f4 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +513,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +525,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -76137,7 +76480,7 @@ index b6ec597..dc551f4 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -496,11 +551,20 @@ optional_policy(`
+@@ -496,11 +563,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76365,7 +76708,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..653277a 100644
+index a0a0ebf..c5c9312 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -76387,7 +76730,14 @@ index a0a0ebf..653277a 100644
  
  type lvm_lock_t;
  files_lock_file(lvm_lock_t)
-@@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t)
+ allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+ dontaudit clvmd_t self:capability sys_tty_config;
+ allow clvmd_t self:process { signal_perms setsched };
+-dontaudit clvmd_t self:process ptrace;
+ allow clvmd_t self:socket create_socket_perms;
+ allow clvmd_t self:fifo_file rw_fifo_file_perms;
+ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow clvmd_t self:tcp_socket create_stream_socket_perms;
  allow clvmd_t self:udp_socket create_socket_perms;
  
@@ -76398,7 +76748,7 @@ index a0a0ebf..653277a 100644
  manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
  files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
  
-@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
+@@ -141,6 +147,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -76410,7 +76760,7 @@ index a0a0ebf..653277a 100644
  	ccs_stream_connect(clvmd_t)
  ')
  
-@@ -167,9 +179,10 @@ optional_policy(`
+@@ -167,9 +178,10 @@ optional_policy(`
  # net_admin for multipath
  allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
  dontaudit lvm_t self:capability sys_tty_config;
@@ -76422,7 +76772,7 @@ index a0a0ebf..653277a 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,8 +204,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
  can_exec(lvm_t, lvm_exec_t)
  
  # Creating lock files
@@ -76433,7 +76783,7 @@ index a0a0ebf..653277a 100644
  
  manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
  manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -200,8 +214,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -200,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
  
  manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
  manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -76444,7 +76794,7 @@ index a0a0ebf..653277a 100644
  
  read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
  read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -213,11 +228,13 @@ files_search_mnt(lvm_t)
+@@ -213,11 +227,13 @@ files_search_mnt(lvm_t)
  
  kernel_get_sysvipc_info(lvm_t)
  kernel_read_system_state(lvm_t)
@@ -76458,7 +76808,7 @@ index a0a0ebf..653277a 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -228,11 +245,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -228,11 +244,13 @@ dev_delete_generic_dirs(lvm_t)
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
@@ -76473,7 +76823,7 @@ index a0a0ebf..653277a 100644
  # cjp: this has no effect since LVM does not
  # have lnk_file relabelto for anything else.
  # perhaps this should be blk_files?
-@@ -244,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -76481,7 +76831,7 @@ index a0a0ebf..653277a 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -253,17 +273,21 @@ files_read_etc_files(lvm_t)
+@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -76504,7 +76854,7 @@ index a0a0ebf..653277a 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -283,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
  
@@ -76513,7 +76863,7 @@ index a0a0ebf..653277a 100644
  
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
-@@ -292,6 +316,8 @@ init_read_script_state(lvm_t)
+@@ -292,6 +315,8 @@ init_read_script_state(lvm_t)
  
  logging_send_syslog_msg(lvm_t)
  
@@ -76522,7 +76872,7 @@ index a0a0ebf..653277a 100644
  miscfiles_read_localization(lvm_t)
  
  seutil_read_config(lvm_t)
-@@ -299,7 +325,10 @@ seutil_read_file_contexts(lvm_t)
+@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t)
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
@@ -76533,7 +76883,7 @@ index a0a0ebf..653277a 100644
  
  ifdef(`distro_redhat',`
  	# this is from the initrd:
-@@ -311,6 +340,11 @@ ifdef(`distro_redhat',`
+@@ -311,6 +339,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -76545,7 +76895,7 @@ index a0a0ebf..653277a 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -331,14 +365,27 @@ optional_policy(`
+@@ -331,14 +364,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77310,7 +77660,7 @@ index 8b5c196..da41726 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..aa18423 100644
+index 15832c7..5c5ecf6 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,17 +17,29 @@ type mount_exec_t;
@@ -77348,24 +77698,20 @@ index 15832c7..aa18423 100644
  
  ########################################
  #
-@@ -35,7 +47,15 @@ application_domain(unconfined_mount_t, mount_exec_t)
+@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
  #
  
  # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
 +allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
-+tunable_policy(`deny_ptrace',`',`
-+	allow mount_t self:process ptrace;
-+')
-+
 +allow mount_t self:fifo_file rw_fifo_file_perms;
 +allow mount_t self:unix_stream_socket create_stream_socket_perms;
 +allow mount_t self:unix_dgram_socket create_socket_perms; 
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -46,9 +66,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -77391,7 +77737,7 @@ index 15832c7..aa18423 100644
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -57,65 +92,94 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +88,94 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -77495,7 +77841,7 @@ index 15832c7..aa18423 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -126,6 +190,8 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +186,8 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -77504,7 +77850,7 @@ index 15832c7..aa18423 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -141,26 +207,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +203,28 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -77543,7 +77889,7 @@ index 15832c7..aa18423 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +242,8 @@ optional_policy(`
+@@ -174,6 +238,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -77552,7 +77898,7 @@ index 15832c7..aa18423 100644
  ')
  
  optional_policy(`
-@@ -181,6 +251,28 @@ optional_policy(`
+@@ -181,6 +247,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77581,7 +77927,7 @@ index 15832c7..aa18423 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +280,88 @@ optional_policy(`
+@@ -188,21 +276,88 @@ optional_policy(`
  	')
  ')
  
@@ -77625,20 +77971,20 @@ index 15832c7..aa18423 100644
 +optional_policy(`
 +	ssh_exec(mount_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+-	unconfined_domain(unconfined_mount_t)
 +	usbmuxd_stream_connect(mount_t)
-+')
+ ')
 +
 +optional_policy(`
 +	userhelper_exec_console(mount_t)
 +')
- 
- optional_policy(`
--	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
--	unconfined_domain(unconfined_mount_t)
++
++optional_policy(`
 +	virt_read_blk_images(mount_t)
- ')
++')
 +
 +optional_policy(`
 +	vmware_exec_host(mount_t)
@@ -77716,10 +78062,10 @@ index 9cf0e56..2b5260a 100644
  
  /var/run/cardmgr\.pid	--	gen_context(system_u:object_r:cardmgr_var_run_t,s0)
 diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
-index 4d06ae3..e81b7ac 100644
+index 4d06ae3..3f7c716 100644
 --- a/policy/modules/system/pcmcia.te
 +++ b/policy/modules/system/pcmcia.te
-@@ -62,9 +62,8 @@ dev_read_urand(cardmgr_t)
+@@ -62,9 +62,7 @@ dev_read_urand(cardmgr_t)
  
  domain_use_interactive_fds(cardmgr_t)
  # Read /proc/PID directories for all domains (for fuser).
@@ -77727,11 +78073,10 @@ index 4d06ae3..e81b7ac 100644
 -domain_getattr_confined_domains(cardmgr_t)
 -domain_dontaudit_ptrace_confined_domains(cardmgr_t)
 +domain_read_all_domains_state(cardmgr_t)
-+domain_dontaudit_ptrace_all_domains(cardmgr_t)
  # cjp: these look excessive:
  domain_dontaudit_getattr_all_pipes(cardmgr_t)
  domain_dontaudit_getattr_all_sockets(cardmgr_t)
-@@ -98,18 +97,20 @@ logging_send_syslog_msg(cardmgr_t)
+@@ -98,18 +96,20 @@ logging_send_syslog_msg(cardmgr_t)
  
  miscfiles_read_localization(cardmgr_t)
  
@@ -78849,16 +79194,17 @@ index 7ed9819..ac8b214 100644
 +	unconfined_domain(setfiles_mac_t)
  ')
 diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
-index bea4629..427e5f6 100644
+index bea4629..06e2834 100644
 --- a/policy/modules/system/setrans.fc
 +++ b/policy/modules/system/setrans.fc
-@@ -2,4 +2,6 @@
+@@ -2,4 +2,7 @@
  
  /sbin/mcstransd		--	gen_context(system_u:object_r:setrans_exec_t,s0)
  
 +/usr/sbin/mcstransd	--	gen_context(system_u:object_r:setrans_exec_t,s0)
 +
  /var/run/setrans(/.*)?		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
++/var/run/mcstransd\.pid		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
 index 1447687..cdc0223 100644
 --- a/policy/modules/system/setrans.te
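Review bot: The new `/var/run/mcstransd\.pid` entry has no file-type field, unlike the `/sbin/mcstransd --` entry two lines above it and the `/var/run/cardmgr\.pid --` entry in pcmcia.fc earlier on this page, so it would also label a directory, socket or symlink created at that path. Since it is meant for a pid file, restrict it to regular files: `/var/run/mcstransd\.pid	--	gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)`. The mls_systemhigh level matches the existing `/var/run/setrans(/.*)?` entry, which appears consistent for a file written by the MLS translation daemon.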
@@ -79190,7 +79536,7 @@ index ff80d0a..22c9f0d 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..58f8e6e 100644
+index 34d0ec5..9291d3a 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -79217,7 +79563,7 @@ index 34d0ec5..58f8e6e 100644
  type dhcpc_state_t;
  files_type(dhcpc_state_t)
  
-@@ -34,17 +44,20 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+@@ -34,18 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
  role system_r types ifconfig_t;
  
  type net_conf_t alias resolv_conf_t;
@@ -79234,14 +79580,12 @@ index 34d0ec5..58f8e6e 100644
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+-
 +allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
-+tunable_policy(`deny_ptrace',`',`
-+	allow dhcpc_t self:process ptrace;
-+')
- 
  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -57,8 +70,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+ allow dhcpc_t self:udp_socket create_socket_perms;
+@@ -57,8 +66,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  
  allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -79253,7 +79597,7 @@ index 34d0ec5..58f8e6e 100644
  
  # create pid file
  manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -66,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+@@ -66,6 +78,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
  
  # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
  # in /etc created by dhcpcd will be labelled net_conf_t.
@@ -79262,7 +79606,7 @@ index 34d0ec5..58f8e6e 100644
  sysnet_manage_config(dhcpc_t)
  files_etc_filetrans(dhcpc_t, net_conf_t, file)
  
-@@ -91,25 +109,28 @@ corecmd_exec_shell(dhcpc_t)
+@@ -91,25 +105,28 @@ corecmd_exec_shell(dhcpc_t)
  
  corenet_all_recvfrom_unlabeled(dhcpc_t)
  corenet_all_recvfrom_netlabel(dhcpc_t)
@@ -79299,7 +79643,7 @@ index 34d0ec5..58f8e6e 100644
  domain_use_interactive_fds(dhcpc_t)
  domain_dontaudit_read_all_domains_state(dhcpc_t)
  
-@@ -129,14 +150,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -129,14 +146,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
  term_dontaudit_use_unallocated_ttys(dhcpc_t)
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
@@ -79319,7 +79663,7 @@ index 34d0ec5..58f8e6e 100644
  userdom_use_user_terminals(dhcpc_t)
  userdom_dontaudit_search_user_home_dirs(dhcpc_t)
  
-@@ -151,7 +175,18 @@ ifdef(`distro_ubuntu',`
+@@ -151,7 +171,18 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -79339,7 +79683,7 @@ index 34d0ec5..58f8e6e 100644
  ')
  
  optional_policy(`
-@@ -171,6 +206,8 @@ optional_policy(`
+@@ -171,6 +202,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -79348,7 +79692,7 @@ index 34d0ec5..58f8e6e 100644
  ')
  
  optional_policy(`
-@@ -192,17 +229,31 @@ optional_policy(`
+@@ -192,17 +225,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79380,7 +79724,7 @@ index 34d0ec5..58f8e6e 100644
  ')
  
  optional_policy(`
-@@ -213,6 +264,11 @@ optional_policy(`
+@@ -213,6 +260,11 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -79392,7 +79736,7 @@ index 34d0ec5..58f8e6e 100644
  ')
  
  optional_policy(`
-@@ -255,6 +311,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +307,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -79400,7 +79744,7 @@ index 34d0ec5..58f8e6e 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +333,12 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +329,12 @@ dev_read_urand(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -79413,7 +79757,7 @@ index 34d0ec5..58f8e6e 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -290,7 +351,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -290,7 +347,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -79422,7 +79766,7 @@ index 34d0ec5..58f8e6e 100644
  
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
-@@ -301,11 +362,11 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +358,11 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
@@ -79437,7 +79781,7 @@ index 34d0ec5..58f8e6e 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +375,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +371,18 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -79456,7 +79800,7 @@ index 34d0ec5..58f8e6e 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +397,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +393,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -79471,7 +79815,7 @@ index 34d0ec5..58f8e6e 100644
  ')
  
  optional_policy(`
-@@ -335,7 +413,15 @@ optional_policy(`
+@@ -335,7 +409,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79488,7 +79832,7 @@ index 34d0ec5..58f8e6e 100644
  ')
  
  optional_policy(`
-@@ -356,3 +442,9 @@ optional_policy(`
+@@ -356,3 +438,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -80086,7 +80430,7 @@ index 0000000..19ba4e1
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..6677509
+index 0000000..40e1dcc
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,393 @@
@@ -80150,7 +80494,7 @@ index 0000000..6677509
 +#
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown dac_override fowner };
++allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
 +allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
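Review bot: `sys_tty_config` is added to the systemd_logind_t capability set without a why-comment, while the line directly above documents why `dac_override` is there; the only justification is the changelog entry at the end of the page, "Allow systemd-logind to be able to switch VTs". Put that reason next to the rule, e.g. `# sys_tty_config: logind switches VTs (3.10.0-82 changelog)` above the allow line, so a later reviewer does not have to search the spec to justify a capability that covers more than VT switching. systemd.te is a new file in this patch, so the block surrounding this rule starts and ends outside the hunk.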
@@ -80728,7 +81072,7 @@ index 025348a..c15e57c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..fb3d00c 100644
+index d88f7c3..7983cfa 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -80747,7 +81091,7 @@ index d88f7c3..fb3d00c 100644
  
  ifdef(`enable_mcs',`
  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -36,9 +34,19 @@ ifdef(`enable_mcs',`
+@@ -36,9 +34,15 @@ ifdef(`enable_mcs',`
  # Local policy
  #
  
@@ -80762,14 +81106,10 @@ index d88f7c3..fb3d00c 100644
 +')
 +
 +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+tunable_policy(`deny_ptrace',`',`
-+	allow udev_t self:process ptrace;
-+')
-+
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
  allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
@@ -80777,7 +81117,7 @@ index d88f7c3..fb3d00c 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -62,31 +71,34 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,31 +67,34 @@ can_exec(udev_t, udev_helper_exec_t)
  # read udev config
  allow udev_t udev_etc_t:file read_file_perms;
  
@@ -80819,7 +81159,7 @@ index d88f7c3..fb3d00c 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +109,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -97,6 +105,7 @@ corecmd_exec_all_executables(udev_t)
  
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
@@ -80827,14 +81167,14 @@ index d88f7c3..fb3d00c 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -105,21 +118,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,23 +114,30 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
 +dev_filetrans_all_named_dev(udev_t)
  
  domain_read_all_domains_state(udev_t)
- domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+-domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
  
  files_read_usr_files(udev_t)
  files_read_etc_runtime_files(udev_t)
@@ -80855,12 +81195,14 @@ index d88f7c3..fb3d00c 100644
  fs_getattr_all_fs(udev_t)
  fs_list_inotifyfs(udev_t)
  fs_rw_anon_inodefs_files(udev_t)
+-
+-mcs_ptrace_all(udev_t)
 +fs_list_auto_mountpoints(udev_t)
 +fs_list_hugetlbfs(udev_t)
  
- mcs_ptrace_all(udev_t)
- 
-@@ -143,6 +166,7 @@ auth_use_nsswitch(udev_t)
+ mls_file_read_all_levels(udev_t)
+ mls_file_write_all_levels(udev_t)
+@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -80868,7 +81210,7 @@ index d88f7c3..fb3d00c 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -154,6 +178,8 @@ miscfiles_read_hwdata(udev_t)
+@@ -154,6 +171,8 @@ miscfiles_read_hwdata(udev_t)
  modutils_domtrans_insmod(udev_t)
  # read modules.inputmap:
  modutils_read_module_deps(udev_t)
@@ -80877,7 +81219,7 @@ index d88f7c3..fb3d00c 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -169,6 +195,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
  sysnet_etc_filetrans_config(udev_t)
  
@@ -80886,7 +81228,7 @@ index d88f7c3..fb3d00c 100644
  userdom_dontaudit_search_user_home_content(udev_t)
  
  ifdef(`distro_gentoo',`
-@@ -186,8 +214,9 @@ ifdef(`distro_redhat',`
+@@ -186,8 +207,9 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -80897,7 +81239,7 @@ index d88f7c3..fb3d00c 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -216,11 +245,16 @@ optional_policy(`
+@@ -216,11 +238,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80914,7 +81256,7 @@ index d88f7c3..fb3d00c 100644
  ')
  
  optional_policy(`
-@@ -230,10 +264,20 @@ optional_policy(`
+@@ -230,10 +257,20 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -80935,7 +81277,7 @@ index d88f7c3..fb3d00c 100644
  ')
  
  optional_policy(`
-@@ -259,6 +303,10 @@ optional_policy(`
+@@ -259,6 +296,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80946,7 +81288,7 @@ index d88f7c3..fb3d00c 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +321,11 @@ optional_policy(`
+@@ -273,6 +314,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80958,7 +81300,7 @@ index d88f7c3..fb3d00c 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -285,6 +338,7 @@ optional_policy(`
+@@ -285,6 +331,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -85659,7 +86001,7 @@ index 77d41b6..138efd8 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..9ab107b 100644
+index 4350ba0..29cee30 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -85701,7 +86043,7 @@ index 4350ba0..9ab107b 100644
  # Do we need to allow execution of qemu-dm?
  tunable_policy(`xend_run_qemu',`
  	allow qemu_dm_t self:capability sys_resource;
-@@ -208,9 +209,13 @@ tunable_policy(`xend_run_qemu',`
+@@ -208,10 +209,13 @@ tunable_policy(`xend_run_qemu',`
  # xend local policy
  #
  
@@ -85709,15 +86051,24 @@ index 4350ba0..9ab107b 100644
 -dontaudit xend_t self:capability { sys_ptrace };
 +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
  allow xend_t self:process { signal sigkill };
+-dontaudit xend_t self:process ptrace;
 +
 +# needed by qemu_dm
 +allow xend_t self:capability sys_resource;
 +allow xend_t self:process setrlimit;
 +
- dontaudit xend_t self:process ptrace;
  # internal communication is often done using fifo and unix sockets.
  allow xend_t self:fifo_file rw_fifo_file_perms;
-@@ -320,13 +325,9 @@ locallogin_dontaudit_use_fds(xend_t)
+ allow xend_t self:unix_stream_socket create_stream_socket_perms;
+@@ -299,7 +303,6 @@ dev_rw_sysfs(xend_t)
+ dev_rw_xen(xend_t)
+ 
+ domain_dontaudit_read_all_domains_state(xend_t)
+-domain_dontaudit_ptrace_all_domains(xend_t)
+ 
+ files_read_etc_files(xend_t)
+ files_read_kernel_symbol_table(xend_t)
+@@ -320,13 +323,9 @@ locallogin_dontaudit_use_fds(xend_t)
  
  logging_send_syslog_msg(xend_t)
  
@@ -85731,7 +86082,7 @@ index 4350ba0..9ab107b 100644
  sysnet_domtrans_dhcpc(xend_t)
  sysnet_signal_dhcpc(xend_t)
  sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +340,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +338,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -85740,7 +86091,7 @@ index 4350ba0..9ab107b 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +348,22 @@ optional_policy(`
+@@ -349,6 +346,22 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -85763,7 +86114,16 @@ index 4350ba0..9ab107b 100644
  ########################################
  #
  # Xen console local policy
-@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -374,8 +387,6 @@ dev_rw_xen(xenconsoled_t)
+ dev_filetrans_xen(xenconsoled_t)
+ dev_rw_sysfs(xenconsoled_t)
+ 
+-domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+-
+ files_read_etc_files(xenconsoled_t)
+ files_read_usr_files(xenconsoled_t)
+ 
+@@ -413,9 +424,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -85775,7 +86135,7 @@ index 4350ba0..9ab107b 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +454,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -85787,7 +86147,7 @@ index 4350ba0..9ab107b 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +471,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -85884,7 +86244,7 @@ index 4350ba0..9ab107b 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +490,4 @@ optional_policy(`
+@@ -559,8 +486,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4827ad9..414b53b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 81.2%{?dist}
+Release: 82%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,21 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Feb 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-82
+- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory
+- lxdm startup scripts should be labeled bin_t, so confined users will work
+- mcstransd now creates a pid, needs back port to F16
+- qpidd should be allowed to connect to the amqp port
+- Label devices 010-029 as usb devices
+- ypserv packager says ypserv does not use tmp_t so removing selinux policy types
+- Remove all ptrace commands that I believe are caused by the kernel/ps avcs
+- Add initial Obex policy
+- Add logging_syslogd_use_tty boolean
+- Add polipo_connect_all_unreserved bolean
+- Allow zabbix to connect to ftp port
+- Allow systemd-logind to be able to switch VTs
+- Allow apache to communicate with memcached through a sock_file
+
 * Tue Jan 31 2012 Dan Walsh <dwalsh@redhat.com> 3.10.0-81.2
 - Fix file_context.subs_dist for now to work with pre usrmove