+ ##
+@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -8340,7 +8316,7 @@ index 76f285e..0aef35e 100644
## Getattr generic the USB devices.
##
##
-@@ -4123,7 +5023,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -8349,33 +8325,149 @@ index 76f285e..0aef35e 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4330,28 +5230,180 @@ interface(`dev_search_usbfs',`
+@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',`
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Get the attributes of video4linux devices.
++## Read and write userio device.
+ ##
+ ##
+ ##
+@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_userio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, userio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+-######################################
++########################################
+ ##
+-## Read and write userio device.
++## Get the attributes of video4linux devices.
+ ##
+ ##
+ ##
+@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, v4l_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',`
+
+ ########################################
+ ##
+-## Allow read/write the vhost net device
++## Get the attributes of vfio devices.
+ ##
+ ##
+ ##
+@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_getattr_vfio_dev',`
+ gen_require(`
+- type device_t, vhost_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vhost_device_t)
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write VMWare devices.
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_rw_vmware',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type vfio_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vmware_device_t)
++ dontaudit $1 vfio_device_t:chr_file getattr;
+ ')
########################################
##
--## Allow caller to get a list of usb hardware.
-+## Allow caller to get a list of usb hardware.
+-## Read, write, and mmap VMWare devices.
++## Set the attributes of vfio device nodes.
+ ##
+ ##
+ ##
+@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',`
+ ##
+ ##
+ #
+-interface(`dev_rwx_vmware',`
++interface(`dev_setattr_vfio_dev',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- dev_rw_vmware($1)
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type vfio_device_t;
+ ')
+
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 vfio_device_t:chr_file setattr;
+')
+
+########################################
+##
-+## Set the attributes of usbfs filesystem.
++## Read the vfio devices.
+##
+##
+##
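Review bot: The banner line that precedes `dev_rw_userio_dev` on the new side is the shortened 38-character `######################################`, while every other interface in this hunk (including the neighbouring `dev_getattr_video_dev` block the patch restores to 40) uses the full-width banner; the short form is just being carried along with the moved interface. Normalise it to `########################################` so the moved block matches its neighbours instead of re-introducing the inconsistency at a new location. The hunk ends inside the header comment of `dev_read_vfio_dev`, so that interface's body is reviewed with the next hunk.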
@@ -8383,19 +8475,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ setattr_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Read USB hardware information using
-+## the usbfs filesystem interface.
++## Write the vfio devices.
+##
+##
+##
@@ -8403,19 +8493,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_read_usbfs',`
++interface(`dev_write_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ read_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Allow caller to modify usb hardware configuration files.
++## Read and write the VFIO devices.
+##
+##
+##
@@ -8423,19 +8511,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_rw_usbfs',`
++interface(`dev_rw_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ rw_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
-+######################################
++########################################
+##
-+## Read and write userio device.
++## Allow read/write the vhost net device
+##
+##
+##
@@ -8443,17 +8529,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_rw_userio_dev',`
++interface(`dev_rw_vhost',`
+ gen_require(`
-+ type device_t, userio_device_t;
++ type device_t, vhost_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
+########################################
+##
-+## Get the attributes of video4linux devices.
++## Allow read/write inheretid the vhost net device
+##
+##
+##
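Review bot: The summary for the interface introduced on the new side contains a typo, `## Allow read/write inheretid the vhost net device`; it should read `## Allow read/write inherited the vhost net device` (or, more clearly, `## Read and write an inherited vhost net device file descriptor.`). Interface summaries are what sepolicy/macro documentation tools surface to callers, so misspellings there propagate into generated docs. The `interface()` definition this header belongs to starts in the next hunk.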
@@ -8461,36 +8547,35 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_getattr_video_dev',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
-+ type device_t, v4l_device_t;
++ type device_t, vhost_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of video4linux device nodes.
++## Read and write VMWare devices.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_getattr_video_dev',`
++interface(`dev_rw_vmware',`
+ gen_require(`
-+ type v4l_device_t;
++ type device_t, vmware_device_t;
+ ')
+
-+ dontaudit $1 v4l_device_t:chr_file getattr;
++ rw_chr_files_pattern($1, device_t, vmware_device_t)
+')
+
+########################################
+##
-+## Set the attributes of video4linux device nodes.
++## Read, write, and mmap VMWare devices.
+##
+##
+##
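Review bot: `dev_rw_inherited_vhost` lists `type device_t, vhost_device_t;` in its `gen_require`, but its only rule, `allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;`, never names `device_t`; the `dontaudit_*` interfaces earlier in this file require only the device type, so `type vhost_device_t;` is sufficient here and keeps the requirement list honest about what the interface uses. The omission of any `device_t:dir search` is presumably deliberate, since the descriptor is inherited rather than opened — a one-line comment saying so, e.g. `# no dir search: the descriptor is inherited, not opened`, would stop a later reader from "fixing" it. The `dev_rwx_vmware` header at the end of this hunk continues into the next one.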
@@ -8498,296 +8583,16 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_setattr_video_dev',`
++interface(`dev_rwx_vmware',`
+ gen_require(`
-+ type device_t, v4l_device_t;
++ type device_t, vmware_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of video4linux device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_list_usbfs',`
-+interface(`dev_dontaudit_setattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type v4l_device_t;
- ')
-
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- getattr_files_pattern($1, usbfs_t, usbfs_t)
--
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ dontaudit $1 v4l_device_t:chr_file setattr;
++ dev_rw_vmware($1)
+ allow $1 vmware_device_t:chr_file execute;
')
- ########################################
- ##
--## Set the attributes of usbfs filesystem.
-+## Read the video4linux devices.
- ##
- ##
- ##
-@@ -4359,19 +5411,17 @@ interface(`dev_list_usbfs',`
- ##
- ##
- #
--interface(`dev_setattr_usbfs_files',`
-+interface(`dev_read_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- setattr_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ read_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Read USB hardware information using
--## the usbfs filesystem interface.
-+## Write the video4linux devices.
- ##
- ##
- ##
-@@ -4379,19 +5429,17 @@ interface(`dev_setattr_usbfs_files',`
- ##
- ##
- #
--interface(`dev_read_usbfs',`
-+interface(`dev_write_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- read_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ write_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Allow caller to modify usb hardware configuration files.
-+## Get the attributes of vfio devices.
- ##
- ##
- ##
-@@ -4399,37 +5447,36 @@ interface(`dev_read_usbfs',`
- ##
- ##
- #
--interface(`dev_rw_usbfs',`
-+interface(`dev_getattr_vfio_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vfio_device_t;
- ')
-
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-- rw_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of video4linux devices.
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_dontaudit_getattr_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ dontaudit $1 vfio_device_t:chr_file getattr;
- ')
-
--######################################
-+########################################
- ##
--## Read and write userio device.
-+## Set the attributes of vfio device nodes.
- ##
- ##
- ##
-@@ -4437,18 +5484,18 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_setattr_vfio_dev',`
- gen_require(`
-- type device_t, userio_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of video4linux device nodes.
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
-@@ -4456,17 +5503,17 @@ interface(`dev_rw_userio_dev',`
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_video_dev',`
-+interface(`dev_dontaudit_setattr_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file getattr;
-+ dontaudit $1 vfio_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of video4linux device nodes.
-+## Read the vfio devices.
- ##
- ##
- ##
-@@ -4474,36 +5521,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_setattr_video_dev',`
-+interface(`dev_read_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to set the attributes
--## of video4linux device nodes.
-+## Write the vfio devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_setattr_video_dev',`
-+interface(`dev_write_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file setattr;
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Read the video4linux devices.
-+## Read and write the VFIO devices.
- ##
- ##
- ##
-@@ -4511,17 +5557,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
- ##
- ##
- #
--interface(`dev_read_video_dev',`
-+interface(`dev_rw_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Write the video4linux devices.
-+## Allow read/write the vhost net device
- ##
- ##
- ##
-@@ -4529,17 +5575,17 @@ interface(`dev_read_video_dev',`
- ##
- ##
- #
--interface(`dev_write_video_dev',`
-+interface(`dev_rw_vhost',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vhost_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
-
- ########################################
- ##
--## Allow read/write the vhost net device
-+## Allow read/write inheretid the vhost net device
- ##
- ##
- ##
-@@ -4547,12 +5593,12 @@ interface(`dev_write_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_vhost',`
-+interface(`dev_rw_inherited_vhost',`
- gen_require(`
- type device_t, vhost_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vhost_device_t)
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -4630,6 +5676,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',`
########################################
##
@@ -8812,7 +8617,7 @@ index 76f285e..0aef35e 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5826,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -8857,7 +8662,7 @@ index 76f285e..0aef35e 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5953,1020 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5996,1020 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -10364,7 +10169,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..b5fe8e5 100644
+index cf04cb5..0715228 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10497,8 +10302,11 @@ index cf04cb5..b5fe8e5 100644
')
########################################
-@@ -147,12 +217,18 @@ optional_policy(`
+@@ -145,14 +215,21 @@ optional_policy(`
+ # be used on an attribute.
+
# Use/sendto/connectto sockets created by any domain.
++allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+allow unconfined_domain_type domain:system all_system_perms;
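Review bot: The new rule `allow unconfined_domain_type self:cap_userns all_cap_userns_perms;` lands directly under the comment `# Use/sendto/connectto sockets created by any domain.`, which describes the socket rule below it and says nothing about user-namespace capabilities, so the grant reads as an unrelated line inside that paragraph. Give it its own comment, e.g. `# Allow unconfined domains every capability inside user namespaces.`, and place it before the socket comment. A blanket `all_cap_userns_perms` grant is consistent with the rest of the unconfined block, but because it is the only capability-class rule in this stretch a reviewer will want the intent stated rather than inferred. The enclosing unconfined_domain_type block continues past the end of this hunk.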
@@ -10517,7 +10325,7 @@ index cf04cb5..b5fe8e5 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +236,379 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +237,379 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -18093,7 +17901,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..440c63f 100644
+index 8416beb..20099cd 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18592,7 +18400,7 @@ index 8416beb..440c63f 100644
##
##
##
-@@ -1878,96 +2122,759 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -18698,6 +18506,7 @@ index 8416beb..440c63f 100644
-#
-interface(`fs_exec_fusefs_files',`
- gen_require(`
+- type fusefs_t;
+##
+##
+## Execute a file on a FUSE filesystem
@@ -18731,88 +18540,110 @@ index 8416beb..440c63f 100644
+interface(`fs_ecryptfs_domtrans',`
+ gen_require(`
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- exec_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 ecryptfs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, ecryptfs_t, $2)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+-## on a FUSEFS filesystem.
+## Mount a FUSE filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_manage_fusefs_files',`
+interface(`fs_mount_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- manage_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to create,
+-## read, write, and delete files
+-## on a FUSEFS filesystem.
+## Unmount a FUSE filesystem.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
+interface(`fs_unmount_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
+ allow $1 fusefs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Mounton a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_mounton_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:dir mounton;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Search directories
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_search_fusefs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem getattr;
+ allow $1 fusefs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List hugetlbfs.
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+##
@@ -18834,24 +18665,28 @@ index 8416beb..440c63f 100644
+##
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_manage_fusefs_dirs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ allow $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Manage hugetlbfs dirs.
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -18873,129 +18708,157 @@ index 8416beb..440c63f 100644
+########################################
+##
+## Read, a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_read_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ read_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
+## Execute files on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_exec_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ exec_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow the type to associate to hugetlbfs filesystems.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
-+##
+ ##
+-##
+##
-+##
+ ##
+-## The type of the object to be associated.
+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_associate_hugetlbfs',`
+interface(`fs_fusefs_entry_type',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
+ domain_entry_file($1, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_search_inotifyfs',`
+interface(`fs_fusefs_entrypoint',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
+ allow $1 fusefs_t:file entrypoint;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_list_inotifyfs',`
+interface(`fs_manage_fusefs_files',`
-+ gen_require(`
- type fusefs_t;
+ gen_require(`
+- type inotifyfs_t;
++ type fusefs_t;
')
-- exec_files_pattern($1, fusefs_t, fusefs_t)
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ manage_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',`
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_dontaudit_manage_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+ dontaudit $1 fusefs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
@@ -19011,10 +18874,12 @@ index 8416beb..440c63f 100644
+## Manage symbolic links on a FUSEFS filesystem.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`fs_manage_fusefs_symlinks',`
+ gen_require(`
@@ -19049,78 +18914,101 @@ index 8416beb..440c63f 100644
+##
+##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Domain allowed to transition.
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The name of the object being created.
+## The type of the new process.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_hugetlbfs_filetrans',`
+interface(`fs_fusefs_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $2 hugetlbfs_t:filesystem associate;
+- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+ allow $1 fusefs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, fusefs_t, $2)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount an iso9660 filesystem, which
+-## is usually used on CDs.
+## Get the attributes of a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_mount_iso9660_fs',`
+interface(`fs_getattr_fusefs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem mount;
+ allow $1 fusefs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Remount an iso9660 filesystem, which
+-## is usually used on CDs. This allows
+-## some mount options to be changed.
+## Get the attributes of an hugetlbfs
+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_remount_iso9660_fs',`
+interface(`fs_getattr_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem remount;
+ allow $1 hugetlbfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unmount an iso9660 filesystem, which
+-## is usually used on CDs.
+## List hugetlbfs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2253,38 +2606,611 @@ interface(`fs_remount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_iso9660_fs',`
+interface(`fs_list_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem unmount;
+ allow $1 hugetlbfs_t:dir list_dir_perms;
+')
+
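Review bot: `fs_fusefs_domtrans` grants `domain_auto_transition_pattern($1, fusefs_t, $2)` after `search_dir_perms` on `fusefs_t:dir`, which makes every file labelled `fusefs_t` an automatic entrypoint into `$2`; since FUSE mounts are typically populated by the mounting, often unprivileged, user, a caller of this interface effectively lets that user choose what binary runs in `$2`. That may be exactly what the callers want, but the interface description should say so — add a line to its header such as `## Note: any file on a FUSE mount becomes an entrypoint to the target domain; only use for domains safe to enter from user-controlled content.`. The same shape appears in `fs_ecryptfs_domtrans` in an earlier hunk and deserves the same caveat.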
@@ -19379,244 +19267,197 @@ index 8416beb..440c63f 100644
+ ')
+
+ allow $1 iso9660_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files
--## on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Get the attributes of an iso9660
+## filesystem, which is usually used on CDs.
- ##
- ##
- ##
-@@ -1976,37 +2883,38 @@ interface(`fs_exec_fusefs_files',`
- ##
- ##
- #
--interface(`fs_manage_fusefs_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
+interface(`fs_getattr_iso9660_fs',`
- gen_require(`
-- type fusefs_t;
++ gen_require(`
+ type iso9660_t;
- ')
-
-- manage_files_pattern($1, fusefs_t, fusefs_t)
++ ')
++
+ allow $1 iso9660_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to create,
--## read, write, and delete files
--## on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##
++##
++#
+interface(`fs_getattr_iso9660_files',`
- gen_require(`
-- type fusefs_t;
++ gen_require(`
+ type iso9660_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ ')
++
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
- ##
- ##
- ##
-@@ -2014,19 +2922,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_read_iso9660_files',`
- gen_require(`
-- type fusefs_t;
++ gen_require(`
+ type iso9660_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ ')
++
+ allow $1 iso9660_t:dir list_dir_perms;
+ read_files_pattern($1, iso9660_t, iso9660_t)
+ read_lnk_files_pattern($1, iso9660_t, iso9660_t)
- ')
-
++')
+
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
++
++########################################
++##
+## Mount kdbus filesystems.
- ##
- ##
- ##
-@@ -2034,17 +2943,17 @@ interface(`fs_read_fusefs_symlinks',`
- ##
- ##
- #
--interface(`fs_getattr_hugetlbfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_mount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
++ ')
++
+ allow $1 kdbusfs_t:filesystem mount;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
++')
++
++########################################
++##
+## Remount kdbus filesystems.
- ##
- ##
- ##
-@@ -2052,17 +2961,17 @@ interface(`fs_getattr_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_list_hugetlbfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_remount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- allow $1 hugetlbfs_t:dir list_dir_perms;
++ ')
++
+ allow $1 kdbusfs_t:filesystem remount;
- ')
-
- ########################################
- ##
--## Manage hugetlbfs dirs.
++')
++
++########################################
++##
+## Unmount kdbus filesystems.
- ##
- ##
- ##
-@@ -2070,17 +2979,17 @@ interface(`fs_list_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_manage_hugetlbfs_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_unmount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ ')
++
+ allow $1 kdbusfs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read and write hugetlbfs files.
++')
++
++########################################
++##
+## Get attributes of kdbus filesystems.
- ##
- ##
- ##
-@@ -2088,35 +2997,38 @@ interface(`fs_manage_hugetlbfs_dirs',`
- ##
- ##
- #
--interface(`fs_rw_hugetlbfs_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_getattr_kdbus',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ ')
++
+ allow $1 kdbusfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Allow the type to associate to hugetlbfs filesystems.
++')
++
++########################################
++##
+## Search kdbusfs directories.
- ##
--##
++##
+##
- ##
--## The type of the object to be associated.
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
++##
++##
++#
+interface(`fs_search_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type kdbusfs_t;
+
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
++ ')
++
+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++')
++
++########################################
++##
+## Relabel kdbusfs directories.
- ##
- ##
- ##
-@@ -2124,17 +3036,18 @@ interface(`fs_associate_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_relabel_kdbus_dirs',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type cgroup_t;
+
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## List kdbusfs directories.
- ##
- ##
- ##
-@@ -2142,71 +3055,78 @@ interface(`fs_search_inotifyfs',`
- ##
- ##
- #
--interface(`fs_list_inotifyfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_list_kdbus_dirs',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- allow $1 inotifyfs_t:dir list_dir_perms;
++ ')
++
+ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
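Review bot: `fs_relabel_kdbus_dirs` requires `type cgroup_t;` in its `gen_require` block but its only rule is `relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)`, so the requirement names the wrong type: a module using this interface without otherwise requiring `kdbusfs_t` will fail to build, and `cgroup_t` is pulled in for nothing. Change it to `type kdbusfs_t;`, matching `fs_search_kdbus_dirs` and `fs_list_kdbus_dirs` in the same hunk. Separately, `fs_getattr_iso9660_files` is summarised as `## Read files on an iso9660 filesystem, which` although its body grants only `list_dir_perms` and `file getattr`; the summary appears copied from `fs_read_iso9660_files` and should say `## Get the attributes of files on an iso9660 filesystem.`.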
@@ -19639,149 +19480,106 @@ index 8416beb..440c63f 100644
+
+ dontaudit $1 kdbusfs_t:dir search_dir_perms;
+ dev_dontaudit_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Dontaudit List inotifyfs filesystem.
++')
++
++########################################
++##
+## Delete kdbusfs directories.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_inotifyfs',`
++##
++##
++#
+interface(`fs_delete_kdbus_dirs', `
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
++ ')
++
+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
++')
++
++########################################
++##
+## Manage kdbusfs directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`fs_hugetlbfs_filetrans',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_manage_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
-- ')
++ gen_require(`
+ type kdbusfs_t;
-
-- allow $2 hugetlbfs_t:filesystem associate;
-- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++
+ ')
+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Mount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Read kdbusfs files.
- ##
- ##
- ##
-@@ -2214,19 +3134,21 @@ interface(`fs_hugetlbfs_filetrans',`
- ##
- ##
- #
--interface(`fs_mount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_read_kdbus_files',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type cgroup_t;
+
- ')
-
-- allow $1 iso9660_t:filesystem mount;
++ ')
++
+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Remount an iso9660 filesystem, which
--## is usually used on CDs. This allows
--## some mount options to be changed.
++')
++
++########################################
++##
+## Write kdbusfs files.
- ##
- ##
- ##
-@@ -2234,18 +3156,19 @@ interface(`fs_mount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_remount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_write_kdbus_files', `
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem remount;
++ ')
++
+ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Unmount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Read and write kdbusfs files.
- ##
- ##
- ##
-@@ -2253,38 +3176,41 @@ interface(`fs_remount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_unmount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_rw_kdbus_files',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type kdbusfs_t;
+
- ')
-
-- allow $1 iso9660_t:filesystem unmount;
++ ')
++
+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
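Review bot: `fs_read_kdbus_files` requires `type cgroup_t;` in its gen_require while its body only references kdbusfs_t (`read_files_pattern($1, kdbusfs_t, kdbusfs_t)`), so a loadable module calling it can fail to build on an undeclared kdbusfs_t and picks up a cgroup_t dependency it never uses; the requirement should read `type kdbusfs_t;`. The same mismatch is in `fs_relabel_kdbus_dirs` just above this hunk and in `fs_unmount_tracefs` in the last hunk of this file, which requires cgroup_t but then allows `tracefs_t:filesystem unmount`. The refreshed patch shows the kdbus `type cgroup_t;` lines as context rather than additions, which looks like the rebase interleaving the kdbus interfaces with upstream's cgroup ones, so each body should be checked against the resulting filesystem.if rather than against the patch text alone.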
@@ -19897,272 +19695,119 @@ index 8416beb..440c63f 100644
## Search directories on a NFS filesystem.
##
##
-@@ -2439,152 +3384,228 @@ interface(`fs_list_nfs',`
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain to not audit.
+@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ read_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',`
+
+ ########################################
+ ##
++## Make general progams in nfs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which nfs_t is an entrypoint.
+##
+##
+#
-+interface(`fs_dontaudit_list_nfs',`
++interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ dontaudit $1 nfs_t:dir list_dir_perms;
++ domain_entry_file($1, nfs_t)
+')
+
+########################################
+##
-+## Mounton a NFS filesystem.
++## Make general progams in NFS an entrypoint for
++## the specified domain.
+##
+##
+##
-+## Domain allowed access.
++## The domain for which nfs_t is an entrypoint.
+##
+##
+#
-+interface(`fs_mounton_nfs',`
++interface(`fs_nfs_entrypoint',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ allow $1 nfs_t:dir mounton;
++ allow $1 nfs_t:file entrypoint;
+')
+
+########################################
+##
-+## Read files on a NFS filesystem.
+ ## Append files
+ ## on a NFS filesystem.
+ ##
+@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',`
+
+ ########################################
+ ##
+-## dontaudit Append files
++## Do not audit attempts to append files
+ ## on a NFS filesystem.
+ ##
+ ##
+@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`fs_read_nfs_files',`
++interface(`fs_read_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ fs_search_auto_mountpoints($1)
-+ allow $1 nfs_t:dir list_dir_perms;
-+ read_files_pattern($1, nfs_t, nfs_t)
++ allow $1 nfs_t:file read_inherited_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to read
-+## files on a NFS filesystem.
++## Read/write inherited files on a NFS filesystem.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`fs_dontaudit_read_nfs_files',`
++interface(`fs_rw_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ dontaudit $1 nfs_t:file read_file_perms;
++ allow $1 nfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Read files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_nfs',`
-+interface(`fs_write_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:dir list_dir_perms;
-+ fs_search_auto_mountpoints($1)
-+ allow $1 nfs_t:dir list_dir_perms;
-+ write_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ##
--## Mounton a NFS filesystem.
-+## Execute files on a NFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_mounton_nfs',`
-+interface(`fs_exec_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir mounton;
-+ allow $1 nfs_t:dir list_dir_perms;
-+ exec_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ##
--## Read files on a NFS filesystem.
-+## Make general progams in nfs an entrypoint for
-+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## The domain for which nfs_t is an entrypoint.
- ##
- ##
--##
- #
--interface(`fs_read_nfs_files',`
-+interface(`fs_nfs_entry_type',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- read_files_pattern($1, nfs_t, nfs_t)
-+ domain_entry_file($1, nfs_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read
--## files on a NFS filesystem.
-+## Make general progams in NFS an entrypoint for
-+## the specified domain.
- ##
- ##
- ##
--## Domain to not audit.
-+## The domain for which nfs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_dontaudit_read_nfs_files',`
-+interface(`fs_nfs_entrypoint',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file read_file_perms;
-+ allow $1 nfs_t:file entrypoint;
- ')
-
- ########################################
- ##
--## Read files on a NFS filesystem.
-+## Append files
-+## on a NFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_write_nfs_files',`
-+interface(`fs_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- write_files_pattern($1, nfs_t, nfs_t)
-+ append_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ##
--## Execute files on a NFS filesystem.
-+## Do not audit attempts to append files
-+## on a NFS filesystem.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- ##
- #
--interface(`fs_exec_nfs_files',`
-+interface(`fs_dontaudit_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- exec_files_pattern($1, nfs_t, nfs_t)
-+ dontaudit $1 nfs_t:file append_file_perms;
- ')
-
- ########################################
- ##
--## Append files
--## on a NFS filesystem.
-+## Read inherited files on a NFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_append_nfs_files',`
-+interface(`fs_read_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- append_files_pattern($1, nfs_t, nfs_t)
-+ allow $1 nfs_t:file read_inherited_file_perms;
- ')
-
- ########################################
- ##
--## dontaudit Append files
--## on a NFS filesystem.
-+## Read/write inherited files on a NFS filesystem.
+ ## Do not audit attempts to read or
+ ## write files on a NFS filesystem.
##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_dontaudit_append_nfs_files',`
-+interface(`fs_rw_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file append_file_perms;
-+ allow $1 nfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -20314,38 +19959,26 @@ index 8416beb..440c63f 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3263,7 +4364,25 @@ interface(`fs_getattr_nfsd_files',`
- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
--########################################
-+#######################################
-+##
-+## read files on an nfsd filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
+@@ -3182,18 +4283,108 @@ interface(`fs_remount_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_nfsd_fs',`
+- gen_require(`
+- type nfsd_fs_t;
+- ')
++interface(`fs_unmount_nfsd_fs',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
+
-+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ allow $1 nfsd_fs_t:filesystem unmount;
+')
+
-+#######################################
- ##
- ## Read and write NFS server files.
- ##
-@@ -3283,6 +4402,78 @@ interface(`fs_rw_nfsd_fs',`
-
- ########################################
- ##
-+## Getattr files on an nsfs filesystem
++########################################
++##
++## Get the attributes of a NFS server
++## pseudo filesystem.
+##
+##
+##
@@ -20353,35 +19986,35 @@ index 8416beb..440c63f 100644
+##
+##
+#
-+interface(`fs_getattr_nsfs_files',`
++interface(`fs_getattr_nfsd_fs',`
+ gen_require(`
-+ type nsfs_t;
++ type nfsd_fs_t;
+ ')
+
-+ getattr_files_pattern($1, nsfs_t, nsfs_t)
++ allow $1 nfsd_fs_t:filesystem getattr;
+')
+
-+#######################################
++########################################
+##
-+## Read nsfs inodes (e.g. /proc/pid/ns/uts)
++## Search NFS server directories.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`fs_read_nsfs_files',`
++interface(`fs_search_nfsd_fs',`
+ gen_require(`
-+ type nsfs_t;
-+ ')
++ type nfsd_fs_t;
++ ')
+
-+ allow $1 nsfs_t:file read_file_perms;
++ allow $1 nfsd_fs_t:dir search_dir_perms;
+')
+
-+#######################################
++########################################
+##
-+## Read and write nsfs inodes (e.g. /proc/pid/ns/uts)
++## List NFS server directories.
+##
+##
+##
@@ -20389,17 +20022,17 @@ index 8416beb..440c63f 100644
+##
+##
+#
-+interface(`fs_rw_nsfs_files',`
++interface(`fs_list_nfsd_fs',`
+ gen_require(`
-+ type nsfs_t;
++ type nfsd_fs_t;
+ ')
+
-+ rw_files_pattern($1, nsfs_t, nsfs_t)
++ allow $1 nfsd_fs_t:dir list_dir_perms;
+')
+
+########################################
+##
-+## Manage NFS server files.
++## Getattr files on an nfsd filesystem
+##
+##
+##
@@ -20407,19 +20040,150 @@ index 8416beb..440c63f 100644
+##
+##
+#
-+interface(`fs_manage_nfsd_fs',`
++interface(`fs_getattr_nfsd_files',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
-+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
-+########################################
++#######################################
+##
- ## Allow the type to associate to ramfs filesystems.
++## read files on an nfsd filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_nfsd_files',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
+
+- allow $1 nfsd_fs_t:filesystem unmount;
++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Get the attributes of a NFS server
+-## pseudo filesystem.
++## Read and write NFS server files.
##
- ##
+ ##
+ ##
+@@ -3201,17 +4392,17 @@ interface(`fs_unmount_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_getattr_nfsd_fs',`
++interface(`fs_rw_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+- allow $1 nfsd_fs_t:filesystem getattr;
++ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
+ ########################################
+ ##
+-## Search NFS server directories.
++## Getattr files on an nsfs filesystem
+ ##
+ ##
+ ##
+@@ -3219,35 +4410,35 @@ interface(`fs_getattr_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_search_nfsd_fs',`
++interface(`fs_getattr_nsfs_files',`
+ gen_require(`
+- type nfsd_fs_t;
++ type nsfs_t;
+ ')
+
+- allow $1 nfsd_fs_t:dir search_dir_perms;
++ getattr_files_pattern($1, nsfs_t, nsfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## List NFS server directories.
++## Read nsfs inodes (e.g. /proc/pid/ns/uts)
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+-interface(`fs_list_nfsd_fs',`
++interface(`fs_read_nsfs_files',`
+ gen_require(`
+- type nfsd_fs_t;
+- ')
++ type nsfs_t;
++ ')
+
+- allow $1 nfsd_fs_t:dir list_dir_perms;
++ allow $1 nsfs_t:file read_file_perms;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Getattr files on an nfsd filesystem
++## Read and write nsfs inodes (e.g. /proc/pid/ns/uts)
+ ##
+ ##
+ ##
+@@ -3255,17 +4446,17 @@ interface(`fs_list_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_getattr_nfsd_files',`
++interface(`fs_rw_nsfs_files',`
+ gen_require(`
+- type nfsd_fs_t;
++ type nsfs_t;
+ ')
+
+- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ rw_files_pattern($1, nsfs_t, nsfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write NFS server files.
++## Manage NFS server files.
+ ##
+ ##
+ ##
+@@ -3273,12 +4464,12 @@ interface(`fs_getattr_nfsd_files',`
+ ##
+ ##
+ #
+-interface(`fs_rw_nfsd_fs',`
++interface(`fs_manage_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
+ ########################################
@@ -3392,7 +4583,7 @@ interface(`fs_search_ramfs',`
########################################
@@ -20497,186 +20261,116 @@ index 8416beb..440c63f 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3866,12 +5093,49 @@ interface(`fs_relabelfrom_tmpfs',`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:filesystem relabelfrom;
-+ allow $1 tmpfs_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+##
-+## Get the attributes of tmpfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_tmpfs_dirs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of tmpfs directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:dir getattr;
- ')
+@@ -3908,7 +5135,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
--## Get the attributes of tmpfs directories.
+-## Mount on tmpfs directories.
+## Set the attributes of tmpfs directories.
##
##
##
-@@ -3879,36 +5143,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3916,17 +5143,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
--interface(`fs_getattr_tmpfs_dirs',`
+-interface(`fs_mounton_tmpfs',`
+interface(`fs_setattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:dir getattr;
+- allow $1 tmpfs_t:dir mounton;
+ allow $1 tmpfs_t:dir setattr;
')
########################################
##
--## Do not audit attempts to get the attributes
--## of tmpfs directories.
+-## Set the attributes of tmpfs directories.
+## Search tmpfs directories.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -3934,17 +5161,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
--interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+-interface(`fs_setattr_tmpfs_dirs',`
+interface(`fs_search_tmpfs',`
gen_require(`
type tmpfs_t;
')
-- dontaudit $1 tmpfs_t:dir getattr;
+- allow $1 tmpfs_t:dir setattr;
+ allow $1 tmpfs_t:dir search_dir_perms;
')
########################################
##
--## Mount on tmpfs directories.
+-## Search tmpfs directories.
+## List the contents of generic tmpfs directories.
##
##
##
-@@ -3916,35 +5179,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3952,17 +5179,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
--interface(`fs_mounton_tmpfs',`
+-interface(`fs_search_tmpfs',`
+interface(`fs_list_tmpfs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:dir mounton;
+- allow $1 tmpfs_t:dir search_dir_perms;
+ allow $1 tmpfs_t:dir list_dir_perms;
')
########################################
##
--## Set the attributes of tmpfs directories.
+-## List the contents of generic tmpfs directories.
+## Do not audit attempts to list the
+## contents of generic tmpfs directories.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_setattr_tmpfs_dirs',`
++##
++##
++#
+interface(`fs_dontaudit_list_tmpfs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir setattr;
++ gen_require(`
++ type tmpfs_t;
++ ')
++
+ dontaudit $1 tmpfs_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Search tmpfs directories.
++')
++
++########################################
++##
+## Relabel directory on tmpfs filesystems.
##
##
##
-@@ -3952,17 +5216,17 @@ interface(`fs_setattr_tmpfs_dirs',`
- ##
- ##
- #
--interface(`fs_search_tmpfs',`
-+interface(`fs_relabel_tmpfs_dirs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## List the contents of generic tmpfs directories.
-+## Relabel fifo_file on tmpfs filesystems.
- ##
- ##
- ##
-@@ -3970,31 +5234,30 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5216,48 @@ interface(`fs_search_tmpfs',`
##
##
#
-interface(`fs_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_fifo_files',`
++interface(`fs_relabel_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
')
########################################
##
-## Do not audit attempts to list the
-## contents of generic tmpfs directories.
-+## Relabel files on tmpfs filesystems.
++## Relabel fifo_file on tmpfs filesystems.
##
##
##
@@ -20686,64 +20380,67 @@ index 8416beb..440c63f 100644
##
#
-interface(`fs_dontaudit_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_files',`
++interface(`fs_relabel_tmpfs_fifo_files',`
gen_require(`
type tmpfs_t;
')
- dontaudit $1 tmpfs_t:dir list_dir_perms;
++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Relabel files on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
')
########################################
-@@ -4105,7 +5368,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4066,33 +5329,161 @@ interface(`fs_tmpfs_filetrans',`
type tmpfs_t;
')
-- dontaudit $1 tmpfs_t:file rw_file_perms;
-+ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -4165,6 +5428,24 @@ interface(`fs_rw_tmpfs_files',`
-
- ########################################
- ##
-+## Read and write generic tmpfs files.
+- allow $2 tmpfs_t:filesystem associate;
+- filetrans_pattern($1, tmpfs_t, $2, $3, $4)
++ allow $2 tmpfs_t:filesystem associate;
++ filetrans_pattern($1, tmpfs_t, $2, $3, $4)
++')
++
++########################################
++##
++## Do not audit attempts to getattr
++## generic tmpfs files.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`fs_rw_inherited_tmpfs_files',`
++interface(`fs_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:file { read write };
++ dontaudit $1 tmpfs_t:file getattr;
+')
+
+########################################
+##
- ## Read tmpfs link files.
- ##
- ##
-@@ -4202,7 +5483,7 @@ interface(`fs_rw_tmpfs_chr_files',`
-
- ########################################
- ##
--## dontaudit Read and write character nodes on tmpfs filesystems.
-+## Do not audit attempts to read and write character nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4221,6 +5502,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
-
- ########################################
- ##
-+## Do not audit attempts to create character nodes on tmpfs filesystems.
++## Do not audit attempts to read or write
++## generic tmpfs files.
+##
+##
+##
@@ -20751,60 +20448,54 @@ index 8416beb..440c63f 100644
+##
+##
+#
-+interface(`fs_dontaudit_create_tmpfs_chr_dev',`
++interface(`fs_dontaudit_rw_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ dontaudit $1 tmpfs_t:chr_file create;
++ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
++## Create, read, write, and delete
++## auto moutpoints.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++interface(`fs_manage_auto_mountpoints',`
+ gen_require(`
-+ type tmpfs_t;
++ type autofs_t;
+ ')
+
-+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
++ allow $1 autofs_t:dir manage_dir_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to read files on tmpfs filesystems.
++## Read generic tmpfs files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`fs_dontaudit_read_tmpfs_files',`
++interface(`fs_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ dontaudit $1 tmpfs_t:blk_file read;
++ read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+##
- ## Relabel character nodes on tmpfs filesystems.
- ##
- ##
-@@ -4278,6 +5613,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
-
- ########################################
- ##
-+## Relabel sock nodes on tmpfs filesystems.
++## Read and write generic tmpfs files.
+##
+##
+##
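Review bot: `fs_dontaudit_rw_tmpfs_files` is described as not auditing attempts to read or write generic tmpfs files, but the rule it carries is `dontaudit $1 tmpfs_t:file rw_inherited_file_perms;`, which presumably leaves open denials on those files audited; the description should say `## Do not audit attempts to read or write inherited generic tmpfs files (open attempts are still audited).`. If silencing opens was the intent, the `rw_file_perms` set this patch previously used is the right one. The summary of `fs_manage_auto_mountpoints` misspells "mountpoints" as "moutpoints".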
@@ -20812,18 +20503,17 @@ index 8416beb..440c63f 100644
+##
+##
+#
-+interface(`fs_relabel_tmpfs_sock_file',`
++interface(`fs_rw_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
++ rw_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+##
-+## Delete generic files in tmpfs directory.
++## Read and write generic tmpfs files.
+##
+##
+##
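Review bot: The description block at the end of this hunk ("Read and write generic tmpfs files.") is a verbatim copy of the one for `fs_rw_tmpfs_files` directly above it, yet it heads `fs_rw_inherited_tmpfs_files`, whose interface line falls in the next hunk. It should read `## Read and write inherited generic tmpfs files.` so the two interfaces are distinguishable in the generated documentation.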
@@ -20831,46 +20521,307 @@ index 8416beb..440c63f 100644
+##
+##
+#
-+interface(`fs_delete_tmpfs_files',`
++interface(`fs_rw_inherited_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:dir del_entry_dir_perms;
-+ allow $1 tmpfs_t:file_class_set delete_file_perms;
++ allow $1 tmpfs_t:file { read write };
+')
+
+########################################
+##
- ## Read and write, create and delete generic
- ## files on tmpfs filesystems.
- ##
-@@ -4297,6 +5670,25 @@ interface(`fs_manage_tmpfs_files',`
-
- ########################################
- ##
-+## Execute files on a tmpfs filesystem.
++## Read tmpfs link files.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`fs_exec_tmpfs_files',`
++interface(`fs_read_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ exec_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
- ## Read and write, create and delete symbolic
- ## links on tmpfs filesystems.
++ read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to getattr
+-## generic tmpfs files.
++## Read and write character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_getattr_tmpfs_files',`
++interface(`fs_rw_tmpfs_chr_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:file getattr;
++ allow $1 tmpfs_t:dir list_dir_perms;
++ rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read or write
+-## generic tmpfs files.
++## Do not audit attempts to read and write character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4100,72 +5491,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_rw_tmpfs_files',`
++interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:file rw_file_perms;
++ dontaudit $1 tmpfs_t:dir list_dir_perms;
++ dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## auto moutpoints.
++## Do not audit attempts to create character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`fs_manage_auto_mountpoints',`
++interface(`fs_dontaudit_create_tmpfs_chr_dev',`
+ gen_require(`
+- type autofs_t;
++ type tmpfs_t;
+ ')
+
+- allow $1 autofs_t:dir manage_dir_perms;
++ dontaudit $1 tmpfs_t:chr_file create;
+ ')
+
+ ########################################
+ ##
+-## Read generic tmpfs files.
++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`fs_read_tmpfs_files',`
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- read_files_pattern($1, tmpfs_t, tmpfs_t)
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and write generic tmpfs files.
++## Do not audit attempts to read files on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`fs_rw_tmpfs_files',`
++interface(`fs_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- rw_files_pattern($1, tmpfs_t, tmpfs_t)
++ dontaudit $1 tmpfs_t:blk_file read;
+ ')
+
+ ########################################
+ ##
+-## Read tmpfs link files.
++## Relabel character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4173,17 +5564,18 @@ interface(`fs_rw_tmpfs_files',`
+ ##
+ ##
+ #
+-interface(`fs_read_tmpfs_symlinks',`
++interface(`fs_relabel_tmpfs_chr_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
++ allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write character nodes on tmpfs filesystems.
++## Read and write block nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4191,37 +5583,37 @@ interface(`fs_read_tmpfs_symlinks',`
+ ##
+ ##
+ #
+-interface(`fs_rw_tmpfs_chr_files',`
++interface(`fs_rw_tmpfs_blk_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+- rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
++ rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## dontaudit Read and write character nodes on tmpfs filesystems.
++## Relabel block nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_use_tmpfs_chr_dev',`
++interface(`fs_relabel_tmpfs_blk_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:dir list_dir_perms;
+- dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
++ allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Relabel character nodes on tmpfs filesystems.
++## Relabel sock nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4229,18 +5621,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ ##
+ ##
+ #
+-interface(`fs_relabel_tmpfs_chr_file',`
++interface(`fs_relabel_tmpfs_sock_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+- relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write block nodes on tmpfs filesystems.
++## Delete generic files in tmpfs directory.
+ ##
+ ##
+ ##
+@@ -4248,18 +5640,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+ ##
+ ##
+ #
+-interface(`fs_rw_tmpfs_blk_files',`
++interface(`fs_delete_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir list_dir_perms;
+- rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
++ allow $1 tmpfs_t:dir del_entry_dir_perms;
++ allow $1 tmpfs_t:file_class_set delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Relabel block nodes on tmpfs filesystems.
++## Read and write, create and delete generic
++## files on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4267,32 +5660,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+ ##
+ ##
+ #
+-interface(`fs_relabel_tmpfs_blk_file',`
++interface(`fs_manage_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir list_dir_perms;
+- relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
++ manage_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write, create and delete generic
+-## files on tmpfs filesystems.
++## Execute files on a tmpfs filesystem.
##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`fs_manage_tmpfs_files',`
++interface(`fs_exec_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- manage_files_pattern($1, tmpfs_t, tmpfs_t)
++ exec_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
@@ -4407,6 +5799,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@@ -20968,7 +20919,7 @@ index 8416beb..440c63f 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6364,82 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6364,173 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -21051,6 +21002,97 @@ index 8416beb..440c63f 100644
+ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
+')
+
++########################################
++##
++## Read and write tracefs_t files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_tracefs_files',`
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ rw_files_pattern($1, tracefs_t, tracefs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete dirs
++## labeled as tracefs_t.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_tracefs_dirs',`
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ manage_dirs_pattern($1, tracefs_t, tracefs_t)
++')
++
++########################################
++##
++## Mount tracefs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mount_tracefs', `
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ allow $1 tracefs_t:filesystem mount;
++')
++
++########################################
++##
++## Remount tracefs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_remount_tracefs', `
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ allow $1 tracefs_t:filesystem remount;
++')
++
++########################################
++##
++## Unmount tracefs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_tracefs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 tracefs_t:filesystem unmount;
++')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d1738..59c1cb8 100644
--- a/policy/modules/kernel/filesystem.te
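Review bot: `fs_unmount_tracefs` declares `type cgroup_t;` in its gen_require block but the rule it emits is `allow $1 tracefs_t:filesystem unmount;`, so the interface requires the wrong type: a caller that does not already have tracefs_t in scope can fail to build, and the unused cgroup_t requirement drags in an unrelated dependency. Change the require line to `type tracefs_t;` to match the other four tracefs interfaces added in this hunk. Separately, `fs_mount_tracefs`, `fs_remount_tracefs` and `fs_unmount_tracefs` are written `interface(`name', `` with a space after the comma while `fs_rw_tracefs_files` and `fs_manage_tracefs_dirs` use `interface(`name',``; cosmetic, but worth normalising while the lines are being touched.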
@@ -27069,10 +27111,10 @@ index 0000000..15b42ae
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..bca9f3c
+index 0000000..270e9a8
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,349 @@
+@@ -0,0 +1,350 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -27381,6 +27423,7 @@ index 0000000..bca9f3c
+
+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
++ oddjob_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
@@ -28285,7 +28328,7 @@ index 76d9f66..7528851 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..0ac21a6 100644
+index fe0c682..d55811f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -28459,15 +28502,18 @@ index fe0c682..0ac21a6 100644
auth_rw_login_records($1_t)
auth_rw_faillog($1_t)
-@@ -234,6 +264,7 @@ template(`ssh_server_template', `
+@@ -233,7 +263,10 @@ template(`ssh_server_template', `
+ # for sshd subsystems, such as sftp-server.
corecmd_getattr_bin_files($1_t)
++ dev_rw_crypto($1_t)
++
domain_interactive_fd($1_t)
+ domain_dyntrans_type($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -241,35 +272,33 @@ template(`ssh_server_template', `
+@@ -241,35 +274,33 @@ template(`ssh_server_template', `
logging_search_logs($1_t)
@@ -28514,7 +28560,7 @@ index fe0c682..0ac21a6 100644
')
########################################
-@@ -292,14 +321,15 @@ template(`ssh_server_template', `
+@@ -292,14 +323,15 @@ template(`ssh_server_template', `
## User domain for the role
##
##
@@ -28531,7 +28577,7 @@ index fe0c682..0ac21a6 100644
')
##############################
-@@ -328,103 +358,56 @@ template(`ssh_role_template',`
+@@ -328,103 +360,56 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -28631,12 +28677,12 @@ index fe0c682..0ac21a6 100644
- # transition back to normal privs upon exec
- fs_cifs_domtrans($1_ssh_agent_t, $3)
- ')
-+ userdom_home_manager($1_ssh_agent_t)
-
+-
- optional_policy(`
- nis_use_ypbind($1_ssh_agent_t)
- ')
--
++ userdom_home_manager($1_ssh_agent_t)
+
- optional_policy(`
- xserver_use_xdm_fds($1_ssh_agent_t)
- xserver_rw_xdm_pipes($1_ssh_agent_t)
@@ -28645,7 +28691,7 @@ index fe0c682..0ac21a6 100644
')
########################################
-@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +481,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -28674,7 +28720,7 @@ index fe0c682..0ac21a6 100644
########################################
##
## Read and write a ssh server unnamed pipe.
-@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +517,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -28683,7 +28729,7 @@ index fe0c682..0ac21a6 100644
')
########################################
-@@ -605,6 +607,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +609,24 @@ interface(`ssh_domtrans',`
########################################
##
@@ -28708,7 +28754,7 @@ index fe0c682..0ac21a6 100644
## Execute the ssh client in the caller domain.
##
##
-@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +659,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -28717,7 +28763,7 @@ index fe0c682..0ac21a6 100644
files_search_pids($1)
')
-@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +684,42 @@ interface(`ssh_agent_exec',`
########################################
##
@@ -28760,7 +28806,7 @@ index fe0c682..0ac21a6 100644
## Read ssh home directory content
##
##
-@@ -701,6 +757,68 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +759,68 @@ interface(`ssh_domtrans_keygen',`
########################################
##
@@ -28829,7 +28875,7 @@ index fe0c682..0ac21a6 100644
## Read ssh server keys
##
##
-@@ -714,7 +832,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +834,26 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -28857,7 +28903,7 @@ index fe0c682..0ac21a6 100644
')
######################################
-@@ -754,3 +891,151 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +893,151 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -37274,7 +37320,7 @@ index 79a45f6..9926eaf 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..4616101 100644
+index 17eda24..5bee7df 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37385,20 +37431,21 @@ index 17eda24..4616101 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -98,7 +146,11 @@ ifdef(`enable_mls',`
+@@ -98,7 +146,12 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
+allow init_t self:capability2 ~{ mac_admin mac_override };
++allow init_t self:cap_userns all_cap_userns_perms;
+allow init_t self:tcp_socket { listen accept };
+allow init_t self:packet_socket create_socket_perms;
+allow init_t self:key manage_key_perms;
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -108,14 +160,43 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +161,45 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
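Review bot: `allow init_t self:cap_userns all_cap_userns_perms;` grants the full user-namespace capability set, while the two lines directly above deliberately withhold `audit_control`, `audit_write` and `sys_module` from `capability` and `mac_admin`/`mac_override` from `capability2`; the new line carries no matching exclusions, so the capabilities the surrounding rules withhold become allowed when the check happens inside a user namespace. Unless a specific denial needs one of those, mirror the existing rule: `allow init_t self:cap_userns ~{ audit_control audit_write sys_module };`, and if the `cap2_userns` class turns out to be needed, give it the same exclusions as the `capability2` line. A short comment naming the observed denial that motivated the grant would also help, since the older `# is ~sys_module really needed? observed:` comment below documents the capability rule that way.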
@@ -37440,6 +37487,8 @@ index 17eda24..4616101 100644
+files_pid_filetrans(init_t, init_var_run_t, { dir file })
+allow init_t init_var_run_t:dir mounton;
+allow init_t init_var_run_t:sock_file relabelto;
++allow init_t init_var_run_t:blk_file getattr;
++allow init_t init_var_run_t:chr_file getattr;
+
+allow init_t machineid_t:file manage_file_perms;
+files_pid_filetrans(init_t, machineid_t, file, "machine-id")
@@ -37448,7 +37497,7 @@ index 17eda24..4616101 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +206,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +209,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -37473,7 +37522,7 @@ index 17eda24..4616101 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +230,24 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +233,24 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -37499,7 +37548,7 @@ index 17eda24..4616101 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +256,68 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +259,68 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -37573,7 +37622,7 @@ index 17eda24..4616101 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +326,264 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +329,264 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37847,7 +37896,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -216,7 +591,30 @@ optional_policy(`
+@@ -216,7 +594,30 @@ optional_policy(`
')
optional_policy(`
@@ -37879,7 +37928,7 @@ index 17eda24..4616101 100644
')
########################################
-@@ -225,9 +623,9 @@ optional_policy(`
+@@ -225,9 +626,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -37891,7 +37940,7 @@ index 17eda24..4616101 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +656,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +659,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -37908,7 +37957,7 @@ index 17eda24..4616101 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +681,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +684,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -37951,7 +38000,7 @@ index 17eda24..4616101 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +718,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +721,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -37963,7 +38012,7 @@ index 17eda24..4616101 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +730,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +733,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -37974,7 +38023,7 @@ index 17eda24..4616101 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +741,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +744,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -37984,7 +38033,7 @@ index 17eda24..4616101 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +750,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +753,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -37992,7 +38041,7 @@ index 17eda24..4616101 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +757,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +760,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38000,7 +38049,7 @@ index 17eda24..4616101 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +765,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +768,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -38018,7 +38067,7 @@ index 17eda24..4616101 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +783,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +786,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -38032,7 +38081,7 @@ index 17eda24..4616101 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +798,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +801,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -38046,7 +38095,7 @@ index 17eda24..4616101 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +811,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +814,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -38057,7 +38106,7 @@ index 17eda24..4616101 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +824,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +827,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -38065,7 +38114,7 @@ index 17eda24..4616101 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +843,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +846,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -38089,7 +38138,7 @@ index 17eda24..4616101 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +876,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +879,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -38097,7 +38146,7 @@ index 17eda24..4616101 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +910,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +913,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -38108,7 +38157,7 @@ index 17eda24..4616101 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +934,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +937,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -38117,7 +38166,7 @@ index 17eda24..4616101 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +949,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +952,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -38125,7 +38174,7 @@ index 17eda24..4616101 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +970,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +973,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -38133,7 +38182,7 @@ index 17eda24..4616101 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +980,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +983,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -38178,7 +38227,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -559,14 +1025,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1028,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -38210,7 +38259,7 @@ index 17eda24..4616101 100644
')
')
-@@ -577,6 +1060,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1063,39 @@ ifdef(`distro_suse',`
')
')
@@ -38250,7 +38299,7 @@ index 17eda24..4616101 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1105,8 @@ optional_policy(`
+@@ -589,6 +1108,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -38259,7 +38308,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -610,6 +1128,7 @@ optional_policy(`
+@@ -610,6 +1131,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -38267,7 +38316,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -626,6 +1145,17 @@ optional_policy(`
+@@ -626,6 +1148,17 @@ optional_policy(`
')
optional_policy(`
@@ -38285,7 +38334,7 @@ index 17eda24..4616101 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1172,13 @@ optional_policy(`
+@@ -642,9 +1175,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38299,7 +38348,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -657,15 +1191,11 @@ optional_policy(`
+@@ -657,15 +1194,11 @@ optional_policy(`
')
optional_policy(`
@@ -38317,7 +38366,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -686,6 +1216,15 @@ optional_policy(`
+@@ -686,6 +1219,15 @@ optional_policy(`
')
optional_policy(`
@@ -38333,7 +38382,7 @@ index 17eda24..4616101 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1265,7 @@ optional_policy(`
+@@ -726,6 +1268,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38341,7 +38390,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -743,7 +1283,13 @@ optional_policy(`
+@@ -743,7 +1286,13 @@ optional_policy(`
')
optional_policy(`
@@ -38356,7 +38405,7 @@ index 17eda24..4616101 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1312,10 @@ optional_policy(`
+@@ -766,6 +1315,10 @@ optional_policy(`
')
optional_policy(`
@@ -38367,7 +38416,7 @@ index 17eda24..4616101 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1325,20 @@ optional_policy(`
+@@ -775,10 +1328,20 @@ optional_policy(`
')
optional_policy(`
@@ -38388,7 +38437,7 @@ index 17eda24..4616101 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1347,10 @@ optional_policy(`
+@@ -787,6 +1350,10 @@ optional_policy(`
')
optional_policy(`
@@ -38399,7 +38448,7 @@ index 17eda24..4616101 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1372,6 @@ optional_policy(`
+@@ -808,8 +1375,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38408,7 +38457,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -818,6 +1380,10 @@ optional_policy(`
+@@ -818,6 +1383,10 @@ optional_policy(`
')
optional_policy(`
@@ -38419,7 +38468,7 @@ index 17eda24..4616101 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1393,12 @@ optional_policy(`
+@@ -827,10 +1396,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38432,7 +38481,7 @@ index 17eda24..4616101 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1425,62 @@ optional_policy(`
+@@ -857,21 +1428,62 @@ optional_policy(`
')
optional_policy(`
@@ -38496,7 +38545,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -887,6 +1496,10 @@ optional_policy(`
+@@ -887,6 +1499,10 @@ optional_policy(`
')
optional_policy(`
@@ -38507,7 +38556,7 @@ index 17eda24..4616101 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1510,218 @@ optional_policy(`
+@@ -897,3 +1513,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -39504,7 +39553,7 @@ index c42fbc3..bf211db 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..e336bc1 100644
+index be8ed1e..fa11d0f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@@ -39529,10 +39578,11 @@ index be8ed1e..e336bc1 100644
########################################
#
# Iptables local policy
-@@ -35,25 +38,32 @@ dontaudit iptables_t self:capability sys_tty_config;
+@@ -35,25 +38,33 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
++allow iptables_t self:netlink_generic_socket create_socket_perms;
+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
@@ -39565,7 +39615,7 @@ index be8ed1e..e336bc1 100644
kernel_use_fds(iptables_t)
# needed by ipvsadm
-@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,19 +75,23 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -39591,7 +39641,7 @@ index be8ed1e..e336bc1 100644
auth_use_nsswitch(iptables_t)
-@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +100,14 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -39609,7 +39659,7 @@ index be8ed1e..e336bc1 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +116,9 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -39619,7 +39669,7 @@ index be8ed1e..e336bc1 100644
')
optional_policy(`
-@@ -110,6 +126,13 @@ optional_policy(`
+@@ -110,6 +127,13 @@ optional_policy(`
')
optional_policy(`
@@ -39633,7 +39683,7 @@ index be8ed1e..e336bc1 100644
modutils_run_insmod(iptables_t, iptables_roles)
')
-@@ -124,6 +147,16 @@ optional_policy(`
+@@ -124,6 +148,16 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -39650,7 +39700,7 @@ index be8ed1e..e336bc1 100644
')
optional_policy(`
-@@ -135,9 +168,9 @@ optional_policy(`
+@@ -135,9 +169,9 @@ optional_policy(`
')
optional_policy(`
@@ -39697,7 +39747,7 @@ index 0000000..c814795
+fs_manage_kdbus_dirs(systemd_logind_t)
+fs_manage_kdbus_files(systemd_logind_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..8cf7041 100644
+index 73bb3c0..549c41b 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -39798,7 +39848,7 @@ index 73bb3c0..8cf7041 100644
-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/systemd/libsystemd-shared-231\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
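Review bot: The widened pattern `/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.*` assigns `lib_t`, which is the same label the generic `/usr/.*\.so(\.[^/]*)*` entry two lines below already gives such paths, so as written the line appears redundant; if it exists to out-rank a more specific systemd rule elsewhere, a comment saying so, e.g. `# kept more specific than the systemd entries so the shared library stays lib_t`, would stop the next person from removing it. The `\.so.*` tail is also looser than the `\.so(\.[^/]*)*` form used on the generic line, since it matches any suffix that merely begins with `.so`; using the same tail keeps the two entries consistent. I cannot see the rest of the file here, so the redundancy is inferred from the visible lines only.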
@@ -48855,10 +48905,10 @@ index 0000000..16cd1ac
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..a111f4d
+index 0000000..8654fdf
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,960 @@
+@@ -0,0 +1,965 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49226,6 +49276,8 @@ index 0000000..a111f4d
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+
++allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;
++
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
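Review bot: `allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;` grants init_t the create_socket_perms-based set on a socket labelled as networkd's, yet it is placed among the `systemd_networkd_t self:` rules with no comment explaining how init_t comes to hold such a socket. If this covers an inherited or passed descriptor, the permissions actually observed in the denial (usually read/write rather than create) would be the narrower grant; if networkd was meant to be the subject, the source domain is wrong. A comment such as `# init_t acts on networkd's route socket: <reason>` would make the intent checkable.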
@@ -49693,6 +49745,7 @@ index 0000000..a111f4d
+#
+# systemd_coredump domains
+#
++allow systemd_coredump_t self:cap_userns sys_ptrace;
+
+manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
+fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
@@ -49812,6 +49865,8 @@ index 0000000..a111f4d
+# systemd_modules_load domain
+#
+
++allow systemd_modules_load_t self:capability sys_module;
++
+kernel_dgram_send(systemd_modules_load_t)
+
+dev_read_sysfs(systemd_modules_load_t)
@@ -51234,7 +51289,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..236692c 100644
+index 9dc60c6..420907f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -52240,7 +52295,7 @@ index 9dc60c6..236692c 100644
userdom_change_password_template($1)
-@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', `
+@@ -761,82 +1012,113 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -52376,6 +52431,7 @@ index 9dc60c6..236692c 100644
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
+ oddjob_run_mkhomedir($1_t, $1_r)
++ oddjob_run($1_t, $1_r)
')
+ optional_policy(`
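Review bot: `oddjob_run($1_t, $1_r)` here applies to every domain built from `userdom_login_user_template`, which is a broader grant than the `oddjob_run_mkhomedir` line it is paired with: presumably a domain transition into the oddjob domain plus a role allow for each such user's role. If the goal is only the mkhomedir helper, the existing line already provides it; if interactive users genuinely need to launch oddjob itself, name the use case in a comment, e.g. `# login users run oddjob directly for: <use case>`, so the grant can be revisited. The same line is added for unconfined_t earlier in this patch, where it is less consequential.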
@@ -52389,7 +52445,7 @@ index 9dc60c6..236692c 100644
')
')
-@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1150,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -52402,7 +52458,7 @@ index 9dc60c6..236692c 100644
##############################
#
# Local policy
-@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1195,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -52554,7 +52610,7 @@ index 9dc60c6..236692c 100644
')
#######################################
-@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1359,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -52592,7 +52648,7 @@ index 9dc60c6..236692c 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1396,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -52666,7 +52722,7 @@ index 9dc60c6..236692c 100644
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1461,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -52677,7 +52733,7 @@ index 9dc60c6..236692c 100644
')
')
-@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1499,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -52688,7 +52744,7 @@ index 9dc60c6..236692c 100644
')
##############################
-@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1517,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -52696,7 +52752,7 @@ index 9dc60c6..236692c 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1528,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -52713,7 +52769,7 @@ index 9dc60c6..236692c 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1545,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -52722,7 +52778,7 @@ index 9dc60c6..236692c 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1564,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -52738,7 +52794,7 @@ index 9dc60c6..236692c 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1583,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52783,7 +52839,7 @@ index 9dc60c6..236692c 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1626,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -52792,7 +52848,7 @@ index 9dc60c6..236692c 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1635,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -52815,7 +52871,7 @@ index 9dc60c6..236692c 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1685,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -52824,7 +52880,7 @@ index 9dc60c6..236692c 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1695,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52833,7 +52889,7 @@ index 9dc60c6..236692c 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1709,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52845,7 +52901,7 @@ index 9dc60c6..236692c 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1723,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -52888,7 +52944,7 @@ index 9dc60c6..236692c 100644
')
optional_policy(`
-@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1808,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -52907,7 +52963,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1851,52 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -52961,7 +53017,7 @@ index 9dc60c6..236692c 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2003,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52993,7 +53049,7 @@ index 9dc60c6..236692c 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2069,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -53008,7 +53064,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2092,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -53020,7 +53076,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2137,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -53045,7 +53101,7 @@ index 9dc60c6..236692c 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2173,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -53105,7 +53161,7 @@ index 9dc60c6..236692c 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2299,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -53120,7 +53176,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2338,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -53135,7 +53191,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2368,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -53144,7 +53200,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2376,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -53168,7 +53224,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2394,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -53239,7 +53295,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2450,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -53267,7 +53323,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,18 +2470,71 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -53347,7 +53403,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1891,13 +2542,113 @@ interface(`userdom_read_user_home_content_files',`
##
##
#
@@ -53464,7 +53520,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2689,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -53473,7 +53529,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2697,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -53486,7 +53542,7 @@ index 9dc60c6..236692c 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2708,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -53495,7 +53551,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2716,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -53564,7 +53620,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2811,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -53574,7 +53630,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2827,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -53599,7 +53655,7 @@ index 9dc60c6..236692c 100644
########################################
##
-@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2917,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -53608,7 +53664,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2925,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -53632,7 +53688,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2943,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -53648,7 +53704,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3183,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -53706,7 +53762,7 @@ index 9dc60c6..236692c 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3245,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -53715,7 +53771,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3286,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -53741,7 +53797,7 @@ index 9dc60c6..236692c 100644
########################################
##
-@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3388,27 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -53770,7 +53826,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,6 +3436,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
##
##
#
@@ -53798,7 +53854,7 @@ index 9dc60c6..236692c 100644
interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
type user_tmp_t;
-@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3552,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -53820,7 +53876,7 @@ index 9dc60c6..236692c 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3578,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -53842,7 +53898,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3593,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -53865,7 +53921,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3608,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -53926,7 +53982,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3752,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -53951,7 +54007,7 @@ index 9dc60c6..236692c 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3788,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -53994,7 +54050,7 @@ index 9dc60c6..236692c 100644
##
##