##
@@ -43859,10 +43970,11 @@ index e2b538b..fe99b11 100644
attribute admindomain;
+attribute login_userdomain;
++attribute confined_admindomain;
# all user domains
attribute userdomain;
-@@ -58,6 +52,24 @@ attribute unpriv_userdomain;
+@@ -58,6 +53,24 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
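Review bot: The new `attribute confined_admindomain;` line carries no comment, whereas the neighbouring `userdomain` attribute is introduced by `# all user domains`, so a reader cannot tell how it differs from the existing `admindomain` attribute. A one-line comment above it, e.g. `# admin domains that keep a confined (non-unconfined) user domain; presumably assigned by userdom_confined_admin_template`, would make the distinction explicit at the point of declaration. The template itself is not visible in this part of the patch, so the wording should be confirmed against its definition.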
@@ -43887,7 +43999,7 @@ index e2b538b..fe99b11 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -44117,6 +44229,138 @@ index e2b538b..fe99b11 100644
+ xserver_filetrans_home_content(userdom_filetrans_type)
+ xserver_filetrans_admin_home_content(userdom_filetrans_type)
+')
++
++############################################################
++# Local Policy Confined Admin
++#
++gen_require(`
++ class context contains;
++')
++
++corecmd_shell_entry_type(confined_admindomain)
++corecmd_bin_entry_type(confined_admindomain)
++
++term_user_pty(confined_admindomain, user_devpts_t)
++term_user_tty(confined_admindomain, user_tty_device_t)
++term_dontaudit_getattr_generic_ptys(confined_admindomain)
++
++allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++tunable_policy(`deny_ptrace',`',`
++ allow confined_admindomain self:process ptrace;
++')
++allow confined_admindomain self:fd use;
++allow confined_admindomain self:key manage_key_perms;
++
++allow confined_admindomain self:fifo_file rw_fifo_file_perms;
++allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto };
++allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow confined_admindomain self:shm create_shm_perms;
++allow confined_admindomain self:sem create_sem_perms;
++allow confined_admindomain self:msgq create_msgq_perms;
++allow confined_admindomain self:msg { send receive };
++allow confined_admindomain self:context contains;
++dontaudit confined_admindomain self:socket create;
++
++allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
++term_create_pty(confined_admindomain, user_devpts_t)
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
++
++allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_tty_device_t:chr_file ioctl;
++
++application_exec_all(confined_admindomain)
++
++kernel_read_kernel_sysctls(confined_admindomain)
++kernel_read_all_sysctls(confined_admindomain)
++kernel_dontaudit_list_unlabeled(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
++kernel_dontaudit_list_proc(confined_admindomain)
++
++dev_dontaudit_getattr_all_blk_files(confined_admindomain)
++dev_dontaudit_getattr_all_chr_files(confined_admindomain)
++dev_getattr_mtrr_dev(confined_admindomain)
++
++# When the user domain runs ps, there will be a number of access
++# denials when ps tries to search /proc. Do not audit these denials.
++domain_dontaudit_read_all_domains_state(confined_admindomain)
++domain_dontaudit_getattr_all_domains(confined_admindomain)
++domain_dontaudit_getsession_all_domains(confined_admindomain)
++dev_dontaudit_all_access_check(confined_admindomain)
++
++files_read_etc_files(confined_admindomain)
++files_list_mnt(confined_admindomain)
++files_list_var(confined_admindomain)
++files_read_mnt_files(confined_admindomain)
++files_dontaudit_all_access_check(confined_admindomain)
++files_read_etc_runtime_files(confined_admindomain)
++files_read_usr_files(confined_admindomain)
++files_read_usr_src_files(confined_admindomain)
++# Read directories and files with the readable_t type.
++# This type is a general type for "world"-readable files.
++files_list_world_readable(confined_admindomain)
++files_read_world_readable_files(confined_admindomain)
++files_read_world_readable_symlinks(confined_admindomain)
++files_read_world_readable_pipes(confined_admindomain)
++files_read_world_readable_sockets(confined_admindomain)
++# old broswer_domain():
++files_dontaudit_getattr_all_dirs(confined_admindomain)
++files_dontaudit_list_non_security(confined_admindomain)
++files_dontaudit_getattr_all_files(confined_admindomain)
++files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
++files_dontaudit_getattr_non_security_pipes(confined_admindomain)
++files_dontaudit_getattr_non_security_sockets(confined_admindomain)
++files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
++
++files_exec_usr_files(confined_admindomain)
++
++fs_list_cgroup_dirs(confined_admindomain)
++fs_dontaudit_rw_cgroup_files(confined_admindomain)
++
++storage_rw_fuse(confined_admindomain)
++
++init_stream_connect(confined_admindomain)
++# The library functions always try to open read-write first,
++# then fall back to read-only if it fails.
++init_dontaudit_rw_utmp(confined_admindomain)
++
++libs_exec_ld_so(confined_admindomain)
++
++miscfiles_read_generic_certs(confined_admindomain)
++
++miscfiles_read_all_certs(confined_admindomain)
++miscfiles_read_public_files(confined_admindomain)
++
++systemd_dbus_chat_logind(confined_admindomain)
++systemd_read_logind_sessions_files(confined_admindomain)
++systemd_write_inhibit_pipes(confined_admindomain)
++systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
++systemd_login_read_pid_files(confined_admindomain)
++tunable_policy(`deny_execmem',`', `
++ # Allow loading DSOs that require executable stack.
++ allow confined_admindomain self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ # Allow making the stack executable via mprotect.
++ allow confined_admindomain self:process execstack;
++')
++
++optional_policy(`
++ fs_list_cgroup_dirs(confined_admindomain)
++')
++
++optional_policy(`
++ ssh_rw_stream_sockets(confined_admindomain)
++ ssh_delete_tmp(confined_admindomain)
++ ssh_signal(confined_admindomain)
++')
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..101086d 100644
--- a/policy/support/misc_patterns.spt
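Review bot: `fs_list_cgroup_dirs(confined_admindomain)` is granted twice in the new "Local Policy Confined Admin" block, once unconditionally next to `fs_dontaudit_rw_cgroup_files` and again inside an `optional_policy(` wrapper a few lines later; one of the two should be dropped, and since the interface is part of the base kernel layer the unconditional one is the one to keep. In the same block `kernel_read_kernel_sysctls` sits directly above `kernel_read_all_sysctls`, and `miscfiles_read_generic_certs` above `miscfiles_read_all_certs`; in each pair the second interface appears to subsume the first, so the narrower call is redundant and makes the effective grant harder to read. The block is also the only place where the attribute's allowed surface is defined, so a short header comment after `# Local Policy Confined Admin` stating what this attribute is meant to restrict compared to `admindomain` would help future reviewers judge additions to it.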
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3ce3069..3ce5e12 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3007,10 +3007,10 @@ index 0000000..784557c
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..842225c 100644
+index 550a69e..66ba451 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,199 @@
+@@ -1,161 +1,200 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3076,6 +3076,7 @@ index 550a69e..842225c 100644
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
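Review bot: The new `/srv/gallery2/smarty(/.*)?` entry labels the template directory as `httpd_sys_rw_content_t`, i.e. content the web server may write, directly under a tree that is otherwise read-only `httpd_sys_content_t`. It only takes effect if the file-context matcher prefers it over the broader `/srv/gallery2(/.*)?` entry above it, which depends on the more specific stem winning; that should be confirmed with the labeling tool rather than assumed. A comment such as `# compiled Smarty templates are written by the web server` would record why this subtree is the exception.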
@@ -4706,7 +4707,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..217ba9e 100644
+index 1a82e29..19bd545 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5685,7 +5686,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5730,6 +5731,7 @@ index 1a82e29..217ba9e 100644
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
mta_signal_system_mail(httpd_t)
++ postfix_rw_spool_maildrop_files(httpd_t)
')
-optional_policy(`
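Review bot: `postfix_rw_spool_maildrop_files(httpd_t)` is a postfix-module interface added inside a block whose other calls are `mta_*` interfaces, and the block's opening line is outside this hunk. If that enclosing block is the mta `optional_policy(` rather than a postfix one, the build will fail whenever the postfix module is absent while mta is present; the call should get its own wrapper, `optional_policy(` / `postfix_rw_spool_maildrop_files(httpd_t)` / `')`. Giving the web server write access to the maildrop spool is also a notable grant, so a one-line comment stating which httpd use case needs it would help.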
@@ -5775,7 +5777,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5856,7 +5858,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -743,14 +870,6 @@ optional_policy(`
+@@ -743,14 +871,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5871,7 +5873,7 @@ index 1a82e29..217ba9e 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +884,23 @@ optional_policy(`
+@@ -765,6 +885,23 @@ optional_policy(`
')
optional_policy(`
@@ -5895,7 +5897,7 @@ index 1a82e29..217ba9e 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +917,46 @@ optional_policy(`
+@@ -781,34 +918,46 @@ optional_policy(`
')
optional_policy(`
@@ -5953,7 +5955,7 @@ index 1a82e29..217ba9e 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +964,18 @@ optional_policy(`
+@@ -816,8 +965,18 @@ optional_policy(`
')
optional_policy(`
@@ -5972,7 +5974,7 @@ index 1a82e29..217ba9e 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +984,7 @@ optional_policy(`
+@@ -826,6 +985,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5980,7 +5982,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -836,20 +995,39 @@ optional_policy(`
+@@ -836,20 +996,39 @@ optional_policy(`
')
optional_policy(`
@@ -6026,7 +6028,7 @@ index 1a82e29..217ba9e 100644
')
optional_policy(`
-@@ -857,19 +1035,35 @@ optional_policy(`
+@@ -857,19 +1036,35 @@ optional_policy(`
')
optional_policy(`
@@ -6062,7 +6064,7 @@ index 1a82e29..217ba9e 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1071,170 @@ optional_policy(`
+@@ -877,65 +1072,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6255,7 +6257,7 @@ index 1a82e29..217ba9e 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6410,7 +6412,7 @@ index 1a82e29..217ba9e 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1327,104 @@ optional_policy(`
+@@ -1077,172 +1328,104 @@ optional_policy(`
')
')
@@ -6646,7 +6648,7 @@ index 1a82e29..217ba9e 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1432,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6743,7 +6745,7 @@ index 1a82e29..217ba9e 100644
########################################
#
-@@ -1315,8 +1507,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6760,7 +6762,7 @@ index 1a82e29..217ba9e 100644
')
########################################
-@@ -1324,49 +1523,38 @@ optional_policy(`
+@@ -1324,49 +1524,38 @@ optional_policy(`
# User content local policy
#
@@ -6825,7 +6827,7 @@ index 1a82e29..217ba9e 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1564,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -16917,7 +16919,7 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..f8e9ecc 100644
+index 6ce66e7..03bc338 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -16930,7 +16932,7 @@ index 6ce66e7..f8e9ecc 100644
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
-@@ -33,6 +36,7 @@ files_pid_file(ctdbd_var_run_t)
+@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
#
allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
@@ -16938,7 +16940,14 @@ index 6ce66e7..f8e9ecc 100644
allow ctdbd_t self:process { setpgid signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
-@@ -59,6 +63,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ctdbd_t self:packet_socket create_socket_perms;
+ allow ctdbd_t self:tcp_socket create_stream_socket_perms;
++allow ctdbd_t self:udp_socket create_socket_perms;
+
+ append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+ create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
@@ -16950,7 +16959,7 @@ index 6ce66e7..f8e9ecc 100644
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
-@@ -72,9 +81,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
@@ -16962,7 +16971,7 @@ index 6ce66e7..f8e9ecc 100644
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +96,12 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
@@ -16977,7 +16986,7 @@ index 6ce66e7..f8e9ecc 100644
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
-@@ -109,6 +120,7 @@ optional_policy(`
+@@ -109,6 +121,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@@ -18265,10 +18274,18 @@ index 98a2d6a..fff0987 100644
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
-index a67870a..76435d4 100644
+index a67870a..f7c0e61 100644
--- a/dbadm.te
+++ b/dbadm.te
-@@ -30,7 +30,7 @@ userdom_base_user_template(dbadm)
+@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
+
+ role dbadm_r;
+
+-userdom_base_user_template(dbadm)
++userdom_confined_admin_template(dbadm)
+
+ ########################################
+ #
# Local policy
#
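Review bot: dbadm.te now calls `userdom_confined_admin_template(dbadm)` in place of `userdom_base_user_template(dbadm)`, but no hunk in this part of the patch adds that template to userdomain.if; only the `confined_admindomain` attribute and its local policy block are visible. Please confirm the interface definition is part of the same patch, otherwise the dbadm module will not build. Since the template presumably supersedes the base template's role and type declarations, it is also worth checking that the separate `role dbadm_r;` line just above does not now duplicate a declaration made inside the template.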
@@ -22154,7 +22171,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..934045c 100644
+index a7bfaf0..d4a79a1 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -22408,7 +22425,7 @@ index a7bfaf0..934045c 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +214,63 @@ optional_policy(`
+@@ -221,46 +214,65 @@ optional_policy(`
########################################
#
@@ -22465,6 +22482,8 @@ index a7bfaf0..934045c 100644
sysnet_use_ldap(dovecot_auth_t)
++systemd_login_read_pid_files(dovecot_auth_t)
++
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
optional_policy(`
@@ -22481,7 +22500,7 @@ index a7bfaf0..934045c 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +281,30 @@ optional_policy(`
+@@ -271,15 +283,30 @@ optional_policy(`
')
optional_policy(`
@@ -22513,7 +22532,7 @@ index a7bfaf0..934045c 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +314,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22574,7 +22593,7 @@ index a7bfaf0..934045c 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +359,6 @@ optional_policy(`
+@@ -326,5 +361,6 @@ optional_policy(`
')
optional_policy(`
@@ -23359,7 +23378,7 @@ index 6041113..ef3b449 100644
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
-index 19325ce..b5c157f 100644
+index 19325ce..3e86b12 100644
--- a/exim.te
+++ b/exim.te
@@ -49,7 +49,7 @@ type exim_log_t;
@@ -23416,18 +23435,19 @@ index 19325ce..b5c157f 100644
')
optional_policy(`
-@@ -192,8 +190,9 @@ optional_policy(`
+@@ -192,11 +190,6 @@ optional_policy(`
')
optional_policy(`
- mailman_read_data_files(exim_t)
-+ mailman_manage_data_files(exim_t)
- mailman_domtrans(exim_t)
-+ mailman_read_log(exim_t)
+- mailman_domtrans(exim_t)
+-')
+-
+-optional_policy(`
+ nagios_search_spool(exim_t)
')
- optional_policy(`
-@@ -218,6 +217,7 @@ optional_policy(`
+@@ -218,6 +211,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -35143,7 +35163,7 @@ index ee0c7cc..c54e3d2 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index d7d9b09..562c288 100644
+index d7d9b09..b93f460 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -35156,6 +35176,15 @@ index d7d9b09..562c288 100644
type slapd_lock_t;
files_lock_file(slapd_lock_t)
+@@ -44,7 +47,7 @@ files_pid_file(slapd_var_run_t)
+ # Local policy
+ #
+
+-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
++allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search sys_resource };
+ dontaudit slapd_t self:capability sys_tty_config;
+ allow slapd_t self:process setsched;
+ allow slapd_t self:fifo_file rw_fifo_file_perms;
@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
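Review bot: `sys_resource` is added to slapd_t's capability set without a comment, and it is a broad capability (raising resource limits, overriding quota and reserved-space checks) rather than one tied to a specific LDAP need. If the motivating denial is slapd raising its own file-descriptor limit at startup, say so next to the rule, e.g. `# slapd raises RLIMIT_NOFILE for its connection pool`, so a later reviewer can judge whether the grant is still warranted. If the real need turns out to be narrower, a dontaudit may be the better fix than an allow.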
@@ -40492,7 +40521,7 @@ index 6194b80..1e67988 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..2356e2b 100644
+index 6a306ee..11a0f02 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -40766,12 +40795,12 @@ index 6a306ee..2356e2b 100644
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -40901,34 +40930,34 @@ index 6a306ee..2356e2b 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -41019,12 +41048,12 @@ index 6a306ee..2356e2b 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -41195,12 +41224,12 @@ index 6a306ee..2356e2b 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -41224,30 +41253,30 @@ index 6a306ee..2356e2b 100644
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
- fs_read_dos_files(mozilla_plugin_t)
+-
+- fs_search_removable(mozilla_plugin_t)
+- fs_read_removable_files(mozilla_plugin_t)
+- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
-- fs_search_removable(mozilla_plugin_t)
-- fs_read_removable_files(mozilla_plugin_t)
-- fs_read_removable_symlinks(mozilla_plugin_t)
-+userdom_home_manager(mozilla_plugin_t)
-
- fs_read_iso9660_files(mozilla_plugin_t)
-+tunable_policy(`mozilla_plugin_can_network_connect',`
-+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
- ')
-
+-')
+-
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process execmem;
-')
--
++userdom_home_manager(mozilla_plugin_t)
+
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_t self:process { execmem execstack };
--')
--
++tunable_policy(`mozilla_plugin_can_network_connect',`
++ corenet_tcp_connect_all_ports(mozilla_plugin_t)
+ ')
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
@@ -41332,7 +41361,7 @@ index 6a306ee..2356e2b 100644
')
optional_policy(`
-@@ -568,108 +568,128 @@ optional_policy(`
+@@ -568,108 +568,130 @@ optional_policy(`
')
optional_policy(`
@@ -41370,14 +41399,13 @@ index 6a306ee..2356e2b 100644
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
+-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
@@ -41387,36 +41415,40 @@ index 6a306ee..2356e2b 100644
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+
+-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
--filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
--can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+-
+-kernel_read_system_state(mozilla_plugin_config_t)
+-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-
--ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
++
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+mozilla_filetrans_home_content(mozilla_plugin_t)
-
--kernel_read_system_state(mozilla_plugin_config_t)
--kernel_request_load_module(mozilla_plugin_config_t)
++
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
+mozilla_filetrans_home_content(mozilla_plugin_config_t)
++dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
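Review bot: The new `dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;` is a rule for mozilla_plugin_t but is placed in the mozilla_plugin_config_t local-policy block, immediately after `mozilla_filetrans_home_content(mozilla_plugin_config_t)`; the existing `mozilla_filetrans_home_content(mozilla_plugin_t)` line a few lines earlier has the same placement problem. Moving both into the mozilla_plugin_t section keeps each domain's rules together, which is how the rest of the file is organised. A short comment on the dontaudit stating which tool triggers the relabelfrom attempt would also explain why it is silenced rather than allowed.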
@@ -41510,6 +41542,7 @@ index 6a306ee..2356e2b 100644
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
++ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
-optional_policy(`
@@ -43037,7 +43070,7 @@ index ed81cac..566684a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..363dd67 100644
+index afd2fad..79fe381 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -43243,11 +43276,11 @@ index afd2fad..363dd67 100644
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-
--userdom_use_user_terminals(system_mail_t)
+
-+logging_append_all_logs(system_mail_t)
+
++logging_append_all_logs(system_mail_t)
+
+-userdom_use_user_terminals(system_mail_t)
+logging_send_syslog_msg(system_mail_t)
optional_policy(`
@@ -43453,7 +43486,7 @@ index afd2fad..363dd67 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -387,24 +276,165 @@ optional_policy(`
+@@ -387,24 +276,173 @@ optional_policy(`
########################################
#
@@ -43626,6 +43659,14 @@ index afd2fad..363dd67 100644
+ antivirus_stream_connect(user_mail_domain)
+ antivirus_stream_connect(mta_user_agent)
+')
++
++optional_policy(`
++ mailman_manage_data_files(mailserver_domain)
++ mailman_domtrans(mailserver_domain)
++ mailman_append_log(mailserver_domain)
++ mailman_read_log(mailserver_domain)
++')
++
diff --git a/munin.fc b/munin.fc
index eb4b72a..4968324 100644
--- a/munin.fc
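Review bot: The new optional block grants `mailman_manage_data_files(mailserver_domain)` to every domain carrying the mailserver_domain attribute, whereas the exim.te hunk it replaces (the one removing `mailman_read_data_files(exim_t)` / `mailman_domtrans(exim_t)`) scoped that access to exim_t alone. Write access to mailman's data files is now a property of the attribute, so any future domain given mailserver_domain inherits it implicitly; a comment such as `# MTAs deliver into mailman lists and write its data files` above the block would at least make the intent visible. Consider whether read plus domtrans would suffice for the non-exim mail servers.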
@@ -54649,7 +54690,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..073dbf3 100644
+index 7bcf327..ba2f9bb 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -54673,7 +54714,7 @@ index 7bcf327..073dbf3 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,256 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,260 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -54814,6 +54855,8 @@ index 7bcf327..073dbf3 100644
+
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;
+
++kernel_read_network_state(pegasus_openlmi_system_t)
++
+dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t)
+
@@ -54861,6 +54904,7 @@ index 7bcf327..073dbf3 100644
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
++kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
+
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
@@ -54872,7 +54916,8 @@ index 7bcf327..073dbf3 100644
+
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
+
-+storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t)
++storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
++storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
+
@@ -54935,7 +54980,7 @@ index 7bcf327..073dbf3 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +289,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +293,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -54966,7 +55011,7 @@ index 7bcf327..073dbf3 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +315,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +319,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -54999,7 +55044,7 @@ index 7bcf327..073dbf3 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +343,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +347,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -55007,7 +55052,7 @@ index 7bcf327..073dbf3 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +358,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +362,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -55039,7 +55084,7 @@ index 7bcf327..073dbf3 100644
')
optional_policy(`
-@@ -151,16 +388,24 @@ optional_policy(`
+@@ -151,16 +392,24 @@ optional_policy(`
')
optional_policy(`
@@ -55068,7 +55113,7 @@ index 7bcf327..073dbf3 100644
')
optional_policy(`
-@@ -168,7 +413,7 @@ optional_policy(`
+@@ -168,7 +417,7 @@ optional_policy(`
')
optional_policy(`
@@ -55322,10 +55367,10 @@ index 0000000..20ea9f5
+
diff --git a/piranha.if b/piranha.if
new file mode 100644
-index 0000000..8d681d1
+index 0000000..cf54103
--- /dev/null
+++ b/piranha.if
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,187 @@
+## policy for piranha
+
+#######################################
@@ -55353,6 +55398,10 @@ index 0000000..8d681d1
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
++ # tmpfs files
++ type piranha_$1_tmpfs_t, piranha_tmpfs;
++ files_tmpfs_file(piranha_$1_tmpfs_t)
++
+ # pid files
+ type piranha_$1_var_run_t;
+ files_pid_file(piranha_$1_var_run_t)
@@ -55362,6 +55411,10 @@ index 0000000..8d681d1
+ # piranha_$1_t local policy
+ #
+
++ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
++
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
@@ -55507,10 +55560,10 @@ index 0000000..8d681d1
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
-index 0000000..34e591f
+index 0000000..a989aea
--- /dev/null
+++ b/piranha.te
-@@ -0,0 +1,293 @@
+@@ -0,0 +1,292 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -55526,6 +55579,7 @@ index 0000000..34e591f
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
++attribute piranha_tmpfs;
+
+piranha_domain_template(fos)
+
@@ -55538,9 +55592,6 @@ index 0000000..34e591f
+
+piranha_domain_template(web)
+
-+type piranha_web_tmpfs_t;
-+files_tmpfs_file(piranha_web_tmpfs_t)
-+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
@@ -55602,10 +55653,6 @@ index 0000000..34e591f
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
-+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
-+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
@@ -55655,6 +55702,9 @@ index 0000000..34e591f
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
++manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
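Review bot: The two new pattern lines give piranha_lvs_t full manage rights (create, unlink, rename) over piranha_pulse_tmpfs_t, another domain's tmpfs-backed state; if lvs only needs to read and update what pulse has created, `rw_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)` is the narrower grant, and a why-comment would explain the cross-domain access either way, e.g. `# lvs shares pulse's tmpfs state`. The missing space after the comma also differs from every other pattern call in this file. The piranha_lvs_t block continues outside this hunk.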
@@ -55788,6 +55838,9 @@ index 0000000..34e591f
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
++manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
++manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
++
+kernel_read_network_state(piranha_domain)
+
+corenet_tcp_sendrecv_generic_if(piranha_domain)
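Review bot: The new `manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)` and the matching dirs line are placed in the section whose neighbours are all shared `piranha_domain` rules (`read_files_pattern(piranha_domain, ...)`, `kernel_read_network_state(piranha_domain)`), yet they apply to piranha_pulse_t alone, so they belong in the pulse local-policy section; the spacing (`piranha_tmpfs ,piranha_tmpfs`) should also match the rest of the file. Granting pulse manage access on the whole piranha_tmpfs attribute covers every template-created tmpfs type, including any added later; if the intent is only the fos/lvs/web types, naming them keeps the scope visible. The surrounding section extends outside this hunk.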
@@ -55799,7 +55852,6 @@ index 0000000..34e591f
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
-+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
@@ -58689,7 +58741,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index 2e23946..e9ac366 100644
+index 2e23946..0b76d72 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -59029,8 +59081,10 @@ index 2e23946..e9ac366 100644
')
+
-+########################################
-+##
+ ########################################
+ ##
+-## Execute the master postfix program
+-## in the caller domain.
+## Execute the master postfix in the postfix master domain.
+##
+##
@@ -59047,10 +59101,8 @@ index 2e23946..e9ac366 100644
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
- ########################################
- ##
--## Execute the master postfix program
--## in the caller domain.
++########################################
++##
+## Execute the master postfix program in the
+## caller domain.
##
@@ -59148,15 +59200,18 @@ index 2e23946..e9ac366 100644
##
-## Domain allowed access.
+## Domain allowed to transition.
-+##
-+##
+ ##
+ ##
+##
+##
+## The role to be allowed the iptables domain.
+##
+##
+##
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- postfix_exec_postqueue($1)
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
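Review bot: The role parameter of `postfix_run_postqueue` is documented as `The role to be allowed the iptables domain.`, which looks copied from another module and should read `## The role to be allowed the postfix postqueue domain.`. That text is on an outer context line, so the mistake predates this revision, but this hunk is the one reshuffling that interface and is the natural place to fix it. The body's `allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };` would also benefit from a one-line comment saying why the callee needs the caller's socket (presumably an inherited stdio socket, but that is not visible here).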
@@ -59166,8 +59221,8 @@ index 2e23946..e9ac366 100644
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
-+')
-+
+ ')
+
+########################################
+##
+## Execute postfix_postgqueue in the postfix_postgqueue domain.
@@ -59194,18 +59249,15 @@ index 2e23946..e9ac366 100644
+##
+##
+## Domain allowed to transition.
- ##
- ##
++##
++##
+##
+##
+## Role allowed access.
+##
+##
+##
- #
--interface(`posftix_exec_postqueue',`
-- refpolicywarn(`$0($*) has been deprecated.')
-- postfix_exec_postqueue($1)
++#
+interface(`postfix_run_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
@@ -59213,8 +59265,8 @@ index 2e23946..e9ac366 100644
+
+ postfix_domtrans_postgqueue($1)
+ role $2 types postfix_postgqueue_t;
- ')
-
++')
++
+
#######################################
##
@@ -59346,7 +59398,7 @@ index 2e23946..e9ac366 100644
##
##
##
-@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -59361,6 +59413,25 @@ index 2e23946..e9ac366 100644
+
+#######################################
+##
++## Read, write, and delete postfix maildrop spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_rw_spool_maildrop_files',`
++ gen_require(`
++ type postfix_spool_maildrop_t;
++ ')
++
++ files_search_spool($1)
++ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++')
++
++#######################################
++##
+## Create, read, write, and delete postfix maildrop spool files.
+##
+##
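Review bot: The new `postfix_rw_spool_maildrop_files` interface is summarised as `Read, write, and delete postfix maildrop spool files.` but `rw_files_pattern` grants read and write only, no unlink, so the summary should be `## Read and write postfix maildrop spool files.`. It also searches only the generic spool directory; unless the caller already has search on postfix_spool_t it cannot traverse /var/spool/postfix to reach the maildrop directory, so check how the sibling `postfix_manage_spool_maildrop_files` interface (only partly inside this hunk) handles that and mirror it.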
@@ -59380,7 +59451,7 @@ index 2e23946..e9ac366 100644
')
########################################
-@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
##
@@ -59391,7 +59462,7 @@ index 2e23946..e9ac366 100644
##
##
##
-@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
@@ -59550,7 +59621,7 @@ index 2e23946..e9ac366 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..2177e93 100644
+index 191a66f..f19bca4 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -59732,8 +59803,9 @@ index 191a66f..2177e93 100644
-########################################
-#
-# Common postfix user domain local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
@@ -59741,9 +59813,8 @@ index 191a66f..2177e93 100644
-########################################
-#
-# Master local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -59767,10 +59838,10 @@ index 191a66f..2177e93 100644
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
++
++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
-+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -59811,29 +59882,29 @@ index 191a66f..2177e93 100644
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
--
+
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
--
--can_exec(postfix_master_t, postfix_exec_t)
-+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++kernel_read_all_sysctls(postfix_master_t)
+-can_exec(postfix_master_t, postfix_exec_t)
+-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-+kernel_read_all_sysctls(postfix_master_t)
-
+-
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -59893,32 +59964,30 @@ index 191a66f..2177e93 100644
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)
+-optional_policy(`
+- cyrus_stream_connect(postfix_master_t)
+-')
+-
+-optional_policy(`
+- kerberos_keytab_template(postfix, postfix_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
-+')
-+
- optional_policy(`
- cyrus_stream_connect(postfix_master_t)
- ')
-@@ -316,14 +212,11 @@ optional_policy(`
')
optional_policy(`
-+# for postalias
- mailman_manage_data_files(postfix_master_t)
+- mailman_manage_data_files(postfix_master_t)
++ cyrus_stream_connect(postfix_master_t)
')
optional_policy(`
- mysql_stream_connect(postfix_master_t)
--')
--
--optional_policy(`
- postgrey_search_spool(postfix_master_t)
++ kerberos_keytab_template(postfix, postfix_t)
')
-@@ -333,12 +226,14 @@ optional_policy(`
+ optional_policy(`
+@@ -333,12 +221,14 @@ optional_policy(`
########################################
#
@@ -59935,7 +60004,7 @@ index 191a66f..2177e93 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -59982,7 +60051,7 @@ index 191a66f..2177e93 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +285,50 @@ optional_policy(`
+@@ -393,36 +280,50 @@ optional_policy(`
########################################
#
@@ -60042,7 +60111,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -434,6 +340,7 @@ optional_policy(`
+@@ -434,6 +335,7 @@ optional_policy(`
')
optional_policy(`
@@ -60050,7 +60119,7 @@ index 191a66f..2177e93 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +351,10 @@ optional_policy(`
+@@ -444,6 +346,10 @@ optional_policy(`
')
optional_policy(`
@@ -60061,7 +60130,7 @@ index 191a66f..2177e93 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +369,17 @@ optional_policy(`
+@@ -458,15 +364,17 @@ optional_policy(`
########################################
#
@@ -60085,7 +60154,7 @@ index 191a66f..2177e93 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -60105,7 +60174,7 @@ index 191a66f..2177e93 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -60113,7 +60182,7 @@ index 191a66f..2177e93 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -60139,7 +60208,7 @@ index 191a66f..2177e93 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -60159,7 +60228,7 @@ index 191a66f..2177e93 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +489,26 @@ optional_policy(`
+@@ -576,19 +484,26 @@ optional_policy(`
########################################
#
@@ -60191,7 +60260,7 @@ index 191a66f..2177e93 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +523,7 @@ optional_policy(`
+@@ -603,10 +518,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -60203,7 +60272,7 @@ index 191a66f..2177e93 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +538,24 @@ optional_policy(`
+@@ -621,17 +533,24 @@ optional_policy(`
#######################################
#
@@ -60231,7 +60300,7 @@ index 191a66f..2177e93 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +571,77 @@ optional_policy(`
+@@ -647,67 +566,77 @@ optional_policy(`
########################################
#
@@ -60327,7 +60396,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -720,29 +654,30 @@ optional_policy(`
+@@ -720,29 +649,30 @@ optional_policy(`
########################################
#
@@ -60366,7 +60435,7 @@ index 191a66f..2177e93 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +689,7 @@ optional_policy(`
+@@ -754,6 +684,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -60374,7 +60443,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -764,31 +700,99 @@ optional_policy(`
+@@ -764,31 +695,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -77187,7 +77256,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..b2225a3 100644
+index 57c034b..9e91107 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -77817,7 +77886,7 @@ index 57c034b..b2225a3 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +555,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -77879,10 +77948,11 @@ index 57c034b..b2225a3 100644
- files_manage_non_auth_files(nmbd_t)
+optional_policy(`
+ ctdbd_stream_connect(nmbd_t)
++ ctdbd_manage_var_files(nmbd_t)
')
optional_policy(`
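Review bot: `ctdbd_manage_var_files(nmbd_t)` gives nmbd create, delete and rename rights over ctdbd's /var files, a much broader grant than the stream connect that was already in this optional_policy block; if nmbd only reads or updates an existing cluster state file, a read or rw interface would be narrower, and either way the reason belongs in a comment, e.g. `# clustered samba: nmbd updates ctdb state under /var`. I cannot tell from the hunk which file nmbd touches, so treat this as a question rather than a verdict. The nmbd section continues outside this hunk.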
-@@ -600,19 +601,26 @@ optional_policy(`
+@@ -600,19 +602,26 @@ optional_policy(`
########################################
#
@@ -77914,7 +77984,7 @@ index 57c034b..b2225a3 100644
samba_search_var(smbcontrol_t)
samba_read_winbind_pid(smbcontrol_t)
-@@ -620,16 +628,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -77932,7 +78002,7 @@ index 57c034b..b2225a3 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +641,23 @@ optional_policy(`
+@@ -637,22 +642,23 @@ optional_policy(`
########################################
#
@@ -77964,7 +78034,7 @@ index 57c034b..b2225a3 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +666,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -78000,7 +78070,7 @@ index 57c034b..b2225a3 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +693,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -78092,7 +78162,7 @@ index 57c034b..b2225a3 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +772,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -78116,7 +78186,7 @@ index 57c034b..b2225a3 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,36 +786,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -78159,7 +78229,7 @@ index 57c034b..b2225a3 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +816,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -78173,7 +78243,7 @@ index 57c034b..b2225a3 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +840,19 @@ optional_policy(`
+@@ -834,16 +841,19 @@ optional_policy(`
#
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -78197,7 +78267,7 @@ index 57c034b..b2225a3 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +862,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -78208,7 +78278,7 @@ index 57c034b..b2225a3 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +873,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -78238,7 +78308,7 @@ index 57c034b..b2225a3 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +896,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -78259,7 +78329,7 @@ index 57c034b..b2225a3 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +914,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -78270,7 +78340,7 @@ index 57c034b..b2225a3 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +922,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -78312,7 +78382,7 @@ index 57c034b..b2225a3 100644
')
optional_policy(`
-@@ -952,31 +970,29 @@ optional_policy(`
+@@ -952,31 +971,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -78350,7 +78420,7 @@ index 57c034b..b2225a3 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1006,38 @@ optional_policy(`
+@@ -990,25 +1007,38 @@ optional_policy(`
########################################
#
@@ -82821,10 +82891,10 @@ index 0000000..52450c7
+')
diff --git a/smsd.te b/smsd.te
new file mode 100644
-index 0000000..92c3638
+index 0000000..1fad7b8
--- /dev/null
+++ b/smsd.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,73 @@
+policy_module(smsd, 1.0.0)
+
+########################################
@@ -82882,6 +82952,7 @@ index 0000000..92c3638
+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+files_spool_filetrans(smsd_t, smsd_spool_t, { dir })
++can_exec(smsd_t, smsd_spool_t)
+
+manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
+manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
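Review bot: `can_exec(smsd_t, smsd_spool_t)` lets the daemon execute anything labeled with its own spool type, which it also creates and writes through the `manage_*_pattern` lines just above, so whatever lands in the spool at runtime becomes executable in smsd_t without a domain transition. If this is for an event-handler script that happens to live under the spool, give that script a dedicated exec type with its own file-context entry and `can_exec` that type instead of the whole spool. If the spool genuinely must hold executables, say what they are, e.g. `# handler scripts are stored alongside the message spool`. The smsd_t block continues outside this hunk.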
@@ -88707,10 +88778,10 @@ index 0000000..8b2dfff
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..ec3eb8f
+index 0000000..1a7c61d
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,148 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -88759,6 +88830,7 @@ index 0000000..ec3eb8f
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+userdom_dontaudit_access_check_user_content(thumb_t)
++userdom_rw_inherited_user_tmpfs_files(thumb_t)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -93208,7 +93280,7 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..64b3da9 100644
+index 1f22fba..a77dab1 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,167 @@
@@ -94113,7 +94185,7 @@ index 1f22fba..64b3da9 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +602,262 @@ optional_policy(`
+@@ -737,44 +602,264 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -94149,6 +94221,14 @@ index 1f22fba..64b3da9 100644
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++kernel_read_net_sysctls(virt_domain)
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -94159,19 +94239,14 @@ index 1f22fba..64b3da9 100644
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -94203,13 +94278,12 @@ index 1f22fba..64b3da9 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
-can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -94304,7 +94378,7 @@ index 1f22fba..64b3da9 100644
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
+')
-
++
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
@@ -94312,7 +94386,7 @@ index 1f22fba..64b3da9 100644
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
+')
-+
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
@@ -94398,7 +94472,7 @@ index 1f22fba..64b3da9 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +868,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +870,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -94425,7 +94499,7 @@ index 1f22fba..64b3da9 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +888,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +890,23 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -94458,7 +94532,7 @@ index 1f22fba..64b3da9 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +923,20 @@ optional_policy(`
+@@ -847,14 +925,20 @@ optional_policy(`
')
optional_policy(`
@@ -94480,7 +94554,7 @@ index 1f22fba..64b3da9 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +961,65 @@ optional_policy(`
+@@ -879,49 +963,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -94564,7 +94638,7 @@ index 1f22fba..64b3da9 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1031,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1033,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -94584,7 +94658,7 @@ index 1f22fba..64b3da9 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1052,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1054,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -94608,7 +94682,7 @@ index 1f22fba..64b3da9 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1077,238 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1079,238 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -94983,7 +95057,7 @@ index 1f22fba..64b3da9 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1321,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1323,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -94998,7 +95072,7 @@ index 1f22fba..64b3da9 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1339,8 @@ optional_policy(`
+@@ -1183,9 +1341,8 @@ optional_policy(`
########################################
#
@@ -95009,7 +95083,7 @@ index 1f22fba..64b3da9 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1353,194 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1355,194 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -97854,6 +97928,27 @@ index d837e88..910aeec 100644
userdom_use_unpriv_users_fds(yam_t)
userdom_search_user_home_dirs(yam_t)
+diff --git a/zabbix.fc b/zabbix.fc
+index ce10cb1..3181728 100644
+--- a/zabbix.fc
++++ b/zabbix.fc
+@@ -4,11 +4,15 @@
+ /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+
+-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
++/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+ /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
diff --git a/zabbix.if b/zabbix.if
index dd63de0..38ce620 100644
--- a/zabbix.if
@@ -98017,10 +98112,10 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..dea93eb 100644
+index 46e4cd3..79317e6 100644
--- a/zabbix.te
+++ b/zabbix.te
-@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
+@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3)
#
##
@@ -98029,9 +98124,64 @@ index 46e4cd3..dea93eb 100644
## Determine whether zabbix can
## connect to all TCP ports
##
-@@ -52,11 +52,10 @@ allow zabbix_t self:sem create_sem_perms;
- allow zabbix_t self:shm create_shm_perms;
- allow zabbix_t self:tcp_socket create_stream_socket_perms;
+ ##
+ gen_tunable(zabbix_can_network, false)
+
+-type zabbix_t;
++attribute zabbix_domain;
++
++type zabbix_t, zabbix_domain;
+ type zabbix_exec_t;
+ init_daemon_domain(zabbix_t, zabbix_exec_t)
+
+ type zabbix_initrc_exec_t;
+ init_script_file(zabbix_initrc_exec_t)
+
+-type zabbix_agent_t;
++type zabbix_agent_t, zabbix_domain;
+ type zabbix_agent_exec_t;
+ init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
+@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t)
+
+ ########################################
+ #
++# zabbix domain local policy
++#
++
++allow zabbix_domain self:capability { setuid setgid };
++allow zabbix_domain self:process { setpgid setsched getsched signal_perms };
++allow zabbix_domain self:fifo_file rw_fifo_file_perms;
++allow zabbix_domain self:sem create_sem_perms;
++allow zabbix_domain self:shm create_shm_perms;
++allow zabbix_domain self:tcp_socket { accept listen };
++allow zabbix_domain self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_all_sysctls(zabbix_domain)
++
++corenet_tcp_sendrecv_generic_if(zabbix_domain)
++corenet_tcp_sendrecv_generic_node(zabbix_domain)
++corenet_tcp_bind_generic_node(zabbix_domain)
++
++corecmd_exec_shell(zabbix_domain)
++corecmd_exec_bin(zabbix_domain)
++
++dev_read_sysfs(zabbix_domain)
++dev_read_urand(zabbix_domain)
++
++########################################
++#
+ # Local policy
+ #
+
+-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
+-allow zabbix_t self:process { setsched signal_perms };
+-allow zabbix_t self:fifo_file rw_fifo_file_perms;
+-allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+-allow zabbix_t self:sem create_sem_perms;
+-allow zabbix_t self:shm create_shm_perms;
+-allow zabbix_t self:tcp_socket create_stream_socket_perms;
++allow zabbix_t self:capability { dac_read_search dac_override };
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
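Review bot: `kernel_read_all_sysctls(zabbix_domain)` widens the server: the removed lines show zabbix_t previously had only `kernel_read_kernel_sysctls(zabbix_t)` (dropped in the next hunk) while the all-sysctls rule was agent-only, so the consolidation onto the attribute hands the server the broader read without saying so. `dev_read_sysfs(zabbix_domain)` appears new for both domains, since no removed line in the visible hunks carries it. A comment above the shared block, e.g. `# rules common to zabbix_t and zabbix_agent_t; all_sysctls and sysfs reads are new for the server`, would make the broadening reviewable rather than hidden in a refactor. In the other direction, the server's `self:tcp_socket create_stream_socket_perms` is reduced to the attribute's `{ accept listen }`; presumably other interfaces still applied to zabbix_t (auth_use_nsswitch remains later in the file) supply create and connect, but that should be confirmed against the server's actual socket use before merge.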
@@ -98045,10 +98195,29 @@ index 46e4cd3..dea93eb 100644
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -95,12 +94,8 @@ corecmd_exec_shell(zabbix_t)
+@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
+ kernel_read_system_state(zabbix_t)
+-kernel_read_kernel_sysctls(zabbix_t)
- dev_read_urand(zabbix_t)
+ corenet_all_recvfrom_unlabeled(zabbix_t)
+ corenet_all_recvfrom_netlabel(zabbix_t)
+-corenet_tcp_sendrecv_generic_if(zabbix_t)
+-corenet_tcp_sendrecv_generic_node(zabbix_t)
+-corenet_tcp_bind_generic_node(zabbix_t)
+ corenet_sendrecv_ftp_client_packets(zabbix_t)
+ corenet_tcp_connect_ftp_port(zabbix_t)
+@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
+ corenet_tcp_bind_zabbix_port(zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port(zabbix_t)
+
+-corecmd_exec_bin(zabbix_t)
+-corecmd_exec_shell(zabbix_t)
+-
+-dev_read_urand(zabbix_t)
+-
-files_read_usr_files(zabbix_t)
-
auth_use_nsswitch(zabbix_t)
@@ -98058,7 +98227,7 @@ index 46e4cd3..dea93eb 100644
zabbix_agent_tcp_connect(zabbix_t)
tunable_policy(`zabbix_can_network',`
-@@ -110,12 +105,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@@ -98073,7 +98242,7 @@ index 46e4cd3..dea93eb 100644
')
optional_policy(`
-@@ -125,6 +119,7 @@ optional_policy(`
+@@ -125,6 +131,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -98081,18 +98250,18 @@ index 46e4cd3..dea93eb 100644
')
########################################
-@@ -133,17 +128,14 @@ optional_policy(`
+@@ -132,18 +139,7 @@ optional_policy(`
+ # Agent local policy
#
- allow zabbix_agent_t self:capability { setuid setgid };
+-allow zabbix_agent_t self:capability { setuid setgid };
-allow zabbix_agent_t self:process { setsched getsched signal };
-+allow zabbix_agent_t self:process { setpgid setsched getsched signal };
- allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
- allow zabbix_agent_t self:sem create_sem_perms;
- allow zabbix_agent_t self:shm create_shm_perms;
- allow zabbix_agent_t self:tcp_socket { accept listen };
- allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
-
+-allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
+-allow zabbix_agent_t self:sem create_sem_perms;
+-allow zabbix_agent_t self:shm create_shm_perms;
+-allow zabbix_agent_t self:tcp_socket { accept listen };
+-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+-
-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
@@ -98101,16 +98270,26 @@ index 46e4cd3..dea93eb 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -154,6 +146,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
- kernel_read_all_sysctls(zabbix_agent_t)
- kernel_read_system_state(zabbix_agent_t)
+@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+ manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
-+corecmd_exec_shell(zabbix_agent_t)
-+corecmd_exec_bin(zabbix_agent_t)
- corecmd_read_all_executables(zabbix_agent_t)
+-kernel_read_all_sysctls(zabbix_agent_t)
+ kernel_read_system_state(zabbix_agent_t)
+-corecmd_read_all_executables(zabbix_agent_t)
+-
corenet_all_recvfrom_unlabeled(zabbix_agent_t)
-@@ -182,7 +176,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+ corenet_all_recvfrom_netlabel(zabbix_agent_t)
+-corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
+-corenet_tcp_sendrecv_generic_node(zabbix_agent_t)
+-corenet_tcp_bind_generic_node(zabbix_agent_t)
++
++corecmd_read_all_executables(zabbix_agent_t)
+
+ corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
+ corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
files_read_all_symlinks(zabbix_agent_t)
@@ -98118,7 +98297,7 @@ index 46e4cd3..dea93eb 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -190,8 +183,11 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b037589..e751845 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 89%{?dist}
+Release: 90%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -572,6 +572,36 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Oct 17 2013 Miroslav Grepl