+ ##
+@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
++kernel_read_crypto_sysctls(domain)
++
+ # Every domain gets the key ring, so we should default
+ # to no one allowed to look at it; afs kernel support creates
+ # a keyring
+ kernel_dontaudit_search_key(domain)
+ kernel_dontaudit_link_key(domain)
++kernel_dontaudit_search_debugfs(domain)
+
+ # create child processes in the domain
+-allow domain self:process { fork sigchld };
++allow domain self:process { fork getsched sigchld };
+
+ # Use trusted objects in /dev
+ dev_rw_null(domain)
+@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
+
+ # list the root directory
+ files_list_root(domain)
++# allow all domains to search through default_t directory, since users sometimes
++# place labels within these directories. (samba_share_t) for example.
++files_search_default(domain)
++
++# All executables should be able to search the directory they are in
++corecmd_search_bin(domain)
++
++tunable_policy(`domain_kernel_load_modules',`
++ kernel_request_load_module(domain)
++')
+
+ tunable_policy(`global_ssp',`
+ # enable reading of urandom for all domains:
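Review bot: The added tunable_policy block for domain_kernel_load_modules gives every type in the domain attribute kernel_request_load_module, and nothing in the hunk documents the effect or the boolean's default. With the boolean on, any confined process can cause the kernel to auto-load a module, which widens the kernel attack surface for all domains at once. I would put a comment above the block such as `# off by default: lets any domain trigger kernel module auto-loading` and check that the gen_tunable declaration, which is not in the visible hunks, defaults to false. The global_ssp block that follows continues outside the hunk.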
+@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
+ ')
+
+ optional_policy(`
++ afs_rw_cache(domain)
++')
++
++optional_policy(`
+ libs_use_ld_so(domain)
+ libs_use_shared_libs(domain)
++ libs_read_lib_files(domain)
+ ')
+
+ optional_policy(`
+@@ -125,6 +158,8 @@ optional_policy(`
+ optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
++ xserver_dontaudit_append_xdm_home_files(domain)
++ xserver_dontaudit_write_log(domain)
+ ')
+
+ ########################################
+@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+ allow unconfined_domain_type domain:fd use;
+ allow unconfined_domain_type domain:fifo_file rw_file_perms;
+
++allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
++
+ # Act upon any other process.
+ allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+
+@@ -160,3 +197,81 @@ allow unconfined_domain_type domain:key *;
+
+ # receive from all domains over labeled networking
+ domain_all_recvfrom_all_domains(unconfined_domain_type)
++
++selinux_getattr_fs(domain)
++selinux_search_fs(domain)
++selinux_dontaudit_read_fs(domain)
++
++seutil_dontaudit_read_config(domain)
++
++init_sigchld(domain)
++init_signull(domain)
++
++ifdef(`distro_redhat',`
++ files_search_mnt(domain)
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
++# these seem questionable:
++
++optional_policy(`
++ abrt_domtrans_helper(domain)
++ abrt_read_pid_files(domain)
++ abrt_read_state(domain)
++ abrt_signull(domain)
++ abrt_stream_connect(domain)
++')
++
++optional_policy(`
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++ rpm_search_log(domain)
++ rpm_append_tmp_files(domain)
++ rpm_dontaudit_leaks(domain)
++ rpm_read_script_tmp_files(domain)
++ rpm_inherited_fifo(domain)
++')
++
++optional_policy(`
++ sosreport_append_tmp_files(domain)
++')
++
++tunable_policy(`allow_domain_fd_use',`
++ # Allow all domains to use fds past to them
++ allow domain domain:fd use;
++')
++
++optional_policy(`
++ cron_dontaudit_write_system_job_tmp_files(domain)
++ cron_rw_pipes(domain)
++ cron_rw_system_job_pipes(domain)
++')
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit domain self:udp_socket listen;
++ allow domain domain:key { link search };
++')
++
++optional_policy(`
++ hal_dontaudit_read_pid_files(domain)
++')
++
++optional_policy(`
++ ifdef(`hide_broken_symptoms',`
++ afs_rw_udp_sockets(domain)
++ ')
++')
++
++optional_policy(`
++ ssh_rw_pipes(domain)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(domain)
++ unconfined_sigchld(domain)
++')
++
++# broken kernel
++dontaudit can_change_object_identity can_change_object_identity:key link;
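Review bot: Inside the hide_broken_symptoms block, `allow domain domain:key { link search };` is an allow rule rather than a dontaudit, so building with that macro grants every domain search and link on every other domain's keys. That contradicts the key ring comment earlier in this file section ("we should default to no one allowed to look at it") and the kernel_dontaudit_search_key / kernel_dontaudit_link_key calls next to it. If the aim is only to silence the denials, the line should read `dontaudit domain domain:key { link search };`. The blocks under "# these seem questionable:" (abrt, rpm, cron, ssh, allow_domain_fd_use) also apply to the whole domain attribute, although they are appended after the unconfined-domain rules. Each deserves a one-line comment naming the denial it was added for.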
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 3517db2..bd4c23d 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
+ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
+
+ ifdef(`distro_suse',`
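Review bot: The new entry `/[^/]+ --` in the distro_redhat block matches every regular file directly under `/`, not just the three names listed above it, so any stray file created there is labelled etc_runtime_t on the next relabel. That makes the /fsckoptions, /halt and /poweroff entries redundant and hands a type that init scripts and many readers are allowed to touch to files nobody has reviewed. If specific files are the target, list them by name; if the catch-all is intended, add a comment saying so, for example `# any regular file in / is treated as boot-time runtime state`.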
+@@ -64,6 +65,13 @@ ifdef(`distro_suse',`
+ /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
++
++
+ /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
+ /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
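Review bot: The pattern `/etc/sysconfig/ip6?tables.*` also matches `/etc/sysconfig/iptables.save`, which this file labels etc_runtime_t a few lines further down (visible as context in the next hunk). Which of the two entries wins depends on how the file-context entries are ordered when the policy is built, so the resulting label for that file is not obvious from the source. I would either tighten the new patterns so they do not cover the .save file or add a comment stating which label is intended for it. The trailing `.*` on the ebtables, ipvsadm and system-config-firewall entries is equally open-ended and matches any name with that prefix.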
+@@ -74,7 +82,8 @@ ifdef(`distro_suse',`
+
+ /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
++/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+ ifdef(`distro_gentoo', `
+ /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -95,7 +104,7 @@ ifdef(`distro_suse',`
+ # HOME_ROOT
+ # expanded by genhomedircon
+ #
+-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
++HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+ HOME_ROOT/\.journal <>
+ HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ HOME_ROOT/lost\+found/.* <>
+@@ -159,6 +168,12 @@ HOME_ROOT/lost\+found/.* <>
+ /proc -d <>
+ /proc/.* <>
+
++ifdef(`distro_redhat',`
++/rhev -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev/[^/]*/.* <>
++')
++
+ #
+ # /selinux
+ #
+@@ -172,12 +187,6 @@ HOME_ROOT/lost\+found/.* <>
+ /srv/.* gen_context(system_u:object_r:var_t,s0)
+
+ #
+-# /sys
+-#
+-/sys -d <>
+-/sys/.* <>
+-
+-#
+ # /tmp
+ #
+ /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+@@ -217,7 +226,6 @@ HOME_ROOT/lost\+found/.* <>
+
+ ifndef(`distro_redhat',`
+ /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+-
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+ ')
+@@ -233,6 +241,8 @@ ifndef(`distro_redhat',`
+
+ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
++/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
+ /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+ /var/lib/nfs/rpc_pipefs(/.*)? <>
+@@ -249,7 +259,7 @@ ifndef(`distro_redhat',`
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp/.* <>
+ /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/tmp/lost\+found/.* <>
+@@ -258,3 +268,5 @@ ifndef(`distro_redhat',`
+ ifdef(`distro_debian',`
+ /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 5302dac..5dcb9ad 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
+ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+- # this is only relabelfrom since there should be no
+- # device nodes with file types.
+- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
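Review bot: Switching files_relabel_all_files to relabel_blk_files_pattern and relabel_chr_files_pattern presumably adds relabelto on block and character device nodes, and the hunk deletes the comment that explained why only relabelfrom was granted ("there should be no device nodes with file types"). A caller of this interface could then give a device node any file_type label, which may expose the device to domains that have no device access. If the wider permission is needed, keep a comment stating the case, for example `# relabelto needed for device nodes under <PATH>`; otherwise keep the relabelfrom_ patterns. The interface body starts and ends outside the hunk.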
+@@ -1446,6 +1444,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
+
+ ########################################
+ ##
++## Do not audit listing of all mount points.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ dontaudit $1 mountpoint:dir list_dir_perms;
++')
++
++########################################
++##
++## Write all mount points.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir write;
++')
++
++########################################
++##
++## Write all file type directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_dirs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:dir write;
++')
++
++########################################
++##
+ ## List the contents of the root directory.
+ ##
+ ##
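Review bot: files_write_all_dirs grants `write` on directories of every type in the file_type attribute, and its summary "Write all file type directories." does not say how broad that is or who should call it. The attribute presumably includes directories holding security-sensitive files, so this interface and files_write_all_mountpoints should document their intended callers. They should also state that only the bare `write` permission is granted, without add_name, remove_name or search. A summary such as `## Grant the write permission (no add_name/remove_name) on all directories with a file type.` would make the scope clear to reviewers of calling modules. The comment block at the end of the hunk belongs to an interface that continues outside it.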
+@@ -1836,6 +1888,25 @@ interface(`files_relabelfrom_boot_files',`
+ relabelfrom_files_pattern($1, boot_t, boot_t)
+ ')
+
++######################################
++##
++## Read symbolic links
++## in the /boot directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_boot_symlinks',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ read_lnk_files_pattern($1, boot_t, boot_t)
++')
++
+ ########################################
+ ##
+ ## Read and write symbolic links
+@@ -2435,6 +2506,24 @@ interface(`files_delete_etc_files',`
+
+ ########################################
+ ##
++## Remove entries from the etc directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_etc_dir_entry',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:dir del_entry_dir_perms;
++')
++
++########################################
++##
+ ## Execute generic files in /etc.
+ ##
+ ##
+@@ -2605,6 +2694,24 @@ interface(`files_read_etc_runtime_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to set the attributes of the etc_runtime files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_setattr_etc_runtime_files',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ dontaudit $1 etc_runtime_t:file setattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to read files
+ ## in /etc that are dynamically
+ ## created on boot, such as mtab.
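Review bot: The parameter description of files_dontaudit_setattr_etc_runtime_files says "Domain allowed access." although the interface only adds a dontaudit rule; it should read `## Domain to not audit.` as the neighbouring dontaudit interfaces do. The same mismatch appears in files_dontaudit_list_mnt and files_dontaudit_leaks. The reverse mismatch ("Domain to not audit." on an interface that grants access) appears in files_rw_tmpfs_files, fs_read_inherited_cifs_files and fs_read_inherited_nfs_files. The generated interface documentation is what module authors read to decide whether a call grants access, so the wording matters here.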
+@@ -3086,6 +3193,7 @@ interface(`files_getattr_home_dir',`
+ ')
+
+ allow $1 home_root_t:dir getattr;
++ allow $1 home_root_t:lnk_file getattr;
+ ')
+
+ ########################################
+@@ -3106,6 +3214,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+ ')
+
+ dontaudit $1 home_root_t:dir getattr;
++ dontaudit $1 home_root_t:lnk_file getattr;
+ ')
+
+ ########################################
+@@ -3347,6 +3456,24 @@ interface(`files_list_mnt',`
+ allow $1 mnt_t:dir list_dir_perms;
+ ')
+
++######################################
++##
++## dontaudit List the contents of /mnt.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_list_mnt',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ dontaudit $1 mnt_t:dir list_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Mount a filesystem on /mnt.
+@@ -3420,6 +3547,24 @@ interface(`files_read_mnt_files',`
+ read_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++######################################
++##
++## Read symbolic links in /mnt.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_mnt_symlinks',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ read_lnk_files_pattern($1, mnt_t, mnt_t)
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -3711,6 +3856,100 @@ interface(`files_read_world_readable_sockets',`
+ allow $1 readable_t:sock_file read_sock_file_perms;
+ ')
+
++#######################################
++##
++## Read manageable system configuration files in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_read_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ allow $1 etc_t:dir list_dir_perms;
++ read_files_pattern($1, etc_t, system_conf_t)
++ read_lnk_files_pattern($1, etc_t, system_conf_t)
++')
++
++######################################
++##
++## Manage manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++###################################
++##
++## Create files in /etc with the type used for
++## the manageable system config files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`files_etc_filetrans_system_conf',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ filetrans_pattern($1, etc_t, system_conf_t, file)
++')
++
+ ########################################
+ ##
+ ## Allow the specified type to associate
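Review bot: files_relabelto_system_conf_files and files_relabelfrom_system_conf_files both declare `type usr_t;` in gen_require but use system_conf_t in their rule, so the type they depend on is never required and usr_t is required for nothing. Each gen_require should read `type system_conf_t;`. The two interfaces also share the summary "Relabel manageable system configuration files in /etc."; "Relabel to" and "Relabel from" would tell them apart. files_manage_system_conf_files passes `{ etc_t system_conf_t }` as the directory argument, which its description does not mention.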
+@@ -3896,6 +4135,32 @@ interface(`files_manage_generic_tmp_dirs',`
+
+ ########################################
+ ##
++## Allow shared library text relocations in tmp files.
++##
++##
++##
++## Allow shared library text relocations in tmp files.
++##
++##
++## This is added to support java policy.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_execmod_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file execmod;
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
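Review bot: files_execmod_tmp grants execmod on the whole tmpfile attribute, which presumably covers every domain's temporary-file type rather than only the caller's own. The description merely repeats the summary and adds "This is added to support java policy." Since execmod permits text relocations on files that other domains may be able to write, the comment should state that scope and name the expected caller. I would add `## Applies to all tmp file types, not only the caller's; use only where text relocations cannot be avoided.`. The comment block at the end of the hunk belongs to the next interface, which continues outside it.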
+@@ -3950,6 +4215,42 @@ interface(`files_rw_generic_tmp_sockets',`
+
+ ########################################
+ ##
++## Relabel a dir from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
++## Relabel a file from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
+ ##
+ ##
+@@ -4109,6 +4410,13 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
+@@ -4718,6 +5026,24 @@ interface(`files_read_var_files',`
+
+ ########################################
+ ##
++## Append files in the /var directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_append_var_files',`
++ gen_require(`
++ type var_t;
++ ')
++
++ append_files_pattern($1, var_t, var_t)
++')
++
++########################################
++##
+ ## Read and write files in the /var directory.
+ ##
+ ##
+@@ -5053,6 +5379,24 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
++## List generic lock directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
+ ## Search the locks directory (/var/lock).
+ ##
+ ##
+@@ -5138,12 +5482,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
++ gen_require(`
+ type var_t, var_lock_t;
+- ')
++ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ allow $1 var_t:dir search_dir_perms;
++ delete_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+ ########################################
+@@ -5189,6 +5533,27 @@ interface(`files_delete_all_locks',`
+
+ ########################################
+ ##
++## Relabel all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabel_all_lock_dirs',`
++ gen_require(`
++ attribute lockfile;
++ type var_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
+ ## Read all lock files.
+ ##
+ ##
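Review bot: The summary of files_relabel_all_lock_dirs says "Relabel all lock files." but the rule is relabel_dirs_pattern on lockfile, so it relabels directories and not files. The summary should read `## Relabel all lock directories.` so that a module author looking for file relabeling does not pick this interface by mistake. The stray empty `##` line before the `#` terminator also differs from the other comment blocks in the file.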
+@@ -5317,23 +5682,60 @@ interface(`files_search_pids',`
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
++## Add and remove entries from pid directories.
+ ##
+ ##
+-##
+-## Domain to not audit.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
+- gen_require(`
+- type var_run_t;
+- ')
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
+
+- dontaudit $1 var_run_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++##
++## Create generic pid directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -5524,6 +5926,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
++## Relable all pid directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Delete all pid sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_unlink_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++##
++## manage all pidfile directories
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++##
+ ## Read all process ID files.
+ ##
+ ##
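Review bot: "Relable" in the summary of files_relabel_all_pid_dirs is misspelled, and the same spelling recurs for files_relabel_all_pid_files in the next hunk; both should read "Relabel". The summaries "manage all pidfile directories" and "manage all pidfiles" start in lower case, unlike the rest of the file. `manage_dirs_pattern($1,pidfile,pidfile)` and `manage_files_pattern($1,pidfile,pidfile)` omit the space after each comma that the other pattern calls use.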
+@@ -5541,6 +5999,44 @@ interface(`files_read_all_pids',`
+
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Relable all pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_files',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## manage all pidfiles
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_files_pattern($1,pidfile,pidfile)
+ ')
+
+ ########################################
+@@ -5826,3 +6322,247 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++##
++## Create a core files in /
++##
++##
++##
++## Create a core file in /,
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_manage_root_files',`
++ gen_require(`
++ type root_t;
++ ')
++
++ manage_files_pattern($1, root_t, root_t)
++')
++
++########################################
++##
++## Create a default directory
++##
++##
++##
++## Create a default_t direcrory
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_create_default_dir',`
++ gen_require(`
++ type default_t;
++ ')
++
++ allow $1 default_t:dir create;
++')
++
++########################################
++##
++## Create, default_t objects with an automatic
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object being created.
++##
++##
++#
++interface(`files_root_filetrans_default',`
++ gen_require(`
++ type root_t, default_t;
++ ')
++
++ filetrans_pattern($1, root_t, default_t, $2)
++')
++
++########################################
++##
++## manage generic symbolic links
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_pids_symlinks',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to getattr
++## all tmpfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file getattr;
++')
++
++########################################
++##
++## Allow read write all tmpfs files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_rw_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read security files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_security_files',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
++ dontaudit $1 security_file_type:file read_file_perms;
++')
++
++########################################
++##
++## rw any files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_rw_all_inherited_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 { file_type $2 }:file rw_inherited_file_perms;
++ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
++ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Allow any file point to be the entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_entrypoint_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++ allow $1 file_type:file entrypoint;
++')
++
++########################################
++##
++## Do not audit attempts to rw inherited file perms
++## of non security files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_all_non_security_leaks',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_leaks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file rw_inherited_file_perms;
++ dontaudit $1 file_type:lnk_file { read };
++')
++
++########################################
++##
++## Allow domain to create_file_ass all types
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_as_is_all_files',`
++ gen_require(`
++ attribute file_type;
++ class kernel_service create_files_as;
++ ')
++
++ allow $1 file_type:kernel_service create_files_as;
++')
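Review bot: files_dontaudit_getattr_tmpfs_files is documented as "Do not audit attempts to getattr all tmpfs files" but its rule is `allow $1 tmpfsfile:file getattr;`, so every caller that meant to silence a denial is granted the access instead; the rule should be `dontaudit $1 tmpfsfile:file getattr;`. files_rw_all_inherited_files uses `$2` in all four rules while its comment block, as far as the extracted text shows, describes a single parameter, so the second argument needs documenting or removing. files_manage_root_files is summarised as creating a core file in / but grants manage_files_pattern on root_t, which is considerably more than create. files_entrypoint_all_files lets the calling domain be entered through a file of any file_type, and its description should state that plainly.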
+diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
+index 07352a5..12e9ecf 100644
+--- a/policy/modules/kernel/files.te
++++ b/policy/modules/kernel/files.te
+@@ -11,6 +11,7 @@ attribute lockfile;
+ attribute mountpoint;
+ attribute pidfile;
+ attribute configfile;
++attribute etcfile;
+
+ # For labeling types that are to be polyinstantiated
+ attribute polydir;
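Review bot: The new `attribute etcfile;` is declared here but none of the visible hunks assigns it to a type; system_conf_t and etc_runtime_t are both given configfile instead. If an interface or type outside this view uses it, a one-line comment such as `# For labeling types that live under /etc` would match the style of the polydir comment below. If nothing uses it, the declaration should be dropped so the attribute list does not suggest a grouping that the policy does not enforce.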
+@@ -58,12 +59,21 @@ files_type(etc_t)
+ typealias etc_t alias automount_etc_t;
+ typealias etc_t alias snmpd_etc_t;
+
++# system_conf_t is a new type of various
++# files in /etc/ that can be managed and
++# created by several domains.
++#
++type system_conf_t, configfile;
++files_type(system_conf_t)
++# compatibility aliases for removed type:
++typealias system_conf_t alias iptables_conf_t;
++
+ #
+ # etc_runtime_t is the type of various
+ # files in /etc that are automatically
+ # generated during initialization.
+ #
+-type etc_runtime_t;
++type etc_runtime_t, configfile;
+ files_type(etc_runtime_t)
+ #Temporarily in policy until FC5 dissappears
+ typealias etc_runtime_t alias firstboot_rw_t;
+diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
+index 59bae6a..2e55e71 100644
+--- a/policy/modules/kernel/filesystem.fc
++++ b/policy/modules/kernel/filesystem.fc
+@@ -2,5 +2,16 @@
+ /dev/shm/.* <>
+
+ /cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
++/cgroup/.* <>
+
++/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
++/lib/udev/devices/hugepages/.* <>
++
++/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
++/lib/udev/devices/shm/.* <>
++
++/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup(/.*)? <>
++
++/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
++/dev/hugepages(/.*)? <>
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 437a42a..54a884b 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
+ ')
+
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+ ########################################
+ ##
++## Relabelto cgroup directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabelto_cgroup_dirs',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
+ ## list cgroup directories.
+ ##
+ ##
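Review bot: The added `fs_search_tmpfs($1)` in fs_search_cgroup_dirs has no comment, and the same line is added to the list, delete, manage, read, write and rw cgroup interfaces in the hunks that follow. Every caller of a cgroup interface now also gets search on tmpfs directories, presumably because the cgroup hierarchy is mounted on a tmpfs, but a reader cannot tell that from the interface. I would add `# cgroup mounts sit on a tmpfs, so the parent directory must be searchable` above the first occurrence. The new fs_relabelto_cgroup_dirs does not get the call, and its gen_require block contains a stray blank line.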
+@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', `
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', `
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',`
+ ')
+
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',`
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', `
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',`
+ ')
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',`
+ ')
+
+ manage_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -1227,6 +1254,24 @@ interface(`fs_dontaudit_append_cifs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_read_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a CIFS or SMB filesystem.
+ ##
+@@ -1241,7 +1286,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+ type cifs_t;
+ ')
+
+- dontaudit $1 cifs_t:file rw_file_perms;
++ dontaudit $1 cifs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -1504,6 +1549,25 @@ interface(`fs_cifs_domtrans',`
+ domain_auto_transition_pattern($1, cifs_t, $2)
+ ')
+
++########################################
++##
++## Make general progams in cifs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which cifs_t is an entrypoint.
++##
++##
++#
++interface(`fs_cifs_entry_type',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ domain_entry_file($1, cifs_t)
++')
++
+ #######################################
+ ##
+ ## Create, read, write, and delete dirs
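Review bot: fs_cifs_entry_type makes cifs_t an entrypoint for the caller's domain, and files on a CIFS/SMB mount presumably all carry that one label, so any executable on any such share becomes a valid way into the domain. The same applies to fs_nfs_entry_type with nfs_t in the later hunk. The description should state this trust assumption, for example `## Any file on a CIFS share becomes a valid entrypoint; the server's content is trusted to that extent.`, so that callers are reviewed with it in mind. "progams" in both summaries should be "programs".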
+@@ -1931,7 +1995,26 @@ interface(`fs_read_fusefs_symlinks',`
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
++## Get the attributes of an hugetlbfs
++## filesystem;
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_hugetlbfs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $1 hugetlbfs_t:filesystem getattr;
++')
++
++########################################
++##
++## R/W hugetlbfs files.
+ ##
+ ##
+ ##
+@@ -1946,6 +2029,41 @@ interface(`fs_rw_hugetlbfs_files',`
+
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ ')
++########################################
++##
++## Manage hugetlbfs dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_hugetlbfs_dirs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
++## List hugetlbfs dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_hugetlbfs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $1 hugetlbfs_t:dir list_dir_perms;
++')
+
+ ########################################
+ ##
+@@ -1999,6 +2117,7 @@ interface(`fs_list_inotifyfs',`
+ ')
+
+ allow $1 inotifyfs_t:dir list_dir_perms;
++ fs_read_anon_inodefs_files($1)
+ ')
+
+ ########################################
+@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',`
+
+ ########################################
+ ##
++## Make general progams in nfs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which nfs_t is an entrypoint.
++##
++##
++#
++interface(`fs_nfs_entry_type',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ domain_entry_file($1, nfs_t)
++')
++
++########################################
++##
+ ## Append files
+ ## on a NFS filesystem.
+ ##
+@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a NFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_read_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a NFS filesystem.
+ ##
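Review bot: The parameter description of `fs_read_inherited_nfs_files` reads `Domain to not audit.`, but the body is an `allow` rule, so it should read `## Domain allowed access.`. The inverse slip appears in two new dontaudit interfaces in this patch, `fs_dontaudit_read_tmpfs_blk_dev` and `fs_dontaudit_leaks`, whose parameter text says `Domain allowed access.` and should say `## Domain to not audit.`. Left as is, the interface documentation misleads policy authors about whether a call grants access or only silences denials.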
+@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+ type nfs_t;
+ ')
+
+- dontaudit $1 nfs_t:file rw_file_perms;
++ dontaudit $1 nfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to write removable storage files.
++##
++##
++##
++## Domain not to audit.
++##
++##
++#
++interface(`fs_dontaudit_write_removable_files',`
++ gen_require(`
++ type removable_t;
++ ')
++
++ dontaudit $1 removable_t:file write_file_perms;
++')
++
++########################################
++##
+ ## Read removable storage symbolic links.
+ ##
+ ##
+@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+ #########################################
+ ##
+ ## Create, read, write, and delete symbolic links
+-## on a CIFS or SMB network filesystem.
++## on a NFS network filesystem.
+ ##
+ ##
+ ##
+@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+
+ ########################################
+ ##
++## dontaudit Read and write block nodes on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
++')
++
++########################################
++##
++## Relabelfrom directory on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabelfrom_tmpfs_dir',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
+ ## Relabel character nodes on tmpfs filesystems.
+ ##
+ ##
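Review bot: The summary for `fs_dontaudit_read_tmpfs_blk_dev` says "Read and write block nodes", while the rule covers only `read_blk_file_perms` and the interface name says read. A caller relying on the summary would expect write denials to be silenced as well. Suggested summary: `## Do not audit attempts to read block nodes on tmpfs filesystems.`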
+@@ -4252,6 +4462,8 @@ interface(`fs_mount_all_fs',`
+ ')
+
+ allow $1 filesystem_type:filesystem mount;
++# Mount checks write access on the dir
++ allow $1 filesystem_type:dir write;
+ ')
+
+ ########################################
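Review bot: The added `allow $1 filesystem_type:dir write;` gives every caller of `fs_mount_all_fs` write permission on directories of every filesystem type, and the one-line comment does not say which directory the mount check applies to. The interface's summary lies outside this hunk; it should mention that asking for mount now also yields a directory permission. I would indent the comment with the rule and expand it to name the directory involved and the bug or kernel check that requires it, so a later reviewer can judge whether the rule can be narrowed.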
+@@ -4662,3 +4874,24 @@ interface(`fs_unconfined',`
+
+ typeattribute $1 filesystem_unconfined_type;
+ ')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked filesystems files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_leaks',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++ dontaudit $1 filesystem_type:lnk_file { read };
++')
++
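Review bot: `fs_dontaudit_leaks` silences read/write denials on files of every `filesystem_type` for the caller, which also removes those events from the audit log for anyone investigating that domain. The description should say so and point readers at rebuilding with dontaudit rules disabled (`semodule -DB`) when a hidden denial is suspected. As a style point, `{ read }` on the `lnk_file` rule can be written as plain `read`.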
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 0dff98e..7f1a558 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -52,6 +52,7 @@ type anon_inodefs_t;
+ fs_type(anon_inodefs_t)
+ files_mountpoint(anon_inodefs_t)
+ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
++mls_trusted_object(anon_inodefs_t)
+
+ type bdev_t;
+ fs_type(bdev_t)
+@@ -67,10 +68,11 @@ fs_type(capifs_t)
+ files_mountpoint(capifs_t)
+ genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+-type cgroup_t;
++type cgroup_t alias cgroupfs_t;
+ fs_type(cgroup_t)
+ files_type(cgroup_t)
+ files_mountpoint(cgroup_t)
++dev_associate_sysfs(cgroup_t)
+ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
+ type configfs_t;
+@@ -100,12 +102,22 @@ type hugetlbfs_t;
+ fs_type(hugetlbfs_t)
+ files_mountpoint(hugetlbfs_t)
+ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
++dev_associate(hugetlbfs_t)
+
+ type ibmasmfs_t;
+ fs_type(ibmasmfs_t)
+ allow ibmasmfs_t self:filesystem associate;
+ genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+
++#
++# infinibandeventfs fs
++#
++
++type infinibandeventfs_t;
++fs_type(infinibandeventfs_t)
++allow infinibandeventfs_t self:filesystem associate;
++genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
++
+ type inotifyfs_t;
+ fs_type(inotifyfs_t)
+ genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+@@ -148,6 +160,12 @@ fs_type(squash_t)
+ genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+ files_mountpoint(squash_t)
+
++type sysv_t;
++fs_noxattr_type(sysv_t)
++files_mountpoint(sysv_t)
++genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
++genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
++
+ type vmblock_t;
+ fs_noxattr_type(vmblock_t)
+ files_mountpoint(vmblock_t)
+@@ -168,6 +186,7 @@ fs_type(tmpfs_t)
+ files_type(tmpfs_t)
+ files_mountpoint(tmpfs_t)
+ files_poly_parent(tmpfs_t)
++dev_associate(tmpfs_t)
+
+ # Use a transition SID based on the allocating task SID and the
+ # filesystem SID to label inodes in the following filesystem types,
+@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+ type removable_t;
+ allow removable_t noxattrfs:filesystem associate;
+ fs_noxattr_type(removable_t)
++files_type(removable_t)
++dev_node(removable_t)
+ files_mountpoint(removable_t)
+
+ #
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index ed7667a..10c14fe 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',`
+
+ ########################################
+ ##
++## Read/Write information from the debugging filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_debugfs',`
++ gen_require(`
++ type debugfs_t;
++ ')
++
++ rw_files_pattern($1, debugfs_t, debugfs_t)
++ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++ list_dirs_pattern($1, debugfs_t, debugfs_t)
++')
++
++########################################
++##
++## Manage information from the debugging filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_manage_debugfs',`
++ gen_require(`
++ type debugfs_t;
++ ')
++
++ manage_files_pattern($1, debugfs_t, debugfs_t)
++ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++ list_dirs_pattern($1, debugfs_t, debugfs_t)
++')
++
++########################################
++##
+ ## Mount a kernel VM filesystem.
+ ##
+ ##
+@@ -1977,7 +2017,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+ ')
+
+ dontaudit $1 sysctl_type:dir list_dir_perms;
+- dontaudit $1 sysctl_type:file getattr;
++ dontaudit $1 sysctl_type:file read_file_perms;
+ ')
+
+ ########################################
+@@ -2380,6 +2420,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+
+ ########################################
+ ##
++## Read and write unlabeled sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:socket rw_socket_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to get attributes for
+ ## unlabeled character devices.
+ ##
+@@ -2845,6 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+
+ ########################################
+ ##
++## Relabel to unlabeled context .
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelto_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir_file_class_set relabelto;
++')
++
++########################################
++##
+ ## Unconfined access to kernel module resources.
+ ##
+ ##
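Review bot: The summary `Relabel to unlabeled context .` does not say which object classes are covered, although the rule applies to everything in `dir_file_class_set`. Suggested wording: `## Relabel directories and all file classes to the unlabeled type.` The description should also state why a domain would need to relabel objects to `unlabeled_t`, since the hunk gives no rationale for this permission.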
+@@ -2860,3 +2936,23 @@ interface(`kernel_unconfined',`
+
+ typeattribute $1 kern_unconfined;
+ ')
++
++########################################
++##
++## Allow the specified domain to connect to
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_connect',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket connectto;
++')
++
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index e4f98ce..806026c 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+ #
+ type unlabeled_t;
+ sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
++fs_associate(unlabeled_t)
+
+ # These initial sids are no longer used, and can be removed:
+ sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t)
+
+ selinux_load_policy(kernel_t)
+
+-term_use_console(kernel_t)
++term_use_all_terms(kernel_t)
++term_use_ptmx(kernel_t)
+
+ corecmd_exec_shell(kernel_t)
+ corecmd_list_bin(kernel_t)
+@@ -268,19 +270,29 @@ files_list_root(kernel_t)
+ files_list_etc(kernel_t)
+ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
++files_manage_mounttab(kernel_t)
++files_manage_generic_spool_dirs(kernel_t)
+
+ mcs_process_set_categories(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
+
+ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_share_all_levels(kernel_t)
++
++logging_manage_generic_logs(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+ fs_rw_tmpfs_chr_files(kernel_t)
+ ')
+
++userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
++
+ optional_policy(`
+ hotplug_search_config(kernel_t)
+ ')
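Review bot: None of the rules added for `kernel_t` in this hunk carries a reason, in contrast to the `# Bugzilla 222337` note on the existing tmpfs rule. `files_manage_mounttab`, `files_manage_generic_spool_dirs`, `logging_manage_generic_logs`, `mcs_file_read_all`/`mcs_file_write_all` and `userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })` are each broad grants. A one-line why-comment or bug reference per group would let a later reviewer decide whether they can be dropped. The same holds for the switch from `term_use_console` to `term_use_all_terms` plus `term_use_ptmx` in the preceding hunk.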
+@@ -357,6 +369,10 @@ optional_policy(`
+ unconfined_domain_noaudit(kernel_t)
+ ')
+
++optional_policy(`
++ xserver_xdm_manage_spool(kernel_t)
++')
++
+ ########################################
+ #
+ # Unlabeled process local policy
+diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
+index f52faaf..3d62385 100644
+--- a/policy/modules/kernel/mcs.if
++++ b/policy/modules/kernel/mcs.if
+@@ -102,3 +102,30 @@ interface(`mcs_process_set_categories',`
+
+ typeattribute $1 mcssetcats;
+ ')
++
++########################################
++##
++## Make specified process type MCS untrusted.
++##
++##
++##
++## Make specified process type MCS untrusted. This
++## prevents this process from sending signals to other processes
++## with different mcs labels
++## object.
++##
++##
++##
++##
++## The type of the process.
++##
++##
++#
++interface(`mcs_untrusted_proc',`
++ gen_require(`
++ attribute mcsuntrustedproc;
++ ')
++
++ typeattribute $1 mcsuntrustedproc;
++')
++
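Review bot: The description of `mcs_untrusted_proc` says the interface prevents signalling across MCS labels, but the body only assigns the `mcsuntrustedproc` attribute. The constraint that would enforce this is not part of the visible change. The text should say that the attribute marks the type for such a constraint and name where the constraint is defined (presumably the MCS constraints file; please confirm). The stray `## object.` line looks like a copy-paste leftover and can be removed.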
+diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
+index 0e5b661..dbf577f 100644
+--- a/policy/modules/kernel/mcs.te
++++ b/policy/modules/kernel/mcs.te
+@@ -10,3 +10,5 @@ attribute mcsptraceall;
+ attribute mcssetcats;
+ attribute mcswriteall;
+ attribute mcsreadall;
++attribute mcsuntrustedproc;
++
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 786449a..a2e1cbc 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
+
+ # because of this statement, any module which
+ # calls this interface must be in the base module:
+- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
++# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+ ')
+
+ ########################################
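Review bot: Commenting out the `genfscon` line leaves the comment above it ("because of this statement, any module which calls this interface must be in the base module") describing a statement that no longer takes effect. The `$2` argument also appears unused in the visible part of `selinux_labeled_boolean`. Either delete the stale comment together with the dead line, or replace both with a short note saying that per-path labelling of boolean nodes was dropped on purpose and why. The interface starts before this hunk, so other uses of `$2` may exist there.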
+@@ -257,6 +257,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ selinux_dontaudit_getattr_fs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -278,6 +279,7 @@ interface(`selinux_get_enforce_mode',`
+ type security_t;
+ ')
+
++ selinux_get_fs_mount($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+ ')
+@@ -459,6 +461,7 @@ interface(`selinux_set_all_booleans',`
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
++ allow $1 boolean_type:dir list_dir_perms;
+ allow $1 boolean_type:file rw_file_perms;
+
+ if(!secure_mode_policyload) {
+@@ -677,3 +680,24 @@ interface(`selinux_unconfined',`
+
+ typeattribute $1 selinux_unconfined_type;
+ ')
++
++########################################
++##
++## Generate a file context for a boolean type
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_genbool',`
++ gen_require(`
++ attribute boolean_type;
++ ')
++
++ type $1, boolean_type;
++ fs_type($1)
++ mls_trusted_object($1)
++')
++
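Review bot: The documentation of `selinux_genbool` does not match its body. The summary says it generates a file context and the parameter is described as `Domain allowed access.`, but the interface declares `type $1, boolean_type;` and then applies `fs_type` and `mls_trusted_object` to it. Suggested text: summary `## Declare a type with the boolean_type attribute.` and parameter `## Type to be declared.`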
+diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
+index a9b8982..811b859 100644
+--- a/policy/modules/kernel/storage.fc
++++ b/policy/modules/kernel/storage.fc
+@@ -77,3 +77,6 @@ ifdef(`distro_redhat', `
+ /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+ /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
++
++/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
+index 3723150..bde6daa 100644
+--- a/policy/modules/kernel/storage.if
++++ b/policy/modules/kernel/storage.if
+@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
++ #577012
++ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
+ ')
+
+@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',`
+ type fixed_disk_device_t;
+ ')
+
++ allow $1 self:capability mknod;
++
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ dev_add_entry_generic_dirs($1)
+ ')
+diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
+index 3994e57..ee146ae 100644
+--- a/policy/modules/kernel/terminal.fc
++++ b/policy/modules/kernel/terminal.fc
+@@ -40,3 +40,5 @@ ifdef(`distro_gentoo',`
+ # used by init scripts to initally populate udev /dev
+ /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
+ ')
++
++/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 492bf76..87a6942 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -292,9 +292,11 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
++ type tty_device_t;
+ ')
+
+- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
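Review bot: `term_dontaudit_use_console` now also silences denials on `tty_device_t`, which its name does not suggest and which `term_dontaudit_use_unallocated_ttys` (changed further down in this file's diff) already covers. Every existing caller loses audit records for unallocated-tty access as a side effect. I would keep this interface limited to `console_device_t` and have callers that need both call both. Failing that, the summary, which lies outside this hunk, should mention unallocated ttys.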
+@@ -334,7 +336,7 @@ interface(`term_relabel_console',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 console_device_t:chr_file { relabelfrom relabelto };
++ allow $1 console_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
+@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
+ attribute ptynode;
+ ')
+
+- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+ ')
+
+ ########################################
+@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 tty_device_t:chr_file { relabelfrom relabelto };
++ allow $1 tty_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ type tty_device_t;
+ ')
+
+- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ #
+ interface(`term_getattr_all_ttys',`
+ gen_require(`
++ type tty_device_t;
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file getattr;
++ allow $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',`
+ interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file { relabelfrom relabelto };
++ allow $1 ttynode:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
+ attribute ttynode;
+ ')
+
+- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
+index 646bbcf..a5deade 100644
+--- a/policy/modules/kernel/terminal.te
++++ b/policy/modules/kernel/terminal.te
+@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
+ fs_associate_tmpfs(devpts_t)
+ fs_type(devpts_t)
+ fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
++dev_associate(devpts_t)
+
+ #
+ # devtty_t is the type of /dev/tty.
+diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
+index b0d5b27..a96f2e6 100644
+--- a/policy/modules/roles/auditadm.te
++++ b/policy/modules/roles/auditadm.te
+@@ -28,10 +28,13 @@ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t, auditadm_r)
+ logging_run_auditd(auditadm_t, auditadm_r)
++logging_stream_connect_syslog(auditadm_t)
+
+ seutil_run_runinit(auditadm_t, auditadm_r)
+ seutil_read_bin_policy(auditadm_t)
+
++userdom_dontaudit_search_admin_dir(auditadm_t)
++
+ optional_policy(`
+ consoletype_exec(auditadm_t)
+ ')
+diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
+index 1875064..e9c9277 100644
+--- a/policy/modules/roles/dbadm.te
++++ b/policy/modules/roles/dbadm.te
+@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
+ selinux_get_enforce_mode(dbadm_t)
+
+ logging_send_syslog_msg(dbadm_t)
++logging_send_audit_msgs(dbadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+@@ -58,3 +59,7 @@ optional_policy(`
+ optional_policy(`
+ postgresql_admin(dbadm_t, dbadm_r)
+ ')
++
++optional_policy(`
++ sudo_role_template(dbadm, dbadm_r, dbadm_t)
++')
+diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
+index 531c616..f332441 100644
+--- a/policy/modules/roles/guest.te
++++ b/policy/modules/roles/guest.te
+@@ -9,9 +9,15 @@ role guest_r;
+
+ userdom_restricted_user_template(guest)
+
++kernel_read_system_state(guest_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-#gen_user(guest_u,, guest_r, s0, s0)
++optional_policy(`
++ apache_role(guest_r, guest_t)
++')
++
++gen_user(guest_u, user, guest_r, s0, s0)
+diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
+index 5a3d720..924baee 100644
+--- a/policy/modules/roles/secadm.te
++++ b/policy/modules/roles/secadm.te
+@@ -9,6 +9,8 @@ role secadm_r;
+
+ userdom_unpriv_user_template(secadm)
+ userdom_security_admin_template(secadm_t, secadm_r)
++userdom_inherit_append_admin_home_files(secadm_t)
++userdom_read_admin_home_files(secadm_t)
+
+ ########################################
+ #
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index d62886d..cc51f57 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -8,12 +8,46 @@ policy_module(staff, 2.1.4)
+ role staff_r;
+
+ userdom_unpriv_user_template(staff)
++fs_exec_noxattr(staff_t)
++
++# needed for sandbox
++allow staff_t self:process setexec;
+
+ ########################################
+ #
+ # Local policy
+ #
+
++kernel_read_ring_buffer(staff_usertype)
++kernel_getattr_core_if(staff_usertype)
++kernel_getattr_message_if(staff_usertype)
++kernel_read_software_raid_state(staff_usertype)
++kernel_read_fs_sysctls(staff_usertype)
++
++domain_read_all_domains_state(staff_usertype)
++domain_getattr_all_domains(staff_usertype)
++domain_obj_id_change_exemption(staff_t)
++
++files_read_kernel_modules(staff_usertype)
++
++seutil_read_module_store(staff_t)
++seutil_run_newrole(staff_t, staff_r)
++
++term_use_unallocated_ttys(staff_usertype)
++
++auth_domtrans_pam_console(staff_t)
++
++init_dbus_chat(staff_t)
++init_dbus_chat_script(staff_t)
++
++miscfiles_read_hwdata(staff_usertype)
++
++modutils_read_module_config(staff_usertype)
++modutils_read_module_deps(staff_usertype)
++
++netutils_run_ping(staff_t, staff_r)
++netutils_signal_ping(staff_t)
++
+ optional_policy(`
+ apache_role(staff_r, staff_t)
+ ')
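Review bot: `allow staff_t self:process setexec;` is granted unconditionally although its comment ties it to sandbox. The sandbox rule for staff is added inside an `optional_policy` block in the next hunk, so the permission could live there, directly after `sandbox_transition(staff_t, staff_r)`. `fs_exec_noxattr(staff_t)` and `domain_obj_id_change_exemption(staff_t)` have no comment at all and would benefit from a one-line reason each.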
+@@ -27,25 +61,104 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ accountsd_dbus_chat(staff_t)
++ accountsd_read_lib_files(staff_t)
++')
++
++optional_policy(`
++ gnomeclock_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ firewallgui_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ lpd_list_spool(staff_t)
++')
++
++optional_policy(`
++ kerneloops_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ logadm_role_change(staff_r)
++')
++
++optional_policy(`
++ mozilla_run_plugin(staff_t, staff_r)
++')
++
++optional_policy(`
++ oident_manage_user_content(staff_t)
++ oident_relabel_user_content(staff_t)
++')
++
++optional_policy(`
+ postgresql_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
++ rtkit_scheduled(staff_t)
++')
++
++optional_policy(`
++ rpm_dbus_chat(staff_usertype)
++')
++
++optional_policy(`
+ secadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
+- ssh_role_template(staff, staff_r, staff_t)
++ sandbox_transition(staff_t, staff_r)
+ ')
+
+ optional_policy(`
+- sudo_role_template(staff, staff_r, staff_t)
++ screen_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ sysadm_role_change(staff_r)
+ userdom_dontaudit_use_user_terminals(staff_t)
+ ')
++optional_policy(`
++ setroubleshoot_stream_connect(staff_t)
++ setroubleshoot_dbus_chat(staff_t)
++ setroubleshoot_dbus_chat_fixit(staff_t)
++')
++
++optional_policy(`
++ ssh_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ sudo_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ telepathy_dbus_session_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ userhelper_console_role_template(staff, staff_r, staff_usertype)
++')
++
++optional_policy(`
++ unconfined_role_change(staff_r)
++')
++
++optional_policy(`
++ virt_stream_connect(staff_t)
++')
++
++optional_policy(`
++ vnstatd_read_lib_files(staff_t)
++')
++
++optional_policy(`
++ webadm_role_change(staff_r)
++')
+
+ optional_policy(`
+ vlock_run(staff_t, staff_r)
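Review bot: `unconfined_role_change(staff_r)` is added with no comment and no tunable around it. Its definition is not visible here, but judging by the sibling `sysadm_role_change` and `secadm_role_change` calls it lets `staff_r` change to `unconfined_r`, a direct path from a confined login role to the unconfined one. That deserves at least a why-comment, and ideally a boolean so sites can turn it off. As a style point, the new `setroubleshoot` block starts immediately after the preceding `')` without the blank line used between the other `optional_policy` blocks.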
+@@ -137,10 +250,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- screen_role_template(staff, staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+ ')
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index d5e88be..ab4b892 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
+ #
+ # Local policy
+ #
++kernel_read_fs_sysctls(sysadm_t)
+
+ corecmd_exec_shell(sysadm_t)
+
++domain_dontaudit_read_all_domains_state(sysadm_t)
++
++files_read_kernel_modules(sysadm_t)
++
+ mls_process_read_up(sysadm_t)
++mls_file_read_to_clearance(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
+
+ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
+ ubac_fd_exempt(sysadm_t)
+
++application_exec(sysadm_t)
++
+ init_exec(sysadm_t)
++init_exec_script_files(sysadm_t)
++init_dbus_chat(sysadm_t)
++init_script_role_transition(sysadm_r)
++
++modutils_read_module_deps(sysadm_t)
++
++miscfiles_read_hwdata(sysadm_t)
+
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_user_tmp_dirs(sysadm_t)
++userdom_manage_user_tmp_files(sysadm_t)
++userdom_manage_user_tmp_symlinks(sysadm_t)
++userdom_manage_user_tmp_chr_files(sysadm_t)
++userdom_manage_user_tmp_blk_files(sysadm_t)
+
+ ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
+ logging_run_auditctl(sysadm_t, sysadm_r)
++ logging_stream_connect_syslog(sysadm_t)
+ ')
+
+ tunable_policy(`allow_ptrace',`
+@@ -69,7 +91,6 @@ optional_policy(`
+ apache_run_helper(sysadm_t, sysadm_r)
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+- apache_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -98,6 +119,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ certmonger_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r)
+ ')
+
+@@ -114,7 +139,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- cvs_exec(sysadm_t)
++ daemonstools_run_start(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -163,6 +188,13 @@ optional_policy(`
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
++ ipsec_run_setkey(sysadm_t, sysadm_r)
++ ipsec_run_racoon(sysadm_t, sysadm_r)
++ ipsec_stream_connect_racoon(sysadm_t)
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(sysadm_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -170,15 +202,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kudzu_run(sysadm_t, sysadm_r)
++ kerberos_exec_kadmind(sysadm_t)
+ ')
+
+ optional_policy(`
+- libs_run_ldconfig(sysadm_t, sysadm_r)
++ kudzu_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- lockdev_role(sysadm_r, sysadm_t)
++ libs_run_ldconfig(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -202,14 +234,7 @@ optional_policy(`
+
+ optional_policy(`
+ mount_run(sysadm_t, sysadm_r)
+-')
+-
+-optional_policy(`
+- mozilla_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+- mplayer_role(sysadm_r, sysadm_t)
++ mount_run_showmount(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -225,6 +250,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ncftool_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
+@@ -253,7 +282,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- pyzor_role(sysadm_r, sysadm_t)
++ prelink_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -265,10 +294,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- razor_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ rpc_domtrans_nfsd(sysadm_t)
+ ')
+
+@@ -276,9 +301,6 @@ optional_policy(`
+ rpm_run(sysadm_t, sysadm_r)
+ ')
+
+-optional_policy(`
+- rssh_role(sysadm_r, sysadm_t)
+-')
+
+ optional_policy(`
+ rsync_exec(sysadm_t)
+@@ -303,7 +325,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- spamassassin_role(sysadm_r, sysadm_t)
++ shutdown_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -328,10 +350,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- thunderbird_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ tripwire_run_siggen(sysadm_t, sysadm_r)
+ tripwire_run_tripwire(sysadm_t, sysadm_r)
+ tripwire_run_twadmin(sysadm_t, sysadm_r)
+@@ -339,18 +357,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- tvtime_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ tzdata_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
+- uml_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ unconfined_domtrans(sysadm_t)
+ ')
+
+@@ -363,17 +373,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r)
+ usermanage_run_groupadd(sysadm_t, sysadm_r)
+ usermanage_run_useradd(sysadm_t, sysadm_r)
+ ')
+
++
+ optional_policy(`
+- vmware_role(sysadm_r, sysadm_t)
++ vpn_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -385,7 +392,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- wireshark_role(sysadm_r, sysadm_t)
++ virt_stream_connect(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -400,8 +407,15 @@ optional_policy(`
+ yam_run(sysadm_t, sysadm_r)
+ ')
+
++optional_policy(`
++ zebra_stream_connect(sysadm_t)
++')
++
+ ifndef(`distro_redhat',`
+ optional_policy(`
++ apache_role(sysadm_r, sysadm_t)
++ ')
++ optional_policy(`
+ auth_role(sysadm_r, sysadm_t)
+ ')
+
+@@ -448,5 +462,60 @@ ifndef(`distro_redhat',`
+ optional_policy(`
+ java_role(sysadm_r, sysadm_t)
+ ')
+-')
+
++ optional_policy(`
++ lockdev_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ mozilla_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ mplayer_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ pyzor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ razor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ rssh_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ spamassassin_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ thunderbird_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ tvtime_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ uml_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ vmware_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ wireshark_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ xserver_role(sysadm_r, sysadm_t)
++ ')
++')
+diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
+new file mode 100644
+index 0000000..0e8654b
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.fc
+@@ -0,0 +1,8 @@
++# Add programs here which should not be confined by SELinux
++# e.g.:
++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++
++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
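Review bot: Only the vncserver entry is covered by the "until someone writes a sane policy" comment; `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` are labelled `unconfined_exec_t` with no explanation. These look like remote-desktop daemons that accept network connections, so running them unconfined should be marked as a stop-gap. Suggested comment above the two lines: `# TODO: xrdp runs unconfined until a dedicated policy module exists`.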
+diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
+new file mode 100644
+index 0000000..8b2cdf3
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.if
+@@ -0,0 +1,687 @@
++## Unconfiend user role
++
++########################################
++##
++## Change from the unconfineduser role.
++##
++##
++##
++## Change from the unconfineduser role to
++## the specified role.
++##
++##
++## This is an interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change_to',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow unconfined_r $1;
++')
++
++########################################
++##
++## Transition to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_domtrans',`
++ gen_require(`
++ type unconfined_t, unconfined_exec_t;
++ ')
++
++ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
++')
++
++########################################
++##
++## Execute specified programs in the unconfined domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to allow the unconfined domain.
++##
++##
++#
++interface(`unconfined_run',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ unconfined_domtrans($1)
++ role $2 types unconfined_t;
++')
++
++########################################
++##
++## Transition to the unconfined domain by executing a shell.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_shell_domtrans',`
++ gen_require(`
++ attribute unconfined_login_domain;
++ ')
++ typeattribute $1 unconfined_login_domain;
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_domtrans_to',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_run_to',`
++ gen_require(`
++ type unconfined_t;
++ role unconfined_r;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++ role unconfined_r types $1;
++ userdom_use_user_terminals($1)
++')
++
++########################################
++##
++## Inherit file descriptors from the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_use_fds',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fd use;
++')
++
++########################################
++##
++## Send a SIGCHLD signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_sigchld',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process sigchld;
++')
++
++########################################
++##
++## Send a SIGNULL signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signull',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signull;
++')
++
++########################################
++##
++## Send a SIGNULL signal to the unconfined execmem domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_signull',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:process signull;
++')
++
++########################################
++##
++## Send a signal to the unconfined execmem domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_signal',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:process signal;
++')
++
++########################################
++##
++## Send generic signals to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signal',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signal;
++')
++
++########################################
++##
++## Read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dontaudit_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file read;
++')
++
++########################################
++##
++## Read and write unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain unnamed pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain stream.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_stream',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Connect to the unconfined domain using
++## a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_stream_connect',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++## This interface was added due to a broken
++## symptom in ldconfig.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_tcp_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:tcp_socket { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++## This interface was added due to a broken
++## symptom.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_packet_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:packet_socket { read write };
++')
++
++########################################
++##
++## Create keys for the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_create_keys',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:key create;
++')
++
++########################################
++##
++## Send messages to the unconfined domain over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_send',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
++## unconfined_t over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_chat',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++ allow unconfined_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Connect to the the unconfined DBUS
++## for service (acquire_svc).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_connect',`
++ gen_require(`
++ type unconfined_t;
++ class dbus acquire_svc;
++ ')
++
++ allow $1 unconfined_t:dbus acquire_svc;
++')
++
++########################################
++##
++## Allow ptrace of unconfined domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_ptrace',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process ptrace;
++')
++
++########################################
++##
++## Read and write to unconfined shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`unconfined_rw_shm',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:shm rw_shm_perms;
++')
++
++########################################
++##
++## Read and write to unconfined execmem shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`unconfined_execmem_rw_shm',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:shm rw_shm_perms;
++')
++
++########################################
++##
++## Transition to the unconfined_execmem domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_domtrans',`
++
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ execmem_domtrans($1, unconfined_execmem_t)
++')
++
++########################################
++##
++## execute the execmem applications
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_exec',`
++
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ can_exec($1, execmem_exec_t)
++')
++
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_set_rlimitnh',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process rlimitinh;
++')
++
++########################################
++##
++## Get the process group of unconfined.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_getpgid',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process getpgid;
++')
++
++########################################
++##
++## Change to the unconfined role.
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow $1 unconfined_r;
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by unconfined_t users.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_attach_tun_iface',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
++')
++
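Review bot: The summary of `unconfined_set_rlimitnh` ("Allow apps to set rlimits on userdomain") does not match its rule, `allow $1 unconfined_t:process rlimitinh;`, which concerns inheriting resource limits across a transition into `unconfined_t`, not setting them. A summary such as `## Allow the unconfined domain to inherit resource limits from the specified domain.` would describe what is granted. The interface name also drops an "i" from the permission name; its callers are outside this hunk, so a rename would need the old name kept as well. In the same file, `unconfined_dontaudit_rw_pipes` uses `rw_file_perms` on a `fifo_file` while `unconfined_rw_pipes` uses `rw_fifo_file_perms`; using `rw_fifo_file_perms` in both keeps the pair parallel.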
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+new file mode 100644
+index 0000000..31bbe95
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.te
+@@ -0,0 +1,489 @@
++policy_module(unconfineduser, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++attribute unconfined_login_domain;
++
++##
++##
++## Transition unconfined user to the nsplugin domains when running nspluginviewer
++##
++##
++gen_tunable(allow_unconfined_nsplugin_transition, false)
++
++##
++##
++## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container.
++##
++##
++gen_tunable(unconfined_mozilla_plugin_transition, false)
++
++##
++##
++## Allow vidio playing tools to tun unconfined
++##
++##
++gen_tunable(unconfined_mplayer, false)
++
++##
++##
++## Allow a user to login as an unconfined domain
++##
++##
++gen_tunable(unconfined_login, true)
++
++##
++##
++## Transition to confined qemu domains from unconfined user
++##
++##
++gen_tunable(allow_unconfined_qemu_transition, false)
++
++# usage in this module of types created by these
++# calls is not correct, however we dont currently
++# have another method to add access to these types
++userdom_base_user_template(unconfined)
++userdom_manage_home_role(unconfined_r, unconfined_t)
++userdom_manage_tmp_role(unconfined_r, unconfined_t)
++userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
++userdom_unpriv_usertype(unconfined, unconfined_t)
++
++type unconfined_exec_t;
++init_system_domain(unconfined_t, unconfined_exec_t)
++role unconfined_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++
++domain_user_exemption_target(unconfined_t)
++allow system_r unconfined_r;
++allow unconfined_r system_r;
++init_script_role_transition(unconfined_r)
++role system_r types unconfined_t;
++typealias unconfined_t alias unconfined_crontab_t;
++
++type unconfined_notrans_t;
++type unconfined_notrans_exec_t;
++init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
++role unconfined_r types unconfined_notrans_t;
++
++########################################
++#
++# Local policy
++#
++
++dontaudit unconfined_t self:dir write;
++dontaudit unconfined_t self:file setattr;
++
++allow unconfined_t self:system syslog_read;
++dontaudit unconfined_t self:capability sys_module;
++
++files_create_boot_flag(unconfined_t)
++files_create_default_dir(unconfined_t)
++files_root_filetrans_default(unconfined_t, dir)
++
++mcs_killall(unconfined_t)
++mcs_ptrace_all(unconfined_t)
++mls_file_write_all_levels(unconfined_t)
++
++init_run_daemon(unconfined_t, unconfined_r)
++init_domtrans_script(unconfined_t)
++init_telinit(unconfined_t)
++
++libs_run_ldconfig(unconfined_t, unconfined_r)
++
++logging_send_syslog_msg(unconfined_t)
++logging_run_auditctl(unconfined_t, unconfined_r)
++
++mount_run_unconfined(unconfined_t, unconfined_r)
++# Unconfined running as system_r
++mount_domtrans_unconfined(unconfined_t)
++
++seutil_run_setsebool(unconfined_t, unconfined_r)
++seutil_run_setfiles(unconfined_t, unconfined_r)
++seutil_run_semanage(unconfined_t, unconfined_r)
++
++unconfined_domain_noaudit(unconfined_t)
++
++userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
++
++usermanage_run_passwd(unconfined_t, unconfined_r)
++usermanage_run_chfn(unconfined_t, unconfined_r)
++
++tunable_policy(`allow_execmem',`
++ allow unconfined_t self:process execmem;
++')
++
++tunable_policy(`allow_execmem && allow_execstack',`
++ allow unconfined_t self:process execstack;
++')
++
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(unconfined_usertype)
++')
++
++tunable_policy(`unconfined_login',`
++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
++ allow unconfined_t unconfined_login_domain:fd use;
++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
++ allow unconfined_t unconfined_login_domain:process sigchld;
++')
++
++optional_policy(`
++ gen_require(`
++ attribute unconfined_usertype;
++ ')
++
++ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
++ optional_policy(`
++ tunable_policy(`allow_unconfined_nsplugin_transition',`
++ nsplugin_domtrans(unconfined_usertype)
++ nsplugin_domtrans_config(unconfined_usertype)
++ ')
++ ')
++
++ optional_policy(`
++ abrt_dbus_chat(unconfined_usertype)
++ abrt_run_helper(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
++ avahi_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ certmonger_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat(unconfined_usertype)
++ devicekit_dbus_chat_disk(unconfined_usertype)
++ devicekit_dbus_chat_power(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ policykit_role(unconfined_r, unconfined_usertype)
++ ')
++
++ optional_policy(`
++ rtkit_scheduled(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ setroubleshoot_dbus_chat(unconfined_usertype)
++ setroubleshoot_dbus_chat_fixit(unconfined_t)
++ ')
++
++ optional_policy(`
++ sandbox_transition(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
++ shutdown_run(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ tzdata_run(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ xserver_rw_session(unconfined_usertype, user_tmpfs_t)
++ xserver_run_xauth(unconfined_usertype, unconfined_r)
++ xserver_dbus_chat_xdm(unconfined_usertype)
++ ')
++')
++
++ifdef(`distro_gentoo',`
++ seutil_run_runinit(unconfined_t, unconfined_r)
++ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ accountsd_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ ada_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ alsa_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ apache_run_helper(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ bind_run_ndc(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ bootloader_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ cron_unconfined_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
++ chrome_role(unconfined_r, unconfined_usertype)
++')
++
++optional_policy(`
++ dbus_role_template(unconfined, unconfined_r, unconfined_t)
++
++ optional_policy(`
++ unconfined_domain(unconfined_dbusd_t)
++ unconfined_execmem_domtrans(unconfined_dbusd_t)
++
++ optional_policy(`
++ xserver_rw_shm(unconfined_dbusd_t)
++ ')
++ ')
++
++ init_dbus_chat(unconfined_usertype)
++ init_dbus_chat_script(unconfined_usertype)
++
++ dbus_stub(unconfined_t)
++
++ optional_policy(`
++ bluetooth_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ cups_dbus_chat_config(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ fprintd_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat(unconfined_usertype)
++ gnome_dbus_chat_gconfdefault(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ kerneloops_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ oddjob_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ vpn_dbus_chat(unconfined_usertype)
++ ')
++')
++
++optional_policy(`
++ firewallgui_dbus_chat(unconfined_usertype)
++')
++
++optional_policy(`
++ firstboot_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ ftp_run_ftpdctl(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ gpsd_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ java_run_unconfined(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ livecd_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ lpd_run_checkpc(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ modutils_run_update_mods(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ mono_role_template(unconfined, unconfined_r, unconfined_t)
++ unconfined_domain_noaudit(unconfined_mono_t)
++ role system_r types unconfined_mono_t;
++')
++
++
++optional_policy(`
++ mozilla_role_plugin(unconfined_r)
++
++ tunable_policy(`unconfined_mozilla_plugin_transition', `
++ mozilla_domtrans_plugin(unconfined_usertype)
++ ')
++')
++
++optional_policy(`
++ ncftool_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ prelink_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ portmap_run_helper(unconfined_t, unconfined_r)
++')
++
++#optional_policy(`
++# ppp_run(unconfined_t, unconfined_r)
++#')
++
++optional_policy(`
++ qemu_unconfined_role(unconfined_r)
++
++ tunable_policy(`allow_unconfined_qemu_transition',`
++ qemu_domtrans(unconfined_t)
++ ',`
++ qemu_domtrans_unconfined(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ rpm_run(unconfined_t, unconfined_r)
++ # Allow SELinux aware applications to request rpm_script execution
++ rpm_transition_script(unconfined_t)
++ rpm_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ optional_policy(`
++ samba_run_unconfined_net(unconfined_t, unconfined_r)
++ ')
++
++ samba_role_notrans(unconfined_r)
++# samba_run_winbind_helper(unconfined_t, unconfined_r)
++ samba_run_smbcontrol(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ sendmail_run_unconfined(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ sysnet_run_dhcpc(unconfined_t, unconfined_r)
++ sysnet_dbus_chat_dhcpc(unconfined_t)
++ sysnet_role_transition_dhcpc(unconfined_r)
++')
++
++optional_policy(`
++ telepathy_dbus_session_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
++ vbetool_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ virt_transition_svirt(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ vpn_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ webalizer_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ wine_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ xserver_run(unconfined_t, unconfined_r)
++')
++
++########################################
++#
++# Unconfined Execmem Local policy
++#
++
++optional_policy(`
++ execmem_role_template(unconfined, unconfined_r, unconfined_t)
++ typealias unconfined_execmem_t alias execmem_t;
++ typealias unconfined_execmem_t alias unconfined_openoffice_t;
++ unconfined_domain_noaudit(unconfined_execmem_t)
++ allow unconfined_execmem_t unconfined_t:process transition;
++ rpm_transition_script(unconfined_execmem_t)
++ role system_r types unconfined_execmem_t;
++
++ optional_policy(`
++ init_dbus_chat_script(unconfined_execmem_t)
++ dbus_system_bus_client(unconfined_execmem_t)
++ unconfined_dbus_chat(unconfined_execmem_t)
++ unconfined_dbus_connect(unconfined_execmem_t)
++ ')
++
++ optional_policy(`
++ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
++ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ ')
++ ')
++
++ optional_policy(`
++ tunable_policy(`unconfined_login',`
++ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ ')
++ ')
++
++ optional_policy(`
++ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ ')
++')
++
++########################################
++#
++# Unconfined notrans Local policy
++#
++
++allow unconfined_notrans_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_notrans_t)
++userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
++# Allow SELinux aware applications to request rpm_script execution
++rpm_transition_script(unconfined_notrans_t)
++domain_ptrace_all_domains(unconfined_notrans_t)
++
++########################################
++#
++# Unconfined mount local policy
++#
++
++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
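Review bot: The `unconfined_mplayer` tunable declared at the top of this file (default false) is never referenced in it; the `mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)` call is instead wrapped in a tunable_policy block on `unconfined_login`, which defaults to true. If the mplayer transition into the execmem domain was meant to be opt-in, that condition should name `unconfined_mplayer` instead. Separately, `allow unconfined_notrans_t self:process { execstack execmem };` is unconditional, while the same permissions for `unconfined_t` are gated on `allow_execmem` and `allow_execstack`, so those booleans do not cover the notrans domain. If that is intended, a comment such as `# notrans domain is exempt from allow_execmem/allow_execstack by design` above the rule would make it auditable.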
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index 606a257..ea81c3f 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -12,15 +12,46 @@ role user_r;
+
+ userdom_unpriv_user_template(user)
+
++fs_exec_noxattr(user_t)
++
+ optional_policy(`
+ apache_role(user_r, user_t)
+ ')
+
+ optional_policy(`
++ oident_manage_user_content(user_t)
++ oident_relabel_user_content(user_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(user_t, user_r)
++')
++
++optional_policy(`
++ rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(user_t)
++')
++
++optional_policy(`
++ sandbox_transition(user_t, user_r)
++')
++
++optional_policy(`
+ screen_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
++ setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
++optional_policy(`
++ telepathy_dbus_session_role(user_r, user_t)
++')
++
++optional_policy(`
+ vlock_run(user_t, user_r)
+ ')
+
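Review bot: `fs_exec_noxattr(user_t)` is added unconditionally and without a comment, whereas xguest.te in this same patch keeps the identical call for `xguest_t` inside an `ifndef` on `enable_mls`. The call lets the unprivileged user domain execute files from filesystems that cannot carry per-file labels, so it deserves the same guard or a stated reason for omitting it. At minimum I would add `# allow executing from filesystems without xattr support (e.g. removable media); not wanted under MLS` above the line, and confirm whether the MLS guard should apply here too.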
+@@ -114,7 +145,7 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- spamassassin_role(user_r, user_t)
++ spamassassin_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
+index 0ecc786..dbf2710 100644
+--- a/policy/modules/roles/webadm.te
++++ b/policy/modules/roles/webadm.te
+@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
+
+ logging_send_syslog_msg(webadm_t)
++logging_send_audit_msgs(webadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(webadm_t)
+
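Review bot: `logging_send_audit_msgs(webadm_t)` is added with no comment naming which program run by `webadm_t` needs to emit audit records. Letting a delegated admin domain write user-space audit messages bears on how far the audit trail can be trusted, so the reason should be recorded next to the rule, e.g. `# needed by <program> when run by webadm_t (placeholder: name the tool)`.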
+diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
+index e88b95f..b8b5c15 100644
+--- a/policy/modules/roles/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
+
+ ##
+ ##
+-## Allow xguest to configure Network Manager
++## Allow xguest to configure Network Manager and connect to apache ports
+ ##
+ ##
+ gen_tunable(xguest_connect_network, true)
+@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true)
+ role xguest_r;
+
+ userdom_restricted_xwindows_user_template(xguest)
++sysnet_dns_name_resolve(xguest_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+-
+ ifndef(`enable_mls',`
+ fs_exec_noxattr(xguest_t)
+
+@@ -48,12 +48,21 @@ ifndef(`enable_mls',`
+ storage_raw_read_removable_device(xguest_t)
+ ')
+ ')
++# Dontaudit fusermount
++mount_dontaudit_exec_fusermount(xguest_t)
++
++allow xguest_t self:process execmem;
++kernel_dontaudit_request_load_module(xguest_t)
++
++tunable_policy(`allow_execstack',`
++ allow xguest_t self:process execstack;
++')
+
+ # Allow mounting of file systems
+ optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+-
++ kernel_request_load_module(xguest_t)
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
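Review bot: `allow xguest_t self:process execmem;` is granted unconditionally to the guest domain, while the `execstack` rule added directly below it is gated on `allow_execstack`. unconfineduser.te in this patch gates `execmem` for `unconfined_t` on the `allow_execmem` tunable; wrapping this rule in the same tunable_policy block on `allow_execmem` would let an administrator switch it off for the most restricted login role. If some xguest application needs it regardless, a comment naming that application above the rule would justify the exception.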
+@@ -62,10 +71,9 @@ optional_policy(`
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
++ fs_mount_fusefs(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+-
+- init_read_utmp(xguest_t)
+ ')
+ ')
+
+@@ -76,23 +84,95 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ chrome_role(xguest_r, xguest_usertype)
++')
++
++
++optional_policy(`
+ hal_dbus_chat(xguest_t)
+ ')
+
+ optional_policy(`
+- java_role(xguest_r, xguest_t)
++ apache_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++ gnomeclock_dontaudit_dbus_chat(xguest_t)
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
++ java_role_template(xguest, xguest_r, xguest_t)
++')
++
++optional_policy(`
++ mono_role_template(xguest, xguest_r, xguest_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(xguest_t, xguest_r)
++')
++
++optional_policy(`
++ nsplugin_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++ pcscd_read_pub_files(xguest_usertype)
++ pcscd_stream_connect(xguest_usertype)
+ ')
+
+ optional_policy(`
+ tunable_policy(`xguest_connect_network',`
++ kernel_read_network_state(xguest_usertype)
++
+ networkmanager_dbus_chat(xguest_t)
+- corenet_tcp_connect_pulseaudio_port(xguest_t)
+- corenet_tcp_connect_ipp_port(xguest_t)
++ networkmanager_read_lib_files(xguest_t)
++ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
++ corenet_all_recvfrom_unlabeled(xguest_usertype)
++ corenet_all_recvfrom_netlabel(xguest_usertype)
++ corenet_tcp_sendrecv_generic_if(xguest_usertype)
++ corenet_raw_sendrecv_generic_if(xguest_usertype)
++ corenet_tcp_sendrecv_generic_node(xguest_usertype)
++ corenet_raw_sendrecv_generic_node(xguest_usertype)
++ corenet_tcp_sendrecv_http_port(xguest_usertype)
++ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
++ corenet_tcp_sendrecv_squid_port(xguest_usertype)
++ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
++ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
++ corenet_tcp_connect_http_port(xguest_usertype)
++ corenet_tcp_connect_http_cache_port(xguest_usertype)
++ corenet_tcp_connect_squid_port(xguest_usertype)
++ corenet_tcp_connect_flash_port(xguest_usertype)
++ corenet_tcp_connect_ftp_port(xguest_usertype)
++ corenet_tcp_connect_ipp_port(xguest_usertype)
++ corenet_tcp_connect_generic_port(xguest_usertype)
++ corenet_tcp_connect_soundd_port(xguest_usertype)
++ corenet_sendrecv_http_client_packets(xguest_usertype)
++ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
++ corenet_sendrecv_squid_client_packets(xguest_usertype)
++ corenet_sendrecv_ftp_client_packets(xguest_usertype)
++ corenet_sendrecv_ipp_client_packets(xguest_usertype)
++ corenet_sendrecv_generic_client_packets(xguest_usertype)
++ # Should not need other ports
++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
++ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
++ corenet_tcp_connect_speech_port(xguest_usertype)
++ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
++ corenet_tcp_connect_transproxy_port(xguest_usertype)
++ ')
++
++ optional_policy(`
++ telepathy_dbus_session_role(xguest_r, xguest_t)
++ ')
++')
++
++optional_policy(`
++ gen_require(`
++ type mozilla_t;
+ ')
++
++ allow xguest_t mozilla_t:process transition;
++ role xguest_r types mozilla_t;
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
++gen_user(xguest_u, user, xguest_r, s0, s0)
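Review bot: Inside the `xguest_connect_network` block, `corenet_tcp_connect_generic_port(xguest_usertype)` lets the guest domains connect to generically labelled TCP ports, which sits oddly with the `# Should not need other ports` comment and the dontaudit rules that follow it. The tunable's description, changed in an earlier hunk of this file to "configure Network Manager and connect to apache ports", also understates what the block grants: squid, ftp, ipp, flash, soundd, speech, transproxy and generic ports are all opened. I would either drop the generic-port connect rule or widen the description, e.g. `## Allow xguest to configure Network Manager and connect to web, proxy, FTP, printing and generic TCP ports`. The block also moves most rules from `xguest_t` to `xguest_usertype`, so the grant extends to every type carrying that attribute; a short comment saying so would help.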
+diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
+index 1bd5812..3b3ba64 100644
+--- a/policy/modules/services/abrt.fc
++++ b/policy/modules/services/abrt.fc
+@@ -15,6 +15,7 @@
+
+ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+ /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
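Review bot: The new `/var/run/abrtd?\.socket` entry uses the `--` file-type specifier, which matches regular files only. If this path is a Unix domain socket, as the name suggests, the entry will never apply, and the `/var/run/abrt(/.*)?` pattern below does not cover it either, so the socket would keep whatever default label its directory gives it. The specifier should be `-s`: `/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)`.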
+diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
+index 0b827c5..8961dba 100644
+--- a/policy/modules/services/abrt.if
++++ b/policy/modules/services/abrt.if
+@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
+ type abrt_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern($1, abrt_t)
+ ')
+
+@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',`
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit abrt_helper_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
+@@ -160,8 +165,25 @@ interface(`abrt_run_helper',`
+
+ ########################################
+ ##
+-## Send and receive messages from
+-## abrt over dbus.
++## Append abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_cache_append',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++ append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++##
++## Manage abrt cache
+ ##
+ ##
+ ##
+@@ -253,6 +275,24 @@ interface(`abrt_manage_pid_files',`
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+ ')
+
++########################################
++##
++## Read and write abrt fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_rw_fifo_file',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ #####################################
+ ##
+ ## All of the rules required to administrate
+@@ -286,18 +326,18 @@ interface(`abrt_admin',`
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+- files_search_var($1)
++ files_list_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+ ')
+diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
+index 98646c4..5be7dc8 100644
+--- a/policy/modules/services/abrt.te
++++ b/policy/modules/services/abrt.te
+@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
+ # Declarations
+ #
+
++##
++##
++## Allow ABRT to modify public files
++## used for public file transfer services.
++##
++##
++gen_tunable(abrt_anon_write, false)
++
+ type abrt_t;
+ type abrt_exec_t;
+ init_daemon_domain(abrt_t, abrt_exec_t)
+@@ -50,7 +58,7 @@ ifdef(`enable_mcs',`
+
+ allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+ dontaudit abrt_t self:capability sys_rawio;
+-allow abrt_t self:process { signal signull setsched getsched };
++allow abrt_t self:process { sigkill signal signull setsched getsched };
+
+ allow abrt_t self:fifo_file rw_fifo_file_perms;
+ allow abrt_t self:tcp_socket create_stream_socket_perms;
+@@ -69,6 +77,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
++can_exec(abrt_t, abrt_tmp_t)
+
+ # abrt var/cache files
+ manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
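Review bot: `can_exec(abrt_t, abrt_tmp_t)` makes abrt_tmp_t both writable and executable by abrt_t, because the context lines above already grant `manage_files_pattern` on that type and a file transition into the tmp directory. That removes the write/execute separation for this domain, and nothing in the hunk says why it is needed. A comment on the rule, e.g. `# <reason abrt must execute files it creates in tmp>`, would record the justification. If only specific generated files need to run, giving them a dedicated type would keep abrt_tmp_t non-executable.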
+@@ -82,7 +91,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
++files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
+
+ kernel_read_ring_buffer(abrt_t)
+ kernel_read_system_state(abrt_t)
+@@ -121,6 +130,8 @@ files_read_generic_tmp_files(abrt_t)
+ files_read_kernel_modules(abrt_t)
+ files_dontaudit_list_default(abrt_t)
+ files_dontaudit_read_default_files(abrt_t)
++files_dontaudit_read_all_symlinks(abrt_t)
++files_dontaudit_getattr_all_sockets(abrt_t)
+
+ fs_list_inotifyfs(abrt_t)
+ fs_getattr_all_fs(abrt_t)
+@@ -131,7 +142,7 @@ fs_read_nfs_files(abrt_t)
+ fs_read_nfs_symlinks(abrt_t)
+ fs_search_all(abrt_t)
+
+-sysnet_read_config(abrt_t)
++sysnet_dns_name_resolve(abrt_t)
+
+ logging_read_generic_logs(abrt_t)
+ logging_send_syslog_msg(abrt_t)
+@@ -140,6 +151,15 @@ miscfiles_read_generic_certs(abrt_t)
+ miscfiles_read_localization(abrt_t)
+
+ userdom_dontaudit_read_user_home_content_files(abrt_t)
++userdom_dontaudit_read_admin_home_files(abrt_t)
++
++tunable_policy(`abrt_anon_write',`
++ miscfiles_manage_public_files(abrt_t)
++')
++
++optional_policy(`
++ apache_read_modules(abrt_t)
++')
+
+ optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+@@ -150,6 +170,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ nsplugin_read_rw_files(abrt_t)
++ nsplugin_read_home(abrt_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+@@ -178,12 +203,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sosreport_domtrans(abrt_t)
++ sosreport_read_tmp_files(abrt_t)
++ sosreport_delete_tmp_files(abrt_t)
++')
++
++optional_policy(`
+ sssd_stream_connect(abrt_t)
+ ')
+
+ ########################################
+ #
+-# abrt--helper local policy
++# abrt-helper local policy
+ #
+
+ allow abrt_helper_t self:capability { chown setgid sys_nice };
+@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+ domain_read_all_domains_state(abrt_helper_t)
+
+ files_read_etc_files(abrt_helper_t)
++files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
+ fs_list_inotifyfs(abrt_helper_t)
+ fs_getattr_all_fs(abrt_helper_t)
+@@ -216,7 +248,8 @@ miscfiles_read_localization(abrt_helper_t)
+ term_dontaudit_use_all_ttys(abrt_helper_t)
+ term_dontaudit_use_all_ptys(abrt_helper_t)
+
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
++ domain_dontaudit_leaks(abrt_helper_t)
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+@@ -224,4 +257,18 @@ ifdef(`hide_broken_symptoms', `
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
++
++ optional_policy(`
++ rpm_dontaudit_leaks(abrt_helper_t)
++ ')
++')
++
++ifdef(`hide_broken_symptoms',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow abrt_t self:capability sys_resource;
++ allow abrt_t domain:file write;
++ allow abrt_t domain:process setrlimit;
+ ')
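Review bot: The second `ifdef(`hide_broken_symptoms'` block adds `allow` rules rather than `dontaudit` rules, so a flag named for hiding symptoms widens what abrt_t may do. `allow abrt_t domain:file write;` and `allow abrt_t domain:process setrlimit;` apply to every type carrying the `domain` attribute, and `sys_resource` is added on top. These would be easier to audit outside the ifdef or behind a named tunable, with a comment such as `# <reason abrt must write to and set rlimits on other domains>`. The afs.te hunk later in this patch has the same pattern with `kernel_rw_unlabeled_files(afs_t)`. The first ifdef block touched here begins outside this hunk.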
+diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
+index c0f858d..d639ae0 100644
+--- a/policy/modules/services/accountsd.if
++++ b/policy/modules/services/accountsd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run accountsd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`accountsd_domtrans',`
+@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
+ type accountsd_t;
+ ')
+
+- allow $1 accountsd_t:process { ptrace signal_perms getattr };
++ allow $1 accountsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, accountsd_t)
+
+ accountsd_manage_lib_files($1)
+diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
+index 1632f10..2724c11 100644
+--- a/policy/modules/services/accountsd.te
++++ b/policy/modules/services/accountsd.te
+@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
+ type accountsd_t;
+ type accountsd_exec_t;
+ dbus_system_domain(accountsd_t, accountsd_exec_t)
++init_daemon_domain(accountsd_t, accountsd_exec_t)
++role system_r types accountsd_t;
+
+ type accountsd_var_lib_t;
+ files_type(accountsd_var_lib_t)
+@@ -55,3 +57,8 @@ optional_policy(`
+ optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(accountsd_t)
++ xserver_manage_xdm_etc_files(accountsd_t)
++')
+diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
+index 8559cdc..49c0cc8 100644
+--- a/policy/modules/services/afs.if
++++ b/policy/modules/services/afs.if
+@@ -97,8 +97,8 @@ interface(`afs_admin',`
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+- allow $1 afs_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, afs_t, afs_t)
++ allow $1 afs_t:process { ptrace signal_perms };
++ ps_process_pattern($1, afs_t)
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
+diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
+index de8b791..7e2cdf2 100644
+--- a/policy/modules/services/afs.te
++++ b/policy/modules/services/afs.te
+@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t)
+
+ sysnet_dns_name_resolve(afs_t)
+
++ifdef(`hide_broken_symptoms',`
++ kernel_rw_unlabeled_files(afs_t)
++')
++
+ ########################################
+ #
+ # AFS bossserver local policy
+diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
+new file mode 100644
+index 0000000..069518f
+--- /dev/null
++++ b/policy/modules/services/aiccu.fc
+@@ -0,0 +1,6 @@
++/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
++/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
++
++/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
++
++/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
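Review bot: The `.` in `/etc/aiccu.conf` is not escaped, so as a regular expression it matches any character in that position. The other entries in this file escape it (`init\.d`, `aiccu\.pid`). I would write `/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)`.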
+diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
+new file mode 100644
+index 0000000..6bf0ad6
+--- /dev/null
++++ b/policy/modules/services/aiccu.if
+@@ -0,0 +1,116 @@
++## Automatic IPv6 Connectivity Client Utility.
++
++########################################
++##
++## Execute a domain transition to run aiccu.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`aiccu_domtrans',`
++ gen_require(`
++ type aiccu_t, aiccu_exec_t;
++ ')
++
++ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
++ corecmd_search_bin($1)
++')
++
++########################################
++##
++## Execute aiccu server in the aiccu domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`aiccu_initrc_domtrans',`
++ gen_require(`
++ type aiccu_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
++')
++
++########################################
++##
++## Read aiccu PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`aiccu_read_pid_files',`
++ gen_require(`
++ type aiccu_var_run_t;
++ ')
++
++ allow $1 aiccu_var_run_t:file read_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++##
++## Manage aiccu PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`aiccu_manage_var_run',`
++ gen_require(`
++ type aiccu_var_run_t;
++ ')
++
++ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ files_search_pids($1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an aiccu environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`aiccu_admin',`
++ gen_require(`
++ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
++ type aiccu_var_run_t;
++ ')
++
++ allow $1 aiccu_t:process { ptrace signal_perms };
++ ps_process_pattern($1, aiccu_t)
++
++ aiccu_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 aiccu_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ admin_pattern($1, aiccu_etc_t)
++ files_list_etc($1)
++
++ admin_pattern($1, aiccu_var_run_t)
++ files_list_pids($1)
++')
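Review bot: `aiccu_manage_var_run` is named differently from its sibling `aiccu_read_pid_files`, and its summary says "Manage aiccu PID files" while the body also grants management of directories and symlinks of aiccu_var_run_t. Naming it `aiccu_manage_pid_files` and changing the summary to "Manage aiccu PID files, directories and symlinks." would keep the name, documentation and grant aligned. For the same consistency, `aiccu_read_pid_files` could use `read_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)` instead of the bare `allow`.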
+diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
+new file mode 100644
+index 0000000..4b9dc88
+--- /dev/null
++++ b/policy/modules/services/aiccu.te
+@@ -0,0 +1,71 @@
++policy_module(aiccu, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type aiccu_t;
++type aiccu_exec_t;
++init_daemon_domain(aiccu_t, aiccu_exec_t)
++
++type aiccu_initrc_exec_t;
++init_script_file(aiccu_initrc_exec_t)
++
++type aiccu_etc_t;
++files_config_file(aiccu_etc_t)
++
++type aiccu_var_run_t;
++files_pid_file(aiccu_var_run_t)
++
++########################################
++#
++# aiccu local policy
++#
++
++allow aiccu_t self:capability { kill net_admin net_raw };
++dontaudit aiccu_t self:capability sys_tty_config;
++allow aiccu_t self:process signal;
++allow aiccu_t self:fifo_file rw_fifo_file_perms;
++allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
++allow aiccu_t self:tcp_socket create_stream_socket_perms;
++allow aiccu_t self:tun_socket create_socket_perms;
++allow aiccu_t self:udp_socket create_stream_socket_perms;
++allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
++
++allow aiccu_t aiccu_etc_t:file read_file_perms;
++
++manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
++
++kernel_read_system_state(aiccu_t)
++
++corecmd_exec_shell(aiccu_t)
++
++corenet_all_recvfrom_netlabel(aiccu_t)
++corenet_all_recvfrom_unlabeled(aiccu_t)
++corenet_tcp_bind_generic_node(aiccu_t)
++corenet_tcp_sendrecv_generic_if(aiccu_t)
++corenet_tcp_sendrecv_generic_node(aiccu_t)
++corenet_tcp_sendrecv_generic_port(aiccu_t)
++corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
++corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
++corenet_tcp_connect_sixxsconfig_port(aiccu_t)
++corenet_rw_tun_tap_dev(aiccu_t)
++
++domain_use_interactive_fds(aiccu_t)
++
++dev_read_rand(aiccu_t)
++dev_read_urand(aiccu_t)
++
++files_read_etc_files(aiccu_t)
++
++logging_send_syslog_msg(aiccu_t)
++
++miscfiles_read_localization(aiccu_t)
++
++modutils_domtrans_insmod(aiccu_t)
++
++sysnet_domtrans_ifconfig(aiccu_t)
++sysnet_dns_name_resolve(aiccu_t)
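Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` applies the stream permission set to a datagram socket class; the stream set adds `listen` and `accept`, which have no meaning for UDP. The usual form is `allow aiccu_t self:udp_socket create_socket_perms;`. Separately, `net_admin`, `corecmd_exec_shell` and `modutils_domtrans_insmod` together are a broad grant for a daemon that talks to a remote configuration service. A one-line comment on each naming the aiccu operation that needs it would make later tightening possible.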
+diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
+index 838d25b..0b0db39 100644
+--- a/policy/modules/services/aide.if
++++ b/policy/modules/services/aide.if
+@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
+ ## The role to allow the AIDE domain.
+ ##
+ ##
++##
+ #
+ interface(`aide_run',`
+ gen_require(`
+diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
+index 0370dba..af5d229 100644
+--- a/policy/modules/services/aisexec.if
++++ b/policy/modules/services/aisexec.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run aisexec.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`aisexec_domtrans',`
+diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
+index 97c9cae..c24bd66 100644
+--- a/policy/modules/services/aisexec.te
++++ b/policy/modules/services/aisexec.te
+@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
+ # aisexec local policy
+ #
+
+-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
++allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
+ allow aisexec_t self:process { setrlimit setsched signal };
+ allow aisexec_t self:fifo_file rw_fifo_file_perms;
+ allow aisexec_t self:sem create_sem_perms;
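Review bot: Adding `ipc_owner` to the capability set lets aisexec_t bypass ownership checks on System V IPC objects, and the hunk does not say why. Judging by their names, `userdom_rw_semaphores` and `userdom_rw_unpriv_user_shared_mem` in the next hunk extend that reach to user-domain semaphores and shared memory. A comment above the rule, e.g. `# <which aisexec feature shares SysV IPC with user processes>`, would let a reviewer judge whether the user-domain access can be narrowed.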
+@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
+
+ miscfiles_read_localization(aisexec_t)
+
++userdom_rw_semaphores(aisexec_t)
++userdom_rw_unpriv_user_shared_mem(aisexec_t)
++
+ optional_policy(`
+ ccs_stream_connect(aisexec_t)
+ ')
+diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
+new file mode 100644
+index 0000000..aeb1888
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
++
++/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
++
++/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
+diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
+new file mode 100644
+index 0000000..8e6e2c3
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.if
+@@ -0,0 +1,68 @@
++## policy for ajaxterm
++
++########################################
++##
++## Execute a domain transition to run ajaxterm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ajaxterm_domtrans',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_exec_t;
++ ')
++
++ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
++')
++
++########################################
++##
++## Execute ajaxterm server in the ajaxterm domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ajaxterm_initrc_domtrans',`
++ gen_require(`
++ type ajaxterm_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ajaxterm environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ajaxterm_admin',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_initrc_exec_t;
++ ')
++
++ allow $1 ajaxterm_t:process { ptrace signal_perms };
++ ps_process_pattern($1, ajaxterm_t)
++
++ ajaxterm_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ajaxterm_initrc_exec_t system_r;
++ allow $2 system_r;
++')
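Review bot: `ajaxterm_admin` requires only ajaxterm_t and ajaxterm_initrc_exec_t, so the admin domain gets ptrace and signal rights over the daemon but no access to ajaxterm_var_run_t, which ajaxterm.te declares and ajaxterm.fc assigns to the pid file. The `aiccu_admin` interface added in this same patch covers its pid type. For parity, add `type ajaxterm_var_run_t;` to the gen_require and `admin_pattern($1, ajaxterm_var_run_t)` with `files_list_pids($1)` to the body. The parameter text of `ajaxterm_domtrans` also reads "Domain allowed access." where the other domtrans interfaces say "Domain allowed to transition."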
+diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
+new file mode 100644
+index 0000000..cf6af13
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.te
+@@ -0,0 +1,56 @@
++policy_module(ajaxterm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ajaxterm_t;
++type ajaxterm_exec_t;
++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
++
++type ajaxterm_initrc_exec_t;
++init_script_file(ajaxterm_initrc_exec_t)
++
++type ajaxterm_var_run_t;
++files_pid_file(ajaxterm_var_run_t)
++
++type ajaxterm_devpts_t;
++term_login_pty(ajaxterm_devpts_t)
++
++permissive ajaxterm_t;
++
++########################################
++#
++# ajaxterm local policy
++#
++allow ajaxterm_t self:capability setuid;
++allow ajaxterm_t self:process setpgid;
++allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
++allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
++
++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
++term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
++
++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
++
++kernel_read_system_state(ajaxterm_t)
++
++corecmd_exec_bin(ajaxterm_t)
++
++corenet_tcp_bind_generic_node(ajaxterm_t)
++corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
++
++dev_read_urand(ajaxterm_t)
++
++domain_use_interactive_fds(ajaxterm_t)
++
++files_read_etc_files(ajaxterm_t)
++files_read_usr_files(ajaxterm_t)
++
++miscfiles_read_localization(ajaxterm_t)
++
++sysnet_dns_name_resolve(ajaxterm_t)
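Review bot: `permissive ajaxterm_t;` means none of the rules below are enforced for this domain; denials are only logged. The domain binds a TCP port, holds `setuid` and, going by `term_login_pty` and `term_create_pty`, hands out login ptys, so while this line is present the module confines nothing about a network-reachable terminal service. If the permissive state is a deliberate bring-up step, say so next to it, e.g. `# TODO: drop permissive once the policy is complete (tracking: <issue id>)`, so that it is not shipped indefinitely.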
+diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
+index ceb2142..e31d92a 100644
+--- a/policy/modules/services/amavis.if
++++ b/policy/modules/services/amavis.if
+@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
+ type amavis_var_run_t;
+ ')
+
+- allow $1 amavis_var_run_t:file setattr;
++ allow $1 amavis_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+ ')
+
+diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
+index c3a1903..ec40291 100644
+--- a/policy/modules/services/amavis.te
++++ b/policy/modules/services/amavis.te
+@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
+
+ # tmp files
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+-allow amavis_t amavis_tmp_t:dir setattr;
++allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+ files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+ # var/lib files for amavis
+@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+ files_search_var_lib(amavis_t)
+
+ # log files
+-allow amavis_t amavis_var_log_t:dir setattr;
++allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+ logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
+index 9e39aa5..3bfac20 100644
+--- a/policy/modules/services/apache.fc
++++ b/policy/modules/services/apache.fc
+@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+
+ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+
+ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+ /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+ /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+@@ -43,8 +42,7 @@ ifdef(`distro_suse', `
+ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ ')
+
+-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -74,7 +72,8 @@ ifdef(`distro_suse', `
+
+ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+@@ -86,7 +85,6 @@ ifdef(`distro_suse', `
+ /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+ ifdef(`distro_debian', `
+ /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+@@ -109,3 +107,22 @@ ifdef(`distro_debian', `
+ /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
++/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
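Review bot: `/var/www/html/configuration\.php` has no file-type specifier, so httpd_sys_rw_content_t applies to whatever object sits at that path, including a directory or symlink. Single-file entries elsewhere in this file use `--` (for example `/etc/httpd/conf/keytab`). I would write `/var/www/html/configuration\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`. In the same hunk, `/var/www/svn/hooks(/.*)?` is labelled script-executable inside a tree labelled as writable content, so a comment stating that this nesting is intended would help the next reader.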
+diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
+index c9e1a44..ef353c7 100644
+--- a/policy/modules/services/apache.if
++++ b/policy/modules/services/apache.if
+@@ -13,17 +13,13 @@
+ #
+ template(`apache_content_template',`
+ gen_require(`
+- attribute httpdcontent;
+- attribute httpd_exec_scripts;
+- attribute httpd_script_exec_type;
++ attribute httpd_exec_scripts, httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_sys_content_t;
+ ')
+- # allow write access to public file transfer
+- # services files.
+- gen_tunable(allow_httpd_$1_script_anon_write, false)
+
+ #This type is for webpages
+- type httpd_$1_content_t, httpdcontent; # customizable
++ type httpd_$1_content_t; # customizable;
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
+@@ -36,32 +32,32 @@ template(`apache_content_template',`
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
++ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
++
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+- type httpd_$1_rw_content_t, httpdcontent; # customizable
++ type httpd_$1_rw_content_t; # customizable
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+- type httpd_$1_ra_content_t, httpdcontent; # customizable
++ type httpd_$1_ra_content_t; # customizable
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+
+- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+-
+ allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
++ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+
+ allow httpd_$1_script_t self:fifo_file rw_file_perms;
+ allow httpd_$1_script_t self:unix_stream_socket connectto;
+
+ allow httpd_$1_script_t httpd_t:fifo_file write;
+ # apache should set close-on-exec
+- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
++ apache_dontaudit_leaks(httpd_$1_script_t)
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
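Review bot: `search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)` sits outside any tunable and targets the `httpd_script_exec_type` attribute. Every instantiated script domain may therefore search the script directories of every other content type, whether or not `httpd_enable_cgi` is set. A later hunk of this template adds `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` inside the `httpd_enable_cgi` block, which the unconditional rule already grants. If only this template's own script directory is meant, `search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_$1_script_exec_t)` placed after the type declaration would be narrower. The template body starts and ends outside this hunk.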
+@@ -86,7 +82,6 @@ template(`apache_content_template',`
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+ kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+@@ -95,6 +90,7 @@ template(`apache_content_template',`
+ dev_read_urand(httpd_$1_script_t)
+
+ corecmd_exec_all_executables(httpd_$1_script_t)
++ application_exec_all(httpd_$1_script_t)
+
+ files_exec_etc_files(httpd_$1_script_t)
+ files_read_etc_files(httpd_$1_script_t)
+@@ -108,19 +104,6 @@ template(`apache_content_template',`
+
+ seutil_dontaudit_search_config(httpd_$1_script_t)
+
+- tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_$1_script_t httpdcontent:file entrypoint;
+-
+- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- can_exec(httpd_$1_script_t, httpdcontent)
+- ')
+-
+- tunable_policy(`allow_httpd_$1_script_anon_write',`
+- miscfiles_manage_public_files(httpd_$1_script_t)
+- ')
+-
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+@@ -140,26 +123,36 @@ template(`apache_content_template',`
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
++ allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
++ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
++ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
++
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t self:process { setsched signal_perms };
+ allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
++ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
+
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+
++ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
++
+ kernel_read_system_state(httpd_$1_script_t)
+
+ dev_read_urand(httpd_$1_script_t)
+@@ -172,6 +165,7 @@ template(`apache_content_template',`
+ libs_read_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_localization(httpd_$1_script_t)
++ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
+ ')
+
+ optional_policy(`
+@@ -182,10 +176,6 @@ template(`apache_content_template',`
+
+ optional_policy(`
+ postgresql_unpriv_client(httpd_$1_script_t)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- postgresql_tcp_connect(httpd_$1_script_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -211,16 +201,15 @@ template(`apache_content_template',`
+ interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_user_content_t, httpd_user_htaccess_t;
+- type httpd_user_script_t, httpd_user_script_exec_t;
+- type httpd_user_ra_content_t, httpd_user_rw_content_t;
++ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
++ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+
+ allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+
+- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+@@ -229,6 +218,13 @@ interface(`apache_role',`
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+@@ -243,6 +239,8 @@ interface(`apache_role',`
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
++ apache_exec_modules($2)
++
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+@@ -312,6 +310,25 @@ interface(`apache_domtrans',`
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+ ')
+
++######################################
++##
++## Allow the specified domain to execute apache
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_exec',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++
++ can_exec($1, httpd_exec_t)
++')
++
+ #######################################
+ ##
+ ## Send a generic signal to apache.
+@@ -400,7 +417,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+ type httpd_t;
+ ')
+
+- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -482,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
+ type httpd_cache_t;
+ ')
+
+- allow $1 httpd_cache_t:dir setattr;
++ allow $1 httpd_cache_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -526,6 +543,25 @@ interface(`apache_rw_cache_files',`
+ ########################################
+ ##
+ ## Allow the specified domain to delete
++## Apache cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_delete_cache_dirs',`
++ gen_require(`
++ type httpd_cache_t;
++ ')
++
++ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
++')
++
++########################################
++##
++## Allow the specified domain to delete
+ ## Apache cache.
+ ##
+ ##
+@@ -544,6 +580,27 @@ interface(`apache_delete_cache_files',`
+
+ ########################################
+ ##
++## Allow the specified domain to search
++## apache configuration dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_search_config',`
++ gen_require(`
++ type httpd_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 httpd_config_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Allow the specified domain to read
+ ## apache configuration files.
+ ##
+@@ -694,7 +751,7 @@ interface(`apache_dontaudit_append_log',`
+ type httpd_log_t;
+ ')
+
+- dontaudit $1 httpd_log_t:file { getattr append };
++ dontaudit $1 httpd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -740,6 +797,25 @@ interface(`apache_dontaudit_search_modules',`
+
+ ########################################
+ ##
++## Allow the specified domain to read
++## the apache module directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_read_modules',`
++ gen_require(`
++ type httpd_modules_t;
++ ')
++
++ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
++')
++
++########################################
++##
+ ## Allow the specified domain to list
+ ## the contents of the apache modules
+ ## directory.
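Review bot: The summary of the new apache_read_modules says it reads "the apache module directories", but the only rule added is `read_files_pattern($1, httpd_modules_t, httpd_modules_t)`, which covers files, not directory listing. A caller that picks the interface from its summary would expect list access it does not get. I would reword the summary to "read apache module files" so it matches the rule and stays distinct from apache_list_modules just below.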
+@@ -756,6 +832,7 @@ interface(`apache_list_modules',`
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ ')
+
+ ########################################
+@@ -814,6 +891,7 @@ interface(`apache_list_sys_content',`
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+ ')
+
+@@ -841,6 +919,74 @@ interface(`apache_manage_sys_content',`
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ ')
+
++######################################
++##
++## Allow the specified domain to read
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_read_sys_content_rw_files',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
++##
++## Allow the specified domain to manage
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_manage_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++########################################
++##
++## Allow the specified domain to delete
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_delete_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_tmp($1)
++ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
+ ########################################
+ ##
+ ## Execute all web scripts in the system
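Review bot: apache_delete_sys_content_rw calls `files_search_tmp($1)`, while apache_manage_sys_content_rw, added in the same hunk for the same type httpd_sys_rw_content_t, calls `files_search_var($1)`. If the content lives under /var, as the manage interface implies, the delete interface does not grant the parent-directory search a caller needs; if the /tmp path is deliberate, a one-line comment above the call should say so. The summaries also say "rw files" although manage and delete cover directories and symlinks, and delete additionally covers fifo and socket files.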
+@@ -857,7 +1003,11 @@ interface(`apache_manage_sys_content',`
+ interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_sys_script_t;
++ type httpd_sys_script_t, httpd_sys_content_t;
++ ')
++
++ tunable_policy(`httpd_enable_cgi',`
++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
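Review bot: The added httpd_enable_cgi block in apache_domtrans_sys_script uses `httpd_sys_script_exec_t`, but the gen_require lines visible here declare only `httpd_sys_script_t` and the newly added `httpd_sys_content_t`, which the added rule does not reference. An interface that uses a type it does not require can fail when the caller is built as a separate module. I would change the require line to `type httpd_sys_script_t, httpd_sys_script_exec_t, httpd_sys_content_t;`, or drop `httpd_sys_content_t` if nothing later in the body needs it. The rest of the interface body lies outside this hunk.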
+@@ -916,9 +1066,10 @@ interface(`apache_domtrans_all_scripts',`
+ ##
+ ##
+ ##
+-## Role allowed access..
++## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`apache_run_all_scripts',`
+ gen_require(`
+@@ -945,7 +1096,7 @@ interface(`apache_read_squirrelmail_data',`
+ type httpd_squirrelmail_t;
+ ')
+
+- allow $1 httpd_squirrelmail_t:file read_file_perms;
++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ ')
+
+ ########################################
+@@ -1086,6 +1237,25 @@ interface(`apache_read_tmp_files',`
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+ ')
+
++######################################
++##
++## Dontaudit attempts to read and write
++## apache tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
+ ########################################
+ ##
+ ## Dontaudit attempts to write
+@@ -1102,7 +1272,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+ type httpd_tmp_t;
+ ')
+
+- dontaudit $1 httpd_tmp_t:file write_file_perms;
++ dontaudit $1 httpd_tmp_t:file write;
+ ')
+
+ ########################################
+@@ -1165,17 +1335,14 @@ interface(`apache_cgi_domain',`
+ #
+ interface(`apache_admin',`
+ gen_require(`
+- attribute httpdcontent;
+- attribute httpd_script_exec_type;
+-
++ attribute httpdcontent, httpd_script_exec_type;
+ type httpd_t, httpd_config_t, httpd_log_t;
+- type httpd_modules_t, httpd_lock_t;
+- type httpd_var_run_t, httpd_php_tmp_t;
++ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
++ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+- type httpd_initrc_exec_t;
+ ')
+
+- allow $1 httpd_t:process { getattr ptrace signal_perms };
++ allow $1 httpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+@@ -1186,10 +1353,10 @@ interface(`apache_admin',`
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+@@ -1200,14 +1367,43 @@ interface(`apache_admin',`
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+- kernel_search_proc($1)
+- allow $1 httpd_t:dir list_dir_perms;
+-
+- read_lnk_files_pattern($1, httpd_t, httpd_t)
+-
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
++
++ seutil_domtrans_setfiles($1)
++
++ files_list_tmp($1)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
++
++ ifdef(`TODO',`
++ apache_set_booleans($1, $2, $3, httpd_bool_t)
++ seutil_setsebool_role_template($1, $3, $2)
++ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
++ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
++ ')
++')
++
++########################################
++##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_leaks',`
++ gen_require(`
++ type httpd_t;
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 httpd_t:tcp_socket { read write };
++ dontaudit $1 httpd_t:unix_dgram_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_tmp_t:file { read write };
+ ')
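Review bot: The TODO-guarded block at the end of apache_admin refers to `$2`, `$3` and `httpd_setsebool_t`, none of which is declared in the gen_require lines this patch edits (only `httpd_bool_t` is added there). The block is inert while TODO is undefined, but it would not compile once enabled, and a reader cannot tell from here whether the interface takes a second and third argument. I would either drop it until the supporting pieces exist or add a comment such as `# TODO: needs httpd_setsebool_t and role/prefix arguments before this can be enabled`. The new apache_dontaudit_leaks also deserves a short comment that these dontaudit rules hide denials for descriptors httpd leaks to its children, so the underlying leak stays visible as something to fix.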
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index 08dfa0c..973fdf0 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
+ # Declarations
+ #
+
++selinux_genbool(httpd_bool_t)
++
+ ##
+-##
+-## Allow Apache to modify public files
+-## used for public file transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-##
++##
++## Allow Apache to modify public files
++## used for public file transfer services. Directories/Files must
++## be labeled public_content_rw_t.
++##
+ ##
+ gen_tunable(allow_httpd_anon_write, false)
+
+ ##
+-##
+-## Allow Apache to use mod_auth_pam
+-##
++##
++## Allow Apache to use mod_auth_pam
++##
+ ##
+ gen_tunable(allow_httpd_mod_auth_pam, false)
+
+ ##
+-##
+-## Allow httpd to use built in scripting (usually php)
+-##
++##
++## Allow Apache to use mod_auth_ntlm_winbind
++##
++##
++gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
++
++##
++##
++## Allow httpd scripts and modules execmem/execstack
++##
++##
++gen_tunable(httpd_execmem, false)
++
++##
++##
++## Allow httpd daemon to change system limits
++##
++##
++gen_tunable(httpd_setrlimit, false)
++
++##
++##
++## Allow httpd to use built in scripting (usually php)
++##
+ ##
+ gen_tunable(httpd_builtin_scripting, false)
+
+ ##
+-##
+-## Allow HTTPD scripts and modules to connect to the network using TCP.
+-##
++##
++## Allow HTTPD scripts and modules to connect to the network using any TCP port.
++##
+ ##
+ gen_tunable(httpd_can_network_connect, false)
+
+ ##
+-##
+-## Allow HTTPD scripts and modules to connect to databases over the network.
+-##
++##
++## Allow HTTPD scripts and modules to connect to cobbler over the network.
++##
++##
++gen_tunable(httpd_can_network_connect_cobbler, false)
++
++##
++##
++## Allow HTTPD scripts and modules to connect to databases over the network.
++##
+ ##
+ gen_tunable(httpd_can_network_connect_db, false)
+
+ ##
+-##
+-## Allow httpd to act as a relay
+-##
++##
++## Allow httpd to connect to memcache server
++##
++##
++gen_tunable(httpd_can_network_memcache, false)
++
++##
++##
++## Allow httpd to act as a relay
++##
+ ##
+ gen_tunable(httpd_can_network_relay, false)
+
+ ##
+-##
+-## Allow http daemon to send mail
+-##
++##
++## Allow http daemon to send mail
++##
+ ##
+ gen_tunable(httpd_can_sendmail, false)
+
+ ##
+-##
+-## Allow Apache to communicate with avahi service via dbus
+-##
++##
++## Allow http daemon to check spam
++##
++##
++gen_tunable(httpd_can_check_spam, false)
++
++##
++##
++## Allow Apache to communicate with avahi service via dbus
++##
+ ##
+ gen_tunable(httpd_dbus_avahi, false)
+
+ ##
+-##
+-## Allow httpd cgi support
+-##
++##
++## Allow httpd to execute cgi scripts
++##
+ ##
+ gen_tunable(httpd_enable_cgi, false)
+
+ ##
+-##
+-## Allow httpd to act as a FTP server by
+-## listening on the ftp port.
+-##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
+ ##
+ gen_tunable(httpd_enable_ftp_server, false)
+
+ ##
+-##
+-## Allow httpd to read home directories
+-##
++##
++## Allow httpd to read home directories
++##
+ ##
+ gen_tunable(httpd_enable_homedirs, false)
+
+ ##
+-##
+-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+-##
++##
++## Allow httpd to read user content
++##
++##
++gen_tunable(httpd_read_user_content, false)
++
++##
++##
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++##
+ ##
+ gen_tunable(httpd_ssi_exec, false)
+
+ ##
+-##
+-## Unify HTTPD to communicate with the terminal.
+-## Needed for entering the passphrase for certificates at
+-## the terminal.
+-##
++##
++## Allow Apache to execute tmp content.
++##
++##
++gen_tunable(httpd_tmp_exec, false)
++
++##
++##
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
++##
+ ##
+ gen_tunable(httpd_tty_comm, false)
+
+ ##
+-##
+-## Unify HTTPD handling of all content files.
+-##
++##
++## Unify HTTPD handling of all content files.
++##
+ ##
+ gen_tunable(httpd_unified, false)
+
+ ##
+-##
+-## Allow httpd to access cifs file systems
+-##
++##
++## Allow httpd to access cifs file systems
++##
+ ##
+ gen_tunable(httpd_use_cifs, false)
+
+ ##
+-##
+-## Allow httpd to run gpg
+-##
++##
++## Allow httpd to run gpg in gpg-web domain
++##
+ ##
+ gen_tunable(httpd_use_gpg, false)
+
+ ##
+-##
+-## Allow httpd to access nfs file systems
+-##
++##
++## Allow httpd to access nfs file systems
++##
+ ##
+ gen_tunable(httpd_use_nfs, false)
+
++##
++##
++## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
++##
++##
++gen_tunable(allow_httpd_sys_script_anon_write, false)
++
+ attribute httpdcontent;
+ attribute httpd_user_content_type;
+
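Review bot: The description of the new allow_httpd_sys_script_anon_write tunable tells administrators to label content `public_rw_content_t`, while the allow_httpd_anon_write description earlier in this hunk names `public_content_rw_t`. Both booleans are later wired to the same `miscfiles_manage_public_files` call, so they should name the same label; an administrator following the new text would apply a label the rule does not cover. I would change the new description to read `Directories/Files must be labeled public_content_rw_t.`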
+@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+
+ # setup the system domain for system CGI scripts
+ apache_content_template(sys)
+-typealias httpd_sys_content_t alias ntop_http_content_t;
++
++typeattribute httpd_sys_content_t httpdcontent; # customizable
++typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
++typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
++
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
++typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
++typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+
+ type httpd_tmp_t;
+ files_tmp_file(httpd_tmp_t)
+@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+
+ apache_content_template(user)
+ ubac_constrained(httpd_user_script_t)
++typeattribute httpd_user_content_t httpdcontent;
++typeattribute httpd_user_rw_content_t httpdcontent;
++typeattribute httpd_user_ra_content_t httpdcontent;
++
+ userdom_user_home_content(httpd_user_content_t)
+ userdom_user_home_content(httpd_user_htaccess_t)
+ userdom_user_home_content(httpd_user_script_exec_t)
+@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+ userdom_user_home_content(httpd_user_rw_content_t)
+ typeattribute httpd_user_script_t httpd_script_domains;
+ typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
++typealias httpd_user_content_t alias httpd_unconfined_content_t;
+ typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+ typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+ typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t)
+ type httpd_var_run_t;
+ files_pid_file(httpd_var_run_t)
+
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
++
+ # File Type of squirrelmail attachments
+ type squirrelmail_spool_t;
+ files_tmp_file(squirrelmail_spool_t)
+@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow httpd_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_t self:udp_socket create_socket_perms;
++dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+
+ # Allow httpd_t to put files in /var/cache/httpd etc
+ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
++files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+
+ # Allow the httpd_t to read the web servers config files
+ allow httpd_t httpd_config_t:dir list_dir_perms;
+@@ -355,6 +440,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ kernel_read_kernel_sysctls(httpd_t)
+ # for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
++kernel_search_network_sysctl(httpd_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_t)
+ corenet_all_recvfrom_netlabel(httpd_t)
+@@ -365,8 +451,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_generic_node(httpd_t)
++corenet_udp_bind_generic_node(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
++corenet_tcp_bind_ntop_port(httpd_t)
+ corenet_sendrecv_http_server_packets(httpd_t)
+ # Signal self for shutdown
+ corenet_tcp_connect_http_port(httpd_t)
+@@ -378,12 +466,12 @@ dev_rw_crypto(httpd_t)
+
+ fs_getattr_all_fs(httpd_t)
+ fs_search_auto_mountpoints(httpd_t)
++fs_read_iso9660_files(httpd_t)
++fs_read_anon_inodefs_files(httpd_t)
+
+ auth_use_nsswitch(httpd_t)
+
+-# execute perl
+-corecmd_exec_bin(httpd_t)
+-corecmd_exec_shell(httpd_t)
++application_exec_all(httpd_t)
+
+ domain_use_interactive_fds(httpd_t)
+
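Review bot: Replacing `corecmd_exec_bin(httpd_t)` and `corecmd_exec_shell(httpd_t)` with `application_exec_all(httpd_t)` changes what the web server may execute in its own domain, and the old "execute perl" comment that explained the grant is deleted with nothing in its place. By its name the new call covers every application executable type, which is a wide grant for a network-facing daemon. Whether it still covers the shell and generic bin types is not visible from this hunk. I would add a comment stating why the broader grant is needed and confirm that the two removed permissions are still reachable. The same substitution is made for httpd_suexec_t in a later hunk.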
+@@ -402,6 +490,10 @@ files_read_etc_files(httpd_t)
+ files_read_var_lib_symlinks(httpd_t)
+
+ fs_search_auto_mountpoints(httpd_sys_script_t)
++# php uploads a file to /tmp and then execs programs to acton them
++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ libs_read_lib_files(httpd_t)
+
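Review bot: The added `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, ...)` labels whatever a script creates in /tmp as httpd_sys_rw_content_t, while the two manage patterns directly above it grant the script access to httpd_tmp_t instead. As written, the type the script is allowed to manage is not the type its new /tmp objects receive. The transition also lists lnk_file, sock_file and fifo_file, for which no manage rule is added here. If the rw-content label is intended, a comment should say so and name where the matching permissions come from; otherwise the transition target should be `httpd_tmp_t`. The comment's "acton" should read "act on".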
+@@ -416,34 +508,71 @@ seutil_dontaudit_search_config(httpd_t)
+
+ userdom_use_unpriv_users_fds(httpd_t)
+
++tunable_policy(`httpd_setrlimit',`
++ allow httpd_t self:process setrlimit;
++ allow httpd_t self:capability sys_resource;
++')
++
+ tunable_policy(`allow_httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
+ ')
+
+-ifdef(`TODO', `
+ #
+ # We need optionals to be able to be within booleans to make this work
+ #
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
++ auth_domtrans_chkpwd(httpd_t)
++ logging_send_audit_msgs(httpd_t)
+ ')
++
++optional_policy(`
++ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
++ samba_domtrans_winbind_helper(httpd_t)
++ ')
+ ')
+
+ tunable_policy(`httpd_can_network_connect',`
+ corenet_tcp_connect_all_ports(httpd_t)
+ ')
+
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_t)
++ corenet_sendrecv_mssql_client_packets(httpd_t)
++')
++
++tunable_policy(`httpd_can_network_memcache',`
++ corenet_tcp_connect_memcache_port(httpd_t)
++')
++
+ tunable_policy(`httpd_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
++ corenet_tcp_connect_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
++ corenet_sendrecv_squid_client_packets(httpd_t)
++')
++
++tunable_policy(`httpd_execmem',`
++ allow httpd_t self:process { execmem execstack };
++ allow httpd_sys_script_t self:process { execmem execstack };
++ allow httpd_suexec_t self:process { execmem execstack };
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_unified',`
++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ can_exec(httpd_sys_script_t, httpd_sys_content_t)
++')
++
++tunable_policy(`allow_httpd_sys_script_anon_write',`
++ miscfiles_manage_public_files(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
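Review bot: The new httpd_execmem block grants `{ execmem execstack }` to httpd_t, httpd_sys_script_t and httpd_suexec_t under a single boolean, so a site that needs executable anonymous memory for one module must also accept an executable stack in all three domains. These are separate memory protections, and the boolean's name mentions only execmem. I would keep `allow httpd_t self:process execmem;` (and the two siblings) under httpd_execmem and move execstack behind its own tunable. The retained comment "We need optionals to be able to be within booleans to make this work" is also stale now that the surrounding TODO guard is removed.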
+@@ -456,6 +585,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+
+ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+@@ -466,8 +599,12 @@ tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
+ ')
+
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_t)
++tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
++ can_exec(httpd_t, httpd_tmp_t)
++')
++
++tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
++ can_exec(httpd_sys_script_t, httpd_tmp_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,6 +612,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_symlinks(httpd_t)
+ ')
+
++tunable_policy(`httpd_use_nfs',`
++ fs_manage_nfs_dirs(httpd_t)
++ fs_manage_nfs_files(httpd_t)
++ fs_manage_nfs_symlinks(httpd_t)
++')
++
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
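Review bot: The new httpd_use_nfs block gives httpd_t `fs_manage_nfs_dirs`, `fs_manage_nfs_files` and `fs_manage_nfs_symlinks`, although the tunable is documented only as "Allow httpd to access nfs file systems". Manage is a much larger grant than the read access needed to serve content from a share, and remote filesystems carry a single label, so it applies to everything on the mount. The same pattern appears in the httpd_use_cifs block two hunks below and in the httpd_sys_script_t and httpd_suexec_t blocks near the end of the file. I would either grant read-only access under these booleans and gate the manage calls separately, or update the tunable descriptions to say that write and delete are included.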
+@@ -484,7 +627,16 @@ tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
++ corenet_tcp_connect_pop_port(httpd_t)
++ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
++ mta_signal_system_mail(httpd_t)
++')
++
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
+ ')
+
+ tunable_policy(`httpd_ssi_exec',`
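Review bot: The httpd_can_sendmail block now also adds `corenet_tcp_connect_pop_port(httpd_t)` and its packet rule, but the tunable is described as "Allow http daemon to send mail" and POP is a mail retrieval protocol. An administrator who enables the boolean for outbound mail gets a client permission the description does not mention. If webmail-style retrieval is the motivation, I would put the two POP lines under their own tunable, or at least extend the description and add a comment naming the use case.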
+@@ -500,8 +652,10 @@ tunable_policy(`httpd_ssi_exec',`
+ # are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_t)
++ userdom_use_user_terminals(httpd_suexec_t)
+ ',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
++ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+ ')
+
+ optional_policy(`
+@@ -513,7 +667,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- cobbler_search_lib(httpd_t)
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
++ cobbler_read_lib_files(httpd_t)
++
++ tunable_policy(`httpd_can_network_connect_cobbler',`
++ corenet_tcp_connect_cobbler_port(httpd_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -528,7 +688,18 @@ optional_policy(`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+ ')
+
+- optional_policy(`
++optional_policy(`
++ dirsrv_manage_config(httpd_t)
++ dirsrv_manage_log(httpd_t)
++ dirsrv_manage_var_run(httpd_t)
++ dirsrv_read_share(httpd_t)
++ dirsrv_signal(httpd_t)
++ dirsrv_signull(httpd_t)
++ dirsrvadmin_manage_config(httpd_t)
++ dirsrvadmin_manage_tmp(httpd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(httpd_t)
+
+ tunable_policy(`httpd_dbus_avahi',`
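Review bot: The new dirsrv optional block gives httpd_t `dirsrv_manage_config`, `dirsrv_manage_log` and `dirsrv_manage_var_run` whenever the dirsrv module is present, with no tunable around them. By their names these let the web server rewrite the directory server's configuration and logs on any host that installs both packages, not only on hosts running the directory admin web interface. I would wrap the manage calls in a tunable that defaults to false, or add a comment explaining why every httpd_t instance needs them.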
+@@ -537,8 +708,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gitosis_read_lib_files(httpd_t)
++')
++
++optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+- gpg_domtrans(httpd_t)
++ gpg_domtrans_web(httpd_t)
+ ')
+ ')
+
+@@ -556,7 +731,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mediawiki_read_tmp_files(httpd_t)
++ mediawiki_delete_tmp_files(httpd_t)
++')
++
++optional_policy(`
+ # Allow httpd to work with mysql
++ mysql_read_config(httpd_t)
+ mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+@@ -567,6 +748,7 @@ optional_policy(`
+
+ optional_policy(`
+ nagios_read_config(httpd_t)
++ nagios_read_log(httpd_t)
+ ')
+
+ optional_policy(`
+@@ -577,6 +759,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
++')
++
++optional_policy(`
++ rpc_search_nfs_state_data(httpd_t)
++')
++
++optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+@@ -591,6 +783,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ smokeping_read_lib_files(httpd_t)
++')
++
++optional_policy(`
++ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
+@@ -603,6 +800,10 @@ optional_policy(`
+ yam_read_content(httpd_t)
+ ')
+
++optional_policy(`
++ zarafa_stream_connect_server(httpd_t)
++')
++
+ ########################################
+ #
+ # Apache helper local policy
+@@ -618,6 +819,10 @@ logging_send_syslog_msg(httpd_helper_t)
+
+ userdom_use_user_terminals(httpd_helper_t)
+
++tunable_policy(`httpd_tty_comm',`
++ userdom_use_user_terminals(httpd_helper_t)
++')
++
+ ########################################
+ #
+ # Apache PHP script local policy
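Review bot: The added httpd_tty_comm block for httpd_helper_t has no effect, because the context line just above it already calls `userdom_use_user_terminals(httpd_helper_t)` unconditionally. If the intent is to make terminal access depend on the boolean, the unconditional line has to be removed and a `userdom_dontaudit_use_user_terminals(httpd_helper_t)` else-branch added, matching the httpd_t block earlier in the file. Otherwise the new block should be dropped.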
+@@ -654,28 +859,27 @@ libs_exec_lib_files(httpd_php_t)
+ userdom_use_unpriv_users_fds(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_tcp_connect_mysqld_port(httpd_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_t)
+- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+-
+- corenet_tcp_connect_mssql_port(httpd_t)
+- corenet_sendrecv_mssql_client_packets(httpd_t)
+- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mssql_port(httpd_suexec_t)
+- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_mssql_port(httpd_php_t)
++ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(httpd_php_t)
++ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
++ postgresql_unpriv_client(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ ########################################
+@@ -699,17 +903,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++
+ kernel_read_kernel_sysctls(httpd_suexec_t)
+ kernel_list_proc(httpd_suexec_t)
+ kernel_read_proc_symlinks(httpd_suexec_t)
+
+ dev_read_urand(httpd_suexec_t)
+
++fs_read_iso9660_files(httpd_suexec_t)
+ fs_search_auto_mountpoints(httpd_suexec_t)
+
+-# for shell scripts
+-corecmd_exec_bin(httpd_suexec_t)
+-corecmd_exec_shell(httpd_suexec_t)
++application_exec_all(httpd_suexec_t)
+
+ files_read_etc_files(httpd_suexec_t)
+ files_read_usr_files(httpd_suexec_t)
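Review bot: The three added `read_files_pattern(httpd_suexec_t, httpd_user_*content_t, ...)` rules and `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` sit at top level, outside any tunable. Later in the file httpd_sys_script_t gets user home content only under httpd_read_user_content, so suexec ends up with user-content read access even when the administrator has left that boolean off. The can_exec rule likewise lets scripts run in httpd_suexec_t without a domain transition regardless of httpd_enable_cgi. I would move the reads under the user-content tunable and the can_exec under httpd_enable_cgi, or add a comment explaining why they must be unconditional.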
+@@ -740,10 +949,20 @@ tunable_policy(`httpd_can_network_connect',`
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+ ')
+
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_suexec_t)
++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++')
++
++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
++
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+-
++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
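Review bot: The added `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` is unconditional, whereas the existing `allow httpd_sys_script_t httpdcontent:file entrypoint;` and the httpd_sys_content_t entrypoint rule added earlier in this patch are both inside the `httpd_enable_cgi && httpd_unified` condition. If domain_entry_file grants entrypoint as it normally does, static content becomes a valid entry point for the script domain even with httpd_unified off, which defeats the separation the boolean is meant to control. I would remove the unconditional line or document why the conditional rules are no longer sufficient. The new manage patterns in the same block also give httpd_sys_script_t write access to all httpdcontent, which merits a comment.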
+@@ -769,6 +988,25 @@ optional_policy(`
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+ ')
+
++optional_policy(`
++ mysql_stream_connect(httpd_suexec_t)
++ mysql_rw_db_sockets(httpd_suexec_t)
++ mysql_read_config(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_suexec_t)
++ ')
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_suexec_t)
++ postgresql_unpriv_client(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_suexec_t)
++ ')
++')
++
+ ########################################
+ #
+ # Apache system script local policy
+@@ -792,9 +1030,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+ files_search_var_lib(httpd_sys_script_t)
+ files_search_spool(httpd_sys_script_t)
+
++logging_inherit_append_all_logs(httpd_sys_script_t)
++
+ # Should we add a boolean?
+ apache_domtrans_rotatelogs(httpd_sys_script_t)
+
++auth_use_nsswitch(httpd_sys_script_t)
++
+ ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+ ')
+@@ -803,6 +1045,33 @@ tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
+ ')
+
++optional_policy(`
++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
++ spamassassin_domtrans_client(httpd_t)
++ ')
++')
++
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++')
++
++fs_cifs_entry_type(httpd_sys_script_t)
++fs_read_iso9660_files(httpd_sys_script_t)
++fs_nfs_entry_type(httpd_sys_script_t)
++
++tunable_policy(`httpd_use_nfs',`
++ fs_manage_nfs_dirs(httpd_sys_script_t)
++ fs_manage_nfs_files(httpd_sys_script_t)
++ fs_manage_nfs_symlinks(httpd_sys_script_t)
++ fs_exec_nfs_files(httpd_sys_script_t)
++
++ fs_manage_nfs_dirs(httpd_suexec_t)
++ fs_manage_nfs_files(httpd_suexec_t)
++ fs_manage_nfs_symlinks(httpd_suexec_t)
++ fs_exec_nfs_files(httpd_suexec_t)
++')
++
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
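Review bot: The added `fs_cifs_entry_type(httpd_sys_script_t)`, `fs_read_iso9660_files(httpd_sys_script_t)` and `fs_nfs_entry_type(httpd_sys_script_t)` lines sit outside any tunable, so they apply even when `httpd_use_nfs` and `httpd_use_cifs` are off. Judging by the interface names, they make files on CIFS and NFS mounts valid entry points for the CGI domain; if they cannot be placed inside the matching tunable block, a comment should say so and name the boolean that actually gates execution. Inside `httpd_use_nfs` both `httpd_sys_script_t` and `httpd_suexec_t` receive `fs_manage_nfs_files` together with `fs_exec_nfs_files`, so they can modify what they run, and the boolean's description should state that. `spamassassin_domtrans_client(httpd_t)` is added in the system-script section but targets `httpd_t`; if that is intended, a one-line comment would make it clear.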
+@@ -822,7 +1091,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ ')
+
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_sys_script_t)
++ userdom_search_user_home_dirs(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1099,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
++tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_sys_script_t)
++ fs_manage_cifs_files(httpd_sys_script_t)
++ fs_manage_cifs_symlinks(httpd_sys_script_t)
++ fs_manage_cifs_dirs(httpd_suexec_t)
++ fs_manage_cifs_files(httpd_suexec_t)
++ fs_manage_cifs_symlinks(httpd_suexec_t)
++ fs_exec_cifs_files(httpd_suexec_t)
++')
++
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
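Review bot: The `httpd_use_cifs` block grants `fs_exec_cifs_files` only to `httpd_suexec_t`, while the `httpd_use_nfs` block in the earlier hunk grants `fs_exec_nfs_files` to both `httpd_sys_script_t` and `httpd_suexec_t`. If the difference is deliberate it needs a comment. If it is an omission, either add `fs_exec_cifs_files(httpd_sys_script_t)` or drop the NFS exec grant for the script domain, so that both booleans expose the same surface. The narrower of the two options is preferable, since both blocks already pair manage with exec on the same mount for `httpd_suexec_t`.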
+@@ -842,10 +1125,20 @@ optional_policy(`
+ optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
++ mysql_read_config(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ ########################################
+@@ -891,11 +1184,21 @@ optional_policy(`
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ ')
+
+ # allow accessing files/dirs below the users home dir
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_t)
+- userdom_search_user_home_dirs(httpd_suexec_t)
+- userdom_search_user_home_dirs(httpd_user_script_t)
++ userdom_search_user_home_content(httpd_t)
++ userdom_search_user_home_content(httpd_suexec_t)
++ userdom_search_user_home_content(httpd_user_script_t)
++')
++
++tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_t)
++ userdom_read_user_home_content_files(httpd_suexec_t)
++ userdom_read_user_home_content_files(httpd_user_script_t)
+ ')
+diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
+index 3b7d9eb..6a7073b 100644
+--- a/policy/modules/services/apcupsd.te
++++ b/policy/modules/services/apcupsd.te
+@@ -94,6 +94,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(apcupsd_t)
++')
++
++optional_policy(`
+ mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
+ ')
+diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
+index 1ea99b2..49e6c74 100644
+--- a/policy/modules/services/apm.if
++++ b/policy/modules/services/apm.if
+@@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
+ type apmd_t;
+ ')
+
+- allow $1 apmd_t:fifo_file write;
++ allow $1 apmd_t:fifo_file write_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -89,7 +89,7 @@ interface(`apm_append_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 apmd_log_t:file append;
++ allow $1 apmd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 apmd_var_run_t:sock_file write;
+- allow $1 apmd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
+ ')
+diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
+index 1c8c27e..62bc936 100644
+--- a/policy/modules/services/apm.te
++++ b/policy/modules/services/apm.te
+@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
+ #
+ # Declarations
+ #
++
+ type apmd_t;
+ type apmd_exec_t;
+ init_daemon_domain(apmd_t, apmd_exec_t)
+@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+ dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+ allow apmd_t self:process { signal_perms getsession };
+ allow apmd_t self:fifo_file rw_fifo_file_perms;
++allow apmd_t self:netlink_socket create_socket_perms;
+ allow apmd_t self:unix_dgram_socket create_socket_perms;
+ allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+@@ -81,6 +83,7 @@ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
+
++dev_read_input(apmd_t)
+ dev_read_realtime_clock(apmd_t)
+ dev_read_urand(apmd_t)
+ dev_rw_apm_bios(apmd_t)
+@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
+
+ can_exec(apmd_t, apmd_var_run_t)
+
+- # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+- sysnet_domtrans_ifconfig(apmd_t)
++ fstools_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
+ netutils_domtrans(apmd_t)
+ ')
+
++ # ifconfig_exec_t needs to be run in its own domain for Red Hat
++ optional_policy(`
++ sssd_search_lib(apmd_t)
++ ')
++
++ optional_policy(`
++ sysnet_domtrans_ifconfig(apmd_t)
++ ')
++
+ ',`
+ # for ifconfig which is run all the time
+ kernel_dontaudit_search_sysctl(apmd_t)
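Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` now sits above the `sssd_search_lib(apmd_t)` block, although the rule it describes, `sysnet_domtrans_ifconfig(apmd_t)`, is in the following `optional_policy`. Move the comment down one block so it stays with the ifconfig transition. The sssd rule should get its own comment naming the denial it resolves. The enclosing `distro_redhat` ifdef starts outside this hunk.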
+diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
+index c804110..bdefbe1 100644
+--- a/policy/modules/services/arpwatch.if
++++ b/policy/modules/services/arpwatch.if
+@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
+ type arpwatch_initrc_exec_t;
+ ')
+
+- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
++ allow $1 arpwatch_t:process { ptrace signal_perms };
+ ps_process_pattern($1, arpwatch_t)
+
+ arpwatch_initrc_domtrans($1)
+diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
+index 8b8143e..c1a2b96 100644
+--- a/policy/modules/services/asterisk.if
++++ b/policy/modules/services/asterisk.if
+@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
+ type asterisk_initrc_exec_t;
+ ')
+
+- allow $1 asterisk_t:process { ptrace signal_perms getattr };
++ allow $1 asterisk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
+index d80a16b..a43e006 100644
+--- a/policy/modules/services/automount.if
++++ b/policy/modules/services/automount.if
+@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
+ ##
+ ##
+ #
+-#
+ interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+@@ -68,7 +67,8 @@ interface(`automount_read_state',`
+ type automount_t;
+ ')
+
+- read_files_pattern($1, automount_t, automount_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, automount_t)
+ ')
+
+ ########################################
+@@ -123,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+ type automount_tmp_t;
+ ')
+
+- dontaudit $1 automount_tmp_t:dir getattr;
++ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
+ ')
+
+ ########################################
+@@ -149,7 +149,7 @@ interface(`automount_admin',`
+ type automount_var_run_t, automount_initrc_exec_t;
+ ')
+
+- allow $1 automount_t:process { ptrace signal_perms getattr };
++ allow $1 automount_t:process { ptrace signal_perms };
+ ps_process_pattern($1, automount_t)
+
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
+diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
+index 39799db..6189565 100644
+--- a/policy/modules/services/automount.te
++++ b/policy/modules/services/automount.te
+@@ -145,6 +145,7 @@ miscfiles_read_generic_certs(automount_t)
+
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
++mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(automount_t)
+diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
+index 61c74bc..c6b0498 100644
+--- a/policy/modules/services/avahi.if
++++ b/policy/modules/services/avahi.if
+@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
+ class dbus send_msg;
+ ')
+
++ allow avahi_t $1:file read;
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
+ ')
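Review bot: The added `allow avahi_t $1:file read;` in `avahi_dbus_chat` has no comment, and it gives avahi_t read access to files labeled with the caller's own domain type for every domain that uses this interface. A D-Bus chat interface is normally limited to the two `send_msg` rules, so a reader cannot tell why file access is part of it. If the intent is to let avahi read the peer's /proc entries (an assumption, the hunk does not say), state that in a comment such as `# avahi reads the D-Bus peer's /proc/PID files`. The interface begins outside this hunk.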
+diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
+index 44a1e3d..7e9d2fb 100644
+--- a/policy/modules/services/bind.if
++++ b/policy/modules/services/bind.if
+@@ -186,7 +186,7 @@ interface(`bind_write_config',`
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+- allow $1 named_conf_t:file setattr;
++ allow $1 named_conf_t:file setattr_file_perms;
+ ')
+
+ ########################################
+@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
+ type named_var_run_t;
+ ')
+
+- allow $1 named_var_run_t:dir setattr;
++ allow $1 named_var_run_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
+ type named_zone_t;
+ ')
+
+- allow $1 named_zone_t:dir setattr;
++ allow $1 named_zone_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
+
+ ########################################
+ ##
++## Read BIND zone files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_read_log',`
++ gen_require(`
++ type named_zone_t;
++ type named_log_t;
++ ')
++
++ files_search_var($1)
++ allow $1 named_zone_t:dir search_dir_perms;
++ read_files_pattern($1, named_log_t, named_log_t)
++')
++
++########################################
++##
+ ## Manage BIND zone files.
+ ##
+ ##
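Review bot: The summary of the new `bind_read_log` interface says `Read BIND zone files.`, which is the text of `bind_read_zone` above it, while the body reads `named_log_t` files. The summary should read `Read BIND log files.`. The interface also grants `search_dir_perms` on `named_zone_t`, presumably because the logs live below the zone directory, and a comment on that line would make the reason explicit.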
+@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',`
+ interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+- type named_conf_t, named_var_lib_t, named_var_run_t;
+- type named_cache_t, named_zone_t;
+- type dnssec_t, ndc_t;
+- type named_initrc_exec_t;
++ type named_conf_t, named_var_run_t, named_cache_t;
++ type named_zone_t, named_initrc_exec_t;
++ type dnssec_t, ndc_t, named_keytab_t;
+ ')
+
+ allow $1 named_t:process { ptrace signal_perms };
+@@ -391,8 +411,7 @@ interface(`bind_admin',`
+ admin_pattern($1, named_zone_t)
+ admin_pattern($1, dnssec_t)
+
+- files_list_var_lib($1)
+- admin_pattern($1, named_var_lib_t)
++ admin_pattern($1, named_keytab_t)
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
+index 4deca04..0bde225 100644
+--- a/policy/modules/services/bind.te
++++ b/policy/modules/services/bind.te
+@@ -6,10 +6,10 @@ policy_module(bind, 1.11.0)
+ #
+
+ ##
+-##
+-## Allow BIND to write the master zone files.
+-## Generally this is used for dynamic DNS or zone transfers.
+-##
++##
++## Allow BIND to write the master zone files.
++## Generally this is used for dynamic DNS or zone transfers.
++##
+ ##
+ gen_tunable(named_write_master_zones, false)
+
+@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+ manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+ files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
++manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+-files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
++files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
+
+ # read zone files
+ allow named_t named_zone_t:dir list_dir_perms;
+@@ -201,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
+ allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow ndc_t dnssec_t:file read_file_perms;
+-allow ndc_t dnssec_t:lnk_file { getattr read };
++allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
+
+ stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+ allow ndc_t named_conf_t:file read_file_perms;
+-allow ndc_t named_conf_t:lnk_file { getattr read };
++allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+
+ allow ndc_t named_zone_t:dir search_dir_perms;
+
+@@ -244,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
+
+ # for /etc/rndc.key
+ ifdef(`distro_redhat',`
+- allow ndc_t named_conf_t:dir search;
++ allow ndc_t named_conf_t:dir search_dir_perms;
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
+index 3e45431..fa57a6f 100644
+--- a/policy/modules/services/bluetooth.if
++++ b/policy/modules/services/bluetooth.if
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`bluetooth_role',`
+ gen_require(`
+@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+- allow $2 bluetooth_helper_t:process signal;
++ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
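Review bot: The rule on `bluetooth_helper_t` goes from `signal` to `{ ptrace signal_perms }`, which lets the user domain passed as `$2` trace the helper process, while the comment above it still says only `allow ps to show cdrecord and allow the user to kill it`. ptrace gives the caller access to the helper's memory and registers, which is far more than listing and killing require; `allow $2 bluetooth_helper_t:process signal_perms;` would cover the stated purpose. The comment also names cdrecord rather than the bluetooth helper and should be corrected. `bluetooth_role` continues outside this hunk.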
+@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
+ type bluetooth_conf_t;
+ ')
+
+- allow $1 bluetooth_conf_t:file { getattr read ioctl };
++ allow $1 bluetooth_conf_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## bluetooth over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bluetooth_dontaudit_dbus_chat',`
++ gen_require(`
++ type bluetooth_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 bluetooth_t:dbus send_msg;
++ dontaudit bluetooth_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+ ##
+ ##
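Review bot: The parameter description of the new `bluetooth_dontaudit_dbus_chat` says `Domain allowed access.`, but the interface only adds dontaudit rules; the description should be `Domain to not audit.`. The second rule, `dontaudit bluetooth_t $1:dbus send_msg;`, also silences denials raised by bluetooth_t itself, so a caller hides messages in both directions, and the summary should say so. `bugzilla_dontaudit_rw_script_stream_sockets` later in this patch has the same parameter text.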
+@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',`
+
+ ########################################
+ ##
+-## Read bluetooth helper state files.
++## Do not audit attempts to read bluetooth helper state files.
+ ##
+ ##
+ ##
+@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ type bluetooth_helper_t;
+ ')
+
+- dontaudit $1 bluetooth_helper_t:dir search;
+- dontaudit $1 bluetooth_helper_t:file { read getattr };
++ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
++ dontaudit $1 bluetooth_helper_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ interface(`bluetooth_admin',`
+ gen_require(`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
++ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t;
+- type bluetooth_initrc_exec_t;
+ ')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
+@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
+ admin_pattern($1, bluetooth_conf_t)
+ admin_pattern($1, bluetooth_conf_rw_t)
+
+- files_list_spool($1)
+- admin_pattern($1, bluetooth_spool_t)
+-
+ files_list_var_lib($1)
+ admin_pattern($1, bluetooth_var_lib_t)
+
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 215b86b..913d2a9 100644
+--- a/policy/modules/services/bluetooth.te
++++ b/policy/modules/services/bluetooth.te
+@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
+ #
+ # Declarations
+ #
++
+ type bluetooth_t;
+ type bluetooth_exec_t;
+ init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t)
+ #search debugfs - redhat bug 548206
+ kernel_search_debugfs(bluetooth_t)
+
++ifdef(`hide_broken_symptoms', `
++ kernel_rw_unlabeled_socket(bluetooth_t)
++ dev_rw_generic_chr_files(bluetooth_t)
++')
++
+ corenet_all_recvfrom_unlabeled(bluetooth_t)
+ corenet_all_recvfrom_netlabel(bluetooth_t)
+ corenet_tcp_sendrecv_generic_if(bluetooth_t)
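Review bot: The new `hide_broken_symptoms` block calls `kernel_rw_unlabeled_socket(bluetooth_t)` and `dev_rw_generic_chr_files(bluetooth_t)`, which by their names grant read/write access rather than suppress audit messages. Read/write on generic character devices and unlabeled sockets is broad for a daemon that handles radio and network input, and the block carries no comment or bug reference, unlike the `redhat bug 548206` note just above it. If the goal is only to quiet denials from a leaked descriptor or a mislabeled device node, use the dontaudit forms of these interfaces. Otherwise add a comment such as `# needed until <BUG-ID placeholder> is fixed: <device node>` naming what is actually opened.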
+@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+ optional_policy(`
++ devicekit_dbus_chat_power(bluetooth_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
+diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
+new file mode 100644
+index 0000000..c095160
+--- /dev/null
++++ b/policy/modules/services/boinc.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
+new file mode 100644
+index 0000000..fa9b95a
+--- /dev/null
++++ b/policy/modules/services/boinc.if
+@@ -0,0 +1,150 @@
++## policy for boinc
++
++########################################
++##
++## Execute a domain transition to run boinc.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_domtrans',`
++ gen_require(`
++ type boinc_t, boinc_exec_t;
++ ')
++
++ domtrans_pattern($1, boinc_exec_t, boinc_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_initrc_domtrans',`
++ gen_require(`
++ type boinc_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++')
++
++########################################
++##
++## Search boinc lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_search_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ allow $1 boinc_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_read_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Manage boinc var_lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_var_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an boinc environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`boinc_admin',`
++ gen_require(`
++ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++ ')
++
++ allow $1 boinc_t:process { ptrace signal_perms };
++ ps_process_pattern($1, boinc_t)
++
++ boinc_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 boinc_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_var_lib($1)
++ admin_pattern($1, boinc_var_lib_t)
++')
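Review bot: `boinc_admin` manages only `boinc_var_lib_t`, although boinc.fc in this patch labels `/var/lib/boinc/projects` and `/var/lib/boinc/slots` as `boinc_project_var_lib_t`, and boinc.te also declares `boinc_project_t`, `boinc_tmp_t` and `boinc_project_tmp_t`. A confined administrator using this interface therefore cannot clean up project data or signal project processes. The sketch below adds the missing types to the require block and the matching rules, and leaves ptrace off the project domain since signalling is enough for administration. `boinc_manage_lib_files` and `boinc_manage_var_lib` also overlap, and their summaries should say that the second additionally covers directories and symlinks.

```selinux
interface(`boinc_admin',`
	gen_require(`
		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
		type boinc_project_t, boinc_project_var_lib_t;
		type boinc_tmp_t, boinc_project_tmp_t;
	')

	# … unchanged: boinc_t process rules, initrc transition and role rules …

	allow $1 boinc_project_t:process signal_perms;
	ps_process_pattern($1, boinc_project_t)

	files_list_var_lib($1)
	admin_pattern($1, boinc_var_lib_t)
	admin_pattern($1, boinc_project_var_lib_t)

	files_list_tmp($1)
	admin_pattern($1, boinc_tmp_t)
	admin_pattern($1, boinc_project_tmp_t)
```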
+diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
+new file mode 100644
+index 0000000..4bc3f06
+--- /dev/null
++++ b/policy/modules/services/boinc.te
+@@ -0,0 +1,167 @@
++policy_module(boinc, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type boinc_t;
++type boinc_exec_t;
++init_daemon_domain(boinc_t, boinc_exec_t)
++
++type boinc_initrc_exec_t;
++init_script_file(boinc_initrc_exec_t)
++
++type boinc_tmp_t;
++files_tmp_file(boinc_tmp_t)
++
++type boinc_tmpfs_t;
++files_tmpfs_file(boinc_tmpfs_t)
++
++type boinc_var_lib_t;
++files_type(boinc_var_lib_t)
++
++type boinc_project_t;
++domain_type(boinc_project_t)
++role system_r types boinc_project_t;
++
++permissive boinc_project_t;
++
++type boinc_project_tmp_t;
++files_tmp_file(boinc_project_tmp_t)
++
++type boinc_project_var_lib_t;
++files_type(boinc_project_var_lib_t)
++
++########################################
++#
++# boinc local policy
++#
++
++allow boinc_t self:capability { kill };
++allow boinc_t self:process { setsched sigkill };
++
++allow boinc_t self:fifo_file rw_fifo_file_perms;
++allow boinc_t self:unix_stream_socket create_stream_socket_perms;
++allow boinc_t self:tcp_socket create_stream_socket_perms;
++allow boinc_t self:sem create_sem_perms;
++allow boinc_t self:shm create_shm_perms;
++
++manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
++manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
++files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
++
++manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
++fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
++
++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
++
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++
++kernel_read_system_state(boinc_t)
++
++files_getattr_all_dirs(boinc_t)
++files_getattr_all_files(boinc_t)
++
++corecmd_exec_bin(boinc_t)
++corecmd_exec_shell(boinc_t)
++
++corenet_all_recvfrom_unlabeled(boinc_t)
++corenet_all_recvfrom_netlabel(boinc_t)
++corenet_tcp_sendrecv_generic_if(boinc_t)
++corenet_udp_sendrecv_generic_if(boinc_t)
++corenet_tcp_sendrecv_generic_node(boinc_t)
++corenet_udp_sendrecv_generic_node(boinc_t)
++corenet_tcp_sendrecv_all_ports(boinc_t)
++corenet_udp_sendrecv_all_ports(boinc_t)
++corenet_tcp_bind_generic_node(boinc_t)
++corenet_udp_bind_generic_node(boinc_t)
++corenet_tcp_bind_boinc_port(boinc_t)
++corenet_tcp_connect_boinc_port(boinc_t)
++corenet_tcp_connect_http_port(boinc_t)
++corenet_tcp_connect_http_cache_port(boinc_t)
++
++dev_list_sysfs(boinc_t)
++dev_read_rand(boinc_t)
++dev_read_urand(boinc_t)
++dev_read_sysfs(boinc_t)
++
++domain_read_all_domains_state(boinc_t)
++
++files_dontaudit_getattr_boot_dirs(boinc_t)
++
++files_read_etc_files(boinc_t)
++files_read_usr_files(boinc_t)
++
++fs_getattr_all_fs(boinc_t)
++
++term_dontaudit_getattr_ptmx(boinc_t)
++
++miscfiles_read_localization(boinc_t)
++miscfiles_read_generic_certs(boinc_t)
++
++logging_send_syslog_msg(boinc_t)
++
++sysnet_dns_name_resolve(boinc_t)
++
++mta_send_mail(boinc_t)
++
++########################################
++#
++# boinc-projects local policy
++#
++
++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
++
++allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { execmem execstack };
++
++allow boinc_project_t self:fifo_file rw_fifo_file_perms;
++allow boinc_project_t self:sem create_sem_perms;
++
++manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
++
++allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++
++allow boinc_project_t boinc_project_var_lib_t:file execmod;
++
++allow boinc_project_t boinc_t:shm rw_shm_perms;
++allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
++
++list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
++rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
++
++kernel_read_system_state(boinc_project_t)
++kernel_read_kernel_sysctls(boinc_project_t)
++kernel_search_vm_sysctl(boinc_project_t)
++kernel_read_network_state(boinc_project_t)
++
++corecmd_exec_bin(boinc_project_t)
++corecmd_exec_shell(boinc_project_t)
++
++corenet_tcp_connect_boinc_port(boinc_project_t)
++
++dev_read_rand(boinc_project_t)
++dev_read_urand(boinc_project_t)
++dev_read_sysfs(boinc_project_t)
++dev_rw_xserver_misc(boinc_project_t)
++
++files_read_etc_files(boinc_project_t)
++
++miscfiles_read_fonts(boinc_project_t)
++miscfiles_read_localization(boinc_project_t)
++
++optional_policy(`
++ java_exec(boinc_project_t)
++')
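Review bot: `permissive boinc_project_t;` ships in the declarations, so none of the rules written below for `boinc_project_t` are enforced and denials are only logged. That domain is entered through `domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)` for files that boinc_t itself creates and manages, presumably project binaries obtained at run time, which makes it the domain in this module that most needs confinement. Remove the `permissive` line before the module is enabled by default, or mark it `# TODO: drop once the project policy is complete` so it is not forgotten. The project domain also receives `execmem execstack`, `execmod`, and both manage and exec on `boinc_project_var_lib_t`; each of these should carry a comment naming the workload that requires it.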
+diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
+new file mode 100644
+index 0000000..18f37e2
+--- /dev/null
++++ b/policy/modules/services/bugzilla.fc
+@@ -0,0 +1,4 @@
++
++/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
++/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
+new file mode 100644
+index 0000000..3964548
+--- /dev/null
++++ b/policy/modules/services/bugzilla.if
+@@ -0,0 +1,80 @@
++## Bugzilla server
++
++########################################
++##
++## Allow the specified domain to search
++## bugzilla directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bugzilla_search_dirs',`
++ gen_require(`
++ type httpd_bugzilla_content_t;
++ ')
++
++ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## bugzilla script unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
++ gen_require(`
++ type httpd_bugzilla_script_t;
++ ')
++
++ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an bugzilla environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the bugzilla domain.
++##
++##
++##
++#
++interface(`bugzilla_admin',`
++ gen_require(`
++ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
++ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
++ type httpd_bugzilla_htaccess_t;
++ ')
++
++ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, httpd_bugzilla_script_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, httpd_bugzilla_tmp_t)
++
++ files_list_var_lib(httpd_bugzilla_script_t)
++
++ apache_list_sys_content($1)
++ admin_pattern($1, httpd_bugzilla_script_exec_t)
++ admin_pattern($1, httpd_bugzilla_script_t)
++ admin_pattern($1, httpd_bugzilla_content_t)
++ admin_pattern($1, httpd_bugzilla_htaccess_t)
++ admin_pattern($1, httpd_bugzilla_rw_content_t)
++ admin_pattern($1, httpd_bugzilla_ra_content_t)
++')
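Review bot: In `bugzilla_admin` the line `files_list_var_lib(httpd_bugzilla_script_t)` passes the script domain instead of the caller, so each use of the admin interface widens the CGI domain and gives the administrator nothing; it should read `files_list_var_lib($1)`. The header documents a role parameter, but the body never uses `$2` (compare `boinc_admin` in this patch, which uses it in its role rules), so either remove the parameter from the documentation or add the rules. `admin_pattern($1, httpd_bugzilla_script_t)` applies a file pattern to what is used as a process type two lines earlier and looks unintended.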
+diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
+new file mode 100644
+index 0000000..c63c8fa
+--- /dev/null
++++ b/policy/modules/services/bugzilla.te
+@@ -0,0 +1,55 @@
++policy_module(bugzilla, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(bugzilla)
++
++type httpd_bugzilla_tmp_t;
++files_tmp_file(httpd_bugzilla_tmp_t)
++
++########################################
++#
++# bugzilla local policy
++#
++
++allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
++allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
++allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
++corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
++corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
++corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
++
++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++
++files_search_var_lib(httpd_bugzilla_script_t)
++
++mta_send_mail(httpd_bugzilla_script_t)
++
++sysnet_read_config(httpd_bugzilla_script_t)
++sysnet_use_ldap(httpd_bugzilla_script_t)
++
++optional_policy(`
++ mysql_search_db(httpd_bugzilla_script_t)
++ mysql_stream_connect(httpd_bugzilla_script_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_bugzilla_script_t)
++')
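Review bot: The `corenet_tcp_connect_postgresql_port`, `corenet_tcp_connect_mysqld_port`, `corenet_tcp_connect_http_port` and `corenet_tcp_connect_smtp_port` calls are unconditional, whereas the Apache hunks earlier in this patch put database TCP access for `httpd_sys_script_t` and `httpd_suexec_t` behind `httpd_can_network_connect_db`. A Bugzilla script can therefore open outbound database, HTTP and SMTP connections even when the administrator has left the httpd network booleans off. Gating the connects on the existing booleans, as sketched below, keeps this module consistent with the rest of the web policy. If the exemption is deliberate, a comment should explain it.

```selinux
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
	corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
	corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
	corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
')

tunable_policy(`httpd_can_network_connect',`
	corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
	corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
')
```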
+diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
+new file mode 100644
+index 0000000..24d9837
+--- /dev/null
++++ b/policy/modules/services/cachefilesd.fc
+@@ -0,0 +1,29 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories:
++
++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
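Review bot: The pid-file entry on the last line labels `/var/run/cachefilesd\.pid` as `cachefiles_var_t`, the cache-content type. cachefilesd.te in this same patch instead declares `cachefilesd_var_run_t` with `files_pid_file()` and sets `files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)`. After a relabel the pid file would carry the type that `cachefiles_kernel_t` is allowed to manage, and it would no longer match what the daemon creates at runtime. The entry should read `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`.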
+diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
+new file mode 100644
+index 0000000..3b41945
+--- /dev/null
++++ b/policy/modules/services/cachefilesd.if
+@@ -0,0 +1,35 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++## policy for cachefilesd
++
++########################################
++##
++## Execute a domain transition to run cachefilesd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cachefilesd_domtrans',`
++ gen_require(`
++ type cachefilesd_t, cachefilesd_exec_t;
++ ')
++
++ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
++')
+diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
+new file mode 100644
+index 0000000..575c16e
+--- /dev/null
++++ b/policy/modules/services/cachefilesd.te
+@@ -0,0 +1,143 @@
++###############################################################################
++#
++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# This security policy governs access by the CacheFiles kernel module and
++# userspace management daemon to the files and directories in the on-disk
++# cache, on behalf of the processes accessing the cache through a network
++# filesystem such as NFS
++#
++policy_module(cachefilesd, 1.0.17)
++
++###############################################################################
++#
++# Declarations
++#
++
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
++type cachefilesd_t;
++type cachefilesd_exec_t;
++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
++
++#
++# The cachefilesd daemon pid file context
++#
++type cachefilesd_var_run_t;
++files_pid_file(cachefilesd_var_run_t)
++
++#
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
++#
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
++#
++# Permit RPM to deal with files in the cache
++#
++rpm_use_script_fds(cachefilesd_t)
++
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These define what cachefilesd is permitted to do. This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache. It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
++
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
++manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
++files_create_as_is_all_files(cachefilesd_t)
++
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
++
++# Allow access to cache superstructure
++allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
++allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
++
++# Permit statfs on the backing filesystem
++fs_getattr_xattr_fs(cachefilesd_t)
++
++# Basic access
++files_read_etc_files(cachefilesd_t)
++miscfiles_read_localization(cachefilesd_t)
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
++term_dontaudit_use_generic_ptys(cachefilesd_t)
++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++
++###############################################################################
++#
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++#
++# There are two parts to this:
++#
++# (1) the security context used by the module to access files in the cache,
++# as set by the 'secctx' command in /etc/cachefilesd.conf, and
++#
++allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
++
++#
++# (2) the label that will be assigned to new files and directories created in
++# the cache by the module, which will be the same as the label on the
++# directory pointed to by the 'dir' command.
++#
++allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
++
++###############################################################################
++#
++# cachefiles kernel module local policy
++#
++# This governs what the kernel module is allowed to do the contents of the
++# cache.
++#
++allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
++
++manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++
++fs_getattr_xattr_fs(cachefiles_kernel_t)
++
++dev_search_sysfs(cachefiles_kernel_t)
++
++init_sigchld_script(cachefiles_kernel_t)
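Review bot: `files_create_as_is_all_files(cachefilesd_t)` sits under the "Allow manipulation of pid file" comment, but judging by its name it is not limited to the pid file and appears to cover every file type (its definition is not part of this file). If so, it makes the narrow `allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };` rule in part (2) pointless, and it contradicts the section comment that says cachefilesd is permitted very little. Drop the call and rely on the `cachefiles_var_t` rule, or give it its own comment stating which operation needs it. Separately, `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` is already covered by the `manage_files_pattern` call on the next line.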
+diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
+index a0dfd2f..d60e2bf 100644
+--- a/policy/modules/services/canna.te
++++ b/policy/modules/services/canna.te
+@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+ allow canna_t self:tcp_socket create_stream_socket_perms;
+
+ manage_files_pattern(canna_t, canna_log_t, canna_log_t)
+-allow canna_t canna_log_t:dir setattr;
++allow canna_t canna_log_t:dir setattr_dir_perms;
+ logging_log_filetrans(canna_t, canna_log_t, { file dir })
+
+ manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
+index 6ee2cc8..3105b09 100644
+--- a/policy/modules/services/ccs.if
++++ b/policy/modules/services/ccs.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ccs.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ccs_domtrans',`
+diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
+index 4c90b57..8d7e14e 100644
+--- a/policy/modules/services/ccs.te
++++ b/policy/modules/services/ccs.te
+@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
+-allow ccs_t ccs_var_log_t:dir setattr;
++allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
+ userdom_manage_unpriv_user_shared_mem(ccs_t)
+ userdom_manage_unpriv_user_semaphores(ccs_t)
+
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
+ ')
+@@ -118,5 +118,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ qpidd_rw_semaphores(ccs_t)
++ qpidd_rw_shm(ccs_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ccs_t)
+ ')
+diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
+index fa62787..ffd0da5 100644
+--- a/policy/modules/services/certmaster.if
++++ b/policy/modules/services/certmaster.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run certmaster.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`certmaster_domtrans',`
+@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
+ ##
+ ##
+ ##
+-## The role to be allowed to manage the syslog domain.
++## Role allowed access.
+ ##
+ ##
+ ##
+@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
+ interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+- type certmaster_etc_rw_t, certmaster_var_log_t;
+- type certmaster_initrc_exec_t;
++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+@@ -129,8 +128,8 @@ interface(`certmaster_admin',`
+ allow $2 system_r;
+
+ files_list_etc($1)
+- miscfiles_manage_generic_cert_dirs($1)
+- miscfiles_manage_generic_cert_files($1)
++ miscfiles_manage_generic_cert_dirs($1)
++ miscfiles_manage_generic_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
+index 73f03ff..dbfd0a6 100644
+--- a/policy/modules/services/certmaster.te
++++ b/policy/modules/services/certmaster.te
+@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+ # log files
+ manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
++logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
+
+ # pid file
+ manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+ manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
++files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
+
+ # read meminfo
+ kernel_read_system_state(certmaster_t)
+@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
+ corenet_tcp_bind_certmaster_port(certmaster_t)
+
+ files_search_etc(certmaster_t)
++files_read_usr_files(certmaster_t)
+ files_list_var(certmaster_t)
+ files_search_var_lib(certmaster_t)
+
+diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
+index 7a6e5ba..d664be8 100644
+--- a/policy/modules/services/certmonger.if
++++ b/policy/modules/services/certmonger.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run certmonger.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`certmonger_domtrans',`
+@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+ ')
+diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
+index 1a65b5e..e281c74 100644
+--- a/policy/modules/services/certmonger.te
++++ b/policy/modules/services/certmonger.te
+@@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t)
+ #
+
+ allow certmonger_t self:capability { kill sys_nice };
++dontaudit certmonger_t self:capability sys_tty_config;
+ allow certmonger_t self:process { getsched setsched sigkill };
+ allow certmonger_t self:fifo_file rw_file_perms;
+ allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+@@ -32,7 +33,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+ manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
++files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+@@ -51,6 +52,8 @@ files_read_etc_files(certmonger_t)
+ files_read_usr_files(certmonger_t)
+ files_list_tmp(certmonger_t)
+
++auth_rw_cache(certmonger_t)
++
+ logging_send_syslog_msg(certmonger_t)
+
+ miscfiles_read_localization(certmonger_t)
+@@ -58,6 +61,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+
+ sysnet_dns_name_resolve(certmonger_t)
+
++userdom_search_user_home_content(certmonger_t)
++
++optional_policy(`
++ apache_search_config(certmonger_t)
++')
++
++optional_policy(`
++ bind_search_cache(certmonger_t)
++')
++
+ optional_policy(`
+ dbus_system_bus_client(certmonger_t)
+ dbus_connect_system_bus(certmonger_t)
+@@ -68,5 +81,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ pcscd_read_pub_files(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
+ ')
++
+diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
+index d020c93..e5cbcef 100644
+--- a/policy/modules/services/cgroup.if
++++ b/policy/modules/services/cgroup.if
+@@ -6,9 +6,9 @@
+ ## CG Clear.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgclear',`
+@@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',`
+ ## CG config parser.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgconfig',`
+@@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
+ ## CG rules engine daemon.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgred',`
+@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
+
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
+- files_search_etc($1)
++ files_list_etc($1)
+
+ admin_pattern($1, cgred_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
+
+ cgroup_initrc_domtrans_cgconfig($1)
+ domain_system_change_exemption($1)
+diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
+index 8ca2333..63a18fc 100644
+--- a/policy/modules/services/cgroup.te
++++ b/policy/modules/services/cgroup.te
+@@ -22,8 +22,8 @@ files_pid_file(cgred_var_run_t)
+ type cgrules_etc_t;
+ files_config_file(cgrules_etc_t)
+
+-type cgconfig_t;
+-type cgconfig_exec_t;
++type cgconfig_t alias cgconfigparser_t;
++type cgconfig_exec_t alias cgconfigparser_exec_t;
+ init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+ type cgconfig_initrc_exec_t;
+@@ -52,7 +52,7 @@ fs_unmount_cgroup(cgclear_t)
+ # cgconfig personal policy.
+ #
+
+-allow cgconfig_t self:capability { chown sys_admin };
++allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
+
+ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+
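Review bot: The capability line now adds `dac_override` and `fowner` to `cgconfig_t` with no comment on which operation needs them. `dac_override` lets the domain ignore file mode bits on everything its type rules already reach, so confirm the original denial was not a read or directory search that `dac_read_search` would satisfy. Proposed comment above the rule: `# dac_override/fowner: needed for <denied operation> -- TODO confirm dac_read_search is not sufficient`.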
+diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
+index 9a0da94..2ede737 100644
+--- a/policy/modules/services/chronyd.if
++++ b/policy/modules/services/chronyd.if
+@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+ ')
+
++########################################
++##
++## Execute chronyd server in the chronyd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chronyd_initrc_domtrans',`
++ gen_require(`
++ type chronyd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
++')
++
+ ####################################
+ ##
+ ## Execute chronyd
+@@ -56,6 +74,64 @@ interface(`chronyd_read_log',`
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+ ')
+
++########################################
++##
++## Read and write chronyd shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_rw_shm',`
++ gen_require(`
++ type chronyd_t, chronyd_tmpfs_t;
++ ')
++
++ allow $1 chronyd_t:shm rw_shm_perms;
++ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
++ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## Read chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_read_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
++########################################
++##
++## Append chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_append_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
+ ####################################
+ ##
+ ## All of the rules required to administrate
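Review bot: `chronyd_read_keys` and `chronyd_append_keys` open chronyd's key file to whichever domain calls them, yet their descriptions say only "Read chronyd keys files" and "Append chronyd keys files". Going by the type name these are presumably authentication keys, so reading discloses them and appending can add new ones. Each description should state that, e.g. `## Read chronyd keys files (discloses chronyd key material).`. Both interfaces also grant file access without a search call on the parent directory; `chronyd_admin` pairs `files_list_etc($1)` with `chronyd_keys_t`, so `files_search_etc($1)` is probably wanted here, to be confirmed against the file contexts.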
+@@ -75,9 +151,9 @@ interface(`chronyd_read_log',`
+ #
+ interface(`chronyd_admin',`
+ gen_require(`
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+@@ -88,18 +164,17 @@ interface(`chronyd_admin',`
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, chronyd_tmp_t)
++ admin_pattern($1, chronyd_tmpfs_t)
+ ')
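Review bot: `admin_pattern($1, chronyd_tmpfs_t)` on the last added line is the only `admin_pattern` call in this interface with no directory call before it, because the removed `files_search_tmp($1)` was dropped rather than replaced. `chronyd_rw_shm`, added earlier in this file, uses `fs_search_tmpfs($1)` for the same type, and adding `fs_search_tmpfs($1)` before this line would keep the block consistent. The body of `chronyd_admin` starts outside this hunk.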
+diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
+index fa82327..7f4ca47 100644
+--- a/policy/modules/services/chronyd.te
++++ b/policy/modules/services/chronyd.te
+@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
+ type chronyd_keys_t;
+ files_type(chronyd_keys_t)
+
++type chronyd_tmpfs_t;
++files_tmpfs_file(chronyd_tmpfs_t)
++
+ type chronyd_var_lib_t;
+ files_type(chronyd_var_lib_t)
+
+@@ -37,6 +40,10 @@ allow chronyd_t self:unix_dgram_socket create_socket_perms;
+
+ allow chronyd_t chronyd_keys_t:file read_file_perms;
+
++manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
++manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
++fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
++
+ manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+ manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+ manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+@@ -50,6 +57,7 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+ manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+ files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+
++corenet_udp_bind_generic_node(chronyd_t)
+ corenet_udp_bind_ntp_port(chronyd_t)
+ # bind to udp/323
+ corenet_udp_bind_chronyd_port(chronyd_t)
+diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
+index 1f11572..7f6a7ab 100644
+--- a/policy/modules/services/clamav.if
++++ b/policy/modules/services/clamav.if
+@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
+ type clamd_t, clamd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+ ')
+
+@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',`
+ #
+ interface(`clamav_append_log',`
+ gen_require(`
+- type clamav_log_t;
++ type clamav_var_log_t;
+ ')
+
+ logging_search_logs($1)
+- allow $1 clamav_log_t:dir list_dir_perms;
+- append_files_pattern($1, clamav_log_t, clamav_log_t)
++ allow $1 clamav_var_log_t:dir list_dir_perms;
++ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+ ')
+
+ ########################################
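Review bot: `clamav_append_log` now requires `clamav_var_log_t`, but the only clamd log type visible elsewhere in this patch is `clamd_var_log_t`, which `clamav_admin` requires and clamav.te uses throughout. If `clamav_var_log_t` is not declared anywhere, the `gen_require` cannot be met: callers will fail to build, or the call will be dropped without notice when it sits inside `optional_policy`. Unless the type exists outside the lines shown, the three changed lines should use `clamd_var_log_t`, e.g. `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)`.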
+@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
+ interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+- type clamd_var_log_t, clamd_var_lib_t;
+- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+- type clamd_initrc_exec_t;
++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
+ ')
+
+diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
+index 8c36027..532fa91 100644
+--- a/policy/modules/services/clamav.te
++++ b/policy/modules/services/clamav.te
+@@ -1,9 +1,9 @@
+ policy_module(clamav, 1.8.1)
+
+ ##
+-##
+-## Allow clamd to use JIT compiler
+-##
++##
++## Allow clamd to use JIT compiler
++##
+ ##
+ gen_tunable(clamd_use_jit, false)
+
+@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t)
+
+ allow clamd_t self:capability { kill setgid setuid dac_override };
+ dontaudit clamd_t self:capability sys_tty_config;
++allow clamd_t self:process signal;
++
+ allow clamd_t self:fifo_file rw_fifo_file_perms;
+ allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow clamd_t self:unix_dgram_socket create_socket_perms;
+@@ -80,6 +82,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+ # var/lib files for clamd
++manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+@@ -89,9 +92,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+ logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
+
+ # pid file
++manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+ manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
++files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
+
+ kernel_dontaudit_list_proc(clamd_t)
+ kernel_read_sysctl(clamd_t)
+@@ -147,8 +151,10 @@ optional_policy(`
+
+ tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+-', `
++ allow clamscan_t self:process execmem;
++',`
+ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
+ ')
+
+ ########################################
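Review bot: The `clamd_use_jit` boolean now also grants `execmem` to `clamscan_t`, while its description in the first hunk of this file still reads "Allow clamd to use JIT compiler". A later hunk shows the same boolean covering `freshclam_t` as well. An administrator who enables it for clamd would not expect writable-and-executable memory to be allowed for the scanner and the updater too. The description should name every affected domain, e.g. `## Allow clamd, clamscan and freshclam to use JIT compiler`.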
+@@ -178,10 +184,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+
+ # log files (own logfiles only)
+ manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+-allow freshclam_t freshclam_var_log_t:dir setattr;
+-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
++allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
+ logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
++kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_system_state(freshclam_t)
++
++corecmd_exec_shell(freshclam_t)
++corecmd_exec_bin(freshclam_t)
++
+ corenet_all_recvfrom_unlabeled(freshclam_t)
+ corenet_all_recvfrom_netlabel(freshclam_t)
+ corenet_tcp_sendrecv_generic_if(freshclam_t)
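Review bot: `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` are added without a comment, and `freshclam_t` is the domain that connects out to the http port. Allowing that domain to run a shell and generic binaries widens what a compromised updater could do. The rule should carry its reason, e.g. `# freshclam runs <helper> after an update -- TODO confirm`, or be narrowed to the helper's own type. The same applies to `userdom_stream_connect(freshclam_t)` in the `-207,16 +220,18` hunk below, and to replacing the directory search on `clamd_var_log_t` with `read_files_pattern`, which lets freshclam read clamd's log files.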
+@@ -189,6 +201,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+ corenet_tcp_sendrecv_all_ports(freshclam_t)
+ corenet_tcp_sendrecv_clamd_port(freshclam_t)
+ corenet_tcp_connect_http_port(freshclam_t)
++corenet_tcp_connect_clamd_port(freshclam_t)
+ corenet_sendrecv_http_client_packets(freshclam_t)
+
+ dev_read_rand(freshclam_t)
+@@ -207,16 +220,18 @@ miscfiles_read_localization(freshclam_t)
+
+ clamav_stream_connect(freshclam_t)
+
+-optional_policy(`
+- cron_system_entry(freshclam_t, freshclam_exec_t)
+-')
++userdom_stream_connect(freshclam_t)
+
+ tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+-', `
++',`
+ dontaudit freshclam_t self:process execmem;
+ ')
+
++optional_policy(`
++ cron_system_entry(freshclam_t, freshclam_exec_t)
++')
++
+ ########################################
+ #
+ # clamscam local policy
+@@ -251,6 +266,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+ corenet_tcp_connect_clamd_port(clamscan_t)
+
+ kernel_read_kernel_sysctls(clamscan_t)
++kernel_read_system_state(clamscan_t)
+
+ files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
+diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
+index c0a66a4..e438c5f 100644
+--- a/policy/modules/services/clogd.if
++++ b/policy/modules/services/clogd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run clogd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`clogd_domtrans',`
+diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
+index 6077339..d10acd2 100644
+--- a/policy/modules/services/clogd.te
++++ b/policy/modules/services/clogd.te
+@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
+
+ allow clogd_t self:capability { net_admin mknod };
+ allow clogd_t self:process signal;
+-
+ allow clogd_t self:sem create_sem_perms;
+ allow clogd_t self:shm create_shm_perms;
+ allow clogd_t self:netlink_socket create_socket_perms;
+@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
+ # pid files
+ manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+ manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+-files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
++files_pid_filetrans(clogd_t, clogd_var_run_t, file)
+
+ dev_read_lvm_control(clogd_t)
+ dev_manage_generic_blk_files(clogd_t)
+diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
+new file mode 100644
+index 0000000..e500fa5
+--- /dev/null
++++ b/policy/modules/services/cmirrord.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
++
++/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
++
++/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
+diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
+new file mode 100644
+index 0000000..756ac91
+--- /dev/null
++++ b/policy/modules/services/cmirrord.if
+@@ -0,0 +1,113 @@
++## policy for cmirrord
++
++########################################
++##
++## Execute a domain transition to run cmirrord.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cmirrord_domtrans',`
++ gen_require(`
++ type cmirrord_t, cmirrord_exec_t;
++ ')
++
++ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
++')
++
++########################################
++##
++## Execute cmirrord server in the cmirrord domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cmirrord_initrc_domtrans',`
++ gen_require(`
++ type cmirrord_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
++')
++
++########################################
++##
++## Read cmirrord PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cmirrord_read_pid_files',`
++ gen_require(`
++ type cmirrord_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 cmirrord_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Read and write to cmirrord shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cmirrord_rw_shm',`
++ gen_require(`
++ type cmirrord_t, cmirrord_tmpfs_t;
++ ')
++
++ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
++ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an cmirrord environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`cmirrord_admin',`
++ gen_require(`
++ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
++ ')
++
++ allow $1 cmirrord_t:process { ptrace signal_perms };
++ ps_process_pattern($1, cmirrord_t)
++
++ cmirrord_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 cmirrord_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_pids($1)
++ admin_pattern($1, cmirrord_var_run_t)
++')
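Review bot: `cmirrord_rw_shm` is described as "Read and write to cmirrord shared memory", but it also grants `destroy` on the shm object and `delete_files_pattern` on `cmirrord_tmpfs_t`. A caller choosing the interface by name therefore also gains the ability to remove the daemon's segments. Either change the description to `## Read, write and destroy cmirrord shared memory.` or move `destroy` and the delete pattern into a separate interface. For comparison, `chronyd_rw_shm`, added elsewhere in this patch, grants only `rw_shm_perms`.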
+diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
+new file mode 100644
+index 0000000..a2c7134
+--- /dev/null
++++ b/policy/modules/services/cmirrord.te
+@@ -0,0 +1,53 @@
++policy_module(cmirrord, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cmirrord_t;
++type cmirrord_exec_t;
++init_daemon_domain(cmirrord_t, cmirrord_exec_t)
++
++type cmirrord_initrc_exec_t;
++init_script_file(cmirrord_initrc_exec_t)
++
++type cmirrord_tmpfs_t;
++files_tmpfs_file(cmirrord_tmpfs_t)
++
++type cmirrord_var_run_t;
++files_pid_file(cmirrord_var_run_t)
++
++########################################
++#
++# cmirrord local policy
++#
++
++allow cmirrord_t self:capability { net_admin kill };
++dontaudit cmirrord_t self:capability sys_tty_config;
++allow cmirrord_t self:process signal;
++allow cmirrord_t self:fifo_file rw_fifo_file_perms;
++allow cmirrord_t self:sem create_sem_perms;
++allow cmirrord_t self:shm create_shm_perms;
++allow cmirrord_t self:netlink_socket create_socket_perms;
++allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
++
++manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
++manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
++files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
++
++domain_use_interactive_fds(cmirrord_t)
++
++files_read_etc_files(cmirrord_t)
++
++logging_send_syslog_msg(cmirrord_t)
++
++miscfiles_read_localization(cmirrord_t)
++
++optional_policy(`
++ corosync_stream_connect(cmirrord_t)
++')
+diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
+index 1cf6c4e..90c60df 100644
+--- a/policy/modules/services/cobbler.fc
++++ b/policy/modules/services/cobbler.fc
+@@ -1,7 +1,32 @@
+-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
++/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
++
++/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
++
++/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
++
++/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
++
++# This should removable when cobbler package installs /var/www/cobbler/rendered
++/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
++
++/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
+diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
+index 293e08d..e3787fb 100644
+--- a/policy/modules/services/cobbler.if
++++ b/policy/modules/services/cobbler.if
+@@ -1,12 +1,12 @@
+ ## Cobbler installation server.
+ ##
+ ##
+-## Cobbler is a Linux installation server that allows for
+-## rapid setup of network installation environments. It
+-## glues together and automates many associated Linux
+-## tasks so you do not have to hop between lots of various
+-## commands and applications when rolling out new systems,
+-## and, in some cases, changing existing ones.
++## Cobbler is a Linux installation server that allows for
++## rapid setup of network installation environments. It
++## glues together and automates many associated Linux
++## tasks so you do not have to hop between lots of various
++## commands and applications when rolling out new systems,
++## and, in some cases, changing existing ones.
+ ##
+ ##
+
+@@ -15,9 +15,9 @@
+ ## Execute a domain transition to run cobblerd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cobblerd_domtrans',`
+@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
++ corecmd_search_bin($1)
+ ')
+
+ ########################################
+@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
+
+ ########################################
+ ##
+-## Read Cobbler content in /etc
++## List Cobbler configuration.
+ ##
+ ##
+ ##
+@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
+ ##
+ ##
+ #
+-interface(`cobbler_read_config',`
++interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
++ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_etc($1)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write
+-## Cobbler log files (leaked fd).
++## Read Cobbler configuration files.
+ ##
+ ##
+ ##
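Review bot: In the new `cobbler_list_config` interface the rule lists `cobbler_var_lib_t`, although the interface is documented as listing Cobbler configuration and its `gen_require` declares only `cobbler_etc_t`. As written, a caller gets directory listing on the lib/content tree instead of the configuration directory, and the type is used without being required. The rule should read `list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)`.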
+@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
+ ##
+ ##
+ #
+-interface(`cobbler_dontaudit_rw_log',`
++interface(`cobbler_read_config',`
+ gen_require(`
+- type cobbler_var_log_t;
++ type cobbler_etc_t;
+ ')
+
+- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
++ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
++ files_search_etc($1)
+ ')
+
+ ########################################
+@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
+ type cobbler_var_lib_t;
+ ')
+
++ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+ ########################################
+ ##
++## Do not audit attempts to read and write
++## Cobbler log files (leaked fd).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`cobbler_dontaudit_rw_log',`
++ gen_require(`
++ type cobbler_var_log_t;
++ ')
++
++ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an cobblerd environment
+ ##
+@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',`
+ interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+- type cobbler_etc_t, cobblerd_initrc_exec_t;
++ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
++ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
+ ')
+
+- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, cobblerd_t, cobblerd_t)
++ allow $1 cobblerd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, cobblerd_t)
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+
++ apache_list_sys_content($1)
++ admin_pattern($1, httpd_cobbler_content_t)
++ admin_pattern($1, httpd_cobbler_content_ra_t)
+ admin_pattern($1, httpd_cobbler_content_rw_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ optional_policy(`
++ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
++ tftp_search_rw_content($1)
++ ')
+ ')
+diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
+index 0258b48..8fde016 100644
+--- a/policy/modules/services/cobbler.te
++++ b/policy/modules/services/cobbler.te
+@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
+ #
+
+ ##
+-##
+-## Allow Cobbler to modify public files
+-## used for public file transfer services.
+-##
++##
++## Allow Cobbler to modify public files
++## used for public file transfer services.
++##
+ ##
+ gen_tunable(cobbler_anon_write, false)
+
++##
++##
++## Allow Cobbler to connect to the
++## network using TCP.
++##
++##
++gen_tunable(cobbler_can_network_connect, false)
++
++##
++##
++## Allow Cobbler to access cifs file systems.
++##
++##
++gen_tunable(cobbler_use_cifs, false)
++
++##
++##
++## Allow Cobbler to access nfs file systems.
++##
++##
++gen_tunable(cobbler_use_nfs, false)
++
+ type cobblerd_t;
+ type cobblerd_exec_t;
+ init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
+ type cobbler_var_log_t;
+ logging_log_file(cobbler_var_log_t)
+
+-type cobbler_var_lib_t;
++type cobbler_var_lib_t alias cobbler_content_t;
+ files_type(cobbler_var_lib_t)
+
++type cobbler_tmp_t;
++files_tmp_file(cobbler_tmp_t)
++
+ ########################################
+ #
+ # Cobbler personal policy.
+ #
+
+-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
++allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
++dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
++
+ allow cobblerd_t self:process { getsched setsched signal };
+ allow cobblerd_t self:fifo_file rw_fifo_file_perms;
++allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_socket_perms;
++allow cobblerd_t self:unix_dgram_socket create_socket_perms;
+
+ list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+ read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
++# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
++dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
++
+ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
++manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
++
++# Something really needs to write to cobbler.log. Ideally this should not be happening.
++allow cobblerd_t cobbler_var_log_t:file write;
+
+ append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
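Review bot: The added `allow cobblerd_t cobbler_var_log_t:file write;` removes the append-only property that the `append_files_pattern` line below it gave the Cobbler logs, so a compromised daemon could overwrite earlier entries rather than only add new ones. The comment already says this should not be happening. It would help to name the component that opens cobbler.log for write and mark the rule as temporary, e.g. `# TODO: remove once <component> opens cobbler.log with O_APPEND`. The relabel comment a few lines up also misspells the domain as `cobberd_t`.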
+@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
++manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
++
+ kernel_read_system_state(cobblerd_t)
++kernel_dontaudit_search_network_state(cobblerd_t)
+
+ corecmd_exec_bin(cobblerd_t)
+ corecmd_exec_shell(cobblerd_t)
+@@ -65,26 +107,75 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+ corenet_tcp_sendrecv_generic_if(cobblerd_t)
+ corenet_tcp_sendrecv_generic_node(cobblerd_t)
+ corenet_tcp_sendrecv_generic_port(cobblerd_t)
++corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
++# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
++corenet_tcp_connect_ftp_port(cobblerd_t)
++corenet_tcp_sendrecv_ftp_port(cobblerd_t)
++corenet_sendrecv_ftp_client_packets(cobblerd_t)
++corenet_tcp_connect_http_port(cobblerd_t)
++corenet_tcp_sendrecv_http_port(cobblerd_t)
++corenet_sendrecv_http_client_packets(cobblerd_t)
+
+ dev_read_urand(cobblerd_t)
+
++domain_dontaudit_exec_all_entry_files(cobblerd_t)
++domain_dontaudit_read_all_domains_state(cobblerd_t)
++
++files_read_etc_files(cobblerd_t)
++# mtab
++files_read_etc_runtime_files(cobblerd_t)
+ files_read_usr_files(cobblerd_t)
+ files_list_boot(cobblerd_t)
++files_read_boot_files(cobblerd_t)
+ files_list_tmp(cobblerd_t)
+-# read /etc/nsswitch.conf
+-files_read_etc_files(cobblerd_t)
++
++# read from mounted images (install media)
++fs_read_iso9660_files(cobblerd_t)
++
++init_dontaudit_read_all_script_files(cobblerd_t)
++
++term_use_console(cobblerd_t)
+
+ miscfiles_read_localization(cobblerd_t)
+ miscfiles_read_public_files(cobblerd_t)
+
++selinux_dontaudit_read_fs(cobblerd_t)
++
+ sysnet_read_config(cobblerd_t)
+ sysnet_rw_dhcp_config(cobblerd_t)
+ sysnet_write_config(cobblerd_t)
+
++userdom_dontaudit_use_user_terminals(cobblerd_t)
++userdom_dontaudit_search_user_home_dirs(cobblerd_t)
++userdom_dontaudit_search_admin_dir(cobblerd_t)
++
+ tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+ ')
+
++tunable_policy(`cobbler_can_network_connect',`
++ corenet_tcp_connect_all_ports(cobblerd_t)
++ corenet_tcp_sendrecv_all_ports(cobblerd_t)
++ corenet_sendrecv_all_client_packets(cobblerd_t)
++')
++
++tunable_policy(`cobbler_use_cifs',`
++ fs_manage_cifs_dirs(cobblerd_t)
++ fs_manage_cifs_files(cobblerd_t)
++ fs_manage_cifs_symlinks(cobblerd_t)
++')
++
++tunable_policy(`cobbler_use_nfs',`
++ fs_manage_nfs_dirs(cobblerd_t)
++ fs_manage_nfs_files(cobblerd_t)
++ fs_manage_nfs_symlinks(cobblerd_t)
++')
++
++optional_policy(`
++ # Cobbler traverses /var/www to get to /var/www/cobbler/*
++ apache_search_sys_content(cobblerd_t)
++')
++
+ optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
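Review bot: This hunk adds several broad `dontaudit` rules (`domain_dontaudit_exec_all_entry_files`, `domain_dontaudit_read_all_domains_state`, `init_dontaudit_read_all_script_files`, `selinux_dontaudit_read_fs`) without saying what triggers the denials. The accesses stay denied, but the AVC records that would show cobblerd touching other domains' state are no longer written, which costs visibility during an investigation. A short comment per group naming the cause, e.g. `# <helper run by cobblerd> walks /proc; denials are expected noise`, would let a later reviewer judge whether each suppression is still justified.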
+@@ -95,6 +186,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ certmaster_exec(cobblerd_t)
++')
++
++optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+ ')
+@@ -106,16 +201,28 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cobblerd_t)
++')
++
++optional_policy(`
+ rpm_exec(cobblerd_t)
+ ')
+
+ optional_policy(`
+- rsync_read_config(cobblerd_t)
+- rsync_write_config(cobblerd_t)
++ rsync_exec(cobblerd_t)
++ rsync_manage_config(cobblerd_t)
++ # cobbler creates /etc/rsync.conf if its not there.
++ rsync_filetrans_config(cobblerd_t, file)
+ ')
+
+ optional_policy(`
+- tftp_manage_rw_content(cobblerd_t)
++ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
++ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
++ # 1. cobbler package installs /var/lib/tftpdir/images.
++ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
++ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
++ # are any of those hard linked?
++ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
+ ')
+
+ ########################################
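Review bot: The comment added above `tftp_filetrans_tftpdir` speaks of `/var/lib/tftpdir` and `/var/lib/TFTPDIR`, while the file contexts this patch adds in cobbler.fc label paths under `/var/lib/tftpboot`. It also leaves an open question ("are any of those hard linked?") in the policy. I would state the actual path and the condition for switching back, e.g. `# Cobbler creates content in /var/lib/tftpboot and its subdirectories (etc, images, ppc, s390x, pxelinux.cfg).`, and move the unresolved question to the tracker.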
+@@ -124,5 +231,6 @@ optional_policy(`
+ #
+
+ apache_content_template(cobbler)
++list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
+ manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+ manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
+index 42c6bd7..8f23087 100644
+--- a/policy/modules/services/consolekit.if
++++ b/policy/modules/services/consolekit.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run consolekit.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`consolekit_domtrans',`
+@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## consolekit over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_dontaudit_dbus_chat',`
++ gen_require(`
++ type consolekit_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## consolekit over dbus.
+ ##
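Review bot: The parameter description of the new `consolekit_dontaudit_dbus_chat` says `Domain allowed access.`, but the interface emits only `dontaudit` rules and grants nothing. Use `Domain to not audit.`, as `consolekit_dontaudit_read_log` in the next hunk does. The summary should start with `Do not audit attempts to send and receive messages from consolekit over dbus.` so the generated documentation does not read as a grant.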
+@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
+
+ ########################################
+ ##
++## Dontaudit attempts to read consolekit log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Read consolekit log files.
+ ##
+ ##
+@@ -95,3 +134,22 @@ interface(`consolekit_read_pid_files',`
+ files_search_pids($1)
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+ ')
++
++########################################
++##
++## List consolekit PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_list_pid_files',`
++ gen_require(`
++ type consolekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
++')
+diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
+index daf151d..16c0746 100644
+--- a/policy/modules/services/consolekit.te
++++ b/policy/modules/services/consolekit.te
+@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
+ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+
++type consolekit_tmpfs_t;
++files_tmpfs_file(consolekit_tmpfs_t)
++
+ ########################################
+ #
+ # consolekit local policy
+@@ -69,7 +72,10 @@ logging_send_audit_msgs(consolekit_t)
+
+ miscfiles_read_localization(consolekit_t)
+
++# consolekit needs to be able to ptrace all logged in users
++userdom_ptrace_all_users(consolekit_t)
+ userdom_dontaudit_read_user_home_content_files(consolekit_t)
++userdom_dontaudit_getattr_admin_home_files(consolekit_t)
+ userdom_read_user_tmp_files(consolekit_t)
+
+ hal_ptrace(consolekit_t)
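Review bot: `userdom_ptrace_all_users(consolekit_t)` gives the daemon ptrace over every user domain, which covers reading and modifying the memory of any logged-in user's processes, and the one-line comment does not say which operation needs it. If ConsoleKit only inspects /proc entries of session processes (an assumption, not visible here), a read-only grant such as `userdom_read_all_users_state(consolekit_t)` would be narrower. The same applies to `unconfined_ptrace(consolekit_t)` in the last hunk of this file, which sits under the unrelated comment `#reading .Xauthity`. At minimum the comment should record the denial that motivated each rule.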
+@@ -83,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+
+ optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
++')
++
++optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+
+ optional_policy(`
+@@ -99,6 +109,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_append_log(consolekit_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(consolekit_t)
+ policykit_domtrans_auth(consolekit_t)
+ policykit_read_lib(consolekit_t)
+@@ -106,9 +120,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- type consolekit_tmpfs_t;
+- files_tmpfs_file(consolekit_tmpfs_t)
++ shutdown_domtrans(consolekit_t)
++')
+
++optional_policy(`
+ xserver_read_xdm_pid(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
+@@ -125,5 +140,6 @@ optional_policy(`
+
+ optional_policy(`
+ #reading .Xauthity
++ unconfined_ptrace(consolekit_t)
+ unconfined_stream_connect(consolekit_t)
+ ')
+diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
+index 3a6d7eb..2098ee9 100644
+--- a/policy/modules/services/corosync.fc
++++ b/policy/modules/services/corosync.fc
+@@ -3,6 +3,7 @@
+ /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+ /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+ /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
+index 5220c9d..a2e6830 100644
+--- a/policy/modules/services/corosync.if
++++ b/policy/modules/services/corosync.if
+@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+ ')
+
++######################################
++##
++## Execute corosync in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_exec',`
++ gen_require(`
++ type corosync_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, corosync_exec_t)
++')
++
+ #######################################
+ ##
+ ## Allow the specified domain to read corosync's log files.
+diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
+index 7d2cf85..6c733f8 100644
+--- a/policy/modules/services/corosync.te
++++ b/policy/modules/services/corosync.te
+@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
+ # corosync local policy
+ #
+
+-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+-allow corosync_t self:process { setrlimit setsched signal };
++allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
++allow corosync_t self:process { setpgid setrlimit setsched signal signull };
+
+ allow corosync_t self:fifo_file rw_fifo_file_perms;
+ allow corosync_t self:sem create_sem_perms;
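Review bot: The capability line for `corosync_t` gains `dac_override`, `setuid` and `sys_ptrace` with no comment saying which cluster operation needs each one. `dac_override` often papers over files with the wrong owner or mode, and together with `setuid` and the `corecmd_exec_shell(corosync_t)` added later in this file it noticeably widens what a compromised corosync could do. I would add a why-comment per capability, e.g. `# dac_override: <path the daemon cannot open without it>`, and drop any that were added only to silence an AVC.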
+@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
+ allow corosync_t self:unix_dgram_socket create_socket_perms;
+ allow corosync_t self:udp_socket create_socket_perms;
+
++can_exec(corosync_t, corosync_exec_t)
++
+ manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+@@ -63,8 +65,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+ files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+
+ kernel_read_system_state(corosync_t)
++kernel_read_network_state(corosync_t)
++kernel_read_net_sysctls(corosync_t)
+
+ corecmd_exec_bin(corosync_t)
++corecmd_exec_shell(corosync_t)
+
+ corenet_udp_bind_netsupport_port(corosync_t)
+
+@@ -73,6 +78,7 @@ dev_read_urand(corosync_t)
+ domain_read_all_domains_state(corosync_t)
+
+ files_manage_mounttab(corosync_t)
++files_read_usr_files(corosync_t)
+
+ auth_use_nsswitch(corosync_t)
+
+@@ -83,19 +89,36 @@ logging_send_syslog_msg(corosync_t)
+
+ miscfiles_read_localization(corosync_t)
+
++userdom_delete_user_tmpfs_files(corosync_t)
+ userdom_rw_user_tmpfs_files(corosync_t)
+
+ optional_policy(`
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
++')
++
++optional_policy(`
+ ccs_read_config(corosync_t)
+ ')
+
+ optional_policy(`
+- # to communication with RHCS
+- rhcs_rw_dlm_controld_semaphores(corosync_t)
++ cmirrord_rw_shm(corosync_t)
++')
+
+- rhcs_rw_fenced_semaphores(corosync_t)
++optional_policy(`
++ drbd_domtrans(corosync_t)
++')
++
++optional_policy(`
++ lvm_rw_clvmd_tmpfs_files(corosync_t)
++')
+
+- rhcs_rw_gfs_controld_semaphores(corosync_t)
++optional_policy(`
++ # to communication with RHCS
++ rhcs_rw_cluster_shm(corosync_t)
++ rhcs_rw_cluster_semaphores(corosync_t)
++ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
+index 9971337..f081899 100644
+--- a/policy/modules/services/courier.if
++++ b/policy/modules/services/courier.if
+@@ -138,6 +138,7 @@ interface(`courier_read_config',`
+ type courier_etc_t;
+ ')
+
++ files_search_etc($1)
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+ ')
+
+@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
+index 37f4810..cc93958 100644
+--- a/policy/modules/services/courier.te
++++ b/policy/modules/services/courier.te
+@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
+ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+ # inherits file handle - should it?
+-allow courier_pop_t courier_var_lib_t:file { read write };
++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+
+ miscfiles_read_localization(courier_pop_t)
+
+diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
+index 2eefc08..3e8ad69 100644
+--- a/policy/modules/services/cron.fc
++++ b/policy/modules/services/cron.fc
+@@ -14,7 +14,7 @@
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+@@ -45,3 +45,7 @@ ifdef(`distro_suse', `
+ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++
++/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++
++/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
+diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
+index 35241ed..b6402c9 100644
+--- a/policy/modules/services/cron.if
++++ b/policy/modules/services/cron.if
+@@ -12,6 +12,11 @@
+ ##
+ #
+ template(`cron_common_crontab_template',`
++ gen_require(`
++ type crond_t, crond_var_run_t, crontab_exec_t;
++ type cron_spool_t, user_cron_spool_t;
++ ')
++
+ ##############################
+ #
+ # Declarations
+@@ -34,8 +39,12 @@ template(`cron_common_crontab_template',`
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+- allow $1_t $1_tmp_t:file manage_file_perms;
+- files_tmp_filetrans($1_t, $1_tmp_t, file)
++ allow $1_t crond_t:process signal;
++ allow $1_t crond_var_run_t:file read_file_perms;
++
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+
+ # create files in /var/spool/cron
+ manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+@@ -43,7 +52,7 @@ template(`cron_common_crontab_template',`
+ files_list_spool($1_t)
+
+ # crontab signals crond by updating the mtime on the spooldir
+- allow $1_t cron_spool_t:dir setattr;
++ allow $1_t cron_spool_t:dir setattr_dir_perms;
+
+ kernel_read_system_state($1_t)
+
+@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',`
+
+ logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
++ logging_set_loginuid($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
+@@ -76,6 +86,7 @@ template(`cron_common_crontab_template',`
+ userdom_use_user_terminals($1_t)
+ # Read user crontabs
+ userdom_read_user_home_content_files($1_t)
++ userdom_read_user_home_content_symlinks($1_t)
+
+ tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+@@ -102,10 +113,12 @@ template(`cron_common_crontab_template',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
++ type user_cron_spool_t, crond_t;
+ ')
+
+ role $1 types { cronjob_t crontab_t };
+@@ -116,9 +129,16 @@ interface(`cron_role',`
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
++ allow crond_t $2:process transition;
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
++ allow $2 crond_t:process sigchld;
++
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file entrypoint;
++
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+- allow $2 crontab_t:process signal;
++ allow $2 crontab_t:process { ptrace signal_perms };
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
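Review bot: `allow $2 crontab_t:process { ptrace signal_perms };` widens the previous `signal` to the full signal set plus ptrace of the crontab helper by the user domain. `cron_unconfined_role` and `cron_admin_role` further down get the same change for `unconfined_cronjob_t` and `admin_crontab_t`. The crontab template earlier in this file lets its `$1_t` domain manage files in the cron spool, so a user domain that can ptrace the helper can act with those permissions, and nothing here explains why that is needed. If the goal is only that users can signal their own crontab process, `allow $2 crontab_t:process signal_perms;` is sufficient. The body of `cron_role` continues outside this hunk.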
+@@ -132,9 +152,8 @@ interface(`cron_role',`
+ ')
+
+ dbus_stub(cronjob_t)
+-
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -151,29 +170,18 @@ interface(`cron_role',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_unconfined_role',`
+ gen_require(`
+- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
++ type unconfined_cronjob_t;
+ ')
+
+- role $1 types { unconfined_cronjob_t crontab_t };
++ role $1 types unconfined_cronjob_t;
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+-
+- # Transition from the user domain to the derived domain.
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
+-
+- # crontab shows up in user ps
+- ps_process_pattern($2, crontab_t)
+- allow $2 crontab_t:process signal;
+-
+- # Run helper programs as the user domain
+- #corecmd_bin_domtrans(crontab_t, $2)
+- #corecmd_shell_domtrans(crontab_t, $2)
+- corecmd_exec_bin(crontab_t)
+- corecmd_exec_shell(crontab_t)
++ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+
+ optional_policy(`
+ gen_require(`
+@@ -181,9 +189,8 @@ interface(`cron_unconfined_role',`
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+-
+ allow unconfined_cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -200,6 +207,7 @@ interface(`cron_unconfined_role',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_admin_role',`
+ gen_require(`
+@@ -220,7 +228,7 @@ interface(`cron_admin_role',`
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+- allow $2 admin_crontab_t:process signal;
++ allow $2 admin_crontab_t:process { ptrace signal_perms };
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+@@ -234,9 +242,8 @@ interface(`cron_admin_role',`
+ ')
+
+ dbus_stub(admin_cronjob_t)
+-
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -304,7 +311,7 @@ interface(`cron_exec',`
+
+ ########################################
+ ##
+-## Execute crond server in the nscd domain.
++## Execute crond server in the crond domain.
+ ##
+ ##
+ ##
+@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',`
+ type crond_t;
+ ')
+
+- allow $1 crond_t:fifo_file { getattr read write };
++ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Read and write inherited user spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_user_spool_files',`
++ gen_require(`
++ type user_cron_spool_t;
++ ')
++
++ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read and write inherited spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_spool_files',`
++ gen_require(`
++ type cron_spool_t;
++ ')
++
++ allow $1 cron_spool_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -481,6 +524,7 @@ interface(`cron_manage_pid_files',`
+ type crond_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ ')
+
+@@ -536,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:file write;
++ allow $1 system_cronjob_t:fifo_file write;
+ ')
+
+ ########################################
+@@ -554,7 +598,7 @@ interface(`cron_rw_system_job_pipes',`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -587,11 +631,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+ #
+ interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+- type system_cronjob_tmp_t;
++ type system_cronjob_tmp_t, cron_var_run_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
++
++ files_search_pids($1)
++ allow $1 cron_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
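Review bot: The name and summary of `cron_read_system_job_tmp_files` no longer cover what it grants, because the two added lines give every caller read access to `cron_var_run_t` files on top of the temporary files. Existing callers that only need the tmp files pick up the pid-file access without asking for it. I would leave this interface as it was and move `files_search_pids($1)` and `allow $1 cron_var_run_t:file read_file_perms;` into a separate interface named for the pid files, so the extra access is requested explicitly. The interface's documentation header lies outside this hunk.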
+@@ -627,7 +674,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+ interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
++ type cron_var_run_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++ dontaudit $1 cron_var_run_t:file write_file_perms;
++')
++
++########################################
++##
++## Read temporary files from the system cron jobs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_read_system_job_lib_files',`
++ gen_require(`
++ type system_cronjob_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++')
++
++########################################
++##
++## Manage files from the system cron jobs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_manage_system_job_lib_files',`
++ gen_require(`
++ type system_cronjob_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ ')
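Review bot: The summary of the new `cron_read_system_job_lib_files` interface reads "Read temporary files from the system cron jobs.", which looks carried over from the tmp-file interface; the body grants read on `system_cronjob_var_lib_t`. It should say something like `## Read system cron job lib files.`. In the same hunk, `cron_dontaudit_write_system_job_tmp_files` now also silences write denials on `cron_var_run_t`, which its name does not suggest. A sentence in its summary mentioning the pid files would help whoever later looks for a denial that never reached the audit log.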
+diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
+index f35b243..2a7f7f4 100644
+--- a/policy/modules/services/cron.te
++++ b/policy/modules/services/cron.te
+@@ -10,18 +10,18 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allow system cron jobs to relabel filesystem
+-## for restoring file contexts.
+-##
++##
++## Allow system cron jobs to relabel filesystem
++## for restoring file contexts.
++##
+ ##
+ gen_tunable(cron_can_relabel, false)
+
+ ##
+-##
+-## Enable extra rules in the cron domain
+-## to support fcron.
+-##
++##
++## Enable extra rules in the cron domain
++## to support fcron.
++##
+ ##
+ gen_tunable(fcron_crond, false)
+
+@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
+
+ type crond_tmp_t;
+ files_tmp_file(crond_tmp_t)
++files_poly_parent(crond_tmp_t)
++mta_system_content(crond_tmp_t)
+
+ type crond_var_run_t;
+ files_pid_file(crond_var_run_t)
++mta_system_content(crond_var_run_t)
+
+ type crontab_exec_t;
+ application_executable_file(crontab_exec_t)
+@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+ typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
++allow admin_crontab_t crond_t:process signal;
+
+ type system_cron_spool_t, cron_spool_type;
+ files_type(system_cron_spool_t)
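Review bot: `allow admin_crontab_t crond_t:process signal;` is an access rule placed in the declarations block, between the typealias lines and the spool type declaration. It is also unconditional, whereas the comment about instant crontab updates for the administrator sits in the fcron_crond tunable block later in the file, so signalling crond may have been meant to stay fcron-specific (this cannot be confirmed from the hunk). I would move the rule into the admin crontab local policy section and either gate it on that tunable or add a comment saying why it is now always needed.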
+@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t;
+ init_daemon_domain(system_cronjob_t, anacron_exec_t)
+ corecmd_shell_entry_type(system_cronjob_t)
+ role system_r types system_cronjob_t;
++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+
+ type system_cronjob_lock_t alias system_crond_lock_t;
+ files_lock_file(system_cronjob_lock_t)
+@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
+ type system_cronjob_tmp_t alias system_crond_tmp_t;
+ files_tmp_file(system_cronjob_tmp_t)
+
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+-')
+-
+ type unconfined_cronjob_t;
+ domain_type(unconfined_cronjob_t)
+ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+ files_type(user_cron_spool_t)
+ ubac_constrained(user_cron_spool_t)
++mta_system_content(user_cron_spool_t)
++
++type system_cronjob_var_lib_t;
++files_type(system_cronjob_var_lib_t)
++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
++
++type system_cronjob_var_run_t;
++files_pid_file(system_cronjob_var_run_t)
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
++')
+
+ ########################################
+ #
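Review bot: `system_cronjob_var_run_t` is declared here as a pid-file type, but none of the rules visible in this patch use it. The pid-file access added for system_cronjob_t further down is written against `cron_var_run_t` (`files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)`). If the new type is the intended label, those rules should name it; if not, the declaration is dead and should be dropped. The separate `typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;` line could also be folded into the type statement, as the neighbouring declarations do (`type system_cronjob_lock_t alias system_crond_lock_t;`).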
+@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t)
+ #
+
+ # Allow our crontab domain to unlink a user cron spool file.
+-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+
+ # Manipulate other users crontab.
+ selinux_get_fs_mount(admin_crontab_t)
+@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
+ selinux_compute_relabel_context(admin_crontab_t)
+ selinux_compute_user_contexts(admin_crontab_t)
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
+@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', `
+
+ allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
+ dontaudit crond_t self:capability { sys_resource sys_tty_config };
+-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+ allow crond_t self:process { setexec setfscreate };
+ allow crond_t self:fd use;
+ allow crond_t self:fifo_file rw_fifo_file_perms;
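Review bot: Dropping `setrlimit` from the excluded set grants it to crond_t only by omission, which is easy to miss when reading a complement rule. The cyrus policy touched by this same patch keeps `setrlimit` in the exclusion list and grants it on its own line (`allow cyrus_t self:process setrlimit;`). I would keep the complement as it was and extend the explicit rule below it to `allow crond_t self:process { setexec setfscreate setrlimit };`, with a short comment naming what needs it.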
+@@ -193,6 +206,8 @@ corecmd_list_bin(crond_t)
+ corecmd_read_bin_symlinks(crond_t)
+
+ domain_use_interactive_fds(crond_t)
++domain_subj_id_change_exemption(crond_t)
++domain_role_change_exemption(crond_t)
+
+ files_read_usr_files(crond_t)
+ files_read_etc_runtime_files(crond_t)
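Review bot: The two exemptions added here need a comment. `domain_subj_id_change_exemption(crond_t)` and `domain_role_change_exemption(crond_t)` lift the constraints that otherwise prevent a domain from changing SELinux user identity and role, and nothing in the hunk says why crond needs both. If the reason is that crond starts jobs under the job owner's identity, a line such as `# crond starts jobs under the job owner's SELinux user and role` above them would record it. Constraint exemptions are easy to overlook in a later audit when they sit unannotated among ordinary interface calls.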
+@@ -208,7 +223,9 @@ init_spec_domtrans_script(crond_t)
+
+ auth_use_nsswitch(crond_t)
+
++logging_send_audit_msgs(crond_t)
+ logging_send_syslog_msg(crond_t)
++logging_set_loginuid(crond_t)
+
+ seutil_read_config(crond_t)
+ seutil_read_default_contexts(crond_t)
+@@ -219,8 +236,10 @@ miscfiles_read_localization(crond_t)
+ userdom_use_unpriv_users_fds(crond_t)
+ # Not sure why this is needed
+ userdom_list_user_home_dirs(crond_t)
++userdom_create_all_users_keys(crond_t)
+
+ mta_send_mail(crond_t)
++mta_system_content(cron_spool_t)
+
+ ifdef(`distro_debian',`
+ # pam_limits is used
+@@ -232,7 +251,7 @@ ifdef(`distro_debian',`
+ ')
+ ')
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+@@ -240,16 +259,39 @@ ifdef(`distro_redhat', `
+ ')
+ ')
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`allow_polyinstantiation',`
++ files_polyinstantiate_all(crond_t)
++')
++
++tunable_policy(`fcron_crond',`
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+ ')
+
+ optional_policy(`
++ apache_search_sys_content(crond_t)
++')
++
++optional_policy(`
++ djbdns_search_tinydns_keys(crond_t)
++ djbdns_link_tinydns_keys(crond_t)
++')
++
++optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
+ ')
+
+ optional_policy(`
++ # these should probably be unconfined_crond_t
++ dbus_system_bus_client(crond_t)
++ init_dbus_send_script(crond_t)
++')
++
++optional_policy(`
++ mono_domtrans(crond_t)
++')
++
++optional_policy(`
+ amanda_search_var_lib(crond_t)
+ ')
+
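Review bot: The comment `# these should probably be unconfined_crond_t` names a type that does not appear in the visible policy; the unconfined cron job type declared in this file is `unconfined_cronjob_t`. The comment also concedes that the two dbus rules are attached to the wrong domain, yet the patch adds them to crond_t anyway. Either move `dbus_system_bus_client` and `init_dbus_send_script` to the domain that needs them, or reword the comment to name the correct type and say why crond_t carries the rules for now, e.g. `# FIXME: belongs on unconfined_cronjob_t`.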
+@@ -259,6 +301,8 @@ optional_policy(`
+
+ optional_policy(`
+ hal_dbus_chat(crond_t)
++ hal_write_log(crond_t)
++ hal_dbus_chat(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -284,12 +328,18 @@ optional_policy(`
+ udev_read_db(crond_t)
+ ')
+
++optional_policy(`
++ vnstatd_search_lib(crond_t)
++')
++
+ ########################################
+ #
+ # System cron process domain
+ #
+
+ allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
++dontaudit system_cronjob_t self:capability sys_ptrace;
++
+ allow system_cronjob_t self:process { signal_perms getsched setsched };
+ allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow system_cronjob_t self:passwd rootok;
+@@ -301,10 +351,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+
+ # This is to handle /var/lib/misc directory. Used currently
+ # by prelink var/lib files for cron
+-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
++allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
+ files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+
++allow system_cronjob_t cron_var_run_t:file manage_file_perms;
++files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
++
+ allow system_cronjob_t system_cron_spool_t:file read_file_perms;
++
++# anacron forces the following
++manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
++
+ # The entrypoint interface is not used as this is not
+ # a regular entrypoint. Since crontab files are
+ # not directly executed, crond must ensure that
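Review bot: `manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)` lets system cron jobs create, rewrite and delete the system spool files, and it makes the `read_file_perms` rule two lines above it redundant. If those files are what crond schedules from, a job running in system_cronjob_t can now change what runs next, so the grant deserves more than `# anacron forces the following`. I would state in the comment which files anacron writes, and if they are only its own state files, give them a separate type rather than opening the whole spool type. The comment block that follows continues past the end of the hunk.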
+@@ -324,6 +381,7 @@ allow crond_t system_cronjob_t:fd use;
+ allow system_cronjob_t crond_t:fd use;
+ allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+ allow system_cronjob_t crond_t:process sigchld;
++allow crond_t system_cronjob_t:key manage_key_perms;
+
+ # Write /var/lock/makewhatis.lock.
+ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+@@ -335,9 +393,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+ files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+
++# var/lib files for system_crond
++files_search_var_lib(system_cronjob_t)
++manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++
+ # Read from /var/spool/cron.
+ allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+-allow system_cronjob_t cron_spool_t:file read_file_perms;
++allow system_cronjob_t cron_spool_t:file rw_file_perms;
+
+ kernel_read_kernel_sysctls(system_cronjob_t)
+ kernel_read_system_state(system_cronjob_t)
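Review bot: The comment `# Read from /var/spool/cron.` is now stale, because the file rule under it changed from `read_file_perms` to `rw_file_perms`. Please update it to say what system cron jobs write there, e.g. `# Read and write files in /var/spool/cron.` followed by the reason. If the write is only needed on descriptors inherited from crond, `rw_inherited_file_perms`, which the new cron_rw_inherited_spool_files interface in this patch uses, would be the narrower grant.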
+@@ -360,6 +422,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+ dev_getattr_all_blk_files(system_cronjob_t)
+ dev_getattr_all_chr_files(system_cronjob_t)
+ dev_read_urand(system_cronjob_t)
++dev_read_sysfs(system_cronjob_t)
+
+ fs_getattr_all_fs(system_cronjob_t)
+ fs_getattr_all_files(system_cronjob_t)
+@@ -386,6 +449,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+ # Access other spool directories like
+ # /var/spool/anacron and /var/spool/slrnpull.
+ files_manage_generic_spool(system_cronjob_t)
++files_create_boot_flag(system_cronjob_t)
+
+ init_use_script_fds(system_cronjob_t)
+ init_read_utmp(system_cronjob_t)
+@@ -408,8 +472,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+
+ seutil_read_config(system_cronjob_t)
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
++ allow crond_t system_cron_spool_t:file manage_file_perms;
++
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
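Review bot: The added `allow crond_t system_cron_spool_t:file manage_file_perms;` lands between the two lines of one comment, so "Allow creation of RPM log files" and "via redirection of standard out." no longer read as a sentence and the rule appears to be about rpm logs. It is also a crond_t rule inside the system_cronjob_t section, and it grants unconditionally on Red Hat what the fcron_crond tunable grants earlier in the file. I would move it above the comment, or into the distro_redhat block of the crond_t section, with its own line explaining why crond must manage the system spool there. The ifdef block continues beyond this hunk.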
+@@ -434,6 +500,8 @@ optional_policy(`
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
++ apache_delete_cache_dirs(system_cronjob_t)
++ apache_delete_cache_files(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -441,6 +509,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(system_cronjob_t)
++')
++
++optional_policy(`
++ exim_read_spool_files(system_cronjob_t)
++')
++
++optional_policy(`
+ ftp_read_log(system_cronjob_t)
+ ')
+
+@@ -451,15 +527,24 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ livecd_read_tmp_files(system_cronjob_t)
++')
++
++optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+ ')
+
+ optional_policy(`
++ mono_domtrans(system_cronjob_t)
++')
++
++optional_policy(`
+ mrtg_append_create_logs(system_cronjob_t)
+ ')
+
+ optional_policy(`
+ mta_send_mail(system_cronjob_t)
++ mta_system_content(system_cron_spool_t)
+ ')
+
+ optional_policy(`
+@@ -475,7 +560,7 @@ optional_policy(`
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+- prelink_relabelfrom_lib(system_cronjob_t)
++ prelink_relabel_lib(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -490,6 +575,7 @@ optional_policy(`
+
+ optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
++ spamassassin_manage_home_client(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -497,7 +583,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ unconfined_domain(crond_t)
+ unconfined_domain(system_cronjob_t)
++')
++
++optional_policy(`
++ unconfined_shell_domtrans(crond_t)
++ unconfined_dbus_send(crond_t)
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ ')
+
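Review bot: `unconfined_domain(crond_t)` makes the cron daemon itself unconfined on every system where the unconfined module is present, which leaves the crond_t allow rules earlier in this file with little practical effect. The existing line did this only for system_cronjob_t, so this is a substantial widening and it carries no comment. If the goal is to let jobs run in the unconfined domain, the `unconfined_shell_domtrans(crond_t)` added in the next block may already be enough; otherwise please add a comment stating what fails without it. The second block also mixes the crond_t rules with the `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)` line, which would read better in its own optional_policy.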
+@@ -590,9 +682,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+ list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+
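Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies the symlink permission set to the `file` class. As written it gives crond_t create, write, unlink and rename on regular user spool files unconditionally, which largely overlaps the `manage_file_perms` rule that the fcron_crond tunable a few lines below is supposed to gate. Given the `read_lnk_files_pattern` line just above it, the intent was probably symlinks: `allow crond_t user_cron_spool_t:lnk_file manage_lnk_file_perms;`. If write access to the spool files themselves is wanted, it should be expressed with the file permission macros and a comment.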
+diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
+index 1b492ed..286ec9e 100644
+--- a/policy/modules/services/cups.fc
++++ b/policy/modules/services/cups.fc
+@@ -71,3 +71,9 @@
+ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+ /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++
++/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
+index 305ddf4..777091a 100644
+--- a/policy/modules/services/cups.if
++++ b/policy/modules/services/cups.if
+@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
++ type hplip_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
++ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
+
+@@ -314,11 +316,10 @@ interface(`cups_stream_connect_ptal',`
+ interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+- type cupsd_var_run_t, ptal_etc_t;
+- type ptal_var_run_t, hplip_var_run_t;
+- type cupsd_initrc_exec_t;
++ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
++ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
++ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
++ type ptal_var_run_t;
+ ')
+
+ allow $1 cupsd_t:process { ptrace signal_perms };
+@@ -341,15 +342,14 @@ interface(`cups_admin',`
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+- admin_pattern($1, cupsd_spool_t)
+- files_list_spool($1)
+-
+ admin_pattern($1, cupsd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, cupsd_var_run_t)
+ files_list_pids($1)
+
++ admin_pattern($1, hplip_etc_t)
++
+ admin_pattern($1, hplip_var_run_t)
+
+ admin_pattern($1, ptal_etc_t)
+diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
+index 0f28095..cf33683 100644
+--- a/policy/modules/services/cups.te
++++ b/policy/modules/services/cups.te
+@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
+ type cupsd_t;
+ type cupsd_exec_t;
+ init_daemon_domain(cupsd_t, cupsd_exec_t)
++mls_trusted_object(cupsd_t)
+
+ type cupsd_etc_t;
+ files_config_file(cupsd_etc_t)
+@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ files_search_etc(cupsd_t)
+
+ manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
++can_exec(cupsd_t, cupsd_interface_t)
+
+ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
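Review bot: With `can_exec(cupsd_t, cupsd_interface_t)` added directly under `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)`, cupsd_t can both write and execute files of the same type, and it runs them without leaving its own domain. That reduces how well the policy contains a misbehaving cupsd, so the reason should be recorded next to the rule. A comment such as `# cupsd executes the printer interface scripts it installs` (if that is the case) would make the trade-off visible; a separate domain for those scripts would be the stricter alternative.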
+@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+
++manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ allow cupsd_t cupsd_log_t:dir setattr;
+ logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
+-allow cupsd_t cupsd_var_run_t:dir setattr;
++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
++manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
++files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
+
+ allow cupsd_t hplip_t:process { signal sigkill };
+
+@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+ allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+ stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+-allow cupsd_t ptal_var_run_t : sock_file setattr;
++allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+
+ kernel_read_system_state(cupsd_t)
+ kernel_read_network_state(cupsd_t)
+@@ -297,8 +301,10 @@ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
+
++ # talk to processes that do not have policy
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
++ files_write_generic_pid_pipes(cupsd_t)
+ ')
+ ')
+
+@@ -371,8 +377,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
++manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+ manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
++files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
+
+ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+
+@@ -425,6 +432,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+ userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
++userdom_rw_user_tmp_files(cupsd_config_t)
+
+ cups_stream_connect(cupsd_config_t)
+
+@@ -453,6 +461,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cupsd_config_t)
++')
++
++optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+@@ -587,14 +599,16 @@ auth_use_nsswitch(cups_pdf_t)
+
+ miscfiles_read_localization(cups_pdf_t)
+ miscfiles_read_fonts(cups_pdf_t)
++miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+
+ userdom_home_filetrans_user_home_dir(cups_pdf_t)
++userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
++userdom_dontaudit_search_admin_dir(cups_pdf_t)
+
+ lpd_manage_spool(cups_pdf_t)
+
+-
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(cups_pdf_t)
+ fs_manage_nfs_dirs(cups_pdf_t)
+@@ -606,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(cups_pdf_t)
+ ')
+
++optional_policy(`
++ gnome_read_config(cups_pdf_t)
++')
++
+ ########################################
+ #
+ # HPLIP local policy
+@@ -639,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+ manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
+ manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
+
+ manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -685,6 +703,7 @@ domain_use_interactive_fds(hplip_t)
+ files_read_etc_files(hplip_t)
+ files_read_etc_runtime_files(hplip_t)
+ files_read_usr_files(hplip_t)
++files_dontaudit_write_usr_dirs(hplip_t)
+
+ logging_send_syslog_msg(hplip_t)
+
+diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
+index c43ff4c..5bf3e60 100644
+--- a/policy/modules/services/cvs.if
++++ b/policy/modules/services/cvs.if
+@@ -58,9 +58,8 @@ interface(`cvs_exec',`
+ #
+ interface(`cvs_admin',`
+ gen_require(`
+- type cvs_t, cvs_tmp_t;
++ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+ type cvs_data_t, cvs_var_run_t;
+- type cvs_initrc_exec_t;
+ ')
+
+ allow $1 cvs_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
+index 88e7e97..e18dc0b 100644
+--- a/policy/modules/services/cvs.te
++++ b/policy/modules/services/cvs.te
+@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
+ #
+
+ ##
+-##
+-## Allow cvs daemon to read shadow
+-##
++##
++## Allow cvs daemon to read shadow
++##
+ ##
+ gen_tunable(allow_cvs_read_shadow, false)
+
+@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
+ # Local policy
+ #
+
++allow cvs_t self:capability { setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:tcp_socket connected_stream_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow cvs_t self:capability { setuid setgid };
+
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+@@ -112,4 +112,5 @@ optional_policy(`
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
+ ')
+diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if
+index 9d44538..7e9057e 100644
+--- a/policy/modules/services/cyphesis.if
++++ b/policy/modules/services/cyphesis.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run cyphesis.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cyphesis_domtrans',`
+diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
+index e182bf4..f80e725 100644
+--- a/policy/modules/services/cyrus.te
++++ b/policy/modules/services/cyrus.te
+@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
+ # Local policy
+ #
+
+-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
+ dontaudit cyrus_t self:capability sys_tty_config;
+ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow cyrus_t self:process setrlimit;
+@@ -135,6 +135,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ files_dontaudit_write_usr_dirs(cyrus_t)
+ snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
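Review bot: `files_dontaudit_write_usr_dirs(cyrus_t)` is placed inside the snmp optional_policy block although it has no visible relation to snmp, so it disappears whenever the snmp module is not present. The hplip hunk in this patch adds the same call among that domain's other `files_` lines, outside any optional block. I would do the same here and put it with cyrus_t's other file rules. The optional_policy block continues past the end of this hunk.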
+diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
+index 0d5711c..27a2b36 100644
+--- a/policy/modules/services/dbus.if
++++ b/policy/modules/services/dbus.if
+@@ -41,9 +41,9 @@ interface(`dbus_stub',`
+ template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+-
+- attribute session_bus_type;
++ attribute dbusd_unconfined, session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
++ type $1_t;
+ ')
+
+ ##############################
+@@ -52,8 +52,7 @@ template(`dbus_role_template',`
+ #
+
+ type $1_dbusd_t, session_bus_type;
+- domain_type($1_dbusd_t)
+- domain_entry_file($1_dbusd_t, dbusd_exec_t)
++ application_domain($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
+
+@@ -76,7 +75,7 @@ template(`dbus_role_template',`
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+
+ # SE-DBus specific permissions
+- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
++ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+@@ -88,14 +87,15 @@ template(`dbus_role_template',`
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+- allow $3 $1_dbusd_t:process { signull sigkill signal };
++
++ ps_process_pattern($3, $1_dbusd_t)
++ allow $3 $1_dbusd_t:process { ptrace signal_perms };
+
+ # cjp: this seems very broken
+- corecmd_bin_domtrans($1_dbusd_t, $3)
++ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+- allow $3 $1_dbusd_t:process sigchld;
+
+ kernel_read_system_state($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
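Review bot: The replacement rule `allow $3 $1_dbusd_t:process { ptrace signal_perms };` adds ptrace of the session bus daemon for every user domain that instantiates this template, where the old rule allowed three signals. `ps_process_pattern($3, $1_dbusd_t)` on the line above already covers process listing, so unless something has to debug the bus I would drop ptrace: `allow $3 $1_dbusd_t:process signal_perms;`. Separately, `corecmd_bin_domtrans($1_dbusd_t, $1_t)` still sits under the "this seems very broken" comment and now depends on a `$1_t` type existing for every prefix passed in; a line saying why `$1_t` replaced `$3` would help. The template body starts and ends outside this hunk.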
+@@ -116,7 +116,7 @@ template(`dbus_role_template',`
+
+ dev_read_urand($1_dbusd_t)
+
+- domain_use_interactive_fds($1_dbusd_t)
++ domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
+
+ files_read_etc_files($1_dbusd_t)
+@@ -149,17 +149,25 @@ template(`dbus_role_template',`
+
+ term_use_all_terms($1_dbusd_t)
+
+- userdom_read_user_home_content_files($1_dbusd_t)
++ userdom_dontaudit_search_admin_dir($1_dbusd_t)
++ userdom_manage_user_home_content_dirs($1_dbusd_t)
++ userdom_manage_user_home_content_files($1_dbusd_t)
++ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
+
+- ifdef(`hide_broken_symptoms', `
++ ifdef(`hide_broken_symptoms',`
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ optional_policy(`
++ gnome_read_gconf_home_files($1_dbusd_t)
++ ')
++
++ optional_policy(`
+ hal_dbus_chat($1_dbusd_t)
+ ')
+
+ optional_policy(`
++ xserver_search_xdm_lib($1_dbusd_t)
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
+ ')
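Review bot: Replacing `userdom_read_user_home_content_files($1_dbusd_t)` with the manage-dirs and manage-files interfaces plus `userdom_user_home_dir_filetrans_user_home_content` takes the session bus daemon from reading home content to creating, changing and deleting it, and the hunk gives no reason. Since the daemon can be reached by every client on the session bus, the comment should name what it has to write in the home directory. If that is a known set of files, a dedicated type with a filetrans would be narrower than generic user home content. The template body starts and ends outside this hunk.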
+@@ -181,10 +189,12 @@ interface(`dbus_system_bus_client',`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
++ attribute dbusd_unconfined;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+@@ -431,14 +441,27 @@ interface(`dbus_system_domain',`
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
++ fs_search_all($1)
++
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
++ init_stream_connect($1)
++
+ ps_process_pattern(system_dbusd_t, $1)
+
++ userdom_dontaudit_search_admin_dir($1)
+ userdom_read_all_users_state($1)
+
+- ifdef(`hide_broken_symptoms', `
++ optional_policy(`
++ rpm_script_dbus_chat($1)
++ ')
++
++ optional_policy(`
++ unconfined_dbus_send($1)
++ ')
++
++ ifdef(`hide_broken_symptoms',`
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+ ')
+@@ -497,3 +520,22 @@ interface(`dbus_unconfined',`
+
+ typeattribute $1 dbusd_unconfined;
+ ')
++
++########################################
++##
++## Delete all dbus pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_delete_pid_files',`
++ gen_require(`
++ type system_dbusd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
+diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
+index 9ce6713..ea78dc1 100644
+--- a/policy/modules/services/dbus.te
++++ b/policy/modules/services/dbus.te
+@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+ read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
++manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
++files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+
+ kernel_read_system_state(system_dbusd_t)
+ kernel_read_kernel_sysctls(system_dbusd_t)
+@@ -121,7 +122,9 @@ files_read_usr_files(system_dbusd_t)
+
+ init_use_fds(system_dbusd_t)
+ init_use_script_ptys(system_dbusd_t)
++init_bin_domtrans_spec(system_dbusd_t)
+ init_domtrans_script(system_dbusd_t)
++init_rw_stream_sockets(system_dbusd_t)
+
+ logging_send_audit_msgs(system_dbusd_t)
+ logging_send_syslog_msg(system_dbusd_t)
+@@ -141,6 +144,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_exec_gconf(system_dbusd_t)
++')
++
++optional_policy(`
++ networkmanager_initrc_domtrans(system_dbusd_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
+@@ -158,5 +169,12 @@ optional_policy(`
+ #
+ # Unconfined access to this module
+ #
+-
+ allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
++allow session_bus_type dbusd_unconfined:dbus send_msg;
++
++optional_policy(`
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
++ xserver_append_xdm_home_files(session_bus_type)
++')
+diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
+index 784753e..bf65e7d 100644
+--- a/policy/modules/services/dcc.if
++++ b/policy/modules/services/dcc.if
+@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+- files_search_var($1)
++ files_search_pids($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+ ')
+diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
+index 0a1a61b..da508f4 100644
+--- a/policy/modules/services/ddclient.if
++++ b/policy/modules/services/ddclient.if
+@@ -64,8 +64,8 @@ interface(`ddclient_run',`
+ interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+- type ddclient_var_t, ddclient_var_lib_t;
+- type ddclient_var_run_t, ddclient_initrc_exec_t;
++ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
++ type ddclient_var_run_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
+index 567865f..9c9e65c 100644
+--- a/policy/modules/services/denyhosts.if
++++ b/policy/modules/services/denyhosts.if
+@@ -13,12 +13,12 @@
+ ## Execute a domain transition to run denyhosts.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+-interface(`denyhosts_domtrans', `
++interface(`denyhosts_domtrans',`
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+@@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
+ ##