+ ##
+@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
++kernel_read_crypto_sysctls(domain)
++
+ # Every domain gets the key ring, so we should default
+ # to no one allowed to look at it; afs kernel support creates
+ # a keyring
+ kernel_dontaudit_search_key(domain)
+ kernel_dontaudit_link_key(domain)
++kernel_dontaudit_search_debugfs(domain)
+
+ # create child processes in the domain
+-allow domain self:process { fork sigchld };
++allow domain self:process { fork getsched sigchld };
+
+ # Use trusted objects in /dev
+ dev_rw_null(domain)
+@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
+
+ # list the root directory
+ files_list_root(domain)
++# allow all domains to search through default_t directory, since users sometimes
++# place labels within these directories. (samba_share_t) for example.
++files_search_default(domain)
++
++# All executables should be able to search the directory they are in
++corecmd_search_bin(domain)
++
++tunable_policy(`domain_kernel_load_modules',`
++ kernel_request_load_module(domain)
++')
+
+ tunable_policy(`global_ssp',`
+ # enable reading of urandom for all domains:
+@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
+ ')
+
+ optional_policy(`
++ afs_rw_cache(domain)
++')
++
++optional_policy(`
+ libs_use_ld_so(domain)
+ libs_use_shared_libs(domain)
++ libs_read_lib_files(domain)
+ ')
+
+ optional_policy(`
+@@ -125,6 +158,8 @@ optional_policy(`
+ optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
++ xserver_dontaudit_append_xdm_home_files(domain)
++ xserver_dontaudit_write_log(domain)
+ ')
+
+ ########################################
+@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+ allow unconfined_domain_type domain:fd use;
+ allow unconfined_domain_type domain:fifo_file rw_file_perms;
+
++allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
++
+ # Act upon any other process.
+ allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+
+@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *;
+
+ # receive from all domains over labeled networking
+ domain_all_recvfrom_all_domains(unconfined_domain_type)
++
++selinux_getattr_fs(domain)
++selinux_search_fs(domain)
++selinux_dontaudit_read_fs(domain)
++
++optional_policy(`
++ seutil_dontaudit_read_config(domain)
++')
++
++optional_policy(`
++ init_sigchld(domain)
++ init_signull(domain)
++')
++
++ifdef(`distro_redhat',`
++ files_search_mnt(domain)
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
++# these seem questionable:
++
++optional_policy(`
++ abrt_domtrans_helper(domain)
++ abrt_read_pid_files(domain)
++ abrt_read_state(domain)
++ abrt_signull(domain)
++ abrt_stream_connect(domain)
++')
++
++optional_policy(`
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++ rpm_search_log(domain)
++ rpm_append_tmp_files(domain)
++ rpm_dontaudit_leaks(domain)
++ rpm_read_script_tmp_files(domain)
++ rpm_inherited_fifo(domain)
++')
++
++optional_policy(`
++ sosreport_append_tmp_files(domain)
++')
++
++tunable_policy(`allow_domain_fd_use',`
++ # Allow all domains to use fds past to them
++ allow domain domain:fd use;
++')
++
++optional_policy(`
++ cron_dontaudit_write_system_job_tmp_files(domain)
++ cron_rw_pipes(domain)
++ cron_rw_system_job_pipes(domain)
++')
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit domain self:udp_socket listen;
++ allow domain domain:key { link search };
++')
++
++optional_policy(`
++ hal_dontaudit_read_pid_files(domain)
++')
++
++optional_policy(`
++ ipsec_match_default_spd(domain)
++')
++
++optional_policy(`
++ ifdef(`hide_broken_symptoms',`
++ afs_rw_udp_sockets(domain)
++ ')
++')
++
++optional_policy(`
++ ssh_rw_pipes(domain)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(domain)
++ unconfined_sigchld(domain)
++')
++
++# broken kernel
++dontaudit can_change_object_identity can_change_object_identity:key link;
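Review bot: The `allow domain domain:key { link search };` rule inside the `hide_broken_symptoms' block is a real grant, not an audit suppression, so on builds with that option every domain may search and link every other domain's keyring, which runs against the context comment earlier in this file that no one should be allowed to look at the keyring by default. If the goal is only to silence denials, make it `dontaudit domain domain:key { link search };` like the `udp_socket listen` rule next to it; if the access is genuinely needed, it belongs under a named tunable with a comment saying why. The block headed `# these seem questionable:` grants abrt, rpm, cron and ssh access to every domain with no tunable either; at minimum the comment should name what breaks without them. Separately, the comment in the `allow_domain_fd_use' block should read `# Allow all domains to use fds passed to them`.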
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 16108f6..33ea07b 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
+ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
+
+ ifdef(`distro_suse',`
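Review bot: The new `/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)` entry labels every regular file directly under / as etc_runtime_t, not only the boot flags the neighbouring entries name, so on distro_redhat builds every interface that grants access to etc_runtime_t under root_t now covers any stray top-level file. Presumably the more specific entries such as `/halt` and `/poweroff` still take precedence through the usual file_contexts specificity ordering, but that depends on how the contexts are sorted and should be confirmed rather than assumed. A one-line comment above the entry stating its intent, e.g. `# catch-all: other regular files in / are treated as runtime boot flags`, would make the breadth explicit to the next reader.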
+@@ -57,6 +58,13 @@ ifdef(`distro_suse',`
+ /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
+
+ /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
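Review bot: `/etc/sysconfig/ip6?tables.*` also matches `/etc/sysconfig/iptables.save`, which the next hunk keeps as `/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)`, so the two entries overlap and which context wins depends on file_contexts specificity ordering rather than on anything visible here. If the `.save` file is meant to stay etc_runtime_t, narrow the new pattern (for example `/etc/sysconfig/ip6?tables(-config)?` — adjust to the files actually intended) or add a comment next to the `\.save` entry noting that it is the more specific match; if it is meant to become system_conf_t, drop the old entry so there is a single source of truth.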
+@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
+
+ /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
++/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
+
+ ifdef(`distro_gentoo', `
+ /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -89,7 +100,7 @@ ifdef(`distro_suse',`
+ # HOME_ROOT
+ # expanded by genhomedircon
+ #
+-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
++HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+ HOME_ROOT/\.journal <>
+ HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ HOME_ROOT/lost\+found/.* <>
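Review bot: Dropping `-d` from `HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)` turns a directory-only entry into one that matches any object class at that path, and the same change is made for `/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)` in a later hunk of this file. Presumably the motivation is a symlinked home root or /var/tmp — the `home_root_t:lnk_file getattr` rules added to files.if in this patch point that way — but the widening is not recorded anywhere. A short comment above each entry, e.g. `# no -d: this path may be a symlink`, would preserve the reason.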
+@@ -153,6 +164,12 @@ HOME_ROOT/lost\+found/.* <>
+ /proc -d <>
+ /proc/.* <>
+
++ifdef(`distro_redhat',`
++/rhev -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev/[^/]*/.* <>
++')
++
+ #
+ # /selinux
+ #
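Review bot: `/rhev -d gen_context(system_u:object_r:mnt_t,s0)` on the first line of the new `distro_redhat' block is already covered by `/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)` on the next line, since the parenthesised group is optional. Dropping the first line leaves the block equivalent and avoids two entries competing for the same path.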
+@@ -166,12 +183,6 @@ HOME_ROOT/lost\+found/.* <>
+ /srv/.* gen_context(system_u:object_r:var_t,s0)
+
+ #
+-# /sys
+-#
+-/sys -d <>
+-/sys/.* <>
+-
+-#
+ # /tmp
+ #
+ /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+@@ -211,7 +222,6 @@ HOME_ROOT/lost\+found/.* <>
+
+ ifndef(`distro_redhat',`
+ /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+-
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+ ')
+@@ -227,6 +237,8 @@ ifndef(`distro_redhat',`
+
+ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
++/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
+ /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+ /var/lib/nfs/rpc_pipefs(/.*)? <>
+@@ -243,7 +255,7 @@ ifndef(`distro_redhat',`
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp/.* <>
+ /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/tmp/lost\+found/.* <>
+@@ -252,3 +264,7 @@ ifndef(`distro_redhat',`
+ ifdef(`distro_debian',`
+ /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/usr/lib/debug(/.*)? <>
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 958ca84..32a3f1d 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
+ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+- # this is only relabelfrom since there should be no
+- # device nodes with file types.
+- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
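Review bot: Replacing `relabelfrom_blk_files_pattern`/`relabelfrom_chr_files_pattern` with the `relabel_*` forms adds relabelto on block and character device nodes for every file_type, and the deleted comment was the only place that explained why relabelto had been withheld; the commit removes the rationale without replacing it. If device nodes carrying file types now legitimately exist, the two new lines deserve a comment naming that case (`# relabelto on device nodes: needed for <case>`); otherwise the narrower relabelfrom forms should stay. The enclosing `files_relabel_all_files` interface starts before this hunk.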
+@@ -1410,6 +1408,24 @@ interface(`files_getattr_all_mountpoints',`
+
+ ########################################
+ ##
++## Set the attributes of all mount points.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir setattr;
++')
++
++########################################
++##
+ ## Search all mount points.
+ ##
+ ##
+@@ -1446,6 +1462,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
+
+ ########################################
+ ##
++## Do not audit listing of all mount points.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ dontaudit $1 mountpoint:dir list_dir_perms;
++')
++
++########################################
++##
++## Write all mount points.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir write;
++')
++
++########################################
++##
++## Write all file type directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_dirs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:dir write;
++')
++
++########################################
++##
+ ## List the contents of the root directory.
+ ##
+ ##
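Review bot: `files_write_all_dirs` grants `allow $1 file_type:dir write;` on every type carrying the file_type attribute — which includes etc_t via `files_type(etc_t)` in files.te — yet its summary only says "Write all file type directories." The description should spell out the breadth so callers reach for a type-specific interface first, e.g. `## Write every directory labeled with any file type (very broad; prefer a type-specific files_*_dirs interface).`. `files_write_all_mountpoints` just above is similar in shape, though the mountpoint attribute is narrower.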
+@@ -1731,6 +1801,24 @@ interface(`files_list_boot',`
+ allow $1 boot_t:dir list_dir_perms;
+ ')
+
++#######################################
++##
++## Dontaudit List the /boot directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_list_boot',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ dontaudit $1 boot_t:dir list_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Create directories in /boot
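Review bot: `files_dontaudit_list_boot` is a dontaudit interface but its parameter is described as `## Domain allowed access.`; the file's convention for dontaudit interfaces is `## Domain to not audit.` (as in `files_dontaudit_list_all_mountpoints` earlier in this patch). The same mismatch appears in `files_dontaudit_setattr_etc_runtime_files`, `files_dontaudit_list_mnt` and `files_dontaudit_leaks` later in the patch. The summary `Dontaudit List the /boot directory.` should also follow the existing "Do not audit ..." phrasing, e.g. `## Do not audit attempts to list the /boot directory.`.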
+@@ -1854,6 +1942,25 @@ interface(`files_relabelfrom_boot_files',`
+ relabelfrom_files_pattern($1, boot_t, boot_t)
+ ')
+
++######################################
++##
++## Read symbolic links
++## in the /boot directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_boot_symlinks',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ read_lnk_files_pattern($1, boot_t, boot_t)
++')
++
+ ########################################
+ ##
+ ## Read and write symbolic links
+@@ -2453,6 +2560,24 @@ interface(`files_delete_etc_files',`
+
+ ########################################
+ ##
++## Remove entries from the etc directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_etc_dir_entry',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:dir del_entry_dir_perms;
++')
++
++########################################
++##
+ ## Execute generic files in /etc.
+ ##
+ ##
+@@ -2583,6 +2708,31 @@ interface(`files_create_boot_flag',`
+
+ ########################################
+ ##
++## Delete a boot flag.
++##
++##
++##
++## Delete a boot flag, such as
++## /.autorelabel and /.autofsck.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_delete_boot_flag',`
++ gen_require(`
++ type root_t, etc_runtime_t;
++ ')
++
++ delete_files_pattern($1, root_t, etc_runtime_t)
++')
++
++########################################
++##
+ ## Read files in /etc that are dynamically
+ ## created on boot, such as mtab.
+ ##
+@@ -2623,6 +2773,24 @@ interface(`files_read_etc_runtime_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to set the attributes of the etc_runtime files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_setattr_etc_runtime_files',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ dontaudit $1 etc_runtime_t:file setattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to read files
+ ## in /etc that are dynamically
+ ## created on boot, such as mtab.
+@@ -3104,6 +3272,7 @@ interface(`files_getattr_home_dir',`
+ ')
+
+ allow $1 home_root_t:dir getattr;
++ allow $1 home_root_t:lnk_file getattr;
+ ')
+
+ ########################################
+@@ -3124,6 +3293,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+ ')
+
+ dontaudit $1 home_root_t:dir getattr;
++ dontaudit $1 home_root_t:lnk_file getattr;
+ ')
+
+ ########################################
+@@ -3287,6 +3457,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
+ dontaudit $1 lost_found_t:dir getattr;
+ ')
+
++#######################################
++##
++## List the contents of /tmp/lost-found
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_lost_found_dirs',`
++ gen_require(`
++ type lost_found_t;
++ ')
++
++ allow $1 lost_found_t:dir list_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete objects in
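Review bot: The summary of `files_list_lost_found_dirs` says `List the contents of /tmp/lost-found`, but lost_found_t also labels `HOME_ROOT/lost\+found` and `/var/tmp/lost\+found` in files.fc (visible as context in this patch), and `allow $1 lost_found_t:dir list_dir_perms;` covers all of them. Suggest `## List the contents of lost+found directories.`. The header rule above it is also shorter than the surrounding 40-column ones.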
+@@ -3365,6 +3553,43 @@ interface(`files_list_mnt',`
+ allow $1 mnt_t:dir list_dir_perms;
+ ')
+
++######################################
++##
++## dontaudit List the contents of /mnt.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_list_mnt',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ dontaudit $1 mnt_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## write access on mnt files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_access_check_mnt',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ dontaudit $1 mnt_t:file_class_set audit_access;
++')
++
+ ########################################
+ ##
+ ## Mount a filesystem on /mnt.
+@@ -3438,6 +3663,24 @@ interface(`files_read_mnt_files',`
+ read_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++######################################
++##
++## Read symbolic links in /mnt.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_mnt_symlinks',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ read_lnk_files_pattern($1, mnt_t, mnt_t)
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -3729,6 +3972,99 @@ interface(`files_read_world_readable_sockets',`
+ allow $1 readable_t:sock_file read_sock_file_perms;
+ ')
+
++#######################################
++##
++## Read manageable system configuration files in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ allow $1 etc_t:dir list_dir_perms;
++ read_files_pattern($1, etc_t, system_conf_t)
++ read_lnk_files_pattern($1, etc_t, system_conf_t)
++')
++
++######################################
++##
++## Manage manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++###################################
++##
++## Create files in /etc with the type used for
++## the manageable system config files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`files_etc_filetrans_system_conf',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ filetrans_pattern($1, etc_t, system_conf_t, file)
++')
++
+ ########################################
+ ##
+ ## Allow the specified type to associate
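Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` both declare `type usr_t;` in `gen_require` but use `system_conf_t` in the body, so the require is wrong on both counts — usr_t is unused and system_conf_t is not required — and the interface will fail to expand in a module where system_conf_t is not otherwise in scope. Change both to `type system_conf_t;`. The two interfaces also share the summary `Relabel manageable system configuration files in /etc.`; the relabelto one should say "Relabel to ..." and the relabelfrom one "Relabel from ..." so they are distinguishable in the generated documentation.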
+@@ -3914,6 +4250,32 @@ interface(`files_manage_generic_tmp_dirs',`
+
+ ########################################
+ ##
++## Allow shared library text relocations in tmp files.
++##
++##
++##
++## Allow shared library text relocations in tmp files.
++##
++##
++## This is added to support java policy.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_execmod_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file execmod;
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
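Review bot: `files_execmod_tmp` grants `allow $1 tmpfile:file execmod;` on the tmpfile attribute, i.e. every type derived as a tmp file, not only tmp_t, while the summary says "tmp files". Since execmod permits text relocations in mapped files from any of those types, the description should name the scope, e.g. `## Allow shared library text relocations in all tmp file types (tmpfile attribute).`; the "added to support java policy" note is useful and should stay.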
+@@ -3968,7 +4330,7 @@ interface(`files_rw_generic_tmp_sockets',`
+
+ ########################################
+ ##
+-## Set the attributes of all tmp directories.
++## Relabel a dir from the type used in /tmp.
+ ##
+ ##
+ ##
+@@ -3976,17 +4338,17 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##
+ ##
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir { search_dir_perms setattr };
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## List all tmp directories.
++## Relabel a file from the type used in /tmp.
+ ##
+ ##
+ ##
+@@ -3994,45 +4356,123 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##
+ ##
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
++## Relabel all tmp dirs.
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
++ type var_t;
+ ')
+
+- dontaudit $1 tmpfile:file getattr;
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ##
+-## Allow attempts to get the attributes
+-## of all tmp files.
++## Relabel all tmp files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ type var_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
++')
++
++########################################
++##
++## Set the attributes of all tmp directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_all_tmp_dirs',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:dir { search_dir_perms setattr };
++')
++
++########################################
++##
++## List all tmp directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_all_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:dir list_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of all tmp files.
++##
++##
++##
++## Domain not to audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_all_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ dontaudit $1 tmpfile:file getattr;
++')
++
++########################################
++##
++## Allow attempts to get the attributes
++## of all tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+@@ -4127,6 +4567,15 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
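Review bot: `files_purge_tmp` now also calls the `files_delete_isid_type_*` interfaces, which extend the purge beyond the tmpfile attribute to the initial-SID file type (presumably file_t, i.e. objects that were never labeled), a broader grant than the interface name suggests. The interface's summary is outside this hunk, but it should mention that purge also removes unlabeled objects, and a one-line comment before the new calls (`# also purge objects that were never labeled`) would explain why they are here. I cannot see the `files_delete_isid_type_blk_files`/`files_delete_isid_type_chr_files` definitions in this patch, so confirm they exist in files.if.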
+@@ -4736,6 +5185,24 @@ interface(`files_read_var_files',`
+
+ ########################################
+ ##
++## Append files in the /var directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_append_var_files',`
++ gen_require(`
++ type var_t;
++ ')
++
++ append_files_pattern($1, var_t, var_t)
++')
++
++########################################
++##
+ ## Read and write files in the /var directory.
+ ##
+ ##
+@@ -5071,6 +5538,24 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
++## List generic lock directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
+ ## Search the locks directory (/var/lock).
+ ##
+ ##
+@@ -5156,12 +5641,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
++ gen_require(`
+ type var_t, var_lock_t;
+- ')
++ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ allow $1 var_t:dir search_dir_perms;
++ delete_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+ ########################################
+@@ -5207,6 +5692,27 @@ interface(`files_delete_all_locks',`
+
+ ########################################
+ ##
++## Relabel all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabel_all_lock_dirs',`
++ gen_require(`
++ attribute lockfile;
++ type var_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
+ ## Read all lock files.
+ ##
+ ##
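Review bot: The summary of `files_relabel_all_lock_dirs` says `Relabel all lock files.` but the body is `relabel_dirs_pattern($1, lockfile, lockfile)`, so it relabels directories, not files. Change the summary to `## Relabel all lock directories.` so the generated documentation matches the name and the rule.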
+@@ -5335,6 +5841,43 @@ interface(`files_search_pids',`
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
++######################################
++##
++## Add and remove entries from pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++##
++## Create generic pid directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to search
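Review bot: `files_create_var_run_dirs` breaks the naming used by its neighbours — `files_search_pids`, `files_rw_pid_dirs` and the `files_*_pid*` interfaces added later in this patch all refer to /var/run as "pid" — so `files_create_pid_dirs` would be consistent and easier to find. The two header rules in this hunk are also 38 and 39 `#` wide where the file uses 40.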
+@@ -5542,6 +6085,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
++## Relable all pid directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Delete all pid sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_unlink_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++##
++## manage all pidfile directories
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++##
+ ## Read all process ID files.
+ ##
+ ##
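Review bot: `files_relabel_all_pid_dirs` does not grant `var_t:dir search_dir_perms` the way `files_relabel_all_tmp_dirs` and `files_relabel_all_lock_dirs` in this patch do (`allow $1 var_t:dir search_dir_perms;`), so a caller relabeling /var/run subtrees may still need search on /var; presumably fine if callers already have it, but the three should agree or the difference should be commented. "Relable" is misspelled in this summary and in `files_relabel_all_pid_files` in the next hunk (`## Relabel all pid directories`, `## Relabel all pid files`). `manage_dirs_pattern($1,pidfile,pidfile)` here, and `manage_files_pattern($1,pidfile,pidfile)` and `manage_lnk_files_pattern($1,var_run_t,var_run_t)` later, lack the spaces after commas used everywhere else in the file, and there is a doubled blank line after `files_manage_all_pid_dirs`.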
+@@ -5559,6 +6158,44 @@ interface(`files_read_all_pids',`
+
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Relable all pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_files',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## manage all pidfiles
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_files_pattern($1,pidfile,pidfile)
+ ')
+
+ ########################################
+@@ -5844,3 +6481,284 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++##
++## Create a core files in /
++##
++##
++##
++## Create a core file in /,
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_manage_root_files',`
++ gen_require(`
++ type root_t;
++ ')
++
++ manage_files_pattern($1, root_t, root_t)
++')
++
++########################################
++##
++## Create a default directory
++##
++##
++##
++## Create a default_t direcrory
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_create_default_dir',`
++ gen_require(`
++ type default_t;
++ ')
++
++ allow $1 default_t:dir create;
++')
++
++########################################
++##
++## Create, default_t objects with an automatic
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object being created.
++##
++##
++#
++interface(`files_root_filetrans_default',`
++ gen_require(`
++ type root_t, default_t;
++ ')
++
++ filetrans_pattern($1, root_t, default_t, $2)
++')
++
++########################################
++##
++## manage generic symbolic links
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_pids_symlinks',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to getattr
++## all tmpfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file getattr;
++')
++
++########################################
++##
++## Allow read write all tmpfs files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_rw_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read security files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_security_files',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
++ dontaudit $1 security_file_type:file read_file_perms;
++')
++
++########################################
++##
++## rw any files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_rw_all_inherited_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 { file_type $2 }:file rw_inherited_file_perms;
++ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
++ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Allow any file point to be the entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_entrypoint_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++ allow $1 file_type:file entrypoint;
++')
++
++########################################
++##
++## Do not audit attempts to rw inherited file perms
++## of non security files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_all_non_security_leaks',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_leaks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file rw_inherited_file_perms;
++ dontaudit $1 file_type:lnk_file { read };
++')
++
++########################################
++##
++## Allow domain to create_file_ass all types
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_as_is_all_files',`
++ gen_require(`
++ attribute file_type;
++ class kernel_service create_files_as;
++ ')
++
++ allow $1 file_type:kernel_service create_files_as;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## write access on all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_all_access_check',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file_class_set audit_access;
++')
++
++########################################
++##
++## Do not audit attempts to write to all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:dir_file_class_set write;
++')
+diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
+index 6e01635..212a736 100644
+--- a/policy/modules/kernel/files.te
++++ b/policy/modules/kernel/files.te
+@@ -11,6 +11,7 @@ attribute lockfile;
+ attribute mountpoint;
+ attribute pidfile;
+ attribute configfile;
++attribute etcfile;
+
+ # For labeling types that are to be polyinstantiated
+ attribute polydir;
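Review bot: `attribute etcfile;` is declared here but nothing in the visible hunks assigns it to a type or uses it in a rule — the new system_conf_t and etc_runtime_t are put on `configfile` instead. Unless a later part of the series references it, the declaration is dead and should be dropped, or commented with its intended use (`# etcfile: <intended use>`) so readers know what is supposed to carry it.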
+@@ -58,12 +59,21 @@ files_type(etc_t)
+ typealias etc_t alias automount_etc_t;
+ typealias etc_t alias snmpd_etc_t;
+
++# system_conf_t is a new type of various
++# files in /etc/ that can be managed and
++# created by several domains.
++#
++type system_conf_t, configfile;
++files_type(system_conf_t)
++# compatibility aliases for removed type:
++typealias system_conf_t alias iptables_conf_t;
++
+ #
+ # etc_runtime_t is the type of various
+ # files in /etc that are automatically
+ # generated during initialization.
+ #
+-type etc_runtime_t;
++type etc_runtime_t, configfile;
+ files_type(etc_runtime_t)
+ #Temporarily in policy until FC5 dissappears
+ typealias etc_runtime_t alias firstboot_rw_t;
+diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
+index 59bae6a..2e55e71 100644
+--- a/policy/modules/kernel/filesystem.fc
++++ b/policy/modules/kernel/filesystem.fc
+@@ -2,5 +2,16 @@
+ /dev/shm/.* <>
+
+ /cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
++/cgroup/.* <>
+
++/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
++/lib/udev/devices/hugepages/.* <>
++
++/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
++/lib/udev/devices/shm/.* <>
++
++/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup(/.*)? <>
++
++/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
++/dev/hugepages(/.*)? <>
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index dfe361a..40bfd0f 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
+ ')
+
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+ ########################################
+ ##
++## Relabelto cgroup directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabelto_cgroup_dirs',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
+ ## list cgroup directories.
+ ##
+ ##
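Review bot: The `gen_require` block of the new `fs_relabelto_cgroup_dirs` contains a stray empty line between `type cgroup_t;` and `')`, which none of the other interfaces in this file have; remove it so the block reads like its neighbours. The `fs_search_tmpfs($1)` added to `fs_search_cgroup_dirs` at the top of the hunk is repeated identically in the next six cgroup hunks; that is consistent, but the first occurrence could carry a one-line comment saying why tmpfs search is needed (presumably the cgroup mount lives under a tmpfs path such as the `/sys/fs/cgroup` labels added in filesystem.fc — my inference) so the other six do not have to.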
+@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', `
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', `
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',`
+ ')
+
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',`
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', `
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',`
+ ')
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',`
+ ')
+
+ manage_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -1052,6 +1079,24 @@ interface(`fs_list_noxattr_fs',`
+
+ ########################################
+ ##
++## Do not audit Read all noxattrfs directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_list_noxattr_fs',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ dontaudit $1 noxattrfs:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete all noxattrfs directories.
+ ##
+ ##
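Review bot: The summary of `fs_dontaudit_list_noxattr_fs` says "Do not audit Read all noxattrfs directories", but the rule it wraps is `dontaudit $1 noxattrfs:dir list_dir_perms;`, which suppresses directory listing, not file reads. Suggest `## Do not audit attempts to list all noxattrfs directories.` so a caller choosing between this and the read-file variants further down in the same file picks the right one.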
+@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',`
+
+ ########################################
+ ##
++## Read/Write all inherited noxattrfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_noxattr_fs_files',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ allow $1 noxattrfs:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit read all noxattrfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_read_noxattr_fs_files',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ dontaudit $1 noxattrfs:file read_file_perms;
++')
++
++########################################
++##
+ ## Dont audit attempts to write to noxattrfs files.
+ ##
+ ##
+@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/Write inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a CIFS or SMB filesystem.
+ ##
+@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+ type cifs_t;
+ ')
+
+- dontaudit $1 cifs_t:file rw_file_perms;
++ dontaudit $1 cifs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',`
+ domain_auto_transition_pattern($1, cifs_t, $2)
+ ')
+
++########################################
++##
++## Make general progams in cifs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which cifs_t is an entrypoint.
++##
++##
++#
++interface(`fs_cifs_entry_type',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ domain_entry_file($1, cifs_t)
++')
++
+ #######################################
+ ##
+ ## Create, read, write, and delete dirs
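Review bot: `fs_cifs_entry_type` makes every file labeled cifs_t a valid entry point for the domain passed as `$1`, and the documentation should state what that implies: the executable is served by a remote host, so the domain's trust now rests on that share and whatever can modify it. Suggest adding a description line such as `## cifs_t content is provided by the remote server, so the entry point is only as trustworthy as that server and the transport to it.` The same point applies to `fs_nfs_entry_type` in the `@@ -2395,6 +2645,25 @@` hunk further down. "progams" is misspelled in both summaries.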
+@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',`
+
+ ########################################
+ ##
++## list dirs
++## on a DOS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_dos_dirs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ list_dirs_pattern($1, dosfs_t, dosfs_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete dirs
+ ## on a DOS filesystem.
+ ##
+@@ -1774,6 +1929,24 @@ interface(`fs_unmount_fusefs',`
+
+ ########################################
+ ##
++## Mounton a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mounton_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir mounton;
++')
++
++########################################
++##
+ ## Search directories
+ ## on a FUSEFS filesystem.
+ ##
+@@ -1892,6 +2065,26 @@ interface(`fs_manage_fusefs_files',`
+
+ ########################################
+ ##
++## Execute files on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_exec_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir list_dir_perms;
++ exec_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to create,
+ ## read, write, and delete files
+ ## on a FUSEFS filesystem.
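Review bot: The doc block of `fs_exec_fusefs_files` has an extra empty `##` line after the parameter description that the neighbouring `fs_mounton_fusefs` block does not have; drop one so the generated documentation stays uniform. The interface also grants `fusefs_t:dir list_dir_perms` in addition to `exec_files_pattern`; if listing is deliberately bundled with execution here, a one-line comment on that rule would save the next reader from checking whether the other `fs_exec_*_files` interfaces (not visible in this hunk) do the same.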
+@@ -1931,7 +2124,26 @@ interface(`fs_read_fusefs_symlinks',`
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
++## Get the attributes of an hugetlbfs
++## filesystem;
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_hugetlbfs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $1 hugetlbfs_t:filesystem getattr;
++')
++
++########################################
++##
++## R/W hugetlbfs files.
+ ##
+ ##
+ ##
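Review bot: In `fs_getattr_hugetlbfs` the summary reads `## Get the attributes of an hugetlbfs` / `## filesystem;` — the trailing semicolon and "an hugetlbfs" look like a paste slip; suggest `## Get the attributes of a hugetlbfs filesystem.` on one line. The same hunk shortens the existing summary of `fs_rw_hugetlbfs_files` to `## R/W hugetlbfs files.`; the spelled-out `## Read and write hugetlbfs files.` matches the wording used by the other interfaces in this file and reads better in generated documentation.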
+@@ -1946,6 +2158,41 @@ interface(`fs_rw_hugetlbfs_files',`
+
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ ')
++########################################
++##
++## Manage hugetlbfs dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_hugetlbfs_dirs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
++## List hugetlbfs dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_hugetlbfs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $1 hugetlbfs_t:dir list_dir_perms;
++')
+
+ ########################################
+ ##
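Review bot: The new `fs_manage_hugetlbfs_dirs` block begins on the line directly after `')` with no blank separator, unlike every other interface in the file; add the blank line. `fs_list_hugetlbfs` also breaks the naming pattern of its siblings (`fs_manage_hugetlbfs_dirs` in this hunk, `fs_list_dos_dirs` and `fs_list_cgroup_dirs` elsewhere in this patch) — `fs_list_hugetlbfs_dirs` would tell callers which object class it covers, and its summary `## List hugetlbfs dirs` is missing its period.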
+@@ -1999,6 +2246,7 @@ interface(`fs_list_inotifyfs',`
+ ')
+
+ allow $1 inotifyfs_t:dir list_dir_perms;
++ fs_read_anon_inodefs_files($1)
+ ')
+
+ ########################################
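Review bot: `fs_list_inotifyfs` now also calls `fs_read_anon_inodefs_files($1)`, so an interface whose name promises directory listing on inotifyfs_t additionally grants reading anon_inodefs_t files to every existing caller. If that is needed because inotify descriptors are backed by anonymous inodes, say so on the new line, e.g. `# inotify descriptors are anon_inodefs files`, and mention the extra grant in the interface summary (which lies outside this hunk); otherwise a separately named interface keeps the existing callers' footprint unchanged.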
+@@ -2331,6 +2579,7 @@ interface(`fs_read_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ read_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2369,6 +2618,7 @@ interface(`fs_write_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2395,6 +2645,25 @@ interface(`fs_exec_nfs_files',`
+
+ ########################################
+ ##
++## Make general progams in nfs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which nfs_t is an entrypoint.
++##
++##
++#
++interface(`fs_nfs_entry_type',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ domain_entry_file($1, nfs_t)
++')
++
++########################################
++##
+ ## Append files
+ ## on a NFS filesystem.
+ ##
+@@ -2435,6 +2704,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/write inherited files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a NFS filesystem.
+ ##
+@@ -2449,7 +2754,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+ type nfs_t;
+ ')
+
+- dontaudit $1 nfs_t:file rw_file_perms;
++ dontaudit $1 nfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -2637,6 +2942,24 @@ interface(`fs_dontaudit_read_removable_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to write removable storage files.
++##
++##
++##
++## Domain not to audit.
++##
++##
++#
++interface(`fs_dontaudit_write_removable_files',`
++ gen_require(`
++ type removable_t;
++ ')
++
++ dontaudit $1 removable_t:file write_file_perms;
++')
++
++########################################
++##
+ ## Read removable storage symbolic links.
+ ##
+ ##
+@@ -2653,6 +2976,25 @@ interface(`fs_read_removable_symlinks',`
+ read_lnk_files_pattern($1, removable_t, removable_t)
+ ')
+
++######################################
++##
++## Read block nodes on removable filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_removable_blk_files',`
++ gen_require(`
++ type removable_t;
++ ')
++
++ allow $1 removable_t:dir list_dir_perms;
++ read_blk_files_pattern($1, removable_t, removable_t)
++')
++
+ ########################################
+ ##
+ ## Read and write block nodes on removable filesystems.
+@@ -2779,6 +3121,7 @@ interface(`fs_manage_nfs_dirs',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir manage_dir_perms;
+ ')
+
+@@ -2819,6 +3162,7 @@ interface(`fs_manage_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ manage_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+@@ -2845,7 +3189,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+ #########################################
+ ##
+ ## Create, read, write, and delete symbolic links
+-## on a CIFS or SMB network filesystem.
++## on a NFS network filesystem.
+ ##
+ ##
+ ##
+@@ -2859,6 +3203,7 @@ interface(`fs_manage_nfs_symlinks',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ manage_lnk_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+@@ -3989,6 +4334,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+
+ ########################################
+ ##
++## dontaudit Read and write block nodes on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
++')
++
++########################################
++##
++## Relabelfrom directory on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabelfrom_tmpfs_dir',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
+ ## Relabel character nodes on tmpfs filesystems.
+ ##
+ ##
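Review bot: `fs_dontaudit_read_tmpfs_blk_dev` is documented as `## dontaudit Read and write block nodes on tmpfs filesystems.` while the rule only covers `read_blk_file_perms`, and its parameter is described as `## Domain allowed access.` although nothing is allowed. Suggest `## Do not audit attempts to read block nodes on tmpfs filesystems.` and `## Domain to not audit.`, matching the other dontaudit interfaces in this file.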
+@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
+ ')
+
+ allow $1 filesystem_type:filesystem mount;
++# Mount checks write access on the dir
++ allow $1 filesystem_type:dir write;
+ ')
+
+ ########################################
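Review bot: The new `allow $1 filesystem_type:dir write;` in `fs_mount_all_fs` authorises creating, unlinking and renaming entries in every directory of every filesystem type for every caller of this interface, which is far more than a mount operation needs, and the comment `# Mount checks write access on the dir` does not say which code path performs that check. The mount-point check elsewhere in this patch uses the `mounton` permission (`allow $1 fusefs_t:dir mounton;` in the fusefs hunk); if the denial being silenced comes from a userspace writability probe rather than the mount itself, state that in the comment so a later reviewer can judge whether a narrower rule would do. The comment line is also at column 0 while the rule it annotates is indented; indent it with the rule. The interface's start lies outside this hunk.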
+@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
+
+ typeattribute $1 filesystem_unconfined_type;
+ ')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked filesystems files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_leaks',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++ dontaudit $1 filesystem_type:lnk_file { read };
++')
++
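Review bot: `fs_dontaudit_leaks` contains only dontaudit rules, yet its parameter is described as `## Domain allowed access.`; change it to `## Domain to not audit.` as the other dontaudit interfaces in this file do. The hunk also appends an empty line after the final `')`, leaving a trailing blank line at the end of filesystem.if; the same happens at the end of kernel.if (after `kernel_stream_connect`) and selinux.if (after `selinux_genbool`) in this patch.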
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index e49c148..4d6bbf4 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -52,6 +52,7 @@ type anon_inodefs_t;
+ fs_type(anon_inodefs_t)
+ files_mountpoint(anon_inodefs_t)
+ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
++mls_trusted_object(anon_inodefs_t)
+
+ type bdev_t;
+ fs_type(bdev_t)
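Review bot: `mls_trusted_object(anon_inodefs_t)` exempts every anon_inodefs_t object from the MLS constraints, and the hunk gives no reason for it. A one-line comment naming the denial or use case it addresses, in the style of the existing `# Bugzilla 222337` note in kernel.te, would let someone later decide whether the exemption is still required; without it the grant is hard to audit.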
+@@ -67,10 +68,11 @@ fs_type(capifs_t)
+ files_mountpoint(capifs_t)
+ genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+-type cgroup_t;
++type cgroup_t alias cgroupfs_t;
+ fs_type(cgroup_t)
+ files_type(cgroup_t)
+ files_mountpoint(cgroup_t)
++dev_associate_sysfs(cgroup_t)
+ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
+ type configfs_t;
+@@ -100,12 +102,22 @@ type hugetlbfs_t;
+ fs_type(hugetlbfs_t)
+ files_mountpoint(hugetlbfs_t)
+ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
++dev_associate(hugetlbfs_t)
+
+ type ibmasmfs_t;
+ fs_type(ibmasmfs_t)
+ allow ibmasmfs_t self:filesystem associate;
+ genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+
++#
++# infinibandeventfs fs
++#
++
++type infinibandeventfs_t;
++fs_type(infinibandeventfs_t)
++allow infinibandeventfs_t self:filesystem associate;
++genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
++
+ type inotifyfs_t;
+ fs_type(inotifyfs_t)
+ genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+@@ -148,6 +160,12 @@ fs_type(squash_t)
+ genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+ files_mountpoint(squash_t)
+
++type sysv_t;
++fs_noxattr_type(sysv_t)
++files_mountpoint(sysv_t)
++genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
++genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
++
+ type vmblock_t;
+ fs_noxattr_type(vmblock_t)
+ files_mountpoint(vmblock_t)
+@@ -168,6 +186,7 @@ fs_type(tmpfs_t)
+ files_type(tmpfs_t)
+ files_mountpoint(tmpfs_t)
+ files_poly_parent(tmpfs_t)
++dev_associate(tmpfs_t)
+
+ # Use a transition SID based on the allocating task SID and the
+ # filesystem SID to label inodes in the following filesystem types,
+@@ -247,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+ type removable_t;
+ allow removable_t noxattrfs:filesystem associate;
+ fs_noxattr_type(removable_t)
++files_type(removable_t)
++dev_node(removable_t)
+ files_mountpoint(removable_t)
+
+ #
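Review bot: `dev_node(removable_t)` makes a filesystem type also count as a device node type, so every interface written for "all device nodes" now applies to files on removable media as well, and `files_type(removable_t)` similarly widens the "all file types" interfaces; neither line says why. Presumably this covers device nodes that live on removable filesystems, but that is my inference — add a comment stating the case that needed it so the widening can be revisited.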
+@@ -266,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
+
+ ########################################
+ #
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 069d36c..78a81b3 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
+
+ ########################################
+ ##
++## Manage information from the debugging filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_manage_debugfs',`
++ gen_require(`
++ type debugfs_t;
++ ')
++
++ manage_files_pattern($1, debugfs_t, debugfs_t)
++ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++ list_dirs_pattern($1, debugfs_t, debugfs_t)
++')
++
++########################################
++##
+ ## Mount a kernel VM filesystem.
+ ##
+ ##
+@@ -863,6 +883,25 @@ interface(`kernel_dontaudit_write_proc_dirs',`
+
+ ########################################
+ ##
++## Do not audit attempts to setattr
++## directories in /proc.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_setattr_proc_dirs',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ dontaudit $1 proc_t:dir setattr;
++')
++
++########################################
++##
+ ## Get the attributes of files in /proc.
+ ##
+ ##
+@@ -2033,7 +2072,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+ ')
+
+ dontaudit $1 sysctl_type:dir list_dir_perms;
+- dontaudit $1 sysctl_type:file getattr;
++ dontaudit $1 sysctl_type:file read_file_perms;
+ ')
+
+ ########################################
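Review bot: `kernel_dontaudit_list_all_sysctls` now suppresses `read_file_perms` on every sysctl file instead of just `getattr`, so a domain that actually reads kernel parameter values through this interface produces no AVC denial at all. That removes signal an analyst relies on when reconstructing what a confined process probed, and it exceeds what an interface named "list" suggests. Keep the `getattr` dontaudit here and give callers that need the wider suppression a separately named interface (for example `kernel_dontaudit_read_all_sysctls`) so the choice is visible at the call site. The interface's header is outside this hunk.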
+@@ -2436,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+
+ ########################################
+ ##
++## Read and write unlabeled sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:socket rw_socket_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to get attributes for
+ ## unlabeled character devices.
+ ##
+@@ -2580,7 +2637,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+ allow $1 unlabeled_t:association { sendto recvfrom };
+
+ # temporary hack until labeling on packets is supported
+- allow $1 unlabeled_t:packet { send recv };
++# allow $1 unlabeled_t:packet { send recv };
+ ')
+
+ ########################################
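Review bot: The `allow $1 unlabeled_t:packet { send recv };` rule is disabled by commenting it out, but the `# temporary hack until labeling on packets is supported` comment above it stays and now describes nothing. Delete the dead line and either drop the comment or replace it with one stating why the packet permission is no longer granted. The enclosing `kernel_sendrecv_unlabeled_association` begins outside this hunk.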
+@@ -2754,6 +2811,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+
+ allow $1 unlabeled_t:rawip_socket recvfrom;
+ ')
++########################################
++##
++## Read/Write Raw IP packets from an unlabeled connection.
++##
++##
++##
++## Receive Raw IP packets from an unlabeled connection.
++##
++##
++## The corenetwork interface corenet_raw_recv_unlabeled() should
++## be used instead of this one.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_rawip_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
++')
++
+
+ ########################################
+ ##
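Review bot: The documentation of `kernel_rw_unlabeled_rawip_socket` is copied from the recvfrom interface above it: the description says `## Receive Raw IP packets from an unlabeled connection.` and points callers to `corenet_raw_recv_unlabeled()`, neither of which fits a read/write interface. Rewrite the description to say it grants `rw_socket_perms` on unlabeled raw IP sockets, and keep the pointer to corenetwork only if an equivalent interface exists there (I cannot verify that from here). Layout nits in the same hunk: no blank line separates the previous `')` from the new `########` header, and two blank lines follow the new interface.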
+@@ -2909,6 +2993,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+
+ ########################################
+ ##
++## Relabel to unlabeled context .
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelto_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir_file_class_set relabelto;
++')
++
++########################################
++##
+ ## Unconfined access to kernel module resources.
+ ##
+ ##
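Review bot: `kernel_relabelto_unlabeled` lets the caller relabel any file-class object to unlabeled_t, which takes the object out of every rule written for its original type; the summary `## Relabel to unlabeled context .` does not convey that and has a stray space before the period. Suggest `## Relabel files and directories to the unlabeled context.` plus a description line such as `## Objects relabeled to unlabeled_t are no longer covered by the rules for their previous type.` so callers understand the effect before granting it.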
+@@ -2924,3 +3026,23 @@ interface(`kernel_unconfined',`
+
+ typeattribute $1 kern_unconfined;
+ ')
++
++########################################
++##
++## Allow the specified domain to connect to
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_connect',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket connectto;
++')
++
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 5001b89..160976e 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+
+ type debugfs_t;
+ fs_type(debugfs_t)
++files_mountpoint(debugfs_t)
++
+ allow debugfs_t self:filesystem associate;
+ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+@@ -156,6 +158,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+ #
+ type unlabeled_t;
+ sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
++fs_associate(unlabeled_t)
+
+ # These initial sids are no longer used, and can be removed:
+ sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -254,7 +257,8 @@ fs_unmount_all_fs(kernel_t)
+
+ selinux_load_policy(kernel_t)
+
+-term_use_console(kernel_t)
++term_use_all_terms(kernel_t)
++term_use_ptmx(kernel_t)
+
+ corecmd_exec_shell(kernel_t)
+ corecmd_list_bin(kernel_t)
+@@ -268,19 +272,28 @@ files_list_root(kernel_t)
+ files_list_etc(kernel_t)
+ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
++files_manage_mounttab(kernel_t)
++files_manage_generic_spool_dirs(kernel_t)
+
+ mcs_process_set_categories(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_socket_write_all_levels(kernel_t)
+
+ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
++mls_file_downgrade(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_share_all_levels(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+ fs_rw_tmpfs_chr_files(kernel_t)
+ ')
+
++
+ optional_policy(`
+ hotplug_search_config(kernel_t)
+ ')
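Review bot: kernel_t gains `mls_file_downgrade`, `mcs_file_read_all`, `mcs_file_write_all`, `mcs_socket_write_all_levels`, `mls_socket_write_all_levels` and `mls_fd_share_all_levels` in one go with no comment, whereas the existing `fs_rw_tmpfs_chr_files(kernel_t)` carries `# Bugzilla 222337`. Each of these relaxes an MLS or MCS constraint for the kernel domain; a short comment per group naming the trigger would make them reviewable later. The same applies to `logging_manage_generic_logs(kernel_t)` and the `userdom_user_home_dir_filetrans_user_home_content` call in the `@@ -296,6 +309,11 @@` hunk and to `xserver_xdm_manage_spool(kernel_t)` in the `@@ -357,6 +375,10 @@` hunk. The hunk also leaves two consecutive blank lines before the first `optional_policy` block.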
+@@ -296,6 +309,11 @@ optional_policy(`
+
+ optional_policy(`
+ logging_send_syslog_msg(kernel_t)
++ logging_manage_generic_logs(kernel_t)
++')
++
++optional_policy(`
++ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+ ')
+
+ optional_policy(`
+@@ -357,6 +375,10 @@ optional_policy(`
+ unconfined_domain_noaudit(kernel_t)
+ ')
+
++optional_policy(`
++ xserver_xdm_manage_spool(kernel_t)
++')
++
+ ########################################
+ #
+ # Unlabeled process local policy
+diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
+index f52faaf..6bb6529 100644
+--- a/policy/modules/kernel/mcs.if
++++ b/policy/modules/kernel/mcs.if
+@@ -102,3 +102,49 @@ interface(`mcs_process_set_categories',`
+
+ typeattribute $1 mcssetcats;
+ ')
++
++########################################
++##
++## Make specified process type MCS untrusted.
++##
++##
++##
++## Make specified process type MCS untrusted. This
++## prevents this process from sending signals to other processes
++## with different mcs labels
++## object.
++##
++##
++##
++##
++## The type of the process.
++##
++##
++#
++interface(`mcs_untrusted_proc',`
++ gen_require(`
++ attribute mcsuntrustedproc;
++ ')
++
++ typeattribute $1 mcsuntrustedproc;
++')
++
++########################################
++##
++## Make specified domain MCS trusted
++## for writing to sockets at any level.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`mcs_socket_write_all_levels',`
++ gen_require(`
++ attribute mcsnetwrite;
++ ')
++
++ typeattribute $1 mcsnetwrite;
++')
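Review bot: The description of `mcs_untrusted_proc` ends with the dangling fragment `## object.` after "with different mcs labels", which reads as a leftover from an edit; finish the sentence or drop the line. The description also states the effect (blocking signals across MCS labels) while this hunk only attaches the `mcsuntrustedproc` attribute — the constraint that gives it that meaning is not in this patch as far as I can see, so the description should name where it is enforced or be hedged until that constraint lands.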
+diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
+index 0e5b661..3168d72 100644
+--- a/policy/modules/kernel/mcs.te
++++ b/policy/modules/kernel/mcs.te
+@@ -10,3 +10,5 @@ attribute mcsptraceall;
+ attribute mcssetcats;
+ attribute mcswriteall;
+ attribute mcsreadall;
++attribute mcsuntrustedproc;
++attribute mcsnetwrite;
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 786449a..e8ebc76 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
+
+ # because of this statement, any module which
+ # calls this interface must be in the base module:
+- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
++# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+ ')
+
+ ########################################
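Review bot: Commenting out the `genfscon selinuxfs /booleans/$2 ...` line in `selinux_labeled_boolean` leaves the two-line comment above it (`# because of this statement, any module which calls this interface must be in the base module`) describing a statement that no longer exists. Either delete the dead line together with its comment or replace the comment with why the genfscon was dropped, so callers do not keep treating the interface as base-module-only. The interface's beginning is outside this hunk.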
+@@ -257,6 +257,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ selinux_dontaudit_getattr_fs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -278,6 +279,7 @@ interface(`selinux_get_enforce_mode',`
+ type security_t;
+ ')
+
++ selinux_get_fs_mount($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+ ')
+@@ -358,6 +360,26 @@ interface(`selinux_load_policy',`
+
+ ########################################
+ ##
++## Allow caller to read the policy from the kernel.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_read_policy',`
++ gen_require(`
++ type security_t;
++ ')
++
++ allow $1 security_t:dir list_dir_perms;
++ allow $1 security_t:file read_file_perms;
++ allow $1 security_t:security read_policy;
++')
++
++########################################
++##
+ ## Allow caller to set the state of Booleans to
+ ## enable or disable conditional portions of the policy. (Deprecated)
+ ##
+@@ -459,6 +481,7 @@ interface(`selinux_set_all_booleans',`
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
++ allow $1 boolean_type:dir list_dir_perms;
+ allow $1 boolean_type:file rw_file_perms;
+
+ if(!secure_mode_policyload) {
+@@ -677,3 +700,24 @@ interface(`selinux_unconfined',`
+
+ typeattribute $1 selinux_unconfined_type;
+ ')
++
++########################################
++##
++## Generate a file context for a boolean type
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_genbool',`
++ gen_require(`
++ attribute boolean_type;
++ ')
++
++ type $1, boolean_type;
++ fs_type($1)
++ mls_trusted_object($1)
++')
++
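Review bot: In `selinux_genbool` the only parameter is the type being declared (`type $1, boolean_type;`), not a subject domain, so `## Domain allowed access.` is wrong; suggest `## Type to declare for the boolean; it receives the boolean_type attribute and is marked an MLS trusted object.` The summary `## Generate a file context for a boolean type` also overstates what the body does — it declares a type and attaches attributes via `fs_type` and `mls_trusted_object`; no file context is generated in this hunk.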
+diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
+index a9b8982..57c4a6a 100644
+--- a/policy/modules/kernel/storage.fc
++++ b/policy/modules/kernel/storage.fc
+@@ -12,6 +12,7 @@
+ /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -77,3 +78,6 @@ ifdef(`distro_redhat', `
+ /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+ /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
++
++/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
+index 3723150..d6d1dbe 100644
+--- a/policy/modules/kernel/storage.if
++++ b/policy/modules/kernel/storage.if
+@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
++ #577012
++ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
+ ')
+
+@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',`
+ type fixed_disk_device_t;
+ ')
+
++ allow $1 self:capability mknod;
++
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
++ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
+ dev_add_entry_generic_dirs($1)
+ ')
+
+diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
+index 3994e57..a1923fe 100644
+--- a/policy/modules/kernel/terminal.fc
++++ b/policy/modules/kernel/terminal.fc
+@@ -6,6 +6,7 @@
+ /dev/console -c gen_context(system_u:object_r:console_device_t,s0)
+ /dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/hpilo/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+@@ -18,6 +19,7 @@
+ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
+ /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+@@ -40,3 +42,5 @@ ifdef(`distro_gentoo',`
+ # used by init scripts to initally populate udev /dev
+ /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
+ ')
++
++/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index f3acfee..eceb42d 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
+
+ ########################################
+ ##
++## Read and write the inherited console, all inherited
++## ttys and ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_terms',`
++ gen_require(`
++ attribute ttynode, ptynode;
++ type console_device_t, devpts_t, tty_device_t;
++ ')
++
++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
+ ## Write to the console.
+ ##
+ ##
+@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`term_use_console',`
+ gen_require(`
+@@ -299,9 +319,11 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
++ type tty_device_t;
+ ')
+
+- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
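Review bot: `term_dontaudit_use_console` now also suppresses `rw_inherited_chr_file_perms` on tty_device_t, so an interface named and documented for the console silently widens every existing caller's dontaudit to the unallocated ttys; `term_dontaudit_use_unallocated_ttys`, changed later in this patch, already exists for that. Suggest dropping the tty_device_t lines here and having callers that need both call both interfaces, or updating the summary (outside this hunk) to say it covers tty_device_t as well.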
+@@ -341,7 +363,7 @@ interface(`term_relabel_console',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 console_device_t:chr_file { relabelfrom relabelto };
++ allow $1 console_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
+@@ -658,6 +680,25 @@ interface(`term_use_controlling_term',`
+ allow $1 devtty_t:chr_file { rw_term_perms lock append };
+ ')
+
++#######################################
++##
++## Allow attempts to get attributes
++## on the pty multiplexor (/dev/ptmx).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`term_getattr_ptmx',`
++ gen_require(`
++ type ptmx_t;
++ ')
++
++ allow $1 ptmx_t:chr_file getattr;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to get attributes
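Review bot: `term_getattr_ptmx` is an allow interface, but its parameter is documented as `## Domain to not audit.` and the summary starts with `## Allow attempts to get attributes`, both apparently copied from the dontaudit variant that follows. Suggest `## Get the attributes of the pty multiplexor (/dev/ptmx).` and `## Domain allowed access.`; the header line of this block also has one `#` fewer than the other headers in the file.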
+@@ -842,6 +883,26 @@ interface(`term_use_all_ptys',`
+
+ ########################################
+ ##
++## Read and write all inherited ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ptys',`
++ gen_require(`
++ attribute ptynode;
++ type devpts_t;
++ ')
++
++ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
++')
++
++########################################
++##
+ ## Do not audit attempts to read or write any ptys.
+ ##
+ ##
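Review bot: term_use_all_inherited_ptys requires `type devpts_t` but never references it, so the require adds an unnecessary module dependency and should be dropped, leaving `attribute ptynode;` alone in the gen_require. The permission set here is `{ rw_inherited_term_perms lock }`, whereas term_use_all_inherited_terms added earlier in this patch grants rw_inherited_term_perms without lock on the same ptynode attribute; the difference is unexplained and makes the two interfaces non-interchangeable.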
+@@ -855,7 +916,7 @@ interface(`term_dontaudit_use_all_ptys',`
+ attribute ptynode;
+ ')
+
+- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+ ')
+
+ ########################################
+@@ -1123,7 +1184,7 @@ interface(`term_relabel_unallocated_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 tty_device_t:chr_file { relabelfrom relabelto };
++ allow $1 tty_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1222,7 +1283,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ type tty_device_t;
+ ')
+
+- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1238,11 +1299,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ #
+ interface(`term_getattr_all_ttys',`
+ gen_require(`
++ type tty_device_t;
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file getattr;
++ allow $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1259,10 +1322,12 @@ interface(`term_getattr_all_ttys',`
+ interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1301,7 +1366,7 @@ interface(`term_relabel_all_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file { relabelfrom relabelto };
++ allow $1 ttynode:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1340,7 +1405,27 @@ interface(`term_use_all_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file rw_chr_file_perms;
++ allow $1 ttynode:chr_file rw_term_perms;
++')
++
++########################################
++##
++## Read and write all inherited ttys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ttynode:chr_file rw_inherited_term_perms;
+ ')
+
+ ########################################
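Review bot: term_use_all_inherited_ttys calls dev_list_all_dev_nodes($1), which grants directory listing of /dev to a caller that, by the interface's own description, only uses descriptors it already inherited and never opens a device; term_use_all_inherited_terms, added earlier in this patch for the same ttynode attribute, grants no such access, so one of the two is wrong. Dropping the dev_list_all_dev_nodes call keeps the inherited variant minimal. Separately, the switch in term_use_all_ttys from rw_chr_file_perms to rw_term_perms narrows the grant if rw_term_perms lacks `lock` as in upstream obj_perm_sets.spt; that deserves a line in the description, since callers relying on locking a tty would regress.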
+@@ -1359,7 +1444,7 @@ interface(`term_dontaudit_use_all_ttys',`
+ attribute ttynode;
+ ')
+
+- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1475,3 +1560,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ term_dontaudit_use_all_ttys($1)
+ ')
++
++#####################################
++##
++## Read from and write to the virtio console.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_use_virtio_console',`
++ gen_require(`
++ type virtio_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
++')
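Review bot: term_use_virtio_console grants rw_chr_file_perms while the rest of this patch moves terminal interfaces to rw_term_perms (see term_use_all_ttys), so this new interface is the one that still hands out `lock` on a terminal type; use rw_term_perms for consistency unless the lock is needed. The name and summary speak of "the virtio console", but virtio_device_t as declared in terminal.te covers every /dev/vport*p* node, so the summary should say `## Read from and write to virtio serial ports (/dev/vport*p*).` rather than imply a single console. The banner is 37 `#` instead of 40.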
+diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
+index 361692e..0f09fb5 100644
+--- a/policy/modules/kernel/terminal.te
++++ b/policy/modules/kernel/terminal.te
+@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
+ fs_associate_tmpfs(devpts_t)
+ fs_type(devpts_t)
+ fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
++dev_associate(devpts_t)
+
+ #
+ # devtty_t is the type of /dev/tty.
+@@ -56,3 +57,9 @@ dev_node(tty_device_t)
+ #
+ type usbtty_device_t, serial_device;
+ dev_node(usbtty_device_t)
++
++#
++# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
++#
++type virtio_device_t, serial_device;
++dev_node(virtio_device_t)
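Review bot: virtio_device_t is declared as a serial_device and documented as the type of /dev/vport[0-9]p[0-9], but no terminal.fc hunk assigning that label is visible in this part of the patch; without a file-context entry the nodes keep whatever label device creation gives them and term_use_virtio_console matches nothing. If the fc entry lives elsewhere in the patch, fine; otherwise add it alongside the type. Because serial_device is an attribute, any existing interface that grants access to serial_device now also covers these ports, which is worth stating in the comment above the type.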
+diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
+new file mode 100644
+index 0000000..f310b9d
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.fc
+@@ -0,0 +1 @@
++# No unlabelednet file contexts.
+diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
+new file mode 100644
+index 0000000..0ce0470
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.if
+@@ -0,0 +1 @@
++## Policy for allowing confined domains to use unlabeled_t packets
+diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
+new file mode 100644
+index 0000000..e1ebd1a
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.te
+@@ -0,0 +1,3 @@
++policy_module(unlabelednet, 1.0)
++
++corenet_enable_unlabeled_packets()
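Review bot: The whole unlabelednet module is a single call to corenet_enable_unlabeled_packets(), whose effect — judging by the .if summary — is to let confined domains send and receive unlabeled_t packets, i.e. a system-wide relaxation rather than a per-domain grant. The .te should carry a comment saying that installing this module changes policy-wide behaviour and is meant only for systems that do not rely on labeled networking, e.g. `# Installing this module allows ALL confined domains to use unlabeled network packets; remove it on hosts that enforce packet labeling.` The .if file being a one-line summary with no interfaces is fine, but its wording should match that comment.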
+diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
+index 0faef68..4264c9c 100644
+--- a/policy/modules/roles/auditadm.te
++++ b/policy/modules/roles/auditadm.te
+@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
+
+ domain_kill_all_domains(auditadm_t)
+
++selinux_read_policy(auditadm_t)
++
+ logging_send_syslog_msg(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t, auditadm_r)
+ logging_run_auditd(auditadm_t, auditadm_r)
++logging_stream_connect_syslog(auditadm_t)
+
+ seutil_run_runinit(auditadm_t, auditadm_r)
+ seutil_read_bin_policy(auditadm_t)
+
++userdom_dontaudit_search_admin_dir(auditadm_t)
++
+ optional_policy(`
+ consoletype_exec(auditadm_t)
+ ')
+diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
+index 1875064..e9c9277 100644
+--- a/policy/modules/roles/dbadm.te
++++ b/policy/modules/roles/dbadm.te
+@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
+ selinux_get_enforce_mode(dbadm_t)
+
+ logging_send_syslog_msg(dbadm_t)
++logging_send_audit_msgs(dbadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+@@ -58,3 +59,7 @@ optional_policy(`
+ optional_policy(`
+ postgresql_admin(dbadm_t, dbadm_r)
+ ')
++
++optional_policy(`
++ sudo_role_template(dbadm, dbadm_r, dbadm_t)
++')
+diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
+index 1cb7311..1de82b2 100644
+--- a/policy/modules/roles/guest.te
++++ b/policy/modules/roles/guest.te
+@@ -9,9 +9,15 @@ role guest_r;
+
+ userdom_restricted_user_template(guest)
+
++kernel_read_system_state(guest_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-#gen_user(guest_u,, guest_r, s0, s0)
++optional_policy(`
++ apache_role(guest_r, guest_t)
++')
++
++gen_user(guest_u, user, guest_r, s0, s0)
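Review bot: The commit turns the commented-out guest_u definition into a live gen_user(guest_u, user, guest_r, s0, s0) and at the same time grants the restricted guest role apache_role(guest_r, guest_t) and kernel_read_system_state(guest_t); for a role whose purpose is to be the minimal login, each of these is a deliberate widening that the description should justify. apache_role in particular, if it behaves as its name suggests, gives guest users a transition into the httpd user-script domain and management of web content — add a comment above the optional block stating that this is intended, or gate it on the existing httpd tunables. Also confirm the `user` prefix argument is wanted: it drives how guest home directories are labeled and may make them indistinguishable from ordinary user homes if the templates are shared.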
+diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
+index be4de58..cce681a 100644
+--- a/policy/modules/roles/secadm.te
++++ b/policy/modules/roles/secadm.te
+@@ -9,6 +9,8 @@ role secadm_r;
+
+ userdom_unpriv_user_template(secadm)
+ userdom_security_admin_template(secadm_t, secadm_r)
++userdom_inherit_append_admin_home_files(secadm_t)
++userdom_read_admin_home_files(secadm_t)
+
+ ########################################
+ #
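Review bot: userdom_read_admin_home_files(secadm_t) and userdom_inherit_append_admin_home_files(secadm_t) give the security-administrator domain read access to the system administrator's home directory contents, which crosses the sysadm/secadm separation the role split exists to provide. If the intent is only to support shared shell dotfiles or logs, a comment above the two lines saying which files secadm needs, e.g. `# secadm reads and appends root's shell history and rc files`, would let a later reviewer narrow it; as written it is an unexplained cross-role grant.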
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index 2be17d2..093b48d 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
+ role staff_r;
+
+ userdom_unpriv_user_template(staff)
++fs_exec_noxattr(staff_t)
++
++# needed for sandbox
++allow staff_t self:process setexec;
+
+ ########################################
+ #
+ # Local policy
+ #
+
++kernel_read_ring_buffer(staff_usertype)
++kernel_getattr_core_if(staff_usertype)
++kernel_getattr_message_if(staff_usertype)
++kernel_read_software_raid_state(staff_usertype)
++kernel_read_fs_sysctls(staff_usertype)
++
++domain_read_all_domains_state(staff_usertype)
++domain_getattr_all_domains(staff_usertype)
++domain_obj_id_change_exemption(staff_t)
++
++files_read_kernel_modules(staff_usertype)
++
++seutil_read_module_store(staff_t)
++seutil_run_newrole(staff_t, staff_r)
++
++term_use_unallocated_ttys(staff_usertype)
++
++auth_domtrans_pam_console(staff_t)
++
++init_dbus_chat(staff_t)
++init_dbus_chat_script(staff_t)
++
++miscfiles_read_hwdata(staff_usertype)
++
++ifndef(`enable_mls',`
++ selinux_read_policy(staff_t)
++')
++
++optional_policy(`
++ abrt_cache_read(staff_t)
++')
++
+ optional_policy(`
+ apache_role(staff_r, staff_t)
+ ')
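Review bot: `allow staff_t self:process setexec;` is justified by the comment `# needed for sandbox`, yet it is granted unconditionally at the top of the module while the sandbox_transition call it serves sits inside an optional_policy block later in the file; move the allow into that block so the setexec right disappears when the sandbox module is absent. The same hunk adds fs_exec_noxattr(staff_t), domain_obj_id_change_exemption(staff_t) and domain_read_all_domains_state(staff_usertype) with no comment; these widen what an ordinary staff login can execute, relabel and inspect, and each deserves a one-line reason like the sandbox one has. If fs_exec_noxattr behaves like its refpolicy namesake (executing from filesystems without xattr labels, e.g. removable media), it is a classic candidate for a tunable rather than an unconditional grant.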
+@@ -27,25 +63,137 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ accountsd_dbus_chat(staff_t)
++ accountsd_read_lib_files(staff_t)
++')
++
++optional_policy(`
++ colord_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ gnomeclock_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ firewallgui_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ gnome_role(staff_r, staff_t)
++ gnome_role_gkeyringd(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ lpd_list_spool(staff_t)
++')
++
++optional_policy(`
++ mock_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ kerneloops_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ logadm_role_change(staff_r)
++')
++
++optional_policy(`
++ mozilla_run_plugin(staff_t, staff_r)
++')
++
++optional_policy(`
++ modutils_read_module_config(staff_usertype)
++ modutils_read_module_deps(staff_usertype)
++')
++
++optional_policy(`
++ netutils_run_ping(staff_t, staff_r)
++ netutils_run_traceroute(staff_t, staff_r)
++ netutils_signal_ping(staff_t)
++ netutils_kill_ping(staff_t)
++')
++
++optional_policy(`
++ oident_manage_user_content(staff_t)
++ oident_relabel_user_content(staff_t)
++')
++
++optional_policy(`
++ mysql_exec(staff_t)
++')
++
++optional_policy(`
+ postgresql_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
++ qemu_run(staff_t, staff_r)
++')
++
++optional_policy(`
++ rtkit_scheduled(staff_t)
++')
++
++optional_policy(`
++ rpm_dbus_chat(staff_usertype)
++')
++
++optional_policy(`
+ secadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
+- ssh_role_template(staff, staff_r, staff_t)
++ sandbox_transition(staff_t, staff_r)
+ ')
+
+ optional_policy(`
+- sudo_role_template(staff, staff_r, staff_t)
++ screen_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+ sysadm_role_change(staff_r)
+ userdom_dontaudit_use_user_terminals(staff_t)
+ ')
++optional_policy(`
++ setroubleshoot_stream_connect(staff_t)
++ setroubleshoot_dbus_chat(staff_t)
++ setroubleshoot_dbus_chat_fixit(staff_t)
++')
++
++optional_policy(`
++ ssh_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ sudo_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ telepathy_dbus_session_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ userhelper_console_role_template(staff, staff_r, staff_usertype)
++')
++
++optional_policy(`
++ unconfined_role_change(staff_r)
++')
++
++optional_policy(`
++ virt_stream_connect(staff_t)
++')
++
++optional_policy(`
++ vnstatd_read_lib_files(staff_t)
++')
++
++optional_policy(`
++ webadm_role_change(staff_r)
++')
+
+ optional_policy(`
+ vlock_run(staff_t, staff_r)
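Review bot: unconfined_role_change(staff_r) lets a staff login switch to unconfined_r whenever the unconfineduser module is loaded, which on builds that ship that module is likely always; that turns the staff role from a confined user into a one-newrole-away unconfined one with no tunable and no comment. If this is intended, say so above the block, e.g. `# staff may newrole/sudo into the unconfined role`, or gate it on the unconfined_login tunable this patch introduces. In the same hunk, the setroubleshoot optional_policy follows the sysadm_role_change block with no blank line, breaking the one-block-per-paragraph layout used throughout the file.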
+@@ -89,10 +237,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- gnome_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ gpg_role(staff_r, staff_t)
+ ')
+
+@@ -137,10 +281,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- screen_role_template(staff, staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+ ')
+
+@@ -172,3 +312,7 @@ ifndef(`distro_redhat',`
+ wireshark_role(staff_r, staff_t)
+ ')
+ ')
++
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(staff_usertype)
++')
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 4a8d146..d721e34 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
+ #
+ # Local policy
+ #
++kernel_read_fs_sysctls(sysadm_t)
+
+ corecmd_exec_shell(sysadm_t)
+
++domain_dontaudit_read_all_domains_state(sysadm_t)
++
++files_read_kernel_modules(sysadm_t)
++
+ mls_process_read_up(sysadm_t)
++mls_file_read_to_clearance(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
+
+ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
+ ubac_fd_exempt(sysadm_t)
+
++application_exec(sysadm_t)
++
+ init_exec(sysadm_t)
++init_exec_script_files(sysadm_t)
++init_dbus_chat(sysadm_t)
++init_script_role_transition(sysadm_r)
++
++
++miscfiles_read_hwdata(sysadm_t)
+
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_user_tmp_dirs(sysadm_t)
++userdom_manage_user_tmp_files(sysadm_t)
++userdom_manage_user_tmp_symlinks(sysadm_t)
++userdom_manage_user_tmp_chr_files(sysadm_t)
++userdom_manage_user_tmp_blk_files(sysadm_t)
+
+ ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
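Review bot: mls_file_read_to_clearance(sysadm_t) and mls_process_write_to_clearance(sysadm_t) are MLS overrides that, by their names, let sysadm read files and write to processes up to its clearance rather than its current level, and they are added unconditionally next to the existing mls_process_read_up with no explanation; a one-line comment such as `# sysadm may read files and signal processes across levels up to its clearance` would record the decision. Style-wise, kernel_read_fs_sysctls(sysadm_t) is jammed directly under the `# Local policy` banner with no blank line, and there is a double blank line before miscfiles_read_hwdata(sysadm_t); the same blank-line noise recurs later in this file after rpm_dbus_chat, before vpn_run, and between the apache_role and auth_role blocks in the distro_redhat section.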
+@@ -55,6 +75,7 @@ ifndef(`enable_mls',`
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
+ logging_run_auditctl(sysadm_t, sysadm_r)
++ logging_stream_connect_syslog(sysadm_t)
+ ')
+
+ tunable_policy(`allow_ptrace',`
+@@ -69,7 +90,6 @@ optional_policy(`
+ apache_run_helper(sysadm_t, sysadm_r)
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+- apache_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -98,6 +118,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ certmonger_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r)
+ ')
+
+@@ -114,7 +138,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- cvs_exec(sysadm_t)
++ daemonstools_run_start(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
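Review bot: cvs_exec(sysadm_t) is removed and daemonstools_run_start(sysadm_t, sysadm_r) takes its place inside the same optional_policy block, but cvs_exec is not re-added anywhere in the visible hunks, so sysadm silently loses the ability to execute the cvs binary in its own domain. If that is intentional the description should list it with the other dropped interfaces; if not, the cvs block needs to be restored rather than overwritten.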
+@@ -124,6 +148,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_role_template(sysadm, sysadm_r, sysadm_t)
++')
++
++optional_policy(`
+ ddcprobe_run(sysadm_t, sysadm_r)
+ ')
+
+@@ -163,6 +191,13 @@ optional_policy(`
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
++ ipsec_run_setkey(sysadm_t, sysadm_r)
++ ipsec_run_racoon(sysadm_t, sysadm_r)
++ ipsec_stream_connect_racoon(sysadm_t)
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(sysadm_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -170,15 +205,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kudzu_run(sysadm_t, sysadm_r)
++ kerberos_exec_kadmind(sysadm_t)
+ ')
+
+ optional_policy(`
+- libs_run_ldconfig(sysadm_t, sysadm_r)
++ kudzu_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- lockdev_role(sysadm_r, sysadm_t)
++ libs_run_ldconfig(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -198,18 +233,12 @@ optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r)
+ modutils_run_insmod(sysadm_t, sysadm_r)
+ modutils_run_update_mods(sysadm_t, sysadm_r)
++ modutils_read_module_deps(sysadm_t)
+ ')
+
+ optional_policy(`
+ mount_run(sysadm_t, sysadm_r)
+-')
+-
+-optional_policy(`
+- mozilla_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+- mplayer_role(sysadm_r, sysadm_t)
++ mount_run_showmount(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -225,6 +254,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ncftool_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
+@@ -253,7 +286,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- pyzor_role(sysadm_r, sysadm_t)
++ prelink_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -265,20 +298,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- razor_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ rpc_domtrans_nfsd(sysadm_t)
+ ')
+
+ optional_policy(`
+ rpm_run(sysadm_t, sysadm_r)
++ rpm_dbus_chat(sysadm_t, sysadm_r)
+ ')
+
+-optional_policy(`
+- rssh_role(sysadm_r, sysadm_t)
+-')
+
+ optional_policy(`
+ rsync_exec(sysadm_t)
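Review bot: rpm_dbus_chat(sysadm_t, sysadm_r) is called with two arguments; if the interface takes only a domain, as the other *_dbus_chat calls in this patch do (init_dbus_chat(sysadm_t), certmonger_dbus_chat(sysadm_t)), m4 drops the extra role argument silently and the call works by accident. Either confirm the interface signature or change the call to `rpm_dbus_chat(sysadm_t)`. Removing the rssh_role block also leaves two consecutive blank lines between the rpm and rsync blocks.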
+@@ -307,7 +334,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- spamassassin_role(sysadm_r, sysadm_t)
++ shutdown_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -332,10 +359,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- thunderbird_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ tripwire_run_siggen(sysadm_t, sysadm_r)
+ tripwire_run_tripwire(sysadm_t, sysadm_r)
+ tripwire_run_twadmin(sysadm_t, sysadm_r)
+@@ -343,19 +366,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- tvtime_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ tzdata_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
+- uml_role(sysadm_r, sysadm_t)
++ unconfined_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
+- unconfined_domtrans(sysadm_t)
++ udev_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -367,17 +386,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r)
+ usermanage_run_groupadd(sysadm_t, sysadm_r)
+ usermanage_run_useradd(sysadm_t, sysadm_r)
+ ')
+
++
+ optional_policy(`
+- vmware_role(sysadm_r, sysadm_t)
++ vpn_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -389,7 +405,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- wireshark_role(sysadm_r, sysadm_t)
++ virt_stream_connect(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -404,8 +420,15 @@ optional_policy(`
+ yam_run(sysadm_t, sysadm_r)
+ ')
+
++optional_policy(`
++ zebra_stream_connect(sysadm_t)
++')
++
+ ifndef(`distro_redhat',`
+ optional_policy(`
++ apache_role(sysadm_r, sysadm_t)
++ ')
++ optional_policy(`
+ auth_role(sysadm_r, sysadm_t)
+ ')
+
+@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
+ optional_policy(`
+ java_role(sysadm_r, sysadm_t)
+ ')
+-')
+
++ optional_policy(`
++ lockdev_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ mozilla_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ mplayer_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ pyzor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ razor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ rssh_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ spamassassin_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ thunderbird_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ tvtime_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ uml_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ vmware_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ wireshark_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ xserver_role(sysadm_r, sysadm_t)
++ ')
++')
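Review bot: Every block moved into this ifndef(`distro_redhat') section has a matching removal earlier in the file except xserver_role(sysadm_r, sysadm_t), which is a new grant for non-Red Hat builds and is mentioned nowhere; the description should call it out. The net effect on distro_redhat builds is that sysadm loses apache, lockdev, mozilla, mplayer, pyzor, razor, rssh, spamassassin, thunderbird, tvtime, uml, userhelper, vmware and wireshark role access in one commit, which is too large a functional change to bury inside a reorganisation.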
+diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
+new file mode 100644
+index 0000000..0e8654b
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.fc
+@@ -0,0 +1,8 @@
++# Add programs here which should not be confined by SELinux
++# e.g.:
++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++
++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
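Review bot: /usr/sbin/xrdp and /usr/sbin/xrdp-sesman are remote-desktop daemons that accept network connections, and /usr/bin/vncserver likewise listens for remote clients, yet all three are labeled unconfined_exec_t so that they, and everything they spawn, run with no SELinux confinement. The existing comment admits this is a stop-gap; make the risk explicit and trackable, e.g. `# TODO: xrdp/vncserver accept remote connections and run unconfined until a dedicated policy exists`, and reference the tracking bug if the distribution has one so the label is not forgotten.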
+diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
+new file mode 100644
+index 0000000..8b2cdf3
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.if
+@@ -0,0 +1,687 @@
++## Unconfiend user role
++
++########################################
++##
++## Change from the unconfineduser role.
++##
++##
++##
++## Change from the unconfineduser role to
++## the specified role.
++##
++##
++## This is an interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change_to',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow unconfined_r $1;
++')
++
++########################################
++##
++## Transition to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_domtrans',`
++ gen_require(`
++ type unconfined_t, unconfined_exec_t;
++ ')
++
++ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
++')
++
++########################################
++##
++## Execute specified programs in the unconfined domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to allow the unconfined domain.
++##
++##
++#
++interface(`unconfined_run',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ unconfined_domtrans($1)
++ role $2 types unconfined_t;
++')
++
++########################################
++##
++## Transition to the unconfined domain by executing a shell.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_shell_domtrans',`
++ gen_require(`
++ attribute unconfined_login_domain;
++ ')
++ typeattribute $1 unconfined_login_domain;
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_domtrans_to',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_run_to',`
++ gen_require(`
++ type unconfined_t;
++ role unconfined_r;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++ role unconfined_r types $1;
++ userdom_use_user_terminals($1)
++')
++
++########################################
++##
++## Inherit file descriptors from the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_use_fds',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fd use;
++')
++
++########################################
++##
++## Send a SIGCHLD signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_sigchld',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process sigchld;
++')
++
++########################################
++##
++## Send a SIGNULL signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signull',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signull;
++')
++
++########################################
++##
++## Send a SIGNULL signal to the unconfined execmem domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_signull',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:process signull;
++')
++
++########################################
++##
++## Send a signal to the unconfined execmem domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_signal',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:process signal;
++')
++
++########################################
++##
++## Send generic signals to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signal',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signal;
++')
++
++########################################
++##
++## Read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dontaudit_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file read;
++')
++
++########################################
++##
++## Read and write unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain unnamed pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain stream.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_stream',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Connect to the unconfined domain using
++## a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_stream_connect',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++## This interface was added due to a broken
++## symptom in ldconfig.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_tcp_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:tcp_socket { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++## This interface was added due to a broken
++## symptom.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_packet_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:packet_socket { read write };
++')
++
++########################################
++##
++## Create keys for the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_create_keys',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:key create;
++')
++
++########################################
++##
++## Send messages to the unconfined domain over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_send',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
++## unconfined_t over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_chat',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++ allow unconfined_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Connect to the the unconfined DBUS
++## for service (acquire_svc).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_connect',`
++ gen_require(`
++ type unconfined_t;
++ class dbus acquire_svc;
++ ')
++
++ allow $1 unconfined_t:dbus acquire_svc;
++')
++
++########################################
++##
++## Allow ptrace of unconfined domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_ptrace',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process ptrace;
++')
++
++########################################
++##
++## Read and write to unconfined shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`unconfined_rw_shm',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:shm rw_shm_perms;
++')
++
++########################################
++##
++## Read and write to unconfined execmem shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`unconfined_execmem_rw_shm',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:shm rw_shm_perms;
++')
++
++########################################
++##
++## Transition to the unconfined_execmem domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_domtrans',`
++
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ execmem_domtrans($1, unconfined_execmem_t)
++')
++
++########################################
++##
++## execute the execmem applications
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_exec',`
++
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ can_exec($1, execmem_exec_t)
++')
++
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_set_rlimitnh',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process rlimitinh;
++')
++
++########################################
++##
++## Get the process group of unconfined.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_getpgid',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process getpgid;
++')
++
++########################################
++##
++## Change to the unconfined role.
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow $1 unconfined_r;
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by unconfined_t users.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_attach_tun_iface',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
++')
++
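Review bot: unconfined_ptrace grants `$1 unconfined_t:process ptrace`, i.e. the caller may attach to and inspect or modify any process of an unconfined user, which is the most powerful rule in this file, yet its summary is the one-liner `Allow ptrace of unconfined domain` with no caution; add a description noting that callers should be limited to debugging tools and, where the global allow_ptrace tunable applies, gate the call on it. Smaller issues in the same file: the header reads `Unconfiend user role` (typo); unconfined_set_rlimitnh is misspelled relative to the rlimitinh permission it grants, and its summary (`set rlimits on userdomain`) does not describe a rule whose object is unconfined_t; unconfined_dontaudit_rw_pipes uses rw_file_perms on a fifo_file while unconfined_rw_pipes uses rw_fifo_file_perms; and unconfined_execmem_domtrans and unconfined_execmem_exec open with a stray blank line before gen_require.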
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+new file mode 100644
+index 0000000..77c513d
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.te
+@@ -0,0 +1,499 @@
++policy_module(unconfineduser, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++attribute unconfined_login_domain;
++
++##
++##
++## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
++##
++##
++gen_tunable(allow_unconfined_nsplugin_transition, false)
++
++##
++##
++## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
++##
++##
++gen_tunable(unconfined_mozilla_plugin_transition, false)
++
++##
++##
++## Allow vidio playing tools to tun unconfined
++##
++##
++gen_tunable(unconfined_mplayer, false)
++
++##
++##
++## Allow a user to login as an unconfined domain
++##
++##
++gen_tunable(unconfined_login, true)
++
++##
++##
++## Transition to confined qemu domains from unconfined user
++##
++##
++gen_tunable(allow_unconfined_qemu_transition, false)
++
++# usage in this module of types created by these
++# calls is not correct, however we dont currently
++# have another method to add access to these types
++userdom_base_user_template(unconfined)
++userdom_manage_home_role(unconfined_r, unconfined_t)
++userdom_manage_tmp_role(unconfined_r, unconfined_t)
++userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
++userdom_unpriv_usertype(unconfined, unconfined_t)
++
++type unconfined_exec_t;
++init_system_domain(unconfined_t, unconfined_exec_t)
++role unconfined_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++
++domain_user_exemption_target(unconfined_t)
++allow system_r unconfined_r;
++allow unconfined_r system_r;
++init_script_role_transition(unconfined_r)
++role system_r types unconfined_t;
++typealias unconfined_t alias unconfined_crontab_t;
++
++type unconfined_notrans_t;
++type unconfined_notrans_exec_t;
++init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
++role unconfined_r types unconfined_notrans_t;
++
++########################################
++#
++# Local policy
++#
++
++dontaudit unconfined_t self:dir write;
++dontaudit unconfined_t self:file setattr;
++
++allow unconfined_t self:system syslog_read;
++dontaudit unconfined_t self:capability sys_module;
++
++kernel_rw_unlabeled_socket(unconfined_t)
++kernel_rw_unlabeled_rawip_socket(unconfined_t)
++
++files_create_boot_flag(unconfined_t)
++files_create_default_dir(unconfined_t)
++files_root_filetrans_default(unconfined_t, dir)
++
++mcs_killall(unconfined_t)
++mcs_ptrace_all(unconfined_t)
++mls_file_write_all_levels(unconfined_t)
++
++init_run_daemon(unconfined_t, unconfined_r)
++init_domtrans_script(unconfined_t)
++init_telinit(unconfined_t)
++
++libs_run_ldconfig(unconfined_t, unconfined_r)
++
++logging_send_syslog_msg(unconfined_t)
++logging_run_auditctl(unconfined_t, unconfined_r)
++
++optional_policy(`
++ mount_run_unconfined(unconfined_t, unconfined_r)
++ # Unconfined running as system_r
++ mount_domtrans_unconfined(unconfined_t)
++')
++
++seutil_run_setsebool(unconfined_t, unconfined_r)
++seutil_run_setfiles(unconfined_t, unconfined_r)
++seutil_run_semanage(unconfined_t, unconfined_r)
++
++unconfined_domain_noaudit(unconfined_t)
++
++userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
++
++usermanage_run_passwd(unconfined_t, unconfined_r)
++usermanage_run_chfn(unconfined_t, unconfined_r)
++
++tunable_policy(`allow_execmem',`
++ allow unconfined_t self:process execmem;
++')
++
++tunable_policy(`allow_execmem && allow_execstack',`
++ allow unconfined_t self:process execstack;
++')
++
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(unconfined_usertype)
++')
++
++tunable_policy(`unconfined_login',`
++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
++ allow unconfined_t unconfined_login_domain:fd use;
++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
++ allow unconfined_t unconfined_login_domain:process sigchld;
++')
++
++optional_policy(`
++ gen_require(`
++ attribute unconfined_usertype;
++ ')
++
++ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
++ optional_policy(`
++ tunable_policy(`allow_unconfined_nsplugin_transition',`
++ nsplugin_domtrans(unconfined_usertype)
++ nsplugin_domtrans_config(unconfined_usertype)
++ ')
++ ')
++
++ optional_policy(`
++ abrt_dbus_chat(unconfined_usertype)
++ abrt_run_helper(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
++ avahi_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ certmonger_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat(unconfined_usertype)
++ devicekit_dbus_chat_disk(unconfined_usertype)
++ devicekit_dbus_chat_power(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ policykit_role(unconfined_r, unconfined_usertype)
++ ')
++
++ optional_policy(`
++ rtkit_scheduled(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ setroubleshoot_dbus_chat(unconfined_usertype)
++ setroubleshoot_dbus_chat_fixit(unconfined_t)
++ ')
++
++ optional_policy(`
++ sandbox_transition(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
++ shutdown_run(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ tzdata_run(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ xserver_rw_session(unconfined_usertype, user_tmpfs_t)
++ xserver_run_xauth(unconfined_usertype, unconfined_r)
++ xserver_dbus_chat_xdm(unconfined_usertype)
++ ')
++')
++
++ifdef(`distro_gentoo',`
++ seutil_run_runinit(unconfined_t, unconfined_r)
++ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ accountsd_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ ada_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ alsa_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ apache_run_helper(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ bind_run_ndc(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ bootloader_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ cron_unconfined_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
++ chrome_role(unconfined_r, unconfined_usertype)
++')
++
++optional_policy(`
++ dbus_role_template(unconfined, unconfined_r, unconfined_t)
++
++ optional_policy(`
++ unconfined_domain(unconfined_dbusd_t)
++ unconfined_execmem_domtrans(unconfined_dbusd_t)
++
++ optional_policy(`
++ xserver_rw_shm(unconfined_dbusd_t)
++ ')
++ ')
++
++ init_dbus_chat(unconfined_usertype)
++ init_dbus_chat_script(unconfined_usertype)
++
++ dbus_stub(unconfined_t)
++
++ optional_policy(`
++ bluetooth_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ cups_dbus_chat_config(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ fprintd_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat(unconfined_usertype)
++ gnome_dbus_chat_gconfdefault(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ kerneloops_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ oddjob_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ vpn_dbus_chat(unconfined_usertype)
++ ')
++')
++
++optional_policy(`
++ firewallgui_dbus_chat(unconfined_usertype)
++')
++
++optional_policy(`
++ firstboot_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ ftp_run_ftpdctl(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ gpsd_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ java_run_unconfined(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ livecd_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ lpd_run_checkpc(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ mock_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
++ modutils_run_update_mods(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ mono_role_template(unconfined, unconfined_r, unconfined_t)
++ unconfined_domain_noaudit(unconfined_mono_t)
++ role system_r types unconfined_mono_t;
++')
++
++
++optional_policy(`
++ mozilla_role_plugin(unconfined_r)
++
++ tunable_policy(`unconfined_mozilla_plugin_transition', `
++ mozilla_domtrans_plugin(unconfined_usertype)
++ ')
++')
++
++optional_policy(`
++ ncftool_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ prelink_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ portmap_run_helper(unconfined_t, unconfined_r)
++')
++
++#optional_policy(`
++# ppp_run(unconfined_t, unconfined_r)
++#')
++
++optional_policy(`
++ qemu_unconfined_role(unconfined_r)
++
++ tunable_policy(`allow_unconfined_qemu_transition',`
++ qemu_domtrans(unconfined_t)
++ ',`
++ qemu_domtrans_unconfined(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ rpm_run(unconfined_t, unconfined_r)
++ # Allow SELinux aware applications to request rpm_script execution
++ rpm_transition_script(unconfined_t)
++ rpm_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ optional_policy(`
++ samba_run_unconfined_net(unconfined_t, unconfined_r)
++ ')
++
++ samba_role_notrans(unconfined_r)
++# samba_run_winbind_helper(unconfined_t, unconfined_r)
++ samba_run_smbcontrol(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ sendmail_run_unconfined(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ sysnet_run_dhcpc(unconfined_t, unconfined_r)
++ sysnet_dbus_chat_dhcpc(unconfined_t)
++ sysnet_role_transition_dhcpc(unconfined_r)
++')
++
++optional_policy(`
++ telepathy_dbus_session_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
++ vbetool_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ virt_transition_svirt(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ vpn_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ webalizer_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ wine_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ xserver_run(unconfined_t, unconfined_r)
++')
++
++########################################
++#
++# Unconfined Execmem Local policy
++#
++
++optional_policy(`
++ execmem_role_template(unconfined, unconfined_r, unconfined_t)
++ typealias unconfined_execmem_t alias execmem_t;
++ typealias unconfined_execmem_t alias unconfined_openoffice_t;
++ unconfined_domain_noaudit(unconfined_execmem_t)
++ allow unconfined_execmem_t unconfined_t:process transition;
++ rpm_transition_script(unconfined_execmem_t)
++ role system_r types unconfined_execmem_t;
++
++ optional_policy(`
++ init_dbus_chat_script(unconfined_execmem_t)
++ dbus_system_bus_client(unconfined_execmem_t)
++ unconfined_dbus_chat(unconfined_execmem_t)
++ unconfined_dbus_connect(unconfined_execmem_t)
++ ')
++
++ optional_policy(`
++ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
++ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ ')
++ ')
++
++ optional_policy(`
++ tunable_policy(`unconfined_login',`
++ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ ')
++ ')
++
++ optional_policy(`
++ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
++ ')
++')
++
++########################################
++#
++# Unconfined notrans Local policy
++#
++
++allow unconfined_notrans_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_notrans_t)
++userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
++# Allow SELinux aware applications to request rpm_script execution
++rpm_transition_script(unconfined_notrans_t)
++domain_ptrace_all_domains(unconfined_notrans_t)
++
++########################################
++#
++# Unconfined mount local policy
++#
++
++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++
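Review bot: The `unconfined_mplayer` tunable declared in the Declarations section is never referenced in this file; the mplayer transition in the execmem section (`mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)`) is gated on `unconfined_login` instead, so toggling `unconfined_mplayer` has no effect and that block should be `tunable_policy(`unconfined_mplayer',`. In the notrans section `allow unconfined_notrans_t self:process { execstack execmem };` is unconditional while unconfined_t gets the same permissions only under `allow_execmem` / `allow_execstack`; if the asymmetry is intended it needs a comment. `allow system_r unconfined_r;` appears twice in the declarations, and the `# Unconfined mount local policy` header sits above the `gen_user(unconfined_u, ...)` line it does not describe — rename it to something like `# Unconfined user declaration`. The tunable description `Allow vidio playing tools to tun unconfined` has two typos (video, run).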
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index e5bfdd4..df42caf 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -12,15 +12,68 @@ role user_r;
+
+ userdom_unpriv_user_template(user)
+
++fs_exec_noxattr(user_t)
++
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(user_usertype)
++')
++
++optional_policy(`
++ abrt_cache_read(user_t)
++')
++
+ optional_policy(`
+ apache_role(user_r, user_t)
+ ')
+
+ optional_policy(`
++ colord_dbus_chat(user_t)
++')
++
++optional_policy(`
++ gnome_role(user_r, user_t)
++ #gnome_role_gkeyringd(user, user_r, user_t)
++')
++
++optional_policy(`
++ oident_manage_user_content(user_t)
++ oident_relabel_user_content(user_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(user_t, user_r)
++')
++
++optional_policy(`
++ netutils_run_ping_cond(user_t, user_r)
++ netutils_run_traceroute_cond(user_t, user_r)
++')
++
++optional_policy(`
++ rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(user_t)
++')
++
++optional_policy(`
++ sandbox_transition(user_t, user_r)
++')
++
++optional_policy(`
+ screen_role_template(user, user_r, user_t)
+ ')
+
+ optional_policy(`
++ setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
++optional_policy(`
++ telepathy_dbus_session_role(user_r, user_t)
++')
++
++optional_policy(`
+ vlock_run(user_t, user_r)
+ ')
+
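Review bot: `fs_exec_noxattr(user_t)` is added unconditionally, which lets an unprivileged user execute binaries from filesystems that carry no labels (removable media, for example), whereas the `allow_execmod` grant right below it and the xguest policy in this same commit put comparable permissions behind a tunable or an `ifndef(`enable_mls')` guard. Consider the same treatment, or add a one-line comment stating why every unprivileged user needs it on every build. The commented-out `#gnome_role_gkeyringd(user, user_r, user_t)` line should either be enabled or dropped rather than left as dead code.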
+@@ -62,10 +115,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- gnome_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ gpg_role(user_r, user_t)
+ ')
+
+@@ -118,7 +167,7 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- spamassassin_role(user_r, user_t)
++ spamassassin_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+@@ -157,3 +206,4 @@ ifndef(`distro_redhat',`
+ wireshark_role(user_r, user_t)
+ ')
+ ')
++
+diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
+index 0ecc786..dbf2710 100644
+--- a/policy/modules/roles/webadm.te
++++ b/policy/modules/roles/webadm.te
+@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
+
+ logging_send_syslog_msg(webadm_t)
++logging_send_audit_msgs(webadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(webadm_t)
+
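Review bot: `logging_send_audit_msgs(webadm_t)` hands the audit-write capability and the audit netlink socket to a role meant only for web administration, and nothing in the hunk says which webadm tool emits audit records. A one-line comment above it naming that tool (presumably a PAM-using helper — confirm) would let the next reviewer judge whether the grant is still needed.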
+diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
+index e88b95f..95e5a6e 100644
+--- a/policy/modules/roles/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
+
+ ##
+ ##
+-## Allow xguest to configure Network Manager
++## Allow xguest users to configure Network Manager and connect to apache ports
+ ##
+ ##
+ gen_tunable(xguest_connect_network, true)
+
+ ##
+ ##
+-## Allow xguest to use blue tooth devices
++## Allow xguest users to use blue tooth devices
+ ##
+ ##
+ gen_tunable(xguest_use_bluetooth, true)
+@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true)
+ role xguest_r;
+
+ userdom_restricted_xwindows_user_template(xguest)
++sysnet_dns_name_resolve(xguest_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+-
+ ifndef(`enable_mls',`
+ fs_exec_noxattr(xguest_t)
+
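Review bot: `sysnet_dns_name_resolve(xguest_t)` is added unconditionally, so a guest session can send DNS queries to any resolver even when `xguest_connect_network` is off; DNS is a well-known covert and exfiltration channel, and every other network grant for the guest in this file is behind that tunable. Move the call into the `tunable_policy(`xguest_connect_network',` block further down and apply it to `xguest_usertype` like the corenet rules there. It also lands in the declarations section rather than under `# Local policy`, and the blank line removed before `ifndef(`enable_mls',` should stay.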
+@@ -49,11 +49,23 @@ ifndef(`enable_mls',`
+ ')
+ ')
+
++optional_policy(`
++ # Dontaudit fusermount
++ mount_dontaudit_exec_fusermount(xguest_t)
++')
++
++allow xguest_t self:process execmem;
++kernel_dontaudit_request_load_module(xguest_t)
++
++tunable_policy(`allow_execstack',`
++ allow xguest_t self:process execstack;
++')
++
+ # Allow mounting of file systems
+ optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+-
++ kernel_request_load_module(xguest_t)
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
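Review bot: `allow xguest_t self:process execmem;` is unconditional while the `execstack` grant directly below it is gated on `allow_execstack`; execmem is what lets a JIT or a shellcode stage map writable-and-executable memory, and the unconfined user policy in this same commit gates it on `allow_execmem`, so `tunable_policy(`allow_execmem',` is the consistent form here too. `kernel_request_load_module(xguest_t)` inside `xguest_mount_media` lets the least-trusted user on the box trigger kernel module autoloading (filesystem and protocol modules), which widens the kernel attack surface; if it is needed only for mounting media, say so in a comment and note that the `kernel_dontaudit_request_load_module` above covers the tunable-off case.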
+@@ -62,10 +74,9 @@ optional_policy(`
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
++ fs_mount_fusefs(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+-
+- init_read_utmp(xguest_t)
+ ')
+ ')
+
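Review bot: `fs_mount_fusefs(xguest_t)` lets a guest mount a filesystem whose contents it fully controls, and this file already grants `fs_exec_noxattr(xguest_t)` under `ifndef(`enable_mls')` (outside this hunk), so code placed on such a mount may become executable for the guest; state in a comment whether that is acceptable for the guest role. The previous hunk dontaudits executing fusermount for xguest_t, so it is unclear which path is meant to perform FUSE mounts — presumably the mount syscall directly, confirm. `init_read_utmp(xguest_t)` is dropped without a note; if a replacement grant exists elsewhere, mention it in the commit message.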
+@@ -76,23 +87,99 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ chrome_role(xguest_r, xguest_usertype)
++')
++
++optional_policy(`
+ hal_dbus_chat(xguest_t)
+ ')
+
+ optional_policy(`
+- java_role(xguest_r, xguest_t)
++ apache_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++ gnome_role(xguest_r, xguest_t)
++ #gnome_role_gkeyringd(xguest, xguest_r, xguest_t)
++')
++
++optional_policy(`
++ gnomeclock_dontaudit_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++ java_role_template(xguest, xguest_r, xguest_t)
++')
++
++optional_policy(`
++ mono_role_template(xguest, xguest_r, xguest_t)
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
++ mozilla_run_plugin(xguest_t, xguest_r)
++')
++
++optional_policy(`
++ nsplugin_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++ pcscd_read_pub_files(xguest_usertype)
++ pcscd_stream_connect(xguest_usertype)
+ ')
+
+ optional_policy(`
+ tunable_policy(`xguest_connect_network',`
++ kernel_read_network_state(xguest_usertype)
++
+ networkmanager_dbus_chat(xguest_t)
+- corenet_tcp_connect_pulseaudio_port(xguest_t)
+- corenet_tcp_connect_ipp_port(xguest_t)
++ networkmanager_read_lib_files(xguest_t)
++ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
++ corenet_all_recvfrom_unlabeled(xguest_usertype)
++ corenet_all_recvfrom_netlabel(xguest_usertype)
++ corenet_tcp_sendrecv_generic_if(xguest_usertype)
++ corenet_raw_sendrecv_generic_if(xguest_usertype)
++ corenet_tcp_sendrecv_generic_node(xguest_usertype)
++ corenet_raw_sendrecv_generic_node(xguest_usertype)
++ corenet_tcp_sendrecv_http_port(xguest_usertype)
++ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
++ corenet_tcp_sendrecv_squid_port(xguest_usertype)
++ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
++ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
++ corenet_tcp_connect_http_port(xguest_usertype)
++ corenet_tcp_connect_http_cache_port(xguest_usertype)
++ corenet_tcp_connect_squid_port(xguest_usertype)
++ corenet_tcp_connect_flash_port(xguest_usertype)
++ corenet_tcp_connect_ftp_port(xguest_usertype)
++ corenet_tcp_connect_ipp_port(xguest_usertype)
++ corenet_tcp_connect_generic_port(xguest_usertype)
++ corenet_tcp_connect_soundd_port(xguest_usertype)
++ corenet_sendrecv_http_client_packets(xguest_usertype)
++ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
++ corenet_sendrecv_squid_client_packets(xguest_usertype)
++ corenet_sendrecv_ftp_client_packets(xguest_usertype)
++ corenet_sendrecv_ipp_client_packets(xguest_usertype)
++ corenet_sendrecv_generic_client_packets(xguest_usertype)
++ # Should not need other ports
++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
++ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
++ corenet_tcp_connect_speech_port(xguest_usertype)
++ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
++ corenet_tcp_connect_transproxy_port(xguest_usertype)
+ ')
++
++ optional_policy(`
++ telepathy_dbus_session_role(xguest_r, xguest_t)
++ ')
++')
++
++optional_policy(`
++ gen_require(`
++ type mozilla_t;
++ ')
++
++ allow xguest_t mozilla_t:process transition;
++ role xguest_r types mozilla_t;
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
++gen_user(xguest_u, user, xguest_r, s0, s0)
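Review bot: `corenet_tcp_connect_generic_port(xguest_usertype)` allows name_connect to every unreserved TCP port, which contradicts both the `# Should not need other ports` comment a few lines below it and the tunable's new description (`connect to apache ports`); either drop the generic-port grant or reword the description so administrators know the tunable opens far more than HTTP. The block at the end that does `gen_require(` type mozilla_t; `)` followed by `allow xguest_t mozilla_t:process transition;` reaches into another module's private type and grants only half of a domain transition (no entrypoint, execute, fd or sigchld rules); `mozilla_role`, which this hunk removes, or another interface exported by the mozilla module is the supported way, and if the raw rule is a deliberate stopgap it needs a comment saying why.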
+diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
+index 1bd5812..3b3ba64 100644
+--- a/policy/modules/services/abrt.fc
++++ b/policy/modules/services/abrt.fc
+@@ -15,6 +15,7 @@
+
+ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+ /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
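Review bot: `/var/run/abrtd?\.socket` is given the `--` (regular file) type specifier, so a UNIX socket at that path will not match and a relabel will leave it unlabeled; sockets need `-s`, i.e. `/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)`. The `files_pid_filetrans(... sock_file)` added in abrt.te labels it correctly on creation, so the defect only shows on `restorecon`.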
+diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
+index 0b827c5..9a82e8d 100644
+--- a/policy/modules/services/abrt.if
++++ b/policy/modules/services/abrt.if
+@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
+ type abrt_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern($1, abrt_t)
+ ')
+
+@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',`
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit abrt_helper_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
+@@ -160,8 +165,44 @@ interface(`abrt_run_helper',`
+
+ ########################################
+ ##
+-## Send and receive messages from
+-## abrt over dbus.
++## Read abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_cache_read',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++##
++## Append abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_cache_append',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++ append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++##
++## Manage abrt cache
+ ##
+ ##
+ ##
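Review bot: `abrt_cache_read` and `abrt_cache_append` grant access to `abrt_var_cache_t` but no search on the parent directories, so a caller using only these interfaces still cannot reach `/var/spool/abrt` (labeled `abrt_var_cache_t` in abrt.fc); the admin interface pairs the same type with `files_list_var($1)`, and `files_search_var($1)` belongs in both new interfaces. The names also break the module's verb-first convention (`abrt_read_state`, `abrt_manage_pid_files`); `abrt_read_cache_files` / `abrt_append_cache_files` would match. The `## Manage abrt cache` interface this hunk ends in continues outside it.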
+@@ -253,6 +294,24 @@ interface(`abrt_manage_pid_files',`
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+ ')
+
++########################################
++##
++## Read and write abrt fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_rw_fifo_file',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
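Review bot: `abrt_rw_fifo_file` grants `rw_inherited_fifo_file_perms`, which excludes `open`, so the interface only covers pipes the caller inherited from abrt_t, yet its summary says `Read and write abrt fifo files`. Reword it to `Read and write inherited abrt fifo files` and consider naming the interface `abrt_rw_inherited_fifo_files` so the restriction is visible at the call site.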
+ #####################################
+ ##
+ ## All of the rules required to administrate
+@@ -286,18 +345,18 @@ interface(`abrt_admin',`
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+- files_search_var($1)
++ files_list_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+ ')
+diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
+index 30861ec..d3996c8 100644
+--- a/policy/modules/services/abrt.te
++++ b/policy/modules/services/abrt.te
+@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
+ # Declarations
+ #
+
++##
++##
++## Allow ABRT to modify public files
++## used for public file transfer services.
++##
++##
++gen_tunable(abrt_anon_write, false)
++
+ type abrt_t;
+ type abrt_exec_t;
+ init_daemon_domain(abrt_t, abrt_exec_t)
+@@ -50,7 +58,7 @@ ifdef(`enable_mcs',`
+
+ allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+ dontaudit abrt_t self:capability sys_rawio;
+-allow abrt_t self:process { signal signull setsched getsched };
++allow abrt_t self:process { sigkill signal signull setsched getsched };
+
+ allow abrt_t self:fifo_file rw_fifo_file_perms;
+ allow abrt_t self:tcp_socket create_stream_socket_perms;
+@@ -59,6 +67,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+ allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # abrt etc files
++list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+ rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+ # log file
+@@ -69,6 +78,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
++can_exec(abrt_t, abrt_tmp_t)
+
+ # abrt var/cache files
+ manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
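Review bot: `can_exec(abrt_t, abrt_tmp_t)` lets abrt execute files it itself creates and writes in /tmp (the `manage_files_pattern` and `files_tmp_filetrans` lines directly above), which is the write-then-execute pattern that SELinux types normally keep apart; if abrt needs to run generated scripts, a dedicated exec type for them would preserve that separation, and at minimum a comment should name which abrt component does this. The abrt_t local policy continues outside the hunk.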
+@@ -82,7 +92,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
++files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
+
+ kernel_read_ring_buffer(abrt_t)
+ kernel_read_system_state(abrt_t)
+@@ -113,7 +123,8 @@ domain_read_all_domains_state(abrt_t)
+ domain_signull_all_domains(abrt_t)
+
+ files_getattr_all_files(abrt_t)
+-files_read_etc_files(abrt_t)
++files_read_config_files(abrt_t)
++files_read_etc_runtime_files(abrt_t)
+ files_read_var_symlinks(abrt_t)
+ files_read_var_lib_files(abrt_t)
+ files_read_usr_files(abrt_t)
+@@ -121,6 +132,8 @@ files_read_generic_tmp_files(abrt_t)
+ files_read_kernel_modules(abrt_t)
+ files_dontaudit_list_default(abrt_t)
+ files_dontaudit_read_default_files(abrt_t)
++files_dontaudit_read_all_symlinks(abrt_t)
++files_dontaudit_getattr_all_sockets(abrt_t)
+
+ fs_list_inotifyfs(abrt_t)
+ fs_getattr_all_fs(abrt_t)
+@@ -131,7 +144,7 @@ fs_read_nfs_files(abrt_t)
+ fs_read_nfs_symlinks(abrt_t)
+ fs_search_all(abrt_t)
+
+-sysnet_read_config(abrt_t)
++sysnet_dns_name_resolve(abrt_t)
+
+ logging_read_generic_logs(abrt_t)
+ logging_send_syslog_msg(abrt_t)
+@@ -140,6 +153,15 @@ miscfiles_read_generic_certs(abrt_t)
+ miscfiles_read_localization(abrt_t)
+
+ userdom_dontaudit_read_user_home_content_files(abrt_t)
++userdom_dontaudit_read_admin_home_files(abrt_t)
++
++tunable_policy(`abrt_anon_write',`
++ miscfiles_manage_public_files(abrt_t)
++')
++
++optional_policy(`
++ apache_read_modules(abrt_t)
++')
+
+ optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+@@ -150,6 +172,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ nsplugin_read_rw_files(abrt_t)
++ nsplugin_read_home(abrt_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+@@ -167,6 +194,7 @@ optional_policy(`
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
++ rpm_manage_log(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
+@@ -178,12 +206,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sosreport_domtrans(abrt_t)
++ sosreport_read_tmp_files(abrt_t)
++ sosreport_delete_tmp_files(abrt_t)
++')
++
++optional_policy(`
+ sssd_stream_connect(abrt_t)
+ ')
+
+ ########################################
+ #
+-# abrt--helper local policy
++# abrt-helper local policy
+ #
+
+ allow abrt_helper_t self:capability { chown setgid sys_nice };
+@@ -203,6 +237,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+ domain_read_all_domains_state(abrt_helper_t)
+
+ files_read_etc_files(abrt_helper_t)
++files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
+ fs_list_inotifyfs(abrt_helper_t)
+ fs_getattr_all_fs(abrt_helper_t)
+@@ -216,7 +251,8 @@ miscfiles_read_localization(abrt_helper_t)
+ term_dontaudit_use_all_ttys(abrt_helper_t)
+ term_dontaudit_use_all_ptys(abrt_helper_t)
+
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
++ domain_dontaudit_leaks(abrt_helper_t)
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+@@ -224,4 +260,18 @@ ifdef(`hide_broken_symptoms', `
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
++
++ optional_policy(`
++ rpm_dontaudit_leaks(abrt_helper_t)
++ ')
++')
++
++ifdef(`hide_broken_symptoms',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow abrt_t self:capability sys_resource;
++ allow abrt_t domain:file write;
++ allow abrt_t domain:process setrlimit;
+ ')
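Review bot: The second `ifdef(`hide_broken_symptoms',` block adds allow rules, not dontaudits: `allow abrt_t domain:file write;` lets abrt write to the /proc/<pid> files of every domain on the system and `allow abrt_t domain:process setrlimit;` plus `sys_resource` lets it change any process's limits, so the effective policy now differs between builds with the option on and off. Either make these unconditional with a comment explaining what abrt writes (presumably per-process /proc tuning for crashed processes — confirm), or narrow them to the specific proc file type instead of the whole `domain` attribute; the `attribute domain` require is only needed because of that broad target.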
+diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
+index c0f858d..d639ae0 100644
+--- a/policy/modules/services/accountsd.if
++++ b/policy/modules/services/accountsd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run accountsd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`accountsd_domtrans',`
+@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
+ type accountsd_t;
+ ')
+
+- allow $1 accountsd_t:process { ptrace signal_perms getattr };
++ allow $1 accountsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, accountsd_t)
+
+ accountsd_manage_lib_files($1)
+diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
+index 1632f10..f6e570c 100644
+--- a/policy/modules/services/accountsd.te
++++ b/policy/modules/services/accountsd.te
+@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
+ type accountsd_t;
+ type accountsd_exec_t;
+ dbus_system_domain(accountsd_t, accountsd_exec_t)
++init_daemon_domain(accountsd_t, accountsd_exec_t)
++role system_r types accountsd_t;
+
+ type accountsd_var_lib_t;
+ files_type(accountsd_var_lib_t)
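Review bot: `init_daemon_domain(accountsd_t, accountsd_exec_t)` is added on top of `dbus_system_domain(accountsd_t, accountsd_exec_t)`, so the same domain/entrypoint pair is now declared through two templates; if accountsd must be startable both by init and by D-Bus activation, say so in a comment. The explicit `role system_r types accountsd_t;` that follows is, as far as I recall, already done by `init_daemon_domain` and would be redundant — verify against the init module before keeping it.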
+@@ -32,6 +34,7 @@ files_read_usr_files(accountsd_t)
+ files_read_mnt_files(accountsd_t)
+
+ fs_list_inotifyfs(accountsd_t)
++fs_getattr_xattr_fs(accountsd_t)
+ fs_read_noxattr_fs_files(accountsd_t)
+
+ auth_use_nsswitch(accountsd_t)
+@@ -55,3 +58,8 @@ optional_policy(`
+ optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(accountsd_t)
++ xserver_manage_xdm_etc_files(accountsd_t)
++')
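Review bot: `xserver_manage_xdm_etc_files(accountsd_t)` grants create, delete and write on the display manager's configuration, a target that directly affects who is logged in and how; a one-line comment naming the file accountsd edits (presumably the display manager's autologin settings — confirm) would justify `manage` over a narrower read/write interface.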
+diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
+index 8559cdc..49c0cc8 100644
+--- a/policy/modules/services/afs.if
++++ b/policy/modules/services/afs.if
+@@ -97,8 +97,8 @@ interface(`afs_admin',`
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+- allow $1 afs_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, afs_t, afs_t)
++ allow $1 afs_t:process { ptrace signal_perms };
++ ps_process_pattern($1, afs_t)
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
+diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
+index a496fde..847609a 100644
+--- a/policy/modules/services/afs.te
++++ b/policy/modules/services/afs.te
+@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t)
+
+ sysnet_dns_name_resolve(afs_t)
+
++ifdef(`hide_broken_symptoms',`
++ kernel_rw_unlabeled_files(afs_t)
++')
++
+ ########################################
+ #
+ # AFS bossserver local policy
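Review bot: `kernel_rw_unlabeled_files(afs_t)` is an allow rule placed under `ifdef(`hide_broken_symptoms',`, an option intended for dontaudit rules, so whether afs can read and write unlabeled files now depends on a build-time switch. Either grant it unconditionally with a comment on which files are meant (presumably content on the AFS mount that carries no label — confirm) or replace it with the dontaudit equivalent.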
+diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
+new file mode 100644
+index 0000000..069518f
+--- /dev/null
++++ b/policy/modules/services/aiccu.fc
+@@ -0,0 +1,6 @@
++/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
++/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
++
++/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
++
++/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
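Review bot: `/etc/aiccu.conf` leaves the dot unescaped, so the regex also matches paths such as `/etc/aiccuXconf`; the other entries in this file escape it, and the line should read `/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)`. Harmless in practice, but file-context patterns are compiled as full regular expressions and the inconsistency will be flagged by policy linters.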
+diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
+new file mode 100644
+index 0000000..6bf0ad6
+--- /dev/null
++++ b/policy/modules/services/aiccu.if
+@@ -0,0 +1,116 @@
++## Automatic IPv6 Connectivity Client Utility.
++
++########################################
++##
++## Execute a domain transition to run aiccu.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`aiccu_domtrans',`
++ gen_require(`
++ type aiccu_t, aiccu_exec_t;
++ ')
++
++ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
++ corecmd_search_bin($1)
++')
++
++########################################
++##
++## Execute aiccu server in the aiccu domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`aiccu_initrc_domtrans',`
++ gen_require(`
++ type aiccu_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
++')
++
++########################################
++##
++## Read aiccu PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`aiccu_read_pid_files',`
++ gen_require(`
++ type aiccu_var_run_t;
++ ')
++
++ allow $1 aiccu_var_run_t:file read_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++##
++## Manage aiccu PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`aiccu_manage_var_run',`
++ gen_require(`
++ type aiccu_var_run_t;
++ ')
++
++ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ files_search_pids($1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an aiccu environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`aiccu_admin',`
++ gen_require(`
++ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
++ type aiccu_var_run_t;
++ ')
++
++ allow $1 aiccu_t:process { ptrace signal_perms };
++ ps_process_pattern($1, aiccu_t)
++
++ aiccu_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 aiccu_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ admin_pattern($1, aiccu_etc_t)
++ files_list_etc($1)
++
++ admin_pattern($1, aiccu_var_run_t)
++ files_list_pids($1)
++')
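Review bot: `aiccu_manage_var_run` at L5647 breaks the naming used by its sibling `aiccu_read_pid_files` at L5628 and by refpolicy generally, where interfaces over a `_var_run_t` type are named `*_pid_files`; its own summary at L5639 already says "Manage aiccu PID files", so `aiccu_manage_pid_files` would make the name match both. The interface is new in this patch, so renaming it now costs nothing and avoids a deprecation alias later.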
+diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
+new file mode 100644
+index 0000000..dda9c93
+--- /dev/null
++++ b/policy/modules/services/aiccu.te
+@@ -0,0 +1,75 @@
++policy_module(aiccu, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type aiccu_t;
++type aiccu_exec_t;
++init_daemon_domain(aiccu_t, aiccu_exec_t)
++
++type aiccu_initrc_exec_t;
++init_script_file(aiccu_initrc_exec_t)
++
++type aiccu_etc_t;
++files_config_file(aiccu_etc_t)
++
++type aiccu_var_run_t;
++files_pid_file(aiccu_var_run_t)
++
++########################################
++#
++# aiccu local policy
++#
++
++allow aiccu_t self:capability { kill net_admin net_raw };
++dontaudit aiccu_t self:capability sys_tty_config;
++allow aiccu_t self:process signal;
++allow aiccu_t self:fifo_file rw_fifo_file_perms;
++allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
++allow aiccu_t self:tcp_socket create_stream_socket_perms;
++allow aiccu_t self:tun_socket create_socket_perms;
++allow aiccu_t self:udp_socket create_stream_socket_perms;
++allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
++
++allow aiccu_t aiccu_etc_t:file read_file_perms;
++
++manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
++
++kernel_read_system_state(aiccu_t)
++
++corecmd_exec_shell(aiccu_t)
++
++corenet_all_recvfrom_netlabel(aiccu_t)
++corenet_all_recvfrom_unlabeled(aiccu_t)
++corenet_tcp_bind_generic_node(aiccu_t)
++corenet_tcp_sendrecv_generic_if(aiccu_t)
++corenet_tcp_sendrecv_generic_node(aiccu_t)
++corenet_tcp_sendrecv_generic_port(aiccu_t)
++corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
++corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
++corenet_tcp_connect_sixxsconfig_port(aiccu_t)
++corenet_rw_tun_tap_dev(aiccu_t)
++
++domain_use_interactive_fds(aiccu_t)
++
++dev_read_rand(aiccu_t)
++dev_read_urand(aiccu_t)
++
++files_read_etc_files(aiccu_t)
++
++logging_send_syslog_msg(aiccu_t)
++
++miscfiles_read_localization(aiccu_t)
++
++optional_policy(`
++ modutils_domtrans_insmod(aiccu_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(aiccu_t)
++ sysnet_dns_name_resolve(aiccu_t)
++')
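Review bot: The grants at L5726-5734 carry no rationale comments, and together they are wide for a daemon that talks to a remote broker: `net_admin`, `net_raw`, a `tun_socket`, `corenet_rw_tun_tap_dev` at L5755, `corecmd_exec_shell` at L5744, plus `modutils_domtrans_insmod` at L5769. A short comment per group naming the aiccu function that needs it (tunnel interface configuration, setup scripts, presumably loading the tun module — confirm) would let a later reviewer separate needed grants from over-grants. The `kill` capability at L5726 also looks unneeded, since the only signal rule is `allow aiccu_t self:process signal;` at L5728 and CAP_KILL only matters when signalling processes of another uid; if it came from an AVC denial, note which one.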
+diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
+index 838d25b..0b0db39 100644
+--- a/policy/modules/services/aide.if
++++ b/policy/modules/services/aide.if
+@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
+ ## The role to allow the AIDE domain.
+ ##
+ ##
++##
+ #
+ interface(`aide_run',`
+ gen_require(`
+diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
+index 2509dd2..615e957 100644
+--- a/policy/modules/services/aide.te
++++ b/policy/modules/services/aide.te
+@@ -39,4 +39,4 @@ logging_send_syslog_msg(aide_t)
+
+ seutil_use_newrole_fds(aide_t)
+
+-userdom_use_user_terminals(aide_t)
++userdom_use_inherited_user_terminals(aide_t)
+diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
+index 0370dba..af5d229 100644
+--- a/policy/modules/services/aisexec.if
++++ b/policy/modules/services/aisexec.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run aisexec.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`aisexec_domtrans',`
+diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
+index 97c9cae..c24bd66 100644
+--- a/policy/modules/services/aisexec.te
++++ b/policy/modules/services/aisexec.te
+@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
+ # aisexec local policy
+ #
+
+-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
++allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
+ allow aisexec_t self:process { setrlimit setsched signal };
+ allow aisexec_t self:fifo_file rw_fifo_file_perms;
+ allow aisexec_t self:sem create_sem_perms;
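Review bot: `ipc_owner` added at L5823 lets aisexec_t bypass the uid ownership checks on System V IPC objects, and with `userdom_rw_semaphores` / `userdom_rw_unpriv_user_shared_mem` in the hunk at L5827-5836 that amounts to read/write of any unprivileged user's shared memory and semaphores with both DAC and MAC permitting it. Add a comment above the capability line naming the client use case this serves (presumably the openais/corosync client IPC — confirm), so the pair of grants is not widened further without that context.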
+@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
+
+ miscfiles_read_localization(aisexec_t)
+
++userdom_rw_semaphores(aisexec_t)
++userdom_rw_unpriv_user_shared_mem(aisexec_t)
++
+ optional_policy(`
+ ccs_stream_connect(aisexec_t)
+ ')
+diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
+new file mode 100644
+index 0000000..aeb1888
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
++
++/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
++
++/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
+diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
+new file mode 100644
+index 0000000..0f3fc36
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.if
+@@ -0,0 +1,86 @@
++## policy for ajaxterm
++
++########################################
++##
++## Execute a domain transition to run ajaxterm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ajaxterm_domtrans',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_exec_t;
++ ')
++
++ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
++')
++
++########################################
++##
++## Execute ajaxterm server in the ajaxterm domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ajaxterm_initrc_domtrans',`
++ gen_require(`
++ type ajaxterm_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
++')
++
++#######################################
++##
++## Read and write the ajaxterm pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ajaxterm_rw_ptys',`
++ gen_require(`
++ type ajaxterm_devpts_t;
++ ')
++
++ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ajaxterm environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ajaxterm_admin',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_initrc_exec_t;
++ ')
++
++ allow $1 ajaxterm_t:process { ptrace signal_perms };
++ ps_process_pattern($1, ajaxterm_t)
++
++ ajaxterm_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ajaxterm_initrc_exec_t system_r;
++ allow $2 system_r;
++')
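Review bot: `ajaxterm_admin` at L5928-5940 does not cover `ajaxterm_var_run_t`, which ajaxterm.te in this same patch declares and manages, whereas the parallel `aiccu_admin` does `admin_pattern` its pid type; an admin role therefore cannot clean up a stale pid file. Add `type ajaxterm_var_run_t;` to the gen_require and `admin_pattern($1, ajaxterm_var_run_t)` plus `files_list_pids($1)` before the closing quote. Also `ajaxterm_domtrans` at L5867 omits the directory-search call that `aiccu_domtrans` includes; since the entrypoint lives under /usr/share, `files_search_usr($1)` is probably the one needed — confirm.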
+diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
+new file mode 100644
+index 0000000..3d0fd88
+--- /dev/null
++++ b/policy/modules/services/ajaxterm.te
+@@ -0,0 +1,64 @@
++policy_module(ajaxterm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ajaxterm_t;
++type ajaxterm_exec_t;
++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
++
++type ajaxterm_initrc_exec_t;
++init_script_file(ajaxterm_initrc_exec_t)
++
++type ajaxterm_var_run_t;
++files_pid_file(ajaxterm_var_run_t)
++
++type ajaxterm_devpts_t;
++term_login_pty(ajaxterm_devpts_t)
++
++########################################
++#
++# ajaxterm local policy
++#
++allow ajaxterm_t self:capability setuid;
++allow ajaxterm_t self:process { setpgid signal };
++allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
++allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
++
++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
++term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
++
++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
++
++kernel_read_system_state(ajaxterm_t)
++
++corecmd_exec_bin(ajaxterm_t)
++
++corenet_tcp_bind_generic_node(ajaxterm_t)
++corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
++
++dev_read_urand(ajaxterm_t)
++
++domain_use_interactive_fds(ajaxterm_t)
++
++files_read_etc_files(ajaxterm_t)
++files_read_usr_files(ajaxterm_t)
++
++miscfiles_read_localization(ajaxterm_t)
++
++sysnet_dns_name_resolve(ajaxterm_t)
++
++#######################################
++#
++# SSH component local policy
++#
++
++optional_policy(`
++ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
++')
++
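Review bot: `allow ajaxterm_t self:capability setuid;` at L5971 together with `term_login_pty` at L5965 and `term_create_pty` at L5978 means a domain bound to a TCP port can change uid and hand out login ptys, and nothing in the file says why; a comment such as `# ajaxterm spawns a login on a pty per web session` (confirm against the daemon) belongs above that block. Style: the `# ajaxterm local policy` header at L5970 is not followed by the blank line the rest of the file (and aiccu.te at L5725) uses, the `# SSH component local policy` banner at L6002-6005 wraps a single optional_policy block, and the file ends with a trailing blank line at L6010.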
+diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
+index ceb2142..e31d92a 100644
+--- a/policy/modules/services/amavis.if
++++ b/policy/modules/services/amavis.if
+@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
+ type amavis_var_run_t;
+ ')
+
+- allow $1 amavis_var_run_t:file setattr;
++ allow $1 amavis_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+ ')
+
+diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
+index c3a1903..19fb14a 100644
+--- a/policy/modules/services/amavis.te
++++ b/policy/modules/services/amavis.te
+@@ -47,7 +47,7 @@ files_type(amavis_spool_t)
+
+ allow amavis_t self:capability { kill chown dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+-allow amavis_t self:process { signal sigchld signull };
++allow amavis_t self:process { signal sigchld sigkill signull };
+ allow amavis_t self:fifo_file rw_fifo_file_perms;
+ allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
+@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
+
+ # tmp files
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+-allow amavis_t amavis_tmp_t:dir setattr;
++allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+ files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+ # var/lib files for amavis
+@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+ files_search_var_lib(amavis_t)
+
+ # log files
+-allow amavis_t amavis_var_log_t:dir setattr;
++allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+ logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t)
+
+ # find perl
+ corecmd_exec_bin(amavis_t)
++corecmd_exec_shell(amavis_t)
+
+ corenet_all_recvfrom_unlabeled(amavis_t)
+ corenet_all_recvfrom_netlabel(amavis_t)
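Review bot: The `# find perl` comment at L6057 now heads both `corecmd_exec_bin` and the new `corecmd_exec_shell` at L6059, so it no longer describes the second grant; change it to `# exec perl and shell` or give the shell line its own comment saying what amavis runs through a shell.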
+@@ -152,24 +153,32 @@ sysnet_use_ldap(amavis_t)
+
+ userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+-# Cron handling
+-cron_use_fds(amavis_t)
+-cron_use_system_job_fds(amavis_t)
+-cron_rw_pipes(amavis_t)
+-
+-mta_read_config(amavis_t)
+-
+ optional_policy(`
+ clamav_stream_connect(amavis_t)
+ clamav_domtrans_clamscan(amavis_t)
+ ')
+
+ optional_policy(`
++ #Cron handling
++ cron_use_fds(amavis_t)
++ cron_use_system_job_fds(amavis_t)
++ cron_rw_pipes(amavis_t)
++')
++
++optional_policy(`
+ dcc_domtrans_client(amavis_t)
+ dcc_stream_connect_dccifd(amavis_t)
+ ')
+
+ optional_policy(`
++ mta_read_config(amavis_t)
++')
++
++optional_policy(`
++ nslcd_stream_connect(amavis_t)
++')
++
++optional_policy(`
+ postfix_read_config(amavis_t)
+ ')
+
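Review bot: The moved comment at L6080 reads `#Cron handling` with no space after `#`, while every other comment in the file (`# tmp files`, `# log files`, `# find perl`) uses `# `; restore it as `# Cron handling`.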
+diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
+index 9e39aa5..7ba3b11 100644
+--- a/policy/modules/services/apache.fc
++++ b/policy/modules/services/apache.fc
+@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+
+ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+
+ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+ /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+ /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+@@ -43,8 +42,9 @@ ifdef(`distro_suse', `
+ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ ')
+
+-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
+ /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -74,7 +74,8 @@ ifdef(`distro_suse', `
+
+ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
+ /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+ ifdef(`distro_debian', `
+ /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
+ /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
++/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
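Review bot: `/var/www/html/[^/]*/cgi-bin(/.*)?` at L6159 labels any `cgi-bin` directory one level below the document root as `httpd_sys_script_exec_t` on relabel, so script-execution labeling becomes the default for every application dropped under /var/www/html rather than an explicit per-application opt-in like `/var/www/cgi-bin` at L6155; a comment saying which layout this serves would help, and if only specific applications need it, naming them is safer. The other additions are undocumented too (`configuration\.php` at L6161 looks like a Joomla file — confirm) and out of the file's sorted order: the `/var/lib/koji`, `/var/lib/pootle`, `/var/lib/rt3`, `/var/log/dirsrv` and `/var/run/dirsrv` lines belong with the existing `/var/lib`, `/var/log` and `/var/run` entries rather than appended after `/var/www`. The dirsrv entries removed at L6120 and L6128 versus the admin-serv ones added at L6173-6176 suggest the rest of dirsrv moved to its own module; a comment at L6173 saying so would explain the split.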
+diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
+index 6480167..09c61a0 100644
+--- a/policy/modules/services/apache.if
++++ b/policy/modules/services/apache.if
+@@ -13,17 +13,13 @@
+ #
+ template(`apache_content_template',`
+ gen_require(`
+- attribute httpdcontent;
+- attribute httpd_exec_scripts;
+- attribute httpd_script_exec_type;
++ attribute httpd_exec_scripts, httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_sys_content_t;
+ ')
+- # allow write access to public file transfer
+- # services files.
+- gen_tunable(allow_httpd_$1_script_anon_write, false)
+
+ #This type is for webpages
+- type httpd_$1_content_t, httpdcontent; # customizable
++ type httpd_$1_content_t; # customizable;
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
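Review bot: Removing `gen_tunable(allow_httpd_$1_script_anon_write, false)` at L6194, and the `httpd_unified` and anon-write tunable blocks in the hunk at L6257-6276, deletes booleans that administrators and local policy may reference by name; unless they are re-declared elsewhere in this patch, keep them as no-op tunables or call the removal out in the module's changelog. Dropping `httpdcontent` from the per-content types at L6198, L6214 and L6219 also shrinks what `admin_pattern($1, httpdcontent)` in apache_admin (L6704) covers — confirm that is intended. Minor: `# customizable;` at L6198 gained a trailing semicolon the sibling comments lack.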
+@@ -36,32 +32,32 @@ template(`apache_content_template',`
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
++ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
++
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+- type httpd_$1_rw_content_t, httpdcontent; # customizable
++ type httpd_$1_rw_content_t; # customizable
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+- type httpd_$1_ra_content_t, httpdcontent; # customizable
++ type httpd_$1_ra_content_t; # customizable
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+
+- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+-
+ allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
++ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+
+ allow httpd_$1_script_t self:fifo_file rw_file_perms;
+ allow httpd_$1_script_t self:unix_stream_socket connectto;
+
+ allow httpd_$1_script_t httpd_t:fifo_file write;
+ # apache should set close-on-exec
+- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
++ apache_dontaudit_leaks(httpd_$1_script_t)
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
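Review bot: The unconditional `search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)` at L6206 already grants `search_dir_perms` on `httpd_sys_content_t` directories, so the `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` added inside the `httpd_enable_cgi` block at L6318 (hunk L6277-6319) appears redundant; drop one, preferably keeping the conditional one if the intent is that scripts only need it when CGI is enabled. A one-line comment on L6206 explaining why every `httpd_$1_script_t` must traverse system content (script directories nested under it, presumably) would help too.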
+@@ -86,7 +82,6 @@ template(`apache_content_template',`
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+ kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+@@ -95,6 +90,7 @@ template(`apache_content_template',`
+ dev_read_urand(httpd_$1_script_t)
+
+ corecmd_exec_all_executables(httpd_$1_script_t)
++ application_exec_all(httpd_$1_script_t)
+
+ files_exec_etc_files(httpd_$1_script_t)
+ files_read_etc_files(httpd_$1_script_t)
+@@ -108,19 +104,6 @@ template(`apache_content_template',`
+
+ seutil_dontaudit_search_config(httpd_$1_script_t)
+
+- tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_$1_script_t httpdcontent:file entrypoint;
+-
+- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- can_exec(httpd_$1_script_t, httpdcontent)
+- ')
+-
+- tunable_policy(`allow_httpd_$1_script_anon_write',`
+- miscfiles_manage_public_files(httpd_$1_script_t)
+- ')
+-
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+@@ -140,26 +123,36 @@ template(`apache_content_template',`
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
++ allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
++ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
++ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
++
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t self:process { setsched signal_perms };
+ allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
++ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
+
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+
++ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
++
+ kernel_read_system_state(httpd_$1_script_t)
+
+ dev_read_urand(httpd_$1_script_t)
+@@ -172,6 +165,7 @@ template(`apache_content_template',`
+ libs_read_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_localization(httpd_$1_script_t)
++ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
+ ')
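Review bot: `allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;` at L6281 sits inside the `httpd_builtin_scripting` block, yet `httpd_$1_script_t` processes are only spawned under `httpd_enable_cgi` (L6284 onward); it reads as if it belongs in the cgi block next to the other httpd_t/script rules, or needs a comment naming the listener it is for. The added `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` at L6309 is a leaked-fd silencer like the one at L6236 that this patch replaces; a comment matching `# apache should set close-on-exec` at L6235 would keep the two consistent.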
+
+ optional_policy(`
+@@ -182,10 +176,6 @@ template(`apache_content_template',`
+
+ optional_policy(`
+ postgresql_unpriv_client(httpd_$1_script_t)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- postgresql_tcp_connect(httpd_$1_script_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -211,9 +201,8 @@ template(`apache_content_template',`
+ interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_user_content_t, httpd_user_htaccess_t;
+- type httpd_user_script_t, httpd_user_script_exec_t;
+- type httpd_user_ra_content_t, httpd_user_rw_content_t;
++ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
++ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+@@ -234,6 +223,13 @@ interface(`apache_role',`
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+@@ -248,6 +244,8 @@ interface(`apache_role',`
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
++ apache_exec_modules($2)
++
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
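Review bot: `apache_exec_modules($2)` at L6363 lets every user domain that receives `apache_role` execute files labeled `httpd_modules_t`, which covers the whole module directories labeled in apache.fc (L6121-6122), and nothing says which binary the user needs; add a comment naming it, and confirm that a narrower grant such as reading the modules is not enough.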
+@@ -317,6 +315,25 @@ interface(`apache_domtrans',`
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+ ')
+
++######################################
++##
++## Allow the specified domain to execute apache
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_exec',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++
++ can_exec($1, httpd_exec_t)
++')
++
+ #######################################
+ ##
+ ## Send a generic signal to apache.
+@@ -405,7 +422,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+ type httpd_t;
+ ')
+
+- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -487,7 +504,7 @@ interface(`apache_setattr_cache_dirs',`
+ type httpd_cache_t;
+ ')
+
+- allow $1 httpd_cache_t:dir setattr;
++ allow $1 httpd_cache_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -531,6 +548,25 @@ interface(`apache_rw_cache_files',`
+ ########################################
+ ##
+ ## Allow the specified domain to delete
++## Apache cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_delete_cache_dirs',`
++ gen_require(`
++ type httpd_cache_t;
++ ')
++
++ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
++')
++
++########################################
++##
++## Allow the specified domain to delete
+ ## Apache cache.
+ ##
+ ##
+@@ -549,6 +585,26 @@ interface(`apache_delete_cache_files',`
+
+ ########################################
+ ##
++## Allow the specified domain to search
++## apache configuration dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_search_config',`
++ gen_require(`
++ type httpd_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 httpd_config_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Allow the specified domain to read
+ ## apache configuration files.
+ ##
+@@ -699,7 +755,7 @@ interface(`apache_dontaudit_append_log',`
+ type httpd_log_t;
+ ')
+
+- dontaudit $1 httpd_log_t:file { getattr append };
++ dontaudit $1 httpd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -745,6 +801,25 @@ interface(`apache_dontaudit_search_modules',`
+
+ ########################################
+ ##
++## Allow the specified domain to read
++## the apache module directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_read_modules',`
++ gen_require(`
++ type httpd_modules_t;
++ ')
++
++ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
++')
++
++########################################
++##
+ ## Allow the specified domain to list
+ ## the contents of the apache modules
+ ## directory.
+@@ -761,6 +836,7 @@ interface(`apache_list_modules',`
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ ')
+
+ ########################################
+@@ -819,6 +895,7 @@ interface(`apache_list_sys_content',`
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+ ')
+
+@@ -846,6 +923,74 @@ interface(`apache_manage_sys_content',`
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ ')
+
++######################################
++##
++## Allow the specified domain to read
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_read_sys_content_rw_files',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
++##
++## Allow the specified domain to manage
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_manage_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++########################################
++##
++## Allow the specified domain to delete
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_delete_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_tmp($1)
++ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
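Review bot: `apache_delete_sys_content_rw` at L6575-6586 calls `files_search_tmp($1)` at L6580, while its sibling `apache_manage_sys_content_rw` at L6557 calls `files_search_var($1)` and every `httpd_sys_rw_content_t` path in apache.fc lives under /var; unless there is rw content under /tmp this looks like a copy-paste slip and should be `files_search_var($1)`. The summaries at L6543 and L6565 say "files" but the interfaces also cover dirs, lnk, fifo and sock files; "content" would be more accurate.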
+ ########################################
+ ##
+ ## Execute all web scripts in the system
+@@ -862,7 +1007,11 @@ interface(`apache_manage_sys_content',`
+ interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_sys_script_t;
++ type httpd_sys_script_t, httpd_sys_content_t;
++ ')
++
++ tunable_policy(`httpd_enable_cgi',`
++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
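Review bot: The new `domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)` at L6600 uses `httpd_sys_script_exec_t`, but the gen_require at L6593-6597 lists only `httpdcontent`, `httpd_sys_script_t` and `httpd_sys_content_t`, so a module calling this interface without its own declaration of that type will fail to build; add `httpd_sys_script_exec_t` to the `type` line. Conversely `httpd_sys_content_t` was added to the require at L6596 without a visible use in the hunk — if it is not used further down, drop it. The interface body continues past the hunk.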
+@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',`
+ ##
+ ##
+ ##
+-## Role allowed access..
++## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`apache_run_all_scripts',`
+ gen_require(`
+@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',`
+ type httpd_squirrelmail_t;
+ ')
+
+- allow $1 httpd_squirrelmail_t:file read_file_perms;
++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ ')
+
+ ########################################
+@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',`
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+ ')
+
++######################################
++##
++## Dontaudit attempts to read and write
++## apache tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
+ ########################################
+ ##
+ ## Dontaudit attempts to write
+@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+ type httpd_tmp_t;
+ ')
+
+- dontaudit $1 httpd_tmp_t:file write_file_perms;
++ dontaudit $1 httpd_tmp_t:file write;
+ ')
+
+ ########################################
+@@ -1170,17 +1339,14 @@ interface(`apache_cgi_domain',`
+ #
+ interface(`apache_admin',`
+ gen_require(`
+- attribute httpdcontent;
+- attribute httpd_script_exec_type;
+-
++ attribute httpdcontent, httpd_script_exec_type;
+ type httpd_t, httpd_config_t, httpd_log_t;
+- type httpd_modules_t, httpd_lock_t;
+- type httpd_var_run_t, httpd_php_tmp_t;
++ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
++ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+- type httpd_initrc_exec_t;
+ ')
+
+- allow $1 httpd_t:process { getattr ptrace signal_perms };
++ allow $1 httpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+@@ -1191,10 +1357,10 @@ interface(`apache_admin',`
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+@@ -1205,14 +1371,43 @@ interface(`apache_admin',`
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+- kernel_search_proc($1)
+- allow $1 httpd_t:dir list_dir_perms;
+-
+- read_lnk_files_pattern($1, httpd_t, httpd_t)
+-
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
++
++ seutil_domtrans_setfiles($1)
++
++ files_list_tmp($1)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
++
++ ifdef(`TODO',`
++ apache_set_booleans($1, $2, $3, httpd_bool_t)
++ seutil_setsebool_role_template($1, $3, $2)
++ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
++ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
++ ')
++')
++
++########################################
++##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_leaks',`
++ gen_require(`
++ type httpd_t;
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 httpd_t:tcp_socket { read write };
++ dontaudit $1 httpd_t:unix_dgram_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_tmp_t:file { read write };
+ ')
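Review bot: The `ifdef(`TODO',...)` block at the end of `apache_admin` references `$2`, `$3` and `httpd_setsebool_t`, none of which the interface declares or requires, and it is the only user of `httpd_bool_t`, which is now pulled into `gen_require` for nothing; either finish the setsebool role support or drop both the dead block and the `httpd_bool_t` require. `seutil_domtrans_setfiles($1)` is a notable widening, since it lets the web-server admin role run setfiles over arbitrary paths rather than just Apache's files, and deserves a one-line comment on why it belongs in this interface. In the new `apache_dontaudit_leaks`, `dontaudit $1 httpd_tmp_t:file { read write };` duplicates the `apache_dontaudit_rw_tmp_files` interface added earlier in this patch, so `apache_dontaudit_rw_tmp_files($1)` would avoid two copies to keep in sync, and its summary should read "Dontaudit read and write of leaked file descriptors".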
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index 3136c6a..1bf05a6 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
+ # Declarations
+ #
+
++selinux_genbool(httpd_bool_t)
++
+ ##
+-##
+-## Allow Apache to modify public files
+-## used for public file transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-##
++##
++## Allow Apache to modify public files
++## used for public file transfer services. Directories/Files must
++## be labeled public_content_rw_t.
++##
+ ##
+ gen_tunable(allow_httpd_anon_write, false)
+
+ ##
+-##
+-## Allow Apache to use mod_auth_pam
+-##
++##
++## Allow Apache to use mod_auth_pam
++##
+ ##
+ gen_tunable(allow_httpd_mod_auth_pam, false)
+
+ ##
+-##
+-## Allow httpd to use built in scripting (usually php)
+-##
++##
++## Allow Apache to use mod_auth_ntlm_winbind
++##
++##
++gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
++
++##
++##
++## Allow httpd scripts and modules execmem/execstack
++##
++##
++gen_tunable(httpd_execmem, false)
++
++##
++##
++## Allow httpd daemon to change system limits
++##
++##
++gen_tunable(httpd_setrlimit, false)
++
++##
++##
++## Allow httpd to use built in scripting (usually php)
++##
+ ##
+ gen_tunable(httpd_builtin_scripting, false)
+
+ ##
+-##
+-## Allow HTTPD scripts and modules to connect to the network using TCP.
+-##
++##
++## Allow HTTPD scripts and modules to connect to the network using any TCP port.
++##
+ ##
+ gen_tunable(httpd_can_network_connect, false)
+
+ ##
+-##
+-## Allow HTTPD scripts and modules to connect to databases over the network.
+-##
++##
++## Allow HTTPD scripts and modules to connect to cobbler over the network.
++##
++##
++gen_tunable(httpd_can_network_connect_cobbler, false)
++
++##
++##
++## Allow HTTPD scripts and modules to connect to databases over the network.
++##
+ ##
+ gen_tunable(httpd_can_network_connect_db, false)
+
+ ##
+-##
+-## Allow httpd to act as a relay
+-##
++##
++## Allow httpd to connect to memcache server
++##
++##
++gen_tunable(httpd_can_network_memcache, false)
++
++##
++##
++## Allow httpd to act as a relay
++##
+ ##
+ gen_tunable(httpd_can_network_relay, false)
+
+ ##
+-##
+-## Allow http daemon to send mail
+-##
++##
++## Allow http daemon to send mail
++##
+ ##
+ gen_tunable(httpd_can_sendmail, false)
+
+ ##
+-##
+-## Allow Apache to communicate with avahi service via dbus
+-##
++##
++## Allow http daemon to check spam
++##
++##
++gen_tunable(httpd_can_check_spam, false)
++
++##
++##
++## Allow Apache to communicate with avahi service via dbus
++##
+ ##
+ gen_tunable(httpd_dbus_avahi, false)
+
+ ##
+-##
+-## Allow httpd cgi support
+-##
++##
++## Allow httpd to execute cgi scripts
++##
+ ##
+ gen_tunable(httpd_enable_cgi, false)
+
+ ##
+-##
+-## Allow httpd to act as a FTP server by
+-## listening on the ftp port.
+-##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
+ ##
+ gen_tunable(httpd_enable_ftp_server, false)
+
+ ##
+-##
+-## Allow httpd to read home directories
+-##
++##
++## Allow httpd to read home directories
++##
+ ##
+ gen_tunable(httpd_enable_homedirs, false)
+
+ ##
+-##
+-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+-##
++##
++## Allow httpd to read user content
++##
++##
++gen_tunable(httpd_read_user_content, false)
++
++##
++##
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++##
+ ##
+ gen_tunable(httpd_ssi_exec, false)
+
+ ##
+-##
+-## Unify HTTPD to communicate with the terminal.
+-## Needed for entering the passphrase for certificates at
+-## the terminal.
+-##
++##
++## Allow Apache to execute tmp content.
++##
++##
++gen_tunable(httpd_tmp_exec, false)
++
++##
++##
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
++##
+ ##
+ gen_tunable(httpd_tty_comm, false)
+
+ ##
+-##
+-## Unify HTTPD handling of all content files.
+-##
++##
++## Unify HTTPD handling of all content files.
++##
+ ##
+ gen_tunable(httpd_unified, false)
+
+ ##
+-##
+-## Allow httpd to access cifs file systems
+-##
++##
++## Allow httpd to access cifs file systems
++##
+ ##
+ gen_tunable(httpd_use_cifs, false)
+
+ ##
+-##
+-## Allow httpd to run gpg
+-##
++##
++## Allow httpd to run gpg in gpg-web domain
++##
+ ##
+ gen_tunable(httpd_use_gpg, false)
+
+ ##
+-##
+-## Allow httpd to access nfs file systems
+-##
++##
++## Allow httpd to access nfs file systems
++##
+ ##
+ gen_tunable(httpd_use_nfs, false)
+
++##
++##
++## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
++##
++##
++gen_tunable(allow_httpd_sys_script_anon_write, false)
++
+ attribute httpdcontent;
+ attribute httpd_user_content_type;
+
+@@ -166,7 +231,7 @@ files_type(httpd_cache_t)
+
+ # httpd_config_t is the type given to the configuration files
+ type httpd_config_t;
+-files_type(httpd_config_t)
++files_config_file(httpd_config_t)
+
+ type httpd_helper_t;
+ type httpd_helper_exec_t;
+@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+
+ # setup the system domain for system CGI scripts
+ apache_content_template(sys)
+-typealias httpd_sys_content_t alias ntop_http_content_t;
++
++typeattribute httpd_sys_content_t httpdcontent; # customizable
++typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
++typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
++
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
++typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
++typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+
+ type httpd_tmp_t;
+ files_tmp_file(httpd_tmp_t)
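Review bot: The `ntop_http_content_t` alias is removed from `httpd_sys_content_t` without a compatibility alias, while the removed fastcgi types get explicit aliases and a comment; any file-context entry or module still referencing `ntop_http_content_t` will fail to load. If ntop is being folded into apache (the `corenet_tcp_bind_ntop_port` addition elsewhere in this patch suggests so), keep `typealias httpd_sys_content_t alias ntop_http_content_t;` next to the fastcgi aliases with the same kind of comment. Adding `httpd_sys_content_t` to `httpdcontent` here also puts the nominally read-only content type under the `httpd_unified` manage rules, which the `# customizable` comments do not say is intended.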
+@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+
+ apache_content_template(user)
+ ubac_constrained(httpd_user_script_t)
++typeattribute httpd_user_content_t httpdcontent;
++typeattribute httpd_user_rw_content_t httpdcontent;
++typeattribute httpd_user_ra_content_t httpdcontent;
++
+ userdom_user_home_content(httpd_user_content_t)
+ userdom_user_home_content(httpd_user_htaccess_t)
+ userdom_user_home_content(httpd_user_script_exec_t)
+@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+ userdom_user_home_content(httpd_user_rw_content_t)
+ typeattribute httpd_user_script_t httpd_script_domains;
+ typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
++typealias httpd_user_content_t alias httpd_unconfined_content_t;
+ typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+ typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+ typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t)
+ type httpd_var_run_t;
+ files_pid_file(httpd_var_run_t)
+
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
++
+ # File Type of squirrelmail attachments
+ type squirrelmail_spool_t;
+ files_tmp_file(squirrelmail_spool_t)
+@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow httpd_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_t self:udp_socket create_socket_perms;
++dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+
+ # Allow httpd_t to put files in /var/cache/httpd etc
+ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
++files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+
+ # Allow the httpd_t to read the web servers config files
+ allow httpd_t httpd_config_t:dir list_dir_perms;
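Review bot: `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` is an unnamed transition on the generic `/var` type, so any file or directory httpd_t creates directly under `/var`, not only its cache directory, is labeled `httpd_cache_t` and becomes writable by httpd. If the policy build supports name-based transitions, restrict it to the entry actually created, e.g. `files_var_filetrans(httpd_t, httpd_cache_t, dir, "cache")`; otherwise add a comment naming the path that needs this so the rule can be tightened later. The `netlink_audit_socket` dontaudit would also read better with a comment naming its trigger (presumably PAM, given the `logging_send_audit_msgs` under `allow_httpd_mod_auth_pam` further down, but that is an inference).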
+@@ -329,8 +414,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
++manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
+
+ manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -355,6 +441,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ kernel_read_kernel_sysctls(httpd_t)
+ # for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
++kernel_search_network_sysctl(httpd_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_t)
+ corenet_all_recvfrom_netlabel(httpd_t)
+@@ -365,8 +452,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_generic_node(httpd_t)
++corenet_udp_bind_generic_node(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
++corenet_tcp_bind_ntop_port(httpd_t)
+ corenet_sendrecv_http_server_packets(httpd_t)
+ # Signal self for shutdown
+ corenet_tcp_connect_http_port(httpd_t)
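Review bot: `corenet_tcp_bind_ntop_port(httpd_t)` is granted unconditionally, whereas the comparable non-HTTP listener (`corenet_tcp_bind_ftp_port` under `httpd_enable_ftp_server`) is behind a tunable, so every httpd instance may now listen on the ntop port whether or not ntop is installed; it should be gated by a tunable or an ntop-specific optional block, or carry a comment explaining why it must be always-on. `corenet_udp_bind_generic_node(httpd_t)` is also added without any UDP port bind permission visible in this hunk, so a comment naming the service it supports would help.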
+@@ -378,12 +467,12 @@ dev_rw_crypto(httpd_t)
+
+ fs_getattr_all_fs(httpd_t)
+ fs_search_auto_mountpoints(httpd_t)
++fs_read_iso9660_files(httpd_t)
++fs_read_anon_inodefs_files(httpd_t)
+
+ auth_use_nsswitch(httpd_t)
+
+-# execute perl
+-corecmd_exec_bin(httpd_t)
+-corecmd_exec_shell(httpd_t)
++application_exec_all(httpd_t)
+
+ domain_use_interactive_fds(httpd_t)
+
+@@ -391,6 +480,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+ files_read_usr_files(httpd_t)
+ files_list_mnt(httpd_t)
+ files_search_spool(httpd_t)
++files_read_var_symlinks(httpd_t)
+ files_read_var_lib_files(httpd_t)
+ files_search_home(httpd_t)
+ files_getattr_home_dir(httpd_t)
+@@ -402,6 +492,10 @@ files_read_etc_files(httpd_t)
+ files_read_var_lib_symlinks(httpd_t)
+
+ fs_search_auto_mountpoints(httpd_sys_script_t)
++# php uploads a file to /tmp and then execs programs to acton them
++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ libs_read_lib_files(httpd_t)
+
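Review bot: The new block gives `httpd_sys_script_t` manage rights on `httpd_tmp_t`, but the accompanying `files_tmp_filetrans` labels what the script creates in `/tmp` as `httpd_sys_rw_content_t`, so the uploads get a type the script has no create rule for here while the tmp type it can manage is never assigned. One of the two is wrong; given the comment, `files_tmp_filetrans(httpd_sys_script_t, httpd_tmp_t, { dir file lnk_file sock_file fifo_file })` looks like the intent. This matters because `httpd_sys_rw_content_t` is added to `httpdcontent` in this patch and `httpdcontent` is an `entrypoint` type for the script domain under `httpd_enable_cgi && httpd_unified`, so labeling `/tmp` uploads that way would make them candidate script entrypoints. The rules are also unconditional and sit in the `httpd_t` section; they belong with the script policy under `httpd_enable_cgi`, and the comment should read `act on them`.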
+@@ -416,34 +510,73 @@ seutil_dontaudit_search_config(httpd_t)
+
+ userdom_use_unpriv_users_fds(httpd_t)
+
++tunable_policy(`httpd_setrlimit',`
++ allow httpd_t self:process setrlimit;
++ allow httpd_t self:capability sys_resource;
++')
++
+ tunable_policy(`allow_httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
+ ')
+
+-ifdef(`TODO', `
+ #
+ # We need optionals to be able to be within booleans to make this work
+ #
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
++ auth_domtrans_chkpwd(httpd_t)
++ logging_send_audit_msgs(httpd_t)
+ ')
++
++optional_policy(`
++ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
++ samba_domtrans_winbind_helper(httpd_t)
++ ')
+ ')
+
+ tunable_policy(`httpd_can_network_connect',`
+ corenet_tcp_connect_all_ports(httpd_t)
+ ')
+
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_t)
++ corenet_sendrecv_mssql_client_packets(httpd_t)
++ corenet_tcp_connect_oracledb_port(httpd_t)
++ corenet_sendrecv_oracledb_client_packets(httpd_t)
++')
++
++tunable_policy(`httpd_can_network_memcache',`
++ corenet_tcp_connect_memcache_port(httpd_t)
++')
++
+ tunable_policy(`httpd_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
++ corenet_tcp_connect_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
++ corenet_sendrecv_squid_client_packets(httpd_t)
++')
++
++tunable_policy(`httpd_execmem',`
++ allow httpd_t self:process { execmem execstack };
++ allow httpd_sys_script_t self:process { execmem execstack };
++ allow httpd_suexec_t self:process { execmem execstack };
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_unified',`
++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ can_exec(httpd_sys_script_t, httpd_sys_content_t)
++')
++
++tunable_policy(`allow_httpd_sys_script_anon_write',`
++ miscfiles_manage_public_files(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
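Review bot: The comment `# We need optionals to be able to be within booleans to make this work` described the `ifdef(`TODO'...)` wrapper this hunk removes, and now sits above a plain `tunable_policy` that builds fine; replace it with what the block does, e.g. `# mod_auth_pam: run the PAM password helper and emit audit records`. The `httpd_execmem` block is the most consequential new rule here because it grants `execmem execstack` to the listening `httpd_t` process itself, not just to scripts; a note such as `# NOTE: removes W^X for the whole server process -- confirm which module needs this` would make the cost visible to anyone flipping the boolean. Its description mentions "scripts and modules" but `httpd_user_script_t` and `httpd_php_t` are not covered, which may be intentional but is worth stating.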
+@@ -456,6 +589,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+
+ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
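Review bot: The three added `manage_*_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)` lines are subsumed by the existing `manage_*_pattern(httpd_t, httpdcontent, httpdcontent)` directly below them, because `httpd_sys_rw_content_t` receives the `httpdcontent` attribute earlier in this patch; only the `filetrans_pattern` adds anything. Dropping the redundant lines keeps the unified block readable. If the intent was for httpd to create `httpd_sys_rw_content_t` under any content directory, the `filetrans_pattern` should use `httpdcontent` as the directory type rather than `httpd_sys_content_t`.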
+@@ -466,15 +603,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
+ ')
+
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_t)
++tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
++ can_exec(httpd_t, httpd_tmp_t)
++')
++
++tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
++ can_exec(httpd_sys_script_t, httpd_tmp_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_t)
+ fs_read_nfs_files(httpd_t)
+ fs_read_nfs_symlinks(httpd_t)
+ ')
+
++tunable_policy(`httpd_use_nfs',`
++ fs_list_auto_mountpoints(httpd_t)
++ fs_manage_nfs_dirs(httpd_t)
++ fs_manage_nfs_files(httpd_t)
++ fs_manage_nfs_symlinks(httpd_t)
++')
++
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
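Review bot: `httpd_use_nfs` now grants `fs_manage_nfs_dirs/files/symlinks` to `httpd_t`, i.e. create, write and delete on every NFS mount, while the boolean's description says only "access nfs file systems" and the home-directory case just above deliberately stays at `fs_read_nfs_files`. Either document the write capability in the tunable description (`Allow httpd to read and write nfs file systems`) or split it into read and read-write booleans so sites serving static content from NFS do not have to grant write. The same applies to the `httpd_use_cifs` manage rules added further down.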
+@@ -484,7 +633,16 @@ tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
++ corenet_tcp_connect_pop_port(httpd_t)
++ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
++ mta_signal_system_mail(httpd_t)
++')
++
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
+ ')
+
+ tunable_policy(`httpd_ssi_exec',`
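Review bot: `httpd_can_sendmail` now also allows `corenet_tcp_connect_pop_port`, but the boolean is described as "Allow http daemon to send mail"; POP is mail retrieval, and an admin enabling it for outbound notifications would not expect httpd to reach mailbox servers. Either move the POP rules under a more accurately named tunable or extend the description to `Allow http daemon to send mail and connect to POP servers`. `mta_signal_system_mail(httpd_t)` likewise deserves a short comment on why the web server needs to signal the MTA.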
+@@ -499,9 +657,11 @@ tunable_policy(`httpd_ssi_exec',`
+ # to run correctly without this permission, so the permission
+ # are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+- userdom_use_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
++ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+ ')
+
+ optional_policy(`
+@@ -513,7 +673,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- cobbler_search_lib(httpd_t)
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
++ cobbler_read_lib_files(httpd_t)
++
++ tunable_policy(`httpd_can_network_connect_cobbler',`
++ corenet_tcp_connect_cobbler_port(httpd_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -528,7 +694,18 @@ optional_policy(`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+ ')
+
+- optional_policy(`
++optional_policy(`
++ dirsrv_manage_config(httpd_t)
++ dirsrv_manage_log(httpd_t)
++ dirsrv_manage_var_run(httpd_t)
++ dirsrv_read_share(httpd_t)
++ dirsrv_signal(httpd_t)
++ dirsrv_signull(httpd_t)
++ dirsrvadmin_manage_config(httpd_t)
++ dirsrvadmin_manage_tmp(httpd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(httpd_t)
+
+ tunable_policy(`httpd_dbus_avahi',`
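Review bot: The new `dirsrv_manage_config`, `dirsrv_manage_log` and `dirsrv_manage_var_run` calls let `httpd_t` rewrite the directory server's configuration, logs and pid files whenever the dirsrv module is loaded, with no boolean guarding them, so a compromised web application could alter the LDAP server's configuration. If this is for the 389 admin console, it would be safer to confine that CGI in its own domain (the `dirsrvadmin_*` interfaces suggest one exists) or to gate the manage rules behind a tunable, leaving `httpd_t` with `dirsrv_read_share` and the signal rules. At minimum add a comment naming the consumer, e.g. `# 389-ds admin console runs under httpd and edits dirsrv config`, so the grant is not mistaken for general policy. The indentation fix of the enclosing `optional_policy(` is fine.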
+@@ -537,8 +714,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ git_read_generic_system_content_files(httpd_t)
++ gitosis_read_lib_files(httpd_t)
++')
++
++optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+- gpg_domtrans(httpd_t)
++ gpg_domtrans_web(httpd_t)
+ ')
+ ')
+
+@@ -556,7 +738,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mediawiki_read_tmp_files(httpd_t)
++ mediawiki_delete_tmp_files(httpd_t)
++')
++
++optional_policy(`
+ # Allow httpd to work with mysql
++ mysql_read_config(httpd_t)
+ mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+@@ -567,6 +755,7 @@ optional_policy(`
+
+ optional_policy(`
+ nagios_read_config(httpd_t)
++ nagios_read_log(httpd_t)
+ ')
+
+ optional_policy(`
+@@ -577,6 +766,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
++')
++
++optional_policy(`
++ rpc_search_nfs_state_data(httpd_t)
++')
++
++optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+@@ -591,6 +790,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ smokeping_read_lib_files(httpd_t)
++')
++
++optional_policy(`
++ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
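Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is placed inside the snmp `optional_policy` block, so it is only compiled when the snmp module is present even though it concerns generic `/usr` directories; if it silences noise unrelated to snmp it should move out of the optional block, and if it is snmp-triggered that deserves a comment, e.g. `# net-snmp libraries attempt to open /usr dirs read-write`. That explanation is my guess from its placement and should be confirmed before writing it down.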
+@@ -603,6 +807,11 @@ optional_policy(`
+ yam_read_content(httpd_t)
+ ')
+
++optional_policy(`
++ zarafa_stream_connect_server(httpd_t)
++ zarafa_search_config(httpd_t)
++')
++
+ ########################################
+ #
+ # Apache helper local policy
+@@ -616,7 +825,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+
+ logging_send_syslog_msg(httpd_helper_t)
+
+-userdom_use_user_terminals(httpd_helper_t)
++userdom_use_inherited_user_terminals(httpd_helper_t)
++
++tunable_policy(`httpd_tty_comm',`
++ userdom_use_inherited_user_terminals(httpd_helper_t)
++')
+
+ ########################################
+ #
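Review bot: `userdom_use_inherited_user_terminals(httpd_helper_t)` is granted unconditionally and then again inside `tunable_policy(`httpd_tty_comm')`, so the tunable block has no effect for the helper. Either mirror the `httpd_t`/`httpd_suexec_t` handling above with an else branch, `userdom_dontaudit_use_user_terminals(httpd_helper_t)`, and drop the unconditional line, or remove the redundant tunable block; as written the helper can always use user terminals regardless of the boolean.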
+@@ -654,28 +867,29 @@ libs_exec_lib_files(httpd_php_t)
+ userdom_use_unpriv_users_fds(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_tcp_connect_mysqld_port(httpd_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_t)
+- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+-
+- corenet_tcp_connect_mssql_port(httpd_t)
+- corenet_sendrecv_mssql_client_packets(httpd_t)
+- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mssql_port(httpd_suexec_t)
+- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_mssql_port(httpd_php_t)
++ corenet_sendrecv_mssql_client_packets(httpd_php_t)
++ corenet_tcp_connect_oracledb_port(httpd_php_t)
++ corenet_sendrecv_oracledb_client_packets(httpd_php_t)
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(httpd_php_t)
++ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
++ postgresql_unpriv_client(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ ########################################
+@@ -699,17 +913,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++
+ kernel_read_kernel_sysctls(httpd_suexec_t)
+ kernel_list_proc(httpd_suexec_t)
+ kernel_read_proc_symlinks(httpd_suexec_t)
+
+ dev_read_urand(httpd_suexec_t)
+
++fs_read_iso9660_files(httpd_suexec_t)
+ fs_search_auto_mountpoints(httpd_suexec_t)
+
+-# for shell scripts
+-corecmd_exec_bin(httpd_suexec_t)
+-corecmd_exec_shell(httpd_suexec_t)
++application_exec_all(httpd_suexec_t)
+
+ files_read_etc_files(httpd_suexec_t)
+ files_read_usr_files(httpd_suexec_t)
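Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` runs system CGI scripts inside the suexec domain itself instead of transitioning to `httpd_sys_script_t`, so script code executes with whatever privileges `httpd_suexec_t` holds (the uid-switching capabilities it presumably has are declared outside this hunk); a `domtrans_pattern` to `httpd_sys_script_t` preserves the separation suexec exists to provide, so this needs a justifying comment if it is deliberate. The three `read_files_pattern(httpd_suexec_t, httpd_user_*_content_t, ...)` rules are unconditional, while the equivalent reads for `httpd_t` elsewhere in this patch are gated by `httpd_enable_homedirs`/`httpd_read_user_content`, and should probably sit under the same tunables. `application_exec_all(httpd_suexec_t)` widens the old `corecmd_exec_bin`/`corecmd_exec_shell` pair to every application entrypoint type, as for `httpd_t`.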
+@@ -740,13 +959,26 @@ tunable_policy(`httpd_can_network_connect',`
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+ ')
+
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_suexec_t)
++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_oracledb_port(httpd_suexec_t)
++ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
++')
++
++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
++
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+-
++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
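Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` makes the read-only web content type an unconditional entrypoint for the CGI domain, while the same `entrypoint` permission is deliberately gated by `httpd_enable_cgi && httpd_unified` elsewhere in this patch; with this line a file labeled `httpd_sys_content_t` is a valid entrypoint even when CGI is disabled. If an unconditional entry type is needed (for example for suexec), `httpd_sys_script_exec_t` is already the script exec type and should be used instead; otherwise move this into the unified tunable block or drop it. The line also sits in the suexec section although it concerns `httpd_sys_script_t`.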
+@@ -769,6 +1001,25 @@ optional_policy(`
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+ ')
+
++optional_policy(`
++ mysql_stream_connect(httpd_suexec_t)
++ mysql_rw_db_sockets(httpd_suexec_t)
++ mysql_read_config(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_suexec_t)
++ ')
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_suexec_t)
++ postgresql_unpriv_client(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_suexec_t)
++ ')
++')
++
+ ########################################
+ #
+ # Apache system script local policy
+@@ -789,12 +1040,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+
+ kernel_read_kernel_sysctls(httpd_sys_script_t)
+
++files_read_var_symlinks(httpd_sys_script_t)
+ files_search_var_lib(httpd_sys_script_t)
+ files_search_spool(httpd_sys_script_t)
+
++logging_inherit_append_all_logs(httpd_sys_script_t)
++
+ # Should we add a boolean?
+ apache_domtrans_rotatelogs(httpd_sys_script_t)
+
++auth_use_nsswitch(httpd_sys_script_t)
++
+ ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+ ')
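Review bot: `logging_inherit_append_all_logs(httpd_sys_script_t)` lets every system CGI script append to any log-file type via inherited descriptors, which is broader than the `httpd_log_t` append rule two lines below; if the need is only Apache's own error log passed to scripts as stderr, an `apache_append_log`-style rule or the existing `distro_redhat` rule already covers it. Append-only on inherited fds limits the exposure, but log injection into other services' logs remains possible, so the rule should carry a comment naming the case it fixes. `auth_use_nsswitch(httpd_sys_script_t)` is reasonable for scripts that resolve users or hosts but equally deserves a one-line note.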
+@@ -803,18 +1059,49 @@ tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
+ ')
+
++optional_policy(`
++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
++ spamassassin_domtrans_client(httpd_t)
++ ')
++')
++
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
++ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
++')
++
++fs_cifs_entry_type(httpd_sys_script_t)
++fs_read_iso9660_files(httpd_sys_script_t)
++fs_nfs_entry_type(httpd_sys_script_t)
++
++tunable_policy(`httpd_use_nfs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
++ fs_manage_nfs_dirs(httpd_sys_script_t)
++ fs_manage_nfs_files(httpd_sys_script_t)
++ fs_manage_nfs_symlinks(httpd_sys_script_t)
++ fs_exec_nfs_files(httpd_sys_script_t)
++
++ fs_list_auto_mountpoints(httpd_suexec_t)
++ fs_manage_nfs_dirs(httpd_suexec_t)
++ fs_manage_nfs_files(httpd_suexec_t)
++ fs_manage_nfs_symlinks(httpd_suexec_t)
++ fs_exec_nfs_files(httpd_suexec_t)
++')
++
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+- corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+- corenet_udp_bind_all_nodes(httpd_sys_script_t)
++ corenet_tcp_bind_generic_node(httpd_sys_script_t)
++ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+- corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+- corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
++ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
++ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
++ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
++ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
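Review bot: The spam-check rule `spamassassin_domtrans_client(httpd_t)` is gated on `httpd_can_sendmail && httpd_can_check_spam`, so enabling `httpd_can_check_spam` alone (as its description "Allow http daemon to check spam" suggests) does nothing; unless spam checking genuinely depends on sendmail the condition should be `httpd_can_check_spam` alone, and the rule belongs in the `httpd_t` section since it targets `httpd_t`, not `httpd_sys_script_t`. The `httpd_use_nfs` block here also carries `httpd_suexec_t` rules and grants `fs_exec_nfs_files` to both domains, which deserves a comment because anything writable on the export then becomes executable script content. The `httpd_can_network_connect_db` block is now repeated for `httpd_t`, `httpd_php_t`, `httpd_suexec_t` and `httpd_sys_script_t`; an attribute shared by the four domains would avoid four copies to keep in sync.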
+@@ -822,14 +1109,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ ')
+
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_sys_script_t)
++ userdom_search_user_home_dirs(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
++tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_sys_script_t)
++ fs_manage_cifs_files(httpd_sys_script_t)
++ fs_manage_cifs_symlinks(httpd_sys_script_t)
++ fs_manage_cifs_dirs(httpd_suexec_t)
++ fs_manage_cifs_files(httpd_suexec_t)
++ fs_manage_cifs_symlinks(httpd_suexec_t)
++ fs_exec_cifs_files(httpd_suexec_t)
++')
++
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
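Review bot: Under `httpd_use_cifs` only `httpd_suexec_t` receives `fs_exec_cifs_files`, whereas the `httpd_use_nfs` block earlier in this file grants `fs_exec_nfs_files` to both `httpd_sys_script_t` and `httpd_suexec_t`; if the asymmetry is intentional (scripts on CIFS must go through suexec) a comment should say so, otherwise the two blocks should match. The manage rules here also grant write access to all CIFS mounts while the boolean is described only as "access cifs file systems", so the description should mention read-write.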
+@@ -842,10 +1144,20 @@ optional_policy(`
+ optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
++ mysql_read_config(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ ########################################
+@@ -891,11 +1203,21 @@ optional_policy(`
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ ')
+
+ # allow accessing files/dirs below the users home dir
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_t)
+- userdom_search_user_home_dirs(httpd_suexec_t)
+- userdom_search_user_home_dirs(httpd_user_script_t)
++ userdom_search_user_home_content(httpd_t)
++ userdom_search_user_home_content(httpd_suexec_t)
++ userdom_search_user_home_content(httpd_user_script_t)
++')
++
++tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_t)
++ userdom_read_user_home_content_files(httpd_suexec_t)
++ userdom_read_user_home_content_files(httpd_user_script_t)
+ ')
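Review bot: `httpd_read_user_content` is described as "Allow httpd to read user content", but the rule it enables, `userdom_read_user_home_content_files`, grants `httpd_t`, `httpd_suexec_t` and `httpd_user_script_t` read access to every file under users' home directories, not only content labeled `httpd_user_content_t`; the description should say `Allow httpd to read all files in user home directories` so admins understand the scope. The new `manage_*_pattern(httpd_user_script_t, httpd_user_content_t, ...)` rules in the unified block also turn the nominally read-only user content type into writable content for user scripts, which is consistent with `httpd_unified` but worth a comment since it covers the plain content type, not just the rw/ra types.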
+diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
+index cd07b96..a87d1dd 100644
+--- a/policy/modules/services/apcupsd.fc
++++ b/policy/modules/services/apcupsd.fc
+@@ -13,3 +13,4 @@
+ /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+ /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+ /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
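Review bot: `/var/www/cgi-bin/apcgui(/.*)?` labels the directory and everything beneath it as `httpd_apcupsd_cgi_script_exec_t`, unlike the preceding entries, which label individual `.cgi` files with `--`; any image, template or data file under `apcgui/` then becomes a valid entrypoint/executable for the CGI domain. Prefer labeling only the scripts, e.g. `/var/www/cgi-bin/apcgui/.*\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)`, and let the rest of the directory keep the ordinary web content label.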
+diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
+index d052bf0..ec55314 100644
+--- a/policy/modules/services/apcupsd.te
++++ b/policy/modules/services/apcupsd.te
+@@ -87,13 +87,17 @@ miscfiles_read_localization(apcupsd_t)
+
+ sysnet_dns_name_resolve(apcupsd_t)
+
+-userdom_use_user_ttys(apcupsd_t)
++userdom_use_inherited_user_ttys(apcupsd_t)
+
+ optional_policy(`
+ hostname_exec(apcupsd_t)
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(apcupsd_t)
++')
++
++optional_policy(`
+ mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
+ ')
+diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
+index 1ea99b2..49e6c74 100644
+--- a/policy/modules/services/apm.if
++++ b/policy/modules/services/apm.if
+@@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
+ type apmd_t;
+ ')
+
+- allow $1 apmd_t:fifo_file write;
++ allow $1 apmd_t:fifo_file write_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -89,7 +89,7 @@ interface(`apm_append_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 apmd_log_t:file append;
++ allow $1 apmd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 apmd_var_run_t:sock_file write;
+- allow $1 apmd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
+ ')
+diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
+index 1c8c27e..6ddb10d 100644
+--- a/policy/modules/services/apm.te
++++ b/policy/modules/services/apm.te
+@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
+ #
+ # Declarations
+ #
++
+ type apmd_t;
+ type apmd_exec_t;
+ init_daemon_domain(apmd_t, apmd_exec_t)
+@@ -45,7 +46,7 @@ dev_rw_apm_bios(apm_t)
+
+ fs_getattr_xattr_fs(apm_t)
+
+-term_use_all_terms(apm_t)
++term_use_all_inherited_terms(apm_t)
+
+ domain_use_interactive_fds(apm_t)
+
+@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+ dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+ allow apmd_t self:process { signal_perms getsession };
+ allow apmd_t self:fifo_file rw_fifo_file_perms;
++allow apmd_t self:netlink_socket create_socket_perms;
+ allow apmd_t self:unix_dgram_socket create_socket_perms;
+ allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
+
++dev_read_input(apmd_t)
++dev_read_mouse(apmd_t)
+ dev_read_realtime_clock(apmd_t)
+ dev_read_urand(apmd_t)
+ dev_rw_apm_bios(apmd_t)
+@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t)
+ miscfiles_read_localization(apmd_t)
+ miscfiles_read_hwdata(apmd_t)
+
+-modutils_domtrans_insmod(apmd_t)
+-modutils_read_module_config(apmd_t)
+-
+ seutil_dontaudit_read_config(apmd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+@@ -142,9 +143,8 @@ ifdef(`distro_redhat',`
+
+ can_exec(apmd_t, apmd_var_run_t)
+
+- # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+- sysnet_domtrans_ifconfig(apmd_t)
++ fstools_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+@@ -155,6 +155,15 @@ ifdef(`distro_redhat',`
+ netutils_domtrans(apmd_t)
+ ')
+
++ # ifconfig_exec_t needs to be run in its own domain for Red Hat
++ optional_policy(`
++ sssd_search_lib(apmd_t)
++ ')
++
++ optional_policy(`
++ sysnet_domtrans_ifconfig(apmd_t)
++ ')
++
+ ',`
+ # for ifconfig which is run all the time
+ kernel_dontaudit_search_sysctl(apmd_t)
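Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` (now placed at the top of this hunk) has ended up above the new `sssd_search_lib(apmd_t)` block rather than the `sysnet_domtrans_ifconfig(apmd_t)` block it describes; after this move the comment documents the wrong rule. Move it so it sits directly above the `optional_policy(\`` that wraps `sysnet_domtrans_ifconfig(apmd_t)`, or give the sssd block its own one-line reason. The enclosing `ifdef(\`distro_redhat'` block starts and ends outside this hunk.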
+@@ -205,6 +214,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(apmd_t)
++ modutils_read_module_config(apmd_t)
++')
++
++optional_policy(`
+ pcmcia_domtrans_cardmgr(apmd_t)
+ pcmcia_domtrans_cardctl(apmd_t)
+ ')
+@@ -218,9 +232,9 @@ optional_policy(`
+ udev_read_state(apmd_t) #necessary?
+ ')
+
+-optional_policy(`
+- unconfined_domain(apmd_t)
+-')
++#optional_policy(`
++# unconfined_domain(apmd_t)
++#')
+
+ optional_policy(`
+ vbetool_domtrans(apmd_t)
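Review bot: The `unconfined_domain(apmd_t)` block is commented out rather than removed, which leaves dead policy text in apm.te that reads as "still under consideration". If the intent is that apmd_t is now confined, delete the three lines; if a record is wanted, the commit message is the place for it. Either way, one line such as `# apmd_t is confined; unconfined_domain was dropped` near the local policy is more useful than a commented-out rule.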
+diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
+index c804110..bdefbe1 100644
+--- a/policy/modules/services/arpwatch.if
++++ b/policy/modules/services/arpwatch.if
+@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
+ type arpwatch_initrc_exec_t;
+ ')
+
+- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
++ allow $1 arpwatch_t:process { ptrace signal_perms };
+ ps_process_pattern($1, arpwatch_t)
+
+ arpwatch_initrc_domtrans($1)
+diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
+index 804135f..af04567 100644
+--- a/policy/modules/services/arpwatch.te
++++ b/policy/modules/services/arpwatch.te
+@@ -47,8 +47,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+ files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+ kernel_read_network_state(arpwatch_t)
++# meminfo
++kernel_read_system_state(arpwatch_t)
+ kernel_read_kernel_sysctls(arpwatch_t)
+-kernel_list_proc(arpwatch_t)
+ kernel_read_proc_symlinks(arpwatch_t)
+ kernel_request_load_module(arpwatch_t)
+
+diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
+index 8b8143e..c1a2b96 100644
+--- a/policy/modules/services/asterisk.if
++++ b/policy/modules/services/asterisk.if
+@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
+ type asterisk_initrc_exec_t;
+ ')
+
+- allow $1 asterisk_t:process { ptrace signal_perms getattr };
++ allow $1 asterisk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
+index b3b0176..99f98ff 100644
+--- a/policy/modules/services/asterisk.te
++++ b/policy/modules/services/asterisk.te
+@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+ manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+ files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+
++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
+
+ kernel_read_system_state(asterisk_t)
+ kernel_read_kernel_sysctls(asterisk_t)
+@@ -108,6 +109,7 @@ corenet_tcp_bind_generic_port(asterisk_t)
+ corenet_udp_bind_generic_port(asterisk_t)
+ corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+ corenet_sendrecv_generic_server_packets(asterisk_t)
++corenet_tcp_connect_festival_port(asterisk_t)
+ corenet_tcp_connect_postgresql_port(asterisk_t)
+ corenet_tcp_connect_snmp_port(asterisk_t)
+ corenet_tcp_connect_sip_port(asterisk_t)
+diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
+index d80a16b..a43e006 100644
+--- a/policy/modules/services/automount.if
++++ b/policy/modules/services/automount.if
+@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
+ ##
+ ##
+ #
+-#
+ interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+@@ -68,7 +67,8 @@ interface(`automount_read_state',`
+ type automount_t;
+ ')
+
+- read_files_pattern($1, automount_t, automount_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, automount_t)
+ ')
+
+ ########################################
+@@ -123,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+ type automount_tmp_t;
+ ')
+
+- dontaudit $1 automount_tmp_t:dir getattr;
++ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
+ ')
+
+ ########################################
+@@ -149,7 +149,7 @@ interface(`automount_admin',`
+ type automount_var_run_t, automount_initrc_exec_t;
+ ')
+
+- allow $1 automount_t:process { ptrace signal_perms getattr };
++ allow $1 automount_t:process { ptrace signal_perms };
+ ps_process_pattern($1, automount_t)
+
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
+diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
+index 39799db..d174b05 100644
+--- a/policy/modules/services/automount.te
++++ b/policy/modules/services/automount.te
+@@ -143,9 +143,6 @@ logging_search_logs(automount_t)
+ miscfiles_read_localization(automount_t)
+ miscfiles_read_generic_certs(automount_t)
+
+-# Run mount in the mount_t domain.
+-mount_domtrans(automount_t)
+-mount_signal(automount_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(automount_t)
+ userdom_dontaudit_search_user_home_dirs(automount_t)
+@@ -155,6 +152,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Run mount in the mount_t domain.
++ mount_domtrans(automount_t)
++ mount_domtrans_showmount(automount_t)
++ mount_signal(automount_t)
++')
++
++optional_policy(`
+ fstools_domtrans(automount_t)
+ ')
+
+diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
+index 61c74bc..c6b0498 100644
+--- a/policy/modules/services/avahi.if
++++ b/policy/modules/services/avahi.if
+@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
+ class dbus send_msg;
+ ')
+
++ allow avahi_t $1:file read;
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
+ ')
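Review bot: `allow avahi_t $1:file read;` grants the daemon read access on the caller domain's `file` class from inside an interface documented as D-Bus message exchange, and the interface header (outside this hunk) does not mention it. It also uses a bare `read` while the rest of this patch moves bare permissions to the `*_perms` macros (e.g. `write_fifo_file_perms` in apm.if). Either give the rule a comment saying which object avahi needs to read (presumably a per-process entry of the client, but that is not visible here) or move it to a purpose-named interface, and use `read_file_perms` if the full read set is intended.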
+diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
+index a7a0e71..5352ef6 100644
+--- a/policy/modules/services/avahi.te
++++ b/policy/modules/services/avahi.te
+@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
+
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
++init_sock_file(avahi_var_run_t)
+
+ ########################################
+ #
+@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+ kernel_read_system_state(avahi_t)
+ kernel_read_kernel_sysctls(avahi_t)
+ kernel_read_network_state(avahi_t)
++kernel_request_load_module(avahi_t)
+
+ corecmd_exec_bin(avahi_t)
+ corecmd_exec_shell(avahi_t)
+@@ -104,6 +106,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpcbind_signull(avahi_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+ ')
+
+diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
+index 44a1e3d..7e9d2fb 100644
+--- a/policy/modules/services/bind.if
++++ b/policy/modules/services/bind.if
+@@ -186,7 +186,7 @@ interface(`bind_write_config',`
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+- allow $1 named_conf_t:file setattr;
++ allow $1 named_conf_t:file setattr_file_perms;
+ ')
+
+ ########################################
+@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
+ type named_var_run_t;
+ ')
+
+- allow $1 named_var_run_t:dir setattr;
++ allow $1 named_var_run_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
+ type named_zone_t;
+ ')
+
+- allow $1 named_zone_t:dir setattr;
++ allow $1 named_zone_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
+
+ ########################################
+ ##
++## Read BIND zone files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_read_log',`
++ gen_require(`
++ type named_zone_t;
++ type named_log_t;
++ ')
++
++ files_search_var($1)
++ allow $1 named_zone_t:dir search_dir_perms;
++ read_files_pattern($1, named_log_t, named_log_t)
++')
++
++########################################
++##
+ ## Manage BIND zone files.
+ ##
+ ##
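Review bot: The summary of the new `bind_read_log` interface says `## Read BIND zone files.`, copied from the `bind_read_zone` interface above it; it should read `## Read BIND log files.` so the generated interface documentation is not misleading. If the `allow $1 named_zone_t:dir search_dir_perms;` is there because the log directory lives below the zone directory, a one-line comment saying so would stop a later cleanup from removing what looks like an unrelated zone-directory permission.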
+@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',`
+ interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+- type named_conf_t, named_var_lib_t, named_var_run_t;
+- type named_cache_t, named_zone_t;
+- type dnssec_t, ndc_t;
+- type named_initrc_exec_t;
++ type named_conf_t, named_var_run_t, named_cache_t;
++ type named_zone_t, named_initrc_exec_t;
++ type dnssec_t, ndc_t, named_keytab_t;
+ ')
+
+ allow $1 named_t:process { ptrace signal_perms };
+@@ -391,8 +411,7 @@ interface(`bind_admin',`
+ admin_pattern($1, named_zone_t)
+ admin_pattern($1, dnssec_t)
+
+- files_list_var_lib($1)
+- admin_pattern($1, named_var_lib_t)
++ admin_pattern($1, named_keytab_t)
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
+index 4deca04..14d5f4c 100644
+--- a/policy/modules/services/bind.te
++++ b/policy/modules/services/bind.te
+@@ -6,10 +6,10 @@ policy_module(bind, 1.11.0)
+ #
+
+ ##
+-##
+-## Allow BIND to write the master zone files.
+-## Generally this is used for dynamic DNS or zone transfers.
+-##
++##
++## Allow BIND to write the master zone files.
++## Generally this is used for dynamic DNS or zone transfers.
++##
+ ##
+ gen_tunable(named_write_master_zones, false)
+
+@@ -27,7 +27,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
+
+ # A type for configuration files of named.
+ type named_conf_t;
+-files_type(named_conf_t)
++files_config_file(named_conf_t)
+ files_mountpoint(named_conf_t)
+
+ # for secondary zone files
+@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+ manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+ files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
++manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+-files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
++files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
+
+ # read zone files
+ allow named_t named_zone_t:dir list_dir_perms;
+@@ -201,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
+ allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow ndc_t dnssec_t:file read_file_perms;
+-allow ndc_t dnssec_t:lnk_file { getattr read };
++allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
+
+ stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+ allow ndc_t named_conf_t:file read_file_perms;
+-allow ndc_t named_conf_t:lnk_file { getattr read };
++allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+
+ allow ndc_t named_zone_t:dir search_dir_perms;
+
+@@ -238,13 +239,13 @@ miscfiles_read_localization(ndc_t)
+ sysnet_read_config(ndc_t)
+ sysnet_dns_name_resolve(ndc_t)
+
+-userdom_use_user_terminals(ndc_t)
++userdom_use_inherited_user_terminals(ndc_t)
+
+ term_dontaudit_use_console(ndc_t)
+
+ # for /etc/rndc.key
+ ifdef(`distro_redhat',`
+- allow ndc_t named_conf_t:dir search;
++ allow ndc_t named_conf_t:dir search_dir_perms;
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
+index 0197980..f8bce2c 100644
+--- a/policy/modules/services/bitlbee.fc
++++ b/policy/modules/services/bitlbee.fc
+@@ -4,3 +4,6 @@
+ /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
+ /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
++
++/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
++/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
+index f4e7ad3..68aebc4 100644
+--- a/policy/modules/services/bitlbee.te
++++ b/policy/modules/services/bitlbee.te
+@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
+ type bitlbee_var_t;
+ files_type(bitlbee_var_t)
+
++type bitlbee_var_run_t;
++files_type(bitlbee_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow bitlbee_t self:capability { setgid setuid };
+-allow bitlbee_t self:process signal;
++allow bitlbee_t self:capability { setgid setuid sys_nice };
++allow bitlbee_t self:process { setsched signal };
++
++allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+ allow bitlbee_t self:udp_socket create_socket_perms;
+ allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+ allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+-allow bitlbee_t self:fifo_file rw_fifo_file_perms;
++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
+
+ bitlbee_read_config(bitlbee_t)
+
+ # tmp files
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
++manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+
+ # user account information is read and edited at runtime; give the usual
+ # r/w access to bitlbee_var_t
+ manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+ files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
++manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
++
+ kernel_read_system_state(bitlbee_t)
+
+ corenet_all_recvfrom_unlabeled(bitlbee_t)
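Review bot: `bitlbee_var_run_t` is declared with `files_type(bitlbee_var_run_t)` although it is used as a pid-file type: bitlbee.fc labels `/var/run/bitlbee\.pid` and `/var/run/bitlbee\.sock` with it and this hunk adds `files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })`. Every other runtime type in this patch is declared with `files_pid_file` (for example `files_pid_file(avahi_var_run_t)` in avahi.te), which places it in the pid-file attribute that generic /var/run cleanup and administration interfaces operate on. Change the declaration to `files_pid_file(bitlbee_var_run_t)`.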
+@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
+ corenet_udp_sendrecv_generic_node(bitlbee_t)
+ corenet_tcp_sendrecv_generic_if(bitlbee_t)
+ corenet_tcp_sendrecv_generic_node(bitlbee_t)
++corenet_tcp_bind_generic_node(bitlbee_t)
+ # Allow bitlbee to connect to jabber servers
+ corenet_tcp_connect_jabber_client_port(bitlbee_t)
+ corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
+index 3e45431..fa57a6f 100644
+--- a/policy/modules/services/bluetooth.if
++++ b/policy/modules/services/bluetooth.if
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`bluetooth_role',`
+ gen_require(`
+@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+- allow $2 bluetooth_helper_t:process signal;
++ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
+ type bluetooth_conf_t;
+ ')
+
+- allow $1 bluetooth_conf_t:file { getattr read ioctl };
++ allow $1 bluetooth_conf_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## bluetooth over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bluetooth_dontaudit_dbus_chat',`
++ gen_require(`
++ type bluetooth_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 bluetooth_t:dbus send_msg;
++ dontaudit bluetooth_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+ ##
+ ##
+@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',`
+
+ ########################################
+ ##
+-## Read bluetooth helper state files.
++## Do not audit attempts to read bluetooth helper state files.
+ ##
+ ##
+ ##
+@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ type bluetooth_helper_t;
+ ')
+
+- dontaudit $1 bluetooth_helper_t:dir search;
+- dontaudit $1 bluetooth_helper_t:file { read getattr };
++ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
++ dontaudit $1 bluetooth_helper_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ interface(`bluetooth_admin',`
+ gen_require(`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
++ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t;
+- type bluetooth_initrc_exec_t;
+ ')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
+@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
+ admin_pattern($1, bluetooth_conf_t)
+ admin_pattern($1, bluetooth_conf_rw_t)
+
+- files_list_spool($1)
+- admin_pattern($1, bluetooth_spool_t)
+-
+ files_list_var_lib($1)
+ admin_pattern($1, bluetooth_var_lib_t)
+
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 215b86b..4a3569f 100644
+--- a/policy/modules/services/bluetooth.te
++++ b/policy/modules/services/bluetooth.te
+@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
+ #
+ # Declarations
+ #
++
+ type bluetooth_t;
+ type bluetooth_exec_t;
+ init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+
+ type bluetooth_conf_t;
+-files_type(bluetooth_conf_t)
++files_config_file(bluetooth_conf_t)
+
+ type bluetooth_conf_rw_t;
+ files_type(bluetooth_conf_rw_t)
+@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t)
+ #search debugfs - redhat bug 548206
+ kernel_search_debugfs(bluetooth_t)
+
++ifdef(`hide_broken_symptoms', `
++ kernel_rw_unlabeled_socket(bluetooth_t)
++ dev_rw_generic_chr_files(bluetooth_t)
++')
++
+ corenet_all_recvfrom_unlabeled(bluetooth_t)
+ corenet_all_recvfrom_netlabel(bluetooth_t)
+ corenet_tcp_sendrecv_generic_if(bluetooth_t)
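Review bot: The `hide_broken_symptoms` block grants `dev_rw_generic_chr_files(bluetooth_t)`, which is read/write on every unlabeled character device, and `kernel_rw_unlabeled_socket(bluetooth_t)`, with no note of what symptom they hide. The adjacent `kernel_search_debugfs` rule shows the convention this file follows, citing the bug it works around; a comment such as `# [bug reference]: bluetoothd opens generic chr devices during adapter setup` (reference and reason to be filled in by the author) would let a later reviewer decide when the workaround can go. Without it, a broad device permission sits in the policy with nothing tying it to a removable condition.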
+@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+ optional_policy(`
++ devicekit_dbus_chat_power(bluetooth_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
+diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
+new file mode 100644
+index 0000000..c095160
+--- /dev/null
++++ b/policy/modules/services/boinc.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
+new file mode 100644
+index 0000000..fa9b95a
+--- /dev/null
++++ b/policy/modules/services/boinc.if
+@@ -0,0 +1,150 @@
++## policy for boinc
++
++########################################
++##
++## Execute a domain transition to run boinc.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_domtrans',`
++ gen_require(`
++ type boinc_t, boinc_exec_t;
++ ')
++
++ domtrans_pattern($1, boinc_exec_t, boinc_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_initrc_domtrans',`
++ gen_require(`
++ type boinc_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++')
++
++########################################
++##
++## Search boinc lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_search_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ allow $1 boinc_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_read_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Manage boinc var_lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_var_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an boinc environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`boinc_admin',`
++ gen_require(`
++ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++ ')
++
++ allow $1 boinc_t:process { ptrace signal_perms };
++ ps_process_pattern($1, boinc_t)
++
++ boinc_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 boinc_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_var_lib($1)
++ admin_pattern($1, boinc_var_lib_t)
++')
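Review bot: `boinc_admin` covers only `boinc_t`, so an administrator granted this interface can neither see nor signal the `boinc_project_t` processes the daemon spawns (declared in boinc.te via `domain_type(boinc_project_t)`), which are the workloads an admin is most likely to need to kill. Add `type boinc_project_t;` to the `gen_require`, then `allow $1 boinc_project_t:process { ptrace signal_perms };` and `ps_process_pattern($1, boinc_project_t)` next to the existing boinc_t rules; the tmp, tmpfs and project var_lib types declared in boinc.te are likewise not administered here. The summary `## an boinc environment.` should read `## a boinc environment.`.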
+diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
+new file mode 100644
+index 0000000..11ad49a
+--- /dev/null
++++ b/policy/modules/services/boinc.te
+@@ -0,0 +1,171 @@
++policy_module(boinc, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type boinc_t;
++type boinc_exec_t;
++init_daemon_domain(boinc_t, boinc_exec_t)
++
++type boinc_initrc_exec_t;
++init_script_file(boinc_initrc_exec_t)
++
++type boinc_tmp_t;
++files_tmp_file(boinc_tmp_t)
++
++type boinc_tmpfs_t;
++files_tmpfs_file(boinc_tmpfs_t)
++
++type boinc_var_lib_t;
++files_type(boinc_var_lib_t)
++
++type boinc_project_t;
++domain_type(boinc_project_t)
++role system_r types boinc_project_t;
++
++type boinc_project_tmp_t;
++files_tmp_file(boinc_project_tmp_t)
++
++type boinc_project_var_lib_t;
++files_type(boinc_project_var_lib_t)
++
++########################################
++#
++# boinc local policy
++#
++
++allow boinc_t self:capability { kill };
++allow boinc_t self:process { setsched sigkill };
++
++allow boinc_t self:fifo_file rw_fifo_file_perms;
++allow boinc_t self:unix_stream_socket create_stream_socket_perms;
++allow boinc_t self:tcp_socket create_stream_socket_perms;
++allow boinc_t self:sem create_sem_perms;
++allow boinc_t self:shm create_shm_perms;
++
++manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
++manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
++files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
++
++manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
++fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
++
++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
++
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++
++# needs read /proc/interrupts
++kernel_read_system_state(boinc_t)
++
++files_getattr_all_dirs(boinc_t)
++files_getattr_all_files(boinc_t)
++
++corecmd_exec_bin(boinc_t)
++corecmd_exec_shell(boinc_t)
++
++corenet_all_recvfrom_unlabeled(boinc_t)
++corenet_all_recvfrom_netlabel(boinc_t)
++corenet_tcp_sendrecv_generic_if(boinc_t)
++corenet_udp_sendrecv_generic_if(boinc_t)
++corenet_tcp_sendrecv_generic_node(boinc_t)
++corenet_udp_sendrecv_generic_node(boinc_t)
++corenet_tcp_sendrecv_all_ports(boinc_t)
++corenet_udp_sendrecv_all_ports(boinc_t)
++corenet_tcp_bind_generic_node(boinc_t)
++corenet_udp_bind_generic_node(boinc_t)
++corenet_tcp_bind_boinc_port(boinc_t)
++corenet_tcp_connect_boinc_port(boinc_t)
++corenet_tcp_connect_http_port(boinc_t)
++corenet_tcp_connect_http_cache_port(boinc_t)
++
++dev_list_sysfs(boinc_t)
++dev_read_rand(boinc_t)
++dev_read_urand(boinc_t)
++dev_read_sysfs(boinc_t)
++
++domain_read_all_domains_state(boinc_t)
++
++files_dontaudit_getattr_boot_dirs(boinc_t)
++
++files_read_etc_files(boinc_t)
++files_read_usr_files(boinc_t)
++
++fs_getattr_all_fs(boinc_t)
++
++term_getattr_all_ptys(boinc_t)
++term_getattr_unallocated_ttys(boinc_t)
++
++init_read_utmp(boinc_t)
++
++miscfiles_read_localization(boinc_t)
++miscfiles_read_generic_certs(boinc_t)
++
++logging_send_syslog_msg(boinc_t)
++
++sysnet_dns_name_resolve(boinc_t)
++
++mta_send_mail(boinc_t)
++
++########################################
++#
++# boinc-projects local policy
++#
++
++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
++
++allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { execmem execstack };
++
++allow boinc_project_t self:fifo_file rw_fifo_file_perms;
++allow boinc_project_t self:sem create_sem_perms;
++
++manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
++
++allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++
++allow boinc_project_t boinc_project_var_lib_t:file execmod;
++
++allow boinc_project_t boinc_t:shm rw_shm_perms;
++allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
++
++list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
++rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
++
++kernel_read_system_state(boinc_project_t)
++kernel_read_kernel_sysctls(boinc_project_t)
++kernel_search_vm_sysctl(boinc_project_t)
++kernel_read_network_state(boinc_project_t)
++
++corecmd_exec_bin(boinc_project_t)
++corecmd_exec_shell(boinc_project_t)
++
++corenet_tcp_connect_boinc_port(boinc_project_t)
++
++dev_read_rand(boinc_project_t)
++dev_read_urand(boinc_project_t)
++dev_read_sysfs(boinc_project_t)
++dev_rw_xserver_misc(boinc_project_t)
++
++files_read_etc_files(boinc_project_t)
++files_read_etc_runtime_files(boinc_project_t)
++files_read_usr_files(boinc_project_t)
++
++miscfiles_read_fonts(boinc_project_t)
++miscfiles_read_localization(boinc_project_t)
++
++optional_policy(`
++ java_exec(boinc_project_t)
++')
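Review bot: `boinc_project_t` gets `execmem execstack` on itself and `execmod` on `boinc_project_var_lib_t`, while the same domain can create and write files of that type (`manage_files_pattern`) and use them as its entrypoint; a project workload can therefore write its own executables and run them with writable/executable memory, so the usual write-xor-execute separation does not hold inside this domain. That is plausibly deliberate for BOINC, where projects deliver their own binaries, but the file gives no reason, and the execmem/execstack/execmod rules are the ones a hardening pass would otherwise strip. Add a comment above the `allow boinc_project_t self:process { execmem execstack };` line explaining why project code needs these, and consider gating them behind a tunable as this policy does for other optional relaxations, so hosts that do not run such projects can keep them off.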
+diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
+new file mode 100644
+index 0000000..18f37e2
+--- /dev/null
++++ b/policy/modules/services/bugzilla.fc
+@@ -0,0 +1,4 @@
++
++/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
++/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
+new file mode 100644
+index 0000000..3964548
+--- /dev/null
++++ b/policy/modules/services/bugzilla.if
+@@ -0,0 +1,80 @@
++## Bugzilla server
++
++########################################
++##
++## Allow the specified domain to search
++## bugzilla directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bugzilla_search_dirs',`
++ gen_require(`
++ type httpd_bugzilla_content_t;
++ ')
++
++ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## bugzilla script unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
++ gen_require(`
++ type httpd_bugzilla_script_t;
++ ')
++
++ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an bugzilla environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the bugzilla domain.
++##
++##
++##
++#
++interface(`bugzilla_admin',`
++ gen_require(`
++ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
++ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
++ type httpd_bugzilla_htaccess_t;
++ ')
++
++ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, httpd_bugzilla_script_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, httpd_bugzilla_tmp_t)
++
++ files_list_var_lib(httpd_bugzilla_script_t)
++
++ apache_list_sys_content($1)
++ admin_pattern($1, httpd_bugzilla_script_exec_t)
++ admin_pattern($1, httpd_bugzilla_script_t)
++ admin_pattern($1, httpd_bugzilla_content_t)
++ admin_pattern($1, httpd_bugzilla_htaccess_t)
++ admin_pattern($1, httpd_bugzilla_rw_content_t)
++ admin_pattern($1, httpd_bugzilla_ra_content_t)
++')
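Review bot: `files_list_var_lib(httpd_bugzilla_script_t)` inside bugzilla_admin grants the script domain rather than the caller; every other rule in the interface targets `$1`, and it is the administrator who must traverse /var/lib to reach the rw content the .fc places under /var/lib/bugzilla, so this should read `files_list_var_lib($1)`. As written, the script domain's access silently depends on whether some role ever invokes bugzilla_admin. The description also documents a second, role parameter that the body never uses (no `allow $2 system_r` or `role_transition`, unlike certmaster_admin elsewhere in this patch); either drop that paragraph or add the role rules. "an bugzilla environment" should read "a bugzilla environment".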
+diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
+new file mode 100644
+index 0000000..5fa8122
+--- /dev/null
++++ b/policy/modules/services/bugzilla.te
+@@ -0,0 +1,57 @@
++policy_module(bugzilla, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(bugzilla)
++
++type httpd_bugzilla_tmp_t;
++files_tmp_file(httpd_bugzilla_tmp_t)
++
++########################################
++#
++# bugzilla local policy
++#
++
++allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
++allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
++allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
++corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
++corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
++corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
++
++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++
++files_search_var_lib(httpd_bugzilla_script_t)
++
++sysnet_read_config(httpd_bugzilla_script_t)
++sysnet_use_ldap(httpd_bugzilla_script_t)
++
++optional_policy(`
++ mta_send_mail(httpd_bugzilla_script_t)
++')
++
++optional_policy(`
++ mysql_search_db(httpd_bugzilla_script_t)
++ mysql_stream_connect(httpd_bugzilla_script_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_bugzilla_script_t)
++')
+diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
+new file mode 100644
+index 0000000..24d9837
+--- /dev/null
++++ b/policy/modules/services/cachefilesd.fc
+@@ -0,0 +1,29 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories:
++
++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
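Review bot: The pid file on the last line is labelled `cachefiles_var_t`, the type the .te reserves for cache contents, while cachefilesd.te declares `cachefilesd_var_run_t` with files_pid_file and a files_pid_filetrans for exactly this file. After a relabel (restorecon) the daemon would hold only `{ rename delete_file_perms }` on cachefiles_var_t:file and could no longer rewrite its pid file, and the kernel-module type would gain manage rights over it. Change the entry to `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`.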
+diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
+new file mode 100644
+index 0000000..3b41945
+--- /dev/null
++++ b/policy/modules/services/cachefilesd.if
+@@ -0,0 +1,35 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++## policy for cachefilesd
++
++########################################
++##
++## Execute a domain transition to run cachefilesd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cachefilesd_domtrans',`
++ gen_require(`
++ type cachefilesd_t, cachefilesd_exec_t;
++ ')
++
++ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
++')
+diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
+new file mode 100644
+index 0000000..e7d2a5b
+--- /dev/null
++++ b/policy/modules/services/cachefilesd.te
+@@ -0,0 +1,145 @@
++###############################################################################
++#
++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# This security policy governs access by the CacheFiles kernel module and
++# userspace management daemon to the files and directories in the on-disk
++# cache, on behalf of the processes accessing the cache through a network
++# filesystem such as NFS
++#
++policy_module(cachefilesd, 1.0.17)
++
++###############################################################################
++#
++# Declarations
++#
++
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
++type cachefilesd_t;
++type cachefilesd_exec_t;
++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
++
++#
++# The cachefilesd daemon pid file context
++#
++type cachefilesd_var_run_t;
++files_pid_file(cachefilesd_var_run_t)
++
++#
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
++#
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
++#
++# Permit RPM to deal with files in the cache
++#
++optional_policy(`
++ rpm_use_script_fds(cachefilesd_t)
++')
++
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These define what cachefilesd is permitted to do. This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache. It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
++
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
++manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
++files_create_as_is_all_files(cachefilesd_t)
++
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
++
++# Allow access to cache superstructure
++allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
++allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
++
++# Permit statfs on the backing filesystem
++fs_getattr_xattr_fs(cachefilesd_t)
++
++# Basic access
++files_read_etc_files(cachefilesd_t)
++miscfiles_read_localization(cachefilesd_t)
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
++term_dontaudit_use_generic_ptys(cachefilesd_t)
++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++
++###############################################################################
++#
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++#
++# There are two parts to this:
++#
++# (1) the security context used by the module to access files in the cache,
++# as set by the 'secctx' command in /etc/cachefilesd.conf, and
++#
++allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
++
++#
++# (2) the label that will be assigned to new files and directories created in
++# the cache by the module, which will be the same as the label on the
++# directory pointed to by the 'dir' command.
++#
++allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
++
++###############################################################################
++#
++# cachefiles kernel module local policy
++#
++# This governs what the kernel module is allowed to do the contents of the
++# cache.
++#
++allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
++
++manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++
++fs_getattr_xattr_fs(cachefiles_kernel_t)
++
++dev_search_sysfs(cachefiles_kernel_t)
++
++init_sigchld_script(cachefiles_kernel_t)
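Review bot: `files_create_as_is_all_files(cachefilesd_t)` grants create across the whole file_type attribute (as I read the refpolicy interface; confirm), which contradicts the "doesn't include very much" header comment above the local policy and is not needed for the pid file, since `manage_files_pattern` plus `files_pid_filetrans` on the preceding lines already cover it. The explicit `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` is likewise subsumed by the manage_files_pattern that follows it. Either drop both lines or add a comment naming the file type that must be created as-is; the `sys_admin` capability on the same block would also benefit from a why-comment.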
+diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
+index 1d25efe..1b16191 100644
+--- a/policy/modules/services/canna.te
++++ b/policy/modules/services/canna.te
+@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+ allow canna_t self:tcp_socket create_stream_socket_perms;
+
+ manage_files_pattern(canna_t, canna_log_t, canna_log_t)
+-allow canna_t canna_log_t:dir setattr;
++allow canna_t canna_log_t:dir setattr_dir_perms;
+ logging_log_filetrans(canna_t, canna_log_t, { file dir })
+
+ manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
+index 6ee2cc8..3105b09 100644
+--- a/policy/modules/services/ccs.if
++++ b/policy/modules/services/ccs.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ccs.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ccs_domtrans',`
+diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
+index 4c90b57..af806c2 100644
+--- a/policy/modules/services/ccs.te
++++ b/policy/modules/services/ccs.te
+@@ -10,7 +10,7 @@ type ccs_exec_t;
+ init_daemon_domain(ccs_t, ccs_exec_t)
+
+ type cluster_conf_t;
+-files_type(cluster_conf_t)
++files_config_file(cluster_conf_t)
+
+ type ccs_tmp_t;
+ files_tmp_file(ccs_tmp_t)
+@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
+-allow ccs_t ccs_var_log_t:dir setattr;
++allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
+ userdom_manage_unpriv_user_shared_mem(ccs_t)
+ userdom_manage_unpriv_user_semaphores(ccs_t)
+
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
+ ')
+@@ -118,5 +118,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ qpidd_rw_semaphores(ccs_t)
++ qpidd_rw_shm(ccs_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ccs_t)
+ ')
+diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
+index fa62787..ffd0da5 100644
+--- a/policy/modules/services/certmaster.if
++++ b/policy/modules/services/certmaster.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run certmaster.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`certmaster_domtrans',`
+@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
+ ##
+ ##
+ ##
+-## The role to be allowed to manage the syslog domain.
++## Role allowed access.
+ ##
+ ##
+ ##
+@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
+ interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+- type certmaster_etc_rw_t, certmaster_var_log_t;
+- type certmaster_initrc_exec_t;
++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+@@ -129,8 +128,8 @@ interface(`certmaster_admin',`
+ allow $2 system_r;
+
+ files_list_etc($1)
+- miscfiles_manage_generic_cert_dirs($1)
+- miscfiles_manage_generic_cert_files($1)
++ miscfiles_manage_generic_cert_dirs($1)
++ miscfiles_manage_generic_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
+index 3384132..daef4e1 100644
+--- a/policy/modules/services/certmaster.te
++++ b/policy/modules/services/certmaster.te
+@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+ # log files
+ manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
++logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
+
+ # pid file
+ manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+ manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
++files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
+
+ # read meminfo
+ kernel_read_system_state(certmaster_t)
+
+-corecmd_search_bin(certmaster_t)
+-corecmd_getattr_bin_files(certmaster_t)
++corecmd_exec_bin(certmaster_t)
+
+ corenet_tcp_bind_generic_node(certmaster_t)
+ corenet_tcp_bind_certmaster_port(certmaster_t)
+
+ files_search_etc(certmaster_t)
++files_read_usr_files(certmaster_t)
+ files_list_var(certmaster_t)
+ files_search_var_lib(certmaster_t)
+
+diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
+index 7a6e5ba..d664be8 100644
+--- a/policy/modules/services/certmonger.if
++++ b/policy/modules/services/certmonger.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run certmonger.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`certmonger_domtrans',`
+@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+ ')
+diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
+index c3e3f79..3e78d4e 100644
+--- a/policy/modules/services/certmonger.te
++++ b/policy/modules/services/certmonger.te
+@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
+ # certmonger local policy
+ #
+
+-allow certmonger_t self:capability { kill sys_nice };
++allow certmonger_t self:capability { dac_override dac_read_search kill sys_nice };
++dontaudit certmonger_t self:capability sys_tty_config;
+ allow certmonger_t self:process { getsched setsched sigkill };
+ allow certmonger_t self:fifo_file rw_file_perms;
+ allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
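Review bot: The capability set now adds both `dac_override` and `dac_read_search` with no comment explaining which root-owned files certmonger must reach. CAP_DAC_READ_SEARCH already bypasses DAC for read and search, so if the need is only reading keys or certificates owned by another user, `dac_read_search` alone is the narrower grant and `dac_override` (which also bypasses write and execute checks) should go. The same pair is added for cgclear_t in the cgroup.te hunk of this patch. The added `dontaudit certmonger_t self:capability sys_tty_config;` is the right treatment for that capability.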
+@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+ manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
++files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+
++corecmd_exec_bin(certmonger_t)
++
+ corenet_tcp_sendrecv_generic_if(certmonger_t)
+ corenet_tcp_sendrecv_generic_node(certmonger_t)
+ corenet_tcp_sendrecv_all_ports(certmonger_t)
+ corenet_tcp_connect_certmaster_port(certmonger_t)
++corenet_tcp_connect_http_port(certmonger_t)
+
+ dev_read_urand(certmonger_t)
+
+@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t)
+ files_read_usr_files(certmonger_t)
+ files_list_tmp(certmonger_t)
+
++auth_rw_cache(certmonger_t)
++
+ logging_send_syslog_msg(certmonger_t)
+
+ miscfiles_read_localization(certmonger_t)
+@@ -58,15 +64,32 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+
+ sysnet_dns_name_resolve(certmonger_t)
+
++userdom_search_user_home_content(certmonger_t)
++
++optional_policy(`
++ apache_search_config(certmonger_t)
++')
++
++optional_policy(`
++ bind_search_cache(certmonger_t)
++')
++
+ optional_policy(`
+ dbus_system_bus_client(certmonger_t)
+ dbus_connect_system_bus(certmonger_t)
+ ')
+
+ optional_policy(`
++ dirsrv_manage_config(certmonger_t)
++')
++
++optional_policy(`
+ kerberos_use(certmonger_t)
++ kerberos_read_keytab(certmonger_t)
+ ')
+
+ optional_policy(`
++ pcscd_read_pub_files(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
+ ')
++
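Review bot: `dirsrv_manage_config(certmonger_t)` and `kerberos_read_keytab(certmonger_t)` are the most privileged additions here — write access to another service's configuration and read access to Kerberos key material — and neither carries a comment. A one-line note above each stating which certmonger feature requires it would let a reviewer verify the grant against the daemon's behaviour. The hunk also appends an empty line after the final `')`, leaving a trailing blank line at end of file.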
+diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
+index 420c9d3..b6bb46c 100644
+--- a/policy/modules/services/cgroup.fc
++++ b/policy/modules/services/cgroup.fc
+@@ -11,4 +11,5 @@
+ /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+ /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
++/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
+ /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
+diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
+index d020c93..e5cbcef 100644
+--- a/policy/modules/services/cgroup.if
++++ b/policy/modules/services/cgroup.if
+@@ -6,9 +6,9 @@
+ ## CG Clear.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgclear',`
+@@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',`
+ ## CG config parser.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgconfig',`
+@@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
+ ## CG rules engine daemon.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cgroup_domtrans_cgred',`
+@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
+
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
+- files_search_etc($1)
++ files_list_etc($1)
+
+ admin_pattern($1, cgred_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
+
+ cgroup_initrc_domtrans_cgconfig($1)
+ domain_system_change_exemption($1)
+diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
+index 8ca2333..09a114b 100644
+--- a/policy/modules/services/cgroup.te
++++ b/policy/modules/services/cgroup.te
+@@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t)
+ type cgred_initrc_exec_t;
+ init_script_file(cgred_initrc_exec_t)
+
++type cgred_log_t;
++logging_log_file(cgred_log_t)
++
+ type cgred_var_run_t;
+ files_pid_file(cgred_var_run_t)
+
+ type cgrules_etc_t;
+ files_config_file(cgrules_etc_t)
+
+-type cgconfig_t;
+-type cgconfig_exec_t;
++type cgconfig_t alias cgconfigparser_t;
++type cgconfig_exec_t alias cgconfigparser_exec_t;
+ init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+ type cgconfig_initrc_exec_t;
+@@ -36,8 +39,7 @@ files_config_file(cgconfig_etc_t)
+ #
+ # cgclear personal policy.
+ #
+-
+-allow cgclear_t self:capability sys_admin;
++allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+
+ kernel_read_system_state(cgclear_t)
+
+@@ -52,7 +54,7 @@ fs_unmount_cgroup(cgclear_t)
+ # cgconfig personal policy.
+ #
+
+-allow cgconfig_t self:capability { chown sys_admin };
++allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+
+ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+
+@@ -67,18 +69,22 @@ fs_manage_cgroup_dirs(cgconfig_t)
+ fs_manage_cgroup_files(cgconfig_t)
+ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
++fs_unmount_cgroup(cgconfig_t)
+
+ ########################################
+ #
+ # cgred personal policy.
+ #
+
+-allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+ allow cgred_t self:netlink_socket { write bind create read };
+ allow cgred_t self:unix_dgram_socket { write create connect };
+
+ allow cgred_t cgrules_etc_t:file read_file_perms;
+
++manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
++logging_log_filetrans(cgred_t, cgred_log_t, file)
++
+ # rc script creates pid file
+ manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+ manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
+index 9a0da94..2ede737 100644
+--- a/policy/modules/services/chronyd.if
++++ b/policy/modules/services/chronyd.if
+@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+ ')
+
++########################################
++##
++## Execute chronyd server in the chronyd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chronyd_initrc_domtrans',`
++ gen_require(`
++ type chronyd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
++')
++
+ ####################################
+ ##
+ ## Execute chronyd
+@@ -56,6 +74,64 @@ interface(`chronyd_read_log',`
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+ ')
+
++########################################
++##
++## Read and write chronyd shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_rw_shm',`
++ gen_require(`
++ type chronyd_t, chronyd_tmpfs_t;
++ ')
++
++ allow $1 chronyd_t:shm rw_shm_perms;
++ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
++ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## Read chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_read_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
++########################################
++##
++## Append chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_append_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
+ ####################################
+ ##
+ ## All of the rules required to administrate
+@@ -75,9 +151,9 @@ interface(`chronyd_read_log',`
+ #
+ interface(`chronyd_admin',`
+ gen_require(`
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+@@ -88,18 +164,17 @@ interface(`chronyd_admin',`
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, chronyd_tmp_t)
++ admin_pattern($1, chronyd_tmpfs_t)
+ ')
+diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
+index fa82327..db20d26 100644
+--- a/policy/modules/services/chronyd.te
++++ b/policy/modules/services/chronyd.te
+@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
+ type chronyd_keys_t;
+ files_type(chronyd_keys_t)
+
++type chronyd_tmpfs_t;
++files_tmpfs_file(chronyd_tmpfs_t)
++
+ type chronyd_var_lib_t;
+ files_type(chronyd_var_lib_t)
+
+@@ -34,9 +37,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
+ allow chronyd_t self:shm create_shm_perms;
+ allow chronyd_t self:udp_socket create_socket_perms;
+ allow chronyd_t self:unix_dgram_socket create_socket_perms;
++allow chronyd_t self:fifo_file rw_fifo_file_perms;
+
+ allow chronyd_t chronyd_keys_t:file read_file_perms;
+
++manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
++manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
++fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
++
+ manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+ manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+ manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+@@ -50,6 +58,11 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+ manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+ files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+
++kernel_read_system_state(chronyd_t)
++
++corecmd_exec_shell(chronyd_t)
++
++corenet_udp_bind_generic_node(chronyd_t)
+ corenet_udp_bind_ntp_port(chronyd_t)
+ # bind to udp/323
+ corenet_udp_bind_chronyd_port(chronyd_t)
+@@ -63,6 +76,8 @@ logging_send_syslog_msg(chronyd_t)
+
+ miscfiles_read_localization(chronyd_t)
+
++mta_send_mail(chronyd_t)
++
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+ ')
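Review bot: `mta_send_mail(chronyd_t)` is called unconditionally, so the chronyd module now fails to link on a policy that omits the mta module; the clamav.te hunk in this same patch wraps the identical call in an optional_policy block, and chronyd.te should do the same. If `corecmd_exec_shell(chronyd_t)` in the previous hunk exists to support this mail path, a comment saying so would also help, since shell execution is otherwise an unexplained widening for a time daemon.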
+diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
+index e8e9a21..0af0260 100644
+--- a/policy/modules/services/clamav.fc
++++ b/policy/modules/services/clamav.fc
+@@ -10,6 +10,7 @@
+
+ /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
+index 1f11572..7f6a7ab 100644
+--- a/policy/modules/services/clamav.if
++++ b/policy/modules/services/clamav.if
+@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
+ type clamd_t, clamd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+ ')
+
+@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',`
+ #
+ interface(`clamav_append_log',`
+ gen_require(`
+- type clamav_log_t;
++ type clamav_var_log_t;
+ ')
+
+ logging_search_logs($1)
+- allow $1 clamav_log_t:dir list_dir_perms;
+- append_files_pattern($1, clamav_log_t, clamav_log_t)
++ allow $1 clamav_var_log_t:dir list_dir_perms;
++ append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+ ')
+
+ ########################################
+@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
+ interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+- type clamd_var_log_t, clamd_var_lib_t;
+- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+- type clamd_initrc_exec_t;
++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
+ ')
+
+diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
+index f758323..28166c1 100644
+--- a/policy/modules/services/clamav.te
++++ b/policy/modules/services/clamav.te
+@@ -1,9 +1,9 @@
+ policy_module(clamav, 1.9.0)
+
+ ##
+-##
+-## Allow clamd to use JIT compiler
+-##
++##
++## Allow clamd to use JIT compiler
++##
+ ##
+ gen_tunable(clamd_use_jit, false)
+
+@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t)
+
+ allow clamd_t self:capability { kill setgid setuid dac_override };
+ dontaudit clamd_t self:capability sys_tty_config;
++allow clamd_t self:process signal;
++
+ allow clamd_t self:fifo_file rw_fifo_file_perms;
+ allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow clamd_t self:unix_dgram_socket create_socket_perms;
+@@ -80,6 +82,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+ # var/lib files for clamd
++manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+@@ -89,9 +92,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+ logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
+
+ # pid file
++manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+ manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
++files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
+
+ kernel_dontaudit_list_proc(clamd_t)
+ kernel_read_sysctl(clamd_t)
+@@ -110,6 +114,7 @@ corenet_tcp_bind_generic_node(clamd_t)
+ corenet_tcp_bind_clamd_port(clamd_t)
+ corenet_tcp_bind_generic_port(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
++corenet_tcp_connect_clamd_port(clamd_t)
+ corenet_sendrecv_clamd_server_packets(clamd_t)
+
+ dev_read_rand(clamd_t)
+@@ -127,12 +132,16 @@ logging_send_syslog_msg(clamd_t)
+
+ miscfiles_read_localization(clamd_t)
+
+-cron_use_fds(clamd_t)
+-cron_use_system_job_fds(clamd_t)
+-cron_rw_pipes(clamd_t)
++optional_policy(`
++ cron_use_fds(clamd_t)
++ cron_use_system_job_fds(clamd_t)
++ cron_rw_pipes(clamd_t)
++')
+
+-mta_read_config(clamd_t)
+-mta_send_mail(clamd_t)
++optional_policy(`
++ mta_read_config(clamd_t)
++ mta_send_mail(clamd_t)
++')
+
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+@@ -147,8 +156,10 @@ optional_policy(`
+
+ tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+-', `
++ allow clamscan_t self:process execmem;
++',`
+ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
+ ')
+
+ ########################################
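Review bot: The tunable description at the top of this file (the `## Allow clamd to use JIT compiler` block at the first hunk) no longer matches what the tunable gates, since this hunk adds `allow clamscan_t self:process execmem;` under `clamd_use_jit` and the later freshclam hunk already gates `allow freshclam_t self:process execmem;` on the same tunable. Because execmem relaxes the W^X restriction for every domain listed, the description should name them all so an administrator enabling it knows the scope: `## Allow clamd, clamscan and freshclam to use the JIT compiler (grants execmem).` The same point applies to the dontaudit branch, which is otherwise fine.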
+@@ -178,10 +189,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+
+ # log files (own logfiles only)
+ manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+-allow freshclam_t freshclam_var_log_t:dir setattr;
+-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
++allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
+ logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
++kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_system_state(freshclam_t)
++
++corecmd_exec_shell(freshclam_t)
++corecmd_exec_bin(freshclam_t)
++
+ corenet_all_recvfrom_unlabeled(freshclam_t)
+ corenet_all_recvfrom_netlabel(freshclam_t)
+ corenet_tcp_sendrecv_generic_if(freshclam_t)
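Review bot: `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` are added without a comment saying what freshclam runs, and these execute in the freshclam domain with no transition, so whatever is run inherits freshclam's network, log and clamd-socket access. Presumably this is for the post-update command hooks freshclam can be configured to run — confirm from the denials that prompted it and record it above the two lines, e.g. `# freshclam runs configured post-update hooks via the shell (no domain transition)`. The replacement of `allow freshclam_t clamd_var_log_t:dir search_dir_perms;` by `read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)` also widens search-only to file reads of clamd's logs; if only traversal is needed the original line was narrower.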
+@@ -189,6 +206,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+ corenet_tcp_sendrecv_all_ports(freshclam_t)
+ corenet_tcp_sendrecv_clamd_port(freshclam_t)
+ corenet_tcp_connect_http_port(freshclam_t)
++corenet_tcp_connect_clamd_port(freshclam_t)
+ corenet_sendrecv_http_client_packets(freshclam_t)
+
+ dev_read_rand(freshclam_t)
+@@ -207,16 +225,18 @@ miscfiles_read_localization(freshclam_t)
+
+ clamav_stream_connect(freshclam_t)
+
+-optional_policy(`
+- cron_system_entry(freshclam_t, freshclam_exec_t)
+-')
++userdom_stream_connect(freshclam_t)
+
+ tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+-', `
++',`
+ dontaudit freshclam_t self:process execmem;
+ ')
+
++optional_policy(`
++ cron_system_entry(freshclam_t, freshclam_exec_t)
++')
++
+ ########################################
+ #
+ # clamscam local policy
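Review bot: `userdom_stream_connect(freshclam_t)` is added with no comment, and connecting to user-domain unix stream sockets is an unusual grant for an update daemon that otherwise only talks to clamd. A one-line rationale above it would help the next reviewer, e.g. `# freshclam notifies a clamd socket living in a user's home/runtime dir — TODO confirm from denials`, or if the real target is clamd's socket, the `clamav_stream_connect(freshclam_t)` line already present in this hunk may be sufficient.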
+@@ -248,9 +268,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+ corenet_tcp_sendrecv_all_ports(clamscan_t)
+ corenet_tcp_sendrecv_clamd_port(clamscan_t)
++corenet_tcp_bind_generic_node(clamscan_t)
+ corenet_tcp_connect_clamd_port(clamscan_t)
+
+ kernel_read_kernel_sysctls(clamscan_t)
++kernel_read_system_state(clamscan_t)
+
+ files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
+@@ -264,7 +286,12 @@ miscfiles_read_public_files(clamscan_t)
+
+ clamav_stream_connect(clamscan_t)
+
+-mta_send_mail(clamscan_t)
++sysnet_read_config(clamscan_t)
++
++optional_policy(`
++ mta_send_mail(clamscan_t)
++ mta_read_queue(clamscan_t)
++')
+
+ optional_policy(`
+ amavis_read_spool_files(clamscan_t)
+diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
+index b40f3f7..3676ecc 100644
+--- a/policy/modules/services/clockspeed.te
++++ b/policy/modules/services/clockspeed.te
+@@ -38,7 +38,7 @@ files_read_etc_files(clockspeed_cli_t)
+
+ miscfiles_read_localization(clockspeed_cli_t)
+
+-userdom_use_user_terminals(clockspeed_cli_t)
++userdom_use_inherited_user_terminals(clockspeed_cli_t)
+
+ ########################################
+ #
+diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
+index c0a66a4..e438c5f 100644
+--- a/policy/modules/services/clogd.if
++++ b/policy/modules/services/clogd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run clogd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`clogd_domtrans',`
+diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te
+index 6077339..d10acd2 100644
+--- a/policy/modules/services/clogd.te
++++ b/policy/modules/services/clogd.te
+@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
+
+ allow clogd_t self:capability { net_admin mknod };
+ allow clogd_t self:process signal;
+-
+ allow clogd_t self:sem create_sem_perms;
+ allow clogd_t self:shm create_shm_perms;
+ allow clogd_t self:netlink_socket create_socket_perms;
+@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
+ # pid files
+ manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+ manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+-files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
++files_pid_filetrans(clogd_t, clogd_var_run_t, file)
+
+ dev_read_lvm_control(clogd_t)
+ dev_manage_generic_blk_files(clogd_t)
+diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
+new file mode 100644
+index 0000000..e500fa5
+--- /dev/null
++++ b/policy/modules/services/cmirrord.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
++
++/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
++
++/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
+diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
+new file mode 100644
+index 0000000..756ac91
+--- /dev/null
++++ b/policy/modules/services/cmirrord.if
+@@ -0,0 +1,113 @@
++## policy for cmirrord
++
++########################################
++##
++## Execute a domain transition to run cmirrord.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cmirrord_domtrans',`
++ gen_require(`
++ type cmirrord_t, cmirrord_exec_t;
++ ')
++
++ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
++')
++
++########################################
++##
++## Execute cmirrord server in the cmirrord domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cmirrord_initrc_domtrans',`
++ gen_require(`
++ type cmirrord_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
++')
++
++########################################
++##
++## Read cmirrord PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cmirrord_read_pid_files',`
++ gen_require(`
++ type cmirrord_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 cmirrord_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Read and write to cmirrord shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cmirrord_rw_shm',`
++ gen_require(`
++ type cmirrord_t, cmirrord_tmpfs_t;
++ ')
++
++ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
++ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an cmirrord environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`cmirrord_admin',`
++ gen_require(`
++ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
++ ')
++
++ allow $1 cmirrord_t:process { ptrace signal_perms };
++ ps_process_pattern($1, cmirrord_t)
++
++ cmirrord_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 cmirrord_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_pids($1)
++ admin_pattern($1, cmirrord_var_run_t)
++')
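Review bot: The documentation of `cmirrord_rw_shm` says "Read and write to cmirrord shared memory" but the body grants `{ rw_shm_perms destroy }` on the shm segment and `delete_files_pattern` on the tmpfs backing files, so a caller gets more than read/write; the summary should say so: `## Read, write and destroy cmirrord shared memory and its tmpfs backing files.` In `cmirrord_admin` the summary "an cmirrord environment" should read "a cmirrord environment". Both are doc-only changes to the new file.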
+diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
+new file mode 100644
+index 0000000..28fdd8a
+--- /dev/null
++++ b/policy/modules/services/cmirrord.te
+@@ -0,0 +1,58 @@
++policy_module(cmirrord, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cmirrord_t;
++type cmirrord_exec_t;
++init_daemon_domain(cmirrord_t, cmirrord_exec_t)
++
++type cmirrord_initrc_exec_t;
++init_script_file(cmirrord_initrc_exec_t)
++
++type cmirrord_tmpfs_t;
++files_tmpfs_file(cmirrord_tmpfs_t)
++
++type cmirrord_var_run_t;
++files_pid_file(cmirrord_var_run_t)
++
++########################################
++#
++# cmirrord local policy
++#
++
++allow cmirrord_t self:capability { net_admin kill };
++dontaudit cmirrord_t self:capability sys_tty_config;
++allow cmirrord_t self:process { setfscreate signal};
++allow cmirrord_t self:fifo_file rw_fifo_file_perms;
++allow cmirrord_t self:sem create_sem_perms;
++allow cmirrord_t self:shm create_shm_perms;
++allow cmirrord_t self:netlink_socket create_socket_perms;
++allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
++
++manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
++manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
++files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
++
++domain_use_interactive_fds(cmirrord_t)
++domain_obj_id_change_exemption(cmirrord_t)
++
++files_read_etc_files(cmirrord_t)
++
++storage_create_fixed_disk_dev(cmirrord_t)
++
++seutil_read_file_contexts(cmirrord_t)
++
++logging_send_syslog_msg(cmirrord_t)
++
++miscfiles_read_localization(cmirrord_t)
++
++optional_policy(`
++ corosync_stream_connect(cmirrord_t)
++')
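Review bot: `storage_create_fixed_disk_dev(cmirrord_t)` is granted while the capability line only allows `{ net_admin kill }`; creating device nodes normally also needs the `mknod` capability, and the sibling clogd.te hunk in this same patch carries `allow clogd_t self:capability { net_admin mknod };`. Unless the storage interface grants the capability itself, node creation will be denied — verify against the audit log and, if needed, use `allow cmirrord_t self:capability { net_admin kill mknod };`. The combination `setfscreate` + `domain_obj_id_change_exemption(cmirrord_t)` + `seutil_read_file_contexts(cmirrord_t)` lets the daemon choose the label of files it creates, which deserves a comment recording why (presumably it labels the device nodes it creates — confirm). Minor style: `{ setfscreate signal}` should be `{ setfscreate signal }`.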
+diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
+index 1cf6c4e..e4bac67 100644
+--- a/policy/modules/services/cobbler.fc
++++ b/policy/modules/services/cobbler.fc
+@@ -1,7 +1,33 @@
+-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
++/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
++
++/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
++
++/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
++
++/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
++
++# This should removable when cobbler package installs /var/www/cobbler/rendered
++/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
++
++/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
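Review bot: The new comment above the `/var/www/cobbler(/.*)?` entry reads "This should removable when ..."; it should say `# This should be removable when the cobbler package installs /var/www/cobbler/rendered`. Since the more specific `/var/www/cobbler/rendered(/.*)?` entry already exists right below it, the comment could also state which of the two labels is expected to win for that subtree so the intent survives the eventual cleanup.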
+diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
+index 293e08d..82306eb 100644
+--- a/policy/modules/services/cobbler.if
++++ b/policy/modules/services/cobbler.if
+@@ -1,12 +1,12 @@
+ ## Cobbler installation server.
+ ##
+ ##
+-## Cobbler is a Linux installation server that allows for
+-## rapid setup of network installation environments. It
+-## glues together and automates many associated Linux
+-## tasks so you do not have to hop between lots of various
+-## commands and applications when rolling out new systems,
+-## and, in some cases, changing existing ones.
++## Cobbler is a Linux installation server that allows for
++## rapid setup of network installation environments. It
++## glues together and automates many associated Linux
++## tasks so you do not have to hop between lots of various
++## commands and applications when rolling out new systems,
++## and, in some cases, changing existing ones.
+ ##
+ ##
+
+@@ -15,9 +15,9 @@
+ ## Execute a domain transition to run cobblerd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cobblerd_domtrans',`
+@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
++ corecmd_search_bin($1)
+ ')
+
+ ########################################
+@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
+
+ ########################################
+ ##
+-## Read Cobbler content in /etc
++## List Cobbler configuration.
+ ##
+ ##
+ ##
+@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
+ ##
+ ##
+ #
+-interface(`cobbler_read_config',`
++interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write
+-## Cobbler log files (leaked fd).
++## Read Cobbler configuration files.
+ ##
+ ##
+ ##
+@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
+ ##
+ ##
+ #
+-interface(`cobbler_dontaudit_rw_log',`
++interface(`cobbler_read_config',`
+ gen_require(`
+- type cobbler_var_log_t;
++ type cobbler_etc_t;
+ ')
+
+- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
++ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
++ files_search_etc($1)
+ ')
+
+ ########################################
+@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
+ type cobbler_var_lib_t;
+ ')
+
++ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+ ########################################
+ ##
++## Do not audit attempts to read and write
++## Cobbler log files (leaked fd).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`cobbler_dontaudit_rw_log',`
++ gen_require(`
++ type cobbler_var_log_t;
++ ')
++
++ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an cobblerd environment
+ ##
+@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',`
+ interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+- type cobbler_etc_t, cobblerd_initrc_exec_t;
++ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
++ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
+ ')
+
+- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, cobblerd_t, cobblerd_t)
++ allow $1 cobblerd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, cobblerd_t)
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+
++ apache_list_sys_content($1)
++ admin_pattern($1, httpd_cobbler_content_t)
++ admin_pattern($1, httpd_cobbler_content_ra_t)
+ admin_pattern($1, httpd_cobbler_content_rw_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ optional_policy(`
++ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
++ tftp_search_rw_content($1)
++ ')
+ ')
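Review bot: The comment `# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.` refers to `/var/lib/tftpdir`, but the cobbler.fc hunk in this patch labels the cobbler content under `/var/lib/tftpboot/...`; the same mismatch appears in the comments of the `tftp_filetrans_tftpdir` block in the cobbler.te hunk. If tftpdir is only shorthand for the tftp module's directory type, say so; otherwise the comments should name the real path, e.g. `# traverse /var/lib/tftpboot to reach the cobbler_var_lib_t content there.` The interface body itself looks consistent with the gen_require additions.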
+diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
+index 0258b48..8fde016 100644
+--- a/policy/modules/services/cobbler.te
++++ b/policy/modules/services/cobbler.te
+@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
+ #
+
+ ##
+-##
+-## Allow Cobbler to modify public files
+-## used for public file transfer services.
+-##
++##
++## Allow Cobbler to modify public files
++## used for public file transfer services.
++##
+ ##
+ gen_tunable(cobbler_anon_write, false)
+
++##
++##
++## Allow Cobbler to connect to the
++## network using TCP.
++##
++##
++gen_tunable(cobbler_can_network_connect, false)
++
++##
++##
++## Allow Cobbler to access cifs file systems.
++##
++##
++gen_tunable(cobbler_use_cifs, false)
++
++##
++##
++## Allow Cobbler to access nfs file systems.
++##
++##
++gen_tunable(cobbler_use_nfs, false)
++
+ type cobblerd_t;
+ type cobblerd_exec_t;
+ init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
+ type cobbler_var_log_t;
+ logging_log_file(cobbler_var_log_t)
+
+-type cobbler_var_lib_t;
++type cobbler_var_lib_t alias cobbler_content_t;
+ files_type(cobbler_var_lib_t)
+
++type cobbler_tmp_t;
++files_tmp_file(cobbler_tmp_t)
++
+ ########################################
+ #
+ # Cobbler personal policy.
+ #
+
+-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
++allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
++dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
++
+ allow cobblerd_t self:process { getsched setsched signal };
+ allow cobblerd_t self:fifo_file rw_fifo_file_perms;
++allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_socket_perms;
++allow cobblerd_t self:unix_dgram_socket create_socket_perms;
+
+ list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+ read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
++# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
++dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
++
+ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
++manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
++
++# Something really needs to write to cobbler.log. Ideally this should not be happening.
++allow cobblerd_t cobbler_var_log_t:file write;
+
+ append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
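Review bot: `allow cobblerd_t cobbler_var_log_t:file write;` lets the daemon overwrite or truncate its own log rather than only append, which the `append_files_pattern` line below already allows, so this weakens the tamper-evidence of cobbler.log; the comment admits it "should not be happening" but gives no path to removing it. Record what needs it and a tracking reference so the grant does not become permanent, e.g. `# TODO(<tracker-id>): cobblerd opens cobbler.log O_WRONLY instead of O_APPEND; drop this once fixed upstream.` Also the comment above the dontaudit line misspells the domain: `cobberd_t` should be `cobblerd_t`.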
+@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
++manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
++
+ kernel_read_system_state(cobblerd_t)
++kernel_dontaudit_search_network_state(cobblerd_t)
+
+ corecmd_exec_bin(cobblerd_t)
+ corecmd_exec_shell(cobblerd_t)
+@@ -65,26 +107,75 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+ corenet_tcp_sendrecv_generic_if(cobblerd_t)
+ corenet_tcp_sendrecv_generic_node(cobblerd_t)
+ corenet_tcp_sendrecv_generic_port(cobblerd_t)
++corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
++# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
++corenet_tcp_connect_ftp_port(cobblerd_t)
++corenet_tcp_sendrecv_ftp_port(cobblerd_t)
++corenet_sendrecv_ftp_client_packets(cobblerd_t)
++corenet_tcp_connect_http_port(cobblerd_t)
++corenet_tcp_sendrecv_http_port(cobblerd_t)
++corenet_sendrecv_http_client_packets(cobblerd_t)
+
+ dev_read_urand(cobblerd_t)
+
++domain_dontaudit_exec_all_entry_files(cobblerd_t)
++domain_dontaudit_read_all_domains_state(cobblerd_t)
++
++files_read_etc_files(cobblerd_t)
++# mtab
++files_read_etc_runtime_files(cobblerd_t)
+ files_read_usr_files(cobblerd_t)
+ files_list_boot(cobblerd_t)
++files_read_boot_files(cobblerd_t)
+ files_list_tmp(cobblerd_t)
+-# read /etc/nsswitch.conf
+-files_read_etc_files(cobblerd_t)
++
++# read from mounted images (install media)
++fs_read_iso9660_files(cobblerd_t)
++
++init_dontaudit_read_all_script_files(cobblerd_t)
++
++term_use_console(cobblerd_t)
+
+ miscfiles_read_localization(cobblerd_t)
+ miscfiles_read_public_files(cobblerd_t)
+
++selinux_dontaudit_read_fs(cobblerd_t)
++
+ sysnet_read_config(cobblerd_t)
+ sysnet_rw_dhcp_config(cobblerd_t)
+ sysnet_write_config(cobblerd_t)
+
++userdom_dontaudit_use_user_terminals(cobblerd_t)
++userdom_dontaudit_search_user_home_dirs(cobblerd_t)
++userdom_dontaudit_search_admin_dir(cobblerd_t)
++
+ tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+ ')
+
++tunable_policy(`cobbler_can_network_connect',`
++ corenet_tcp_connect_all_ports(cobblerd_t)
++ corenet_tcp_sendrecv_all_ports(cobblerd_t)
++ corenet_sendrecv_all_client_packets(cobblerd_t)
++')
++
++tunable_policy(`cobbler_use_cifs',`
++ fs_manage_cifs_dirs(cobblerd_t)
++ fs_manage_cifs_files(cobblerd_t)
++ fs_manage_cifs_symlinks(cobblerd_t)
++')
++
++tunable_policy(`cobbler_use_nfs',`
++ fs_manage_nfs_dirs(cobblerd_t)
++ fs_manage_nfs_files(cobblerd_t)
++ fs_manage_nfs_symlinks(cobblerd_t)
++')
++
++optional_policy(`
++ # Cobbler traverses /var/www to get to /var/www/cobbler/*
++ apache_search_sys_content(cobblerd_t)
++')
++
+ optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
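Review bot: `term_use_console(cobblerd_t)` is added for a daemon domain with no comment, and console access is not something an installation server obviously needs; if this came from a denial while running cobblerd interactively, `userdom_dontaudit_use_user_terminals(cobblerd_t)` (already in this hunk) may be the better answer, otherwise note the reason above the line. Likewise `domain_dontaudit_exec_all_entry_files(cobblerd_t)` and `domain_dontaudit_read_all_domains_state(cobblerd_t)` silence broad classes of denials; a short comment naming what triggers them (presumably the `ps`/`systemctl`-style probes cobbler runs — confirm) would keep them from hiding a later real misconfiguration.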
+@@ -95,6 +186,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ certmaster_exec(cobblerd_t)
++')
++
++optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+ ')
+@@ -106,16 +201,28 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cobblerd_t)
++')
++
++optional_policy(`
+ rpm_exec(cobblerd_t)
+ ')
+
+ optional_policy(`
+- rsync_read_config(cobblerd_t)
+- rsync_write_config(cobblerd_t)
++ rsync_exec(cobblerd_t)
++ rsync_manage_config(cobblerd_t)
++ # cobbler creates /etc/rsync.conf if its not there.
++ rsync_filetrans_config(cobblerd_t, file)
+ ')
+
+ optional_policy(`
+- tftp_manage_rw_content(cobblerd_t)
++ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
++ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
++ # 1. cobbler package installs /var/lib/tftpdir/images.
++ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
++ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
++ # are any of those hard linked?
++ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
+ ')
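Review bot: The tftp block ends with an open question in the comment ("are any of those hard linked?") that the commit does not resolve; either answer it or mark it `# TODO: verify whether ...` so it is picked up. The comment in the rsync block should read `# cobbler creates /etc/rsync.conf if it's not there.` (it's, not its). The paths in the tftp comments say /var/lib/tftpdir while the cobbler.fc hunk labels /var/lib/tftpboot, as noted on the cobblerd_admin hunk.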
+
+ ########################################
+@@ -124,5 +231,6 @@ optional_policy(`
+ #
+
+ apache_content_template(cobbler)
++list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
+ manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+ manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
+new file mode 100644
+index 0000000..0a83e88
+--- /dev/null
++++ b/policy/modules/services/colord.fc
+@@ -0,0 +1,5 @@
++
++/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
++
++/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
++/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
+new file mode 100644
+index 0000000..939d76e
+--- /dev/null
++++ b/policy/modules/services/colord.if
+@@ -0,0 +1,60 @@
++
++## policy for colord
++
++########################################
++##
++## Execute a domain transition to run colord.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`colord_domtrans',`
++ gen_require(`
++ type colord_t, colord_exec_t;
++ ')
++
++ domtrans_pattern($1, colord_exec_t, colord_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## colord over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`colord_dbus_chat',`
++ gen_require(`
++ type colord_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 colord_t:dbus send_msg;
++ allow colord_t $1:dbus send_msg;
++')
++
++######################################
++##
++## Read colord lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`colord_read_lib_files',`
++ gen_require(`
++ type colord_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
++')
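Review bot: The parameter description of `colord_domtrans` says "Domain allowed access." whereas the sibling domtrans interfaces in this patch (`cmirrord_domtrans`, `clogd_domtrans`) use "Domain allowed to transition."; keep the convention with `## Domain allowed to transition.` The new file also starts with a blank line before the `## policy for colord` header, which none of the other new .if files do.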
+diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
+new file mode 100644
+index 0000000..36d4c6d
+--- /dev/null
++++ b/policy/modules/services/colord.te
+@@ -0,0 +1,76 @@
++policy_module(colord,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type colord_t;
++type colord_exec_t;
++dbus_system_domain(colord_t, colord_exec_t)
++
++type colord_var_lib_t;
++files_type(colord_var_lib_t)
++
++type colord_tmp_t;
++files_tmp_file(colord_tmp_t)
++
++########################################
++#
++# colord local policy
++#
++allow colord_t self:fifo_file rw_fifo_file_perms;
++allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow colord_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
++files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
++
++manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
++
++kernel_read_device_sysctls(colord_t)
++
++corenet_udp_bind_generic_node(colord_t)
++corenet_udp_bind_ipp_port(colord_t)
++corenet_tcp_connect_ipp_port(colord_t)
++
++dev_read_raw_memory(colord_t)
++dev_write_raw_memory(colord_t)
++dev_read_video_dev(colord_t)
++dev_write_video_dev(colord_t)
++dev_read_rand(colord_t)
++dev_read_sysfs(colord_t)
++dev_read_urand(colord_t)
++dev_list_sysfs(colord_t)
++dev_read_generic_usb_dev(colord_t)
++storage_read_scsi_generic(colord_t)
++storage_write_scsi_generic(colord_t)
++
++domain_use_interactive_fds(colord_t)
++
++files_read_etc_files(colord_t)
++files_read_usr_files(colord_t)
++
++miscfiles_read_localization(colord_t)
++
++sysnet_dns_name_resolve(colord_t)
++
++optional_policy(`
++ cups_read_rw_config(colord_t)
++ cups_stream_connect(colord_t)
++ cups_dbus_chat(colord_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(colord_t)
++ policykit_domtrans_auth(colord_t)
++ policykit_read_lib(colord_t)
++ policykit_read_reload(colord_t)
++')
++
++optional_policy(`
++ udev_read_db(colord_t)
++')
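Review bot: `dev_read_raw_memory(colord_t)` and `dev_write_raw_memory(colord_t)` give a colour-management daemon read and write access to the raw memory device, which is one of the most powerful grants in the policy, and there is no comment saying what requires it. The section already grants the video, generic USB and SCSI generic devices plus sysfs, so it is worth confirming from the original denials whether one of those covers the real need; if raw memory access is genuinely required, document it right above the two lines, e.g. `# colord's sensor/EDID probing touches the raw memory device — TODO confirm and narrow`. Minor style: `policy_module(colord,1.0.0)` lacks the space after the comma used by `policy_module(cmirrord, 1.0.0)`.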
+diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
+index fd15dfe..ad224fa 100644
+--- a/policy/modules/services/consolekit.if
++++ b/policy/modules/services/consolekit.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run consolekit.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`consolekit_domtrans',`
+@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## consolekit over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_dontaudit_dbus_chat',`
++ gen_require(`
++ type consolekit_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## consolekit over dbus.
+ ##
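Review bot: The summary of `consolekit_dontaudit_dbus_chat` reads "dontaudit Send and receive messages ..." and its parameter is described as "Domain allowed access.", while the other dontaudit interfaces in this patch (for example `cobbler_dontaudit_rw_log`, `consolekit_dontaudit_read_log`) use "Domain to not audit."; suggest `## Do not audit attempts to send and receive messages from consolekit over dbus.` and `## Domain to not audit.` The body is correct for a dontaudit variant of `consolekit_dbus_chat`.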
+@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
+
+ ########################################
+ ##
++## Dontaudit attempts to read consolekit log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Read consolekit log files.
+ ##
+ ##
+@@ -96,3 +135,22 @@ interface(`consolekit_read_pid_files',`
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+ ')
++
++########################################
++##
++## List consolekit PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_list_pid_files',`
++ gen_require(`
++ type consolekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
++')
+diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
+index e67a003..894d4e0 100644
+--- a/policy/modules/services/consolekit.te
++++ b/policy/modules/services/consolekit.te
+@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
+ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+
++type consolekit_tmpfs_t;
++files_tmpfs_file(consolekit_tmpfs_t)
++
+ ########################################
+ #
+ # consolekit local policy
+@@ -69,11 +72,12 @@ logging_send_audit_msgs(consolekit_t)
+
+ miscfiles_read_localization(consolekit_t)
+
++# consolekit needs to be able to ptrace all logged in users
++userdom_ptrace_all_users(consolekit_t)
+ userdom_dontaudit_read_user_home_content_files(consolekit_t)
++userdom_dontaudit_getattr_admin_home_files(consolekit_t)
+ userdom_read_user_tmp_files(consolekit_t)
+
+-hal_ptrace(consolekit_t)
+-
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(consolekit_t)
+ ')
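Review bot: `userdom_ptrace_all_users(consolekit_t)` is a very broad grant — ptrace over every user domain — and the comment only restates the need ("needs to be able to ptrace all logged in users") without saying what consolekit actually does with it. If the need is reading process state under /proc for session tracking, which is what the `ptrace` check usually stands in for there, a read-state interface (`userdom_read_all_users_state`, if this tree has it) would be narrower; otherwise please expand the comment with the operation, e.g. `# consolekit reads /proc/<pid>/ of every session leader; the kernel gates this on ptrace access — TODO confirm`. Replacing the unconditional `hal_ptrace(consolekit_t)` with an optional_policy block is a good fix.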
+@@ -83,6 +87,14 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+
+ optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
++')
++
++optional_policy(`
++ hal_ptrace(consolekit_t)
++')
++
++optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+
+ optional_policy(`
+@@ -99,6 +111,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_append_log(consolekit_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(consolekit_t)
+ policykit_domtrans_auth(consolekit_t)
+ policykit_read_lib(consolekit_t)
+@@ -106,9 +122,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- type consolekit_tmpfs_t;
+- files_tmpfs_file(consolekit_tmpfs_t)
++ shutdown_domtrans(consolekit_t)
++')
+
++optional_policy(`
+ xserver_read_xdm_pid(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
+@@ -125,5 +142,6 @@ optional_policy(`
+
+ optional_policy(`
+ #reading .Xauthity
++ unconfined_ptrace(consolekit_t)
+ unconfined_stream_connect(consolekit_t)
+ ')
+diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
+index 3a6d7eb..2098ee9 100644
+--- a/policy/modules/services/corosync.fc
++++ b/policy/modules/services/corosync.fc
+@@ -3,6 +3,7 @@
+ /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+ /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+ /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
+index 5220c9d..a2e6830 100644
+--- a/policy/modules/services/corosync.if
++++ b/policy/modules/services/corosync.if
+@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+ ')
+
++######################################
++##
++## Execute corosync in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_exec',`
++ gen_require(`
++ type corosync_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, corosync_exec_t)
++')
++
+ #######################################
+ ##
+ ## Allow the specified domain to read corosync's log files.
+diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
+index 7d2cf85..92b621a 100644
+--- a/policy/modules/services/corosync.te
++++ b/policy/modules/services/corosync.te
+@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
+ # corosync local policy
+ #
+
+-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+-allow corosync_t self:process { setrlimit setsched signal };
++allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
++allow corosync_t self:process { setpgid setrlimit setsched signal signull };
+
+ allow corosync_t self:fifo_file rw_fifo_file_perms;
+ allow corosync_t self:sem create_sem_perms;
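Review bot: The rewritten capability line adds `dac_override`, `setuid` and `sys_ptrace` to corosync_t without a comment saying which operation requires each, and `sys_ptrace` is a broad grant for a cluster daemon. If a capability is only probed (a denial with no functional impact) the usual refpolicy answer is a `dontaudit`; if it is genuinely needed, a one-line why-comment above the rule would let the next reviewer check it, e.g. `# corosync needs dac_override/setuid for <which step? — confirm>; sys_ptrace for <confirm>`. The same lack of justification applies to `corecmd_exec_shell(corosync_t)` added in the @@ -63,8 hunk of this file.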
+@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
+ allow corosync_t self:unix_dgram_socket create_socket_perms;
+ allow corosync_t self:udp_socket create_socket_perms;
+
++can_exec(corosync_t, corosync_exec_t)
++
+ manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+@@ -63,8 +65,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+ files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+
+ kernel_read_system_state(corosync_t)
++kernel_read_network_state(corosync_t)
++kernel_read_net_sysctls(corosync_t)
+
+ corecmd_exec_bin(corosync_t)
++corecmd_exec_shell(corosync_t)
+
+ corenet_udp_bind_netsupport_port(corosync_t)
+
+@@ -73,6 +78,7 @@ dev_read_urand(corosync_t)
+ domain_read_all_domains_state(corosync_t)
+
+ files_manage_mounttab(corosync_t)
++files_read_usr_files(corosync_t)
+
+ auth_use_nsswitch(corosync_t)
+
+@@ -83,19 +89,37 @@ logging_send_syslog_msg(corosync_t)
+
+ miscfiles_read_localization(corosync_t)
+
++userdom_delete_user_tmpfs_files(corosync_t)
+ userdom_rw_user_tmpfs_files(corosync_t)
+
+ optional_policy(`
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
++')
++
++optional_policy(`
+ ccs_read_config(corosync_t)
+ ')
+
+ optional_policy(`
+- # to communication with RHCS
+- rhcs_rw_dlm_controld_semaphores(corosync_t)
++ cmirrord_rw_shm(corosync_t)
++')
+
+- rhcs_rw_fenced_semaphores(corosync_t)
++optional_policy(`
++ drbd_domtrans(corosync_t)
++')
++
++optional_policy(`
++ lvm_rw_clvmd_tmpfs_files(corosync_t)
++ lvm_delete_clvmd_tmpfs_files(corosync_t)
++')
+
+- rhcs_rw_gfs_controld_semaphores(corosync_t)
++optional_policy(`
++ # to communication with RHCS
++ rhcs_rw_cluster_shm(corosync_t)
++ rhcs_rw_cluster_semaphores(corosync_t)
++ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
+index 9971337..f081899 100644
+--- a/policy/modules/services/courier.if
++++ b/policy/modules/services/courier.if
+@@ -138,6 +138,7 @@ interface(`courier_read_config',`
+ type courier_etc_t;
+ ')
+
++ files_search_etc($1)
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+ ')
+
+@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
+index 2802dbb..5d323df 100644
+--- a/policy/modules/services/courier.te
++++ b/policy/modules/services/courier.te
+@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
+ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+ # inherits file handle - should it?
+-allow courier_pop_t courier_var_lib_t:file { read write };
++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+
+ miscfiles_read_localization(courier_pop_t)
+
+diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
+index 13d2f63..a048c53 100644
+--- a/policy/modules/services/cpucontrol.te
++++ b/policy/modules/services/cpucontrol.te
+@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
+ init_system_domain(cpucontrol_t, cpucontrol_exec_t)
+
+ type cpucontrol_conf_t;
+-files_type(cpucontrol_conf_t)
++files_config_file(cpucontrol_conf_t)
+
+ type cpuspeed_t;
+ type cpuspeed_exec_t;
+diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
+index 2eefc08..6030f34 100644
+--- a/policy/modules/services/cron.fc
++++ b/policy/modules/services/cron.fc
+@@ -14,9 +14,10 @@
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
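Review bot: `/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)` at the end of the first block is a very broad pattern: it matches any regular file under /var/run whose name contains "cron" anywhere, so pid files of unrelated services can end up labelled crond_var_run_t. The entries just above already name the known files (crond?\.pid, crond?\.reboot, fcron\.fifo, fcron\.pid), so either drop this line or anchor it to the real file names, e.g. `/var/run/cron[^/]*\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)` (constructed — verify against the actual files). The @@ -45,3 hunk raises a related concern: `/var/lib/glpi/files(/.*)?` and `/var/log/mcelog.*` belong to other applications yet receive cron types, which gives every system cron job full access to them; a comment naming the job that needs this, or dedicated types, would make the intent reviewable.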
+@@ -45,3 +46,7 @@ ifdef(`distro_suse', `
+ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++
++/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++
++/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
+diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
+index 35241ed..b6c4cc9 100644
+--- a/policy/modules/services/cron.if
++++ b/policy/modules/services/cron.if
+@@ -12,6 +12,11 @@
+ ##
+ #
+ template(`cron_common_crontab_template',`
++ gen_require(`
++ type crond_t, crond_var_run_t, crontab_exec_t;
++ type cron_spool_t, user_cron_spool_t;
++ ')
++
+ ##############################
+ #
+ # Declarations
+@@ -34,8 +39,12 @@ template(`cron_common_crontab_template',`
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+- allow $1_t $1_tmp_t:file manage_file_perms;
+- files_tmp_filetrans($1_t, $1_tmp_t, file)
++ allow $1_t crond_t:process signal;
++ allow $1_t crond_var_run_t:file read_file_perms;
++
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+
+ # create files in /var/spool/cron
+ manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+@@ -43,7 +52,7 @@ template(`cron_common_crontab_template',`
+ files_list_spool($1_t)
+
+ # crontab signals crond by updating the mtime on the spooldir
+- allow $1_t cron_spool_t:dir setattr;
++ allow $1_t cron_spool_t:dir setattr_dir_perms;
+
+ kernel_read_system_state($1_t)
+
+@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',`
+
+ logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
++ logging_set_loginuid($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
+@@ -73,9 +83,10 @@ template(`cron_common_crontab_template',`
+ userdom_manage_user_tmp_dirs($1_t)
+ userdom_manage_user_tmp_files($1_t)
+ # Access terminals.
+- userdom_use_user_terminals($1_t)
++ userdom_use_inherited_user_terminals($1_t)
+ # Read user crontabs
+ userdom_read_user_home_content_files($1_t)
++ userdom_read_user_home_content_symlinks($1_t)
+
+ tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+@@ -102,10 +113,12 @@ template(`cron_common_crontab_template',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
++ type user_cron_spool_t, crond_t;
+ ')
+
+ role $1 types { cronjob_t crontab_t };
+@@ -116,9 +129,16 @@ interface(`cron_role',`
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
++ allow crond_t $2:process transition;
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
++ allow $2 crond_t:process sigchld;
++
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file entrypoint;
++
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+- allow $2 crontab_t:process signal;
++ allow $2 crontab_t:process { ptrace signal_perms };
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+@@ -132,9 +152,8 @@ interface(`cron_role',`
+ ')
+
+ dbus_stub(cronjob_t)
+-
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -151,29 +170,18 @@ interface(`cron_role',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_unconfined_role',`
+ gen_require(`
+- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
++ type unconfined_cronjob_t;
+ ')
+
+- role $1 types { unconfined_cronjob_t crontab_t };
++ role $1 types unconfined_cronjob_t;
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+-
+- # Transition from the user domain to the derived domain.
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
+-
+- # crontab shows up in user ps
+- ps_process_pattern($2, crontab_t)
+- allow $2 crontab_t:process signal;
+-
+- # Run helper programs as the user domain
+- #corecmd_bin_domtrans(crontab_t, $2)
+- #corecmd_shell_domtrans(crontab_t, $2)
+- corecmd_exec_bin(crontab_t)
+- corecmd_exec_shell(crontab_t)
++ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+
+ optional_policy(`
+ gen_require(`
+@@ -181,9 +189,8 @@ interface(`cron_unconfined_role',`
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+-
+ allow unconfined_cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -200,6 +207,7 @@ interface(`cron_unconfined_role',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_admin_role',`
+ gen_require(`
+@@ -220,7 +228,7 @@ interface(`cron_admin_role',`
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+- allow $2 admin_crontab_t:process signal;
++ allow $2 admin_crontab_t:process { ptrace signal_perms };
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+@@ -234,9 +242,8 @@ interface(`cron_admin_role',`
+ ')
+
+ dbus_stub(admin_cronjob_t)
+-
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -304,7 +311,7 @@ interface(`cron_exec',`
+
+ ########################################
+ ##
+-## Execute crond server in the nscd domain.
++## Execute crond server in the crond domain.
+ ##
+ ##
+ ##
+@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',`
+ type crond_t;
+ ')
+
+- allow $1 crond_t:fifo_file { getattr read write };
++ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Read and write inherited user spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_user_spool_files',`
++ gen_require(`
++ type user_cron_spool_t;
++ ')
++
++ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read and write inherited spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_spool_files',`
++ gen_require(`
++ type cron_spool_t;
++ ')
++
++ allow $1 cron_spool_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -481,6 +524,7 @@ interface(`cron_manage_pid_files',`
+ type crond_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ ')
+
+@@ -536,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:file write;
++ allow $1 system_cronjob_t:fifo_file write;
+ ')
+
+ ########################################
+@@ -554,7 +598,7 @@ interface(`cron_rw_system_job_pipes',`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -587,11 +631,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+ #
+ interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+- type system_cronjob_tmp_t;
++ type system_cronjob_tmp_t, cron_var_run_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
++
++ files_search_pids($1)
++ allow $1 cron_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -627,7 +674,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+ interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
++ type cron_var_run_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++ dontaudit $1 cron_var_run_t:file write_file_perms;
++')
++
++########################################
++##
++## Read temporary files from the system cron jobs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_read_system_job_lib_files',`
++ gen_require(`
++ type system_cronjob_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++')
++
++########################################
++##
++## Manage files from the system cron jobs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_manage_system_job_lib_files',`
++ gen_require(`
++ type system_cronjob_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ ')
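Review bot: The description for `cron_read_system_job_lib_files` reads `## Read temporary files from the system cron jobs.` although the body reads system_cronjob_var_lib_t under /var/lib, and `cron_manage_system_job_lib_files` says only `## Manage files from the system cron jobs.`; both should name the lib files, e.g. `## Read the system cron jobs' /var/lib files.` and `## Create, read, write, and delete the system cron jobs' /var/lib files.`. In the same hunk `cron_dontaudit_write_system_job_tmp_files` now also dontaudits writes to cron_var_run_t, which neither its name nor its summary covers, and the @@ -587,11 hunk does the same to `cron_read_system_job_tmp_files` by adding a read of cron_var_run_t. Either update those summaries to mention the pid files or split the pid-file access into its own interface so callers know what they are granting.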
+diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
+index f7583ab..9941737 100644
+--- a/policy/modules/services/cron.te
++++ b/policy/modules/services/cron.te
+@@ -10,18 +10,18 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allow system cron jobs to relabel filesystem
+-## for restoring file contexts.
+-##
++##
++## Allow system cron jobs to relabel filesystem
++## for restoring file contexts.
++##
+ ##
+ gen_tunable(cron_can_relabel, false)
+
+ ##
+-##
+-## Enable extra rules in the cron domain
+-## to support fcron.
+-##
++##
++## Enable extra rules in the cron domain
++## to support fcron.
++##
+ ##
+ gen_tunable(fcron_crond, false)
+
+@@ -38,7 +38,7 @@ type cron_var_lib_t;
+ files_type(cron_var_lib_t)
+
+ type cron_var_run_t;
+-files_type(cron_var_run_t)
++files_pid_file(cron_var_run_t)
+
+ # var/log files
+ type cron_log_t;
+@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
+
+ type crond_tmp_t;
+ files_tmp_file(crond_tmp_t)
++files_poly_parent(crond_tmp_t)
++mta_system_content(crond_tmp_t)
+
+ type crond_var_run_t;
+ files_pid_file(crond_var_run_t)
++mta_system_content(crond_var_run_t)
+
+ type crontab_exec_t;
+ application_executable_file(crontab_exec_t)
+@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+ typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
++allow admin_crontab_t crond_t:process signal;
+
+ type system_cron_spool_t, cron_spool_type;
+ files_type(system_cron_spool_t)
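Review bot: `allow admin_crontab_t crond_t:process signal;` is placed in the Declarations section, between typealias lines, where this file otherwise keeps only type and attribute declarations; access rules belong in the local-policy section for admin_crontab_t further down. `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)` in the @@ -87,6 hunk has the same placement problem and would sit naturally next to the existing crond_t/system_cronjob_t rules. Moving both keeps the declaration block searchable and the rules next to their comments.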
+@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t;
+ init_daemon_domain(system_cronjob_t, anacron_exec_t)
+ corecmd_shell_entry_type(system_cronjob_t)
+ role system_r types system_cronjob_t;
++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+
+ type system_cronjob_lock_t alias system_crond_lock_t;
+ files_lock_file(system_cronjob_lock_t)
+@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
+ type system_cronjob_tmp_t alias system_crond_tmp_t;
+ files_tmp_file(system_cronjob_tmp_t)
+
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+-')
+-
+ type unconfined_cronjob_t;
+ domain_type(unconfined_cronjob_t)
+ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+ files_type(user_cron_spool_t)
+ ubac_constrained(user_cron_spool_t)
++mta_system_content(user_cron_spool_t)
++
++type system_cronjob_var_lib_t;
++files_type(system_cronjob_var_lib_t)
++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
++
++type system_cronjob_var_run_t;
++files_pid_file(system_cronjob_var_run_t)
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
++')
+
+ ########################################
+ #
+@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t)
+ #
+
+ # Allow our crontab domain to unlink a user cron spool file.
+-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+
+ # Manipulate other users crontab.
+ selinux_get_fs_mount(admin_crontab_t)
+@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
+ selinux_compute_relabel_context(admin_crontab_t)
+ selinux_compute_user_contexts(admin_crontab_t)
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
+@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', `
+
+ allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
+ dontaudit crond_t self:capability { sys_resource sys_tty_config };
+-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+ allow crond_t self:process { setexec setfscreate };
+ allow crond_t self:fd use;
+ allow crond_t self:fifo_file rw_fifo_file_perms;
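Review bot: Dropping `setrlimit` from the negated set on the `crond_t self:process ~{ ... }` rule silently grants that permission, and a grant buried in a `~{ }` list is easy to miss in review. If crond needs it (the distro_debian block later in this file mentions pam_limits), consider leaving the negated set alone and adding an explicit rule with a why-comment: `# pam_limits applies resource limits to jobs` / `allow crond_t self:process setrlimit;`.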
+@@ -187,12 +200,16 @@ fs_list_inotifyfs(crond_t)
+
+ # need auth_chkpwd to check for locked accounts.
+ auth_domtrans_chk_passwd(crond_t)
++auth_read_var_auth(crond_t)
+
+ corecmd_exec_shell(crond_t)
+ corecmd_list_bin(crond_t)
++corecmd_exec_bin(crond_t)
+ corecmd_read_bin_symlinks(crond_t)
+
+ domain_use_interactive_fds(crond_t)
++domain_subj_id_change_exemption(crond_t)
++domain_role_change_exemption(crond_t)
+
+ files_read_usr_files(crond_t)
+ files_read_etc_runtime_files(crond_t)
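Review bot: `domain_subj_id_change_exemption(crond_t)` and `domain_role_change_exemption(crond_t)` exempt crond from the constraints that normally stop a domain from changing SELinux user and role, which is among the highest-impact grants in this file, yet they carry no comment. Presumably this is what allows crond to launch jobs in arbitrary user contexts via the existing `setexec` permission; please say so above the two lines, e.g. `# crond sets the SELinux user/role of user jobs via setexec, so it must be exempt from the user/role change constraints`. `auth_read_var_auth(crond_t)` earlier in the hunk would likewise benefit from a note on what it reads.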
+@@ -203,11 +220,16 @@ files_list_usr(crond_t)
+ files_search_var_lib(crond_t)
+ files_search_default(crond_t)
+
++fs_manage_cgroup_dirs(crond_t)
++fs_manage_cgroup_files(crond_t)
++
+ init_rw_utmp(crond_t)
+ init_spec_domtrans_script(crond_t)
+
++auth_manage_var_auth(crond_t)
+ auth_use_nsswitch(crond_t)
+
++logging_send_audit_msgs(crond_t)
+ logging_send_syslog_msg(crond_t)
+ logging_set_loginuid(crond_t)
+
+@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
+ userdom_use_unpriv_users_fds(crond_t)
+ # Not sure why this is needed
+ userdom_list_user_home_dirs(crond_t)
++userdom_create_all_users_keys(crond_t)
+
+ mta_send_mail(crond_t)
++mta_system_content(cron_spool_t)
+
+ ifdef(`distro_debian',`
+ # pam_limits is used
+@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
+ ')
+ ')
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
+ ')
+
+ optional_policy(`
++ apache_search_sys_content(crond_t)
++')
++
++optional_policy(`
++ djbdns_search_tinydns_keys(crond_t)
++ djbdns_link_tinydns_keys(crond_t)
++')
++
++optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
+ ')
+
+ optional_policy(`
++ # these should probably be unconfined_crond_t
++ dbus_system_bus_client(crond_t)
++ init_dbus_send_script(crond_t)
++')
++
++optional_policy(`
++ mono_domtrans(crond_t)
++')
++
++optional_policy(`
+ amanda_search_var_lib(crond_t)
+ ')
+
+@@ -264,6 +307,8 @@ optional_policy(`
+
+ optional_policy(`
+ hal_dbus_chat(crond_t)
++ hal_write_log(crond_t)
++ hal_dbus_chat(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -289,12 +334,18 @@ optional_policy(`
+ udev_read_db(crond_t)
+ ')
+
++optional_policy(`
++ vnstatd_search_lib(crond_t)
++')
++
+ ########################################
+ #
+ # System cron process domain
+ #
+
+ allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
++dontaudit system_cronjob_t self:capability sys_ptrace;
++
+ allow system_cronjob_t self:process { signal_perms getsched setsched };
+ allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow system_cronjob_t self:passwd rootok;
+@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+
+ # This is to handle /var/lib/misc directory. Used currently
+ # by prelink var/lib files for cron
+-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
++allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
+ files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+
++allow system_cronjob_t cron_var_run_t:file manage_file_perms;
++files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
++
+ allow system_cronjob_t system_cron_spool_t:file read_file_perms;
++
++mls_file_read_to_clearance(system_cronjob_t)
++
++# anacron forces the following
++manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
++
+ # The entrypoint interface is not used as this is not
+ # a regular entrypoint. Since crontab files are
+ # not directly executed, crond must ensure that
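Review bot: `# anacron forces the following` above `manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)` does not say what is written, and the rule gives every system cron job — not only anacron — create, write and delete on the system cron spool, where the read-only rule two lines above was the previous extent. If the need is anacron's own files, name them in the comment, e.g. `# anacron updates its run timestamps under the system cron spool (which files? — confirm)`, so the grant can be narrowed if a dedicated type is introduced later. The @@ -340,9 hunk widens `cron_spool_t` for system_cronjob_t from read_file_perms to rw_file_perms in the same spirit and has no comment either.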
+@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
+ allow system_cronjob_t crond_t:fd use;
+ allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+ allow system_cronjob_t crond_t:process sigchld;
++allow crond_t system_cronjob_t:key manage_key_perms;
+
+ # Write /var/lock/makewhatis.lock.
+ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+ files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+
++# var/lib files for system_crond
++files_search_var_lib(system_cronjob_t)
++manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++
+ # Read from /var/spool/cron.
+ allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+-allow system_cronjob_t cron_spool_t:file read_file_perms;
++allow system_cronjob_t cron_spool_t:file rw_file_perms;
+
+ kernel_read_kernel_sysctls(system_cronjob_t)
+ kernel_read_system_state(system_cronjob_t)
+@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+ dev_getattr_all_blk_files(system_cronjob_t)
+ dev_getattr_all_chr_files(system_cronjob_t)
+ dev_read_urand(system_cronjob_t)
++dev_read_sysfs(system_cronjob_t)
+
+ fs_getattr_all_fs(system_cronjob_t)
+ fs_getattr_all_files(system_cronjob_t)
+@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+ # Access other spool directories like
+ # /var/spool/anacron and /var/spool/slrnpull.
+ files_manage_generic_spool(system_cronjob_t)
++files_create_boot_flag(system_cronjob_t)
+
+ init_use_script_fds(system_cronjob_t)
+ init_read_utmp(system_cronjob_t)
+@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+
+ seutil_read_config(system_cronjob_t)
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
++ allow crond_t system_cron_spool_t:file manage_file_perms;
++
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
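Review bot: `allow crond_t system_cron_spool_t:file manage_file_perms;` is inserted between the two halves of the rpm comment (`# Run the rpm program in the rpm_t domain. Allow creation of RPM log files` and `# via redirection of standard out.`), so the comment now reads as if it explained the crond rule, and the rule concerns crond_t while this ifdef block sits in the system_cronjob_t section. Move the line out of the comment into the crond_t section and give it its own why-comment, e.g. `# distro_redhat: crond rewrites the system crontab spool (why? — confirm)`.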
+@@ -439,6 +508,8 @@ optional_policy(`
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
++ apache_delete_cache_dirs(system_cronjob_t)
++ apache_delete_cache_files(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -446,6 +517,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(system_cronjob_t)
++')
++
++optional_policy(`
++ exim_read_spool_files(system_cronjob_t)
++')
++
++optional_policy(`
+ ftp_read_log(system_cronjob_t)
+ ')
+
+@@ -456,15 +535,24 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ livecd_read_tmp_files(system_cronjob_t)
++')
++
++optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+ ')
+
+ optional_policy(`
++ mono_domtrans(system_cronjob_t)
++')
++
++optional_policy(`
+ mrtg_append_create_logs(system_cronjob_t)
+ ')
+
+ optional_policy(`
+ mta_send_mail(system_cronjob_t)
++ mta_system_content(system_cron_spool_t)
+ ')
+
+ optional_policy(`
+@@ -480,7 +568,7 @@ optional_policy(`
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+- prelink_relabelfrom_lib(system_cronjob_t)
++ prelink_relabel_lib(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -495,6 +583,7 @@ optional_policy(`
+
+ optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
++ spamassassin_manage_home_client(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -502,7 +591,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ unconfined_domain(crond_t)
+ unconfined_domain(system_cronjob_t)
++')
++
++optional_policy(`
++ unconfined_shell_domtrans(crond_t)
++ unconfined_dbus_send(crond_t)
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ ')
+
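Review bot: `unconfined_domain(crond_t)` in the first optional block makes the cron daemon fully unconfined whenever the unconfined module is loaded, which on such systems retires every other crond_t rule in this file; the original only did this for system_cronjob_t. That is a substantial change in the daemon's confinement and deserves either a comment on why the daemon itself (not only its jobs) needs it or a tunable so sites can keep crond confined, e.g. `# crond is unconfined where the unconfined module is present so it can run jobs in any context; see the domain_*_change_exemption rules above`. The second block combines `unconfined_shell_domtrans(crond_t)` and `unconfined_dbus_send(crond_t)` with the pre-existing `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)` line, which appears unrelated to the unconfined module; keeping that line with `unconfined_domain(system_cronjob_t)` as before, or in its own block, would avoid tying it to the wrong module.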
+@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+ list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+
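Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies the lnk_file permission set to the `file` class, which looks like a class/permission-set mismatch: reading symlinks is already handled by `read_lnk_files_pattern` on the line above, and managing symlinks would be `:lnk_file manage_lnk_file_perms`. As written the rule gives crond unconditional create, unlink and rename (the refpolicy lnk_file manage set) on users' crontab files, which bypasses the `fcron_crond` tunable directly below whose purpose is to grant `manage_file_perms` only when fcron is in use. Please check which was intended; the likely fix is `allow crond_t user_cron_spool_t:lnk_file manage_lnk_file_perms;` or dropping the line.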
+diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
+index 1b492ed..76480c2 100644
+--- a/policy/modules/services/cups.fc
++++ b/policy/modules/services/cups.fc
+@@ -56,6 +56,7 @@
+
+ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+ /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
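Review bot: `/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)` labels a directory under /usr/lib as writable cups configuration at the highest MLS level and is placed between the /var/lib entries; this file groups entries by path prefix, so it belongs with the other /usr/local entries added at the end of the @@ -64,10 hunk, and a comment on why a driver library directory must be writable by cupsd would help (presumably a vendor driver keeps state there — confirm). The `mls_systemhigh` label here and on `/var/run/cups(/.*)?` in the next hunk pairs with `mls_trusted_object(cupsd_t)` added in the cups.te @@ -15,6 hunk; together they appear to relax MLS separation around cupsd and its runtime directory, which on an MLS policy is worth a comment next to `mls_trusted_object(cupsd_t)`, e.g. `# cupsd accepts jobs from all levels; its socket and run dir are labelled systemhigh`.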
+@@ -64,10 +65,16 @@
+
+ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+ /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+ /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++
++/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
+index 305ddf4..777091a 100644
+--- a/policy/modules/services/cups.if
++++ b/policy/modules/services/cups.if
+@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
++ type hplip_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
++ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
+
+@@ -314,11 +316,10 @@ interface(`cups_stream_connect_ptal',`
+ interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+- type cupsd_var_run_t, ptal_etc_t;
+- type ptal_var_run_t, hplip_var_run_t;
+- type cupsd_initrc_exec_t;
++ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
++ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
++ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
++ type ptal_var_run_t;
+ ')
+
+ allow $1 cupsd_t:process { ptrace signal_perms };
+@@ -341,15 +342,14 @@ interface(`cups_admin',`
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+- admin_pattern($1, cupsd_spool_t)
+- files_list_spool($1)
+-
+ admin_pattern($1, cupsd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, cupsd_var_run_t)
+ files_list_pids($1)
+
++ admin_pattern($1, hplip_etc_t)
++
+ admin_pattern($1, hplip_var_run_t)
+
+ admin_pattern($1, ptal_etc_t)
+diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
+index 0f28095..1c96265 100644
+--- a/policy/modules/services/cups.te
++++ b/policy/modules/services/cups.te
+@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
+ type cupsd_t;
+ type cupsd_exec_t;
+ init_daemon_domain(cupsd_t, cupsd_exec_t)
++mls_trusted_object(cupsd_t)
+
+ type cupsd_etc_t;
+ files_config_file(cupsd_etc_t)
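Review bot: `mls_trusted_object(cupsd_t)` is added with no comment, yet it is a policy-wide relaxation rather than a local rule: as I understand that interface, it exempts the type from the MLS constraints when it is the object of an access, so subjects at any sensitivity level may interact with cupsd. That deserves a why-comment naming the scenario that required it, e.g. `# MLS: <reason cupsd must be reachable as an object from all levels>`, so a later reviewer of an MLS build can decide whether the exemption is still needed or could be replaced by a ranged domain.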
+@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ files_search_etc(cupsd_t)
+
+ manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
++can_exec(cupsd_t, cupsd_interface_t)
+
+ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
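Review bot: `can_exec(cupsd_t, cupsd_interface_t)` now sits directly under a `manage_files_pattern` for the same type, so cupsd_t both writes and executes `cupsd_interface_t`; a domain that can rewrite its own executables can run arbitrary code in its own context, which removes most of what a separate interface type buys. If the interface scripts are installed by the package and only run by cupsd, it is the write side that should be narrowed (read plus exec); if cupsd genuinely installs them itself, say so next to the rule, e.g. `# cupsd installs and runs printer interface scripts under cupsd_interface_t`.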
+@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+
++manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ allow cupsd_t cupsd_log_t:dir setattr;
+ logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
+-allow cupsd_t cupsd_var_run_t:dir setattr;
++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
++manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
++files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
+
+ allow cupsd_t hplip_t:process { signal sigkill };
+
+@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+ allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+ stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+-allow cupsd_t ptal_var_run_t : sock_file setattr;
++allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+
+ kernel_read_system_state(cupsd_t)
+ kernel_read_network_state(cupsd_t)
+@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t)
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+ userdom_dontaudit_search_user_home_content(cupsd_t)
+
+-# Write to /var/spool/cups.
+-lpd_manage_spool(cupsd_t)
+-lpd_read_config(cupsd_t)
+-lpd_exec_lpr(cupsd_t)
+-lpd_relabel_spool(cupsd_t)
+-
+ optional_policy(`
+ apm_domtrans_client(cupsd_t)
+ ')
+@@ -297,8 +295,10 @@ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
+
++ # talk to processes that do not have policy
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
++ files_write_generic_pid_pipes(cupsd_t)
+ ')
+ ')
+
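Review bot: `files_write_generic_pid_pipes(cupsd_t)` is placed inside the optional block that wraps `unconfined_dbus_chat`, so the permission is compiled in only when the unconfined module is present although nothing in a files_ interface depends on that module; the same pattern appears in cyrus.te where `files_dontaudit_write_usr_dirs(cyrus_t)` is dropped into the snmp block. Moving each call to the unconditional part of its domain's policy (or into its own block if the dependency is real) keeps behaviour the same regardless of which modules are loaded. The new comment `# talk to processes that do not have policy` also sits above the optional_policy opener rather than next to the rule it explains; the enclosing optional_policy block starts outside this hunk.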
+@@ -315,6 +315,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Write to /var/spool/cups.
++ lpd_manage_spool(cupsd_t)
++ lpd_read_config(cupsd_t)
++ lpd_exec_lpr(cupsd_t)
++ lpd_relabel_spool(cupsd_t)
++')
++
++optional_policy(`
+ mta_send_mail(cupsd_t)
+ ')
+
+@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
++manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+ manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
++files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
+
+ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+
+@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+ userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
++userdom_rw_user_tmp_files(cupsd_config_t)
+
+ cups_stream_connect(cupsd_config_t)
+
+-lpd_read_config(cupsd_config_t)
+-
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_read_db(cupsd_config_t)
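Review bot: `userdom_rw_user_tmp_files(cupsd_config_t)` gives a system daemon read and write access to every user's temporary files with no comment on why the configuration tool needs it; that is a much wider grant than the dontaudit rules around it, and the target is content an unprivileged user controls. Either narrow it to the read side if writes are not required, or add a why-comment naming the exchange, e.g. `# TODO: document which user-tmp files cupsd_config must read and write and why`.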
+@@ -453,6 +461,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cupsd_config_t)
++')
++
++optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+@@ -467,6 +479,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ lpd_read_config(cupsd_config_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
+ userdom_read_all_users_state(cupsd_config_t)
+ ')
+@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t)
+
+ miscfiles_read_localization(cups_pdf_t)
+ miscfiles_read_fonts(cups_pdf_t)
++miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+
+ userdom_home_filetrans_user_home_dir(cups_pdf_t)
++userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
++userdom_dontaudit_search_admin_dir(cups_pdf_t)
+
+-lpd_manage_spool(cups_pdf_t)
+-
++optional_policy(`
++ lpd_manage_spool(cups_pdf_t)
++')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(cups_pdf_t)
+ ')
+
++optional_policy(`
++ gnome_read_config(cups_pdf_t)
++')
++
+ ########################################
+ #
+ # HPLIP local policy
+@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+ manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
+ manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
+
+ manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t)
+ files_read_etc_files(hplip_t)
+ files_read_etc_runtime_files(hplip_t)
+ files_read_usr_files(hplip_t)
++files_dontaudit_write_usr_dirs(hplip_t)
+
+ logging_send_syslog_msg(hplip_t)
+
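Review bot: `files_dontaudit_write_usr_dirs(hplip_t)` silences every denied write to /usr directories by hplip_t without recording which access was being hidden; a blanket dontaudit on writes under /usr also hides attempts that would otherwise indicate a misbehaving or compromised tool. Record the triggering path so the rule can be retired when upstream fixes it, e.g. `# hplip tries to create <path under /usr> at startup; harmless, so do not audit`.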
+@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+ userdom_dontaudit_search_user_home_dirs(hplip_t)
+ userdom_dontaudit_search_user_home_content(hplip_t)
+
+-lpd_read_config(hplip_t)
+-lpd_manage_spool(hplip_t)
++optional_policy(`
++ lpd_read_config(hplip_t)
++ lpd_manage_spool(hplip_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(hplip_t)
+diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
+index c43ff4c..a9783e3 100644
+--- a/policy/modules/services/cvs.if
++++ b/policy/modules/services/cvs.if
+@@ -1,5 +1,23 @@
+ ## Concurrent versions system
+
++######################################
++##
++## Dontaudit Attempts to list the CVS data and metadata.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cvs_dontaudit_list_data',`
++ gen_require(`
++ type cvs_data_t;
++ ')
++
++ dontaudit $1 cvs_data_t:dir list_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Read the CVS data and metadata.
+@@ -58,9 +76,8 @@ interface(`cvs_exec',`
+ #
+ interface(`cvs_admin',`
+ gen_require(`
+- type cvs_t, cvs_tmp_t;
++ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+ type cvs_data_t, cvs_var_run_t;
+- type cvs_initrc_exec_t;
+ ')
+
+ allow $1 cvs_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
+index 88e7e97..e18dc0b 100644
+--- a/policy/modules/services/cvs.te
++++ b/policy/modules/services/cvs.te
+@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
+ #
+
+ ##
+-##
+-## Allow cvs daemon to read shadow
+-##
++##
++## Allow cvs daemon to read shadow
++##
+ ##
+ gen_tunable(allow_cvs_read_shadow, false)
+
+@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
+ # Local policy
+ #
+
++allow cvs_t self:capability { setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:tcp_socket connected_stream_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow cvs_t self:capability { setuid setgid };
+
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+@@ -112,4 +112,5 @@ optional_policy(`
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
+ ')
+diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if
+index 9d44538..7e9057e 100644
+--- a/policy/modules/services/cyphesis.if
++++ b/policy/modules/services/cyphesis.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run cyphesis.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cyphesis_domtrans',`
+diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
+index e182bf4..aab657c 100644
+--- a/policy/modules/services/cyrus.te
++++ b/policy/modules/services/cyrus.te
+@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
+ # Local policy
+ #
+
+-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
+ dontaudit cyrus_t self:capability sys_tty_config;
+ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow cyrus_t self:process setrlimit;
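Review bot: `fsetid` is added to the cyrus_t capability set without a comment; CAP_FSETID lets a process keep set-user-ID/set-group-ID bits on files it modifies but does not own, which a mail server rarely needs and a reviewer will want justified. If it was added only to quiet an AVC seen during a chmod or chown of mailbox files, a `dontaudit cyrus_t self:capability fsetid;` in the style of the `sys_tty_config` dontaudit on the next line is the safer choice; otherwise add a why-comment on the allow line. The new entry also breaks the alphabetical order of the set (`fsetid` now precedes `dac_override`).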
+@@ -119,6 +119,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dirsrv_stream_connect(cyrus_t)
++')
++
++optional_policy(`
+ kerberos_keytab_template(cyrus, cyrus_t)
+ ')
+
+@@ -135,6 +139,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ files_dontaudit_write_usr_dirs(cyrus_t)
+ snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
+diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
+index a8b93c0..831ce70 100644
+--- a/policy/modules/services/dante.te
++++ b/policy/modules/services/dante.te
+@@ -10,7 +10,7 @@ type dante_exec_t;
+ init_daemon_domain(dante_t, dante_exec_t)
+
+ type dante_conf_t;
+-files_type(dante_conf_t)
++files_config_file(dante_conf_t)
+
+ type dante_var_run_t;
+ files_pid_file(dante_var_run_t)
+diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
+index 0d5711c..85a1dc0 100644
+--- a/policy/modules/services/dbus.if
++++ b/policy/modules/services/dbus.if
+@@ -41,9 +41,9 @@ interface(`dbus_stub',`
+ template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+-
+- attribute session_bus_type;
++ attribute dbusd_unconfined, session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
++ type $1_t;
+ ')
+
+ ##############################
+@@ -52,8 +52,7 @@ template(`dbus_role_template',`
+ #
+
+ type $1_dbusd_t, session_bus_type;
+- domain_type($1_dbusd_t)
+- domain_entry_file($1_dbusd_t, dbusd_exec_t)
++ application_domain($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
+
+@@ -62,8 +61,9 @@ template(`dbus_role_template',`
+ # Local policy
+ #
+
++ dontaudit $1_dbusd_t self:capability sys_resource;
+ allow $1_dbusd_t self:process { getattr sigkill signal };
+- dontaudit $1_dbusd_t self:process ptrace;
++ dontaudit $1_dbusd_t self:process { ptrace setrlimit };
+ allow $1_dbusd_t self:file { getattr read write };
+ allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+@@ -76,7 +76,7 @@ template(`dbus_role_template',`
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+
+ # SE-DBus specific permissions
+- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
++ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+@@ -88,14 +88,16 @@ template(`dbus_role_template',`
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+- allow $3 $1_dbusd_t:process { signull sigkill signal };
++
++ ps_process_pattern($3, $1_dbusd_t)
++ allow $3 $1_dbusd_t:process { ptrace signal_perms };
+
+ # cjp: this seems very broken
+- corecmd_bin_domtrans($1_dbusd_t, $3)
++ corecmd_bin_domtrans($1_dbusd_t, $1_t)
++ corecmd_shell_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+- allow $3 $1_dbusd_t:process sigchld;
+
+ kernel_read_system_state($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
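Review bot: The user domain `$3` now gets `ptrace` on its session bus daemon (`allow $3 $1_dbusd_t:process { ptrace signal_perms };`), which lets the user read the daemon's memory and intercept its calls; since the bus brokers messages for other confined applications in the session, that warrants a comment, or ptrace could be left to the admin interfaces if it was only added to satisfy ps/gdb use. The transition targets also switch from `$3` to `$1_t` (`corecmd_bin_domtrans($1_dbusd_t, $1_t)`, `corecmd_shell_domtrans($1_dbusd_t, $1_t)`) while the surrounding rules still use `$3`; if both name the same user domain the template should use one consistently, and if they do not the mix is a bug. The surviving `# cjp: this seems very broken` comment now sits over rewritten lines and should be resolved or refreshed.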
+@@ -116,7 +118,7 @@ template(`dbus_role_template',`
+
+ dev_read_urand($1_dbusd_t)
+
+- domain_use_interactive_fds($1_dbusd_t)
++ domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
+
+ files_read_etc_files($1_dbusd_t)
+@@ -147,19 +149,27 @@ template(`dbus_role_template',`
+ seutil_read_config($1_dbusd_t)
+ seutil_read_default_contexts($1_dbusd_t)
+
+- term_use_all_terms($1_dbusd_t)
++ term_use_all_inherited_terms($1_dbusd_t)
+
+- userdom_read_user_home_content_files($1_dbusd_t)
++ userdom_dontaudit_search_admin_dir($1_dbusd_t)
++ userdom_manage_user_home_content_dirs($1_dbusd_t)
++ userdom_manage_user_home_content_files($1_dbusd_t)
++ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
+
+- ifdef(`hide_broken_symptoms', `
++ ifdef(`hide_broken_symptoms',`
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ optional_policy(`
++ gnome_read_gconf_home_files($1_dbusd_t)
++ ')
++
++ optional_policy(`
+ hal_dbus_chat($1_dbusd_t)
+ ')
+
+ optional_policy(`
++ xserver_search_xdm_lib($1_dbusd_t)
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
+ ')
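Review bot: `userdom_manage_user_home_content_dirs($1_dbusd_t)` and `userdom_manage_user_home_content_files($1_dbusd_t)` replace a read-only rule with full create/write/delete over the user's home content for the session bus daemon, plus a filetrans into the home directory, with no comment on which files dbus-daemon must write. If the need is limited to a specific location, a dedicated type with a filetrans for it, or a narrower userdom_ interface, would confine the write; otherwise state the reason next to the rules, e.g. `# dbus-daemon writes <files> under the user home dir`.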
+@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
++ attribute dbusd_unconfined;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+@@ -197,6 +209,34 @@ interface(`dbus_system_bus_client',`
+
+ #######################################
+ ##
++## Creating connections to specified
++## DBUS sessions.
++##
++##
++##
++## The prefix of the user role (e.g., user
++## is the prefix for user_r).
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_session_client',`
++ gen_require(`
++ class dbus send_msg;
++ type $1_dbusd_t;
++ ')
++
++ allow $2 $1_dbusd_t:fd use;
++ allow $2 { $1_dbusd_t self }:dbus send_msg;
++ allow $2 $1_dbusd_t:unix_stream_socket connectto;
++')
++
++#######################################
++##
+ ## Template for creating connections to
+ ## a user DBUS.
+ ##
+@@ -217,6 +257,8 @@ interface(`dbus_session_bus_client',`
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
++
++ allow session_bus_type $1:process sigkill;
+ ')
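Review bot: `allow session_bus_type $1:process sigkill;` gives every session bus daemon the right to SIGKILL any domain that calls `dbus_session_bus_client`, a bus-to-client direction that the interface summary ("creating connections to a user DBUS") does not describe. If the reason is that dbus-daemon terminates services it activated, document it (`# session bus kills the services it activated when the session ends`) or move the permission to an activation-specific interface so ordinary bus clients are not killable by the bus.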
+
+ ########################################
+@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
++ fs_search_all($1)
++
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
++ init_stream_connect($1)
++ init_dgram_send($1)
++
+ ps_process_pattern(system_dbusd_t, $1)
+
++ userdom_dontaudit_search_admin_dir($1)
+ userdom_read_all_users_state($1)
+
+- ifdef(`hide_broken_symptoms', `
++ optional_policy(`
++ rpm_script_dbus_chat($1)
++ ')
++
++ optional_policy(`
++ unconfined_dbus_send($1)
++ ')
++
++ ifdef(`hide_broken_symptoms',`
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+ ')
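Review bot: `fs_search_all($1)` grants search on every filesystem type to each domain created through `dbus_system_domain`, a template many services go through, and nothing in the hunk says which service needed it. Unless all bus-activated services require it, the rule belongs in the service module that triggered the denial, with a comment; the added `init_stream_connect`/`init_dgram_send` calls are at least narrow in scope. The enclosing interface body starts outside this hunk.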
+@@ -497,3 +553,23 @@ interface(`dbus_unconfined',`
+
+ typeattribute $1 dbusd_unconfined;
+ ')
++
++########################################
++##
++## Delete all dbus pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_delete_pid_files',`
++ gen_require(`
++ type system_dbusd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
++
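Review bot: The new `dbus_delete_pid_files` interface is followed by an added empty line after its closing `')`, so dbus.if now ends in a blank line unlike the other interface files touched by this patch; drop the trailing line. The body itself matches the shape of `devicekit_manage_pid_files` elsewhere in this patch (`files_search_pids($1)` then the pattern call), which is fine.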
+diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
+index 86d09b4..8e05351 100644
+--- a/policy/modules/services/dbus.te
++++ b/policy/modules/services/dbus.te
+@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
+
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
++init_sock_file(system_dbusd_var_run_t)
+
+ ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
+
+ # dac_override: /var/run/dbus is owned by messagebus on Debian
+ # cjp: dac_override should probably go in a distro_debian
+-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
++allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+ dontaudit system_dbusd_t self:capability sys_tty_config;
+-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
+ allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
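Review bot: `sys_resource` is inserted at the front of the otherwise alphabetical capability list (`{ sys_resource dac_override setgid setpcap setuid }`); put it last so the set stays ordered and future diffs stay small. The session bus template in this same patch handles the equivalent access with `dontaudit` (sys_resource and setrlimit), whereas here both are allowed; CAP_SYS_RESOURCE covers more than rlimits (quota and several other overrides), so a one-line comment on why the system bus must raise its limits would justify the allow over a dontaudit.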
+@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+ read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
++manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
++files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+
+ kernel_read_system_state(system_dbusd_t)
+ kernel_read_kernel_sysctls(system_dbusd_t)
+@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
+ corecmd_list_bin(system_dbusd_t)
+ corecmd_read_bin_pipes(system_dbusd_t)
+ corecmd_read_bin_sockets(system_dbusd_t)
++# needed for system-tools-backends
++corecmd_exec_shell(system_dbusd_t)
+
+ domain_use_interactive_fds(system_dbusd_t)
+ domain_read_all_domains_state(system_dbusd_t)
+@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
+
+ init_use_fds(system_dbusd_t)
+ init_use_script_ptys(system_dbusd_t)
++init_bin_domtrans_spec(system_dbusd_t)
+ init_domtrans_script(system_dbusd_t)
++init_rw_stream_sockets(system_dbusd_t)
+
+ logging_send_audit_msgs(system_dbusd_t)
+ logging_send_syslog_msg(system_dbusd_t)
+@@ -141,10 +147,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_exec_gconf(system_dbusd_t)
++')
++
++optional_policy(`
+ cpufreqselector_dbus_chat(system_dbusd_t)
+ ')
+
+ optional_policy(`
++ networkmanager_initrc_domtrans(system_dbusd_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
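Review bot: The new `gnome_exec_gconf` optional block is inserted ahead of the `cpufreqselector` block, breaking the alphabetical ordering the neighbouring blocks appear to keep (cpufreqselector, networkmanager, policykit); move it between the cpufreqselector and networkmanager blocks. Allowing the system bus daemon to execute gconf also deserves a why-comment in the style of the `# needed for system-tools-backends` note added earlier in this file.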
+@@ -162,5 +176,12 @@ optional_policy(`
+ #
+ # Unconfined access to this module
+ #
+-
+ allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
++allow session_bus_type dbusd_unconfined:dbus send_msg;
++
++optional_policy(`
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
++ xserver_append_xdm_home_files(session_bus_type)
++')
+diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
+index 784753e..bf65e7d 100644
+--- a/policy/modules/services/dcc.if
++++ b/policy/modules/services/dcc.if
+@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+- files_search_var($1)
++ files_search_pids($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+ ')
+diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
+index ec19ff4..2f84017 100644
+--- a/policy/modules/services/dcc.te
++++ b/policy/modules/services/dcc.te
+@@ -36,7 +36,7 @@ type dcc_var_t;
+ files_type(dcc_var_t)
+
+ type dcc_var_run_t;
+-files_type(dcc_var_run_t)
++files_pid_file(dcc_var_run_t)
+
+ type dccd_t;
+ type dccd_exec_t;
+@@ -110,7 +110,7 @@ logging_send_syslog_msg(cdcc_t)
+
+ miscfiles_read_localization(cdcc_t)
+
+-userdom_use_user_terminals(cdcc_t)
++userdom_use_inherited_user_terminals(cdcc_t)
+
+ ########################################
+ #
+@@ -152,7 +152,7 @@ logging_send_syslog_msg(dcc_client_t)
+
+ miscfiles_read_localization(dcc_client_t)
+
+-userdom_use_user_terminals(dcc_client_t)
++userdom_use_inherited_user_terminals(dcc_client_t)
+
+ optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+@@ -197,7 +197,7 @@ logging_send_syslog_msg(dcc_dbclean_t)
+
+ miscfiles_read_localization(dcc_dbclean_t)
+
+-userdom_use_user_terminals(dcc_dbclean_t)
++userdom_use_inherited_user_terminals(dcc_dbclean_t)
+
+ ########################################
+ #
+diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
+index 0a1a61b..da508f4 100644
+--- a/policy/modules/services/ddclient.if
++++ b/policy/modules/services/ddclient.if
+@@ -64,8 +64,8 @@ interface(`ddclient_run',`
+ interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+- type ddclient_var_t, ddclient_var_lib_t;
+- type ddclient_var_run_t, ddclient_initrc_exec_t;
++ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
++ type ddclient_var_run_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
+index 24ba98a..b8d064a 100644
+--- a/policy/modules/services/ddclient.te
++++ b/policy/modules/services/ddclient.te
+@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
+ type ddclient_log_t;
+ logging_log_file(ddclient_log_t)
+
++type ddclient_tmp_t;
++files_tmp_file(ddclient_tmp_t)
++
+ type ddclient_var_t;
+ files_type(ddclient_var_t)
+
+@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
+ allow ddclient_t self:fifo_file rw_fifo_file_perms;
+ allow ddclient_t self:tcp_socket create_socket_perms;
+ allow ddclient_t self:udp_socket create_socket_perms;
++allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
+
+-allow ddclient_t ddclient_etc_t:file read_file_perms;
++read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
++setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+
+ allow ddclient_t ddclient_log_t:file manage_file_perms;
+ logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
++manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
++files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
++
+ manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
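Review bot: `files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })` wraps a single object class in braces, unlike every other single-class filetrans in this patch (`files_pid_filetrans(hplip_t, hplip_var_run_t, file)`); write it as `files_tmp_filetrans(ddclient_t, ddclient_tmp_t, file)`. `setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)` also lets the daemon change mode and ownership of its own configuration file, which presumably holds the provider credentials; if it was added for a single AVC from a chmod, a comment saying so helps, since a daemon able to relax the mode of a credentials file is worth a second look.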
+@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t)
+ kernel_getattr_core_if(ddclient_t)
+ kernel_getattr_message_if(ddclient_t)
+ kernel_read_kernel_sysctls(ddclient_t)
++kernel_search_network_sysctl(ddclient_t)
+
+ corecmd_exec_shell(ddclient_t)
+ corecmd_exec_bin(ddclient_t)
+@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+ corenet_udp_sendrecv_generic_node(ddclient_t)
+ corenet_tcp_sendrecv_all_ports(ddclient_t)
+ corenet_udp_sendrecv_all_ports(ddclient_t)
++corenet_tcp_bind_generic_node(ddclient_t)
++corenet_udp_bind_generic_node(ddclient_t)
+ corenet_tcp_connect_all_ports(ddclient_t)
+ corenet_sendrecv_all_client_packets(ddclient_t)
+
+@@ -89,6 +100,8 @@ files_read_usr_files(ddclient_t)
+ fs_getattr_all_fs(ddclient_t)
+ fs_search_auto_mountpoints(ddclient_t)
+
++mta_send_mail(ddclient_t)
++
+ logging_send_syslog_msg(ddclient_t)
+
+ miscfiles_read_localization(ddclient_t)
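Review bot: `mta_send_mail(ddclient_t)` is called unconditionally, whereas everywhere else in this patch the same interface sits inside an optional block (cups.te wraps `mta_send_mail(cupsd_t)` that way); if the mta module is not loaded, the bare call makes the ddclient module fail to build. Wrap it in optional_policy like the cups call and place it with the other optional blocks rather than between the fs_ and logging_ calls.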
+diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
+index 567865f..9c9e65c 100644
+--- a/policy/modules/services/denyhosts.if
++++ b/policy/modules/services/denyhosts.if
+@@ -13,12 +13,12 @@
+ ## Execute a domain transition to run denyhosts.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+-interface(`denyhosts_domtrans', `
++interface(`denyhosts_domtrans',`
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+@@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
+ ##
+ ##
+ #
+-interface(`denyhosts_initrc_domtrans', `
++interface(`denyhosts_initrc_domtrans',`
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+-interface(`denyhosts_admin', `
++interface(`denyhosts_admin',`
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+@@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+- files_search_locks($1)
++ files_list_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+ ')
+diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
+index 8ba9425..b10da2c 100644
+--- a/policy/modules/services/denyhosts.te
++++ b/policy/modules/services/denyhosts.te
+@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
+ #
+ # DenyHosts personal policy.
+ #
+-
++# Bug #588563
++allow denyhosts_t self:capability sys_tty_config;
+ allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+ allow denyhosts_t self:tcp_socket create_socket_perms;
+ allow denyhosts_t self:udp_socket create_socket_perms;
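Review bot: `allow denyhosts_t self:capability sys_tty_config;` is justified only by `# Bug #588563`; the daemons elsewhere in this patch handle the same capability with `dontaudit` (cyrus_t, system_dbusd_t), because the access is typically a harmless probe rather than something the program needs. Unless denyhosts really configures terminals, use `dontaudit denyhosts_t self:capability sys_tty_config;` and expand the comment to state what the report observed, e.g. `# Bug #588563: denyhosts probes the tty on startup; not needed, do not audit`.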
+@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+ corenet_tcp_sendrecv_generic_node(denyhosts_t)
+ corenet_tcp_bind_generic_node(denyhosts_t)
+ corenet_tcp_connect_smtp_port(denyhosts_t)
++corenet_tcp_connect_sype_port(denyhosts_t)
+ corenet_sendrecv_smtp_client_packets(denyhosts_t)
+
+ dev_read_urand(denyhosts_t)
+
+ files_read_etc_files(denyhosts_t)
++files_read_usr_files(denyhosts_t)
+
+ # /var/log/secure
+ logging_read_generic_logs(denyhosts_t)
++logging_send_syslog_msg(denyhosts_t)
+
+ miscfiles_read_localization(denyhosts_t)
+
++sysnet_dns_name_resolve(denyhosts_t)
+ sysnet_manage_config(denyhosts_t)
+ sysnet_etc_filetrans_config(denyhosts_t)
+
+ optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+ ')
++
++optional_policy(`
++ gnome_dontaudit_search_config(denyhosts_t)
++')
+diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
+index 418a5a0..28d9e41 100644
+--- a/policy/modules/services/devicekit.fc
++++ b/policy/modules/services/devicekit.fc
+@@ -8,7 +8,12 @@
+ /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+ /var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
++/var/log/pm-powersave\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
++/var/log/pm-suspend\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
++
+ /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++
+ /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
+index f706b99..22b862e 100644
+--- a/policy/modules/services/devicekit.if
++++ b/policy/modules/services/devicekit.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run devicekit.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`devicekit_domtrans',`
+@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
+ allow devicekit_power_t $1:dbus send_msg;
+ ')
+
++#######################################
++##
++## Do not audit attempts to write the devicekit
++## log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`devicekit_dontaudit_rw_log',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
++ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Allow the domain to read devicekit_power state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_read_state_power',`
++ gen_require(`
++ type devicekit_power_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, devicekit_power_t)
++')
++
+ ########################################
+ ##
+ ## Read devicekit PID files.
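Review bot: `devicekit_dontaudit_rw_log` is documented as "Do not audit attempts to write the devicekit log files" but its rule dontaudits `rw_inherited_file_perms`, i.e. reads as well as writes on inherited descriptors; make the summary match the rule, `## Do not audit attempts to read or write inherited devicekit log files.`. In `devicekit_read_state_power` the summary says "state files in /proc", while `ps_process_pattern` presumably also grants getattr on the process itself, so "read the process state of devicekit_power_t" would be the more accurate wording.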
+@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
+
+ ########################################
+ ##
+-## All of the rules required to administrate
+-## an devicekit environment
++## Do not audit attempts to read
++## devicekit PID files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+-##
++#
++interface(`devicekit_dontaudit_read_pid_files',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++')
++
++
++########################################
++##
++## Manage devicekit PID files.
++##
++##
+ ##
+-## The role to be allowed to manage the devicekit domain.
++## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`devicekit_manage_pid_files',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an devicekit environment
++##
++##
+ ##
+-## The type of the user terminal.
++## Domain allowed access.
+ ##
+ ##
+ ##
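Review bot: The rewritten `devicekit_admin` doc header no longer shows the second parameter block (previously "The role to be allowed to manage the devicekit domain"), while `denyhosts_admin` in this same patch still documents "Role allowed access"; if devicekit_admin still takes a role argument, restore that parameter description (the interface body continues in the next hunk and is cut from view here). The summary also keeps the grammar slip `an devicekit environment`, which should read `a devicekit environment`, and `devicekit_dontaudit_read_pid_files` is followed by two blank lines where the file uses one.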
+@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+- allow $1 devicekit_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_t)
+
+- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_disk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_disk_t)
+
+- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_power_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
+- files_search_tmp($1)
++ files_list_tmp($1)
+
+ admin_pattern($1, devicekit_var_lib_t)
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+
+ admin_pattern($1, devicekit_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
+ ')
+diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
+index f231f17..bf57734 100644
+--- a/policy/modules/services/devicekit.te
++++ b/policy/modules/services/devicekit.te
+@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
+ type devicekit_var_lib_t;
+ files_type(devicekit_var_lib_t)
+
++type devicekit_var_log_t;
++logging_log_file(devicekit_var_log_t)
++
+ ########################################
+ #
+ # DeviceKit local policy
+@@ -75,10 +78,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
++allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+ manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+
++kernel_list_unlabeled(devicekit_disk_t)
+ kernel_getattr_message_if(devicekit_disk_t)
+ kernel_read_fs_sysctls(devicekit_disk_t)
+ kernel_read_network_state(devicekit_disk_t)
+@@ -105,14 +110,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+
+ files_dontaudit_read_all_symlinks(devicekit_disk_t)
+ files_getattr_all_sockets(devicekit_disk_t)
+-files_getattr_all_mountpoints(devicekit_disk_t)
++files_getattr_all_dirs(devicekit_disk_t)
+ files_getattr_all_files(devicekit_disk_t)
++files_getattr_all_pipes(devicekit_disk_t)
++files_manage_boot_dirs(devicekit_disk_t)
+ files_manage_isid_type_dirs(devicekit_disk_t)
+ files_manage_mnt_dirs(devicekit_disk_t)
+ files_read_etc_files(devicekit_disk_t)
+ files_read_etc_runtime_files(devicekit_disk_t)
+ files_read_usr_files(devicekit_disk_t)
+
++fs_getattr_all_fs(devicekit_disk_t)
+ fs_list_inotifyfs(devicekit_disk_t)
+ fs_manage_fusefs_dirs(devicekit_disk_t)
+ fs_mount_all_fs(devicekit_disk_t)
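Review bot: `files_manage_boot_dirs(devicekit_disk_t)` lets the disk daemon create and remove directories under /boot, and it arrives together with `files_getattr_all_dirs` and `files_getattr_all_pipes` without any comment saying what operation needs write access to /boot. A one-line why-comment above it, such as `# TODO(review): document which devicekit-disk operation creates or removes directories in /boot`, would let a later reviewer judge whether a narrower interface fits. If the daemon only needs to see or list /boot, a read-only interface should be preferred over manage.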
+@@ -127,7 +135,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+ storage_raw_read_removable_device(devicekit_disk_t)
+ storage_raw_write_removable_device(devicekit_disk_t)
+
+-term_use_all_terms(devicekit_disk_t)
++term_use_all_inherited_terms(devicekit_disk_t)
+
+ auth_use_nsswitch(devicekit_disk_t)
+
+@@ -178,33 +186,53 @@ optional_policy(`
+ virt_manage_images(devicekit_disk_t)
+ ')
+
++#optional_policy(`
++# unconfined_domain(devicekit_t)
++# unconfined_domain(devicekit_power_t)
++# unconfined_domain(devicekit_disk_t)
++#')
++
+ ########################################
+ #
+ # DeviceKit-Power local policy
+ #
+
+ allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+-allow devicekit_power_t self:process getsched;
++allow devicekit_power_t self:process { getsched signal_perms };
+ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+ allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
++
++manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
++manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
++files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
++
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
++
++manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
++manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
++files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
++
++kernel_read_fs_sysctls(devicekit_power_t)
+ kernel_read_network_state(devicekit_power_t)
+ kernel_read_system_state(devicekit_power_t)
+ kernel_rw_hotplug_sysctls(devicekit_power_t)
+ kernel_rw_kernel_sysctl(devicekit_power_t)
++kernel_rw_vm_sysctls(devicekit_power_t)
+ kernel_search_debugfs(devicekit_power_t)
+ kernel_write_proc_files(devicekit_power_t)
+
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
+
+-consoletype_exec(devicekit_power_t)
+-
+ domain_read_all_domains_state(devicekit_power_t)
+
+ dev_read_input(devicekit_power_t)
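Review bot: The rule pair `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` / `logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)` appears twice in this hunk, once right after the socket rules and again after the var_lib block; one copy should be dropped. The commented-out `unconfined_domain` block for the three devicekit domains is dead policy text and should be removed or replaced by a comment recording why it was considered and rejected — an unconfined grant should not sit in the file as a one-character toggle. `files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)` only transitions directories; if the daemon also creates files directly in the pid directory rather than inside its own subdirectory, those files would keep the parent type, which is worth confirming against the daemon's behaviour.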
+@@ -212,21 +240,28 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_generic_chr_files(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
++dev_read_rand(devicekit_power_t)
++dev_getattr_all_chr_files(devicekit_power_t)
+
+ files_read_kernel_img(devicekit_power_t)
+ files_read_etc_files(devicekit_power_t)
++files_read_etc_runtime_files(devicekit_power_t)
+ files_read_usr_files(devicekit_power_t)
+
+ fs_list_inotifyfs(devicekit_power_t)
++fs_getattr_all_fs(devicekit_power_t)
+
+-term_use_all_terms(devicekit_power_t)
++term_use_all_inherited_terms(devicekit_power_t)
+
+ auth_use_nsswitch(devicekit_power_t)
+
+ miscfiles_read_localization(devicekit_power_t)
+
++seutil_exec_setfiles(devicekit_power_t)
++
+ sysnet_read_config(devicekit_power_t)
+ sysnet_domtrans_ifconfig(devicekit_power_t)
++sysnet_domtrans_dhcpc(devicekit_power_t)
+
+ userdom_read_all_users_state(devicekit_power_t)
+
+@@ -235,6 +270,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(devicekit_power_t)
++')
++
++optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+ ')
+
+@@ -261,14 +300,21 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_read_home_config(devicekit_power_t)
++')
++
++optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+- hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
++ networkmanager_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+@@ -276,9 +322,25 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(devicekit_power_t)
++')
++
++optional_policy(`
++ mount_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
++ readahead_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
+ udev_read_db(devicekit_power_t)
+ ')
+
+ optional_policy(`
++ usbmuxd_stream_connect(devicekit_power_t)
++')
++
++optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+ ')
+diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
+index 767e0c7..7956248 100644
+--- a/policy/modules/services/dhcp.fc
++++ b/policy/modules/services/dhcp.fc
+@@ -1,8 +1,8 @@
+-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+ /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+ /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
++/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
+index 5e2cea8..7e129ff 100644
+--- a/policy/modules/services/dhcp.if
++++ b/policy/modules/services/dhcp.if
+@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
+ ')
+
+ sysnet_search_dhcp_state($1)
+- allow $1 dhcpd_state_t:file setattr;
++ allow $1 dhcpd_state_t:file setattr_file_perms;
+ ')
+
+ ########################################
+@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
+ #
+ interface(`dhcpd_admin',`
+ gen_require(`
+- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
++ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ ')
+
+diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
+index d4424ad..2e09383 100644
+--- a/policy/modules/services/dhcp.te
++++ b/policy/modules/services/dhcp.te
+@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
+ corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+ corenet_sendrecv_pxe_server_packets(dhcpd_t)
+ corenet_sendrecv_all_client_packets(dhcpd_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
++corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+
+ dev_read_sysfs(dhcpd_t)
+ dev_read_rand(dhcpd_t)
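Review bot: `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` grants binding of every unreserved UDP port and is paired with `corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)`, so any future attempt by dhcpd to bind a reserved port will be denied silently instead of surfacing in the audit log. Neither line says which traffic needs an ephemeral bind; a one-liner such as `# TODO(review): name the dhcpd operation that binds an unreserved UDP source port` above the pair would make the grant reviewable. If the bind is in fact to one specific port, a per-port corenet bind interface is the narrower choice.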
+@@ -111,6 +113,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cobbler_dontaudit_rw_log(dhcpd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(dhcpd_t)
+ dbus_connect_system_bus(dhcpd_t)
+ ')
+diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
+new file mode 100644
+index 0000000..2ce40a0
+--- /dev/null
++++ b/policy/modules/services/dirsrv-admin.fc
+@@ -0,0 +1,11 @@
++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++
++/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++
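Review bot: The two CGI entries hard-code `/usr/lib64/`, so on installs where the directories live under /usr/lib nothing in this file labels them and they presumably inherit whatever the surrounding lib path is labelled with, which would break the httpd content transition. The usual refpolicy form is `/usr/lib(64)?/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)` and likewise for `dsgw-cgi-bin`. The trailing empty line at the end of the new file should also go.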
+diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
+new file mode 100644
+index 0000000..60c81d6
+--- /dev/null
++++ b/policy/modules/services/dirsrv-admin.if
+@@ -0,0 +1,95 @@
++## Administration Server for Directory Server, dirsrv-admin.
++
++########################################
++##
++## Exec dirsrv-admin programs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_run_exec',`
++ gen_require(`
++ type dirsrvadmin_exec_t;
++ ')
++
++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
++ can_exec($1, dirsrvadmin_exec_t)
++')
++
++########################################
++##
++## Exec cgi programs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_run_httpd_script_exec',`
++ gen_require(`
++ type httpd_dirsrvadmin_script_exec_t;
++ ')
++
++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_dirsrvadmin_script_exec_t)
++')
++
++########################################
++##
++## Manage dirsrv-adminserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_read_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
++')
++
++########################################
++##
++## Manage dirsrv-adminserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_manage_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
++ allow $1 dirsrvadmin_config_t:file manage_file_perms;
++')
++
++########################################
++##
++## Manage dirsrv-adminserver tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_manage_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
++
++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
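Review bot: The summary of `dirsrvadmin_read_config` says "Manage dirsrv-adminserver configuration files." but the body only grants read via `read_files_pattern`; it should read `## Read dirsrv-adminserver configuration files.` so the generated interface documentation does not overstate the grant. `dirsrvadmin_manage_tmp` grants manage on `dirsrvadmin_tmp_t` without letting the caller reach /tmp; the sibling interfaces in this series (for example `files_search_pids($1)` ahead of the pid rules in `devicekit_manage_pid_files`) suggest adding `files_search_tmp($1)` before the two pattern calls. Both `dirsrvadmin_run_exec` and `dirsrvadmin_run_httpd_script_exec` allow `dir search_dir_perms` on an `_exec_t` type; if those types only ever label files the dir rule is dead, and a comment stating which objects carry the type would settle it.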
+diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
+new file mode 100644
+index 0000000..b7fc006
+--- /dev/null
++++ b/policy/modules/services/dirsrv-admin.te
+@@ -0,0 +1,100 @@
++policy_module(dirsrv-admin,1.0.0)
++
++########################################
++#
++# Declarations for the daemon
++#
++
++type dirsrvadmin_t;
++type dirsrvadmin_exec_t;
++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
++role system_r types dirsrvadmin_t;
++
++type dirsrvadmin_config_t;
++files_type(dirsrvadmin_config_t)
++
++type dirsrvadmin_tmp_t;
++files_tmp_file(dirsrvadmin_tmp_t)
++
++########################################
++#
++# Local policy for the daemon
++#
++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config };
++
++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrvadmin_t)
++
++corecmd_exec_bin(dirsrvadmin_t)
++corecmd_read_bin_symlinks(dirsrvadmin_t)
++corecmd_search_bin(dirsrvadmin_t)
++corecmd_shell_entry_type(dirsrvadmin_t)
++
++files_exec_etc_files(dirsrvadmin_t)
++
++libs_exec_ld_so(dirsrvadmin_t)
++
++logging_search_logs(dirsrvadmin_t)
++
++miscfiles_read_localization(dirsrvadmin_t)
++
++# Needed for stop and restart scripts
++dirsrv_read_var_run(dirsrvadmin_t)
++
++optional_policy(`
++ apache_domtrans(dirsrvadmin_t)
++ apache_signal(dirsrvadmin_t)
++')
++
++########################################
++#
++# Local policy for the CGIs
++#
++#
++#
++# Create a domain for the CGI scripts
++
++optional_policy(`
++ apache_content_template(dirsrvadmin)
++
++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++
++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++
++ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
++ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++
++ files_search_var_lib(httpd_dirsrvadmin_script_t)
++
++ sysnet_read_config(httpd_dirsrvadmin_script_t)
++
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++
++ # The CGI scripts must be able to manage dirsrv-admin
++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++ dirsrv_signal(httpd_dirsrvadmin_script_t)
++ dirsrv_signull(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_read_share(httpd_dirsrvadmin_script_t)
++')
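Review bot: `dirsrv_read_var_run(dirsrvadmin_t)` calls an interface from the separate dirsrv module outside any `optional_policy` block, unlike the `apache_*` calls a few lines below; if the dirsrv module is not part of the build the macro is undefined and this module fails to compile, so wrap the call in an optional_policy block exactly like the apache one. The CGI domain receives `dac_override`, `dac_read_search`, `chown`, `setuid`, `setgid` and `kill`, manages both the admin-server and the directory-server configuration, and may transition into `dirsrv_t`; that is a large amount of authority for a web-reachable script domain. The single comment "The CGI scripts must be able to manage dirsrv-admin" should be expanded to say which CGI operations need each capability and each `dirsrv_*` grant, so the set can be pruned later instead of growing by accretion.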
+diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
+new file mode 100644
+index 0000000..3aae725
+--- /dev/null
++++ b/policy/modules/services/dirsrv.fc
+@@ -0,0 +1,20 @@
++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
++
++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++
++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
++
++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
++
++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
++
++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
++
++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
++
++/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
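Review bot: The last entry, `/var/log/dirsrv/ldap-agent.log`, has an unescaped `.` (a regex wildcard in an fc file) and, unlike the other file entries here, no `--` file-type field, so it also matches non-regular files with that name; it should be `/var/log/dirsrv/ldap-agent\.log -- gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)`. The pid entry has the same missing `--`: `/var/run/ldap-agent\.pid -- gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)`.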
+diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if
+new file mode 100644
+index 0000000..9d8f5de
+--- /dev/null
++++ b/policy/modules/services/dirsrv.if
+@@ -0,0 +1,212 @@
++## policy for dirsrv
++
++########################################
++##
++## Execute a domain transition to run dirsrv.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dirsrv_domtrans',`
++ gen_require(`
++ type dirsrv_t, dirsrv_exec_t;
++ ')
++
++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit dirsrv_t $1:socket_class_set { read write };
++ ')
++')
++
++
++########################################
++##
++## Allow caller to signal dirsrv.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_signal',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signal;
++')
++
++
++########################################
++##
++## Send a null signal to dirsrv.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_signull',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signull;
++')
++
++#######################################
++##
++## Allow a domain to manage dirsrv logs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_log',`
++ gen_require(`
++ type dirsrv_var_log_t;
++ ')
++
++ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_log_t:file manage_file_perms;
++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
++')
++
++#######################################
++##
++## Allow a domain to manage dirsrv /var/lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_var_lib',`
++ gen_require(`
++ type dirsrv_var_lib_t;
++ ')
++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_lib_t:file manage_file_perms;
++')
++
++########################################
++##
++## Connect to dirsrv over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_stream_connect',`
++ gen_require(`
++ type dirsrv_t, dirsrv_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
++')
++
++#######################################
++##
++## Allow a domain to manage dirsrv /var/run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_run_t:file manage_file_perms;
++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
++')
++
++######################################
++##
++## Allow a domain to create dirsrv pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_pid_filetrans',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ # Allow creating a dir in /var/run with this type
++ files_pid_filetrans($1, dirsrv_var_run_t, dir)
++')
++
++#######################################
++##
++## Allow a domain to read dirsrv /var/run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_read_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir list_dir_perms;
++ allow $1 dirsrv_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Manage dirsrv configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_config',`
++ gen_require(`
++ type dirsrv_config_t;
++ ')
++
++ allow $1 dirsrv_config_t:dir manage_dir_perms;
++ allow $1 dirsrv_config_t:file manage_file_perms;
++')
++
++########################################
++##
++## Read dirsrv share files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_read_share',`
++ gen_require(`
++ type dirsrv_share_t;
++ ')
++
++ allow $1 dirsrv_share_t:dir list_dir_perms;
++ allow $1 dirsrv_share_t:file read_file_perms;
++ allow $1 dirsrv_share_t:lnk_file read;
++')
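Review bot: In `dirsrv_manage_var_run` the `sock_file` rule applies `manage_file_perms`, a permission set defined for the file class; the matching set is `manage_sock_file_perms`, so the line should be `allow $1 dirsrv_var_run_t:sock_file manage_sock_file_perms;`. `dirsrv_read_share` grants the bare `read` permission on `lnk_file` where the rest of the file uses permission-set macros; `allow $1 dirsrv_share_t:lnk_file read_lnk_file_perms;` keeps it consistent. The `dirsrv_manage_var_lib`, `dirsrv_manage_var_run`, `dirsrv_pid_filetrans` and `dirsrv_read_var_run` interfaces also omit the blank line after `gen_require` that every other interface in the file has — minor, but the file is new, so it is cheap to fix now.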
+diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
+new file mode 100644
+index 0000000..24f776b
+--- /dev/null
++++ b/policy/modules/services/dirsrv.te
+@@ -0,0 +1,178 @@
++policy_module(dirsrv,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++# main daemon
++type dirsrv_t;
++type dirsrv_exec_t;
++domain_type(dirsrv_t)
++init_daemon_domain(dirsrv_t, dirsrv_exec_t)
++
++type dirsrv_snmp_t;
++type dirsrv_snmp_exec_t;
++domain_type(dirsrv_snmp_t)
++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
++
++type dirsrv_var_lib_t;
++files_type(dirsrv_var_lib_t)
++
++type dirsrv_var_log_t;
++logging_log_file(dirsrv_var_log_t)
++
++type dirsrv_snmp_var_log_t;
++logging_log_file(dirsrv_snmp_var_log_t)
++
++type dirsrv_var_run_t;
++files_pid_file(dirsrv_var_run_t)
++
++type dirsrv_snmp_var_run_t;
++files_pid_file(dirsrv_snmp_var_run_t)
++
++type dirsrv_var_lock_t;
++files_lock_file(dirsrv_var_lock_t)
++
++type dirsrv_config_t;
++files_type(dirsrv_config_t)
++
++type dirsrv_tmp_t;
++files_tmp_file(dirsrv_tmp_t)
++
++type dirsrv_tmpfs_t;
++files_tmpfs_file(dirsrv_tmpfs_t)
++
++type dirsrv_share_t;
++files_type(dirsrv_share_t);
++
++########################################
++#
++# dirsrv local policy
++#
++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
++allow dirsrv_t self:fifo_file rw_fifo_file_perms;
++allow dirsrv_t self:sem create_sem_perms;
++allow dirsrv_t self:tcp_socket create_stream_socket_perms;
++
++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
++
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
++
++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++allow dirsrv_t dirsrv_var_log_t:dir { setattr };
++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
++
++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
++
++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })
++
++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrv_t)
++
++corecmd_search_sbin(dirsrv_t)
++
++corenet_all_recvfrom_unlabeled(dirsrv_t)
++corenet_all_recvfrom_netlabel(dirsrv_t)
++corenet_tcp_sendrecv_generic_if(dirsrv_t)
++corenet_tcp_sendrecv_generic_node(dirsrv_t)
++corenet_tcp_sendrecv_all_ports(dirsrv_t)
++corenet_tcp_bind_generic_node(dirsrv_t)
++corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_dogtag_port(dirsrv_t)
++corenet_tcp_bind_all_rpc_ports(dirsrv_t)
++corenet_udp_bind_all_rpc_ports(dirsrv_t)
++corenet_tcp_connect_all_ports(dirsrv_t)
++corenet_sendrecv_ldap_server_packets(dirsrv_t)
++corenet_sendrecv_all_client_packets(dirsrv_t)
++
++dev_read_urand(dirsrv_t)
++
++files_read_etc_files(dirsrv_t)
++files_read_usr_symlinks(dirsrv_t)
++
++fs_getattr_all_fs(dirsrv_t)
++
++logging_send_syslog_msg(dirsrv_t)
++
++miscfiles_read_localization(dirsrv_t)
++
++sysnet_dns_name_resolve(dirsrv_t)
++
++optional_policy(`
++ apache_dontaudit_leaks(dirsrv_t)
++')
++
++optional_policy(`
++ kerberos_use(dirsrv_t)
++')
++
++optional_policy(`
++ rpcbind_stream_connect(dirsrv_t)
++')
++
++########################################
++#
++# dirsrv-snmp local policy
++#
++allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
++
++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
++
++corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
++
++dev_read_rand(dirsrv_snmp_t)
++dev_read_urand(dirsrv_snmp_t)
++
++domain_use_interactive_fds(dirsrv_snmp_t)
++
++#files_manage_var_files(dirsrv_snmp_t)
++files_read_etc_files(dirsrv_snmp_t)
++files_read_usr_files(dirsrv_snmp_t)
++
++fs_getattr_tmpfs(dirsrv_snmp_t)
++fs_search_tmpfs(dirsrv_snmp_t)
++
++miscfiles_read_localization(dirsrv_snmp_t)
++
++sysnet_read_config(dirsrv_snmp_t)
++sysnet_dns_name_resolve(dirsrv_snmp_t)
++
++optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
++ snmp_manage_var_lib_files(dirsrv_snmp_t)
++ snmp_stream_connect(dirsrv_snmp_t)
++')
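Review bot: `files_type(dirsrv_share_t);` and `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);` carry a trailing `;` after an m4 macro call, which no other macro call in the file does; the semicolon is passed through into the expanded policy as a stray token and should be removed. `domain_type(dirsrv_t)` and `domain_type(dirsrv_snmp_t)` should already be applied by the `init_daemon_domain` calls on the following lines, and `allow dirsrv_t dirsrv_var_log_t:dir { setattr };` is already covered by the `manage_dirs_pattern` on the log type three lines above it. `logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })` transitions sockets into `dirsrv_var_log_t`, yet no rule in the file grants `dirsrv_t` any `sock_file` permission on that type, so either the `sock_file` transition is unnecessary or a `manage_sock_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)` line is missing — presumably the latter if the server creates a socket under its log directory.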
+diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
+index 03b5286..fcafa0b 100644
+--- a/policy/modules/services/djbdns.te
++++ b/policy/modules/services/djbdns.te
+@@ -23,9 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
+ # Local policy for axfrdns component
+ #
+
+-daemontools_ipc_domain(djbdns_axfrdns_t)
+-daemontools_read_svc(djbdns_axfrdns_t)
+-
+ allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+ allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
+@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+
+ files_search_var(djbdns_axfrdns_t)
+
++daemontools_ipc_domain(djbdns_axfrdns_t)
++daemontools_read_svc(djbdns_axfrdns_t)
++
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+ ########################################
+diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
+index dc1056c..bd60100 100644
+--- a/policy/modules/services/dkim.fc
++++ b/policy/modules/services/dkim.fc
+@@ -7,3 +7,5 @@
+ /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
++
++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
+index b886676..ad3210e 100644
+--- a/policy/modules/services/dnsmasq.fc
++++ b/policy/modules/services/dnsmasq.fc
+@@ -6,7 +6,7 @@
+ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+-/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
++/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
+ /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
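Review bot: The new `/var/log/dnsmasq.* --` entry drops the `\.log` anchor of the line it replaces and leaves the `.` unescaped, so it is a regex wildcard: every regular file under /var/log whose name starts with `dnsmasq`, not only the daemon's log and its rotations, gets `dnsmasq_var_log_t`. If the intent is to cover rotated logs, `/var/log/dnsmasq\.log.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)` does that without claiming unrelated files.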
+diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
+index 9bd812b..c808b31 100644
+--- a/policy/modules/services/dnsmasq.if
++++ b/policy/modules/services/dnsmasq.if
+@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
+ ## Read dnsmasq config files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`dnsmasq_read_config',`
+@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
+ ## Write to dnsmasq config files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`dnsmasq_write_config',`
+@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
+ ##
+ ##
+ #
+-#
+ interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
++ files_search_pids($1)
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
+
+@@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',`
+ type dnsmasq_var_run_t;
+ ')
+
++ files_search_pids($1)
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
+
+diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
+index fdaeeba..df87ba8 100644
+--- a/policy/modules/services/dnsmasq.te
++++ b/policy/modules/services/dnsmasq.te
+@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+ manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+ logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
++manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
++files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+
+ kernel_read_kernel_sysctls(dnsmasq_t)
+ kernel_read_system_state(dnsmasq_t)
+@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
+
+ miscfiles_read_localization(dnsmasq_t)
+
++sysnet_dns_name_resolve(dnsmasq_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+ userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
+
+@@ -96,7 +99,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cron_manage_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(dnsmasq_t)
++ dbus_connect_system_bus(dnsmasq_t)
++')
++
++optional_policy(`
++ ppp_read_pid_files(dnsmasq_t)
+ ')
+
+ optional_policy(`
+@@ -114,4 +126,5 @@ optional_policy(`
+ optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
++ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ ')
+diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
+index bfc880b..9a1dcba 100644
+--- a/policy/modules/services/dovecot.fc
++++ b/policy/modules/services/dovecot.fc
+@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
+ ifdef(`distro_redhat', `
+ /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ ')
+
+diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
+index e1d7dc5..673f185 100644
+--- a/policy/modules/services/dovecot.if
++++ b/policy/modules/services/dovecot.if
+@@ -1,5 +1,24 @@
+ ## Dovecot POP and IMAP mail server
+
++#######################################
++##
++## Connect to dovecot unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dovecot_stream_connect',`
++ gen_require(`
++ type dovecot_t, dovecot_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
++')
++
+ ########################################
+ ##
+ ## Connect to dovecot auth unix domain stream socket.
+@@ -9,13 +28,13 @@
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+ ')
+
+@@ -52,6 +71,7 @@ interface(`dovecot_manage_spool',`
+ type dovecot_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ ')
+@@ -93,12 +113,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+ #
+ interface(`dovecot_admin',`
+ gen_require(`
+- type dovecot_t, dovecot_etc_t, dovecot_log_t;
+- type dovecot_spool_t, dovecot_var_lib_t;
+- type dovecot_var_run_t;
+-
+- type dovecot_cert_t, dovecot_passwd_t;
+- type dovecot_initrc_exec_t;
++ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
++ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
++ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
++ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+@@ -112,8 +130,11 @@ interface(`dovecot_admin',`
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+- logging_list_logs($1)
+- admin_pattern($1, dovecot_log_t)
++ files_list_tmp($1)
++ admin_pattern($1, dovecot_auth_tmp_t)
++ admin_pattern($1, dovecot_tmp_t)
++
++ admin_pattern($1, dovecot_keytab_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+@@ -121,6 +142,9 @@ interface(`dovecot_admin',`
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
++ logging_search_logs($1)
++ admin_pattern($1, dovecot_var_log_t)
++
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
+index cbe14e4..778b174 100644
+--- a/policy/modules/services/dovecot.te
++++ b/policy/modules/services/dovecot.te
+@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
+ files_tmp_file(dovecot_auth_tmp_t)
+
+ type dovecot_cert_t;
+-files_type(dovecot_cert_t)
++miscfiles_cert_type(dovecot_cert_t)
+
+ type dovecot_deliver_t;
+ type dovecot_deliver_exec_t;
+@@ -26,6 +26,9 @@ domain_type(dovecot_deliver_t)
+ domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+ role system_r types dovecot_deliver_t;
+
++type dovecot_deliver_tmp_t;
++files_tmp_file(dovecot_deliver_tmp_t)
++
+ type dovecot_etc_t;
+ files_config_file(dovecot_etc_t)
+
+@@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t)
+ # dovecot local policy
+ #
+
+-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
++allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
+ dontaudit dovecot_t self:capability sys_tty_config;
+-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
++allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
+ allow dovecot_t self:fifo_file rw_fifo_file_perms;
+ allow dovecot_t self:tcp_socket create_stream_socket_perms;
+ allow dovecot_t self:unix_dgram_socket create_socket_perms;
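Review bot: The dovecot_t capability set gains `fsetid` and the process permissions gain `setsched` without a comment on which operation required them; capability additions are the lines a policy audit looks at first, and the same applies to `ipc_lock` added to dovecot_auth_t in the `@@ -179,7 +196,7 @@` hunk below. A short comment above each, e.g. `# fsetid: <operation> (see <AVC/bug reference>)`, would record the justification. If the grants came from an audit2allow run, confirm that each corresponds to a real dovecot operation rather than a one-off denial.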
+@@ -72,7 +75,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+ read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+ read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+-allow dovecot_t dovecot_etc_t:file read_file_perms;
++allow dovecot_t dovecot_etc_t:dir list_dir_perms;
++read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+ files_search_etc(dovecot_t)
+
+ can_exec(dovecot_t, dovecot_exec_t)
+@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
++manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
+
+ kernel_read_kernel_sysctls(dovecot_t)
+ kernel_read_system_state(dovecot_t)
+@@ -110,6 +116,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+ corenet_tcp_bind_generic_node(dovecot_t)
+ corenet_tcp_bind_mail_port(dovecot_t)
+ corenet_tcp_bind_pop_port(dovecot_t)
++corenet_tcp_bind_lmtp_port(dovecot_t)
++corenet_tcp_bind_sieve_port(dovecot_t)
+ corenet_tcp_connect_all_ports(dovecot_t)
+ corenet_tcp_connect_postgresql_port(dovecot_t)
+ corenet_sendrecv_pop_server_packets(dovecot_t)
+@@ -159,6 +167,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_manage_data(dovecot_t)
++')
++
++optional_policy(`
++ postfix_manage_private_sockets(dovecot_t)
++ postfix_search_spool(dovecot_t)
++')
++
++optional_policy(`
+ postgresql_stream_connect(dovecot_t)
+ ')
+
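Review bot: `gnome_manage_data(dovecot_t)` is a broad grant (create, write and delete GNOME user data files) for a mail server daemon and carries no comment explaining what dovecot needs it for; the same applies to `gnome_manage_data(dovecot_deliver_t)` in the last dovecot.te hunk. Add a why-comment above the call, e.g. `# needed for <operation> — see <bug/AVC reference>`, or narrow it to a read/search interface if that is all the denial showed.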
+@@ -179,7 +196,7 @@ optional_policy(`
+ # dovecot auth local policy
+ #
+
+-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
+ allow dovecot_auth_t self:process { signal_perms getcap setcap };
+ allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
+ allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+@@ -189,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+
+ read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
++read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
++
+ manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+@@ -235,6 +255,8 @@ optional_policy(`
+ optional_policy(`
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
++ mysql_read_config(dovecot_auth_t)
++ mysql_tcp_connect(dovecot_auth_t)
+ ')
+
+ optional_policy(`
+@@ -242,6 +264,8 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ postfix_manage_private_sockets(dovecot_auth_t)
++ postfix_rw_master_pipes(dovecot_deliver_t)
+ postfix_search_spool(dovecot_auth_t)
+ ')
+
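Review bot: `postfix_rw_master_pipes(dovecot_deliver_t)` is added inside the dovecot_auth_t section's postfix block, between `postfix_manage_private_sockets(dovecot_auth_t)` and `postfix_search_spool(dovecot_auth_t)`, while every other dovecot_deliver_t rule lives in the "dovecot deliver local policy" section that follows. Move the line into a postfix `optional_policy` block in the deliver section so the per-domain grouping the file otherwise keeps stays intact and the auth block does not silently carry rules for another domain.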
+@@ -249,23 +273,40 @@ optional_policy(`
+ #
+ # dovecot deliver local policy
+ #
++
++allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
+ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+ allow dovecot_deliver_t dovecot_t:process signull;
+
+-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
++
+ allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
++allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
++
++append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
++
++manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
++
++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
++
+ kernel_read_all_sysctls(dovecot_deliver_t)
+ kernel_read_system_state(dovecot_deliver_t)
+
++corecmd_exec_bin(dovecot_deliver_t)
++
+ files_read_etc_files(dovecot_deliver_t)
+ files_read_etc_runtime_files(dovecot_deliver_t)
+
+ auth_use_nsswitch(dovecot_deliver_t)
+
+ logging_send_syslog_msg(dovecot_deliver_t)
+-logging_search_logs(dovecot_auth_t)
++logging_append_all_logs(dovecot_deliver_t)
+
+ miscfiles_read_localization(dovecot_deliver_t)
+
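Review bot: `logging_append_all_logs(dovecot_deliver_t)` grants append access to every log type on the system, while the same hunk already adds `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` for dovecot's own log. Unless deliver is known to write into other services' logs, the narrower replacement for the removed (and misplaced) `logging_search_logs(dovecot_auth_t)` is `logging_search_logs(dovecot_deliver_t)`, which a `*_var_log_t` append pattern is normally paired with so the domain can traverse the log directory. If the broad grant is intentional, a comment naming the log it writes to would let the next reviewer keep it.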
+@@ -301,5 +342,15 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+
+ optional_policy(`
++ gnome_manage_data(dovecot_deliver_t)
++')
++
++optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
++ mta_read_queue(dovecot_deliver_t)
++')
++
++optional_policy(`
++ # Handle sieve scripts
++ sendmail_domtrans(dovecot_deliver_t)
+ ')
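Review bot: The comment `# Handle sieve scripts` above `sendmail_domtrans(dovecot_deliver_t)` names a feature but not why a transition into the sendmail domain is required for it, so a reader cannot judge whether the transition is still needed on a system without sieve. Expand it to state the operation, e.g. `# sieve actions that re-send mail invoke the MTA; run it in its own domain` — confirm against the denial that motivated the rule before committing the wording.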
+diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc
+new file mode 100644
+index 0000000..f96c4f2
+--- /dev/null
++++ b/policy/modules/services/drbd.fc
+@@ -0,0 +1,9 @@
++
++/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
++/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
++
++/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
++
++/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
++
++
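Review bot: The `/usr/lib/ocf/resource.\d/linbit/drbd` entry does not match the intended path: file-context specs are regular expressions, so the unescaped `.` matches any character and `\d` is a digit class rather than a literal `d`, leaving `/usr/lib/ocf/resource.d/linbit/drbd` unlabelled. Escape the dot and drop the backslash on `d`: `/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)`. The new file also opens with a blank line and ends with two; trimming them is the usual convention for .fc files.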
+diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if
+new file mode 100644
+index 0000000..63f11d9
+--- /dev/null
++++ b/policy/modules/services/drbd.if
+@@ -0,0 +1,130 @@
++
++## policy for drbd
++
++########################################
++##
++## Execute a domain transition to run drbd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_domtrans',`
++ gen_require(`
++ type drbd_t, drbd_exec_t;
++ ')
++
++ domtrans_pattern($1, drbd_exec_t, drbd_t)
++')
++
++########################################
++##
++## Search drbd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_search_lib',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ allow $1 drbd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read drbd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_read_lib_files',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## drbd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_manage_lib_files',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++')
++
++########################################
++##
++## Manage drbd lib dirs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_manage_lib_dirs',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an drbd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`drbd_admin',`
++ gen_require(`
++ type drbd_t;
++ type drbd_var_lib_t;
++ ')
++
++ allow $1 drbd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, drbd_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, drbd_var_lib_t)
++
++')
++
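Review bot: `drbd_admin` documents a second parameter ("Role allowed access") but its body never references `$2`, so callers pass a role that has no effect. Either remove the role paragraph from the header comment, or add the init-script transition and `role_transition $2 <initrc_exec_type> system_r; allow $2 system_r;` rules that the other admin interfaces in this patch carry — which would first need a `drbd_initrc_exec_t` type and a labelled init script, neither of which the new drbd.te and drbd.fc declare. Minor wording: `## an drbd environment` should read `## a drbd environment`, and `drbd_search_lib` issues its `allow` before `files_search_var_lib($1)` while the sibling interfaces call the search interface first.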
+diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
+new file mode 100644
+index 0000000..1453c54
+--- /dev/null
++++ b/policy/modules/services/drbd.te
+@@ -0,0 +1,55 @@
++
++policy_module(drbd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type drbd_t;
++type drbd_exec_t;
++init_daemon_domain(drbd_t, drbd_exec_t)
++
++type drbd_var_lib_t;
++files_type(drbd_var_lib_t)
++
++type drbd_lock_t;
++files_lock_file(drbd_lock_t)
++
++########################################
++#
++# drbd local policy
++#
++
++allow drbd_t self:capability net_admin;
++
++allow drbd_t self:capability { kill };
++allow drbd_t self:process { fork };
++
++allow drbd_t self:fifo_file rw_fifo_file_perms;
++allow drbd_t self:unix_stream_socket create_stream_socket_perms;
++allow drbd_t self:netlink_socket create_socket_perms;
++allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
++
++manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
++manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
++manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
++files_var_lib_filetrans(drbd_t, drbd_var_lib_t, { dir file } )
++
++manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
++files_lock_filetrans(drbd_t, drbd_lock_t, file)
++
++can_exec(drbd_t, drbd_exec_t)
++
++kernel_read_system_state(drbd_t)
++
++dev_read_sysfs(drbd_t)
++
++files_read_etc_files(drbd_t)
++
++storage_raw_read_fixed_disk(drbd_t)
++
++miscfiles_read_localization(drbd_t)
++
++sysnet_dns_name_resolve(drbd_t)
++
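Review bot: The two `self:capability` rules at the top of the local policy should be a single `allow drbd_t self:capability { kill net_admin };`; splitting one object class across two lines with a blank line between them reads like unmerged audit2allow output. `allow drbd_t self:process { fork };` is likely redundant as well, since the base domain policy normally grants fork to every domain — confirm against domain.te before dropping it. A one-line comment on why `storage_raw_read_fixed_disk(drbd_t)` is required would help later audits, since raw access to fixed disks is a sensitive grant.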
+diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
+index 298f066..c2570df 100644
+--- a/policy/modules/services/exim.fc
++++ b/policy/modules/services/exim.fc
+@@ -1,3 +1,6 @@
++
++/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
++
+ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+ /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+ /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
+index 6bef7f8..464669c 100644
+--- a/policy/modules/services/exim.if
++++ b/policy/modules/services/exim.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run exim.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`exim_domtrans',`
+@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
+
+ ########################################
+ ##
++## Execute exim in the exim domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`exim_initrc_domtrans',`
++ gen_require(`
++ type exim_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, exim_initrc_exec_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to read,
+ ## exim tmp files
+ ##
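Review bot: The summary of the new `exim_initrc_domtrans` interface, `## Execute exim in the exim domain.`, describes `exim_domtrans` rather than this interface, which transitions through the labelled init script via `init_labeled_script_domtrans`. Change it to `## Execute exim server in the exim init script domain.` so the generated interface documentation distinguishes the two.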
+@@ -101,9 +119,9 @@ interface(`exim_read_log',`
+ ## exim log files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`exim_append_log',`
+@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an exim environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`exim_admin',`
++ gen_require(`
++ type exim_t, exim_initrc_exec_t, exim_log_t;
++ type exim_tmp_t, exim_spool_t, exim_var_run_t;
++ ')
++
++ allow $1 exim_t:process { ptrace signal_perms };
++ ps_process_pattern($1, exim_t)
++
++ exim_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 exim_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_list_logs($1)
++ admin_pattern($1, exim_log_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, exim_tmp_t)
++
++ files_list_spool($1)
++ admin_pattern($1, exim_spool_t)
++
++ files_list_pids($1)
++ admin_pattern($1, exim_var_run_t)
++')
+diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
+index f28f64b..18c3c33 100644
+--- a/policy/modules/services/exim.te
++++ b/policy/modules/services/exim.te
+@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
+ #
+
+ ##
+-##
+-## Allow exim to connect to databases (postgres, mysql)
+-##
++##
++## Allow exim to connect to databases (postgres, mysql)
++##
+ ##
+ gen_tunable(exim_can_connect_db, false)
+
+ ##
+-##
+-## Allow exim to read unprivileged user files.
+-##
++##
++## Allow exim to read unprivileged user files.
++##
+ ##
+ gen_tunable(exim_read_user_files, false)
+
+ ##
+-##
+-## Allow exim to create, read, write, and delete
+-## unprivileged user files.
+-##
++##
++## Allow exim to create, read, write, and delete
++## unprivileged user files.
++##
+ ##
+ gen_tunable(exim_manage_user_files, false)
+
+@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t)
+ application_executable_file(exim_exec_t)
+ mta_agent_executable(exim_exec_t)
+
++type exim_initrc_exec_t;
++init_script_file(exim_initrc_exec_t)
++
+ type exim_log_t;
+ logging_log_file(exim_log_t)
+
+@@ -171,6 +174,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ nagios_search_spool(exim_t)
++')
++
++optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+@@ -184,6 +191,7 @@ optional_policy(`
+
+ optional_policy(`
+ procmail_domtrans(exim_t)
++ procmail_read_home_files(exim_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
+index f590a1f..87f6bfb 100644
+--- a/policy/modules/services/fail2ban.if
++++ b/policy/modules/services/fail2ban.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run fail2ban.
+ ##