diff --git a/container-selinux.tgz b/container-selinux.tgz
index 001fc23..9d0d555 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 7a71a37..a257b3f 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6160,7 +6160,7 @@ index 8e0f9cd14..2fe34db47 100644
+create_ibendport_type_interfaces($*)
+')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055f9..c3bbc8ea2 100644
+index b191055f9..15ec98f76 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -6236,7 +6236,7 @@ index b191055f9..c3bbc8ea2 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -76,63 +101,82 @@ type server_packet_t, packet_type, server_packet_type;
+@@ -76,63 +101,83 @@ type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
@@ -6284,6 +6284,7 @@ index b191055f9..c3bbc8ea2 100644
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
+network_port(conman, tcp,7890,s0, udp,7890,s0)
+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
++network_port(conntrackd, udp,3780,s0)
+network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
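Review bot: `network_port(conntrackd, udp,3780,s0)` declares the new port type for UDP only, so a conntrackd instance configured for a TCP sync channel on the same port would presumably fall back to whatever the generic port ranges label it as rather than `conntrackd_port_t`; confirm udp-only is intended, or declare `tcp,3780,s0` alongside it. The declaration by itself grants nothing — it only has effect once a conntrackd domain elsewhere in the policy is given the bind/connect interfaces generated from it, and that part is not visible in this chunk.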
@@ -6329,7 +6330,7 @@ index b191055f9..c3bbc8ea2 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +184,61 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +185,61 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -6407,7 +6408,7 @@ index b191055f9..c3bbc8ea2 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +246,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +247,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -6558,7 +6559,7 @@ index b191055f9..c3bbc8ea2 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +377,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +378,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6585,7 +6586,7 @@ index b191055f9..c3bbc8ea2 100644
########################################
#
-@@ -333,6 +426,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +427,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6594,7 +6595,7 @@ index b191055f9..c3bbc8ea2 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +440,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +441,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -6686,7 +6687,7 @@ index 3f6e16889..abd046c56 100644
+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
+')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c05491..a7b0f009a 100644
+index b31c05491..b15a7aa05 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -6779,10 +6780,12 @@ index b31c05491..a7b0f009a 100644
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +138,13 @@
+@@ -118,6 +138,15 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
++/dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0)
++/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0)
+/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
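Review bot: The two new entries `/dev/vmci` and `/dev/vsock` label these nodes with `vmci_device_t` and `vsock_device_t`, but the `type` declarations those labels require (the devices.te part of this patch) and any interfaces granting access to them are outside this chunk; if the types are not declared, the file-context build fails rather than silently mislabeling, so please confirm they land in the same patch. Giving the host–guest channels their own types instead of the catch-all `device_t` is the right direction, since it lets policy decide which domains may open a guest-to-host socket; the concern is only that the fc lines must not outrun the type declarations. The entries sit after the closing `')` of the `ifdef(`distro_suse',` block above them, so they are unconditional, which looks intended.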
@@ -6793,7 +6796,7 @@ index b31c05491..a7b0f009a 100644
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +156,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +158,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6808,7 +6811,7 @@ index b31c05491..a7b0f009a 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -169,18 +198,26 @@ ifdef(`distro_suse', `
+@@ -169,18 +200,26 @@ ifdef(`distro_suse', `
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -6835,7 +6838,7 @@ index b31c05491..a7b0f009a 100644
ifdef(`distro_debian',`
# this is a static /dev dir "backup mount"
-@@ -198,12 +235,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +237,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -6866,7 +6869,7 @@ index b31c05491..a7b0f009a 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..c28d65c08 100644
+index 76f285ea6..8c3bbb82c 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7309,70 +7312,162 @@ index 76f285ea6..c28d65c08 100644
#######################################
##
## Set the attributes of the dlm control devices.
-@@ -1879,6 +2101,26 @@ interface(`dev_rw_dri',`
+@@ -1865,7 +2087,7 @@ interface(`dev_setattr_dri_dev',`
+
+ ########################################
+ ##
+-## Read and write the dri devices.
++## Mmap the dri devices.
+ ##
+ ##
+ ##
+@@ -1873,35 +2095,36 @@ interface(`dev_setattr_dri_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_dri',`
++interface(`dev_map_dri',`
+ gen_require(`
+ type device_t, dri_device_t;
')
- rw_chr_files_pattern($1, device_t, dri_device_t)
+- rw_chr_files_pattern($1, device_t, dri_device_t)
+ allow $1 dri_device_t:chr_file map;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit read and write on the dri devices.
+## Read and write the dri devices.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_inherited_dri',`
-+ gen_require(`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_rw_dri',`
++interface(`dev_rw_dri',`
+ gen_require(`
+- type dri_device_t;
+ type device_t, dri_device_t;
-+ ')
-+
-+ allow $1 device_t:dir search_dir_perms;
-+ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
- ')
+ ')
- ########################################
-@@ -2017,7 +2259,7 @@ interface(`dev_rw_input_dev',`
+- dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
++ rw_chr_files_pattern($1, device_t, dri_device_t)
++ allow $1 dri_device_t:chr_file map;
+ ')
########################################
##
--## Get the attributes of the framebuffer device node.
-+## Read input event devices (/dev/input).
+-## Create, read, write, and delete the dri devices.
++## Read and write the dri devices.
##
##
##
-@@ -2025,17 +2267,18 @@ interface(`dev_rw_input_dev',`
+@@ -1909,26 +2132,63 @@ interface(`dev_dontaudit_rw_dri',`
##
##
#
--interface(`dev_getattr_framebuffer_dev',`
-+interface(`dev_rw_inherited_input_dev',`
+-interface(`dev_manage_dri_dev',`
++interface(`dev_rw_inherited_dri',`
gen_require(`
-- type device_t, framebuf_device_t;
-+ type device_t, event_device_t;
+ type device_t, dri_device_t;
')
-- getattr_chr_files_pattern($1, device_t, framebuf_device_t)
+- manage_chr_files_pattern($1, device_t, dri_device_t)
+ allow $1 device_t:dir search_dir_perms;
-+ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
##
--## Set the attributes of the framebuffer device node.
-+## Read ipmi devices.
+-## Automatic type transition to the type
+-## for DRI device nodes when created in /dev.
++## Dontaudit read and write on the dri devices.
##
##
##
-@@ -2043,7 +2286,180 @@ interface(`dev_getattr_framebuffer_dev',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
- #
--interface(`dev_setattr_framebuffer_dev',`
+-##
+-##
++#
++interface(`dev_dontaudit_rw_dri',`
++ gen_require(`
++ type dri_device_t;
++ ')
++
++ dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete the dri devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_dri_dev',`
++ gen_require(`
++ type device_t, dri_device_t;
++ ')
++
++ manage_chr_files_pattern($1, device_t, dri_device_t)
++')
++
++########################################
++##
++## Automatic type transition to the type
++## for DRI device nodes when created in /dev.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
+ ## The name of the object being created.
+ ##
+ ##
+@@ -2017,6 +2277,180 @@ interface(`dev_rw_input_dev',`
+
+ ########################################
+ ##
++## Read input event devices (/dev/input).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_inherited_input_dev',`
++ gen_require(`
++ type device_t, event_device_t;
++ ')
++
++ allow $1 device_t:dir search_dir_perms;
++ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Read ipmi devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`dev_read_ipmi_dev',`
+ gen_require(`
+ type device_t, ipmi_device_t;
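Review bot: The only genuinely new interface in this hunk is `dev_map_dri`, but because the regenerated inner patch inserts it ahead of existing interfaces, the diff renders it as a rename chain (`dev_rw_dri`→`dev_map_dri`, `dev_dontaudit_rw_dri`→`dev_rw_dri`, `dev_manage_dri_dev`→`dev_rw_inherited_dri`) that hides what actually changed; regenerating with a histogram or patience diff algorithm, or placing the new interface after the ones it was copied from, would make this reviewable. `dev_map_dri` grants only `dri_device_t:chr_file map`, which by itself does not let a domain open the node — `map` is checked at mmap time in addition to read/write — so its header should say so, e.g. `## Mmap the dri devices; complements dev_rw_dri, which grants open/read/write.` Note that `dev_rw_dri` itself pairs `rw_chr_files_pattern` with `allow $1 dri_device_t:chr_file map;`, so every existing caller of `dev_rw_dri` already receives map; that is not new to this commit, but it is worth checking that callers needing only map are given `dev_map_dri` rather than the wider interface. The `dev_read_ipmi_dev` interface at the end of the hunk continues past it.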
@@ -7520,60 +7615,269 @@ index 76f285ea6..c28d65c08 100644
+
+########################################
+##
-+## Get the attributes of the framebuffer device node.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_framebuffer_dev',`
-+ gen_require(`
-+ type device_t, framebuf_device_t;
-+ ')
-+
-+ getattr_chr_files_pattern($1, device_t, framebuf_device_t)
-+')
-+
-+########################################
-+##
-+## Set the attributes of the framebuffer device node.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_framebuffer_dev',`
- gen_require(`
- type device_t, framebuf_device_t;
- ')
-@@ -2402,7 +2818,97 @@ interface(`dev_filetrans_lirc',`
+ ## Get the attributes of the framebuffer device node.
+ ##
+ ##
+@@ -2402,7 +2836,7 @@ interface(`dev_filetrans_lirc',`
########################################
##
-## Get the attributes of the lvm comtrol device.
+## Get the attributes of the loop comtrol device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2410,17 +2844,17 @@ interface(`dev_filetrans_lirc',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_lvm_control',`
+interface(`dev_getattr_loop_control',`
-+ gen_require(`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type device_t, loop_control_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, lvm_control_t)
++ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read the lvm comtrol device.
++## Read the loop comtrol device.
+ ##
+ ##
+ ##
+@@ -2428,17 +2862,17 @@ interface(`dev_getattr_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_read_lvm_control',`
++interface(`dev_read_loop_control',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type device_t, loop_control_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, lvm_control_t)
++ read_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write the lvm control device.
++## Read and write the loop control device.
+ ##
+ ##
+ ##
+@@ -2446,17 +2880,17 @@ interface(`dev_read_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_rw_lvm_control',`
++interface(`dev_rw_loop_control',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type device_t, loop_control_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, lvm_control_t)
++ rw_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write lvm control device.
++## Do not audit attempts to read and write loop control device.
+ ##
+ ##
+ ##
+@@ -2464,17 +2898,17 @@ interface(`dev_rw_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_dontaudit_rw_loop_control',`
+ gen_require(`
+- type lvm_control_t;
++ type loop_control_device_t;
+ ')
+
+- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete the lvm control device.
++## Delete the loop control device.
+ ##
+ ##
+ ##
+@@ -2482,35 +2916,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_delete_lvm_control_dev',`
++interface(`dev_delete_loop_control_dev',`
+ gen_require(`
+- type device_t, lvm_control_t;
+ type device_t, loop_control_device_t;
+ ')
+
+- delete_chr_files_pattern($1, device_t, lvm_control_t)
++ delete_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## dontaudit getattr raw memory devices (e.g. /dev/mem).
++## Get the attributes of the loop comtrol device.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_memory_dev',`
++interface(`dev_getattr_lvm_control',`
+ gen_require(`
+- type memory_device_t;
++ type device_t, lvm_control_t;
+ ')
+
+- dontaudit $1 memory_device_t:chr_file getattr;
++ getattr_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Read raw memory devices (e.g. /dev/mem).
++## Read the lvm comtrol device.
+ ##
+ ##
+ ##
+@@ -2518,62 +2952,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_raw_memory',`
++interface(`dev_read_lvm_control',`
+ gen_require(`
+- type device_t, memory_device_t;
+- attribute memory_raw_read;
++ type device_t, lvm_control_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, memory_device_t)
+-
+- allow $1 self:capability sys_rawio;
+- typeattribute $1 memory_raw_read;
++ read_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read raw memory devices
+-## (e.g. /dev/mem).
++## Read and write the lvm control device.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_read_raw_memory',`
++interface(`dev_rw_lvm_control',`
+ gen_require(`
+- type memory_device_t;
++ type device_t, lvm_control_t;
+ ')
+
+- dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
++ rw_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Write raw memory devices (e.g. /dev/mem).
++## Do not audit attempts to read and write lvm control device.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_raw_memory',`
++interface(`dev_dontaudit_rw_lvm_control',`
+ gen_require(`
+- type device_t, memory_device_t;
+- attribute memory_raw_write;
++ type lvm_control_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, memory_device_t)
+-
+- allow $1 self:capability sys_rawio;
+- typeattribute $1 memory_raw_write;
++ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and execute raw memory devices (e.g. /dev/mem).
++## Delete the lvm control device.
+ ##
+ ##
+ ##
+@@ -2581,32 +3006,168 @@ interface(`dev_write_raw_memory',`
+ ##
+ ##
+ #
+-interface(`dev_rx_raw_memory',`
++interface(`dev_delete_lvm_control_dev',`
+ gen_require(`
+- type device_t, memory_device_t;
++ type device_t, lvm_control_t;
+ ')
+
+- dev_read_raw_memory($1)
+- allow $1 memory_device_t:chr_file execute;
++ delete_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Write and execute raw memory devices (e.g. /dev/mem).
++## dontaudit getattr raw memory devices (e.g. /dev/mem).
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_wx_raw_memory',`
++interface(`dev_dontaudit_getattr_memory_dev',`
+ gen_require(`
+- type device_t, memory_device_t;
++ type memory_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
++ dontaudit $1 memory_device_t:chr_file getattr;
+')
+
+########################################
+##
-+## Read the loop comtrol device.
++## Read raw memory devices (e.g. /dev/mem).
+##
+##
+##
@@ -7581,17 +7885,22 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_read_loop_control',`
++interface(`dev_read_raw_memory',`
+ gen_require(`
-+ type device_t, loop_control_device_t;
++ type device_t, memory_device_t;
++ attribute memory_raw_read;
+ ')
+
-+ read_chr_files_pattern($1, device_t, loop_control_device_t)
++ read_chr_files_pattern($1, device_t, memory_device_t)
++ allow $1 memory_device_t:chr_file map;
++
++ allow $1 self:capability sys_rawio;
++ typeattribute $1 memory_raw_read;
+')
+
+########################################
+##
-+## Read and write the loop control device.
++## Allow to be reader of raw memory devices (e.g. /dev/mem).
+##
+##
+##
@@ -7599,17 +7908,18 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_rw_loop_control',`
++interface(`dev_raw_memory_reader',`
+ gen_require(`
-+ type device_t, loop_control_device_t;
++ attribute memory_raw_read;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, loop_control_device_t)
++ typeattribute $1 memory_raw_read;
+')
+
+########################################
+##
-+## Do not audit attempts to read and write loop control device.
++## Do not audit attempts to read raw memory devices
++## (e.g. /dev/mem).
+##
+##
+##
@@ -7617,17 +7927,17 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_dontaudit_rw_loop_control',`
++interface(`dev_dontaudit_read_raw_memory',`
+ gen_require(`
-+ type loop_control_device_t;
++ type memory_device_t;
+ ')
+
-+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+##
-+## Delete the loop control device.
++## Write raw memory devices (e.g. /dev/mem).
+##
+##
+##
@@ -7635,33 +7945,21 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_delete_loop_control_dev',`
++interface(`dev_write_raw_memory',`
+ gen_require(`
-+ type device_t, loop_control_device_t;
++ type device_t, memory_device_t;
++ attribute memory_raw_write;
+ ')
+
-+ delete_chr_files_pattern($1, device_t, loop_control_device_t)
++ write_chr_files_pattern($1, device_t, memory_device_t)
++
++ allow $1 self:capability sys_rawio;
++ typeattribute $1 memory_raw_write;
+')
+
+########################################
+##
-+## Get the attributes of the loop comtrol device.
- ##
- ##
- ##
-@@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',`
- ')
-
- read_chr_files_pattern($1, device_t, memory_device_t)
-+ allow $1 memory_device_t:chr_file map;
-
- allow $1 self:capability sys_rawio;
- typeattribute $1 memory_raw_read;
-@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',`
-
- ########################################
- ##
-+## Allow to be reader of raw memory devices (e.g. /dev/mem).
++## Allow to be writer of raw memory devices (e.g. /dev/mem).
+##
+##
+##
@@ -7669,24 +7967,17 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_raw_memory_reader',`
++interface(`dev_raw_memory_writer',`
+ gen_require(`
-+ attribute memory_raw_read;
++ attribute memory_raw_write;
+ ')
+
-+ typeattribute $1 memory_raw_read;
++ typeattribute $1 memory_raw_write;
+')
+
+########################################
+##
- ## Do not audit attempts to read raw memory devices
- ## (e.g. /dev/mem).
- ##
-@@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',`
-
- ########################################
- ##
-+## Allow to be writer of raw memory devices (e.g. /dev/mem).
++## Read and execute raw memory devices (e.g. /dev/mem).
+##
+##
+##
@@ -7694,29 +7985,28 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_raw_memory_writer',`
++interface(`dev_rx_raw_memory',`
+ gen_require(`
-+ attribute memory_raw_write;
++ type device_t, memory_device_t;
+ ')
+
-+ typeattribute $1 memory_raw_write;
++ dev_read_raw_memory($1)
++ allow $1 memory_device_t:chr_file { map execute };
+')
+
+########################################
+##
- ## Read and execute raw memory devices (e.g. /dev/mem).
- ##
- ##
-@@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',`
- ')
-
- dev_read_raw_memory($1)
-- allow $1 memory_device_t:chr_file execute;
-+ allow $1 memory_device_t:chr_file { map execute };
- ')
-
- ########################################
-@@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',`
++## Write and execute raw memory devices (e.g. /dev/mem).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_wx_raw_memory',`
++ gen_require(`
++ type device_t, memory_device_t;
')
dev_write_raw_memory($1)
@@ -7725,7 +8015,7 @@ index 76f285ea6..c28d65c08 100644
')
########################################
-@@ -2725,7 +3268,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3286,7 @@ interface(`dev_write_misc',`
##
##
##
@@ -7734,77 +8024,11 @@ index 76f285ea6..c28d65c08 100644
##
##
#
-@@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',`
+@@ -2811,6 +3372,78 @@ interface(`dev_rw_modem',`
########################################
##
--## Get the attributes of the mouse devices.
+## Get the attributes of the monitor devices.
- ##
- ##
- ##
-@@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',`
- ##
- ##
- #
--interface(`dev_getattr_mouse_dev',`
-+interface(`dev_getattr_monitor_dev',`
- gen_require(`
-- type device_t, mouse_device_t;
-+ type device_t, monitor_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, mouse_device_t)
-+ getattr_chr_files_pattern($1, device_t, monitor_device_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the mouse devices.
-+## Set the attributes of the monitor devices.
- ##
- ##
- ##
-@@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',`
- ##
- ##
- #
--interface(`dev_setattr_mouse_dev',`
-+interface(`dev_setattr_monitor_dev',`
- gen_require(`
-- type device_t, mouse_device_t;
-+ type device_t, monitor_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, mouse_device_t)
-+ setattr_chr_files_pattern($1, device_t, monitor_device_t)
- ')
-
- ########################################
- ##
--## Read the mouse devices.
-+## Read the monitor devices.
- ##
- ##
- ##
-@@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',`
- ##
- ##
- #
--interface(`dev_read_mouse',`
-+interface(`dev_read_monitor_dev',`
- gen_require(`
-- type device_t, mouse_device_t;
-+ type device_t, monitor_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, mouse_device_t)
-+ read_chr_files_pattern($1, device_t, monitor_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write to monitor devices.
+##
+##
+##
@@ -7812,17 +8036,17 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_rw_monitor_dev',`
++interface(`dev_getattr_monitor_dev',`
+ gen_require(`
+ type device_t, monitor_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, monitor_device_t)
++ getattr_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+##
-+## Get the attributes of the mouse devices.
++## Set the attributes of the monitor devices.
+##
+##
+##
@@ -7830,17 +8054,17 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_getattr_mouse_dev',`
++interface(`dev_setattr_monitor_dev',`
+ gen_require(`
-+ type device_t, mouse_device_t;
++ type device_t, monitor_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, mouse_device_t)
++ setattr_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+##
-+## Set the attributes of the mouse devices.
++## Read the monitor devices.
+##
+##
+##
@@ -7848,17 +8072,17 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_setattr_mouse_dev',`
++interface(`dev_read_monitor_dev',`
+ gen_require(`
-+ type device_t, mouse_device_t;
++ type device_t, monitor_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, mouse_device_t)
++ read_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+##
-+## Read the mouse devices.
++## Read and write to monitor devices.
+##
+##
+##
@@ -7866,16 +8090,20 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_read_mouse',`
++interface(`dev_rw_monitor_dev',`
+ gen_require(`
-+ type device_t, mouse_device_t;
++ type device_t, monitor_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, mouse_device_t)
- ')
-
- ########################################
-@@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',`
++ rw_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
+ ## Get the attributes of the mouse devices.
+ ##
+ ##
+@@ -2903,20 +3536,20 @@ interface(`dev_getattr_mtrr_dev',`
########################################
##
@@ -7900,7 +8128,7 @@ index 76f285ea6..c28d65c08 100644
##
##
##
-@@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3558,34 @@ interface(`dev_getattr_mtrr_dev',`
##
##
#
@@ -7956,7 +8184,7 @@ index 76f285ea6..c28d65c08 100644
## range registers (MTRR).
##
##
-@@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3594,32 @@ interface(`dev_write_mtrr',`
##
##
#
@@ -7992,47 +8220,81 @@ index 76f285ea6..c28d65c08 100644
')
########################################
-@@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',`
+@@ -3144,44 +3787,43 @@ interface(`dev_create_null_dev',`
########################################
##
+-## Do not audit attempts to get the attributes
+-## of the BIOS non-volatile RAM device.
+## Get the status of a null device service.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_nvram_dev',`
+interface(`dev_service_status_null_dev',`
-+ gen_require(`
+ gen_require(`
+- type nvram_device_t;
+ type null_device_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 nvram_device_t:chr_file getattr;
+ allow $1 null_device_t:service status;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write BIOS non-volatile RAM.
+## Configure null_device as a unit files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed to transition.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_rw_nvram',`
+interface(`dev_config_null_dev_service',`
-+ gen_require(`
+ gen_require(`
+- type nvram_device_t;
+ type null_device_t;
-+ ')
-+
+ ')
+
+- rw_chr_files_pattern($1, device_t, nvram_device_t)
+ allow $1 null_device_t:service manage_service_perms;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of the printer device nodes.
++## Read Non-Volatile Memory Host Controller Interface.
+ ##
+ ##
+ ##
+@@ -3189,12 +3831,105 @@ interface(`dev_rw_nvram',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_printer_dev',`
++interface(`dev_read_nvme',`
+ gen_require(`
+- type device_t, printer_device_t;
++ type nvme_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, printer_device_t)
++ read_chr_files_pattern($1, device_t, nvme_device_t)
++ read_blk_files_pattern($1, device_t, nvme_device_t)
+')
+
+########################################
+##
-+## Read Non-Volatile Memory Host Controller Interface.
++## Read/Write Non-Volatile Memory Host Controller Interface.
+##
+##
+##
@@ -8040,43 +8302,36 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_read_nvme',`
++interface(`dev_rw_nvme',`
+ gen_require(`
+ type nvme_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, nvme_device_t)
-+ read_blk_files_pattern($1, device_t, nvme_device_t)
++ rw_chr_files_pattern($1, device_t, nvme_device_t)
++ rw_blk_files_pattern($1, device_t, nvme_device_t)
+')
+
+########################################
+##
-+## Read/Write Non-Volatile Memory Host Controller Interface.
++## Do not audit attempts to get the attributes
++## of the BIOS non-volatile RAM device.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_rw_nvme',`
++interface(`dev_dontaudit_getattr_nvram_dev',`
+ gen_require(`
-+ type nvme_device_t;
++ type nvram_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, nvme_device_t)
-+ rw_blk_files_pattern($1, device_t, nvme_device_t)
++ dontaudit $1 nvram_device_t:chr_file getattr;
+')
+
+########################################
+##
- ## Do not audit attempts to get the attributes
- ## of the BIOS non-volatile RAM device.
- ##
-@@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
-
- ########################################
- ##
+## Read BIOS non-volatile RAM.
+##
+##
@@ -8095,10 +8350,42 @@ index 76f285ea6..c28d65c08 100644
+
+########################################
+##
- ## Read and write BIOS non-volatile RAM.
- ##
- ##
-@@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',`
++## Read and write BIOS non-volatile RAM.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_nvram',`
++ gen_require(`
++ type nvram_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, nvram_device_t)
++')
++
++########################################
++##
++## Get the attributes of the printer device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_printer_dev',`
++ gen_require(`
++ type device_t, printer_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, printer_device_t)
+ ')
+
+ ########################################
+@@ -3254,7 +3989,25 @@ interface(`dev_rw_printer',`
########################################
##
@@ -8125,7 +8412,7 @@ index 76f285ea6..c28d65c08 100644
##
##
##
-@@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +4015,13 @@ interface(`dev_rw_printer',`
##
##
#
@@ -8142,7 +8429,7 @@ index 76f285ea6..c28d65c08 100644
')
########################################
-@@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4153,7 @@ interface(`dev_dontaudit_read_rand',`
########################################
##
@@ -8151,7 +8438,7 @@ index 76f285ea6..c28d65c08 100644
## number generator devices (e.g., /dev/random)
##
##
-@@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4167,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t;
')
@@ -8160,7 +8447,7 @@ index 76f285ea6..c28d65c08 100644
')
########################################
-@@ -3633,6 +4369,7 @@ interface(`dev_read_sound',`
+@@ -3633,6 +4387,7 @@ interface(`dev_read_sound',`
')
read_chr_files_pattern($1, device_t, sound_device_t)
@@ -8168,7 +8455,7 @@ index 76f285ea6..c28d65c08 100644
')
########################################
-@@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',`
+@@ -3669,6 +4424,7 @@ interface(`dev_read_sound_mixer',`
')
read_chr_files_pattern($1, device_t, sound_device_t)
@@ -8176,7 +8463,7 @@ index 76f285ea6..c28d65c08 100644
')
########################################
-@@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4611,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -8185,7 +8472,7 @@ index 76f285ea6..c28d65c08 100644
##
##
##
-@@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4619,89 @@ interface(`dev_getattr_sysfs_dirs',`
##
##
#
@@ -8296,7 +8583,7 @@ index 76f285ea6..c28d65c08 100644
##
##
##
-@@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,68 +4709,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
@@ -8362,12 +8649,244 @@ index 76f285ea6..c28d65c08 100644
')
- rw_files_pattern($1, sysfs_t, sysfs_t)
+- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
+ dontaudit $1 sysfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and write the TPM device.
++## List the contents of the sysfs directories.
+ ##
+ ##
+ ##
+@@ -4024,114 +4763,97 @@ interface(`dev_rw_sysfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_tpm',`
++interface(`dev_list_sysfs',`
+ gen_require(`
+- type device_t, tpm_device_t;
++ type sysfs_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, tpm_device_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read from pseudo random number generator devices (e.g., /dev/urandom).
++## Write in a sysfs directories.
+ ##
+-##
+-##
+-## Allow the specified domain to read from pseudo random number
+-## generator devices (e.g., /dev/urandom). Typically this is
+-## used in situations when a cryptographically secure random
+-## number is not necessarily needed. One example is the Stack
+-## Smashing Protector (SSP, formerly known as ProPolice) support
+-## that may be compiled into programs.
+-##
+-##
+-## Related interface:
+-##
+-##
+-## - dev_read_rand()
+-##
+-##
+-## Related tunable:
+-##
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`dev_read_urand',`
++# cjp: added for cpuspeed
++interface(`dev_write_sysfs_dirs',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type sysfs_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, urandom_device_t)
++ allow $1 sysfs_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read from pseudo
+-## random devices (e.g., /dev/urandom)
++## Access check for a sysfs directories.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_read_urand',`
++interface(`dev_access_check_sysfs',`
+ gen_require(`
+- type urandom_device_t;
++ type sysfs_t;
+ ')
+
+- dontaudit $1 urandom_device_t:chr_file { getattr read };
++ allow $1 sysfs_t:dir audit_access;
+ ')
+
+ ########################################
+ ##
+-## Write to the pseudo random device (e.g., /dev/urandom). This
+-## sets the random number generator seed.
++## Do not audit attempts to write in a sysfs directory.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_urand',`
++interface(`dev_dontaudit_write_sysfs_dirs',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type sysfs_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, urandom_device_t)
++ dontaudit $1 sysfs_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Getattr generic the USB devices.
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_getattr_generic_usb_dev',`
++interface(`dev_read_cpu_online',`
+ gen_require(`
+- type usb_device_t;
++ type cpu_online_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, usb_device_t)
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
+ ')
+
+ ########################################
+ ##
+-## Setattr generic the USB devices.
++## Relabel cpu online hardware state information.
+ ##
+ ##
+ ##
+@@ -4139,35 +4861,50 @@ interface(`dev_getattr_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_generic_usb_dev',`
++interface(`dev_relabel_cpu_online',`
+ gen_require(`
+- type usb_device_t;
++ type cpu_online_t;
++ type sysfs_t;
+ ')
+
+- setattr_chr_files_pattern($1, device_t, usb_device_t)
++ dev_search_sysfs($1)
++ allow $1 cpu_online_t:file relabel_file_perms;
+ ')
+
++
+ ########################################
+ ##
+-## Read generic the USB devices.
++## Read hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read the contents of
++## the sysfs filesystem. This filesystem contains
++## information, parameters, and other settings on the
++## hardware installed on the system.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`dev_read_generic_usb_dev',`
++interface(`dev_read_sysfs',`
+ gen_require(`
+- type usb_device_t;
++ type sysfs_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, usb_device_t)
++ read_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write generic the USB devices.
++## Allow caller to modify hardware state information.
+ ##
+ ##
+ ##
+@@ -4175,12 +4912,278 @@ interface(`dev_read_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_generic_usb_dev',`
++interface(`dev_rw_sysfs',`
+ gen_require(`
+- type device_t, usb_device_t;
++ type sysfs_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, usb_device_t)
++ rw_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+##
-+## List the contents of the sysfs directories.
++## Relabel hardware state directories.
+##
+##
+##
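Review bot: `dev_relabel_cpu_online` on the new side requires `type sysfs_t;` alongside `cpu_online_t`, but its body only calls `dev_search_sysfs($1)` and an `allow` on `cpu_online_t`, so the `sysfs_t` require is unused; `dev_read_cpu_online` just above it calls the same `dev_search_sysfs($1)` with only `type cpu_online_t;` required. Dropping the extra `type sysfs_t;` line keeps the two cpu_online interfaces parallel. Separately, the rewrite leaves two consecutive blank lines between the closing `')` of `dev_relabel_cpu_online` and the following `########################################` banner, where every other interface in the hunk is followed by one.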
@@ -8375,18 +8894,17 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_list_sysfs',`
++interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+ list_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+##
-+## Write in a sysfs directories.
++## Relabel hardware state files
+##
+##
+##
@@ -8394,18 +8912,19 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+# cjp: added for cpuspeed
-+interface(`dev_write_sysfs_dirs',`
++interface(`dev_relabel_all_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
-+ allow $1 sysfs_t:dir write;
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+##
-+## Access check for a sysfs directories.
++## Allow caller to modify hardware state information.
+##
+##
+##
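Review bot: The summary for `dev_relabel_all_sysfs` on the new side reads `## Relabel hardware state files` with no terminating period and understates the grant, since the body relabels directories, files and symbolic links (`relabel_dirs_pattern`, `relabel_files_pattern`, `relabel_lnk_files_pattern`). Suggest `## Relabel hardware state directories, files, and symbolic links.` so the doc matches the three patterns and the punctuation of the neighbouring summaries.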
@@ -8413,59 +8932,115 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_access_check_sysfs',`
++interface(`dev_manage_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
-+ allow $1 sysfs_t:dir audit_access;
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+##
-+## Do not audit attempts to write in a sysfs directory.
++## Allow caller to modify hardware state information.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_manage_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
-+ dontaudit $1 sysfs_t:dir write;
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++ manage_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+##
-+## Read cpu online hardware state information.
++## Read and write the TPM device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_tpm',`
++ gen_require(`
++ type device_t, tpm_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, tpm_device_t)
++')
++
++########################################
++##
++## Read from pseudo random number generator devices (e.g., /dev/urandom).
+##
+##
+##
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
++## Allow the specified domain to read from pseudo random number
++## generator devices (e.g., /dev/urandom). Typically this is
++## used in situations when a cryptographically secure random
++## number is not necessarily needed. One example is the Stack
++## Smashing Protector (SSP, formerly known as ProPolice) support
++## that may be compiled into programs.
++##
++##
++## Related interface:
++##
++##
++## - dev_read_rand()
++##
++##
++## Related tunable:
+##
++##
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`dev_read_cpu_online',`
++interface(`dev_read_urand',`
+ gen_require(`
-+ type cpu_online_t;
++ type device_t, urandom_device_t;
+ ')
+
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
++ read_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
+########################################
+##
-+## Relabel cpu online hardware state information.
++## Do not audit attempts to read from pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file { getattr read };
++')
++
++########################################
++##
++## Write to the pseudo random device (e.g., /dev/urandom). This
++## sets the random number generator seed.
+##
+##
+##
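Review bot: `dev_manage_sysfs_dirs` and `dev_manage_sysfs` on the new side both carry the summary `## Allow caller to modify hardware state information.`, which is also the summary of `dev_rw_sysfs` in the preceding hunk, so the generated interface documentation cannot tell a read/write grant apart from a create/delete one. Suggest `## Create, read, write, and delete hardware state directories.` for `dev_manage_sysfs_dirs` and `## Create, read, write, and delete hardware state directories and files.` for `dev_manage_sysfs`, mirroring the wording this file already uses for `dev_manage_xen` (`## Create, read, write, and delete Xen devices.`).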
@@ -8473,50 +9048,72 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_relabel_cpu_online',`
++interface(`dev_write_urand',`
+ gen_require(`
-+ type cpu_online_t;
-+ type sysfs_t;
++ type device_t, urandom_device_t;
+ ')
+
-+ dev_search_sysfs($1)
-+ allow $1 cpu_online_t:file relabel_file_perms;
++ write_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
++########################################
++##
++## Do not audit attempts to write to pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_write_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file write;
++')
+
+########################################
+##
-+## Read hardware state information.
++## Getattr generic the USB devices.
+##
-+##
-+##
-+## Allow the specified domain to read the contents of
-+## the sysfs filesystem. This filesystem contains
-+## information, parameters, and other settings on the
-+## hardware installed on the system.
-+##
-+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`dev_read_sysfs',`
++interface(`dev_getattr_generic_usb_dev',`
+ gen_require(`
-+ type sysfs_t;
++ type usb_device_t,device_t;
+ ')
+
-+ read_files_pattern($1, sysfs_t, sysfs_t)
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ getattr_chr_files_pattern($1, device_t, usb_device_t)
++')
+
-+ list_dirs_pattern($1, sysfs_t, sysfs_t)
++########################################
++##
++## Setattr generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+##
-+## Allow caller to modify hardware state information.
++## Read generic the USB devices.
+##
+##
+##
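Review bot: The new side adds `device_t` to the require of `dev_getattr_generic_usb_dev` (`type usb_device_t,device_t;`), but the sibling `dev_setattr_generic_usb_dev` later in this hunk and `dev_read_generic_usb_dev` in the next hunk still require only `type usb_device_t;` while their bodies name `device_t` in `setattr_chr_files_pattern`/`read_chr_files_pattern`, so they keep depending on the calling module having required `device_t` elsewhere. Suggest `type device_t, usb_device_t;` in all three, which also matches the ordering and spacing of `dev_rw_generic_usb_dev`'s `type device_t, usb_device_t;`. The added line itself lacks the space after the comma that every other multi-type require in the file uses.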
@@ -8524,20 +9121,65 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_rw_sysfs',`
++interface(`dev_read_generic_usb_dev',`
+ gen_require(`
-+ type sysfs_t;
++ type usb_device_t;
+ ')
+
-+ rw_files_pattern($1, sysfs_t, sysfs_t)
- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-
- list_dirs_pattern($1, sysfs_t, sysfs_t)
-@@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',`
++ read_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Read and write generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_generic_usb_dev',`
++ gen_require(`
++ type device_t, usb_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, usb_device_t)
+ ')
########################################
- ##
-+## Relabel hardware state directories.
+@@ -4249,33 +5252,462 @@ interface(`dev_write_usbmon_dev',`
+ #
+ interface(`dev_mount_usbfs',`
+ gen_require(`
+- type usbfs_t;
++ type usbfs_t;
++ ')
++
++ allow $1 usbfs_t:filesystem mount;
++')
++
++########################################
++##
++## Associate a file to a usbfs filesystem.
++##
++##
++##
++## The type of the file to be associated to usbfs.
++##
++##
++#
++interface(`dev_associate_usbfs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ allow $1 usbfs_t:filesystem associate;
++')
++
++########################################
++##
++## Get the attributes of a directory in the usb filesystem.
+##
+##
+##
@@ -8545,17 +9187,36 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_relabel_sysfs_dirs',`
++interface(`dev_getattr_usbfs_dirs',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ allow $1 usbfs_t:dir getattr_dir_perms;
+')
+
+########################################
+##
-+## Relabel hardware state files
++## Do not audit attempts to get the attributes
++## of a directory in the usb filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_usbfs_dirs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ dontaudit $1 usbfs_t:dir getattr_dir_perms;
++')
++
++########################################
++##
++## Search the directory containing USB hardware information.
+##
+##
+##
@@ -8563,19 +9224,17 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_search_usbfs',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ search_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Allow caller to modify hardware state information.
++## Allow caller to get a list of usb hardware.
+##
+##
+##
@@ -8583,17 +9242,20 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_manage_sysfs_dirs',`
++interface(`dev_list_usbfs',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ getattr_files_pattern($1, usbfs_t, usbfs_t)
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Allow caller to modify hardware state information.
++## Set the attributes of usbfs filesystem.
+##
+##
+##
@@ -8601,110 +9263,205 @@ index 76f285ea6..c28d65c08 100644
+##
+##
+#
-+interface(`dev_manage_sysfs',`
++interface(`dev_setattr_usbfs_files',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ manage_files_pattern($1, sysfs_t, sysfs_t)
++ setattr_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
- ## Read and write the TPM device.
- ##
- ##
-@@ -4113,6 +5079,25 @@ interface(`dev_write_urand',`
-
- ########################################
- ##
-+## Do not audit attempts to write to pseudo
-+## random devices (e.g., /dev/urandom)
++## Read USB hardware information using
++## the usbfs filesystem interface.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_write_urand',`
++interface(`dev_read_usbfs',`
+ gen_require(`
-+ type urandom_device_t;
++ type usbfs_t;
+ ')
+
-+ dontaudit $1 urandom_device_t:chr_file write;
++ read_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
- ## Getattr generic the USB devices.
- ##
- ##
-@@ -4123,7 +5108,7 @@ interface(`dev_write_urand',`
- #
- interface(`dev_getattr_generic_usb_dev',`
- gen_require(`
-- type usb_device_t;
-+ type usb_device_t,device_t;
- ')
-
- getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',`
- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
- ')
-
--########################################
++## Allow caller to modify usb hardware configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_usbfs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ rw_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++')
++
+######################################
- ##
--## Get the attributes of video4linux devices.
++##
+## Read and write userio device.
- ##
- ##
- ##
-@@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',`
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`dev_rw_userio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
++ gen_require(`
+ type device_t, userio_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ ')
++
+ rw_chr_files_pattern($1, device_t, userio_device_t)
- ')
-
--######################################
++')
++
+########################################
- ##
--## Read and write userio device.
++##
+## Get the attributes of video4linux devices.
- ##
- ##
- ##
-@@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`dev_getattr_video_dev',`
- gen_require(`
-- type device_t, userio_device_t;
++ gen_require(`
+ type device_t, v4l_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
++ ')
++
+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
-@@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',`
-
- ########################################
- ##
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of video4linux device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_video_dev',`
++ gen_require(`
++ type v4l_device_t;
++ ')
++
++ dontaudit $1 v4l_device_t:chr_file getattr;
++')
++
++########################################
++##
++## Set the attributes of video4linux device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_video_dev',`
++ gen_require(`
++ type device_t, v4l_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, v4l_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of video4linux device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_setattr_video_dev',`
++ gen_require(`
++ type v4l_device_t;
++ ')
++
++ dontaudit $1 v4l_device_t:chr_file setattr;
++')
++
++########################################
++##
++## Read the video4linux devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_video_dev',`
++ gen_require(`
++ type device_t, v4l_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, v4l_device_t)
++')
++
++########################################
++##
++## Mmap the video4linux devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_map_video_dev',`
++ gen_require(`
++ type device_t, v4l_device_t;
++ ')
++
++ allow $1 v4l_device_t:chr_file map;
++
++')
++
++########################################
++##
++## Write the video4linux devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_video_dev',`
++ gen_require(`
++ type device_t, v4l_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, v4l_device_t)
++')
++
++########################################
++##
+## Get the attributes of vfio devices.
+##
+##
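Review bot: `dev_map_video_dev` on the new side grants only `allow $1 v4l_device_t:chr_file map;`, and since `map` is checked in addition to, not instead of, the read/write permissions needed to open and map the node, the summary `## Mmap the video4linux devices.` would be clearer with a second line `## Only the map permission is granted; pair with dev_read_video_dev or dev_write_video_dev.`. The body also leaves a stray blank line between the `allow` rule and the closing `')`, unlike every other interface in the hunk. Separately, the banner introducing `dev_rw_userio_dev` is two characters shorter than the `########################################` banners used elsewhere in the hunk.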
@@ -8826,313 +9583,735 @@ index 76f285ea6..c28d65c08 100644
+interface(`dev_rw_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- allow $1 usbfs_t:filesystem mount;
+ rw_chr_files_pattern($1, device_t, vfio_device_t)
-+')
+ ')
+
+ ########################################
+ ##
+-## Associate a file to a usbfs filesystem.
++## Allow read/write the vhost net device
+ ##
+-##
++##
+ ##
+-## The type of the file to be associated to usbfs.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_associate_usbfs',`
++interface(`dev_rw_vhost',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, vhost_device_t;
+ ')
+
+- allow $1 usbfs_t:filesystem associate;
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of a directory in the usb filesystem.
++## Allow read/write inheretid the vhost net device
+ ##
+ ##
+ ##
+@@ -4283,36 +5715,35 @@ interface(`dev_associate_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_usbfs_dirs',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, vhost_device_t;
+ ')
+
+- allow $1 usbfs_t:dir getattr_dir_perms;
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of a directory in the usb filesystem.
++## Read and write VMWare devices.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_usbfs_dirs',`
++interface(`dev_rw_vmware',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, vmware_device_t;
+ ')
+
+- dontaudit $1 usbfs_t:dir getattr_dir_perms;
++ rw_chr_files_pattern($1, device_t, vmware_device_t)
+ ')
+
+ ########################################
+ ##
+-## Search the directory containing USB hardware information.
++## Read, write, and mmap VMWare devices.
+ ##
+ ##
+ ##
+@@ -4320,17 +5751,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
+ ##
+ ##
+ #
+-interface(`dev_search_usbfs',`
++interface(`dev_rwx_vmware',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, vmware_device_t;
+ ')
+
+- search_dirs_pattern($1, usbfs_t, usbfs_t)
++ dev_rw_vmware($1)
++ allow $1 vmware_device_t:chr_file { map execute };
+ ')
+
+ ########################################
+ ##
+-## Allow caller to get a list of usb hardware.
++## Read from watchdog devices.
+ ##
+ ##
+ ##
+@@ -4338,20 +5770,17 @@ interface(`dev_search_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_list_usbfs',`
++interface(`dev_read_watchdog',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, watchdog_device_t;
+ ')
+
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- getattr_files_pattern($1, usbfs_t, usbfs_t)
+-
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, watchdog_device_t)
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of usbfs filesystem.
++## Write to watchdog devices.
+ ##
+ ##
+ ##
+@@ -4359,19 +5788,17 @@ interface(`dev_list_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_usbfs_files',`
++interface(`dev_write_watchdog',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, watchdog_device_t;
+ ')
+
+- setattr_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, watchdog_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read USB hardware information using
+-## the usbfs filesystem interface.
++## RW to watchdog devices.
+ ##
+ ##
+ ##
+@@ -4379,19 +5806,17 @@ interface(`dev_setattr_usbfs_files',`
+ ##
+ ##
+ #
+-interface(`dev_read_usbfs',`
++interface(`dev_rw_watchdog',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, watchdog_device_t;
+ ')
+
+- read_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ rw_chr_files_pattern($1, device_t, watchdog_device_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to modify usb hardware configuration files.
++## Read and write the the wireless device.
+ ##
+ ##
+ ##
+@@ -4399,19 +5824,17 @@ interface(`dev_read_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_usbfs',`
++interface(`dev_rw_wireless',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, wireless_device_t;
+ ')
+
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
+- rw_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ rw_chr_files_pattern($1, device_t, wireless_device_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of video4linux devices.
++## Read and write Xen devices.
+ ##
+ ##
+ ##
+@@ -4419,17 +5842,17 @@ interface(`dev_rw_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_xen',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, xen_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, xen_device_t)
+ ')
+
+-######################################
++########################################
+ ##
+-## Read and write userio device.
++## Create, read, write, and delete Xen devices.
+ ##
+ ##
+ ##
+@@ -4437,36 +5860,41 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_manage_xen',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, xen_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ manage_chr_files_pattern($1, device_t, xen_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of video4linux device nodes.
++## Automatic type transition to the type
++## for xen device nodes when created in /dev.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++##
++##
++## The name of the object being created.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_video_dev',`
++interface(`dev_filetrans_xen',`
+ gen_require(`
+- type v4l_device_t;
++ type device_t, xen_device_t;
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file getattr;
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of video4linux device nodes.
++## Get the attributes of X server miscellaneous devices.
+ ##
+ ##
+ ##
+@@ -4474,36 +5902,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_video_dev',`
++interface(`dev_getattr_xserver_misc_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, xserver_misc_device_t;
+ ')
+
+- setattr_chr_files_pattern($1, device_t, v4l_device_t)
++ getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to set the attributes
+-## of video4linux device nodes.
++## Set the attributes of X server miscellaneous devices.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_setattr_video_dev',`
++interface(`dev_setattr_xserver_misc_dev',`
+ gen_require(`
+- type v4l_device_t;
++ type device_t, xserver_misc_device_t;
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file setattr;
++ setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read the video4linux devices.
++## Read and write X server miscellaneous devices.
+ ##
+ ##
+ ##
+@@ -4511,35 +5938,35 @@ interface(`dev_dontaudit_setattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_video_dev',`
++interface(`dev_rw_xserver_misc',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, xserver_misc_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
+ ')
+
+ ########################################
+ ##
+-## Write the video4linux devices.
++## Dontaudit attempts to Read and write X server miscellaneous devices.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_video_dev',`
++interface(`dev_dontaudit_leaked_xserver_misc',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type xserver_misc_device_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, v4l_device_t)
++ dontaudit $1 xserver_misc_device_t:chr_file { read write };
+ ')
+
+ ########################################
+ ##
+-## Allow read/write the vhost net device
++## Read and write X server miscellaneous devices.
+ ##
+ ##
+ ##
+@@ -4547,17 +5974,19 @@ interface(`dev_write_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_manage_xserver_misc',`
+ gen_require(`
+- type device_t, vhost_device_t;
++ type device_t, xserver_misc_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vhost_device_t)
++ manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
+
-+########################################
-+##
- ## Allow read/write the vhost net device
++ dev_filetrans_xserver_named_dev($1)
+ ')
+
+ ########################################
+ ##
+-## Read and write VMWare devices.
++## Read and write to the zero device (/dev/zero).
##
##
-@@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',`
+ ##
+@@ -4565,17 +5994,17 @@ interface(`dev_rw_vhost',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vmware',`
++interface(`dev_rw_zero',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type device_t, zero_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vmware_device_t)
++ rw_chr_files_pattern($1, device_t, zero_device_t)
+ ')
########################################
##
-+## Allow read/write inheretid the vhost net device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_inherited_vhost',`
-+ gen_require(`
-+ type device_t, vhost_device_t;
-+ ')
-+
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write VMWare devices.
+-## Read, write, and mmap VMWare devices.
++## Read, write, and execute the zero device (/dev/zero).
##
##
-@@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',`
+ ##
+@@ -4583,18 +6012,18 @@ interface(`dev_rw_vmware',`
+ ##
+ ##
+ #
+-interface(`dev_rwx_vmware',`
++interface(`dev_rwx_zero',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type zero_device_t;
')
- dev_rw_vmware($1)
+- dev_rw_vmware($1)
- allow $1 vmware_device_t:chr_file execute;
-+ allow $1 vmware_device_t:chr_file { map execute };
++ dev_rw_zero($1)
++ allow $1 zero_device_t:chr_file { map execute };
')
########################################
-@@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',`
-
- ########################################
##
-+## RW to watchdog devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_watchdog',`
-+ gen_require(`
-+ type device_t, watchdog_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, watchdog_device_t)
-+')
-+
-+########################################
-+##
- ## Read and write the the wireless device.
+-## Read from watchdog devices.
++## Execmod the zero device (/dev/zero).
##
##
-@@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',`
+ ##
+@@ -4602,17 +6031,18 @@ interface(`dev_rwx_vmware',`
+ ##
+ ##
+ #
+-interface(`dev_read_watchdog',`
++interface(`dev_execmod_zero',`
+ gen_require(`
+- type device_t, watchdog_device_t;
++ type zero_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, watchdog_device_t)
++ dev_rw_zero($1)
++ allow $1 zero_device_t:chr_file execmod;
+ ')
########################################
##
-+## Dontaudit attempts to Read and write X server miscellaneous devices.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_leaked_xserver_misc',`
-+ gen_require(`
-+ type xserver_misc_device_t;
-+ ')
-+
-+ dontaudit $1 xserver_misc_device_t:chr_file { read write };
-+')
-+
-+########################################
-+##
-+## Read and write X server miscellaneous devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_manage_xserver_misc',`
-+ gen_require(`
-+ type device_t, xserver_misc_device_t;
-+ ')
-+
-+ manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
-+
-+ dev_filetrans_xserver_named_dev($1)
-+')
-+
-+########################################
-+##
- ## Read and write to the zero device (/dev/zero).
+-## Write to watchdog devices.
++## Create the zero device (/dev/zero).
##
##
-@@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',`
+ ##
+@@ -4620,17 +6050,17 @@ interface(`dev_read_watchdog',`
+ ##
+ ##
+ #
+-interface(`dev_write_watchdog',`
++interface(`dev_create_zero_dev',`
+ gen_require(`
+- type device_t, watchdog_device_t;
++ type device_t, zero_device_t;
')
- dev_rw_zero($1)
-- allow $1 zero_device_t:chr_file execute;
-+ allow $1 zero_device_t:chr_file { map execute };
+- write_chr_files_pattern($1, device_t, watchdog_device_t)
++ create_chr_files_pattern($1, device_t, zero_device_t)
')
########################################
-@@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',`
+ ##
+-## Read and write the the wireless device.
++## Unconfined access to devices.
+ ##
+ ##
+ ##
+@@ -4638,35 +6068,36 @@ interface(`dev_write_watchdog',`
+ ##
+ ##
+ #
+-interface(`dev_rw_wireless',`
++interface(`dev_unconfined',`
+ gen_require(`
+- type device_t, wireless_device_t;
++ attribute devices_unconfined_type;
+ ')
- typeattribute $1 devices_unconfined_type;
+- rw_chr_files_pattern($1, device_t, wireless_device_t)
++ typeattribute $1 devices_unconfined_type;
')
-+
-+########################################
-+##
+
+ ########################################
+ ##
+-## Read and write Xen devices.
+## Dontaudit getattr on all device nodes.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_rw_xen',`
+interface(`dev_dontaudit_getattr_all',`
-+ gen_require(`
+ gen_require(`
+- type device_t, xen_device_t;
+ attribute device_node;
+ type device_t;
-+ ')
-+
+ ')
+
+- rw_chr_files_pattern($1, device_t, xen_device_t)
+ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete Xen devices.
+## Get the attributes of the mei devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4674,41 +6105,35 @@ interface(`dev_rw_xen',`
+ ##
+ ##
+ #
+-interface(`dev_manage_xen',`
+interface(`dev_getattr_mei',`
-+ gen_require(`
+ gen_require(`
+- type device_t, xen_device_t;
+ type device_t, mei_device_t;
-+ ')
-+
+ ')
+
+- manage_chr_files_pattern($1, device_t, xen_device_t)
+ getattr_chr_files_pattern($1, device_t, mei_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Automatic type transition to the type
+-## for xen device nodes when created in /dev.
+## Read the mei devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`dev_filetrans_xen',`
+interface(`dev_read_mei',`
-+ gen_require(`
+ gen_require(`
+- type device_t, xen_device_t;
+ type device_t, mei_device_t;
-+ ')
-+
+ ')
+
+- filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
+ read_chr_files_pattern($1, device_t, mei_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of X server miscellaneous devices.
+## Read and write to mei devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4716,17 +6141,17 @@ interface(`dev_filetrans_xen',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_xserver_misc_dev',`
+interface(`dev_rw_mei',`
-+ gen_require(`
+ gen_require(`
+- type device_t, xserver_misc_device_t;
+ type device_t, mei_device_t;
-+ ')
-+
+ ')
+
+- getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
+ rw_chr_files_pattern($1, device_t, mei_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of X server miscellaneous devices.
+## Read and write uhid devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4734,17 +6159,18 @@ interface(`dev_getattr_xserver_misc_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_xserver_misc_dev',`
+interface(`dev_rw_uhid_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, xserver_misc_device_t;
+ type device_t, uhid_device_t;
-+ ')
-+
+ ')
+
+- setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
+ rw_chr_files_pattern($1, device_t, uhid_device_t)
-+')
-+
+ ')
+
+
-+########################################
-+##
+ ########################################
+ ##
+-## Read and write X server miscellaneous devices.
+## Allow read/write the hypervkvp device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4752,17 +6178,17 @@ interface(`dev_setattr_xserver_misc_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_xserver_misc',`
+interface(`dev_rw_hypervkvp',`
-+ gen_require(`
+ gen_require(`
+- type device_t, xserver_misc_device_t;
+ type device_t, hypervkvp_device_t;
-+ ')
-+
+ ')
+
+- rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
+ rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write to the zero device (/dev/zero).
+## Allow read/write the hypervkvp device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4770,17 +6196,17 @@ interface(`dev_rw_xserver_misc',`
+ ##
+ ##
+ #
+-interface(`dev_rw_zero',`
+interface(`dev_read_gpfs',`
-+ gen_require(`
+ gen_require(`
+- type device_t, zero_device_t;
+ type device_t, gpfs_device_t;
-+ ')
-+
+ ')
+
+- rw_chr_files_pattern($1, device_t, zero_device_t)
+ read_chr_files_pattern($1, device_t, gpfs_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read, write, and execute the zero device (/dev/zero).
+## Allow read/write the gpiochip device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4788,18 +6214,17 @@ interface(`dev_rw_zero',`
+ ##
+ ##
+ #
+-interface(`dev_rwx_zero',`
+interface(`dev_read_gpio',`
-+ gen_require(`
+ gen_require(`
+- type zero_device_t;
+ type device_t, gpio_device_t;
-+ ')
-+
+ ')
+
+- dev_rw_zero($1)
+- allow $1 zero_device_t:chr_file execute;
+ read_chr_files_pattern($1, device_t, gpio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Execmod the zero device (/dev/zero).
+## Allow read/write the hypervvssd device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4807,47 +6232,911 @@ interface(`dev_rwx_zero',`
+ ##
+ ##
+ #
+-interface(`dev_execmod_zero',`
+interface(`dev_rw_hypervvssd',`
-+ gen_require(`
+ gen_require(`
+- type zero_device_t;
+ type device_t, hypervvssd_device_t;
-+ ')
-+
+ ')
+
+- dev_rw_zero($1)
+- allow $1 zero_device_t:chr_file execmod;
+ rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create the zero device (/dev/zero).
+## Create all named devices with the correct label
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_create_zero_dev',`
+interface(`dev_filetrans_printer_named_dev',`
+
-+ gen_require(`
+ gen_require(`
+- type device_t, zero_device_t;
+- ')
+ type printer_device_t;
-+
+
+- create_chr_files_pattern($1, device_t, zero_device_t)
+ ')
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
@@ -9174,18 +10353,26 @@ index 76f285ea6..c28d65c08 100644
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unconfined access to devices.
+## Create all named devices with the correct label
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_unconfined',`
+- gen_require(`
+- attribute devices_unconfined_type;
+- ')
+-
+- typeattribute $1 devices_unconfined_type;
+interface(`dev_filetrans_all_named_dev',`
+
+gen_require(`
@@ -9201,6 +10388,8 @@ index 76f285ea6..c28d65c08 100644
+ type dlm_control_device_t;
+ type clock_device_t;
+ type v4l_device_t;
++ type vsock_device_t;
++ type vmci_device_t;
+ type vfio_device_t;
+ type event_device_t;
+ type xen_device_t;
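Review bot: `vsock_device_t` and `vmci_device_t` are pulled into the `gen_require` of `dev_filetrans_all_named_dev` here, given named transitions for `vsock` and `vmci` in the next hunk, and declared with `dev_node()` in the devices.te hunk further down, but nothing in this chunk lets a confined domain actually use them: there is no `dev_rw_vsock`/`dev_rw_vmci`-style interface in devices.if and no `devices.fc` entry for `/dev/vsock` or `/dev/vmci`. Without an .fc entry a relabel of /dev falls back to the generic label for nodes that already exist, and without an access interface only `devices_unconfined_type` domains can open the new types, which is presumably not the intent of introducing them. If those pieces live in a part of the patch not shown here this is fine; otherwise they are missing and the types are dead weight.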
@@ -9368,6 +10557,8 @@ index 76f285ea6..c28d65c08 100644
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
++ filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock")
++ filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
@@ -10013,9 +11204,9 @@ index 76f285ea6..c28d65c08 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
-+')
+ ')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a8715a..5c45b9323 100644
+index 0b1a8715a..849b00191 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -10180,7 +11371,7 @@ index 0b1a8715a..5c45b9323 100644
#
# Type for /dev/tpm
#
-@@ -266,6 +330,15 @@ dev_node(usbmon_device_t)
+@@ -266,14 +330,30 @@ dev_node(usbmon_device_t)
type userio_device_t;
dev_node(userio_device_t)
@@ -10196,7 +11387,14 @@ index 0b1a8715a..5c45b9323 100644
type v4l_device_t;
dev_node(v4l_device_t)
-@@ -274,6 +347,7 @@ dev_node(v4l_device_t)
++type vsock_device_t;
++dev_node(vsock_device_t)
++
++type vmci_device_t;
++dev_node(vmci_device_t)
++
+ #
+ # vhost_device_t is the type for /dev/vhost-net
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -10204,7 +11402,7 @@ index 0b1a8715a..5c45b9323 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -319,5 +393,8 @@ files_associate_tmp(device_node)
+@@ -319,5 +399,8 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -11402,7 +12600,7 @@ index b876c48ad..2e591a538 100644
+
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76ad..de87579ff 100644
+index f962f76ad..f2b8e4558 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -13353,7 +14551,7 @@ index f962f76ad..de87579ff 100644
')
########################################
-@@ -3921,6 +4817,26 @@ interface(`files_read_mnt_symlinks',`
+@@ -3921,6 +4817,45 @@ interface(`files_read_mnt_symlinks',`
read_lnk_files_pattern($1, mnt_t, mnt_t)
')
@@ -13377,10 +14575,29 @@ index f962f76ad..de87579ff 100644
+ allow $1 modules_object_t:system module_load;
+')
+
++########################################
++##
++## Mmap kernel module files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_map_kernel_modules',`
++ gen_require(`
++ type modules_object_t;
++ ')
++
++ allow $1 modules_object_t:file map;
++
++')
++
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
-@@ -4012,6 +4928,7 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4947,7 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
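Review bot: `files_map_kernel_modules` grants only `map` on `modules_object_t:file`; the kernel checks `map` in addition to the read/write/execute permission matching the mapping's protection, so a caller that has not also been given `files_read_kernel_modules` (or equivalent) will still be denied on mmap, and the interface summary should say so, e.g. `## Mmap kernel module files. Callers also need read access, e.g. via files_read_kernel_modules().` The blank line between the `allow` rule and the closing `')` is out of step with the neighbouring interfaces and can be dropped.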
@@ -13388,7 +14605,7 @@ index f962f76ad..de87579ff 100644
')
########################################
-@@ -4217,78 +5134,289 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,48 +5153,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13460,26 +14677,18 @@ index f962f76ad..de87579ff 100644
-## Do not audit attempts to get the
-## attributes of the tmp directory (/tmp).
+## File name transition for system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t, usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir getattr;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -13500,24 +14709,18 @@ index f962f76ad..de87579ff 100644
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
+ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
- ')
-
--########################################
++')
++
+######################################
- ##
--## Search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_search_tmp',`
++##
++#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
@@ -13644,13 +14847,13 @@ index f962f76ad..de87579ff 100644
+########################################
+##
+## Get the attributes of the tmp directory (/tmp).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4266,6 +5372,45 @@ interface(`files_getattr_tmp_dirs',`
+ ##
+ ##
+ #
+interface(`files_getattr_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
@@ -13690,27 +14893,11 @@ index f962f76ad..de87579ff 100644
+##
+##
+#
-+interface(`files_dontaudit_getattr_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ dontaudit $1 tmp_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Search the tmp directory (/tmp).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_tmp',`
+ interface(`files_dontaudit_getattr_tmp_dirs',`
gen_require(`
type tmp_t;
+@@ -4289,6 +5434,8 @@ interface(`files_search_tmp',`
+ type tmp_t;
')
+ fs_search_tmpfs($1)
@@ -13718,7 +14905,7 @@ index f962f76ad..de87579ff 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5453,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5472,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -13726,7 +14913,7 @@ index f962f76ad..de87579ff 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5463,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5482,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -13735,7 +14922,7 @@ index f962f76ad..de87579ff 100644
##
##
#
-@@ -4346,6 +5475,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5494,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -13761,7 +14948,7 @@ index f962f76ad..de87579ff 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4361,6 +5509,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5528,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -13769,7 +14956,7 @@ index f962f76ad..de87579ff 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5551,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5570,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -13802,7 +14989,7 @@ index f962f76ad..de87579ff 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,6 +5631,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5650,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -13845,7 +15032,7 @@ index f962f76ad..de87579ff 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4474,6 +5685,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5704,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -13906,7 +15093,7 @@ index f962f76ad..de87579ff 100644
## List all tmp directories.
##
##
-@@ -4519,7 +5784,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5803,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -13915,7 +15102,7 @@ index f962f76ad..de87579ff 100644
##
##
#
-@@ -4579,7 +5844,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5863,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -13924,7 +15111,7 @@ index f962f76ad..de87579ff 100644
##
##
#
-@@ -4611,15 +5876,53 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,17 +5895,55 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -13955,7 +15142,8 @@ index f962f76ad..de87579ff 100644
+## all leaked tmpfiles files.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain to not audit.
+##
+##
@@ -13979,10 +15167,12 @@ index f962f76ad..de87579ff 100644
+##
+##
+##
- ##
- ## The type of the object to be created.
++##
++## The type of the object to be created.
##
-@@ -4664,6 +5967,16 @@ interface(`files_purge_tmp',`
+ ##
+ ##
+@@ -4664,6 +5986,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -13999,7 +15189,7 @@ index f962f76ad..de87579ff 100644
')
########################################
-@@ -4814,6 +6127,24 @@ interface(`files_delete_usr_files',`
+@@ -4814,6 +6146,24 @@ interface(`files_delete_usr_files',`
########################################
##
@@ -14024,7 +15214,7 @@ index f962f76ad..de87579ff 100644
## Get the attributes of files in /usr.
##
##
-@@ -5112,6 +6443,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6462,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
@@ -14049,7 +15239,7 @@ index f962f76ad..de87579ff 100644
## Read system.map in the /boot directory.
##
##
-@@ -5241,6 +6590,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6609,24 @@ interface(`files_list_var',`
########################################
##
@@ -14074,7 +15264,7 @@ index f962f76ad..de87579ff 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5328,7 +6695,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6714,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -14083,7 +15273,7 @@ index f962f76ad..de87579ff 100644
')
########################################
-@@ -5419,6 +6786,24 @@ interface(`files_var_filetrans',`
+@@ -5419,6 +6805,24 @@ interface(`files_var_filetrans',`
filetrans_pattern($1, var_t, $2, $3, $4)
')
@@ -14108,7 +15298,7 @@ index f962f76ad..de87579ff 100644
########################################
##
## Get the attributes of the /var/lib directory.
-@@ -5527,6 +6912,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6931,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -14134,7 +15324,7 @@ index f962f76ad..de87579ff 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +7000,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +7019,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -14160,7 +15350,7 @@ index f962f76ad..de87579ff 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5619,6 +7042,42 @@ interface(`files_manage_urandom_seed',`
+@@ -5619,6 +7061,42 @@ interface(`files_manage_urandom_seed',`
manage_files_pattern($1, var_lib_t, var_lib_t)
')
@@ -14203,7 +15393,7 @@ index f962f76ad..de87579ff 100644
########################################
##
## Allow domain to manage mount tables
-@@ -5641,7 +7100,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +7119,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -14212,7 +15402,7 @@ index f962f76ad..de87579ff 100644
##
##
##
-@@ -5649,12 +7108,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +7127,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -14228,7 +15418,7 @@ index f962f76ad..de87579ff 100644
')
########################################
-@@ -5672,6 +7132,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +7151,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -14236,7 +15426,7 @@ index f962f76ad..de87579ff 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +7159,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +7178,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -14264,7 +15454,7 @@ index f962f76ad..de87579ff 100644
##
##
##
-@@ -5706,13 +7186,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7205,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14281,7 +15471,7 @@ index f962f76ad..de87579ff 100644
')
########################################
-@@ -5731,7 +7210,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7229,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -14290,7 +15480,7 @@ index f962f76ad..de87579ff 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +7243,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7262,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -14298,7 +15488,7 @@ index f962f76ad..de87579ff 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +7257,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7276,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -14307,7 +15497,7 @@ index f962f76ad..de87579ff 100644
##
##
##
-@@ -5787,13 +7265,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7284,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -14342,7 +15532,7 @@ index f962f76ad..de87579ff 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7307,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7326,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -14360,7 +15550,7 @@ index f962f76ad..de87579ff 100644
')
########################################
-@@ -5834,9 +7331,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7350,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -14371,7 +15561,7 @@ index f962f76ad..de87579ff 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7373,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7392,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -14381,7 +15571,7 @@ index f962f76ad..de87579ff 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7395,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7414,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -14391,7 +15581,7 @@ index f962f76ad..de87579ff 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7432,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7451,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -14401,7 +15591,7 @@ index f962f76ad..de87579ff 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7471,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7490,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -14410,7 +15600,7 @@ index f962f76ad..de87579ff 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7491,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7510,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -14459,113 +15649,69 @@ index f962f76ad..de87579ff 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,47 +7555,45 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7574,43 @@ interface(`files_dontaudit_search_pids',`
########################################
##
--## List the contents of the runtime process
--## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_pids',`
++##
++##
++#
+interface(`files_dontaudit_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
-+ attribute pidfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-+ dontaudit $1 pidfile:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read generic process ID files.
-+## Allow search the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_pids',`
-+interface(`files_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
-+ attribute pidfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
-+ allow $1 pidfile:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
-+## List the contents of the runtime process
-+## ID directories (/var/run).
- ##
- ##
- ##
-@@ -6073,12 +7601,51 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
-+interface(`files_list_pids',`
+ gen_require(`
-+ type var_t, var_run_t;
++ attribute pidfile;
+ ')
+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
++ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+##
-+## Read generic process ID files.
++## Allow search the all /var/run directory.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_read_generic_pids',`
++interface(`files_search_all_pids',`
+ gen_require(`
-+ type var_t, var_run_t;
++ attribute pidfile;
+ ')
+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
++ allow $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+##
-+## Write named generic process ID pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_generic_pid_pipes',`
- gen_require(`
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7625,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6058,7 +7644,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6078,7 +7664,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
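Review bot: The parameter description of the new `files_search_all_pids` interface reads `Domain to not audit.` although the interface emits an `allow` rule; it was evidently copied from `files_dontaudit_search_all_pids` above it and should read `## Domain allowed access.` as in the sibling interfaces. Its summary `Allow search the all /var/run directory.` is also misleading, since the rule targets the `pidfile` attribute rather than `var_run_t`; `## Search all process ID directories (types with the pidfile attribute).` states what is actually granted. Separately, the inner hunks for `files_list_pids` and `files_read_generic_pids` replace `allow $1 var_run_t:lnk_file read_lnk_file_perms;` with `files_search_pids($1)`; whether the lnk_file read on `var_run_t` (needed where /var/run is a symlink to /run) survives depends on the body of `files_search_pids`, which an earlier hunk extends but which is not visible here, so that should be confirmed.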
@@ -14574,7 +15720,7 @@ index f962f76ad..de87579ff 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7707,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7726,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -14582,7 +15728,7 @@ index f962f76ad..de87579ff 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7735,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7754,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -14607,7 +15753,7 @@ index f962f76ad..de87579ff 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7766,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7785,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -14616,307 +15762,221 @@ index f962f76ad..de87579ff 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7833,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,6 +7852,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
--## Read all process ID files.
+## Relable all pid directories
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_read_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabel_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## Delete all pid sockets
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Create all pid sockets
- ##
- ##
- ##
-@@ -6305,42 +7877,35 @@ interface(`files_delete_all_pids',`
- ##
- ##
- #
--interface(`files_delete_all_pid_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_create_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Create all pid named pipes
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_create_all_pid_pipes',`
- gen_require(`
- attribute pidfile;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Delete all pid named pipes
- ##
- ##
- ##
-@@ -6348,18 +7913,18 @@ interface(`files_manage_all_pids',`
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_pipes',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## manage all pidfile directories
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6367,37 +7932,40 @@ interface(`files_mounton_all_poly_members',`
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_all_pid_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ manage_dirs_pattern($1,pidfile,pidfile)
- ')
-
++')
+
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
-+## Read all process ID files.
++
++########################################
++##
+ ## Read all process ID files.
##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_read_all_pids',`
+@@ -6261,12 +7974,105 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
gen_require(`
-- type var_spool_t;
-+ attribute pidfile;
+ attribute pidfile;
+- type var_t, var_run_t;
+ type var_t;
')
-- dontaudit $1 var_spool_t:dir search_dir_perms;
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++##
+## Relable all pid files
- ##
- ##
- ##
-@@ -6405,18 +7973,17 @@ interface(`files_dontaudit_search_spool',`
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabel_all_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ relabel_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Execute generic programs in /var/run in the caller domain.
- ##
- ##
- ##
-@@ -6424,18 +7991,18 @@ interface(`files_list_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_exec_generic_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ exec_files_pattern($1, var_run_t, var_run_t)
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## Write all sockets
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6443,19 +8010,18 @@ interface(`files_manage_generic_spool_dirs',`
- ##
- ##
- #
--interface(`files_read_generic_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_write_all_pid_sockets',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 pidfile:sock_file write_sock_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## manage all pidfiles
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6463,55 +8029,62 @@ interface(`files_read_generic_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Mount filesystems on all polyinstantiation
+## member directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`files_mounton_all_poly_members',`
+ gen_require(`
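Review bot: In files_read_all_pids the explicit `allow $1 var_run_t:lnk_file read_lnk_file_perms;` is removed and the new body relies on `read_lnk_files_pattern($1, pidfile, pidfile)`, and in the following hunk (ending at the files_delete_all_pid_dirs body) the same rule is replaced by `files_search_pids($1)` in files_delete_all_pids and files_delete_all_pid_dirs; that is only equivalent if var_run_t carries the pidfile attribute and files_search_pids itself grants the symlink read, and neither definition is visible in this diff — on a layout where /var/run is a symlink to /run a domain lacking that permission cannot reach any pid file, so please confirm or keep the explicit rule. The description lines `## Relable all pid directories` and `## Relable all pid files` should read `Relabel`. `manage_dirs_pattern($1,pidfile,pidfile)` and `manage_files_pattern($1,pidfile,pidfile)` lack the spaces after commas that every other pattern call in this file uses.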
@@ -14924,100 +15984,33 @@ index f962f76ad..de87579ff 100644
+ ')
+
+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
-+## Delete all process IDs.
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_spool_filetrans',`
-+interface(`files_delete_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
-+ type var_t, var_run_t;
+ ')
+
+ ########################################
+@@ -6286,8 +8092,8 @@ interface(`files_delete_all_pids',`
+ type var_t, var_run_t;
')
+ files_search_pids($1)
allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
-+## Delete all process ID directories.
- ##
- ##
- ##
-@@ -6519,53 +8092,332 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pid_dirs',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
-+ attribute pidfile;
-+ type var_t, var_run_t;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+@@ -6311,36 +8117,80 @@ interface(`files_delete_all_pid_dirs',`
+ type var_t, var_run_t;
')
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+ ')
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-+########################################
-+##
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Make the specified type a file
+## used for spool files.
+##
@@ -15058,46 +16051,56 @@ index f962f76ad..de87579ff 100644
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
- ')
++ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Create all spool sockets
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain alloed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_create_all_spool_sockets',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute spoolfile;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6348,12 +8198,33 @@ interface(`files_manage_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute spoolfile;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
@@ -15120,222 +16123,10 @@ index f962f76ad..de87579ff 100644
+ ')
+
+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+##
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the spool directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_spool_filetrans',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_polyinstantiate_all',`
-+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
-+ ')
-+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Unconfined access to files.
- ##
- ##
- ##
-@@ -6580,3 +8432,623 @@ interface(`files_unconfined',`
+ ')
+
+ ########################################
+@@ -6580,3 +8451,623 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -24690,10 +25481,10 @@ index 234a940f9..a92415a9d 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fca2..88ac7d6bb 100644
+index 0fef1fca2..6773aa784 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,11 +8,73 @@ policy_module(staff, 2.4.0)
+@@ -8,11 +8,75 @@ policy_module(staff, 2.4.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -24726,6 +25517,7 @@ index 0fef1fca2..88ac7d6bb 100644
+
+dev_read_cpuid(staff_t)
+dev_read_kmsg(staff_t)
++dev_map_video_dev(staff_t)
+
+domain_read_all_domains_state(staff_t)
+domain_getcap_all_domains(staff_t)
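Review bot: `dev_map_video_dev(staff_t)` extends the unprivileged staff role with mmap access to video device nodes without a comment naming the consumer; `map` on a device node is a distinct and broader grant than plain read/write, so a one-line why-comment such as `# mmap of video devices needed by <application> (V4L2 clients?)` — with the actual consumer filled in — would let later audits judge whether it is still required. `miscfiles_map_generic_certs(staff_t)` in the next hunk maps read-only public certificate files and needs no such justification.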
@@ -24752,6 +25544,7 @@ index 0fef1fca2..88ac7d6bb 100644
+init_status(staff_t)
+
+miscfiles_read_hwdata(staff_t)
++miscfiles_map_generic_certs(staff_t)
+
+ifndef(`enable_mls',`
+ selinux_read_policy(staff_t)
@@ -24767,7 +25560,7 @@ index 0fef1fca2..88ac7d6bb 100644
optional_policy(`
apache_role(staff_r, staff_t)
-@@ -23,11 +85,128 @@ optional_policy(`
+@@ -23,11 +87,132 @@ optional_policy(`
')
optional_policy(`
@@ -24854,6 +25647,10 @@ index 0fef1fca2..88ac7d6bb 100644
+')
+
+optional_policy(`
++ mandb_map_cache_files(staff_t)
++')
++
++optional_policy(`
+ mock_role(staff_r, staff_t)
+')
+
@@ -24897,7 +25694,7 @@ index 0fef1fca2..88ac7d6bb 100644
')
optional_policy(`
-@@ -35,20 +214,74 @@ optional_policy(`
+@@ -35,20 +220,74 @@ optional_policy(`
')
optional_policy(`
@@ -24974,7 +25771,7 @@ index 0fef1fca2..88ac7d6bb 100644
')
optional_policy(`
-@@ -56,7 +289,20 @@ optional_policy(`
+@@ -56,7 +295,20 @@ optional_policy(`
')
optional_policy(`
@@ -24996,7 +25793,7 @@ index 0fef1fca2..88ac7d6bb 100644
')
ifndef(`distro_redhat',`
-@@ -65,10 +311,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +317,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25007,7 +25804,7 @@ index 0fef1fca2..88ac7d6bb 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +320,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +326,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -25018,7 +25815,7 @@ index 0fef1fca2..88ac7d6bb 100644
')
optional_policy(`
-@@ -101,10 +339,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +345,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25029,7 +25826,7 @@ index 0fef1fca2..88ac7d6bb 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +359,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +365,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25040,7 +25837,7 @@ index 0fef1fca2..88ac7d6bb 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +371,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +377,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25051,7 +25848,7 @@ index 0fef1fca2..88ac7d6bb 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +402,24 @@ ifndef(`distro_redhat',`
+@@ -176,3 +408,24 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -25105,10 +25902,10 @@ index ff9243078..36740eab3 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6c0..800f41930 100644
+index 2522ca6c0..7aeed7254 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,105 @@ policy_module(sysadm, 2.6.1)
+@@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1)
# Declarations
#
@@ -25179,6 +25976,8 @@ index 2522ca6c0..800f41930 100644
+init_undefined(sysadm_t)
+
+logging_filetrans_named_content(sysadm_t)
++logging_map_audit_config(sysadm_t)
++logging_map_audit_log(sysadm_t)
+
+miscfiles_filetrans_named_content(sysadm_t)
+miscfiles_read_hwdata(sysadm_t)
@@ -25224,7 +26023,7 @@ index 2522ca6c0..800f41930 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +121,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +123,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -25239,7 +26038,7 @@ index 2522ca6c0..800f41930 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +131,9 @@ optional_policy(`
+@@ -71,9 +133,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -25250,7 +26049,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -87,6 +147,7 @@ optional_policy(`
+@@ -87,6 +149,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -25258,7 +26057,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -110,11 +171,17 @@ optional_policy(`
+@@ -110,11 +173,17 @@ optional_policy(`
')
optional_policy(`
@@ -25276,7 +26075,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -122,11 +189,27 @@ optional_policy(`
+@@ -122,11 +191,27 @@ optional_policy(`
')
optional_policy(`
@@ -25306,7 +26105,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -140,6 +223,10 @@ optional_policy(`
+@@ -140,6 +225,10 @@ optional_policy(`
')
optional_policy(`
@@ -25317,7 +26116,7 @@ index 2522ca6c0..800f41930 100644
dmesg_exec(sysadm_t)
')
-@@ -156,6 +243,10 @@ optional_policy(`
+@@ -156,6 +245,10 @@ optional_policy(`
')
optional_policy(`
@@ -25328,7 +26127,7 @@ index 2522ca6c0..800f41930 100644
fstools_run(sysadm_t, sysadm_r)
')
-@@ -164,6 +255,11 @@ optional_policy(`
+@@ -164,6 +257,11 @@ optional_policy(`
')
optional_policy(`
@@ -25340,7 +26139,7 @@ index 2522ca6c0..800f41930 100644
hadoop_role(sysadm_r, sysadm_t)
')
-@@ -172,13 +268,31 @@ optional_policy(`
+@@ -172,13 +270,31 @@ optional_policy(`
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
ipsec_exec_mgmt(sysadm_t)
@@ -25372,7 +26171,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -190,11 +304,12 @@ optional_policy(`
+@@ -190,11 +306,12 @@ optional_policy(`
')
optional_policy(`
@@ -25387,7 +26186,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -210,22 +325,21 @@ optional_policy(`
+@@ -210,22 +327,21 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -25417,7 +26216,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -237,14 +351,32 @@ optional_policy(`
+@@ -237,14 +353,32 @@ optional_policy(`
')
optional_policy(`
@@ -25450,7 +26249,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -252,10 +384,20 @@ optional_policy(`
+@@ -252,10 +386,20 @@ optional_policy(`
')
optional_policy(`
@@ -25471,7 +26270,7 @@ index 2522ca6c0..800f41930 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +408,46 @@ optional_policy(`
+@@ -266,35 +410,46 @@ optional_policy(`
')
optional_policy(`
@@ -25525,7 +26324,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -308,6 +461,7 @@ optional_policy(`
+@@ -308,6 +463,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -25533,7 +26332,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -315,12 +469,20 @@ optional_policy(`
+@@ -315,12 +471,20 @@ optional_policy(`
')
optional_policy(`
@@ -25555,7 +26354,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -345,30 +507,38 @@ optional_policy(`
+@@ -345,30 +509,38 @@ optional_policy(`
')
optional_policy(`
@@ -25603,7 +26402,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -380,10 +550,6 @@ optional_policy(`
+@@ -380,10 +552,6 @@ optional_policy(`
')
optional_policy(`
@@ -25614,7 +26413,7 @@ index 2522ca6c0..800f41930 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +557,9 @@ optional_policy(`
+@@ -391,6 +559,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -25624,7 +26423,7 @@ index 2522ca6c0..800f41930 100644
')
optional_policy(`
-@@ -398,31 +567,34 @@ optional_policy(`
+@@ -398,31 +569,34 @@ optional_policy(`
')
optional_policy(`
@@ -25665,7 +26464,7 @@ index 2522ca6c0..800f41930 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +607,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +609,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25676,7 +26475,7 @@ index 2522ca6c0..800f41930 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +627,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +629,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -31153,7 +31952,7 @@ index 6bf0ecc2d..29db5fd25 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b403774f..a03fa4661 100644
+index 8b403774f..af9ee8070 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -32216,7 +33015,7 @@ index 8b403774f..a03fa4661 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1129,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,36 +1129,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -32227,7 +33026,12 @@ index 8b403774f..a03fa4661 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1144,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++allow xserver_t xserver_tmpfs_t:file map;
+
+ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -32269,11 +33073,12 @@ index 8b403774f..a03fa4661 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1195,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1196,29 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
-dev_filetrans_dri(xserver_t)
++dev_map_dri(xserver_t)
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
@@ -32301,7 +33106,7 @@ index 8b403774f..a03fa4661 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1228,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1230,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -32316,7 +33121,7 @@ index 8b403774f..a03fa4661 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1249,18 @@ init_getpgid(xserver_t)
+@@ -718,28 +1251,25 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -32340,16 +33145,16 @@ index 8b403774f..a03fa4661 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1268,6 @@ userdom_setattr_user_ttys(xserver_t)
+ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
-
--xserver_use_user_fonts(xserver_t)
-
+-xserver_use_user_fonts(xserver_t)
++userdom_map_tmp_files(xserver_t)
+
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
- domain_mmap_low_uncond(xserver_t)
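Review bot: `userdom_map_tmp_files(xserver_t)` lets the X server mmap files of user temporary types, which unprivileged user domains write, with no comment on which client mechanism needs it; a why-comment such as `# clients hand the server shared buffers as tmp files (TODO: name the mechanism)` would record the rationale for future audits. If only one specific file type is involved, a narrower interface would limit how much user-controlled content the server maps into its address space.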
-@@ -785,17 +1312,54 @@ optional_policy(`
+@@ -785,17 +1315,54 @@ optional_policy(`
')
optional_policy(`
@@ -32406,7 +33211,7 @@ index 8b403774f..a03fa4661 100644
')
optional_policy(`
-@@ -803,6 +1367,10 @@ optional_policy(`
+@@ -803,6 +1370,10 @@ optional_policy(`
')
optional_policy(`
@@ -32417,7 +33222,7 @@ index 8b403774f..a03fa4661 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1386,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1389,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -32442,7 +33247,7 @@ index 8b403774f..a03fa4661 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1409,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1412,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -32477,7 +33282,7 @@ index 8b403774f..a03fa4661 100644
')
optional_policy(`
-@@ -912,7 +1474,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1477,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -32486,7 +33291,7 @@ index 8b403774f..a03fa4661 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1528,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1531,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -32518,7 +33323,7 @@ index 8b403774f..a03fa4661 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1574,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1577,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -40543,7 +41348,7 @@ index b50c5fe81..9eacd9ba1 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e9488463..e7d5f42a5 100644
+index 4e9488463..2db173f77 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',`
@@ -40571,7 +41376,32 @@ index 4e9488463..e7d5f42a5 100644
## Set login uid
##
##
-@@ -233,7 +251,7 @@ interface(`logging_run_auditd',`
+@@ -146,6 +164,24 @@ interface(`logging_read_audit_log',`
+
+ ########################################
+ ##
++## Map the audit log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_map_audit_log',`
++ gen_require(`
++ type auditd_log_t;
++ ')
++
++ allow $1 auditd_log_t:file map;
++')
++########################################
++##
+ ## Execute auditctl in the auditctl domain.
+ ##
+ ##
+@@ -233,7 +269,7 @@ interface(`logging_run_auditd',`
########################################
##
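Review bot: `logging_map_audit_log` grants only `auditd_log_t:file map`, and `map` does not carry `open` or `read`, so the header should say the interface is meant to complement `logging_read_audit_log`, e.g. `## Map the audit log. Grants map only; pair with logging_read_audit_log.`. The same clarification applies to `logging_map_audit_config` and `userdom_map_tmp_files` later in this patch, and the latter says `Mmap` where the two logging interfaces say `Map`, so one wording should be used. Separately, the closing `++')` of the new interface runs directly into the `++########` banner of the following one, whereas the other two new interfaces keep a blank line before the next banner; unless the blank was lost in extraction it should be added. Keeping callers of a map-only interface to domains that already hold read on the type is the safer default, since the audit log is sensitive and the interface itself imposes no such constraint.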
@@ -40580,7 +41410,7 @@ index 4e9488463..e7d5f42a5 100644
##
##
##
-@@ -318,7 +336,7 @@ interface(`logging_dispatcher_domain',`
+@@ -318,7 +354,7 @@ interface(`logging_dispatcher_domain',`
########################################
##
@@ -40589,7 +41419,7 @@ index 4e9488463..e7d5f42a5 100644
##
##
##
-@@ -496,6 +514,68 @@ interface(`logging_log_filetrans',`
+@@ -496,6 +532,68 @@ interface(`logging_log_filetrans',`
filetrans_pattern($1, var_log_t, $2, $3, $4)
')
@@ -40658,7 +41488,7 @@ index 4e9488463..e7d5f42a5 100644
########################################
##
## Send system log messages.
-@@ -530,22 +610,107 @@ interface(`logging_log_filetrans',`
+@@ -530,22 +628,107 @@ interface(`logging_log_filetrans',`
#
interface(`logging_send_syslog_msg',`
gen_require(`
@@ -40778,10 +41608,29 @@ index 4e9488463..e7d5f42a5 100644
')
########################################
-@@ -571,6 +736,25 @@ interface(`logging_read_audit_config',`
+@@ -571,6 +754,44 @@ interface(`logging_read_audit_config',`
########################################
##
++## Map the auditd configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_map_audit_config',`
++ gen_require(`
++ type auditd_etc_t;
++ ')
++
++ allow $1 auditd_etc_t:file map;
++')
++
++########################################
++##
+## dontaudit search of auditd log files.
+##
+##
@@ -40804,7 +41653,7 @@ index 4e9488463..e7d5f42a5 100644
## dontaudit search of auditd configuration files.
##
##
-@@ -609,6 +793,25 @@ interface(`logging_read_syslog_config',`
+@@ -609,6 +830,25 @@ interface(`logging_read_syslog_config',`
########################################
##
@@ -40830,7 +41679,7 @@ index 4e9488463..e7d5f42a5 100644
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
-@@ -722,6 +925,25 @@ interface(`logging_setattr_all_log_dirs',`
+@@ -722,6 +962,25 @@ interface(`logging_setattr_all_log_dirs',`
allow $1 logfile:dir setattr;
')
@@ -40856,7 +41705,7 @@ index 4e9488463..e7d5f42a5 100644
########################################
##
## Do not audit attempts to get the attributes
-@@ -776,7 +998,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +1035,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@@ -40883,7 +41732,7 @@ index 4e9488463..e7d5f42a5 100644
')
########################################
-@@ -859,7 +1099,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1136,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@@ -40892,7 +41741,7 @@ index 4e9488463..e7d5f42a5 100644
')
########################################
-@@ -880,11 +1120,69 @@ interface(`logging_read_generic_logs',`
+@@ -880,11 +1157,69 @@ interface(`logging_read_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
@@ -40962,7 +41811,7 @@ index 4e9488463..e7d5f42a5 100644
## Write generic log files.
##
##
-@@ -905,6 +1203,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1240,24 @@ interface(`logging_write_generic_logs',`
########################################
##
@@ -40987,7 +41836,7 @@ index 4e9488463..e7d5f42a5 100644
## Dontaudit Write generic log files.
##
##
-@@ -984,11 +1300,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1337,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
@@ -41005,7 +41854,7 @@ index 4e9488463..e7d5f42a5 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -1004,6 +1325,55 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1362,55 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@@ -41061,7 +41910,7 @@ index 4e9488463..e7d5f42a5 100644
')
########################################
-@@ -1032,10 +1402,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1439,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -41079,7 +41928,7 @@ index 4e9488463..e7d5f42a5 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1432,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1469,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -41088,7 +41937,7 @@ index 4e9488463..e7d5f42a5 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1085,3 +1462,110 @@ interface(`logging_admin',`
+@@ -1085,3 +1499,110 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -41200,7 +42049,7 @@ index 4e9488463..e7d5f42a5 100644
+')
+
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1a2..370f8a825 100644
+index 59b04c1a2..ba742cd03 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -41283,7 +42132,7 @@ index 59b04c1a2..370f8a825 100644
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
-@@ -94,6 +129,8 @@ ifdef(`enable_mls',`
+@@ -94,8 +129,11 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
@@ -41291,8 +42140,11 @@ index 59b04c1a2..370f8a825 100644
+
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
++allow auditctl_t auditd_etc_t:file map;
-@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t)
+ # Needed for adding watches
+ files_getattr_all_dirs(auditctl_t)
+@@ -111,7 +149,9 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -41303,7 +42155,7 @@ index 59b04c1a2..370f8a825 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -134,11 +173,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms;
+@@ -134,11 +174,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
@@ -41318,7 +42170,7 @@ index 59b04c1a2..370f8a825 100644
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +189,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@@ -41326,7 +42178,7 @@ index 59b04c1a2..370f8a825 100644
dev_read_sysfs(auditd_t)
-@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +197,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@@ -41336,7 +42188,7 @@ index 59b04c1a2..370f8a825 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +222,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -41358,7 +42210,7 @@ index 59b04c1a2..370f8a825 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -219,7 +258,7 @@ optional_policy(`
+@@ -219,7 +259,7 @@ optional_policy(`
# audit dispatcher local policy
#
@@ -41367,7 +42219,7 @@ index 59b04c1a2..370f8a825 100644
allow audisp_t self:process { getcap signal_perms setcap setsched };
allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
-@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +277,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -41399,7 +42251,7 @@ index 59b04c1a2..370f8a825 100644
')
########################################
-@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+@@ -266,9 +316,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
@@ -41411,7 +42263,7 @@ index 59b04c1a2..370f8a825 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,13 +331,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -41439,7 +42291,7 @@ index 59b04c1a2..370f8a825 100644
########################################
#
# klogd local policy
-@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +390,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@@ -41447,7 +42299,7 @@ index 59b04c1a2..370f8a825 100644
mls_file_read_all_levels(klogd_t)
-@@ -355,13 +417,13 @@ optional_policy(`
+@@ -355,13 +418,13 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@@ -41465,7 +42317,7 @@ index 59b04c1a2..370f8a825 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,15 +431,20 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,15 +432,20 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -41487,7 +42339,7 @@ index 59b04c1a2..370f8a825 100644
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
files_search_spool(syslogd_t)
-@@ -389,30 +456,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +457,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -41539,7 +42391,7 @@ index 59b04c1a2..370f8a825 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +507,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +508,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -41548,7 +42400,7 @@ index 59b04c1a2..370f8a825 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +519,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +520,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -41582,7 +42434,7 @@ index 59b04c1a2..370f8a825 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -448,13 +558,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +559,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@@ -41600,7 +42452,7 @@ index 59b04c1a2..370f8a825 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +580,12 @@ init_use_fds(syslogd_t)
+@@ -466,11 +581,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -41616,7 +42468,7 @@ index 59b04c1a2..370f8a825 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -497,6 +612,7 @@ optional_policy(`
+@@ -497,6 +613,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -41624,7 +42476,7 @@ index 59b04c1a2..370f8a825 100644
')
optional_policy(`
-@@ -507,15 +623,44 @@ optional_policy(`
+@@ -507,15 +624,44 @@ optional_policy(`
')
optional_policy(`
@@ -41669,7 +42521,7 @@ index 59b04c1a2..370f8a825 100644
')
optional_policy(`
-@@ -526,3 +671,29 @@ optional_policy(`
+@@ -526,3 +672,29 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -42154,7 +43006,7 @@ index 58bc27f22..90f567300 100644
+
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c410..b0cb1e565 100644
+index 79048c410..924fa2e75 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -42280,7 +43132,7 @@ index 79048c410..b0cb1e565 100644
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +222,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -202,10 +222,13 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -42291,8 +43143,11 @@ index 79048c410..b0cb1e565 100644
+init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
++allow lvm_t lvm_etc_t:file map;
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +242,7 @@ kernel_read_kernel_sysctls(lvm_t)
+ # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+ manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
+@@ -220,6 +243,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
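Review bot: The new `allow lvm_t lvm_etc_t:file map;` is inserted between `read_files_pattern` and `read_lnk_files_pattern` for the same type, splitting the two read patterns; placing it after `read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)` keeps the read rules for `lvm_etc_t` contiguous and mirrors the placement used for `auditctl_t` in the logging.te hunk earlier in this patch, where the map rule follows the dir rule. A short reason comment such as `# map is checked separately from read; lvm mmaps its config` would help later audits, since the rule grants only the mmap check and read already comes from the pattern above it.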
@@ -42300,7 +43155,7 @@ index 79048c410..b0cb1e565 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
-@@ -230,11 +253,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +254,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@@ -42315,7 +43170,7 @@ index 79048c410..b0cb1e565 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
-@@ -246,6 +271,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +272,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -42323,7 +43178,7 @@ index 79048c410..b0cb1e565 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -255,17 +281,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +282,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -42346,7 +43201,7 @@ index 79048c410..b0cb1e565 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -285,7 +315,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +316,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -42355,7 +43210,7 @@ index 79048c410..b0cb1e565 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +323,23 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +324,23 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
@@ -42380,7 +43235,7 @@ index 79048c410..b0cb1e565 100644
ifdef(`distro_redhat',`
# this is from the initrd:
-@@ -313,6 +351,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +352,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -42392,7 +43247,7 @@ index 79048c410..b0cb1e565 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -321,6 +364,10 @@ optional_policy(`
+@@ -321,6 +365,10 @@ optional_policy(`
')
optional_policy(`
@@ -42403,7 +43258,7 @@ index 79048c410..b0cb1e565 100644
gpm_dontaudit_getattr_gpmctl(lvm_t)
')
-@@ -333,14 +380,30 @@ optional_policy(`
+@@ -333,14 +381,30 @@ optional_policy(`
')
optional_policy(`
@@ -43062,7 +43917,7 @@ index 7449974f6..b79290062 100644
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8b2..aa59857ad 100644
+index 7a363b8b2..3a6ded940 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@@ -43177,7 +44032,7 @@ index 7a363b8b2..aa59857ad 100644
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -115,20 +124,28 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+@@ -115,20 +124,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
@@ -43193,6 +44048,7 @@ index 7a363b8b2..aa59857ad 100644
kernel_load_module(insmod_t)
-kernel_request_load_module(insmod_t)
+files_manage_kernel_modules(insmod_t)
++files_map_kernel_modules(insmod_t)
kernel_read_system_state(insmod_t)
kernel_read_network_state(insmod_t)
kernel_write_proc_files(insmod_t)
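Review bot: `files_map_kernel_modules(insmod_t)` is called here, but no hunk visible in this part of the patch adds a `files_map_kernel_modules` interface to files.if, so unless it already exists in the base policy or is added elsewhere in this patch the build will fail on an undefined interface; contrast `userdom_map_tmp_files`, whose definition is added in the userdomain.if hunk of this same patch. If the interface is new, its definition belongs in this change, and a one-line comment at the call site naming why insmod_t needs to mmap module objects (presumably the module loader maps the image rather than reading it — TODO confirm) would document the grant. The enclosing block of insmod_t rules continues outside the hunk.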
@@ -43208,7 +44064,7 @@ index 7a363b8b2..aa59857ad 100644
kernel_setsched(insmod_t)
corecmd_exec_bin(insmod_t)
-@@ -142,40 +159,55 @@ dev_rw_agp(insmod_t)
+@@ -142,40 +160,55 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -43268,7 +44124,7 @@ index 7a363b8b2..aa59857ad 100644
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +216,33 @@ optional_policy(`
+@@ -184,28 +217,33 @@ optional_policy(`
')
optional_policy(`
@@ -43309,7 +44165,7 @@ index 7a363b8b2..aa59857ad 100644
')
optional_policy(`
-@@ -225,6 +262,7 @@ optional_policy(`
+@@ -225,6 +263,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -43317,7 +44173,7 @@ index 7a363b8b2..aa59857ad 100644
')
optional_policy(`
-@@ -233,6 +271,10 @@ optional_policy(`
+@@ -233,6 +272,10 @@ optional_policy(`
')
optional_policy(`
@@ -43328,7 +44184,7 @@ index 7a363b8b2..aa59857ad 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +333,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +334,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -45143,7 +45999,7 @@ index 38220721d..abac74231 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc4642022..27d8d49ba 100644
+index dc4642022..0e7086c60 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -45556,7 +46412,7 @@ index dc4642022..27d8d49ba 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -440,81 +512,85 @@ optional_policy(`
+@@ -440,81 +512,86 @@ optional_policy(`
# semodule local policy
#
@@ -45640,6 +46496,7 @@ index dc4642022..27d8d49ba 100644
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
+userdom_home_reader(semanage_t)
++userdom_map_tmp_files(semanage_t)
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
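Review bot: `userdom_map_tmp_files(semanage_t)` lets the policy-management domain mmap files in `user_tmp_t`, which are controlled by ordinary users; `semanage_t` already has `userdom_read_user_tmp_files` two lines above, so this only widens how the contents are accessed, but a mapped file can be truncated by its owner while mapped, which a privileged process should be prepared to tolerate. A comment naming the workflow that needs the mapping would make the grant auditable, e.g. `# map: policy packages read from user tmp (e.g. semodule -i /tmp/foo.pp) — verify`. The interface itself is defined in the userdomain.if hunk of this patch, so there is no missing-symbol concern here.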
@@ -45698,7 +46555,7 @@ index dc4642022..27d8d49ba 100644
')
########################################
-@@ -522,111 +598,204 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +599,204 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -51529,7 +52386,7 @@ index db7597682..c54480a1d 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..597fe227f 100644
+index 9dc60c6c0..6a26bba87 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -51844,7 +52701,7 @@ index 9dc60c6c0..597fe227f 100644
')
')
-@@ -273,6 +316,82 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +316,101 @@ interface(`userdom_manage_home_role',`
##
## Manage user temporary files
##
@@ -51865,6 +52722,25 @@ index 9dc60c6c0..597fe227f 100644
+
+#######################################
+##
++## Mmap user temporary files
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_map_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file map;
++')
++
++#######################################
++##
+## Manage user temporary sockets
+##
+##
@@ -51927,7 +52803,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
## Role allowed access.
-@@ -287,17 +406,65 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +425,65 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
@@ -51998,7 +52874,7 @@ index 9dc60c6c0..597fe227f 100644
')
#######################################
-@@ -317,11 +484,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +503,31 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -52030,7 +52906,7 @@ index 9dc60c6c0..597fe227f 100644
## Role access for the user tmpfs type
## that the user has full access.
##
-@@ -347,60 +534,45 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,60 +553,45 @@ interface(`userdom_exec_user_tmp_files',`
##
#
interface(`userdom_manage_tmpfs_role',`
@@ -52111,7 +52987,7 @@ index 9dc60c6c0..597fe227f 100644
')
#######################################
-@@ -431,6 +603,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +622,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -52119,7 +52995,7 @@ index 9dc60c6c0..597fe227f 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -463,8 +636,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +655,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -52130,7 +53006,7 @@ index 9dc60c6c0..597fe227f 100644
')
')
-@@ -491,51 +664,69 @@ template(`userdom_common_user_template',`
+@@ -491,51 +683,69 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -52224,7 +53100,7 @@ index 9dc60c6c0..597fe227f 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +737,137 @@ template(`userdom_common_user_template',`
+@@ -546,93 +756,137 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -52400,7 +53276,7 @@ index 9dc60c6c0..597fe227f 100644
')
optional_policy(`
-@@ -642,23 +877,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +896,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -52429,7 +53305,7 @@ index 9dc60c6c0..597fe227f 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +904,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +923,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -52438,7 +53314,7 @@ index 9dc60c6c0..597fe227f 100644
')
optional_policy(`
-@@ -680,9 +913,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +932,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -52451,7 +53327,7 @@ index 9dc60c6c0..597fe227f 100644
')
')
-@@ -693,32 +926,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +945,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -52498,7 +53374,7 @@ index 9dc60c6c0..597fe227f 100644
')
')
-@@ -743,17 +979,32 @@ template(`userdom_common_user_template',`
+@@ -743,17 +998,32 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -52535,7 +53411,7 @@ index 9dc60c6c0..597fe227f 100644
userdom_change_password_template($1)
-@@ -761,82 +1012,113 @@ template(`userdom_login_user_template', `
+@@ -761,86 +1031,117 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -52627,65 +53503,71 @@ index 9dc60c6c0..597fe227f 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
+
+- seutil_read_config($1_t)
+ seutil_read_config($1_usertype)
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
+ seutil_exec_setfiles($1_usertype)
-+
-+ optional_policy(`
+
+ optional_policy(`
+- cups_read_config($1_t)
+- cups_stream_connect($1_t)
+- cups_stream_connect_ptal($1_t)
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- kerberos_use($1_t)
+ kerberos_use($1_usertype)
+ init_write_key($1_usertype)
-+ ')
+ ')
-- seutil_read_config($1_t)
-+ optional_policy(`
+ optional_policy(`
+- mta_dontaudit_read_spool_symlinks($1_t)
+ mysql_filetrans_named_content($1_usertype)
-+ ')
+ ')
optional_policy(`
-- cups_read_config($1_t)
-- cups_stream_connect($1_t)
-- cups_stream_connect_ptal($1_t)
+- quota_dontaudit_getattr_db($1_t)
+ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
-- kerberos_use($1_t)
+- rpm_read_db($1_t)
+- rpm_dontaudit_manage_db($1_t)
+ quota_dontaudit_getattr_db($1_usertype)
')
+-')
- optional_policy(`
-- mta_dontaudit_read_spool_symlinks($1_t)
+-#######################################
++ optional_policy(`
+ rpm_read_db($1_usertype)
+ rpm_dontaudit_manage_db($1_usertype)
+ rpm_read_cache($1_usertype)
- ')
-
- optional_policy(`
-- quota_dontaudit_getattr_db($1_t)
++ ')
++
++ optional_policy(`
+ oddjob_run_mkhomedir($1_t, $1_r)
+ oddjob_run($1_t, $1_r)
- ')
-
++ ')
++
+ optional_policy(`
+ ipa_run_helper($1_t, $1_r)
+ ')
+
- optional_policy(`
-- rpm_read_db($1_t)
-- rpm_dontaudit_manage_db($1_t)
++ optional_policy(`
+ wine_filetrans_named_content($1_usertype)
- ')
- ')
-
-@@ -868,6 +1150,12 @@ template(`userdom_restricted_user_template',`
++ ')
++')
++
++#######################################
+ ##
+ ## The template for creating a unprivileged login user.
+ ##
+@@ -868,6 +1169,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -52698,7 +53580,7 @@ index 9dc60c6c0..597fe227f 100644
##############################
#
# Local policy
-@@ -907,53 +1195,143 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1214,143 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -52720,9 +53602,7 @@ index 9dc60c6c0..597fe227f 100644
+ dev_dontaudit_read_rand($1_usertype)
+ # temporarily allow since openoffice requires this
+ dev_read_rand($1_usertype)
-
-- logging_send_syslog_msg($1_t)
-- logging_dontaudit_send_audit_msgs($1_t)
++
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+ dev_rw_wireless($1_usertype)
@@ -52743,9 +53623,9 @@ index 9dc60c6c0..597fe227f 100644
+ storage_raw_read_removable_device($1_usertype)
+ storage_raw_write_removable_device($1_usertype)
+ ')
-+
-+ logging_send_syslog_msg($1_t)
-+ logging_dontaudit_send_audit_msgs($1_t)
+
+ logging_send_syslog_msg($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
- logging_send_audit_msgs($1_t)
@@ -52856,7 +53736,7 @@ index 9dc60c6c0..597fe227f 100644
')
#######################################
-@@ -987,27 +1365,36 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1384,36 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -52897,7 +53777,7 @@ index 9dc60c6c0..597fe227f 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1405,64 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1424,64 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -52935,11 +53815,9 @@ index 9dc60c6c0..597fe227f 100644
+
+ optional_policy(`
+ cron_role($1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ games_manage_data_files($1_usertype)
+ ')
+
@@ -52964,15 +53842,17 @@ index 9dc60c6c0..597fe227f 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1471,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1490,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -52983,7 +53863,7 @@ index 9dc60c6c0..597fe227f 100644
')
')
-@@ -1079,7 +1509,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1528,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -52994,7 +53874,7 @@ index 9dc60c6c0..597fe227f 100644
')
##############################
-@@ -1095,6 +1527,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1546,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -53002,7 +53882,7 @@ index 9dc60c6c0..597fe227f 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1538,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1557,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -53019,7 +53899,7 @@ index 9dc60c6c0..597fe227f 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1555,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1574,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -53028,7 +53908,7 @@ index 9dc60c6c0..597fe227f 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1574,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1593,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -53044,7 +53924,7 @@ index 9dc60c6c0..597fe227f 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1593,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1612,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -53089,7 +53969,7 @@ index 9dc60c6c0..597fe227f 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1636,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1655,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -53098,7 +53978,7 @@ index 9dc60c6c0..597fe227f 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1645,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1664,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -53121,7 +54001,7 @@ index 9dc60c6c0..597fe227f 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1695,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1714,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -53130,7 +54010,7 @@ index 9dc60c6c0..597fe227f 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1705,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -53139,7 +54019,7 @@ index 9dc60c6c0..597fe227f 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1719,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1738,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -53151,7 +54031,7 @@ index 9dc60c6c0..597fe227f 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1733,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1752,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -53194,7 +54074,7 @@ index 9dc60c6c0..597fe227f 100644
')
optional_policy(`
-@@ -1357,14 +1818,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1837,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -53213,7 +54093,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -1397,12 +1861,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1880,52 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -53267,7 +54147,7 @@ index 9dc60c6c0..597fe227f 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +2013,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2032,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -53299,7 +54179,7 @@ index 9dc60c6c0..597fe227f 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2079,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2098,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -53314,7 +54194,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -1570,9 +2102,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2121,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -53326,7 +54206,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -1613,6 +2147,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2166,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -53351,7 +54231,7 @@ index 9dc60c6c0..597fe227f 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2183,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2202,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -53411,7 +54291,7 @@ index 9dc60c6c0..597fe227f 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2309,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2328,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -53426,7 +54306,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -1741,10 +2348,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2367,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -53441,7 +54321,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -1769,7 +2378,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2397,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -53450,7 +54330,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -1777,19 +2386,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2405,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -53474,7 +54354,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -1797,55 +2404,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,47 +2423,157 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -53532,30 +54412,21 @@ index 9dc60c6c0..597fe227f 100644
gen_require(`
- type user_home_t;
+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_home_t:file setattr_file_perms;
++ ')
++
+ allow $1 user_tmp_t:file setattr;
- ')
-
- ########################################
- ##
--## Mmap user home files.
++')
++
++########################################
++##
+## Create a user tmp sockets.
- ##
- ##
- ##
-@@ -1853,18 +2460,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_mmap_user_home_content_files',`
-- gen_require(`
-- type user_home_dir_t, user_home_t;
-- ')
--
-- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_create_user_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
@@ -53564,29 +54435,23 @@ index 9dc60c6c0..597fe227f 100644
+ files_search_tmp($1)
+ allow $1 user_tmp_t:dir list_dir_perms;
+ create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
-
- ########################################
- ##
--## Read user home files.
++')
++
++########################################
++##
+## Dontaudit getattr on user tmp sockets.
- ##
- ##
- ##
-@@ -1872,17 +2480,167 @@ interface(`userdom_mmap_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_read_user_home_content_files',`
-- gen_require(`
-- type user_home_dir_t, user_home_t;
-- ')
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
+ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
+ userdom_getattr_user_tmp_files($1)
+')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++
+########################################
+##
+## Dontaudit getattr on user tmp sockets.
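Review bot: The interface name `usedom_dontaudit_user_getattr_tmp_sockets` on the new side is missing the `r` of `userdom_`, so it sits outside the module's prefix and any caller that spells it correctly fails to build; this hunk only reorders the surrounding lines, so the typo is pre-existing in the patch, but it is the natural place to fix it. Its body also forwards to `userdom_getattr_user_tmp_files($1)` while its summary still says "Dontaudit", which reads as an allow quietly replacing a dontaudit — hedged, since the body of the target interface is not visible here. I would spell it `userdom_dontaudit_user_getattr_tmp_sockets` and keep the deprecation wrapper pointing at the replacement, with the summary reworded to say it is deprecated.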
@@ -53657,13 +54522,13 @@ index 9dc60c6c0..597fe227f 100644
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
-+ ')
-+
-+ dontaudit $1 user_home_t:file setattr_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ dontaudit $1 user_home_t:file setattr_file_perms;
+@@ -1845,6 +2581,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+
+ ########################################
+ ##
+## Set the attributes of all user home directories.
+##
+##
@@ -53683,39 +54548,17 @@ index 9dc60c6c0..597fe227f 100644
+
+########################################
+##
-+## Mmap user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_mmap_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ files_search_home($1)
-+')
-+
-+########################################
-+##
-+## Read user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
+ ## Mmap user home files.
+ ##
+ ##
+@@ -1875,14 +2630,36 @@ interface(`userdom_mmap_user_home_content_files',`
+ interface(`userdom_read_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ attribute user_home_type;
-+ ')
-+
+ ')
+
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
@@ -53746,7 +54589,7 @@ index 9dc60c6c0..597fe227f 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1893,11 +2651,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2670,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -53764,7 +54607,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -1938,7 +2699,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2718,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -53773,7 +54616,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -1946,10 +2707,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2726,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -53786,7 +54629,7 @@ index 9dc60c6c0..597fe227f 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2718,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2737,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -53795,7 +54638,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -1966,12 +2726,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2745,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -53864,7 +54707,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -2007,8 +2821,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2840,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -53874,7 +54717,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -2024,20 +2837,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2856,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -53899,7 +54742,7 @@ index 9dc60c6c0..597fe227f 100644
########################################
##
-@@ -2120,7 +2927,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2946,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -53908,7 +54751,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -2128,19 +2935,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2954,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -53932,7 +54775,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -2148,12 +2953,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2972,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -53948,7 +54791,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -2388,18 +3193,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3212,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -54006,7 +54849,7 @@ index 9dc60c6c0..597fe227f 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3255,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3274,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -54015,7 +54858,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -2455,6 +3296,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3315,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -54041,7 +54884,7 @@ index 9dc60c6c0..597fe227f 100644
########################################
##
-@@ -2538,7 +3398,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3417,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -54050,7 +54893,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -2546,19 +3406,60 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3425,19 @@ interface(`userdom_manage_user_tmp_files',`
##
##
#
@@ -54070,6 +54913,54 @@ index 9dc60c6c0..597fe227f 100644
## Create, read, write, and delete user
-## temporary named pipes.
+## temporary symbolic links.
+ ##
+ ##
+ ##
+@@ -2566,19 +3445,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+ ')
+
+ ########################################
+ ##
+ ## Create, read, write, and delete user
+-## temporary named sockets.
++## temporary named pipes.
+ ##
+ ##
+ ##
+@@ -2586,19 +3465,60 @@ interface(`userdom_manage_user_tmp_pipes',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmp_sockets',`
++interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp($1)
+ ')
+
++
+ ########################################
+ ##
+-## Create objects in a user temporary directory
+-## with an automatic type transition to
++## Create, read, write, and delete user
++## temporary named pipes.
+##
+##
+##
@@ -54077,19 +54968,19 @@ index 9dc60c6c0..597fe227f 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_symlinks',`
++interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Create, read, write, and delete user
-+## temporary named pipes.
++## temporary named sockets.
+##
+##
+##
@@ -54097,24 +54988,23 @@ index 9dc60c6c0..597fe227f 100644
+##
+##
+#
-+interface(`userdom_rw_inherited_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
-+
+########################################
+##
-+## Create, read, write, and delete user
-+## temporary named pipes.
++## Create objects in a user temporary directory
++## with an automatic type transition to
+ ## a specified private type.
##
##
- ##
-@@ -2661,6 +3562,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3581,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -54136,7 +55026,7 @@ index 9dc60c6c0..597fe227f 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3588,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3607,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -54158,7 +55048,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -2692,19 +3603,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3622,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -54181,7 +55071,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -2713,13 +3618,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3637,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -54242,7 +55132,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -2814,6 +3762,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3781,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -54267,7 +55157,7 @@ index 9dc60c6c0..597fe227f 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3798,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3817,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -54310,7 +55200,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -2856,14 +3834,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3853,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -54348,7 +55238,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -2882,8 +3879,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3898,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -54378,7 +55268,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -2955,6 +3971,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3990,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -54421,7 +55311,7 @@ index 9dc60c6c0..597fe227f 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4030,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4049,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -54446,7 +55336,7 @@ index 9dc60c6c0..597fe227f 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4048,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4067,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -54458,7 +55348,7 @@ index 9dc60c6c0..597fe227f 100644
## memory segments.
##
##
-@@ -3025,17 +4059,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4078,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -54479,7 +55369,7 @@ index 9dc60c6c0..597fe227f 100644
## memory segments.
##
##
-@@ -3044,12 +4078,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4097,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
##
##
#
@@ -54494,7 +55384,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -3094,7 +4128,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4147,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -54503,7 +55393,7 @@ index 9dc60c6c0..597fe227f 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4144,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4163,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -54537,7 +55427,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -3214,7 +4232,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4251,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -54564,7 +55454,7 @@ index 9dc60c6c0..597fe227f 100644
')
########################################
-@@ -3269,12 +4305,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4324,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -54580,7 +55470,7 @@ index 9dc60c6c0..597fe227f 100644
##
##
##
-@@ -3282,54 +4319,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,49 +4338,125 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -54642,21 +55532,19 @@ index 9dc60c6c0..597fe227f 100644
- allow $1 userdomain:process getattr;
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Inherit the file descriptors from all user domains
++')
++
++########################################
++##
+## Allow domain to read/write inherited users
+## fifo files.
- ##
- ##
- ##
-@@ -3337,7 +4376,81 @@ interface(`userdom_getattr_all_users',`
- ##
- ##
- #
--interface(`userdom_use_all_users_fds',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_rw_inherited_user_pipes',`
+ gen_require(`
+ attribute userdomain;
@@ -54719,23 +55607,10 @@ index 9dc60c6c0..597fe227f 100644
+ ')
+
+ allow $1 userdomain:process getattr;
-+')
-+
-+########################################
-+##
-+## Inherit the file descriptors from all user domains
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_all_users_fds',`
- gen_require(`
- attribute userdomain;
- ')
-@@ -3382,6 +4495,42 @@ interface(`userdom_signal_all_users',`
+ ')
+
+ ########################################
+@@ -3382,6 +4514,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -54778,7 +55653,7 @@ index 9dc60c6c0..597fe227f 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4551,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4570,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -54839,7 +55714,7 @@ index 9dc60c6c0..597fe227f 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4638,1817 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4657,1835 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -55067,6 +55942,24 @@ index 9dc60c6c0..597fe227f 100644
+
+########################################
+##
++## dontaudit manage files /root
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_manage_admin_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file manage_file_perms;
++')
++
++########################################
++##
+## RW unpriviledged user SysV sempaphores.
+##
+##
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b3a8a86..e8ea30d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -18519,7 +18519,7 @@ index ad0bae948..615a947aa 100644
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
-index 1303b3036..f13c53200 100644
+index 1303b3036..f5bd4aee8 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
@@ -18705,6 +18705,15 @@ index 1303b3036..f13c53200 100644
- #
- # Declarations
- #
+-
+- role $1 types { unconfined_cronjob_t crontab_t };
+-
+- ##############################
+- #
+- # Local policy
+- #
+-
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ ##############################
+ #
+ # Declarations
@@ -18712,41 +18721,32 @@ index 1303b3036..f13c53200 100644
+
+ role $1 types unconfined_cronjob_t;
-- role $1 types { unconfined_cronjob_t crontab_t };
+- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+- allow $2 crond_t:process sigchld;
+ ##############################
+ #
+ # Local policy
+ #
-- ##############################
-- #
-- # Local policy
-- #
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-
-- domtrans_pattern($2, crontab_exec_t, crontab_t)
-+ allow $2 crond_t:process sigchld;
-
-- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-- allow $2 crond_t:process sigchld;
-+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-+ # cronjob shows up in user ps
-+ ps_process_pattern($2, unconfined_cronjob_t)
-+ allow $2 unconfined_cronjob_t:process signal_perms;
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
--
++ allow $2 crond_t:process sigchld;
+
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
--
++ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
++ # cronjob shows up in user ps
++ ps_process_pattern($2, unconfined_cronjob_t)
++ allow $2 unconfined_cronjob_t:process signal_perms;
+
- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 unconfined_cronjob_t:process ptrace;
@@ -18871,25 +18871,23 @@ index 1303b3036..f13c53200 100644
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
-- allow $2 user_cron_spool_t:file entrypoint;
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
-- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2 user_cron_spool_t:file entrypoint;
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-- dontaudit $2 user_cron_spool_t:file entrypoint;
+ allow $2 cronjob_t:process { signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
@@ -18897,6 +18895,8 @@ index 1303b3036..f13c53200 100644
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+- dontaudit $2 user_cron_spool_t:file entrypoint;
+-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
@@ -19205,10 +19205,11 @@ index 1303b3036..f13c53200 100644
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write crond TCP sockets.
+## Read and write inherited spool files.
+##
+##
@@ -19223,11 +19224,10 @@ index 1303b3036..f13c53200 100644
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Read and write crond TCP sockets.
++')
++
++########################################
++##
+## Read, and write cron daemon TCP sockets.
##
##
@@ -19455,7 +19455,7 @@ index 1303b3036..f13c53200 100644
##
##
##
-@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -19552,9 +19552,38 @@ index 1303b3036..f13c53200 100644
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
++')
++
++#######################################
++##
++## Create specified objects in generic
++## log directories with the cron log file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`cron_generic_log_filetrans_log_insights',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
')
diff --git a/cron.te b/cron.te
-index 7de385956..61dcff6a5 100644
+index 7de385956..e4c99bdd4 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
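Review bot: `cron_generic_log_filetrans_log_insights` documents three parameters (domain, object class, object name) but its body uses only `$1` and hardcodes `file` and `"redhat-access-insights.log"`, so the second and third parameter blocks describe arguments that do not exist; either drop them from the doc or honour them, `logging_log_filetrans($1, var_log_t, $2, $3)`. The `gen_require` also reaches directly for `var_log_t`, a type owned by the logging module, instead of going through a logging interface as the rest of cron.if does for foreign types; if logging offers no interface for a named transition back to the generic log type, a comment saying so would justify the direct require. Note that a type_transition only picks the label — the calling domain still needs `create`/`write` on `var_log_t` files, which this interface does not grant.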
@@ -20221,7 +20250,7 @@ index 7de385956..61dcff6a5 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -20237,10 +20266,14 @@ index 7de385956..61dcff6a5 100644
+
+optional_policy(`
+ bind_read_config(system_cronjob_t)
++')
++
++optional_policy(`
++ cron_generic_log_filetrans_log_insights(system_cronjob_t)
')
optional_policy(`
-@@ -551,10 +569,6 @@ optional_policy(`
+@@ -551,10 +573,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -20251,7 +20284,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -567,6 +581,10 @@ optional_policy(`
+@@ -567,6 +585,10 @@ optional_policy(`
')
optional_policy(`
@@ -20262,7 +20295,7 @@ index 7de385956..61dcff6a5 100644
ftp_read_log(system_cronjob_t)
')
-@@ -591,6 +609,8 @@ optional_policy(`
+@@ -591,6 +613,8 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -20271,7 +20304,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -598,7 +618,31 @@ optional_policy(`
+@@ -598,7 +622,31 @@ optional_policy(`
')
optional_policy(`
@@ -20303,7 +20336,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -607,7 +651,12 @@ optional_policy(`
+@@ -607,7 +655,12 @@ optional_policy(`
')
optional_policy(`
@@ -20316,7 +20349,7 @@ index 7de385956..61dcff6a5 100644
')
optional_policy(`
-@@ -615,12 +664,27 @@ optional_policy(`
+@@ -615,12 +668,27 @@ optional_policy(`
')
optional_policy(`
@@ -20346,7 +20379,7 @@ index 7de385956..61dcff6a5 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +692,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -20380,7 +20413,7 @@ index 7de385956..61dcff6a5 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +725,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -26116,7 +26149,7 @@ index 41c3f6770..653a1ecbb 100644
##
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
-index aa0ef6e94..02bdb681d 100644
+index aa0ef6e94..3c52d892c 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t)
@@ -26127,7 +26160,7 @@ index aa0ef6e94..02bdb681d 100644
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
-+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
++ rhsmcertd_rw_lock_files(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808d8..84735a8cb 100644
@@ -36837,7 +36870,7 @@ index 180f1b7cc..3c8757e47 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 0e97e82f1..2569781e9 100644
+index 0e97e82f1..4bcee621d 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@@ -37194,7 +37227,7 @@ index 0e97e82f1..2569781e9 100644
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +322,87 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +322,88 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@@ -37246,6 +37279,7 @@ index 0e97e82f1..2569781e9 100644
-')
+userdom_home_reader(gpg_pinentry_t)
+userdom_stream_connect(gpg_pinentry_t)
++userdom_map_tmp_files(gpg_pinentry_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
@@ -43283,10 +43317,10 @@ index 000000000..bd7e7fa17
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 000000000..202ac2b59
+index 000000000..923edd01e
--- /dev/null
+++ b/keepalived.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,100 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@@ -43312,7 +43346,7 @@ index 000000000..202ac2b59
+# keepalived local policy
+#
+
-+allow keepalived_t self:capability { net_admin net_raw kill };
++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace };
+allow keepalived_t self:process { signal_perms };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
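Review bot: `sys_ptrace` is added to the `allow keepalived_t self:capability { ... }` line unconditionally, whereas elsewhere in this same patch ptrace-related access is placed under the `deny_ptrace` tunable (see the rhsmcertd admin interface hunk near the end). Combined with `dac_read_search` here and `domain_getattr_all_domains(keepalived_t)` in the next hunk, this broadens what a network-facing daemon can inspect on the host; if the requirement is only reading other domains' /proc state, `tunable_policy(`deny_ptrace',`',` allow keepalived_t self:capability sys_ptrace; `)` keeps the default posture, and a one-line comment naming the keepalived feature that needs it would help later review. keepalived.te is a new file whose remainder lies outside this hunk.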
@@ -43343,6 +43377,7 @@ index 000000000..202ac2b59
+corenet_tcp_connect_squid_port(keepalived_t)
+
+domain_read_all_domains_state(keepalived_t)
++domain_getattr_all_domains(keepalived_t)
+
+dev_read_urand(keepalived_t)
+
@@ -49535,7 +49570,7 @@ index 8ae78b5bf..b365cddec 100644
+
+/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
diff --git a/mandb.if b/mandb.if
-index 327f3f726..4f6156138 100644
+index 327f3f726..36d4af101 100644
--- a/mandb.if
+++ b/mandb.if
@@ -1,14 +1,14 @@
@@ -49611,60 +49646,78 @@ index 327f3f726..4f6156138 100644
########################################
##
-## Search mandb cache directories.
-+## Relabel mandb cache files/directories
++## Mmap mandb cache files.
##
##
##
-@@ -56,13 +68,18 @@ interface(`mandb_run',`
+@@ -56,13 +68,17 @@ interface(`mandb_run',`
##
##
#
-interface(`mandb_search_cache',`
- refpolicywarn(`$0($*) has been deprecated')
-+interface(`mandb_relabel_cache',`
++interface(`mandb_map_cache_files',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
-+ allow $1 mandb_cache_t:dir relabel_dir_perms;
-+ allow $1 mandb_cache_t:file relabel_file_perms;
++ allow $1, mandb_cache_t:file map;
')
########################################
##
-## Delete mandb cache content.
-+## Set attributes on mandb cache files.
++## Relabel mandb cache files/directories
##
##
##
-@@ -70,13 +87,18 @@ interface(`mandb_search_cache',`
+@@ -70,13 +86,18 @@ interface(`mandb_search_cache',`
##
##
#
-interface(`mandb_delete_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
-+interface(`mandb_setattr_cache_dirs',`
++interface(`mandb_relabel_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
-+ files_search_var($1)
-+ allow $1 mandb_cache_t:dir setattr;
++ allow $1 mandb_cache_t:dir relabel_dir_perms;
++ allow $1 mandb_cache_t:file relabel_file_perms;
')
########################################
##
-## Read mandb cache content.
-+## Delete mandb cache files.
++## Set attributes on mandb cache files.
##
##
##
-@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',`
+@@ -84,8 +105,35 @@ interface(`mandb_delete_cache_content',`
##
##
#
-interface(`mandb_read_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
++interface(`mandb_setattr_cache_dirs',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ allow $1 mandb_cache_t:dir setattr;
++')
++
++########################################
++##
++## Delete mandb cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`mandb_delete_cache',`
+ gen_require(`
+ type mandb_cache_t;
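Review bot: The body of the new `mandb_map_cache_files` interface, `allow $1, mandb_cache_t:file map;`, has a stray comma between source and target; the policy language takes `allow SOURCE TARGET:CLASS PERMS;` with no separator, so any module that calls this interface will fail to build. It should read `allow $1 mandb_cache_t:file map;`, matching the `allow $1 mandb_cache_t:dir relabel_dir_perms;` form used by the neighbouring interfaces in this hunk. The remaining changes in the hunk appear to be a reordering of the existing interfaces plus renumbered inner hunk headers.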
@@ -49678,7 +49731,7 @@ index 327f3f726..4f6156138 100644
')
########################################
-@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',`
+@@ -99,37 +147,82 @@ interface(`mandb_read_cache_content',`
##
##
#
@@ -49691,34 +49744,13 @@ index 327f3f726..4f6156138 100644
+
+ files_search_var($1)
+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+########################################
-+##
-+## Manage mandb cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_manage_cache_dirs',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
')
########################################
##
-## All of the rules required to
-## administrate an mandb environment.
-+## Create configuration files in user
-+## home directories with a named file
-+## type transition.
++## Manage mandb cache dirs.
##
##
##
@@ -49727,6 +49759,27 @@ index 327f3f726..4f6156138 100644
##
-##
+#
++interface(`mandb_manage_cache_dirs',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++##
++## Create configuration files in user
++## home directories with a named file
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`mandb_filetrans_named_home_content',`
+ gen_require(`
+ type mandb_home_t;
@@ -49761,12 +49814,12 @@ index 327f3f726..4f6156138 100644
- mandb_run($1, $2)
+ files_search_var($1)
+ admin_pattern($1, mandb_cache_t)
-+
-+ files_search_locks($1)
-+ admin_pattern($1, mandb_lock_t)
- # pending
- # miscfiles_manage_man_cache_content(mandb_t)
++ files_search_locks($1)
++ admin_pattern($1, mandb_lock_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -60730,9 +60783,15 @@ index 86dc29dfa..cb39739a5 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f20095e..4419e3531 100644
+index 55f20095e..3ed3ed0b3 100644
--- a/networkmanager.te
+++ b/networkmanager.te
+@@ -1,4 +1,4 @@
+-policy_module(networkmanager, 1.15.2)
++policy_module(networkmanager, 1.15.3)
+
+ ########################################
+ #
@@ -9,15 +9,18 @@ type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -60950,10 +61009,10 @@ index 55f20095e..4419e3531 100644
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+systemd_machined_read_pid_files(NetworkManager_t)
-+
-+term_use_unallocated_ttys(NetworkManager_t)
-userdom_write_user_tmp_sockets(NetworkManager_t)
++term_use_unallocated_ttys(NetworkManager_t)
++
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
@@ -61019,16 +61078,16 @@ index 55f20095e..4419e3531 100644
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
+ dnsmasq_systemctl(NetworkManager_t)
++')
++
++optional_policy(`
++ dnssec_trigger_domtrans(NetworkManager_t)
++ dnssec_trigger_signull(NetworkManager_t)
++ dnssec_trigger_sigkill(NetworkManager_t)
')
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+ dnssec_trigger_domtrans(NetworkManager_t)
-+ dnssec_trigger_signull(NetworkManager_t)
-+ dnssec_trigger_sigkill(NetworkManager_t)
-+')
-+
-+optional_policy(`
+ fcoe_dgram_send_fcoemon(NetworkManager_t)
')
@@ -61157,7 +61216,7 @@ index 55f20095e..4419e3531 100644
')
optional_policy(`
-@@ -338,12 +431,19 @@ optional_policy(`
+@@ -338,12 +431,23 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t)
')
@@ -61168,6 +61227,10 @@ index 55f20095e..4419e3531 100644
+ openfortivpn_signull(NetworkManager_t)
+')
+
++optional_policy(`
++ openvswitch_stream_connect(NetworkManager_t)
++')
++
########################################
#
# wpa_cli local policy
@@ -61178,7 +61241,7 @@ index 55f20095e..4419e3531 100644
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
-@@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -87845,7 +87908,7 @@ index 16c8ecbe3..4e021eca7 100644
+ ')
')
diff --git a/redis.te b/redis.te
-index 25cd4175f..61de8277a 100644
+index 25cd4175f..84c02e325 100644
--- a/redis.te
+++ b/redis.te
@@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t)
@@ -87877,7 +87940,7 @@ index 25cd4175f..61de8277a 100644
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
-@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+@@ -42,24 +50,27 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
@@ -87895,7 +87958,12 @@ index 25cd4175f..61de8277a 100644
corenet_sendrecv_redis_server_packets(redis_t)
corenet_tcp_bind_redis_port(redis_t)
-@@ -60,6 +71,4 @@ dev_read_urand(redis_t)
+ corenet_tcp_sendrecv_redis_port(redis_t)
+
++corecmd_exec_shell(redis_t)
++
+ dev_read_sysfs(redis_t)
+ dev_read_urand(redis_t)
logging_send_syslog_msg(redis_t)
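Review bot: `corecmd_exec_shell(redis_t)` is granted unconditionally, which lets the network-facing redis_t domain run a system shell within its own domain; a confined daemon that can spawn a shell without a domain transition keeps far less of the benefit of confinement if the service is compromised. If shell scripts are needed only for a specific deployment feature, consider gating the rule in a `tunable_policy(`<boolean-name placeholder>`,` ... `)` block that defaults to off, or, if the scripts live in a known location, a domain transition to a dedicated script domain, and add a comment naming the feature that requires it. The rest of redis_t's local policy runs beyond this hunk.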
@@ -90773,7 +90841,7 @@ index 8c0280418..896c8c67f 100644
/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905b3..4b17c933e 100644
+index 6dbc905b3..42e4306c8 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
@@ -90869,23 +90937,21 @@ index 6dbc905b3..4b17c933e 100644
##
##
##
-@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
+@@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',`
allow $1 rhsmcertd_var_run_t:file read_file_perms;
')
-####################################
+########################################
- ##
--## Connect to rhsmcertd with a
--## unix domain stream socket.
++##
+## Read rhsmcertd PID files.
- ##
- ##
- ##
-@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',`
- ##
- ##
- #
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`rhsmcertd_manage_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
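Review bot: The doc block being reassembled here for `rhsmcertd_manage_pid_files` keeps the summary `## Read rhsmcertd PID files.` (a context line sitting between the newly added `##` lines), which describes a read-only interface rather than the manage interface it now heads; suggest `## Manage rhsmcertd PID files.`. The interface body continues past the end of this hunk.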
@@ -90914,6 +90980,27 @@ index 6dbc905b3..4b17c933e 100644
+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
+')
+
++########################################
+ ##
+-## Connect to rhsmcertd with a
+-## unix domain stream socket.
++## Read/wirte lock files.
+ ##
+ ##
+ ##
+@@ -207,6 +240,26 @@ interface(`rhsmcertd_read_pid_files',`
+ ##
+ ##
+ #
++interface(`rhsmcertd_rw_lock_files',`
++ gen_require(`
++ type rhsmcertd_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 rhsmcertd_lock_t:file rw_file_perms;
++')
++
+####################################
+##
+## Connect to rhsmcertd over a unix domain
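Review bot: The summary of the new `rhsmcertd_rw_lock_files` interface misspells "write": `## Read/wirte lock files.` should be `## Read/write rhsmcertd lock files.`. Its body grants `rw_file_perms` on rhsmcertd_lock_t, while the only caller visible in this patch (dmidecode.te, earlier) is described in the changelog as needing read access only, so a narrower `read_file_perms` variant may fit that caller better.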
@@ -90928,7 +91015,7 @@ index 6dbc905b3..4b17c933e 100644
interface(`rhsmcertd_stream_connect',`
gen_require(`
type rhsmcertd_t, rhsmcertd_var_run_t;
-@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',`
+@@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',`
######################################
##
@@ -90972,7 +91059,7 @@ index 6dbc905b3..4b17c933e 100644
##
##
##
-@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
+@@ -270,35 +322,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
##
##
##
@@ -91004,24 +91091,24 @@ index 6dbc905b3..4b17c933e 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rhsmcertd_t:process ptrace;
+ ')
-+
+
+- logging_search_logs($1)
+- admin_pattern($1, rhsmcertd_log_t)
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
-- logging_search_logs($1)
-- admin_pattern($1, rhsmcertd_log_t)
-+ logging_search_logs($1)
-+ admin_pattern($1, rhsmcertd_log_t)
-
- files_search_var_lib($1)
- admin_pattern($1, rhsmcertd_var_lib_t)
-+ files_search_var_lib($1)
-+ admin_pattern($1, rhsmcertd_var_lib_t)
++ logging_search_logs($1)
++ admin_pattern($1, rhsmcertd_log_t)
- files_search_pids($1)
- admin_pattern($1, rhsmcertd_var_run_t)
++ files_search_var_lib($1)
++ admin_pattern($1, rhsmcertd_var_lib_t)
++
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
@@ -120344,10 +120431,10 @@ index 4815a93f4..24dcf5174 100644
+ rhcs_rw_cluster_tmpfs(wdmd_t)
')
diff --git a/webadm.te b/webadm.te
-index 2a6cae773..6d0a2a1c5 100644
+index 2a6cae773..d2752d9bb 100644
--- a/webadm.te
+++ b/webadm.te
-@@ -25,6 +25,9 @@ role webadm_r;
+@@ -25,12 +25,21 @@ role webadm_r;
userdom_base_user_template(webadm)
@@ -120357,26 +120444,43 @@ index 2a6cae773..6d0a2a1c5 100644
########################################
#
# Local policy
-@@ -32,6 +35,12 @@ userdom_base_user_template(webadm)
-
- allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ #
+-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource };
++
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
+can_exec(webadm_t, webadm_tmp_t)
-+
+
files_dontaudit_search_all_dirs(webadm_t)
files_list_var(webadm_t)
+@@ -38,12 +47,26 @@ files_list_var(webadm_t)
+ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
-@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t)
++init_rw_pipes(webadm_t)
++init_status(webadm_t)
++
+ logging_send_audit_msgs(webadm_t)
+ logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
++userdom_dontaudit_manage_admin_files(webadm_t)
++
++optional_policy(`
++ apache_admin(webadm_t, webadm_r)
++')
++
++optional_policy(`
++ dbus_system_bus_client(webadm_t)
++')
-apache_admin(webadm_t, webadm_r)
+optional_policy(`
-+ apache_admin(webadm_t, webadm_r)
++ policykit_dbus_chat(webadm_t)
+')
tunable_policy(`webadm_manage_user_files',`
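Review bot: `sys_resource` is added to the `allow webadm_t self:capability { ... }` line without a comment saying which web-admin operation needs it; unlike the surrounding interface calls, a raw capability grant carries no self-description, so a short comment above the line such as `# sys_resource: <operation that needs it — fill in>` would help future review. The `init_rw_pipes`/`init_status` additions and the new `optional_policy` blocks for dbus and policykit read clearly as written. The rest of webadm_t's local policy continues beyond this hunk.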
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 56ba655..8636194 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 281%{?dist}
+Release: 282%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,20 @@ exit 0
%endif
%changelog
+* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282
+- Add new bunch of map rules
+- Merge pull request #25 from NetworkManager/nm-ovs
+- Make working webadm_t userdomain
+- Allow redis domain to execute shell scripts.
+- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
+- Add couple capabilities to keepalived domain and allow get attributes of all domains
+- Allow dmidecode read rhsmcertd lock files
+- Add new interface rhsmcertd_rw_lock_files()
+- Add new bunch of map rules
+- Merge pull request #199 from mscherer/add_conntrackd
+- Add support labeling for vmci and vsock device
+- Add userdom_dontaudit_manage_admin_files() interface
+
* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281
- Allow domains reading raw memory also use mmap.