diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 75fe480..f47fe12 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,4 +1,4 @@
 c21486a81ff7085007e30fb56ae8612607c5cc69 SOURCES/serefpolicy-contrib-3.12.1.tgz
-036245dbc144b57e1805e15e07a737fcd0119390 SOURCES/permissivedomains.pp
-e5d300354838008da0d531041df7aa168e6d3e93 SOURCES/config.tgz
+4fd46bd7d17737f2e7c0b287a11d6362d918da8f SOURCES/permissivedomains.pp
+5054dc0ae7f7378c4f6670e89544246558e20dc4 SOURCES/config.tgz
 7c268e6658b024719ad248965c27398304ac9e79 SOURCES/serefpolicy-3.12.1.tgz
diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist
index 500ef4d..5550852 100644
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@@ -5,10 +5,12 @@
 /lib /usr/lib
 /lib64 /usr/lib
 /usr/lib64 /usr/lib
-/usr/local /usr
 /usr/local/lib64 /usr/lib
 /usr/local/lib32 /usr/lib
+/etc/init.d /etc/rc.d/init.d
 /etc/systemd/system /usr/lib/systemd/system
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
+/var/home   /home
+/var/roothome /root
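Review bot: The new `/var/home   /home` line separates its two fields with three spaces while every other entry in this file, including the `/var/roothome /root` line right below it, uses a single space; `/var/home /home` keeps the file uniform and avoids a reader wondering whether the extra whitespace is significant to the parser.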
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 67cdd0f..62763f2 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -216,6 +216,13 @@ brctl = module
 bugzilla = module
 
 # Layer: services
+# Module: bumblebee
+#
+# Support NVIDIA Optimus technology under Linux
+#
+bumblebee = module
+
+# Layer: services
 # Module: cachefilesd
 #
 # CacheFiles userspace management daemon
@@ -658,6 +665,13 @@ firstboot = module
 fprintd = module
 
 # Layer: services
+# Module: freqset
+#
+# Utility for CPU frequency scaling
+#
+freqset = module
+
+# Layer: services
 # Module: ftp
 #
 # File transfer protocol service
@@ -874,6 +888,13 @@ kdump = module
 # 
 kerberos = module
 
+# Layer: services
+# Module: keepalived
+#
+# keepalived - load-balancing and high-availability service
+#
+keepalived = module
+
 # Module: keyboardd
 #
 # system-setup-keyboard is a keyboard layout daemon that monitors 
@@ -1043,6 +1064,13 @@ memcached = module
 milter = module
 
 # Layer: services
+# Module: mip6d
+#
+# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation
+#
+mip6d = module
+
+# Layer: services
 # Module: mock
 #
 # Policy for mock rpm builder
@@ -1265,6 +1293,13 @@ openshift-origin = module
 openshift = module
 
 # Layer: services
+# Module: opensm
+#
+# InfiniBand subnet manager and administration (SM/SA)
+#
+opensm = module
+
+# Layer: services
 # Module: openvpn
 #
 # Policy for OPENVPN full-featured SSL VPN solution
@@ -1278,6 +1313,13 @@ openvpn = module
 #
 openvswitch = module
 
+# Layer: services
+# Module: osad
+#
+# Client-side service written in Python that responds to pings
+#
+osad = module
+
 # Layer: contrib
 # Module: prelude
 #
@@ -1535,6 +1577,13 @@ radvd = module
 raid = module
 
 # Layer: services
+# Module: rasdaemon
+#
+# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
+#
+rasdaemon = module
+
+# Layer: services
 # Module: rdisc
 #
 # Network router discovery daemon
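Review bot: The rasdaemon description has a typo: `# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing` should read `which monitors`. The sentence is also far longer than any other description in this file; `# Daemon that monitors RAS trace events from /sys/kernel/debug/tracing` says the same thing in the file's usual one-line register.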
@@ -2330,3 +2379,102 @@ motion = module
 # rtas policy
 #
 rtas = module
+
+# Layer: contrib
+# Module: ninfod
+#
+# Respond to IPv6 Node Information Queries
+#
+ninfod = module
+
+# Layer: contrib
+# Module: openwsman
+#
+# WS-Management Server
+#
+openwsman = module
+
+# Layer: contrib
+# Module: freeipmi
+# 
+# Remote-Console (out-of-band) and System Management Software (in-band) 
+# based on IntelligentPlatform Management Interface specification
+#
+freeipmi = module
+
+# Layer: contrib
+# Module: conman
+#
+# Conman is a program for connecting to remote consoles being managed by conmand
+#
+conman = module
+
+# Layer: contrib
+# Module: docker
+#
+# Docker
+#
+docker = module
+
+# Layer: contrib
+# Module: freeipmi
+# 
+# ipa policy module contain SELinux policies for IPA services
+#
+ipa = module
+
+# Layer: contrib
+# Module: snapper 
+# 
+# snapper policy
+#
+snapper = module
+
+# Layer: services
+# Module: vmtools
+#
+# VMware Tools daemon
+#
+vmtools = module
+
+# Layer: services
+# Module: speech-dispatcher
+#
+# speech-dispatcher - server process managing speech requests in Speech Dispatcher
+#
+speech-dispatcher = module
+
+# Layer: contrib
+# Module: rkhunter
+#
+# rkhunter policy for /var/lib/rkhunter
+#
+rkhunter = module
+
+# Layer: contrib
+# Module: pcp
+# 
+# pcp policy
+#
+pcp = module
+
+# Layer: contrib
+# Module: bacula
+#
+# bacula policy
+#
+bacula = module
+
+# Layer: contrib
+# Module: rhnsd
+#
+# rhnsd policy
+#
+rhnsd = module
+
+# Layer: contrib
+# Module: gear
+#
+# gear policy
+#
+gear = module
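Review bot: The header above `ipa = module` is mislabelled: it repeats `# Module: freeipmi` from the entry just above it, so the comment block and the module name disagree; it should read `# Module: ipa`. The same block, and the `snapper` and `pcp` blocks, carry trailing whitespace on `# Module: snapper ` and on bare `# ` separator lines, which every other entry in this file writes as `#`. Descriptions such as `# snapper policy`, `# pcp policy`, `# bacula policy`, `# rhnsd policy` and `# gear policy` say nothing beyond the module name; a one-line purpose, as the `conman` and `ninfod` entries give, would make this list self-describing for whoever audits which modules are loaded.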
diff --git a/SOURCES/policy-f20-base.patch b/SOURCES/policy-f20-base.patch
index 0722c5a..3c28671 100644
--- a/SOURCES/policy-f20-base.patch
+++ b/SOURCES/policy-f20-base.patch
@@ -71,6 +71,24 @@ index 881a292..80110a4 100644
  system_r:xdm_t:s0		staff_r:staff_t:s0
  staff_r:staff_su_t:s0		staff_r:staff_t:s0
  staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts
+new file mode 100644
+index 0000000..b8fda95
+--- /dev/null
++++ b/config/appconfig-mcs/sysadm_u_default_contexts
+@@ -0,0 +1,12 @@
++system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
++system_r:crond_t:s0		sysadm_r:sysadm_t:s0
++system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
++system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
++sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
++
 diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
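Review bot: The new `sysadm_u_default_contexts` lists `sysadm_r:sysadm_su_t:s0` and `sysadm_r:sysadm_sudo_t:s0` twice, once after the `system_r:xdm_t:s0` line and again after `sysadm_r:sysadm_t:s0`; the second pair can only repeat the mapping the first already makes and should be dropped so the file states each source context once. The repeated `sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 ` line also carries trailing whitespace, and the file ends with an extra empty line that the existing `*_default_contexts` files in this patch do not have. The identical file is added under `config/appconfig-standard` in the next hunk and needs the same cleanup.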
@@ -144,6 +162,24 @@ index c2a5ea8..f63999e 100644
  system_r:xdm_t			staff_r:staff_t
  staff_r:staff_su_t		staff_r:staff_t
  staff_r:staff_sudo_t		staff_r:staff_t
+diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts
+new file mode 100644
+index 0000000..b8fda95
+--- /dev/null
++++ b/config/appconfig-standard/sysadm_u_default_contexts
+@@ -0,0 +1,12 @@
++system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
++system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
++system_r:crond_t:s0		sysadm_r:sysadm_t:s0
++system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
++system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
++sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
++sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
++
 diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
 new file mode 100644
 index 0000000..ff32acc
@@ -2693,7 +2729,7 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..3053e39 100644
+index d555767..049a211 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2901,6 +2937,15 @@ index d555767..3053e39 100644
  ')
  
  optional_policy(`
+@@ -270,7 +297,7 @@ optional_policy(`
+ # Passwd local policy
+ #
+ 
+-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
+ dontaudit passwd_t self:capability sys_tty_config;
+ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow passwd_t self:process { setrlimit setfscreate };
 @@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
  allow passwd_t self:sem create_sem_perms;
  allow passwd_t self:msgq create_msgq_perms;
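Review bot: `ipc_lock` is added to the passwd_t self capability set without a comment saying what needs it, and a change that widens the capabilities of a setuid-backed domain deserves a one-line why next to the rule. Something like `# ipc_lock: needed for mlock() of buffers holding cleartext credentials -- confirm against the denial that motivated this` records the reason while marking it as unverified. The passwd local policy block continues outside this hunk.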
@@ -2975,7 +3020,7 @@ index d555767..3053e39 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2985,6 +3030,7 @@ index d555767..3053e39 100644
 -	nscd_run(passwd_t, passwd_roles)
 +	gnome_exec_keyringd(passwd_t)
 +	gnome_manage_cache_home_dir(passwd_t)
++	gnome_manage_generic_cache_sockets(passwd_t)
 +	gnome_stream_connect_gkeyringd(passwd_t)
 +')
 +
@@ -2994,7 +3040,7 @@ index d555767..3053e39 100644
  ')
  
  ########################################
-@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +447,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -3007,7 +3053,7 @@ index d555767..3053e39 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -3015,7 +3061,7 @@ index d555767..3053e39 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(sysadm_passwd_t)
  
@@ -3037,7 +3083,7 @@ index d555767..3053e39 100644
  ')
  
  ########################################
-@@ -443,7 +489,8 @@ optional_policy(`
+@@ -443,7 +490,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -3047,7 +3093,7 @@ index d555767..3053e39 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -458,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
  
@@ -3058,7 +3104,7 @@ index d555767..3053e39 100644
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
-@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +517,37 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -3074,6 +3120,7 @@ index d555767..3053e39 100644
  files_relabel_etc_files(useradd_t)
  files_read_etc_runtime_files(useradd_t)
 +files_manage_etc_files(useradd_t)
++files_create_var_lib_dirs(useradd_t)
 +files_rw_var_lib_dirs(useradd_t)
  
  fs_search_auto_mountpoints(useradd_t)
@@ -3107,7 +3154,7 @@ index d555767..3053e39 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +558,36 @@ init_rw_utmp(useradd_t)
  logging_send_audit_msgs(useradd_t)
  logging_send_syslog_msg(useradd_t)
  
@@ -3158,7 +3205,7 @@ index d555767..3053e39 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +596,12 @@ optional_policy(`
+@@ -542,7 +598,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3172,7 +3219,7 @@ index d555767..3053e39 100644
  ')
  
  optional_policy(`
-@@ -550,6 +609,11 @@ optional_policy(`
+@@ -550,6 +611,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3184,7 +3231,7 @@ index d555767..3053e39 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -559,3 +623,12 @@ optional_policy(`
+@@ -559,3 +625,12 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -3365,7 +3412,7 @@ index 7590165..fb30c11 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..6e7dd83 100644
+index 644d4d7..ad789c2 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3677,7 +3724,7 @@ index 644d4d7..6e7dd83 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +458,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +458,16 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3687,6 +3734,7 @@ index 644d4d7..6e7dd83 100644
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/var/lib/dirsrv/scripts-INSTANCE    --  gen_context(system_u:object_r:bin_t,s0)
 +/var/lib/iscan/interpreter		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
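Review bot: The new `/var/lib/dirsrv/scripts-INSTANCE` entry uses the `--` qualifier, which labels only a regular file at exactly that path; if `scripts-INSTANCE` is a directory of template scripts, as the name suggests, this line matches nothing and its contents fall back to whichever broader `/var/lib` pattern applies. If a directory is meant, `/var/lib/dirsrv/scripts-INSTANCE(/.*)?	gen_context(system_u:object_r:bin_t,s0)` is the form the neighbouring `/var/lib/asterisk/agi-bin(/.*)?` line uses. The entry also separates its fields with spaces where the rest of the file aligns with tabs.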
@@ -3694,7 +3742,7 @@ index 644d4d7..6e7dd83 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +476,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +477,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -5549,7 +5597,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..06129ea 100644
+index 4edc40d..72e1a41 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5623,7 +5671,7 @@ index 4edc40d..06129ea 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,54 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
  network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5636,7 +5684,9 @@ index 4edc40d..06129ea 100644
  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
  network_port(audit, tcp,60,s0)
  network_port(auth, tcp,113,s0)
-@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
++network_port(bacula, tcp,9103,s0, udp,9103,s0)
+ network_port(boinc, tcp,31416,s0)
  network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
  network_port(biff) # no defined portcon
  network_port(certmaster, tcp,51235,s0)
@@ -5652,14 +5702,21 @@ index 4edc40d..06129ea 100644
  network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
  network_port(comsat, udp,512,s0)
  network_port(condor, tcp,9618,s0, udp,9618,s0)
- network_port(couchdb, tcp,5984,s0, udp,5984,s0)
+-network_port(couchdb, tcp,5984,s0, udp,5984,s0)
 -network_port(cslistener, tcp,9000,s0, udp,9000,s0)
 -network_port(ctdb, tcp,4379,s0, udp,4397,s0)
++network_port(conman, tcp,7890,s0, udp,7890,s0)
++network_port(connlcli, tcp,1358,s0, udp,1358,s0)
++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
 +network_port(ctdb, tcp,4379,s0, udp,4379,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+ network_port(dbskkd, tcp,1178,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dccm, tcp,5679,s0, udp,5679,s0)
++network_port(dey_sapi, tcp,4330,s0)
+ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -5676,9 +5733,12 @@ index 4edc40d..06129ea 100644
 -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
 +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
++network_port(freeipmi, tcp,9225,s0, udp,9225,s0)
 +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
++network_port(gear, tcp,43273,s0, udp,43273,s0)
++network_port(gdomap, tcp,538,s0, udp,538,s0)
  network_port(gds_db, tcp,3050,s0, udp,3050,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(git, tcp,9418,s0, udp,9418,s0)
@@ -5688,7 +5748,7 @@ index 4edc40d..06129ea 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5744,7 +5804,7 @@ index 4edc40d..06129ea 100644
  network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
 -network_port(milter) # no defined portcon
-+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon
++network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
  network_port(monopd, tcp,1234,s0)
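Review bot: The milter line now defines three portcons but still ends with `# no defined portcon`, which was true only of the original bare `network_port(milter)`; the stale comment should go, leaving `network_port(milter, tcp,8890,s0, tcp,8891,s0, tcp,8893,s0)`. Dropping it also normalises the `tcp, 8890,s0` spacing, which no other entry in this hunk uses.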
@@ -5755,7 +5815,7 @@ index 4edc40d..06129ea 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5774,8 +5834,10 @@ index 4edc40d..06129ea 100644
  network_port(oa_system, tcp,8022,s0, udp,8022,s0)
 -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
++network_port(openflow, tcp,6633,s0, tcp,6653,s0)
  network_port(openhpid, tcp,4743,s0, udp,4743,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(openvswitch, tcp,6634,s0)
 +network_port(osapi_compute, tcp, 8774, s0)
  network_port(pdps, tcp,1314,s0, udp,1314,s0)
  network_port(pegasus_http, tcp,5988,s0)
@@ -5794,7 +5856,7 @@ index 4edc40d..06129ea 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,51 +268,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5847,7 +5909,12 @@ index 4edc40d..06129ea 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+ network_port(svrloc, tcp,427,s0, udp,427,s0)
+ network_port(swat, tcp,901,s0)
+ network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
+-network_port(syslogd, udp,514,s0)
++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
+ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5858,7 +5925,7 @@ index 4edc40d..06129ea 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +330,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5871,7 +5938,7 @@ index 4edc40d..06129ea 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +338,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +347,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5898,7 +5965,7 @@ index 4edc40d..06129ea 100644
  
  ########################################
  #
-@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +396,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5907,7 +5974,7 @@ index 4edc40d..06129ea 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +410,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -5963,7 +6030,7 @@ index 3f6e168..51ad69a 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..e4d61f5 100644
+index b31c054..0ad8553 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -6005,17 +6072,19 @@ index b31c054..e4d61f5 100644
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
  /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +123,9 @@
+@@ -118,6 +123,11 @@
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  ')
 +/dev/vchiq		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 +/dev/vc-mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/vfio/vfio		-c	gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/vfio/(vfio)?[0-9]*	-c	gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/sclp[0-9]*	    -c	gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/vmcp[0-9]*     -c  gen_context(system_u:object_r:vfio_device_t,s0)
  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
  /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
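Review bot: `/dev/sclp[0-9]*` and `/dev/vmcp[0-9]*` are labelled `vfio_device_t`, so every domain that is granted vfio device access through the devices.if interfaces automatically gets the s390 `sclp` and `vmcp` nodes as well; if that coupling is not intended, a dedicated type keeps the two sets of grants separate. At minimum a comment such as `# s390 sclp/vmcp nodes deliberately share vfio_device_t` would record the decision for the next reviewer. The two new lines also mix spaces and tabs where the surrounding entries align with tabs only.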
-@@ -129,12 +137,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +139,14 @@ ifdef(`distro_suse', `
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6030,7 +6099,16 @@ index b31c054..e4d61f5 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -198,12 +208,22 @@ ifdef(`distro_debian',`
+@@ -172,6 +184,8 @@ ifdef(`distro_suse', `
+ /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ 
++/dev/uhid           -c  gen_context(system_u:object_r:uhid_device_t,s0)
++
+ /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -198,12 +212,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -6042,6 +6120,11 @@ index b31c054..e4d61f5 100644
  /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
++/var/named/chroot_sdb/dev	-d	gen_context(system_u:object_r:device_t,s0)
++/var/named/chroot_sdb/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
++/var/named/chroot_sdb/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
++/var/named/chroot_sdb/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
++/
 +/var/spool/postfix/dev    -d    gen_context(system_u:object_r:device_t,s0)
  ')
 +
@@ -6056,7 +6139,7 @@ index b31c054..e4d61f5 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
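Review bot: The line `+/` at the end of the `chroot_sdb` additions puts a bare `/` into devices.fc with no qualifier and no context; a file_contexts entry needs at least a path regex and a context, so this line is malformed and should be removed before the patch is applied. The `chroot_sdb` entries themselves mirror the `/var/named/chroot/dev` block above them, and a short comment naming what `chroot_sdb` is (a second named chroot, presumably) would help the next reader, since nothing in this hunk explains the suffix.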
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..b708d28 100644
+index 76f285e..fb27ae5 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6473,122 +6556,85 @@ index 76f285e..b708d28 100644
  #######################################
  ## <summary>
  ##	Set the attributes of the dlm control devices.
-@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',`
- 
- ########################################
- ## <summary>
--##	Get the attributes of the lvm comtrol device.
-+##	Get the attributes of the loop comtrol device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_getattr_lvm_control',`
-+interface(`dev_getattr_loop_control',`
- 	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
- 	')
- 
--	getattr_chr_files_pattern($1, device_t, lvm_control_t)
-+	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read the lvm comtrol device.
-+##	Read the loop comtrol device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_read_lvm_control',`
-+interface(`dev_read_loop_control',`
- 	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
- 	')
- 
--	read_chr_files_pattern($1, device_t, lvm_control_t)
-+	read_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
+@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',`
  
  ########################################
  ## <summary>
--##	Read and write the lvm control device.
-+##	Read and write the loop control device.
++##	Read and write the dri devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_inherited_dri',`
++	gen_require(`
++		type device_t, dri_device_t;
++	')
++
++    allow $1 device_t:dir search_dir_perms;
++    allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Dontaudit read and write on the dri devices.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_lvm_control',`
-+interface(`dev_rw_loop_control',`
- 	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, lvm_control_t)
-+	rw_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
+@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to read and write lvm control device.
-+##	Do not audit attempts to read and write loop control device.
+-##	Get the attributes of the framebuffer device node.
++##	Read input event devices (/dev/input).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',`
+@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_dontaudit_rw_lvm_control',`
-+interface(`dev_dontaudit_rw_loop_control',`
+-interface(`dev_getattr_framebuffer_dev',`
++interface(`dev_rw_inherited_input_dev',`
  	gen_require(`
--		type lvm_control_t;
-+		type loop_control_device_t;
+-		type device_t, framebuf_device_t;
++		type device_t, event_device_t;
  	')
  
--	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
-+	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+-	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
++    allow $1 device_t:dir search_dir_perms;
++    allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
  ')
  
++
  ########################################
  ## <summary>
--##	Delete the lvm control device.
-+##	Delete the loop control device.
+-##	Set the attributes of the framebuffer device node.
++##	Read ipmi devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_delete_lvm_control_dev',`
-+interface(`dev_delete_loop_control_dev',`
+-interface(`dev_setattr_framebuffer_dev',`
++interface(`dev_read_ipmi_dev',`
  	gen_require(`
--		type device_t, lvm_control_t;
-+		type device_t, loop_control_device_t;
+-		type device_t, framebuf_device_t;
++		type device_t, ipmi_device_t;
  	')
  
--	delete_chr_files_pattern($1, device_t, lvm_control_t)
-+	delete_chr_files_pattern($1, device_t, loop_control_device_t)
+-	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
++	read_chr_files_pattern($1, device_t, ipmi_device_t)
  ')
  
  ########################################
  ## <summary>
--##	dontaudit getattr raw memory devices (e.g. /dev/mem).
-+##	Get the attributes of the loop comtrol device.
+-##	Dot not audit attempts to set the attributes
+-##	of the framebuffer device node.
++##	Read and write ipmi devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -6597,46 +6643,41 @@ index 76f285e..b708d28 100644
  ##	</summary>
  ## </param>
  #
--interface(`dev_dontaudit_getattr_memory_dev',`
-+interface(`dev_getattr_lvm_control',`
+-interface(`dev_dontaudit_setattr_framebuffer_dev',`
++interface(`dev_rw_ipmi_dev',`
  	gen_require(`
--		type memory_device_t;
-+		type device_t, lvm_control_t;
+-		type framebuf_device_t;
++		type device_t, ipmi_device_t;
  	')
  
--	dontaudit $1 memory_device_t:chr_file getattr;
-+	getattr_chr_files_pattern($1, device_t, lvm_control_t)
+-	dontaudit $1 framebuf_device_t:chr_file setattr;
++	rw_chr_files_pattern($1, device_t, ipmi_device_t)
  ')
  
  ########################################
  ## <summary>
--##	Read raw memory devices (e.g. /dev/mem).
-+##	Read the lvm comtrol device.
+-##	Read the framebuffer.
++##	Get the attributes of the framebuffer device node.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_read_raw_memory',`
-+interface(`dev_read_lvm_control',`
+-interface(`dev_read_framebuffer',`
++interface(`dev_getattr_framebuffer_dev',`
  	gen_require(`
--		type device_t, memory_device_t;
--		attribute memory_raw_read;
-+		type device_t, lvm_control_t;
- 	')
- 
--	read_chr_files_pattern($1, device_t, memory_device_t)
--
--	allow $1 self:capability sys_rawio;
--	typeattribute $1 memory_raw_read;
-+	read_chr_files_pattern($1, device_t, lvm_control_t)
+-		type framebuf_device_t;
++		type device_t, framebuf_device_t;
++	')
++
++	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write the lvm control device.
++##	Set the attributes of the framebuffer device node.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6644,17 +6685,18 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_lvm_control',`
++interface(`dev_setattr_framebuffer_dev',`
 +	gen_require(`
-+		type device_t, lvm_control_t;
++		type device_t, framebuf_device_t;
 +	')
 +
-+	rw_chr_files_pattern($1, device_t, lvm_control_t)
++	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read and write lvm control device.
++##	Dot not audit attempts to set the attributes
++##	of the framebuffer device node.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
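Review bot: The summary of `dev_dontaudit_setattr_framebuffer_dev` on the new side still reads `Dot not audit attempts to set the attributes`; it should be `##	Do not audit attempts to set the attributes`. The same class of carried-over typo, `comtrol` for `control`, appears in the summaries of `dev_getattr_loop_control` and `dev_read_loop_control` in the following hunks and again in the trailing `Get the attributes of the loop comtrol device.` block further down. These strings are what ends up in the generated interface documentation that policy authors search, so they are worth correcting while the interfaces are being moved.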
@@ -6662,17 +6704,54 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_dontaudit_setattr_framebuffer_dev',`
++	gen_require(`
++		type framebuf_device_t;
++	')
++
++	dontaudit $1 framebuf_device_t:chr_file setattr;
++')
++
++########################################
++## <summary>
++##	Read the framebuffer.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_framebuffer',`
 +	gen_require(`
-+		type lvm_control_t;
++		type framebuf_device_t;
+ 	')
+ 
+ 	read_chr_files_pattern($1, device_t, framebuf_device_t)
+@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',`
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the lvm comtrol device.
++##	Get the attributes of the loop comtrol device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_loop_control',`
++	gen_require(`
++		type device_t, loop_control_device_t;
 +	')
 +
-+	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete the lvm control device.
++##	Read the loop comtrol device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6680,17 +6759,35 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_delete_lvm_control_dev',`
++interface(`dev_read_loop_control',`
 +	gen_require(`
-+		type device_t, lvm_control_t;
++		type device_t, loop_control_device_t;
 +	')
 +
-+	delete_chr_files_pattern($1, device_t, lvm_control_t)
++	read_chr_files_pattern($1, device_t, loop_control_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	dontaudit getattr raw memory devices (e.g. /dev/mem).
++##	Read and write the loop control device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_loop_control',`
++	gen_require(`
++		type device_t, loop_control_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, loop_control_device_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write loop control device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6698,17 +6795,17 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_getattr_memory_dev',`
++interface(`dev_dontaudit_rw_loop_control',`
 +	gen_require(`
-+		type memory_device_t;
++		type loop_control_device_t;
 +	')
 +
-+	dontaudit $1 memory_device_t:chr_file getattr;
++	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read raw memory devices (e.g. /dev/mem).
++##	Delete the loop control device.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6716,20 +6813,21 @@ index 76f285e..b708d28 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_raw_memory',`
++interface(`dev_delete_loop_control_dev',`
 +	gen_require(`
-+		type device_t, memory_device_t;
-+		attribute memory_raw_read;
++		type device_t, loop_control_device_t;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, memory_device_t)
++	delete_chr_files_pattern($1, device_t, loop_control_device_t)
++')
 +
-+	allow $1 self:capability sys_rawio;
-+	typeattribute $1 memory_raw_read;
- ')
- 
- ########################################
-@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',`
++########################################
++## <summary>
++##	Get the attributes of the loop comtrol device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -6738,7 +6836,7 @@ index 76f285e..b708d28 100644
  ##	</summary>
  ## </param>
  #
-@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',`
  
  ########################################
  ## <summary>
@@ -6763,7 +6861,7 @@ index 76f285e..b708d28 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -6819,7 +6917,7 @@ index 76f285e..b708d28 100644
  ##	range registers (MTRR).
  ## </summary>
  ## <param name="domain">
-@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',`
  ##	</summary>
  ## </param>
  #
@@ -6836,7 +6934,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
@@ -6879,7 +6977,7 @@ index 76f285e..b708d28 100644
  ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
-@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
  
  ########################################
  ## <summary>
@@ -6904,7 +7002,7 @@ index 76f285e..b708d28 100644
  ##	Read and write BIOS non-volatile RAM.
  ## </summary>
  ## <param name="domain">
-@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -6931,7 +7029,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -6948,7 +7046,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',`
  
  ########################################
  ## <summary>
@@ -6957,7 +7055,7 @@ index 76f285e..b708d28 100644
  ##	number generator devices (e.g., /dev/random)
  ## </summary>
  ## <param name="domain">
-@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',`
  		type random_device_t;
  	')
  
@@ -6966,7 +7064,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -6975,7 +7073,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -7040,7 +7138,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',`
+@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -7085,7 +7183,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -7103,91 +7201,63 @@ index 76f285e..b708d28 100644
  ## <summary>
 -##	Read hardware state information.
 +##	Do not audit attempts to search sysfs.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read the contents of
--##	the sysfs filesystem.  This filesystem contains
--##	information, parameters, and other settings on the
--##	hardware installed on the system.
--##	</p>
--## </desc>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <infoflow type="read" weight="10"/>
- #
--interface(`dev_read_sysfs',`
++##	</summary>
++## </param>
++#
 +interface(`dev_dontaudit_search_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	read_files_pattern($1, sysfs_t, sysfs_t)
--	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
--	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	gen_require(`
++		type sysfs_t;
++	')
++
 +	dontaudit $1 sysfs_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Allow caller to modify hardware state information.
++')
++
++########################################
++## <summary>
 +##	List the contents of the sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_sysfs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_list_sysfs',`
- 	gen_require(`
- 		type sysfs_t;
- 	')
- 
--	rw_files_pattern($1, sysfs_t, sysfs_t)
- 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
- 	list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write the TPM device.
++	gen_require(`
++		type sysfs_t;
++	')
++
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++	list_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
 +##	Write in a sysfs directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_tpm',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +# cjp: added for cpuspeed
 +interface(`dev_write_sysfs_dirs',`
- 	gen_require(`
--		type device_t, tpm_device_t;
++	gen_require(`
 +		type sysfs_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, tpm_device_t)
++	')
++
 +	allow $1 sysfs_t:dir write;
- ')
- 
- ########################################
- ## <summary>
--##	Read from pseudo random number generator devices (e.g., /dev/urandom).
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write in a sysfs directory.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read from pseudo random number
--##	generator devices (e.g., /dev/urandom).  Typically this is
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
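Review bot: The summary of the new `dev_write_sysfs_dirs` reads `Write in a sysfs directories.`, which is ungrammatical and under-describes the rule: `allow $1 sysfs_t:dir write;` grants adding entries to sysfs directories, not writing file contents. Suggest `##	Write to sysfs directories.` here and `##	Do not audit attempts to write to sysfs directories.` for the dontaudit variant that follows. The `# cjp: added for cpuspeed` line is a personal note rather than documentation; if cpuspeed is the intended consumer, say so in the summary block. The hunk ends inside the dontaudit interface's doc block, so its body is not visible here.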
@@ -7229,7 +7299,15 @@ index 76f285e..b708d28 100644
 +########################################
 +## <summary>
 +##	Relabel cpu online hardware state information.
-+## </summary>
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read the contents of
+-##	the sysfs filesystem.  This filesystem contains
+-##	information, parameters, and other settings on the
+-##	hardware installed on the system.
+-##	</p>
+-## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -7259,47 +7337,13 @@ index 76f285e..b708d28 100644
 +##	hardware installed on the system.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <infoflow type="read" weight="10"/>
-+#
-+interface(`dev_read_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	read_files_pattern($1, sysfs_t, sysfs_t)
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+	list_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Allow caller to modify hardware state information.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	rw_files_pattern($1, sysfs_t, sysfs_t)
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+	list_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+## <summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',`
+ 
+ ########################################
+ ## <summary>
 +##	Relabel hardware state directories.
 +## </summary>
 +## <param name="domain">
@@ -7356,34 +7400,10 @@ index 76f285e..b708d28 100644
 +
 +########################################
 +## <summary>
-+##	Read and write the TPM device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_tpm',`
-+	gen_require(`
-+		type device_t, tpm_device_t;
-+	')
-+
-+	rw_chr_files_pattern($1, device_t, tpm_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read from pseudo random number generator devices (e.g., /dev/urandom).
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read from pseudo random number
-+##	generator devices (e.g., /dev/urandom).  Typically this is
- ##	used in situations when a cryptographically secure random
- ##	number is not necessarily needed.  One example is the Stack
- ##	Smashing Protector (SSP, formerly known as ProPolice) support
-@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',`
+ ##	Read and write the TPM device.
+ ## </summary>
+ ## <param name="domain">
+@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -7409,7 +7429,7 @@ index 76f285e..b708d28 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',`
  	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
  ')
  
@@ -7421,7 +7441,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -7444,7 +7464,7 @@ index 76f285e..b708d28 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7460,7 +7480,7 @@ index 76f285e..b708d28 100644
  ')
  
  ########################################
-@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',`
  
  ########################################
  ## <summary>
@@ -7595,7 +7615,7 @@ index 76f285e..b708d28 100644
  ##	Allow read/write the vhost net device
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -7620,7 +7640,7 @@ index 76f285e..b708d28 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -7647,7 +7667,7 @@ index 76f285e..b708d28 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -7798,6 +7818,7 @@ index 76f285e..b708d28 100644
 +gen_require(`
 +	type device_t;
 +	type usb_device_t;
++    type uhid_device_t;
 +	type sound_device_t;
 +	type apm_bios_t;
 +	type mouse_device_t;
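Review bot: `type uhid_device_t;` is indented with four spaces while every other line of this gen_require block uses a tab, which makes the line stand out in later rebases of this policy patch for no reason. The same space-indented additions appear in the domain.te `optional_policy` blocks this commit adds (the dbus filetrans, init transient-unit, docker, userdom and rkhunter calls). Normalise all of them to a leading tab to match the surrounding refpolicy style.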
@@ -7988,6 +8009,7 @@ index 76f285e..b708d28 100644
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event21")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
@@ -8524,6 +8546,7 @@ index 76f285e..b708d28 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
++	filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
 +	dev_filetrans_xserver_named_dev($1)
 +')
 +
@@ -8592,7 +8615,7 @@ index 76f285e..b708d28 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 6529bd9..831344c 100644
+index 6529bd9..b31a5e8 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -8658,17 +8681,23 @@ index 6529bd9..831344c 100644
  #
  # Type for /dev/tpm
  #
-@@ -266,6 +275,9 @@ dev_node(usbmon_device_t)
+@@ -266,6 +275,15 @@ dev_node(usbmon_device_t)
  type userio_device_t;
  dev_node(userio_device_t)
  
++#
++# uhid_device_t is the type for /dev/uhid
++#
++type uhid_device_t;
++dev_node(uhid_device_t)
++
 +type vfio_device_t;
 +dev_node(vfio_device_t)
 +
  type v4l_device_t;
  dev_node(v4l_device_t)
  
-@@ -274,6 +286,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +292,7 @@ dev_node(v4l_device_t)
  #
  type vhost_device_t;
  dev_node(vhost_device_t)
@@ -8676,7 +8705,7 @@ index 6529bd9..831344c 100644
  
  # Type for vmware devices.
  type vmware_device_t;
-@@ -319,5 +332,5 @@ files_associate_tmp(device_node)
+@@ -319,5 +338,5 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -8892,7 +8921,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..369ddc2 100644
+index cf04cb5..64d9761 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8933,13 +8962,14 @@ index cf04cb5..369ddc2 100644
  
  # Transitions only allowed from domains to other domains
  neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *;
  allow domain self:dir list_dir_perms;
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
 +allow domain self:fifo_file rw_fifo_file_perms;
 +allow domain self:sem create_sem_perms;
 +allow domain self:shm create_shm_perms;
++allow domain self:key manage_key_perms;
 +
  kernel_read_proc_symlinks(domain)
 +kernel_read_crypto_sysctls(domain)
@@ -8970,6 +9000,7 @@ index cf04cb5..369ddc2 100644
 +files_read_inherited_tmp_files(domain)
 +files_append_inherited_tmp_files(domain)
 +files_read_all_base_ro_files(domain)
++files_dontaduit_getattr_kernel_symbol_table(domain)
 +
 +# All executables should be able to search the directory they are in
 +corecmd_search_bin(domain)
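Review bot: `files_dontaduit_getattr_kernel_symbol_table(domain)` misspells `dontaudit` in the interface name. Unless files.if defines the interface under that exact misspelling (the files.if hunks visible in this commit do not show it), m4 will leave the call unexpanded and the policy build fails; and if it is defined with the typo, the name still breaks the `*_dontaudit_*` convention that readers and tooling rely on, so both definition and call should be spelled `files_dontaudit_getattr_kernel_symbol_table`. Separately, `allow domain self:key manage_key_perms;` gives every domain full management of its own kernel keyrings as part of the baseline; a one-line comment stating which consumer needs that would help future audits of what every confined domain receives.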
@@ -8980,7 +9011,7 @@ index cf04cb5..369ddc2 100644
  
  ifdef(`hide_broken_symptoms',`
  	# This check is in the general socket
-@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -8999,7 +9030,7 @@ index cf04cb5..369ddc2 100644
  ')
  
  optional_policy(`
-@@ -133,6 +189,9 @@ optional_policy(`
+@@ -133,6 +191,9 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -9009,7 +9040,7 @@ index cf04cb5..369ddc2 100644
  ')
  
  ########################################
-@@ -147,12 +206,18 @@ optional_policy(`
+@@ -147,12 +208,18 @@ optional_policy(`
  # Use/sendto/connectto sockets created by any domain.
  allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  
@@ -9029,7 +9060,7 @@ index cf04cb5..369ddc2 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +233,338 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9046,6 +9077,10 @@ index cf04cb5..369ddc2 100644
 +dev_config_null_dev_service(unconfined_domain_type)
 +
 +optional_policy(`
++    dbus_filetrans_named_content_system(named_filetrans_domain)
++')
++
++optional_policy(`
 +    kdump_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -9061,6 +9096,10 @@ index cf04cb5..369ddc2 100644
 +	seutil_filetrans_named_content(named_filetrans_domain)
 +')
 +
++optional_policy(`
++	wine_filetrans_named_content(named_filetrans_domain)
++')
++
 +storage_filetrans_all_named_dev(named_filetrans_domain)
 +
 +term_filetrans_all_named_dev(named_filetrans_domain)
@@ -9076,6 +9115,14 @@ index cf04cb5..369ddc2 100644
 +	init_filetrans_named_content(named_filetrans_domain)
 +')
 +
++# Allow manage transient unit files
++optional_policy(`
++    init_start_transient_unit(unconfined_domain_type)
++    init_stop_transient_unit(unconfined_domain_type)
++    init_status_transient_unit(unconfined_domain_type)
++    init_reload_transient_unit(unconfined_domain_type)
++')
++
 +optional_policy(`
 +	auth_filetrans_named_content(named_filetrans_domain)
 +	auth_filetrans_admin_home_content(named_filetrans_domain)
@@ -9126,6 +9173,10 @@ index cf04cb5..369ddc2 100644
 +')
 +
 +optional_policy(`
++    docker_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
 +	dnsmasq_filetrans_named_content(named_filetrans_domain)
 +')
 +
@@ -9225,6 +9276,10 @@ index cf04cb5..369ddc2 100644
 +')
 +
 +optional_policy(`
++    userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
++')
++
++optional_policy(`
 +	virt_filetrans_named_content(named_filetrans_domain)
 +')
 +
@@ -9272,6 +9327,10 @@ index cf04cb5..369ddc2 100644
 +	cron_rw_system_job_pipes(domain)
 +')
 +
++optional_policy(`
++	devicekit_dbus_chat_power(domain)
++')
++
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
@@ -9316,6 +9375,10 @@ index cf04cb5..369ddc2 100644
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 +
 +optional_policy(`
++    rkhunter_append_lib_files(domain)
++')
++
++optional_policy(`
 +	rpm_rw_script_inherited_pipes(domain)
 +	rpm_use_fds(domain)
 +	rpm_read_pipes(domain)
@@ -9337,7 +9400,7 @@ index cf04cb5..369ddc2 100644
 +	')
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..058bb58 100644
+index c2c6e05..7996499 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9392,7 +9455,7 @@ index c2c6e05..058bb58 100644
 +/etc/sysconfig/ip6?tables.*             --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/yum\.repos\.d/redhat\.repo         --      gen_context(system_u:object_r:system_conf_t,s0)
++/etc/yum\.repos\.d(/.*)?                        gen_context(system_u:object_r:system_conf_t,s0)
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
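Review bot: Replacing `/etc/yum\.repos\.d/redhat\.repo --` with `/etc/yum\.repos\.d(/.*)?` labels every repository definition, and the directory itself, as `system_conf_t` rather than only the subscription-managed file; since that type is shared with the firewall configuration entries listed just above, every domain allowed to write `system_conf_t` can now change where packages are fetched from. That may be intended, but the reason is recorded nowhere in the patch; a comment line above the entry such as `# whole repo dir is system_conf_t: any system_conf_t writer can change package sources` would save the next reviewer from re-deriving it. The comment should also note that dropping the `--` qualifier is what extends the label to the directory.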
@@ -9535,7 +9598,7 @@ index c2c6e05..058bb58 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +244,24 @@ ifndef(`distro_redhat',`
+@@ -237,11 +244,25 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -9553,7 +9616,8 @@ index c2c6e05..058bb58 100644
 +/var/lib/openshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
 +/var/lib/openshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
 +
-+/var/lib/servicelog/servicelog.db    --  gen_context(system_u:object_r:system_db_t,s0)
++/var/lib/servicelog/servicelog\.db    --  gen_context(system_u:object_r:system_db_t,s0)
++/var/lib/servicelog/servicelog\.db-journal  --  gen_context(system_u:object_r:system_db_t,s0)
 +
 +/var/lock			-d	gen_context(system_u:object_r:var_lock_t,s0)
 +/var/lock			-l	gen_context(system_u:object_r:var_lock_t,s0)
@@ -9561,7 +9625,7 @@ index c2c6e05..058bb58 100644
  
  /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +276,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
  /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
@@ -9576,14 +9640,14 @@ index c2c6e05..058bb58 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -270,3 +292,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +293,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..2b01383 100644
+index 64ff4d7..2dd815a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10214,7 +10278,32 @@ index 64ff4d7..2b01383 100644
  ##	Set the attributes of all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',`
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of all mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabelto_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	allow $1 mountpoint:dir relabelto;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to set the attributes on all mount points.
+ ## </summary>
+ ## <param name="domain">
+@@ -1673,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10239,7 +10328,7 @@ index 64ff4d7..2b01383 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10282,7 +10371,58 @@ index 64ff4d7..2b01383 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
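Review bot: The new `files_relabelto_all_mountpoints` reuses the summary of `files_setattr_all_mountpoints` above it (`Set the attributes of all mount points.`), so the generated documentation describes a setattr while the rule is `allow $1 mountpoint:dir relabelto;`. Change the summary to `##	Relabel to all mount point directories.` so anyone auditing which domains may move labels onto mount points can find it by its description.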
-@@ -1874,25 +2298,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1707,6 +2149,23 @@ interface(`files_list_root',`
+ 	allow $1 root_t:dir list_dir_perms;
+ 	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
++########################################
++## <summary>
++##	Do not audit attempts to write to / dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_write_root_dirs',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:dir write;
++')
+ 
+ ########################################
+ ## <summary>
+@@ -1747,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to check the 
++##	access on root directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_access_check_root',`
++	gen_require(`
++		type root_t;
++	')
++
++	dontaudit $1 root_t:dir_file_class_set audit_access;
++')
++
++
++########################################
++## <summary>
+ ##	Create an object in the root directory, with a private
+ ##	type using a type transition.
+ ## </summary>
+@@ -1874,25 +2353,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
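Review bot: `files_write_root_dirs` is documented as a dontaudit (`Do not audit attempts to write to / dirs.` and `Domain to not audit.`) but its body is `allow $1 root_t:dir write;`, a real grant of write access to the root directory. Reword the block to `##	Write to the root directory.` and `##	Domain allowed access.` so the permission is not mistaken for audit suppression by anyone reviewing which domains can create entries in `/`. The block also lacks the blank line that separates it from `files_list_root` before its banner, while `files_dontaudit_access_check_root` is followed by two; match the single-blank-line spacing used elsewhere in the file.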
@@ -10314,7 +10454,7 @@ index 64ff4d7..2b01383 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2329,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2384,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10323,7 +10463,7 @@ index 64ff4d7..2b01383 100644
  ')
  
  ########################################
-@@ -1928,6 +2352,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2407,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10348,7 +10488,7 @@ index 64ff4d7..2b01383 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2163,6 +2605,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10373,7 +10513,7 @@ index 64ff4d7..2b01383 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2627,6 +3087,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3142,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10398,7 +10538,7 @@ index 64ff4d7..2b01383 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3176,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3231,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10406,7 +10546,7 @@ index 64ff4d7..2b01383 100644
  ')
  
  ########################################
-@@ -2706,7 +3185,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3240,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10415,7 +10555,7 @@ index 64ff4d7..2b01383 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3241,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3296,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10441,7 +10581,7 @@ index 64ff4d7..2b01383 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3278,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3333,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10466,7 +10606,7 @@ index 64ff4d7..2b01383 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3461,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,26 +3516,8 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10488,10 +10628,14 @@ index 64ff4d7..2b01383 100644
 -
 -########################################
 -## <summary>
- ##	Read files in /etc that are dynamically
- ##	created on boot, such as mtab.
+-##	Read files in /etc that are dynamically
+-##	created on boot, such as mtab.
++##	Read files in /etc that are dynamically
++##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3501,7 @@ interface(`files_read_etc_runtime_files',`
+ ## <desc>
+ ##	<p>
+@@ -3003,9 +3556,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10502,7 +10646,7 @@ index 64ff4d7..2b01383 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3509,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3564,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10524,7 +10668,7 @@ index 64ff4d7..2b01383 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3537,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3592,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10551,7 +10695,7 @@ index 64ff4d7..2b01383 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3574,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10559,7 +10703,7 @@ index 64ff4d7..2b01383 100644
  ')
  
  ########################################
-@@ -3080,6 +3596,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10567,58 +10711,30 @@ index 64ff4d7..2b01383 100644
  ')
  
  ########################################
-@@ -3132,45 +3649,64 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3704,44 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search directories on new filesystems
-+##	Setattr of directories on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++##	Getattr all file opbjects on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_search_isid_type_dirs',`
-+interface(`files_setattr_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	dontaudit $1 file_t:dir search_dir_perms;
-+	allow $1 file_t:dir setattr;
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of directories on new filesystems
-+##	Do not audit attempts to search directories on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_list_isid_type_dirs',`
-+interface(`files_dontaudit_search_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	allow $1 file_t:dir list_dir_perms;
-+	dontaudit $1 file_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read and write directories on new filesystems
-+##	List the contents of directories on new filesystems
++##	</summary>
++## </param>
++#
++interface(`files_getattr_isid_type',`
++	gen_require(`
++		type unlabeled_t;
++	')
++
++	allow $1 unlabeled_t:dir_file_class_set getattr;
++')
++
++########################################
++## <summary>
++##	Setattr of directories on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
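Review bot: The summary of the new `files_getattr_isid_type` interface has a typo: `##	Getattr all file opbjects on new filesystems` should read `##	Getattr all file objects on new filesystems`. The interface also requires `type unlabeled_t;` while the neighbouring `files_getattr_isid_type_dirs`, `files_setattr_isid_type_dirs` and `files_dontaudit_search_isid_type_dirs` interfaces in this hunk require `file_t`; if that difference is intended, one line in the summary stating that this interface covers `unlabeled_t` objects rather than `file_t` would stop the next reader from assuming the two names denote the same type. The `dir_file_class_set getattr` rule is metadata-only, so its breadth is reasonable, but nothing in the name tells a caller it spans every file class, which the summary could say as well.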
@@ -10627,21 +10743,20 @@ index 64ff4d7..2b01383 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_isid_type_dirs',`
++interface(`files_setattr_isid_type_dirs',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:dir list_dir_perms;
++	allow $1 file_t:dir setattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write directories on new filesystems
+ ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
- ## <param name="domain">
-@@ -3205,6 +3741,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,6 +3815,62 @@ interface(`files_delete_isid_type_dirs',`
  
  	delete_dirs_pattern($1, file_t, file_t)
  ')
@@ -10704,7 +10819,33 @@ index 64ff4d7..2b01383 100644
  
  ########################################
  ## <summary>
-@@ -3455,6 +4047,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3246,6 +3912,25 @@ interface(`files_mounton_isid_type_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Mount a filesystem on a new chr_file 
++##	that has not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_mounton_isid_type_chr_file',`
++	gen_require(`
++		type unlabeled_t;
++	')
++
++	allow $1 unlabeled_t:chr_file mounton;
++')
++
++########################################
++## <summary>
+ ##	Read files on new filesystems
+ ##	that have not yet been labeled.
+ ## </summary>
+@@ -3455,6 +4140,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -10730,7 +10871,7 @@ index 64ff4d7..2b01383 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4407,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4500,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
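Review bot: The new `files_mounton_isid_type_chr_file` interface is named like the `*_isid_type_*` family, which (as far as this hunk shows, e.g. the `files_mounton_isid_type_dirs` context line) is keyed on `file_t`, yet it requires and grants on `unlabeled_t:chr_file mounton`; the summary should say explicitly that the target is `unlabeled_t` so the name does not mislead callers, e.g. `##	Mount a filesystem on an unlabeled_t chr_file`. The summary line `##	Mount a filesystem on a new chr_file ` also appears to carry trailing whitespace, which is worth stripping in a policy file that is diffed on every refresh.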
@@ -10774,64 +10915,98 @@ index 64ff4d7..2b01383 100644
  ')
  
  ########################################
-@@ -4199,6 +4828,171 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,192 +4921,215 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Allow the specified type to associate
+-##	to a filesystem with the type of the
+-##	temporary directory (/tmp).
 +##  Read manageable system configuration files in /etc
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+-##	<summary>
+-##	Type of the file to associate.
+-##	</summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_associate_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_read_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:filesystem associate;
 +    allow $1 etc_t:dir list_dir_perms;
 +    read_files_pattern($1, etc_t, system_conf_t)
 +    read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Get the	attributes of the tmp directory (/tmp).
 +##  Manage manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir getattr;
 +    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
 +    files_filetrans_system_conf_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to get the
+-##	attributes of the tmp directory (/tmp).
 +##  File name transition for system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_conf_named_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir getattr;
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
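Review bot: The inner hunk now records the whole run of tmp interfaces (`files_associate_tmp` through `files_delete_tmp_dir_entry`, and in the following hunks the `*_all_tmp_*` ones) as removed and re-adds them verbatim further down, here and in the two hunks that follow (the one ending at the `##	<summary>` line before `@@ -11012` and the one beginning at `@@ -11085`), apparently because the system_conf interfaces were moved ahead of them. As far as the visible lines show, the net change to files.if is a relocation plus one new `filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")` line, but that cannot be confirmed without reading all three hunks side by side, and any future upstream edit to the relocated interfaces would be silently reverted by this delete-and-readd. Regenerating the patch with a diff algorithm that keeps the unchanged tmp interfaces as context (`git diff --patience` or `diff --minimal`) would reduce it to the lines that actually change and make the relocation reviewable.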
@@ -10849,161 +11024,253 @@ index 64ff4d7..2b01383 100644
 +    filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelto_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir search_dir_perms;
 +    relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain to not audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelfrom_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir search_dir_perms;
 +    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +###################################
-+## <summary>
+ ## <summary>
+-##	Read the tmp directory (/tmp).
 +##  Create files in /etc with the type used for
 +##  the manageable system config files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  The type of the process performing this action.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_etc_filetrans_system_conf',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir list_dir_perms;
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit listing of the tmp directory (/tmp).
 +##  Manage manageable system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain not to audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_db_files',`
 +     gen_require(`
 +         type var_lib_t, system_db_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir list_dir_perms;
 +     manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
 +     files_filetrans_system_db_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##  File name transition for system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_db_named_files',`
 +    gen_require(`
 +        type var_lib_t, system_db_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir del_entry_dir_perms;
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
-+')
-+
++    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
+ ')
+ 
  ########################################
  ## <summary>
- ##	Allow the specified type to associate
-@@ -4221,6 +5015,26 @@ interface(`files_associate_tmp',`
+-##	Read files in the tmp directory (/tmp).
++##	Allow the specified type to associate
++##	to a filesystem with the type of the
++##	temporary directory (/tmp).
+ ## </summary>
+-## <param name="domain">
++## <param name="file_type">
+ ##	<summary>
+-##	Domain allowed access.
++##	Type of the file to associate.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_associate_tmp',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:filesystem associate;
+ ')
  
  ########################################
  ## <summary>
+-##	Manage temporary directories in /tmp.
 +##	Allow the specified type to associate
 +##	to a filesystem with the type of the
 +##	/ file system
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type of the file to associate.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_dirs',`
 +interface(`files_associate_rootfs',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		type root_t;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, tmp_t, tmp_t)
 +	allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the	attributes of the tmp directory (/tmp).
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage temporary files and directories in /tmp.
++##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +5048,37 @@ interface(`files_getattr_tmp_dirs',`
+ ##	<summary>
+@@ -4392,53 +5137,56 @@ interface(`files_manage_generic_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_getattr_tmp_dirs',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
+-	manage_files_pattern($1, tmp_t, tmp_t)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir getattr;
++	allow $1 tmp_t:dir getattr;
  ')
  
  ########################################
  ## <summary>
+-##	Read symbolic links in the tmp directory (/tmp).
 +##	Do not audit attempts to check the 
 +##	access on tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
 +interface(`files_dontaudit_access_check_tmp',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the
- ##	attributes of the tmp directory (/tmp).
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic named sockets in the tmp directory (/tmp).
++##	Do not audit attempts to get the
++##	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
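Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in their `gen_require` blocks but their bodies reference only `system_conf_t`, so the require should read `type system_conf_t;`; as written, a calling module that does not already have `system_conf_t` in scope will fail to build, and `usr_t` is required for nothing. The same mismatch appears in `files_dontaudit_access_check_tmp` below, which requires `type etc_t;` while its only rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so it should require `type tmp_t;` instead. These lines are context in this hunk and therefore predate the commit, but a refresh of the patch is the natural place to fix them. Separately, the `relabelfrom` interface reuses the `relabelto` summary text verbatim; `##  Relabel from the manageable system configuration file type in /etc.` would distinguish the two in generated documentation.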
@@ -11012,35 +11279,113 @@ index 64ff4d7..2b01383 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +5105,7 @@ interface(`files_search_tmp',`
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir search_dir_perms;
+-	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir getattr;
  ')
  
-@@ -4307,6 +5142,7 @@ interface(`files_list_tmp',`
- 		type tmp_t;
+ ########################################
+ ## <summary>
+-##	Set the attributes of all tmp directories.
++##	Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4446,77 +5194,92 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_search_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
  	')
  
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4316,7 +5152,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-##	List all tmp directories.
++##	Do not audit attempts to search the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
+-##	Domain allowed access.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +5164,25 @@ interface(`files_dontaudit_list_tmp',`
- 	dontaudit $1 tmp_t:dir list_dir_perms;
+-interface(`files_list_all_tmp',`
++interface(`files_dontaudit_search_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
++	dontaudit $1 tmp_t:dir search_dir_perms;
  ')
  
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	directory types.
++##	Read the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
++##	Do not audit listing of the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_dontaudit_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmpfile:file getattr;
++	dontaudit $1 tmp_t:dir list_dir_perms;
++')
++
 +#######################################
 +## <summary>
 +##  Allow read and write to the tmp directory (/tmp).
@@ -11058,25 +11403,87 @@ index 64ff4d7..2b01383 100644
 +
 +    files_search_tmp($1)
 +    allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
+ ')
+ 
  ########################################
  ## <summary>
- ##	Remove entries from the tmp directory.
-@@ -4343,6 +5198,7 @@ interface(`files_delete_tmp_dir_entry',`
- 		type tmp_t;
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
++##	Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4524,110 +5287,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_delete_tmp_dir_entry',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
  	')
  
+-	allow $1 tmpfile:file getattr;
 +	files_search_tmp($1)
- 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	file types.
++##	Read files in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_read_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_files_pattern($1, tmpfile, tmpfile)
++	read_files_pattern($1, tmp_t, tmp_t)
  ')
  
-@@ -4384,6 +5240,32 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp sock_file.
++##	Manage temporary directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_manage_generic_tmp_dirs',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmpfile:sock_file getattr;
++	manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Read all tmp files.
 +##	Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -11085,538 +11492,2356 @@ index 64ff4d7..2b01383 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
 +interface(`files_execmod_tmp',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	read_files_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+## <summary>
- ##	Manage temporary files and directories in /tmp.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
++##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_manage_generic_tmp_files',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	manage_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete the contents of /tmp.
++##	Read symbolic links in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4438,7 +5320,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	<summary>
+@@ -4635,22 +5386,17 @@ interface(`files_tmp_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_purge_tmp',`
++interface(`files_read_generic_tmp_symlinks',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
+-	delete_dirs_pattern($1, tmpfile, tmpfile)
+-	delete_files_pattern($1, tmpfile, tmpfile)
+-	delete_lnk_files_pattern($1, tmpfile, tmpfile)
+-	delete_fifo_files_pattern($1, tmpfile, tmpfile)
+-	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
--##	Set the attributes of all tmp directories.
+-##	Set the attributes of the /usr directory.
++##	Read and write generic named sockets in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4658,17 +5404,17 @@ interface(`files_purge_tmp',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_usr_dirs',`
++interface(`files_rw_generic_tmp_sockets',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 usr_t:dir setattr;
++	rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the content of /usr.
 +##	Relabel a dir from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4446,17 +5328,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4676,18 +5422,17 @@ interface(`files_setattr_usr_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_setattr_all_tmp_dirs',`
+-interface(`files_search_usr',`
 +interface(`files_relabelfrom_tmp_dirs',`
  	gen_require(`
--		attribute tmpfile;
+-		type usr_t;
 +		type tmp_t;
  	')
  
--	allow $1 tmpfile:dir { search_dir_perms setattr };
+-	allow $1 usr_t:dir search_dir_perms;
 +	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	List all tmp directories.
+-##	List the contents of generic
+-##	directories in /usr.
 +##	Relabel a file from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4464,34 +5346,124 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4695,35 +5440,35 @@ interface(`files_search_usr',`
  ##	</summary>
  ## </param>
  #
--interface(`files_list_all_tmp',`
+-interface(`files_list_usr',`
 +interface(`files_relabelfrom_tmp_files',`
  	gen_require(`
--		attribute tmpfile;
+-		type usr_t;
 +		type tmp_t;
  	')
  
--	allow $1 tmpfile:dir list_dir_perms;
+-	allow $1 usr_t:dir list_dir_perms;
 +	relabelfrom_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Relabel to and from all temporary
--##	directory types.
+-##	Do not audit write of /usr dirs
 +##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`files_relabel_all_tmp_dirs',`
+-interface(`files_dontaudit_write_usr_dirs',`
 +interface(`files_setattr_all_tmp_dirs',`
  	gen_require(`
- 		attribute tmpfile;
--		type var_t;
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	relabel_dirs_pattern($1, tmpfile, tmpfile)
+-	dontaudit $1 usr_t:dir write;
 +	allow $1 tmpfile:dir { search_dir_perms setattr };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Add and remove entries from /usr directories.
 +##	Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4731,36 +5476,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_usr_dirs',`
 +interface(`files_read_inherited_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 usr_t:dir rw_dir_perms;
 +	allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to add and remove
+-##	entries from /usr directories.
 +##	Allow caller to append inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
 +interface(`files_append_inherited_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 usr_t:dir rw_dir_perms;
 +	allow $1 tmpfile:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic directories in /usr in the caller domain.
 +##	Allow caller to read and write inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4768,17 +5512,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_dirs',`
 +interface(`files_rw_inherited_tmp_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	delete_dirs_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic files in /usr in the caller domain.
 +##	List all tmp directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4786,73 +5530,59 @@ interface(`files_delete_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_files',`
 +interface(`files_list_all_tmp',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	delete_files_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of files in /usr.
 +##	Relabel to and from all temporary
 +##	directory types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`files_getattr_usr_files',`
 +interface(`files_relabel_all_tmp_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
 +		type var_t;
-+	')
-+
+ 	')
+ 
+-	getattr_files_pattern($1, usr_t, usr_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_dirs_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
-@@ -4501,7 +5473,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ## <summary>
+-##	Read generic files in /usr.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
  ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read generic
+-##	files in /usr. These files are various program
+-##	files that do not have more specific SELinux types.
+-##	Some examples of these files are:
+-##	</p>
+-##	<ul>
+-##		<li>/usr/include/*</li>
+-##		<li>/usr/share/doc/*</li>
+-##		<li>/usr/share/info/*</li>
+-##	</ul>
+-##	<p>
+-##	Generally, it is safe for many domains to have
+-##	this access.
+-##	</p>
+-## </desc>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
+-##	Domain allowed access.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
+-## <infoflow type="read" weight="10"/>
  #
-@@ -4561,7 +5533,7 @@ interface(`files_relabel_all_tmp_files',`
+-interface(`files_read_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
+-	read_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute generic programs in /usr in the caller domain.
++##	Allow attempts to get the attributes
++##	of all tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
+@@ -4860,55 +5590,58 @@ interface(`files_read_usr_files',`
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5565,44 @@ interface(`files_read_all_tmp_files',`
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to read or write
-+##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_tmp_file_leaks',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	dontaudit $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Do allow attempts to read or write
-+##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_tmp_file_leaks',`
-+	gen_require(`
+-interface(`files_exec_usr_files',`
++interface(`files_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create an object in the tmp directories, with a private
- ##	type using a type transition.
- ## </summary>
-@@ -4646,6 +5656,16 @@ interface(`files_purge_tmp',`
- 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
- 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
- 	delete_sock_files_pattern($1, tmpfile, tmpfile)
-+	delete_chr_files_pattern($1, tmpfile, tmpfile)
-+	delete_blk_files_pattern($1, tmpfile, tmpfile)
-+	files_list_isid_type_dirs($1)
-+	files_delete_isid_type_dirs($1)
-+	files_delete_isid_type_files($1)
-+	files_delete_isid_type_symlinks($1)
-+	files_delete_isid_type_fifo_files($1)
-+	files_delete_isid_type_sock_files($1)
-+	files_delete_isid_type_blk_files($1)
-+	files_delete_isid_type_chr_files($1)
- ')
+ 	')
  
- ########################################
-@@ -5223,6 +6243,24 @@ interface(`files_list_var',`
+-	allow $1 usr_t:dir list_dir_perms;
+-	exec_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file getattr;
+ ')
  
  ########################################
  ## <summary>
-+##	Do not audit listing of the var directory (/var).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_list_var',`
-+	gen_require(`
-+		type var_t;
-+	')
-+
-+	dontaudit $1 var_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create, read, write, and delete directories
- ##	in the /var directory.
+-##	dontaudit write of /usr files
++##	Relabel to and from all temporary
++##	file types.
  ## </summary>
-@@ -5578,6 +6616,25 @@ interface(`files_read_var_lib_symlinks',`
- 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
- 
-+########################################
-+## <summary>
-+##	manage generic symbolic links
-+##	in the /var/lib directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+	gen_require(`
-+		type var_lib_t;
-+	')
-+
-+	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way.  They really neeed their own types.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_write_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
+ 	')
  
-@@ -5623,7 +6680,7 @@ interface(`files_manage_mounttab',`
+-	dontaudit $1 usr_t:file write;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
  
  ########################################
  ## <summary>
--##	Set the attributes of the generic lock directories.
-+##	List generic lock directories.
+-##	Create, read, write, and delete files in the /usr directory.
++##	Do not audit attempts to get the attributes
++##	of all tmp sock_file.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6688,13 @@ interface(`files_manage_mounttab',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
+-interface(`files_manage_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
  	gen_require(`
- 		type var_t, var_lock_t;
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	setattr_dirs_pattern($1, var_t, var_lock_t)
-+	files_search_locks($1)
-+	list_dirs_pattern($1, var_t, var_lock_t)
+-	manage_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:sock_file getattr;
  ')
  
  ########################################
-@@ -5654,6 +6712,7 @@ interface(`files_search_locks',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Relabel a file to the type used in /usr.
++##	Read all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4916,67 +5649,70 @@ interface(`files_manage_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_read_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
-+	files_search_pids($1)
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_lock_t)
+-	relabelto_files_pattern($1, usr_t, usr_t)
++	read_files_pattern($1, tmpfile, tmpfile)
  ')
-@@ -5680,7 +6739,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
--##	List generic lock directories.
-+##	Do not audit attempts to read/write inherited
-+##	locks (/var/lock).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+	gen_require(`
-+		type var_lock_t;
-+	')
-+
-+	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Set the attributes of the /var/lock directory.
+-##	Relabel a file from the type used in /usr.
++##	Do not audit attempts to read or write
++##	all leaked tmpfiles files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6766,12 @@ interface(`files_dontaudit_search_locks',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
  	gen_require(`
--		type var_t, var_lock_t;
-+		type var_lock_t;
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	relabelfrom_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in /usr.
++##	Do allow attempts to read or write
++##	all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_usr_symlinks',`
++interface(`files_rw_tmp_file_leaks',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /usr directory
++##	Create an object in the tmp directories, with a private
++##	type using a type transition.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
++## <param name="private type">
+ ##	<summary>
+-##	The type of the object to be created
++##	The type of the object to be created.
+ ##	</summary>
+ ## </param>
+-## <param name="object_class">
++## <param name="object">
+ ##	<summary>
+-##	The object class.
++##	The object class of the object being created.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -4985,35 +5721,50 @@ interface(`files_read_usr_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_tmp_filetrans',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, usr_t, $2, $3, $4)
++	filetrans_pattern($1, tmp_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search /usr/src.
++##	Delete the contents of /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_purge_tmp',`
+ 	gen_require(`
+-		type src_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 src_t:dir search_dir_perms;
++	allow $1 tmpfile:dir list_dir_perms;
++	delete_dirs_pattern($1, tmpfile, tmpfile)
++	delete_files_pattern($1, tmpfile, tmpfile)
++	delete_lnk_files_pattern($1, tmpfile, tmpfile)
++	delete_fifo_files_pattern($1, tmpfile, tmpfile)
++	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	delete_chr_files_pattern($1, tmpfile, tmpfile)
++	delete_blk_files_pattern($1, tmpfile, tmpfile)
++	files_list_isid_type_dirs($1)
++	files_delete_isid_type_dirs($1)
++	files_delete_isid_type_files($1)
++	files_delete_isid_type_symlinks($1)
++	files_delete_isid_type_fifo_files($1)
++	files_delete_isid_type_sock_files($1)
++	files_delete_isid_type_blk_files($1)
++	files_delete_isid_type_chr_files($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of files in /usr/src.
++##	Set the attributes of the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5021,20 +5772,17 @@ interface(`files_dontaudit_search_src',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_setattr_usr_dirs',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+-	getattr_files_pattern($1, src_t, src_t)
+-
+-	# /usr/src/linux symlink:
+-	read_lnk_files_pattern($1, usr_t, src_t)
++	allow $1 usr_t:dir setattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in /usr/src.
++##	Search the content of /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5042,20 +5790,18 @@ interface(`files_getattr_usr_src_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_usr_src_files',`
++interface(`files_search_usr',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+ 	allow $1 usr_t:dir search_dir_perms;
+-	read_files_pattern($1, { usr_t src_t }, src_t)
+-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+-	allow $1 src_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute programs in /usr/src in the caller domain.
++##	List the contents of generic
++##	directories in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5063,38 +5809,35 @@ interface(`files_read_usr_src_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_list_usr',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+-	list_dirs_pattern($1, usr_t, src_t)
+-	exec_files_pattern($1, src_t, src_t)
+-	read_lnk_files_pattern($1, src_t, src_t)
++	allow $1 usr_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Install a system.map into the /boot directory.
++##	Do not audit write of /usr dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_dontaudit_write_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++	dontaudit $1 usr_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read system.map in the /boot directory.
++##	Add and remove entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5102,37 +5845,36 @@ interface(`files_create_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_rw_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir list_dir_perms;
+-	read_files_pattern($1, boot_t, system_map_t)
++	allow $1 usr_t:dir rw_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete a system.map in the /boot directory.
++##	Do not audit attempts to add and remove
++##	entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_rw_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir list_dir_perms;
+-	delete_files_pattern($1, boot_t, system_map_t)
++	dontaudit $1 usr_t:dir rw_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of /var.
++##	Delete generic directories in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5140,35 +5882,35 @@ interface(`files_delete_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_var',`
++interface(`files_delete_usr_dirs',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write to /var.
++##	Delete generic files in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:dir write;
++	delete_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow attempts to write to /var.dirs
++##	Get the attributes of files in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5176,36 +5918,55 @@ interface(`files_dontaudit_write_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_var_dirs',`
++interface(`files_getattr_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir write;
++	getattr_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the contents of /var.
++##	Read generic files in /usr.
+ ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read generic
++##	files in /usr. These files are various program
++##	files that do not have more specific SELinux types.
++##	Some examples of these files are:
++##	</p>
++##	<ul>
++##		<li>/usr/include/*</li>
++##		<li>/usr/share/doc/*</li>
++##		<li>/usr/share/info/*</li>
++##	</ul>
++##	<p>
++##	Generally, it is safe for many domains to have
++##	this access.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_dontaudit_search_var',`
++interface(`files_read_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:dir search_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	read_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of /var.
++##	Execute generic programs in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5213,36 +5974,37 @@ interface(`files_dontaudit_search_var',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var',`
++interface(`files_exec_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir list_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	exec_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete directories
+-##	in the /var directory.
++##	dontaudit write of /usr files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_dirs',`
++interface(`files_dontaudit_write_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir manage_dir_perms;
++	dontaudit $1 usr_t:file write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in the /var directory.
++##	Create, read, write, and delete files in the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5250,17 +6012,17 @@ interface(`files_manage_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_files',`
++interface(`files_manage_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	read_files_pattern($1, var_t, var_t)
++	manage_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append files in the /var directory.
++##	Relabel a file to the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5268,17 +6030,17 @@ interface(`files_read_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_append_var_files',`
++interface(`files_relabelto_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	append_files_pattern($1, var_t, var_t)
++	relabelto_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write files in the /var directory.
++##	Relabel a file from the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5286,73 +6048,86 @@ interface(`files_append_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_files',`
++interface(`files_relabelfrom_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	rw_files_pattern($1, var_t, var_t)
++	relabelfrom_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write
+-##	files in the /var directory.
++##	Read symbolic links in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_usr_symlinks',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:file rw_file_perms;
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files in the /var directory.
++##	Create objects in the /usr directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_var_files',`
++interface(`files_usr_filetrans',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	manage_files_pattern($1, var_t, var_t)
++	filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the /var directory.
++##	Do not audit attempts to search /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_search_src',`
+ 	gen_require(`
+-		type var_t;
++		type src_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, var_t, var_t)
++	dontaudit $1 src_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete symbolic
+-##	links in the /var directory.
++##	Get the attributes of files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5360,50 +6135,41 @@ interface(`files_read_var_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_getattr_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	manage_lnk_files_pattern($1, var_t, var_t)
++	getattr_files_pattern($1, src_t, src_t)
++
++	# /usr/src/linux symlink:
++	read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var directory
++##	Read files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_var_filetrans',`
++interface(`files_read_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	filetrans_pattern($1, var_t, $2, $3, $4)
++	allow $1 usr_t:dir search_dir_perms;
++	read_files_pattern($1, { usr_t src_t }, src_t)
++	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++	allow $1 src_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the /var/lib directory.
++##	Execute programs in /usr/src in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5411,69 +6177,56 @@ interface(`files_var_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_exec_usr_src_files',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	getattr_dirs_pattern($1, var_t, var_lib_t)
++	list_dirs_pattern($1, usr_t, src_t)
++	exec_files_pattern($1, src_t, src_t)
++	read_lnk_files_pattern($1, src_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the /var/lib directory.
++##	Install a system.map into the /boot directory.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Search the /var/lib directory.  This is
+-##	necessary to access files or directories under
+-##	/var/lib that have a private type.  For example, a
+-##	domain accessing a private library file in the
+-##	/var/lib directory:
+-##	</p>
+-##	<p>
+-##	allow mydomain_t mylibfile_t:file read_file_perms;
+-##	files_search_var_lib(mydomain_t)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_search_var_lib',`
++interface(`files_create_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++	allow $1 system_map_t:file { create_file_perms rw_file_perms };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	contents of /var/lib.
++##	Dontaudit getattr attempts on the system.map file
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_lib_t;
++		type system_map_t;
+ 	')
+ 
+-	dontaudit $1 var_lib_t:dir search_dir_perms;
++	dontaudit $1 system_map_t:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the /var/lib directory.
++##	Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5481,17 +6234,18 @@ interface(`files_dontaudit_search_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var_lib',`
++interface(`files_read_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	read_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+-###########################################
++########################################
+ ## <summary>
+-##	Read-write /var/lib directories
++##	Delete a system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5499,70 +6253,54 @@ interface(`files_list_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_delete_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	rw_dirs_pattern($1, var_lib_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	delete_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var/lib directory
++##	Search the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+ 	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic files in /var/lib.
++##	Do not audit attempts to write to /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_dontaudit_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lib_t:dir list_dir_perms;
+-	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	dontaudit $1 var_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic symbolic links in /var/lib
++##	Allow attempts to write to /var.dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5570,41 +6308,36 @@ interface(`files_read_var_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	allow $1 var_t:dir write;
+ ')
+ 
+-# cjp: the next two interfaces really need to be fixed
+-# in some way.  They really neeed their own types.
+-
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete the
+-##	pseudorandom number generator seed.
++##	Do not audit attempts to search
++##	the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_dontaudit_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	dontaudit $1 var_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to manage mount tables
+-##	necessary for rpcd, nfsd, etc.
++##	List the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5612,36 +6345,36 @@ interface(`files_manage_urandom_seed',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_list_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	allow $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the generic lock directories.
++##	Do not audit listing of the var directory (/var).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_dontaudit_list_var',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	setattr_dirs_pattern($1, var_t, var_lock_t)
++	dontaudit $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the locks directory (/var/lock).
++##	Create, read, write, and delete directories
++##	in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5649,38 +6382,35 @@ interface(`files_setattr_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
++interface(`files_manage_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_lock_t)
++	allow $1 var_t:dir manage_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	locks directory (/var/lock).
++##	Read files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_read_var_files',`
+ 	gen_require(`
+-		type var_lock_t;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_lock_t:dir search_dir_perms;
++	read_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List generic lock directories.
++##	Append files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5688,19 +6418,17 @@ interface(`files_dontaudit_search_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_locks',`
++interface(`files_append_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	list_dirs_pattern($1, var_t, var_lock_t)
-+	allow $1 var_lock_t:dir setattr;
++	append_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Add and remove entries in the /var/lock
+-##	directories.
++##	Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5708,60 +6436,54 @@ interface(`files_list_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	rw_dirs_pattern($1, var_t, var_lock_t)
++	rw_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create lock directories
++##	Do not audit attempts to read and write
++##	files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
++##	<summary>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_dontaudit_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	create_dirs_pattern($1, var_lock_t, var_lock_t)
++	dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all lock directory types.
++##	Create, read, write, and delete files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_manage_var_files',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	relabel_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of generic lock files.
++##	Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5769,20 +6491,18 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_read_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_lock_t:dir list_dir_perms;
+-	getattr_files_pattern($1, var_lock_t, var_lock_t)
++	read_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic lock files.
++##	Create, read, write, and delete symbolic
++##	links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5790,185 +6510,207 @@ interface(`files_getattr_generic_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, var_lock_t, var_lock_t)
++	manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	lock files.
++##	Create objects in the /var directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_var_filetrans',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
+-	manage_files_pattern($1, var_lock_t, var_lock_t)
++	filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all lock files.
++##	Get the attributes of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, lockfile, lockfile)
++	getattr_dirs_pattern($1, var_t, var_lib_t)
  ')
  
  ########################################
-@@ -5713,7 +6790,7 @@ interface(`files_rw_lock_dirs',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Read all lock files.
++##	Search the /var/lib directory.
+ ## </summary>
++## <desc>
++##	<p>
++##	Search the /var/lib directory.  This is
++##	necessary to access files or directories under
++##	/var/lib that have a private type.  For example, a
++##	domain accessing a private library file in the
++##	/var/lib directory:
++##	</p>
++##	<p>
++##	allow mydomain_t mylibfile_t:file read_file_perms;
++##	files_search_var_lib(mydomain_t)
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_search_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
  	')
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	files_search_locks($1)
- 	rw_dirs_pattern($1, var_t, var_lock_t)
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
++	search_dirs_pattern($1, var_t, var_lib_t)
  ')
  
-@@ -5746,7 +6823,6 @@ interface(`files_create_lock_dirs',`
- ##	Domain allowed access.
+ ########################################
+ ## <summary>
+-##	manage all lock files.
++##	Do not audit attempts to search the
++##	contents of /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
--## <rolecap/>
++## <infoflow type="read" weight="5"/>
  #
- interface(`files_relabel_all_lock_dirs',`
+-interface(`files_manage_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
  	gen_require(`
-@@ -5761,7 +6837,7 @@ interface(`files_relabel_all_lock_dirs',`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
+-	manage_lnk_files_pattern($1, lockfile, lockfile)
++	dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
  
  ########################################
  ## <summary>
--##	Get the attributes of generic lock files.
-+##	Relabel to and from all lock file types.
+-##	Create an object in the locks directory, with a private
+-##	type using a type transition.
++##	List the contents of the /var/lib directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6845,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
  #
--interface(`files_getattr_generic_locks',`
-+interface(`files_relabel_all_lock_files',`
+-interface(`files_lock_filetrans',`
++interface(`files_list_var_lib',`
  	gen_require(`
-+		attribute lockfile;
- 		type var_t, var_lock_t;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	relabel_files_pattern($1, lockfile, lockfile)
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++	list_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+-########################################
++###########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of the /var/run directory.
++##	Read-write /var/lib directories
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_rw_var_lib_dirs',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_lib_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir getattr;
++	rw_dirs_pattern($1, var_lib_t, var_lib_t)
 +')
 +
-+########################################
++#######################################
 +## <summary>
-+##	Get the attributes of generic lock files.
++##      Create directories in /var/lib
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##      <summary>
++##      Domain allowed access.
++##      </summary>
 +## </param>
 +#
-+interface(`files_getattr_generic_locks',`
-+	gen_require(`
-+		type var_t, var_lock_t;
-+	')
-+
-+	files_search_locks($1)
- 	allow $1 var_lock_t:dir list_dir_perms;
- 	getattr_files_pattern($1, var_lock_t, var_lock_t)
++interface(`files_create_var_lib_dirs',`
++    gen_require(`
++        type var_lib_t;
++    ')
++    allow $1 var_lib_t:dir { create rw_dir_perms };
  ')
-@@ -5791,13 +6887,12 @@ interface(`files_getattr_generic_locks',`
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /var/run directory.
++##	Create objects in the /var/lib directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
  ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
  #
- interface(`files_delete_generic_locks',`
--	gen_require(`
-+       gen_require(`
- 		type var_t, var_lock_t;
--	')
-+       ')
+-interface(`files_setattr_pid_dirs',`
++interface(`files_var_lib_filetrans',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, var_lock_t, var_lock_t)
-+       files_search_locks($1)
-+       delete_files_pattern($1, var_lock_t, var_lock_t)
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir setattr;
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_lib_t, $2, $3, $4)
  ')
  
  ########################################
-@@ -5816,9 +6911,7 @@ interface(`files_manage_generic_locks',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Search the contents of runtime process
+-##	ID directories (/var/run).
++##	Read generic files in /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5976,39 +6718,37 @@ interface(`files_setattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_pids',`
++interface(`files_read_var_lib_files',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_t, var_lib_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+	files_search_locks($1)
- 	manage_files_pattern($1, var_lock_t, var_lock_t)
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_run_t)
++	allow $1 var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
-@@ -5860,8 +6953,7 @@ interface(`files_read_all_locks',`
- 		type var_t, var_lock_t;
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the /var/run directory.
++##	Read generic symbolic links in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_read_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	allow $1 lockfile:dir list_dir_perms;
- 	read_files_pattern($1, lockfile, lockfile)
- 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6975,7 @@ interface(`files_manage_all_locks',`
- 		type var_t, var_lock_t;
- 	')
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
++	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	manage_dirs_pattern($1, lockfile, lockfile)
- 	manage_files_pattern($1, lockfile, lockfile)
- 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7012,7 @@ interface(`files_lock_filetrans',`
- 		type var_t, var_lock_t;
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
++##	manage generic symbolic links
++##	in the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6016,18 +6756,21 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_lib_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	files_search_locks($1)
- 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
  ')
  
-@@ -5961,7 +7051,7 @@ interface(`files_setattr_pid_dirs',`
- 		type var_run_t;
++# cjp: the next two interfaces really need to be fixed
++# in some way.  They really neeed their own types.
++
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
++##	Create, read, write, and delete the
++##	pseudorandom number generator seed.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6035,19 +6778,19 @@ interface(`files_list_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_manage_urandom_seed',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_t, var_lib_t;
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
++##	Allow domain to manage mount tables
++##	necessary for rpcd, nfsd, etc.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6055,58 +6798,1223 @@ interface(`files_read_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_generic_pid_pipes',`
++interface(`files_manage_mounttab',`
++	gen_require(`
++		type var_t, var_lib_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++##	List generic lock directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Search the locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search the
++##	locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read/write inherited
++##	locks (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/lock directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_lock_dirs',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	allow $1 var_lock_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Add and remove entries in the /var/lock
++##	directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	rw_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## 	Create lock directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Relabel to and from all lock directory types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_dirs',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Relabel to and from all lock file types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_files',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Get the attributes of generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_getattr_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 var_lock_t:dir list_dir_perms;
++	getattr_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_generic_locks',`
++       gen_require(`
++		type var_t, var_lock_t;
++       ')
++
++       files_search_locks($1)
++       delete_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Read all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 lockfile:dir list_dir_perms;
++	read_files_pattern($1, lockfile, lockfile)
++	read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	manage all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	manage_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, lockfile, lockfile)
++	manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Create an object in the locks directory, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_lock_filetrans',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_run_t:dir setattr;
- ')
- 
-@@ -5981,10 +7071,48 @@ interface(`files_search_pids',`
- 		type var_t, var_run_t;
- 	')
- 
++	allow $1 var_run_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Search the contents of runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
 +	allow $1 var_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_run_t)
- ')
- 
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_run_t)
++')
++
 +######################################
 +## <summary>
 +## Add and remove entries from pid directories.
@@ -11654,13 +13879,28 @@ index 64ff4d7..2b01383 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
- ########################################
- ## <summary>
- ##	Do not audit attempts to search
-@@ -6007,6 +7135,25 @@ interface(`files_dontaudit_search_pids',`
- 
- ########################################
- ## <summary>
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_pids',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to search
 +##	the all /var/run directory.
 +## </summary>
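Review bot: The `files_dontaudit_search_pids` interface re-added in this hunk no longer mirrors its allow counterpart: `files_search_pids` further up now grants `var_t:lnk_file read_lnk_file_perms` in addition to the `var_run_t` rules, while the dontaudit variant still covers only `var_run_t:lnk_file` and `var_run_t:dir search_dir_perms`. If the extra allow is there to follow symlinks labeled var_t under /var (presumably the reason it was added; worth confirming against the file-context substitutions that motivated it), a domain that is only given the dontaudit interface will still emit an AVC for the var_t lnk_file read, which defeats the purpose of the silencing rule; adding `dontaudit $1 var_t:lnk_file read_lnk_file_perms;` next to the two existing dontaudit lines keeps the pair consistent. Note that this is a patch to a patch, so the inner hunk that carries the interface begins well before this outer hunk and the move itself (the interface body is unchanged from the one removed earlier in the file) is not what is being questioned.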
@@ -11680,74 +13920,167 @@ index 64ff4d7..2b01383 100644
 +
 +########################################
 +## <summary>
- ##	List the contents of the runtime process
- ##	ID directories (/var/run).
- ## </summary>
-@@ -6021,7 +7168,7 @@ interface(`files_list_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++##	List the contents of the runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- ')
- 
-@@ -6040,7 +7187,7 @@ interface(`files_read_generic_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Read generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	read_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6060,7 +7207,7 @@ interface(`files_write_generic_pid_pipes',`
- 		type var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	list_dirs_pattern($1, var_t, var_run_t)
++	read_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Write named generic process ID pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_write_generic_pid_pipes',`
++	gen_require(`
++		type var_run_t;
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_run_t:fifo_file write;
- ')
- 
-@@ -6122,7 +7269,6 @@ interface(`files_pid_filetrans',`
- 	')
- 
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
- 
-@@ -6151,7 +7297,7 @@ interface(`files_pid_filetrans_lock_dir',`
- 
- ########################################
- ## <summary>
--##	Read and write generic process ID files.
++	allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++## <summary>
++##	Create an object in the process ID directory, with a private type.
++## </summary>
++## <desc>
++##	<p>
++##	Create an object in the process ID directory (e.g., /var/run)
++##	with a private type.  Typically this is used for creating
++##	private PID files in /var/run with the private type instead
++##	of the general PID file type. To accomplish this goal,
++##	either the program must be SELinux-aware, or use this interface.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_pid_file()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its PID file with a private PID file type in the
++##	/var/run directory:
++##	</p>
++##	<p>
++##	type mypidfile_t;
++##	files_pid_file(mypidfile_t)
++##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`files_pid_filetrans',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## 	Create a generic lock directory within the run directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_pid_filetrans_lock_dir',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++## <summary>
 +##	rw generic pid files inherited from another process
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6159,20 +7305,38 @@ interface(`files_pid_filetrans_lock_dir',`
- ##	</summary>
- ## </param>
- #
--interface(`files_rw_generic_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_rw_inherited_generic_pid_files',`
- 	gen_require(`
--		type var_t, var_run_t;
++	gen_require(`
 +		type var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
--	rw_files_pattern($1, var_run_t, var_run_t)
++	')
++
 +	allow $1 var_run_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes of
--##	daemon runtime data files.
++')
++
++########################################
++## <summary>
 +##	Read and write generic process ID files.
 +## </summary>
 +## <param name="domain">
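Review bot: `files_pid_filetrans` (L5763–L5770) is the only var_run_t interface rewritten in this hunk that does not call `files_search_pids($1)`; `files_list_pids`, `files_read_generic_pids` and `files_write_generic_pid_pipes` all gained that call, and `files_search_pids` (L5557–L5569) is where the `var_run_t:lnk_file read_lnk_file_perms` access now lives after its removal from the individual interfaces. A domain that only uses `files_pid_filetrans` therefore has no symlink read on var_run_t, which presumably matters wherever /var/run is reached through a symlink; if that is intended, a comment saying the caller must also invoke files_search_pids() would help. Otherwise replace `allow $1 var_t:dir search_dir_perms;` with `files_search_pids($1)`, which already covers the var_t search. The summary of `files_pid_filetrans_lock_dir` (L5774, L5777) also mixes a space before the tab, unlike every other header in the hunk.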
@@ -11770,13 +14103,64 @@ index 64ff4d7..2b01383 100644
 +## <summary>
 +##	Do not audit attempts to get the attributes of
 +##	daemon runtime data files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6231,6 +7395,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
- 
- ########################################
- ## <summary>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file write;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to ioctl daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++## <summary>
 +##	Relable all pid directories
 +## </summary>
 +## <param name="domain">
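Review bot: `files_dontaudit_write_all_pids` (L5877–L5884) uses `var_run_t` in `dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;` but its gen_require block declares only `attribute pidfile;`, whereas the getattr and ioctl siblings in the same hunk (L5858–L5861, L5897–L5900) both require `type var_run_t;`. A module calling this interface without requiring var_run_t elsewhere is likely to fail to compile with an out-of-scope type error. Add `type var_run_t;` to the gen_require so the three dontaudit interfaces are consistent.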
@@ -11887,20 +14271,23 @@ index 64ff4d7..2b01383 100644
 +
 +########################################
 +## <summary>
- ##	Read all process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -6243,12 +7517,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
++##	Read all process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_read_all_pids',`
++	gen_require(`
++		attribute pidfile;
 +		type var_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	list_dirs_pattern($1, var_t, pidfile)
- 	read_files_pattern($1, pidfile, pidfile)
++	')
++
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
 +	read_lnk_files_pattern($1, pidfile, pidfile)
 +')
 +
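Review bot: `files_read_all_pids` (L5932–L5946) drops the `var_run_t:lnk_file read_lnk_file_perms` rule and the `var_run_t` require, but unlike `files_delete_all_pids` and `files_delete_all_pid_dirs` in a later hunk it does not call `files_search_pids($1)` to get that access back. Callers that relied on this interface alone to traverse a /var/run symlink would presumably be denied; if the omission is deliberate, a one-line comment such as `# var_run_t symlink traversal is left to files_search_pids()` would document it, otherwise add `files_search_pids($1)` before the `list_dirs_pattern` call. The interface is also tagged `<rolecap/>`, so the exposure applies to role-level callers as well.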
@@ -11933,10 +14320,12 @@ index 64ff4d7..2b01383 100644
 +## </param>
 +#
 +interface(`files_exec_generic_pid_files',`
-+	gen_require(`
-+		type var_run_t;
-+	')
-+
+ 	gen_require(`
+ 		type var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:fifo_file write;
 +	exec_files_pattern($1, var_run_t, var_run_t)
 +')
 +
@@ -11976,33 +14365,57 @@ index 64ff4d7..2b01383 100644
 +	')
 +
 +	allow $1 polymember:dir mounton;
- ')
- 
- ########################################
-@@ -6268,8 +7616,8 @@ interface(`files_delete_all_pids',`
- 		type var_t, var_run_t;
- 	')
- 
++')
++
++########################################
++## <summary>
++##	Delete all process IDs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:dir rmdir;
- 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- 	delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7641,80 @@ interface(`files_delete_all_pid_dirs',`
- 		type var_t, var_run_t;
- 	')
- 
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++##	Delete all process ID directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	delete_dirs_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
++	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
 +##	Make the specified type a file
 +##	used for spool files.
 +## </summary>
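Review bot: In `files_delete_all_pids` (L5995, L6005) and `files_delete_all_pid_dirs` (L6029, L6039) the line `allow $1 var_t:dir search_dir_perms;` is redundant right after `files_search_pids($1)`, which already grants `search_dirs_pattern($1, var_t, var_run_t)` (L5568). Dropping the duplicate rule in both interfaces keeps the intent readable: the search access comes from one place. Note that `files_delete_all_pids` carries `<rolecap/>` and removes sock_files of type `var_run_t` as well as `pidfile` (L6010); a short comment explaining why var_run_t sockets are included would help reviewers of role policies.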
@@ -12052,153 +14465,24 @@ index 64ff4d7..2b01383 100644
 +########################################
 +## <summary>
 +##	Create all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain alloed access.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_spool_sockets',`
- 	gen_require(`
--		attribute pidfile;
-+		attribute spoolfile;
- 	')
- 
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
-+##	Delete all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6330,12 +7722,33 @@ interface(`files_manage_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_spool_sockets',`
- 	gen_require(`
--		attribute polymember;
-+		attribute spoolfile;
- 	')
- 
--	allow $1 polymember:dir mounton;
-+	allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel to and from all spool
-+##	directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_spool_dirs',`
++interface(`files_create_all_spool_sockets',`
 +	gen_require(`
 +		attribute spoolfile;
-+		type var_t;
-+	')
-+
-+	relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
- 
- ########################################
-@@ -6562,3 +7975,491 @@ interface(`files_unconfined',`
- 
- 	typeattribute $1 files_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
-+##	Create a core files in /
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Create a core file in /,
-+##	</p>
-+## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_manage_root_files',`
-+	gen_require(`
-+		type root_t;
 +	')
 +
-+	manage_files_pattern($1, root_t, root_t)
-+')
-+
-+########################################
-+## <summary>
-+##     Create a default directory
-+## </summary>
-+## <desc>
-+##     <p>
-+##     Create a default_t direcrory
-+##     </p>
-+## </desc>
-+## <param name="domain">
-+##     <summary>
-+##     Domain allowed access.
-+##     </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_create_default_dir',`
-+       gen_require(`
-+               type default_t;
-+       ')
-+
-+       allow $1 default_t:dir create;
-+')
-+
-+########################################
-+## <summary>
-+##	Create, default_t objects with an automatic
-+##	type transition.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="object">
-+##	<summary>
-+##	The class of the object being created.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_root_filetrans_default',`
-+       gen_require(`
-+               type root_t, default_t;
-+       ')
-+
-+       filetrans_pattern($1, root_t, default_t, $2)
++	allow $1 spoolfile:sock_file create_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	manage generic symbolic links
-+##	in the /var/run directory.
++##	Delete all spool sockets
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -12206,54 +14490,59 @@ index 64ff4d7..2b01383 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_generic_pids_symlinks',`
++interface(`files_delete_all_spool_sockets',`
 +	gen_require(`
-+		type var_run_t;
++		attribute spoolfile;
 +	')
 +
-+	manage_lnk_files_pattern($1,var_run_t,var_run_t)
++	allow $1 spoolfile:sock_file delete_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to getattr
-+##	all tmpfs files.
++##	Relabel to and from all spool
++##	directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_dontaudit_getattr_tmpfs_files',`
++interface(`files_relabel_all_spool_dirs',`
 +	gen_require(`
-+		attribute tmpfsfile;
++		attribute spoolfile;
++		type var_t;
 +	')
 +
-+	allow $1 tmpfsfile:file getattr;
++	relabel_dirs_pattern($1, spoolfile, spoolfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow read write all tmpfs files
++##	Search the contents of generic spool
++##	directories (/var/spool).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_tmpfs_files',`
++interface(`files_search_spool',`
 +	gen_require(`
-+		attribute tmpfsfile;
++		type var_t, var_spool_t;
 +	')
 +
-+	allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read security files 
++	search_dirs_pattern($1, var_t, var_spool_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the process ID directory, with a private type.
++##	Do not audit attempts to search generic
++##	spool directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
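Review bot: `files_relabel_all_spool_dirs` (L6236–L6245) requires `type var_t;` at L6240 but its body only calls `relabel_dirs_pattern($1, spoolfile, spoolfile)`, so the require is unused and should be removed to match `files_delete_all_spool_sockets` directly above it, which requires only `attribute spoolfile;`. If the intent was to let the domain reach /var/spool, the missing piece would instead be `files_search_spool($1)` (defined at L6261 in this same hunk), which supplies the var_t search. Either fix is one line; as written the interface neither uses var_t nor grants traversal to it.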
@@ -12261,193 +14550,687 @@ index 64ff4d7..2b01383 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_read_security_files',`
++interface(`files_dontaudit_search_spool',`
 +	gen_require(`
-+		attribute security_file_type;
++		type var_spool_t;
 +	')
 +
-+	dontaudit $1 security_file_type:file read_file_perms;
++	dontaudit $1 var_spool_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	rw any files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="object_type">
-+##  <summary>
-+##  Object type.
-+##  </summary>
-+## </param>
++##	List the contents of generic spool
++##	(/var/spool) directories.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Create an object in the process ID directory (e.g., /var/run)
+-##	with a private type.  Typically this is used for creating
+-##	private PID files in /var/run with the private type instead
+-##	of the general PID file type. To accomplish this goal,
+-##	either the program must be SELinux-aware, or use this interface.
+-##	</p>
+-##	<p>
+-##	Related interfaces:
+-##	</p>
+-##	<ul>
+-##		<li>files_pid_file()</li>
+-##	</ul>
+-##	<p>
+-##	Example usage with a domain that can create and
+-##	write its PID file with a private PID file type in the
+-##	/var/run directory:
+-##	</p>
+-##	<p>
+-##	type mypidfile_t;
+-##	files_pid_file(mypidfile_t)
+-##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
-+interface(`files_rw_all_inherited_files',`
++interface(`files_list_spool',`
 +	gen_require(`
-+		attribute file_type;
++		type var_t, var_spool_t;
 +	')
 +
-+	allow $1 { file_type $2 }:file rw_inherited_file_perms;
-+	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
-+	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
-+	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
++	list_dirs_pattern($1, var_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow any file point to be the entrypoint of this domain
++##	Create, read, write, and delete generic
++##	spool directories (/var/spool).
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The type of the object to be created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
+ ##	</summary>
+ ## </param>
+-## <param name="object">
 +#
-+interface(`files_entrypoint_all_files',`
++interface(`files_manage_generic_spool_dirs',`
 +	gen_require(`
-+		attribute file_type;
++		type var_t, var_spool_t;
 +	')
-+	allow $1 file_type:file entrypoint;
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to rw inherited file perms
-+##	of non security files.
++##	Read generic spool files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
+ ##	<summary>
+-##	The object class of the object being created.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_all_non_security_leaks',`
++interface(`files_read_generic_spool',`
 +	gen_require(`
-+		attribute non_security_file_type;
++		type var_t, var_spool_t;
 +	')
 +
-+	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
++	list_dirs_pattern($1, var_t, var_spool_t)
++	read_files_pattern($1, var_spool_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read or write
-+##	all leaked files.
++##	Create, read, write, and delete generic
++##	spool files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_leaks',`
++interface(`files_manage_generic_spool',`
 +	gen_require(`
-+		attribute file_type;
++		type var_t, var_spool_t;
 +	')
 +
-+	dontaudit $1 file_type:file rw_inherited_file_perms;
-+	dontaudit $1 file_type:lnk_file { read };
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_spool_t, var_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to create_file_ass all types
++##	Create objects in the spool directory
++##	with a private type with a type transition.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+#
-+interface(`files_create_as_is_all_files',`
++## <param name="file">
++##	<summary>
++##	Type to which the created node will be transitioned.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object class(es) (single or set including {}) for which this
++##	the transition will occur.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -6114,44 +8022,165 @@ interface(`files_write_generic_pid_pipes',`
+ ##	The name of the object being created.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`files_pid_filetrans',`
+-	gen_require(`
+-		type var_t, var_run_t;
+-	')
++interface(`files_spool_filetrans',`
 +	gen_require(`
-+		attribute file_type;
-+		class kernel_service create_files_as;
++		type var_t, var_spool_t;
 +	')
 +
-+	allow $1 file_type:kernel_service create_files_as;
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to check the 
-+##	access on all files
++##	Allow access to manage all polyinstantiated
++##	directories on the system.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_all_access_check',`
++interface(`files_polyinstantiate_all',`
 +	gen_require(`
-+		attribute file_type;
++		attribute polydir, polymember, polyparent;
++		type poly_t;
 +	')
 +
-+	dontaudit $1 file_type:dir_file_class_set audit_access;
++	# Need to give access to /selinux/member
++	selinux_compute_member($1)
++
++	# Need sys_admin capability for mounting
++	allow $1 self:capability { chown fsetid sys_admin fowner };
++
++	# Need to give access to the directories to be polyinstantiated
++	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++	# Need to give access to the polyinstantiated subdirectories
++	allow $1 polymember:dir search_dir_perms;
++
++	# Need to give access to parent directories where original
++	# is remounted for polyinstantiation aware programs (like gdm)
++	allow $1 polyparent:dir { getattr mounton };
++
++	# Need to give permission to create directories where applicable
++	allow $1 self:process setfscreate;
++	allow $1 polymember: dir { create setattr relabelto };
++	allow $1 polydir: dir { write add_name open };
++	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++	# Default type for mountpoints
++	allow $1 poly_t:dir { create mounton };
++	fs_unmount_xattr_fs($1)
++
++	fs_mount_tmpfs($1)
++	fs_unmount_tmpfs($1)
++
++	ifdef(`distro_redhat',`
++		# namespace.init
++		files_search_tmp($1)
++		files_search_home($1)
++		corecmd_exec_bin($1)
++		seutil_domtrans_setfiles($1)
++	')
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to write to all files
++##	Unconfined access to files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_write_all_files',`
++interface(`files_unconfined',`
 +	gen_require(`
-+		attribute file_type;
++		attribute files_unconfined_type;
 +	')
 +
-+	dontaudit $1 file_type:dir_file_class_set write;
++	typeattribute $1 files_unconfined_type;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to delete to all files
++##	Create a core files in /
 +## </summary>
++## <desc>
++##	<p>
++##	Create a core file in /,
++##	</p>
++## </desc>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_delete_all_non_security_files',`
++interface(`files_manage_root_files',`
 +	gen_require(`
-+		attribute non_security_file_type;
++		type root_t;
 +	')
 +
-+	allow $1 non_security_file_type:dir del_entry_dir_perms;
-+	allow $1 non_security_file_type:file_class_set delete_file_perms;
++	manage_files_pattern($1, root_t, root_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Transition named content in the var_run_t directory
++##     Create a default directory
 +## </summary>
++## <desc>
++##     <p>
++##     Create a default_t direcrory
++##     </p>
++## </desc>
 +## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
++##     <summary>
++##     Domain allowed access.
++##     </summary>
 +## </param>
++## <rolecap/>
 +#
++interface(`files_create_default_dir',`
++       gen_require(`
++               type default_t;
++       ')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_run_t, $2, $3, $4)
++       allow $1 default_t:dir create;
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create a generic lock directory within the run directories
++##	Create, default_t objects with an automatic
++##	type transition.
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
++##	<summary>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
++## <param name="object">
+ ##	<summary>
+-##	The name of the object being created.
++##	The class of the object being created.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+-	gen_require(`
+-		type var_lock_t;
+-	')
++interface(`files_root_filetrans_default',`
++       gen_require(`
++               type root_t, default_t;
++       ')
+ 
+-	files_pid_filetrans($1, var_lock_t, dir, $2)
++       filetrans_pattern($1, root_t, default_t, $2)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic process ID files.
++##	manage generic symbolic links
++##	in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6159,20 +8188,18 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
++interface(`files_manage_generic_pids_symlinks',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	rw_files_pattern($1, var_run_t, var_run_t)
++	manage_lnk_files_pattern($1,var_run_t,var_run_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	daemon runtime data files.
++##	Do not audit attempts to getattr
++##	all tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6180,19 +8207,17 @@ interface(`files_rw_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
++interface(`files_dontaudit_getattr_tmpfs_files',`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
++		attribute tmpfsfile;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file getattr;
++	allow $1 tmpfsfile:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write to daemon runtime data files.
++##	Allow read write all tmpfs files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6200,18 +8225,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_pids',`
++interface(`files_rw_tmpfs_files',`
+ 	gen_require(`
+-		attribute pidfile;
++		attribute tmpfsfile;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file write;
++	allow $1 tmpfsfile:file { read write };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to ioctl daemon runtime data files.
++##	Do not audit attempts to read security files 
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6219,41 +8243,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
++interface(`files_dontaudit_read_security_files',`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
++		attribute security_file_type;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file ioctl;
++	dontaudit $1 security_file_type:file read_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all process ID files.
++##	rw any files inherited from another process
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
++## <param name="object_type">
++##  <summary>
++##  Object type.
++##  </summary>
++## </param>
+ #
+-interface(`files_read_all_pids',`
++interface(`files_rw_all_inherited_files',`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
++		attribute file_type;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
++	allow $1 { file_type $2 }:file rw_inherited_file_perms;
++	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
++	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
++##	Allow any file point to be the entrypoint of this domain
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6262,67 +8288,55 @@ interface(`files_read_all_pids',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_entrypoint_all_files',`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
++		attribute file_type;
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	allow $1 file_type:file entrypoint;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
++##	Do not audit attempts to rw inherited file perms
++##	of non security files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_dontaudit_all_non_security_leaks',`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
++		attribute non_security_file_type;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	delete_dirs_pattern($1, pidfile, pidfile)
++	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
++##	Do not audit attempts to read or write
++##	all leaked files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
++interface(`files_dontaudit_leaks',`
+ 	gen_require(`
+-		attribute pidfile;
++		attribute file_type;
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
++	dontaudit $1 file_type:file rw_inherited_file_perms;
++	dontaudit $1 file_type:lnk_file { read };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
++##	Allow domain to create_file_ass all types
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6330,37 +8344,37 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_create_as_is_all_files',`
+ 	gen_require(`
+-		attribute polymember;
++		attribute file_type;
++		class kernel_service create_files_as;
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
++	allow $1 file_type:kernel_service create_files_as;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
++##	Do not audit attempts to check the 
++##	access on all files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
++interface(`files_dontaudit_all_access_check',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute file_type;
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
++	dontaudit $1 file_type:dir_file_class_set audit_access;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
++##	Do not audit attempts to write to all files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6368,132 +8382,206 @@ interface(`files_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_dontaudit_write_all_files',`
+ 	gen_require(`
+-		type var_spool_t;
++		attribute file_type;
+ 	')
+ 
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
++	dontaudit $1 file_type:dir_file_class_set write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
++##	Allow domain to delete to all files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
++interface(`files_delete_all_non_security_files',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute non_security_file_type;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
++	allow $1 non_security_file_type:dir del_entry_dir_perms;
++	allow $1 non_security_file_type:file_class_set delete_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
++##	Allow domain to delete to all dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_delete_all_non_security_dirs',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute non_security_file_type;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
++	allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
++##	Transition named content in the var_run_t directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##      Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +        type etc_t;
 +		type mnt_t;
 +		type usr_t;
 +		type tmp_t;
 +		type var_t;
 +		type var_run_t;
++        type var_lock_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
 +	files_pid_filetrans($1, mnt_t, dir, "media")
 +	files_root_filetrans($1, etc_runtime_t, file, ".readahead")
 +	files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -12459,6 +15242,8 @@ index 64ff4d7..2b01383 100644
 +	files_root_filetrans($1, usr_t, dir, "emul")
 +	files_root_filetrans($1, var_t, dir, "srv")
 +	files_root_filetrans($1, var_run_t, dir, "run")
++	files_root_filetrans($1, var_run_t, lnk_file, "run")
++	files_root_filetrans($1, var_lock_t, lnk_file, "lock")
 +	files_root_filetrans($1, tmp_t, dir, "sandbox")
 +	files_root_filetrans($1, tmp_t, dir, "tmp")
 +	files_root_filetrans($1, var_t, dir, "nsr")
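Review bot: The two new lnk_file transitions are keyed on root_t as the parent, so they only fire when a `run` or `lock` symlink is created directly under `/`; if the intent is the usual `/var/run` and `/var/lock` symlinks, the parent directory is var_t and the rules should read `files_var_filetrans($1, var_run_t, lnk_file, "run")` and `files_var_filetrans($1, var_lock_t, lnk_file, "lock")`. The following hunk adds a var_t-parented dir transition for "run", which suggests /var is the target rather than the root directory. Confirm which path the motivating denial was for before keeping root_t here. files_filetrans_named_content starts outside this hunk.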
@@ -12481,13 +15266,17 @@ index 64ff4d7..2b01383 100644
 +	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
-+')
-+
-+########################################
-+## <summary>
++    files_var_filetrans($1, var_run_t, dir, "run")
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
 +##	Make the specified type a
 +##	base file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <desc>
 +##	<p>
 +##	Identify file type as base file type.  Tools will use this attribute,
@@ -12495,35 +15284,51 @@ index 64ff4d7..2b01383 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a base files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <infoflow type="none"/>
-+#
+ #
+-interface(`files_manage_generic_spool',`
 +interface(`files_base_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
 +	files_type($1)
 +	typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
 +##	Make the specified type a
 +##	base read only file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="file">
 +## <desc>
 +##	<p>
 +##	Make the specified type readable for all domains.
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Type to which the created node will be transitioned.
 +##	Type to be used as a base read only files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="class">
 +## <infoflow type="none"/>
 +#
 +interface(`files_ro_base_file',`
@@ -12539,10 +15344,13 @@ index 64ff4d7..2b01383 100644
 +##	Read all ro base files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <rolecap/>
 +#
 +interface(`files_read_all_base_ro_files',`
@@ -12560,58 +15368,108 @@ index 64ff4d7..2b01383 100644
 +##	Execute all base ro files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`files_spool_filetrans',`
 +interface(`files_exec_all_base_ro_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_ro_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Allow the specified domain to modify the systemd configuration of 
 +##	any file.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6501,53 +8589,17 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
 +interface(`files_config_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
+-
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
+-	')
 +	allow $1 file_type:service all_service_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to files.
 +##	Get the status of etc_t files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6555,10 +8607,10 @@ interface(`files_polyinstantiate_all',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
 +interface(`files_status_etc',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute files_unconfined_type;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	typeattribute $1 files_unconfined_type;
 +	allow $1 etc_t:service status;
-+')
+ ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 148d87a..ccbcb66 100644
+index 148d87a..b5a89ba 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
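Review bot: The regenerated patch now places upstream `files_spool_filetrans`, `files_polyinstantiate_all` and `files_unconfined` on the removed side of this hunk with no replacement visible, which would break every caller of those interfaces if they are not re-added in another hunk; `files_unconfined` in particular is what assigns files_unconfined_type, which files.te still uses later in this same chunk. Presumably the diff algorithm just paired unrelated interfaces across a large reorganisation and they reappear elsewhere, but that should be confirmed by a build of the patched policy rather than assumed. A one-line comment in the patch description naming where they moved would spare the next rebase the same question. The affected interfaces begin in the preceding hunk, so only part of their removal is visible here.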
@@ -12631,7 +15489,7 @@ index 148d87a..ccbcb66 100644
  
  # For labeling types that are to be polyinstantiated
  attribute polydir;
-@@ -48,28 +52,45 @@ attribute usercanread;
+@@ -48,31 +52,46 @@ attribute usercanread;
  #
  type boot_t;
  files_mountpoint(boot_t)
@@ -12675,11 +15533,15 @@ index 148d87a..ccbcb66 100644
  # generated during initialization.
  #
 -type etc_runtime_t;
+-files_type(etc_runtime_t)
+-#Temporarily in policy until FC5 dissappears
+-typealias etc_runtime_t alias firstboot_rw_t;
 +type etc_runtime_t, configfile;
- files_type(etc_runtime_t)
- #Temporarily in policy until FC5 dissappears
- typealias etc_runtime_t alias firstboot_rw_t;
-@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
++files_ro_base_file(etc_runtime_t)
+ 
+ #
+ # file_t is the default type of a file that has not yet been
+@@ -81,6 +100,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
  #
  type file_t;
  files_mountpoint(file_t)
@@ -12687,7 +15549,7 @@ index 148d87a..ccbcb66 100644
  kernel_rootfs_mountpoint(file_t)
  sid file gen_context(system_u:object_r:file_t,s0)
  
-@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
+@@ -89,6 +109,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
  # are created
  #
  type home_root_t;
@@ -12695,7 +15557,7 @@ index 148d87a..ccbcb66 100644
  files_mountpoint(home_root_t)
  files_poly_parent(home_root_t)
  
-@@ -96,12 +119,13 @@ files_poly_parent(home_root_t)
+@@ -96,12 +117,13 @@ files_poly_parent(home_root_t)
  # lost_found_t is the type for the lost+found directories.
  #
  type lost_found_t;
@@ -12710,7 +15572,7 @@ index 148d87a..ccbcb66 100644
  files_mountpoint(mnt_t)
  
  #
-@@ -123,6 +147,7 @@ files_type(readable_t)
+@@ -123,6 +145,7 @@ files_type(readable_t)
  # root_t is the type for rootfs and the root directory.
  #
  type root_t;
@@ -12718,7 +15580,7 @@ index 148d87a..ccbcb66 100644
  files_mountpoint(root_t)
  files_poly_parent(root_t)
  kernel_rootfs_mountpoint(root_t)
-@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,52 +156,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
  #
  type src_t;
  files_mountpoint(src_t)
@@ -12782,7 +15644,7 @@ index 148d87a..ccbcb66 100644
  files_pid_file(var_run_t)
  files_mountpoint(var_run_t)
  
-@@ -186,7 +222,9 @@ files_mountpoint(var_run_t)
+@@ -186,7 +220,9 @@ files_mountpoint(var_run_t)
  # var_spool_t is the type of /var/spool
  #
  type var_spool_t;
@@ -12792,7 +15654,7 @@ index 148d87a..ccbcb66 100644
  
  ########################################
  #
-@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -225,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile)
  # Create/access any file in a labeled filesystem;
  allow files_unconfined_type file_type:{ file chr_file } ~execmod;
  allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
@@ -14256,7 +17118,7 @@ index 8416beb..c6cd3eb 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..1198b51 100644
+index 9e603f5..3b8dd74 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@@ -14279,12 +17141,13 @@ index 9e603f5..1198b51 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t)
  files_mountpoint(binfmt_misc_fs_t)
  genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
  
 +type oracleasmfs_t;
 +fs_type(oracleasmfs_t)
++dev_node(oracleasmfs_t)
 +files_mountpoint(oracleasmfs_t)
 +genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
 +
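Review bot: `dev_node(oracleasmfs_t)` makes a filesystem type also carry the device_node attribute, so every interface written against all device nodes (the dev_*_all_dev_nodes family) now reaches oracleasmfs content as well as the fs_type rules already applied to it; nothing in the hunk records why that is wanted. Presumably it is because the filesystem is mounted under /dev and udev-style tooling expects to treat its entries as devices, but that is an inference. A short comment above the line, e.g. `# treated as a device node so device-managing domains can handle its entries`, would make the intent reviewable the next time someone audits the device_node attribute.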
@@ -14298,7 +17161,7 @@ index 9e603f5..1198b51 100644
  fs_type(cgroup_t)
  files_type(cgroup_t)
  files_mountpoint(cgroup_t)
-@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -89,6 +99,11 @@ fs_noxattr_type(ecryptfs_t)
  files_mountpoint(ecryptfs_t)
  genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
  
@@ -14310,7 +17173,7 @@ index 9e603f5..1198b51 100644
  type futexfs_t;
  fs_type(futexfs_t)
  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +111,7 @@ type hugetlbfs_t;
+@@ -97,6 +112,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -14318,7 +17181,7 @@ index 9e603f5..1198b51 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -119,12 +135,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -14336,7 +17199,7 @@ index 9e603f5..1198b51 100644
  type ramfs_t;
  fs_type(ramfs_t)
  files_mountpoint(ramfs_t)
-@@ -145,11 +165,6 @@ fs_type(spufs_t)
+@@ -145,11 +166,6 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -14348,7 +17211,7 @@ index 9e603f5..1198b51 100644
  type sysv_t;
  fs_noxattr_type(sysv_t)
  files_mountpoint(sysv_t)
-@@ -167,6 +182,8 @@ type vxfs_t;
+@@ -167,6 +183,8 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -14357,7 +17220,7 @@ index 9e603f5..1198b51 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +193,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +194,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -14366,7 +17229,7 @@ index 9e603f5..1198b51 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +275,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -14375,7 +17238,7 @@ index 9e603f5..1198b51 100644
  files_mountpoint(removable_t)
  
  #
-@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +296,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -14392,7 +17255,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..d47750f 100644
+index 649e458..3270372 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -14404,6 +17267,16 @@ index 649e458..d47750f 100644
  ')
  
  ########################################
+@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',`
+ 	')
+ 
+ 	manage_files_pattern($1, debugfs_t, debugfs_t)
++    manage_dirs_pattern($1,debugfs_t, debugfs_t)
+ 	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+-	list_dirs_pattern($1, debugfs_t, debugfs_t)
+ ')
+ 
+ ########################################
 @@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
  
  ########################################
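Review bot: Swapping `list_dirs_pattern` for `manage_dirs_pattern` grows kernel_manage_debugfs from listing debugfs directories to creating and removing them, which is consistent with a "manage" interface but goes beyond what the interface's summary (outside this hunk) described; update that summary to mention directories. The new line also uses four spaces and no space after the first comma where the neighbouring rules use a tab and `, `: `	manage_dirs_pattern($1, debugfs_t, debugfs_t)`. The enclosing interface starts outside the hunk.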
@@ -14470,7 +17343,59 @@ index 649e458..d47750f 100644
  ')
  
  ########################################
-@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to check the 
++##	access on generic proc entries.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`kernel_dontaudit_access_check_proc',`
++	gen_require(`
++		type proc_t;
++	')
++
++	dontaudit $1 proc_t:dir_file_class_set audit_access;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts by caller to
+ ##	read system state information in proc.
+ ## </summary>
+@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',`
+ 
+ ########################################
+ ## <summary>
++##	Allow caller to read kernel messages
++##	using the /proc/kmsg interface.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_mounton_messages',`
++	gen_require(`
++		type proc_kmsg_t, proc_t;
++	')
++
++    allow $1 proc_kmsg_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Allow caller to get the attributes of kernel message
+ ##	interface (/proc/kmsg).
+ ## </summary>
+@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
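Review bot: The new `kernel_mounton_messages` summary says it allows reading kernel messages through /proc/kmsg, but the body grants only `proc_kmsg_t:dir mounton`, and `proc_t` is listed in gen_require without being used. Since /proc/kmsg is a file, a bind mount placed over it is presumably checked against the file class, so the rule wanted is likely `allow $1 proc_kmsg_t:file mounton;` — confirm against the AVC that motivated it. The summary should then read `##	Allow caller to mount on the kernel message interface (/proc/kmsg).`, `proc_t` should be dropped from gen_require, and the allow line should be tab-indented like the rest of the file.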
@@ -14495,7 +17420,7 @@ index 649e458..d47750f 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2174,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -14504,7 +17429,7 @@ index 649e458..d47750f 100644
  ')
  
  ########################################
-@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2371,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -14530,7 +17455,7 @@ index 649e458..d47750f 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2414,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14539,7 +17464,7 @@ index 649e458..d47750f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2596,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -14564,7 +17489,7 @@ index 649e458..d47750f 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2651,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -14589,7 +17514,7 @@ index 649e458..d47750f 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2776,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
  	allow $1 unlabeled_t:association { sendto recvfrom };
  
  	# temporary hack until labeling on packets is supported
@@ -14598,7 +17523,7 @@ index 649e458..d47750f 100644
  ')
  
  ########################################
-@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2814,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -14623,7 +17548,7 @@ index 649e458..d47750f 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2859,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -14649,7 +17574,7 @@ index 649e458..d47750f 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2987,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -14683,7 +17608,7 @@ index 649e458..d47750f 100644
  
  ########################################
  ## <summary>
-@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3169,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -14708,7 +17633,7 @@ index 649e458..d47750f 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3201,300 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -15011,7 +17936,7 @@ index 649e458..d47750f 100644
 +	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..5a087a7 100644
+index 6fac350..cdc610d 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -15192,18 +18117,19 @@ index 6fac350..5a087a7 100644
  ')
  
  optional_policy(`
-@@ -312,6 +368,10 @@ optional_policy(`
+@@ -312,6 +368,11 @@ optional_policy(`
  ')
  
  optional_policy(`
 +    plymouthd_create_log(kernel_t)
++    plymouthd_filetrans_named_content(kernel_t)
 +')
 +
 +optional_policy(`
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +392,6 @@ optional_policy(`
+@@ -332,9 +393,6 @@ optional_policy(`
  
  	sysnet_read_config(kernel_t)
  
@@ -15213,7 +18139,7 @@ index 6fac350..5a087a7 100644
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +400,7 @@ optional_policy(`
+@@ -343,9 +401,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -15224,7 +18150,7 @@ index 6fac350..5a087a7 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +409,7 @@ optional_policy(`
+@@ -354,7 +410,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -15233,7 +18159,7 @@ index 6fac350..5a087a7 100644
  	')
  ')
  
-@@ -367,6 +422,15 @@ optional_policy(`
+@@ -367,6 +423,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -15249,7 +18175,7 @@ index 6fac350..5a087a7 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +474,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -15763,10 +18689,18 @@ index 522ab32..cb9c3a2 100644
  	')
  }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..cc2de1a 100644
+index 54f1827..39faa3f 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
-@@ -23,12 +23,15 @@
+@@ -7,6 +7,7 @@
+ /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/[shmxv]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/bcache[0-9]+	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
+ /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+@@ -23,12 +24,15 @@
  /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
  /dev/hwcdrom		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -15783,7 +18717,7 @@ index 54f1827..cc2de1a 100644
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +54,8 @@ ifdef(`distro_redhat', `
+@@ -51,7 +55,8 @@ ifdef(`distro_redhat', `
  /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
@@ -15793,7 +18727,7 @@ index 54f1827..cc2de1a 100644
  /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
  /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +85,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +86,6 @@ ifdef(`distro_redhat', `
  
  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
@@ -15801,7 +18735,7 @@ index 54f1827..cc2de1a 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..38b597e 100644
+index 1700ef2..13caedd 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -15930,7 +18864,7 @@ index 1700ef2..38b597e 100644
  ########################################
  ## <summary>
  ##	Allow the caller to directly read
-@@ -808,3 +892,401 @@ interface(`storage_unconfined',`
+@@ -808,3 +892,452 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -16031,6 +18965,16 @@ index 1700ef2..38b597e 100644
 +	dev_filetrans($1, removable_device_t, blk_file, "cm207")
 +	dev_filetrans($1, removable_device_t, blk_file, "cm208")
 +	dev_filetrans($1, removable_device_t, blk_file, "cm209")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
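Review bot: The named transitions cover only bcache0 through bcache9, while the storage.fc entry added earlier in this chunk matches `/dev/bcache[0-9]+`, so a bcache10 or higher node created by name through this interface would land in the parent's default type until a relabel. That is the same limitation the md and sg lists already have, so it may be acceptable, but it should be stated: `# named transitions cover bcache0-9 only; storage.fc matches any index`. The enclosing interface begins and ends outside this hunk.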
@@ -16265,6 +19209,47 @@ index 1700ef2..38b597e 100644
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr0")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr1")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr2")
@@ -16347,16 +19332,17 @@ index 156c333..02f5a3c 100644
 +	dev_manage_generic_blk_files(fixed_disk_raw_write)
 +')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..22c9cfe 100644
+index 7d45d15..a3e5a1e 100644
 --- a/policy/modules/kernel/terminal.fc
 +++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,12 @@
+@@ -14,11 +14,13 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 -/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
++/dev/sclp_line[0-9]+    -c  gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
  /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 +/dev/ttyUSB[0-9]+	-c	gen_context(system_u:object_r:usbtty_device_t,s0)
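Review bot: The added `/dev/sclp_line[0-9]+` entry separates its fields with spaces, while every neighbouring line in terminal.fc uses tabs, and it is placed after `/dev/slamr[0-9]+` although it sorts before it. Both are cosmetic, but they make the entry stand out in the rendered file; `/dev/sclp_line[0-9]+\t-c\tgen_context(system_u:object_r:tty_device_t,s0)` inserted above the slamr line matches the surrounding style.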
@@ -16364,7 +19350,7 @@ index 7d45d15..22c9cfe 100644
  /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  
  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +43,7 @@ ifdef(`distro_gentoo',`
  # used by init scripts to initally populate udev /dev
  /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
  ')
@@ -16373,7 +19359,7 @@ index 7d45d15..22c9cfe 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..5bbf50b 100644
+index 771bce1..e3722ab 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -16600,7 +19586,33 @@ index 771bce1..5bbf50b 100644
  ##	</summary>
  ## </param>
  #
-@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',`
+ 
+ ########################################
+ ## <summary>
++##	Mounton unallocated tty device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`term_mounton_unallocated_ttys',`
++	gen_require(`
++		type tty_device_t;
++	')
++
++	allow $1 tty_device_t:chr_file mounton;
++')
++
++########################################
++## <summary>
+ ##	Relabel from all user tty types to
+ ##	the unallocated tty type.
+ ## </summary>
+@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
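Review bot: `term_mounton_unallocated_ttys` is tagged `<rolecap/>`, which advertises it as a capability user roles may be granted, yet it allows `mounton` on every chr_file labelled tty_device_t; if only a system service needs this, the tag is probably unintended and should be dropped, otherwise the summary should say which role-level use case it serves. The summary also reads `Mounton unallocated tty device nodes.` — `Mount on unallocated tty device nodes.` is clearer. The new interface is complete within the hunk; the trailing context lines belong to term_dontaudit_use_unallocated_ttys, which continues outside it.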
@@ -16649,7 +19661,7 @@ index 771bce1..5bbf50b 100644
  ')
  
  ########################################
-@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -16663,7 +19675,7 @@ index 771bce1..5bbf50b 100644
  ')
  
  ########################################
-@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -16676,7 +19688,7 @@ index 771bce1..5bbf50b 100644
  ')
  
  ########################################
-@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -16705,7 +19717,7 @@ index 771bce1..5bbf50b 100644
  ')
  
  ########################################
-@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -16714,7 +19726,7 @@ index 771bce1..5bbf50b 100644
  ')
  
  ########################################
-@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -16723,7 +19735,7 @@ index 771bce1..5bbf50b 100644
  ##	</summary>
  ## </param>
  #
-@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1712,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -17219,7 +20231,7 @@ index 0000000..48caabc
 +allow domain unlabeled_t:packet { send recv };
 +
 diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
-index 834a065..c769f81 100644
+index 834a065..ff93697 100644
 --- a/policy/modules/roles/auditadm.te
 +++ b/policy/modules/roles/auditadm.te
 @@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
@@ -17231,10 +20243,12 @@ index 834a065..c769f81 100644
  
  ########################################
  #
-@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
+@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
  
  domain_kill_all_domains(auditadm_t)
  
++mls_file_read_all_levels(auditadm_t)
++
 +selinux_read_policy(auditadm_t)
 +
  logging_send_syslog_msg(auditadm_t)
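Review bot: `mls_file_read_all_levels(auditadm_t)` exempts auditadm_t from the MLS read-up constraint on files, a significant privilege for the audit-admin role, and the hunk leaves it unexplained. A why-comment above it, such as `# read audit logs labelled above the session level (TODO: cite the denial or bug)`, would let later reviewers judge whether the exemption is still required. The rest of auditadm_t's rules are outside the hunk.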
@@ -17274,10 +20288,10 @@ index 3a45a3e..7499f24 100644
 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
  logging_admin(logadm_t, logadm_r)
 diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da11120..d67bcca 100644
+index da11120..621ec5a 100644
 --- a/policy/modules/roles/secadm.te
 +++ b/policy/modules/roles/secadm.te
-@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
+@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
  
  role secadm_r;
  
@@ -17287,10 +20301,24 @@ index da11120..d67bcca 100644
 +userdom_security_admin(secadm_t, secadm_r)
 +userdom_inherit_append_admin_home_files(secadm_t)
 +userdom_read_admin_home_files(secadm_t)
++userdom_manage_tmp_role(secadm_r, secadm_t)
  
  ########################################
  #
-@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
+ 
+ allow secadm_t self:capability { dac_read_search dac_override };
+ 
++kernel_read_system_state(secadm_t)
++
+ corecmd_exec_shell(secadm_t)
+ 
+ dev_relabel_all_dev_nodes(secadm_t)
++dev_read_urand(secadm_t)
+ 
+ domain_obj_id_change_exemption(secadm_t)
+ 
+@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
  mls_file_downgrade(secadm_t)
  
  auth_role(secadm_r, secadm_t)
@@ -17311,7 +20339,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..4f46291 100644
+index 5da7870..5247b99 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
@@ -17386,7 +20414,7 @@ index 5da7870..4f46291 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +82,110 @@ optional_policy(`
+@@ -23,11 +82,114 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17431,6 +20459,10 @@ index 5da7870..4f46291 100644
 +')
 +
 +optional_policy(`
++	freqset_run(staff_t, staff_r)
++')
++
++optional_policy(`
 +	gnome_role(staff_r, staff_t)
 +')
 +
@@ -17498,7 +20530,7 @@ index 5da7870..4f46291 100644
  ')
  
  optional_policy(`
-@@ -35,15 +193,31 @@ optional_policy(`
+@@ -35,15 +197,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17532,7 +20564,7 @@ index 5da7870..4f46291 100644
  ')
  
  optional_policy(`
-@@ -52,10 +226,55 @@ optional_policy(`
+@@ -52,11 +230,61 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17577,6 +20609,10 @@ index 5da7870..4f46291 100644
  ')
  
  optional_policy(`
++    vmtools_run_helper(staff_t, staff_r)
++')
++
++optional_policy(`
 +	vnstatd_read_lib_files(staff_t)
 +')
 +
@@ -17586,9 +20622,11 @@ index 5da7870..4f46291 100644
 +
 +optional_policy(`
  	xserver_role(staff_r, staff_t)
++	xserver_read_log(staff_t)
  ')
  
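Review bot: The new `vmtools_run_helper(staff_t, staff_r)` block is indented with four spaces, whereas every other `optional_policy` body in staff.te uses a tab; the same space-indented block recurs in the sysadm.te, unconfineduser.te and unprivuser.te hunks of this diff, and the unprivuser.te hunk also leaves two consecutive blank lines before its block. Re-indenting with a tab, `\tvmtools_run_helper(staff_t, staff_r)`, keeps these files consistent with their neighbours.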
-@@ -65,10 +284,6 @@ ifndef(`distro_redhat',`
+ ifndef(`distro_redhat',`
+@@ -65,10 +293,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17599,7 +20637,7 @@ index 5da7870..4f46291 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +293,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +302,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -17610,7 +20648,7 @@ index 5da7870..4f46291 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +312,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +321,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17621,7 +20659,7 @@ index 5da7870..4f46291 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +332,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +341,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17632,7 +20670,7 @@ index 5da7870..4f46291 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +344,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +353,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17643,7 +20681,7 @@ index 5da7870..4f46291 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +375,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +384,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -17695,7 +20733,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..f520b74 100644
+index 88d0028..4a77968 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -18204,7 +21242,7 @@ index 88d0028..f520b74 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +575,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +575,79 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18271,6 +21309,10 @@ index 88d0028..f520b74 100644
 +		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
 +	')
 +
++    optional_policy(`
++        vmtools_run_helper(sysadm_t, sysadm_r)
++    ')
++
 +	optional_policy(`
 +		vmware_role(sysadm_r, sysadm_t)
 +	')
@@ -18344,11 +21386,11 @@ index 0000000..0e8654b
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
-index 0000000..cf6582f
+index 0000000..b1163a6
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,613 @@
-+## <summary>Unconfiend user role</summary>
+@@ -0,0 +1,637 @@
++## <summary>Unconfined user role</summary>
 +
 +########################################
 +## <summary>
@@ -18961,12 +22003,36 @@ index 0000000..cf6582f
 +	allow $1 self:tun_socket relabelto;
 +')
 +
++########################################
++## <summary>
++##	Allow domain to transition to unconfined_t user
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="entrypoint">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_transition',`
++	gen_require(`
++		type unconfined_t;
++	')
++
++	domtrans_pattern($1,$2,unconfined_t)
++	allow unconfined_t $2:file entrypoint;
++	allow $1 unconfined_t:process signal_perms;
++')
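Review bot: The `entrypoint` parameter of the new `unconfined_transition` interface is documented as `Domain allowed access.`, a copy of the `domain` parameter text, although it is the file type used as entry point; `##\tThe type of the executable used as entry point into unconfined_t.` describes it. Because the interface lets any caller domain transition into the unconfined user domain, the summary should also state that it is a privilege escalation for the caller and is intended for a limited set of callers. If `domtrans_pattern` expands as in refpolicy's misc_patterns.spt it already grants `allow unconfined_t $2:file entrypoint;`, so the explicit allow on the following line appears redundant — harmless, but worth confirming.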
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..539c163
+index 0000000..b126e2b
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,332 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -19127,6 +22193,10 @@ index 0000000..539c163
 +		sandbox_x_transition(unconfined_t, unconfined_r)
 +	')
 +
++    optional_policy(`
++        vmtools_run_helper(unconfined_t, unconfined_r)
++    ')
++
 +	optional_policy(`
 +		gen_require(`
 +			type user_tmpfs_t;
@@ -19306,7 +22376,7 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index cdfddf4..ad1f001 100644
+index cdfddf4..c3271fb 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
 @@ -1,5 +1,12 @@
@@ -19314,7 +22384,7 @@ index cdfddf4..ad1f001 100644
  
 +## <desc>
 +## <p>
-+## Allow unprivledged user to create and transition to svirt domains.
++## Allow unprivileged user to create and transition to svirt domains.
 +## </p>
 +## </desc>
 +gen_tunable(unprivuser_use_svirt, false)
@@ -19322,7 +22392,7 @@ index cdfddf4..ad1f001 100644
  # this module should be named user, but that is
  # a compile error since user is a keyword.
  
-@@ -12,12 +19,100 @@ role user_r;
+@@ -12,12 +19,102 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -19335,6 +22405,8 @@ index cdfddf4..ad1f001 100644
 +storage_read_scsi_generic(user_t)
 +storage_write_scsi_generic(user_t)
 +
++seutil_read_module_store(user_t)
++
 +init_dbus_chat(user_t)
 +init_status(user_t)
 +
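Review bot: `seutil_read_module_store(user_t)` gives every unprivileged user domain read access to the SELinux module store, and nothing in the hunk records which tool needs it. A short why-comment above the line, naming the userspace utility or the bug that motivated it (`# needed by <tool> to read the module store — TODO: cite`), would let a later reviewer decide whether exposing module contents to unprivileged users is still justified. The surrounding rules for user_t continue outside the hunk.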
@@ -19424,7 +22496,7 @@ index cdfddf4..ad1f001 100644
  ')
  
  optional_policy(`
-@@ -25,6 +120,18 @@ optional_policy(`
+@@ -25,6 +122,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19443,7 +22515,7 @@ index cdfddf4..ad1f001 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -102,10 +209,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +211,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19454,7 +22526,7 @@ index cdfddf4..ad1f001 100644
  		postgresql_role(user_r, user_t)
  	')
  
-@@ -128,7 +231,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +233,6 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		ssh_role_template(user, user_r, user_t)
  	')
@@ -19462,11 +22534,15 @@ index cdfddf4..ad1f001 100644
  	optional_policy(`
  		su_role_template(user, user_r, user_t)
  	')
-@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
+@@ -161,3 +265,19 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
 +
++optional_policy(`
++    vmtools_run_helper(user_t, user_r)
++')
++
 +
 +optional_policy(`
 +	virt_transition_svirt(user_t, user_r)
@@ -19843,7 +22919,7 @@ index 9d2f311..9e87525 100644
 +	postgresql_filetrans_named_content($1)
  ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..3e23acb 100644
+index 346d011..19dfc1f 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,25 +19,32 @@ gen_require(`
@@ -19917,7 +22993,13 @@ index 346d011..3e23acb 100644
  manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
  logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
  
-@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t)
+@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
+ files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
+ 
+ kernel_read_kernel_sysctls(postgresql_t)
++kernel_read_network_state(postgresql_t)
+ kernel_read_system_state(postgresql_t)
+ kernel_list_proc(postgresql_t)
  kernel_read_all_sysctls(postgresql_t)
  kernel_read_proc_symlinks(postgresql_t)
  
@@ -19925,7 +23007,7 @@ index 346d011..3e23acb 100644
  corenet_all_recvfrom_netlabel(postgresql_t)
  corenet_tcp_sendrecv_generic_if(postgresql_t)
  corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
  domain_use_interactive_fds(postgresql_t)
  
  files_dontaudit_search_home(postgresql_t)
@@ -19935,15 +23017,19 @@ index 346d011..3e23acb 100644
  files_read_etc_runtime_files(postgresql_t)
  files_read_usr_files(postgresql_t)
  
-@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t)
+@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
  logging_send_syslog_msg(postgresql_t)
  logging_send_audit_msgs(postgresql_t)
  
 -miscfiles_read_localization(postgresql_t)
- 
+-
  seutil_libselinux_linked(postgresql_t)
  seutil_read_default_contexts(postgresql_t)
-@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t)
+ 
++sysnet_use_ldap(postgresql_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+ userdom_dontaudit_search_user_home_dirs(postgresql_t)
  userdom_dontaudit_use_user_terminals(postgresql_t)
  
  optional_policy(`
@@ -19963,7 +23049,7 @@ index 346d011..3e23acb 100644
  	allow postgresql_t self:process execmem;
  ')
  
-@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
  # It is always allowed to operate temporary objects for any database client.
  allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
  
@@ -20020,7 +23106,7 @@ index 346d011..3e23acb 100644
  	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
  ')
  
-@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
  
@@ -20029,7 +23115,7 @@ index 346d011..3e23acb 100644
  	allow sepgsql_admin_type sepgsql_database_type:db_database *;
  
  	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
  allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -20096,7 +23182,7 @@ index 76d9f66..5c271ce 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..c0413e8 100644
+index fe0c682..e8dcfa7 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -20347,7 +23433,7 @@ index fe0c682..c0413e8 100644
  	allow ssh_t $3:unix_stream_socket rw_socket_perms;
  	allow ssh_t $3:unix_stream_socket connectto;
 +	allow ssh_t $3:key manage_key_perms;
-+	allow $3 ssh_t:key read;
++	allow $3 ssh_t:key { write search read view };
  
  	# user can manage the keys and config
  	manage_files_pattern($3, ssh_home_t, ssh_home_t)
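Review bot: The change from `allow $3 ssh_t:key read;` to `allow $3 ssh_t:key { write search read view };` lets the user domain modify ssh_t's keyring rather than only read it, and the hunk gives no reason for the widening. A comment above it naming the operation that failed (`# user domain must update/search the ssh_t keyring — TODO: cite denial`) would document the intent; if only `search` and `view` were missing, `write` should be dropped. The enclosing interface starts and ends outside the hunk.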
@@ -20796,10 +23882,10 @@ index fe0c682..c0413e8 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..692569b 100644
+index 5fc0391..d6519a1 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3)
+@@ -6,43 +6,62 @@ policy_module(ssh, 2.3.3)
  #
  
  ## <desc>
@@ -20856,6 +23942,7 @@ index 5fc0391..692569b 100644
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
 +mls_trusted_object(sshd_t)
++mls_process_write_all_levels(sshd_t)
  
 -type sshd_key_t;
 -files_type(sshd_key_t)
@@ -20876,7 +23963,7 @@ index 5fc0391..692569b 100644
  
  type ssh_t;
  type ssh_exec_t;
-@@ -73,6 +91,11 @@ type ssh_home_t;
+@@ -73,6 +92,11 @@ type ssh_home_t;
  typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  userdom_user_home_content(ssh_home_t)
@@ -20888,7 +23975,7 @@ index 5fc0391..692569b 100644
  
  ##############################
  #
-@@ -83,6 +106,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +107,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -20896,7 +23983,7 @@ index 5fc0391..692569b 100644
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +114,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +115,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -20913,7 +24000,7 @@ index 5fc0391..692569b 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +127,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +128,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -20961,7 +24048,7 @@ index 5fc0391..692569b 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -154,40 +183,46 @@ files_read_var_files(ssh_t)
+@@ -154,40 +184,46 @@ files_read_var_files(ssh_t)
  logging_send_syslog_msg(ssh_t)
  logging_read_generic_logs(ssh_t)
  
@@ -21027,7 +24114,7 @@ index 5fc0391..692569b 100644
  ')
  
  optional_policy(`
-@@ -195,6 +230,7 @@ optional_policy(`
+@@ -195,6 +231,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -21035,7 +24122,7 @@ index 5fc0391..692569b 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -206,6 +242,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +243,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  allow ssh_keysign_t sshd_key_t:file { getattr read };
  
  dev_read_urand(ssh_keysign_t)
@@ -21043,7 +24130,7 @@ index 5fc0391..692569b 100644
  
  files_read_etc_files(ssh_keysign_t)
  
-@@ -223,33 +260,54 @@ optional_policy(`
+@@ -223,33 +261,55 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -21056,12 +24143,13 @@ index 5fc0391..692569b 100644
  
  kernel_search_key(sshd_t)
  kernel_link_key(sshd_t)
- 
++kernel_read_net_sysctls(sshd_t)
++
 +files_search_all(sshd_t)
 +
 +fs_search_cgroup_dirs(sshd_t)
 +fs_rw_cgroup_files(sshd_t)
-+
+ 
  term_use_all_ptys(sshd_t)
  term_setattr_all_ptys(sshd_t)
 +term_setattr_all_ttys(sshd_t)
@@ -21107,7 +24195,7 @@ index 5fc0391..692569b 100644
  ')
  
  optional_policy(`
-@@ -257,11 +315,28 @@ optional_policy(`
+@@ -257,11 +317,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21137,7 +24225,7 @@ index 5fc0391..692569b 100644
  ')
  
  optional_policy(`
-@@ -269,6 +344,10 @@ optional_policy(`
+@@ -269,6 +346,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21148,7 +24236,7 @@ index 5fc0391..692569b 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -279,13 +358,93 @@ optional_policy(`
+@@ -279,13 +360,93 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21242,7 +24330,7 @@ index 5fc0391..692569b 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -294,19 +453,29 @@ optional_policy(`
+@@ -294,19 +455,29 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -21273,7 +24361,7 @@ index 5fc0391..692569b 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +492,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +494,12 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -21286,7 +24374,7 @@ index 5fc0391..692569b 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +506,140 @@ optional_policy(`
+@@ -331,3 +508,140 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -21428,7 +24516,7 @@ index 5fc0391..692569b 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..9a5dab5 100644
+index d1f64a0..7acda6c 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -21490,7 +24578,7 @@ index d1f64a0..9a5dab5 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -21519,6 +24607,8 @@ index d1f64a0..9a5dab5 100644
 +/usr/s?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +
++/usr/bin/sddm         	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/sddm-greeter  	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 +/usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -21532,12 +24622,13 @@ index d1f64a0..9a5dab5 100644
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,25 +128,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +130,50 @@ ifndef(`distro_debian',`
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 -/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 +/var/lib/lightdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm-data(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 +/var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 +/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
@@ -21553,7 +24644,7 @@ index d1f64a0..9a5dab5 100644
 +/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/mdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/slim\.log	--	gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
@@ -21588,7 +24679,7 @@ index d1f64a0..9a5dab5 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..5a7e2a4 100644
+index 6bf0ecc..0d55916 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -22323,10 +25414,30 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1230,84 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
++##	Manage X keyboard extension libraries.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_manage_xkb_libs',`
++	gen_require(`
++		type xkb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 xkb_var_lib_t:dir list_dir_perms;
++	manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
++')
++
++########################################
++## <summary>
 +##	dontaudit access checks X keyboard extension libraries.
 +## </summary>
 +## <param name="domain">
@@ -22388,7 +25499,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Read xdm temporary files.
  ## </summary>
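Review bot: In `xserver_manage_xkb_libs`, `allow $1 xkb_var_lib_t:dir list_dir_perms;` is subsumed by the following `manage_files_pattern`, which in refpolicy grants `rw_dir_perms` on the container directory, so the line is redundant; it mirrors the read variant but is not needed here. Dropping it, or replacing it with `manage_dirs_pattern($1, xkb_var_lib_t, xkb_var_lib_t)` if subdirectories must also be created, makes the granted permissions explicit. The interface is complete within the hunk.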
  ## <param name="domain">
-@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1321,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -22397,7 +25508,7 @@ index 6bf0ecc..5a7e2a4 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1383,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -22440,7 +25551,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1433,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -22449,7 +25560,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1451,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -22461,7 +25572,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1552,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -22487,7 +25598,7 @@ index 6bf0ecc..5a7e2a4 100644
  ##	Connect to the X server over a unix domain
  ##	stream socket.
  ## </summary>
-@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1587,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22514,7 +25625,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1632,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -22523,7 +25634,7 @@ index 6bf0ecc..5a7e2a4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1642,27 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -22552,7 +25663,7 @@ index 6bf0ecc..5a7e2a4 100644
  ')
  
  ########################################
-@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -23179,8 +26290,27 @@ index 6bf0ecc..5a7e2a4 100644
 +
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
++
++########################################
++## <summary>
++##	Manage keys for xdm.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_rw_xdm_keys',`
++	gen_require(`
++		type xdm_t;
++	')
++
++	allow $1 xdm_t:key { read write };
++')
++
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..adbe339 100644
+index 2696452..5be1645 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
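Review bot: The summary of the new `xserver_rw_xdm_keys` interface reads `Manage keys for xdm.` while the rule grants only `{ read write }` on xdm_t:key, so the generated documentation overstates the access and disagrees with the interface name. Suggest `##	Read and write the xdm keyring.` so the summary, the name and the rule describe the same permission set.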
@@ -23431,7 +26561,7 @@ index 2696452..adbe339 100644
  ')
  
  ########################################
-@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -23494,6 +26624,7 @@ index 2696452..adbe339 100644
 +userdom_use_inherited_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
 +userdom_read_all_users_state(xauth_t)
++userdom_search_user_home_dirs(xauth_t)
 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
@@ -23532,13 +26663,13 @@ index 2696452..adbe339 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +414,109 @@ optional_policy(`
+@@ -299,64 +415,109 @@ optional_policy(`
  # XDM Local policy
  #
  
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
 +allow xdm_t self:capability2 { block_suspend };
 +dontaudit xdm_t self:capability sys_admin;
 +tunable_policy(`deny_ptrace',`',`
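Review bot: The rewritten capability line grants `net_admin` to xdm_t outright, whereas elsewhere in this series the same capability is handled with `dontaudit ... self:capability net_admin` for login_pgm, fsadm_t and callers of init_telinit, which suggests these denials are normally harmless noise rather than a real requirement. If xdm genuinely needs net_admin, a comment on the line naming the operation that needs it would keep the widening reviewable; otherwise a dontaudit consistent with the other domains is the narrower change. The enclosing XDM policy section continues outside this hunk.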
@@ -23652,7 +26783,7 @@ index 2696452..adbe339 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -23667,6 +26798,7 @@ index 2696452..adbe339 100644
 +manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
  manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 -logging_log_filetrans(xdm_t, xserver_log_t, file)
++files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")
  
  kernel_read_system_state(xdm_t)
 +kernel_read_device_sysctls(xdm_t)
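Review bot: `files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")` gives a directory named gdm that xdm_t creates under a var_t directory the xserver_log_t label, but no matching file_contexts entry for that path is visible in this chunk, so a relabel would presumably undo the transition. If none exists yet, add the path to xserver.fc with `gen_context(system_u:object_r:xserver_log_t,s0)` so the runtime and restorecon labels agree, and a short comment on the .te line naming the path would help since the transition is hidden behind the named argument.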
@@ -23684,7 +26816,7 @@ index 2696452..adbe339 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -23738,7 +26870,7 @@ index 2696452..adbe339 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +610,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +612,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -23767,7 +26899,7 @@ index 2696452..adbe339 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23816,7 +26948,7 @@ index 2696452..adbe339 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -23828,7 +26960,8 @@ index 2696452..adbe339 100644
 +
 +#userdom_home_manager(xdm_t)
 +tunable_policy(`xdm_write_home',`
-+    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++    userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
++    userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
 +',`
 +    userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
 +')
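Review bot: Widening the `xdm_write_home` transitions to `{ file lnk_file }` and adding the admin-home variant means symlinks xdm_t creates in user and root home directories now land as xdm_home_t, but the hunk gives no hint which link motivates it. A one-line comment above the tunable block naming the file or symlink that triggered the change would help the next maintainer decide whether lnk_file is still needed, and the stale commented-out `#userdom_home_manager(xdm_t)` just above could be dropped.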
@@ -23838,12 +26971,14 @@ index 2696452..adbe339 100644
 +    fs_manage_nfs_dirs(xdm_t)
 +    fs_manage_nfs_files(xdm_t)
 +    fs_manage_nfs_symlinks(xdm_t)
++    fs_append_nfs_files(xdm_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +    fs_manage_cifs_dirs(xdm_t)
 +    fs_manage_cifs_files(xdm_t)
 +    fs_manage_cifs_symlinks(xdm_t)
++    fs_append_cifs_files(xdm_t)
 +')
 +
 +tunable_policy(`use_fusefs_home_dirs',`
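Review bot: `fs_append_nfs_files(xdm_t)` and `fs_append_cifs_files(xdm_t)` are added inside blocks that already call `fs_manage_nfs_files(xdm_t)` and `fs_manage_cifs_files(xdm_t)`; in refpolicy manage_file_perms includes append, so the new calls look redundant unless those manage interfaces are narrower than usual in this tree. If append is wanted for a different reason, a comment saying so would stop the next cleanup from removing it.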
@@ -23901,6 +27036,10 @@ index 2696452..adbe339 100644
 +')
 +
 +optional_policy(`
++    remotelogin_signull(xdm_t)
++')
++
++optional_policy(`
 +	spamassassin_filetrans_home_content(xdm_t)
 +	spamassassin_filetrans_admin_home_content(xdm_t)
 +')
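Review bot: The new `remotelogin_signull(xdm_t)` block is indented with four spaces while the neighbouring optional_policy blocks in this hunk use a tab, so the file now mixes both. Use `	remotelogin_signull(xdm_t)` with a tab so the block matches the surrounding style.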
@@ -23967,7 +27106,7 @@ index 2696452..adbe339 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -23994,7 +27133,7 @@ index 2696452..adbe339 100644
  ')
  
  optional_policy(`
-@@ -514,12 +865,57 @@ optional_policy(`
+@@ -514,12 +874,57 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24052,7 +27191,7 @@ index 2696452..adbe339 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +933,78 @@ optional_policy(`
+@@ -537,28 +942,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24140,7 +27279,7 @@ index 2696452..adbe339 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1016,14 @@ optional_policy(`
+@@ -570,6 +1025,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24155,7 +27294,7 @@ index 2696452..adbe339 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -584,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -24164,7 +27303,7 @@ index 2696452..adbe339 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -24177,7 +27316,7 @@ index 2696452..adbe339 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -24193,7 +27332,7 @@ index 2696452..adbe339 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -24204,7 +27343,7 @@ index 2696452..adbe339 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -24226,7 +27365,7 @@ index 2696452..adbe339 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -24240,7 +27379,7 @@ index 2696452..adbe339 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -24272,7 +27411,7 @@ index 2696452..adbe339 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -24290,7 +27429,7 @@ index 2696452..adbe339 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1206,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -24314,7 +27453,7 @@ index 2696452..adbe339 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -24323,7 +27462,7 @@ index 2696452..adbe339 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1260,44 @@ optional_policy(`
+@@ -775,16 +1269,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24369,7 +27508,7 @@ index 2696452..adbe339 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1306,10 @@ optional_policy(`
+@@ -793,6 +1315,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24380,7 +27519,7 @@ index 2696452..adbe339 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -24394,7 +27533,7 @@ index 2696452..adbe339 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -24403,7 +27542,7 @@ index 2696452..adbe339 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1358,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -24438,7 +27577,7 @@ index 2696452..adbe339 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24447,7 +27586,7 @@ index 2696452..adbe339 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -24479,7 +27618,7 @@ index 2696452..adbe339 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -24803,7 +27942,7 @@ index c6fdab7..af71c62 100644
  	sudo_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..003b09a 100644
+index 28ad538..36fbb93 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -1,14 +1,28 @@
@@ -24839,7 +27978,7 @@ index 28ad538..003b09a 100644
  /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
  /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +30,24 @@ ifdef(`distro_suse', `
+@@ -16,13 +30,25 @@ ifdef(`distro_suse', `
  /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ')
  
@@ -24851,6 +27990,7 @@ index 28ad538..003b09a 100644
 -/usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 +/usr/sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 +/usr/sbin/pam_timestamp_check	 --	gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
++/usr/sbin/pwhistory_helper  --  gen_context(system_u:object_r:updpwd_exec_t,s0)
 +/usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 +/usr/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 +/usr/sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
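Review bot: The new `/usr/sbin/pwhistory_helper` entry uses double spaces as field separators where every neighbouring entry uses tabs, and there is no `/sbin/pwhistory_helper` line although the other helpers in this file carry both the /sbin and /usr/sbin paths. Suggest `/usr/sbin/pwhistory_helper	--	gen_context(system_u:object_r:updpwd_exec_t,s0)` and, if the binary is also installed under /sbin and not covered by a path substitution, a matching /sbin entry so both paths transition into updpwd_t.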
@@ -24866,7 +28006,7 @@ index 28ad538..003b09a 100644
  
  /var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
  
-@@ -30,20 +55,24 @@ ifdef(`distro_gentoo', `
+@@ -30,20 +56,24 @@ ifdef(`distro_gentoo', `
  
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -24896,7 +28036,7 @@ index 28ad538..003b09a 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..08c3e93 100644
+index 3efd5b6..c74d0d5 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -25465,7 +28605,7 @@ index 3efd5b6..08c3e93 100644
  ')
  
  ########################################
-@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1989,17 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -25479,10 +28619,14 @@ index 3efd5b6..08c3e93 100644
  	typeattribute $1 nsswitch_domain;
 +
 +	corenet_all_recvfrom_netlabel($1)
++
++    optional_policy(`
++        kerberos_keytab_domains($1)
++    ')
  ')
  
  ########################################
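Review bot: Adding `kerberos_keytab_domains($1)` inside `auth_use_nsswitch` presumably extends keytab-domain membership to every domain that calls this interface, a far broader set than the domains that actually need keytab access, and the hunk does not say why. A comment above the optional_policy block naming the use case would make the widening reviewable, and the block is indented with four spaces where the rest of the interface uses tabs, e.g. `	optional_policy(\``. The interface body begins outside this hunk.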
-@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2033,242 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -25726,7 +28870,7 @@ index 3efd5b6..08c3e93 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..348e8cf 100644
+index 104037e..9b993c6 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -25923,15 +29067,19 @@ index 104037e..348e8cf 100644
  miscfiles_read_generic_certs(pam_console_t)
  
  seutil_read_file_contexts(pam_console_t)
-@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
  dev_read_urand(updpwd_t)
  
  files_manage_etc_files(updpwd_t)
 +auth_manage_passwd(updpwd_t)
++
++mls_file_read_all_levels(updpwd_t)
++mls_file_write_all_levels(updpwd_t)
++mls_file_downgrade(updpwd_t)
  
  term_dontaudit_use_console(updpwd_t)
  term_dontaudit_use_unallocated_ttys(updpwd_t)
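Review bot: `mls_file_read_all_levels`, `mls_file_write_all_levels` and `mls_file_downgrade` on updpwd_t are broad MLS overrides, and `mls_file_downgrade` in particular lets the domain lower the level of what it writes, yet the hunk carries no rationale. Since this series also labels `/usr/sbin/pwhistory_helper` as updpwd_exec_t, a comment such as `# MLS overrides for <helper> updating <file> — TODO confirm which are required` would record the motivation, and it is worth checking that read_all_levels and downgrade are both needed rather than write alone.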
-@@ -350,9 +372,7 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t)
  
  logging_send_syslog_msg(updpwd_t)
  
@@ -25942,7 +29090,7 @@ index 104037e..348e8cf 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t)
  term_dontaudit_use_all_ptys(utempter_t)
  term_dontaudit_use_ptmx(utempter_t)
  
@@ -25959,7 +29107,7 @@ index 104037e..348e8cf 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -25993,7 +29141,7 @@ index 104037e..348e8cf 100644
  files_list_var_lib(nsswitch_domain)
  
  # read /etc/nsswitch.conf
-@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
  
  sysnet_dns_name_resolve(nsswitch_domain)
  
@@ -26017,7 +29165,7 @@ index 104037e..348e8cf 100644
  		ldap_stream_connect(nsswitch_domain)
  	')
  ')
-@@ -438,6 +476,7 @@ optional_policy(`
+@@ -438,6 +480,7 @@ optional_policy(`
  	likewise_stream_connect_lsassd(nsswitch_domain)
  ')
  
@@ -26025,7 +29173,7 @@ index 104037e..348e8cf 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,6 +495,8 @@ optional_policy(`
+@@ -456,10 +499,145 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -26034,7 +29182,8 @@ index 104037e..348e8cf 100644
  ')
  
  optional_policy(`
-@@ -463,3 +504,133 @@ optional_policy(`
+ 	samba_stream_connect_winbind(nsswitch_domain)
++    samba_stream_connect_nmbd(nsswitch_domain)
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
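Review bot: `samba_stream_connect_nmbd(nsswitch_domain)` is indented with four spaces while the surrounding lines use a tab, and it grants every nsswitch domain a connection to nmbd's socket without a comment explaining why name resolution now needs nmbd in addition to winbind. Use a tab and add a short comment, e.g. `	# name lookups via nmbd — TODO confirm which NSS module needs this`.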
@@ -26050,6 +29199,7 @@ index 104037e..348e8cf 100644
 +
 +allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
 +allow login_pgm self:capability ipc_lock;
++dontaudit login_pgm self:capability net_admin;
 +allow login_pgm self:process setkeycreate;
 +allow login_pgm self:key manage_key_perms;
 +userdom_manage_all_users_keys(login_pgm)
@@ -26062,7 +29212,7 @@ index 104037e..348e8cf 100644
 +manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
 +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+files_var_filetrans(login_pgm, auth_cache_t, dir)
++files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
 +
 +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
 +manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
@@ -26110,6 +29260,7 @@ index 104037e..348e8cf 100644
 +logging_set_tty_audit(login_pgm)
 +
 +miscfiles_dontaudit_write_generic_cert_files(login_pgm)
++miscfiles_filetrans_named_content(login_pgm)
 +
 +seutil_read_config(login_pgm)
 +seutil_read_login_config(login_pgm)
@@ -26362,7 +29513,7 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..f512b72 100644
+index 6c4b6ee..9eebe0b 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -26375,7 +29526,15 @@ index 6c4b6ee..f512b72 100644
  type fsadm_tmp_t;
  files_tmp_file(fsadm_tmp_t)
  
-@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
+@@ -26,6 +29,7 @@ files_type(swapfile_t)
+ 
+ # ipc_lock is for losetup
+ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
++dontaudit fsadm_t self:capability net_admin;
+ allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+ allow fsadm_t self:fd use;
+ allow fsadm_t self:fifo_file rw_fifo_file_perms;
+@@ -41,9 +45,15 @@ allow fsadm_t self:msg { send receive };
  
  can_exec(fsadm_t, fsadm_exec_t)
  
@@ -26391,7 +29550,7 @@ index 6c4b6ee..f512b72 100644
  
  # log files
  allow fsadm_t fsadm_log_t:dir setattr;
-@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+@@ -53,6 +63,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
  # Enable swapping to files
  allow fsadm_t swapfile_t:file { rw_file_perms swapon };
  
@@ -26399,7 +29558,7 @@ index 6c4b6ee..f512b72 100644
  kernel_read_system_state(fsadm_t)
  kernel_read_kernel_sysctls(fsadm_t)
  kernel_request_load_module(fsadm_t)
-@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
+@@ -101,6 +112,8 @@ files_read_usr_files(fsadm_t)
  files_read_etc_files(fsadm_t)
  files_manage_lost_found(fsadm_t)
  files_manage_isid_type_dirs(fsadm_t)
@@ -26408,7 +29567,7 @@ index 6c4b6ee..f512b72 100644
  # Write to /etc/mtab.
  files_manage_etc_runtime_files(fsadm_t)
  files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +133,9 @@ fs_list_auto_mountpoints(fsadm_t)
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -26418,7 +29577,7 @@ index 6c4b6ee..f512b72 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +149,27 @@ storage_raw_write_fixed_disk(fsadm_t)
  storage_raw_read_removable_device(fsadm_t)
  storage_raw_write_removable_device(fsadm_t)
  storage_read_scsi_generic(fsadm_t)
@@ -26448,7 +29607,7 @@ index 6c4b6ee..f512b72 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +187,11 @@ optional_policy(`
+@@ -166,6 +188,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26460,7 +29619,7 @@ index 6c4b6ee..f512b72 100644
  	hal_dontaudit_write_log(fsadm_t)
  ')
  
-@@ -179,6 +205,10 @@ optional_policy(`
+@@ -179,6 +206,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26471,7 +29630,7 @@ index 6c4b6ee..f512b72 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -192,6 +222,10 @@ optional_policy(`
+@@ -192,6 +223,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26629,6 +29788,18 @@ index 9dfecf7..6d00f5c 100644
  /bin/hostname		--	gen_context(system_u:object_r:hostname_exec_t,s0)
 +
 +/usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
+diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
+index 187f04f..cf0af09 100644
+--- a/policy/modules/system/hostname.if
++++ b/policy/modules/system/hostname.if
+@@ -53,7 +53,6 @@ interface(`hostname_run',`
+ ##	Domain allowed access.
+ ## 	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`hostname_exec',`
+ 	gen_require(`
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
 index f6cbda9..51e9aef 100644
 --- a/policy/modules/system/hostname.te
@@ -26830,7 +30001,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..76da5dd 100644
+index 24e7804..2863546 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -27213,11 +30384,11 @@ index 24e7804..76da5dd 100644
 +        type init_t;
 +    ')
 +
-+    dontaudit $1 init_t:unix_stream_socket { getattr read write };
++    dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
  ')
  
  ########################################
-@@ -743,22 +923,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +923,24 @@ interface(`init_write_initctl',`
  interface(`init_telinit',`
  	gen_require(`
  		type initctl_t;
@@ -27242,6 +30413,7 @@ index 24e7804..76da5dd 100644
 -	')
 +	ps_process_pattern($1, init_t)
 +	allow $1 init_t:process signal;
++	dontaudit $1 self:capability net_admin;
 +	# upstart uses a datagram socket instead of initctl pipe
 +	allow $1 self:unix_dgram_socket create_socket_perms;
 +	allow $1 init_t:unix_dgram_socket sendto;
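Review bot: `dontaudit $1 self:capability net_admin;` inside `init_telinit` silences the caller's own net_admin denials as a side effect of being allowed to run telinit, which is an unusual place for a self rule and hides that capability check for every caller of the interface. If the denial comes from the datagram socket path described by the comment on the next line, say so, e.g. `# the dgram socket setup below trips a net_admin check we do not want to grant`; otherwise move the dontaudit into the calling domains' .te files. The interface begins outside this hunk.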
@@ -27250,7 +30422,7 @@ index 24e7804..76da5dd 100644
  ')
  
  ########################################
-@@ -787,7 +968,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +969,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -27259,7 +30431,7 @@ index 24e7804..76da5dd 100644
  ##	</summary>
  ## </param>
  #
-@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -27274,7 +30446,7 @@ index 24e7804..76da5dd 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -27288,7 +30460,7 @@ index 24e7804..76da5dd 100644
  	')
  ')
  
-@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -27334,7 +30506,7 @@ index 24e7804..76da5dd 100644
  ')
  
  ########################################
-@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -27349,7 +30521,7 @@ index 24e7804..76da5dd 100644
  	files_search_etc($1)
  ')
  
-@@ -1012,6 +1221,42 @@ interface(`init_read_state',`
+@@ -1012,6 +1222,42 @@ interface(`init_read_state',`
  
  ########################################
  ## <summary>
@@ -27392,7 +30564,7 @@ index 24e7804..76da5dd 100644
  ##	Ptrace init
  ## </summary>
  ## <param name="domain">
-@@ -1026,7 +1271,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1272,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -27403,7 +30575,7 @@ index 24e7804..76da5dd 100644
  ')
  
  ########################################
-@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',`
  
  ########################################
  ## <summary>
@@ -27429,7 +30601,7 @@ index 24e7804..76da5dd 100644
  ##	Read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -27454,7 +30626,7 @@ index 24e7804..76da5dd 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -27468,69 +30640,113 @@ index 24e7804..76da5dd 100644
  ')
  
  ########################################
-@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',`
+@@ -1314,7 +1594,7 @@ interface(`init_signal_script',`
+ 
  ########################################
  ## <summary>
- ##	Send and receive messages from
--##	init scripts over dbus.
-+##	init over dbus.
+-##	Send null signals to init scripts.
++##	Send kill signals to init scripts.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',`
+@@ -1322,17 +1602,17 @@ interface(`init_signal_script',`
  ##	</summary>
  ## </param>
  #
--interface(`init_dbus_chat_script',`
-+interface(`init_dbus_chat',`
+-interface(`init_signull_script',`
++interface(`init_sigkill_script',`
  	gen_require(`
--		type initrc_t;
-+		type init_t;
- 		class dbus send_msg;
+ 		type initrc_t;
  	')
  
--	allow $1 initrc_t:dbus send_msg;
--	allow initrc_t $1:dbus send_msg;
-+	allow $1 init_t:dbus send_msg;
-+	allow init_t $1:dbus send_msg;
+-	allow $1 initrc_t:process signull;
++	allow $1 initrc_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
--##	Read and write the init script pty.
-+##	Send and receive messages from
-+##	init scripts over dbus.
+-##	Read and write init script unnamed pipes.
++##	Send null signals to init scripts.
  ## </summary>
--## <desc>
--##	<p>
--##	Read and write the init script pty.  This
+ ## <param name="domain">
+ ##	<summary>
+@@ -1340,17 +1620,17 @@ interface(`init_signull_script',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_rw_script_pipes',`
++interface(`init_signull_script',`
+ 	gen_require(`
+ 		type initrc_t;
+ 	')
+ 
+-	allow $1 initrc_t:fifo_file { read write };
++	allow $1 initrc_t:process signull;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send UDP network traffic to init scripts.  (Deprecated)
++##	Read and write init script unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_udp_send_script',`
++interface(`init_rw_script_pipes',`
++	gen_require(`
++		type initrc_t;
++	')
++
++	allow $1 initrc_t:fifo_file { read write };
++')
++
++########################################
++## <summary>
++##	Send UDP network traffic to init scripts.  (Deprecated)
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`init_dbus_chat_script',`
++interface(`init_udp_send_script',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
+ 
+@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',`
+ ########################################
+ ## <summary>
+ ##	Send and receive messages from
++##	init over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_dbus_chat',`
 +	gen_require(`
-+		type initrc_t;
++		type init_t;
 +		class dbus send_msg;
 +	')
 +
-+	allow $1 initrc_t:dbus send_msg;
-+	allow initrc_t $1:dbus send_msg;
++	allow $1 init_t:dbus send_msg;
++	allow init_t $1:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write the init script pty.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Read and write the init script pty.  This
- ##	pty is generally opened by the open_init_pty
- ##	portion of the run_init program so that the
- ##	daemon does not require direct access to
-@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',`
++##	Send and receive messages from
+ ##	init scripts over dbus.
+ ## </summary>
+ ## <param name="domain">
+@@ -1526,6 +1845,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
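Review bot: The new `init_sigkill_script` interface grants `sigkill` against the whole `initrc_t` domain, so any caller can SIGKILL every init script running in that domain rather than one particular script, and the summary `Send kill signals to init scripts.` does not convey that breadth. I would add a `<desc>` block under the summary with `##	<p>initrc_t is shared by all init scripts, so this permits killing any of them; prefer init_signal_script where a catchable signal suffices.</p>`. The rest of the hunk only shifts the existing `init_signull_script`, `init_rw_script_pipes` and deprecated `init_udp_send_script` bodies and adds `init_dbus_chat` for `init_t`, which mirrors the `initrc_t` dbus pattern already present.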
@@ -27556,7 +30772,7 @@ index 24e7804..76da5dd 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1922,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -27581,7 +30797,7 @@ index 24e7804..76da5dd 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',`
+@@ -1656,6 +2012,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -27625,7 +30841,7 @@ index 24e7804..76da5dd 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1744,7 +2137,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -27634,7 +30850,7 @@ index 24e7804..76da5dd 100644
  ')
  
  ########################################
-@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2178,133 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -27768,7 +30984,7 @@ index 24e7804..76da5dd 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2339,450 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -28110,6 +31326,96 @@ index 24e7804..76da5dd 100644
 +
 +########################################
 +## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_start_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service start;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_stop_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service stop;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_reload_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service reload;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_status_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service status;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_manage_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service { start stop reload status };
++')
++
++########################################
++## <summary>
 +##	Transition to init named content
 +## </summary>
 +## <param name="domain">
@@ -28130,7 +31436,7 @@ index 24e7804..76da5dd 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..0996734 100644
+index dd3be8d..c983546 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -28185,7 +31491,7 @@ index dd3be8d..0996734 100644
  
  # Mark file type as a daemon run directory
  attribute daemonrundir;
-@@ -35,12 +64,14 @@ attribute daemonrundir;
+@@ -35,12 +64,20 @@ attribute daemonrundir;
  #
  # init_t is the domain of the init process.
  #
@@ -28198,10 +31504,16 @@ index dd3be8d..0996734 100644
  kernel_domtrans_to(init_t, init_exec_t)
  role system_r types init_t;
 +init_initrc_domain(init_t)
++
++#
++# init_tmp_t is the type for content in /tmp directory
++#
++type init_tmp_t;
++files_tmp_file(init_tmp_t)
  
  #
  # init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +80,15 @@ type init_var_run_t;
+@@ -49,6 +86,15 @@ type init_var_run_t;
  files_pid_file(init_var_run_t)
  
  #
@@ -28217,7 +31529,7 @@ index dd3be8d..0996734 100644
  # initctl_t is the type of the named pipe created
  # by init during initialization.  This pipe is used
  # to communicate with init.
-@@ -57,7 +97,7 @@ type initctl_t;
+@@ -57,7 +103,7 @@ type initctl_t;
  files_type(initctl_t)
  mls_trusted_object(initctl_t)
  
@@ -28226,7 +31538,7 @@ index dd3be8d..0996734 100644
  type initrc_exec_t, init_script_file_type;
  domain_type(initrc_t)
  domain_entry_file(initrc_t, initrc_exec_t)
-@@ -98,7 +138,9 @@ ifdef(`enable_mls',`
+@@ -98,7 +144,9 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -28237,8 +31549,12 @@ index dd3be8d..0996734 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module;
+ 
+ allow init_t self:fifo_file rw_fifo_file_perms;
  
++allow init_t self:service manage_service_perms;
++
  # Re-exec itself
  can_exec(init_t, init_exec_t)
 -
@@ -28256,6 +31572,11 @@ index dd3be8d..0996734 100644
 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
 +allow initrc_t init_t:fifo_file rw_fifo_file_perms;
 +
++manage_files_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
++files_tmp_filetrans(init_t, init_tmp_t, { file })
++
 +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
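Review bot: `files_tmp_filetrans(init_t, init_tmp_t, { file })` only transitions plain files, yet the lines above it grant `manage_dirs_pattern` and `manage_lnk_files_pattern` on `init_tmp_t` as well; a directory or symlink init creates directly under /tmp would presumably keep the generic tmp label and never match those rules. If init is expected to create directories there, the transition should read `files_tmp_filetrans(init_t, init_tmp_t, { file dir })`; if not, the directory manage rule is dead weight and can be dropped. The hunk ends inside the init_t rule block, so a later line covering directories would be outside my view.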
@@ -28277,7 +31598,7 @@ index dd3be8d..0996734 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -28297,11 +31618,12 @@ index dd3be8d..0996734 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
 +domain_read_all_domains_state(init_t)
++domain_getattr_all_domains(init_t)
  
  files_read_etc_files(init_t)
 +files_read_all_pids(init_t)
@@ -28315,10 +31637,11 @@ index dd3be8d..0996734 100644
  # Run /etc/X11/prefdm:
  files_exec_etc_files(init_t)
 +files_read_usr_files(init_t)
++files_write_root_dirs(init_t)
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +245,53 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -28358,14 +31681,15 @@ index dd3be8d..0996734 100644
 +logging_send_audit_msgs(init_t)
  logging_rw_generic_logs(init_t)
 +logging_relabel_devlog_dev(init_t)
++logging_manage_audit_config(init_t)
  
  seutil_read_config(init_t)
 +seutil_read_module_store(init_t)
-+
-+miscfiles_manage_localization(init_t)
-+miscfiles_filetrans_named_content(init_t)
  
 -miscfiles_read_localization(init_t)
++miscfiles_manage_localization(init_t)
++miscfiles_filetrans_named_content(init_t)
++
 +userdom_use_user_ttys(init_t)
 +userdom_manage_tmp_dirs(init_t)
 +userdom_manage_tmp_sockets(init_t)
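Review bot: `logging_manage_audit_config(init_t)` is introduced without explanation and is noticeably broader than its neighbours (`logging_send_audit_msgs`, `logging_relabel_devlog_dev`): by its name it lets PID 1 create, rewrite and delete the audit daemon's configuration and rule files, which is exactly what an audit-integrity review will question. A one-line why-comment naming the unit or setup step that writes those files, e.g. `# TODO(review): which systemd unit/setup step writes auditd config? document and narrow to read if inspection only`, should sit above the call. The miscfiles reordering in the same hunk is a no-op.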
@@ -28374,7 +31698,7 @@ index dd3be8d..0996734 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +300,226 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28404,20 +31728,21 @@ index dd3be8d..0996734 100644
 +
 +optional_policy(`
 +	chronyd_read_keys(init_t)
-+')
-+
-+optional_policy(`
-+	kdump_read_crash(init_t)
  ')
  
  optional_policy(`
 -	auth_rw_login_records(init_t)
-+	gnome_filetrans_home_content(init_t)
-+	gnome_manage_data(init_t)
++	kdump_read_crash(init_t)
  ')
  
  optional_policy(`
++	gnome_filetrans_home_content(init_t)
++	gnome_manage_data(init_t)
++')
++
++optional_policy(`
 +	iscsi_read_lib_files(init_t)
++	iscsi_manage_lock(init_t)
 +')
 +
 +optional_policy(`
@@ -28549,8 +31874,25 @@ index dd3be8d..0996734 100644
 +auth_rw_login_records(init_t)
 +auth_domtrans_chk_passwd(init_t)
 +
-+optional_policy(`
-+	ipsec_read_config(init_t)
++ifdef(`distro_redhat',`
++    # it comes from setupr scripts used in systemd unit files
++    # has been covered by initrc_t
++	optional_policy(`
++		bind_manage_config_dirs(init_t)
++		bind_manage_config(init_t)
++		bind_write_config(init_t)
++		bind_setattr_zone_dirs(init_t)
++	')
++
++    optional_policy(`
++	    ipsec_read_config(init_t)
++        ipsec_manage_pid(init_t)
++        ipsec_stream_connect(init_t)
++    ')
++
++    optional_policy(`
++        rpc_manage_nfs_state_data(init_t)
++    ')
 +')
 +
 +optional_policy(`
@@ -28570,9 +31912,10 @@ index dd3be8d..0996734 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
@@ -28582,16 +31925,15 @@ index dd3be8d..0996734 100644
 +
 +optional_policy(`
 +		networkmanager_stream_connect(init_t)
- ')
- 
- optional_policy(`
--	nscd_use(init_t)
++')
++
++optional_policy(`
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
  
  optional_policy(`
-@@ -216,7 +493,30 @@ optional_policy(`
+@@ -216,7 +527,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28622,7 +31964,7 @@ index dd3be8d..0996734 100644
  ')
  
  ########################################
-@@ -225,8 +525,9 @@ optional_policy(`
+@@ -225,8 +559,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28634,7 +31976,7 @@ index dd3be8d..0996734 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +592,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28651,7 +31993,7 @@ index dd3be8d..0996734 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +617,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28694,7 +32036,7 @@ index dd3be8d..0996734 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +654,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28706,7 +32048,7 @@ index dd3be8d..0996734 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +666,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -28717,7 +32059,7 @@ index dd3be8d..0996734 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +677,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -28727,7 +32069,7 @@ index dd3be8d..0996734 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +686,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28735,7 +32077,7 @@ index dd3be8d..0996734 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +693,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28743,7 +32085,7 @@ index dd3be8d..0996734 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +701,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28761,7 +32103,7 @@ index dd3be8d..0996734 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +719,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28775,7 +32117,7 @@ index dd3be8d..0996734 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +734,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -28789,7 +32131,7 @@ index dd3be8d..0996734 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +747,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -28797,7 +32139,7 @@ index dd3be8d..0996734 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +759,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -28805,7 +32147,7 @@ index dd3be8d..0996734 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +778,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -28829,7 +32171,7 @@ index dd3be8d..0996734 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +811,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -28837,7 +32179,7 @@ index dd3be8d..0996734 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +845,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -28848,7 +32190,7 @@ index dd3be8d..0996734 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +835,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +869,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -28857,7 +32199,7 @@ index dd3be8d..0996734 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +850,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +884,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -28865,7 +32207,7 @@ index dd3be8d..0996734 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +871,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +905,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -28873,7 +32215,7 @@ index dd3be8d..0996734 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +881,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +915,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -28918,7 +32260,7 @@ index dd3be8d..0996734 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +926,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +960,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -28950,7 +32292,7 @@ index dd3be8d..0996734 100644
  	')
  ')
  
-@@ -576,6 +961,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +995,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -28990,7 +32332,7 @@ index dd3be8d..0996734 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1006,8 @@ optional_policy(`
+@@ -588,6 +1040,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -28999,7 +32341,7 @@ index dd3be8d..0996734 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1029,7 @@ optional_policy(`
+@@ -609,6 +1063,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -29007,7 +32349,7 @@ index dd3be8d..0996734 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1046,17 @@ optional_policy(`
+@@ -625,6 +1080,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29025,7 +32367,7 @@ index dd3be8d..0996734 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1073,13 @@ optional_policy(`
+@@ -641,9 +1107,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -29039,7 +32381,7 @@ index dd3be8d..0996734 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1092,11 @@ optional_policy(`
+@@ -656,15 +1126,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29057,7 +32399,7 @@ index dd3be8d..0996734 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1117,15 @@ optional_policy(`
+@@ -685,6 +1151,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29073,7 +32415,7 @@ index dd3be8d..0996734 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1166,7 @@ optional_policy(`
+@@ -725,6 +1200,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -29081,7 +32423,7 @@ index dd3be8d..0996734 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1184,13 @@ optional_policy(`
+@@ -742,7 +1218,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29096,7 +32438,7 @@ index dd3be8d..0996734 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1213,10 @@ optional_policy(`
+@@ -765,6 +1247,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29107,7 +32449,7 @@ index dd3be8d..0996734 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1226,20 @@ optional_policy(`
+@@ -774,10 +1260,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29128,7 +32470,7 @@ index dd3be8d..0996734 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1248,10 @@ optional_policy(`
+@@ -786,6 +1282,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29139,7 +32481,7 @@ index dd3be8d..0996734 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1273,6 @@ optional_policy(`
+@@ -807,8 +1307,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29148,7 +32490,7 @@ index dd3be8d..0996734 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1281,10 @@ optional_policy(`
+@@ -817,6 +1315,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29159,7 +32501,7 @@ index dd3be8d..0996734 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1294,12 @@ optional_policy(`
+@@ -826,10 +1328,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -29172,12 +32514,14 @@ index dd3be8d..0996734 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1326,33 @@ optional_policy(`
+@@ -856,12 +1360,35 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	virt_read_config(init_t)
 +	virt_stream_connect(init_t)
++    virt_noatsecure(init_t)
++    virt_rlimitinh(init_t)
 +')
 +
 +optional_policy(`
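Review bot: `virt_noatsecure(init_t)` and `virt_rlimitinh(init_t)` are indented with spaces while the two `virt_*` calls directly above them use a tab; the file is tab-indented, so these two lines should match. `noatsecure` is also security-relevant — by refpolicy naming it presumably grants `init_t` the `noatsecure` permission on the virt domain, meaning the transition runs without AT_SECURE and the dynamic loader does not scrub LD_* and similar environment variables — so it deserves a why-comment such as `# libvirtd needs init's environment and rlimits; do not sanitise env on the domain transition`. The initrc_t optional_policy block that follows continues outside the hunk.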
@@ -29207,7 +32551,7 @@ index dd3be8d..0996734 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1362,18 @@ optional_policy(`
+@@ -871,6 +1398,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29226,7 +32570,7 @@ index dd3be8d..0996734 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1389,10 @@ optional_policy(`
+@@ -886,6 +1425,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29237,7 +32581,7 @@ index dd3be8d..0996734 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1403,218 @@ optional_policy(`
+@@ -896,3 +1439,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29457,48 +32801,59 @@ index dd3be8d..0996734 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..a199ffd 100644
+index 662e79b..15116db 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,22 @@
+@@ -1,14 +1,28 @@
  /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  
 -/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/usr/lib/systemd/system/ipsec.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++/usr/lib/systemd/system/strongimcv.*    --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +
 +/etc/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 +/etc/strongswan/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
 +/etc/strongswan/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongimcv/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongimcv/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
  /etc/racoon(/.*)?			gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/certs(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
 +/etc/strongswan(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongimcv(/.*)?       gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 +
  /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 +/etc/strongswan/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongimcv/ipsec\.d(/.*)?          gen_context(system_u:object_r:ipsec_key_file_t,s0)
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
-@@ -26,16 +34,23 @@
+@@ -26,16 +40,27 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/strongswan/.*	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/nm-libreswan-service   --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/strongswan/.*      --	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/strongimcv/.*      --  gen_context(system_u:object_r:ipsec_exec_t,s0)
  
  /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
  /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
 +/usr/sbin/strongswan	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/sbin/strongimcv    --  gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  
  /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
 +/var/lock/subsys/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++/var/lock/subsys/strongimcv		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
  
- /var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+-/var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
++/var/log/pluto\.log.*		--	gen_context(system_u:object_r:ipsec_log_t,s0)
  
  /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  
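Review bot: The three new unit-file patterns `/usr/lib/systemd/system/ipsec.*`, `strongswan.*` and `strongimcv.*` leave the dot unescaped, so `ipsec.*` means "ipsec followed by anything" and also matches an unrelated `ipsecXYZ` file, whereas the neighbouring entries in this hunk escape it (`/var/log/pluto\.log.*`, `ipsec\.secrets.*`). They should read `/usr/lib/systemd/system/ipsec\..*` (and likewise for the other two) so only `ipsec.`-prefixed names such as `ipsec.service` receive `ipsec_mgmt_unit_file_t`. The labelling itself looks right: secrets, the `ipsec\.d` trees and racoon certs stay `ipsec_key_file_t` while the generic strongswan/strongimcv trees are `ipsec_conf_file_t`, and the more specific key-file entries should take precedence over the `(/.*)?` catch-alls.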
@@ -29509,7 +32864,7 @@ index 662e79b..a199ffd 100644
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..e6ffda3 100644
+index 0d4c8d3..3a3ec52 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
 @@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',`
@@ -29670,7 +33025,15 @@ index 0d4c8d3..e6ffda3 100644
  ')
  
  ########################################
-@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',`
+@@ -282,6 +392,7 @@ interface(`ipsec_manage_pid',`
+ 
+ 	files_search_pids($1)
+ 	manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
++    manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+ ')
+ 
+ ########################################
+@@ -369,3 +480,26 @@ interface(`ipsec_run_setkey',`
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
  ')
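Review bot: The new `manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)` line is indented with four spaces while the `manage_files_pattern` line above it uses a tab; the .if files are tab-indented, so this should match. Because `ipsec_manage_pid` now also hands out create/unlink on socket files, its summary (outside the hunk) should say so — `##	Manage IPsec pid and socket files in /var/run.` — so that callers such as the `ipsec_manage_pid(init_t)` added elsewhere in this patch know what they are granting. The body of `ipsec_manage_pid` starts before this hunk.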
@@ -29698,7 +33061,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..ceb7f99 100644
+index 9e54bf9..7ca1e9e 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29720,7 +33083,7 @@ index 9e54bf9..ceb7f99 100644
 -allow ipsec_t self:process { getcap setcap getsched signal setsched };
 +allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid };
 +dontaudit ipsec_t self:capability sys_tty_config;
-+allow ipsec_t self:process { getcap setcap getsched signal signull setsched };
++allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
  allow ipsec_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_t self:udp_socket create_socket_perms;
 +allow ipsec_t self:packet_socket create_socket_perms;
@@ -29893,14 +33256,18 @@ index 9e54bf9..ceb7f99 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t)
+ init_use_fds(ipsec_mgmt_t)
+ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
- logging_send_syslog_msg(ipsec_mgmt_t)
+-logging_send_syslog_msg(ipsec_mgmt_t)
++ipsec_mgmt_systemctl(ipsec_mgmt_t)
  
 -miscfiles_read_localization(ipsec_mgmt_t)
 -
 -seutil_dontaudit_search_config(ipsec_mgmt_t)
--
++logging_send_syslog_msg(ipsec_mgmt_t)
+ 
  sysnet_manage_config(ipsec_mgmt_t)
  sysnet_domtrans_ifconfig(ipsec_mgmt_t)
  sysnet_etc_filetrans_config(ipsec_mgmt_t)
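Review bot: `ipsec_mgmt_systemctl(ipsec_mgmt_t)` applies the systemctl interface to the very domain it manages, and nothing records why the management domain needs to drive its own unit; the interface itself is defined in an ipsec.if hunk outside this view, so a reader here cannot tell what it grants. A why-comment above the call such as `# the ipsec init scripts invoke systemctl on the ipsec units (confirm)` would make the grant auditable. The remaining lines only move `logging_send_syslog_msg(ipsec_mgmt_t)` below it, which is fine.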
@@ -29917,7 +33284,7 @@ index 9e54bf9..ceb7f99 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +361,10 @@ optional_policy(`
+@@ -322,6 +363,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29928,7 +33295,7 @@ index 9e54bf9..ceb7f99 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +378,7 @@ optional_policy(`
+@@ -335,7 +380,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -29937,7 +33304,7 @@ index 9e54bf9..ceb7f99 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -29957,7 +33324,7 @@ index 9e54bf9..ceb7f99 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -29970,7 +33337,7 @@ index 9e54bf9..ceb7f99 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -29983,10 +33350,10 @@ index 9e54bf9..ceb7f99 100644
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 1b93eb7..b2532aa 100644
+index 1b93eb7..957deb0 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,21 +1,27 @@
+@@ -1,21 +1,32 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -29995,6 +33362,9 @@ index 1b93eb7..b2532aa 100644
 +
 +/usr/lib/systemd/system/iptables.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 +/usr/lib/systemd/system/ip6tables.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ipset.*         --  gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
++/usr/libexec/ipset          --  gen_context(system_u:object_r:iptables_exec_t,s0)
  
  /sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
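Review bot: `/usr/libexec/ipset          --  gen_context(system_u:object_r:iptables_exec_t,s0)` uses `--`, which matches only a regular file; if `/usr/libexec/ipset` is a directory holding ipset's helper scripts on the target distribution (as in later Fedora packaging), this entry labels nothing and the helpers keep the default libexec label, so the pattern likely wants `(/.*)?` or the helper's full path. The new lines here and in the two following hunks (`/sbin/ipset`, `/usr/sbin/ipset`) align their columns with spaces where the rest of iptables.fc uses tabs. Labeling ipset as iptables_exec_t makes it run in iptables_t and inherit everything that domain is granted, including the `dev_read_rand` added later in this patch; that is a reasonable fit but worth stating in the commit message.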
@@ -30005,6 +33375,7 @@ index 1b93eb7..b2532aa 100644
 +/sbin/ip6?tables.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables-restore.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables-multi.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipset                 --  gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -30020,6 +33391,7 @@ index 1b93eb7..b2532aa 100644
 +/usr/sbin/ip6?tables.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ip6?tables-restore.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ip6?tables-multi.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipset                 --  gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -30070,7 +33442,7 @@ index c42fbc3..174cfdb 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..cafb28e 100644
+index 5dfa44b..1c9fe59 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -30111,15 +33483,16 @@ index 5dfa44b..cafb28e 100644
  kernel_request_load_module(iptables_t)
  kernel_read_system_state(iptables_t)
  kernel_read_network_state(iptables_t)
-@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t)
  corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
 +dev_read_urand(iptables_t)
++dev_read_rand(iptables_t)
  
  fs_getattr_xattr_fs(iptables_t)
  fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t)
+@@ -72,11 +75,12 @@ fs_list_inotifyfs(iptables_t)
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
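Review bot: `dev_read_rand(iptables_t)` is added with no comment saying which iptables or ipset component opens `/dev/random`, so the next audit cannot tell whether it is still needed; `dev_read_urand` on the line above already covers the usual case. Reads of `/dev/random` can block while the kernel's entropy estimate is low on older kernels, which matters for a tool that runs early in boot. Add a why-comment such as `# <component - fill in> opens /dev/random, see <bug id - fill in>`, or drop the rule if urandom suffices.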
@@ -30134,7 +33507,7 @@ index 5dfa44b..cafb28e 100644
  
  auth_use_nsswitch(iptables_t)
  
-@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +89,14 @@ init_use_script_ptys(iptables_t)
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -30152,7 +33525,7 @@ index 5dfa44b..cafb28e 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -30161,7 +33534,7 @@ index 5dfa44b..cafb28e 100644
  ')
  
  optional_policy(`
-@@ -110,6 +114,11 @@ optional_policy(`
+@@ -110,6 +115,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30173,7 +33546,7 @@ index 5dfa44b..cafb28e 100644
  	modutils_run_insmod(iptables_t, iptables_roles)
  ')
  
-@@ -124,6 +133,12 @@ optional_policy(`
+@@ -124,6 +134,12 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -30186,7 +33559,7 @@ index 5dfa44b..cafb28e 100644
  ')
  
  optional_policy(`
-@@ -135,9 +150,9 @@ optional_policy(`
+@@ -135,9 +151,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30528,7 +33901,7 @@ index 73bb3c0..5b9420f 100644
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..9d8f729 100644
+index 808ba93..57a68da 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
 @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@@ -30664,7 +34037,7 @@ index 808ba93..9d8f729 100644
  ')
  
  ########################################
-@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',`
  interface(`files_lib_filetrans_shared_lib',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -30681,10 +34054,12 @@ index 808ba93..9d8f729 100644
 +#
 +interface(`libs_filetrans_named_content',`
 +	gen_require(`
++        type lib_t;
 +		type ld_so_cache_t;
 +		type ldconfig_cache_t;
 +	')
 +
++    files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")
 +	files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
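Review bot: `type lib_t;` is added to the `gen_require` of `libs_filetrans_named_content` but no visible line of the body uses it; unless a line beyond this hunk references it, the require is dead and should be dropped. `files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")` gives a directory named `debug` under /var/lib the ldconfig cache type, which is not self-explanatory and deserves a comment naming the tool that creates it; the call is also spaced and indented differently from the `files_var_filetrans(...)` and `files_etc_filetrans(...)` calls beside it, so write it tab-indented as `files_var_lib_filetrans($1, ldconfig_cache_t, dir, "debug")`. The interface body continues past the end of this hunk.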
@@ -30881,7 +34256,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..ed59137 100644
+index c04ac46..7b55414 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -31005,10 +34380,28 @@ index c04ac46..ed59137 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -195,6 +191,7 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_read_xdm_tmp_files(local_login_t)
+ 	xserver_rw_xdm_tmp_files(local_login_t)
++    xserver_rw_xdm_keys(local_login_t)
+ ')
+ 
+ #################################
+@@ -202,7 +199,7 @@ optional_policy(`
+ # Sulogin local policy
+ #
+ 
+-allow sulogin_t self:capability dac_override;
++allow sulogin_t self:capability { dac_override sys_admin };
+ allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sulogin_t self:fd use;
+ allow sulogin_t self:fifo_file rw_fifo_file_perms;
+@@ -215,18 +212,27 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
++kernel_getattr_core_if(sulogin_t)
 +kernel_read_crypto_sysctls(sulogin_t)
  kernel_read_system_state(sulogin_t)
  
@@ -31028,12 +34421,11 @@ index c04ac46..ed59137 100644
  
  init_getpgid_script(sulogin_t)
 +init_getpgid(sulogin_t)
++init_getattr_initctl(sulogin_t)
  
  logging_send_syslog_msg(sulogin_t)
  
-+
- seutil_read_config(sulogin_t)
- seutil_read_default_contexts(sulogin_t)
+@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t)
  
  userdom_use_unpriv_users_fds(sulogin_t)
  
@@ -31064,7 +34456,7 @@ index c04ac46..ed59137 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +273,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -31077,7 +34469,7 @@ index c04ac46..ed59137 100644
 -	nscd_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..2faaaf2 100644
+index b50c5fe..e55a556 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -2,10 +2,13 @@
@@ -31121,7 +34513,7 @@ index b50c5fe..2faaaf2 100644
  
  /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,13 +54,13 @@ ifdef(`distro_suse', `
+@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
  
  /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
  /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@@ -31136,8 +34528,10 @@ index b50c5fe..2faaaf2 100644
 +/var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
  
  ifndef(`distro_gentoo',`
- /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',`
+-/var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
++/var/log/audit\.log.*	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ ')
+ 
  ifdef(`distro_redhat',`
  /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
@@ -31164,7 +34558,7 @@ index b50c5fe..2faaaf2 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..9b82ed0 100644
+index 4e94884..b144ffe 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -31254,24 +34648,17 @@ index 4e94884..9b82ed0 100644
  ########################################
  ## <summary>
  ##	Send system log messages.
-@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',`
+@@ -530,22 +592,104 @@ interface(`logging_log_filetrans',`
  #
  interface(`logging_send_syslog_msg',`
  	gen_require(`
 -		type syslogd_t, devlog_t;
 +		attribute syslog_client_type;
- 	')
- 
--	allow $1 devlog_t:lnk_file read_lnk_file_perms;
--	allow $1 devlog_t:sock_file write_sock_file_perms;
++	')
++
 +	typeattribute $1 syslog_client_type;
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -31286,11 +34673,7 @@ index 4e94884..9b82ed0 100644
 +	gen_require(`
 +		type devlog_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	allow $1 devlog_t:sock_file manage_sock_file_perms;
 +	dev_filetrans($1, devlog_t, sock_file)
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
@@ -31316,6 +34699,32 @@ index 4e94884..9b82ed0 100644
 +
 +########################################
 +## <summary>
++##	Allow domain to read the syslog pid files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_read_syslog_pid',`
++	gen_require(`
++		type syslogd_var_run_t;
+ 	')
+ 
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
++    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
++    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
++')
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
++########################################
++## <summary>
 +##	Relabel the syslog pid sock_file.
 +## </summary>
 +## <param name="domain">
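Review bot: `logging_read_syslog_pid` grants `read_files_pattern` and `list_dirs_pattern` on `syslogd_var_run_t` but never calls `files_search_pids($1)`, so a caller that lacks search on the pid directory still cannot reach the file; the `ipsec_manage_pid` hunk earlier in this same patch shows the usual shape with `files_search_pids($1)` first. Add `files_search_pids($1)` above the read rule. The two pattern calls are also indented with four spaces while the file uses tabs.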
@@ -31328,7 +34737,11 @@ index 4e94884..9b82ed0 100644
 +	gen_require(`
 +		type syslogd_var_run_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
 +')
 +
@@ -31352,7 +34765,59 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',`
+@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',`
+ 
+ ########################################
+ ## <summary>
++##	Manage syslog configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_manage_syslog_config',`
++	gen_require(`
++		type syslog_conf_t;
++	')
++
++    manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
++')
++
++########################################
++## <summary>
+ ##	Allows the domain to open a file in the
+ ##	log directory, but does not allow the listing
+ ##	of the contents of the log directory.
+@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',`
+ 	allow $1 logfile:dir setattr;
+ ')
+ 
++#######################################
++## <summary>
++##	Relabel on all log dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_relabel_all_log_dirs',`
++	gen_require(`
++		attribute logfile;
++	')
++
++	relabel_dirs_pattern($1, logfile, logfile)
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to get the attributes
+@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
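Review bot: `logging_manage_syslog_config` grants `manage_files_pattern` on `syslog_conf_t` without `files_search_etc($1)`, so callers without search access to /etc cannot reach the files; add `files_search_etc($1)` before the pattern call and indent that call with a tab like the rest of the file. `logging_relabel_all_log_dirs` hands out relabelfrom and relabelto on every directory carrying the `logfile` attribute, which presumably includes the audit log type, so a caller can move a directory between any two log types; the summary `Relabel on all log dirs.` should read `Relabel directories of all log file types, including audit logs.` so the breadth is visible to callers. Its `#` header line is also one character shorter than the others.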
@@ -31379,7 +34844,7 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -31388,7 +34853,7 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31433,7 +34898,7 @@ index 4e94884..9b82ed0 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -31458,7 +34923,7 @@ index 4e94884..9b82ed0 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -31476,7 +34941,7 @@ index 4e94884..9b82ed0 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -31510,7 +34975,7 @@ index 4e94884..9b82ed0 100644
  ')
  
  ########################################
-@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -31528,7 +34993,7 @@ index 4e94884..9b82ed0 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -31537,13 +35002,32 @@ index 4e94884..9b82ed0 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1323,35 @@ interface(`logging_admin',`
+@@ -1085,3 +1380,54 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
 +
 +########################################
 +## <summary>
++##	Transition to syslog.conf
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_filetrans_named_conf',`
++	gen_require(`
++        type  syslog_conf_t;
++	')
++
++    files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
++    files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
++')
++
++########################################
++## <summary>
 +##	Transition to logging named content
 +## </summary>
 +## <param name="domain">
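Review bot: The doc block of `logging_filetrans_named_conf` says only `Transition to syslog.conf`, which does not describe what the interface does; use `Create syslog.conf or rsyslog.conf in /etc labeled syslog_conf_t.`. The body mixes four-space indentation with the file's tabs, the require line has a double space (`type  syslog_conf_t;`), and the parameter summary line is indented with spaces unlike the other doc blocks; write the require as `type syslog_conf_t;` with the usual two tabs.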
@@ -31574,7 +35058,7 @@ index 4e94884..9b82ed0 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..616d6a8 100644
+index 39ea221..553ae21 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -31595,7 +35079,7 @@ index 39ea221..616d6a8 100644
 +## Allow syslogd the ability to read/write terminals
 +## </p>
 +## </desc>
-+gen_tunable(logging_syslogd_use_tty, false)
++gen_tunable(logging_syslogd_use_tty, true)
  
  attribute logfile;
  
@@ -31642,16 +35126,18 @@ index 39ea221..616d6a8 100644
  read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
  
-@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +134,9 @@ domain_use_interactive_fds(auditctl_t)
  
  mls_file_read_all_levels(auditctl_t)
  
 -term_use_all_terms(auditctl_t)
++storage_getattr_removable_dev(auditctl_t)
++
 +term_use_all_inherited_terms(auditctl_t)
  
  init_dontaudit_use_fds(auditctl_t)
  
-@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +173,7 @@ kernel_read_kernel_sysctls(auditd_t)
  # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
  # Probably want a transition, and a new auditd_helper app
  kernel_read_system_state(auditd_t)
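Review bot: `storage_getattr_removable_dev(auditctl_t)` appears with no comment, and it is not obvious from auditctl's job why it would stat removable block devices. A why-comment such as `# auditctl stats removable devices when <trigger - fill in>` (confirm the actual cause) would keep the grant reviewable. The blank line added after it is fine.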
@@ -31659,7 +35145,7 @@ index 39ea221..616d6a8 100644
  
  dev_read_sysfs(auditd_t)
  
-@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +181,6 @@ fs_getattr_all_fs(auditd_t)
  fs_search_auto_mountpoints(auditd_t)
  fs_rw_anon_inodefs_files(auditd_t)
  
@@ -31669,7 +35155,7 @@ index 39ea221..616d6a8 100644
  corenet_all_recvfrom_netlabel(auditd_t)
  corenet_tcp_sendrecv_generic_if(auditd_t)
  corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +206,17 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -31691,7 +35177,7 @@ index 39ea221..616d6a8 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +261,29 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
  
@@ -31722,7 +35208,7 @@ index 39ea221..616d6a8 100644
  ')
  
  ########################################
-@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +302,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
  
  corecmd_exec_bin(audisp_remote_t)
  
@@ -31730,7 +35216,7 @@ index 39ea221..616d6a8 100644
  corenet_all_recvfrom_netlabel(audisp_remote_t)
  corenet_tcp_sendrecv_generic_if(audisp_remote_t)
  corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +313,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -31750,7 +35236,7 @@ index 39ea221..616d6a8 100644
  
  sysnet_dns_name_resolve(audisp_remote_t)
  
-@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +367,6 @@ files_read_etc_files(klogd_t)
  
  logging_send_syslog_msg(klogd_t)
  
@@ -31758,12 +35244,12 @@ index 39ea221..616d6a8 100644
  
  mls_file_read_all_levels(klogd_t)
  
-@@ -354,12 +392,12 @@ optional_policy(`
+@@ -354,12 +394,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
  dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 { syslog block_suspend };
  # setpgid for metalog
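Review bot: `net_raw` joins syslogd_t's capability set here and `allow syslogd_t self:rawip_socket create_socket_perms;` follows in the next hunk, so the log daemon can now open raw IP sockets with no comment saying which output module needs them; a raw socket lets the process emit arbitrary IP packets, which weakens what confining syslogd buys. Name the feature that needs it in a comment above the allow line and consider gating both rules behind a tunable, as this patch already does for terminal access with `logging_syslogd_use_tty`. The rewritten capability list also still carries `setuid setgid` twice; the duplicate pair can be dropped.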
@@ -31774,15 +35260,18 @@ index 39ea221..616d6a8 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -367,8 +407,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+ allow syslogd_t self:fifo_file rw_fifo_file_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
++allow syslogd_t self:rawip_socket create_socket_perms;
  
  allow syslogd_t syslog_conf_t:file read_file_perms;
 +allow syslogd_t syslog_conf_t:dir list_dir_perms;
  
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -377,6 +419,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -31790,7 +35279,7 @@ index 39ea221..616d6a8 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,28 +429,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -31835,7 +35324,7 @@ index 39ea221..616d6a8 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -417,6 +473,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -31844,7 +35333,7 @@ index 39ea221..616d6a8 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +485,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -31872,7 +35361,7 @@ index 39ea221..616d6a8 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +517,19 @@ files_read_kernel_symbol_table(syslogd_t)
  files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
@@ -31892,7 +35381,7 @@ index 39ea221..616d6a8 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +538,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +541,11 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -31907,7 +35396,16 @@ index 39ea221..616d6a8 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -502,15 +579,40 @@ optional_policy(`
+@@ -492,6 +572,8 @@ optional_policy(`
+ optional_policy(`
+ 	cron_manage_log_files(syslogd_t)
+ 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
++	cron_generic_log_filetrans_log(syslogd_t, file, "cron")
++
+ ')
+ 
+ optional_policy(`
+@@ -502,15 +584,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31948,7 +35446,7 @@ index 39ea221..616d6a8 100644
  ')
  
  optional_policy(`
-@@ -521,3 +623,26 @@ optional_policy(`
+@@ -521,3 +628,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -31976,7 +35474,7 @@ index 39ea221..616d6a8 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..b250b3e 100644
+index 879bb1e..633e449 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
 @@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
@@ -32091,20 +35589,72 @@ index 879bb1e..b250b3e 100644
  
  #
  # /var
-@@ -97,5 +168,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +168,9 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 +/var/lock/dmraid(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 +/var/run/lvm(/.*)?     gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/multipathd(/.*)?   gen_context(system_u:object_r:lvm_var_run_t,s0)
  /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
  /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..51e9872 100644
+index 58bc27f..f887230 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
+@@ -86,6 +86,50 @@ interface(`lvm_read_config',`
+ 
+ ########################################
+ ## <summary>
++##	Read LVM configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`lvm_read_metadata',`
++	gen_require(`
++        type lvm_etc_t;
++		type lvm_metadata_t;
++	')
++
++	files_search_etc($1)
++	allow $1 lvm_etc_t:dir list_dir_perms;
++	read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
++')
++
++########################################
++## <summary>
++##	Read LVM configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`lvm_write_metadata',`
++	gen_require(`
++        type lvm_etc_t;
++		type lvm_metadata_t;
++	')
++
++	files_search_etc($1)
++	allow $1 lvm_etc_t:dir list_dir_perms;
++	write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
++')
++
++########################################
++## <summary>
+ ##	Manage LVM configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -123,3 +167,113 @@ interface(`lvm_domtrans_clvmd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
  ')
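Review bot: `lvm_write_metadata` carries the summary `Read LVM configuration files.` copied from `lvm_read_metadata`, and even for the read interface the summary says configuration files while the body grants access to `lvm_metadata_t`, not `lvm_etc_t`; write the summaries as `Read LVM metadata files.` and `Write LVM metadata files.`. Both bodies have `type lvm_etc_t;` indented with spaces and odd argument spacing in `read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)`, so use `read_files_pattern($1, lvm_metadata_t, lvm_metadata_t)` and the same form for the write call. Both are tagged `<rolecap/>`, which offers them to user-role capability sets; confirm that a user role should be able to write LVM metadata.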
@@ -32199,6 +35749,25 @@ index 58bc27f..51e9872 100644
 +
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to access check cert dirs/files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`lvm_dontaudit_access_check_lock',`
++	gen_require(`
++		type lvm_lock_t;
++	')
++
++    dontaudit $1 lvm_lock_t:dir audit_access;
++')
++
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
 index e8c59a5..b22837c 100644
 --- a/policy/modules/system/lvm.te
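Review bot: The summary of `lvm_dontaudit_access_check_lock` reads `Do not audit attempts to access check cert dirs/files.`, which was copied from a certificate interface and does not match an interface that dontaudits `audit_access` on `lvm_lock_t` directories; use `Do not audit access checks on LVM lock directories.`. The dontaudit line is indented with spaces where the file uses tabs, and the hunk appends an empty line after the closing `')` so lvm.if now ends in a blank line.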
@@ -32800,7 +36369,7 @@ index 9933677..ca14c17 100644
 +
 +/var/run/tmpfiles.d/kmod.conf --	gen_context(system_u:object_r:insmod_var_run_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..6375786 100644
+index 7449974..23bbbf2 100644
 --- a/policy/modules/system/modutils.if
 +++ b/policy/modules/system/modutils.if
 @@ -12,7 +12,7 @@
@@ -32857,7 +36426,57 @@ index 7449974..6375786 100644
  ##	Read the configuration options used when
  ##	loading modules.
  ## </summary>
-@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
+ 
+ ########################################
+ ## <summary>
++##	Allow send signal to insmod.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`modutils_signal_insmod',`
++	gen_require(`
++		type insmod_t;
++	')
++
++    allow $1 insmod_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Execute insmod in the insmod domain, and
+ ##	allow the specified role the insmod domain,
+ ##	and use the caller's terminal.  Has a sigchld
+@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
+ 	can_exec($1, insmod_exec_t)
+ ')
+ 
++#######################################
++## <summary>
++## Don't audit execute insmod in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`modutils_dontaudit_exec_insmod',`
++    gen_require(`
++        type insmod_exec_t;
++    ')
++
++    dontaudit $1 insmod_exec_t:file exec_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute depmod in the depmod domain.
+@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
  #
  interface(`modutils_run_update_mods',`
  	gen_require(`
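Review bot: The `domain` parameter of the new `modutils_signal_insmod` is documented as "Domain allowed to transition." but the interface only grants `allow $1 insmod_t:process signal;` and no domain transition; the usual wording for this shape is `##	Domain allowed access.`. The `allow` line uses four spaces while the surrounding interfaces use tabs, and `modutils_dontaudit_exec_insmod` below mixes a 39-character separator and untabbed doc comments with four-space body indentation, so both new interfaces read differently from the file around them. Consider normalising the indentation to tabs before this lands in the patch.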
@@ -32878,7 +36497,7 @@ index 7449974..6375786 100644
  ')
  
  ########################################
-@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',`
  	corecmd_search_bin($1)
  	can_exec($1, update_modules_exec_t)
  ')
@@ -33204,7 +36823,7 @@ index 72c746e..f035d9f 100644
 +/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 +/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..e432df3 100644
+index 4584457..8a190ae 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -33221,7 +36840,7 @@ index 4584457..e432df3 100644
  ')
  
  ########################################
-@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
+@@ -38,11 +45,140 @@ interface(`mount_domtrans',`
  #
  interface(`mount_run',`
  	gen_require(`
@@ -33326,6 +36945,24 @@ index 4584457..e432df3 100644
 +	files_search_pids($1)
 +')
 +
++#######################################
++## <summary>
++##	Do not audit attemps to write mount PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`mount_dontaudit_write_mount_pid',`
++	gen_require(`
++		type mount_var_run_t;
++	')
++
++	dontaudit $1 mount_var_run_t:file write;
++')
++
 +########################################
 +## <summary>
 +##	Manage mount PID files.
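Review bot: The summary of `mount_dontaudit_write_mount_pid` has a typo: "attemps" should be "attempts". The rule `dontaudit $1 mount_var_run_t:file write;` suppresses only the `write` permission; a caller that opens the PID file for writing is also checked for `open`, so with open permissions enabled an AVC for `{ open }` would still be logged, which defeats the purpose of the interface. If the intent is to silence that whole access, `dontaudit $1 mount_var_run_t:file { write open };` (or `write_file_perms`) is the more usual form — please confirm against the denial this was written for.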
@@ -33346,7 +36983,7 @@ index 4584457..e432df3 100644
  ')
  
  ########################################
-@@ -91,7 +209,7 @@ interface(`mount_signal',`
+@@ -91,7 +227,7 @@ interface(`mount_signal',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -33355,7 +36992,7 @@ index 4584457..e432df3 100644
  ##	</summary>
  ## </param>
  #
-@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +267,138 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -35601,7 +39238,7 @@ index 346a7cc..42a48b6 100644
 +/var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..0bd8d93 100644
+index 6944526..821e74c 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35635,6 +39272,15 @@ index 6944526..0bd8d93 100644
  ')
  
  ########################################
+@@ -212,7 +231,7 @@ interface(`sysnet_rw_dhcp_config',`
+ 	')
+ 
+ 	files_search_etc($1)
+-	allow $1 dhcp_etc_t:file rw_file_perms;
++	rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
+ ')
+ 
+ ########################################
 @@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',`
  		type dhcpc_state_t;
  	')
@@ -35840,8 +39486,11 @@ index 6944526..0bd8d93 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -690,8 +840,11 @@ interface(`sysnet_dns_name_resolve',`
+ 	corenet_tcp_sendrecv_dns_port($1)
+ 	corenet_udp_sendrecv_dns_port($1)
  	corenet_tcp_connect_dns_port($1)
++    corenet_tcp_connect_dnssec_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
 +	miscfiles_read_generic_certs($1)
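Review bot: `corenet_tcp_connect_dnssec_port($1)` is added to `sysnet_dns_name_resolve`, which every name-resolving domain calls, so this widens all of them to connect to the dnssec port, not just the one domain that triggered it; a short why-comment would make that deliberate, e.g. `	# local validating resolver answers on the dnssec port (see <bug or denial reference>)`. The line is also indented with four spaces while the neighbouring calls use a tab. The enclosing interface starts and ends outside the hunk.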
@@ -35849,7 +39498,7 @@ index 6944526..0bd8d93 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +873,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -35858,7 +39507,7 @@ index 6944526..0bd8d93 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +884,9 @@ interface(`sysnet_use_ldap',`
  	dev_read_urand($1)
  
  	sysnet_read_config($1)
@@ -35868,7 +39517,7 @@ index 6944526..0bd8d93 100644
  ')
  
  ########################################
-@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +908,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -35876,7 +39525,7 @@ index 6944526..0bd8d93 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +919,114 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -35953,8 +39602,46 @@ index 6944526..0bd8d93 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
 +')
++
++########################################
++## <summary>
++##	Transition to sysnet ifconfig named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sysnet_manage_ifconfig_run',`
++	gen_require(`
++		type ifconfig_var_run_t;
++	')
++
++	manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++	manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++	manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++')
++
++########################################
++## <summary>
++##	Transition to sysnet ifconfig named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sysnet_filetrans_named_content_ifconfig',`
++	gen_require(`
++		type ifconfig_var_run_t;
++	')
++
++	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
++')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..087fe08 100644
+index b7686d5..28f16ce 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
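Review bot: Both new interfaces carry the identical summary "Transition to sysnet ifconfig named content", but `sysnet_manage_ifconfig_run` grants `manage_*_pattern` on `ifconfig_var_run_t` and does no filetrans at all, so its doc is wrong; suggest `##	Manage ifconfig runtime files, directories and symlinks.` for it and keep the transition wording only on `sysnet_filetrans_named_content_ifconfig`. The manage interface also does not call `files_search_pids($1)`, so callers that do not already search `/var/run` may still be denied — worth confirming against the intended caller. The `Domain allowed access.` lines in both param blocks are indented with spaces rather than the file's tabs.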
@@ -36206,7 +39893,7 @@ index b7686d5..087fe08 100644
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
-@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +333,31 @@ kernel_rw_net_sysctls(ifconfig_t)
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
@@ -36230,6 +39917,7 @@ index b7686d5..087fe08 100644
 +files_dontaudit_rw_inherited_locks(ifconfig_t)
 +files_dontaudit_read_root_files(ifconfig_t)
 +files_rw_inherited_tmp_file(ifconfig_t)
++files_dontaudit_rw_var_files(ifconfig_t)
 +
  files_read_etc_files(ifconfig_t)
  files_read_etc_runtime_files(ifconfig_t)
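Review bot: `files_dontaudit_rw_var_files(ifconfig_t)` silences read/write denials on generic `var_t` files for ifconfig with no comment, and unlike the neighbouring `files_dontaudit_*` calls it is not obviously tied to a known harmless access pattern. A one-line why-comment above it, e.g. `# <which tool/script touches var_t files — reference the denial>`, would let a later reviewer judge whether it is still needed or is hiding a real misbehaviour. The enclosing block runs outside the hunk.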
@@ -36237,7 +39925,7 @@ index b7686d5..087fe08 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +370,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -36265,7 +39953,7 @@ index b7686d5..087fe08 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +394,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -36288,7 +39976,7 @@ index b7686d5..087fe08 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +420,11 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -36302,7 +39990,7 @@ index b7686d5..087fe08 100644
  ')
  
  optional_policy(`
-@@ -339,7 +432,15 @@ optional_policy(`
+@@ -339,7 +433,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36319,7 +40007,7 @@ index b7686d5..087fe08 100644
  ')
  
  optional_policy(`
-@@ -360,3 +461,13 @@ optional_policy(`
+@@ -360,3 +462,13 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -36388,10 +40076,10 @@ index 0000000..e9f1096
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..35b4178
+index 0000000..8bca1d7
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1400 @@
+@@ -0,0 +1,1440 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -37338,6 +41026,27 @@ index 0000000..35b4178
 +	allow $1 hostname_etc_t:file read_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Allow process to manage hostname config file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`systemd_hostnamed_manage_config',`
++	gen_require(`
++		type hostname_etc_t;
++	')
++
++	files_search_etc($1)
++	allow $1 hostname_etc_t:file manage_file_perms;
++    files_etc_filetrans($1, hostname_etc_t, file, "hostname")
++')
++
 +#######################################
 +## <summary>
 +##  Create objects in /run/systemd/generator directory
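Review bot: In `systemd_hostnamed_manage_config` the `files_etc_filetrans($1, hostname_etc_t, file, "hostname")` line is indented with four spaces while the two lines above it use a tab; since the interface is tagged `<rolecap/>` and will be pulled into role templates, it is worth matching the file's tab style before it spreads. Suggest `	files_etc_filetrans($1, hostname_etc_t, file, "hostname")`.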
@@ -37670,6 +41379,25 @@ index 0000000..35b4178
 +	allow $1 power_unit_file_t:service start;
 +')
 +
++########################################
++## <summary>
++##	Status power unit files domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`systemd_status_power_services',`
++	gen_require(`
++		type power_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 power_unit_file_t:service status;
++')
++
 +#######################################
 +## <summary>
 +##  Start power unit files domain.
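Review bot: The `domain` parameter of `systemd_status_power_services` is documented as "Domain allowed to transition.", but the interface grants only `allow $1 power_unit_file_t:service status;` plus `systemd_exec_systemctl`, with no transition. Suggest `##	Domain allowed access.` for the parameter and `##	Get the status of power unit files.` for the summary, which currently reads "Status power unit files domain." and does not parse.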
@@ -37794,10 +41522,10 @@ index 0000000..35b4178
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..f758960
+index 0000000..8c56513
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,650 @@
+@@ -0,0 +1,635 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -37881,6 +41609,7 @@ index 0000000..f758960
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
 +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
++allow systemd_logind_t self:capability2 block_suspend;
 +allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
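Review bot: The new `allow systemd_logind_t self:capability2 block_suspend;` has no rationale, while the `dac_override` grant directly above it does carry one; since `block_suspend` lets the process hold the system out of suspend, the reason deserves the same treatment. Presumably this is for logind's inhibitor locks — if so, `# block_suspend is for inhibitor locks that delay system suspend` above the line would document it; please confirm before adopting the wording.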
@@ -37908,6 +41637,7 @@ index 0000000..f758960
 +dev_getattr_all_blk_files(systemd_logind_t)
 +dev_rw_sysfs(systemd_logind_t)
 +dev_rw_input_dev(systemd_logind_t)
++dev_rw_dri(systemd_logind_t)
 +dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
 +dev_setattr_generic_usb_dev(systemd_logind_t)
@@ -37961,7 +41691,6 @@ index 0000000..f758960
 +init_dbus_chat(systemd_logind_t)
 +init_dbus_chat_script(systemd_logind_t)
 +init_read_script_state(systemd_logind_t)
-+init_read_state(systemd_logind_t)
 +init_rw_stream_sockets(systemd_logind_t)
 +
 +logging_send_syslog_msg(systemd_logind_t)
@@ -38043,7 +41772,7 @@ index 0000000..f758960
 +logging_send_syslog_msg(systemd_passwd_agent_t)
 +
 +userdom_use_user_ptys(systemd_passwd_agent_t)
-+userdom_use_inherited_user_ttys(systemd_passwd_agent_t)
++userdom_use_user_ttys(systemd_passwd_agent_t)
 +
 +optional_policy(`
 +	lvm_signull(systemd_passwd_agent_t)
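Review bot: Switching `systemd_passwd_agent_t` from `userdom_use_inherited_user_ttys` to `userdom_use_user_ttys` widens the domain from using tty descriptors it inherited to opening user ttys itself, and the hunk gives no reason. A comment such as `# agent opens the tty itself to prompt for the password (see <denial reference>)` would record why the inherited-only form was insufficient. The surrounding block continues outside the hunk.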
@@ -38081,31 +41810,8 @@ index 0000000..f758960
 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +fs_list_all(systemd_tmpfiles_t)
 +
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_lock_files(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
 +files_list_lost_found(systemd_tmpfiles_t)
 +
 +mls_file_read_all_levels(systemd_tmpfiles_t)
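Review bot: Replacing the two dozen targeted `files_*` rules for `systemd_tmpfiles_t` with `files_manage_non_auth_files` and `files_relabel_non_auth_files` moves tmpfiles from an enumerated set of pid, lock, tmp and spool types to manage-and-relabel over essentially every non-auth file type, which is a large step towards an unconfined file footprint for a daemon driven by `tmpfiles.d` configs. That may well be the intended trade-off given how many directories tmpfiles touches, but the hunk records none of the reasoning; a comment above the two calls stating that the enumerated list proved unmaintainable and pointing to the tracking reference would help the next reviewer. The removed relabel rules covered only specific dir/file types, so also worth confirming that `files_relabel_non_auth_files` is not broader than needed for the relabel side alone.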
@@ -38129,6 +41835,7 @@ index 0000000..f758960
 +logging_create_devlog_dev(systemd_tmpfiles_t)
 +logging_send_syslog_msg(systemd_tmpfiles_t)
 +logging_setattr_all_log_dirs(systemd_tmpfiles_t)
++logging_relabel_all_log_dirs(systemd_tmpfiles_t)
 +
 +miscfiles_filetrans_named_content(systemd_tmpfiles_t)
 +miscfiles_manage_man_pages(systemd_tmpfiles_t)
@@ -38308,7 +42015,6 @@ index 0000000..f758960
 +dev_read_sysfs(systemd_hostnamed_t)
 +
 +init_status(systemd_hostnamed_t)
-+init_read_state(systemd_hostnamed_t)
 +init_stream_connect(systemd_hostnamed_t)
 +
 +logging_send_syslog_msg(systemd_hostnamed_t)
@@ -38407,7 +42113,7 @@ index 0000000..f758960
 +#
 +# systemd_sysctl domains local policy
 +#
-+allow systemd_sysctl_t self:capability net_admin;
++allow systemd_sysctl_t self:capability { sys_admin net_admin };
 +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_sysctl_t)
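Review bot: `allow systemd_sysctl_t self:capability { sys_admin net_admin };` adds `sys_admin` to the sysctl helper with no note of which sysctl write needs it, and `sys_admin` is the broadest capability in the set. A why-comment naming the triggering sysctl, e.g. `# sys_admin: needed to write <sysctl path — confirm from the denial>`, would keep this from being copied forward blindly.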
@@ -38428,6 +42134,7 @@ index 0000000..f758960
 +# Common rules for systemd domains
 +#
 +allow systemd_domain self:process { setfscreate signal_perms };
++dontaudit systemd_domain self:capability net_admin;
 +
 +dev_read_urand(systemd_domain)
 +
@@ -38436,6 +42143,11 @@ index 0000000..f758960
 +files_read_usr_files(systemd_domain)
 +
 +init_search_pid_dirs(systemd_domain)
++init_start_transient_unit(systemd_domain)
++init_stop_transient_unit(systemd_domain)
++init_status_transient_unit(systemd_domain)
++init_reload_transient_unit(systemd_domain)
++init_read_state(systemd_domain)
 +
 +logging_stream_connect_syslog(systemd_domain)
 +
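Review bot: The four `init_*_transient_unit(systemd_domain)` calls grant start, stop, status and reload of transient units to every domain carrying the `systemd_domain` attribute, not just the one that needs it; combined with `init_read_state` this is a meaningful widening of what any systemd helper may do to the init daemon. If only one or two of the component domains actually need transient-unit control, scoping the calls to those domains would be tighter; otherwise a comment stating that all systemd helpers are expected to manage transient units would document the choice.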
@@ -38448,6 +42160,7 @@ index 0000000..f758960
 +
 +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
 +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
++
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 40928d8..49fd32e 100644
 --- a/policy/modules/system/udev.fc
@@ -38746,7 +42459,7 @@ index 0f64692..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..de9d585 100644
+index a5ec88b..f10561b 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -38937,7 +42650,7 @@ index a5ec88b..de9d585 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -226,19 +248,34 @@ optional_policy(`
+@@ -226,19 +248,38 @@ optional_policy(`
  
  optional_policy(`
  	cups_domtrans_config(udev_t)
@@ -38964,6 +42677,10 @@ index a5ec88b..de9d585 100644
 +
 +optional_policy(`
 +	gpsd_domtrans(udev_t)
++')
++
++optional_policy(`
++	kdump_systemctl(udev_t)
  ')
  
  optional_policy(`
@@ -38972,7 +42689,7 @@ index a5ec88b..de9d585 100644
  ')
  
  optional_policy(`
-@@ -264,6 +301,10 @@ optional_policy(`
+@@ -264,6 +305,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38983,7 +42700,7 @@ index a5ec88b..de9d585 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -278,6 +319,15 @@ optional_policy(`
+@@ -278,6 +323,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38999,7 +42716,7 @@ index a5ec88b..de9d585 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -290,6 +340,7 @@ optional_policy(`
+@@ -290,6 +344,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -39804,10 +43521,10 @@ index 0280b32..61f19e9 100644
 -')
 +attribute unconfined_services;
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..65191bd 100644
+index db75976..4ca3a28 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,28 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -39828,10 +43545,17 @@ index db75976..65191bd 100644
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs/.*	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
++HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
++
++/tmp/hsperfdata_root        gen_context(system_u:object_r:user_tmp_t,s0)
++/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
++
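Review bot: The three `HOME_DIR/\.texlive201[2-4]` entries differ only in the year and will need a new line every release; if future years are meant to be covered, `HOME_DIR/\.texlive20[0-9][0-9](/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)` replaces all three. The two `hsperfdata_root` lines are indented with spaces where the file otherwise uses tabs. `texlive_home_t` is not declared anywhere in this hunk, so presumably it comes from a `.te` change elsewhere in the patch — worth confirming the type exists before the file_contexts entry references it.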
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..2890de8 100644
+index 3c5dba7..333f640 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40421,7 +44145,7 @@ index 3c5dba7..2890de8 100644
  	')
  ')
  
-@@ -491,7 +659,8 @@ template(`userdom_common_user_template',`
+@@ -491,51 +659,63 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -40431,7 +44155,10 @@ index 3c5dba7..2890de8 100644
  
  	##############################
  	#
-@@ -501,41 +670,51 @@ template(`userdom_common_user_template',`
+ 	# User domain Local policy
+ 	#
++	allow $1_t self:packet_socket create_socket_perms;
+ 
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -40506,7 +44233,7 @@ index 3c5dba7..2890de8 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +725,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +726,128 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -40601,6 +44328,10 @@ index 3c5dba7..2890de8 100644
 +			evolution_alarm_dbus_chat($1_usertype)
 +		')
 +
++        optional_policy(`
++            firewalld_dbus_chat($1_usertype)
++        ')
++
 +		optional_policy(`
 +			gnome_dbus_chat_gconfdefault($1_usertype)
 +		')
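Review bot: The new `firewalld_dbus_chat($1_usertype)` `optional_policy` block is indented with spaces while every neighbouring block in the template uses tabs, which shows up immediately in a diff and in editors with tab display; the `memcached_stream_connect($1_usertype)` block in the next hunk has the same problem. Suggest re-indenting both to two tabs like the surrounding `optional_policy(\`` blocks. The enclosing template starts and ends outside the hunk.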
@@ -40615,6 +44346,10 @@ index 3c5dba7..2890de8 100644
 +			kde_dbus_chat_backlighthelper($1_usertype)
  		')
  
++        optional_policy(`
++            memcached_stream_connect($1_usertype)
++        ')
++
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
 +			modemmanager_dbus_chat($1_usertype)
@@ -40665,7 +44400,7 @@ index 3c5dba7..2890de8 100644
  	')
  
  	optional_policy(`
-@@ -642,23 +848,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +857,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -40694,7 +44429,7 @@ index 3c5dba7..2890de8 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +875,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +884,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -40703,7 +44438,7 @@ index 3c5dba7..2890de8 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +884,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +893,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -40716,7 +44451,7 @@ index 3c5dba7..2890de8 100644
  		')
  	')
  
-@@ -693,32 +897,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +906,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -40726,27 +44461,31 @@ index 3c5dba7..2890de8 100644
 +
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
++	')
++
++	optional_policy(`
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
-+		seunshare_role_template($1, $1_r, $1_t)
++		slrnpull_search_spool($1_usertype)
  	')
  
  	optional_policy(`
@@ -40755,15 +44494,11 @@ index 3c5dba7..2890de8 100644
 -		virt_home_filetrans_virt_content($1_t, dir, "isos")
 -		virt_home_filetrans_svirt_home($1_t, dir, "qemu")
 -		virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")	
-+		slrnpull_search_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		thumb_role($1_r, $1_usertype)
  	')
  ')
  
-@@ -743,17 +950,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +959,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -40780,9 +44515,7 @@ index 3c5dba7..2890de8 100644
 -	userdom_manage_tmpfs_role($1_r, $1_t)
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable($1_exec_content, true)
 +
@@ -40793,7 +44526,9 @@ index 3c5dba7..2890de8 100644
 +		tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +		tunable_policy(`$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -40801,7 +44536,7 @@ index 3c5dba7..2890de8 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +984,101 @@ template(`userdom_login_user_template', `
+@@ -761,83 +993,107 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -40895,8 +44630,7 @@ index 3c5dba7..2890de8 100644
 +	seutil_read_file_contexts($1_usertype)
 +	seutil_read_default_contexts($1_usertype)
 +	seutil_exec_setfiles($1_usertype)
- 
--	seutil_read_config($1_t)
++
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
@@ -40908,38 +44642,45 @@ index 3c5dba7..2890de8 100644
 +		init_write_key($1_usertype)
 +	')
  
+-	seutil_read_config($1_t)
++	optional_policy(`
++		mysql_filetrans_named_content($1_usertype)
++	')
+ 
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		mysql_filetrans_named_content($1_usertype)
++		mta_dontaudit_read_spool_symlinks($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_use($1_t)
-+		mta_dontaudit_read_spool_symlinks($1_usertype)
++		quota_dontaudit_getattr_db($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_dontaudit_read_spool_symlinks($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
++		rpm_read_db($1_usertype)
++		rpm_dontaudit_manage_db($1_usertype)
++		rpm_read_cache($1_usertype)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
-+		rpm_read_cache($1_usertype)
++		oddjob_run_mkhomedir($1_t, $1_r)
  	')
  
  	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
-+		oddjob_run_mkhomedir($1_t, $1_r)
++		wine_filetrans_named_content($1_usertype)
  	')
++
  ')
  
-@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',`
+ #######################################
+@@ -868,6 +1124,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -40952,7 +44693,7 @@ index 3c5dba7..2890de8 100644
  	##############################
  	#
  	# Local policy
-@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1169,99 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -41041,57 +44782,60 @@ index 3c5dba7..2890de8 100644
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			cups_dbus_chat($1_usertype)
-+			cups_dbus_chat_config($1_usertype)
-+		')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
++			cups_dbus_chat($1_usertype)
++			cups_dbus_chat_config($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
-+			fprintd_dbus_chat($1_t)
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
  		')
  
  		optional_policy(`
 -			gnome_role_template($1, $1_r, $1_t)
++			fprintd_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			realmd_dbus_chat($1_t)
  		')
  
  		optional_policy(`
-@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,17 +1270,38 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
 -		java_role($1_r, $1_t)
 +		policykit_role($1_r, $1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_dontaudit_stream_connect($1_t)
 +		pulseaudio_role($1_r, $1_usertype)
 +		pulseaudio_filetrans_admin_home_content($1_usertype)
-+	')
-+
+ 	')
+-')
+ 
+-#######################################
+-## <summary>
+-##	The template for creating a unprivileged user roughly
 +	optional_policy(`
 +		rtkit_scheduled($1_usertype)
 +	')
 +
 +	optional_policy(`
 +		systemd_filetrans_home_content($1_usertype)
- 	')
- 
- 	optional_policy(`
- 		setroubleshoot_dontaudit_stream_connect($1_t)
- 	')
--')
- 
--#######################################
++	')
++
++	optional_policy(`
++		setroubleshoot_dontaudit_stream_connect($1_t)
++	')
++
 +	optional_policy(`
 +		udev_read_db($1_usertype)
 +	')
@@ -41102,10 +44846,12 @@ index 3c5dba7..2890de8 100644
 +')
 +
 +#######################################
- ## <summary>
- ##	The template for creating a unprivileged user roughly
++## <summary>
++##	The template for creating a unprivileged user roughly
  ##	equivalent to a regular linux user.
-@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', `
+ ## </summary>
+ ## <desc>
+@@ -990,27 +1330,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -41143,7 +44889,7 @@ index 3c5dba7..2890de8 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1367,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -41195,26 +44941,26 @@ index 3c5dba7..2890de8 100644
 +
 +	optional_policy(`
 +		gpm_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1429,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -41225,7 +44971,7 @@ index 3c5dba7..2890de8 100644
  	')
  ')
  
-@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1467,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -41236,7 +44982,7 @@ index 3c5dba7..2890de8 100644
  	')
  
  	##############################
-@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',`
+@@ -1098,6 +1485,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -41244,25 +44990,24 @@ index 3c5dba7..2890de8 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',`
+@@ -1108,14 +1496,8 @@ template(`userdom_admin_user_template',`
+ 	# $1_t local policy
  	#
  
- 	allow $1_t self:capability ~{ sys_module audit_control audit_write };
-+	allow $1_t self:capability2 { block_suspend syslog };
- 	allow $1_t self:process { setexec setfscreate };
- 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
- 	allow $1_t self:tun_socket create;
-@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',`
- 	# Skip authentication when pam_rootok is specified.
- 	allow $1_t self:passwd rootok;
- 
+-	allow $1_t self:capability ~{ sys_module audit_control audit_write };
+-	allow $1_t self:process { setexec setfscreate };
+-	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+-	allow $1_t self:tun_socket create;
+-	# Set password information for other users.
+-	allow $1_t self:passwd { passwd chfn chsh };
+-	# Skip authentication when pam_rootok is specified.
+-	allow $1_t self:passwd rootok;
 +	# Manipulate other users crontab.
 +	allow $1_t self:passwd crontab;
-+
+ 
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
- 	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1513,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -41270,7 +45015,7 @@ index 3c5dba7..2890de8 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1531,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -41285,7 +45030,7 @@ index 3c5dba7..2890de8 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1549,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -41328,7 +45073,7 @@ index 3c5dba7..2890de8 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1590,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -41337,7 +45082,7 @@ index 3c5dba7..2890de8 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1599,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -41356,7 +45101,7 @@ index 3c5dba7..2890de8 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',`
+@@ -1243,7 +1645,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -41365,7 +45110,7 @@ index 3c5dba7..2890de8 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1655,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -41374,7 +45119,7 @@ index 3c5dba7..2890de8 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1669,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -41386,7 +45131,7 @@ index 3c5dba7..2890de8 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1683,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -41429,7 +45174,7 @@ index 3c5dba7..2890de8 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1768,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -41448,7 +45193,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1819,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -41500,7 +45245,7 @@ index 3c5dba7..2890de8 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1968,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -41532,7 +45277,7 @@ index 3c5dba7..2890de8 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2034,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -41547,7 +45292,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2057,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -41559,7 +45304,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2118,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -41602,7 +45347,7 @@ index 3c5dba7..2890de8 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2233,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -41611,7 +45356,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2268,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -41626,7 +45371,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2298,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -41653,7 +45398,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2326,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -41736,7 +45481,7 @@ index 3c5dba7..2890de8 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2409,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41762,7 +45507,7 @@ index 3c5dba7..2890de8 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2458,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -41800,7 +45545,7 @@ index 3c5dba7..2890de8 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2498,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -41818,7 +45563,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2546,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41827,7 +45572,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1949,19 +2554,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41851,7 +45596,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,21 +2572,75 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -41875,91 +45620,38 @@ index 3c5dba7..2890de8 100644
  ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_relabel_user_home_content_files',`
++##	</summary>
++## </param>
++#
 +interface(`userdom_delete_user_home_content_sock_files',`
- 	gen_require(`
- 		type user_home_t;
- 	')
- 
--	dontaudit $1 user_home_t:file relabel_file_perms;
++	gen_require(`
++		type user_home_t;
++	')
++
 +	allow $1 user_home_t:sock_file delete_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read user home subdirectory symbolic links.
-+##	Delete all sock files in a user home subdirectory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_user_home_content_symlinks',`
-+interface(`userdom_delete_all_user_home_content_sock_files',`
- 	gen_require(`
--		type user_home_dir_t, user_home_t;
-+		attribute user_home_type;
- 	')
- 
--	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--	files_search_home($1)
-+	allow $1 user_home_type:sock_file delete_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Execute user home files.
-+##	Delete all files in a user home subdirectory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`userdom_exec_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content',`
- 	gen_require(`
--		type user_home_dir_t, user_home_t;
-+		attribute user_home_type;
- 	')
- 
--	files_search_home($1)
--	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+	allow $1 user_home_type:dir_file_class_set delete_file_perms;
 +')
- 
--	tunable_policy(`use_nfs_home_dirs',`
--		fs_exec_nfs_files($1)
++
 +########################################
 +## <summary>
-+##	Do not audit attempts to write user home files.
++##	Delete all sock files in a user home subdirectory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_relabel_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_sock_files',`
 +	gen_require(`
-+		type user_home_t;
- 	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
-+	dontaudit $1 user_home_t:file relabel_file_perms;
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:sock_file delete_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read user home subdirectory symbolic links.
++##	Delete all files in a user home subdirectory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
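Review bot: The summary of `userdom_delete_all_user_home_content` on the new side reads "Delete all files in a user home subdirectory", but its rule is `allow $1 user_home_type:dir_file_class_set delete_file_perms;`, which also covers directories, symlinks, sockets and fifos. Suggest `##	Delete all user home content of any file class (files, dirs, symlinks, sockets, fifos).` so callers can see it is broader than the sibling `*_files` and `*_sock_files` interfaces. This hunk otherwise only reorders the three interfaces relative to the previous version of the patch; the rules themselves are unchanged.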
@@ -41967,42 +45659,60 @@ index 3c5dba7..2890de8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content',`
 +	gen_require(`
-+		type user_home_dir_t, user_home_t;
- 	')
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:dir_file_class_set delete_file_perms;
++')
 +
++########################################
++## <summary>
++##	Do not audit attempts to write user home files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -2010,8 +2667,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+ 		type user_home_dir_t, user_home_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-	files_search_home($1)
 +	allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;
  ')
  
  ########################################
- ## <summary>
-+##	Execute user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`userdom_exec_user_home_content_files',`
-+	gen_require(`
+@@ -2027,20 +2683,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+ #
+ interface(`userdom_exec_user_home_content_files',`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
 +		type user_home_dir_t;
 +		attribute user_home_type;
-+	')
-+
-+	files_search_home($1)
+ 	')
+ 
+ 	files_search_home($1)
+-	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
-+	')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to execute user home files.
- ## </summary>
- ## <param name="domain">
-@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ 	')
+-')
+ 
+ ########################################
+ ## <summary>
+@@ -2123,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
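Review bot: On the new side of the inner `@@ -2027,20 +2683,14 @@` hunk, `userdom_exec_user_home_content_files` ends up closed by the tab-indented `	')` left over from the removed `use_samba_home_dirs` block while the original column-0 `')` is deleted; m4 still balances, but every other interface in this file closes at column 0. Keeping `')` as context and dropping the indented `	')` instead would preserve that convention. Separately, this interface no longer grants exec on NFS/CIFS homes at all; the hunk at 44236 reintroduces that under `$1_exec_content` in the user template, so any other caller of this interface loses it, which deserves a comment here if intended.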
@@ -42011,7 +45721,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -42035,7 +45745,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -42051,7 +45761,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -42066,7 +45776,7 @@ index 3c5dba7..2890de8 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -42075,7 +45785,34 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2541,6 +3189,26 @@ interface(`userdom_manage_user_tmp_files',`
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete user
++##	temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_filetrans_named_user_tmp_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++    files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
++	files_search_tmp($1)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete user
+ ##	temporary symbolic links.
+ ## </summary>
+ ## <param name="domain">
+@@ -2664,6 +3332,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -42101,7 +45838,7 @@ index 3c5dba7..2890de8 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3367,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -42117,7 +45854,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3395,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -42126,7 +45863,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3403,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -42161,7 +45898,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3521,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -42186,7 +45923,7 @@ index 3c5dba7..2890de8 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3557,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -42229,7 +45966,7 @@ index 3c5dba7..2890de8 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3593,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -42267,7 +46004,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3638,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -42297,7 +46034,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3730,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -42398,7 +46135,7 @@ index 3c5dba7..2890de8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3799,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -42413,7 +46150,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3868,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -42422,7 +46159,7 @@ index 3c5dba7..2890de8 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3884,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -42456,7 +46193,7 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3972,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -42483,107 +46220,37 @@ index 3c5dba7..2890de8 100644
  ')
  
  ########################################
-@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +4045,83 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
 -	allow $1 user_tmp_t:file write_file_perms;
 +	write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to use user ttys.
-+##	Do not audit attempts to write users
-+##	temporary files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_dontaudit_write_user_tmp_files',`
- 	gen_require(`
--		type user_tty_device_t;
-+		type user_tmp_t;
- 	')
- 
--	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+	dontaudit $1 user_tmp_t:file write;
- ')
- 
- ########################################
- ## <summary>
--##	Read the process state of all user domains.
-+##	Do not audit attempts to delete users
-+##	temporary files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
- 	gen_require(`
--		attribute userdomain;
-+		type user_tmp_t;
- 	')
- 
--	read_files_pattern($1, userdomain, userdomain)
--	kernel_search_proc($1)
-+	dontaudit $1 user_tmp_t:file delete_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of all user domains.
-+##	Do not audit attempts to read/write users
-+##	temporary fifo files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- 	gen_require(`
--		attribute userdomain;
-+		type user_tmp_t;
-+	')
-+
-+	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to read/write inherited users
-+##	fifo files.
++##	Do not audit attempts to write users
++##	temporary files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
 +	gen_require(`
-+		attribute userdomain;
++		type user_tmp_t;
 +	')
 +
-+	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit $1 user_tmp_t:file write;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to use user ttys.
++##	Do not audit attempts to delete users
++##	temporary files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -42591,37 +46258,37 @@ index 3c5dba7..2890de8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
 +	gen_require(`
-+		type user_tty_device_t;
++		type user_tmp_t;
 +	')
 +
-+	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
++	dontaudit $1 user_tmp_t:file delete_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read the process state of all user domains.
++##	Do not audit attempts to read/write users
++##	temporary fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
 +	gen_require(`
-+		attribute userdomain;
++		type user_tmp_t;
 +	')
 +
-+	read_files_pattern($1, userdomain, userdomain)
-+	read_lnk_files_pattern($1,userdomain,userdomain)
-+	kernel_search_proc($1)
++	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of all user domains.
++##	Allow domain to read/write inherited users
++##	fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -42629,13 +46296,33 @@ index 3c5dba7..2890de8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_getattr_all_users',`
++interface(`userdom_rw_inherited_user_pipes',`
 +	gen_require(`
 +		attribute userdomain;
++	')
++
++	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+ 
+ ########################################
+@@ -3290,7 +4139,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+ 		type user_tty_device_t;
  	')
  
- 	allow $1 userdomain:process getattr;
-@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',`
+-	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+@@ -3309,6 +4158,7 @@ interface(`userdom_read_all_users_state',`
+ 	')
+ 
+ 	read_files_pattern($1, userdomain, userdomain)
++	read_lnk_files_pattern($1,userdomain,userdomain)
+ 	kernel_search_proc($1)
+ ')
+ 
+@@ -3385,6 +4235,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -42678,7 +46365,7 @@ index 3c5dba7..2890de8 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4291,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -42703,7 +46390,32 @@ index 3c5dba7..2890de8 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3423,6 +4327,24 @@ interface(`userdom_create_all_users_keys',`
+ 
+ ########################################
+ ## <summary>
++##	Manage keys for all user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_all_users_keys',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	allow $1 userdomain:key manage_key_perms;
++')
++
++########################################
++## <summary>
+ ##	Send a dbus message to all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -3438,4 +4360,1661 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -42832,6 +46544,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:dir search_dir_perms;
 +')
 +
@@ -42850,6 +46563,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:dir list_dir_perms;
 +')
 +
@@ -42868,6 +46582,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:dir list_dir_perms;
 +')
 +
@@ -42886,8 +46601,9 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:dir search_dir_perms;
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -42905,7 +46621,7 @@ index 3c5dba7..2890de8 100644
 +	')
 +
 +	allow $1 unpriv_userdomain:sem rw_sem_perms;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -42980,6 +46696,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	read_files_pattern($1, admin_home_t, admin_home_t)
 +')
 +
@@ -42999,6 +46716,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:file delete_file_perms;
 +')
 +
@@ -43018,6 +46736,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	exec_files_pattern($1, admin_home_t, admin_home_t)
 +')
 +
@@ -43166,6 +46885,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	filetrans_pattern($1, admin_home_t, $2, $3, $4)
 +')
 +
@@ -43207,25 +46927,6 @@ index 3c5dba7..2890de8 100644
 +
 +########################################
 +## <summary>
-+##	Manage keys for all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_manage_all_users_keys',`
-+	gen_require(`
-+		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:key manage_key_perms;
-+')
-+
-+
-+########################################
-+## <summary>
 +##	Do not audit attempts to read and write
 +##	unserdomain stream.
 +## </summary>
@@ -43417,6 +47118,31 @@ index 3c5dba7..2890de8 100644
 +        read_lnk_files_pattern($1, audio_home_t, audio_home_t)
 +')
 +
++######################################
++## <summary>
++##      Manage texlive content in the users homedir.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_manage_home_texlive',`
++        gen_require(`
++                type texlive_home_t;
++        ')
++
++    userdom_search_user_home_dirs($1)
++	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
++	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
++	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
++    manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
++    manage_files_pattern($1, texlive_home_t, texlive_home_t)
++	manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++')
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to write all user home content files.
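Review bot: `userdom_manage_home_texlive` mixes three indentation styles (eight spaces in `gen_require`, four spaces and tabs in the body) and its header rule is two characters shorter than the `########################################` used by the surrounding interfaces; normalising to tabs and the 40-character rule keeps it consistent with the file. The `.texlive2012`/`.texlive2013`/`.texlive2014` filetrans list is also duplicated verbatim in userdomain.te in the hunk at 44578, so every new TeX Live release has to be added in two places; a comment such as `# keep in sync with the texlive_home_t filetrans list in userdomain.te` at both sites would at least flag that coupling.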
@@ -43661,6 +47387,7 @@ index 3c5dba7..2890de8 100644
 +		type admin_home_t;
 +	')
 +
++	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:file read_file_perms;
 +')
 +
@@ -44236,6 +47963,22 @@ index 3c5dba7..2890de8 100644
 +	ubac_constrained($1_t)
 +
 +	auth_use_nsswitch($1_t)
++
++	ifelse(`$1',`unconfined',`',`
++		gen_tunable($1_exec_content, true)
++
++		tunable_policy(`$1_exec_content',`
++			userdom_exec_user_tmp_files($1_t)
++			userdom_exec_user_home_content_files($1_t)
++		')
++		tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
++                        fs_exec_nfs_files($1_t)
++		')
++
++		tunable_policy(`$1_exec_content && use_samba_home_dirs',`
++			fs_exec_cifs_files($1_t)
++		')
++	')
 +')
 +
 +########################################
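Review bot: The new `$1_exec_content` boolean is generated with no documentation of what it controls, although it decides whether a confined user domain may execute files from its home content, user tmp, and (together with the existing `use_nfs_home_dirs`/`use_samba_home_dirs` booleans) NFS and CIFS homes, and it defaults to on. A comment above `gen_tunable($1_exec_content, true)` such as `# $1_exec_content: allow $1_t to execute files in user home content and user tmp; default on, disable to block execution from user-writable locations` would record both the intent and the trade-off. The `fs_exec_nfs_files($1_t)` line is indented with spaces while its siblings use tabs. The enclosing template starts before this hunk.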
@@ -44335,7 +48078,7 @@ index 3c5dba7..2890de8 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..e0c6eeb 100644
+index e2b538b..0730c10 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
@@ -44424,7 +48167,7 @@ index e2b538b..e0c6eeb 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,382 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -44465,6 +48208,10 @@ index e2b538b..e0c6eeb 100644
 +userdom_user_home_content(audio_home_t)
 +ubac_constrained(audio_home_t)
 +
++type texlive_home_t;
++userdom_user_home_content(texlive_home_t)
++ubac_constrained(texlive_home_t)
++
 +type home_bin_t;
 +userdom_user_home_content(home_bin_t)
 +ubac_constrained(home_bin_t)
@@ -44480,12 +48227,15 @@ index e2b538b..e0c6eeb 100644
 +
 +allow userdomain userdomain:process signull;
 +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
++dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;
 +
 +# Nautilus causes this avc
 +domain_dontaudit_access_check(unpriv_userdomain)
 +dontaudit unpriv_userdomain self:dir setattr;
 +allow unpriv_userdomain self:key manage_key_perms;
 +
++mount_dontaudit_write_mount_pid(unpriv_userdomain)
++
 +optional_policy(`
 +	alsa_read_rw_config(unpriv_userdomain)
 +	alsa_manage_home_files(unpriv_userdomain)
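Review bot: The added `dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;` carries no comment naming the application that produces the denial, unlike the `# Nautilus causes this avc` note a few lines below it. A dontaudit permanently removes that AVC from the audit trail for every unprivileged user domain, so the reason should be recorded where the rule lives, e.g. `# <application> probes for raw sockets at startup; the denial is harmless` (fill in the actual trigger). The same applies to `mount_dontaudit_write_mount_pid(unpriv_userdomain)` added in this hunk.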
@@ -44578,6 +48328,9 @@ index e2b538b..e0c6eeb 100644
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
 +
 +optional_policy(`
 +	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
@@ -44660,8 +48413,21 @@ index e2b538b..e0c6eeb 100644
 +#
 +gen_require(`
 +	class context contains;
++    class passwd { passwd chfn chsh rootok };
 +')
 +
++allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };
++allow confined_admindomain self:capability2 { block_suspend syslog };
++allow confined_admindomain self:process { setexec setfscreate };
++allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv;
++allow confined_admindomain self:tun_socket create_socket_perms;
++allow confined_admindomain self:packet_socket create_socket_perms;
++
++# Set password information for other users.
++allow confined_admindomain self:passwd { passwd chfn chsh };
++# Skip authentication when pam_rootok is specified.
++allow confined_admindomain self:passwd rootok;
++
 +corecmd_shell_entry_type(confined_admindomain)
 +corecmd_bin_entry_type(confined_admindomain)
 +
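Review bot: `allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };` is a negated set, so it grants every other capability bit in the class (including sys_admin, sys_ptrace, dac_override, setuid) and, unlike an explicit list, also any capability that a future kernel/policy adds to the class. For a domain attribute that is described as "confined" an explicit allowlist of the capabilities the admin tools actually need would keep the grant auditable; if the broad grant is intentional, a comment stating that (`# confined admins get all capabilities except module loading and audit control`) belongs above the line. The `rootok` grant is documented, which is good, but it is worth noting in the same comment that every domain carrying confined_admindomain inherits it. The block this hunk edits begins and ends outside the hunk.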
@@ -44818,7 +48584,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..64e135a 100644
+index 6e91317..018d0a6 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -44928,7 +48694,7 @@ index 6e91317..64e135a 100644
 +#
 +# Service
 +#
-+define(`manage_service_perms', `{ start stop status reload } ')
++define(`manage_service_perms', `{ start stop status reload enable disable } ')
 diff --git a/policy/users b/policy/users
 index c4ebc7e..30d6d7a 100644
 --- a/policy/users
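Review bot: Extending `manage_service_perms` to `{ start stop status reload enable disable }` silently widens every existing interface that expands this macro, and `enable`/`disable` change the persistent unit state across reboots, which is a different trust level from the runtime start/stop/status/reload it previously covered. If only some callers need persistent enable/disable, a separate set such as `define(\`enable_service_perms', \`{ enable disable } ')` keeps the existing grant unchanged; otherwise a comment above the define should state that callers now get persistent unit changes. The callers are outside this hunk, so the actual impact needs checking against the rest of the patch.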
diff --git a/SOURCES/policy-f20-contrib.patch b/SOURCES/policy-f20-contrib.patch
index f874adf..19dd80d 100644
--- a/SOURCES/policy-f20-contrib.patch
+++ b/SOURCES/policy-f20-contrib.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index e4f84de..2ed712d 100644
+index e4f84de..6098f52 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,30 +1,42 @@
+@@ -1,30 +1,46 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -40,25 +40,29 @@ index e4f84de..2ed712d 100644
 +/var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
 +/var/run/abrtd?\.socket		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
 +/var/run/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_run_t,s0)
++
++/var/spool/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/rhsm/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/tmp/abrt(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
  
 -/var/cache/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
 -/var/cache/abrt-di(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
 -/var/cache/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 -/var/cache/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/tmp/abrt(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
- 
--/var/log/abrt-logger.*	--	gen_context(system_u:object_r:abrt_var_log_t,s0)
 +# ABRT retrace server
 +/usr/bin/abrt-retrace-worker				--      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
 +/usr/bin/coredump2packages					--		gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
  
+-/var/log/abrt-logger.*	--	gen_context(system_u:object_r:abrt_var_log_t,s0)
++/var/cache/abrt-retrace(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/abrt-retrace(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/faf(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+ 
 -/var/run/abrt\.pid	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
 -/var/run/abrtd?\.lock	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
 -/var/run/abrtd?\.socket	-s	gen_context(system_u:object_r:abrt_var_run_t,s0)
 -/var/run/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/cache/abrt-retrace(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt-retrace(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
  
 -/var/spool/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
@@ -68,7 +72,7 @@ index e4f84de..2ed712d 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..702b716 100644
+index 058d908..cf17e67 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -99,16 +103,34 @@ index 058d908..702b716 100644
  
  ######################################
  ## <summary>
-@@ -40,7 +62,7 @@ interface(`abrt_exec',`
+@@ -40,7 +62,25 @@ interface(`abrt_exec',`
  
  ########################################
  ## <summary>
 -##	Send null signals to abrt.
++##	Send a signal to abrt.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`abrt_signal',`
++	gen_require(`
++		type abrt_t;
++	')
++
++	allow $1 abrt_t:process signal;
++')
++
++########################################
++## <summary>
 +##	Send a null signal to abrt.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -58,7 +80,7 @@ interface(`abrt_signull',`
+@@ -58,7 +98,7 @@ interface(`abrt_signull',`
  
  ########################################
  ## <summary>
@@ -117,7 +139,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
+@@ -71,12 +111,13 @@ interface(`abrt_read_state',`
  		type abrt_t;
  	')
  
@@ -132,7 +154,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
+@@ -116,8 +157,7 @@ interface(`abrt_dbus_chat',`
  
  #####################################
  ## <summary>
@@ -142,7 +164,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
+@@ -130,15 +170,13 @@ interface(`abrt_domtrans_helper',`
  		type abrt_helper_t, abrt_helper_exec_t;
  	')
  
@@ -160,7 +182,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',`
+@@ -154,17 +192,54 @@ interface(`abrt_domtrans_helper',`
  #
  interface(`abrt_run_helper',`
  	gen_require(`
@@ -190,60 +212,60 @@ index 058d908..702b716 100644
 +
 +	read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 +	read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++## <summary>
++##	Append abrt cache
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`abrt_append_cache',`
++	gen_require(`
++		type abrt_var_cache_t;
++	')
++
++	
++	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	abrt cache files.
-+##	Append abrt cache
++##	Read/Write inherited abrt cache
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
+@@ -172,15 +247,18 @@ interface(`abrt_run_helper',`
  ##	</summary>
  ## </param>
  #
 -interface(`abrt_cache_manage',`
 -	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
 -	abrt_manage_cache($1)
-+interface(`abrt_append_cache',`
++interface(`abrt_rw_inherited_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
 +	')
 +
 +	
-+	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	abrt cache content.
-+##	Read/Write inherited abrt cache
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`abrt_rw_inherited_cache',`
-+	gen_require(`
-+		type abrt_var_cache_t;
-+	')
-+
-+	
-+	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
 +##	Manage abrt cache
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
+@@ -193,7 +271,6 @@ interface(`abrt_manage_cache',`
  		type abrt_var_cache_t;
  	')
  
@@ -251,7 +273,7 @@ index 058d908..702b716 100644
  	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
  	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
  	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
+@@ -201,7 +278,7 @@ interface(`abrt_manage_cache',`
  
  ####################################
  ## <summary>
@@ -260,8 +282,30 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -220,7 +279,7 @@ interface(`abrt_read_config',`
+@@ -218,9 +295,29 @@ interface(`abrt_read_config',`
+ 	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+ ')
  
++####################################
++## <summary>
++##	Dontaudit read abrt configuration file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`abrt_dontaudit_read_config',`
++	gen_require(`
++		type abrt_etc_t;
++	')
++
++	files_search_etc($1)
++    dontaudit $1 abrt_etc_t:dir list_dir_perms;
++    dontaudit $1 abrt_etc_t:file read_file_perms;
++')
++
  ######################################
  ## <summary>
 -##	Read abrt log files.
@@ -269,7 +313,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',`
+@@ -258,8 +355,7 @@ interface(`abrt_read_pid_files',`
  
  ######################################
  ## <summary>
@@ -279,7 +323,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +372,51 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -333,7 +377,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +425,174 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -433,6 +477,7 @@ index 058d908..702b716 100644
 +	manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +	manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +	manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++    manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +')
 +
 +#####################################
@@ -453,7 +498,7 @@ index 058d908..702b716 100644
 +    list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +    read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +    read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
+ ')
 +
 +
 +#####################################
@@ -474,7 +519,7 @@ index 058d908..702b716 100644
 +    list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +    read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
- ')
++')
 +
 +########################################
 +## <summary>
@@ -516,11 +561,12 @@ index 058d908..702b716 100644
 +	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
 +	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
++	files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
 +	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..1ec0046 100644
+index cc43d25..23aea8e 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
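Review bot: The new `files_var_filetrans($1, abrt_var_cache_t, dir, "debug")` names a directory created directly under /var, but the abrt.fc hunk earlier in this file labels `/var/spool/debug(/.*)?` as abrt_var_cache_t and no `/var/debug` entry is added. If /var/spool/debug is the intended path, /var/spool is not var_t and this rule will never fire; `files_spool_filetrans($1, abrt_var_cache_t, dir, "debug")` would match the file context. If /var/debug really is meant, it needs a matching fc line so relabeling does not revert it. The interface this line sits in starts before the hunk.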
@@ -686,7 +732,7 @@ index cc43d25..1ec0046 100644
 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
 -dontaudit abrt_t self:capability sys_rawio;
 +allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
-+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
++dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
  allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
 +
  allow abrt_t self:fifo_file rw_fifo_file_perms;
@@ -756,7 +802,7 @@ index cc43d25..1ec0046 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +193,40 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -783,6 +829,8 @@ index cc43d25..1ec0046 100644
  
 +logging_read_generic_logs(abrt_t)
 +logging_send_syslog_msg(abrt_t)
++logging_stream_connect_syslog(abrt_t)
++logging_read_syslog_pid(abrt_t)
 +
  auth_use_nsswitch(abrt_t)
  
@@ -791,13 +839,14 @@ index cc43d25..1ec0046 100644
  
 +miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_public_files(abrt_t)
++miscfiles_dontaudit_access_check_cert(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
 +userdom_dontaudit_read_admin_home_files(abrt_t)
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +234,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -814,7 +863,7 @@ index cc43d25..1ec0046 100644
  ')
  
  optional_policy(`
-@@ -209,6 +243,20 @@ optional_policy(`
+@@ -209,6 +246,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -835,15 +884,19 @@ index cc43d25..1ec0046 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -220,6 +268,7 @@ optional_policy(`
- 	corecmd_exec_all_executables(abrt_t)
+@@ -221,6 +272,11 @@ optional_policy(`
  ')
  
-+# to install debuginfo packages
  optional_policy(`
++    puppet_read_lib(abrt_t)
++')
++
++# to install debuginfo packages
++optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +279,7 @@ optional_policy(`
+ 	rpm_manage_cache(abrt_t)
+@@ -230,6 +286,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -851,7 +904,7 @@ index cc43d25..1ec0046 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +290,17 @@ optional_policy(`
+@@ -240,9 +297,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -870,7 +923,7 @@ index cc43d25..1ec0046 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +311,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +318,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -885,7 +938,7 @@ index cc43d25..1ec0046 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +330,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +337,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -893,7 +946,7 @@ index cc43d25..1ec0046 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +339,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +346,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -914,7 +967,7 @@ index cc43d25..1ec0046 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +360,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +367,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -941,7 +994,7 @@ index cc43d25..1ec0046 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +396,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +403,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -955,7 +1008,7 @@ index cc43d25..1ec0046 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +414,11 @@ optional_policy(`
+@@ -330,10 +421,11 @@ optional_policy(`
  
  #######################################
  #
@@ -969,7 +1022,7 @@ index cc43d25..1ec0046 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +437,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +444,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1031,7 +1084,7 @@ index cc43d25..1ec0046 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +495,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +502,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1048,7 +1101,7 @@ index cc43d25..1ec0046 100644
  #
  
 -kernel_read_system_state(abrt_domain)
-+allow abrt_upload_watch_t self:capability dac_override;
++allow abrt_upload_watch_t self:capability { dac_override chown };
  
 -files_read_etc_files(abrt_domain)
 +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
@@ -1057,9 +1110,11 @@ index cc43d25..1ec0046 100644
 +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
 +
 +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
-+
+ 
+-logging_send_syslog_msg(abrt_domain)
 +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
-+
+ 
+-miscfiles_read_localization(abrt_domain)
 +corecmd_exec_bin(abrt_upload_watch_t)
 +
 +dev_read_urand(abrt_upload_watch_t)
@@ -1067,8 +1122,7 @@ index cc43d25..1ec0046 100644
 +files_search_spool(abrt_upload_watch_t)
 +
 +auth_read_passwd(abrt_upload_watch_t)
- 
--logging_send_syslog_msg(abrt_domain)
++
 +tunable_policy(`abrt_upload_watch_anon_write',`
 +    miscfiles_manage_public_files(abrt_upload_watch_t)
 +')
@@ -1081,8 +1135,7 @@ index cc43d25..1ec0046 100644
 +#
 +# Local policy for all abrt domain
 +#
- 
--miscfiles_read_localization(abrt_domain)
++
 +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
 +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
 +
@@ -1564,6 +1617,16 @@ index 72c33c2..6e4206c 100644
  
  optional_policy(`
  	modutils_domtrans_insmod(aiccu_t)
+diff --git a/aide.fc b/aide.fc
+index df6e4d0..4b99c25 100644
+--- a/aide.fc
++++ b/aide.fc
+@@ -3,4 +3,4 @@
+ /var/lib/aide(/.*)	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+ 
+ /var/log/aide(/.*)?	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+-/var/log/aide\.log	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
++/var/log/aide\.log.*	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
 diff --git a/aide.if b/aide.if
 index 01cbb67..94a4a24 100644
 --- a/aide.if
@@ -1985,7 +2048,7 @@ index 708b743..cc78465 100644
 +	ps_process_pattern($1, alsa_t)
  ')
 diff --git a/alsa.te b/alsa.te
-index cda6d20..443ce3c 100644
+index cda6d20..a80ddb9 100644
 --- a/alsa.te
 +++ b/alsa.te
 @@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
@@ -2014,7 +2077,7 @@ index cda6d20..443ce3c 100644
  allow alsa_t self:sem create_sem_perms;
  allow alsa_t self:shm create_shm_perms;
  allow alsa_t self:unix_stream_socket { accept listen };
-@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -51,7 +58,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
  manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  
@@ -2024,9 +2087,11 @@ index cda6d20..443ce3c 100644
 +files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
 +
  kernel_read_system_state(alsa_t)
++kernel_signal(alsa_t)
  
  corecmd_exec_bin(alsa_t)
-@@ -59,7 +71,6 @@ dev_read_sound(alsa_t)
+ 
+@@ -59,7 +72,6 @@ dev_read_sound(alsa_t)
  dev_read_sysfs(alsa_t)
  dev_write_sound(alsa_t)
  
@@ -2034,7 +2099,7 @@ index cda6d20..443ce3c 100644
  files_search_var_lib(alsa_t)
  
  term_dontaudit_use_console(alsa_t)
-@@ -72,8 +83,6 @@ init_use_fds(alsa_t)
+@@ -72,8 +84,6 @@ init_use_fds(alsa_t)
  
  logging_send_syslog_msg(alsa_t)
  
@@ -2064,7 +2129,7 @@ index 7f4dfbc..e5c9f45 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index ed45974..ec7bb41 100644
+index ed45974..f367ba0 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2102,7 +2167,7 @@ index ed45974..ec7bb41 100644
  filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
  
  allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
  corecmd_exec_shell(amanda_t)
  corecmd_exec_bin(amanda_t)
  
@@ -2114,11 +2179,12 @@ index ed45974..ec7bb41 100644
  corenet_tcp_bind_generic_node(amanda_t)
  
 +corenet_tcp_bind_amanda_port(amanda_t)
++corenet_udp_bind_amanda_port(amanda_t)
 +
  corenet_sendrecv_all_server_packets(amanda_t)
  corenet_tcp_bind_all_rpc_ports(amanda_t)
  corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
  
  dev_getattr_all_blk_files(amanda_t)
  dev_getattr_all_chr_files(amanda_t)
@@ -2126,7 +2192,7 @@ index ed45974..ec7bb41 100644
  
  files_read_etc_runtime_files(amanda_t)
  files_list_all(amanda_t)
-@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
  corecmd_exec_shell(amanda_recover_t)
  corecmd_exec_bin(amanda_recover_t)
  
@@ -2134,7 +2200,7 @@ index ed45974..ec7bb41 100644
  corenet_all_recvfrom_netlabel(amanda_recover_t)
  corenet_tcp_sendrecv_generic_if(amanda_recover_t)
  corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
  
  auth_use_nsswitch(amanda_recover_t)
  
@@ -2327,8 +2393,79 @@ index c960f92..486e9ed 100644
  
  optional_policy(`
  	nscd_dontaudit_search_pid(amtu_t)
+diff --git a/anaconda.fc b/anaconda.fc
+index b098089..258407b 100644
+--- a/anaconda.fc
++++ b/anaconda.fc
+@@ -1 +1,7 @@
+ # No file context specifications.
++
++/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
++/usr/sbin/anaconda      --  gen_context(system_u:object_r:install_exec_t,s0)
++
++/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
++/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
+diff --git a/anaconda.if b/anaconda.if
+index 14a61b7..21bbf36 100644
+--- a/anaconda.if
++++ b/anaconda.if
+@@ -1 +1,54 @@
+ ## <summary>Anaconda installer.</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run install.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`anaconda_domtrans_install',`
++	gen_require(`
++		type install_t, install_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, install_exec_t, install_t)
++')
++
++########################################
++## <summary>
++##	Execute install in the install
++##	domain, and allow the specified
++##	role the install domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`anaconda_run_install',`
++	gen_require(`
++		type install_t;
++		type install_exec_t;
++		attribute_role install_roles;
++	')
++
++	anaconda_domtrans_install($1)
++	roleattribute $2 install_roles;
++	role_transition $2 install_exec_t system_r;
++
++	optional_policy(`
++		rpm_transition_script(install_t, $2)
++	')
++')
++
 diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..9f23456 100644
+index 6f1384c..f226596 100644
 --- a/anaconda.te
 +++ b/anaconda.te
 @@ -4,6 +4,10 @@ gen_require(`
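Review bot: Labeling `/usr/bin/ostree` and `/usr/bin/rpm-ostree` as install_exec_t puts two general-purpose command-line tools on the entry path of install_t, which the anaconda.te hunks later in this file make a ptrace-all, mac_admin, `unconfined_domain_noaudit` domain, and `anaconda_run_install` additionally performs `role_transition $2 install_exec_t system_r;` for whatever role is passed in. The interface summary should say this plainly so callers understand what they are granting, e.g. `##	Execute install in the install domain; install_t is unconfined and runs in system_r.`, and it is worth confirming that ostree/rpm-ostree need the full domain rather than only anaconda. The install_t declarations and local policy are in the two following hunks.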
@@ -2342,7 +2479,22 @@ index 6f1384c..9f23456 100644
  ########################################
  #
  # Declarations
-@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t)
+@@ -16,6 +20,14 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
+ domain_obj_id_change_exemption(anaconda_t)
+ role system_r types anaconda_t;
+ 
++attribute_role install_roles;
++roleattribute system_r install_roles;
++
++type install_t;
++type install_exec_t;
++application_domain(install_t, install_exec_t)
++role install_roles types install_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -34,8 +46,9 @@ modutils_domtrans_insmod(anaconda_t)
  modutils_domtrans_depmod(anaconda_t)
  
  seutil_domtrans_semanage(anaconda_t)
@@ -2353,9 +2505,44 @@ index 6f1384c..9f23456 100644
  
  optional_policy(`
  	rpm_domtrans(anaconda_t)
+@@ -53,3 +66,34 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_domain_noaudit(anaconda_t)
+ ')
++
++########################################
++#
++# Local policy
++#
++
++allow install_t self:capability2 mac_admin;
++
++systemd_dbus_chat_localed(install_t)
++
++tunable_policy(`deny_ptrace',`',`
++	domain_ptrace_all_domains(install_t)
++')
++
++optional_policy(`
++    mount_run(install_t, install_roles)
++')
++
++optional_policy(`
++    networkmanager_dbus_chat(install_t)
++')
++
++optional_policy(`
++	seutil_run_setfiles_mac(install_t, install_roles)
++')
++
++optional_policy(`
++	unconfined_domain_noaudit(install_t)
++')
++
++
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
-index 0000000..e44bff0
+index 0000000..9d5214b
 --- /dev/null
 +++ b/antivirus.fc
 @@ -0,0 +1,43 @@
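Review bot: The new section header repeats `# Local policy`, which is already the heading of the anaconda_t section above it, so the file now has two identically named sections for different domains; `# install local policy` (matching the refpolicy convention of naming the domain) would make grep and review easier. Within the block the `mount_run` and `networkmanager_dbus_chat` optional_policy bodies are space-indented while `seutil_run_setfiles_mac` and `unconfined_domain_noaudit` use tabs. A one-line comment above `unconfined_domain_noaudit(install_t)` explaining why the installer needs the unconfined rules despite the targeted grants above it would help the next reader.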
@@ -2380,10 +2567,10 @@ index 0000000..e44bff0
 +
 +/var/clamav(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
 +
-+
 +/var/amavis(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/amavis(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamav(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/clamav-unofficial-sigs(/.*)?   gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamd.*					gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/opt/f-secure(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/spool/amavisd(/.*)?			gen_context(system_u:object_r:antivirus_db_t,s0)
@@ -3011,10 +3198,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..66ba451 100644
+index 550a69e..43bb1c9 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,200 @@
+@@ -1,161 +1,212 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3041,6 +3228,7 @@ index 550a69e..66ba451 100644
 +/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3058,6 +3246,7 @@ index 550a69e..66ba451 100644
 -/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
 -/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 -/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/thttpd\.conf       -- gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3098,6 +3287,7 @@ index 550a69e..66ba451 100644
 -/usr/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 -/usr/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 +/usr/share/jetty/bin/jetty.sh		--	gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/share/joomla(/.*)?                 gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  
 -/usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 +/usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
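Review bot: `/usr/share/joomla(/.*)?` is labeled httpd_sys_rw_content_t, making the entire application code tree writable by httpd, whereas the comparable `/usr/share/drupal.*` and `/usr/share/glpi(/.*)?` entries in this file are httpd_sys_content_t (read-only) with only their /etc and /var/lib data labeled rw. If joomla needs write access only to specific subdirectories (cache, tmp, logs, uploads), labeling just those as rw and leaving the rest read-only would keep the web server from modifying its own PHP sources; if the whole tree genuinely must be writable, a comment saying why would prevent a later "fix" back to read-only.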
@@ -3124,11 +3314,13 @@ index 550a69e..66ba451 100644
 -
 -ifdef(`distro_suse',`
 -/usr/sbin/httpd2-.*	--	gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/htcacheclean      --  gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/nginx         --  gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/php-fpm       --  gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 +/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
 +
 +ifdef(`distro_suse', `
 +/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -3167,6 +3359,7 @@ index 550a69e..66ba451 100644
 +/usr/share/drupal.*			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/doc/ghc/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +
++/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3213,6 +3406,7 @@ index 550a69e..66ba451 100644
 +/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/var/lib/cherokee(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3250,6 +3444,7 @@ index 550a69e..66ba451 100644
 +
 +/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
@@ -3260,6 +3455,8 @@ index 550a69e..66ba451 100644
  /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 -/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/log/thttpd\.log.*  -- gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +ifdef(`distro_debian', `
 +/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -3276,6 +3473,7 @@ index 550a69e..66ba451 100644
 +/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/nginx.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/thttpd\.pid    -- gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
 +
@@ -3328,7 +3526,8 @@ index 550a69e..66ba451 100644
 +/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/www/html(/.*)?/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
++/var/www/html(/.*)?/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/owncloud/data(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
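Review bot: `/var/www/html(/.*)?/uploads(/.*)?` matches a directory named `uploads` at any depth under /var/www/html and labels the whole subtree `httpd_sys_rw_content_t`, so it also relabels unrelated `uploads` directories an operator placed under the document root, not just the application the line was written for. The adjacent `/var/www/html/owncloud/data(/.*)?` line shows the narrower, anchored form. If the breadth is intended (as the existing `wp-content` line suggests), say so in a comment, e.g. `# any "uploads" dir under the docroot is treated as web-writable`, otherwise anchor it to the known application path.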
@@ -3354,7 +3553,7 @@ index 550a69e..66ba451 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 83e899c..fac6fe5 100644
+index 83e899c..64beed7 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -4001,131 +4200,166 @@ index 83e899c..fac6fe5 100644
 -##	Create, read, write, and delete
 -##	httpd log files.
 +##	Allow the specified domain to manage
-+##	to apache log files.
++##	to apache var lib files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -698,47 +762,49 @@ interface(`apache_manage_log',`
- 	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+@@ -687,20 +751,21 @@ interface(`apache_dontaudit_append_log',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`apache_manage_log',`
++interface(`apache_manage_lib',`
+ 	gen_require(`
+-		type httpd_log_t;
++		type httpd_var_lib_t;
+ 	')
+ 
+-	logging_search_logs($1)
+-	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+-	manage_files_pattern($1, httpd_log_t, httpd_log_t)
+-	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
++	manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
++	read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
  ')
  
 -#######################################
 +########################################
  ## <summary>
 -##	Write apache log files.
-+##	Do not audit attempts to search Apache
-+##	module directories.
++##	Allow the specified domain to manage
++##	to apache log files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -708,19 +773,21 @@ interface(`apache_manage_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`apache_write_log',`
-+interface(`apache_dontaudit_search_modules',`
++interface(`apache_manage_log',`
  	gen_require(`
--		type httpd_log_t;
-+		type httpd_modules_t;
+ 		type httpd_log_t;
  	')
  
--	logging_search_logs($1)
+ 	logging_search_logs($1)
 -	write_files_pattern($1, httpd_log_t, httpd_log_t)
-+	dontaudit $1 httpd_modules_t:dir search_dir_perms;
++	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
++	manage_files_pattern($1, httpd_log_t, httpd_log_t)
++	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to search
 -##	httpd module directories.
++##	Do not audit attempts to search Apache
++##	module directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -738,7 +805,8 @@ interface(`apache_dontaudit_search_modules',`
+ 
+ ########################################
+ ## <summary>
+-##	List httpd module directories.
 +##	Allow the specified domain to read
 +##	the apache module directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -746,17 +814,19 @@ interface(`apache_dontaudit_search_modules',`
  ##	</summary>
  ## </param>
  #
--interface(`apache_dontaudit_search_modules',`
+-interface(`apache_list_modules',`
 +interface(`apache_read_modules',`
  	gen_require(`
  		type httpd_modules_t;
  	')
  
--	dontaudit $1 httpd_modules_t:dir search_dir_perms;
+-	allow $1 httpd_modules_t:dir list_dir_perms;
 +	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
  ')
  
  ########################################
  ## <summary>
--##	List httpd module directories.
+-##	Execute httpd module files.
 +##	Allow the specified domain to list
 +##	the contents of the apache modules
 +##	directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -752,11 +818,13 @@ interface(`apache_list_modules',`
+@@ -764,19 +834,19 @@ interface(`apache_list_modules',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`apache_exec_modules',`
++interface(`apache_list_modules',`
+ 	gen_require(`
+ 		type httpd_modules_t;
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
+-	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+-	can_exec($1, httpd_modules_t)
 +	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
  ')
  
  ########################################
  ## <summary>
--##	Execute httpd module files.
+-##	Read httpd module files.
 +##	Allow the specified domain to execute
 +##	apache modules.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -776,46 +844,63 @@ interface(`apache_exec_modules',`
- 
- ########################################
- ## <summary>
--##	Read httpd module files.
-+##	Execute a domain transition to run httpd_rotatelogs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed to transition.
+@@ -784,19 +854,19 @@ interface(`apache_exec_modules',`
  ##	</summary>
  ## </param>
  #
 -interface(`apache_read_module_files',`
-+interface(`apache_domtrans_rotatelogs',`
++interface(`apache_exec_modules',`
  	gen_require(`
--		type httpd_modules_t;
-+		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ 		type httpd_modules_t;
  	')
  
 -	libs_search_lib($1)
 -	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
-+	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
++	allow $1 httpd_modules_t:dir list_dir_perms;
++	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
++	can_exec($1, httpd_modules_t)
  ')
  
--########################################
-+#######################################
+ ########################################
  ## <summary>
 -##	Execute a domain transition to
 -##	run httpd_rotatelogs.
-+##  Execute httpd_rotatelogs in the caller domain.
++##	Execute a domain transition to run httpd_rotatelogs.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain allowed to transition.
--##	</summary>
+ ##	<summary>
+@@ -809,13 +879,50 @@ interface(`apache_domtrans_rotatelogs',`
+ 		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ 	')
+ 
+-	corecmd_search_bin($1)
+ 	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Execute httpd_rotatelogs in the caller domain.
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed to transition.
 +##  </summary>
- ## </param>
- #
--interface(`apache_domtrans_rotatelogs',`
++## </param>
++#
 +interface(`apache_exec_rotatelogs',`
 +    gen_require(`
 +        type httpd_rotatelogs_exec_t;
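Review bot: The summary of the new `apache_manage_lib` interface reads "Allow the specified domain to manage to apache var lib files", which is ungrammatical and understates what it grants: `manage_dirs_pattern`/`manage_files_pattern` give create, write and delete over `httpd_var_lib_t`, and the file contexts in this same patch put `/var/lib/php` and `/var/lib/glpi` under that type, so callers gain full control of PHP session state. Suggested wording: `##	Create, read, write, and delete apache` / `##	var lib files (httpd_var_lib_t, e.g. /var/lib/php).`. Separately, `apache_exec_rotatelogs` documents its parameter as "Domain allowed to transition." although the body only does `can_exec` in the caller's domain; `##  Domain allowed access.` is the accurate description, and the two-space indentation of that doc block differs from the tab style used by every other interface in the hunk.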
@@ -4145,17 +4379,14 @@ index 83e899c..fac6fe5 100644
 +## </param>
 +#
 +interface(`apache_exec_sys_script',`
- 	gen_require(`
--		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
++	gen_require(`
 +		type httpd_sys_script_exec_t;
- 	')
- 
--	corecmd_search_bin($1)
--	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
++	')
++
 +	allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
 +	can_exec($1, httpd_sys_script_exec_t)
- ')
- 
++')
++
  ########################################
  ## <summary>
 -##	List httpd system content directories.
@@ -4164,7 +4395,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',`
+@@ -829,13 +936,14 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -4181,7 +4412,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',`
+@@ -844,6 +952,7 @@ interface(`apache_list_sys_content',`
  ## </param>
  ## <rolecap/>
  #
@@ -4189,23 +4420,21 @@ index 83e899c..fac6fe5 100644
  interface(`apache_manage_sys_content',`
  	gen_require(`
  		type httpd_sys_content_t;
-@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +964,98 @@ interface(`apache_manage_sys_content',`
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
 -########################################
 +######################################
- ## <summary>
--##	Create, read, write, and delete
--##	httpd system rw content.
++## <summary>
 +##	Allow the specified domain to read
 +##	apache system content rw files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
 +#
 +interface(`apache_read_sys_content_rw_files',`
@@ -4217,22 +4446,26 @@ index 83e899c..fac6fe5 100644
 +')
 +
 +######################################
-+## <summary>
+ ## <summary>
+-##	Create, read, write, and delete
+-##	httpd system rw content.
 +##	Allow the specified domain to read
 +##	apache system content rw dirs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`apache_manage_sys_rw_content',`
 +interface(`apache_read_sys_content_rw_dirs',`
-+	gen_require(`
-+		type httpd_sys_rw_content_t;
-+	')
-+
+ 	gen_require(`
+ 		type httpd_sys_rw_content_t;
+ 	')
+ 
+-	apache_search_sys_content($1)
 +	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
@@ -4247,14 +4480,12 @@ index 83e899c..fac6fe5 100644
 +##	</summary>
 +## </param>
 +## <rolecap/>
- #
--interface(`apache_manage_sys_rw_content',`
++#
 +interface(`apache_manage_sys_content_rw',`
- 	gen_require(`
- 		type httpd_sys_rw_content_t;
- 	')
- 
--	apache_search_sys_content($1)
++	gen_require(`
++		type httpd_sys_rw_content_t;
++	')
++
 +	files_search_var($1)
  	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 -	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -4296,7 +4527,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1063,17 @@ interface(`apache_manage_sys_rw_content',`
  ##	</summary>
  ## </param>
  #
@@ -4315,7 +4546,7 @@ index 83e899c..fac6fe5 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1083,8 @@ interface(`apache_domtrans_sys_script',`
  
  ########################################
  ## <summary>
@@ -4327,7 +4558,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1122,7 @@ interface(`apache_domtrans_all_scripts',`
  ########################################
  ## <summary>
  ##	Execute all user scripts in the user
@@ -4336,7 +4567,7 @@ index 83e899c..fac6fe5 100644
  ##	to the specified role.
  ## </summary>
  ## <param name="domain">
-@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1135,7 @@ interface(`apache_domtrans_all_scripts',`
  ##	Role allowed access.
  ##	</summary>
  ## </param>
@@ -4344,7 +4575,7 @@ index 83e899c..fac6fe5 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1148,8 @@ interface(`apache_run_all_scripts',`
  
  ########################################
  ## <summary>
@@ -4354,7 +4585,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1162,13 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -4370,7 +4601,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1186,7 @@ interface(`apache_append_squirrelmail_data',`
  
  ########################################
  ## <summary>
@@ -4379,7 +4610,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1199,12 @@ interface(`apache_search_sys_content',`
  		type httpd_sys_content_t;
  	')
  
@@ -4394,7 +4625,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1224,7 @@ interface(`apache_read_sys_content',`
  
  ########################################
  ## <summary>
@@ -4403,7 +4634,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1242,7 @@ interface(`apache_search_sys_scripts',`
  
  ########################################
  ## <summary>
@@ -4413,7 +4644,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',`
+@@ -1070,13 +1252,22 @@ interface(`apache_search_sys_scripts',`
  ## <rolecap/>
  #
  interface(`apache_manage_all_user_content',`
@@ -4439,7 +4670,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1285,8 @@ interface(`apache_search_sys_script_state',`
  
  ########################################
  ## <summary>
@@ -4449,7 +4680,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1303,29 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -4481,7 +4712,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1338,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -4490,7 +4721,7 @@ index 83e899c..fac6fe5 100644
  ')
  
  ########################################
-@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1347,9 @@ interface(`apache_dontaudit_write_tmp_files',`
  ## </summary>
  ##	<desc>
  ##	<p>
@@ -4500,7 +4731,7 @@ index 83e899c..fac6fe5 100644
  ##	This is an interface to support third party modules
  ##	and its use is not allowed in upstream reference
  ##	policy.
-@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1379,30 @@ interface(`apache_cgi_domain',`
  
  ########################################
  ## <summary>
@@ -4533,7 +4764,7 @@ index 83e899c..fac6fe5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1419,19 @@ interface(`apache_cgi_domain',`
  interface(`apache_admin',`
  	gen_require(`
  		attribute httpdcontent, httpd_script_exec_type;
@@ -4562,7 +4793,7 @@ index 83e899c..fac6fe5 100644
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1204,10 +1419,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1441,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -4576,7 +4807,7 @@ index 83e899c..fac6fe5 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1433,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1455,141 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -4640,7 +4871,19 @@ index 83e899c..fac6fe5 100644
 +
 +
 +	apache_filetrans_home_content($1)
++	files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
++	files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
++	files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
++	files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
++	files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
++	files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
++	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
++	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
 +	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
++	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
++	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
++	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
 +	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
 +')
 +
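Review bot: `files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")` disagrees with the file context for `/etc/WebCalendar(/.*)?`, which this same patch labels `httpd_sys_rw_content_t`: a directory created through this interface gets the read-only type while a relabel would make it writable, so the effective label depends on which path created it. Either change the transition to `files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "WebCalendar")` or adjust the file context so the two agree. The `htdig`, `horde` and `owncloud` transitions do match their file contexts; the `/etc/z-push` context is not visible in this chunk, so that one should be checked too. The enclosing interface begins outside this hunk.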
@@ -4711,10 +4954,10 @@ index 83e899c..fac6fe5 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..bfe87eb 100644
+index 1a82e29..21d7195 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -1,297 +1,367 @@
+@@ -1,297 +1,381 @@
 -policy_module(apache, 2.6.10)
 +policy_module(apache, 2.4.0)
 +
@@ -4759,33 +5002,33 @@ index 1a82e29..bfe87eb 100644
 -##	Determine whether httpd can use mod_auth_pam.
 -##	</p>
 +## <p>
-+## Allow Apache to use mod_auth_pam
++## Dontaudit Apache to search dirs.
 +## </p>
  ## </desc>
 -gen_tunable(allow_httpd_mod_auth_pam, false)
-+gen_tunable(httpd_mod_auth_pam, false)
++gen_tunable(httpd_dontaudit_search_dirs, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can use built in scripting.
 -##	</p>
 +## <p>
-+## Allow Apache to use mod_auth_ntlm_winbind
++## Allow Apache to use mod_auth_pam
 +## </p>
  ## </desc>
 -gen_tunable(httpd_builtin_scripting, false)
-+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
++gen_tunable(httpd_mod_auth_pam, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can check spam.
 -##	</p>
 +## <p>
-+## Allow httpd scripts and modules execmem/execstack
++## Allow Apache to use mod_auth_ntlm_winbind
 +## </p>
  ## </desc>
 -gen_tunable(httpd_can_check_spam, false)
-+gen_tunable(httpd_execmem, false)
++gen_tunable(httpd_mod_auth_ntlm_winbind, false)
  
  ## <desc>
 -##	<p>
@@ -4793,6 +5036,13 @@ index 1a82e29..bfe87eb 100644
 -##	can connect to the network using TCP.
 -##	</p>
 +## <p>
++## Allow httpd scripts and modules execmem/execstack
++## </p>
++## </desc>
++gen_tunable(httpd_execmem, false)
++
++## <desc>
++## <p>
 +## Allow httpd processes to manage IPA content
 +## </p>
 +## </desc>
@@ -4866,61 +5116,55 @@ index 1a82e29..bfe87eb 100644
 +## <p>
 +## Allow httpd to connect to memcache server
 +## </p>
-+## </desc>
-+gen_tunable(httpd_can_network_memcache, false)
-+
-+## <desc>
-+## <p>
-+## Allow httpd to act as a relay
-+## </p>
  ## </desc>
- gen_tunable(httpd_can_network_relay, false)
+-gen_tunable(httpd_can_network_relay, false)
++gen_tunable(httpd_can_network_memcache, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd daemon can
 -##	connect to zabbix over the network.
 -##	</p>
-+##  <p>
-+##  Allow http daemon to connect to zabbix
-+##  </p>
++## <p>
++## Allow httpd to act as a relay
++## </p>
  ## </desc>
 -gen_tunable(httpd_can_network_connect_zabbix, false)
-+gen_tunable(httpd_can_connect_zabbix, false)
++gen_tunable(httpd_can_network_relay, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can send mail.
 -##	</p>
 +##  <p>
-+##  Allow http daemon to connect to mythtv
++##  Allow http daemon to connect to zabbix
 +##  </p>
  ## </desc>
 -gen_tunable(httpd_can_sendmail, false)
-+gen_tunable(httpd_can_connect_mythtv, false)
++gen_tunable(httpd_can_connect_zabbix, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can communicate
 -##	with avahi service via dbus.
 -##	</p>
-+## <p>
-+## Allow http daemon to check spam
-+## </p>
++##  <p>
++##  Allow http daemon to connect to mythtv
++##  </p>
  ## </desc>
 -gen_tunable(httpd_dbus_avahi, false)
-+gen_tunable(httpd_can_check_spam, false)
++gen_tunable(httpd_can_connect_mythtv, false)
  
  ## <desc>
 -##	<p>
 -##	Determine wether httpd can use support.
 -##	</p>
 +## <p>
-+## Allow http daemon to send mail
++## Allow http daemon to check spam
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_cgi, false)
-+gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_can_check_spam, false)
  
  ## <desc>
 -##	<p>
@@ -4928,11 +5172,11 @@ index 1a82e29..bfe87eb 100644
 -##	FTP server by listening on the ftp port.
 -##	</p>
 +## <p>
-+## Allow Apache to communicate with avahi service via dbus
++## Allow http daemon to send mail
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_ftp_server, false)
-+gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_can_sendmail, false)
  
  ## <desc>
 -##	<p>
@@ -4940,11 +5184,11 @@ index 1a82e29..bfe87eb 100644
 -##	user home directories.
 -##	</p>
 +## <p>
-+## Allow httpd cgi support
++## Allow Apache to communicate with avahi service via dbus
 +## </p>
  ## </desc>
 -gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_dbus_avahi, false)
  
  ## <desc>
 -##	<p>
@@ -4954,12 +5198,11 @@ index 1a82e29..bfe87eb 100644
 -##	be labeled public_content_rw_t.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow Apache to communicate with sssd service via dbus
 +## </p>
  ## </desc>
 -gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_dbus_sssd, false)
  
  ## <desc>
 -##	<p>
@@ -4967,24 +5210,24 @@ index 1a82e29..bfe87eb 100644
 -##	its temporary content.
 -##	</p>
 +## <p>
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd cgi support
 +## </p>
  ## </desc>
 -gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_enable_cgi, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd scripts and
 -##	modules can use execmem and execstack.
 -##	</p>
-+##  <p>
-+##  Allow httpd to connect to the ldap port 
-+##  </p>
++## <p>
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++## </p>
  ## </desc>
 -gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_enable_ftp_server, false)
  
  ## <desc>
 -##	<p>
@@ -4992,34 +5235,35 @@ index 1a82e29..bfe87eb 100644
 -##	to port 80 for graceful shutdown.
 -##	</p>
 +## <p>
-+## Allow httpd to read home directories
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
 +## </p>
  ## </desc>
 -gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_can_connect_ftp, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can
 -##	manage IPA content files.
 -##	</p>
-+## <p>
-+## Allow httpd to read user content 
-+## </p>
++##  <p>
++##  Allow httpd to connect to the ldap port 
++##  </p>
  ## </desc>
 -gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_can_connect_ldap, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can use mod_auth_ntlm_winbind.
 -##	</p>
 +## <p>
-+## Allow Apache to run in stickshift mode, not transition to passenger
++## Allow httpd to read home directories
 +## </p>
  ## </desc>
 -gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_run_stickshift, false)
++gen_tunable(httpd_enable_homedirs, false)
  
  ## <desc>
 -##	<p>
@@ -5027,11 +5271,10 @@ index 1a82e29..bfe87eb 100644
 -##	generic user home content files.
 -##	</p>
 +## <p>
-+## Allow Apache to query NS records
++## Allow httpd to read user content 
 +## </p>
  ## </desc>
--gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_verify_dns, false)
+ gen_tunable(httpd_read_user_content, false)
  
  ## <desc>
 -##	<p>
@@ -5039,6 +5282,20 @@ index 1a82e29..bfe87eb 100644
 -##	its resource limits.
 -##	</p>
 +## <p>
++## Allow Apache to run in stickshift mode, not transition to passenger
++## </p>
++## </desc>
++gen_tunable(httpd_run_stickshift, false)
++
++## <desc>
++## <p>
++## Allow Apache to query NS records
++## </p>
++## </desc>
++gen_tunable(httpd_verify_dns, false)
++
++## <desc>
++## <p>
 +## Allow httpd daemon to change its resource limits
 +## </p>
  ## </desc>
@@ -5231,7 +5488,7 @@ index 1a82e29..bfe87eb 100644
  type httpd_rotatelogs_t;
  type httpd_rotatelogs_exec_t;
  init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
  type httpd_squirrelmail_t;
  files_type(httpd_squirrelmail_t)
  
@@ -5244,7 +5501,7 @@ index 1a82e29..bfe87eb 100644
  type httpd_suexec_exec_t;
  domain_type(httpd_suexec_t)
  domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t;
  type httpd_suexec_tmp_t;
  files_tmp_file(httpd_suexec_tmp_t)
  
@@ -5266,7 +5523,7 @@ index 1a82e29..bfe87eb 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -5286,7 +5543,7 @@ index 1a82e29..bfe87eb 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
  typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
  typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
  
@@ -5337,7 +5594,7 @@ index 1a82e29..bfe87eb 100644
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +484,36 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5379,7 +5636,7 @@ index 1a82e29..bfe87eb 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,14 +521,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5388,8 +5645,10 @@ index 1a82e29..bfe87eb 100644
  allow httpd_t httpd_rotatelogs_t:process signal_perms;
  
  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
  
++allow httpd_t httpd_suexec_exec_t:process { signal signull };
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
 +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
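Review bot: `allow httpd_t httpd_suexec_exec_t:process { signal signull };` names the entry-point file type rather than the domain: `httpd_suexec_exec_t` is declared via `domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)` earlier in this patch and never labels a process, so the rule grants nothing and whatever signal denial it was written to resolve will persist. The intended target appears to be the domain, `allow httpd_t httpd_suexec_t:process { signal signull };`, mirroring the existing `allow httpd_t httpd_rotatelogs_t:process signal_perms;` a few lines above.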
@@ -5399,7 +5658,7 @@ index 1a82e29..bfe87eb 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +566,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5473,10 +5732,11 @@ index 1a82e29..bfe87eb 100644
 +# execute perl
 +corecmd_exec_bin(httpd_t)
 +corecmd_exec_shell(httpd_t)
-+
+ 
 +domain_use_interactive_fds(httpd_t)
 +domain_dontaudit_read_all_domains_state(httpd_t)
- 
++
++files_dontaudit_search_all_pids(httpd_t)
  files_dontaudit_getattr_all_pids(httpd_t)
 -files_read_usr_files(httpd_t)
 +files_exec_usr_files(httpd_t)
@@ -5540,16 +5800,20 @@ index 1a82e29..bfe87eb 100644
  
 -ifdef(`hide_broken_symptoms',`
 -	libs_exec_lib_files(httpd_t)
++tunable_policy(`httpd_dontaudit_search_dirs',`
++    files_dontaudit_search_non_security_dirs(httpd_t)
+ ')
+ 
+-tunable_policy(`allow_httpd_anon_write',`
+-	miscfiles_manage_public_files(httpd_t)
 +#
 +# We need optionals to be able to be within booleans to make this work
 +#
 +tunable_policy(`httpd_mod_auth_pam',`
 +	auth_domtrans_chkpwd(httpd_t)
 +	logging_send_audit_msgs(httpd_t)
- ')
- 
--tunable_policy(`allow_httpd_anon_write',`
--	miscfiles_manage_public_files(httpd_t)
++')
++
 +optional_policy(`
 +	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
 +		samba_domtrans_winbind_helper(httpd_t)
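Review bot: The new ``tunable_policy(`httpd_dontaudit_search_dirs',` `` block at the top of the hunk presumably depends on a `gen_tunable(httpd_dontaudit_search_dirs, false)` declaration with a `<desc>` block, and neither is part of this hunk; if the declaration is not added in the module's declarations section the boolean is unknown at build time, and the description is what administrators see when listing booleans. The `files_dontaudit_search_non_security_dirs(httpd_t)` line inside it is indented with four spaces while the neighbouring `auth_domtrans_chkpwd(httpd_t)` uses a tab. The surrounding httpd_t policy continues outside the hunk.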
@@ -5632,7 +5896,7 @@ index 1a82e29..bfe87eb 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +742,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5692,7 +5956,7 @@ index 1a82e29..bfe87eb 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +794,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5783,7 +6047,7 @@ index 1a82e29..bfe87eb 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +841,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5864,30 +6128,33 @@ index 1a82e29..bfe87eb 100644
  ')
  
  optional_policy(`
-@@ -743,14 +873,6 @@ optional_policy(`
- 	ccs_read_config(httpd_t)
+@@ -744,24 +894,32 @@ optional_policy(`
  ')
  
--optional_policy(`
+ optional_policy(`
 -	clamav_domtrans_clamscan(httpd_t)
--')
--
--optional_policy(`
++	cron_system_entry(httpd_t, httpd_exec_t)
+ ')
+ 
+ optional_policy(`
 -	cobbler_read_config(httpd_t)
 -	cobbler_read_lib_files(httpd_t)
--')
++	cvs_read_data(httpd_t)
+ ')
  
  optional_policy(`
- 	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +887,23 @@ optional_policy(`
+-	cron_system_entry(httpd_t, httpd_exec_t)
++	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
  optional_policy(`
+-	cvs_read_data(httpd_t)
 +	#needed by FreeIPA 
 +	dirsrv_stream_connect(httpd_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	daemontools_service_domain(httpd_t, httpd_exec_t)
 +	dirsrv_manage_config(httpd_t)
 +	dirsrv_manage_log(httpd_t)
 +	dirsrv_manage_var_run(httpd_t)
@@ -5897,13 +6164,21 @@ index 1a82e29..bfe87eb 100644
 +	dirsrvadmin_manage_config(httpd_t)
 +	dirsrvadmin_manage_tmp(httpd_t)
 +	dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
-+')
-+
-+ optional_policy(`
- 	dbus_system_bus_client(httpd_t)
+ ')
  
+ optional_policy(`
+@@ -770,6 +928,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +920,46 @@ optional_policy(`
+ 		avahi_dbus_chat(httpd_t)
+ 	')
++
++    tunable_policy(`httpd_dbus_sssd',
++        sssd_dbus_chat(httpd_t)
++    ')
+ ')
+ 
+ optional_policy(`
+@@ -781,34 +943,53 @@ optional_policy(`
  ')
  
  optional_policy(`
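Review bot: The added ``tunable_policy(`httpd_dbus_sssd',`` line is missing the opening quote of its second argument; compare the context line ``tunable_policy(`httpd_dbus_avahi',` `` a few lines above it, which ends with a comma and a backquote. Without that quote m4 expands `sssd_dbus_chat(httpd_t)` while collecting the arguments and the closing `')` leaves an unbalanced quote, so the line should be ``tunable_policy(`httpd_dbus_sssd',` ``. The new block is also indented with spaces where the enclosing `optional_policy` uses tabs, and like the avahi block it presumably needs a matching `gen_tunable(httpd_dbus_sssd, false)` declaration, which this hunk does not show.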
@@ -5917,6 +6192,12 @@ index 1a82e29..bfe87eb 100644
 +')
 +
 +optional_policy(`
++	mirrormanager_manage_pid_files(httpd_t)
++	mirrormanager_read_lib_files(httpd_t)
++	mirrormanager_read_log(httpd_t)
++')
++
++optional_policy(`
 +	jetty_admin(httpd_t)
 +')
 +
@@ -5936,6 +6217,7 @@ index 1a82e29..bfe87eb 100644
 -	tunable_policy(`httpd_can_network_connect_ldap',`
 -		ldap_tcp_connect(httpd_t)
 -	')
++	ldap_read_certs(httpd_t)
  ')
  
  optional_policy(`
@@ -5961,7 +6243,7 @@ index 1a82e29..bfe87eb 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +967,18 @@ optional_policy(`
+@@ -816,8 +997,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5980,7 +6262,7 @@ index 1a82e29..bfe87eb 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +987,7 @@ optional_policy(`
+@@ -826,6 +1017,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5988,7 +6270,7 @@ index 1a82e29..bfe87eb 100644
  ')
  
  optional_policy(`
-@@ -836,20 +998,39 @@ optional_policy(`
+@@ -836,20 +1028,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6014,7 +6296,7 @@ index 1a82e29..bfe87eb 100644
 +	pki_manage_apache_lib(httpd_t)
 +	pki_manage_apache_log_files(httpd_t)
 +	pki_manage_apache_run(httpd_t)
-+    pki_read_tomcat_cert(httpd_t)
++	pki_read_tomcat_cert(httpd_t)
 +')
  
 -	tunable_policy(`httpd_can_network_connect_db',`
@@ -6022,19 +6304,19 @@ index 1a82e29..bfe87eb 100644
 -	')
 +optional_policy(`
 +	puppet_read_lib(httpd_t)
++')
++
++optional_policy(`
++	pwauth_domtrans(httpd_t)
  ')
  
  optional_policy(`
 -	puppet_read_lib_files(httpd_t)
-+	pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
 +	rpm_dontaudit_read_db(httpd_t)
  ')
  
  optional_policy(`
-@@ -857,19 +1038,35 @@ optional_policy(`
+@@ -857,19 +1068,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6070,7 +6352,7 @@ index 1a82e29..bfe87eb 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1074,173 @@ optional_policy(`
+@@ -877,65 +1104,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6266,7 +6548,7 @@ index 1a82e29..bfe87eb 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1279,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6421,7 +6703,7 @@ index 1a82e29..bfe87eb 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1333,106 @@ optional_policy(`
+@@ -1077,172 +1363,106 @@ optional_policy(`
  	')
  ')
  
@@ -6593,7 +6875,8 @@ index 1a82e29..bfe87eb 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 -
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -6619,8 +6902,7 @@ index 1a82e29..bfe87eb 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6658,7 +6940,7 @@ index 1a82e29..bfe87eb 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1470,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6755,7 +7037,7 @@ index 1a82e29..bfe87eb 100644
  
  ########################################
  #
-@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1545,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6772,7 +7054,7 @@ index 1a82e29..bfe87eb 100644
  ')
  
  ########################################
-@@ -1324,49 +1531,38 @@ optional_policy(`
+@@ -1324,49 +1561,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6837,7 +7119,7 @@ index 1a82e29..bfe87eb 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1602,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -6958,10 +7240,12 @@ index 1a82e29..bfe87eb 100644
 +    corenet_tcp_connect_osapi_compute_port(httpd_t)
  ')
 diff --git a/apcupsd.fc b/apcupsd.fc
-index 5ec0e13..1c37fe1 100644
+index 5ec0e13..462acb8 100644
 --- a/apcupsd.fc
 +++ b/apcupsd.fc
-@@ -1,10 +1,13 @@
+@@ -1,10 +1,15 @@
++/etc/apcupsd/powerfail	--	gen_context(system_u:object_r:apcupsd_power_t,s0)
++
  /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
  
 +/usr/lib/systemd/system/apcupsd.*  -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
@@ -6976,7 +7260,7 @@ index 5ec0e13..1c37fe1 100644
  /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
  /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..b6afc90 100644
+index f3c0aba..cbe3d4a 100644
 --- a/apcupsd.if
 +++ b/apcupsd.if
 @@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
@@ -7029,11 +7313,12 @@ index f3c0aba..b6afc90 100644
  ##	All of the rules required to
  ##	administrate an apcupsd environment.
  ## </summary>
-@@ -144,11 +187,16 @@ interface(`apcupsd_admin',`
+@@ -144,11 +187,17 @@ interface(`apcupsd_admin',`
  	gen_require(`
  		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
  		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
 +		type apcupsd_unit_file_t;
++		type apcupsd_power_t;
  	')
  
 -	allow $1 apcupsd_t:process { ptrace signal_perms };
@@ -7047,7 +7332,7 @@ index f3c0aba..b6afc90 100644
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +213,8 @@ interface(`apcupsd_admin',`
+@@ -165,4 +214,11 @@ interface(`apcupsd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, apcupsd_var_run_t)
@@ -7055,33 +7340,42 @@ index f3c0aba..b6afc90 100644
 +	apcupsd_systemctl($1)
 +	admin_pattern($1, apcupsd_unit_file_t)
 +	allow $1 apcupsd_unit_file_t:service all_service_perms;
++
++	manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
++	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
  ')
 diff --git a/apcupsd.te b/apcupsd.te
-index b236327..7b2142b 100644
+index b236327..a370cb8 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
-@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
+@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
  type apcupsd_var_run_t;
  files_pid_file(apcupsd_var_run_t)
  
++type apcupsd_power_t;
++files_type(apcupsd_power_t)
++
 +type apcupsd_unit_file_t;
 +systemd_unit_file(apcupsd_unit_file_t)
 +
  ########################################
  #
  # Local policy
-@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
  allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
  files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
  
 -append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
 -create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
 -setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
++manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
++files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
++
 +manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
  logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
  
  manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
-@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t)
+@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
  corecmd_exec_bin(apcupsd_t)
  corecmd_exec_shell(apcupsd_t)
  
@@ -7089,7 +7383,7 @@ index b236327..7b2142b 100644
  corenet_all_recvfrom_netlabel(apcupsd_t)
  corenet_tcp_sendrecv_generic_if(apcupsd_t)
  corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,6 +73,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
  corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
  corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
  corenet_tcp_connect_apcupsd_port(apcupsd_t)
@@ -7098,7 +7392,7 @@ index b236327..7b2142b 100644
  
  corenet_udp_bind_snmp_port(apcupsd_t)
  corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
@@ -7122,13 +7416,23 @@ index b236327..7b2142b 100644
  sysnet_dns_name_resolve(apcupsd_t)
  
 -userdom_use_user_ttys(apcupsd_t)
-+systemd_start_power_services(apcupsd_t)
-+
 +userdom_use_inherited_user_ttys(apcupsd_t)
  
  optional_policy(`
  	hostname_exec(apcupsd_t)
-@@ -112,7 +120,6 @@ optional_policy(`
+@@ -101,6 +113,11 @@ optional_policy(`
+ 	shutdown_domtrans(apcupsd_t)
+ ')
+ 
++optional_policy(`
++	systemd_start_power_services(apcupsd_t)
++	systemd_status_power_services(apcupsd_t)
++')
++
+ ########################################
+ #
+ # CGI local policy
+@@ -112,7 +129,6 @@ optional_policy(`
  	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
  
@@ -7195,7 +7499,7 @@ index 1a7a97e..1d29dce 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 3590e2f..e1494bd 100644
+index 3590e2f..1d8a844 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -7226,7 +7530,15 @@ index 3590e2f..e1494bd 100644
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:netlink_socket create_socket_perms;
-@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
+ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
++kernel_request_load_module(apmd_t)
+ 
+ dev_read_input(apmd_t)
+ dev_read_mouse(apmd_t)
+@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
  fs_dontaudit_getattr_all_symlinks(apmd_t)
  fs_dontaudit_getattr_all_pipes(apmd_t)
  fs_dontaudit_getattr_all_sockets(apmd_t)
@@ -7236,7 +7548,7 @@ index 3590e2f..e1494bd 100644
  
  corecmd_exec_all_executables(apmd_t)
  
-@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
  auth_use_nsswitch(apmd_t)
  
  init_domtrans_script(apmd_t)
@@ -7245,7 +7557,7 @@ index 3590e2f..e1494bd 100644
  
  libs_exec_ld_so(apmd_t)
  libs_exec_lib_files(apmd_t)
-@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
  logging_send_audit_msgs(apmd_t)
  logging_send_syslog_msg(apmd_t)
  
@@ -7265,7 +7577,7 @@ index 3590e2f..e1494bd 100644
  
  optional_policy(`
  	automount_domtrans(apmd_t)
-@@ -206,11 +209,15 @@ optional_policy(`
+@@ -206,11 +210,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7733,10 +8045,10 @@ index 0000000..316c324
 +')
 diff --git a/authconfig.te b/authconfig.te
 new file mode 100644
-index 0000000..f2aa4e6
+index 0000000..362a049
 --- /dev/null
 +++ b/authconfig.te
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,33 @@
 +policy_module(authconfig, 1.0.0)
 +
 +########################################
@@ -7765,6 +8077,7 @@ index 0000000..f2aa4e6
 +files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
 +
 +domain_use_interactive_fds(authconfig_t)
++domain_named_filetrans(authconfig_t)
 +
 +init_domtrans_script(authconfig_t)
 +
@@ -7878,7 +8191,7 @@ index 089430a..b0bed70 100644
 +	allow $1 automount_unit_file_t:service all_service_perms;
  ')
 diff --git a/automount.te b/automount.te
-index a579c3b..294b5f4 100644
+index a579c3b..f27656d 100644
 --- a/automount.te
 +++ b/automount.te
 @@ -22,12 +22,16 @@ type automount_tmp_t;
@@ -7915,7 +8228,15 @@ index a579c3b..294b5f4 100644
  files_search_boot(automount_t)
  files_search_all(automount_t)
  files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
+@@ -108,6 +110,7 @@ fs_manage_autofs_symlinks(automount_t)
+ fs_mount_all_fs(automount_t)
+ fs_mount_autofs(automount_t)
+ fs_read_nfs_files(automount_t)
++fs_read_nfs_symlinks(automount_t)
+ fs_search_all(automount_t)
+ fs_search_auto_mountpoints(automount_t)
+ fs_unmount_all_fs(automount_t)
+@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t)
  logging_send_syslog_msg(automount_t)
  logging_search_logs(automount_t)
  
@@ -7938,7 +8259,7 @@ index a579c3b..294b5f4 100644
  	fstools_domtrans(automount_t)
  ')
  
-@@ -160,3 +165,8 @@ optional_policy(`
+@@ -160,3 +166,8 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(automount_t)
  ')
@@ -8139,11 +8460,51 @@ index d6ceef4..c10d39c 100644
  
  optional_policy(`
  	cron_system_entry(backup_t, backup_exec_t)
+diff --git a/bacula.if b/bacula.if
+index dcd774e..c240ffa 100644
+--- a/bacula.if
++++ b/bacula.if
+@@ -69,6 +69,7 @@ interface(`bacula_admin',`
+ 		type bacula_t, bacula_etc_t, bacula_log_t;
+ 		type bacula_spool_t, bacula_var_lib_t;
+ 		type bacula_var_run_t, bacula_initrc_exec_t;
++        attribute_role bacula_admin_roles;
+ 	')
+ 
+ 	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index 3beba2f..7ca4480 100644
+index 3beba2f..12cd4f6 100644
 --- a/bacula.te
 +++ b/bacula.te
-@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+ # Local policy
+ #
+ 
+-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
++allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
+ allow bacula_t self:process signal;
+ allow bacula_t self:fifo_file rw_fifo_file_perms;
+ allow bacula_t self:tcp_socket { accept listen };
+@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+ corenet_sendrecv_generic_server_packets(bacula_t)
+ corenet_udp_bind_generic_port(bacula_t)
+ 
++
++#TODO: check port labels for hplip a bacula
++corenet_tcp_bind_bacula_port(bacula_t)
++
+ corenet_sendrecv_hplip_server_packets(bacula_t)
+ corenet_tcp_bind_hplip_port(bacula_t)
+ corenet_udp_bind_hplip_port(bacula_t)
+@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
+ fs_getattr_xattr_fs(bacula_t)
+ fs_list_all(bacula_t)
+ 
++auth_use_nsswitch(bacula_t)
+ auth_read_shadow(bacula_t)
+ 
+ logging_send_syslog_msg(bacula_t)
+@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
  
  domain_use_interactive_fds(bacula_admin_t)
  
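Review bot: The change to `allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};` in bacula.te widens the daemon's capability set to switching credentials, and nothing in the hunk says which bacula component needs that; a one-line why-comment above it would let the next maintainer judge whether it can be narrowed again (the missing space before `}` is carried over from the original line). The `#TODO: check port labels for hplip a bacula` comment above `corenet_tcp_bind_bacula_port(bacula_t)` reads as a stray "a" for "and" and should state what is to be verified, e.g. `# TODO: confirm whether the bacula ports are labeled as bacula or hplip ports, then drop the redundant bind`; the new interface call presumably also needs the corresponding port declaration in corenetwork, which this patch does not show. In bacula.if the added `attribute_role bacula_admin_roles;` is indented with spaces where the neighbouring `type` lines use tabs, and the place where the attribute is used lies outside the hunk.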
@@ -8259,13 +8620,14 @@ index 536ec3c..271b976 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..1742ebf 100644
+index 2b9a3a1..f755e6b 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -1,54 +1,71 @@
+@@ -1,54 +1,75 @@
 -/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/named-sdb --     gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/unbound --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
  
 -/etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
@@ -8288,12 +8650,14 @@ index 2b9a3a1..1742ebf 100644
 +
 +/usr/lib/systemd/system/unbound.* --  gen_context(system_u:object_r:named_unit_file_t,s0)
 +/usr/lib/systemd/system/named.*	--	gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/named-sdb.* --	gen_context(system_u:object_r:named_unit_file_t,s0)
  
  /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
 -/usr/sbin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
 -/usr/sbin/named-checkconf	--	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 -/usr/sbin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
 +/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-sdb	--	gen_context(system_u:object_r:named_exec_t,s0)
 +/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 +/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
  /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
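Review bot: The added `/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0)` entry in bind.fc is redundant: the existing `/usr/lib/systemd/system/named.*` pattern on the line above already matches `named-sdb.service`, because `.*` also consumes `-sdb...`, and both lines assign the same context. It changes no label and only adds a second candidate for `restorecon` to resolve, so drop it or tighten the first pattern if the two units were meant to differ. The `/usr/sbin/named-sdb` entry in this hunk is needed, since file-context regexes are anchored and `/usr/sbin/named` alone would not match it. The new lines also use spaces where the neighbouring entries use tabs.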
@@ -8360,6 +8724,7 @@ index 2b9a3a1..1742ebf 100644
 -/var/named/chroot/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 -/var/named/chroot/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 +/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
 +/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 +/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
 +/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
@@ -9283,7 +9648,7 @@ index 02fefaa..fbcef10 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..47619ff 100644
+index 7c92aa1..44edba7 100644
 --- a/boinc.te
 +++ b/boinc.te
 @@ -1,11 +1,20 @@
@@ -9485,22 +9850,24 @@ index 7c92aa1..47619ff 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +151,67 @@ init_read_utmp(boinc_t)
+@@ -130,55 +151,69 @@ init_read_utmp(boinc_t)
  
  logging_send_syslog_msg(boinc_t)
  
 -miscfiles_read_fonts(boinc_t)
 -miscfiles_read_localization(boinc_t)
++modutils_dontaudit_exec_insmod(boinc_t)
+ 
+-optional_policy(`
+-	mta_send_mail(boinc_t)
+-')
 +xserver_stream_connect(boinc_t)
  
  optional_policy(`
- 	mta_send_mail(boinc_t)
+-	sysnet_dns_name_resolve(boinc_t)
++	mta_send_mail(boinc_t)
  ')
  
--optional_policy(`
--	sysnet_dns_name_resolve(boinc_t)
--')
--
  ########################################
  #
 -# Project local policy
@@ -9694,6 +10061,217 @@ index 41f8251..57f094e 100644
  optional_policy(`
  	mta_send_mail(httpd_bugzilla_script_t)
  ')
+diff --git a/bumblebee.fc b/bumblebee.fc
+new file mode 100644
+index 0000000..b5ee23b
+--- /dev/null
++++ b/bumblebee.fc
+@@ -0,0 +1,7 @@
++/etc/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/lib/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/sbin/bumblebeed		--	gen_context(system_u:object_r:bumblebee_exec_t,s0)
++
++/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
+diff --git a/bumblebee.if b/bumblebee.if
+new file mode 100644
+index 0000000..de66654
+--- /dev/null
++++ b/bumblebee.if
+@@ -0,0 +1,121 @@
++## <summary>policy for bumblebee</summary>
++
++########################################
++## <summary>
++##	Execute bumblebee in the bumblebee domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`bumblebee_domtrans',`
++	gen_require(`
++		type bumblebee_t, bumblebee_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
++')
++
++########################################
++## <summary>
++##	Read bumblebee PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bumblebee_read_pid_files',`
++	gen_require(`
++		type bumblebee_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute bumblebee server in the bumblebee domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`bumblebee_systemctl',`
++	gen_require(`
++		type bumblebee_t;
++		type bumblebee_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 bumblebee_unit_file_t:file read_file_perms;
++	allow $1 bumblebee_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, bumblebee_t)
++')
++
++########################################
++## <summary>
++##	Connect to bumblebee over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bumblebee_stream_connect',`
++	gen_require(`
++		type bumblebee_t, bumblebee_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an bumblebee environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`bumblebee_admin',`
++	gen_require(`
++		type bumblebee_t;
++		type bumblebee_var_run_t;
++		type bumblebee_unit_file_t;
++	')
++
++	allow $1 bumblebee_t:process { signal_perms };
++	ps_process_pattern($1, bumblebee_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 bumblebee_t:process ptrace;
++    ')
++
++	files_search_pids($1)
++	admin_pattern($1, bumblebee_var_run_t)
++
++	bumblebee_systemctl($1)
++	admin_pattern($1, bumblebee_unit_file_t)
++	allow $1 bumblebee_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/bumblebee.te b/bumblebee.te
+new file mode 100644
+index 0000000..6e058fc
+--- /dev/null
++++ b/bumblebee.te
+@@ -0,0 +1,65 @@
++policy_module(bumblebee, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bumblebee_t;
++type bumblebee_exec_t;
++init_daemon_domain(bumblebee_t, bumblebee_exec_t)
++
++type bumblebee_var_run_t;
++files_pid_file(bumblebee_var_run_t)
++
++type bumblebee_unit_file_t;
++systemd_unit_file(bumblebee_unit_file_t)
++
++########################################
++#
++# bumblebee local policy
++#
++
++allow bumblebee_t self:capability { setgid };
++allow bumblebee_t self:process { fork signal_perms };
++allow bumblebee_t self:fifo_file rw_fifo_file_perms;
++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(bumblebee_t)
++kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_manage_debugfs(bumblebee_t)
++
++corecmd_exec_shell(bumblebee_t)
++corecmd_exec_bin(bumblebee_t)
++
++dev_read_sysfs(bumblebee_t)
++
++auth_read_passwd(bumblebee_t)
++
++logging_send_syslog_msg(bumblebee_t)
++
++modutils_domtrans_insmod(bumblebee_t)
++modutils_signal_insmod(bumblebee_t)
++
++sysnet_dns_name_resolve(bumblebee_t)
++
++xserver_domtrans(bumblebee_t)
++xserver_kill(bumblebee_t)
++xserver_signal(bumblebee_t)
++xserver_stream_connect(bumblebee_t)
++xserver_manage_xkb_libs(bumblebee_t)
++corenet_tcp_connect_xserver_port(bumblebee_t)
++
++optional_policy(`
++    apm_stream_connect(bumblebee_t)
++')
++
++optional_policy(`
++    unconfined_domain(bumblebee_t)
++')
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 index 648c790..aa03fc8 100644
 --- a/cachefilesd.fc
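Review bot: bumblebee.te ends with an `optional_policy` block containing `unconfined_domain(bumblebee_t)`, which makes the new domain unconfined whenever the unconfined module is loaded, so on such systems none of the narrower rules above it (the pid-file patterns, `kernel_manage_debugfs`, the xserver and modutils transitions) actually constrain the daemon. If this is a staging step while the rules are being validated, say so in a comment above the block and prefer `permissive bumblebee_t;`, which keeps the domain's denials visible in the audit log; otherwise drop the block. In bumblebee.if the `bumblebee_systemctl` summary `Execute bumblebee server in the bumblebee domain.` is copied from the domtrans interface and should describe what the interface does, e.g. `Execute systemctl on the bumblebee unit file.`; `domin` in the `bumblebee_domtrans` summary and `an bumblebee environment` in `bumblebee_admin` are typos. Several lines (`systemd_read_fifo_file_passwd_run($1)`, the `deny_ptrace` block, the `optional_policy` bodies in the .te) are indented with spaces where the rest of the new files use tabs.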
@@ -9972,6 +10550,19 @@ index 581c8ef..2c71b1d 100644
 +dev_search_sysfs(cachefiles_kernel_t)
 +
 +init_sigchld_script(cachefiles_kernel_t)
+diff --git a/calamaris.if b/calamaris.if
+index cd9c528..ba793b7 100644
+--- a/calamaris.if
++++ b/calamaris.if
+@@ -42,7 +42,7 @@ interface(`calamaris_run',`
+ 		attribute_role calamaris_roles;
+ 	')
+ 
+-	lightsquid_domtrans($1)
++	calamaris_domtrans($1)
+ 	roleattribute $2 calamaris_roles;
+ ')
+ 
 diff --git a/calamaris.te b/calamaris.te
 index f4f21d3..de28437 100644
 --- a/calamaris.te
@@ -10279,7 +10870,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 2354e21..fb8c9ed 100644
+index 2354e21..b2b0a2f 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10316,7 +10907,7 @@ index 2354e21..fb8c9ed 100644
  
  corenet_all_recvfrom_unlabeled(certmonger_t)
  corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
  
  corenet_sendrecv_certmaster_client_packets(certmonger_t)
  corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -10324,6 +10915,8 @@ index 2354e21..fb8c9ed 100644
 +corenet_tcp_connect_http_port(certmonger_t)
 +corenet_tcp_connect_http_cache_port(certmonger_t)
 +
++corenet_tcp_connect_ldap_port(certmonger_t)
++
 +corenet_tcp_connect_pki_ca_port(certmonger_t)
  corenet_tcp_sendrecv_certmaster_port(certmonger_t)
  
@@ -10337,9 +10930,11 @@ index 2354e21..fb8c9ed 100644
  
 -files_read_usr_files(certmonger_t)
  files_list_tmp(certmonger_t)
++files_list_home(certmonger_t)
  
  fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t)
+ 
+@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
  
  logging_send_syslog_msg(certmonger_t)
  
@@ -10349,6 +10944,7 @@ index 2354e21..fb8c9ed 100644
 +systemd_exec_systemctl(certmonger_t)
 +
  userdom_search_user_home_content(certmonger_t)
++userdom_manage_home_certs(certmonger_t)
  
  optional_policy(`
 -	apache_initrc_domtrans(certmonger_t)
@@ -10359,7 +10955,7 @@ index 2354e21..fb8c9ed 100644
  ')
  
  optional_policy(`
-@@ -92,11 +104,47 @@ optional_policy(`
+@@ -92,11 +108,51 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10370,6 +10966,10 @@ index 2354e21..fb8c9ed 100644
 +')
 +
 +optional_policy(`
++    ipa_manage_lib(certmonger_t)
++')
++
++optional_policy(`
  	kerberos_use(certmonger_t)
 +	kerberos_read_keytab(certmonger_t)
  ')
@@ -10381,7 +10981,7 @@ index 2354e21..fb8c9ed 100644
 +
 +optional_policy(`
 +	pki_rw_tomcat_cert(certmonger_t)
-+    pki_read_tomcat_lib_files(certmonger_t)
++	pki_read_tomcat_lib_files(certmonger_t)
 +')
 +
 +########################################
@@ -10621,7 +11221,7 @@ index 85ca63f..1d1c99c 100644
  	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index fdee107..7a38b63 100644
+index fdee107..a4c2efb 100644
 --- a/cgroup.te
 +++ b/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -10649,7 +11249,7 @@ index fdee107..7a38b63 100644
  domain_setpriority_all_domains(cgclear_t)
  
  fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
  kernel_list_unlabeled(cgconfig_t)
  kernel_read_system_state(cgconfig_t)
  
@@ -10674,13 +11274,19 @@ index fdee107..7a38b63 100644
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
-@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t)
++allow cgred_t cgconfig_etc_t:file read_file_perms;
+ allow cgred_t cgrules_etc_t:file read_file_perms;
+ 
+ allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
  files_getattr_all_files(cgred_t)
  files_getattr_all_sockets(cgred_t)
  files_read_all_symlinks(cgred_t)
 -files_read_etc_files(cgred_t)
  
- fs_write_cgroup_files(cgred_t)
+-fs_write_cgroup_files(cgred_t)
++fs_manage_cgroup_dirs(cgred_t)
++fs_manage_cgroup_files(cgred_t)
 +fs_list_inotifyfs(cgred_t)
  
 -logging_send_syslog_msg(cgred_t)
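Review bot: cgred_t gains create, rename and delete on cgroup directories and files through the new `fs_manage_cgroup_dirs(cgred_t)` / `fs_manage_cgroup_files(cgred_t)` pair, where the line they replace, `fs_write_cgroup_files(cgred_t)`, only allowed writing existing control files. cgrulesengd's role is to move tasks between groups, and in this same file directory management is given to the cgconfig side (`fs_manage_cgroup_dirs(cgclear_t)` a few lines above), so if the denials that motivated this were writes to existing control files the old rule already covered them. If directory management really is needed, keep it but add a why-comment such as `# cgrulesengd creates groups on the fly for matched rules` so the widening stays traceable. The added `allow cgred_t cgconfig_etc_t:file read_file_perms;` looks fine.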
@@ -10705,10 +11311,10 @@ index 0000000..57866f6
 +HOME_DIR/\.cache/chromium(/.*)?		gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
 diff --git a/chrome.if b/chrome.if
 new file mode 100644
-index 0000000..5977d96
+index 0000000..23407b8
 --- /dev/null
 +++ b/chrome.if
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,137 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -10732,6 +11338,9 @@ index 0000000..5977d96
 +
 +	allow $1 chrome_sandbox_t:fd use;
 +
++	dontaudit chrome_sandbox_t $1:socket_class_set getattr;
++	allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
++
 +	ifdef(`hide_broken_symptoms',`
 +		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
 +	')
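Review bot: The new `allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;` is the reverse direction of the `allow $1 chrome_sandbox_t:fd use;` above it, and nothing in the interface says why the sandbox needs to read and write the caller's sockets. Presumably these are sockets the caller hands to the sandbox over inherited fds; a one-line comment like `# sandbox talks back over sockets inherited from $1` would stop a later reader from treating it as a typo. The `dontaudit chrome_sandbox_t $1:socket_class_set getattr;` silences getattr on every socket class; narrowing it to the classes actually observed keeps evidence available when the sandbox misbehaves. The enclosing interface starts outside the hunk, so its name and the role of `$1` are not visible here.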
@@ -10845,10 +11454,10 @@ index 0000000..5977d96
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..406f3a0
+index 0000000..fb60ffc
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,248 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -10977,6 +11586,8 @@ index 0000000..406f3a0
 +userdom_manage_home_certs(chrome_sandbox_t)
 +
 +optional_policy(`
++	gnome_exec_config_home_files(chrome_sandbox_t)
++	gnome_read_generic_cache_files(chrome_sandbox_t)
 +	gnome_rw_inherited_config(chrome_sandbox_t)
 +	gnome_read_home_config(chrome_sandbox_t)
 +	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
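Review bot: `gnome_exec_config_home_files(chrome_sandbox_t)` lets the sandbox execute files under the user's GNOME config home, which is user-writable, and the hunk gives no hint which binary that is for. Execute access on writable home content undercuts the reason for running chrome in its own sandbox domain, so the line should carry a why-comment naming the file that needs it, or be placed under a boolean if only some setups need it. `gnome_read_generic_cache_files` on the next line is read-only and looks fine.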
@@ -11025,6 +11636,10 @@ index 0000000..406f3a0
 +')
 +
 +optional_policy(`
++	bumblebee_stream_connect(chrome_sandbox_t)
++')
++
++optional_policy(`
 +	cups_stream_connect(chrome_sandbox_t)
 +')
 +
@@ -11824,14 +12439,15 @@ index 29782b8..685edff 100644
  ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..3a0de96
+index 0000000..6cc6774
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,28 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
 +/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/libexec/min-metadata-service     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
 +/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
 +/usr/bin/mongod		    --	gen_context(system_u:object_r:mongod_exec_t,s0)
@@ -11843,7 +12459,7 @@ index 0000000..3a0de96
 +/usr/lib/systemd/system/cloud-init.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
 +
 +/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
-+/var/log/cloud-init\.log    --  gen_context(system_u:object_r:cloud_log_t,s0)
++/var/log/cloud-init\.log.*  --  gen_context(system_u:object_r:cloud_log_t,s0)
 +/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
 +/var/lib/mongo.*		gen_context(system_u:object_r:mongod_var_lib_t,s0)
 +
@@ -11905,10 +12521,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..4e41e84
+index 0000000..786d623
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,298 @@
+@@ -0,0 +1,299 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -12072,6 +12688,7 @@ index 0000000..4e41e84
 +
 +optional_policy(`
 +    rpm_domtrans(cloud_init_t)
++    rpm_transition_script(cloud_init_t)
 +    unconfined_domain(cloud_init_t)
 +')
 +
@@ -12240,7 +12857,7 @@ index cc4e7cb..f348d27 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cmirrord_initrc_exec_t system_r;
 diff --git a/cmirrord.te b/cmirrord.te
-index d8e9958..d2303a4 100644
+index d8e9958..e4c023c 100644
 --- a/cmirrord.te
 +++ b/cmirrord.te
 @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
@@ -12252,13 +12869,14 @@ index d8e9958..d2303a4 100644
  dontaudit cmirrord_t self:capability sys_tty_config;
  allow cmirrord_t self:process { setfscreate signal };
  allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
  domain_use_interactive_fds(cmirrord_t)
  domain_obj_id_change_exemption(cmirrord_t)
  
 -files_read_etc_files(cmirrord_t)
 -
  storage_create_fixed_disk_dev(cmirrord_t)
++storage_raw_read_fixed_disk(cmirrord_t)
 +storage_rw_inherited_fixed_disk_dev(cmirrord_t)
  
  seutil_read_file_contexts(cmirrord_t)
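Review bot: `storage_raw_read_fixed_disk(cmirrord_t)` grants raw read access to every fixed-disk device node, which exposes the contents of all local disks to this daemon rather than only the mirror legs it manages. It sits next to the narrower `storage_rw_inherited_fixed_disk_dev`, so it would help to confirm that the inherited-fd rule alone was insufficient and to record the reason on the line, e.g. `# cmirrord opens mirror legs directly, not only via inherited fds`. The audit denial that motivated the change is not in the patch, so this is a hedged observation.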
@@ -12356,7 +12974,7 @@ index c223f81..8b567c1 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
  ')
 diff --git a/cobbler.te b/cobbler.te
-index 2a71346..8c4ac39 100644
+index 2a71346..3a38b11 100644
 --- a/cobbler.te
 +++ b/cobbler.te
 @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -12405,23 +13023,42 @@ index 2a71346..8c4ac39 100644
  ')
  
  optional_policy(`
-+    apache_domtrans(cobblerd_t)
++	apache_domtrans(cobblerd_t)
  	apache_search_sys_content(cobblerd_t)
  ')
  
-@@ -188,17 +191,25 @@ optional_policy(`
+@@ -170,6 +173,7 @@ optional_policy(`
+ 	bind_domtrans(cobblerd_t)
+ 	bind_initrc_domtrans(cobblerd_t)
+ 	bind_manage_zone(cobblerd_t)
++	bind_systemctl(cobblerd_t)
  ')
  
  optional_policy(`
-+    libs_exec_ldconfig(cobblerd_t)
+@@ -179,12 +183,22 @@ optional_policy(`
+ optional_policy(`
+ 	dhcpd_domtrans(cobblerd_t)
+ 	dhcpd_initrc_domtrans(cobblerd_t)
++	dhcpd_systemctl(cobblerd_t)
+ ')
+ 
+ optional_policy(`
+ 	dnsmasq_domtrans(cobblerd_t)
+ 	dnsmasq_initrc_domtrans(cobblerd_t)
+ 	dnsmasq_write_config(cobblerd_t)
++	dnsmasq_systemctl(cobblerd_t)
 +')
 +
 +optional_policy(`
-+    mysql_stream_connect(cobblerd_t)
++    libs_exec_ldconfig(cobblerd_t)
 +')
 +
 +optional_policy(`
- 	rpm_exec(cobblerd_t)
++    mysql_stream_connect(cobblerd_t)
+ ')
+ 
+ optional_policy(`
+@@ -192,13 +206,13 @@ optional_policy(`
  ')
  
  optional_policy(`
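Review bot: The re-added `libs_exec_ldconfig(cobblerd_t)` and `mysql_stream_connect(cobblerd_t)` lines are indented with four spaces while the rest of cobbler.te, including the new `bind_systemctl`, `dhcpd_systemctl` and `dnsmasq_systemctl` lines in this hunk, uses tabs; since the hunk rewrites these lines anyway, convert them to tabs now. The same tabs-versus-spaces mix recurs later in this diff in the re-added init-script lines of `condor_admin`, in `conman_systemctl`, `conman_admin` and the `freeipmi_stream_connect` line of conman.te, in the `gen_require` of `couchdb_manage_files`, in the re-added `/var/log/cron.*` entry of cron.fc, and in the `rkhunter_manage_lib_files` line of cron.te. The three `*_systemctl` additions themselves match the existing `*_initrc_domtrans` lines and look consistent.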
@@ -12633,10 +13270,10 @@ index 954309e..f4db2ca 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..dc0423c 100644
+index 6471fa8..6ade0ea 100644
 --- a/collectd.te
 +++ b/collectd.te
-@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
+@@ -26,18 +26,27 @@ files_type(collectd_var_lib_t)
  type collectd_var_run_t;
  files_pid_file(collectd_var_run_t)
  
@@ -12651,7 +13288,11 @@ index 6471fa8..dc0423c 100644
  ########################################
  #
  # Local policy
-@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
+ #
+ 
+-allow collectd_t self:capability { ipc_lock sys_nice };
++allow collectd_t self:capability { ipc_lock net_admin sys_nice };
+ allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
  allow collectd_t self:unix_stream_socket { accept listen };
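Review bot: `net_admin` is added to collectd_t's capability set in `allow collectd_t self:capability { ipc_lock net_admin sys_nice };` without a comment saying which plugin needs it. CAP_NET_ADMIN permits changing interface, routing and firewall state, far more than a metrics collector needs to read counters; if the denial came from a plugin probing a privileged socket option, which is a common source of spurious net_admin requests, the usual fix is `dontaudit collectd_t self:capability net_admin;` rather than an allow. If it is genuinely required, add a comment naming the plugin so the grant stays reviewable.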
@@ -12669,13 +13310,13 @@ index 6471fa8..dc0423c 100644
 +kernel_read_all_sysctls(collectd_t)
 +kernel_read_all_proc(collectd_t)
 +kernel_list_all_proc(collectd_t)
-+
-+auth_getattr_passwd(collectd_t)
-+auth_read_passwd(collectd_t)
  
 -kernel_read_network_state(collectd_t)
 -kernel_read_net_sysctls(collectd_t)
 -kernel_read_system_state(collectd_t)
++auth_getattr_passwd(collectd_t)
++auth_read_passwd(collectd_t)
++
 +corenet_udp_bind_generic_node(collectd_t)
 +corenet_udp_bind_collectd_port(collectd_t)
  
@@ -12697,15 +13338,20 @@ index 6471fa8..dc0423c 100644
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +89,31 @@ tunable_policy(`collectd_tcp_network_connect',`
  ')
  
  optional_policy(`
++	mysql_stream_connect(collectd_t)
++')
++
++optional_policy(`
 +    netutils_domtrans_ping(collectd_t)
 +')
 +
 +optional_policy(`
  	virt_read_config(collectd_t)
++	virt_stream_connect(collectd_t)
  ')
  
  ########################################
@@ -12963,10 +13609,10 @@ index 23dc348..c4450f7 100644
  
  /var/lib/condor/execute(/.*)?	gen_context(system_u:object_r:condor_var_lib_t,s0)
 diff --git a/condor.if b/condor.if
-index 3fe3cb8..5fe84a6 100644
+index 3fe3cb8..e979b3d 100644
 --- a/condor.if
 +++ b/condor.if
-@@ -1,81 +1,397 @@
+@@ -1,81 +1,396 @@
 -## <summary>High-Throughput Computing System.</summary>
 +
 +## <summary>policy for condor</summary>
@@ -13021,13 +13667,13 @@ index 3fe3cb8..5fe84a6 100644
 +## </summary>
 +## </param>
 +#
-+interface(`condor_domtrans',`
++interface(`condor_domtrans_master',`
 +	gen_require(`
-+		type condor_t, condor_exec_t;
++		type condor_master_t, condor_master_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
-+	domtrans_pattern($1, condor_exec_t, condor_t)
++	domtrans_pattern($1, condor_master_exec_t, condor_master_t)
 +')
 +
 +#######################################
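Review bot: Renaming `condor_domtrans` to `condor_domtrans_master` and retargeting it from `condor_exec_t`/`condor_t` to `condor_master_exec_t`/`condor_master_t` changes the interface's public name, so any caller of `condor_domtrans` elsewhere in this patch set will stop building. If callers exist, keep a compatibility alias or update them in the same change; if none exist, saying so in the commit message would settle it. The `<summary>` for this interface sits just above the hunk and should be checked to say it transitions to the master domain.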
@@ -13308,7 +13954,7 @@ index 3fe3cb8..5fe84a6 100644
 +#
 +interface(`condor_systemctl',`
 +	gen_require(`
-+		type condor_t;
++		type condor_domain;
 +		type condor_unit_file_t;
 +	')
 +
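Review bot: `condor_systemctl` now requires `type condor_domain;`, but `condor_domain` is used as an attribute throughout condor.te later in this diff (`allow condor_domain condor_master_t:process signull;`, `manage_dirs_pattern(condor_domain, ...)`), and a `gen_require` that declares an attribute as a type fails when the module is linked. If condor.te declares it with `attribute condor_domain;`, this line should read `attribute condor_domain;`, which is presumably the form `condor_admin` uses for the same symbol in its own require block outside this hunk. Please verify against the declaration in condor.te, which is not visible in this chunk.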
@@ -13317,10 +13963,9 @@ index 3fe3cb8..5fe84a6 100644
 +	allow $1 condor_unit_file_t:file read_file_perms;
 +	allow $1 condor_unit_file_t:service manage_service_perms;
 +
-+	ps_process_pattern($1, condor_t)
+ 	ps_process_pattern($1, condor_domain)
 +')
 +
-+
 +#######################################
 +## <summary>
 +##  Read and write condor_startd server TCP sockets.
@@ -13335,7 +13980,11 @@ index 3fe3cb8..5fe84a6 100644
 +	gen_require(`
 +		type condor_startd_t;
 +	')
-+
+ 
+-	init_labeled_script_domtrans($1, condor_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 condor_initrc_exec_t system_r;
+-	allow $2 system_r;
 +	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
 +')
 +
@@ -13383,12 +14032,8 @@ index 3fe3cb8..5fe84a6 100644
 +    ')
 +
 +	allow $1 condor_domain:process { signal_perms };
- 	ps_process_pattern($1, condor_domain)
- 
--	init_labeled_script_domtrans($1, condor_initrc_exec_t)
--	domain_system_change_exemption($1)
--	role_transition $2 condor_initrc_exec_t system_r;
--	allow $2 system_r;
++	ps_process_pattern($1, condor_domain)
++
 +    init_labeled_script_domtrans($1, condor_initrc_exec_t)
 +    domain_system_change_exemption($1)
 +    role_transition $2 condor_initrc_exec_t system_r;
@@ -13404,7 +14049,7 @@ index 3fe3cb8..5fe84a6 100644
  
  	files_search_var_lib($1)
  	admin_pattern($1, condor_var_lib_t)
-@@ -85,4 +401,13 @@ interface(`condor_admin',`
+@@ -85,4 +400,13 @@ interface(`condor_admin',`
  
  	files_search_tmp($1)
  	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
@@ -13419,7 +14064,7 @@ index 3fe3cb8..5fe84a6 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index 3f2b672..ff94f23 100644
+index 3f2b672..8fb887d 100644
 --- a/condor.te
 +++ b/condor.te
 @@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
@@ -13469,7 +14114,11 @@ index 3f2b672..ff94f23 100644
  logging_log_filetrans(condor_domain, condor_log_t, { dir file })
  
  manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+ 
+ allow condor_domain condor_master_t:process signull;
+ allow condor_domain condor_master_t:tcp_socket getattr;
++allow condor_domain condor_master_t:udp_socket { read write };
  
  kernel_read_kernel_sysctls(condor_domain)
  kernel_read_network_state(condor_domain)
@@ -13483,7 +14132,7 @@ index 3f2b672..ff94f23 100644
  corenet_tcp_sendrecv_generic_if(condor_domain)
  corenet_tcp_sendrecv_generic_node(condor_domain)
  
-@@ -106,9 +115,9 @@ dev_read_rand(condor_domain)
+@@ -106,9 +116,9 @@ dev_read_rand(condor_domain)
  dev_read_sysfs(condor_domain)
  dev_read_urand(condor_domain)
  
@@ -13495,7 +14144,7 @@ index 3f2b672..ff94f23 100644
  
  tunable_policy(`condor_tcp_network_connect',`
  	corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +134,7 @@ optional_policy(`
+@@ -125,7 +135,7 @@ optional_policy(`
  # Master local policy
  #
  
@@ -13504,7 +14153,7 @@ index 3f2b672..ff94f23 100644
  
  allow condor_master_t condor_domain:process { sigkill signal };
  
-@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
  
@@ -13515,7 +14164,7 @@ index 3f2b672..ff94f23 100644
  corenet_udp_sendrecv_generic_if(condor_master_t)
  corenet_udp_sendrecv_generic_node(condor_master_t)
  corenet_tcp_bind_generic_node(condor_master_t)
-@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
  
  auth_use_nsswitch(condor_master_t)
  
@@ -13524,7 +14173,7 @@ index 3f2b672..ff94f23 100644
  optional_policy(`
  	mta_send_mail(condor_master_t)
  	mta_read_config(condor_master_t)
-@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
  
  kernel_read_network_state(condor_collector_t)
  
@@ -13533,7 +14182,7 @@ index 3f2b672..ff94f23 100644
  #####################################
  #
  # Negotiator local policy
-@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
  allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
  allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
@@ -13542,7 +14191,7 @@ index 3f2b672..ff94f23 100644
  ######################################
  #
  # Procd local policy
-@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
+@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
  allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
  
@@ -13552,7 +14201,7 @@ index 3f2b672..ff94f23 100644
  
  domain_read_all_domains_state(condor_procd_t)
  
-@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
  
  allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
  
@@ -13561,7 +14210,7 @@ index 3f2b672..ff94f23 100644
  domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
  domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
  
-@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -13570,7 +14219,7 @@ index 3f2b672..ff94f23 100644
  #####################################
  #
  # Startd local policy
-@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
  init_domtrans_script(condor_startd_t)
@@ -13583,7 +14232,7 @@ index 3f2b672..ff94f23 100644
  optional_policy(`
  	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
  	ssh_domtrans(condor_startd_t)
-@@ -249,3 +272,7 @@ optional_policy(`
+@@ -249,3 +273,7 @@ optional_policy(`
  		kerberos_use(condor_startd_ssh_t)
  	')
  ')
@@ -13591,6 +14240,218 @@ index 3f2b672..ff94f23 100644
 +optional_policy(`
 +    unconfined_domain(condor_startd_t)
 +')
+diff --git a/conman.fc b/conman.fc
+new file mode 100644
+index 0000000..5f97ba9
+--- /dev/null
++++ b/conman.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/conman.*		--	gen_context(system_u:object_r:conman_unit_file_t,s0)
++
++/usr/sbin/conmand		--	gen_context(system_u:object_r:conman_exec_t,s0)
++
++/var/log/conman(/.*)?			gen_context(system_u:object_r:conman_log_t,s0)
++/var/log/conman\.old(/.*)?		gen_context(system_u:object_r:conman_log_t,s0)
++
+diff --git a/conman.if b/conman.if
+new file mode 100644
+index 0000000..54b4b04
+--- /dev/null
++++ b/conman.if
+@@ -0,0 +1,142 @@
++## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
++
++########################################
++## <summary>
++##	Execute conman in the conman domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`conman_domtrans',`
++	gen_require(`
++		type conman_t, conman_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, conman_exec_t, conman_t)
++')
++
++########################################
++## <summary>
++##	Read conman's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`conman_read_log',`
++	gen_require(`
++		type conman_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++## <summary>
++##	Append to conman log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`conman_append_log',`
++	gen_require(`
++		type conman_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++## <summary>
++##	Manage conman log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`conman_manage_log',`
++	gen_require(`
++		type conman_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, conman_log_t, conman_log_t)
++	manage_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++## <summary>
++##	Execute conman server in the conman domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`conman_systemctl',`
++	gen_require(`
++		type conman_t;
++		type conman_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 conman_unit_file_t:file read_file_perms;
++	allow $1 conman_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, conman_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an conman environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`conman_admin',`
++	gen_require(`
++		type conman_t;
++		type conman_log_t;
++	    type conman_unit_file_t;
++	')
++
++	allow $1 conman_t:process { signal_perms };
++	ps_process_pattern($1, conman_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 conman_t:process ptrace;
++    ')
++
++	logging_search_logs($1)
++	admin_pattern($1, conman_log_t)
++
++	conman_systemctl($1)
++	admin_pattern($1, conman_unit_file_t)
++	allow $1 conman_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/conman.te b/conman.te
+new file mode 100644
+index 0000000..0de2d4d
+--- /dev/null
++++ b/conman.te
+@@ -0,0 +1,45 @@
++policy_module(conman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type conman_t;
++type conman_exec_t;
++init_daemon_domain(conman_t, conman_exec_t)
++
++type conman_log_t;
++logging_log_file(conman_log_t)
++
++type conman_unit_file_t;
++systemd_unit_file(conman_unit_file_t)
++
++########################################
++#
++# conman local policy
++#
++
++allow conman_t self:capability { sys_tty_config };
++allow conman_t self:process { setrlimit signal_perms };
++
++allow conman_t self:fifo_file rw_fifo_file_perms;
++allow conman_t self:unix_stream_socket create_stream_socket_perms;
++allow conman_t self:tcp_socket { listen create_socket_perms };
++
++manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
++manage_files_pattern(conman_t, conman_log_t, conman_log_t)
++logging_log_filetrans(conman_t, conman_log_t, { dir })
++
++corenet_tcp_bind_generic_node(conman_t)
++corenet_tcp_bind_conman_port(conman_t)
++
++corecmd_exec_bin(conman_t)
++
++auth_read_passwd(conman_t)
++
++logging_send_syslog_msg(conman_t)
++
++optional_policy(`
++    freeipmi_stream_connect(conman_t)
++')
 diff --git a/consolekit.fc b/consolekit.fc
 index 23c9558..29e5fd3 100644
 --- a/consolekit.fc
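Review bot: The `conman_systemctl` summary reads "Execute conman server in the conman domain.", which is copied from `conman_domtrans` and describes the wrong thing; it should say something like `Execute systemctl to manage conman units and read conman process state.` The `conman_domtrans` summary has a typo, `conman domin` → `conman domain`, and `conman_admin` says `an conman environment` → `a conman environment`. `conman_admin` also ends up calling `systemd_read_fifo_file_passwd_run($1)` twice, once through `conman_systemctl($1)` and again in its own `optional_policy` block, so one of the two is redundant. In conman.te, `corecmd_exec_bin(conman_t)` and `auth_read_passwd(conman_t)` are broad for a console daemon and deserve a one-line comment each naming the helper or lookup that needs them.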
@@ -13724,10 +14585,10 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..d11e25b 100644
+index 5f0c793..580dff0 100644
 --- a/consolekit.te
 +++ b/consolekit.te
-@@ -19,12 +19,16 @@ type consolekit_var_run_t;
+@@ -19,21 +19,23 @@ type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
  init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
  
@@ -13744,7 +14605,19 @@ index 5f0c793..d11e25b 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t)
+ 
+-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
++manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
++logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
+ 
+ manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+ manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
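Review bot: consolekit_t loses its append-only restriction on `consolekit_log_t`: the replaced rules allowed only create, append, read and setattr on log files, while the new `manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` adds write, truncate, rename and unlink. Append-only log access is a deliberate integrity property in this policy, so if the only new need was creating a log directory, keep the original four file rules and add just `manage_dirs_pattern` plus the `dir` filetrans. If full manage is really required, for instance because the daemon rotates its own logs, a why-comment on the line would make that clear.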
@@ -13791,7 +14664,7 @@ index 5f0c793..d11e25b 100644
  ')
  
  ifdef(`distro_debian',`
-@@ -112,13 +115,6 @@ optional_policy(`
+@@ -112,13 +113,6 @@ optional_policy(`
  	')
  ')
  
@@ -14021,7 +14894,7 @@ index c086302..4f33119 100644
  
  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 83d6744..afa2f78 100644
+index 83d6744..3f0c0dc 100644
 --- a/couchdb.if
 +++ b/couchdb.if
 @@ -2,6 +2,44 @@
@@ -14069,7 +14942,7 @@ index 83d6744..afa2f78 100644
  ##	All of the rules required to
  ##	administrate an couchdb environment.
  ## </summary>
-@@ -10,6 +48,127 @@
+@@ -10,6 +48,151 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -14159,6 +15032,30 @@ index 83d6744..afa2f78 100644
 +        allow $1 couchdb_var_run_t:dir search_dir_perms;
 +')
 +
++#######################################
++## <summary>
++##  Allow domain to manage couchdb content.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`couchdb_manage_files',`
++        gen_require(`
++                type couchdb_var_run_t;
++                type couchdb_log_t;
++                type couchdb_var_lib_t;
++                type couchdb_conf_t;
++        ')
++
++    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
++    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
++    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
++')
++
 +########################################
 +## <summary>
 +##	Execute couchdb server in the couchdb domain.
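Review bot: `couchdb_manage_files` grants `manage_files_pattern` on four types without the matching parent-directory search calls, so a caller with no other access to `/var/lib`, `/var/log`, `/var/run` or `/etc` still cannot reach the files; the interface just above this one ends with a search rule for the same reason. Add `files_search_var_lib($1)`, `logging_search_logs($1)`, `files_search_pids($1)` and `files_search_etc($1)` to the body. The summary "Allow domain to manage couchdb content." hides that `couchdb_conf_t` is included, and write access to the server configuration is a larger grant than access to data files, so either say so in the summary or split configuration into its own interface.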
@@ -14197,7 +15094,7 @@ index 83d6744..afa2f78 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -19,14 +178,19 @@
+@@ -19,14 +202,19 @@
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -14218,7 +15115,7 @@ index 83d6744..afa2f78 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +210,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +234,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -14620,7 +15517,7 @@ index a3bbc21..7fd7d8f 100644
 +	xserver_dbus_chat_xdm(cpufreqselector_t)
 +')
 diff --git a/cron.fc b/cron.fc
-index 6e76215..224142a 100644
+index 6e76215..4819e90 100644
 --- a/cron.fc
 +++ b/cron.fc
 @@ -3,6 +3,9 @@
@@ -14633,17 +15530,18 @@ index 6e76215..224142a 100644
  /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
  /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
  
-@@ -12,9 +15,6 @@
+@@ -12,9 +15,7 @@
  /usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
  /usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
  
 -/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 -
 -/var/log/cron.*				gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
  /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
  
  /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
-@@ -27,13 +27,23 @@
+@@ -27,13 +28,23 @@
  
  /var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
@@ -14670,7 +15568,7 @@ index 6e76215..224142a 100644
  /var/spool/cron/crontabs/.*	--	<<none>>
  #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
  
-@@ -43,19 +53,23 @@
+@@ -43,19 +54,23 @@
  /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  
@@ -15665,7 +16563,7 @@ index 1303b30..058864e 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 28e1b86..f871609 100644
+index 28e1b86..439a761 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -1,4 +1,4 @@
@@ -15869,7 +16767,7 @@ index 28e1b86..f871609 100644
  selinux_get_fs_mount(admin_crontab_t)
  selinux_validate_context(admin_crontab_t)
  selinux_compute_access_vector(admin_crontab_t)
-@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t)
+@@ -204,22 +143,26 @@ selinux_compute_relabel_context(admin_crontab_t)
  selinux_compute_user_contexts(admin_crontab_t)
  
  tunable_policy(`fcron_crond',`
@@ -15885,7 +16783,9 @@ index 28e1b86..f871609 100644
  #
  
  allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
+-dontaudit crond_t self:capability { sys_resource sys_tty_config };
++dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
+ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
  allow crond_t self:process { setexec setfscreate };
  allow crond_t self:fd use;
  allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -16315,7 +17215,7 @@ index 28e1b86..f871609 100644
  	selinux_validate_context(system_cronjob_t)
  	selinux_compute_access_vector(system_cronjob_t)
  	selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',`
  ')
  
  optional_policy(`
@@ -16324,6 +17224,7 @@ index 28e1b86..f871609 100644
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
++	apache_manage_lib(system_cronjob_t)
 +	apache_delete_cache_dirs(system_cronjob_t)
 +	apache_delete_cache_files(system_cronjob_t)
 +')
@@ -16333,7 +17234,7 @@ index 28e1b86..f871609 100644
  ')
  
  optional_policy(`
-@@ -546,10 +542,6 @@ optional_policy(`
+@@ -546,10 +543,6 @@ optional_policy(`
  
  optional_policy(`
  	dbus_system_bus_client(system_cronjob_t)
@@ -16344,7 +17245,7 @@ index 28e1b86..f871609 100644
  ')
  
  optional_policy(`
-@@ -581,6 +573,7 @@ optional_policy(`
+@@ -581,6 +574,7 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
@@ -16352,7 +17253,7 @@ index 28e1b86..f871609 100644
  ')
  
  optional_policy(`
-@@ -588,15 +581,19 @@ optional_policy(`
+@@ -588,15 +582,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16371,10 +17272,14 @@ index 28e1b86..f871609 100644
  	prelink_read_cache(system_cronjob_t)
 -	prelink_relabelfrom_lib(system_cronjob_t)
 +	prelink_relabel_lib(system_cronjob_t)
++')
++
++optional_policy(`
++    rkhunter_manage_lib_files(system_cronjob_t)
  ')
  
  optional_policy(`
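Review bot: `rkhunter_manage_lib_files(system_cronjob_t)` lets every system cron job rewrite rkhunter's property database, which is the baseline rkhunter compares the system against, so once any system cron job may alter it a misconfigured or compromised job can mask changes from the next scan. The grant is presumably for the daily rkhunter cron run; if rkhunter has its own domain in this policy, a domain transition from system_cronjob_t would keep the write confined to rkhunter itself, otherwise a why-comment naming the cron job should accompany the line.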
-@@ -606,6 +603,7 @@ optional_policy(`
+@@ -606,6 +608,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -16382,7 +17287,7 @@ index 28e1b86..f871609 100644
  ')
  
  optional_policy(`
-@@ -613,12 +611,24 @@ optional_policy(`
+@@ -613,12 +616,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16409,7 +17314,7 @@ index 28e1b86..f871609 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -16443,7 +17348,7 @@ index 28e1b86..f871609 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -16627,18 +17532,26 @@ index 28e1b86..f871609 100644
 +	openshift_transition(system_cronjob_t)
  ')
 diff --git a/ctdb.fc b/ctdb.fc
-index 8401fe6..507804b 100644
+index 8401fe6..9131995 100644
 --- a/ctdb.fc
 +++ b/ctdb.fc
-@@ -2,6 +2,8 @@
+@@ -2,11 +2,16 @@
  
  /usr/sbin/ctdbd	--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
  
 +/var/ctdb(/.*)?    gen_context(system_u:object_r:ctdbd_var_t,s0)
 +
++/var/lib/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
  /var/lib/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
  
  /var/log/ctdb\.log.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
+ /var/log/log\.ctdb.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
+ 
++
++/var/run/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+ /var/run/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+ 
+ /var/spool/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_spool_t,s0)
 diff --git a/ctdb.if b/ctdb.if
 index b25b01d..e99c5c6 100644
 --- a/ctdb.if
@@ -16930,7 +17843,7 @@ index b25b01d..e99c5c6 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..03bc338 100644
+index 6ce66e7..7725178 100644
 --- a/ctdb.te
 +++ b/ctdb.te
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -16958,19 +17871,26 @@ index 6ce66e7..03bc338 100644
  
  append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
  create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
+ exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
  manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
- files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
- 
+-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
++files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
++
 +manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
 +manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
 +manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
 +files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
-+
+ 
  manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
  manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
++manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
  files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
-@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+ 
+ kernel_read_network_state(ctdbd_t)
+@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
  corenet_tcp_sendrecv_generic_if(ctdbd_t)
  corenet_tcp_sendrecv_generic_node(ctdbd_t)
  corenet_tcp_bind_generic_node(ctdbd_t)
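Review bot: Narrowing `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)` to the single name `"ctdb"` drops the transition for a runtime-created `/var/lib/ctdbd`, which the ctdb.fc hunk earlier in this patch still labels ctdbd_var_lib_t, so that directory would only get its label from a relabel. Adding `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdbd")` beside the new line keeps both names covered. Conversely, the new `files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")` has no matching `/var/ctdbd` entry in the visible ctdb.fc hunk, which only lists `/var/ctdb(/.*)?`; if that path is real the fc file needs an entry, otherwise the transition is dead. The enclosing ctdb.te rule block continues outside this hunk.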
@@ -16979,16 +17899,19 @@ index 6ce66e7..03bc338 100644
  corenet_sendrecv_ctdb_server_packets(ctdbd_t)
  corenet_tcp_bind_ctdb_port(ctdbd_t)
 +corenet_udp_bind_ctdb_port(ctdbd_t)
++corenet_tcp_connect_ctdb_port(ctdbd_t)
  corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
  
  corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t)
  
  domain_dontaudit_read_all_domains_state(ctdbd_t)
  
 -files_read_etc_files(ctdbd_t)
  files_search_all_mountpoints(ctdbd_t)
  
++fs_getattr_all_fs(ctdbd_t)
++
 +auth_read_passwd(ctdbd_t)
 +
  logging_send_syslog_msg(ctdbd_t)
@@ -16997,7 +17920,7 @@ index 6ce66e7..03bc338 100644
  miscfiles_read_public_files(ctdbd_t)
  
  optional_policy(`
-@@ -109,6 +121,7 @@ optional_policy(`
+@@ -109,6 +126,7 @@ optional_policy(`
  	samba_initrc_domtrans(ctdbd_t)
  	samba_domtrans_net(ctdbd_t)
  	samba_rw_var_files(ctdbd_t)
@@ -17147,7 +18070,7 @@ index 949011e..afe482b 100644
 +/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 06da9a0..c7834c8 100644
+index 06da9a0..c18145d 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -17224,7 +18147,7 @@ index 06da9a0..c7834c8 100644
  
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -348,13 +379,63 @@ interface(`cups_admin',`
+@@ -348,13 +379,64 @@ interface(`cups_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, cupsd_log_t)
  
@@ -17273,6 +18196,7 @@ index 06da9a0..c7834c8 100644
 +	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
 +	files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
 +	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 +')
 +
 +########################################
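Review bot: `files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")` labels a directory named `cups` created directly under /var with a type whose name and sibling calls (`files_etc_filetrans`, `files_usr_filetrans`) describe configuration content, and the cups.fc hunk earlier in this patch adds no `/var/cups` entry, so a relabel would not reproduce what the transition produces. If the transition is needed, add the matching file context; if a different parent directory was intended, use that directory's filetrans interface instead. The enclosing interface begins and ends outside this hunk, so it is not visible here which caller receives this transition.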
@@ -17294,7 +18218,7 @@ index 06da9a0..c7834c8 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..d084359 100644
+index 9f34c2e..f3aaaed 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -17427,7 +18351,7 @@ index 9f34c2e..d084359 100644
  #
  
 -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
  dontaudit cupsd_t self:capability { sys_tty_config net_admin };
  allow cupsd_t self:capability2 block_suspend;
 -allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
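Review bot: The rewritten capability line still lists `dac_override` twice (`{ ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }`); since the line is being touched anyway to drop `sys_rawio`, the duplicate should go with it. `sys_tty_config` is also both allowed here and dontaudited on the following context line, which is pre-existing but worth cleaning up in the same edit. Removing `sys_rawio` from cupsd_t is a genuine privilege reduction; a one-line comment recording why it is no longer needed would help the next reader.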
@@ -17535,7 +18459,7 @@ index 9f34c2e..d084359 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,17 +243,19 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -17553,9 +18477,11 @@ index 9f34c2e..d084359 100644
 +fs_rw_anon_inodefs_files(cupsd_t)
 +fs_rw_inherited_tmpfs_files(cupsd_t)
  
++mls_dbus_send_all_levels(cupsd_t)
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
+ mls_file_write_all_levels(cupsd_t)
+@@ -235,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
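Review bot: `mls_dbus_send_all_levels(cupsd_t)` is an MLS constraint exemption that lets cupsd send D-Bus messages across every sensitivity level, and it is added without a comment. The neighbouring `mls_fd_use_all_levels` and `mls_file_downgrade` calls set the precedent, but a short why-comment such as `# cupsd answers D-Bus clients running at other MLS levels` (worded to the actual trigger) would record which use case drove this.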
@@ -17564,12 +18490,13 @@ index 9f34c2e..d084359 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
 -libs_read_lib_files(cupsd_t)
  libs_exec_lib_files(cupsd_t)
++libs_exec_ldconfig(cupsd_t)
  
  logging_send_audit_msgs(cupsd_t)
  logging_send_syslog_msg(cupsd_t)
@@ -17590,7 +18517,7 @@ index 9f34c2e..d084359 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +305,8 @@ optional_policy(`
+@@ -275,6 +307,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -17599,7 +18526,7 @@ index 9f34c2e..d084359 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +317,10 @@ optional_policy(`
+@@ -285,8 +319,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -17610,7 +18537,7 @@ index 9f34c2e..d084359 100644
  	')
  ')
  
-@@ -299,8 +333,8 @@ optional_policy(`
+@@ -299,8 +335,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17620,7 +18547,7 @@ index 9f34c2e..d084359 100644
  ')
  
  optional_policy(`
-@@ -309,7 +343,6 @@ optional_policy(`
+@@ -309,7 +345,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -17628,7 +18555,7 @@ index 9f34c2e..d084359 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +370,11 @@ optional_policy(`
+@@ -337,7 +372,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17641,7 +18568,7 @@ index 9f34c2e..d084359 100644
  ')
  
  ########################################
-@@ -345,12 +382,11 @@ optional_policy(`
+@@ -345,12 +384,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -17657,7 +18584,7 @@ index 9f34c2e..d084359 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -17678,7 +18605,7 @@ index 9f34c2e..d084359 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -17699,7 +18626,7 @@ index 9f34c2e..d084359 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -17711,11 +18638,11 @@ index 9f34c2e..d084359 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +473,12 @@ optional_policy(`
+@@ -452,9 +475,12 @@ optional_policy(`
  ')
  
  optional_policy(`
-+	gnome_dontaudit_search_config(cupsd_config_t)
++    gnome_dontaudit_read_config(cupsd_config_t)
 +')
 +
 +optional_policy(`
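Review bot: The rewritten line `    gnome_dontaudit_read_config(cupsd_config_t)` is indented with four spaces while every surrounding rule in cups.te is indented with a tab (compare the `samba_*` lines earlier in this file), so it should use a leading tab like its neighbours. Switching from `gnome_dontaudit_search_config` to `gnome_dontaudit_read_config` widens what is silenced from directory search to file reads; that is acceptable for a dontaudit, but it will hide any future denial on GNOME config reads by cupsd_config_t, so confirm that is intended.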
@@ -17725,7 +18652,7 @@ index 9f34c2e..d084359 100644
  ')
  
  optional_policy(`
-@@ -490,10 +514,6 @@ optional_policy(`
+@@ -490,10 +516,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -17736,7 +18663,7 @@ index 9f34c2e..d084359 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +533,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -17770,7 +18697,7 @@ index 9f34c2e..d084359 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +558,6 @@ optional_policy(`
+@@ -546,7 +560,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -17778,7 +18705,7 @@ index 9f34c2e..d084359 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +575,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -17930,7 +18857,7 @@ index 9f34c2e..d084359 100644
  
  ########################################
  #
-@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +619,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -17938,7 +18865,7 @@ index 9f34c2e..d084359 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +628,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -17952,7 +18879,7 @@ index 9f34c2e..d084359 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +640,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -17961,13 +18888,24 @@ index 9f34c2e..d084359 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +650,4 @@ optional_policy(`
+@@ -769,3 +652,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
 +
+diff --git a/cvs.fc b/cvs.fc
+index 75c8be9..9dcffb2 100644
+--- a/cvs.fc
++++ b/cvs.fc
+@@ -1,3 +1,6 @@
++HOME_DIR/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
++/root/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
++
+ /etc/rc\.d/init\.d/cvs	--	gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
+ 
+ /opt/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
 diff --git a/cvs.if b/cvs.if
-index 9fa7ffb..fd3262c 100644
+index 9fa7ffb..089c8d4 100644
 --- a/cvs.if
 +++ b/cvs.if
 @@ -1,5 +1,23 @@
@@ -17994,8 +18932,38 @@ index 9fa7ffb..fd3262c 100644
  ########################################
  ## <summary>
  ##	Read CVS data and metadata content.
-@@ -62,9 +80,14 @@ interface(`cvs_admin',`
- 		type cvs_data_t, cvs_var_run_t;
+@@ -41,6 +59,24 @@ interface(`cvs_exec',`
+ 
+ ########################################
+ ## <summary>
++##	Transition to cvs named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cvs_filetrans_home_content',`
++	gen_require(`
++		type cvs_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to
+ ##	administrate an cvs environment
+ ## </summary>
+@@ -59,12 +95,18 @@ interface(`cvs_exec',`
+ interface(`cvs_admin',`
+ 	gen_require(`
+ 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+-		type cvs_data_t, cvs_var_run_t;
++		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
++		type cvs_home_t;
  	')
  
 -	allow $1 cvs_t:process { ptrace signal_perms };
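Review bot: `cvs_filetrans_home_content` only covers `.cvsignore` created in user home directories via `userdom_user_home_dir_filetrans`, while the cvs.fc hunk just above also labels `/root/\.cvsignore` as cvs_home_t; if /root carries a different home type than user home directories in this policy, a `.cvsignore` written there by a confined domain will not pick up cvs_home_t until a relabel. Either add a matching transition for the admin home type or note in the interface summary that /root relies on the file context alone. The parameter summary uses spaces (`##      Domain allowed access.`) where the rest of the file indents with a tab, and `cvs_keytab_t` is added to the `cvs_admin` gen_require without a visible use in this hunk (the rest of that interface is outside it).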
@@ -18010,8 +18978,16 @@ index 9fa7ffb..fd3262c 100644
  	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cvs_initrc_exec_t system_r;
+@@ -78,4 +120,7 @@ interface(`cvs_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, cvs_var_run_t)
++
++	userdom_search_user_home_dirs($1)
++	admin_pattern($1, cvs_home_t)
+ ')
 diff --git a/cvs.te b/cvs.te
-index 53fc3af..897ad64 100644
+index 53fc3af..d7cdaaf 100644
 --- a/cvs.te
 +++ b/cvs.te
 @@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
@@ -18028,7 +19004,31 @@ index 53fc3af..897ad64 100644
  application_executable_file(cvs_exec_t)
  
  type cvs_data_t; # customizable
-@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t)
+@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t)
+ type cvs_var_run_t;
+ files_pid_file(cvs_var_run_t)
+ 
++type cvs_home_t;
++userdom_user_home_content(cvs_home_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+ 
+-allow cvs_t self:capability { setuid setgid };
++allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+ 
++userdom_search_user_home_dirs(cvs_t)
++allow cvs_t cvs_home_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t)
  corecmd_exec_bin(cvs_t)
  corecmd_exec_shell(cvs_t)
  
@@ -18044,7 +19044,7 @@ index 53fc3af..897ad64 100644
  dev_read_urand(cvs_t)
  
  files_read_etc_runtime_files(cvs_t)
-@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t)
+@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t)
  
  init_read_utmp(cvs_t)
  
@@ -18057,8 +19057,8 @@ index 53fc3af..897ad64 100644
 -
  mta_send_mail(cvs_t)
  
- userdom_dontaudit_search_user_home_dirs(cvs_t)
- 
+-userdom_dontaudit_search_user_home_dirs(cvs_t)
+-
  # cjp: typeattribute doesnt work in conditionals yet
  auth_can_read_shadow_passwords(cvs_t)
 -tunable_policy(`allow_cvs_read_shadow',`
@@ -18066,7 +19066,7 @@ index 53fc3af..897ad64 100644
  	allow cvs_t self:capability dac_override;
  	auth_tunable_read_shadow(cvs_t)
  ')
-@@ -103,4 +113,5 @@ optional_policy(`
+@@ -103,4 +117,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -18345,10 +19345,10 @@ index 188e2e6..719583e 100644
 -
 -miscfiles_read_localization(dbskkd_t)
 diff --git a/dbus.fc b/dbus.fc
-index dda905b..31f269b 100644
+index dda905b..ccd0ba9 100644
 --- a/dbus.fc
 +++ b/dbus.fc
-@@ -1,20 +1,26 @@
+@@ -1,20 +1,27 @@
 -HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:session_dbusd_home_t,s0)
 +/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
  
@@ -18376,6 +19376,7 @@ index dda905b..31f269b 100644
  
 -/usr/libexec/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 +/var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
++/var/cache/ibus(/.*)?     gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
  
 -/var/lib/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 -
@@ -18387,7 +19388,7 @@ index dda905b..31f269b 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
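Review bot: `/var/cache/ibus(/.*)?` is given `system_dbusd_var_lib_t`, so every domain granted `dbus_manage_lib_files` or `dbus_read_lib_files` (both defined in this patch's dbus.if) also gets write or read access to the ibus cache, and anything that can write the ibus cache can touch dbus's own state under /var/lib/dbus. A dedicated cache type, or at minimum a comment such as `# ibus cache shares the dbus lib type; see <bug or rationale>`, would make the sharing deliberate rather than accidental. The new line also separates the pattern and context with spaces where the neighbouring entries use tabs.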
 diff --git a/dbus.if b/dbus.if
-index afcf3a2..e6ecc4d 100644
+index afcf3a2..8cc440f 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -18396,16 +19397,33 @@ index afcf3a2..e6ecc4d 100644
  
  ########################################
  ## <summary>
-@@ -19,7 +19,7 @@ interface(`dbus_stub',`
+@@ -19,7 +19,24 @@ interface(`dbus_stub',`
  
  ########################################
  ## <summary>
 -##	Role access for dbus.
++##	Execute dbus-daemon in the caller domain.
++## </summary>
++## <param name="domain" unused="true">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`dbus_exec_dbusd',`
++	gen_require(`
++        type dbusd_exec_t;
++	')
++    can_exec($1, dbusd_exec_t)
++')
++
++########################################
++## <summary>
 +##	Role access for dbus
  ## </summary>
  ## <param name="role_prefix">
  ##	<summary>
-@@ -41,59 +41,68 @@ interface(`dbus_stub',`
+@@ -41,59 +58,68 @@ interface(`dbus_stub',`
  template(`dbus_role_template',`
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -18495,7 +19513,7 @@ index afcf3a2..e6ecc4d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -103,65 +112,29 @@ template(`dbus_role_template',`
+@@ -103,91 +129,82 @@ template(`dbus_role_template',`
  #
  interface(`dbus_system_bus_client',`
  	gen_require(`
@@ -18529,12 +19547,17 @@ index afcf3a2..e6ecc4d 100644
  ## <summary>
 -##	Acquire service on DBUS
 -##	session bus.
--## </summary>
++##	Creating connections to specified
++##	DBUS sessions.
+ ## </summary>
 -## <param name="domain">
--##	<summary>
++## <param name="role_prefix">
+ ##	<summary>
 -##	Domain allowed access.
--##	</summary>
--## </param>
++##	The prefix of the user role (e.g., user
++##	is the prefix for user_r).
+ ##	</summary>
+ ## </param>
 -#
 -interface(`dbus_connect_session_bus',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
@@ -18546,235 +19569,381 @@ index afcf3a2..e6ecc4d 100644
 -##	Acquire service on all DBUS
 -##	session busses.
 -## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_connect_all_session_bus',`
--	gen_require(`
++interface(`dbus_session_client',`
+ 	gen_require(`
 -		attribute session_bus_type;
 -		class dbus acquire_svc;
--	')
--
++		class dbus send_msg;
++		type $1_dbusd_t;
+ 	')
+ 
 -	allow $1 session_bus_type:dbus acquire_svc;
--')
--
--#######################################
--## <summary>
++	allow $2 $1_dbusd_t:fd use;
++	allow $2 { $1_dbusd_t self }:dbus send_msg;
++	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ ')
+ 
+ #######################################
+ ## <summary>
 -##	Acquire service on specified
 -##	DBUS session bus.
-+##	Creating connections to specified
-+##	DBUS sessions.
++##	Template for creating connections to
++##	a user DBUS.
  ## </summary>
- ## <param name="role_prefix">
+-## <param name="role_prefix">
+-##	<summary>
+-##	The prefix of the user role (e.g., user
+-##	is the prefix for user_r).
+-##	</summary>
+-## </param>
+ ## <param name="domain">
  ##	<summary>
-@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_connect_spec_session_bus',`
-+interface(`dbus_session_client',`
++interface(`dbus_session_bus_client',`
  	gen_require(`
-+		class dbus send_msg;
- 		type $1_dbusd_t;
+-		type $1_dbusd_t;
 -		class dbus acquire_svc;
++		attribute session_bus_type;
++		class dbus send_msg;
  	')
  
 -	allow $2 $1_dbusd_t:dbus acquire_svc;
-+	allow $2 $1_dbusd_t:fd use;
-+	allow $2 { $1_dbusd_t self }:dbus send_msg;
-+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
++	# SE-DBus specific permissions
++	allow $1 { session_bus_type self }:dbus send_msg;
++
++	# For connecting to the bus
++	allow $1 session_bus_type:unix_stream_socket connectto;
++
++	allow session_bus_type $1:process sigkill;
  ')
  
- #######################################
+-#######################################
++########################################
  ## <summary>
 -##	Creating connections to DBUS
 -##	session bus.
-+##	Template for creating connections to
-+##	a user DBUS.
++##	Send a message the session DBUS.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',`
+ ##	</summary>
  ## </param>
  #
- interface(`dbus_session_bus_client',`
+-interface(`dbus_session_bus_client',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
 -	dbus_all_session_bus_client($1)
--')
--
++interface(`dbus_send_session_bus',`
++	gen_require(`
++		attribute session_bus_type;
++		class dbus send_msg;
++	')
++
++	allow $1 session_bus_type:dbus send_msg;
+ ')
+ 
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Creating connections to all
 -##	DBUS session busses.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Read dbus configuration.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -211,57 +231,38 @@ interface(`dbus_session_bus_client',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_all_session_bus_client',`
++interface(`dbus_read_config',`
  	gen_require(`
 -		attribute session_bus_type, dbusd_session_bus_client;
-+		attribute session_bus_type;
- 		class dbus send_msg;
+-		class dbus send_msg;
++		type dbusd_etc_t;
  	')
  
 -	typeattribute $1 dbusd_session_bus_client;
 -
-+	# SE-DBus specific permissions
- 	allow $1 { session_bus_type self }:dbus send_msg;
+-	allow $1 { session_bus_type self }:dbus send_msg;
 -	allow session_bus_type $1:dbus send_msg;
 -	
 -	allow $1 session_bus_type:unix_stream_socket connectto;
 -	allow $1 session_bus_type:fd use;
--')
++	allow $1 dbusd_etc_t:dir list_dir_perms;
++	allow $1 dbusd_etc_t:file read_file_perms;
+ ')
  
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Creating connections to specified
 -##	DBUS session bus.
--## </summary>
++##	Read system dbus lib files.
+ ## </summary>
 -## <param name="role_prefix">
 -##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
 -##	</summary>
 -## </param>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_spec_session_bus_client',`
--	gen_require(`
++interface(`dbus_read_lib_files',`
+ 	gen_require(`
 -		attribute dbusd_session_bus_client;
 -		type $1_dbusd_t;
 -		class dbus send_msg;
--	')
--
++		type system_dbusd_var_lib_t;
+ 	')
+ 
 -	typeattribute $2 dbusd_session_bus_client;
 -
 -	allow $2 { $1_dbusd_t self }:dbus send_msg;
 -	allow $1_dbusd_t $2:dbus send_msg;
-+	# For connecting to the bus
-+	allow $1 session_bus_type:unix_stream_socket connectto;
- 
+-
 -	allow $2 $1_dbusd_t:unix_stream_socket connectto;
 -	allow $2 $1_dbusd_t:fd use;
-+	allow session_bus_type $1:process sigkill;
++	files_search_var_lib($1)
++	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  ')
  
 -#######################################
 +########################################
  ## <summary>
 -##	Send messages to DBUS session bus.
-+##	Send a message the session DBUS.
++##	Create, read, write, and delete
++##	system dbus lib files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',`
+@@ -269,15 +270,19 @@ interface(`dbus_spec_session_bus_client',`
+ ##	</summary>
  ## </param>
  #
- interface(`dbus_send_session_bus',`
+-interface(`dbus_send_session_bus',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
 -	dbus_send_all_session_bus($1)
--')
--
++interface(`dbus_manage_lib_files',`
++	gen_require(`
++		type system_dbusd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ ')
+ 
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Send messages to all DBUS
 -##	session busses.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Connect to the system DBUS
++##	for service (acquire_svc).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -285,44 +290,52 @@ interface(`dbus_send_session_bus',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_send_all_session_bus',`
++interface(`dbus_connect_session_bus',`
  	gen_require(`
  		attribute session_bus_type;
- 		class dbus send_msg;
+-		class dbus send_msg;
++		class dbus acquire_svc;
  	')
  
 -	allow $1 dbus_session_bus_type:dbus send_msg;
--')
--
++	allow $1 session_bus_type:dbus acquire_svc;
+ ')
+ 
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Send messages to specified
 -##	DBUS session busses.
--## </summary>
++##	Allow a application domain to be started
++##	by the session dbus.
+ ## </summary>
 -## <param name="role_prefix">
--##	<summary>
++## <param name="domain_prefix">
+ ##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
--##	</summary>
--## </param>
--## <param name="domain">
--##	<summary>
++##	User domain prefix to be used.
+ ##	</summary>
+ ## </param>
+ ## <param name="domain">
+ ##	<summary>
 -##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Type to be used as a domain.
++##	</summary>
++## </param>
++## <param name="entry_point">
++##	<summary>
++##	Type of the program to be used as an
++##	entry point to this domain.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_send_spec_session_bus',`
--	gen_require(`
--		type $1_dbusd_t;
++interface(`dbus_session_domain',`
+ 	gen_require(`
+ 		type $1_dbusd_t;
 -		class dbus send_msg;
--	')
--
+ 	')
+ 
 -	allow $2 $1_dbusd_t:dbus send_msg;
-+	allow $1 session_bus_type:dbus send_msg;
++	domtrans_pattern($1_dbusd_t, $2, $3)
++
++	dbus_session_bus_client($3)
++	dbus_connect_session_bus($3)
  ')
  
  ########################################
  ## <summary>
 -##	Read dbus configuration content.
-+##	Read dbus configuration.
++##	Connect to the system DBUS
++##	for service (acquire_svc).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',`
+@@ -330,18 +343,18 @@ interface(`dbus_send_spec_session_bus',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_read_config',`
++interface(`dbus_connect_system_bus',`
+ 	gen_require(`
+-		type dbusd_etc_t;
++		type system_dbusd_t;
++		class dbus acquire_svc;
+ 	')
+ 
+-	allow $1 dbusd_etc_t:dir list_dir_perms;
+-	allow $1 dbusd_etc_t:file read_file_perms;
++	allow $1 system_dbusd_t:dbus acquire_svc;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read system dbus lib files.
++##	Send a message on the system DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -349,19 +362,18 @@ interface(`dbus_read_config',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_read_lib_files',`
++interface(`dbus_send_system_bus',`
+ 	gen_require(`
+-		type system_dbusd_var_lib_t;
++		type system_dbusd_t;
++		class dbus send_msg;
+ 	')
+ 
+-	files_search_var_lib($1)
+-	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
++	allow $1 system_dbusd_t:dbus send_msg;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	system dbus lib files.
++##	Allow unconfined access to the system DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -369,26 +381,20 @@ interface(`dbus_read_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_manage_lib_files',`
++interface(`dbus_system_bus_unconfined',`
+ 	gen_require(`
+-		type system_dbusd_var_lib_t;
++		type system_dbusd_t;
++		class dbus all_dbus_perms;
+ 	')
+ 
+-	files_search_var_lib($1)
+-	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
++	allow $1 system_dbusd_t:dbus *;
+ ')
  
  ########################################
  ## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
--## </summary>
++##	Create a domain for processes
++##	which can be started by the system dbus
+ ## </summary>
 -## <param name="role_prefix">
 -##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
 -##	</summary>
 -## </param>
--## <param name="domain">
--##	<summary>
--##	Type to be used as a domain.
--##	</summary>
--## </param>
--## <param name="entry_point">
--##	<summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Type to be used as a domain.
+@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',`
+ ## </param>
+ ## <param name="entry_point">
+ ##	<summary>
 -##	Type of the program to be used as an
 -##	entry point to this domain.
--##	</summary>
--## </param>
--#
++##	Type of the program to be used as an entry point to this domain.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dbus_session_domain',`
 -	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
 -	dbus_all_session_domain($1, $2)
--')
--
--########################################
--## <summary>
++interface(`dbus_system_domain',`
++	gen_require(`
++		attribute system_bus_type;
++		type system_dbusd_t;
++		role system_r;
++	')
++	typeattribute $1  system_bus_type;
++
++	domain_type($1)
++	domain_entry_file($1, $2)
++
++	domtrans_pattern(system_dbusd_t, $2, $1)
++	init_system_domain($1, $2)
++
++	ps_process_pattern($1, system_dbusd_t)
++
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
-+##	Connect to the system DBUS
-+##	for service (acquire_svc).
++##	Use and inherit system DBUS file descriptors.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
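Review bot: The summary written for `dbus_connect_session_bus` says `Connect to the system DBUS for service (acquire_svc)` although the body allows `$1 session_bus_type:dbus acquire_svc`, i.e. the session bus; it should read `Connect to the session DBUS for service (acquire_svc)`, leaving the system wording to `dbus_connect_system_bus` where it is correct. Two smaller items in the same hunk: the `dbus_send_session_bus` summary is missing a word (`Send a message to the session DBUS.`), and `dbus_system_domain` has a double space in `typeattribute $1  system_bus_type;` plus a stray blank line before its closing `')`. `dbus_session_bus_client` also grants `allow session_bus_type $1:process sigkill;`, which lets any session bus kill every client domain that uses this interface; a one-line comment stating why the bus needs that over its clients would help reviewers.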
@@ -18790,259 +19959,276 @@ index afcf3a2..e6ecc4d 100644
  ## </param>
  #
 -interface(`dbus_all_session_domain',`
-+interface(`dbus_connect_session_bus',`
++interface(`dbus_use_system_bus_fds',`
  	gen_require(`
 -		type session_bus_type;
-+		attribute session_bus_type;
-+		class dbus acquire_svc;
++		type system_dbusd_t;
  	')
  
 -	domtrans_pattern(session_bus_type, $2, $1)
 -
 -	dbus_all_session_bus_client($1)
 -	dbus_connect_all_session_bus($1)
-+	allow $1 session_bus_type:dbus acquire_svc;
++	allow $1 system_dbusd_t:fd use;
  ')
  
  ########################################
  ## <summary>
 -##	Allow a application domain to be
 -##	started by the specified session bus.
-+##	Allow a application domain to be started
-+##	by the session dbus.
++##	Allow unconfined access to the system DBUS.
  ## </summary>
 -## <param name="role_prefix">
-+## <param name="domain_prefix">
- ##	<summary>
+-##	<summary>
 -##	The prefix of the user role (e.g., user
 -##	is the prefix for user_r).
-+##	User domain prefix to be used.
- ##	</summary>
- ## </param>
+-##	</summary>
+-## </param>
  ## <param name="domain">
-@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',`
+ ##	<summary>
+-##	Type to be used as a domain.
+-##	</summary>
+-## </param>
+-## <param name="entry_point">
+-##	<summary>
+-##	Type of the program to be used as an
+-##	entry point to this domain.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_spec_session_domain',`
-+interface(`dbus_session_domain',`
++interface(`dbus_unconfined',`
  	gen_require(`
- 		type $1_dbusd_t;
+-		type $1_dbusd_t;
++		attribute dbusd_unconfined;
  	')
  
- 	domtrans_pattern($1_dbusd_t, $2, $3)
- 
+-	domtrans_pattern($1_dbusd_t, $2, $3)
+-
 -	dbus_spec_session_bus_client($1, $2)
 -	dbus_connect_spec_session_bus($1, $2)
-+	dbus_session_bus_client($3)
-+	dbus_connect_session_bus($3)
++	typeattribute $1 dbusd_unconfined;
  ')
  
  ########################################
  ## <summary>
 -##	Acquire service on the DBUS system bus.
-+##	Connect to the system DBUS
-+##	for service (acquire_svc).
++##	Delete all dbus pid files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',`
+@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_connect_system_bus',`
++interface(`dbus_delete_pid_files',`
+ 	gen_require(`
+-		type system_dbusd_t;
+-		class dbus acquire_svc;
++		type system_dbusd_var_run_t;
+ 	')
+ 
+-	allow $1 system_dbusd_t:dbus acquire_svc;
++	files_search_pids($1)
++	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ ')
  
  ########################################
  ## <summary>
 -##	Send messages to the DBUS system bus.
-+##	Send a message on the system DBUS.
++##	Read all dbus pid files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',`
+@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_send_system_bus',`
++interface(`dbus_read_pid_files',`
+ 	gen_require(`
+-		type system_dbusd_t;
+-		class dbus send_msg;
++		type system_dbusd_var_run_t;
+ 	')
+ 
+-	allow $1 system_dbusd_t:dbus send_msg;
++	files_search_pids($1)
++	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ ')
  
  ########################################
  ## <summary>
 -##	Unconfined access to DBUS system bus.
-+##	Allow unconfined access to the system DBUS.
++##	Do not audit attempts to connect to
++##	session bus types with a unix
++##	stream socket.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',`
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_system_bus_unconfined',`
++interface(`dbus_dontaudit_stream_connect_session_bus',`
+ 	gen_require(`
+-		type system_dbusd_t;
+-		class dbus all_dbus_perms;
++		attribute session_bus_type;
+ 	')
+ 
+-	allow $1 system_dbusd_t:dbus *;
++	dontaudit $1 session_bus_type:unix_stream_socket connectto;
+ ')
  
  ########################################
  ## <summary>
 -##	Create a domain for processes which
 -##	can be started by the DBUS system bus.
-+##	Create a domain for processes
-+##	which can be started by the system dbus
++##	Allow attempts to connect to
++##	session bus types with a unix
++##	stream socket.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',`
+-##	Type to be used as a domain.
+-##	</summary>
+-## </param>
+-## <param name="entry_point">
+-##	<summary>
+-##	Type of the program to be used as an entry point to this domain.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
  #
- interface(`dbus_system_domain',`
+-interface(`dbus_system_domain',`
++interface(`dbus_stream_connect_session_bus',`
  	gen_require(`
-+		attribute system_bus_type;
- 		type system_dbusd_t;
- 		role system_r;
+-		type system_dbusd_t;
+-		role system_r;
++		attribute session_bus_type;
  	')
-+	typeattribute $1  system_bus_type;
- 
- 	domain_type($1)
- 	domain_entry_file($1, $2)
  
+-	domain_type($1)
+-	domain_entry_file($1, $2)
+-
 -	role system_r types $1;
 -
- 	domtrans_pattern(system_dbusd_t, $2, $1)
- 
+-	domtrans_pattern(system_dbusd_t, $2, $1)
+-
 -	dbus_system_bus_client($1)
 -	dbus_connect_system_bus($1)
 -
 -	ps_process_pattern(system_dbusd_t, $1)
 -
 -	userdom_read_all_users_state($1)
-+	ps_process_pattern($1, system_dbusd_t)
- 
+-
 -	ifdef(`hide_broken_symptoms', `
 -		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
 -	')
++	allow $1 session_bus_type:unix_stream_socket connectto;
  ')
  
  ########################################
  ## <summary>
 -##	Use and inherit DBUS system bus
 -##	file descriptors.
-+##	Use and inherit system DBUS file descriptors.
++##	Do not audit attempts to send dbus
++##	messages to session bus types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',`
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dbus_use_system_bus_fds',`
++interface(`dbus_chat_session_bus',`
+ 	gen_require(`
+-		type system_dbusd_t;
++		attribute session_bus_type;
++		class dbus send_msg;
+ 	')
+ 
+-	allow $1 system_dbusd_t:fd use;
++	allow $1 session_bus_type:dbus send_msg;
++	allow session_bus_type $1:dbus send_msg;
+ ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to read and
 -##	write DBUS system bus TCP sockets.
-+##	Allow unconfined access to the system DBUS.
++##	Do not audit attempts to send dbus
++##	messages to session bus types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -596,28 +570,49 @@ interface(`dbus_use_system_bus_fds',`
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
-+interface(`dbus_unconfined',`
++interface(`dbus_dontaudit_chat_session_bus',`
  	gen_require(`
 -		type system_dbusd_t;
-+		attribute dbusd_unconfined;
++		attribute session_bus_type;
++		class dbus send_msg;
  	')
  
 -	dontaudit $1 system_dbusd_t:tcp_socket { read write };
-+	typeattribute $1 dbusd_unconfined;
++	dontaudit $1 session_bus_type:dbus send_msg;
  ')
  
  ########################################
  ## <summary>
 -##	Unconfined access to DBUS.
-+##	Delete all dbus pid files
++##	Do not audit attempts to send dbus
++##	messages to system bus types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`dbus_unconfined',`
-+interface(`dbus_delete_pid_files',`
++interface(`dbus_dontaudit_chat_system_bus',`
  	gen_require(`
 -		attribute dbusd_unconfined;
-+		type system_dbusd_var_run_t;
++		attribute system_bus_type;
++		class dbus send_msg;
  	')
  
 -	typeattribute $1 dbusd_unconfined;
-+	files_search_pids($1)
-+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read all dbus pid files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_read_pid_files',`
-+	gen_require(`
-+		type system_dbusd_var_run_t;
-+	')
-+
-+	files_search_pids($1)
-+	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to connect to
-+##	session bus types with a unix
-+##	stream socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_dontaudit_stream_connect_session_bus',`
-+	gen_require(`
-+		attribute session_bus_type;
-+	')
-+
-+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to send dbus
-+##	messages to session bus types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_dontaudit_chat_session_bus',`
-+	gen_require(`
-+		attribute session_bus_type;
-+		class dbus send_msg;
-+	')
-+
-+	dontaudit $1 session_bus_type:dbus send_msg;
++	dontaudit $1 system_bus_type:dbus send_msg;
++	dontaudit system_bus_type $1:dbus send_msg;
 +')
 +
-+########################################
++#######################################
 +## <summary>
-+##	Do not audit attempts to send dbus
-+##	messages to system bus types.
++##      Transition to dbus named content
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
++##      <summary>
++##      Domain allowed access.
++##      </summary>
 +## </param>
 +#
-+interface(`dbus_dontaudit_chat_system_bus',`
-+	gen_require(`
-+		attribute system_bus_type;
-+		class dbus send_msg;
-+	')
-+
-+	dontaudit $1 system_bus_type:dbus send_msg;
-+	dontaudit system_bus_type $1:dbus send_msg;
++interface(`dbus_filetrans_named_content_system',`
++    gen_require(`
++        type system_dbusd_var_lib_t;
++    ')
++    files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
  ')
 diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..493ab48 100644
+index 2c2e7e1..2ead441 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -1,20 +1,18 @@
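Review bot: The new `dbus_filetrans_named_content_system` interface at the end of the dbus.if hunk is indented with four spaces, uses a 39-character banner and a six-space summary indent, and has no blank line after `gen_require`, while every other interface in this file uses tabs, a 40-character `########################################` banner and a blank line before the body. Its summary `Transition to dbus named content` does not say what is created: the body creates a directory named `ibus` with type `system_dbusd_var_lib_t`, so `##	Create the "ibus" directory under /var with the system dbus lib type.` tells a caller what is being granted. Note that `files_var_filetrans` places the transition directly under the generic var type (presumably `/var/ibus`); if the directory actually lives under `/var/lib`, `files_var_lib_filetrans` as used by the docker interface later in this patch is the matching helper — confirm against the file context for that path.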
@@ -19090,7 +20276,7 @@ index 2c2e7e1..493ab48 100644
  
  ifdef(`enable_mcs',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,58 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,61 @@ ifdef(`enable_mls',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -19149,7 +20335,9 @@ index 2c2e7e1..493ab48 100644
  
 -domain_use_interactive_fds(system_dbusd_t)
 -domain_read_all_domains_state(system_dbusd_t)
--
++dev_rw_inherited_input_dev(system_dbusd_t)
++dev_rw_inherited_dri(system_dbusd_t)
+ 
 -files_list_home(system_dbusd_t)
 -files_read_usr_files(system_dbusd_t)
 +files_rw_inherited_non_security_files(system_dbusd_t)
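Review bot: `dev_rw_inherited_input_dev(system_dbusd_t)` and `dev_rw_inherited_dri(system_dbusd_t)` give the system bus daemon read/write on inherited input-device and DRI descriptors with no comment saying which caller hands them over. The daemon has no reason of its own to touch input or GPU devices, so these look like descriptors leaked by a client that activates a service through the bus; if so, a `dontaudit` of the same permissions would silence the denials without widening the daemon's device access, and either way a comment such as `# inherited from <activating client> — leaked fds, not used by dbus-daemon` lets a later reviewer decide. The enclosing rule block continues outside this hunk.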
@@ -19167,7 +20355,7 @@ index 2c2e7e1..493ab48 100644
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -19225,10 +20413,9 @@ index 2c2e7e1..493ab48 100644
 +optional_policy(`
 +	gnome_exec_gconf(system_dbusd_t)
 +	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
- ')
- 
- optional_policy(`
--	seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
 +    nis_use_ypbind(system_dbusd_t)
 +')
 +
@@ -19245,9 +20432,10 @@ index 2c2e7e1..493ab48 100644
 +
 +optional_policy(`
 +	sysnet_domtrans_dhcpc(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	seutil_sigchld_newrole(system_dbusd_t)
 +	systemd_use_fds_logind(system_dbusd_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 +	systemd_write_inhibit_pipes(system_dbusd_t)
@@ -19341,7 +20529,7 @@ index 2c2e7e1..493ab48 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -19366,7 +20554,7 @@ index 2c2e7e1..493ab48 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -19374,7 +20562,7 @@ index 2c2e7e1..493ab48 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -19416,7 +20604,7 @@ index 2c2e7e1..493ab48 100644
  ')
  
  ########################################
-@@ -244,5 +344,6 @@ optional_policy(`
+@@ -244,5 +347,6 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -20315,12 +21503,13 @@ index ff933af..cd1d88d 100644
 +')
 +
 diff --git a/dhcp.fc b/dhcp.fc
-index 7956248..5fee161 100644
+index 7956248..333d214 100644
 --- a/dhcp.fc
 +++ b/dhcp.fc
-@@ -1,4 +1,5 @@
+@@ -1,4 +1,6 @@
  /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 +/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++/usr/lib/systemd/system/dhcpd.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
  
  /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
  
@@ -21437,7 +22626,7 @@ index 23ab808..84735a8 100644
 +/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..e34a540 100644
+index 19aa0b8..b9895ba 100644
 --- a/dnsmasq.if
 +++ b/dnsmasq.if
 @@ -10,7 +10,6 @@
@@ -21581,27 +22770,40 @@ index 19aa0b8..e34a540 100644
  	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',`
  
  ########################################
  ## <summary>
 -##	Create specified objects in specified
 -##	directories with a type transition to
 -##	the dnsmasq pid file type.
-+##	Transition to dnsmasq named content
++##	Create dnsmasq pid directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 -## <param name="file_type">
 -##	<summary>
 -##	Directory to transition on.
 -##	</summary>
 -## </param>
 -## <param name="object">
--##	<summary>
++#
++interface(`dnsmasq_read_state',`
++	gen_require(`
++		type dnsmasq_t;
++	')
++    ps_process_pattern($1, dnsmasq_t)
++')
++
++########################################
++## <summary>
++##	Transition to dnsmasq named content
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	The object class of the object being created.
 +##      Domain allowed access.
  ##	</summary>
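Review bot: The summary written for the new `dnsmasq_read_state` interface reads `Create dnsmasq pid directories.`, which describes the preceding `dnsmasq_create_pid_dirs` interface rather than this one; the body only grants `ps_process_pattern($1, dnsmasq_t)`, so the line should be `##	Read the process state of dnsmasq.` The body line is also indented with four spaces and not separated from `gen_require` by a blank line, unlike every other interface in this file, which uses a tab and a blank line. The hunk continues into the following interface, whose body is outside this view.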
@@ -21649,7 +22851,7 @@ index 19aa0b8..e34a540 100644
  ')
  
  ########################################
-@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
  interface(`dnsmasq_admin',`
  	gen_require(`
  		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@@ -21670,7 +22872,7 @@ index 19aa0b8..e34a540 100644
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',`
  	files_list_var_lib($1)
  	admin_pattern($1, dnsmasq_lease_t)
  
@@ -21686,7 +22888,7 @@ index 19aa0b8..e34a540 100644
 +	allow $1 dnsmasq_unit_file_t:service all_service_perms;
  ')
 diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..a3e6c7c 100644
+index ba14bcf..34a4c71 100644
 --- a/dnsmasq.te
 +++ b/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -21699,7 +22901,15 @@ index ba14bcf..a3e6c7c 100644
  ########################################
  #
  # Local policy
-@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
+ allow dnsmasq_t self:rawip_socket create_socket_perms;
+ 
+ read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
++list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+ 
+ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
  files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
  
  kernel_read_kernel_sysctls(dnsmasq_t)
@@ -21715,7 +22925,7 @@ index ba14bcf..a3e6c7c 100644
  corenet_all_recvfrom_netlabel(dnsmasq_t)
  corenet_tcp_sendrecv_generic_if(dnsmasq_t)
  corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
+@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
  
  auth_use_nsswitch(dnsmasq_t)
  
@@ -21727,7 +22937,7 @@ index ba14bcf..a3e6c7c 100644
  
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -98,12 +104,21 @@ optional_policy(`
+@@ -98,12 +105,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21750,7 +22960,7 @@ index ba14bcf..a3e6c7c 100644
  ')
  
  optional_policy(`
-@@ -124,6 +139,14 @@ optional_policy(`
+@@ -124,6 +140,14 @@ optional_policy(`
  
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
@@ -21923,10 +23133,10 @@ index ef36d73..fddd51f 100644
  sysnet_etc_filetrans_config(dnssec_triggerd_t)
 diff --git a/docker.fc b/docker.fc
 new file mode 100644
-index 0000000..484dd44
+index 0000000..1c4ac02
 --- /dev/null
 +++ b/docker.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,17 @@
 +/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
 +
 +/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
@@ -21936,22 +23146,26 @@ index 0000000..484dd44
 +/var/run/docker\.pid		--	gen_context(system_u:object_r:docker_var_run_t,s0)
 +/var/run/docker\.sock		-s	gen_context(system_u:object_r:docker_var_run_t,s0)
 +
++/var/lock/lxc(/.*)?		gen_context(system_u:object_r:docker_lock_t,s0)
++
 +/var/log/lxc(/.*)?		gen_context(system_u:object_r:docker_log_t,s0)
 +
-+/usr/lib/lxc/rootfs		gen_context(system_u:object_r:mnt_t,s0)
-\ No newline at end of file
++/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..097c75c
+index 0000000..66fe66d
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,344 @@
 +
-+## <summary>policy for docker</summary>
++## <summary>The open-source application container engine.</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the docker domin.
++##	Execute docker in the docker domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
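Review bot: The three `docker_share_t` patterns at the end of the docker.fc section are scoped inconsistently: `hosts` and `hostname` are matched only under `/var/lib/docker/containers/`, while `config\.env` is matched at any depth under `/var/lib/docker/`. If `config.env` is likewise written per container, `/var/lib/docker/containers/.*/config\.env` keeps the three rules parallel and avoids labelling an unrelated file of that name as `docker_share_t`; if it genuinely lives elsewhere, a short comment above the group naming the directory would record why it differs. The named transitions in docker.if create these files as `docker_share_t` in any `docker_var_lib_t` directory, so any path the file contexts do not cover would be relabelled back on `restorecon`.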
@@ -21989,6 +23203,25 @@ index 0000000..097c75c
 +
 +########################################
 +## <summary>
++##	Execute docker lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`docker_exec_lib',`
++	gen_require(`
++		type docker_var_lib_t;
++	')
++
++	allow $1 docker_var_lib_t:dir search_dir_perms;
++	can_exec($1, docker_var_lib_t)
++')
++
++########################################
++## <summary>
 +##	Read docker lib files.
 +## </summary>
 +## <param name="domain">
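Review bot: `docker_exec_lib` grants search on `docker_var_lib_t` directories but, unlike `docker_read_share_files` and the manage-lib-files interface in the same file, does not call `files_search_var_lib($1)`, so a caller that does not already have search on `/var/lib` cannot reach the directory it is being allowed to execute from; adding `files_search_var_lib($1)` before the `allow` keeps the three interfaces consistent. The summary `Execute docker lib directories.` also misdescribes the rule, since `can_exec` is a file permission; `##	Execute files in the docker lib directories.` is the accurate wording.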
@@ -22008,6 +23241,25 @@ index 0000000..097c75c
 +
 +########################################
 +## <summary>
++##	Read docker share files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`docker_read_share_files',`
++	gen_require(`
++		type docker_share_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, docker_share_t, docker_share_t)
++')
++
++########################################
++## <summary>
 +##	Manage docker lib files.
 +## </summary>
 +## <param name="domain">
@@ -22023,6 +23275,7 @@ index 0000000..097c75c
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
++	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
 +')
 +
 +########################################
@@ -22046,6 +23299,41 @@ index 0000000..097c75c
 +
 +########################################
 +## <summary>
++##	Create objects in a docker var lib directory
++##	with an automatic type transition to
++##	a specified private type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private_type">
++##	<summary>
++##	The type of the object to create.
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The class of the object to be created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`docker_lib_filetrans',`
++	gen_require(`
++		type docker_var_lib_t;
++	')
++
++	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
 +##	Read docker PID files.
 +## </summary>
 +## <param name="domain">
@@ -22087,30 +23375,109 @@ index 0000000..097c75c
 +	ps_process_pattern($1, docker_t)
 +')
 +
++########################################
++## <summary>
++##	Read and write docker shared memory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`docker_rw_sem',`
++	gen_require(`
++		type docker_t;
++	')
++
++	allow $1 docker_t:sem rw_sem_perms;
++')
++
++#######################################
++## <summary>
++##  Read and write the docker pty type.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`docker_use_ptys',`
++    gen_require(`
++        type docker_devpts_t;
++    ')
++
++    allow $1 docker_devpts_t:chr_file rw_term_perms;
++')
++
++#######################################
++## <summary>
++##      Allow domain to create docker content
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`docker_filetrans_named_content',`
++
++    gen_require(`
++        type docker_var_lib_t;
++        type docker_share_t;
++	type docker_log_t;
++	type docker_var_run_t;
++    ')
++
++    files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
++    files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
++    logging_log_filetrans($1, docker_log_t, dir, "lxc")
++    files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
++    filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
++')
 +
 +########################################
 +## <summary>
-+##	All of the rules required to administrate
-+##	an docker environment
++##	Connect to docker over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
++#
++interface(`docker_stream_connect',`
++	gen_require(`
++		type docker_t, docker_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an docker environment
++## </summary>
++## <param name="domain">
 +##	<summary>
-+##	Role allowed access.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
 +interface(`docker_admin',`
 +	gen_require(`
 +		type docker_t;
-+		type docker_var_lib_t;
-+		type docker_var_run_t;
-+	type docker_unit_file_t;
++		type docker_var_lib_t, docker_var_run_t;
++		type docker_unit_file_t;
++		type docker_lock_t;
++		type docker_log_t;
 +	')
 +
 +	allow $1 docker_t:process { ptrace signal_perms };
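Review bot: Indentation in the new interfaces is inconsistent: `docker_use_ptys` and `docker_filetrans_named_content` use four spaces where the rest of the file uses tabs, and the `gen_require` of `docker_filetrans_named_content` mixes both (`docker_var_lib_t`/`docker_share_t` with spaces, `docker_log_t`/`docker_var_run_t` with tabs). `docker_filetrans_named_content` also opens with a stray blank line after `interface(`, `docker_stream_connect` is followed by two blank lines, and `docker_use_ptys` has a 39-character banner with a two-space summary indent. Converting these to tabs, one blank line and the 40-character banner matches the surrounding code; the `docker_admin` body extends past this hunk.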
@@ -22122,38 +23489,27 @@ index 0000000..097c75c
 +	files_search_pids($1)
 +	admin_pattern($1, docker_var_run_t)
 +
++	files_search_locks($1)
++	admin_pattern($1, docker_lock_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, docker_log_t)
++
 +	docker_systemctl($1)
 +	admin_pattern($1, docker_unit_file_t)
 +	allow $1 docker_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
-+
-+########################################
-+## <summary>
-+##	Read and write docker shared memory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`docker_rw_sem',`
-+	gen_require(`
-+		type docker_t;
-+	')
-+
-+	allow $1 docker_t:sem rw_sem_perms;
-+')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..1229d66
+index 0000000..c80e06c
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,265 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -22161,35 +23517,70 @@ index 0000000..1229d66
 +# Declarations
 +#
 +
++## <desc>
++##  <p>
++##  Determine whether docker can
++##  connect to all TCP ports.
++##  </p>
++## </desc>
++gen_tunable(docker_connect_any, false)
++
++## <desc>
++## <p>
++## Allow docker to transition to unconfined containers.
++## </p>
++## </desc>
++gen_tunable(docker_transition_unconfined, false)
++
 +type docker_t;
 +type docker_exec_t;
 +init_daemon_domain(docker_t, docker_exec_t)
++domain_subj_id_change_exemption(docker_t)
++domain_role_change_exemption(docker_t)
 +
 +type docker_var_lib_t;
 +files_type(docker_var_lib_t)
 +
++type docker_lock_t;
++files_lock_file(docker_lock_t)
++
 +type docker_log_t;
 +logging_log_file(docker_log_t)
 +
 +type docker_tmp_t;
 +files_tmp_file(docker_tmp_t)
 +
++type docker_tmpfs_t;
++files_tmpfs_file(docker_tmpfs_t)
++
 +type docker_var_run_t;
 +files_pid_file(docker_var_run_t)
 +
 +type docker_unit_file_t;
 +systemd_unit_file(docker_unit_file_t)
 +
++type docker_devpts_t;
++term_pty(docker_devpts_t)
++
++type docker_share_t;
++files_type(docker_share_t)
++
 +########################################
 +#
 +# docker local policy
 +#
-+allow docker_t self:capability { chown fowner fsetid mknod net_admin };
-+allow docker_t self:process signal_perms;
++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service };
++allow docker_t self:process { getattr signal_perms };
 +allow docker_t self:fifo_file rw_fifo_file_perms;
 +allow docker_t self:unix_stream_socket create_stream_socket_perms;
++allow docker_t self:tcp_socket create_stream_socket_perms;
++allow docker_t self:udp_socket create_socket_perms;
 +allow docker_t self:capability2 block_suspend;
 +
++manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
++manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
++files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
++
 +manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
 +manage_files_pattern(docker_t, docker_log_t, docker_log_t)
 +manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
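Review bot: `domain_subj_id_change_exemption(docker_t)` and `domain_role_change_exemption(docker_t)` are added with no comment; they exempt the docker domain from the constraints that normally stop a transition from changing SELinux user and role, which is a broad exemption later readers will want justified. A one-line comment such as `# docker sets the context of the processes it starts in containers, which may change user and role` (adjusted to the real reason) keeps the grant reviewable. The two `<desc>` blocks are also indented differently from each other (two spaces vs one after `##`), and the `docker_connect_any` and `docker_transition_unconfined` tunables declared here are not referenced in any hunk visible to this review — confirm the corresponding `tunable_policy` blocks exist in the parts of docker.te outside this view.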
@@ -22200,6 +23591,19 @@ index 0000000..1229d66
 +manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
 +files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
 +
++manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
++
++manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
++manage_files_pattern(docker_t, docker_share_t, docker_share_t)
++manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
++can_exec(docker_t, docker_share_t)
++docker_filetrans_named_content(docker_t)
++
 +manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 +manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 +manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
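Review bot: `can_exec(docker_t, docker_share_t)` sits next to `manage_files_pattern(docker_t, docker_share_t, docker_share_t)`, so docker can both write and execute the same type, and per docker.fc that type also covers the per-container `hosts`, `hostname` and `config.env` files. If the only executable content is the `/var/lib/docker/init` directory (presumably the init helper docker injects into containers), a separate type for it would keep write-and-execute off the container-facing files; failing that, a comment above `can_exec` naming what is executed (`# execute the init helper under /var/lib/docker/init`) records the intent. The surrounding rule block continues in the next hunk.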
@@ -22213,9 +23617,13 @@ index 0000000..1229d66
 +manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
 +files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
 +
++allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++term_create_pty(docker_t, docker_devpts_t)
++
 +kernel_read_system_state(docker_t)
 +kernel_read_network_state(docker_t)
 +kernel_read_all_sysctls(docker_t)
++kernel_rw_net_sysctls(docker_t)
 +
 +domain_use_interactive_fds(docker_t)
 +
@@ -22223,17 +23631,38 @@ index 0000000..1229d66
 +corecmd_exec_shell(docker_t)
 +
 +corenet_tcp_bind_generic_node(docker_t)
++corenet_tcp_sendrecv_generic_if(docker_t)
++corenet_tcp_sendrecv_generic_node(docker_t)
++corenet_tcp_sendrecv_generic_port(docker_t)
++corenet_tcp_bind_all_ports(docker_t)
++corenet_tcp_connect_http_port(docker_t)
++corenet_tcp_connect_commplex_main_port(docker_t)
++corenet_udp_sendrecv_generic_if(docker_t)
++corenet_udp_sendrecv_generic_node(docker_t)
++corenet_udp_sendrecv_all_ports(docker_t)
++corenet_udp_bind_generic_node(docker_t)
++corenet_udp_bind_all_ports(docker_t)
 +
 +files_read_etc_files(docker_t)
 +
 +fs_read_cgroup_files(docker_t)
++fs_read_tmpfs_symlinks(docker_t)
++
++storage_raw_rw_fixed_disk(docker_t)
 +
 +auth_use_nsswitch(docker_t)
 +
++init_read_state(docker_t)
++
++logging_send_audit_msgs(docker_t)
++logging_send_syslog_msg(docker_t)
++
 +miscfiles_read_localization(docker_t)
 +
 +mount_domtrans(docker_t)
 +
++seutil_read_default_contexts(docker_t)
++
 +sysnet_dns_name_resolve(docker_t)
 +sysnet_exec_ifconfig(docker_t)
 +
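Review bot: `corenet_tcp_bind_all_ports(docker_t)` and `corenet_udp_bind_all_ports(docker_t)` are granted unconditionally even though a `docker_connect_any` tunable is declared earlier in docker.te for the connect side, and `storage_raw_rw_fixed_disk(docker_t)` gives the daemon raw read/write on fixed-disk block devices. Both are large grants for a daemon and neither carries a comment; a line like `# bind any port: published container ports may be arbitrary` above the bind rules and `# raw disk access: required by the storage backend` (naming the real driver) above the storage rule would make them reviewable, and if the raw-disk need is backend-specific a tunable in the style of `docker_connect_any` would let hosts on other backends drop it. The rule block continues outside this hunk.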
@@ -22249,44 +23678,103 @@ index 0000000..1229d66
 +# lxc rules
 +#
 +
-+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
-+allow docker_t self:process { setsched signal_perms };
-+allow docker_t self:netlink_route_socket nlmsg_write;
-+allow docker_t self:unix_dgram_socket create_socket_perms;
++allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
++
++allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
++
++allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
++allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
++allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +allow docker_t docker_var_lib_t:dir mounton;
++allow docker_t docker_var_lib_t:chr_file mounton;
++can_exec(docker_t, docker_var_lib_t)
 +
 +kernel_setsched(docker_t)
++kernel_get_sysvipc_info(docker_t)
++kernel_request_load_module(docker_t)
++kernel_mounton_messages(docker_t)
 +
 +dev_getattr_all_blk_files(docker_t)
++dev_getattr_sysfs_fs(docker_t)
 +dev_read_urand(docker_t)
 +dev_read_lvm_control(docker_t)
 +dev_read_sysfs(docker_t)
++dev_rw_loop_control(docker_t)
++dev_rw_lvm_control(docker_t)
 +
++files_getattr_isid_type_dirs(docker_t)
 +files_manage_isid_type_dirs(docker_t)
 +files_manage_isid_type_files(docker_t)
 +files_manage_isid_type_symlinks(docker_t)
 +files_manage_isid_type_chr_files(docker_t)
++files_manage_isid_type_blk_files(docker_t)
 +files_exec_isid_files(docker_t)
 +files_mounton_isid(docker_t)
 +files_mounton_non_security(docker_t)
++files_mounton_isid_type_chr_file(docker_t)
 +
 +fs_mount_all_fs(docker_t)
 +fs_unmount_all_fs(docker_t)
 +fs_remount_all_fs(docker_t)
++files_mounton_isid(docker_t)
 +fs_manage_cgroup_dirs(docker_t)
 +fs_manage_cgroup_files(docker_t)
++fs_relabelfrom_xattr_fs(docker_t)
++fs_relabelfrom_tmpfs(docker_t)
 +
 +term_use_generic_ptys(docker_t)
 +term_use_ptmx(docker_t)
 +term_getattr_pty_fs(docker_t)
++term_relabel_pty_fs(docker_t)
++term_mounton_unallocated_ttys(docker_t)
 +
 +modutils_domtrans_insmod(docker_t)
 +
 +optional_policy(`
++	dbus_system_bus_client(docker_t)
++	init_dbus_chat(docker_t)
++
++	optional_policy(`
++		systemd_dbus_chat_logind(docker_t)
++	')
++')
++
++optional_policy(`
++	udev_read_db(docker_t)
++')
++
++optional_policy(`
 +	virt_read_config(docker_t)
 +	virt_exec(docker_t)
++	virt_stream_connect(docker_t)
++	virt_stream_connect_sandbox(docker_t)
++	virt_exec_sandbox_files(docker_t)
++	virt_manage_sandbox_files(docker_t)
++	virt_relabel_sandbox_filesystem(docker_t)
++	# for lxc
++	virt_transition_svirt_sandbox(docker_t, system_r)
++	virt_mounton_sandbox_file(docker_t)
++')
++
++tunable_policy(`docker_connect_any',`
++    corenet_tcp_connect_all_ports(docker_t)
++    corenet_sendrecv_all_packets(docker_t)
++    corenet_tcp_sendrecv_all_ports(docker_t)
++')
++
++optional_policy(`
++    tunable_policy(`docker_transition_unconfined',`
++	    unconfined_transition(docker_t, docker_share_t)
++    	unconfined_transition(docker_t, docker_var_lib_t)
++    ')
++')
++
++optional_policy(`
++    unconfined_domain(docker_t)
 +')
++
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
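Review bot: `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` ends with a doubled semicolon, which checkmodule is unlikely to accept as the policy grammar has no empty statement; drop the second `;`. `files_mounton_isid(docker_t)` is now called twice in this hunk, once in the files_ block and again between the fs_ rules, so the second call can go. The trailing optional_policy block that calls `unconfined_domain(docker_t)` gives the daemon the full unconfined privilege set whenever the unconfined module is loaded, independent of the `docker_transition_unconfined` tunable right above it; if that is a deliberate stop-gap, a comment saying so would help readers who expect docker_t to be a confined domain. The two `unconfined_transition` lines in that tunable block are indented one with a tab and one with spaces, and the fail2ban, fcoe, gear.if and git.te additions in this patch likewise mix four-space indentation into files that otherwise use tabs.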
@@ -22363,7 +23851,7 @@ index c880070..4448055 100644
 -/var/spool/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_spool_t,s0)
 +/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff --git a/dovecot.if b/dovecot.if
-index dbcac59..66d42bb 100644
+index dbcac59..f3e446c 100644
 --- a/dovecot.if
 +++ b/dovecot.if
 @@ -1,29 +1,49 @@
@@ -22490,8 +23978,30 @@ index dbcac59..66d42bb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
+ 	allow $1 dovecot_tmp_t:file write;
+ ')
  
++####################################
++## <summary>
++##	Read dovecot configuration file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dovecot_read_config',`
++	gen_require(`
++		type dovecot_etc_t;
++	')
++
++	files_search_etc($1)
++	list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
++	read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
++')
++
  ########################################
  ## <summary>
 -##	All of the rules required to
@@ -22501,7 +24011,7 @@ index dbcac59..66d42bb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -132,21 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -22532,7 +24042,7 @@ index dbcac59..66d42bb 100644
  
  	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -156,20 +175,25 @@ interface(`dovecot_admin',`
+@@ -156,20 +195,25 @@ interface(`dovecot_admin',`
  	files_list_etc($1)
  	admin_pattern($1, dovecot_etc_t)
  
@@ -22565,7 +24075,7 @@ index dbcac59..66d42bb 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..d4a79a1 100644
+index a7bfaf0..38bfca8 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
@@ -22926,7 +24436,7 @@ index a7bfaf0..d4a79a1 100644
  allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
  
  append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
  files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
  
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22953,6 +24463,7 @@ index a7bfaf0..d4a79a1 100644
 -logging_search_logs(dovecot_deliver_t)
 +files_search_tmp(dovecot_deliver_t)
 +files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
++files_search_all_mountpoints(dovecot_deliver_t)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(dovecot_deliver_t)
@@ -22987,7 +24498,7 @@ index a7bfaf0..d4a79a1 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -326,5 +361,6 @@ optional_policy(`
+@@ -326,5 +362,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23137,7 +24648,7 @@ index 9a21639..26c5986 100644
  ')
 +
 diff --git a/drbd.te b/drbd.te
-index 8e5ee54..6e11edb 100644
+index 8e5ee54..bdd8883 100644
 --- a/drbd.te
 +++ b/drbd.te
 @@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
@@ -23149,7 +24660,13 @@ index 8e5ee54..6e11edb 100644
  
  manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
  manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-@@ -46,10 +46,6 @@ dev_read_rand(drbd_t)
+@@ -42,14 +42,12 @@ can_exec(drbd_t, drbd_exec_t)
+ 
+ kernel_read_system_state(drbd_t)
+ 
++corecmd_exec_bin(drbd_t)
++
+ dev_read_rand(drbd_t)
  dev_read_sysfs(drbd_t)
  dev_read_urand(drbd_t)
  
@@ -23532,9 +25049,18 @@ index 266cb8f..b619351 100644
 +    procmail_domtrans(dspam_t)
 +')
 diff --git a/entropyd.te b/entropyd.te
-index a0da189..d8bc9d5 100644
+index a0da189..dc22b89 100644
 --- a/entropyd.te
 +++ b/entropyd.te
+@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2)
+ ##	the entropy feeds.
+ ##	</p>
+ ## </desc>
+-gen_tunable(entropyd_use_audio, false)
++gen_tunable(entropyd_use_audio, true)
+ 
+ type entropyd_t;
+ type entropyd_exec_t;
 @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
  dev_read_rand(entropyd_t)
  dev_write_rand(entropyd_t)
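Review bot: Flipping `gen_tunable(entropyd_use_audio, false)` to `true` changes the shipped default so every install now grants entropyd the audio-device access this boolean controls, but nothing in the hunk records why; a short comment above the gen_tunable, or a line in the patch description, would let reviewers tell a deliberate policy decision from a leftover test setting. If the `<desc>` text above it still describes the boolean as something to turn on, it should be reworded to match the new default.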
@@ -24119,7 +25645,7 @@ index 50d0084..6565422 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..95bb886 100644
+index 0872e50..cdea6d0 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -24196,7 +25722,7 @@ index 0872e50..95bb886 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -129,22 +142,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -24226,11 +25752,15 @@ index 0872e50..95bb886 100644
 -
  userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
  userdom_use_user_terminals(fail2ban_client_t)
++
++optional_policy(`
++    apache_read_log(fail2ban_client_t)
++')
 diff --git a/fcoe.te b/fcoe.te
-index 79b9273..76b7ed5 100644
+index 79b9273..28dec44 100644
 --- a/fcoe.te
 +++ b/fcoe.te
-@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t)
+@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
  # Local policy
  #
  
@@ -24255,6 +25785,17 @@ index 79b9273..76b7ed5 100644
  
  logging_send_syslog_msg(fcoemon_t)
  
+ miscfiles_read_localization(fcoemon_t)
+ 
++userdom_dgram_send(fcoemon_t)
++
+ optional_policy(`
+ 	lldpad_dgram_send(fcoemon_t)
+ ')
++
++optional_policy(`
++    networkmanager_dgram_send(fcoemon_t)
++')
 diff --git a/fetchmail.fc b/fetchmail.fc
 index 2486e2a..fef9bff 100644
 --- a/fetchmail.fc
@@ -24413,7 +25954,7 @@ index 21d7b84..0e272bd 100644
  
  /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..0fc685b 100644
+index 5cf6ac6..1893f7f 100644
 --- a/firewalld.if
 +++ b/firewalld.if
 @@ -2,6 +2,66 @@
@@ -24513,7 +26054,12 @@ index 5cf6ac6..0fc685b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -45,10 +124,14 @@ interface(`firewalld_admin',`
+@@ -41,14 +120,18 @@ interface(`firewalld_dbus_chat',`
+ interface(`firewalld_admin',`
+ 	gen_require(`
+ 		type firewalld_t, firewalld_initrc_exec_t;
+-		type firewall_etc_rw_t, firewalld_var_run_t;
++		type firewalld_etc_rw_t, firewalld_var_run_t;
  		type firewalld_var_log_t;
  	')
  
@@ -24535,7 +26081,8 @@ index 5cf6ac6..0fc685b 100644
  	admin_pattern($1, firewalld_var_log_t)
  
 -	files_search_etc($1)
- 	admin_pattern($1, firewall_etc_rw_t)
+-	admin_pattern($1, firewall_etc_rw_t)
++	admin_pattern($1, firewalld_etc_rw_t)
 +
 +	admin_pattern($1, firewalld_unit_file_t)
 +	firewalld_systemctl($1)
@@ -24960,18 +26507,19 @@ index c12c067..a415012 100644
  
  optional_policy(`
 diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..34e1f1c 100644
+index c81b6e8..ed04b9e 100644
 --- a/fprintd.te
 +++ b/fprintd.te
-@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
+@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
  allow fprintd_t self:capability sys_nice;
  allow fprintd_t self:process { getsched setsched signal sigkill };
  allow fprintd_t self:fifo_file rw_fifo_file_perms;
 +allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
+@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t)
  
  dev_list_usbfs(fprintd_t)
  dev_read_sysfs(fprintd_t)
@@ -24985,11 +26533,11 @@ index c81b6e8..34e1f1c 100644
  auth_use_nsswitch(fprintd_t)
  
 -miscfiles_read_localization(fprintd_t)
--
++logging_send_syslog_msg(fprintd_t)
+ 
  userdom_use_user_ptys(fprintd_t)
  userdom_read_all_users_state(fprintd_t)
- 
-@@ -54,8 +52,13 @@ optional_policy(`
+@@ -54,8 +55,17 @@ optional_policy(`
  	')
  ')
  
@@ -25002,8 +26550,324 @@ index c81b6e8..34e1f1c 100644
 +')
 +
 +optional_policy(`
++	udev_read_db(fprintd_t)
++')
++
++optional_policy(`
 +	xserver_read_state_xdm(fprintd_t)
  ')
+diff --git a/freeipmi.fc b/freeipmi.fc
+new file mode 100644
+index 0000000..0942a2e
+--- /dev/null
++++ b/freeipmi.fc
+@@ -0,0 +1,17 @@
++/usr/lib/systemd/system/bmc-watchdog.*		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
++/usr/lib/systemd/system/ipmidetectd.*		--	gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
++/usr/lib/systemd/system/ipmiseld.*        --  gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
++
++/usr/sbin/bmc-watchdog		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
++/usr/sbin/ipmidetectd			--	gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
++/usr/sbin/ipmiseld		--	gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
++
++/var/cache/ipmiseld(/.*)?       			gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
++/var/cache/ipmimonitoringsdrcache(/.*)?		gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
++
++/var/lib/freeipmi(/.*)?     gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
++
++
++/var/run/ipmidetectd\.pid	--	gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
++/var/run/ipmiseld\.pid	--	gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
++/var/run/bmc-watchdog\.pid	--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
+diff --git a/freeipmi.if b/freeipmi.if
+new file mode 100644
+index 0000000..9715f27
+--- /dev/null
++++ b/freeipmi.if
+@@ -0,0 +1,73 @@
++## <summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
++
++#####################################
++## <summary>
++##  Creates types and rules for a basic
++##  freeipmi init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`freeipmi_domain_template',`
++    gen_require(`
++        attribute freeipmi_domain, freeipmi_pid;
++    ')
++
++    #############################
++    #
++    # Declarations
++    #
++
++    type freeipmi_$1_t, freeipmi_domain;
++    type freeipmi_$1_exec_t;
++    init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
++    role system_r types freeipmi_$1_t;
++
++	type freeipmi_$1_unit_file_t;
++	systemd_unit_file(freeipmi_$1_unit_file_t)
++
++	type freeipmi_$1_var_run_t, freeipmi_pid;
++	files_pid_file(freeipmi_$1_var_run_t)
++
++    #############################
++    #
++    # Local policy
++    #
++
++	manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
++
++	kernel_read_system_state(freeipmi_$1_t)
++
++	corenet_all_recvfrom_netlabel(freeipmi_$1_t)
++	corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
++
++    dev_read_raw_memory(freeipmi_$1_t)
++
++    auth_use_nsswitch(freeipmi_$1_t)
++
++    logging_send_syslog_msg(freeipmi_$1_t)
++')
++
++####################################
++## <summary>
++##	Connect to cluster domains over a unix domain
++##	stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`freeipmi_stream_connect',`
++	gen_require(`
++		attribute freeipmi_domain, freeipmi_pid;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
++')
++
+diff --git a/freeipmi.te b/freeipmi.te
+new file mode 100644
+index 0000000..8071a76
+--- /dev/null
++++ b/freeipmi.te
+@@ -0,0 +1,75 @@
++policy_module(freeipmi, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute freeipmi_domain;
++attribute freeipmi_pid;
++
++freeipmi_domain_template(ipmidetectd)
++freeipmi_domain_template(ipmiseld)
++freeipmi_domain_template(bmc_watchdog)
++
++type freeipmi_var_lib_t;
++files_type(freeipmi_var_lib_t)
++
++type freeipmi_var_cache_t;
++files_type(freeipmi_var_cache_t)
++
++########################################
++#
++# freeipmi_domain local policy
++#
++
++allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
++allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
++allow freeipmi_domain self:sem create_sem_perms;
++allow freeipmi_domain self:tcp_socket { listen create_stream_socket_perms };
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
++
++dev_read_rand(freeipmi_domain)
++dev_read_urand(freeipmi_domain)
++
++sysnet_dns_name_resolve(freeipmi_domain)
++
++#######################################
++#
++# bmc-watchdog local policy
++#
++
++files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
++
++dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
++
++allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
++
++#######################################
++#
++# ipmidetectd local policy
++#
++
++files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
++
++corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
++
++#######################################
++#
++# ipmiseld local policy
++#
++
++allow freeipmi_ipmiseld_t self:capability sys_rawio;
++
++allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
++
++files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
+diff --git a/freqset.fc b/freqset.fc
+new file mode 100644
+index 0000000..3cd9c38
+--- /dev/null
++++ b/freqset.fc
+@@ -0,0 +1 @@
++/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset		--	gen_context(system_u:object_r:freqset_exec_t,s0)
+diff --git a/freqset.if b/freqset.if
+new file mode 100644
+index 0000000..190ccc0
+--- /dev/null
++++ b/freqset.if
+@@ -0,0 +1,76 @@
++
++## <summary>policy for freqset</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the freqset domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`freqset_domtrans',`
++	gen_require(`
++		type freqset_t, freqset_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, freqset_exec_t, freqset_t)
++')
++
++########################################
++## <summary>
++##	Execute freqset in the freqset domain, and
++##	allow the specified role the freqset domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the freqset domain.
++##	</summary>
++## </param>
++#
++interface(`freqset_run',`
++	gen_require(`
++		type freqset_t;
++		attribute_role freqset_roles;
++	')
++
++	freqset_domtrans($1)
++	roleattribute $2 freqset_roles;
++')
++
++########################################
++## <summary>
++##	Role access for freqset
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`freqset_role',`
++	gen_require(`
++		type freqset_t;
++		attribute_role freqset_roles;
++	')
++
++	roleattribute $1 freqset_roles;
++
++	freqset_domtrans($2)
++
++	ps_process_pattern($2, freqset_t)
++	allow $2 freqset_t:process { signull signal sigkill };
++')
+diff --git a/freqset.te b/freqset.te
+new file mode 100644
+index 0000000..0d09fbd
+--- /dev/null
++++ b/freqset.te
+@@ -0,0 +1,34 @@
++policy_module(freqset, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute_role freqset_roles;
++roleattribute system_r freqset_roles;
++
++type freqset_t;
++type freqset_exec_t;
++application_domain(freqset_t, freqset_exec_t)
++
++role freqset_roles types freqset_t;
++
++########################################
++#
++# freqset local policy
++#
++allow freqset_t self:capability { setuid };
++
++allow freqset_t self:fifo_file manage_fifo_file_perms;
++allow freqset_t self:unix_stream_socket create_stream_socket_perms;
++
++dev_rw_sysfs(freqset_t)
++
++domain_use_interactive_fds(freqset_t)
++
++files_read_etc_files(freqset_t)
++
++miscfiles_read_localization(freqset_t)
++
++userdom_use_inherited_user_terminals(freqset_t)
 diff --git a/ftp.fc b/ftp.fc
 index ddb75c1..44f74e6 100644
 --- a/ftp.fc
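Review bot: The `freeipmi_stream_connect` summary reads "Connect to cluster domains over a unix domain stream socket", a copy-paste leftover that should name freeipmi domains, and `freqset_domtrans` is documented as "Execute TEMPLATE in the freqset domin." where the placeholder and typo should become `Execute freqset in the freqset domain.`. In `freeipmi_domain_template`, `dev_read_raw_memory(freeipmi_$1_t)` hands /dev/mem read access to all three daemons built from the template (ipmidetectd, ipmiseld, bmc-watchdog); which of them actually needs it is not visible here, so a comment naming the consumer, or moving the call next to that daemon's section in freeipmi.te, would keep the grant narrow. `freeipmi_stream_connect` also permits connecting to sock_files labelled with the `freeipmi_pid` attribute, yet freeipmi.te only creates plain files under the `freeipmi_*_var_run_t` types, so the interface currently has nothing to connect to unless a sock_file rule is added. The new .if files mix tabs and four-space indentation inside the same block (e.g. the template body), unlike the existing .if files touched by this patch, which use tabs.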
@@ -25112,7 +26976,7 @@ index d062080..97fb494 100644
  	ftp_run_ftpdctl($1, $2)
  ')
 diff --git a/ftp.te b/ftp.te
-index e50f33c..6edd471 100644
+index e50f33c..de8e914 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -25178,7 +27042,18 @@ index e50f33c..6edd471 100644
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -193,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+ 
+ allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
+ 
+-allow ftpd_t xferlog_t:dir setattr_dir_perms;
+-append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+-create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+-logging_log_filetrans(ftpd_t, xferlog_t, file)
++manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)
++manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
++logging_log_filetrans(ftpd_t, xferlog_t, { dir file })
  
  kernel_read_kernel_sysctls(ftpd_t)
  kernel_read_system_state(ftpd_t)
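Review bot: Replacing the append/create/setattr rules on xferlog_t with `manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)` additionally grants write, unlink and rename on the transfer log, so a compromised ftpd can now truncate or delete its own xferlog instead of only appending to it. If the change is only meant to let ftpd create a log directory, `manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)` plus the original three file rules and the `{ dir file }` filetrans would cover that without weakening log integrity. The enclosing ftpd local-policy section continues outside the hunk.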
@@ -25194,7 +27069,7 @@ index e50f33c..6edd471 100644
  corenet_all_recvfrom_netlabel(ftpd_t)
  corenet_tcp_sendrecv_generic_if(ftpd_t)
  corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -224,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_sendrecv_ftp_data_server_packets(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  
@@ -25208,7 +27083,7 @@ index e50f33c..6edd471 100644
  files_read_etc_runtime_files(ftpd_t)
  files_search_var_lib(ftpd_t)
  
-@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -245,7 +258,6 @@ logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
  logging_set_loginuid(ftpd_t)
  
@@ -25216,7 +27091,7 @@ index e50f33c..6edd471 100644
  miscfiles_read_public_files(ftpd_t)
  
  seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +266,50 @@ sysnet_use_ldap(ftpd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
  userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -25242,6 +27117,7 @@ index e50f33c..6edd471 100644
 +tunable_policy(`ftpd_use_fusefs',`
 +        fs_manage_fusefs_dirs(ftpd_t)
 +        fs_manage_fusefs_files(ftpd_t)
++        fs_manage_fusefs_symlinks(ftpd_t)
 +',`
 +        fs_search_fusefs(ftpd_t)
 +')
@@ -25273,7 +27149,7 @@ index e50f33c..6edd471 100644
  ')
  
  tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,22 +329,19 @@ tunable_policy(`ftpd_connect_db',`
  	corenet_sendrecv_mssql_client_packets(ftpd_t)
  	corenet_tcp_connect_mssql_port(ftpd_t)
  	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -25301,7 +27177,7 @@ index e50f33c..6edd471 100644
  	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
  ')
  
-@@ -360,7 +388,7 @@ optional_policy(`
+@@ -360,7 +387,7 @@ optional_policy(`
  	selinux_validate_context(ftpd_t)
  
  	kerberos_keytab_template(ftpd, ftpd_t)
@@ -25310,7 +27186,7 @@ index e50f33c..6edd471 100644
  ')
  
  optional_policy(`
-@@ -410,21 +438,20 @@ optional_policy(`
+@@ -410,21 +437,20 @@ optional_policy(`
  #
  
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -25334,7 +27210,7 @@ index e50f33c..6edd471 100644
  
  miscfiles_read_public_files(anon_sftpd_t)
  
-@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +463,34 @@ tunable_policy(`sftpd_anon_write',`
  # Sftpd local policy
  #
  
@@ -25375,7 +27251,7 @@ index e50f33c..6edd471 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -475,21 +512,11 @@ tunable_policy(`sftpd_anon_write',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -25475,6 +27351,413 @@ index fc3b036..10a1bbe 100644
  sysnet_read_config(gatekeeper_t)
  
  userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/gear.fc b/gear.fc
+new file mode 100644
+index 0000000..5eabf35
+--- /dev/null
++++ b/gear.fc
+@@ -0,0 +1,7 @@
++/usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
++
++/usr/lib/systemd/system/gear.service		--	gen_context(system_u:object_r:gear_unit_file_t,s0)
++
++/var/lib/containers/bin/gear	--	gen_context(system_u:object_r:gear_exec_t,s0)
++
++/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
+diff --git a/gear.if b/gear.if
+new file mode 100644
+index 0000000..04e159f
+--- /dev/null
++++ b/gear.if
+@@ -0,0 +1,288 @@
++
++## <summary>The open-source application container engine.</summary>
++
++########################################
++## <summary>
++##	Execute gear in the gear domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gear_domtrans',`
++	gen_require(`
++		type gear_t, gear_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, gear_exec_t, gear_t)
++')
++
++########################################
++## <summary>
++##	Search gear lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_search_lib',`
++	gen_require(`
++		type gear_var_lib_t;
++	')
++
++	allow $1 gear_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Execute gear lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_exec_lib',`
++	gen_require(`
++		type gear_var_lib_t;
++	')
++
++	allow $1 gear_var_lib_t:dir search_dir_perms;
++	can_exec($1, gear_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read gear lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_read_lib_files',`
++	gen_require(`
++		type gear_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage gear lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_manage_lib_files',`
++	gen_require(`
++		type gear_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++	manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage gear lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_manage_lib_dirs',`
++	gen_require(`
++		type gear_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create objects in a gear var lib directory
++##	with an automatic type transition to
++##	a specified private type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private_type">
++##	<summary>
++##	The type of the object to create.
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The class of the object to be created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`gear_lib_filetrans',`
++	gen_require(`
++		type gear_var_lib_t;
++	')
++
++	filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Read gear PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_read_pid_files',`
++	gen_require(`
++		type gear_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, gear_var_run_t, gear_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute gear server in the gear domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`gear_systemctl',`
++	gen_require(`
++		type gear_t;
++		type gear_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 gear_unit_file_t:file read_file_perms;
++	allow $1 gear_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, gear_t)
++')
++
++########################################
++## <summary>
++##	Read and write gear shared memory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_rw_sem',`
++	gen_require(`
++		type gear_t;
++	')
++
++	allow $1 gear_t:sem rw_sem_perms;
++')
++
++#######################################
++## <summary>
++##  Read and write the gear pty type.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gear_use_ptys',`
++    gen_require(`
++        type gear_devpts_t;
++    ')
++
++    allow $1 gear_devpts_t:chr_file rw_term_perms;
++')
++
++#######################################
++## <summary>
++##      Allow domain to create gear content
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gear_filetrans_named_content',`
++    gen_require(`
++            type gear_var_lib_t;
++	    type gear_var_run_t;
++    ')
++
++    files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
++    files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an gear environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gear_admin',`
++	gen_require(`
++		type gear_t;
++		type gear_var_lib_t, gear_var_run_t;
++		type gear_unit_file_t;
++		type gear_lock_t;
++		type gear_log_t;
++	')
++
++	allow $1 gear_t:process { ptrace signal_perms };
++	ps_process_pattern($1, gear_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, gear_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, gear_var_run_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, gear_log_t)
++
++	gear_systemctl($1)
++	admin_pattern($1, gear_unit_file_t)
++	allow $1 gear_unit_file_t:service all_service_perms;
++')
+diff --git a/gear.te b/gear.te
+new file mode 100644
+index 0000000..6c32f79
+--- /dev/null
++++ b/gear.te
+@@ -0,0 +1,94 @@
++policy_module(gear, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gear_t;
++type gear_exec_t;
++init_daemon_domain(gear_t, gear_exec_t)
++
++type gear_var_lib_t;
++files_type(gear_var_lib_t)
++
++type gear_log_t;
++logging_log_file(gear_log_t)
++
++type gear_var_run_t;
++files_pid_file(gear_var_run_t)
++
++type gear_unit_file_t;
++systemd_unit_file(gear_unit_file_t)
++
++########################################
++#
++# gear local policy
++#
++allow gear_t self:process { getattr signal_perms };
++allow gear_t self:fifo_file rw_fifo_file_perms;
++allow gear_t self:unix_stream_socket create_stream_socket_perms;
++allow gear_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
++manage_files_pattern(gear_t, gear_log_t, gear_log_t)
++manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
++logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
++
++gear_filetrans_named_content(gear_t)
++
++manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(gear_t)
++kernel_read_network_state(gear_t)
++kernel_read_all_sysctls(gear_t)
++kernel_rw_net_sysctls(gear_t)
++
++domain_use_interactive_fds(gear_t)
++
++corecmd_exec_bin(gear_t)
++corecmd_exec_shell(gear_t)
++
++corenet_tcp_bind_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_if(gear_t)
++corenet_tcp_sendrecv_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_port(gear_t)
++corenet_tcp_bind_gear_port(gear_t)
++
++files_read_etc_files(gear_t)
++
++fs_read_cgroup_files(gear_t)
++fs_read_tmpfs_symlinks(gear_t)
++
++auth_use_nsswitch(gear_t)
++
++init_read_state(gear_t)
++init_dbus_chat(gear_t)
++
++logging_send_audit_msgs(gear_t)
++logging_send_syslog_msg(gear_t)
++
++miscfiles_read_localization(gear_t)
++
++mount_domtrans(gear_t)
++
++seutil_read_default_contexts(gear_t)
++
++sysnet_dns_name_resolve(gear_t)
++
++systemd_manage_all_unit_files(gear_t)
++
++optional_policy(`
++	docker_stream_connect(gear_t)
++')
 diff --git a/gift.te b/gift.te
 index 395238e..af76abb 100644
 --- a/gift.te
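Review bot: `gear_use_ptys` requires `type gear_devpts_t;` and `gear_admin` requires `type gear_lock_t;`, but gear.te in this same hunk declares neither type, so any module that calls either interface will fail its gen_require at build time; either declare the types in gear.te (with the matching `term_pty`/`files_lock_file` calls) or drop the requires and the rules that use them. Several summaries are copy-paste leftovers: the file-level summary "The open-source application container engine." describes docker rather than gear, `gear_systemctl` says "Execute gear server in the gear domain" although it grants systemctl control over the gear unit, and `gear_rw_sem` says "shared memory" while granting `sem` permissions. In gear.te, `systemd_manage_all_unit_files(gear_t)` lets the daemon create and modify every unit file on the system, well beyond its own `gear_unit_file_t`; if gear really writes units for the containers it manages, a comment saying so (and a narrower type where possible) would help. `corenet_tcp_bind_gear_port(gear_t)` assumes a gear port type is declared in the base policy's corenetwork, which this patch does not show. The `systemd_read_fifo_file_passwd_run($1)` line in `gear_systemctl` is indented with spaces while its neighbours use tabs.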
@@ -25570,7 +27853,7 @@ index 1e29af1..6c64f55 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 93b0301..ad8eb38 100644
+index 93b0301..6acc1f0 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -25633,7 +27916,30 @@ index 93b0301..ad8eb38 100644
  files_search_var_lib(git_system_t)
  
  auth_use_nsswitch(git_system_t)
-@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t)
+ 
+ tunable_policy(`git_system_enable_homedirs',`
+ 	userdom_search_user_home_dirs(git_system_t)
++	list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
++	list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
++	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
++
+ ')
+ 
+ tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
+@@ -248,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',`
+ 	fs_dontaudit_read_nfs_files(httpd_git_script_t)
+ ')
+ 
++
++optional_policy(`
++    gitosis_read_lib_files(httpd_git_script_t)
++')
++
+ ########################################
+ #
+ # Git global policy
+@@ -255,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
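Review bot: The new `list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)` sits inside the `git_system_enable_homedirs` tunable, so the CGI domain's access to user repositories is switched on by the system-daemon boolean rather than by a CGI-specific one; if the module's separate CGI homedir tunable (not visible in this hunk) is the intended gate, that line belongs there, while the two `git_system_t` lines are correctly placed. The `optional_policy` block for `gitosis_read_lib_files(httpd_git_script_t)` adds a stray leading blank line and uses four-space indentation where the surrounding file uses tabs; `	gitosis_read_lib_files(httpd_git_script_t)` preceded by a single blank line would match. The `tunable_policy` block at the end of the hunk continues outside it.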
@@ -26017,10 +28323,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..0f9d485
+index 0000000..36ff903
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,200 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -26073,6 +28379,9 @@ index 0000000..0f9d485
 +type glusterd_var_lib_t;
 +files_type(glusterd_var_lib_t)
 +
++type glusterd_brick_t;
++files_type(glusterd_brick_t)
++
 +########################################
 +#
 +# Local policy
@@ -26109,10 +28418,18 @@ index 0000000..0f9d485
 +
 +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 +relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 +
++manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++
 +can_exec(glusterd_t, glusterd_exec_t)
 +
 +kernel_read_system_state(glusterd_t)
@@ -26164,7 +28481,7 @@ index 0000000..0f9d485
 +fs_unmount_all_fs(glusterd_t)
 +fs_getattr_all_fs(glusterd_t)
 +
-+files_mounton_mnt(glusterd_t)
++files_mounton_non_security(glusterd_t)
 +
 +storage_rw_fuse(glusterd_t)
 +
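Review bot: Replacing `files_mounton_mnt(glusterd_t)` with `files_mounton_non_security(glusterd_t)` lets glusterd mount over every non-security-labelled file and directory on the system instead of just /mnt, a broad grant for a daemon that elsewhere in this patch gets its own `glusterd_brick_t` type. If the need is mounting bricks, the narrower `allow glusterd_t glusterd_brick_t:dir mounton;` would cover that; if arbitrary mount points really are required, a one-line comment stating which paths gluster mounts on would let the next reviewer judge the widening. The surrounding `fs_unmount_all_fs`/`fs_getattr_all_fs` lines are unchanged context.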
@@ -26418,10 +28735,10 @@ index fd02acc..0000000
 -
 -miscfiles_read_localization(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
-index e39de43..5818f74 100644
+index e39de43..6a6db28 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,15 +1,58 @@
+@@ -1,15 +1,61 @@
 -HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
@@ -26435,6 +28752,7 @@ index e39de43..5818f74 100644
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.nv(/.*)?  gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.nv/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 +HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
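Review bot: `HOME_DIR/\.nv/GLCache(/.*)?` is labelled `gstreamer_home_t` although it lives under `.nv`, which the line above labels `cache_home_t`; the same label is given to `.cache/GLCache` in the next hunk and by the `gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")` transition added further down in gnome.if. `gstreamer_home_t` is executable through `gnome_exec_gstreamer_home_files` (visible later in this patch), so an NVIDIA GL cache silently inherits an execute-capable type whose name does not suggest it. If execute/mmap access is the reason for the choice, a comment such as `# GLCache: NVIDIA GL shader cache, labelled like the orc/gstreamer caches because it is mapped the same way — confirm` would document it; otherwise `cache_home_t` would be the expected label.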
@@ -26443,6 +28761,7 @@ index e39de43..5818f74 100644
 +HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.cache/gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.cache/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
 +HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
@@ -26479,18 +28798,19 @@ index e39de43..5818f74 100644
 +/usr/share/config(/.*)? 	gen_context(system_u:object_r:config_usr_t,s0)
 +
  /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
- 
--/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
--/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
++/usr/bin/mate-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
++
 +# Don't use because toolchain is broken
 +#/usr/libexec/gconfd-2 --	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-+
+ 
+-/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+-/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..0e04529 100644
+index d03fd43..af9415c 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,157 @@
@@ -27204,58 +29524,92 @@ index d03fd43..0e04529 100644
  ## <summary>
 -##	Create, read, write, and delete
 -##	generic gconf home content.
-+##	Manage a sock_file in the generic cache home files (.cache)
++##	write to generic cache home files (.cache)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_manage_generic_gconf_home_content',`
-+interface(`gnome_manage_generic_cache_sockets',`
++interface(`gnome_manage_generic_cache_files',`
  	gen_require(`
 -		type gconf_home_t;
 +		type cache_home_t;
  	')
  
++	manage_files_pattern($1, cache_home_t, cache_home_t)
  	userdom_search_user_home_dirs($1)
 -	allow $1 gconf_home_t:dir manage_dir_perms;
 -	allow $1 gconf_home_t:file manage_file_perms;
 -	allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
 -	allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
 -	allow $1 gconf_home_t:sock_file manage_sock_file_perms;
-+	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
  ')
  
  ########################################
  ## <summary>
 -##	Search generic gconf home directories.
++##	Manage a sock_file in the generic cache home files (.cache)
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -496,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_search_generic_gconf_home',`
++interface(`gnome_manage_generic_cache_sockets',`
+ 	gen_require(`
+-		type gconf_home_t;
++		type cache_home_t;
+ 	')
+ 
+ 	userdom_search_user_home_dirs($1)
+-	allow $1 gconf_home_t:dir search_dir_perms;
++	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in user home
+-##	directories with the generic gconf
+-##	home type.
 +##	Dontaudit read/write to generic cache home files (.cache)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`gnome_search_generic_gconf_home',`
+-interface(`gnome_home_filetrans_gconf_home',`
 +interface(`gnome_dontaudit_rw_generic_cache_files',`
  	gen_require(`
 -		type gconf_home_t;
 +		type cache_home_t;
  	')
  
--	userdom_search_user_home_dirs($1)
--	allow $1 gconf_home_t:dir search_dir_perms;
+-	userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
 +	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create objects in user home
--##	directories with the generic gconf
+-##	directories with the generic gnome
 -##	home type.
 +##	read gnome homedir content (.config)
  ## </summary>
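Review bot: The summary of the renamed interface `gnome_manage_generic_cache_files` still reads `write to generic cache home files (.cache)` while its body grants `manage_files_pattern($1, cache_home_t, cache_home_t)`, i.e. create, delete and rename as well as write. It should read `##	Manage generic cache home files (.cache)` so callers see the real scope. The `gnome_manage_generic_cache_sockets` summary further down in the hunk is already consistent with its body.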
@@ -27275,14 +29629,14 @@ index d03fd43..0e04529 100644
 -##	</summary>
 -## </param>
  #
--interface(`gnome_home_filetrans_gconf_home',`
+-interface(`gnome_home_filetrans_gnome_home',`
 +interface(`gnome_read_config',`
  	gen_require(`
--		type gconf_home_t;
+-		type gnome_home_t;
 +		attribute gnome_home_type;
  	')
  
--	userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+-	userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
 +	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
 +	read_files_pattern($1, gnome_home_type, gnome_home_type)
 +	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
@@ -27291,23 +29645,22 @@ index d03fd43..0e04529 100644
  
  ########################################
  ## <summary>
--##	Create objects in user home
--##	directories with the generic gnome
--##	home type.
+-##	Create objects in gnome gconf home
+-##	directories with a private type.
 +##	Create objects in a Gnome gconf home directory
 +##	with an automatic type transition to
 +##	a specified private type.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
+@@ -577,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',`
  ## </param>
-+## <param name="private_type">
-+##	<summary>
+ ## <param name="private_type">
+ ##	<summary>
+-##	Private file type.
 +##	The type of the object to create.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
  ## <param name="object_class">
  ##	<summary>
 -##	Class of the object being created.
@@ -27315,18 +29668,19 @@ index d03fd43..0e04529 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -591,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',`
  ##	</summary>
  ## </param>
  #
--interface(`gnome_home_filetrans_gnome_home',`
+-interface(`gnome_gconf_home_filetrans',`
 +interface(`gnome_data_filetrans',`
  	gen_require(`
--		type gnome_home_t;
+-		type gconf_home_t;
 +		type data_home_t;
  	')
  
--	userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+-	userdom_search_user_home_dirs($1)
+-	filetrans_pattern($1, gconf_home_t, $2, $3, $4)
 +	filetrans_pattern($1, data_home_t, $2, $3, $4)
 +	gnome_search_gconf($1)
  ')
@@ -27334,44 +29688,40 @@ index d03fd43..0e04529 100644
 -########################################
 +#######################################
  ## <summary>
--##	Create objects in gnome gconf home
--##	directories with a private type.
+-##	Read generic gnome keyring home files.
 +##	Read generic data home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -610,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',`
  ##	</summary>
  ## </param>
--## <param name="private_type">
--##	<summary>
--##	Private file type.
--##	</summary>
--## </param>
--## <param name="object_class">
--##	<summary>
--##	Class of the object being created.
--##	</summary>
-+#
+ #
+-interface(`gnome_read_keyring_home_files',`
 +interface(`gnome_read_generic_data_home_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type gnome_home_t, gnome_keyring_home_t;
 +		type data_home_t, gconf_home_t;
-+	')
-+
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
 +	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
 +	read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Send and receive messages from
+-##	gnome keyring daemon over dbus.
 +##  Read generic data home dirs.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
--## <param name="name" optional="true">
++## </param>
 +#
 +interface(`gnome_read_generic_data_home_dirs',`
 +    gen_require(`
@@ -27384,49 +29734,49 @@ index d03fd43..0e04529 100644
 +#######################################
 +## <summary>
 +##	Manage gconf data home files
-+## </summary>
+ ## </summary>
+-## <param name="role_prefix">
 +## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
+-##	The prefix of the user domain (e.g., user
+-##	is the prefix for user_t).
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
- #
--interface(`gnome_gconf_home_filetrans',`
++#
 +interface(`gnome_manage_data',`
- 	gen_require(`
++	gen_require(`
 +		type data_home_t;
- 		type gconf_home_t;
- 	')
- 
--	userdom_search_user_home_dirs($1)
--	filetrans_pattern($1, gconf_home_t, $2, $3, $4)
++		type gconf_home_t;
++	')
++
 +	allow $1 gconf_home_t:dir search_dir_perms;
 +	manage_dirs_pattern($1, data_home_t, data_home_t)
 +	manage_files_pattern($1, data_home_t, data_home_t)
 +	manage_lnk_files_pattern($1, data_home_t, data_home_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read generic gnome keyring home files.
++')
++
++########################################
++## <summary>
 +##	Read icc data home content.
- ## </summary>
++## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`gnome_read_keyring_home_files',`
+-interface(`gnome_dbus_chat_gkeyringd',`
 +interface(`gnome_read_home_icc_data_content',`
  	gen_require(`
--		type gnome_home_t, gnome_keyring_home_t;
+-		type $1_gkeyringd_t;
+-		class dbus send_msg;
 +		type icc_data_home_t, gconf_home_t, data_home_t;
  	')
  
- 	userdom_search_user_home_dirs($1)
--	read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+-	allow $2 $1_gkeyringd_t:dbus send_msg;
+-	allow $1_gkeyringd_t $2:dbus send_msg;
++	userdom_search_user_home_dirs($1)
 +	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
 +	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
 +	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
@@ -27435,106 +29785,76 @@ index d03fd43..0e04529 100644
  
  ########################################
  ## <summary>
--##	Send and receive messages from
+-##	Send and receive messages from all
 -##	gnome keyring daemon over dbus.
 +##	Read inherited icc data home files.
  ## </summary>
--## <param name="role_prefix">
--##	<summary>
--##	The prefix of the user domain (e.g., user
--##	is the prefix for user_t).
--##	</summary>
--## </param>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -657,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
  ##	</summary>
  ## </param>
  #
--interface(`gnome_dbus_chat_gkeyringd',`
+-interface(`gnome_dbus_chat_all_gkeyringd',`
 +interface(`gnome_read_inherited_home_icc_data_files',`
  	gen_require(`
--		type $1_gkeyringd_t;
+-		attribute gkeyringd_domain;
 -		class dbus send_msg;
 +		type icc_data_home_t;
  	')
  
--	allow $2 $1_gkeyringd_t:dbus send_msg;
--	allow $1_gkeyringd_t $2:dbus send_msg;
+-	allow $1 gkeyringd_domain:dbus send_msg;
+-	allow gkeyringd_domain $1:dbus send_msg;
 +	allow $1 icc_data_home_t:file read_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Send and receive messages from all
--##	gnome keyring daemon over dbus.
+-##	Connect to gnome keyring daemon
+-##	with a unix stream socket.
 +##	Create gconf_home_t objects in the /root directory
  ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <param name="object_class">
+-## <param name="role_prefix">
++## <param name="domain">
 +##	<summary>
-+##	The class of the object to be created.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="name" optional="true">
++## <param name="object_class">
 +##	<summary>
-+##	The name of the object being created.
++##	The class of the object to be created.
 +##	</summary>
 +## </param>
- #
--interface(`gnome_dbus_chat_all_gkeyringd',`
-+interface(`gnome_admin_home_gconf_filetrans',`
- 	gen_require(`
--		attribute gkeyringd_domain;
--		class dbus send_msg;
-+		type gconf_home_t;
- 	')
- 
--	allow $1 gkeyringd_domain:dbus send_msg;
--	allow gkeyringd_domain $1:dbus send_msg;
-+	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
- ')
- 
- ########################################
- ## <summary>
--##	Connect to gnome keyring daemon
--##	with a unix stream socket.
-+##	Do not audit attempts to read
-+##	inherited gconf config files.
- ## </summary>
--## <param name="role_prefix">
-+## <param name="domain">
++## <param name="name" optional="true">
  ##	<summary>
 -##	The prefix of the user domain (e.g., user
 -##	is the prefix for user_t).
-+##	Domain to not audit.
++##	The name of the object being created.
  ##	</summary>
  ## </param>
 +#
-+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
++interface(`gnome_admin_home_gconf_filetrans',`
 +	gen_require(`
-+		type gconf_etc_t;
++		type gconf_home_t;
 +	')
 +
-+	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
++	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
 +')
 +
 +########################################
 +## <summary>
-+##	read gconf config files
++##	Do not audit attempts to read
++##	inherited gconf config files.
 +## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_stream_connect_gkeyringd',`
-+interface(`gnome_read_gconf_config',`
++interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
  	gen_require(`
 -		type $1_gkeyringd_t, gnome_keyring_tmp_t;
 +		type gconf_etc_t;
@@ -27542,6 +29862,31 @@ index d03fd43..0e04529 100644
  
 -	files_search_tmp($2)
 -	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
++	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Connect to all gnome keyring daemon
+-##	with a unix stream socket.
++##	read gconf config files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -704,12 +778,966 @@ interface(`gnome_stream_connect_gkeyringd',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_stream_connect_all_gkeyringd',`
++interface(`gnome_read_gconf_config',`
+ 	gen_require(`
+-		attribute gkeyringd_domain;
+-		type gnome_keyring_tmp_t;
++		type gconf_etc_t;
+ 	')
+ 
+-	files_search_tmp($1)
+-	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 +	allow $1 gconf_etc_t:dir list_dir_perms;
 +	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
 +	files_search_etc($1)
@@ -27564,22 +29909,19 @@ index d03fd43..0e04529 100644
 +
 +        allow $1 gconf_etc_t:dir list_dir_perms;
 +        manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- ')
- 
- ########################################
- ## <summary>
--##	Connect to all gnome keyring daemon
--##	with a unix stream socket.
++')
++
++########################################
++## <summary>
 +##	Execute gconf programs in 
 +##	in the caller domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -704,12 +799,872 @@ interface(`gnome_stream_connect_gkeyringd',`
- ##	</summary>
- ## </param>
- #
--interface(`gnome_stream_connect_all_gkeyringd',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`gnome_exec_gconf',`
 +	gen_require(`
 +		type gconfd_exec_t;
@@ -27924,6 +30266,23 @@ index d03fd43..0e04529 100644
 +	read_files_pattern($1, config_home_t, config_home_t)
 +	read_lnk_files_pattern($1, config_home_t, config_home_t)
 +')
++#######################################
++## <summary>
++##  append gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_append_home_config',`
++    gen_require(`
++        type config_home_t;
++    ')
++
++    append_files_pattern($1, config_home_t, config_home_t)
++')
 +
 +#######################################
 +## <summary>
@@ -27943,6 +30302,24 @@ index d03fd43..0e04529 100644
 +    delete_files_pattern($1, config_home_t, config_home_t)
 +')
 +
++########################################
++## <summary>
++##	Create gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_create_home_config_dirs',`
++	gen_require(`
++		type config_home_t;
++	')
++
++	allow $1 config_home_t:dir create_dir_perms;
++')
++
 +#######################################
 +## <summary>
 +##  setattr gnome homedir content (.config)
@@ -28053,6 +30430,24 @@ index d03fd43..0e04529 100644
 +        can_exec($1, gstreamer_home_t)
 +')
 +
++######################################
++## <summary>
++##      Allow to execute config home content files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gnome_exec_config_home_files',`
++        gen_require(`
++                type config_home_t;
++        ')
++
++        can_exec($1, config_home_t)
++')
++
 +#######################################
 +## <summary>
 +##  file name transition gstreamer home content files.
@@ -28080,6 +30475,7 @@ index d03fd43..0e04529 100644
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
 +    userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
 +    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
++    gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
 +    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
 +    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
 +    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
@@ -28174,14 +30570,11 @@ index d03fd43..0e04529 100644
 +## </param>
 +#
 +interface(`gnome_dbus_chat_gkeyringd',`
- 	gen_require(`
- 		attribute gkeyringd_domain;
--		type gnome_keyring_tmp_t;
++	gen_require(`
++		attribute gkeyringd_domain;
 +		class dbus send_msg;
- 	')
- 
--	files_search_tmp($1)
--	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++	')
++
 +	allow $1 gkeyringd_domain:dbus send_msg;
 +	allow gkeyringd_domain $1:dbus send_msg;
 +')
@@ -28453,7 +30846,7 @@ index d03fd43..0e04529 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..c6ff2a1 100644
+index 20f726b..5314f96 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -28497,7 +30890,7 @@ index 20f726b..c6ff2a1 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,226 @@ type gconfd_exec_t;
+@@ -29,107 +47,227 @@ type gconfd_exec_t;
  typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -28727,6 +31120,7 @@ index 20f726b..c6ff2a1 100644
 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
 +manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
 +files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
++fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
 +userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
  
 -kernel_read_system_state(gkeyringd_domain)
@@ -28758,9 +31152,9 @@ index 20f726b..c6ff2a1 100644
  
  optional_policy(`
 -	telepathy_mission_control_read_state(gkeyringd_domain)
++    gnome_create_home_config_dirs(gkeyringd_domain)
 +	gnome_read_home_config(gkeyringd_domain)
-+	gnome_read_generic_cache_files(gkeyringd_domain)
-+	gnome_write_generic_cache_files(gkeyringd_domain)
++    gnome_manage_generic_cache_files(gkeyringd_domain)
 +	gnome_manage_cache_home_dir(gkeyringd_domain)
 +	gnome_manage_generic_cache_sockets(gkeyringd_domain)
  ')
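Review bot: The two added calls `gnome_create_home_config_dirs(gkeyringd_domain)` and `gnome_manage_generic_cache_files(gkeyringd_domain)` are indented with four spaces inside an `optional_policy` block whose other lines use a tab; re-indent them with a tab. The second call replaces the earlier read+write pair with full manage on `cache_home_t`, which also permits create, delete and rename of every file under `.cache`; if the keyring daemon only needs its own cache entries, a filetrans to a private type would be tighter, though the need is not visible from this hunk.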
@@ -29296,7 +31690,7 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..8aa9dd9 100644
+index 44cf341..4af1ba0 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -1,47 +1,47 @@
@@ -29420,7 +31814,7 @@ index 44cf341..8aa9dd9 100644
 +allow gpgdomain self:process { getsched setsched };
 +#at setrlimit is for ulimit -c 0
 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
-+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
++dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
 +
 +allow gpgdomain self:fifo_file rw_fifo_file_perms;
 +allow gpgdomain self:tcp_socket create_stream_socket_perms;
@@ -29597,7 +31991,7 @@ index 44cf341..8aa9dd9 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +225,36 @@ tunable_policy(`use_samba_home_dirs',`
  
  ########################################
  #
@@ -29605,11 +31999,12 @@ index 44cf341..8aa9dd9 100644
 +# GPG agent local policy
  #
 +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
- 
++
 +# rlimit: gpg-agent wants to prevent coredumps
- allow gpg_agent_t self:process setrlimit;
++allow gpg_agent_t self:process { setrlimit signal_perms };
+ 
+-allow gpg_agent_t self:process setrlimit;
 -allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
 +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
@@ -29633,17 +32028,19 @@ index 44cf341..8aa9dd9 100644
  
 -kernel_dontaudit_search_sysctl(gpg_agent_t)
 +kernel_read_system_state(gpg_agent_t)
++kernel_read_core_if(gpg_agent_t)
  
 +corecmd_read_bin_symlinks(gpg_agent_t)
-+corecmd_search_bin(gpg_agent_t)
++corecmd_exec_bin(gpg_agent_t)
  corecmd_exec_shell(gpg_agent_t)
  
  dev_read_rand(gpg_agent_t)
-@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,37 +264,41 @@ domain_use_interactive_fds(gpg_agent_t)
  
  fs_dontaudit_list_inotifyfs(gpg_agent_t)
  
 -miscfiles_read_localization(gpg_agent_t)
++miscfiles_read_certs(gpg_agent_t)
  
 -userdom_use_user_terminals(gpg_agent_t)
 +# Write to the user domain tty.
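Review bot: `corecmd_exec_bin(gpg_agent_t)` replaces `corecmd_search_bin(gpg_agent_t)` and, together with the existing `corecmd_exec_shell`, lets gpg-agent run any `bin_t` program in its own domain; the hunk does not say which helper needs this, and pinentry already has its own domain later in this file. A comment on the line, e.g. `# gpg-agent execs <helper> in its own domain — confirm which`, or a narrower exec interface if only one helper is involved, would make the widening reviewable. `kernel_read_core_if` and `miscfiles_read_certs` look reasonable for an agent that talks to smartcards and TLS peers, though that is inferred.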
@@ -29692,7 +32089,7 @@ index 44cf341..8aa9dd9 100644
  ##############################
  #
  # Pinentry local policy
-@@ -277,8 +304,17 @@ optional_policy(`
+@@ -277,8 +306,17 @@ optional_policy(`
  
  allow gpg_pinentry_t self:process { getcap getsched setsched signal };
  allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -29711,7 +32108,7 @@ index 44cf341..8aa9dd9 100644
  
  manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +325,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
  
@@ -30103,10 +32500,10 @@ index 0000000..3ce0ac0
 +')
 diff --git a/gssproxy.te b/gssproxy.te
 new file mode 100644
-index 0000000..5044e7b
+index 0000000..bbd5979
 --- /dev/null
 +++ b/gssproxy.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,68 @@
 +policy_module(gssproxy, 1.0.0)
 +
 +########################################
@@ -30131,6 +32528,7 @@ index 0000000..5044e7b
 +#
 +# gssproxy local policy
 +#
++allow gssproxy_t self:capability { setuid setgid };
 +allow gssproxy_t self:capability2 block_suspend;
 +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
 +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
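Review bot: `allow gssproxy_t self:capability { setuid setgid };` adds uid/gid switching to the daemon without a comment, and `userdom_read_all_users_keys(gssproxy_t)` in the next hunk lets it read every user's kernel keyring; together these make gssproxy a cross-user credential reader, which is presumably its role (acting on behalf of callers to reach their credentials — confirm) but deserves to be stated. A comment such as `# gssproxy switches to the caller's uid/gid and reads users' keyrings to serve their credentials — confirm` above the capability line, referenced again at the keys line, would record why the broad grants are needed.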
@@ -30161,6 +32559,7 @@ index 0000000..5044e7b
 +
 +miscfiles_read_localization(gssproxy_t)
 +
++userdom_read_all_users_keys(gssproxy_t)
 +userdom_manage_user_tmp_dirs(gssproxy_t)
 +userdom_manage_user_tmp_files(gssproxy_t)
 +
@@ -30325,10 +32724,10 @@ index 0000000..e2ae3b2
 +/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
 diff --git a/hypervkvp.if b/hypervkvp.if
 new file mode 100644
-index 0000000..17c3627
+index 0000000..b7ca833
 --- /dev/null
 +++ b/hypervkvp.if
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,134 @@
 +
 +## <summary>policy for hypervkvp</summary>
 +
@@ -30410,6 +32809,29 @@ index 0000000..17c3627
 +	manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +')
 +
++#######################################
++## <summary>
++##  Execute hypervkvp server in the hypervkvp domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`hypervkvp_systemctl',`
++    gen_require(`
++        type hypervkvp_t;
++        type hypervkvp_unit_file_t;
++    ')
++
++    systemd_exec_systemctl($1)
++    allow $1 hypervkvp_unit_file_t:file read_file_perms;
++    allow $1 hypervkvp_unit_file_t:service manage_service_perms;
++
++    ps_process_pattern($1, hypervkvp_t)
++    ')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
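Review bot: The summary on `hypervkvp_systemctl` says `Execute hypervkvp server in the hypervkvp domain.` but the body grants `systemd_exec_systemctl`, read/manage on `hypervkvp_unit_file_t` and `ps_process_pattern`, i.e. service control rather than a domain transition; it should read `##  Start, stop and query the hypervkvp service via systemctl.` and the parameter summary `Domain allowed to transition.` should be `Domain allowed access.` The closing `')` is indented by four spaces whereas every other interface in the file closes at column 0, and the body uses four-space indentation where the file uses tabs.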
@@ -30442,10 +32864,10 @@ index 0000000..17c3627
 +')
 diff --git a/hypervkvp.te b/hypervkvp.te
 new file mode 100644
-index 0000000..d2ad022
+index 0000000..97144bc
 --- /dev/null
 +++ b/hypervkvp.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,79 @@
 +policy_module(hypervkvp, 1.0.0)
 +
 +########################################
@@ -30486,6 +32908,11 @@ index 0000000..d2ad022
 +allow hyperv_domain self:fifo_file rw_fifo_file_perms;
 +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
 +
++corecmd_exec_shell(hyperv_domain)
++corecmd_exec_bin(hyperv_domain)
++
++dev_read_sysfs(hyperv_domain)
++
 +########################################
 +#
 +# hypervkvp local policy
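Review bot: `corecmd_exec_shell(hyperv_domain)` and `corecmd_exec_bin(hyperv_domain)` are placed in the attribute-wide section, so they apply to `hypervvssd_t` as well as `hypervkvp_t`; only the kvp daemon gains an `ifconfig` exec in the following hunk, which suggests the shell/bin need is kvp-specific (inferred, not shown). If vssd does not spawn programs, moving the two lines into the `hypervkvp local policy` section keeps the snapshot daemon narrower; `dev_read_sysfs(hyperv_domain)` is plausibly shared.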
@@ -30495,15 +32922,30 @@ index 0000000..d2ad022
 +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
 +
++kernel_read_system_state(hypervkvp_t)
++kernel_read_network_state(hypervkvp_t)
++
++files_dontaudit_search_home(hypervkvp_t)
++
++auth_read_passwd(hypervkvp_t)
++
 +logging_send_syslog_msg(hypervkvp_t)
 +
 +sysnet_dns_name_resolve(hypervkvp_t)
 +
++userdom_dontaudit_search_admin_dir(hypervkvp_t)
++
++optional_policy(`
++    sysnet_exec_ifconfig(hypervkvp_t)
++')
++
 +########################################
 +#
 +# hypervvssd local policy
 +#
 +
++allow hypervvssd_t self:capability sys_admin;
++
 +logging_send_syslog_msg(hypervvssd_t)
 diff --git a/i18n_input.te b/i18n_input.te
 index 3bed8fa..a738d7f 100644
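Review bot: `sysnet_exec_ifconfig(hypervkvp_t)` is wrapped in `optional_policy(` although `sysnet_dns_name_resolve(hypervkvp_t)` a few lines above is called unconditionally from the same sysnet module, so the wrapper is inconsistent and can be dropped; its body is also four-space indented where the file uses tabs. `allow hypervvssd_t self:capability sys_admin;` hands the VSS daemon the broadest capability with no comment — presumably for filesystem freeze/thaw ioctls during snapshots (confirm) — and a line such as `# sys_admin: FIFREEZE/FITHAW on mounted filesystems during snapshots — confirm` would record it.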
@@ -30874,13 +33316,32 @@ index ca07a87..6ea129c 100644
 +
  /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
 diff --git a/iodine.if b/iodine.if
-index a0bfbd0..47f7c75 100644
+index a0bfbd0..a3b02e6 100644
 --- a/iodine.if
 +++ b/iodine.if
-@@ -2,6 +2,30 @@
+@@ -2,6 +2,49 @@
  
  ########################################
  ## <summary>
++##	Execute NetworkManager with a domain transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`iodined_domtrans',`
++	gen_require(`
++		type iodined_t, iodined_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, iodined_exec_t, iodined_t)
++')
++
++########################################
++## <summary>
 +##  Execute iodined server in the iodined domain.
 +## </summary>
 +## <param name="domain">
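Review bot: The summary of the new `iodined_domtrans` interface reads `Execute NetworkManager with a domain transition.`, which is copied from another module; it should read `##	Execute iodined with a domain transition.` so the generated interface documentation names the right daemon. The interface body (corecmd_search_bin plus domtrans_pattern on iodined_exec_t/iodined_t) matches the usual domtrans shape.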
@@ -30909,9 +33370,15 @@ index a0bfbd0..47f7c75 100644
  ##	administrate an iodined environment
  ## </summary>
 diff --git a/iodine.te b/iodine.te
-index 94ec5f8..8556c27 100644
+index 94ec5f8..6cbbf7d 100644
 --- a/iodine.te
 +++ b/iodine.te
+@@ -1,4 +1,4 @@
+-policy_module(iodine, 1.0.2)
++policy_module(iodine, 1.1.0)
+ 
+ ########################################
+ #
 @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
  type iodined_initrc_exec_t;
  init_script_file(iodined_initrc_exec_t)
@@ -30922,23 +33389,167 @@ index 94ec5f8..8556c27 100644
  ########################################
  #
  # Local policy
-@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t)
+@@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t)
  
  corecmd_exec_shell(iodined_t)
  
 -files_read_etc_files(iodined_t)
++auth_use_nsswitch(iodined_t)
  
  logging_send_syslog_msg(iodined_t)
  
+diff --git a/ipa.fc b/ipa.fc
+new file mode 100644
+index 0000000..48d7322
+--- /dev/null
++++ b/ipa.fc
+@@ -0,0 +1,6 @@
++/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
++
++/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
++
++/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
++
+diff --git a/ipa.if b/ipa.if
+new file mode 100644
+index 0000000..a2af18e
+--- /dev/null
++++ b/ipa.if
+@@ -0,0 +1,76 @@
++## <summary>Policy for IPA services.</summary>
++
++########################################
++## <summary>
++##	Execute rtas_errd in the rtas_errd domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ipa_domtrans_otpd',`
++	gen_require(`
++		type ipa_otpd_t, ipa_otpd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
++')
++
++########################################
++## <summary>
++##	Connect to ipa-otpd over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipa_stream_connect_otpd',`
++	gen_require(`
++		type ipa_otpd_t;
++	')
++    allow $1 ipa_otpd_t:unix_stream_socket connectto;
++')
++
++########################################
++## <summary>
++##	Allow domain to manage ipa lib files/dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipa_manage_lib',`
++	gen_require(`
++		type ipa_var_lib_t;
++	')
++
++    manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++    manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage ipa lib files/dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipa_read_lib',`
++	gen_require(`
++		type ipa_var_lib_t;
++	')
++
++    read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++    list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
+diff --git a/ipa.te b/ipa.te
+new file mode 100644
+index 0000000..b60bc5f
+--- /dev/null
++++ b/ipa.te
+@@ -0,0 +1,43 @@
++policy_module(ipa, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute ipa_domain;
++
++type ipa_otpd_t, ipa_domain;
++type ipa_otpd_exec_t;
++init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
++
++type ipa_otpd_unit_file_t;
++systemd_unit_file(ipa_otpd_unit_file_t)
++
++type ipa_var_lib_t;
++files_type(ipa_var_lib_t)
++
++########################################
++#
++# ipa_otpd local policy
++#
++
++allow ipa_otpd_t self:capability2 block_suspend;
++
++allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
++allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
++
++corenet_tcp_connect_radius_port(ipa_otpd_t)
++
++dev_read_urand(ipa_otpd_t)
++dev_read_rand(ipa_otpd_t)
++
++sysnet_dns_name_resolve(ipa_otpd_t)
++
++optional_policy(`
++    dirsrv_stream_connect(ipa_otpd_t)
++')
++
++optional_policy(`
++	kerberos_use(ipa_otpd_t)
++')
 diff --git a/irc.fc b/irc.fc
-index 48e7739..c3285c2 100644
+index 48e7739..1bf0326 100644
 --- a/irc.fc
 +++ b/irc.fc
 @@ -1,6 +1,6 @@
  HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:irc_home_t,s0)
  HOME_DIR/\.irssi(/.*)?	gen_context(system_u:object_r:irc_home_t,s0)
 -HOME_DIR/irclogs(/.*)?	gen_context(system_u:object_r:irc_log_home_t,s0)
-+HOME_DIR/irclog(/.*)?	gen_context(system_u:object_r:issi_home_t,s0)
++HOME_DIR/irclog(/.*)?	gen_context(system_u:object_r:irc_home_t,s0)
  
  /etc/irssi\.conf	--	gen_context(system_u:object_r:irc_conf_t,s0)
  
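Review bot: Two interface summaries in the new ipa.if are copy-paste leftovers: `ipa_domtrans_otpd` is described as `Execute rtas_errd in the rtas_errd domin.` and should read `##	Execute ipa-otpd in the ipa_otpd domain.`, and `ipa_read_lib` repeats the `ipa_manage_lib` text `Allow domain to manage ipa lib files/dirs.` where `##	Allow domain to read ipa lib files/dirs.` is meant. In ipa.te the `ipa_domain` attribute and `ipa_otpd_unit_file_t` are declared but no rule in the hunk uses the attribute and no interface like the `hypervkvp_systemctl` one earlier in this patch exposes the unit file, so either a comment marking them as placeholders or the missing systemctl interface would make the intent clear. `ipa_stream_connect_otpd` also lacks the blank line after `gen_require` and mixes tabs with spaces, unlike the other interfaces in the file.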
@@ -31006,7 +33617,7 @@ index ac00fb0..36ef2e5 100644
 +		userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
  ')
 diff --git a/irc.te b/irc.te
-index ecad9c7..e413e5a 100644
+index ecad9c7..abf0b2d 100644
 --- a/irc.te
 +++ b/irc.te
 @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
@@ -31064,23 +33675,27 @@ index ecad9c7..e413e5a 100644
  
  manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
  manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
-@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
  
  kernel_read_system_state(irc_t)
  
 -corenet_all_recvfrom_unlabeled(irc_t)
++corecmd_exec_shell(irc_t)
++corecmd_exec_bin(irc_t)
++
  corenet_all_recvfrom_netlabel(irc_t)
  corenet_tcp_sendrecv_generic_if(irc_t)
  corenet_tcp_sendrecv_generic_node(irc_t)
-@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
+@@ -93,8 +111,6 @@ dev_read_rand(irc_t)
  
  domain_use_interactive_fds(irc_t)
  
 -files_read_usr_files(irc_t)
- 
+-
  fs_getattr_all_fs(irc_t)
  fs_search_auto_mountpoints(irc_t)
-@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t)
+ 
+@@ -106,15 +122,18 @@ auth_use_nsswitch(irc_t)
  init_read_utmp(irc_t)
  init_dontaudit_lock_utmp(irc_t)
  
@@ -31101,7 +33716,7 @@ index ecad9c7..e413e5a 100644
  	corenet_sendrecv_all_server_packets(irc_t)
  	corenet_tcp_bind_all_unreserved_ports(irc_t)
  	corenet_sendrecv_all_client_packets(irc_t)
-@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
  	corenet_tcp_sendrecv_all_ports(irc_t)
  ')
  
@@ -31138,7 +33753,7 @@ index ecad9c7..e413e5a 100644
 +
 +kernel_read_system_state(irssi_t)
 +
-+corecmd_search_bin(irssi_t)
++corecmd_exec_shell(irssi_t)
 +corecmd_read_bin_symlinks(irssi_t)
 +
 +corenet_tcp_connect_ircd_port(irssi_t)
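Review bot: `corecmd_exec_shell(irc_t)` and `corecmd_exec_bin(irc_t)` let the IRC client domain run any shell and any bin_t executable, and the irssi_t line is widened from `corecmd_search_bin` to `corecmd_exec_shell`, with no comment on either. A short reason such as `# irc clients run external commands and scripts on behalf of the user` above the irc_t pair would document the widening; if only a specific helper is needed, a dedicated exec type would be the narrower form. Both the irc_t and irssi_t sections continue outside this hunk.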
@@ -31280,10 +33895,38 @@ index 08b7560..417e630 100644
 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 diff --git a/iscsi.if b/iscsi.if
-index 1a35420..4b9b978 100644
+index 1a35420..2ea1241 100644
 --- a/iscsi.if
 +++ b/iscsi.if
-@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',`
+@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete
++##	iscsid lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`iscsi_manage_lock',`
++	gen_require(`
++		type iscsi_lock_t;
++	')
++
++    files_search_locks($1)
++    manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
++    manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
+ ##	iscsid sempaphores.
+ ## </summary>
+ ## <param name="domain">
+@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',`
  
  ########################################
  ## <summary>
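Review bot: The body of the new `iscsi_manage_lock` interface is indented with four spaces while its own `gen_require` block and the rest of iscsi.if use tabs; `files_search_locks($1)` and the two `manage_*_pattern` lines should be tab-indented to match. The interface itself is a standard manage pattern and its summary describes it correctly.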
@@ -31320,7 +33963,7 @@ index 1a35420..4b9b978 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -99,16 +113,15 @@ interface(`iscsi_admin',`
+@@ -99,16 +134,15 @@ interface(`iscsi_admin',`
  	gen_require(`
  		type iscsid_t, iscsi_lock_t, iscsi_log_t;
  		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
@@ -31342,7 +33985,7 @@ index 1a35420..4b9b978 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index 57304e4..46e5e3d 100644
+index 57304e4..56d45ec 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -9,8 +9,8 @@ type iscsid_t;
@@ -31366,7 +34009,20 @@ index 57304e4..46e5e3d 100644
  allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file rw_fifo_file_perms;
  allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -55,20 +54,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
+ 
+-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)
+ 
+ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
  can_exec(iscsid_t, iscsid_exec_t)
  
@@ -31380,7 +34036,7 @@ index 57304e4..46e5e3d 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -32930,7 +35586,7 @@ index 3a00b3a..21efcc4 100644
 +	allow $1 kdump_unit_file_t:service all_service_perms;
  ')
 diff --git a/kdump.te b/kdump.te
-index 70f3007..f8b68bf 100644
+index 70f3007..58bd992 100644
 --- a/kdump.te
 +++ b/kdump.te
 @@ -1,4 +1,4 @@
@@ -32939,7 +35595,7 @@ index 70f3007..f8b68bf 100644
  
  #######################################
  #
-@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t)
+@@ -12,35 +12,56 @@ init_system_domain(kdump_t, kdump_exec_t)
  type kdump_etc_t;
  files_config_file(kdump_etc_t)
  
@@ -32977,13 +35633,14 @@ index 70f3007..f8b68bf 100644
 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
 +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
 +files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
-+
-+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
  
 -allow kdump_t kdump_etc_t:file read_file_perms;
++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
++
 +manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
 +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
-+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file })
++manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })
  
 -files_read_etc_files(kdump_t)
  files_read_etc_runtime_files(kdump_t)
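Review bot: `files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })` passes no filename, so any entry kdump_t creates in the lock directory becomes kdump_lock_t, whereas the kdumpctl_t rule added further down in this patch names its lock file with `"kdump"`. If kdump_t uses the same lock file the two rules should agree, e.g. `files_lock_filetrans(kdump_t, kdump_lock_t, file, "kdump")`; if unnamed dir and symlink transitions really are needed, a comment saying which objects kdump_t creates there would justify the broader rule.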
@@ -33000,7 +35657,7 @@ index 70f3007..f8b68bf 100644
  dev_read_framebuffer(kdump_t)
  dev_read_sysfs(kdump_t)
  
-@@ -48,22 +68,32 @@ term_use_console(kdump_t)
+@@ -48,22 +69,35 @@ term_use_console(kdump_t)
  
  #######################################
  #
@@ -33014,12 +35671,14 @@ index 70f3007..f8b68bf 100644
 +
  allow kdumpctl_t self:capability { dac_override sys_chroot };
  allow kdumpctl_t self:process setfscreate;
--allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
++
+ allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
 -allow kdumpctl_t self:unix_stream_socket { accept listen };
++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
  
 -allow kdumpctl_t kdump_etc_t:file read_file_perms;
-+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
++manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")
  
  manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
 +manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
@@ -33038,7 +35697,7 @@ index 70f3007..f8b68bf 100644
  
  kernel_read_system_state(kdumpctl_t)
  
-@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +105,56 @@ corecmd_exec_bin(kdumpctl_t)
  corecmd_exec_shell(kdumpctl_t)
  
  dev_read_sysfs(kdumpctl_t)
@@ -33135,7 +35794,7 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..8c75bc8 100644
+index e7f5c81..12ff296 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
 @@ -1,83 +1,92 @@
@@ -33251,7 +35910,7 @@ index e7f5c81..8c75bc8 100644
  ')
  
  optional_policy(`
-@@ -87,4 +96,10 @@ optional_policy(`
+@@ -87,4 +96,24 @@ optional_policy(`
  optional_policy(`
  	kdump_manage_config(kdumpgui_t)
  	kdump_initrc_domtrans(kdumpgui_t)
@@ -33261,12 +35920,180 @@ index e7f5c81..8c75bc8 100644
 +
 +optional_policy(`
 +	policykit_dbus_chat(kdumpgui_t)
++')
++
++optional_policy(`
++    ifdef(`hide_broken_symptoms',`
++        # systemd bug
++        init_enable_services(kdumpgui_t)
++        init_disable_services(kdumpgui_t)
++        init_reload_services(kdumpgui_t)
++    ')
++')
++
++
++optional_policy(`
++    unconfined_domain(kdumpgui_t)
  ')
+diff --git a/keepalived.fc b/keepalived.fc
+new file mode 100644
+index 0000000..7e6f8be
+--- /dev/null
++++ b/keepalived.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/keepalived.*		--	gen_context(system_u:object_r:keepalived_unit_file_t,s0)
++
++/usr/sbin/keepalived		--	gen_context(system_u:object_r:keepalived_exec_t,s0)
++
++/var/run/keepalived.*		--	gen_context(system_u:object_r:keepalived_var_run_t,s0)
+diff --git a/keepalived.if b/keepalived.if
+new file mode 100644
+index 0000000..0d61849
+--- /dev/null
++++ b/keepalived.if
+@@ -0,0 +1,84 @@
++
++## <summary> keepalived - load-balancing and high-availability service</summary>
++
++########################################
++## <summary>
++##	Execute keepalived in the keepalived domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`keepalived_domtrans',`
++	gen_require(`
++		type keepalived_t, keepalived_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, keepalived_exec_t, keepalived_t)
++')
++########################################
++## <summary>
++##	Execute keepalived server in the keepalived domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`keepalived_systemctl',`
++	gen_require(`
++		type keepalived_t;
++		type keepalived_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 keepalived_unit_file_t:file read_file_perms;
++	allow $1 keepalived_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, keepalived_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an keepalived environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`keepalived_admin',`
++	gen_require(`
++		type keepalived_t;
++	    type keepalived_unit_file_t;
++	')
++
++	allow $1 keepalived_t:process { signal_perms };
++	ps_process_pattern($1, keepalived_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 keepalived_t:process ptrace;
++    ')
++
++	keepalived_systemctl($1)
++	admin_pattern($1, keepalived_unit_file_t)
++	allow $1 keepalived_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/keepalived.te b/keepalived.te
+new file mode 100644
+index 0000000..535f79b
+--- /dev/null
++++ b/keepalived.te
+@@ -0,0 +1,47 @@
++policy_module(keepalived, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keepalived_t;
++type keepalived_exec_t;
++init_daemon_domain(keepalived_t, keepalived_exec_t)
++
++type keepalived_unit_file_t;
++systemd_unit_file(keepalived_unit_file_t)
++
++type keepalived_var_run_t;
++files_pid_file(keepalived_var_run_t)
++
++########################################
++#
++# keepalived local policy
++#
++allow keepalived_t self:capability { net_admin net_raw };
++allow keepalived_t self:process { signal_perms };
++allow keepalived_t self:netlink_socket create_socket_perms;
++allow keepalived_t self:netlink_route_socket nlmsg_write;
++allow keepalived_t self:packet_socket create_socket_perms;
++allow keepalived_t self:rawip_socket create_socket_perms;
++
++
++manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t)
++files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
++
++kernel_read_system_state(keepalived_t)
++kernel_read_network_state(keepalived_t)
++
++auth_use_nsswitch(keepalived_t)
++
++corenet_tcp_connect_connlcli_port(keepalived_t)
++corenet_tcp_connect_http_port(keepalived_t)
++corenet_tcp_connect_smtp_port(keepalived_t)
++
++dev_read_urand(keepalived_t)
++
++modutils_domtrans_insmod(keepalived_t)
++
++logging_send_syslog_msg(keepalived_t)
++
 diff --git a/kerberos.fc b/kerberos.fc
-index 4fe75fd..8c702c9 100644
+index 4fe75fd..b029c28 100644
 --- a/kerberos.fc
 +++ b/kerberos.fc
-@@ -1,52 +1,44 @@
+@@ -1,52 +1,46 @@
 -HOME_DIR/\.k5login	--	gen_context(system_u:object_r:krb5_home_t,s0)
 -/root/\.k5login	--	gen_context(system_u:object_r:krb5_home_t,s0)
 +HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
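Review bot: `unconfined_domain(kdumpgui_t)` at the end of kdumpgui.te makes the domain effectively unconfined whenever the unconfined module is loaded, which renders the specific rules above it (the kdump, policykit and init service interfaces) moot, and unlike the systemd workaround just above it is not even gated by `hide_broken_symptoms` or explained. A comment such as `# TODO(<bug-id placeholder>): kdumpgui runs unconfined until its remaining denials are fixed; drop this block afterwards` would at least record the intent. In the new keepalived.if, the `keepalived_systemctl` summary `Execute keepalived server in the keepalived domain.` is copied from the domtrans interface and should describe systemctl access, e.g. `##	Allow the caller to run systemctl on the keepalived service and read its unit file.`, and `keepalived_admin` reads `an keepalived environment`. Both interfaces also mix tab and space indentation.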
@@ -33300,25 +36127,33 @@ index 4fe75fd..8c702c9 100644
  
 -/usr/local/kerberos/sbin/krb5kdc	--	gen_context(system_u:object_r:krb5kdc_exec_t,s0)
 -/usr/local/kerberos/sbin/kadmind	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ 
 -/usr/sbin/krb5kdc	--	gen_context(system_u:object_r:krb5kdc_exec_t,s0)
 -/usr/sbin/kadmind	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+ 
 -/usr/local/var/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 -/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
--
++/var/log/krb5kdc\.log.*			gen_context(system_u:object_r:krb5kdc_log_t,s0)
++/var/log/kadmin(d)?\.log.*		gen_context(system_u:object_r:kadmind_log_t,s0)
+ 
 -/usr/var/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
  
 -/var/cache/krb5rcache(/.*)?	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
--
++/var/run/krb5kdc(/.*)?          gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+ 
 -/var/kerberos/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+-/var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 -/var/kerberos/krb5kdc/kadm5\.keytab	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
-+/var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
- /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 -/var/kerberos/krb5kdc/principal.*\.ok	--	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 -
 -/var/log/krb5kdc\.log.*	--	gen_context(system_u:object_r:krb5kdc_log_t,s0)
@@ -33333,13 +36168,6 @@ index 4fe75fd..8c702c9 100644
 -/var/tmp/ldapmap1_0	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 -/var/tmp/ldap_487	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 -/var/tmp/ldap_55	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-+
-+/var/log/krb5kdc\.log.*			gen_context(system_u:object_r:krb5kdc_log_t,s0)
-+/var/log/kadmin(d)?\.log.*		gen_context(system_u:object_r:kadmind_log_t,s0)
-+
-+/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+
 +/var/tmp/DNS_25			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
@@ -33350,7 +36178,7 @@ index 4fe75fd..8c702c9 100644
 +/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
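Review bot: Two relocated entries lost the `--` file-type qualifier that the lines they replace carried: `/var/kerberos/krb5kdc/principal.*\.ok` and `/var/log/krb5kdc\.log.*` were both `--` in the removed lines, while the neighbouring `kadm5\.keytab` entry keeps it. Without `--` the regexes also match directories, symlinks and sockets of those names; if that widening is unintended, restore the qualifier, e.g. `/var/kerberos/krb5kdc/principal.*\.ok	--	gen_context(system_u:object_r:krb5kdc_lock_t,s0)`.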
 diff --git a/kerberos.if b/kerberos.if
-index f9de9fc..11e6268 100644
+index f9de9fc..b573f79 100644
 --- a/kerberos.if
 +++ b/kerberos.if
 @@ -1,27 +1,29 @@
@@ -33623,12 +36451,13 @@ index f9de9fc..11e6268 100644
  ## <summary>
 -##	Create, read, write, and delete
 -##	kerberos key table files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
++##	Create keytab file in /etc
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 -#
 -interface(`kerberos_manage_keytab_files',`
 -	gen_require(`
@@ -33644,13 +36473,12 @@ index f9de9fc..11e6268 100644
 -##	Create specified objects in generic
 -##	etc directories with the kerberos
 -##	keytab file type.
-+##	Create keytab file in /etc
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
 -## <param name="object_class">
 -##	<summary>
 -##	Class of the object being created.
@@ -33676,16 +36504,20 @@ index f9de9fc..11e6268 100644
  ## </summary>
  ## <param name="prefix">
  ##	<summary>
-@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',`
+@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',`
  ## </param>
  #
  template(`kerberos_keytab_template',`
--
++    gen_require(`
++        attribute kerberos_keytab_domain;
++    ')
+ 
 -	########################################
 -	#
 -	# Declarations
 -	#
--
++    typeattribute $2 kerberos_keytab_domain;
+ 
  	type $1_keytab_t;
  	files_type($1_keytab_t)
  
@@ -33703,16 +36535,35 @@ index f9de9fc..11e6268 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
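Review bot: The lines added inside `kerberos_keytab_template` (`gen_require(`, `attribute kerberos_keytab_domain;`, `typeattribute $2 kerberos_keytab_domain;`) are indented with four spaces while the surrounding template body uses tabs; the same applies to the body of the new `kerberos_keytab_domains` interface in the next hunk. Requiring an attribute declared in kerberos.te is the right shape for a template used from other modules. The template body continues past the end of this hunk.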
-@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',`
+@@ -376,7 +277,26 @@ template(`kerberos_keytab_template',`
  
  ########################################
  ## <summary>
 -##	Read kerberos kdc configuration files.
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`kerberos_keytab_domains',`
++    gen_require(`
++        attribute kerberos_keytab_domain;
++    ')
++
++    typeattribute $1 kerberos_keytab_domain;
++')
++
++########################################
++## <summary>
++##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
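Review bot: The new `kerberos_keytab_domains` interface carries the summary `Read the kerberos kdc configuration file (/etc/krb5kdc.conf).` copied from `kerberos_read_kdc_config` below it, plus a `<rolecap/>` tag, neither of which describes what it does (adding the caller to the `kerberos_keytab_domain` attribute). Replace the summary with `##	Make the specified domain a kerberos keytab domain.` and drop `<rolecap/>` unless the interface is meant to be offered to roles.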
-@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -396,8 +316,7 @@ interface(`kerberos_read_kdc_config',`
  
  ########################################
  ## <summary>
@@ -33722,7 +36573,7 @@ index f9de9fc..11e6268 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',`
+@@ -411,34 +330,99 @@ interface(`kerberos_manage_host_rcache',`
  		type krb5_host_rcache_t;
  	')
  
@@ -33830,7 +36681,7 @@ index f9de9fc..11e6268 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -452,12 +436,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
  		type krb5_host_rcache_t;
  	')
  
@@ -33846,7 +36697,7 @@ index f9de9fc..11e6268 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -465,82 +450,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
  ##	</summary>
  ## </param>
  #
@@ -33987,7 +36838,7 @@ index f9de9fc..11e6268 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
  ')
 diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..353c4ce 100644
+index 3465a9a..31ad037 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -1,4 +1,4 @@
@@ -33996,7 +36847,7 @@ index 3465a9a..353c4ce 100644
  
  ########################################
  #
-@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7)
+@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7)
  #
  
  ## <desc>
@@ -34009,10 +36860,12 @@ index 3465a9a..353c4ce 100644
  ## </desc>
 -gen_tunable(allow_kerberos, false)
 +gen_tunable(kerberos_enabled, false)
++
++attribute kerberos_keytab_domain;
  
  type kadmind_t;
  type kadmind_exec_t;
-@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
+@@ -35,23 +37,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
  domain_obj_id_change_exemption(kpropd_t)
  
  type krb5_conf_t;
@@ -34038,13 +36891,13 @@ index 3465a9a..353c4ce 100644
  type krb5kdc_lock_t;
 -files_type(krb5kdc_lock_t)
 +files_lock_file(krb5kdc_lock_t)
- 
 +
+ 
 +# types for KDC principal file(s)
  type krb5kdc_principal_t;
  files_type(krb5kdc_principal_t)
  
-@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t)
+@@ -74,28 +80,31 @@ files_pid_file(krb5kdc_var_run_t)
  # kadmind local policy
  #
  
@@ -34082,7 +36935,7 @@ index 3465a9a..353c4ce 100644
  manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
  manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
  files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
  manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
  files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
  
@@ -34101,7 +36954,7 @@ index 3465a9a..353c4ce 100644
  corenet_all_recvfrom_netlabel(kadmind_t)
  corenet_tcp_sendrecv_generic_if(kadmind_t)
  corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+@@ -119,31 +130,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
  corenet_udp_sendrecv_all_ports(kadmind_t)
  corenet_tcp_bind_generic_node(kadmind_t)
  corenet_udp_bind_generic_node(kadmind_t)
@@ -34148,7 +37001,7 @@ index 3465a9a..353c4ce 100644
  sysnet_use_ldap(kadmind_t)
  
  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,6 +173,10 @@ optional_policy(`
+@@ -154,11 +175,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34159,7 +37012,13 @@ index 3465a9a..353c4ce 100644
  	nis_use_ypbind(kadmind_t)
  ')
  
-@@ -174,24 +197,27 @@ optional_policy(`
+ optional_policy(`
+ 	sssd_read_public_files(kadmind_t)
++    sssd_stream_connect(kadmind_t)
+ ')
+ 
+ optional_policy(`
+@@ -174,24 +200,27 @@ optional_policy(`
  # Krb5kdc local policy
  #
  
@@ -34191,12 +37050,17 @@ index 3465a9a..353c4ce 100644
  logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
  
  allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
- manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
- files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+@@ -201,71 +230,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
  
--can_exec(krb5kdc_t, krb5kdc_exec_t)
+ manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
 -
+-can_exec(krb5kdc_t, krb5kdc_exec_t)
++manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
++manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
++files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
+ 
  kernel_read_system_state(krb5kdc_t)
  kernel_read_kernel_sysctls(krb5kdc_t)
 +kernel_list_proc(krb5kdc_t)
@@ -34257,7 +37121,14 @@ index 3465a9a..353c4ce 100644
  sysnet_use_ldap(krb5kdc_t)
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +286,11 @@ optional_policy(`
+ userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+ 
+ optional_policy(`
++    ipa_stream_connect_otpd(krb5kdc_t)
++')
++
++optional_policy(`
+ 	ldap_stream_connect(krb5kdc_t)
  ')
  
  optional_policy(`
@@ -34271,7 +37142,7 @@ index 3465a9a..353c4ce 100644
  ')
  
  optional_policy(`
-@@ -273,6 +298,10 @@ optional_policy(`
+@@ -273,6 +307,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34282,7 +37153,7 @@ index 3465a9a..353c4ce 100644
  	udev_read_db(krb5kdc_t)
  ')
  
-@@ -281,10 +310,12 @@ optional_policy(`
+@@ -281,10 +319,12 @@ optional_policy(`
  # kpropd local policy
  #
  
@@ -34298,7 +37169,7 @@ index 3465a9a..353c4ce 100644
  
  allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
  
-@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,28 +343,37 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
@@ -34326,6 +37197,23 @@ index 3465a9a..353c4ce 100644
  seutil_read_file_contexts(kpropd_t)
  
  sysnet_dns_name_resolve(kpropd_t)
+ 
+ kerberos_use(kpropd_t)
++
++
++########################################
++#
++# kerberos keytab domain local policy
++#
++
++#until we get sssd fix
++allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms;
++
++userdom_manage_all_users_keys(kerberos_keytab_domain)
++
++optional_policy(`
++    sssd_manage_keys(kerberos_keytab_domain)
++')
 diff --git a/kerneloops.if b/kerneloops.if
 index 714448f..fa0c994 100644
 --- a/kerneloops.if
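Review bot: `allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms;` is attribute-to-attribute, so every keytab domain may manage the kernel keys of every other keytab domain, and `userdom_manage_all_users_keys(kerberos_keytab_domain)` extends that to all users' keyrings; the only explanation is `#until we get sssd fix`. The comment should say what is broken and when the rule can go, e.g. `# TODO(<bug-id placeholder>): workaround until sssd handles keytab keyrings itself; drop the attribute-to-attribute key rule then`. If cross-domain key access is not actually required, `allow kerberos_keytab_domain self:key manage_key_perms;` is the narrower form.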
@@ -35033,7 +37921,7 @@ index 19777b8..55d1556 100644
 +	')
 +')
 diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..a43a4f6 100644
+index 2cf3815..f932c32 100644
 --- a/ktalk.te
 +++ b/ktalk.te
 @@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
@@ -35052,7 +37940,7 @@ index 2cf3815..a43a4f6 100644
  type ktalkd_tmp_t;
  files_tmp_file(ktalkd_tmp_t)
  
-@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t)
  kernel_read_system_state(ktalkd_t)
  kernel_read_network_state(ktalkd_t)
  
@@ -35075,11 +37963,13 @@ index 2cf3815..a43a4f6 100644
  
  auth_use_nsswitch(ktalkd_t)
  
- init_read_utmp(ktalkd_t)
+@@ -47,4 +61,5 @@ init_read_utmp(ktalkd_t)
  
  logging_send_syslog_msg(ktalkd_t)
--
+ 
 -miscfiles_read_localization(ktalkd_t)
++userdom_use_user_ptys(ktalkd_t)
++userdom_use_user_ttys(ktalkd_t)
 diff --git a/kudzu.if b/kudzu.if
 index 5297064..6ba8108 100644
 --- a/kudzu.if
@@ -35148,7 +38038,7 @@ index d5d1572..82267a7 100644
  /var/run/.*l2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
  /var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/l2tp.if b/l2tp.if
-index 73e2803..2fc7570 100644
+index 73e2803..34ca3aa 100644
 --- a/l2tp.if
 +++ b/l2tp.if
 @@ -1,9 +1,45 @@
@@ -35352,7 +38242,7 @@ index 73e2803..2fc7570 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',`
+@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -35360,8 +38250,7 @@ index 73e2803..2fc7570 100644
 +interface(`l2tpd_admin',`
  	gen_require(`
  		type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
--		type l2tp_conf_t, l2tpd_tmp_t;
-+		type l2tp_etc_t, l2tpd_tmp_t;
+ 		type l2tp_conf_t, l2tpd_tmp_t;
  	')
  
 -	allow $1 l2tpd_t:process { ptrace signal_perms };
@@ -35377,13 +38266,6 @@ index 73e2803..2fc7570 100644
  	domain_system_change_exemption($1)
  	role_transition $2 l2tpd_initrc_exec_t system_r;
  	allow $2 system_r;
- 
- 	files_search_etc($1)
--	admin_pattern($1, l2tp_conf_t)
-+	admin_pattern($1, l2tp_etc_t)
- 
- 	files_search_pids($1)
- 	admin_pattern($1, l2tpd_var_run_t)
 diff --git a/l2tp.te b/l2tp.te
 index 19f2b97..bbbda10 100644
 --- a/l2tp.te
@@ -35486,7 +38368,7 @@ index bc25c95..6692d91 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index ee0c7cc..c54e3d2 100644
+index ee0c7cc..4ac8f2d 100644
 --- a/ldap.if
 +++ b/ldap.if
 @@ -1,8 +1,68 @@
@@ -35594,7 +38476,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -41,22 +119,27 @@ interface(`ldap_read_config',`
+@@ -41,22 +119,29 @@ interface(`ldap_read_config',`
  
  ########################################
  ## <summary>
@@ -35616,7 +38498,9 @@ index ee0c7cc..c54e3d2 100644
 +	')
 +
 +	files_search_etc($1)
++    allow $1 slapd_cert_t:dir list_dir_perms;
 +    read_files_pattern($1, slapd_cert_t, slapd_cert_t)
++    read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
  ')
  
  ########################################
@@ -35627,7 +38511,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,18 +147,13 @@ interface(`ldap_use',`
+@@ -64,18 +149,13 @@ interface(`ldap_use',`
  ##	</summary>
  ## </param>
  #
@@ -35649,7 +38533,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',`
+@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -35677,7 +38561,7 @@ index ee0c7cc..c54e3d2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -35686,7 +38570,7 @@ index ee0c7cc..c54e3d2 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -115,28 +191,28 @@ interface(`ldap_admin',`
+@@ -115,28 +193,28 @@ interface(`ldap_admin',`
  	gen_require(`
  		type slapd_t, slapd_tmp_t, slapd_replog_t;
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
@@ -35724,7 +38608,7 @@ index ee0c7cc..c54e3d2 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -144,4 +220,8 @@ interface(`ldap_admin',`
+@@ -144,4 +222,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -35734,7 +38618,7 @@ index ee0c7cc..c54e3d2 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index d7d9b09..562c288 100644
+index d7d9b09..d0fdb7c 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -35747,7 +38631,27 @@ index d7d9b09..562c288 100644
  type slapd_lock_t;
  files_lock_file(slapd_lock_t)
  
-@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -46,7 +49,7 @@ files_pid_file(slapd_var_run_t)
+ 
+ allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+ dontaudit slapd_t self:capability sys_tty_config;
+-allow slapd_t self:process setsched;
++allow slapd_t self:process { setsched signal } ;
+ allow slapd_t self:fifo_file rw_fifo_file_perms;
+ allow slapd_t self:tcp_socket { accept listen };
+ 
+@@ -64,9 +67,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+ 
+ manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+ logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+ 
+ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -88,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
  
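Review bot: Replacing the `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio on `slapd_log_t` with `manage_files_pattern` also lets `slapd_t` overwrite, rename and unlink its own log files, where the old rules allowed only appending, so the append-only property of the daemon's logs is lost. If a specific denial motivated the change, a comment naming it — e.g. `# slapd needs write/unlink on its logs for <reason placeholder>` — or the single missing permission rather than the full manage set would keep the grant reviewable. The `{ setsched signal }` widening on `self:process` in the same hunk looks fine.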
@@ -35755,7 +38659,7 @@ index d7d9b09..562c288 100644
  corenet_all_recvfrom_netlabel(slapd_t)
  corenet_tcp_sendrecv_generic_if(slapd_t)
  corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -110,25 +112,23 @@ fs_getattr_all_fs(slapd_t)
+@@ -110,25 +110,23 @@ fs_getattr_all_fs(slapd_t)
  fs_search_auto_mountpoints(slapd_t)
  
  files_read_etc_runtime_files(slapd_t)
@@ -36176,7 +39080,7 @@ index d18c960..fb5b674 100644
  	domain_system_change_exemption($1)
  	role_transition $2 lldpad_initrc_exec_t system_r;
 diff --git a/lldpad.te b/lldpad.te
-index 648def0..b17392a 100644
+index 648def0..07f58a5 100644
 --- a/lldpad.te
 +++ b/lldpad.te
 @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
@@ -36188,7 +39092,7 @@ index 648def0..b17392a 100644
  allow lldpad_t self:shm create_shm_perms;
  allow lldpad_t self:fifo_file rw_fifo_file_perms;
  allow lldpad_t self:unix_stream_socket { accept listen };
-@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t)
+@@ -51,12 +51,14 @@ kernel_request_load_module(lldpad_t)
  
  dev_read_sysfs(lldpad_t)
  
@@ -36201,6 +39105,11 @@ index 648def0..b17392a 100644
  
  optional_policy(`
  	fcoe_dgram_send_fcoemon(lldpad_t)
+ ')
++
++optional_policy(`
++    networkmanager_dgram_send(lldpad_t)
++')
 diff --git a/loadkeys.te b/loadkeys.te
 index 6cbb977..bd5406a 100644
 --- a/loadkeys.te
@@ -36342,10 +39251,10 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..b88bbf3 100644
+index 7bab8e5..f8c5464 100644
 --- a/logrotate.te
 +++ b/logrotate.te
-@@ -1,20 +1,18 @@
+@@ -1,20 +1,26 @@
 -policy_module(logrotate, 1.14.5)
 +policy_module(logrotate, 1.14.0)
  
@@ -36356,7 +39265,14 @@ index 7bab8e5..b88bbf3 100644
  
 -attribute_role logrotate_roles;
 -roleattribute system_r logrotate_roles;
--
++## <desc>
++## <p>
++## Allow logrotate to manage nfs files
++## </p>
++## </desc>
++gen_tunable(logrotate_use_nfs, false)
++
+ 
  type logrotate_t;
 -type logrotate_exec_t;
  domain_type(logrotate_t)
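Review bot: The new tunable's `<desc>` says `Allow logrotate to manage nfs files`, but the `tunable_policy(`logrotate_use_nfs',` body added in the later logrotate hunk grants only `fs_read_nfs_files` and `fs_read_nfs_symlinks`, so the text administrators see when listing booleans overstates what enabling it does. Either change the description to `## Allow logrotate to read nfs files` or grant what the description promises; the two should agree before the boolean ships. That later block is also indented with two tabs where one is used elsewhere in the module.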
@@ -36370,7 +39286,7 @@ index 7bab8e5..b88bbf3 100644
  
  type logrotate_lock_t;
  files_lock_file(logrotate_lock_t)
-@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +31,27 @@ files_tmp_file(logrotate_tmp_t)
  type logrotate_var_lib_t;
  files_type(logrotate_var_lib_t)
  
@@ -36404,7 +39320,7 @@ index 7bab8e5..b88bbf3 100644
  allow logrotate_t self:shm create_shm_perms;
  allow logrotate_t self:sem create_sem_perms;
  allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive };
+@@ -48,79 +60,99 @@ allow logrotate_t self:msg { send receive };
  allow logrotate_t logrotate_lock_t:file manage_file_perms;
  files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
  
@@ -36510,7 +39426,11 @@ index 7bab8e5..b88bbf3 100644
 +userdom_dontaudit_getattr_user_home_content(logrotate_t)
  
 -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
--
++tunable_policy(`logrotate_use_nfs',`
++		fs_read_nfs_files(logrotate_t)
++		fs_read_nfs_symlinks(logrotate_t)
++')
+ 
 -ifdef(`distro_debian',`
 +ifdef(`distro_debian', `
  	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
@@ -36526,7 +39446,7 @@ index 7bab8e5..b88bbf3 100644
  ')
  
  optional_policy(`
-@@ -135,16 +154,17 @@ optional_policy(`
+@@ -135,16 +167,17 @@ optional_policy(`
  
  optional_policy(`
  	apache_read_config(logrotate_t)
@@ -36546,7 +39466,18 @@ index 7bab8e5..b88bbf3 100644
  ')
  
  optional_policy(`
-@@ -178,7 +198,7 @@ optional_policy(`
+@@ -170,6 +203,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dbus_system_bus_client(logrotate_t)
++')
++
++optional_policy(`
+ 	fail2ban_stream_connect(logrotate_t)
+ ')
+ 
+@@ -178,7 +215,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36555,7 +39486,7 @@ index 7bab8e5..b88bbf3 100644
  ')
  
  optional_policy(`
-@@ -198,21 +218,26 @@ optional_policy(`
+@@ -198,21 +235,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36569,24 +39500,24 @@ index 7bab8e5..b88bbf3 100644
 -	openvswitch_read_pid_files(logrotate_t)
 -	openvswitch_domtrans(logrotate_t)
 +	polipo_named_filetrans_log_files(logrotate_t)
-+')
-+
-+optional_policy(`
-+	psad_domtrans(logrotate_t)
  ')
  
  optional_policy(`
 -	polipo_log_filetrans_log(logrotate_t, file, "polipo")
-+    rabbitmq_domtrans_beam(logrotate_t)
++	psad_domtrans(logrotate_t)
  ')
  
  optional_policy(`
 -	psad_domtrans(logrotate_t)
++    rabbitmq_domtrans_beam(logrotate_t)
++')
++
++optional_policy(`
 +	raid_domtrans_mdadm(logrotate_t)
  ')
  
  optional_policy(`
-@@ -228,10 +253,20 @@ optional_policy(`
+@@ -228,10 +270,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36600,6 +39531,7 @@ index 7bab8e5..b88bbf3 100644
 +
 +optional_policy(`
  	squid_domtrans(logrotate_t)
++    squid_read_config(logrotate_t)
  ')
  
  optional_policy(`
@@ -36607,7 +39539,7 @@ index 7bab8e5..b88bbf3 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +276,11 @@ optional_policy(`
+@@ -241,13 +294,11 @@ optional_policy(`
  
  #######################################
  #
@@ -36627,7 +39559,7 @@ index 7bab8e5..b88bbf3 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..30e3cd2 100644
+index 4256a4c..7569cd9 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
@@ -36687,19 +39619,20 @@ index 4256a4c..30e3cd2 100644
  
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -137,6 +146,11 @@ optional_policy(`
+@@ -137,6 +146,12 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	raid_domtrans_mdadm(logwatch_t)
 +	raid_access_check_mdadm(logwatch_t)
++    raid_read_conf_files(logwatch_t)
 +')
 +
 +optional_policy(`
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -145,6 +159,13 @@ optional_policy(`
+@@ -145,6 +160,13 @@ optional_policy(`
  	samba_read_share_files(logwatch_t)
  ')
  
@@ -36713,7 +39646,7 @@ index 4256a4c..30e3cd2 100644
  ########################################
  #
  # Mail local policy
-@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +186,17 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -36726,6 +39659,11 @@ index 4256a4c..30e3cd2 100644
 +optional_policy(`
 +	courier_stream_connect_authdaemon(logwatch_mail_t)
 +')
++
++optional_policy(`
++	qmail_domtrans_inject(logwatch_mail_t)
++	qmail_domtrans_queue(logwatch_mail_t)
++')
 diff --git a/lpd.fc b/lpd.fc
 index 2fb9b2e..08974e3 100644
 --- a/lpd.fc
@@ -36739,7 +39677,7 @@ index 2fb9b2e..08974e3 100644
  
  /usr/share/printconf/.*	--	gen_context(system_u:object_r:printconf_t,s0)
 diff --git a/lpd.if b/lpd.if
-index 6256371..7826e38 100644
+index 6256371..ce2acb8 100644
 --- a/lpd.if
 +++ b/lpd.if
 @@ -1,44 +1,49 @@
@@ -36864,7 +39802,12 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',`
+@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',`
+ 	manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ 	manage_files_pattern($1, print_spool_t, print_spool_t)
+ 	manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
++    manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
+ ')
  
  ########################################
  ## <summary>
@@ -36873,7 +39816,7 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',`
+@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',`
  
  ########################################
  ## <summary>
@@ -36882,7 +39825,7 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -200,12 +202,11 @@ interface(`lpd_read_config',`
+@@ -200,12 +203,11 @@ interface(`lpd_read_config',`
  ##	</summary>
  ## </param>
  #
@@ -36896,7 +39839,7 @@ index 6256371..7826e38 100644
  	domtrans_pattern($1, lpr_exec_t, lpr_t)
  ')
  
-@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',`
+@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',`
  
  ########################################
  ## <summary>
@@ -36906,7 +39849,7 @@ index 6256371..7826e38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',`
+@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',`
  		type lpr_exec_t;
  	')
  
@@ -37069,12 +40012,14 @@ index b9270f7..15f3748 100644
  ')
 diff --git a/lsm.fc b/lsm.fc
 new file mode 100644
-index 0000000..81cd4e0
+index 0000000..d60293d
 --- /dev/null
 +++ b/lsm.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
 +/usr/bin/lsmd		--	gen_context(system_u:object_r:lsmd_exec_t,s0)
 +
++/usr/bin/.*_lsmplugin    --  gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
++
 +/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
 +
 +/var/run/lsm(/.*)?	    gen_context(system_u:object_r:lsmd_var_run_t,s0)
@@ -37185,16 +40130,23 @@ index 0000000..da30c5d
 +')
 diff --git a/lsm.te b/lsm.te
 new file mode 100644
-index 0000000..6611d9f
+index 0000000..7e8fde0
 --- /dev/null
 +++ b/lsm.te
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,90 @@
 +policy_module(lsm, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
++## <desc>
++##	<p>
++##	Determine whether lsmd_plugin can
++##	connect to all TCP ports.
++##	</p>
++## </desc>
++gen_tunable(lsmd_plugin_connect_any, false)
 +
 +type lsmd_t;
 +type lsmd_exec_t;
@@ -37206,6 +40158,14 @@ index 0000000..6611d9f
 +type lsmd_unit_file_t;
 +systemd_unit_file(lsmd_unit_file_t)
 +
++type lsmd_plugin_t;
++type lsmd_plugin_exec_t;
++application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
++role system_r types lsmd_plugin_t;
++
++type lsmd_plugin_tmp_t;
++files_tmp_file(lsmd_plugin_tmp_t)
++
 +########################################
 +#
 +# lsmd local policy
@@ -37223,6 +40183,47 @@ index 0000000..6611d9f
 +corecmd_exec_bin(lsmd_t)
 +
 +logging_send_syslog_msg(lsmd_t)
++
++########################################
++#
++# Local lsmd plugin policy
++#
++
++allow lsmd_plugin_t self:udp_socket create_socket_perms;
++allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
++
++domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
++allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
++
++allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
++stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)
++
++manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
++manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
++files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
++
++tunable_policy(`lsmd_plugin_connect_any',`
++	corenet_tcp_connect_all_ports(lsmd_plugin_t)
++	corenet_sendrecv_all_packets(lsmd_plugin_t)
++	corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
++')
++
++kernel_read_system_state(lsmd_plugin_t)
++
++dev_read_urand(lsmd_plugin_t)
++
++corecmd_exec_bin(lsmd_plugin_t)
++
++corenet_tcp_connect_http_port(lsmd_plugin_t)
++corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
++corenet_tcp_connect_ssh_port(lsmd_plugin_t)
++
++init_stream_connect(lsmd_plugin_t)
++init_dontaudit_rw_stream_socket(lsmd_plugin_t)
++
++logging_send_syslog_msg(lsmd_plugin_t)
++
++sysnet_read_config(lsmd_plugin_t)
 diff --git a/mailman.fc b/mailman.fc
 index 7fa381b..bbe6b01 100644
 --- a/mailman.fc
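Review bot: The new `lsmd_plugin_t` domain receives unconditional `corenet_tcp_connect_http_port`, `corenet_tcp_connect_http_cache_port` and `corenet_tcp_connect_ssh_port` with no comment saying which plugins need which port, so a later reviewer of further port additions has nothing to compare against. A one-line comment above those three rules, e.g. `# ports used by the shipped *_lsmplugin helpers — confirm against plugin list`, would document the intent, and the `lsmd_plugin_connect_any` description in the first lsm.te hunk could mention that it also enables `corenet_sendrecv_all_packets`. Keeping the all-ports grant behind a default-false tunable is the right shape.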
@@ -37937,10 +40938,12 @@ index e08c55d..9e634bd 100644
 +
 +')
 diff --git a/mandb.fc b/mandb.fc
-index 2de0f64..3c24286 100644
+index 2de0f64..c127555 100644
 --- a/mandb.fc
 +++ b/mandb.fc
-@@ -1 +1,10 @@
+@@ -1 +1,12 @@
++HOME_DIR/\.manpath	--	gen_context(system_u:object_r:mandb_home_t,s0)
++
  /etc/cron.daily/man-db\.cron	--	gen_context(system_u:object_r:mandb_exec_t,s0)
 +
 +/usr/bin/mandb		--	gen_context(system_u:object_r:mandb_exec_t,s0)
@@ -37950,7 +40953,7 @@ index 2de0f64..3c24286 100644
 +
 +/var/lock/man-db\.lock	--	gen_context(system_u:object_r:mandb_lock_t,s0)
 +
-+HOME_DIR/\.manpath	--	gen_context(system_u:object_r:mandb_home_t,s0)
++/root/.manpath  --  gen_context(system_u:object_r:mandb_home_t,s0)
 diff --git a/mandb.if b/mandb.if
 index 327f3f7..4f61561 100644
 --- a/mandb.if
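Review bot: The new `/root/.manpath` entry leaves the dot unescaped, so as a file_contexts regex it matches any single character in that position, whereas the `HOME_DIR/\.manpath` line moved to the top of the same file escapes it; use `/root/\.manpath	--	gen_context(system_u:object_r:mandb_home_t,s0)`. The double-space separators also differ from the tab-separated entries around it.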
@@ -38190,10 +41193,10 @@ index 327f3f7..4f61561 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index 5a414e0..7fee444 100644
+index 5a414e0..24f45a8 100644
 --- a/mandb.te
 +++ b/mandb.te
-@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles;
  
  type mandb_t;
  type mandb_exec_t;
@@ -38240,6 +41243,7 @@ index 5a414e0..7fee444 100644
  
 -files_read_etc_files(mandb_t)
 +files_search_locks(mandb_t)
++files_dontaudit_search_all_mountpoints(mandb_t)
  
  miscfiles_manage_man_cache(mandb_t)
 +miscfiles_setattr_man_pages(mandb_t)
@@ -38249,7 +41253,7 @@ index 5a414e0..7fee444 100644
  ')
 +
 diff --git a/mcelog.if b/mcelog.if
-index 9dbe694..ea89ab1 100644
+index 9dbe694..c73214d 100644
 --- a/mcelog.if
 +++ b/mcelog.if
 @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
@@ -38268,11 +41272,11 @@ index 9dbe694..ea89ab1 100644
 +#
 +interface(`mcelog_read_log',`
 +	gen_require(`
-+		type mcelog_var_log_t;
++		type mcelog_log_t;
 +	')
 +
 +	logging_search_logs($1)
-+	read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
++	read_files_pattern($1, mcelog_log_t, mcelog_log_t)
 +')
 +
  ########################################
@@ -38287,7 +41291,7 @@ index 9dbe694..ea89ab1 100644
  	admin_pattern($1, mcelog_var_run_t)
  ')
 diff --git a/mcelog.te b/mcelog.te
-index 13ea191..c146d9c 100644
+index 13ea191..2b4e761 100644
 --- a/mcelog.te
 +++ b/mcelog.te
 @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
@@ -38304,7 +41308,7 @@ index 13ea191..c146d9c 100644
  type mcelog_t;
  type mcelog_exec_t;
  init_daemon_domain(mcelog_t, mcelog_exec_t)
-@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
+@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
  
  kernel_read_system_state(mcelog_t)
  
@@ -38314,9 +41318,10 @@ index 13ea191..c146d9c 100644
  dev_read_raw_memory(mcelog_t)
  dev_read_kmsg(mcelog_t)
  dev_rw_sysfs(mcelog_t)
- 
--files_read_etc_files(mcelog_t)
 -
+-files_read_etc_files(mcelog_t)
++dev_rw_cpu_microcode(mcelog_t)
+ 
  mls_file_read_all_levels(mcelog_t)
  
 +auth_use_nsswitch(mcelog_t)
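Review bot: `dev_rw_cpu_microcode(mcelog_t)` gives a log-collecting daemon write access to the CPU device type; if that type also labels the per-CPU MSR nodes, as it does in refpolicy, this is wider than reading machine-check state requires. A comment naming the operation that needs the write, e.g. `# mcelog writes to /dev/cpu/*/<node placeholder> for <reason placeholder>`, or a read-only interface if one suffices, would make the grant reviewable. The switch from `files_read_etc_files` to `auth_use_nsswitch` in the same hunk looks fine.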
@@ -38328,7 +41333,7 @@ index 13ea191..c146d9c 100644
  
  tunable_policy(`mcelog_client',`
  	allow mcelog_t self:unix_stream_socket connectto;
-@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',`
+@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',`
  	allow mcelog_t self:unix_stream_socket { listen accept };
  ')
  
@@ -38464,10 +41469,10 @@ index 0000000..3f433f1
 +')
 diff --git a/mcollective.te b/mcollective.te
 new file mode 100644
-index 0000000..a04dd6b
+index 0000000..8bc27f4
 --- /dev/null
 +++ b/mcollective.te
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,27 @@
 +policy_module(mcollective, 1.0.0)
 +
 +########################################
@@ -38480,8 +41485,6 @@ index 0000000..a04dd6b
 +init_daemon_domain(mcollective_t, mcollective_exec_t)
 +cron_system_entry(mcollective_t, mcollective_exec_t)
 +
-+permissive mcollective_t;
-+
 +type mcollective_etc_rw_t;
 +files_type(mcollective_etc_rw_t)
 +
@@ -38913,10 +41916,10 @@ index cba62db..562833a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 92508b2..db83591 100644
+index 92508b2..9c51c34 100644
 --- a/milter.te
 +++ b/milter.te
-@@ -1,77 +1,110 @@
+@@ -1,77 +1,121 @@
 -policy_module(milter, 1.4.2)
 +policy_module(milter, 1.4.0)
  
@@ -38936,6 +41939,9 @@ index 92508b2..db83591 100644
 +type dkim_milter_private_key_t;
 +files_type(dkim_milter_private_key_t)
 +
++type dkim_milter_tmp_t;
++files_tmp_file(dkim_milter_tmp_t)
++
 +# currently-supported milters are milter-greylist, milter-regex and spamass-milter
  milter_template(greylist)
  milter_template(regex)
@@ -38960,6 +41966,8 @@ index 92508b2..db83591 100644
  allow milter_domains self:fifo_file rw_fifo_file_perms;
 -allow milter_domains self:tcp_socket { accept listen };
 +
++allow milter_domains self:process signull;
++
 +# Allow communication with MTA over a TCP socket
 +allow milter_domains self:tcp_socket create_stream_socket_perms;
  
@@ -38995,8 +42003,14 @@ index 92508b2..db83591 100644
 -logging_send_syslog_msg(milter_domains)
 +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 +
++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
++
 +kernel_read_kernel_sysctls(dkim_milter_t)
 +
++corenet_udp_bind_all_ports(dkim_milter_t)
++
 +auth_use_nsswitch(dkim_milter_t)
 +
 +sysnet_dns_name_resolve(dkim_milter_t)
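Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` lets the DKIM milter bind any UDP port, reserved ones included, and nothing in the hunk says why an outbound verifier needs that. If the need is ephemeral source ports for DNS lookups beyond what `sysnet_dns_name_resolve` already provides, `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` or `corenet_udp_bind_generic_port(dkim_milter_t)` is the narrower grant. A comment quoting the denial that motivated it would help whichever interface is kept.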
@@ -39055,7 +42069,7 @@ index 92508b2..db83591 100644
  
  optional_policy(`
  	mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +112,45 @@ optional_policy(`
+@@ -79,30 +123,45 @@ optional_policy(`
  
  ########################################
  #
@@ -39105,6 +42119,444 @@ index 92508b2..db83591 100644
  optional_policy(`
  	spamassassin_domtrans_client(spamass_milter_t)
  ')
+diff --git a/mip6d.fc b/mip6d.fc
+new file mode 100644
+index 0000000..767bbad
+--- /dev/null
++++ b/mip6d.fc
+@@ -0,0 +1,3 @@
++/usr/lib/systemd/system/mip6d.*     --  gen_context(system_u:object_r:mip6d_unit_file_t,s0)
++
++/usr/sbin/mip6d		--	gen_context(system_u:object_r:mip6d_exec_t,s0)
+diff --git a/mip6d.if b/mip6d.if
+new file mode 100644
+index 0000000..8169129
+--- /dev/null
++++ b/mip6d.if
+@@ -0,0 +1,79 @@
++
++## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the mip6d domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mip6d_domtrans',`
++	gen_require(`
++		type mip6d_t, mip6d_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, mip6d_exec_t, mip6d_t)
++')
++########################################
++## <summary>
++##	Execute mip6d server in the mip6d domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`mip6d_systemctl',`
++	gen_require(`
++		type mip6d_t;
++		type mip6d_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 mip6d_unit_file_t:file read_file_perms;
++	allow $1 mip6d_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, mip6d_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an mip6d environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mip6d_admin',`
++	gen_require(`
++		type mip6d_t;
++	    type mip6d_unit_file_t;
++	')
++
++	allow $1 mip6d_t:process { signal_perms };
++	ps_process_pattern($1, mip6d_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 mip6d_t:process ptrace;
++    ')
++
++	mip6d_systemctl($1)
++	admin_pattern($1, mip6d_unit_file_t)
++	allow $1 mip6d_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/mip6d.te b/mip6d.te
+new file mode 100644
+index 0000000..1d34063
+--- /dev/null
++++ b/mip6d.te
+@@ -0,0 +1,33 @@
++policy_module(mip6d, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mip6d_t;
++type mip6d_exec_t;
++init_daemon_domain(mip6d_t, mip6d_exec_t)
++
++type mip6d_unit_file_t;
++systemd_unit_file(mip6d_unit_file_t)
++
++########################################
++#
++# mip6d local policy
++#
++allow mip6d_t self:capability { net_admin net_raw };
++allow mip6d_t self:process { fork signal };
++allow mip6d_t self:netlink_route_socket create_netlink_socket_perms;
++allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms;
++allow mip6d_t self:rawip_socket create_socket_perms;
++allow mip6d_t self:udp_socket create_socket_perms;
++allow mip6d_t self:fifo_file rw_fifo_file_perms;
++allow mip6d_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_rw_net_sysctls(mip6d_t)
++kernel_read_network_state(mip6d_t)
++kernel_request_load_module(mip6d_t)
++
++logging_send_syslog_msg(mip6d_t)
++
+diff --git a/mirrormanager.fc b/mirrormanager.fc
+new file mode 100644
+index 0000000..c713b27
+--- /dev/null
++++ b/mirrormanager.fc
+@@ -0,0 +1,7 @@
++/usr/share/mirrormanager/server/mirrormanager		--	gen_context(system_u:object_r:mirrormanager_exec_t,s0)
++
++/var/lib/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
++
++/var/log/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_log_t,s0)
++
++/var/run/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
+diff --git a/mirrormanager.if b/mirrormanager.if
+new file mode 100644
+index 0000000..fbb831d
+--- /dev/null
++++ b/mirrormanager.if
+@@ -0,0 +1,237 @@
++
++## <summary>policy for mirrormanager</summary>
++
++########################################
++## <summary>
++##	Execute mirrormanager in the mirrormanager domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mirrormanager_domtrans',`
++	gen_require(`
++		type mirrormanager_t, mirrormanager_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
++')
++
++########################################
++## <summary>
++##	Read mirrormanager's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mirrormanager_read_log',`
++	gen_require(`
++		type mirrormanager_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++##	Append to mirrormanager log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_append_log',`
++	gen_require(`
++		type mirrormanager_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++##	Manage mirrormanager log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_manage_log',`
++	gen_require(`
++		type mirrormanager_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++	manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++	manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
++')
++
++########################################
++## <summary>
++##	Search mirrormanager lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_search_lib',`
++	gen_require(`
++		type mirrormanager_var_lib_t;
++	')
++
++	allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read mirrormanager lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_read_lib_files',`
++	gen_require(`
++		type mirrormanager_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++    list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++	read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage mirrormanager lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_manage_lib_files',`
++	gen_require(`
++		type mirrormanager_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage mirrormanager lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_manage_lib_dirs',`
++	gen_require(`
++		type mirrormanager_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read mirrormanager PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_read_pid_files',`
++	gen_require(`
++		type mirrormanager_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
++')
++
++########################################
++## <summary>
++##	Manage mirrormanager PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_manage_pid_files',`
++	gen_require(`
++		type mirrormanager_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an mirrormanager environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mirrormanager_admin',`
++	gen_require(`
++		type mirrormanager_t;
++		type mirrormanager_log_t;
++		type mirrormanager_var_lib_t;
++		type mirrormanager_var_run_t;
++	')
++
++	allow $1 mirrormanager_t:process { signal_perms };
++	ps_process_pattern($1, mirrormanager_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 mirrormanager_t:process ptrace;
++    ')
++
++	logging_search_logs($1)
++	admin_pattern($1, mirrormanager_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, mirrormanager_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, mirrormanager_var_run_t)
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/mirrormanager.te b/mirrormanager.te
+new file mode 100644
+index 0000000..841b732
+--- /dev/null
++++ b/mirrormanager.te
+@@ -0,0 +1,43 @@
++policy_module(mirrormanager, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mirrormanager_t;
++type mirrormanager_exec_t;
++cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
++
++type mirrormanager_log_t;
++logging_log_file(mirrormanager_log_t)
++
++type mirrormanager_var_lib_t;
++files_type(mirrormanager_var_lib_t)
++
++type mirrormanager_var_run_t;
++files_pid_file(mirrormanager_var_run_t)
++
++########################################
++#
++# mirrormanager local policy
++#
++
++allow mirrormanager_t self:fifo_file rw_fifo_file_perms;
++allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir })
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir })
++
++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
++
 diff --git a/mock.fc b/mock.fc
 new file mode 100644
 index 0000000..8d0e473
@@ -39434,10 +42886,10 @@ index 0000000..6568bfe
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..7245033
+index 0000000..fc64201
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,276 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -39485,6 +42937,7 @@ index 0000000..7245033
 +#
 +
 +allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:capability2 block_suspend;
 +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
 +# Needed because mock can run java and mono withing build environment
 +allow mock_t self:process { execmem execstack };
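Review bot: The new `allow mock_t self:capability2 block_suspend;` widens mock_t's capability set without a comment saying which tool in the build chroot needs to hold a wake lock. Elsewhere in this same patch the equivalent request for mozilla_plugin_t is handled with `dontaudit mozilla_plugin_t self:capability2 block_suspend;`, which silences the denial without granting the capability; if mock merely probes for it, `dontaudit mock_t self:capability2 block_suspend;` would be the narrower choice. Either way a why-comment on the line would help the next reviewer. The enclosing policy block begins outside the hunk.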
@@ -39708,6 +43161,8 @@ index 0000000..7245033
 +
 +libs_exec_ldconfig(mock_build_t)
 +
++userdom_use_inherited_user_ptys(mock_build_t)
++
 +tunable_policy(`mock_enable_homedirs',`
 +	userdom_read_user_home_content_files(mock_build_t)
 +')
@@ -39790,7 +43245,7 @@ index b1ac8b5..9b22bea 100644
 +	')
 +')
 diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..ab6fb25 100644
+index cb4c13d..9342be3 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
 @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -39803,12 +43258,15 @@ index cb4c13d..ab6fb25 100644
  ########################################
  #
  # Local policy
-@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
+@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+ kernel_read_system_state(modemmanager_t)
+ 
  dev_read_sysfs(modemmanager_t)
++dev_read_urand(modemmanager_t)
  dev_rw_modem(modemmanager_t)
  
 -files_read_etc_files(modemmanager_t)
- 
+-
  term_use_generic_ptys(modemmanager_t)
  term_use_unallocated_ttys(modemmanager_t)
 +term_use_usb_ttys(modemmanager_t)
@@ -39974,16 +43432,16 @@ index 0000000..7415106
 +/var/motion(/.*)?       gen_context(system_u:object_r:motion_data_t,s0)
 diff --git a/motion.if b/motion.if
 new file mode 100644
-index 0000000..1b1b04c
+index 0000000..39f4a04
 --- /dev/null
 +++ b/motion.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,197 @@
 +
 +## <summary>Detect motion using a video4linux device</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the motion domain.
++##	Execute motion in the motion domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -40114,7 +43572,7 @@ index 0000000..1b1b04c
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 motion_unit_file_t:file read_file_perms;
 +	allow $1 motion_unit_file_t:service manage_service_perms;
 +
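Review bot: The corrected call `systemd_read_fifo_file_passwd_run($1)` is indented with four spaces while the surrounding interface body uses tabs; `+	systemd_read_fifo_file_passwd_run($1)` would match the neighbouring lines. The same tab/space mixing appears in the motion admin-interface hunk that follows (`type motion_unit_file_t;` and the `deny_ptrace` block), in the new `mozilla_plugin_rw_sem` interface in mozilla.if, in the `abrt_stream_connect` optional block in mozilla.te, in the `mpd_execmem` tunable block in mpd.te, and on `read_files_pattern` in the new `mrtg_read_lib_files` interface. The enclosing interface begins outside the hunk.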
@@ -40154,12 +43612,16 @@ index 0000000..1b1b04c
 +	gen_require(`
 +		type motion_t;
 +		type motion_log_t;
-+	type motion_unit_file_t;
++	    type motion_unit_file_t;
 +	')
 +
-+	allow $1 motion_t:process { ptrace signal_perms };
++	allow $1 motion_t:process { signal_perms };
 +	ps_process_pattern($1, motion_t)
 +
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 motion_t:process ptrace;
++    ')
++
 +	logging_search_logs($1)
 +	admin_pattern($1, motion_log_t)
 +
@@ -40242,10 +43704,10 @@ index 0000000..b694afc
 +')
 +
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..a4d75bf 100644
+index 6ffaba2..ab66d2f 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,69 @@
+@@ -1,38 +1,70 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -40269,6 +43731,7 @@ index 6ffaba2..a4d75bf 100644
 +HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.cache/mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache/icedtea-web(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.thunderbird(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/POkemon.*(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -40287,8 +43750,6 @@ index 6ffaba2..a4d75bf 100644
 +HOME_DIR/\.lyx(/.*)?                   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2012(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2013(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.IBMERS(/.*)?          	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/zimbrauserdata(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -40305,7 +43766,7 @@ index 6ffaba2..a4d75bf 100644
 -/usr/bin/netscape	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/bin/nspluginscan	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 -/usr/bin/nspluginviewer	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
- 
+-
 -/usr/lib/[^/]*firefox[^/]*/firefox	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/lib/[^/]*firefox[^/]*/firefox-bin	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/lib/firefox[^/]*/mozilla-.*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -40316,6 +43777,7 @@ index 6ffaba2..a4d75bf 100644
 -/usr/lib/mozilla/plugins-wrapped(/.*)?	gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
 -/usr/lib/netscape/base-4/wrapper	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/lib/netscape/.+/communicator/communicator-smotif\.real	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
++
 +ifdef(`distro_redhat',`
 +/usr/bin/nspluginscan		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +/usr/bin/nspluginviewer		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
@@ -40343,13 +43805,15 @@ index 6ffaba2..a4d75bf 100644
 +
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +
++/usr/lib/firefox/plugin-container               --      gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++
 +/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
 +
 +ifdef(`distro_redhat',`
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..ada96f0 100644
+index 6194b80..cafb2b0 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
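Review bot: `/usr/lib/firefox/plugin-container` is a literal path, unlike the neighbouring `/usr/lib/xulrunner[^/]*/plugin-container` entry and the older `[^/]*firefox[^/]*` patterns removed earlier in this file; if versioned firefox install directories are still present on some systems, their plugin-container would not be labelled mozilla_plugin_exec_t and would not transition into the mozilla_plugin_t sandbox. If unversioned `/usr/lib/firefox` is now the only shipped layout, a short comment saying so would keep the pattern from being widened again later. The file-context section continues outside the hunk.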
@@ -40481,7 +43945,8 @@ index 6194b80..ada96f0 100644
  
 -	mozilla_run_plugin($2, $1)
 -	mozilla_run_plugin_config($2, $1)
--
++	mozilla_filetrans_home_content($2)
+ 
 -	allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
 -	ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
 -
@@ -40503,8 +43968,7 @@ index 6194b80..ada96f0 100644
 -	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
 -	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
 -	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
-+	mozilla_filetrans_home_content($2)
- 
+-
 -	allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
 -	allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
 -	allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@@ -40635,7 +44099,7 @@ index 6194b80..ada96f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',`
+@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',`
  ## </param>
  #
  interface(`mozilla_execmod_user_home_files',`
@@ -40735,6 +44199,8 @@ index 6194b80..ada96f0 100644
 +	allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
 +	allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
 +	allow mozilla_plugin_t $1:sem create_sem_perms;
++	allow $1 mozilla_plugin_t:sem rw_sem_perms;
++	allow $1 mozilla_plugin_t:shm rw_shm_perms;
 +
 +	ps_process_pattern($1, mozilla_plugin_t)
 +	allow $1 mozilla_plugin_t:process signal_perms;
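Review bot: The two added rules grant the calling domain `$1` read/write access to mozilla_plugin_t's SysV semaphores and shared memory, which makes the IPC between the user domain and the plugin sandbox bidirectional rather than plugin-initiated only; a one-line comment such as `# browser-side access to plugin shm/sem` naming what requires it would help anyone auditing the sandbox boundary. This patch also adds a separate `mozilla_plugin_rw_sem` interface that grants its caller `sem { associate unix_read unix_write }`, so it is worth checking whether both grants are still needed. The enclosing interface begins outside the hunk.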
@@ -40849,7 +44315,7 @@ index 6194b80..ada96f0 100644
  ')
  
  ########################################
-@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -40859,7 +44325,7 @@ index 6194b80..ada96f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',`
  ##	</summary>
  ## </param>
  #
@@ -40962,7 +44428,25 @@ index 6194b80..ada96f0 100644
 +                type mozilla_plugin_t;
 +        ')
 +
-+        allow $1 mozilla_plugin_t:sem { unix_read unix_write };
++        dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
++')
++
++#######################################
++## <summary>
++##      Allow generict ipc read/write to a mozilla_plugin
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`mozilla_plugin_rw_sem',`
++        gen_require(`
++                type mozilla_plugin_t;
++        ')
++
++        allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
  ')
  
  ########################################
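Review bot: The `<param>` summary of the new `mozilla_plugin_rw_sem` interface reads `Domain to not audit.`, copied from the dontaudit interface above it, but this interface allows access, so it should read `##	Domain allowed access.`; the summary also has the typo `generict` for `generic`. Separately, the existing interface whose body is changed at the top of this hunk went from `allow` to `dontaudit` for the same sem permissions, so any caller that relied on it for actual access now silently loses it unless it is switched to the new interface; that interface's name is outside the hunk, so this cannot be confirmed here. A short comment on the dontaudit interface pointing callers to `mozilla_plugin_rw_sem` would make the split explicit.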
@@ -41015,7 +44499,7 @@ index 6194b80..ada96f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -41040,7 +44524,7 @@ index 6194b80..ada96f0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -41109,8 +44593,6 @@ index 6194b80..ada96f0 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
-+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
-+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
@@ -41120,11 +44602,12 @@ index 6194b80..ada96f0 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
 +	optional_policy(`
 +		gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
++		gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
 +	')
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..b236449 100644
+index 6a306ee..e76899c 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -41387,7 +44870,7 @@ index 6a306ee..b236449 100644
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
-@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,57 +196,76 @@ auth_use_nsswitch(mozilla_t)
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
@@ -41440,12 +44923,6 @@ index 6a306ee..b236449 100644
 -	fs_manage_nfs_dirs(mozilla_t)
 -	fs_manage_nfs_files(mozilla_t)
 -	fs_manage_nfs_symlinks(mozilla_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
--	fs_manage_cifs_dirs(mozilla_t)
--	fs_manage_cifs_files(mozilla_t)
--	fs_manage_cifs_symlinks(mozilla_t)
 +userdom_home_manager(mozilla_t)
 +
 +# Uploads, local html
@@ -41497,8 +44974,16 @@ index 6a306ee..b236449 100644
 +	userdom_dontaudit_read_user_home_content_files(mozilla_t)
  ')
  
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mozilla_t)
+-	fs_manage_cifs_files(mozilla_t)
+-	fs_manage_cifs_symlinks(mozilla_t)
+-')
++userdom_manage_home_texlive(mozilla_t)
+ 
  optional_policy(`
-@@ -244,19 +276,12 @@ optional_policy(`
+ 	apache_read_user_scripts(mozilla_t)
+@@ -244,19 +278,12 @@ optional_policy(`
  
  optional_policy(`
  	cups_read_rw_config(mozilla_t)
@@ -41520,7 +45005,7 @@ index 6a306ee..b236449 100644
  
  	optional_policy(`
  		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +290,32 @@ optional_policy(`
+@@ -265,33 +292,32 @@ optional_policy(`
  
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
@@ -41568,7 +45053,7 @@ index 6a306ee..b236449 100644
  ')
  
  optional_policy(`
-@@ -300,259 +324,236 @@ optional_policy(`
+@@ -300,259 +326,250 @@ optional_policy(`
  
  ########################################
  #
@@ -41582,7 +45067,7 @@ index 6a306ee..b236449 100644
 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
++allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:netlink_socket create_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
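Review bot: `getsession` and `setcap` are added to mozilla_plugin_t's self:process permissions without a comment; `setcap` lets the sandboxed plugin domain change its own capability sets, which broadens what a compromised plugin can attempt, so the line deserves a why-comment naming the plugin or helper that needs it. If the permission is only probed and never required, a `dontaudit mozilla_plugin_t self:process setcap;` would be the narrower alternative, matching how this block already handles `capability2 block_suspend`. The enclosing policy block begins outside the hunk.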
@@ -41647,6 +45132,7 @@ index 6a306ee..b236449 100644
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 +userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++userdom_manage_home_texlive(mozilla_plugin_t)
  
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
@@ -41666,6 +45152,8 @@ index 6a306ee..b236449 100644
  kernel_request_load_module(mozilla_plugin_t)
  kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
 +files_dontaudit_read_root_files(mozilla_plugin_t)
++kernel_dontaudit_list_all_proc(mozilla_plugin_t)
++kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
  
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
@@ -41846,8 +45334,11 @@ index 6a306ee..b236449 100644
  userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 +userdom_manage_user_tmp_sockets(mozilla_plugin_t)
 +userdom_manage_user_tmp_dirs(mozilla_plugin_t)
++userdom_manage_tmpfs_files(mozilla_plugin_t)
 +userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
++userdom_rw_inherited_user_tmpfs_files(mozilla_plugin_t)
 +userdom_delete_user_tmp_files(mozilla_plugin_t)
++userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 +userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
 +userdom_manage_home_certs(mozilla_plugin_t)
 +userdom_read_user_tmp_symlinks(mozilla_plugin_t)
@@ -41857,28 +45348,33 @@ index 6a306ee..b236449 100644
 -ifndef(`enable_mls',`
 -	fs_list_dos(mozilla_plugin_t)
 -	fs_read_dos_files(mozilla_plugin_t)
--
--	fs_search_removable(mozilla_plugin_t)
--	fs_read_removable_files(mozilla_plugin_t)
--	fs_read_removable_symlinks(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +userdom_read_home_certs(mozilla_plugin_t)
 +userdom_read_home_audio_files(mozilla_plugin_t)
 +userdom_exec_user_tmp_files(mozilla_plugin_t)
  
+-	fs_search_removable(mozilla_plugin_t)
+-	fs_read_removable_files(mozilla_plugin_t)
+-	fs_read_removable_symlinks(mozilla_plugin_t)
++userdom_home_manager(mozilla_plugin_t)
+ 
 -	fs_read_iso9660_files(mozilla_plugin_t)
--')
--
++tunable_policy(`mozilla_plugin_can_network_connect',`
++	corenet_tcp_connect_all_ports(mozilla_plugin_t)
+ ')
+ 
 -tunable_policy(`allow_execmem',`
 -	allow mozilla_plugin_t self:process execmem;
--')
-+userdom_home_manager(mozilla_plugin_t)
++optional_policy(`
++    abrt_stream_connect(mozilla_plugin_t)
+ ')
  
 -tunable_policy(`mozilla_execstack',`
 -	allow mozilla_plugin_t self:process { execmem execstack };
-+tunable_policy(`mozilla_plugin_can_network_connect',`
-+	corenet_tcp_connect_all_ports(mozilla_plugin_t)
++optional_policy(`
++	alsa_read_rw_config(mozilla_plugin_t)
++	alsa_read_home_files(mozilla_plugin_t)
  ')
  
 -tunable_policy(`use_nfs_home_dirs',`
@@ -41886,8 +45382,7 @@ index 6a306ee..b236449 100644
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
 +optional_policy(`
-+	alsa_read_rw_config(mozilla_plugin_t)
-+	alsa_read_home_files(mozilla_plugin_t)
++	apache_list_modules(mozilla_plugin_t)
  ')
  
 -tunable_policy(`use_samba_home_dirs',`
@@ -41895,7 +45390,7 @@ index 6a306ee..b236449 100644
 -	fs_manage_cifs_files(mozilla_plugin_t)
 -	fs_manage_cifs_symlinks(mozilla_plugin_t)
 +optional_policy(`
-+	apache_list_modules(mozilla_plugin_t)
++	bumblebee_stream_connect(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -41956,16 +45451,20 @@ index 6a306ee..b236449 100644
  ')
  
  optional_policy(`
-@@ -560,7 +561,7 @@ optional_policy(`
+@@ -560,7 +577,11 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
++	policykit_dbus_chat(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	rtkit_scheduled(mozilla_plugin_t)
  ')
  
  optional_policy(`
-@@ -568,108 +569,130 @@ optional_policy(`
+@@ -568,108 +589,131 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42146,6 +45645,7 @@ index 6a306ee..b236449 100644
 -	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
 +tunable_policy(`mozilla_plugin_use_spice',`
 +	dev_rw_generic_usb_dev(mozilla_plugin_t)
++	dev_setattr_generic_usb_dev(mozilla_plugin_t)
 +	corenet_tcp_bind_vnc_port(mozilla_plugin_t)
  ')
  
@@ -42217,10 +45717,24 @@ index 5fa77c7..2e01c7d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..33b18c8 100644
+index 7c8afcc..b8c9bf1 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
+@@ -7,6 +7,13 @@ policy_module(mpd, 1.0.4)
+ 
+ ## <desc>
+ ##	<p>
++##	Allow mpd execmem/execstack.
++##	</p>
++## </desc>
++gen_tunable(mpd_execmem, false)
++
++## <desc>
++##	<p>
+ ##	Determine whether mpd can traverse
+ ##	user home directories.
+ ##	</p>
+@@ -62,18 +69,25 @@ files_type(mpd_var_lib_t)
  type mpd_user_data_t;
  userdom_user_home_content(mpd_user_data_t) # customizable
  
@@ -42247,7 +45761,7 @@ index 7c8afcc..33b18c8 100644
  
  allow mpd_t mpd_data_t:dir manage_dir_perms;
  allow mpd_t mpd_data_t:file manage_file_perms;
-@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+@@ -104,13 +118,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
  manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
  files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
  
@@ -42271,7 +45785,7 @@ index 7c8afcc..33b18c8 100644
  corenet_all_recvfrom_netlabel(mpd_t)
  corenet_tcp_sendrecv_generic_if(mpd_t)
  corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
+@@ -139,9 +162,9 @@ dev_read_sound(mpd_t)
  dev_write_sound(mpd_t)
  dev_read_sysfs(mpd_t)
  
@@ -42282,12 +45796,16 @@ index 7c8afcc..33b18c8 100644
  fs_list_inotifyfs(mpd_t)
  fs_rw_anon_inodefs_files(mpd_t)
  fs_search_auto_mountpoints(mpd_t)
-@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
+@@ -150,15 +173,30 @@ auth_use_nsswitch(mpd_t)
  
  logging_send_syslog_msg(mpd_t)
  
 -miscfiles_read_localization(mpd_t)
 +userdom_home_reader(mpd_t)
++
++tunable_policy(`mpd_execmem',`
++    allow mpd_t self:process { execstack execmem };
++')
  
  tunable_policy(`mpd_enable_homedirs',`
 -	userdom_search_user_home_dirs(mpd_t)
@@ -42311,7 +45829,7 @@ index 7c8afcc..33b18c8 100644
  ')
  
  tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
-@@ -191,7 +218,7 @@ optional_policy(`
+@@ -191,7 +229,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42320,7 +45838,7 @@ index 7c8afcc..33b18c8 100644
  ')
  
  optional_policy(`
-@@ -199,6 +226,16 @@ optional_policy(`
+@@ -199,6 +237,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42461,6 +45979,36 @@ index 9aca704..f92829c 100644
  	allow mplayer_t mplayer_tmpfs_t:file execute;
  ')
  
+diff --git a/mrtg.if b/mrtg.if
+index c595094..2346458 100644
+--- a/mrtg.if
++++ b/mrtg.if
+@@ -2,6 +2,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Read mrtg lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mrtg_read_lib_files',`
++	gen_require(`
++		type mrtg_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++    read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
++')
++
++########################################
++## <summary>
+ ##	Create and append mrtg log files.
+ ## </summary>
+ ## <param name="domain">
 diff --git a/mrtg.te b/mrtg.te
 index c97c177..9411154 100644
 --- a/mrtg.te
@@ -42559,7 +46107,7 @@ index f42896c..cb2791a 100644
 -/var/spool/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac..566684a 100644
+index ed81cac..e968c28 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -42610,7 +46158,7 @@ index ed81cac..566684a 100644
  	#
  
  	type $1_mail_t, user_mail_domain;
-@@ -43,17 +57,16 @@ template(`mta_base_mail_template',`
+@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
  	type $1_mail_tmp_t;
  	files_tmp_file($1_mail_tmp_t)
  
@@ -42625,6 +46173,8 @@ index ed81cac..566684a 100644
  
 +	kernel_read_system_state($1_mail_t)
 +
++	corenet_all_recvfrom_netlabel($1_mail_t)
++
  	auth_use_nsswitch($1_mail_t)
  
 +	logging_send_syslog_msg($1_mail_t)
@@ -42632,7 +46182,7 @@ index ed81cac..566684a 100644
  	optional_policy(`
  		postfix_domtrans_user_mail_handler($1_mail_t)
  	')
-@@ -61,61 +74,41 @@ template(`mta_base_mail_template',`
+@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
  
  ########################################
  ## <summary>
@@ -42704,7 +46254,7 @@ index ed81cac..566684a 100644
  	')
  ')
  
-@@ -163,125 +156,23 @@ interface(`mta_agent_executable',`
+@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
  	application_executable_file($1)
  ')
  
@@ -42837,7 +46387,7 @@ index ed81cac..566684a 100644
  ')
  
  ########################################
-@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',`
+@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
  	')
  
  	init_system_domain($1, sendmail_exec_t)
@@ -42845,7 +46395,7 @@ index ed81cac..566684a 100644
  	typeattribute $1 mailserver_domain;
  ')
  
-@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',`
+@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
  	')
  
  	typeattribute $1 mailserver_delivery;
@@ -42861,7 +46411,7 @@ index ed81cac..566684a 100644
  ')
  
  #######################################
-@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',`
+@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
  	')
  
  	typeattribute $1 mta_user_agent;
@@ -42874,7 +46424,7 @@ index ed81cac..566684a 100644
  ')
  
  ########################################
-@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',`
+@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
  #
  interface(`mta_send_mail',`
  	gen_require(`
@@ -42896,7 +46446,7 @@ index ed81cac..566684a 100644
  ')
  
  ########################################
-@@ -445,18 +355,24 @@ interface(`mta_send_mail',`
+@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -42926,7 +46476,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -42934,7 +46484,7 @@ index ed81cac..566684a 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',`
+@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -42979,7 +46529,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',`
+@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',`
  		type sendmail_exec_t;
  	')
  
@@ -43014,7 +46564,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -528,13 +498,13 @@ interface(`mta_read_config',`
+@@ -528,13 +500,13 @@ interface(`mta_read_config',`
  
  	files_search_etc($1)
  	allow $1 etc_mail_t:dir list_dir_perms;
@@ -43031,7 +46581,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -548,33 +518,31 @@ interface(`mta_write_config',`
+@@ -548,33 +520,31 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -43071,7 +46621,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -582,84 +550,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +552,66 @@ interface(`mta_read_aliases',`
  ##	</summary>
  ## </param>
  #
@@ -43172,7 +46722,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',`
+@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -43190,7 +46740,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
  	dontaudit $1 mailserver_delivery:tcp_socket { read write };
  ')
  
@@ -43216,7 +46766,7 @@ index ed81cac..566684a 100644
  #######################################
  ## <summary>
  ##	Connect to all mail servers over TCP.  (Deprecated)
-@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',`
+@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',`
  
  #######################################
  ## <summary>
@@ -43227,7 +46777,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
  
  ########################################
  ## <summary>
@@ -43236,7 +46786,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',`
+@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',`
  
  ########################################
  ## <summary>
@@ -43247,7 +46797,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  #######################################
  ## <summary>
@@ -43259,7 +46809,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',`
+@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',`
  
  #######################################
  ## <summary>
@@ -43268,7 +46818,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##  <summary>
-@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',`
+@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',`
  ##  </summary>
  ## </param>
  #
@@ -43283,7 +46833,7 @@ index ed81cac..566684a 100644
  
  	files_search_spool($1)
  	read_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',`
+@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',`
  
  ########################################
  ## <summary>
@@ -43292,7 +46842,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -845,13 +812,14 @@ interface(`mta_rw_spool',`
+@@ -845,13 +814,14 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -43310,7 +46860,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -866,13 +834,14 @@ interface(`mta_append_spool',`
+@@ -866,13 +836,14 @@ interface(`mta_append_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -43328,7 +46878,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -891,8 +860,7 @@ interface(`mta_delete_spool',`
+@@ -891,8 +862,7 @@ interface(`mta_delete_spool',`
  
  ########################################
  ## <summary>
@@ -43338,7 +46888,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -911,45 +879,9 @@ interface(`mta_manage_spool',`
+@@ -911,45 +881,9 @@ interface(`mta_manage_spool',`
  	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
@@ -43385,7 +46935,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -968,7 +900,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +902,7 @@ interface(`mta_search_queue',`
  
  #######################################
  ## <summary>
@@ -43394,7 +46944,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -981,13 +913,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +915,13 @@ interface(`mta_list_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -43410,7 +46960,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1000,14 +932,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +934,14 @@ interface(`mta_read_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -43427,7 +46977,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete
@@ -43436,7 +46986,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -43478,7 +47028,7 @@ index ed81cac..566684a 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',`
  ##	</summary>
  ## </param>
  #
@@ -43486,7 +47036,7 @@ index ed81cac..566684a 100644
  interface(`mta_read_sendmail_bin',`
  	gen_require(`
  		type sendmail_exec_t;
-@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',`
  
  #######################################
  ## <summary>
@@ -43497,7 +47047,7 @@ index ed81cac..566684a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -43666,7 +47216,7 @@ index ed81cac..566684a 100644
 +		type etc_mail_t;
 +	')
 +
-+	filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
++	#filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
 +	mta_etc_filetrans_aliases($1, "aliases")
 +	mta_etc_filetrans_aliases($1, "aliases.db")
 +	mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
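Review bot: The old `filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })` is left in as a commented-out line instead of being deleted; commented-out rules in an .if file are easily resurrected by the next search-and-replace, so drop the line and let the named `mta_etc_filetrans_aliases` calls stand on their own. The blanket rule also covered the `dir` class, whereas the visible replacements name only three files; if `mta_etc_filetrans_aliases` (defined outside this hunk) is file-only, directory creation under etc_mail_t is no longer labelled etc_aliases_t, which may be intended but deserves a one-line comment. The enclosing interface starts outside the hunk.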
@@ -43674,7 +47224,7 @@ index ed81cac..566684a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..09ebbbe 100644
+index afd2fad..b995f01 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -43878,14 +47428,14 @@ index afd2fad..09ebbbe 100644
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
+ 
+-userdom_use_user_terminals(system_mail_t)
 +allow system_mail_t mail_home_t:file manage_file_perms;
 +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
 +
 +
 +logging_append_all_logs(system_mail_t)
- 
--userdom_use_user_terminals(system_mail_t)
++
 +logging_send_syslog_msg(system_mail_t)
  
  optional_policy(`
@@ -43942,7 +47492,7 @@ index afd2fad..09ebbbe 100644
  	courier_manage_spool_dirs(system_mail_t)
  	courier_manage_spool_files(system_mail_t)
  	courier_rw_spool_pipes(system_mail_t)
-@@ -245,13 +146,8 @@ optional_policy(`
+@@ -245,14 +146,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43952,12 +47502,16 @@ index afd2fad..09ebbbe 100644
 -
 -optional_policy(`
 -	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
- 	fail2ban_append_log(system_mail_t)
-+	fail2ban_dontaudit_leaks(system_mail_t)
- 	fail2ban_rw_inherited_tmp_files(system_mail_t)
+-	fail2ban_append_log(system_mail_t)
+-	fail2ban_rw_inherited_tmp_files(system_mail_t)
++	fail2ban_append_log(user_mail_domain)
++	fail2ban_dontaudit_leaks(user_mail_domain)
++	fail2ban_rw_inherited_tmp_files(mta_user_agent)
++	fail2ban_rw_inherited_tmp_files(user_mail_domain)
  ')
  
-@@ -264,10 +160,15 @@ optional_policy(`
+ optional_policy(`
+@@ -264,10 +161,15 @@ optional_policy(`
  ')
  
  optional_policy(`
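Review bot: The fail2ban grants move from the single type system_mail_t to the `user_mail_domain` attribute and `mta_user_agent`, so every domain carrying those attributes (presumably still including system_mail_t) gains append on fail2ban logs and read/write on inherited fail2ban tmp files, and `fail2ban_dontaudit_leaks(user_mail_domain)` now suppresses the corresponding denials for all of them rather than for one daemon. If only the system mail agent is ever invoked by fail2ban, the system_mail_t form is the tighter grant; if the widening is deliberate, record why with a comment such as `# fail2ban runs the configured mail agent with its log and tmp fds inherited` above the block. The dontaudit in particular hides leak denials for interactive user mail agents, which is worth stating explicitly.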
@@ -43973,7 +47527,7 @@ index afd2fad..09ebbbe 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -278,6 +179,15 @@ optional_policy(`
+@@ -278,6 +180,19 @@ optional_policy(`
  	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -43982,6 +47536,10 @@ index afd2fad..09ebbbe 100644
 +')
 +
 +optional_policy(`
++	postfix_domtrans_postdrop(system_mail_t)
++')
++
++optional_policy(`
 +	qmail_domtrans_inject(system_mail_t)
 +	qmail_manage_spool_dirs(system_mail_t)
 +	qmail_manage_spool_files(system_mail_t)
@@ -43989,7 +47547,7 @@ index afd2fad..09ebbbe 100644
  ')
  
  optional_policy(`
-@@ -293,42 +203,36 @@ optional_policy(`
+@@ -293,42 +208,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44042,7 +47600,7 @@ index afd2fad..09ebbbe 100644
  
  allow mailserver_delivery mail_spool_t:dir list_dir_perms;
  create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +246,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -44091,7 +47649,18 @@ index afd2fad..09ebbbe 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -387,24 +277,173 @@ optional_policy(`
+@@ -378,6 +273,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    pcp_read_lib_files(mailserver_delivery)
++')
++
++optional_policy(`
+ 	postfix_rw_inherited_master_pipes(mailserver_delivery)
+ ')
+ 
+@@ -387,24 +286,177 @@ optional_policy(`
  
  ########################################
  #
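Review bot: `pcp_read_lib_files(mailserver_delivery)` is indented with four spaces while the surrounding optional_policy bodies (e.g. `postfix_rw_inherited_master_pipes(mailserver_delivery)` directly below) use a tab; the file is tab-indented, so write `	pcp_read_lib_files(mailserver_delivery)`. The same space-indented lines appear in later hunks of this patch: `openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)` in mta.te, `mrtg_read_lib_files(nagios_system_plugin_t)` in nagios.te, and `delete_files_pattern(...)` inside the new `networkmanager_delete_pid_files` in networkmanager.if, where it sits next to a tab-indented `files_search_pids($1)`. The added .fc entries for mariadb, icinga and teamd likewise pad their columns with spaces where the neighbouring lines use tabs.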
@@ -44209,6 +47778,9 @@ index afd2fad..09ebbbe 100644
 +# Check available space.
 +fs_getattr_xattr_fs(user_mail_domain)
 +
++mta_filetrans_admin_home_content(user_mail_domain)
++mta_filetrans_home_content(user_mail_domain)
++
 +init_dontaudit_rw_utmp(user_mail_domain)
 +
 +optional_policy(`
@@ -44240,6 +47812,7 @@ index afd2fad..09ebbbe 100644
 +
 +optional_policy(`
 +	openshift_rw_inherited_content(mta_user_agent)
++    openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)
 +')
 +
 +optional_policy(`
@@ -44564,10 +48137,10 @@ index b744fe3..4c1b6a8 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..3549b8f 100644
+index 97370e4..e53abbb 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -37,15 +37,22 @@ munin_plugin_template(disk)
+@@ -37,44 +37,47 @@ munin_plugin_template(disk)
  munin_plugin_template(mail)
  munin_plugin_template(selinux)
  munin_plugin_template(services)
@@ -44591,7 +48164,14 @@ index 97370e4..3549b8f 100644
  allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
  
  allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+ 
+ read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+ 
++allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;
++
+ allow munin_plugin_domain munin_exec_t:file read_file_perms;
+ 
+ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
  
  manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
  
@@ -44616,7 +48196,7 @@ index 97370e4..3549b8f 100644
  
  optional_policy(`
  	nscd_use(munin_plugin_domain)
-@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -44625,7 +48205,7 @@ index 97370e4..3549b8f 100644
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -44633,7 +48213,7 @@ index 97370e4..3549b8f 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +155,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -44641,7 +48221,7 @@ index 97370e4..3549b8f 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +166,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -44649,7 +48229,7 @@ index 97370e4..3549b8f 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -173,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_user_home_dirs(munin_t)
  
@@ -44663,7 +48243,7 @@ index 97370e4..3549b8f 100644
  
  optional_policy(`
  	cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +204,6 @@ optional_policy(`
+@@ -213,7 +206,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -44671,7 +48251,7 @@ index 97370e4..3549b8f 100644
  ')
  
  optional_policy(`
-@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -242,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -44699,7 +48279,7 @@ index 97370e4..3549b8f 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -268,6 +260,10 @@ optional_policy(`
+@@ -268,6 +262,10 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -44710,7 +48290,7 @@ index 97370e4..3549b8f 100644
  ####################################
  #
  # Mail local policy
-@@ -275,27 +271,36 @@ optional_policy(`
+@@ -275,27 +273,38 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -44719,6 +48299,8 @@ index 97370e4..3549b8f 100644
 +
  rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
++kernel_read_net_sysctls(mail_munin_plugin_t)
++
  dev_read_urand(mail_munin_plugin_t)
  
  logging_read_generic_logs(mail_munin_plugin_t)
@@ -44751,7 +48333,7 @@ index 97370e4..3549b8f 100644
  ')
  
  optional_policy(`
-@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -320,6 +329,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
  
@@ -44761,7 +48343,7 @@ index 97370e4..3549b8f 100644
  corenet_sendrecv_all_client_packets(services_munin_plugin_t)
  corenet_tcp_connect_all_ports(services_munin_plugin_t)
  corenet_tcp_connect_http_port(services_munin_plugin_t)
-@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -331,7 +343,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
@@ -44770,7 +48352,7 @@ index 97370e4..3549b8f 100644
  ')
  
  optional_policy(`
-@@ -353,7 +361,11 @@ optional_policy(`
+@@ -353,7 +365,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44783,7 +48365,7 @@ index 97370e4..3549b8f 100644
  ')
  
  optional_policy(`
-@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +401,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -44791,7 +48373,7 @@ index 97370e4..3549b8f 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +426,31 @@ optional_policy(`
+@@ -413,3 +430,31 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -44824,10 +48406,10 @@ index 97370e4..3549b8f 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index c48dc17..43d56e3 100644
+index c48dc17..297f831 100644
 --- a/mysql.fc
 +++ b/mysql.fc
-@@ -1,11 +1,24 @@
+@@ -1,11 +1,25 @@
 -HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 -
 -/etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -44845,6 +48427,7 @@ index c48dc17..43d56e3 100644
 +/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
 +
 +/usr/lib/systemd/system/mysqld.*	--	gen_context(system_u:object_r:mysqld_unit_file_t,s0)
++/usr/lib/systemd/system/mariadb.*   --  gen_context(system_u:object_r:mysqld_unit_file_t,s0)
 +
 +#
 +# /etc
@@ -44860,7 +48443,7 @@ index c48dc17..43d56e3 100644
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
-@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -13,13 +27,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
  
  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -45417,7 +49000,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..4383f87 100644
+index 9f6179e..699587e 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -45590,7 +49173,7 @@ index 9f6179e..4383f87 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -153,29 +160,24 @@ optional_policy(`
+@@ -153,29 +160,25 @@ optional_policy(`
  
  #######################################
  #
@@ -45600,6 +49183,7 @@ index 9f6179e..4383f87 100644
  
 -allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 +allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
++dontaudit mysqld_safe_t self:capability sys_ptrace;
  allow mysqld_safe_t self:process { setsched getsched setrlimit };
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
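Review bot: `dontaudit mysqld_safe_t self:capability sys_ptrace;` permanently removes the denial from the audit log without recording what triggers it, and none of the capability lines here carry a comment. A one-line note above it such as `# sys_ptrace: <operation in mysqld_safe that trips the check — TODO confirm>` lets a later reviewer decide whether the check is still firing for the same reason or whether a real permission is now needed.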
@@ -45628,7 +49212,7 @@ index 9f6179e..4383f87 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -45641,10 +49225,12 @@ index 9f6179e..4383f87 100644
 -files_read_usr_files(mysqld_safe_t)
 -files_search_pids(mysqld_safe_t)
 -files_dontaudit_getattr_all_dirs(mysqld_safe_t)
++files_dontaudit_access_check_root(mysqld_safe_t)
  files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-+files_dontaudit_write_root_dirs(mysqld_safe_t)
  
++files_write_root_dirs(mysqld_safe_t)
++
 +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  logging_send_syslog_msg(mysqld_safe_t)
  
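Review bot: Replacing `files_dontaudit_write_root_dirs(mysqld_safe_t)` with `files_write_root_dirs(mysqld_safe_t)` turns a silenced denial into an actual write grant on the root directory, so mysqld_safe_t can now create objects directly under `/`. Nothing in the hunk says what it creates there, and without a file transition whatever it creates inherits the root directory's type; either keep the dontaudit if the write was only noise, or pair the grant with a named transition (`files_root_filetrans` in refpolicy) and a comment naming the file. The newly added `files_dontaudit_access_check_root(mysqld_safe_t)` hints that the access may be a probe rather than a real write, which would argue for keeping the dontaudit.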
@@ -45662,7 +49248,7 @@ index 9f6179e..4383f87 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +213,7 @@ optional_policy(`
+@@ -205,7 +216,7 @@ optional_policy(`
  
  ########################################
  #
@@ -45671,7 +49257,7 @@ index 9f6179e..4383f87 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -45689,7 +49275,7 @@ index 9f6179e..4383f87 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -45900,10 +49486,10 @@ index 0000000..171f666
 +')
 diff --git a/mythtv.te b/mythtv.te
 new file mode 100644
-index 0000000..90129ac
+index 0000000..395c2fd
 --- /dev/null
 +++ b/mythtv.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,46 @@
 +policy_module(mythtv, 1.0.0)
 +
 +########################################
@@ -45923,6 +49509,9 @@ index 0000000..90129ac
 +#
 +# httpd_mythtv_script local policy
 +#
++#============= httpd_mythtv_script_t ==============
++allow httpd_mythtv_script_t self:process setpgid;
++dev_list_sysfs(httpd_mythtv_script_t)
 +
 +manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
 +manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
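Review bot: `#============= httpd_mythtv_script_t ==============` is an audit2allow banner pasted into the module, and it duplicates the `# httpd_mythtv_script local policy` header directly above it; drop the banner and keep the two rules. `allow httpd_mythtv_script_t self:process setpgid;` and `dev_list_sysfs(httpd_mythtv_script_t)` are also inserted before the blank line that separates the header block from the first pattern, so move them below it to match the layout of the rest of the module.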
@@ -45938,6 +49527,8 @@ index 0000000..90129ac
 +
 +fs_read_nfs_files(httpd_mythtv_script_t)
 +
++auth_read_passwd(httpd_mythtv_script_t)
++
 +miscfiles_read_localization(httpd_mythtv_script_t)
 +
 +optional_policy(`
@@ -45946,41 +49537,51 @@ index 0000000..90129ac
 +	mysql_tcp_connect(httpd_mythtv_script_t)
 +')
 diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..a00cc2d 100644
+index d78dfc3..1c81436 100644
 --- a/nagios.fc
 +++ b/nagios.fc
-@@ -1,88 +1,97 @@
+@@ -1,88 +1,109 @@
 -/etc/nagios(/.*)?	gen_context(system_u:object_r:nagios_etc_t,s0)
 -/etc/nagios/nrpe\.cfg	--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/nagios(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
++/etc/icinga(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
 +/etc/nagios/nrpe\.cfg				--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/rc\.d/init\.d/nagios			--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/nrpe				--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
  
 -/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/nrpe	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-+/usr/s?bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
-+/usr/s?bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/bin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
 -/usr/bin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/sbin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
 -/usr/sbin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
-+/var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/lib/cgi-bin/nagios(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 -/usr/lib/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/icinga/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
  
 -/usr/lib/nagios/cgi(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 -/usr/lib/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/icinga(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
  
 -/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
++
++/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/spool/icinga(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++
 +ifdef(`distro_debian',`
 +/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
 +')
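Review bot: The unconditional `/usr/sbin/nagios` entry now added makes the pre-existing `ifdef(`distro_debian',` block, which declares the same path with the same context, redundant; delete the ifdef block (or the new line) so the same specification is not installed twice, which setfiles will likely flag as a duplicate. Separately, the icinga entries (`/usr/bin/icinga		        --`, `/usr/sbin/icinga		        --`) pad their columns with a mix of tabs and spaces unlike the neighbouring nagios lines. Sharing nagios_exec_t, nagios_etc_t, nagios_log_t and nagios_spool_t between nagios and icinga is presumably because icinga is a nagios fork; a `# icinga shares the nagios types` comment at the first icinga entry would record that decision for the next reader.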
@@ -46000,9 +49601,9 @@ index d78dfc3..a00cc2d 100644
 -/usr/lib/nagios/plugins/check_mailq		--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
 +# mail plugins
 +/usr/lib/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-+
-+/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
  
++/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
++
 +# system plugins
  /usr/lib/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
  /usr/lib/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
@@ -46093,10 +49694,11 @@ index d78dfc3..a00cc2d 100644
  
 -/var/run/nagios.*	--	gen_context(system_u:object_r:nagios_var_run_t,s0)
 -/var/run/nrpe.*	--	gen_context(system_u:object_r:nrpe_var_run_t,s0)
--
--/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
 +# eventhandlers
 +/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/usr/lib/icinga/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+ 
+-/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
 diff --git a/nagios.if b/nagios.if
 index 0641e97..d7d9a79 100644
 --- a/nagios.if
@@ -46337,7 +49939,7 @@ index 0641e97..d7d9a79 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 44ad3b7..a0488ea 100644
+index 44ad3b7..39bcd98 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -46551,7 +50153,7 @@ index 44ad3b7..a0488ea 100644
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
  corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,14 +435,18 @@ dev_read_sysfs(nagios_system_plugin_t)
  
  domain_read_all_domains_state(nagios_system_plugin_t)
  
@@ -46564,7 +50166,15 @@ index 44ad3b7..a0488ea 100644
  optional_policy(`
  	init_read_utmp(nagios_system_plugin_t)
  ')
-@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+ 
++optional_policy(`
++    mrtg_read_lib_files(nagios_system_plugin_t)
++')
++
+ #######################################
+ #
+ # Event local policy
+@@ -442,11 +461,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
  
  init_domtrans_script(nagios_eventhandler_plugin_t)
  
@@ -46675,10 +50285,10 @@ index 0000000..8d7c751
 +')
 diff --git a/namespace.te b/namespace.te
 new file mode 100644
-index 0000000..c674894
+index 0000000..e289f2d
 --- /dev/null
 +++ b/namespace.te
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,41 @@
 +policy_module(namespace,1.0.0)
 +
 +########################################
@@ -46710,6 +50320,8 @@ index 0000000..c674894
 +
 +files_polyinstantiate_all(namespace_init_t)
 +
++fs_getattr_xattr_fs(namespace_init_t)
++
 +auth_use_nsswitch(namespace_init_t)
 +
 +term_use_console(namespace_init_t)
@@ -46815,10 +50427,10 @@ index 56c0fbd..173a2c0 100644
  
  userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
 diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..2b818b9 100644
+index a1fb3c3..dfb99d2 100644
 --- a/networkmanager.fc
 +++ b/networkmanager.fc
-@@ -1,43 +1,45 @@
+@@ -1,43 +1,47 @@
 -/etc/rc\.d/init\.d/wicd	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
@@ -46847,7 +50459,7 @@ index a1fb3c3..2b818b9 100644
  
 -/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 -/sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  
 -/usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 -/usr/bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -46862,6 +50474,7 @@ index a1fb3c3..2b818b9 100644
  /usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 -/usr/sbin/wicd	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 -/usr/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
++/usr/bin/teamd          --  gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/wicd 			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/wpa_cli		--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
  /usr/sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
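Review bot: `/usr/bin/teamd` is labelled NetworkManager_exec_t, which places the teamd daemon in the NetworkManager_t domain with every privilege that domain holds (net_admin, sys_admin, dac_override, ptrace under the tunable) rather than in a domain of its own. If teamd is only ever spawned by NetworkManager that may be acceptable, but the fc line should say so, e.g. `# teamd is started by NetworkManager and runs in its domain`; otherwise a dedicated teamd domain with a transition from NetworkManager_t is the least-privilege option. The spacing on the line also differs from the tab-separated columns used by its neighbours.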
@@ -46884,11 +50497,12 @@ index a1fb3c3..2b818b9 100644
  /var/run/nm-dns-dnsmasq\.conf	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 -/var/run/wpa_supplicant(/.*)?	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-xl2tpd.conf.*       --  gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/teamd(/.*)?       gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/wicd\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..ee2e3de 100644
+index 0e8508c..9a7332c 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -46968,28 +50582,10 @@ index 0e8508c..ee2e3de 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
+@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',`
+ 	domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+ ')
  
- ########################################
- ## <summary>
--##	Execute networkmanager scripts with
--##	an automatic domain transition to initrc.
-+##	Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
- ##	</summary>
- ## </param>
- #
-+interface(`networkmanager_NetworkManagerrc_domtrans',`
-+	gen_require(`
-+		type NetworkManager_NetworkManagerrc_exec_t;
-+	')
-+
-+	NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
-+')
-+
 +#######################################
 +## <summary>
 +##      Execute NetworkManager scripts with an automatic domain transition to initrc.
@@ -47000,7 +50596,7 @@ index 0e8508c..ee2e3de 100644
 +##      </summary>
 +## </param>
 +#
- interface(`networkmanager_initrc_domtrans',`
++interface(`networkmanager_initrc_domtrans',`
 +        gen_require(`
 +                type NetworkManager_initrc_exec_t;
 +        ')
@@ -47008,16 +50604,19 @@ index 0e8508c..ee2e3de 100644
 +        init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Execute networkmanager scripts with
+-##	an automatic domain transition to initrc.
 +##	Execute NetworkManager server in the NetworkManager domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_initrc_domtrans',`
 +interface(`networkmanager_systemctl',`
  	gen_require(`
 -		type NetworkManager_initrc_exec_t;
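Review bot: The summary that now sits above `interface(`networkmanager_systemctl',`` reads `##	Execute NetworkManager server in the NetworkManager domain.`, which describes a domain transition, not a systemctl interface; the body (a gen_require on NetworkManager_initrc_exec_t, continuing outside the hunk) is about controlling the service. Replace it with `##	Allow the specified domain to control the NetworkManager service with systemctl.` and check that the `<param>` text for this interface, which is outside the hunk, says `Domain allowed access.` rather than `Domain allowed to transition.`.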
@@ -47041,7 +50640,7 @@ index 0e8508c..ee2e3de 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',`
+@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -47072,7 +50671,7 @@ index 0e8508c..ee2e3de 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -153,7 +218,7 @@ interface(`networkmanager_signal',`
+@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
  
  ########################################
  ## <summary>
@@ -47081,7 +50680,7 @@ index 0e8508c..ee2e3de 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
  	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  ')
  
@@ -47111,7 +50710,7 @@ index 0e8508c..ee2e3de 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -47132,11 +50731,11 @@ index 0e8508c..ee2e3de 100644
  ########################################
  ## <summary>
 -##	Read networkmanager pid files.
-+##	Read NetworkManager PID files.
++##	Manage NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',`
+@@ -201,25 +266,44 @@ interface(`networkmanager_append_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -47155,17 +50754,37 @@ index 0e8508c..ee2e3de 100644
  ## <summary>
 -##	All of the rules required to
 -##	administrate an networkmanager environment.
-+##	Execute NetworkManager in the NetworkManager domain, and
-+##	allow the specified role the NetworkManager domain.
++##	Delete NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed to transition.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++#
++interface(`networkmanager_delete_pid_files',`
++	gen_require(`
++		type NetworkManager_var_run_t;
++	')
++
++	files_search_pids($1)
++    delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute NetworkManager in the NetworkManager domain, and
++##	allow the specified role the NetworkManager domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
  ## <param name="role">
-@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',`
+ ##	<summary>
+ ##	Role allowed access.
+@@ -227,33 +311,152 @@ interface(`networkmanager_read_pid_files',`
  ## </param>
  ## <rolecap/>
  #
@@ -47230,9 +50849,7 @@ index 0e8508c..ee2e3de 100644
 +    gen_require(`
 +        type NetworkManager_var_lib_t;
 +    ')
- 
--	files_search_pids($1)
--	admin_pattern($1, NetworkManager_var_run_t)
++
 +    manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +')
 +
@@ -47276,6 +50893,26 @@ index 0e8508c..ee2e3de 100644
 +    allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
 +')
 +
++#######################################
++## <summary>
++##	Send to NetworkManager with a unix dgram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_dgram_send',`
++	gen_require(`
++		type NetworkManager_t, NetworkManager_var_run_t;
++	')
+ 
+ 	files_search_pids($1)
+-	admin_pattern($1, NetworkManager_var_run_t)
++	dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
++')
++
 +########################################
 +## <summary>
 +##	Transition to networkmanager named content
@@ -47320,7 +50957,7 @@ index 0e8508c..ee2e3de 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..b5c140b 100644
+index 0b48a30..9e9b2dc 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -47351,7 +50988,7 @@ index 0b48a30..b5c140b 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,51 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  # Local policy
  #
  
@@ -47360,13 +50997,17 @@ index 0b48a30..b5c140b 100644
 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 +# networkmanager will ptrace itself if gdb is installed
 +# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
 +dontaudit NetworkManager_t self:capability sys_tty_config;
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
 +	dontaudit NetworkManager_t self:capability sys_module;
 +')
 +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
++
++allow NetworkManager_t self:process setfscreate;
++selinux_validate_context(NetworkManager_t)
++
 +tunable_policy(`deny_ptrace',`',`
 +	allow NetworkManager_t self:capability sys_ptrace;
 +	allow NetworkManager_t self:process ptrace;
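Review bot: The `sys_chroot` added to the `allow NetworkManager_t self:capability { ... }` line and the new `allow NetworkManager_t self:process setfscreate;` arrive without any comment, while the neighbouring ptrace rule records its reason with a bug reference. `setfscreate` lets the domain choose the label of files it creates (the accompanying `selinux_validate_context` only lets it ask the kernel whether a context is valid; it does not constrain the choice), and `sys_chroot` is rarely needed by a network daemon, so both widen what a compromised NetworkManager_t could do. A one-line why-comment per grant, e.g. `# setfscreate: NetworkManager labels the files it writes under <path — TODO confirm>`, would let a later reviewer judge whether each is still required.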
@@ -47376,7 +51017,7 @@ index 0b48a30..b5c140b 100644
 -allow NetworkManager_t self:unix_dgram_socket sendto;
 -allow NetworkManager_t self:unix_stream_socket { accept listen };
 +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
-+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
++allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
  allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 +allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
  allow NetworkManager_t self:netlink_socket create_socket_perms;
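Review bot: The rewritten `allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };` lacks the space before `{` that every other rule in the file has; the policy lexer should tokenise it regardless, but it reads as a typo and will not match the `:unix_stream_socket {` form people grep for. Suggest `allow NetworkManager_t self:unix_stream_socket { create_stream_socket_perms connectto };`.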
@@ -47396,16 +51037,19 @@ index 0b48a30..b5c140b 100644
 +can_exec(NetworkManager_t, NetworkManager_exec_t)
 +#wicd
 +can_exec(NetworkManager_t, wpa_cli_exec_t)
- 
++
++list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
++read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
++
 +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+
+ 
 +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
  filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +97,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
  setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -47413,7 +51057,7 @@ index 0b48a30..b5c140b 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +111,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
  
@@ -47432,7 +51076,7 @@ index 0b48a30..b5c140b 100644
  corenet_all_recvfrom_netlabel(NetworkManager_t)
  corenet_tcp_sendrecv_generic_if(NetworkManager_t)
  corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +129,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
  corenet_tcp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_sendrecv_all_ports(NetworkManager_t)
  corenet_udp_bind_generic_node(NetworkManager_t)
@@ -47458,7 +51102,7 @@ index 0b48a30..b5c140b 100644
  dev_rw_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
-@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +145,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
  dev_getattr_all_chr_files(NetworkManager_t)
  dev_rw_wireless(NetworkManager_t)
  
@@ -47472,7 +51116,7 @@ index 0b48a30..b5c140b 100644
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
  fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +153,33 @@ mls_file_read_all_levels(NetworkManager_t)
  
  selinux_dontaudit_search_fs(NetworkManager_t)
  
@@ -47490,7 +51134,11 @@ index 0b48a30..b5c140b 100644
  storage_getattr_fixed_disk_dev(NetworkManager_t)
  
  init_read_utmp(NetworkManager_t)
-@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t)
+ init_dontaudit_write_utmp(NetworkManager_t)
+ init_domtrans_script(NetworkManager_t)
++init_signull_script(NetworkManager_t)
++init_signal_script(NetworkManager_t)
++init_sigkill_script(NetworkManager_t)
  
  auth_use_nsswitch(NetworkManager_t)
  
@@ -47503,7 +51151,7 @@ index 0b48a30..b5c140b 100644
  
  seutil_read_config(NetworkManager_t)
  
-@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +194,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
  sysnet_read_dhcpc_state(NetworkManager_t)
  sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -47540,7 +51188,7 @@ index 0b48a30..b5c140b 100644
  ')
  
  optional_policy(`
-@@ -196,10 +225,6 @@ optional_policy(`
+@@ -196,10 +235,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47551,7 +51199,7 @@ index 0b48a30..b5c140b 100644
  	consoletype_exec(NetworkManager_t)
  ')
  
-@@ -210,16 +235,11 @@ optional_policy(`
+@@ -210,16 +245,11 @@ optional_policy(`
  optional_policy(`
  	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
  
@@ -47570,7 +51218,7 @@ index 0b48a30..b5c140b 100644
  	')
  ')
  
-@@ -231,18 +251,19 @@ optional_policy(`
+@@ -231,10 +261,11 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -47579,21 +51227,27 @@ index 0b48a30..b5c140b 100644
  
  optional_policy(`
 -	gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+	hal_write_log(NetworkManager_t)
++    fcoe_dgram_send_fcoemon(NetworkManager_t)
  ')
  
  optional_policy(`
--	hal_write_log(NetworkManager_t)
-+	howl_signal(NetworkManager_t)
+@@ -246,10 +277,26 @@ optional_policy(`
  ')
  
  optional_policy(`
--	howl_signal(NetworkManager_t)
 +	gnome_dontaudit_search_config(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -250,6 +271,10 @@ optional_policy(`
++')
++
++optional_policy(`
++    iscsid_domtrans(NetworkManager_t)
++')
++
++optional_policy(`
++    iodined_domtrans(NetworkManager_t)
++')
++
++optional_policy(`
+ 	ipsec_domtrans_mgmt(NetworkManager_t)
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
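Review bot: The added `fcoe_dgram_send_fcoemon`, `iscsid_domtrans` and `iodined_domtrans` calls are indented with four spaces while the surrounding `optional_policy` bodies in networkmanager.te use a tab; the same mix appears in the l2tpd hunk (@@ -47604), the lldpad/netutils hunk (@@ -47620), the systemd/ssh and ninfod hunk (@@ -47672), the nscd.te hunk (@@ -49207), the ntp.if hunk (@@ -50780) and the opensm hunk (@@ -53598). Converting these to tabs before the patch lands keeps the files consistent and avoids a whitespace-only follow-up. A short comment on why NetworkManager needs a transition into `iodined_t` (a DNS-tunnelling daemon) would also help, since this is the only place that relationship is expressed.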
@@ -47604,15 +51258,11 @@ index 0b48a30..b5c140b 100644
  ')
  
  optional_policy(`
-@@ -257,11 +282,10 @@ optional_policy(`
+@@ -257,15 +304,19 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	libs_exec_ldconfig(NetworkManager_t)
--')
--
--optional_policy(`
--	modutils_domtrans_insmod(NetworkManager_t)
 +	l2tpd_domtrans(NetworkManager_t)
 +    l2tpd_sigkill(NetworkManager_t)
 +    l2tpd_signal(NetworkManager_t)
@@ -47620,7 +51270,17 @@ index 0b48a30..b5c140b 100644
  ')
  
  optional_policy(`
-@@ -274,10 +298,17 @@ optional_policy(`
+-	modutils_domtrans_insmod(NetworkManager_t)
++    lldpad_dgram_send(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+ 	netutils_exec_ping(NetworkManager_t)
++    netutils_exec(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+@@ -274,10 +325,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
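Review bot: `netutils_exec(NetworkManager_t)`, added next to the existing `netutils_exec_ping`, runs any `netutils_exec_t` binary inside NetworkManager_t itself, i.e. with that domain's `net_admin`/`net_raw`/`sys_admin` capabilities, rather than under the dedicated netutils domain. If only one tool is needed, naming it in a comment would justify the grant; otherwise `netutils_domtrans(NetworkManager_t)` would keep the child confined as `netutils_t`. The `lldpad_dgram_send` line above it is a plain dgram send and needs no note.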
@@ -47638,7 +51298,7 @@ index 0b48a30..b5c140b 100644
  ')
  
  optional_policy(`
-@@ -289,6 +320,7 @@ optional_policy(`
+@@ -289,6 +347,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47646,7 +51306,7 @@ index 0b48a30..b5c140b 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +328,7 @@ optional_policy(`
+@@ -296,7 +355,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47655,7 +51315,7 @@ index 0b48a30..b5c140b 100644
  ')
  
  optional_policy(`
-@@ -307,6 +339,7 @@ optional_policy(`
+@@ -307,6 +366,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -47663,7 +51323,7 @@ index 0b48a30..b5c140b 100644
  ')
  
  optional_policy(`
-@@ -320,13 +353,19 @@ optional_policy(`
+@@ -320,13 +380,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47672,28 +51332,166 @@ index 0b48a30..b5c140b 100644
 +	systemd_write_inhibit_pipes(NetworkManager_t)
 +	systemd_read_logind_sessions_files(NetworkManager_t)
 +	systemd_dbus_chat_logind(NetworkManager_t)
-+	systemd_hostnamed_read_config(NetworkManager_t)
++    systemd_hostnamed_manage_config(NetworkManager_t)
++')
++
++optional_policy(`
++    ssh_exec(NetworkManager_t)
  ')
  
  optional_policy(`
 -	# unconfined_dgram_send(NetworkManager_t)
 -	unconfined_stream_connect(NetworkManager_t)
-+    ssh_exec(NetworkManager_t)
-+')
-+
-+optional_policy(`
 +	udev_exec(NetworkManager_t)
 +	udev_read_db(NetworkManager_t)
  ')
  
  optional_policy(`
-@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
 -miscfiles_read_localization(wpa_cli_t)
 -
  term_dontaudit_use_console(wpa_cli_t)
+diff --git a/ninfod.fc b/ninfod.fc
+new file mode 100644
+index 0000000..cc31b9f
+--- /dev/null
++++ b/ninfod.fc
+@@ -0,0 +1,6 @@
++/usr/lib/systemd/system/ninfod.*		--	gen_context(system_u:object_r:ninfod_unit_file_t,s0)
++
++/usr/sbin/ninfod		--	gen_context(system_u:object_r:ninfod_exec_t,s0)
++
++/var/run/ninfod.*		--	gen_context(system_u:object_r:ninfod_run_t,s0)
++
+diff --git a/ninfod.if b/ninfod.if
+new file mode 100644
+index 0000000..a7f57d9
+--- /dev/null
++++ b/ninfod.if
+@@ -0,0 +1,79 @@
++
++## <summary>Respond to IPv6 Node Information Queries</summary>
++
++########################################
++## <summary>
++##	Execute ninfod in the ninfod domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ninfod_domtrans',`
++	gen_require(`
++		type ninfod_t, ninfod_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ninfod_exec_t, ninfod_t)
++')
++########################################
++## <summary>
++##	Execute ninfod server in the ninfod domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ninfod_systemctl',`
++	gen_require(`
++		type ninfod_t;
++		type ninfod_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 ninfod_unit_file_t:file read_file_perms;
++	allow $1 ninfod_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, ninfod_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ninfod environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ninfod_admin',`
++	gen_require(`
++		type ninfod_t;
++	    type ninfod_unit_file_t;
++	')
++
++	allow $1 ninfod_t:process { signal_perms };
++	ps_process_pattern($1, ninfod_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 ninfod_t:process ptrace;
++    ')
++
++	ninfod_systemctl($1)
++	admin_pattern($1, ninfod_unit_file_t)
++	allow $1 ninfod_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/ninfod.te b/ninfod.te
+new file mode 100644
+index 0000000..d75c408
+--- /dev/null
++++ b/ninfod.te
+@@ -0,0 +1,35 @@
++policy_module(ninfod, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ninfod_t;
++type ninfod_exec_t;
++init_daemon_domain(ninfod_t, ninfod_exec_t)
++
++type ninfod_run_t;
++files_pid_file(ninfod_run_t)
++
++type ninfod_unit_file_t;
++systemd_unit_file(ninfod_unit_file_t)
++
++########################################
++#
++# ninfod local policy
++#
++allow ninfod_t self:capability { net_raw setuid };
++allow ninfod_t self:process setcap;
++allow ninfod_t self:fifo_file rw_fifo_file_perms;
++allow ninfod_t self:rawip_socket { create setopt };
++allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
++files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
++
++auth_use_nsswitch(ninfod_t)
++
++logging_send_syslog_msg(ninfod_t)
++
++sysnet_dns_name_resolve(ninfod_t)
 diff --git a/nis.fc b/nis.fc
 index 8aa1bfa..cd0e015 100644
 --- a/nis.fc
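Review bot: In the new ninfod.if, the `ninfod_systemctl` summary ("Execute ninfod server in the ninfod domain.") is copied from `ninfod_domtrans` and does not describe what the interface grants — `systemctl` execution plus read of `ninfod_unit_file_t` and `manage_service_perms` on the unit — so it should read something like `##	Execute systemctl to start, stop and inspect the ninfod service.`; the `ninfod_domtrans` summary also has "domin" for "domain". In ninfod.te, `allow ninfod_t self:rawip_socket { create setopt };` is presumably too narrow for a daemon that answers ICMPv6 node-information queries (no read/write permissions), so confirm it against an AVC trace before shipping. Separately, replacing `systemd_hostnamed_read_config` with `systemd_hostnamed_manage_config` in networkmanager.te moves NetworkManager from reading to writing hostnamed's configuration; a one-line comment naming the NetworkManager feature that sets the hostname would record why.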
@@ -47998,7 +51796,7 @@ index 46e55c3..6e4e061 100644
 +	allow $1 nis_unit_file_t:service all_service_perms;
  ')
 diff --git a/nis.te b/nis.te
-index 3e4a31c..eea788e 100644
+index 3e4a31c..6aeb9dd 100644
 --- a/nis.te
 +++ b/nis.te
 @@ -1,12 +1,10 @@
@@ -48169,11 +51967,12 @@ index 3e4a31c..eea788e 100644
  dev_read_sysfs(yppasswdd_t)
  
  fs_getattr_all_fs(yppasswdd_t)
-@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t)
+@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t)
+ selinux_get_fs_mount(yppasswdd_t)
  
  auth_manage_shadow(yppasswdd_t)
++auth_manage_passwd(yppasswdd_t)
  auth_relabel_shadow(yppasswdd_t)
-+auth_read_passwd(yppasswdd_t)
  auth_etc_filetrans_shadow(yppasswdd_t)
  
 +corecmd_exec_bin(yppasswdd_t)
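Review bot: Replacing `auth_read_passwd(yppasswdd_t)` with `auth_manage_passwd(yppasswdd_t)` moves yppasswdd from reading to creating, writing and deleting `/etc/passwd`, on top of the `auth_manage_shadow` it already holds. rpc.yppasswdd presumably rewrites passwd for its shell/gecos change options, so the grant looks intended, but a comment such as `# yppasswdd rewrites /etc/passwd when shell or gecos changes are enabled` would record why a network-facing daemon holds write access to the account database.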
@@ -48759,7 +52558,7 @@ index ba64485..429bd79 100644
 +
 +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 diff --git a/nscd.if b/nscd.if
-index 8f2ab09..6ab4ea1 100644
+index 8f2ab09..bc2c7fe 100644
 --- a/nscd.if
 +++ b/nscd.if
 @@ -1,8 +1,8 @@
@@ -48915,7 +52714,7 @@ index 8f2ab09..6ab4ea1 100644
 +interface(`nscd_shm_use',`
 +	gen_require(`
 +		type nscd_t, nscd_var_run_t;
-+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
++		class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
  	')
 +
 +	allow $1 nscd_var_run_t:dir list_dir_perms;
@@ -49057,7 +52856,7 @@ index 8f2ab09..6ab4ea1 100644
 +	allow $1 nscd_unit_file_t:service all_service_perms;
  ')
 diff --git a/nscd.te b/nscd.te
-index df4c10f..8c09c68 100644
+index df4c10f..2bbc3a6 100644
 --- a/nscd.te
 +++ b/nscd.te
 @@ -1,36 +1,37 @@
@@ -49109,7 +52908,11 @@ index df4c10f..8c09c68 100644
  type nscd_log_t;
  logging_log_file(nscd_log_t)
  
-@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
+@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t)
+ #
+ 
+ allow nscd_t self:capability { kill setgid setuid };
++allow nscd_t self:capability2 block_suspend;
  dontaudit nscd_t self:capability sys_tty_config;
  allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
  allow nscd_t self:fifo_file read_fifo_file_perms;
@@ -49182,7 +52985,7 @@ index df4c10f..8c09c68 100644
  corenet_rw_tun_tap_dev(nscd_t)
  
  selinux_get_fs_mount(nscd_t)
-@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t)
+@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t)
  selinux_compute_create_context(nscd_t)
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
@@ -49207,44 +53010,45 @@ index df4c10f..8c09c68 100644
  userdom_dontaudit_use_user_terminals(nscd_t)
  userdom_dontaudit_use_unpriv_user_fds(nscd_t)
  userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,20 +130,31 @@ optional_policy(`
+@@ -121,13 +131,11 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	tunable_policy(`samba_domain_controller',`
+-		samba_append_log(nscd_t)
+-		samba_dontaudit_use_fds(nscd_t)
+-	')
 +	kerberos_use(nscd_t)
 +')
-+
+ 
+-	samba_read_config(nscd_t)
+-	samba_read_var_files(nscd_t)
 +optional_policy(`
-+	udev_read_db(nscd_t)
-+')
++    nis_authenticate(nscd_t)
+ ')
+ 
+ optional_policy(`
+@@ -138,3 +146,20 @@ optional_policy(`
+ 	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ 	xen_append_log(nscd_t)
+ ')
 +
 +optional_policy(`
-+	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
-+	xen_append_log(nscd_t)
++	tunable_policy(`samba_domain_controller',`
++		samba_append_log(nscd_t)
++		samba_dontaudit_use_fds(nscd_t)
++	')
 +')
 +
 +optional_policy(`
- 	tunable_policy(`samba_domain_controller',`
- 		samba_append_log(nscd_t)
- 		samba_dontaudit_use_fds(nscd_t)
- 	')
--
--	samba_read_config(nscd_t)
--	samba_read_var_files(nscd_t)
- ')
- 
- optional_policy(`
--	udev_read_db(nscd_t)
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +    samba_stream_connect_nmbd(nscd_t)
- ')
- 
- optional_policy(`
--	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
--	xen_append_log(nscd_t)
++')
++
++optional_policy(`
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
- ')
++')
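Review bot: `nis_authenticate(nscd_t)` is added without a comment; nscd normally reaches NIS through its nsswitch interface in refpolicy trees (unverified here), so a line noting which lookup was denied without the broader NIS access would justify it. The rest of the hunk only moves the samba and xen blocks to the end of the file and adds `samba_stream_connect_nmbd`, which needs no note beyond the tab/space mix already raised on the networkmanager.te hunks.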
 diff --git a/nsd.fc b/nsd.fc
 index 4f2b1b6..5348e92 100644
 --- a/nsd.fc
@@ -49662,7 +53466,7 @@ index 97df768..852d1c6 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..2c5b389 100644
+index a3e56f0..c37998e 100644
 --- a/nslcd.te
 +++ b/nslcd.te
 @@ -1,4 +1,4 @@
@@ -49682,7 +53486,7 @@ index a3e56f0..2c5b389 100644
 -allow nslcd_t self:capability { setgid setuid dac_override };
 -allow nslcd_t self:process signal;
 -allow nslcd_t self:unix_stream_socket { accept listen };
-+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
++allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice };
 +allow nslcd_t self:process { setsched signal signull };
 +allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
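Review bot: `chown` is added to the `allow nslcd_t self:capability { ... }` set without a comment; CAP_CHOWN lets the daemon reassign ownership of any file it can already write, so it is worth recording which file needs it (presumably its socket or pid directory being handed to the nslcd user after privilege drop — unverified here). Suggest `# chown: nslcd re-owns <path — TODO confirm> to its runtime user` above the rule.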
  
@@ -50590,7 +54394,7 @@ index af3c91e..6882a3f 100644
  /var/lib/sntp-kod(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
  
 diff --git a/ntp.if b/ntp.if
-index b59196f..017b36f 100644
+index b59196f..24f45be 100644
 --- a/ntp.if
 +++ b/ntp.if
 @@ -1,4 +1,4 @@
@@ -50755,7 +54559,7 @@ index b59196f..017b36f 100644
  
  	logging_list_logs($1)
  	admin_pattern($1, ntpd_log_t)
-@@ -164,5 +246,28 @@ interface(`ntp_admin',`
+@@ -164,5 +246,30 @@ interface(`ntp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
  
@@ -50780,13 +54584,15 @@ index b59196f..017b36f 100644
 +interface(`ntp_filetrans_named_content',`
 +	gen_require(`
 +		type ntp_conf_t;
++        type ntp_drift_t;
 +	')
 +
 +	files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
 +	files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
++    files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
  ')
 diff --git a/ntp.te b/ntp.te
-index b90e343..8369b61 100644
+index b90e343..ae081d4 100644
 --- a/ntp.te
 +++ b/ntp.te
 @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
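Review bot: The new `files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")` in `ntp_filetrans_named_content` uses object class `file`, but the matching rule added to ntp.te in hunk @@ -50799 is `files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")` and ntp.fc labels `/var/lib/sntp-kod(/.*)?` as a directory tree. Callers of the interface (presumably admin domains creating the path by hand) would get an `ntp_drift_t` label only for a regular file named sntp-kod and a generic label for the directory, so the class should be `dir` (or `{ dir file }` if both shapes really occur) so the two rules agree. The added `type ntp_drift_t;` require line is also space-indented where the line before it uses a tab.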
@@ -50799,7 +54605,15 @@ index b90e343..8369b61 100644
  type ntp_conf_t;
  files_config_file(ntp_conf_t)
  
-@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen };
+ 
+ manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
+ 
+ allow ntpd_t ntp_conf_t:file read_file_perms;
+ 
+@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
  read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
  
  allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
@@ -50810,7 +54624,7 @@ index b90e343..8369b61 100644
  logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
  
  manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t)
  kernel_read_network_state(ntpd_t)
  kernel_request_load_module(ntpd_t)
  
@@ -50834,7 +54648,7 @@ index b90e343..8369b61 100644
  
  corecmd_exec_bin(ntpd_t)
  corecmd_exec_shell(ntpd_t)
-@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t)
  domain_dontaudit_list_all_domains_state(ntpd_t)
  
  files_read_etc_runtime_files(ntpd_t)
@@ -50851,7 +54665,7 @@ index b90e343..8369b61 100644
  
  auth_use_nsswitch(ntpd_t)
  
-@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t)
  
  logging_send_syslog_msg(ntpd_t)
  
@@ -50973,7 +54787,7 @@ index 0d3c270..709dda1 100644
 +	')
  ')
 diff --git a/numad.te b/numad.te
-index f5d145d..97e1148 100644
+index f5d145d..f050103 100644
 --- a/numad.te
 +++ b/numad.te
 @@ -1,4 +1,4 @@
@@ -50982,7 +54796,7 @@ index f5d145d..97e1148 100644
  
  ########################################
  #
-@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3)
+@@ -8,37 +8,44 @@ policy_module(numad, 1.0.3)
  type numad_t;
  type numad_exec_t;
  init_daemon_domain(numad_t, numad_exec_t)
@@ -51021,15 +54835,17 @@ index f5d145d..97e1148 100644
  
  manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
  files_pid_filetrans(numad_t, numad_var_run_t, file)
-@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t)
  
- dev_read_sysfs(numad_t)
+ kernel_read_system_state(numad_t)
  
--files_read_etc_files(numad_t)
+-dev_read_sysfs(numad_t)
++dev_rw_sysfs(numad_t)
++
 +domain_use_interactive_fds(numad_t)
 +domain_read_all_domains_state(numad_t)
 +domain_setpriority_all_domains(numad_t)
-+
+ 
+-files_read_etc_files(numad_t)
 +fs_manage_cgroup_dirs(numad_t)
 +fs_rw_cgroup_files(numad_t)
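Review bot: `dev_read_sysfs(numad_t)` becomes `dev_rw_sysfs(numad_t)`, alongside the new `fs_manage_cgroup_dirs`, `fs_rw_cgroup_files` and `domain_setpriority_all_domains`, and none of the four says which numad operation needs it. Write access to all of sysfs covers far more than NUMA placement, so a why-comment such as `# numad writes node/cpu assignments via sysfs — TODO: narrow to the paths actually used` would help a later reviewer decide whether a dedicated type could replace the generic rw grant.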
  
@@ -51073,7 +54889,7 @@ index 379af96..41ff159 100644
 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 diff --git a/nut.if b/nut.if
-index 57c0161..54bd4d7 100644
+index 57c0161..dae3360 100644
 --- a/nut.if
 +++ b/nut.if
 @@ -1,39 +1,24 @@
@@ -51129,7 +54945,7 @@ index 57c0161..54bd4d7 100644
  
 -	files_search_pids($1)
 -	admin_pattern($1, nut_var_run_t)
-+    ps_process_pattern($1, swift_t)
++    ps_process_pattern($1, nut_t)
  ')
 diff --git a/nut.te b/nut.te
 index 0c9deb7..76988d6 100644
@@ -52301,10 +56117,10 @@ index 0000000..a437f80
 +files_read_config_files(openshift_domain)
 diff --git a/openshift.fc b/openshift.fc
 new file mode 100644
-index 0000000..f2d6119
+index 0000000..1d4e039
 --- /dev/null
 +++ b/openshift.fc
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,28 @@
 +/etc/rc\.d/init\.d/libra        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mcollective        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +
@@ -52312,6 +56128,7 @@ index 0000000..f2d6119
 +
 +/var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
++/var/lib/containers(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/openshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/openshift/.*/data(/.*)?          gen_context(system_u:object_r:openshift_rw_file_t,s0)
 +
@@ -52320,7 +56137,8 @@ index 0000000..f2d6119
 +/var/lib/openshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +/var/lib/openshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +
-+/var/log/mcollective\.log        --    gen_context(system_u:object_r:openshift_log_t,s0)
++/var/log/mcollective\.log.*        --    gen_context(system_u:object_r:openshift_log_t,s0)
++/var/log/openshift(/.*)?	 gen_context(system_u:object_r:openshift_log_t,s0)
 +
 +/usr/s?bin/(oo|rhc)-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
 +
@@ -52333,10 +56151,10 @@ index 0000000..f2d6119
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..e03de01
+index 0000000..9451b83
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,700 @@
+@@ -0,0 +1,702 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -52958,9 +56776,11 @@ index 0000000..e03de01
 +interface(`openshift_dontaudit_rw_inherited_fifo_files',`
 +	gen_require(`
 +		type openshift_initrc_t;
++        type openshift_t;
 +	')
 +
 +	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++    dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
@@ -53039,16 +56859,24 @@ index 0000000..e03de01
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..cd25e8e
+index 0000000..ebd0c68
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,555 @@
+@@ -0,0 +1,575 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
 +	role system_r;
 +')
 + 
++## <desc>
++## <p>
++## Allow openshift to access nfs file systems without labels
++## </p>
++## </desc>
++gen_tunable(openshift_use_nfs, false)
++
++
 +########################################
 +#
 +# Declarations
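Review bot: The new `openshift_use_nfs` `<desc>` says the boolean lets openshift "access nfs file systems without labels", but the `tunable_policy` block that consumes it later in this file (hunk @@ -53598) also grants `fs_exec_nfs_files(openshift_domain)`, i.e. executing binaries from NFS. Since this description is what administrators see when listing booleans, it should state the full effect, e.g. `## Allow openshift domains to read, write and execute files on NFS file systems.`; the second blank line after `gen_tunable` is also surplus.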
@@ -53185,6 +57013,8 @@ index 0000000..cd25e8e
 +allow openshift_domain self:shm create_shm_perms;
 +allow openshift_domain self:sem create_sem_perms;
 +dontaudit openshift_domain self:dir write;
++dontaudit openshift_domain self:rawip_socket create_socket_perms;
++
 +dontaudit openshift_t self:unix_stream_socket recvfrom;
 +dontaudit openshift_domain self:netlink_tcpdiag_socket create;
 +dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
@@ -53533,6 +57363,7 @@ index 0000000..cd25e8e
 +allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
 +allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
 +
++append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)
 +manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
 +manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
 +manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
@@ -53547,6 +57378,8 @@ index 0000000..cd25e8e
 +kernel_read_network_state(openshift_cron_t)
 +kernel_read_system_state(openshift_cron_t)
 +
++files_dontaudit_search_all_mountpoints(openshift_cron_t)
++
 +corecmd_exec_bin(openshift_cron_t)
 +corecmd_exec_shell(openshift_cron_t)
 +
@@ -53598,6 +57431,305 @@ index 0000000..cd25e8e
 +	ssh_dontaudit_read_server_keys(openshift_cron_t)
 +')
 +
++tunable_policy(`openshift_use_nfs',`
++        fs_list_auto_mountpoints(openshift_domain)
++	fs_manage_nfs_dirs(openshift_domain)
++	fs_manage_nfs_files(openshift_domain)
++	fs_manage_nfs_symlinks(openshift_domain)
++	fs_exec_nfs_files(openshift_domain)
++')
+diff --git a/opensm.fc b/opensm.fc
+new file mode 100644
+index 0000000..51650fa
+--- /dev/null
++++ b/opensm.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/opensm.*    	--	gen_context(system_u:object_r:opensm_unit_file_t,s0)
++
++/usr/libexec/opensm-launch	--	gen_context(system_u:object_r:opensm_exec_t,s0)
++
++/var/cache/opensm(/.*)?		gen_context(system_u:object_r:opensm_cache_t,s0)
++
++/var/log/opensm\.log.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
+diff --git a/opensm.if b/opensm.if
+new file mode 100644
+index 0000000..776fda7
+--- /dev/null
++++ b/opensm.if
+@@ -0,0 +1,223 @@
++
++## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
++
++########################################
++## <summary>
++##	Execute opensm in the opensm domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`opensm_domtrans',`
++	gen_require(`
++		type opensm_t, opensm_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, opensm_exec_t, opensm_t)
++')
++
++########################################
++## <summary>
++##	Search opensm cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_search_cache',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	allow $1 opensm_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read opensm cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_read_cache_files',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, opensm_cache_t, opensm_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	opensm cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_manage_cache_files',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage opensm cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_manage_cache_dirs',`
++	gen_require(`
++		type opensm_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
++')
++
++########################################
++## <summary>
++##	Read opensm's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_read_log',`
++	gen_require(`
++		type opensm_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, opensm_log_t, opensm_log_t)
++')
++
++########################################
++## <summary>
++##	Append to opensm log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_append_log',`
++	gen_require(`
++		type opensm_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, opensm_log_t, opensm_log_t)
++')
++
++########################################
++## <summary>
++##	Manage opensm log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`opensm_manage_log',`
++	gen_require(`
++		type opensm_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
++	manage_files_pattern($1, opensm_log_t, opensm_log_t)
++	manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
++')
++########################################
++## <summary>
++##	Execute opensm server in the opensm domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`opensm_systemctl',`
++	gen_require(`
++		type opensm_t;
++		type opensm_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 opensm_unit_file_t:file read_file_perms;
++	allow $1 opensm_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, opensm_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an opensm environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`opensm_admin',`
++	gen_require(`
++		type opensm_t;
++		type opensm_cache_t;
++		type opensm_log_t;
++	    type opensm_unit_file_t;
++	')
++
++	allow $1 opensm_t:process { signal_perms };
++	ps_process_pattern($1, opensm_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 opensm_t:process ptrace;
++    ')
++
++	files_search_var($1)
++	admin_pattern($1, opensm_cache_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, opensm_log_t)
++
++	opensm_systemctl($1)
++	admin_pattern($1, opensm_unit_file_t)
++	allow $1 opensm_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/opensm.te b/opensm.te
+new file mode 100644
+index 0000000..a055461
+--- /dev/null
++++ b/opensm.te
+@@ -0,0 +1,44 @@
++policy_module(opensm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type opensm_t;
++type opensm_exec_t;
++init_daemon_domain(opensm_t, opensm_exec_t)
++
++type opensm_cache_t;
++files_type(opensm_cache_t)
++
++type opensm_log_t;
++logging_log_file(opensm_log_t)
++
++type opensm_unit_file_t;
++systemd_unit_file(opensm_unit_file_t)
++
++########################################
++#
++# opensm local policy
++#
++allow opensm_t self:process { signal fork };
++allow opensm_t self:fifo_file rw_fifo_file_perms;
++allow opensm_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
++manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
++files_var_filetrans(opensm_t, opensm_cache_t, { dir file })
++
++manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
++logging_log_filetrans(opensm_t, opensm_log_t, file )
++
++kernel_read_system_state(opensm_t)
++
++auth_read_passwd(opensm_t)
++
++corecmd_exec_bin(opensm_t)
++
++dev_read_sysfs(opensm_t)
++
++logging_send_syslog_msg(opensm_t)
 diff --git a/openvpn.fc b/openvpn.fc
 index 300213f..4cdfe09 100644
 --- a/openvpn.fc
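Review bot: In the new opensm.te, `files_var_filetrans(opensm_t, opensm_cache_t, { dir file })` is an unnamed transition, so any directory or file opensm_t creates directly in a `var_t` directory becomes `opensm_cache_t`, while opensm.fc only labels `/var/cache/opensm(/.*)?`; a named form such as `files_var_filetrans(opensm_t, opensm_cache_t, dir, "opensm")` (the same name argument `files_var_lib_filetrans` takes elsewhere on this page) would match the fc entry. The `opensm_systemctl` summary ("Execute opensm server in the opensm domain.") is copied from `opensm_domtrans` and does not describe the systemctl and unit-file access it actually grants, and `opensm_domtrans` has "domin" for "domain". In the `tunable_policy(\`openshift_use_nfs'` block at the top of the hunk, the `fs_list_auto_mountpoints` line is indented with eight spaces while the lines under it use a tab.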
@@ -54137,7 +58269,7 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..a499612 100644
+index 508fedf..452ad74 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -54160,7 +58292,7 @@ index 508fedf..a499612 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
+@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t)
  type openvswitch_log_t;
  logging_log_file(openvswitch_log_t)
  
@@ -54188,6 +58320,7 @@ index 508fedf..a499612 100644
 -allow openvswitch_t self:rawip_socket create_socket_perms;
 -allow openvswitch_t self:unix_stream_socket { accept connectto listen };
 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openvswitch_t self:tcp_socket create_stream_socket_perms;
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
  
@@ -54202,7 +58335,7 @@ index 508fedf..a499612 100644
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -54228,12 +58361,15 @@ index 508fedf..a499612 100644
 -
  kernel_read_network_state(openvswitch_t)
  kernel_read_system_state(openvswitch_t)
--
++kernel_request_load_module(openvswitch_t)
+ 
 -corenet_all_recvfrom_unlabeled(openvswitch_t)
 -corenet_all_recvfrom_netlabel(openvswitch_t)
 -corenet_raw_sendrecv_generic_if(openvswitch_t)
 -corenet_raw_sendrecv_generic_node(openvswitch_t)
-+kernel_request_load_module(openvswitch_t)
++corenet_tcp_connect_openflow_port(openvswitch_t)
++corenet_tcp_bind_generic_node(openvswitch_t)
++corenet_tcp_bind_openvswitch_port(openvswitch_t)
  
  corecmd_exec_bin(openvswitch_t)
 +corecmd_exec_shell(openvswitch_t)
@@ -54268,6 +58404,152 @@ index 508fedf..a499612 100644
 +optional_policy(`
 +    plymouthd_exec_plymouth(openvswitch_t)
 +')
+diff --git a/openwsman.fc b/openwsman.fc
+new file mode 100644
+index 0000000..00d0643
+--- /dev/null
++++ b/openwsman.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/openwsmand.*		--	gen_context(system_u:object_r:openwsman_unit_file_t,s0)
++
++/usr/sbin/openwsmand		--	gen_context(system_u:object_r:openwsman_exec_t,s0)
++
++/var/log/wsmand.*	--	gen_context(system_u:object_r:openwsman_log_t,s0)
++
++/var/run/wsmand.*	--	gen_context(system_u:object_r:openwsman_run_t,s0)
+diff --git a/openwsman.if b/openwsman.if
+new file mode 100644
+index 0000000..42ed4ba
+--- /dev/null
++++ b/openwsman.if
+@@ -0,0 +1,78 @@
++## <summary>WS-Management Server</summary>
++
++########################################
++## <summary>
++##	Execute openwsman in the openwsman domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`openwsman_domtrans',`
++	gen_require(`
++		type openwsman_t, openwsman_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, openwsman_exec_t, openwsman_t)
++')
++########################################
++## <summary>
++##	Execute openwsman server in the openwsman domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`openwsman_systemctl',`
++	gen_require(`
++		type openwsman_t;
++		type openwsman_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 openwsman_unit_file_t:file read_file_perms;
++	allow $1 openwsman_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, openwsman_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an openwsman environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`openwsman_admin',`
++	gen_require(`
++		type openwsman_t;
++	    type openwsman_unit_file_t;
++	')
++
++	allow $1 openwsman_t:process { signal_perms };
++	ps_process_pattern($1, openwsman_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 openwsman_t:process ptrace;
++    ')
++
++	openwsman_systemctl($1)
++	admin_pattern($1, openwsman_unit_file_t)
++	allow $1 openwsman_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/openwsman.te b/openwsman.te
+new file mode 100644
+index 0000000..49dc5ef
+--- /dev/null
++++ b/openwsman.te
+@@ -0,0 +1,43 @@
++policy_module(openwsman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openwsman_t;
++type openwsman_exec_t;
++init_daemon_domain(openwsman_t, openwsman_exec_t)
++
++type openwsman_log_t;
++logging_log_file(openwsman_log_t)
++
++type openwsman_run_t;
++files_pid_file(openwsman_run_t)
++
++type openwsman_unit_file_t;
++systemd_unit_file(openwsman_unit_file_t)
++
++########################################
++#
++# openwsman local policy
++#
++allow openwsman_t self:process { fork };
++allow openwsman_t self:fifo_file rw_fifo_file_perms;
++allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
++allow openwsman_t self:tcp_socket { create_socket_perms listen };
++
++manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
++logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
++
++manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
++files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
++
++auth_use_nsswitch(openwsman_t)
++
++corenet_tcp_bind_vnc_port(openwsman_t)
++
++dev_read_urand(openwsman_t)
++
++logging_send_syslog_msg(openwsman_t)
++
 diff --git a/oracleasm.fc b/oracleasm.fc
 new file mode 100644
 index 0000000..80fb8c3
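Review bot: `allow openwsman_t self:tcp_socket { create_socket_perms listen };` in openwsman.te lets the daemon bind and listen but omits `accept`, so every incoming WS-Management connection would be denied at accept(); the macro for a listening server is `create_stream_socket_perms`, as the openvswitch and pcp hunks in this same patch use, i.e. `allow openwsman_t self:tcp_socket create_stream_socket_perms;`. The only bind grant is `corenet_tcp_bind_vnc_port(openwsman_t)`; if that is because the WS-Man listener ports fall inside the range labeled vnc_port_t, a comment should say so, otherwise a reader will take it for a copy-paste error, and a dedicated port type would be the least-privilege choice. There is also no `corenet_tcp_bind_generic_node(openwsman_t)`, which a TCP bind normally needs unless it is granted elsewhere, so this should be confirmed against the daemon's AVCs. `openwsman_admin` grants no `admin_pattern` for openwsman_log_t or openwsman_run_t, so an admin role cannot manage the log and pid files the .fc labels, and "domin" in the openwsman_domtrans summary should read "domain".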
@@ -54399,6 +58681,241 @@ index 0000000..0493b99
 +optional_policy(`
 +    modutils_domtrans_insmod(oracleasm_t)
 +')
+diff --git a/osad.fc b/osad.fc
+new file mode 100644
+index 0000000..1e1eceb
+--- /dev/null
++++ b/osad.fc
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/osad	--	gen_context(system_u:object_r:osad_initrc_exec_t,s0)
++
++/usr/sbin/osad		--	gen_context(system_u:object_r:osad_exec_t,s0)
++
++/var/log/osad		--	gen_context(system_u:object_r:osad_log_t,s0)
++
++/var/run/osad.*		--	gen_context(system_u:object_r:osad_var_run_t,s0)
+diff --git a/osad.if b/osad.if
+new file mode 100644
+index 0000000..05648bd
+--- /dev/null
++++ b/osad.if
+@@ -0,0 +1,165 @@
++
++## <summary>Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher. </summary>
++
++########################################
++## <summary>
++##	Execute osad in the osad domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`osad_domtrans',`
++	gen_require(`
++		type osad_t, osad_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, osad_exec_t, osad_t)
++')
++
++########################################
++## <summary>
++##	Execute osad server in the osad domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_initrc_domtrans',`
++	gen_require(`
++		type osad_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, osad_initrc_exec_t)
++')
++########################################
++## <summary>
++##	Read osad's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`osad_read_log',`
++	gen_require(`
++		type osad_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, osad_log_t, osad_log_t)
++')
++
++########################################
++## <summary>
++##	Append to osad log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_append_log',`
++	gen_require(`
++		type osad_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, osad_log_t, osad_log_t)
++')
++
++########################################
++## <summary>
++##	Manage osad log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_manage_log',`
++	gen_require(`
++		type osad_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, osad_log_t, osad_log_t)
++	manage_files_pattern($1, osad_log_t, osad_log_t)
++	manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
++')
++########################################
++## <summary>
++##	Read osad PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`osad_read_pid_files',`
++	gen_require(`
++		type osad_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, osad_var_run_t, osad_var_run_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an osad environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`osad_admin',`
++	gen_require(`
++		type osad_t;
++		type osad_initrc_exec_t;
++		type osad_log_t;
++		type osad_var_run_t;
++	')
++
++	allow $1 osad_t:process { signal_perms };
++	ps_process_pattern($1, osad_t)
++
++    	tunable_policy(`deny_ptrace',`',`
++        	allow $1 osad_t:process ptrace;
++    	')
++
++	osad_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 osad_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, osad_log_t)
++
++	files_search_pids($1)
++	admin_pattern($1, osad_var_run_t)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/osad.te b/osad.te
+new file mode 100644
+index 0000000..a40fcc3
+--- /dev/null
++++ b/osad.te
+@@ -0,0 +1,45 @@
++policy_module(osad, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type osad_t;
++type osad_exec_t;
++init_daemon_domain(osad_t, osad_exec_t)
++
++type osad_initrc_exec_t;
++init_script_file(osad_initrc_exec_t)
++
++type osad_log_t;
++logging_log_file(osad_log_t)
++
++type osad_var_run_t;
++files_pid_file(osad_var_run_t)
++
++########################################
++#
++# osad local policy
++#
++allow osad_t self:process setpgid;
++
++manage_files_pattern(osad_t, osad_log_t, osad_log_t)
++logging_log_filetrans(osad_t, osad_log_t, { file })
++
++manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
++files_pid_filetrans(osad_t, osad_var_run_t, { file})
++
++kernel_read_system_state(osad_t)
++
++auth_read_passwd(osad_t)
++
++dev_read_urand(osad_t)
++
++optional_policy(`
++    gnome_dontaudit_search_config(osad_t)
++')
++
++optional_policy(`
++    rhnsd_manage_config(osad_t)
++')
 diff --git a/pacemaker.fc b/pacemaker.fc
 index 2f0ad56..d4da0b8 100644
 --- a/pacemaker.fc
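Review bot: osad.te gives osad_t no socket or corenet rules at all, although the module summary in osad.if describes a client that talks to osa-dispatcher and runs rhn_check; there is likewise no `corecmd_exec_bin(osad_t)`, which a Python daemon usually needs for its interpreter, and no exec or transition rule for rhn_check. If the domain is being shipped permissive these denials will only surface as audit noise and the policy will enforce nothing once permissive mode is lifted, so the tcp_socket and `corenet_tcp_connect_*` rules should be derived from the daemon's actual AVCs now. Minor: `files_pid_filetrans(osad_t, osad_var_run_t, { file})` is missing the space before the closing brace, and "domin" in the osad_domtrans summary should read "domain".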
@@ -55108,6 +59625,468 @@ index 3ad10b5..49baca5 100644
  	seutil_sigchld_newrole(cardmgr_t)
  ')
  
+diff --git a/pcp.fc b/pcp.fc
+new file mode 100644
+index 0000000..9b8cb6b
+--- /dev/null
++++ b/pcp.fc
+@@ -0,0 +1,28 @@
++/etc/rc\.d/init\.d/pmcd		--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pmlogger 	--      gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pmproxy 	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pmwebd      --       gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pmie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pmmgr    --      gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
++
++/usr/bin/pmie       --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/bin/pmcd	    --	    gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
++/usr/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
++/usr/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
++/usr/bin/pmwebd	    --	    gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
++/usr/bin/pmmgr      --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
++
++
++/usr/libexec/pcp/bin/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
++/usr/libexec/pcp/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
++/usr/libexec/pcp/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
++/usr/libexec/pcp/bin/pmwebd	--	gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
++/usr/libexec/pcp/bin/pmie     --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/libexec/pcp/bin/pmmgr  --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
++
++/var/lib/pcp(/.*)?		gen_context(system_u:object_r:pcp_var_lib_t,s0)
++
++/var/log/pcp(/.*)?		gen_context(system_u:object_r:pcp_log_t,s0)
++
++/var/run/pcp(/.*)?		gen_context(system_u:object_r:pcp_var_run_t,s0)
++/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
+diff --git a/pcp.if b/pcp.if
+new file mode 100644
+index 0000000..ba24b40
+--- /dev/null
++++ b/pcp.if
+@@ -0,0 +1,139 @@
++## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
++
++######################################
++## <summary>
++##  Creates types and rules for a basic
++##  pcp daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`pcp_domain_template',`
++    gen_require(`
++        attribute pcp_domain;
++    ')
++
++    type pcp_$1_t, pcp_domain;
++    type pcp_$1_exec_t;
++    init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)
++
++    type pcp_$1_initrc_exec_t;
++    init_script_file(pcp_$1_initrc_exec_t)
++
++')
++
++######################################
++## <summary>
++##  Allow domain to read pcp lib files
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++interface(`pcp_read_lib_files',`
++    gen_require(`
++        type pcp_var_lib_t;
++    ')
++    libs_search_lib($1)
++    read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
++')
++
++########################################
++## <summary>
++##  All of the rules required to administrate
++##  an pcp environment
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pcp_admin',`
++    gen_require(`
++        type pcp_pmcd_t;
++        type pcp_pmlogger_t;
++        type pcp_pmproxy_t;
++        type pcp_pmwebd_t;
++        type pcp_pmie_t;
++        type pcp_pmmgr_t;
++        type pcp_var_run_t;
++    ')
++
++    allow $1 pcp_pmcd_t:process signal_perms;
++    ps_process_pattern($1, pcp_pmcd_t)
++
++    allow $1 pcp_pmlogger_t:process signal_perms;
++    ps_process_pattern($1, pcp_pmlogger_t)
++
++    allow $1 pcp_pmproxy_t:process signal_perms;
++    ps_process_pattern($1, pcp_pmproxy_t)
++
++    allow $1 pcp_pmwebd_t:process signal_perms;
++    ps_process_pattern($1, pcp_pmwebd_t)
++
++    allow $1 pcp_pmie_t:process signal_perms;
++    ps_process_pattern($1, pcp_pmie_t)
++
++    allow $1 pcp_pmmgr_t:process signal_perms;
++    ps_process_pattern($1, pcp_pmmgr_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 pcp_pmcd_t:process ptrace;
++        allow $1 pcp_pmlogger_t:process ptrace;
++        allow $1 pcp_pmproxy_t:process ptrace;
++        allow $1 pcp_pmwebd_t:process ptrace;
++        allow $1 pcp_pmie_t:process ptrace;
++        allow $1 pcp_pmmgr_t:process ptrace;
++    ')
++
++    files_search_pids($1)
++    admin_pattern($1, pcp_var_run_t)
++')
++
++########################################
++## <summary>
++##  Allow the specified domain to execute pcp_pmie
++##  in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pcp_pmie_exec',`
++    gen_require(`
++        type pcp_pmie_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    can_exec($1, pcp_pmie_exec_t)
++')
++
++########################################
++## <summary>
++##  Allow the specified domain to execute pcp_pmlogger
++##  in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pcp_pmlogger_exec',`
++    gen_require(`
++        type pcp_pmlogger_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    can_exec($1, pcp_pmlogger_exec_t)
++')
++
+diff --git a/pcp.te b/pcp.te
+new file mode 100644
+index 0000000..b756da3
+--- /dev/null
++++ b/pcp.te
+@@ -0,0 +1,277 @@
++policy_module(pcp, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow pcp to bind to all unreserved_ports
++## </p>
++## </desc>
++gen_tunable(pcp_bind_all_unreserved_ports, false)
++
++attribute pcp_domain;
++
++pcp_domain_template(pmcd)
++pcp_domain_template(pmlogger)
++pcp_domain_template(pmproxy)
++pcp_domain_template(pmwebd)
++pcp_domain_template(pmie)
++pcp_domain_template(pmmgr)
++
++type pcp_log_t;
++logging_log_file(pcp_log_t)
++
++type pcp_var_lib_t;
++files_type(pcp_var_lib_t)
++
++type pcp_var_run_t;
++files_pid_file(pcp_var_run_t)
++
++type pcp_tmp_t;
++files_tmp_file(pcp_tmp_t)
++
++type pcp_tmpfs_t;
++files_tmpfs_file(pcp_tmpfs_t)
++
++########################################
++#
++# pcp domain local  policy
++#
++
++allow pcp_domain self:capability { setuid setgid dac_override };
++allow pcp_domain self:process signal_perms;
++allow pcp_domain self:tcp_socket create_stream_socket_perms;
++allow pcp_domain self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
++manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
++logging_log_filetrans(pcp_domain, pcp_log_t, { dir })
++
++manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
++manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
++exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
++files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})
++
++manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
++manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
++manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
++files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
++manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
++manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
++files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })
++
++manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
++manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
++fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file })
++
++dev_read_urand(pcp_domain)
++
++files_read_etc_files(pcp_domain)
++
++fs_getattr_all_fs(pcp_domain)
++
++auth_read_passwd(pcp_domain)
++
++miscfiles_read_generic_certs(pcp_domain)
++
++sysnet_read_config(pcp_domain)
++
++########################################
++#
++# pcp_pmcd local  policy
++#
++
++allow pcp_pmcd_t self:process { setsched };
++allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
++
++auth_use_nsswitch(pcp_pmcd_t)
++
++kernel_get_sysvipc_info(pcp_pmcd_t)
++kernel_read_network_state(pcp_pmcd_t)
++kernel_read_system_state(pcp_pmcd_t)
++kernel_read_state(pcp_pmcd_t)
++kernel_read_fs_sysctls(pcp_pmcd_t)
++kernel_read_rpc_sysctls(pcp_pmcd_t)
++kernel_read_debugfs(pcp_pmcd_t)
++
++corecmd_exec_bin(pcp_pmcd_t)
++
++corenet_tcp_bind_amqp_port(pcp_pmcd_t)
++corenet_tcp_connect_amqp_port(pcp_pmcd_t)
++corenet_tcp_connect_http_port(pcp_pmcd_t)
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmcd_t)
++
++domain_read_all_domains_state(pcp_pmcd_t)
++domain_getattr_all_domains(pcp_pmcd_t)
++
++dev_getattr_all_blk_files(pcp_pmcd_t)
++dev_getattr_all_chr_files(pcp_pmcd_t)
++dev_read_sysfs(pcp_pmcd_t)
++dev_read_urand(pcp_pmcd_t)
++
++fs_getattr_all_fs(pcp_pmcd_t)
++fs_getattr_all_dirs(pcp_pmcd_t)
++fs_list_cgroup_dirs(pcp_pmcd_t)
++fs_read_cgroup_files(pcp_pmcd_t)
++
++hostname_exec(pcp_pmcd_t)
++
++init_read_utmp(pcp_pmcd_t)
++
++logging_send_syslog_msg(pcp_pmcd_t)
++
++sendmail_read_log(pcp_pmcd_t)
++
++storage_getattr_fixed_disk_dev(pcp_pmcd_t)
++
++userdom_read_user_tmp_files(pcp_pmcd_t)
++
++tunable_policy(`pcp_bind_all_unreserved_ports',`
++    corenet_sendrecv_all_server_packets(pcp_pmcd_t)
++    corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
++')
++
++optional_policy(`
++    dbus_system_bus_client(pcp_pmcd_t)
++
++    optional_policy(`
++        avahi_dbus_chat(pcp_pmcd_t)
++    ')
++')
++
++optional_policy(`
++    unconfined_domain(pcp_pmcd_t)
++')
++
++optional_policy(`
++    rpm_read_db(pcp_pmcd_t)
++')
++
++optional_policy(`
++    rpcbind_stream_connect(pcp_pmcd_t)
++')
++
++optional_policy(`
++    pcp_pmie_exec(pcp_pmcd_t)
++')
++
++optional_policy(`
++    mta_read_config(pcp_pmcd_t)
++')
++
++########################################
++#
++# pcp_pmproxy local  policy
++#
++
++allow pcp_pmproxy_t self:process setsched;
++allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
++
++auth_use_nsswitch(pcp_pmproxy_t)
++
++logging_send_syslog_msg(pcp_pmproxy_t)
++
++optional_policy(`
++    unconfined_domain(pcp_pmproxy_t)
++')
++
++########################################
++#
++# pcp_pmwebd local  policy
++#
++
++corenet_tcp_bind_generic_node(pcp_pmwebd_t)
++
++optional_policy(`
++    unconfined_domain(pcp_pmwebd_t)
++')
++
++########################################
++#
++# pcp_pmmgr local  policy
++#
++
++allow pcp_pmmgr_t self:process { setpgid };
++allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
++allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
++
++kernel_read_system_state(pcp_pmmgr_t)
++
++auth_use_nsswitch(pcp_pmmgr_t)
++
++corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
++
++corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
++corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
++
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
++
++corecmd_exec_bin(pcp_pmmgr_t)
++
++logging_send_syslog_msg(pcp_pmmgr_t)
++
++optional_policy(`
++    pcp_pmie_exec(pcp_pmmgr_t)
++    pcp_pmlogger_exec(pcp_pmmgr_t)
++')
++
++optional_policy(`
++    unconfined_domain(pcp_pmmgr_t)
++')
++
++########################################
++#
++# pcp_pmie local  policy
++#
++
++allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
++
++allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
++
++kernel_read_system_state(pcp_pmie_t)
++
++corecmd_exec_bin(pcp_pmie_t)
++
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
++
++logging_send_syslog_msg(pcp_pmie_t)
++
++userdom_read_user_tmp_files(pcp_pmie_t)
++
++optional_policy(`
++    unconfined_domain(pcp_pmie_t)
++')
++
++########################################
++#
++# pcp_pmlogger local  policy
++#
++
++allow pcp_pmlogger_t self:process setpgid;
++allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
++
++allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
++
++corenet_tcp_bind_generic_node(pcp_pmlogger_t)
++corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
++corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
++corenet_tcp_bind_amqp_port(pcp_pmlogger_t)
++
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmlogger_t)
++
++tunable_policy(`pcp_bind_all_unreserved_ports',`
++    corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
++    corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
++')
++
++optional_policy(`
++    unconfined_domain(pcp_pmlogger_t)
++')
 diff --git a/pcscd.if b/pcscd.if
 index 43d50f9..7f77d32 100644
 --- a/pcscd.if
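Review bot: every pcp domain (pmcd, pmproxy, pmwebd, pmmgr, pmie, pmlogger) is given `unconfined_domain(...)` inside an `optional_policy` block in pcp.te, which on any system with the unconfined module loaded turns all six into unconfined domains and makes the detailed rules above them, including the `pcp_bind_all_unreserved_ports` tunable, dead policy. If this is a stop-gap while the module stabilizes it should be marked as such with a comment and removed before the domains are considered confined; otherwise drop the blocks and use permissive mode for development instead. Two smaller items: `/var/run/pmcd\.socket -- ` in pcp.fc declares a regular file, so if that path is a unix socket it needs `-s` for restorecon to label it; and `pcp_read_lib_files` calls `libs_search_lib($1)`, which grants search on /usr/lib, whereas pcp_var_lib_t lives under /var/lib, so the caller needs `files_search_var_lib($1)` to reach it.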
@@ -55122,12 +60101,15 @@ index 43d50f9..7f77d32 100644
  
  ########################################
 diff --git a/pcscd.te b/pcscd.te
-index 96db654..ff3aadd 100644
+index 96db654..a958595 100644
 --- a/pcscd.te
 +++ b/pcscd.te
-@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ #
+ 
  allow pcscd_t self:capability { dac_override dac_read_search fsetid };
- allow pcscd_t self:process signal;
+-allow pcscd_t self:process signal;
++allow pcscd_t self:process { signal signull };
  allow pcscd_t self:fifo_file rw_fifo_file_perms;
 -allow pcscd_t self:unix_stream_socket { accept listen };
 -allow pcscd_t self:tcp_socket { accept listen };
@@ -55145,7 +60127,14 @@ index 96db654..ff3aadd 100644
  corenet_all_recvfrom_netlabel(pcscd_t)
  corenet_tcp_sendrecv_generic_if(pcscd_t)
  corenet_tcp_sendrecv_generic_node(pcscd_t)
-@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t)
+@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
+ corenet_tcp_connect_http_port(pcscd_t)
+ corenet_tcp_sendrecv_http_port(pcscd_t)
+ 
++domain_read_all_domains_state(pcscd_t)
++
+ dev_rw_generic_usb_dev(pcscd_t)
+ dev_rw_smartcard(pcscd_t)
  dev_rw_usbfs(pcscd_t)
  dev_read_sysfs(pcscd_t)
  
@@ -55153,7 +60142,7 @@ index 96db654..ff3aadd 100644
  files_read_etc_runtime_files(pcscd_t)
  
  term_use_unallocated_ttys(pcscd_t)
-@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t)
+@@ -60,16 +61,22 @@ locallogin_use_fds(pcscd_t)
  
  logging_send_syslog_msg(pcscd_t)
  
@@ -55161,8 +60150,24 @@ index 96db654..ff3aadd 100644
 -
  sysnet_dns_name_resolve(pcscd_t)
  
++userdom_read_all_users_state(pcscd_t)
++
  optional_policy(`
-@@ -85,3 +82,7 @@ optional_policy(`
+ 	dbus_system_bus_client(pcscd_t)
+ 
+ 	optional_policy(`
+ 		hal_dbus_chat(pcscd_t)
+ 	')
++
++    optional_policy(`
++        policykit_dbus_chat(pcscd_t)
++        policykit_dbus_chat_auth(pcscd_t)
++    ')
++
+ ')
+ 
+ optional_policy(`
+@@ -85,3 +92,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(pcscd_t)
  ')
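Review bot: `userdom_read_all_users_state(pcscd_t)` widens pcscd's view to the process state of all user domains on top of the `domain_read_all_domains_state` added earlier in this patch; whichever client-lookup path needs this should be named in a comment so the grant can be revisited. The new `policykit_dbus_chat`/`policykit_dbus_chat_auth` block is indented with four spaces while the surrounding `optional_policy` blocks in pcscd.te use tabs, and the blank line before the closing `')` is superfluous.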
@@ -55171,10 +60176,10 @@ index 96db654..ff3aadd 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..31122bd 100644
+index dfd46e4..d40433a 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
-@@ -1,15 +1,26 @@
+@@ -1,15 +1,32 @@
 -/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
 +
 +/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -55198,17 +60203,23 @@ index dfd46e4..31122bd 100644
 +/var/lib/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
  
 -/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
-+#openlmi agents
++/var/run/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0)
++
 +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
++
 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
++
++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
++
 +/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
 +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt   --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
 diff --git a/pegasus.if b/pegasus.if
 index d2fc677..ded726f 100644
 --- a/pegasus.if
@@ -55310,7 +60321,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..22a5b66 100644
+index 7bcf327..6c3afa0 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -55334,13 +60345,14 @@ index 7bcf327..22a5b66 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,269 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
 +# pegasus openlmi providers
 +pegasus_openlmi_domain_template(admin)
 +typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
++typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;
 +
 +pegasus_openlmi_domain_template(account)
 +domain_obj_id_change_exemption(pegasus_openlmi_account_t)
@@ -55356,6 +60368,9 @@ index 7bcf327..22a5b66 100644
 +type pegasus_openlmi_storage_lib_t;
 +files_type(pegasus_openlmi_storage_lib_t)
 +
++type pegasus_openlmi_storage_var_run_t;
++files_pid_file(pegasus_openlmi_storage_var_run_t)
++
 +pegasus_openlmi_domain_template(system)
 +typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
 +pegasus_openlmi_domain_template(unconfined)
@@ -55480,7 +60495,8 @@ index 7bcf327..22a5b66 100644
 +# pegasus openlmi system (networking) local policy
 +#
 +
-+allow pegasus_openlmi_system_t self:capability { net_admin };
++allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };
++allow pegasus_openlmi_system_t self:process signal_perms;
 +
 +allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
 +
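Review bot: `allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };` adds the reboot capability to a domain whose section header still reads "system (networking)" and which is aliased as pegasus_openlmi_networking_t; the PowerManagement agent is labeled with pegasus_openlmi_system_exec_t in this patch and is presumably what needs it, but the Fan and Networking providers can now reboot the host as well. Either split PowerManagement into its own domain or, at minimum, change the header to `# pegasus openlmi system (networking, fan, power management) local policy` and add a comment stating why sys_boot is required.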
@@ -55489,6 +60505,11 @@ index 7bcf327..22a5b66 100644
 +dev_rw_sysfs(pegasus_openlmi_system_t)
 +dev_read_urand(pegasus_openlmi_system_t)
 +
++init_read_utmp(pegasus_openlmi_system_t)
++
++systemd_config_power_services(pegasus_openlmi_system_t)
++systemd_dbus_chat_logind(pegasus_openlmi_system_t)
++
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_openlmi_system_t)
 +')
@@ -55502,9 +60523,12 @@ index 7bcf327..22a5b66 100644
 +# pegasus openlmi service local policy
 +#
 +
++init_manage_transient_unit(pegasus_openlmi_admin_t)
 +init_disable_services(pegasus_openlmi_admin_t)
 +init_enable_services(pegasus_openlmi_admin_t)
 +init_reload_services(pegasus_openlmi_admin_t)
++init_status(pegasus_openlmi_admin_t)
++init_reboot(pegasus_openlmi_admin_t)
 +init_exec(pegasus_openlmi_admin_t)
 +
 +systemd_config_all_services(pegasus_openlmi_admin_t)
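Review bot: `init_reboot(pegasus_openlmi_admin_t)` extends the Service provider's domain from managing units to rebooting the host, and together with `init_manage_transient_unit`, which allows starting arbitrary transient units, the domain ends up with near-complete control over init. That may be exactly what the LMI_Service API exposes, but since this patch also labels the Journald agent with this domain's exec type the rationale should be recorded, e.g. `# LMI_Service exposes reboot/transient units via the CIM API; init_reboot required`, and reboot kept out of any agent that does not need it.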
@@ -55515,6 +60539,14 @@ index 7bcf327..22a5b66 100644
 +
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_openlmi_admin_t)
++    
++    optional_policy(`
++        init_dbus_chat(pegasus_openlmi_admin_t)
++    ')
++')
++
++optional_policy(`
++    sssd_stream_connect(pegasus_openlmi_admin_t)
 +')
 +
 +######################################
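Review bot: `init_dbus_chat(pegasus_openlmi_admin_t)` is wrapped in a nested `optional_policy` even though init is a base module that is always present; the outer `dbus_system_bus_client` optional already covers the dbus dependency, so the inner wrapper can very likely be dropped. The blank line after `dbus_system_bus_client(pegasus_openlmi_admin_t)` carries trailing whitespace, and the new block is indented with spaces while the rest of pegasus.te uses tabs.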
@@ -55522,7 +60554,10 @@ index 7bcf327..22a5b66 100644
 +# pegasus openlmi storage local policy
 +#
 +
-+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio };
++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock };
++allow pegasus_openlmi_storage_t self:process setrlimit;
++
++allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
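Review bot: The widened `allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock }` plus `self:process setrlimit` lets the storage provider raise its own resource limits and pin memory, and nothing in the hunk records which code path needs that. `ipc_lock` is usually wanted by cryptsetup/LUKS code locking key buffers and `sys_resource`/`setrlimit` by an RLIMIT_MEMLOCK or RLIMIT_NOFILE bump, but both are guesses from the domain's purpose. A comment on the line, e.g. `# ipc_lock/sys_resource: cryptsetup mlock()s key material and raises RLIMIT_MEMLOCK (confirm)`, would keep the capabilities from being carried forward blindly.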
@@ -55532,9 +60567,16 @@ index 7bcf327..22a5b66 100644
 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
 +files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
 +
++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
++files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
++
 +kernel_read_all_sysctls(pegasus_openlmi_storage_t)
++kernel_read_network_state(pegasus_openlmi_storage_t)
 +kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
++kernel_request_load_module(pegasus_openlmi_storage_t)
 +
++dev_read_raw_memory(pegasus_openlmi_storage_t)
 +dev_read_rand(pegasus_openlmi_storage_t)
 +dev_read_urand(pegasus_openlmi_storage_t)
 +
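Review bot: `dev_read_raw_memory(pegasus_openlmi_storage_t)` grants read on the /dev/mem-class devices to a provider that already holds `sys_rawio` and raw disk access, so with this line the storage provider can read physical memory (subject only to the kernel's STRICT_DEVMEM) and is effectively unconfined. The obvious /dev/mem consumer here is dmidecode, and the same domain already has `dmidecode_domtrans`, so the SMBIOS read should stay inside dmidecode_t; if the denial came from a library poking /dev/mem in-process, a `dev_dontaudit_read_raw_memory(pegasus_openlmi_storage_t)` is the safer first step until the real caller is known. `kernel_request_load_module` on the same domain is also worth a one-line comment naming which module autoload triggers it, given the domain separately gets `modutils_domtrans_insmod` further down.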
@@ -55545,9 +60587,13 @@ index 7bcf327..22a5b66 100644
 +
 +seutil_read_file_contexts(pegasus_openlmi_storage_t)
 +
++storage_raw_read_removable_device(pegasus_openlmi_storage_t)
++storage_raw_write_removable_device(pegasus_openlmi_storage_t)
 +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
 +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
 +
++files_read_kernel_modules(pegasus_openlmi_storage_t)
++
 +fs_getattr_all_fs(pegasus_openlmi_storage_t)
 +
 +modutils_domtrans_insmod(pegasus_openlmi_storage_t)
@@ -55555,6 +60601,10 @@ index 7bcf327..22a5b66 100644
 +udev_domtrans(pegasus_openlmi_storage_t)
 +udev_read_pid_files(pegasus_openlmi_storage_t)
 +
++init_read_state(pegasus_openlmi_storage_t)
++
++miscfiles_read_hwdata(pegasus_openlmi_storage_t)
++
 +optional_policy(`
 +    dmidecode_domtrans(pegasus_openlmi_storage_t)  
 +')
@@ -55564,7 +60614,18 @@ index 7bcf327..22a5b66 100644
 +')
 +
 +optional_policy(`
++    iscsi_manage_lock(pegasus_openlmi_storage_t)
++    iscsi_read_lib_files(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++    libs_exec_ldconfig(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
 +    lvm_domtrans(pegasus_openlmi_storage_t)
++    lvm_read_metadata(pegasus_openlmi_storage_t)
++    lvm_write_metadata(pegasus_openlmi_storage_t)
 +')
 +
 +optional_policy(`
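Review bot: `libs_exec_ldconfig(pegasus_openlmi_storage_t)` is wrapped in its own `optional_policy(` block, but the libraries module is part of the base policy, so the wrapper does nothing and reads as if ldconfig support were optional; the plain call is clearer, or `libs_domtrans_ldconfig(pegasus_openlmi_storage_t)` if ldconfig actually needs to rewrite the cache and should run in ldconfig_t. A storage provider executing ldconfig at all is unusual enough that a comment on what triggers it would help the next reader. The `lvm_write_metadata` addition inside the lvm block lets this domain modify LVM metadata directly rather than only through `lvm_domtrans`; if the provider drives the lvm tools via the transition, the direct write may be unnecessary and is worth re-checking against the original denial.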
@@ -55609,7 +60670,7 @@ index 7bcf327..22a5b66 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -55640,7 +60701,7 @@ index 7bcf327..22a5b66 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -55673,7 +60734,7 @@ index 7bcf327..22a5b66 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -55681,7 +60742,11 @@ index 7bcf327..22a5b66 100644
  
  domain_use_interactive_fds(pegasus_t)
  domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t)
++domain_named_filetrans(pegasus_t)
+ 
+ files_list_var_lib(pegasus_t)
+ files_read_var_lib_files(pegasus_t)
+@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
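Review bot: `domain_named_filetrans(pegasus_t)` appears to be the distribution-specific aggregate that hands a domain every per-module named file transition, which is a very broad grant for a CIM broker and hides which transition was actually needed. If a specific denial prompted it, the targeted `<module>_filetrans_named_content(pegasus_t)` interface for that one module keeps the policy reviewable; if the aggregate really is required because the providers create named content across many modules, a comment saying so, e.g. `# providers create named content for many modules; use the aggregate filetrans`, should accompany the rule. The surrounding block starts before this hunk.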
@@ -55697,12 +60762,16 @@ index 7bcf327..22a5b66 100644
  optional_policy(`
 -	dbus_system_bus_client(pegasus_t)
 -	dbus_connect_system_bus(pegasus_t)
-+    dbus_system_bus_client(pegasus_t)
-+    dbus_connect_system_bus(pegasus_t)
++	dmidecode_domtrans(pegasus_t)
++')
  
 -	optional_policy(`
 -		networkmanager_dbus_chat(pegasus_t)
 -	')
++optional_policy(`
++    dbus_system_bus_client(pegasus_t)
++    dbus_connect_system_bus(pegasus_t)
++
 +    optional_policy(`
 +	networkmanager_dbus_chat(pegasus_t)
 +    ')
@@ -55713,7 +60782,7 @@ index 7bcf327..22a5b66 100644
  ')
  
  optional_policy(`
-@@ -151,16 +401,24 @@ optional_policy(`
+@@ -151,16 +456,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55742,7 +60811,7 @@ index 7bcf327..22a5b66 100644
  ')
  
  optional_policy(`
-@@ -168,7 +426,7 @@ optional_policy(`
+@@ -168,7 +481,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55751,6 +60820,15 @@ index 7bcf327..22a5b66 100644
  ')
  
  optional_policy(`
+@@ -180,6 +493,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    virt_getattr_images(pegasus_t)
++    virt_getattr_content(pegasus_t)
+ 	virt_domtrans(pegasus_t)
+ 	virt_stream_connect(pegasus_t)
+ 	virt_manage_config(pegasus_t)
 diff --git a/pesign.fc b/pesign.fc
 new file mode 100644
 index 0000000..7b54c39
@@ -56791,10 +61869,10 @@ index 0000000..848ddc9
 +')
 diff --git a/pkcsslotd.te b/pkcsslotd.te
 new file mode 100644
-index 0000000..2ce92e0
+index 0000000..a82ca85
 --- /dev/null
 +++ b/pkcsslotd.te
-@@ -0,0 +1,67 @@
+@@ -0,0 +1,69 @@
 +policy_module(pkcsslotd, 1.0.0)
 +
 +########################################
@@ -56862,9 +61940,11 @@ index 0000000..2ce92e0
 +auth_read_passwd(pkcsslotd_t)
 +
 +logging_send_syslog_msg(pkcsslotd_t)
++
++userdom_read_all_users_state(pkcsslotd_t)
 diff --git a/pki.fc b/pki.fc
 new file mode 100644
-index 0000000..726d992
+index 0000000..e6592ea
 --- /dev/null
 +++ b/pki.fc
 @@ -0,0 +1,56 @@
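Review bot: `userdom_read_all_users_state(pkcsslotd_t)` lets the slot daemon read the /proc state of every user process, which is broader than what a daemon checking whether its shared-memory clients are still alive normally needs. If the underlying denial was a `getattr` or `signull` on user processes, `userdom_signull_unpriv_users(pkcsslotd_t)` or an equivalent getattr-only interface would be narrower; if it genuinely reads /proc/<pid> content, a comment naming the reason (e.g. `# pkcsslotd walks /proc to reap dead shared-memory clients (confirm)`) would justify the wider grant.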
@@ -56873,7 +61953,7 @@ index 0000000..726d992
 +/var/run/pki/tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
 +/var/log/pki/pki-tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_log_t,s0)
 +/etc/sysconfig/pki/tomcat(/.*)? 	gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/log/pki                            gen_context(system_u:object_r:pki_log_t,s0)
++/var/log/pki(/.*)?                            gen_context(system_u:object_r:pki_log_t,s0)
 +/usr/bin/pkidaemon                      gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
 +/etc/pki/pki-tomcat/alias(/.*)?         gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
 +
@@ -57226,10 +62306,10 @@ index 0000000..b975b85
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..17f5d18
+index 0000000..d1265c4
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,291 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -57259,7 +62339,7 @@ index 0000000..17f5d18
 +files_type(pki_tomcat_etc_rw_t)
 +
 +type pki_tomcat_cert_t;
-+files_type(pki_tomcat_cert_t)
++miscfiles_cert_type(pki_tomcat_cert_t)
 +
 +tomcat_domain_template(pki_tomcat)
 +
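Review bot: Switching `pki_tomcat_cert_t` from `files_type` to `miscfiles_cert_type` puts /etc/pki/pki-tomcat/alias into the generic `cert_type` attribute, so every domain that calls `miscfiles_read_all_certs` gains read access to that directory. An NSS alias directory typically holds the key database (key3.db/key4.db) next to the certificates, so unless those files are labeled separately this exposes the CA's private-key material to unrelated domains, a regression from the previous `files_type`. If the goal is to let specific consumers read the certificates, keep `files_type(pki_tomcat_cert_t)` and add targeted `read_files_pattern` grants, or give the key database its own type that is not `cert_type`.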
@@ -57305,6 +62385,7 @@ index 0000000..17f5d18
 +#
 +
 +allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++dontaudit  pki_tomcat_t self:capability net_admin;
 +allow pki_tomcat_t self:process { signal setsched signull execmem };
 +
 +allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
@@ -57342,6 +62423,7 @@ index 0000000..17f5d18
 +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
 +
 +kernel_read_kernel_sysctls(pki_tomcat_t)
++kernel_read_net_sysctls(pki_tomcat_t)
 +
 +corenet_tcp_connect_http_cache_port(pki_tomcat_t)
 +corenet_tcp_connect_ldap_port(pki_tomcat_t)
@@ -57380,6 +62462,10 @@ index 0000000..17f5d18
 +        hostname_exec(pki_tomcat_t)
 +')
 +
++optional_policy(`
++    ipa_read_lib(pki_tomcat_t)
++')
++
 +#######################################
 +#
 +# tps local policy
@@ -57412,6 +62498,7 @@ index 0000000..17f5d18
 +
 +corenet_tcp_bind_pki_ra_port(pki_ra_t)
 +# talk to other subsystems
++corenet_tcp_connect_http_port(pki_ra_t)
 +corenet_tcp_connect_pki_ca_port(pki_ra_t)
 +corenet_tcp_connect_smtp_port(pki_ra_t)
 +
@@ -57515,10 +62602,10 @@ index 0000000..17f5d18
 +')
 +
 diff --git a/plymouthd.fc b/plymouthd.fc
-index 735500f..ef1dd7a 100644
+index 735500f..2ba6832 100644
 --- a/plymouthd.fc
 +++ b/plymouthd.fc
-@@ -1,15 +1,15 @@
+@@ -1,15 +1,14 @@
 -/bin/plymouth	--	gen_context(system_u:object_r:plymouth_exec_t,s0)
 +/bin/plymouth			--	gen_context(system_u:object_r:plymouth_exec_t,s0)
  
@@ -57539,11 +62626,11 @@ index 735500f..ef1dd7a 100644
 +/usr/sbin/plymouthd		--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
  
 -/var/run/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
- 
+-
 -/var/spool/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_spool_t,s0)
++/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
 diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..3985ff9 100644
+index 30e751f..61feb3a 100644
 --- a/plymouthd.if
 +++ b/plymouthd.if
 @@ -1,4 +1,4 @@
@@ -57731,7 +62818,7 @@ index 30e751f..3985ff9 100644
  	gen_require(`
  		type plymouthd_var_run_t;
  	')
-@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
+@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -57756,17 +62843,39 @@ index 30e751f..3985ff9 100644
 +	read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
 +')
 +
++#####################################
++## <summary>
++##  Allow the specified domain to create plymouthd's log files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`plymouthd_create_log',`
++    gen_require(`
++        type plymouthd_var_log_t;
++    ')
++
++    logging_search_logs($1)
++    create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++')
++
 +########################################
 +## <summary>
 +##	Allow the specified domain to manage
 +##	to plymouthd log files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Role allowed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`plymouthd_admin',`
 +interface(`plymouthd_manage_log',`
 +	gen_require(`
 +		type plymouthd_var_log_t;
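Review bot: The new `plymouthd_create_log` interface is indented with four spaces while the rest of plymouthd.if, including the `plymouthd_manage_log` body immediately below, uses tabs, so the file now mixes both styles; `\tgen_require(\``, `\t\ttype plymouthd_var_log_t;` and `\tlogging_search_logs($1)` would match. Functionally the interface only grants `create_files_pattern` on plymouthd_var_log_t, which does not include write access to the /var/log directory or a name transition, so a caller still needs its own `logging_rw_generic_log_dirs` and a filetrans interface to actually create boot.log; the summary could say so, e.g. `## Create plymouthd log files (caller must separately obtain /var/log dir access and the filetrans)`.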
@@ -57788,12 +62897,12 @@ index 30e751f..3985ff9 100644
 +##      </summary>
 +## </param>
 +#
-+interface(`plymouthd_create_log',`
++interface(`plymouthd_filetrans_named_content',`
++
 +    gen_require(`
 +        type plymouthd_var_log_t;
 +    ')
 +    
-+    logging_rw_generic_log_dirs($1)
 +    logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
 +')
 +
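Review bot: Renaming the old `plymouthd_create_log` body to `plymouthd_filetrans_named_content` while dropping `logging_rw_generic_log_dirs($1)` changes the contract: the interface now only installs the `boot.log` name transition, and a caller that previously got /var/log directory write access from it must obtain that elsewhere or the transition never fires. The summary just above the hunk presumably still describes the create-log behaviour and should be updated, e.g. `## Transition to plymouthd_var_log_t when creating boot.log in /var/log`. The stray blank line between `interface(\`plymouthd_filetrans_named_content',\`` and its `gen_require` is also unlike the rest of the file.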
@@ -57803,14 +62912,11 @@ index 30e751f..3985ff9 100644
 +##	an plymouthd environment
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Role allowed access.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`plymouthd_admin',`
++##	</summary>
++## </param>
++#
 +interface(`plymouthd_admin', `
  	gen_require(`
  		type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
@@ -57837,7 +62943,7 @@ index 30e751f..3985ff9 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/plymouthd.te b/plymouthd.te
-index b1f412b..3a3249a 100644
+index b1f412b..b78836f 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
 @@ -1,4 +1,4 @@
@@ -57855,7 +62961,7 @@ index b1f412b..3a3249a 100644
  
  type plymouthd_var_lib_t;
  files_type(plymouthd_var_lib_t)
-@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t)
+@@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t)
  
  ########################################
  #
@@ -57868,9 +62974,11 @@ index b1f412b..3a3249a 100644
  allow plymouthd_t self:capability2 block_suspend;
 +dontaudit plymouthd_t self:capability dac_override;
  allow plymouthd_t self:process { signal getsched };
++allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow plymouthd_t self:fifo_file rw_fifo_file_perms;
  allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ 
+@@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
  files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
  
  manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
@@ -57881,13 +62989,13 @@ index b1f412b..3a3249a 100644
  logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
  
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t)
  
  fs_getattr_all_fs(plymouthd_t)
  
 -files_read_etc_files(plymouthd_t)
 -files_read_usr_files(plymouthd_t)
- 
+-
  term_getattr_pty_fs(plymouthd_t)
  term_use_all_terms(plymouthd_t)
  term_use_ptmx(plymouthd_t)
@@ -57913,12 +63021,16 @@ index b1f412b..3a3249a 100644
  ')
  
  optional_policy(`
-@@ -90,35 +96,33 @@ optional_policy(`
+@@ -90,35 +96,37 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	xserver_manage_xdm_spool_files(plymouthd_t)
 -	xserver_read_xdm_state(plymouthd_t)
++    udev_read_pid_files(plymouthd_t)
++')
++
++optional_policy(`
 +	xserver_xdm_manage_spool(plymouthd_t)
 +	xserver_read_state_xdm(plymouthd_t)
  ')
@@ -58873,7 +63985,7 @@ index ae27bb7..d00f6ba 100644
 +	allow $1 polipo_unit_file_t:service all_service_perms;
  ')
 diff --git a/polipo.te b/polipo.te
-index 316d53a..35d9018 100644
+index 316d53a..6646219 100644
 --- a/polipo.te
 +++ b/polipo.te
 @@ -1,4 +1,4 @@
@@ -58949,7 +64061,7 @@ index 316d53a..35d9018 100644
  
  type polipo_cache_t;
  files_type(polipo_cache_t)
-@@ -56,112 +63,97 @@ files_type(polipo_cache_t)
+@@ -56,112 +63,98 @@ files_type(polipo_cache_t)
  type polipo_log_t;
  logging_log_file(polipo_log_t)
  
@@ -59002,6 +64114,7 @@ index 316d53a..35d9018 100644
 +corenet_tcp_bind_http_cache_port(polipo_daemon)
 +corenet_sendrecv_http_cache_server_packets(polipo_daemon)
 +corenet_tcp_connect_http_port(polipo_daemon)
++corenet_tcp_connect_http_cache_port(polipo_daemon)
 +corenet_tcp_connect_tor_port(polipo_daemon)
 +corenet_tcp_connect_flash_port(polipo_daemon)
  
@@ -59238,7 +64351,7 @@ index 5ad5291..7f1ae2a 100644
  	portreserve_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/portreserve.te b/portreserve.te
-index a38b57a..aa9d604 100644
+index a38b57a..49758db 100644
 --- a/portreserve.te
 +++ b/portreserve.te
 @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
@@ -59249,13 +64362,17 @@ index a38b57a..aa9d604 100644
  corenet_all_recvfrom_netlabel(portreserve_t)
  corenet_tcp_sendrecv_generic_if(portreserve_t)
  corenet_udp_sendrecv_generic_if(portreserve_t)
-@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t)
+@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t)
  corenet_tcp_bind_all_ports(portreserve_t)
  corenet_udp_bind_all_ports(portreserve_t)
  
 -files_read_etc_files(portreserve_t)
- 
+-
  userdom_dontaudit_search_user_home_content(portreserve_t)
++
++optional_policy(`
++    sssd_search_lib(portreserve_t)
++')
 diff --git a/portslave.te b/portslave.te
 index e85e33d..a7d7c55 100644
 --- a/portslave.te
@@ -59370,7 +64487,7 @@ index c0e8785..c0e0959 100644
 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
  /var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_flush_t,s0)
 diff --git a/postfix.if b/postfix.if
-index 2e23946..0b76d72 100644
+index 2e23946..d8a163f 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -1,4 +1,4 @@
@@ -59701,7 +64818,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',`
+@@ -382,14 +367,31 @@ interface(`postfix_domtrans_master',`
  		type postfix_master_t, postfix_master_exec_t;
  	')
  
@@ -59709,7 +64826,6 @@ index 2e23946..0b76d72 100644
  	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
  ')
  
-+
  ########################################
  ## <summary>
 -##	Execute the master postfix program
@@ -59737,7 +64853,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -402,21 +405,18 @@ interface(`postfix_exec_master',`
+@@ -402,21 +404,18 @@ interface(`postfix_exec_master',`
  		type postfix_master_exec_t;
  	')
  
@@ -59760,7 +64876,7 @@ index 2e23946..0b76d72 100644
  #
  interface(`postfix_stream_connect_master',`
  	gen_require(`
-@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',`
+@@ -428,8 +427,7 @@ interface(`postfix_stream_connect_master',`
  
  ########################################
  ## <summary>
@@ -59770,7 +64886,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',`
+@@ -437,15 +435,18 @@ interface(`postfix_stream_connect_master',`
  ##	</summary>
  ## </param>
  #
@@ -59793,7 +64909,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',`
+@@ -458,14 +459,13 @@ interface(`postfix_domtrans_postdrop',`
  		type postfix_postdrop_t, postfix_postdrop_exec_t;
  	')
  
@@ -59809,7 +64925,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',`
+@@ -478,30 +478,85 @@ interface(`postfix_domtrans_postqueue',`
  		type postfix_postqueue_t, postfix_postqueue_exec_t;
  	')
  
@@ -59829,18 +64945,15 @@ index 2e23946..0b76d72 100644
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain allowed to transition.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <param name="role">
 +##  <summary>
 +##  The role to be allowed the iptables domain.
 +##  </summary>
 +## </param>
 +## <rolecap/>
- #
--interface(`posftix_exec_postqueue',`
--	refpolicywarn(`$0($*) has been deprecated.')
--	postfix_exec_postqueue($1)
++#
 +
 +interface(`postfix_run_postqueue',`
 +	gen_require(`
@@ -59850,8 +64963,8 @@ index 2e23946..0b76d72 100644
 +	postfix_domtrans_postqueue($1)
 +	role $2 types postfix_postqueue_t;
 +	allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
- ')
- 
++')
++
 +########################################
 +## <summary>
 +##	Execute postfix_postgqueue in the postfix_postgqueue domain.
@@ -59883,10 +64996,13 @@ index 2e23946..0b76d72 100644
 +## <param name="role">
 +##	<summary>
 +##	Role allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+-	refpolicywarn(`$0($*) has been deprecated.')
+-	postfix_exec_postqueue($1)
 +interface(`postfix_run_postgqueue',`
 +	gen_require(`
 +		type postfix_postgqueue_t;
@@ -59894,8 +65010,8 @@ index 2e23946..0b76d72 100644
 +
 +	postfix_domtrans_postgqueue($1)
 +	role $2 types postfix_postgqueue_t;
-+')
-+
+ ')
+ 
 +
  #######################################
  ## <summary>
@@ -59905,7 +65021,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',`
+@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',`
  		type postfix_postqueue_exec_t;
  	')
  
@@ -59920,7 +65036,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',`
+@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -59936,7 +65052,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',`
+@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',`
  		type postfix_private_t;
  	')
  
@@ -59953,7 +65069,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',`
+@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',`
  		type postfix_smtp_t, postfix_smtp_exec_t;
  	')
  
@@ -59969,7 +65085,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',`
+@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',`
  ##	</summary>
  ## </param>
  #
@@ -59978,7 +65094,7 @@ index 2e23946..0b76d72 100644
  	gen_require(`
  		attribute postfix_spool_type;
  	')
-@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',`
+@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',`
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -59992,7 +65108,7 @@ index 2e23946..0b76d72 100644
  ')
  
  ########################################
-@@ -626,11 +680,11 @@ interface(`postfix_search_spool',`
+@@ -626,11 +679,11 @@ interface(`postfix_search_spool',`
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -60006,7 +65122,7 @@ index 2e23946..0b76d72 100644
  ')
  
  ########################################
-@@ -645,17 +699,16 @@ interface(`postfix_list_spool',`
+@@ -645,17 +698,16 @@ interface(`postfix_list_spool',`
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -60027,7 +65143,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +717,50 @@ interface(`postfix_read_spool_files',`
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -60080,7 +65196,7 @@ index 2e23946..0b76d72 100644
  ')
  
  ########################################
-@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +784,8 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  ########################################
  ## <summary>
@@ -60091,7 +65207,7 @@ index 2e23946..0b76d72 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',`
  #
  interface(`postfix_admin',`
  	gen_require(`
@@ -60250,7 +65366,7 @@ index 2e23946..0b76d72 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..f19bca4 100644
+index 191a66f..cd766c0 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -60432,9 +65548,8 @@ index 191a66f..f19bca4 100644
 -########################################
 -#
 -# Common postfix user domain local policy
-+# Postfix master process local policy
- #
- 
+-#
+-
 -allow postfix_user_domains self:capability dac_override;
 -
 -domain_use_interactive_fds(postfix_user_domains)
@@ -60442,8 +65557,9 @@ index 191a66f..f19bca4 100644
 -########################################
 -#
 -# Master local policy
--#
--
++# Postfix master process local policy
+ #
+ 
 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
 +# chown is to set the correct ownership of queue dirs
 +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -60499,7 +65615,7 @@ index 191a66f..f19bca4 100644
  manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
  manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
--
+ 
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -60511,24 +65627,24 @@ index 191a66f..f19bca4 100644
 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
- 
+-
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
 -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- 
+-
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-+kernel_read_all_sysctls(postfix_master_t)
- 
--can_exec(postfix_master_t, postfix_exec_t)
 -
+-can_exec(postfix_master_t, postfix_exec_t)
++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ 
 -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
--
++kernel_read_all_sysctls(postfix_master_t)
+ 
 -corenet_all_recvfrom_unlabeled(postfix_master_t)
  corenet_all_recvfrom_netlabel(postfix_master_t)
  corenet_tcp_sendrecv_generic_if(postfix_master_t)
@@ -60740,7 +65856,7 @@ index 191a66f..f19bca4 100644
  ')
  
  optional_policy(`
-@@ -434,6 +335,7 @@ optional_policy(`
+@@ -434,16 +335,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60748,7 +65864,14 @@ index 191a66f..f19bca4 100644
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
  	mailman_read_log(postfix_local_t)
-@@ -444,6 +346,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    munin_search_lib(postfix_local_t)
++')
++
++optional_policy(`
+ 	nagios_search_spool(postfix_local_t)
  ')
  
  optional_policy(`
@@ -60759,7 +65882,7 @@ index 191a66f..f19bca4 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -458,15 +364,17 @@ optional_policy(`
+@@ -458,15 +368,17 @@ optional_policy(`
  
  ########################################
  #
@@ -60783,7 +65906,7 @@ index 191a66f..f19bca4 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -60803,7 +65926,7 @@ index 191a66f..f19bca4 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -60811,7 +65934,7 @@ index 191a66f..f19bca4 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -60837,7 +65960,7 @@ index 191a66f..f19bca4 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -60857,7 +65980,24 @@ index 191a66f..f19bca4 100644
  #
  
  allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +484,26 @@ optional_policy(`
+ 
+ write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
++write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+ 
+ write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+ 
+@@ -549,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+ corecmd_exec_bin(postfix_pipe_t)
+ 
+ optional_policy(`
++    cyrus_stream_connect(postfix_pipe_t)
++')
++
++optional_policy(`
+ 	dovecot_domtrans_deliver(postfix_pipe_t)
+ ')
+ 
+@@ -576,19 +493,26 @@ optional_policy(`
  
  ########################################
  #
@@ -60889,7 +66029,7 @@ index 191a66f..f19bca4 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +518,7 @@ optional_policy(`
+@@ -603,10 +527,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -60901,7 +66041,7 @@ index 191a66f..f19bca4 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -621,17 +533,24 @@ optional_policy(`
+@@ -621,17 +542,24 @@ optional_policy(`
  
  #######################################
  #
@@ -60929,7 +66069,7 @@ index 191a66f..f19bca4 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +566,77 @@ optional_policy(`
+@@ -647,67 +575,77 @@ optional_policy(`
  
  ########################################
  #
@@ -61025,7 +66165,7 @@ index 191a66f..f19bca4 100644
  ')
  
  optional_policy(`
-@@ -720,29 +649,30 @@ optional_policy(`
+@@ -720,29 +658,30 @@ optional_policy(`
  
  ########################################
  #
@@ -61064,7 +66204,7 @@ index 191a66f..f19bca4 100644
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
  	dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +684,7 @@ optional_policy(`
+@@ -754,6 +693,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -61072,7 +66212,7 @@ index 191a66f..f19bca4 100644
  ')
  
  optional_policy(`
-@@ -764,31 +695,99 @@ optional_policy(`
+@@ -764,31 +704,99 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -63078,7 +68218,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index d447152..73c437c 100644
+index d447152..f3e6fbf 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -1,4 +1,4 @@
@@ -63113,7 +68253,7 @@ index d447152..73c437c 100644
  allow procmail_t procmail_log_t:dir setattr_dir_perms;
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
  
@@ -63145,6 +68285,7 @@ index d447152..73c437c 100644
 -corecmd_exec_bin(procmail_t)
 -corecmd_exec_shell(procmail_t)
  
++dev_read_rand(procmail_t)
  dev_read_urand(procmail_t)
  
 -fs_getattr_all_fs(procmail_t)
@@ -63167,10 +68308,10 @@ index d447152..73c437c 100644
  
 -miscfiles_read_localization(procmail_t)
 +init_read_utmp(procmail_t)
-+
+ 
 +logging_send_syslog_msg(procmail_t)
 +logging_append_all_logs(procmail_t)
- 
++
 +list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
 +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
  userdom_search_user_home_dirs(procmail_t)
@@ -63192,17 +68333,17 @@ index d447152..73c437c 100644
 +userdom_manage_user_tmp_dirs(procmail_t)
 +userdom_manage_user_tmp_files(procmail_t)
 +userdom_manage_user_tmp_symlinks(procmail_t)
-+
-+# Execute user executables
-+userdom_exec_user_bin_files(procmail_t)
-+
-+mta_manage_spool(procmail_t)
-+mta_read_queue(procmail_t)
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(procmail_t)
 -	fs_manage_cifs_files(procmail_t)
 -	fs_manage_cifs_symlinks(procmail_t)
++# Execute user executables
++userdom_exec_user_bin_files(procmail_t)
++
++mta_manage_spool(procmail_t)
++mta_read_queue(procmail_t)
++
 +ifdef(`hide_broken_symptoms',`
 +	mta_dontaudit_rw_queue(procmail_t)
  ')
@@ -63219,6 +68360,7 @@ index d447152..73c437c 100644
  optional_policy(`
 -	cyrus_stream_connect(procmail_t)
 +	dovecot_stream_connect(procmail_t)
++	dovecot_read_config(procmail_t)
  ')
  
  optional_policy(`
@@ -63257,15 +68399,25 @@ index d447152..73c437c 100644
  ')
  
  optional_policy(`
-@@ -131,6 +152,8 @@ optional_policy(`
+@@ -131,6 +154,9 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	mta_read_config(procmail_t)
++	mta_mailserver_delivery(procmail_t)
 +	mta_manage_home_rw(procmail_t)
  	sendmail_domtrans(procmail_t)
  	sendmail_signal(procmail_t)
  	sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+@@ -145,3 +171,8 @@ optional_policy(`
+ 	spamassassin_domtrans_client(procmail_t)
+ 	spamassassin_read_lib_files(procmail_t)
+ ')
++
++optional_policy(`
++    zarafa_stream_connect_server(procmail_t)
++    zarafa_domtrans_deliver(procmail_t)
++')
 diff --git a/prosody.fc b/prosody.fc
 new file mode 100644
 index 0000000..96a0d9f
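Review bot: `mta_mailserver_delivery(procmail_t)` is placed inside the sendmail `optional_policy` block, so procmail only joins the delivery attribute when the sendmail module is loaded, while the other mta_ calls in this file (`mta_manage_spool(procmail_t)`, `mta_read_queue(procmail_t)` above) are unconditional; if procmail is meant to be a delivery domain regardless of sendmail, move the call next to `mta_manage_spool(procmail_t)`, otherwise a one-line comment on why it is tied to sendmail would help. The new zarafa block is indented with four spaces where the spamassassin block above uses tabs; the same space indentation appears in the dnsmasq/iptables/openvswitch blocks of quantum.te, the dbus block of raid.te and the new rasdaemon, rdisc and redis interfaces below, and tabs would match the files.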
@@ -64236,7 +69388,7 @@ index fa3dc8e..99cfa95 100644
 +	ps_process_pattern($1, pulseaudio_t)
  ')
 diff --git a/pulseaudio.te b/pulseaudio.te
-index e31bbe1..822ab6c 100644
+index e31bbe1..5f0e288 100644
 --- a/pulseaudio.te
 +++ b/pulseaudio.te
 @@ -1,4 +1,4 @@
@@ -64253,7 +69405,8 @@ index e31bbe1..822ab6c 100644
 -
  type pulseaudio_t;
  type pulseaudio_exec_t;
- init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+-init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
++#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
  userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
 -role pulseaudio_roles types pulseaudio_t;
 +role system_r types pulseaudio_t;
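Review bot: `#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` keeps the removed call as a commented-out line with no explanation, which reads as an unfinished change rather than a decision. Either delete the line or replace it with a comment stating why pulseaudio is no longer an init daemon domain, e.g. `# not an init daemon; per-user instance via userdom_user_application_domain` (confirm the reason before wording it). The enclosing section of pulseaudio.te continues outside this hunk.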
@@ -67877,10 +73030,10 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..0ef5efc 100644
+index 769d1fd..52bad99 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -1,96 +1,109 @@
+@@ -1,96 +1,132 @@
 -policy_module(quantum, 1.0.2)
 +policy_module(quantum, 1.0.3)
  
@@ -67930,55 +73083,52 @@ index 769d1fd..0ef5efc 100644
 -allow quantum_t self:key manage_key_perms;
 -allow quantum_t self:tcp_socket { accept listen };
 -allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { setgid setuid sys_resource };
++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
 +allow neutron_t self:process { setsched setrlimit };
 +allow neutron_t self:fifo_file rw_fifo_file_perms;
 +allow neutron_t self:key manage_key_perms;
 +allow neutron_t self:tcp_socket { accept listen };
 +allow neutron_t self:unix_stream_socket { accept listen };
- 
--manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
--append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--logging_log_filetrans(quantum_t, quantum_log_t, dir)
++allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
++
 +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 +logging_log_filetrans(neutron_t, neutron_log_t, dir)
  
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
  
--manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
  
--can_exec(quantum_t, quantum_tmp_t)
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
 +can_exec(neutron_t, neutron_tmp_t)
  
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
+-can_exec(quantum_t, quantum_tmp_t)
 +kernel_read_kernel_sysctls(neutron_t)
 +kernel_read_system_state(neutron_t)
++kernel_read_network_state(neutron_t)
++kernel_request_load_module(neutron_t)
  
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
 +corecmd_exec_shell(neutron_t)
 +corecmd_exec_bin(neutron_t)
  
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
 +corenet_all_recvfrom_unlabeled(neutron_t)
 +corenet_all_recvfrom_netlabel(neutron_t)
 +corenet_tcp_sendrecv_generic_if(neutron_t)
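Review bot: The capability rule for neutron_t grows to `{ sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }` with no comment saying which operation each capability is for, and sys_admin plus sys_ptrace together move a network service domain a long way from least privilege. Each broad capability should carry a why-comment next to the rule, e.g. `# net_admin/net_raw/sys_admin: presumably netns and interface management - confirm; sys_ptrace: <denial or bug id placeholder>`, so the next reviewer can tell whether it can be narrowed. The same applies to the added `kernel_request_load_module(neutron_t)`, which lets the daemon trigger kernel module loading. This hunk is part of a larger reordering of quantum.te that continues in the next hunk.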
@@ -67986,67 +73136,93 @@ index 769d1fd..0ef5efc 100644
 +corenet_tcp_sendrecv_all_ports(neutron_t)
 +corenet_tcp_bind_generic_node(neutron_t)
  
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
 +corenet_tcp_bind_neutron_port(neutron_t)
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
  
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
++domain_named_filetrans(neutron_t)
+ 
 -files_read_usr_files(quantum_t)
-+dev_list_sysfs(neutron_t)
++dev_read_sysfs(neutron_t)
 +dev_read_urand(neutron_t)
++dev_mounton_sysfs(neutron_t)
++dev_mount_sysfs_fs(neutron_t)
++dev_unmount_sysfs_fs(neutron_t)
  
 -auth_use_nsswitch(quantum_t)
-+auth_use_nsswitch(neutron_t)
++files_mounton_non_security(neutron_t)
  
 -libs_exec_ldconfig(quantum_t)
-+libs_exec_ldconfig(neutron_t)
++auth_use_nsswitch(neutron_t)
  
 -logging_send_audit_msgs(quantum_t)
 -logging_send_syslog_msg(quantum_t)
-+logging_send_audit_msgs(neutron_t)
-+logging_send_syslog_msg(neutron_t)
++libs_exec_ldconfig(neutron_t)
  
 -miscfiles_read_localization(quantum_t)
-+sysnet_exec_ifconfig(neutron_t)
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
  
 -sysnet_domtrans_ifconfig(quantum_t)
-+optional_policy(`
-+	brctl_domtrans(neutron_t)
-+')
++sysnet_exec_ifconfig(neutron_t)
++sysnet_manage_ifconfig_run(neutron_t)
++sysnet_filetrans_named_content_ifconfig(neutron_t)
  
  optional_policy(`
 -	brctl_domtrans(quantum_t)
-+	mysql_stream_connect(neutron_t)
-+	mysql_read_config(neutron_t)
-+
-+	mysql_tcp_connect(neutron_t)
++	brctl_domtrans(neutron_t)
  ')
  
  optional_policy(`
 -	mysql_stream_connect(quantum_t)
 -	mysql_read_config(quantum_t)
-+	postgresql_stream_connect(neutron_t)
-+	postgresql_unpriv_client(neutron_t)
++    dnsmasq_domtrans(neutron_t)
++    dnsmasq_signal(neutron_t)
++    dnsmasq_kill(neutron_t)
++    dnsmasq_read_state(neutron_t)
++')
  
 -	mysql_tcp_connect(quantum_t)
-+	postgresql_tcp_connect(neutron_t)
++optional_policy(`
++    iptables_domtrans(neutron_t)
  ')
  
  optional_policy(`
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
++	mysql_stream_connect(neutron_t)
++	mysql_read_config(neutron_t)
+ 
+-	postgresql_tcp_connect(quantum_t)
++	mysql_tcp_connect(neutron_t)
+ ')
++
++optional_policy(`
++	postgresql_stream_connect(neutron_t)
++	postgresql_unpriv_client(neutron_t)
++
++	postgresql_tcp_connect(neutron_t)
++')
++
++optional_policy(`
 +    openvswitch_domtrans(neutron_t)
 +    openvswitch_stream_connect(neutron_t)
 +')
- 
--	postgresql_tcp_connect(quantum_t)
++
 +optional_policy(`
 +	sudo_exec(neutron_t)
- ')
++')  
 diff --git a/quota.fc b/quota.fc
-index cadabe3..0ee2489 100644
+index cadabe3..54ba01d 100644
 --- a/quota.fc
 +++ b/quota.fc
 @@ -1,6 +1,5 @@
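Review bot: The closing `')  ` of the sudo_exec block carries trailing whitespace and should be `')`; the new dnsmasq, iptables and openvswitch blocks are also indented with four spaces while the neighbouring brctl, mysql and postgresql blocks use tabs. `files_mounton_non_security(neutron_t)` together with `dev_mount_sysfs_fs`/`dev_unmount_sysfs_fs` and `dev_mounton_sysfs` lets the daemon mount over a wide set of non-security-labelled locations, which deserves a comment naming what it actually mounts; if it is only sysfs inside a namespace, the sysfs-specific interfaces alone may be enough (hedged, the motivating denial is not visible here). The switch from `dev_list_sysfs(neutron_t)` to `dev_read_sysfs(neutron_t)` is a broadening worth a word in the commit message.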
@@ -68057,7 +73233,7 @@ index cadabe3..0ee2489 100644
  
  /a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
  
-@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
  
  /etc/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
  
@@ -68073,6 +73249,7 @@ index cadabe3..0ee2489 100644
  
  /var/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
 +/var/lib/quota(/.*)?			gen_context(system_u:object_r:quota_flag_t,s0)
++/var/spool/cron/a?quota\.(user|group) --	gen_context(system_u:object_r:quota_db_t,s0)
 +/var/spool/(.*/)?a?quota\.(user|group) --	gen_context(system_u:object_r:quota_db_t,s0)
  
 -/var/lib/quota(/.*)?	gen_context(system_u:object_r:quota_flag_t,s0)
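Review bot: The new `/var/spool/cron/a?quota\.(user|group)` entry assigns the same `quota_db_t` context that the `/var/spool/(.*/)?a?quota\.(user|group)` line directly below already gives to that path, so it adds no coverage on its own. It only does something if it is meant to out-rank a more specific cron spool entry from another module on specificity; if that is the intent, say so in a comment such as `# more specific than the cron spool entry so quota files under cron keep quota_db_t`, otherwise drop the line.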
@@ -68491,7 +73668,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..136b017 100644
+index 3698b51..7d5630f 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -68513,7 +73690,7 @@ index 3698b51..136b017 100644
  allow rabbitmq_beam_t self:process { setsched signal signull };
  allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,50 +43,85 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  
  manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -68549,35 +73726,39 @@ index 3698b51..136b017 100644
  corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
  corenet_tcp_bind_generic_node(rabbitmq_beam_t)
 +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
++corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
- corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
- corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
- corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
  
--dev_read_sysfs(rabbitmq_beam_t)
+ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
++corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
++corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
 +corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-+
 +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
 +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-+
++corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
+ corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
++corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+ 
+-dev_read_sysfs(rabbitmq_beam_t)
 +domain_read_all_domains_state(rabbitmq_beam_t)
-+
-+auth_read_passwd(rabbitmq_beam_t)
-+auth_use_pam(rabbitmq_beam_t)
  
 -files_read_etc_files(rabbitmq_beam_t)
-+files_getattr_all_mountpoints(rabbitmq_beam_t)
++auth_read_passwd(rabbitmq_beam_t)
++auth_use_pam(rabbitmq_beam_t)
  
 -miscfiles_read_localization(rabbitmq_beam_t)
++files_getattr_all_mountpoints(rabbitmq_beam_t)
++
 +fs_getattr_all_fs(rabbitmq_beam_t)
 +fs_getattr_all_dirs(rabbitmq_beam_t)
 +fs_getattr_cgroup(rabbitmq_beam_t)
 +fs_search_cgroup_dirs(rabbitmq_beam_t)
 +
-+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
-+
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
 +
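Review bot: `corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)` joins the existing `corenet_tcp_connect_all_ephemeral_ports`, letting the beam VM listen on any ephemeral port without a comment saying why. Presumably this is for the Erlang distribution listener; a note such as `# Erlang distribution listener binds an ephemeral port` would make the grant reviewable, and pinning the port range in the rabbitmq configuration with a dedicated port type would be narrower. The rest of the hunk reorders existing corenet_/auth_/fs_ lines without changing them.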
@@ -68588,10 +73769,7 @@ index 3698b51..136b017 100644
 +logging_send_syslog_msg(rabbitmq_beam_t)
 +
 +optional_policy(`
-+    couchdb_manage_lib_files(rabbitmq_beam_t)
-+    couchdb_read_conf_files(rabbitmq_beam_t)
-+    couchdb_read_log_files(rabbitmq_beam_t)
-+    couchdb_search_pid_dirs(rabbitmq_beam_t)
++    couchdb_manage_files(rabbitmq_beam_t)
 +')
 +
 +optional_policy(`
@@ -68607,7 +73785,16 @@ index 3698b51..136b017 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -89,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+ 
+ allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+ 
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++
+ corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
+ corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
+ corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
+@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
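Review bot: `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)` is inserted into the rabbitmq_epmd_t local-policy section, right after `allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;`, although it grants to rabbitmq_beam_t. It belongs in the beam section next to `manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)` earlier in the file; if that section already carries a files rule (not visible in this hunk), this one is a duplicate and should be dropped. Keeping rules grouped by domain is what the section comments promise.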
@@ -68810,20 +73997,22 @@ index b31f2d7..046f5b8 100644
  userdom_dontaudit_search_user_home_dirs(radvd_t)
  
 diff --git a/raid.fc b/raid.fc
-index 5806046..5578653 100644
+index 5806046..d83ec27 100644
 --- a/raid.fc
 +++ b/raid.fc
-@@ -3,6 +3,9 @@
+@@ -3,6 +3,11 @@
  
  /etc/rc\.d/init\.d/mdmonitor	--	gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
  
++/etc/mdadm\.conf    --  gen_context(system_u:object_r:mdadm_conf_t,s0)
++
 +/usr/lib/systemd/system/mdmon@.* --  gen_context(system_u:object_r:mdadm_unit_file_t,s0)
 +/usr/lib/systemd/system/mdmonitor.* --  gen_context(system_u:object_r:mdadm_unit_file_t,s0)
 +
  /sbin/iprdump	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/iprinit	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
-@@ -16,6 +19,7 @@
+@@ -16,6 +21,7 @@
  /usr/sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /usr/sbin/mdadm	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /usr/sbin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -68832,7 +74021,7 @@ index 5806046..5578653 100644
  
  /var/run/mdadm(/.*)?	gen_context(system_u:object_r:mdadm_var_run_t,s0)
 diff --git a/raid.if b/raid.if
-index 951db7f..98a0758 100644
+index 951db7f..c0cabe8 100644
 --- a/raid.if
 +++ b/raid.if
 @@ -1,9 +1,8 @@
@@ -68913,7 +74102,7 @@ index 951db7f..98a0758 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',`
+@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',`
  ##	</summary>
  ## </param>
  #
@@ -68981,7 +74170,7 @@ index 951db7f..98a0758 100644
 +
 +########################################
 +## <summary>
-+##	Manage mdadm config files.
++##	Read mdadm config files.
 +## </summary>
 +## <param name="domain">
  ##	<summary>
@@ -68992,7 +74181,7 @@ index 951db7f..98a0758 100644
 -## <rolecap/>
  #
 -interface(`raid_admin_mdadm',`
-+interface(`raid_manage_conf_files',`
++interface(`raid_read_conf_files',`
  	gen_require(`
 -		type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
 +		type mdadm_conf_t;
@@ -69000,7 +74189,24 @@ index 951db7f..98a0758 100644
  
 -	allow $1 mdadm_t:process { ptrace signal_perms };
 -	ps_process_pattern($1, mdadm_t)
--
++    read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
++')
++
++########################################
++## <summary>
++##	Manage mdadm config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`raid_manage_conf_files',`
++	gen_require(`
++		type mdadm_conf_t;
++	')
+ 
 -	init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
 -	domain_system_change_exemption($1)
 -	role_transition $2 mdadm_initrc_exec_t system_r;
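Review bot: `raid_read_conf_files` grants `read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)` but nothing that lets the caller search /etc to reach mdadm.conf, so a domain without its own /etc search access is still denied; add `files_search_etc($1)` before the pattern, and do the same in `raid_manage_conf_files`, whose body continues in the next hunk. The added `read_files_pattern` line is indented with four spaces while the rest of the interface uses tabs, and the `##      Domain allowed access.` summary lines use spaces where the surrounding block uses a tab.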
@@ -69029,10 +74235,10 @@ index 951db7f..98a0758 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..4699a1e 100644
+index 2c1730b..aa0ff54 100644
 --- a/raid.te
 +++ b/raid.te
-@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
+@@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t;
  type mdadm_initrc_exec_t;
  init_script_file(mdadm_initrc_exec_t)
  
@@ -69043,12 +74249,15 @@ index 2c1730b..4699a1e 100644
 +systemd_unit_file(mdadm_unit_file_t)
 +
 +type mdadm_tmp_t;
-+files_tmpfs_file(mdadm_tmp_t)
++files_tmp_file(mdadm_tmp_t)
++
++type mdadm_tmpfs_t;
++files_tmpfs_file(mdadm_tmpfs_t)
 +
  type mdadm_var_run_t alias mdadm_map_t;
  files_pid_file(mdadm_var_run_t)
  dev_associate(mdadm_var_run_t)
-@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t)
+@@ -25,43 +37,68 @@ dev_associate(mdadm_var_run_t)
  #
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -69066,6 +74275,10 @@ index 2c1730b..4699a1e 100644
 +manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
 +manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
 +files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
++
++manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
++manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
++fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, file)
  
  manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
@@ -69087,10 +74300,12 @@ index 2c1730b..4699a1e 100644
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
-@@ -49,19 +69,29 @@ corecmd_exec_shell(mdadm_t)
+ 
  dev_rw_sysfs(mdadm_t)
- dev_dontaudit_getattr_all_blk_files(mdadm_t)
- dev_dontaudit_getattr_all_chr_files(mdadm_t)
+-dev_dontaudit_getattr_all_blk_files(mdadm_t)
+-dev_dontaudit_getattr_all_chr_files(mdadm_t)
++dev_dontaudit_read_all_blk_files(mdadm_t)
++dev_dontaudit_read_all_chr_files(mdadm_t)
 +dev_read_crash(mdadm_t)
 +dev_read_framebuffer(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
@@ -69120,7 +74335,7 @@ index 2c1730b..4699a1e 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +107,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -69142,7 +74357,15 @@ index 2c1730b..4699a1e 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -93,13 +128,30 @@ optional_policy(`
+@@ -89,17 +131,38 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dbus_system_bus_client(mdadm_t)
++')
++
++optional_policy(`
+ 	gpm_dontaudit_getattr_gpmctl(mdadm_t)
  ')
  
  optional_policy(`
@@ -69173,6 +74396,235 @@ index 2c1730b..4699a1e 100644
 +optional_policy(`
 +	xserver_dontaudit_search_log(mdadm_t)
 +')
+diff --git a/rasdaemon.fc b/rasdaemon.fc
+new file mode 100644
+index 0000000..8e31dd0
+--- /dev/null
++++ b/rasdaemon.fc
+@@ -0,0 +1,9 @@
++/usr/lib/systemd/system/ras-mc-ctl.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
++
++/usr/lib/systemd/system/rasdaemon.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
++
++/usr/sbin/rasdaemon		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
++
++/usr/sbin/ras-mc-ctl		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
++
++/var/lib/rasdaemon(/.*)?		gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
+diff --git a/rasdaemon.if b/rasdaemon.if
+new file mode 100644
+index 0000000..a073efd
+--- /dev/null
++++ b/rasdaemon.if
+@@ -0,0 +1,156 @@
++
++## <summary>The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the rasdaemon domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rasdaemon_domtrans',`
++	gen_require(`
++		type rasdaemon_t, rasdaemon_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
++')
++
++########################################
++## <summary>
++##	Search rasdaemon lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_search_lib',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read rasdaemon lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_read_lib_files',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rasdaemon lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_manage_lib_files',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rasdaemon lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_manage_lib_dirs',`
++	gen_require(`
++		type rasdaemon_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute rasdaemon server in the rasdaemon domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rasdaemon_systemctl',`
++	gen_require(`
++		type rasdaemon_t;
++		type rasdaemon_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 rasdaemon_unit_file_t:file read_file_perms;
++	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, rasdaemon_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an rasdaemon environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rasdaemon_admin',`
++	gen_require(`
++		type rasdaemon_t;
++		type rasdaemon_var_lib_t;
++	type rasdaemon_unit_file_t;
++	')
++
++	allow $1 rasdaemon_t:process { ptrace signal_perms };
++	ps_process_pattern($1, rasdaemon_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, rasdaemon_var_lib_t)
++
++	rasdaemon_systemctl($1)
++	admin_pattern($1, rasdaemon_unit_file_t)
++	allow $1 rasdaemon_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/rasdaemon.te b/rasdaemon.te
+new file mode 100644
+index 0000000..6731d5c
+--- /dev/null
++++ b/rasdaemon.te
+@@ -0,0 +1,46 @@
++policy_module(rasdaemon, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rasdaemon_t;
++type rasdaemon_exec_t;
++init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
++
++type rasdaemon_var_lib_t;
++files_type(rasdaemon_var_lib_t)
++
++type rasdaemon_unit_file_t;
++systemd_unit_file(rasdaemon_unit_file_t)
++
++########################################
++#
++# rasdaemon local policy
++#
++allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
++allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
++files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file  })
++
++kernel_read_system_state(rasdaemon_t)
++kernel_manage_debugfs(rasdaemon_t)
++
++dev_read_raw_memory(rasdaemon_t)
++dev_read_sysfs(rasdaemon_t)
++dev_read_urand(rasdaemon_t)
++dev_rw_cpu_microcode(rasdaemon_t)
++
++modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
++
++auth_use_nsswitch(rasdaemon_t)
++
++logging_send_syslog_msg(rasdaemon_t)
++
++optional_policy(`
++    dmidecode_exec(rasdaemon_t)
++')
++
 diff --git a/razor.fc b/razor.fc
 index 6723f4d..6e26673 100644
 --- a/razor.fc
@@ -69682,11 +75134,92 @@ index 5ddedbc..4e15f29 100644
 +		milter_manage_spamass_state(razor_t)
 +	')
  ')
+diff --git a/rdisc.fc b/rdisc.fc
+index e9765c0..ea21331 100644
+--- a/rdisc.fc
++++ b/rdisc.fc
+@@ -1,3 +1,3 @@
+-/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
++/usr/lib/systemd/system/rdisc.*         --      gen_context(system_u:object_r:rdisc_unit_file_t,s0)
+ 
+ /usr/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
+diff --git a/rdisc.if b/rdisc.if
+index 170ef52..7dd9193 100644
+--- a/rdisc.if
++++ b/rdisc.if
+@@ -18,3 +18,57 @@ interface(`rdisc_exec',`
+ 	corecmd_search_bin($1)
+ 	can_exec($1, rdisc_exec_t)
+ ')
++
++########################################
++## <summary>
++##      Execute rdisc server in the rdisc domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++#
++interface(`rdisc_systemctl',`
++        gen_require(`
++                type rdisc_t;
++                type rdisc_unit_file_t;
++        ')
++
++        systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++        allow $1 rdisc_unit_file_t:file read_file_perms;
++        allow $1 rdisc_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, rdisc_t)
++')
++
++########################################
++## <summary>
++##      All of the rules required to administrate
++##      an rdisc environment
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`rdisc_admin',`
++        gen_require(`
++            type rdisc_t;
++            type rdisc_unit_file_t;
++        ')
++
++        allow $1 rdisc_t:process { ptrace signal_perms };
++        ps_process_pattern($1, rdisc_t)
++
++        rdisc_systemctl($1)
++        admin_pattern($1, rdisc_unit_file_t)
++        allow $1 rdisc_unit_file_t:service all_service_perms;
++        optional_policy(`
++                systemd_passwd_agent_exec($1)
++                systemd_read_fifo_file_passwd_run($1)
++        ')
++')
 diff --git a/rdisc.te b/rdisc.te
-index 9196c1d..3dac4d9 100644
+index 9196c1d..b775931 100644
 --- a/rdisc.te
 +++ b/rdisc.te
-@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
+@@ -9,6 +9,9 @@ type rdisc_t;
+ type rdisc_exec_t;
+ init_daemon_domain(rdisc_t, rdisc_exec_t)
+ 
++type rdisc_unit_file_t;
++systemd_unit_file(rdisc_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t)
  kernel_read_proc_symlinks(rdisc_t)
  kernel_read_kernel_sysctls(rdisc_t)
  
@@ -69694,7 +75227,7 @@ index 9196c1d..3dac4d9 100644
  corenet_all_recvfrom_netlabel(rdisc_t)
  corenet_udp_sendrecv_generic_if(rdisc_t)
  corenet_raw_sendrecv_generic_if(rdisc_t)
-@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t)
+@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t)
  
  domain_use_interactive_fds(rdisc_t)
  
@@ -70160,10 +75693,10 @@ index 9a8f052..3baa71a 100644
  ')
 diff --git a/redis.fc b/redis.fc
 new file mode 100644
-index 0000000..638d6b4
+index 0000000..741b785
 --- /dev/null
 +++ b/redis.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
 +/etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
 +
 +/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
@@ -70175,18 +75708,18 @@ index 0000000..638d6b4
 +/var/log/redis(/.*)?		gen_context(system_u:object_r:redis_log_t,s0)
 +
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
++/var/run/redis\.sock    --  gen_context(system_u:object_r:redis_var_run_t,s0)
 diff --git a/redis.if b/redis.if
 new file mode 100644
-index 0000000..72a2d7b
+index 0000000..2640ab5
 --- /dev/null
 +++ b/redis.if
-@@ -0,0 +1,271 @@
-+
-+## <summary>redis-server SELinux policy</summary>
+@@ -0,0 +1,266 @@
++## <summary>Advanced key-value store</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the redis domin.
++##	Execute redis server in the redis domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
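Review bot: `/var/run/redis\.sock    --  gen_context(system_u:object_r:redis_var_run_t,s0)` uses the `--` file-type flag, which matches only regular files, so a Unix socket at that path is not relabelled by this entry; it should use the socket flag: `/var/run/redis\.sock -s gen_context(system_u:object_r:redis_var_run_t,s0)`. Runtime creation is covered by the `files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })` added in redis.te below, so the fc entry only matters for restorecon, but it should still match the object it names.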
@@ -70220,6 +75753,7 @@ index 0000000..72a2d7b
 +
 +	init_labeled_script_domtrans($1, redis_initrc_exec_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read redis's log files.
@@ -70229,7 +75763,6 @@ index 0000000..72a2d7b
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
 +interface(`redis_read_log',`
 +	gen_require(`
@@ -70392,14 +75925,13 @@ index 0000000..72a2d7b
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 redis_unit_file_t:file read_file_perms;
 +	allow $1 redis_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, redis_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -70419,18 +75951,14 @@ index 0000000..72a2d7b
 +#
 +interface(`redis_admin',`
 +	gen_require(`
-+		type redis_t;
-+		type redis_initrc_exec_t;
-+		type redis_log_t;
-+		type redis_var_lib_t;
-+		type redis_var_run_t;
-+	type redis_unit_file_t;
++		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
++		type redis_log_t, redis_var_run_t, redis_unit_file_t;
 +	')
 +
 +	allow $1 redis_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, redis_t)
 +
-+	redis_initrc_domtrans($1)
++	init_labeled_script_domtrans($1, redis_initrc_exec_t)
 +	domain_system_change_exemption($1)
 +	role_transition $2 redis_initrc_exec_t system_r;
 +	allow $2 system_r;
@@ -70447,6 +75975,7 @@ index 0000000..72a2d7b
 +	redis_systemctl($1)
 +	admin_pattern($1, redis_unit_file_t)
 +	allow $1 redis_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -70454,10 +75983,10 @@ index 0000000..72a2d7b
 +')
 diff --git a/redis.te b/redis.te
 new file mode 100644
-index 0000000..e5e9cf7
+index 0000000..51cd1fe
 --- /dev/null
 +++ b/redis.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,64 @@
 +policy_module(redis, 1.0.0)
 +
 +########################################
@@ -70505,6 +76034,8 @@ index 0000000..e5e9cf7
 +manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 +manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 +manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })
 +
 +kernel_read_system_state(redis_t)
 +
@@ -70528,7 +76059,7 @@ index 327baf0..d8691bd 100644
 +
  # Remote login currently has no file contexts.
 diff --git a/remotelogin.if b/remotelogin.if
-index a9ce68e..31be971 100644
+index a9ce68e..92520aa 100644
 --- a/remotelogin.if
 +++ b/remotelogin.if
 @@ -1,4 +1,4 @@
@@ -70552,24 +76083,23 @@ index a9ce68e..31be971 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
+@@ -39,8 +38,7 @@ interface(`remotelogin_signal',`
  
- 	allow $1 remote_login_t:process signal;
- ')
--
--########################################
--## <summary>
+ ########################################
+ ## <summary>
 -##	Create, read, write, and delete
 -##	remote login temporary content.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	allow Domain to signal remote login domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -48,32 +46,10 @@ interface(`remotelogin_signal',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`remotelogin_manage_tmp_content',`
--	gen_require(`
++interface(`remotelogin_signull',`
+ 	gen_require(`
 -		type remote_login_tmp_t;
 -	')
 -
@@ -70591,12 +76121,14 @@ index a9ce68e..31be971 100644
 -interface(`remotelogin_relabel_tmp_content',`
 -	gen_require(`
 -		type remote_login_tmp_t;
--	')
--
++		type remote_login_t;
+ 	')
+ 
 -	files_search_tmp($1)
 -	allow $1 remote_login_tmp_t:dir relabel_dir_perms;
 -	allow $1 remote_login_tmp_t:file relabel_file_perms;
--')
++	allow $1 remote_login_t:process signull;
+ ')
 diff --git a/remotelogin.te b/remotelogin.te
 index c51a32c..bef8238 100644
 --- a/remotelogin.te
@@ -71190,10 +76722,10 @@ index b418d1c..1ad9c12 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..98a4280 100644
+index 47de2d6..5ad36aa 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,85 @@
+@@ -1,31 +1,88 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -71252,6 +76784,8 @@ index 47de2d6..98a4280 100644
 +/var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 +/var/run/groupd\.pid			--	gen_context(system_u:object_r:groupd_var_run_t,s0)
 +/var/run/haproxy\.pid           --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.stat.*        --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.sock.*        --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
 +/var/run/qdiskd\.pid			--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +
 +# cluster administrative domains file spec
@@ -71275,6 +76809,7 @@ index 47de2d6..98a4280 100644
 +/usr/sbin/ldirectord        --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/rgmanager         --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/pacemakerd    	--  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/pacemaker_remoted --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
 +/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
@@ -71303,7 +76838,7 @@ index 47de2d6..98a4280 100644
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..2e4d698 100644
+index 56bc01f..1337d42 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -71552,8 +77087,10 @@ index 56bc01f..2e4d698 100644
 +	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Read and write all cluster domains
+-##	shared memory.
 +##	Read and write to group shared memory.
 +## </summary>
 +## <param name="domain">
@@ -71573,10 +77110,8 @@ index 56bc01f..2e4d698 100644
 +	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 +')
 +
- ########################################
- ## <summary>
--##	Read and write all cluster domains
--##	shared memory.
++########################################
++## <summary>
 +##	Read and write to group shared memory.
  ## </summary>
  ## <param name="domain">
@@ -71604,7 +77139,7 @@ index 56bc01f..2e4d698 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,20 +423,44 @@ interface(`rhcs_rw_cluster_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -71616,49 +77151,65 @@ index 56bc01f..2e4d698 100644
  	')
  
 -	allow $1 groupd_t:sem { rw_sem_perms destroy };
--
--	fs_search_tmpfs($1)
--	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 +	files_search_pids($1)
 +	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
- ')
++')
  
--########################################
+-	fs_search_tmpfs($1)
+-	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 +#####################################
- ## <summary>
--##	Read and write groupd shared memory.
++## <summary>
 +##	Connect to cluster domains over a unix domain
 +##	stream socket.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhcs_stream_connect_cluster_to',`
++	gen_require(`
++		attribute cluster_domain;
++		attribute cluster_pid;
++	')
++
++    files_search_pids($1)
++    stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write groupd shared memory.
++##	Send a null signal to cluster.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -414,15 +468,12 @@ interface(`rhcs_rw_groupd_semaphores',`
+ ##	</summary>
+ ## </param>
  #
 -interface(`rhcs_rw_groupd_shm',`
-+interface(`rhcs_stream_connect_cluster_to',`
++interface(`rhcs_signull_cluster',`
  	gen_require(`
 -		type groupd_t, groupd_tmpfs_t;
-+		attribute cluster_domain;
-+		attribute cluster_pid;
++		type cluster_t;
  	')
  
 -	allow $1 groupd_t:shm { rw_shm_perms destroy };
 -
 -	fs_search_tmpfs($1)
 -	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+    files_search_pids($1)
-+    stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
++	allow $1 cluster_t:process signull;
  ')
  
  ######################################
-@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -71709,7 +77260,11 @@ index 56bc01f..2e4d698 100644
 +	files_search_var_lib($1)
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
-+
+ 
+-	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+-	domain_system_change_exemption($1)
+-	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+-	allow $2 system_r;
 +#####################################
 +## <summary>
 +##  Allow domain to manage cluster lib files
@@ -71725,16 +77280,14 @@ index 56bc01f..2e4d698 100644
 +        type cluster_var_lib_t;
 +    ')
  
--	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
--	domain_system_change_exemption($1)
--	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
--	allow $2 system_r;
+-	files_search_pids($1)
+-	admin_pattern($1, cluster_pid)
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
  
--	files_search_pids($1)
--	admin_pattern($1, cluster_pid)
+-	files_search_locks($1)
+-	admin_pattern($1, fenced_lock_t)
 +####################################
 +## <summary>
 +##  Allow domain to relabel cluster lib files
@@ -71755,8 +77308,8 @@ index 56bc01f..2e4d698 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
  
--	files_search_locks($1)
--	admin_pattern($1, fenced_lock_t)
+-	files_search_tmp($1)
+-	admin_pattern($1, fenced_tmp_t)
 +######################################
 +## <summary>
 +##  Execute a domain transition to run cluster administrative domain.
@@ -71772,14 +77325,14 @@ index 56bc01f..2e4d698 100644
 +        type cluster_t, cluster_exec_t;
 +    ')
  
--	files_search_tmp($1)
--	admin_pattern($1, fenced_tmp_t)
+-	files_search_var_lib($1)
+-	admin_pattern($1, qdiskd_var_lib_t)
 +    corecmd_search_bin($1)
 +    domtrans_pattern($1, cluster_exec_t, cluster_t)
 +')
  
--	files_search_var_lib($1)
--	admin_pattern($1, qdiskd_var_lib_t)
+-	fs_search_tmpfs($1)
+-	admin_pattern($1, cluster_tmpfs)
 +#######################################
 +## <summary>
 +##  Execute cluster init scripts in
@@ -71795,9 +77348,7 @@ index 56bc01f..2e4d698 100644
 +    gen_require(`
 +        type cluster_initrc_exec_t;
 +    ')
- 
--	fs_search_tmpfs($1)
--	admin_pattern($1, cluster_tmpfs)
++
 +    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
 +')
 +
@@ -71911,6 +77462,7 @@ index 56bc01f..2e4d698 100644
 +    ')
 +
 +    rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
++    delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
 +')
 +
 +#####################################
@@ -72048,10 +77600,10 @@ index 56bc01f..2e4d698 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..26fba30 100644
+index 2c2de9a..4fd3b77 100644
 --- a/rhcs.te
 +++ b/rhcs.te
-@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
+@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
  ## </desc>
  gen_tunable(fenced_can_ssh, false)
  
@@ -72076,10 +77628,18 @@ index 2c2de9a..26fba30 100644
 +## </desc>
 +gen_tunable(cluster_use_execmem, false)
 +
++## <desc>
++##	<p>
++##	Determine whether haproxy can
++##	connect to all TCP ports.
++##	</p>
++## </desc>
++gen_tunable(haproxy_connect_any, false)
++
  attribute cluster_domain;
  attribute cluster_log;
  attribute cluster_pid;
-@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
  init_script_file(foghorn_initrc_exec_t)
  
  rhcs_domain_template(gfs_controld)
@@ -72367,7 +77927,7 @@ index 2c2de9a..26fba30 100644
  ')
  
  #####################################
-@@ -79,7 +349,7 @@ optional_policy(`
+@@ -79,9 +357,11 @@ optional_policy(`
  # dlm_controld local policy
  #
  
@@ -72375,15 +77935,19 @@ index 2c2de9a..26fba30 100644
 +allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
  allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
++files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)
++
  stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+ stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+ 
+@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
 +logging_send_syslog_msg(dlm_controld_t)
 +
 +optional_policy(`
-+	corosync_rw_tmpfs(dlm_controld_t)
++	rhcs_rw_cluster_tmpfs(dlm_controld_t)
 +')
 +
 +optional_policy(`
@@ -72395,9 +77959,10 @@ index 2c2de9a..26fba30 100644
  # fenced local policy
  #
  
- allow fenced_t self:capability { sys_rawio sys_resource };
+-allow fenced_t self:capability { sys_rawio sys_resource };
 -allow fenced_t self:process { getsched signal_perms };
 -allow fenced_t self:tcp_socket { accept listen };
++allow fenced_t self:capability { net_admin sys_rawio sys_resource };
 +allow fenced_t self:process { getsched setpgid signal_perms };
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
@@ -72409,7 +77974,7 @@ index 2c2de9a..26fba30 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -72420,7 +77985,16 @@ index 2c2de9a..26fba30 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+ 
+ corenet_sendrecv_zented_server_packets(fenced_t)
+ corenet_tcp_bind_zented_port(fenced_t)
++corenet_udp_bind_zented_port(fenced_t)
++corenet_tcp_connect_zented_port(fenced_t)
+ corenet_tcp_sendrecv_zented_port(fenced_t)
+ 
+ corenet_sendrecv_http_client_packets(fenced_t)
+@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -72431,7 +78005,7 @@ index 2c2de9a..26fba30 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -72440,7 +78014,7 @@ index 2c2de9a..26fba30 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +463,8 @@ optional_policy(`
+@@ -182,7 +475,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72450,7 +78024,7 @@ index 2c2de9a..26fba30 100644
  ')
  
  optional_policy(`
-@@ -190,12 +472,12 @@ optional_policy(`
+@@ -190,12 +484,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72466,7 +78040,7 @@ index 2c2de9a..26fba30 100644
  ')
  
  optional_policy(`
-@@ -203,6 +485,13 @@ optional_policy(`
+@@ -203,6 +497,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -72480,7 +78054,7 @@ index 2c2de9a..26fba30 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -72501,7 +78075,7 @@ index 2c2de9a..26fba30 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -72510,7 +78084,7 @@ index 2c2de9a..26fba30 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -72526,13 +78100,14 @@ index 2c2de9a..26fba30 100644
 +#
 +
 +# bug in haproxy and process vs pid owner
-+allow haproxy_t self:capability dac_override;
++allow haproxy_t self:capability { dac_override kill };
 +
 +allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
 +allow haproxy_t self:process { fork setrlimit signal_perms };
 +allow haproxy_t self:fifo_file rw_fifo_file_perms;
 +allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
-+allow haproxy_t self:tcp_socket { accept listen };
++allow haproxy_t self:tcp_socket create_stream_socket_perms;
++allow haproxy_t self: udp_socket create_socket_perms;
 +
 +manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
 +manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
@@ -72540,19 +78115,32 @@ index 2c2de9a..26fba30 100644
 +manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
 +files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
 +
++corenet_sendrecv_unlabeled_packets(haproxy_t)
++
 +corenet_tcp_connect_commplex_link_port(haproxy_t)
 +corenet_tcp_connect_commplex_main_port(haproxy_t)
 +corenet_tcp_bind_commplex_main_port(haproxy_t)
++corenet_tcp_bind_http_port(haproxy_t)
++corenet_tcp_bind_http_cache_port(haproxy_t)
 +
 +corenet_tcp_connect_fmpro_internal_port(haproxy_t)
++corenet_tcp_connect_http_port(haproxy_t)
++corenet_tcp_connect_http_cache_port(haproxy_t)
 +corenet_tcp_connect_rtp_media_port(haproxy_t)
 +
 +sysnet_dns_name_resolve(haproxy_t)
 +
++tunable_policy(`haproxy_connect_any',`
++	corenet_tcp_connect_all_ports(haproxy_t)
++	corenet_tcp_bind_all_ports(haproxy_t)
++	corenet_sendrecv_all_packets(haproxy_t)
++	corenet_tcp_sendrecv_all_ports(haproxy_t)
++')
++
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -72922,21 +78510,25 @@ index 3f32e4b..f97ea42 100644
  
 diff --git a/rhnsd.fc b/rhnsd.fc
 new file mode 100644
-index 0000000..1936028
+index 0000000..860a91d
 --- /dev/null
 +++ b/rhnsd.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,9 @@
 +/etc/rc\.d/init\.d/rhnsd	--	gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
 +
++/usr/lib/systemd/system/rhnsd.* --  gen_context(system_u:object_r:rhnsd_unit_file_t,s0)
++
 +/usr/sbin/rhnsd		--	gen_context(system_u:object_r:rhnsd_exec_t,s0)
 +
 +/var/run/rhnsd\.pid		--	gen_context(system_u:object_r:rhnsd_var_run_t,s0)
++
++/etc/sysconfig/rhn(/.*)?		gen_context(system_u:object_r:rhnsd_conf_t,s0)
 diff --git a/rhnsd.if b/rhnsd.if
 new file mode 100644
-index 0000000..88087b7
+index 0000000..8a5aaf0
 --- /dev/null
 +++ b/rhnsd.if
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,118 @@
 +## <summary>policy for rhnsd</summary>
 +
 +########################################
@@ -72978,6 +78570,50 @@ index 0000000..88087b7
 +
 +########################################
 +## <summary>
++##	Execute rhnsd server in the rhnsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rhnsd_systemctl',`
++	gen_require(`
++		type rhnsd_t;
++		type rhnsd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 rhnsd_unit_file_t:file read_file_perms;
++	allow $1 rhnsd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, rhnsd_t)
++')
++
++######################################
++## <summary>
++## Allow the specified domain to manage
++## rhnsd configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhnsd_manage_config',`
++    gen_require(`
++        type rhnsd_conf_t;
++    ')
++
++    files_search_etc($1)
++    manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate
 +##	an rhnsd environment
 +## </summary>
@@ -73013,10 +78649,10 @@ index 0000000..88087b7
 +')
 diff --git a/rhnsd.te b/rhnsd.te
 new file mode 100644
-index 0000000..0e965c3
+index 0000000..898d82c
 --- /dev/null
 +++ b/rhnsd.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,47 @@
 +policy_module(rhnsd, 1.0.0)
 +
 +########################################
@@ -73034,6 +78670,12 @@ index 0000000..0e965c3
 +type rhnsd_initrc_exec_t;
 +init_script_file(rhnsd_initrc_exec_t)
 +
++type rhnsd_unit_file_t;
++systemd_unit_file(rhnsd_unit_file_t)
++
++type rhnsd_conf_t;
++files_config_file(rhnsd_conf_t)
++
 +########################################
 +#
 +# rhnsd local policy
@@ -73048,17 +78690,18 @@ index 0000000..0e965c3
 +manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
 +files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
 +
-+corecmd_exec_bin(rhnsd_t)
++manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
 +
++corecmd_exec_bin(rhnsd_t)
 +
 +logging_send_syslog_msg(rhnsd_t)
 +
 +optional_policy(`
-+	# execute rhn_check
-+	rpm_domtrans(rhnsd_t)
++    # execute rhn_check
++    rpm_domtrans(rhnsd_t)
 +')
 diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905..78746ef 100644
+index 6dbc905..4b17c93 100644
 --- a/rhsmcertd.if
 +++ b/rhsmcertd.if
 @@ -1,8 +1,8 @@
@@ -73163,14 +78806,33 @@ index 6dbc905..78746ef 100644
  ## <summary>
 -##	Connect to rhsmcertd with a
 -##	unix domain stream socket.
-+##	Read/wirte inherited lock files.
++##	Read rhsmcertd PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
+@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',`
  ##	</summary>
  ## </param>
  #
++interface(`rhsmcertd_manage_pid_files',`
++	gen_require(`
++		type rhsmcertd_var_run_t;
++	')
++
++	files_search_pids($1)
++    manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++')
++
++########################################
++## <summary>
++##	Read/wirte inherited lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`rhsmcertd_rw_inherited_lock_files',`
 +	gen_require(`
 +		type rhsmcertd_lock_t;
@@ -73194,7 +78856,7 @@ index 6dbc905..78746ef 100644
  interface(`rhsmcertd_stream_connect',`
  	gen_require(`
  		type rhsmcertd_t, rhsmcertd_var_run_t;
-@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
+@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',`
  
  ######################################
  ## <summary>
@@ -73238,7 +78900,7 @@ index 6dbc905..78746ef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
+@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
  ##	</summary>
  ## </param>
  ## <param name="role">
@@ -73270,24 +78932,24 @@ index 6dbc905..78746ef 100644
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 rhsmcertd_t:process ptrace;
 +	')
- 
--	logging_search_logs($1)
--	admin_pattern($1, rhsmcertd_log_t)
++
 +    rhsmcertd_initrc_domtrans($1)
 +    domain_system_change_exemption($1)
 +    role_transition $2 rhsmcertd_initrc_exec_t system_r;
 +    allow $2 system_r;
  
--	files_search_var_lib($1)
--	admin_pattern($1, rhsmcertd_var_lib_t)
+-	logging_search_logs($1)
+-	admin_pattern($1, rhsmcertd_log_t)
 +    logging_search_logs($1)
 +    admin_pattern($1, rhsmcertd_log_t)
  
--	files_search_pids($1)
--	admin_pattern($1, rhsmcertd_var_run_t)
+-	files_search_var_lib($1)
+-	admin_pattern($1, rhsmcertd_var_lib_t)
 +    files_search_var_lib($1)
 +    admin_pattern($1, rhsmcertd_var_lib_t)
-+
+ 
+-	files_search_pids($1)
+-	admin_pattern($1, rhsmcertd_var_run_t)
 +    files_search_pids($1)
 +    admin_pattern($1, rhsmcertd_var_run_t)
 +
@@ -73298,7 +78960,7 @@ index 6dbc905..78746ef 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..0369e30 100644
+index 1cedd70..d193f7a 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -73319,12 +78981,15 @@ index 1cedd70..0369e30 100644
  
  manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
  files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -51,22 +50,47 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+ 
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
- 
-+corenet_tcp_connect_http_port(rhsmcertd_t)
++kernel_read_sysctl(rhsmcertd_t)
 +
++corenet_tcp_connect_http_port(rhsmcertd_t)
++corenet_tcp_connect_squid_port(rhsmcertd_t)
+ 
  corecmd_exec_bin(rhsmcertd_t)
 +corecmd_exec_shell(rhsmcertd_t)
  
@@ -73340,11 +79005,11 @@ index 1cedd70..0369e30 100644
 +files_manage_system_conf_files(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
++
++init_read_state(rhsmcertd_t)
  
 -miscfiles_read_localization(rhsmcertd_t)
 -miscfiles_read_generic_certs(rhsmcertd_t)
-+init_read_state(rhsmcertd_t)
-+
 +logging_send_syslog_msg(rhsmcertd_t)
 +
 +miscfiles_manage_cert_files(rhsmcertd_t)
@@ -73361,7 +79026,12 @@ index 1cedd70..0369e30 100644
 +')
 +
 +optional_policy(`
++    rhnsd_manage_config(rhsmcertd_t)
++')
++
++optional_policy(`
  	rpm_read_db(rhsmcertd_t)
++    rpm_signull(rhsmcertd_t)
  ')
 diff --git a/ricci.if b/ricci.if
 index 2ab3ed1..23d579c 100644
@@ -73752,6 +79422,68 @@ index 9702ed2..a265af9 100644
  
  optional_policy(`
  	ccs_stream_connect(ricci_modstorage_t)
+diff --git a/rkhunter.fc b/rkhunter.fc
+new file mode 100644
+index 0000000..645a9cc
+--- /dev/null
++++ b/rkhunter.fc
+@@ -0,0 +1 @@
++/var/lib/rkhunter(/.*)?         gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+diff --git a/rkhunter.if b/rkhunter.if
+new file mode 100644
+index 0000000..0be4cee
+--- /dev/null
++++ b/rkhunter.if
+@@ -0,0 +1,39 @@
++## <summary> policy for rkhunter </summary>
++
++########################################
++## <summary>
++##	Append rkhunter lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rkhunter_append_lib_files',`
++	gen_require(`
++		type rkhunter_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rkhunter lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rkhunter_manage_lib_files',`
++	gen_require(`
++		type rkhunter_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
++')
+diff --git a/rkhunter.te b/rkhunter.te
+new file mode 100644
+index 0000000..aa2d09e
+--- /dev/null
++++ b/rkhunter.te
+@@ -0,0 +1,4 @@
++policy_module(rhhunter, 1.0)
++
++type rkhunter_var_lib_t;
++files_type(rkhunter_var_lib_t)
 diff --git a/rlogin.fc b/rlogin.fc
 index f111877..e361ee9 100644
 --- a/rlogin.fc
@@ -74544,7 +80276,7 @@ index 3bd6446..eec0a35 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..022f7fc 100644
+index e5212e6..fa69f22 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -74730,35 +80462,38 @@ index e5212e6..022f7fc 100644
  
  optional_policy(`
  	automount_signal(rpcd_t)
-@@ -174,19 +110,23 @@ optional_policy(`
+@@ -174,19 +110,27 @@ optional_policy(`
  ')
  
  optional_policy(`
--	nis_read_ypserv_config(rpcd_t)
 +	domain_unconfined_signal(rpcd_t)
++')
++
++optional_policy(`
++	quota_manage_db(rpcd_t)
++')
++
++optional_policy(`
+ 	nis_read_ypserv_config(rpcd_t)
  ')
  
  optional_policy(`
 -	quota_manage_db_files(rpcd_t)
-+	quota_manage_db(rpcd_t)
++	quota_read_db(rpcd_t)
  ')
  
  optional_policy(`
 -	rgmanager_manage_tmp_files(rpcd_t)
-+	nis_read_ypserv_config(rpcd_t)
++	rhcs_manage_cluster_tmp_files(rpcd_t)
  ')
  
  optional_policy(`
 -	unconfined_signal(rpcd_t)
-+	quota_read_db(rpcd_t)
-+')
-+
-+optional_policy(`
-+	rhcs_manage_cluster_tmp_files(rpcd_t)
++    samba_stream_connect_nmbd(rpcd_t)
  ')
  
  ########################################
-@@ -195,41 +135,56 @@ optional_policy(`
+@@ -195,41 +139,56 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -74823,7 +80558,7 @@ index e5212e6..022f7fc 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -74831,7 +80566,7 @@ index e5212e6..022f7fc 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -74846,7 +80581,16 @@ index e5212e6..022f7fc 100644
  ')
  
  ########################################
-@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -263,7 +221,7 @@ optional_policy(`
+ # GSSD local policy
+ #
+ 
+-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
++allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+ 
+@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -74854,7 +80598,7 @@ index e5212e6..022f7fc 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -279,25 +234,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +238,30 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -74876,6 +80620,7 @@ index e5212e6..022f7fc 100644
  miscfiles_read_generic_certs(gssd_t)
  
  userdom_signal_all_users(gssd_t)
++userdom_manage_all_users_keys(gssd_t)
  
 -tunable_policy(`allow_gssd_read_tmp',`
 +tunable_policy(`gssd_read_tmp',`
@@ -74887,7 +80632,7 @@ index e5212e6..022f7fc 100644
  ')
  
  optional_policy(`
-@@ -306,8 +265,11 @@ optional_policy(`
+@@ -306,8 +270,11 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(gssd, gssd_t)
@@ -75083,10 +80828,10 @@ index c49828c..56cb0c2 100644
  sysnet_dns_name_resolve(rpcbind_t)
  
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..6392cad 100644
+index ebe91fc..576ca21 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,72 @@
+@@ -1,61 +1,74 @@
 -/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -75116,6 +80861,8 @@ index ebe91fc..6392cad 100644
  /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  gen_context(system_u:object_r:rpm_exec_t,s0)
++
++/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/usr/sbin/bcfg2	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 -/usr/sbin/pirut	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -75134,25 +80881,14 @@ index ebe91fc..6392cad 100644
 -/usr/sbin/synaptic	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 -/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 -/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--')
-+/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
--/usr/share/yumex/yumex-yum-backend	--	gen_context(system_u:object_r:rpm_exec_t,s0)
--/usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/yum-cron		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
--/var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
--/var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
++
 +/usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
--/var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--/var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--/var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--/var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
++
 +ifdef(`distro_redhat', `
 +/usr/sbin/bcfg2				--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/package-cleanup	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -75166,31 +80902,41 @@ index ebe91fc..6392cad 100644
 +/usr/sbin/synaptic		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/apt-get		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+')
-+
+ ')
+ 
+-/usr/share/yumex/yumex-yum-backend	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
 +/var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 +/var/cache/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
--/var/lock/bcfg2\.run	--	gen_context(system_u:object_r:rpm_lock_t,s0)
+-/var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+-/var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 +/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  
+-/var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
++/var/log/up2date.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+ 
+-/var/lock/bcfg2\.run	--	gen_context(system_u:object_r:rpm_lock_t,s0)
+ 
 -/var/log/YaST2(/.*)?	gen_context(system_u:object_r:rpm_log_t,s0)
 -/var/log/yum\.log.*	--	gen_context(system_u:object_r:rpm_log_t,s0)
-+/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
++/var/spool/up2date(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
 -/var/spool/up2date(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
-+/var/spool/up2date(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
++/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
++/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 -/var/run/yum.*	--	gen_context(system_u:object_r:rpm_var_run_t,s0)
 -/var/run/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_run_t,s0)
-+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
-+/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
-+
 +# SuSE
 +ifdef(`distro_suse', `
 +/usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -75204,7 +80950,7 @@ index ebe91fc..6392cad 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..cafc027 100644
+index 0628d50..e9dbd7e 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -75463,16 +81209,34 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -302,7 +378,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +378,25 @@ interface(`rpm_manage_log',`
  
  ########################################
  ## <summary>
 -##	Inherit and use rpm script file descriptors.
++##	Create rpm logs with an correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_named_filetrans_log_files',`
++	gen_require(`
++		type rpm_log_t;
++	')
++    logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
++    logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
++')
++
++########################################
++## <summary>
 +##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',`
  
  ########################################
  ## <summary>
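Review bot: The summary of the new `rpm_named_filetrans_log_files` interface reads `##	Create rpm logs with an correct label.`; `##	Create rpm log files with the correct label.` fixes the grammar and matches the wording of the neighbouring summaries. The two `logging_log_named_filetrans` calls are indented with four spaces while the `gen_require` block above them uses tabs; the same space-for-tab mix recurs in the rpm.te `bind_systemctl`/`sblim_filetrans_named_content` optional_policy blocks, in the `rtas_errd_admin` gen_require in rtas.if, and in the samba.te `files_manage_non_security_dirs` and `ctdbd_manage_lib_files` additions, so one whitespace pass would fix all of them. The interface body itself agrees with the rpm.fc entries for `/var/log/yum\.log.*` and `/var/log/up2date.*` earlier in this diff.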
@@ -75483,7 +81247,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -75500,7 +81264,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -75518,7 +81282,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -75534,7 +81298,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -75543,7 +81307,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,8 +500,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +518,7 @@ interface(`rpm_read_cache',`
  
  ########################################
  ## <summary>
@@ -75553,7 +81317,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',`
  
  ########################################
  ## <summary>
@@ -75562,7 +81326,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,11 +538,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +556,12 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -75576,7 +81340,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -482,8 +562,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +580,7 @@ interface(`rpm_delete_db',`
  
  ########################################
  ## <summary>
@@ -75586,7 +81350,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -503,8 +582,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +600,28 @@ interface(`rpm_manage_db',`
  
  ########################################
  ## <summary>
@@ -75616,7 +81380,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -75625,7 +81389,7 @@ index 0628d50..cafc027 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',`
  
  #####################################
  ## <summary>
@@ -75635,7 +81399,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',`
  
  ######################################
  ## <summary>
@@ -75645,7 +81409,7 @@ index 0628d50..cafc027 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +688,72 @@ interface(`rpm_manage_pid_files',`
  ## </param>
  #
  interface(`rpm_pid_filetrans',`
@@ -75777,7 +81541,7 @@ index 0628d50..cafc027 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..5b28e97 100644
+index 5cbe81c..a461faa 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -76068,7 +81832,7 @@ index 5cbe81c..5b28e97 100644
  
  kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +293,29 @@ kernel_read_network_state(rpm_script_t)
  kernel_list_all_proc(rpm_script_t)
  kernel_read_software_raid_state(rpm_script_t)
  
@@ -76083,6 +81847,8 @@ index 5cbe81c..5b28e97 100644
 -corenet_tcp_sendrecv_http_port(rpm_script_t)
 -
 -corecmd_exec_all_executables(rpm_script_t)
++# needed by unbound-anchor
++corenet_udp_bind_all_unreserved_ports(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
 +
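Review bot: `corenet_udp_bind_all_unreserved_ports(rpm_script_t)` is a permanent grant to every package scriptlet, not only to unbound-anchor, because rpm_script_t is the domain all %pre/%post scripts share; the comment `# needed by unbound-anchor` records the trigger but not why an explicit bind is required. Presumably the resolver library binds explicit random UDP source ports for its queries, which a plain `sysnet_dns_name_resolve` would not cover, but that should be stated so a later maintainer can judge whether the rule can be narrowed, e.g. `+# needed by unbound-anchor %post: its resolver binds explicit random UDP source ports (confirm against the original denial)`. The rpm_script_t rule block continues outside this hunk.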
@@ -76118,7 +81884,7 @@ index 5cbe81c..5b28e97 100644
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
  
-@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -76145,6 +81911,9 @@ index 5cbe81c..5b28e97 100644
 +files_exec_usr_files(rpm_script_t)
 +files_relabel_all_files(rpm_script_t)
 +
++init_disable_services(rpm_script_t)
++init_enable_services(rpm_script_t)
++init_reload_services(rpm_script_t)
  init_domtrans_script(rpm_script_t)
  init_telinit(rpm_script_t)
  
@@ -76156,6 +81925,7 @@ index 5cbe81c..5b28e97 100644
 +libs_ldconfig_exec_entry_type(rpm_script_t)
  
  logging_send_syslog_msg(rpm_script_t)
++logging_send_audit_msgs(rpm_script_t)
  
 -miscfiles_read_localization(rpm_script_t)
 -
@@ -76176,7 +81946,7 @@ index 5cbe81c..5b28e97 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,41 +379,61 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,71 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -76191,11 +81961,19 @@ index 5cbe81c..5b28e97 100644
 +')
 +
 +optional_policy(`
++    bind_systemctl(rpm_script_t)
++')
++
++optional_policy(`
 +	certmonger_dbus_chat(rpm_script_t)
 +')
 +
 +optional_policy(`
 +	cups_filetrans_named_content(rpm_script_t)
++')
++
++optional_policy(`
++    sblim_filetrans_named_content(rpm_script_t)
  ')
  
  optional_policy(`
@@ -76206,6 +81984,8 @@ index 5cbe81c..5b28e97 100644
 -	')
 +    optional_policy(`
 +        systemd_dbus_chat_logind(rpm_script_t)
++        systemd_dbus_chat_timedated(rpm_script_t)
++        systemd_dbus_chat_localed(rpm_script_t)
 +    ')
 +')
 +
@@ -76248,7 +82028,7 @@ index 5cbe81c..5b28e97 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +445,6 @@ optional_policy(`
+@@ -409,6 +461,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76709,7 +82489,7 @@ index f1140ef..8afe362 100644
 +	files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
  ')
 diff --git a/rsync.te b/rsync.te
-index e3e7c96..ec50426 100644
+index e3e7c96..d7db2d9 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -1,4 +1,4 @@
@@ -76836,7 +82616,7 @@ index e3e7c96..ec50426 100644
  logging_log_filetrans(rsync_t, rsync_log_t, file)
  
  manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
@@ -76902,9 +82682,7 @@ index e3e7c96..ec50426 100644
 +
 +tunable_policy(`rsync_full_access',`
 +	allow rsync_t self:capability { dac_override dac_read_search };
-+	files_manage_non_security_dirs(rsync_t)
-+	files_manage_non_security_files(rsync_t)
-+	#files_relabel_non_security_files(rsync_t)
++	files_manage_non_auth_files(rsync_t)
  ')
  
  tunable_policy(`rsync_export_all_ro',`
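Review bot: Inside `tunable_policy(`rsync_full_access',` the two `files_manage_non_security_*` calls and the commented-out relabel line are replaced by a single `files_manage_non_auth_files(rsync_t)`, which by its name excludes the authentication-related files the previous `non_security` attribute covered; that is a sensible tightening for a network-facing daemon. Two things to confirm: that `files_manage_non_auth_files` also grants directory management, since the explicit `_dirs` call was dropped and the interface body is not visible here, and that the `rsync_full_access` boolean description, declared outside this hunk, still matches what the boolean now grants. A short comment on the replaced line would record the intent, e.g. `+	# "full access" deliberately excludes auth/security-sensitive files (non_auth attribute)`.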
@@ -76967,7 +82745,7 @@ index e3e7c96..ec50426 100644
  ')
 diff --git a/rtas.fc b/rtas.fc
 new file mode 100644
-index 0000000..25d96cb
+index 0000000..4552e91
 --- /dev/null
 +++ b/rtas.fc
 @@ -0,0 +1,13 @@
@@ -76979,23 +82757,23 @@ index 0000000..25d96cb
 +/var/lock/.*librtas  --  gen_context(system_u:object_r:rtas_errd_var_lock_t)
 +
 +/var/log/rtas_errd.*    --  gen_context(system_u:object_r:rtas_errd_log_t)
-+/var/log/platform   --  gen_context(system_u:object_r:rtas_errd_log_t)
-+/var/log/epow_status    --  gen_context(system_u:object_r:rtas_errd_log_t)
++/var/log/platform.*   --  gen_context(system_u:object_r:rtas_errd_log_t)
++/var/log/epow_status.*    --  gen_context(system_u:object_r:rtas_errd_log_t)
 +
 +/var/run/rtas_errd.*     --     gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
 +
 diff --git a/rtas.if b/rtas.if
 new file mode 100644
-index 0000000..9381936
+index 0000000..0ec3302
 --- /dev/null
 +++ b/rtas.if
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,162 @@
 +
-+## <summary>rtas_errd - Platform diagnostics report firmware events</summary>
++## <summary>Platform diagnostics report firmware events.</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the rtas_errd domin.
++##	Execute rtas_errd in the rtas_errd domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
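Review bot: The rtas.fc `gen_context(...)` calls for the new `/var/log/platform.*` and `/var/log/epow_status.*` entries, like the `/var/lock/.*librtas` and `/var/log/rtas_errd.*` lines above them, omit the MLS level, whereas `/var/run/rtas_errd.*` two lines later carries `,s0`; as far as I recall the `gen_context` macro, an empty level argument produces a malformed context on an MLS-enabled build, so they should read e.g. `+/var/log/platform.*   --  gen_context(system_u:object_r:rtas_errd_log_t,s0)` and likewise for the other three. The rtas.if summary in the same hunk still says `##	Execute rtas_errd in the rtas_errd domin.`; `##	Execute rtas_errd in the rtas_errd domain.` fixes the typo that the commit otherwise rewords.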
@@ -77011,6 +82789,7 @@ index 0000000..9381936
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read rtas_errd's log files.
@@ -77070,6 +82849,7 @@ index 0000000..9381936
 +	manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
 +	manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read rtas_errd PID files.
@@ -77106,7 +82886,7 @@ index 0000000..9381936
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_passwd_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rtas_errd_unit_file_t:file read_file_perms;
 +	allow $1 rtas_errd_unit_file_t:service manage_service_perms;
 +
@@ -77124,19 +82904,12 @@ index 0000000..9381936
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`rtas_errd_admin',`
 +	gen_require(`
 +		type rtas_errd_t;
-+		type rtas_errd_log_t;
-+		type rtas_errd_var_run_t;
-+	type rtas_errd_unit_file_t;
++		type rtas_errd_log_t, rtas_errd_var_run_t;
++    	type rtas_errd_unit_file_t;
 +	')
 +
 +	allow $1 rtas_errd_t:process { ptrace signal_perms };
@@ -77151,6 +82924,7 @@ index 0000000..9381936
 +	rtas_errd_systemctl($1)
 +	admin_pattern($1, rtas_errd_unit_file_t)
 +	allow $1 rtas_errd_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -77158,10 +82932,10 @@ index 0000000..9381936
 +')
 diff --git a/rtas.te b/rtas.te
 new file mode 100644
-index 0000000..4e6663f
+index 0000000..9a5164c
 --- /dev/null
 +++ b/rtas.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,95 @@
 +policy_module(rtas, 1.0.0)
 +
 +########################################
@@ -77185,13 +82959,19 @@ index 0000000..4e6663f
 +type rtas_errd_unit_file_t;
 +systemd_unit_file(rtas_errd_unit_file_t)
 +
++type rtas_errd_tmp_t;
++files_tmp_file(rtas_errd_tmp_t)
++
++type rtas_errd_tmpfs_t;
++files_tmpfs_file(rtas_errd_tmpfs_t)
++
 +########################################
 +#
 +# rtas_errd local policy
 +#
 +
-+allow rtas_errd_t self:capability sys_admin;
-+allow rtas_errd_t self:process fork;
++allow rtas_errd_t self:capability { net_admin chown sys_admin };
++allow rtas_errd_t self:process { fork signull };
 +allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
 +allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
 +
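Review bot: The capability set on `allow rtas_errd_t self:capability { net_admin chown sys_admin };` grows from `sys_admin` alone to include `net_admin` and `chown` with no comment saying which operation of a platform-error-log daemon needs network administration; `net_admin` is a broad capability and is the kind of grant that should be traceable to a specific denial. Please record the trigger, e.g. `+# net_admin/chown: required by <operation — TODO confirm from the audit log>`, so it can be re-evaluated when the daemon changes. The new `rtas_errd_tmp_t`/`rtas_errd_tmpfs_t` declarations are fine on their own; their rules follow in the next hunk.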
@@ -77209,19 +82989,48 @@ index 0000000..4e6663f
 +manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
 +files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
 +
++manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir })
++
++manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir })
++
++kernel_read_all_sysctls(rtas_errd_t)
 +kernel_read_system_state(rtas_errd_t)
++kernel_read_network_state(rtas_errd_t)
++
++domain_read_all_domains_state(rtas_errd_t)
 +
 +auth_use_nsswitch(rtas_errd_t)
 +
 +corecmd_exec_bin(rtas_errd_t)
 +
++dev_read_rand(rtas_errd_t)
++dev_read_urand(rtas_errd_t)
 +dev_read_raw_memory(rtas_errd_t)
 +dev_write_raw_memory(rtas_errd_t)
++dev_read_sysfs(rtas_errd_t)
++dev_rw_nvram(rtas_errd_t)
 +
 +files_manage_system_db_files(rtas_errd_t)
 +
++logging_send_syslog_msg(rtas_errd_t)
 +logging_read_generic_logs(rtas_errd_t)
 +
++optional_policy(`
++    hostname_exec(rtas_errd_t)
++')
++
++optional_policy(`
++    rpm_exec(rtas_errd_t)
++    rpm_dontaudit_manage_db(rtas_errd_t)
++')
++
++optional_policy(`
++    unconfined_domain(rtas_errd_t)
++')
 diff --git a/rtkit.if b/rtkit.if
 index bd35afe..051addd 100644
 --- a/rtkit.if
@@ -77375,10 +83184,10 @@ index 9927d29..6746952 100644
 +userdom_getattr_user_terminals(rwho_t)
 +
 diff --git a/samba.fc b/samba.fc
-index b8b66ff..2ccac49 100644
+index b8b66ff..d1fa967 100644
 --- a/samba.fc
 +++ b/samba.fc
-@@ -1,42 +1,54 @@
+@@ -1,42 +1,55 @@
 -/etc/rc\.d/init\.d/nmb	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/smb	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
 +
@@ -77404,6 +83213,7 @@ index b8b66ff..2ccac49 100644
 +#
 +/usr/lib/systemd/system/smb.* 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
 +/usr/lib/systemd/system/nmb.*   --      gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/winbind.*   --  gen_context(system_u:object_r:samba_unit_file_t,s0)
  
 -/usr/bin/net	--	gen_context(system_u:object_r:samba_net_exec_t,s0)
 -/usr/bin/ntlm_auth	--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
@@ -77459,7 +83269,7 @@ index b8b66ff..2ccac49 100644
  /var/run/samba/messages\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  /var/run/samba/namelist\.debug	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  /var/run/samba/nmbd\.pid	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-@@ -45,7 +57,11 @@
+@@ -45,7 +58,11 @@
  /var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  
@@ -78232,7 +84042,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..9e91107 100644
+index 57c034b..8736764 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -78405,7 +84215,14 @@ index 57c034b..9e91107 100644
  
  type smbd_t;
  type smbd_exec_t;
-@@ -149,9 +132,10 @@ type smbd_var_run_t;
+@@ -145,13 +128,17 @@ init_daemon_domain(smbd_t, smbd_exec_t)
+ type smbd_tmp_t;
+ files_tmp_file(smbd_tmp_t)
+ 
++type smbd_tmpfs_t;
++files_tmpfs_file(smbd_tmpfs_t)
++
+ type smbd_var_run_t;
  files_pid_file(smbd_var_run_t)
  
  type smbmount_t;
@@ -78418,7 +84235,7 @@ index 57c034b..9e91107 100644
  
  type swat_t;
  type swat_exec_t;
-@@ -170,27 +154,29 @@ type winbind_exec_t;
+@@ -170,27 +157,29 @@ type winbind_exec_t;
  init_daemon_domain(winbind_t, winbind_exec_t)
  
  type winbind_helper_t;
@@ -78456,7 +84273,7 @@ index 57c034b..9e91107 100644
  
  allow samba_net_t samba_etc_t:file read_file_perms;
  
-@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -206,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
  
@@ -78483,7 +84300,7 @@ index 57c034b..9e91107 100644
  
  dev_read_urand(samba_net_t)
  
-@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t)
+@@ -229,15 +223,16 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -78504,7 +84321,7 @@ index 57c034b..9e91107 100644
  ')
  
  optional_policy(`
-@@ -245,44 +237,56 @@ optional_policy(`
+@@ -245,44 +240,56 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78547,11 +84364,11 @@ index 57c034b..9e91107 100644
  
 -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
 +allow smbd_t nmbd_t:process { signal signull };
-+
-+allow smbd_t nmbd_var_run_t:file rw_file_perms;
-+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
  
 -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
++allow smbd_t nmbd_var_run_t:file rw_file_perms;
++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++
 +allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
  manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
@@ -78573,7 +84390,7 @@ index 57c034b..9e91107 100644
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
  allow smbd_t samba_share_t:filesystem { getattr quotaget };
  
-@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -292,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
@@ -78582,7 +84399,13 @@ index 57c034b..9e91107 100644
  manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ 
++manage_dirs_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
++manage_files_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
++fs_tmpfs_filetrans(smbd_t, smbd_tmpfs_t, { file dir })
++
+ manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
  
@@ -78598,7 +84421,7 @@ index 57c034b..9e91107 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -78649,11 +84472,11 @@ index 57c034b..9e91107 100644
 -files_dontaudit_getattr_all_dirs(smbd_t)
 -files_dontaudit_list_all_mountpoints(smbd_t)
 -files_list_mnt(smbd_t)
--
++domain_dontaudit_signull_all_domains(smbd_t)
+ 
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
- fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -78702,6 +84525,7 @@ index 57c034b..9e91107 100644
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
  	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
++	fs_rw_inherited_tmpfs_files(smbd_t)
  ')
  
 -tunable_policy(`allow_smbd_anon_write',`
@@ -78719,7 +84543,7 @@ index 57c034b..9e91107 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -78742,7 +84566,7 @@ index 57c034b..9e91107 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -78750,7 +84574,7 @@ index 57c034b..9e91107 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -78768,7 +84592,7 @@ index 57c034b..9e91107 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -460,6 +446,7 @@ optional_policy(`
+@@ -460,6 +456,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -78776,7 +84600,7 @@ index 57c034b..9e91107 100644
  ')
  
  optional_policy(`
-@@ -473,6 +460,11 @@ optional_policy(`
+@@ -473,6 +470,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78788,7 +84612,18 @@ index 57c034b..9e91107 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -493,9 +485,33 @@ optional_policy(`
+@@ -482,6 +484,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rhcs_signull_cluster(smbd_t)
++')
++
++optional_policy(`
+ 	rpc_search_nfs_state_data(smbd_t)
+ ')
+ 
+@@ -493,9 +499,36 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -78811,9 +84646,12 @@ index 57c034b..9e91107 100644
 +	allow nmbd_t self:capability { dac_read_search dac_override };
 +	fs_manage_noxattr_fs_files(smbd_t) 
 +	files_manage_non_security_files(smbd_t)
++    files_manage_non_security_dirs(smbd_t)
 +	fs_manage_noxattr_fs_files(nmbd_t) 
 +	files_manage_non_security_files(nmbd_t)
++    files_manage_non_security_dirs(nmbd_t)
 +')
++
 +userdom_filetrans_home_content(nmbd_t)
 +
  ########################################
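Review bot: The two added `files_manage_non_security_dirs(...)` lines are indented with four spaces while every neighbouring line in the block uses a tab; `+	files_manage_non_security_dirs(smbd_t)` and `+	files_manage_non_security_dirs(nmbd_t)` would match. The enclosing `tunable_policy` block begins outside this hunk, so I cannot see which boolean gates it, but the addition extends that boolean to creating and deleting arbitrary non-security directories for both smbd_t and nmbd_t, and nmbd_t, the NetBIOS name daemon, does not obviously need to write share contents at all; if only smbd_t needs it, the nmbd_t line should be dropped or a comment should say why the name daemon needs it.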
@@ -78823,7 +84661,7 @@ index 57c034b..9e91107 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +522,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +539,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -78838,7 +84676,7 @@ index 57c034b..9e91107 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +538,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -78862,7 +84700,7 @@ index 57c034b..9e91107 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +572,42 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -78911,24 +84749,25 @@ index 57c034b..9e91107 100644
 -
  userdom_use_unpriv_users_fds(nmbd_t)
 -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
- 
+-
 -tunable_policy(`samba_export_all_ro',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_list_non_auth_dirs(nmbd_t)
 -	files_read_non_auth_files(nmbd_t)
 -')
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+ 
 -tunable_policy(`samba_export_all_rw',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_manage_non_auth_files(nmbd_t)
 +optional_policy(`
 +	ctdbd_stream_connect(nmbd_t)
 +    ctdbd_manage_var_files(nmbd_t)
++    ctdbd_manage_lib_files(nmbd_t)
  ')
  
  optional_policy(`
-@@ -600,19 +602,26 @@ optional_policy(`
+@@ -600,19 +620,26 @@ optional_policy(`
  
  ########################################
  #
@@ -78936,7 +84775,7 @@ index 57c034b..9e91107 100644
 +# smbcontrol local policy
  #
  
-+
++allow smbcontrol_t self:capability2 block_suspend;
  allow smbcontrol_t self:process signal;
 -allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 +# internal communication is often done using fifo and unix sockets.
@@ -78960,7 +84799,7 @@ index 57c034b..9e91107 100644
  samba_search_var(smbcontrol_t)
  samba_read_winbind_pid(smbcontrol_t)
  
-@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -78978,7 +84817,7 @@ index 57c034b..9e91107 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +642,23 @@ optional_policy(`
+@@ -637,22 +660,23 @@ optional_policy(`
  
  ########################################
  #
@@ -79010,7 +84849,7 @@ index 57c034b..9e91107 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -79046,7 +84885,7 @@ index 57c034b..9e91107 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -79138,7 +84977,7 @@ index 57c034b..9e91107 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -79162,7 +85001,7 @@ index 57c034b..9e91107 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +805,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -79205,7 +85044,7 @@ index 57c034b..9e91107 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +835,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -79219,10 +85058,12 @@ index 57c034b..9e91107 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -834,16 +841,19 @@ optional_policy(`
+@@ -833,17 +858,20 @@ optional_policy(`
+ # Winbind local policy
  #
  
- allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
++allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice };
 +allow winbind_t self:capability2 block_suspend;
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
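Review bot: The `kill` capability is added to winbind_t's capability set with no comment; CAP_KILL lets the daemon signal processes owned by other uids, and while SELinux still requires a `process:signal*` rule towards each target domain, the capability widens what the existing `signal_perms` rules can reach. A comment recording the denial that motivated it would make the grant reviewable, e.g. `+# CAP_KILL: winbindd signals helper children running under other uids — TODO confirm from the audit log`. The `capability2 block_suspend` line is unchanged context here.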
@@ -79243,7 +85084,7 @@ index 57c034b..9e91107 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -79254,7 +85095,7 @@ index 57c034b..9e91107 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -79284,7 +85125,7 @@ index 57c034b..9e91107 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +915,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -79305,7 +85146,7 @@ index 57c034b..9e91107 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -79316,7 +85157,7 @@ index 57c034b..9e91107 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -79355,10 +85196,14 @@ index 57c034b..9e91107 100644
  optional_policy(`
  	kerberos_use(winbind_t)
 +	kerberos_filetrans_named_content(winbind_t)
++')
++
++optional_policy(`
++    nis_authenticate(winbind_t)
  ')
  
  optional_policy(`
-@@ -952,31 +971,29 @@ optional_policy(`
+@@ -952,31 +993,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
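Review bot: `nis_authenticate(winbind_t)` is indented with four spaces while the surrounding optional_policy blocks use a tab, so the file now mixes both styles. The same applies to the other additions in this patch that use spaces: `libs_exec_ldconfig(smoltclient_t)`, `dbus_system_domain(snapperd_t, snapperd_exec_t)`, the `lvm_domtrans`/`unconfined_domain` blocks in snapper.te, `mta_read_aliases(snmpd_t)`, and the missing spaces after the commas in `files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")`. Converting these to a leading tab and `files_pid_filetrans(sblim_domain, sblim_var_run_t, dir, "gather")` keeps the policy diffable against the upstream layout.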
@@ -79396,7 +85241,7 @@ index 57c034b..9e91107 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +1007,38 @@ optional_policy(`
+@@ -990,25 +1029,38 @@ optional_policy(`
  
  ########################################
  #
@@ -79417,24 +85262,24 @@ index 57c034b..9e91107 100644
 +	role system_r types samba_unconfined_net_t;
 +
 +	unconfined_domain(samba_unconfined_net_t)
-+
+ 
+-	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+-	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 +	manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
 +	filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
 +	userdom_use_inherited_user_terminals(samba_unconfined_net_t)
 +')
-+
+ 
 +type samba_unconfined_script_t;
 +type samba_unconfined_script_exec_t;
 +domain_type(samba_unconfined_script_t)
 +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
 +corecmd_shell_entry_type(samba_unconfined_script_t)
 +role system_r types samba_unconfined_script_t;
- 
--	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
--	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++
 +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 +allow smbd_t samba_unconfined_script_exec_t:file ioctl;
- 
++
 +optional_policy(`
  	unconfined_domain(samba_unconfined_script_t)
 +')
@@ -79522,10 +85367,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..577dfa7
+index 0000000..89bc443
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,57 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -79556,6 +85401,8 @@ index 0000000..577dfa7
 +	allow sandbox_domain $1:process { sigchld signull };
 +	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit sandbox_domain $1:process signal;
++	dontaudit sandbox_domain $1:key { link read search view };
++	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
 +')
 +
 +########################################
@@ -79583,10 +85430,10 @@ index 0000000..577dfa7
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
-index 0000000..b12aada
+index 0000000..62a9666
 --- /dev/null
 +++ b/sandbox.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,63 @@
 +policy_module(sandbox,1.0.0)
 +
 +attribute sandbox_domain;
@@ -79632,6 +85479,7 @@ index 0000000..b12aada
 +')
 +
 +kernel_dontaudit_read_system_state(sandbox_domain)
++kernel_dontaudit_getattr_core_if(sandbox_domain)
 +
 +corecmd_exec_all_executables(sandbox_domain)
 +
@@ -79659,10 +85507,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..5da5bff
+index 0000000..3258f45
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,392 @@
+@@ -0,0 +1,394 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@@ -79704,10 +85552,11 @@ index 0000000..5da5bff
 +	dontaudit sandbox_xserver_t $1:file read;
 +	allow sandbox_x_domain sandbox_x_domain:process signal;
 +	# Dontaudit leaked file descriptors
++	dontaudit sandbox_x_domain $1:key { link read search view };
 +	dontaudit sandbox_x_domain $1:fifo_file { read write };
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
-+	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++	dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:process { signal sigkill };
 +	
 +	allow $1 sandbox_tmpfs_type:file manage_file_perms;
@@ -79786,6 +85635,7 @@ index 0000000..5da5bff
 +
 +	domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
 +	domain_entry_file($1_client_t,  sandbox_exec_t)
++	allow $1_client_t $1_t:shm { unix_read unix_write };
 +
 +	ps_process_pattern(sandbox_xserver_t, $1_client_t)
 +	ps_process_pattern(sandbox_xserver_t, $1_t)
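Review bot: `allow $1_client_t $1_t:shm { unix_read unix_write };` lets the sandboxed client read and write SysV shared-memory segments owned by the invoking user domain, which opens a data channel across the sandbox boundary that the neighbouring rules keep closed (they are dontaudits for leaked descriptors). If a specific segment is required, a comment naming it belongs next to the rule; if the change only silences denials on an inherited segment id, `dontaudit $1_client_t $1_t:shm { unix_read unix_write };` preserves the isolation. The enclosing interface starts and ends outside this hunk.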
@@ -80057,10 +85907,10 @@ index 0000000..5da5bff
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..710df6b
+index 0000000..330fea5
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,502 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -80185,7 +86035,7 @@ index 0000000..710df6b
 +#
 +# sandbox_x_domain local policy
 +#
-+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };
 +tunable_policy(`deny_execmem',`',`
 +	allow sandbox_x_domain self:process execmem;
 +')
@@ -80277,6 +86127,10 @@ index 0000000..710df6b
 +storage_dontaudit_rw_fuse(sandbox_x_domain)
 +
 +optional_policy(`
++	bluetooth_dbus_chat(sandbox_x_domain)
++')
++
++optional_policy(`
 +	consolekit_dbus_chat(sandbox_x_domain)
 +')
 +
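Review bot: `bluetooth_dbus_chat(sandbox_x_domain)` is an allow, while later in this file the narrower sandbox_web_type only gets `bluetooth_dontaudit_dbus_chat(sandbox_web_type)`. If sandbox_web_type domains also carry the sandbox_x_domain attribute (their declarations are outside this hunk), the allow on the broader attribute makes the dontaudit on the web types dead, and the two rules state opposite intents for the same domains. Pick one, and add a comment naming the application that needs to talk to bluetoothd from inside the sandbox.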
@@ -80295,6 +86149,8 @@ index 0000000..710df6b
 +
 +optional_policy(`
 +	gnome_read_gconf_config(sandbox_x_domain)
++	gnome_dontaudit_rw_inherited_config(sandbox_x_domain)
++	gnome_dontaudit_rw_inherited_config(sandbox_xserver_t)
 +')
 +
 +optional_policy(`
@@ -80342,6 +86198,10 @@ index 0000000..710df6b
 +	fs_exec_fusefs_files(sandbox_x_domain)
 +')
 +
++optional_policy(`
++	networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
++')
++
 +files_search_home(sandbox_x_t)
 +userdom_use_user_ptys(sandbox_x_t)
 +
@@ -80363,6 +86223,10 @@ index 0000000..710df6b
 +logging_send_syslog_msg(sandbox_x_client_t)
 +
 +optional_policy(`
++	avahi_dbus_chat(sandbox_x_client_t)
++')
++
++optional_policy(`
 +	colord_dbus_chat(sandbox_x_client_t)
 +')
 +
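Review bot: `avahi_dbus_chat(sandbox_x_client_t)` gives this client sandbox a D-Bus conversation with the mDNS/DNS-SD daemon; if sandbox_x_client_t is the variant without direct network access (its name and the separate sandbox_web_type suggest so, but the type definitions are outside this hunk), that is an indirect way to publish and browse network services and sits oddly with the type's purpose. A dontaudit, or a comment naming the program that needs it, would make the intent explicit. The same call is added for sandbox_web_type in the next hunk, where network access is expected and the allow is less surprising.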
@@ -80474,6 +86338,10 @@ index 0000000..710df6b
 +')
 +
 +optional_policy(`
++	avahi_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
 +	bluetooth_dontaudit_dbus_chat(sandbox_web_type)
 +')
 +
@@ -80486,6 +86354,10 @@ index 0000000..710df6b
 +')
 +
 +optional_policy(`
++	mozilla_plugin_rw_sem(sandbox_web_type)
++')
++
++optional_policy(`
 +	nsplugin_manage_rw(sandbox_web_type)
 +	nsplugin_read_rw_files(sandbox_web_type)
 +	nsplugin_rw_exec(sandbox_web_type)
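Review bot: `mozilla_plugin_rw_sem(sandbox_web_type)` here and `mozilla_plugin_rw_sem(sandbox_x_domain)` in the later sandboxX.te hunk create a new read/write IPC channel between the sandbox and the unsandboxed plugin domain, and the latter replaces what used to be a dontaudit. If sandbox_web_type domains also carry sandbox_x_domain (declarations are outside this hunk), the second rule already covers the first and one of them can go. Whichever stays should carry a comment saying why the sandbox must share the plugin's semaphores.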
@@ -80507,10 +86379,6 @@ index 0000000..710df6b
 +')
 +
 +optional_policy(`
-+	networkmanager_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
 +	udev_read_state(sandbox_web_type)
 +')
 +
@@ -80540,10 +86408,11 @@ index 0000000..710df6b
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
 +	mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
-+    mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
++	mozilla_plugin_rw_sem(sandbox_x_domain)
 +	mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
 +')
 +userdom_dontaudit_open_user_ptys(sandbox_x_domain)
++
 diff --git a/sanlock.fc b/sanlock.fc
 index 3df2a0f..9059165 100644
 --- a/sanlock.fc
@@ -81036,7 +86905,7 @@ index 68a550d..e976fc6 100644
  
  /var/run/gather(/.*)?	gen_context(system_u:object_r:sblim_var_run_t,s0)
 diff --git a/sblim.if b/sblim.if
-index 98c9e0a..df51942 100644
+index 98c9e0a..d4aa009 100644
 --- a/sblim.if
 +++ b/sblim.if
 @@ -1,8 +1,36 @@
@@ -81087,25 +86956,41 @@ index 98c9e0a..df51942 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',`
+@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',`
  
  ########################################
  ## <summary>
 -##	All of the rules required to
 -##	administrate an sblim environment.
-+##	All of the rules required to administrate
-+##	an gatherd environment
++##	Transition to sblim named content
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain allowed access.
++##      Domain allowed access.
  ##	</summary>
  ## </param>
 -## <param name="role">
--##	<summary>
++#
++interface(`sblim_filetrans_named_content',`
++	gen_require(`
++		type sblim_var_run_t;
++	')
++
++	files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an gatherd environment
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	Role allowed access.
--##	</summary>
--## </param>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
  ## <rolecap/>
  #
  interface(`sblim_admin',`
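Review bot: The new `sblim_filetrans_named_content` interface documents its parameter as `##      Domain allowed access.` with spaces, while every other summary in this file uses a tab; the line should read `##	Domain allowed access.`. The relocated sblim_admin summary still says "an gatherd environment", which should be "a gatherd environment". Both are documentation-only fixes.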
@@ -81137,7 +87022,7 @@ index 98c9e0a..df51942 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..62df1db 100644
+index 4a23d84..20f5040 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
@@ -81174,10 +87059,12 @@ index 4a23d84..62df1db 100644
  ######################################
  #
  # Common sblim domain local policy
-@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -31,32 +38,38 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
+ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
- 
++files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")
++
 +manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
 +manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
 +manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
@@ -81187,7 +87074,7 @@ index 4a23d84..62df1db 100644
 +manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
 +manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
 +files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
-+
+ 
  kernel_read_network_state(sblim_domain)
 -kernel_read_system_state(sblim_domain)
  
@@ -81196,9 +87083,11 @@ index 4a23d84..62df1db 100644
  corenet_tcp_sendrecv_generic_if(sblim_domain)
  corenet_tcp_sendrecv_generic_node(sblim_domain)
  
-@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+ corenet_tcp_sendrecv_repository_port(sblim_domain)
  
  dev_read_sysfs(sblim_domain)
++dev_read_rand(sblim_domain)
++dev_read_urand(sblim_domain)
  
 -logging_send_syslog_msg(sblim_domain)
 -
@@ -81219,7 +87108,7 @@ index 4a23d84..62df1db 100644
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
  
-@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +97,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
  
  init_read_utmp(sblim_gatherd_t)
  
@@ -81228,7 +87117,7 @@ index 4a23d84..62df1db 100644
  sysnet_dns_name_resolve(sblim_gatherd_t)
  
  term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +115,9 @@ optional_policy(`
+@@ -103,8 +118,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81239,7 +87128,7 @@ index 4a23d84..62df1db 100644
  ')
  
  optional_policy(`
-@@ -117,6 +130,29 @@ optional_policy(`
+@@ -117,6 +133,33 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -81266,7 +87155,11 @@ index 4a23d84..62df1db 100644
 +
 +auth_use_nsswitch(sblim_sfcbd_t)
 +
-+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
++corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
++corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
++
++dev_read_rand(sblim_sfcbd_t)
++dev_read_urand(sblim_sfcbd_t)
 +
 +domain_read_all_domains_state(sblim_sfcbd_t)
 +domain_use_interactive_fds(sblim_sfcbd_t)
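Review bot: `corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)` is replaced by the http port bind rather than supplemented, so an sfcbd configured with its TLS listener on the pegasus_https port will now be denied the bind and silently lose the encrypted endpoint. Unless the https listener is known to be unused, keep both: `corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)` and `corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)`. The sfcbd block continues outside this hunk.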
@@ -82242,20 +88135,24 @@ index 5f35d78..50651d2 100644
 +	uucp_domtrans_uux(sendmail_t)
  ')
 diff --git a/sensord.fc b/sensord.fc
-index 8185d5a..719ac47 100644
+index 8185d5a..97926d2 100644
 --- a/sensord.fc
 +++ b/sensord.fc
-@@ -1,3 +1,5 @@
+@@ -1,5 +1,9 @@
 +/lib/systemd/system/sensord.service		--	gen_context(system_u:object_r:sensord_unit_file_t,s0)
 +
  /etc/rc\.d/init\.d/sensord	--	gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
  
  /usr/sbin/sensord	--	gen_context(system_u:object_r:sensord_exec_t,s0)
+ 
++/var/log/sensord\.rrd	--	gen_context(system_u:object_r:sensord_log_t,s0)
++
+ /var/run/sensord\.pid	--	gen_context(system_u:object_r:sensord_var_run_t,s0)
 diff --git a/sensord.if b/sensord.if
-index d204752..5eba5fd 100644
+index d204752..31cc6e6 100644
 --- a/sensord.if
 +++ b/sensord.if
-@@ -1,35 +1,75 @@
+@@ -1,35 +1,80 @@
 -## <summary>Sensor information logging daemon.</summary>
 +
 +## <summary>Sensor information logging daemon</summary>
@@ -82323,7 +88220,9 @@ index d204752..5eba5fd 100644
  	gen_require(`
 -		type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
 +		type sensord_t;
-+	type sensord_unit_file_t;
++		type sensord_unit_file_t;
++		type sensord_log_t;
++		type sensord_var_run_t;
  	')
  
  	allow $1 sensord_t:process { ptrace signal_perms };
@@ -82338,17 +88237,19 @@ index d204752..5eba5fd 100644
 +	allow $1 sensord_unit_file_t:service all_service_perms;
  
 -	files_search_pids($1)
--	admin_pattern($1, sensord_var_run_t)
++	admin_pattern($1, sensord_log_t)
+ 	admin_pattern($1, sensord_var_run_t)
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
  ')
 diff --git a/sensord.te b/sensord.te
-index 5e82fd6..fa352d8 100644
+index 5e82fd6..f3e5808 100644
 --- a/sensord.te
 +++ b/sensord.te
-@@ -9,6 +9,9 @@ type sensord_t;
+@@ -9,12 +9,18 @@ type sensord_t;
  type sensord_exec_t;
  init_daemon_domain(sensord_t, sensord_exec_t)
  
@@ -82358,7 +88259,24 @@ index 5e82fd6..fa352d8 100644
  type sensord_initrc_exec_t;
  init_script_file(sensord_initrc_exec_t)
  
-@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
+ type sensord_var_run_t;
+ files_pid_file(sensord_var_run_t)
+ 
++type sensord_log_t;
++logging_log_file(sensord_log_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t)
+ allow sensord_t self:fifo_file rw_fifo_file_perms;
+ allow sensord_t self:unix_stream_socket create_stream_socket_perms;
+ 
++manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t)
++logging_log_filetrans(sensord_t, sensord_log_t, file)
++
+ manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
+ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
  
  dev_read_sysfs(sensord_t)
  
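Review bot: `logging_log_filetrans(sensord_t, sensord_log_t, file)` labels any file sensord creates in the log directory as sensord_log_t, while the matching sensord.fc entry in this patch only covers `/var/log/sensord\.rrd`. Using the named form, `logging_log_filetrans(sensord_t, sensord_log_t, file, "sensord.rrd")`, keeps the transition and the file context in agreement, in the same way this patch already does with `files_pid_filetrans($1, sblim_var_run_t, dir, "gather")`. The sensord local policy continues outside this hunk.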
@@ -82386,7 +88304,7 @@ index 0b3a971..397a522 100644
 -/var/lib/setroubleshoot(/.*)?	gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 +/var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 diff --git a/setroubleshoot.if b/setroubleshoot.if
-index 3a9a70b..039b0c8 100644
+index 3a9a70b..903109c 100644
 --- a/setroubleshoot.if
 +++ b/setroubleshoot.if
 @@ -1,9 +1,8 @@
@@ -82413,7 +88331,32 @@ index 3a9a70b..039b0c8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',`
+ 	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
+ ')
+ 
++#######################################
++## <summary>
++##	Send null signals to setroubleshoot.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`setroubleshoot_signull',`
++	gen_require(`
++		type setroubleshootd_t;
++	')
++
++	allow $1 setroubleshootd_t:process signull;
++')
++
+ ########################################
+ ## <summary>
+ ##	Send and receive messages from
+@@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
  
  ########################################
  ## <summary>
@@ -82443,7 +88386,7 @@ index 3a9a70b..039b0c8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
  #
  interface(`setroubleshoot_admin',`
  	gen_require(`
@@ -82464,7 +88407,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..d686e4a 100644
+index 49b12ae..0f1e101 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -82473,7 +88416,7 @@ index 49b12ae..d686e4a 100644
  
  ########################################
  #
-@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2)
+@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.11.2)
  
  type setroubleshootd_t alias setroubleshoot_t;
  type setroubleshootd_exec_t;
@@ -82505,6 +88448,8 @@ index 49b12ae..d686e4a 100644
  
  allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
 -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
++dontaudit setroubleshootd_t self:capability net_admin;
++
 +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
 +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
 +allow setroubleshootd_t self:process { execmem execstack };
@@ -82535,7 +88480,14 @@ index 49b12ae..d686e4a 100644
  manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
  manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t)
+@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t)
+ kernel_read_network_state(setroubleshootd_t)
+ kernel_dontaudit_list_all_proc(setroubleshootd_t)
+ kernel_read_irq_sysctls(setroubleshootd_t)
++kernel_read_rpc_sysctls(setroubleshootd_t)
+ kernel_read_unlabeled_state(setroubleshootd_t)
+ 
+ corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
  corecmd_read_all_executables(setroubleshootd_t)
  
@@ -82553,7 +88505,7 @@ index 49b12ae..d686e4a 100644
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
-@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
+@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
  dev_getattr_all_chr_files(setroubleshootd_t)
  dev_getattr_mtrr_dev(setroubleshootd_t)
  
@@ -82565,7 +88517,7 @@ index 49b12ae..d686e4a 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t)
+@@ -101,33 +109,32 @@ selinux_read_policy(setroubleshootd_t)
  term_dontaudit_use_all_ptys(setroubleshootd_t)
  term_dontaudit_use_all_ttys(setroubleshootd_t)
  
@@ -82606,7 +88558,7 @@ index 49b12ae..d686e4a 100644
  ')
  
  optional_policy(`
-@@ -135,10 +139,18 @@ optional_policy(`
+@@ -135,10 +142,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82625,7 +88577,7 @@ index 49b12ae..d686e4a 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -148,26 +160,36 @@ optional_policy(`
+@@ -148,26 +163,36 @@ optional_policy(`
  
  ########################################
  #
@@ -82664,7 +88616,7 @@ index 49b12ae..d686e4a 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -83125,10 +89077,18 @@ index 1aeef8a..d5ce40a 100644
  	admin_pattern($1, shorewall_etc_t)
  
 diff --git a/shorewall.te b/shorewall.te
-index ca03de6..c3b5559 100644
+index ca03de6..e0ebb61 100644
 --- a/shorewall.te
 +++ b/shorewall.te
-@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t)
+ 
+ allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+ dontaudit shorewall_t self:capability sys_tty_config;
++allow shorewall_t self:process signal_perms;
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
+ allow shorewall_t self:netlink_socket create_socket_perms;
+ 
+@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
  files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
  
  manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
@@ -83139,7 +89099,7 @@ index ca03de6..c3b5559 100644
  logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
  
  manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
-@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
  manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
  manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
  files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
@@ -83149,7 +89109,7 @@ index ca03de6..c3b5559 100644
  
  allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
  
-@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t)
+@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t)
  domain_read_all_domains_state(shorewall_t)
  
  files_getattr_kernel_modules(shorewall_t)
@@ -83157,7 +89117,7 @@ index ca03de6..c3b5559 100644
  files_search_kernel_modules(shorewall_t)
  
  fs_getattr_all_fs(shorewall_t)
-@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t)
+@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t)
  logging_read_generic_logs(shorewall_t)
  logging_send_syslog_msg(shorewall_t)
  
@@ -83379,9 +89339,18 @@ index 7880d1f..8804935 100644
 +	xserver_xdm_append_log(shutdown_t)
  ')
 diff --git a/slocate.te b/slocate.te
-index ba26427..83d21aa 100644
+index ba26427..8417705 100644
 --- a/slocate.te
 +++ b/slocate.te
+@@ -18,7 +18,7 @@ files_type(locate_var_lib_t)
+ #
+ 
+ allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+-allow locate_t self:process { execmem execheap execstack signal };
++allow locate_t self:process { execmem execheap execstack signal setsched };
+ allow locate_t self:fifo_file rw_fifo_file_perms;
+ allow locate_t self:unix_stream_socket create_socket_perms;
+ 
 @@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
  
  auth_use_nsswitch(locate_t)
@@ -83459,10 +89428,29 @@ index ca32e89..98278dd 100644
 +
  ')
 diff --git a/slpd.te b/slpd.te
-index 66ac42a..1a4c952 100644
+index 66ac42a..5efa3fd 100644
 --- a/slpd.te
 +++ b/slpd.te
-@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
+@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t)
+ # Local policy
+ #
+ 
+-allow slpd_t self:capability { kill setgid setuid };
++allow slpd_t self:capability { kill net_admin setgid setuid };
+ allow slpd_t self:process signal;
+ allow slpd_t self:fifo_file rw_fifo_file_perms;
+ allow slpd_t self:tcp_socket { accept listen };
+@@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file)
+ manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
+ files_pid_filetrans(slpd_t, slpd_var_run_t, file)
+ 
++kernel_read_system_state(slpd_t)
++kernel_read_network_state(slpd_t)
++
+ corenet_all_recvfrom_unlabeled(slpd_t)
+ corenet_all_recvfrom_netlabel(slpd_t)
+ corenet_tcp_sendrecv_generic_if(slpd_t)
+@@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
  corenet_tcp_bind_svrloc_port(slpd_t)
  corenet_udp_bind_svrloc_port(slpd_t)
  
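Review bot: `net_admin` is added to slpd_t's self:capability set with no comment on which operation triggered it; CAP_NET_ADMIN covers interface, routing and firewall configuration, far more than a service-location daemon should need. If the denial comes from a setsockopt that the daemon survives without (buffer-size or similar probes are the usual source), the pattern used elsewhere in this patch for setroubleshootd, `dontaudit slpd_t self:capability net_admin;`, keeps the log quiet without the grant. If it is genuinely required, a comment naming the operation would justify the allow.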
@@ -83473,6 +89461,8 @@ index 66ac42a..1a4c952 100644
  auth_use_nsswitch(slpd_t)
  
 -miscfiles_read_localization(slpd_t)
++logging_send_syslog_msg(slpd_t)
++
 +sysnet_dns_name_resolve(slpd_t)
 diff --git a/slrnpull.te b/slrnpull.te
 index 5437237..3dfc982 100644
@@ -83651,7 +89641,7 @@ index a8b1aaf..fc0a2be 100644
  
  	netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
 diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..14f15a4 100644
+index 9c8f9a5..f074b4d 100644
 --- a/smoltclient.te
 +++ b/smoltclient.te
 @@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
@@ -83669,6 +89659,17 @@ index 9c8f9a5..14f15a4 100644
  
  optional_policy(`
  	abrt_stream_connect(smoltclient_t)
+@@ -77,6 +75,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    libs_exec_ldconfig(smoltclient_t)
++')
++
++optional_policy(`
+ 	rpm_exec(smoltclient_t)
+ 	rpm_read_db(smoltclient_t)
+ ')
 diff --git a/smsd.fc b/smsd.fc
 new file mode 100644
 index 0000000..4c3fcec
@@ -84108,11 +90109,18 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..3f412d5
+index 0000000..660fcd2
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1 @@
+@@ -0,0 +1,8 @@
++HOME_DIR/\.snapshots    -d  gen_context(system_u:object_r:snapperd_home_t,s0)
++
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
++
++/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
++/etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
++
++/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
 index 0000000..94105ee
@@ -84163,10 +90171,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..ad232be
+index 0000000..3591c8e
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,81 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -84178,6 +90186,18 @@ index 0000000..ad232be
 +type snapperd_exec_t;
 +init_daemon_domain(snapperd_t, snapperd_exec_t)
 +
++type snapperd_log_t;
++logging_log_file(snapperd_log_t)
++
++type snapperd_conf_t;
++files_config_file(snapperd_conf_t)
++
++type snapperd_data_t;
++files_type(snapperd_data_t)
++
++type snapperd_home_t;
++userdom_user_home_content(snapperd_home_t)
++
 +########################################
 +#
 +# snapperd local policy
@@ -84186,13 +90206,41 @@ index 0000000..ad232be
 +allow snapperd_t self:fifo_file rw_fifo_file_perms;
 +allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
++logging_log_filetrans(snapperd_t, snapperd_log_t, file)
++
++manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_dirs_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++
++manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++
++manage_files_pattern(snapperd_t, snapperd_home_t, snapperd_home_t)
++manage_dirs_pattern(snapperd_t, snapperd_home_t, snapperd_home_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_home_t, snapperd_home_t)
++
++domain_read_all_domains_state(snapperd_t)
++
++corecmd_exec_shell(snapperd_t)
++corecmd_exec_bin(snapperd_t)
++
++files_write_all_dirs(snapperd_t)
++files_setattr_all_mountpoints(snapperd_t)
++files_relabelto_all_mountpoints(snapperd_t)
++files_relabelfrom_isid_type(snapperd_t)
++files_read_all_files(snapperd_t)
++files_list_all(snapperd_t)
++
++fs_getattr_all_fs(snapperd_t)
++
 +storage_raw_read_fixed_disk(snapperd_t)
 +
 +auth_use_nsswitch(snapperd_t)
 +
-+miscfiles_read_localization(snapperd_t)
-+
 +optional_policy(`
++    dbus_system_domain(snapperd_t, snapperd_exec_t)
 +	dbus_system_bus_client(snapperd_t)
 +	dbus_connect_system_bus(snapperd_t)
 +')
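Review bot: `files_write_all_dirs(snapperd_t)`, `files_read_all_files(snapperd_t)`, `files_relabelto_all_mountpoints(snapperd_t)` and `files_relabelfrom_isid_type(snapperd_t)` hand the daemon write access to every directory and relabel rights over every mountpoint, with no comment on which snapshot operation needs each of them. Relabeling is the one worth documenting: a domain that can relabel mountpoints can move objects into and out of its own reach, so a line such as `# snapshot subvolumes are mounted under arbitrary paths; relabel needed for <operation, fill in>` above the group would let the next reviewer judge the scope. The later hunk in this file adds an optional `unconfined_domain(snapperd_t)`, which if loaded makes these rules redundant; that is raised separately there.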
@@ -84200,8 +90248,16 @@ index 0000000..ad232be
 +optional_policy(`
 +    mount_domtrans(snapperd_t)
 +')
++
++optional_policy(`
++    lvm_domtrans(snapperd_t)
++')
++
++optional_policy(`
++    unconfined_domain(snapperd_t)
++')
 diff --git a/snmp.fc b/snmp.fc
-index c73fa24..408ff61 100644
+index c73fa24..50d80f4 100644
 --- a/snmp.fc
 +++ b/snmp.fc
 @@ -1,6 +1,6 @@
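Review bot: `unconfined_domain(snapperd_t)` inside an optional_policy block turns snapperd into an unconfined domain whenever the unconfined module is loaded, which makes every rule written for snapperd_t earlier in this file irrelevant on such systems. If this is a stop-gap until the confined rules are complete, say so in a comment above the block, for example `# TODO: temporary until snapperd denials are resolved (see <bug id, fill in>)`, so it is not mistaken for the intended design. Otherwise the earlier fine-grained rules should be dropped rather than carried alongside an unconfined grant.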
@@ -84220,10 +90276,11 @@ index c73fa24..408ff61 100644
  
  /var/log/snmpd\.log.*	--	gen_context(system_u:object_r:snmpd_log_t,s0)
  
+-/var/run/net-snmpd(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
+-/var/run/snmpd(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 +/var/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 +
- /var/run/net-snmpd(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
--/var/run/snmpd(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
++/var/run/net-snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 +/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
  /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --git a/snmp.if b/snmp.if
@@ -84341,7 +90398,7 @@ index 7a9cc9d..86cbca9 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 81864ce..4b6b771 100644
+index 81864ce..e0f790d 100644
 --- a/snmp.te
 +++ b/snmp.te
 @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@@ -84397,7 +90454,14 @@ index 81864ce..4b6b771 100644
  files_read_etc_runtime_files(snmpd_t)
  files_search_home(snmpd_t)
  
-@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t)
+@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t)
+ storage_dontaudit_read_fixed_disk(snmpd_t)
+ storage_dontaudit_read_removable_device(snmpd_t)
+ storage_dontaudit_write_removable_device(snmpd_t)
++storage_getattr_fixed_disk_dev(snmpd_t)
++storage_getattr_removable_dev(snmpd_t)
+ 
+ auth_use_nsswitch(snmpd_t)
  
  init_read_utmp(snmpd_t)
  init_dontaudit_write_utmp(snmpd_t)
@@ -84411,7 +90475,7 @@ index 81864ce..4b6b771 100644
  
  seutil_dontaudit_search_config(snmpd_t)
  
-@@ -131,7 +133,11 @@ optional_policy(`
+@@ -131,7 +135,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -84424,6 +90488,14 @@ index 81864ce..4b6b771 100644
  ')
  
  optional_policy(`
+@@ -140,6 +148,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	mta_read_config(snmpd_t)
++    mta_read_aliases(snmpd_t)
+ 	mta_search_queue(snmpd_t)
+ ')
+ 
 diff --git a/snort.if b/snort.if
 index 7d86b34..5f58180 100644
 --- a/snort.if
@@ -84457,7 +90529,7 @@ index 7d86b34..5f58180 100644
 +	files_list_pids($1)
  ')
 diff --git a/snort.te b/snort.te
-index ccd28bb..80106ac 100644
+index ccd28bb..6e335a9 100644
 --- a/snort.te
 +++ b/snort.te
 @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
@@ -84475,7 +90547,18 @@ index ccd28bb..80106ac 100644
  allow snort_t self:netlink_firewall_socket create_socket_perms;
  
  allow snort_t snort_etc_t:dir list_dir_perms;
-@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t)
+@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms;
+ allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+-append_files_pattern(snort_t, snort_log_t, snort_log_t)
+-create_files_pattern(snort_t, snort_log_t, snort_log_t)
+-setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
++manage_files_pattern(snort_t, snort_log_t, snort_log_t)
+ logging_log_filetrans(snort_t, snort_log_t, { file dir })
+ 
+ manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
  kernel_dontaudit_read_system_state(snort_t)
  kernel_read_network_state(snort_t)
  
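Review bot: Replacing the append/create/setattr trio on snort_log_t with `manage_files_pattern(snort_t, snort_log_t, snort_log_t)` also grants write, unlink and rename on existing log files, so a compromised sensor process could truncate or remove its own IDS logs where before it could only append to them. If the denial that motivated this was log rotation, the narrower `rename_files_pattern(snort_t, snort_log_t, snort_log_t)` and `delete_files_pattern(snort_t, snort_log_t, snort_log_t)` express that without giving up append-only writes; otherwise a comment stating why full manage access is needed would help the next reviewer. The snort_t local policy continues outside this hunk.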
@@ -84483,7 +90566,7 @@ index ccd28bb..80106ac 100644
  corenet_all_recvfrom_netlabel(snort_t)
  corenet_tcp_sendrecv_generic_if(snort_t)
  corenet_udp_sendrecv_generic_if(snort_t)
-@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t)
+@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t)
  
  domain_use_interactive_fds(snort_t)
  
@@ -84518,7 +90601,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..499d7e9 100644
+index 703efa3..08a6332 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -84539,7 +90622,7 @@ index 703efa3..499d7e9 100644
 -allow sosreport_t self:process { setsched signull };
 +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown };
 +dontaudit sosreport_t self:capability sys_ptrace;
-+allow sosreport_t self:process { setpgid setsched signull };
++allow sosreport_t self:process { setpgid setsched signal_perms };
  allow sosreport_t self:fifo_file rw_fifo_file_perms;
  allow sosreport_t self:tcp_socket { accept listen };
  allow sosreport_t self:unix_stream_socket { accept listen };
@@ -84561,10 +90644,12 @@ index 703efa3..499d7e9 100644
  manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
  fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
  
-@@ -49,6 +61,17 @@ kernel_read_software_raid_state(sosreport_t)
+@@ -48,6 +60,18 @@ kernel_read_all_sysctls(sosreport_t)
+ kernel_read_software_raid_state(sosreport_t)
  kernel_search_debugfs(sosreport_t)
  kernel_read_messages(sosreport_t)
- 
++kernel_request_load_module(sosreport_t)
++
 +corenet_all_recvfrom_netlabel(sosreport_t)
 +corenet_tcp_sendrecv_generic_if(sosreport_t)
 +corenet_tcp_sendrecv_generic_node(sosreport_t)
@@ -84575,21 +90660,21 @@ index 703efa3..499d7e9 100644
 +corenet_tcp_connect_http_port(sosreport_t)
 +corenet_tcp_connect_all_ports(sosreport_t)
 +corenet_sendrecv_http_client_packets(sosreport_t)
-+
+ 
  corecmd_exec_all_executables(sosreport_t)
  
- dev_getattr_all_chr_files(sosreport_t)
-@@ -58,6 +81,9 @@ dev_read_rand(sosreport_t)
+@@ -58,6 +82,10 @@ dev_read_rand(sosreport_t)
  dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
 +dev_rw_generic_usb_dev(sosreport_t)
++dev_rw_lvm_control(sosreport_t)
 +dev_getattr_all_chr_files(sosreport_t)
 +dev_getattr_all_blk_files(sosreport_t)
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -65,12 +91,13 @@ domain_getattr_all_sockets(sosreport_t)
+@@ -65,12 +93,13 @@ domain_getattr_all_sockets(sosreport_t)
  domain_getattr_all_pipes(sosreport_t)
  
  files_getattr_all_sockets(sosreport_t)
@@ -84604,7 +90689,7 @@ index 703efa3..499d7e9 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,27 +106,41 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +108,49 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -84627,8 +90712,11 @@ index 703efa3..499d7e9 100644
  
  init_domtrans_script(sosreport_t)
 +init_getattr_initctl(sosreport_t)
++init_status(sosreport_t)
++init_stream_connect(sosreport_t)
  
  libs_domtrans_ldconfig(sosreport_t)
++libs_use_ld_so(sosreport_t)
  
  logging_read_all_logs(sosreport_t)
  logging_send_syslog_msg(sosreport_t)
@@ -84642,6 +90730,11 @@ index 703efa3..499d7e9 100644
  	abrt_manage_pid_files(sosreport_t)
  	abrt_manage_cache(sosreport_t)
 +	abrt_stream_connect(sosreport_t)
++    abrt_signal(sosreport_t)
++')
++
++optional_policy(`
++    bootloader_exec(sosreport_t)
 +')
 +
 +optional_policy(`
@@ -84649,10 +90742,15 @@ index 703efa3..499d7e9 100644
  ')
  
  optional_policy(`
-@@ -111,6 +152,11 @@ optional_policy(`
+@@ -111,6 +162,16 @@ optional_policy(`
  ')
  
  optional_policy(`
++    lvm_read_config(sosreport_t)
++    lvm_dontaudit_access_check_lock(sosreport_t)
++')
++
++optional_policy(`
 +	# needed by modinfo
 +	modutils_read_module_deps(sosreport_t)
 +')
@@ -84661,6 +90759,61 @@ index 703efa3..499d7e9 100644
  	fstools_domtrans(sosreport_t)
  ')
  
+@@ -120,6 +181,10 @@ optional_policy(`
+ 	optional_policy(`
+ 		hal_dbus_chat(sosreport_t)
+ 	')
++
++    optional_policy(`
++        rpm_dbus_chat(sosreport_t)
++    ')
+ ')
+ 
+ optional_policy(`
+@@ -131,15 +196,40 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    prelink_domtrans(sosreport_t)
++')
++
++optional_policy(`
+ 	pulseaudio_run(sosreport_t, sosreport_roles)
+ ')
+ 
+ optional_policy(`
+-	rpm_exec(sosreport_t)
+-	rpm_dontaudit_manage_db(sosreport_t)
+-	rpm_read_db(sosreport_t)
++    rhsmcertd_manage_lib_files(sosreport_t)
++    rhsmcertd_manage_pid_files(sosreport_t)
++')
++
++optional_policy(`
++    rpm_dontaudit_manage_db(sosreport_t)
++    rpm_manage_cache(sosreport_t)
++    rpm_manage_log(sosreport_t)
++    rpm_manage_pid_files(sosreport_t)
++    rpm_named_filetrans_log_files(sosreport_t)
++    rpm_read_db(sosreport_t)
++    rpm_signull(sosreport_t)
++')
++
++optional_policy(`
++    setroubleshoot_signull(sosreport_t)
++')
++
++optional_policy(`
++    unconfined_signull(sosreport_t)
+ ')
+ 
+ optional_policy(`
+ 	xserver_stream_connect(sosreport_t)
+ ')
++
++optional_policy(`
++    unconfined_domain(sosreport_t)
++')
 diff --git a/soundserver.if b/soundserver.if
 index a5abc5a..b9eff74 100644
 --- a/soundserver.if
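Review bot: `unconfined_domain(sosreport_t)` at the end of the new side makes sosreport_t unconfined whenever the unconfined module is loaded, which on a targeted policy is the normal case, so every fine-grained rule added in this and the preceding sosreport.te hunks (corenet, rpm, lvm, rhsmcertd, the signull interfaces) has no effect in that configuration. If this is a deliberate stopgap, say so next to the rule, e.g. `# TODO(<bug id>): sosreport_t runs unconfined; the rules above only matter once this is dropped`, so the intent is recoverable; if it is not deliberate, the block should go. The `unconfined_domain(tuned_t)` added at the end of the tuned.te hunk further down has the same problem and deserves the same treatment.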
@@ -85229,7 +91382,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..4babad1 100644
+index 4faa7e0..32f670e 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -1,4 +1,4 @@
@@ -85308,7 +91461,7 @@ index 4faa7e0..4babad1 100644
  type spamd_initrc_exec_t;
  init_script_file(spamd_initrc_exec_t)
  
-@@ -72,87 +39,196 @@ type spamd_log_t;
+@@ -72,87 +39,199 @@ type spamd_log_t;
  logging_log_file(spamd_log_t)
  
  type spamd_spool_t;
@@ -85445,6 +91598,8 @@ index 4faa7e0..4babad1 100644
 +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
++userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
++userdom_admin_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
 +userdom_home_manager(spamassassin_t)
 +
  kernel_read_kernel_sysctls(spamassassin_t)
@@ -85510,6 +91665,7 @@ index 4faa7e0..4babad1 100644
 +	userdom_manage_user_home_content_dirs(spamd_t)
 +	userdom_manage_user_home_content_files(spamd_t)
 +	userdom_manage_user_home_content_symlinks(spamd_t)
++	userdom_exec_user_bin_files(spamd_t)
  ')
  
 -tunable_policy(`use_samba_home_dirs',`
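Review bot: `userdom_exec_user_bin_files(spamd_t)` lets the spamd system daemon execute files in user home directories, and those files are writable by the users themselves, so a local user gains a way to run code with spamd_t's rights, including its network access and the home-content manage rules just above. The enclosing `tunable_policy` block starts outside this hunk, so I cannot see which boolean gates it; the rule should sit behind a boolean that defaults to off and carry a comment such as `# executes user-installed plugins from $HOME; guarded by <tunable>` naming it.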
@@ -85527,7 +91683,7 @@ index 4faa7e0..4babad1 100644
  		nis_use_ypbind_uncond(spamassassin_t)
  	')
  ')
-@@ -160,6 +236,8 @@ optional_policy(`
+@@ -160,6 +239,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -85536,7 +91692,7 @@ index 4faa7e0..4babad1 100644
  ')
  
  ########################################
-@@ -167,72 +245,85 @@ optional_policy(`
+@@ -167,72 +248,85 @@ optional_policy(`
  # Client local policy
  #
  
@@ -85653,7 +91809,7 @@ index 4faa7e0..4babad1 100644
  
  optional_policy(`
  	abrt_stream_connect(spamc_t)
-@@ -243,6 +334,7 @@ optional_policy(`
+@@ -243,6 +337,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85661,7 +91817,7 @@ index 4faa7e0..4babad1 100644
  	evolution_stream_connect(spamc_t)
  ')
  
-@@ -251,52 +343,55 @@ optional_policy(`
+@@ -251,52 +346,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85742,7 +91898,7 @@ index 4faa7e0..4babad1 100644
  logging_log_filetrans(spamd_t, spamd_log_t, file)
  
  manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +403,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +406,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
@@ -85752,7 +91908,7 @@ index 4faa7e0..4babad1 100644
  manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  
-@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +416,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
  
@@ -85768,7 +91924,7 @@ index 4faa7e0..4babad1 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +431,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -85778,6 +91934,7 @@ index 4faa7e0..4babad1 100644
  corenet_tcp_bind_spamd_port(spamd_t)
 -
 -corenet_sendrecv_razor_client_packets(spamd_t)
++corenet_tcp_connect_spamd_port(spamd_t)
  corenet_tcp_connect_razor_port(spamd_t)
 -
 -corenet_sendrecv_smtp_client_packets(spamd_t)
@@ -85871,7 +92028,7 @@ index 4faa7e0..4babad1 100644
  ')
  
  optional_policy(`
-@@ -421,21 +498,13 @@ optional_policy(`
+@@ -421,21 +502,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85895,7 +92052,7 @@ index 4faa7e0..4babad1 100644
  ')
  
  optional_policy(`
-@@ -443,8 +512,8 @@ optional_policy(`
+@@ -443,8 +516,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85905,7 +92062,7 @@ index 4faa7e0..4babad1 100644
  ')
  
  optional_policy(`
-@@ -455,7 +524,12 @@ optional_policy(`
+@@ -455,7 +528,12 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -85919,7 +92076,7 @@ index 4faa7e0..4babad1 100644
  ')
  
  optional_policy(`
-@@ -463,9 +537,9 @@ optional_policy(`
+@@ -463,9 +541,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85930,7 +92087,7 @@ index 4faa7e0..4babad1 100644
  ')
  
  optional_policy(`
-@@ -474,32 +548,32 @@ optional_policy(`
+@@ -474,32 +552,32 @@ optional_policy(`
  
  ########################################
  #
@@ -85973,7 +92130,7 @@ index 4faa7e0..4babad1 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -86005,6 +92162,222 @@ index 4faa7e0..4babad1 100644
 +	gpg_manage_home_content(spamd_update_t)
  ')
 +
+diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc
+new file mode 100644
+index 0000000..545f682
+--- /dev/null
++++ b/speech-dispatcher.fc
+@@ -0,0 +1,5 @@
++/usr/bin/speech-dispatcher		--	gen_context(system_u:object_r:speech-dispatcher_exec_t,s0)
++
++/usr/lib/systemd/system/speech-dispatcherd.service		--	gen_context(system_u:object_r:speech-dispatcher_unit_file_t,s0)
++
++/var/log/speech-dispatcher(/.*)?		gen_context(system_u:object_r:speech-dispatcher_log_t,s0)
+diff --git a/speech-dispatcher.if b/speech-dispatcher.if
+new file mode 100644
+index 0000000..ddfed09
+--- /dev/null
++++ b/speech-dispatcher.if
+@@ -0,0 +1,142 @@
++
++## <summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
++
++########################################
++## <summary>
++##	Execute speech-dispatcher in the speech-dispatcher domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`speech-dispatcher_domtrans',`
++	gen_require(`
++		type speech-dispatcher_t, speech-dispatcher_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, speech-dispatcher_exec_t, speech-dispatcher_t)
++')
++########################################
++## <summary>
++##	Read speech-dispatcher's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`speech-dispatcher_read_log',`
++	gen_require(`
++		type speech-dispatcher_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++')
++
++########################################
++## <summary>
++##	Append to speech-dispatcher log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`speech-dispatcher_append_log',`
++	gen_require(`
++		type speech-dispatcher_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++')
++
++########################################
++## <summary>
++##	Manage speech-dispatcher log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`speech-dispatcher_manage_log',`
++	gen_require(`
++		type speech-dispatcher_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++	manage_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++	manage_lnk_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
++')
++########################################
++## <summary>
++##	Execute speech-dispatcher server in the speech-dispatcher domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`speech-dispatcher_systemctl',`
++	gen_require(`
++		type speech-dispatcher_t;
++		type speech-dispatcher_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 speech-dispatcher_unit_file_t:file read_file_perms;
++	allow $1 speech-dispatcher_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, speech-dispatcher_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an speech-dispatcher environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`speech-dispatcher_admin',`
++	gen_require(`
++		type speech-dispatcher_t;
++		type speech-dispatcher_log_t;
++	    type speech-dispatcher_unit_file_t;
++	')
++
++	allow $1 speech-dispatcher_t:process { signal_perms };
++	ps_process_pattern($1, speech-dispatcher_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 speech-dispatcher_t:process ptrace;
++    ')
++
++	logging_search_logs($1)
++	admin_pattern($1, speech-dispatcher_log_t)
++
++	speech-dispatcher_systemctl($1)
++	admin_pattern($1, speech-dispatcher_unit_file_t)
++	allow $1 speech-dispatcher_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/speech-dispatcher.te b/speech-dispatcher.te
+new file mode 100644
+index 0000000..931fa6c
+--- /dev/null
++++ b/speech-dispatcher.te
+@@ -0,0 +1,51 @@
++policy_module(speech-dispatcher, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type speech-dispatcher_t;
++type speech-dispatcher_exec_t;
++init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t)
++application_executable_file(speech-dispatcher_exec_t)
++
++type speech-dispatcher_log_t;
++logging_log_file(speech-dispatcher_log_t)
++
++type speech-dispatcher_unit_file_t;
++systemd_unit_file(speech-dispatcher_unit_file_t)
++
++type speech-dispatcher_tmp_t;
++files_tmp_file(speech-dispatcher_tmp_t)
++
++type speech-dispatcher_tmpfs_t;
++files_tmpfs_file(speech-dispatcher_tmpfs_t)
++
++########################################
++#
++# speech-dispatcher local policy
++#
++allow speech-dispatcher_t self:process { fork signal_perms };
++allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms;
++allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms;
++allow speech-dispatcher_t self:tcp_socket create_socket_perms;
++
++manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
++logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir })
++
++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmp_t, speech-dispatcher_tmp_t)
++files_tmp_filetrans(speech-dispatcher_t, speech-dispatcher_tmp_t, { file })
++
++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t)
++fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file })
++
++kernel_read_system_state(speech-dispatcher_t)
++
++auth_read_passwd(speech-dispatcher_t)
++
++corenet_tcp_connect_pdps_port(speech-dispatcher_t)
++
++dev_read_urand(speech-dispatcher_t)
++
 diff --git a/speedtouch.te b/speedtouch.te
 index 9025dbd..388ce0a 100644
 --- a/speedtouch.te
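Review bot: The new interfaces are named with a hyphen (`speech-dispatcher_domtrans`, `speech-dispatcher_systemctl`, ...), and m4's default word syntax does not include `-`, so a caller such as the `speech-dispatcher_systemctl($1)` call inside `speech-dispatcher_admin` is probably not recognised as a macro and would reach the compiler unexpanded; this is worth verifying with a test caller before merge, or the interfaces renamed with underscores. The summary of `speech-dispatcher_systemctl` also says it executes the server in its domain while the body grants systemctl and unit-file access; `##	Allow the domain to manage the speech-dispatcher service via systemctl.` describes what it does. Separately, the `.if` mixes spaces and tabs (`systemd_read_fifo_file_passwd_run($1)` in `speech-dispatcher_systemctl`, the `gen_require` and `tunable_policy` lines in `speech-dispatcher_admin`).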
@@ -86278,7 +92651,7 @@ index dbb005a..45291bb 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..16a04bf 100644
+index a240455..3dd6f00 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,21 +1,21 @@
@@ -86572,7 +92945,7 @@ index a240455..16a04bf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',`
  
  ########################################
  ## <summary>
@@ -86597,12 +92970,31 @@ index a240455..16a04bf 100644
 +
 +########################################
 +## <summary>
++##     Manage keys for all user domains.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`sssd_manage_keys',`
++       gen_require(`
++               type sssd_t;
++       ')
++
++       allow $1 sssd_t:key manage_key_perms;
++       allow sssd_t $1:key manage_key_perms;
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate
 +##	an sssd environment
  ## </summary>
  ## <param name="domain">
  ##	<summary>
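Review bot: The summary of `sssd_manage_keys` says "Manage keys for all user domains", but the body grants `key manage_key_perms` in both directions between the single caller `$1` and `sssd_t`, so it neither covers all user domains nor is one-way; `##	Allow the specified domain and sssd to manage each other's kernel keyrings.` describes it. Callers should also be told that the second rule gives sssd_t write access to their own keyring, which is worth a sentence in the description. The added block is indented with spaces where the rest of the file uses tabs.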
-@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -86611,7 +93003,7 @@ index a240455..16a04bf 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',`
  interface(`sssd_admin',`
  	gen_require(`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -86653,7 +93045,7 @@ index a240455..16a04bf 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 8b537aa..3bce4df 100644
+index 8b537aa..fb39837 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -1,4 +1,4 @@
@@ -86696,9 +93088,11 @@ index 8b537aa..3bce4df 100644
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
  
  manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+ 
  kernel_read_network_state(sssd_t)
  kernel_read_system_state(sssd_t)
++kernel_request_load_module(sssd_t)
  
 -corenet_all_recvfrom_unlabeled(sssd_t)
 -corenet_all_recvfrom_netlabel(sssd_t)
@@ -86714,7 +93108,7 @@ index 8b537aa..3bce4df 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -86724,7 +93118,7 @@ index 8b537aa..3bce4df 100644
  files_list_var_lib(sssd_t)
  
  fs_list_inotifyfs(sssd_t)
-@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t)
+@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t)
  
  seutil_read_file_contexts(sssd_t)
  # sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
@@ -86742,7 +93136,7 @@ index 8b537aa..3bce4df 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +106,34 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -86753,6 +93147,7 @@ index 8b537aa..3bce4df 100644
  
 +userdom_manage_tmp_role(system_r, sssd_t)
 +userdom_manage_all_users_keys(sssd_t)
++userdom_home_reader(sssd_t)
 +
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
@@ -86769,15 +93164,16 @@ index 8b537aa..3bce4df 100644
 +
 +optional_policy(`
 +	dirsrv_stream_connect(sssd_t)
- ')
++')
 +
 +optional_policy(`
 +	ldap_stream_connect(sssd_t)
-+    ldap_read_certs(sssd_t)
++	ldap_read_certs(sssd_t)
 +')
 +
-+userdom_home_reader(sssd_t)
-+
++optional_policy(`
++	systemd_login_read_pid_files(sssd_t)
+ ')
 diff --git a/stapserver.fc b/stapserver.fc
 new file mode 100644
 index 0000000..0ccce59
@@ -87253,7 +93649,7 @@ index 2ac91b6..dd2ac36 100644
  ')
 +
 diff --git a/svnserve.te b/svnserve.te
-index c6aaac7..a5600a8 100644
+index c6aaac7..84cdcac 100644
 --- a/svnserve.te
 +++ b/svnserve.te
 @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
@@ -87297,12 +93693,16 @@ index c6aaac7..a5600a8 100644
  corenet_all_recvfrom_unlabeled(svnserve_t)
  corenet_all_recvfrom_netlabel(svnserve_t)
  corenet_tcp_sendrecv_generic_if(svnserve_t)
-@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t)
+@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
+ corenet_udp_bind_svn_port(svnserve_t)
+ corenet_udp_sendrecv_svn_port(svnserve_t)
  
- logging_send_syslog_msg(svnserve_t)
+-logging_send_syslog_msg(svnserve_t)
++dev_read_urand(svnserve_t)
  
 -miscfiles_read_localization(svnserve_t)
--
++logging_send_syslog_msg(svnserve_t)
+ 
  sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
@@ -87465,10 +93865,10 @@ index 0000000..df82c36
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..c7b2bf6
+index 0000000..7bef550
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,80 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@@ -87480,6 +93880,9 @@ index 0000000..c7b2bf6
 +type swift_exec_t;
 +init_daemon_domain(swift_t, swift_exec_t)
 +
++type swift_tmp_t;
++files_tmpfs_file(swift_tmp_t)
++
 +type swift_var_cache_t;
 +files_type(swift_var_cache_t)
 +
@@ -87504,6 +93907,10 @@ index 0000000..c7b2bf6
 +allow swift_t self:unix_stream_socket create_stream_socket_perms;
 +allow swift_t self:unix_dgram_socket create_socket_perms;
 +
++manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
++manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
++files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
++
 +manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 +manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 +manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
@@ -87538,6 +93945,10 @@ index 0000000..c7b2bf6
 +logging_send_syslog_msg(swift_t)
 +
 +userdom_dontaudit_search_user_home_dirs(swift_t)
++
++optional_policy(`
++    rpm_exec(swift_t)
++')
 diff --git a/swift_alias.fc b/swift_alias.fc
 new file mode 100644
 index 0000000..b7db254
@@ -89724,11 +96135,10 @@ index 0000000..39d17b7
 +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
 diff --git a/thumb.fc b/thumb.fc
 new file mode 100644
-index 0000000..92b6843
+index 0000000..115bf6c
 --- /dev/null
 +++ b/thumb.fc
-@@ -0,0 +1,18 @@
-+HOME_DIR/\.texlive2012(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
+@@ -0,0 +1,17 @@
 +HOME_DIR/\.thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
 +HOME_DIR/\.cache/thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
 +HOME_DIR/missfont\.log.*		gen_context(system_u:object_r:thumb_home_t,s0)
@@ -89745,7 +96155,7 @@ index 0000000..92b6843
 +/usr/bin/ffmpegthumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/mate-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +
-+/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/lib/tumbler-?[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
 index 0000000..c1fd8b4
@@ -89887,10 +96297,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..b57cc3c
+index 0000000..0e30ce2
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,149 @@
+@@ -0,0 +1,157 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -89940,6 +96350,7 @@ index 0000000..b57cc3c
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
 +userdom_dontaudit_access_check_user_content(thumb_t)
 +userdom_rw_inherited_user_tmpfs_files(thumb_t)
++userdom_manage_home_texlive(thumb_t)
 +
 +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -90005,14 +96416,21 @@ index 0000000..b57cc3c
 +xserver_use_user_fonts(thumb_t)
 +
 +optional_policy(`
-+	dbus_dontaudit_stream_connect_session_bus(thumb_t)
-+	dbus_dontaudit_chat_session_bus(thumb_t)
++    bumblebee_stream_connect(thumb_t)
++')
++
++optional_policy(`
++    dbus_exec_dbusd(thumb_t)
++    dbus_connect_session_bus(thumb_t)
++	dbus_stream_connect_session_bus(thumb_t)
++	dbus_chat_session_bus(thumb_t)
 +')
 +
 +optional_policy(`
 +	# .config
 +	gnome_dontaudit_search_config(thumb_t)
 +	gnome_dontaudit_write_config_files(thumb_t)
++    gnome_append_home_config(thumb_t)
 +	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_dontaudit_rw_generic_cache_files(thumb_t)
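Review bot: The two `dbus_dontaudit_*` rules become full session-bus access (`dbus_exec_dbusd`, `dbus_connect_session_bus`, `dbus_stream_connect_session_bus`, `dbus_chat_session_bus`), which matters for thumb_t because thumbnailers parse untrusted media and the domain exists to contain them; after this a compromised thumbnailer can talk to every session-bus service. Presumably this is because tumblerd is a D-Bus-activated session service, but the hunk does not say so; a comment like `# tumblerd is a D-Bus session service (<bug id>) and needs a real bus connection` next to the block would keep the widening from being reverted or copied elsewhere without thought. The four new dbus lines and `gnome_append_home_config` also mix four-space and tab indentation.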
@@ -90782,7 +97200,7 @@ index 61c2e07..5e1df41 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index 964a395..78962c4 100644
+index 964a395..ea77295 100644
 --- a/tor.te
 +++ b/tor.te
 @@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
@@ -90817,7 +97235,15 @@ index 964a395..78962c4 100644
  corenet_sendrecv_dns_server_packets(tor_t)
  corenet_udp_bind_dns_port(tor_t)
  corenet_udp_sendrecv_dns_port(tor_t)
-@@ -98,19 +107,22 @@ dev_read_urand(tor_t)
+@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+ corenet_sendrecv_tor_server_packets(tor_t)
+ corenet_tcp_bind_tor_port(tor_t)
+ corenet_tcp_sendrecv_tor_port(tor_t)
++corenet_tcp_bind_hplip_port(tor_t)
+ 
+ corenet_sendrecv_all_client_packets(tor_t)
+ corenet_tcp_connect_all_ports(tor_t)
+@@ -98,19 +108,22 @@ dev_read_urand(tor_t)
  domain_use_interactive_fds(tor_t)
  
  files_read_etc_runtime_files(tor_t)
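Review bot: `corenet_tcp_bind_hplip_port(tor_t)` lets the Tor daemon bind the whole hplip port set, and nothing in the hunk explains why a relay needs a printer-subsystem port range; if this is for a non-default ORPort or DirPort that happens to fall in that set, the comment should name the port and the bug, e.g. `# tor configured with ORPort <port> (<bug id>), which is in hplip_port_t`. Without that, a future cleanup cannot tell whether the rule is still needed. The tor_t local policy continues outside this hunk.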
@@ -90934,7 +97360,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..6b315d8 100644
+index 7116181..3f42127 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -90947,7 +97373,7 @@ index 7116181..6b315d8 100644
  type tuned_var_run_t;
  files_pid_file(tuned_var_run_t)
  
-@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t)
  # Local policy
  #
  
@@ -90960,10 +97386,11 @@ index 7116181..6b315d8 100644
 +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow tuned_t self:netlink_socket create_socket_perms;
 +allow tuned_t self:udp_socket create_socket_perms;
++allow tuned_t self:socket create_socket_perms;
  
  read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
  exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
  files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
  
  manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
@@ -90982,11 +97409,12 @@ index 7116181..6b315d8 100644
  manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
  manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
  files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
++allow tuned_t tuned_var_run_t:file  relabel_file_perms;
 +can_exec(tuned_t, tuned_var_run_t)
  
  kernel_read_system_state(tuned_t)
  kernel_read_network_state(tuned_t)
-@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t)
+@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t)
  kernel_rw_kernel_sysctl(tuned_t)
  kernel_rw_hotplug_sysctls(tuned_t)
  kernel_rw_vm_sysctls(tuned_t)
@@ -90995,7 +97423,7 @@ index 7116181..6b315d8 100644
  
  corecmd_exec_bin(tuned_t)
  corecmd_exec_shell(tuned_t)
-@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t)
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
@@ -91008,18 +97436,23 @@ index 7116181..6b315d8 100644
  files_dontaudit_search_home(tuned_t)
 -files_dontaudit_list_tmp(tuned_t)
 +files_list_tmp(tuned_t)
- 
--fs_getattr_xattr_fs(tuned_t)
++
 +fs_getattr_all_fs(tuned_t)
 +fs_search_all(tuned_t)
 +fs_rw_hugetlbfs_files(tuned_t)
-+
+ 
+-fs_getattr_xattr_fs(tuned_t)
 +auth_use_nsswitch(tuned_t)
  
  logging_send_syslog_msg(tuned_t)
++#bug in tuned
++logging_manage_syslog_config(tuned_t)
++logging_filetrans_named_conf(tuned_t)
  
 -miscfiles_read_localization(tuned_t)
 +mount_read_pid_files(tuned_t)
++
++modutils_domtrans_insmod(tuned_t)
  
  udev_read_pid_files(tuned_t)
  
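Review bot: `#bug in tuned` is not enough to justify `logging_manage_syslog_config(tuned_t)` and `logging_filetrans_named_conf(tuned_t)`: they let a tuning daemon rewrite and create syslog configuration, which controls what gets logged, as a workaround for an application defect. The comment should name the bug and the path tuned touches so the rules can be removed once it is fixed, e.g. `# workaround for tuned <bug id>: tuned writes <path> under the syslog config dir; drop when fixed`, and if tuned merely probes the directory without needing to write, a dontaudit would be the safer workaround. The tuned_t local policy continues outside this hunk.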
@@ -91055,6 +97488,14 @@ index 7116181..6b315d8 100644
  optional_policy(`
  	sysnet_domtrans_ifconfig(tuned_t)
  ')
+@@ -96,3 +139,7 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_dbus_send(tuned_t)
+ ')
++
++optional_policy(`
++    unconfined_domain(tuned_t)
++')
 diff --git a/tvtime.if b/tvtime.if
 index 1bb0f7c..372be2f 100644
 --- a/tvtime.if
@@ -92158,7 +98599,7 @@ index af9acc0..cdaf82e 100644
  	admin_pattern($1, uucpd_log_t)
  
 diff --git a/uucp.te b/uucp.te
-index 380902c..75545d6 100644
+index 380902c..c09534e 100644
 --- a/uucp.te
 +++ b/uucp.te
 @@ -31,7 +31,7 @@ type uucpd_ro_t;
@@ -92170,7 +98611,7 @@ index 380902c..75545d6 100644
  
  type uucpd_log_t;
  logging_log_file(uucpd_log_t)
-@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t)
+@@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t)
  kernel_read_system_state(uucpd_t)
  kernel_read_network_state(uucpd_t)
  
@@ -92186,12 +98627,13 @@ index 380902c..75545d6 100644
  corenet_tcp_connect_ssh_port(uucpd_t)
  corenet_tcp_sendrecv_ssh_port(uucpd_t)
  
++corenet_tcp_bind_uucpd_port(uucpd_t)
 +corenet_tcp_connect_uucpd_port(uucpd_t)
 +
  corecmd_exec_bin(uucpd_t)
  corecmd_exec_shell(uucpd_t)
  
-@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t)
+@@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t)
  
  logging_send_syslog_msg(uucpd_t)
  
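Review bot: `corenet_tcp_bind_uucpd_port(uucpd_t)` lets the daemon listen on the uucpd port, but a bind also needs node permission; if uucpd_t does not already have `corenet_tcp_bind_generic_node(uucpd_t)` elsewhere in uucp.te (not visible in this hunk), the bind will still be denied. Please confirm, and add the node rule next to this line if it is missing.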
@@ -92200,7 +98642,7 @@ index 380902c..75545d6 100644
  
  optional_policy(`
  	cron_system_entry(uucpd_t, uucpd_exec_t)
-@@ -125,10 +129,6 @@ optional_policy(`
+@@ -125,10 +130,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92211,7 +98653,7 @@ index 380902c..75545d6 100644
  	ssh_exec(uucpd_t)
  ')
  
-@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t)
+@@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t)
  logging_search_logs(uux_t)
  logging_send_syslog_msg(uux_t)
  
@@ -92336,7 +98778,7 @@ index 1c35171..2cba4df 100644
  	domain_system_change_exemption($1)
  	role_transition $2 varnishd_initrc_exec_t system_r;
 diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..f50c3ff 100644
+index 9d4d8cb..a58e2dd 100644
 --- a/varnishd.te
 +++ b/varnishd.te
 @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -92348,7 +98790,7 @@ index 9d4d8cb..f50c3ff 100644
  
  type varnishd_tmp_t;
  files_tmp_file(varnishd_tmp_t)
-@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
+@@ -43,16 +43,16 @@ type varnishlog_var_run_t;
  files_pid_file(varnishlog_var_run_t)
  
  type varnishlog_log_t;
@@ -92357,9 +98799,11 @@ index 9d4d8cb..f50c3ff 100644
  
  ########################################
  #
-@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
+ # Local policy
+ #
  
- allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };
  dontaudit varnishd_t self:capability sys_tty_config;
 -allow varnishd_t self:process signal;
 +allow varnishd_t self:process { execmem signal };
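Review bot: The `chown` capability added to `allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };` comes with no explanation; CAP_CHOWN lets the daemon change ownership of any file it can already reach, so the rule should record which files varnishd chowns (presumably something under its own var directories — verify) so it can be revisited later. Add a one-line comment above the allow, e.g. `# varnishd chowns <paths placeholder> at startup (<BUG-ID placeholder>)`.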
@@ -92501,7 +98945,7 @@ index 31c752e..ef52235 100644
  	init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/vdagent.te b/vdagent.te
-index 77be35a..0e9a7d1 100644
+index 77be35a..9ed83d0 100644
 --- a/vdagent.te
 +++ b/vdagent.te
 @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -92512,7 +98956,7 @@ index 77be35a..0e9a7d1 100644
  allow vdagent_t self:fifo_file rw_fifo_file_perms;
  allow vdagent_t self:unix_stream_socket { accept listen };
  
-@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,20 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
  setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
  logging_log_filetrans(vdagent_t, vdagent_log_t, file)
  
@@ -92529,14 +98973,19 @@ index 77be35a..0e9a7d1 100644
 -logging_send_syslog_msg(vdagent_t)
 +systemd_read_logind_sessions_files(vdagent_t)
 +systemd_login_read_pid_files(vdagent_t)
-+
-+term_use_virtio_console(vdagent_t)
  
 -miscfiles_read_localization(vdagent_t)
++term_use_virtio_console(vdagent_t)
++
 +logging_send_syslog_msg(vdagent_t)
  
  userdom_read_all_users_state(vdagent_t)
  
++xserver_read_xdm_state(vdagent_t)
++
+ optional_policy(`
+ 	dbus_system_bus_client(vdagent_t)
+ 
 diff --git a/vhostmd.if b/vhostmd.if
 index 22edd58..c3a5364 100644
 --- a/vhostmd.if
@@ -92584,7 +99033,7 @@ index 0be8535..b96e329 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..9bad8b9 100644
+index c30da4c..6351bcb 100644
 --- a/virt.fc
 +++ b/virt.fc
 @@ -1,52 +1,92 @@
@@ -92717,10 +99166,10 @@ index c30da4c..9bad8b9 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +
-+/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
++/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..73549fd 100644
+index 9dec06c..88dcafb 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
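Review bot: `/var/log/qemu-ga\.log.*` matches any name that starts with `qemu-ga.log`, not only rotated copies such as `qemu-ga.log.1`; if rotation is the reason for the change, a comment saying so (`# rotated logs`) would make the intent clear, and a tighter suffix like `\.log(\.[0-9]+|-[0-9]+)?` could be considered if the rotation scheme is known. The change also breaks the column alignment of `--` with the entries above it.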
@@ -93171,17 +99620,35 @@ index 9dec06c..73549fd 100644
  	manage_files_pattern($1, virt_etc_t, virt_etc_t)
  	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
  	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +251,7 @@ interface(`virt_manage_config',`
+@@ -414,8 +251,25 @@ interface(`virt_manage_config',`
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt image files.
 +##	Allow domain to manage virt image files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_getattr_content',`
++	gen_require(`
++		type virt_content_t;
++	')
++
++    allow $1 virt_content_t:file getattr_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow domain to manage virt image files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -450,8 +286,7 @@ interface(`virt_read_content',`
+@@ -450,8 +304,7 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
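Review bot: The summary added for `virt_getattr_content` reads `Allow domain to manage virt image files`, copied from the manage interface below it, but the body only grants `allow $1 virt_content_t:file getattr_file_perms;`; the summary should read `Get the attributes of virt content files.` That allow line is indented with four spaces while the rest of the file uses a tab.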
@@ -93191,7 +99658,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,35 +294,17 @@ interface(`virt_read_content',`
+@@ -459,35 +312,17 @@ interface(`virt_read_content',`
  ##	</summary>
  ## </param>
  #
@@ -93230,7 +99697,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -93294,7 +99761,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',`
  ##	</summary>
  ## </param>
  #
@@ -93337,7 +99804,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -93386,7 +99853,7 @@ index 9dec06c..73549fd 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -93450,7 +99917,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -93517,7 +99984,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -93556,14 +100023,31 @@ index 9dec06c..73549fd 100644
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
 +## <rolecap/>
++#
++interface(`virt_read_log',`
++	gen_require(`
++		type virt_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, virt_log_t, virt_log_t)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to append
++##	virt log files.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The name of the object being created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
  #
 -interface(`virt_home_filetrans_virt_home',`
-+interface(`virt_read_log',`
++interface(`virt_append_log',`
  	gen_require(`
 -		type virt_home_t;
 +		type virt_log_t;
@@ -93571,23 +100055,22 @@ index 9dec06c..73549fd 100644
  
 -	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
 +	logging_search_logs($1)
-+	read_files_pattern($1, virt_log_t, virt_log_t)
++	append_files_pattern($1, virt_log_t, virt_log_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read virt pid files.
-+##	Allow the specified domain to append
-+##	virt log files.
++##	Allow domain to manage virt log files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_pid_files',`
-+interface(`virt_append_log',`
++interface(`virt_manage_log',`
  	gen_require(`
 -		type virt_var_run_t;
 +		type virt_log_t;
@@ -93595,34 +100078,34 @@ index 9dec06c..73549fd 100644
  
 -	files_search_pids($1)
 -	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+	logging_search_logs($1)
-+	append_files_pattern($1, virt_log_t, virt_log_t)
++	manage_dirs_pattern($1, virt_log_t, virt_log_t)
++	manage_files_pattern($1, virt_log_t, virt_log_t)
++	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt pid files.
-+##	Allow domain to manage virt log files
++##	Allow domain to getattr virt image direcories
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_pid_files',`
-+interface(`virt_manage_log',`
++interface(`virt_getattr_images',`
  	gen_require(`
 -		type virt_var_run_t;
-+		type virt_log_t;
++		attribute virt_image_type;
  	')
  
 -	files_search_pids($1)
 -	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+	manage_dirs_pattern($1, virt_log_t, virt_log_t)
-+	manage_files_pattern($1, virt_log_t, virt_log_t)
-+	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
++	virt_search_lib($1)
++	allow $1 virt_image_type:file getattr_file_perms;
  ')
  
  ########################################
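Review bot: The summary for `virt_getattr_images` says `getattr virt image direcories` (typo), but the rule `allow $1 virt_image_type:file getattr_file_perms;` covers files, not directories; either change the summary to `Get the attributes of virt image files.` or add a dir-class rule if directories were meant. From the visible lines, the renamed `virt_manage_log` also no longer calls `logging_search_logs($1)` as `virt_read_log` and `virt_append_log` do, so a caller that has no other search access to /var/log may be unable to reach the log files — confirm whether that is intended.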
@@ -93632,7 +100115,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -93656,7 +100139,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -839,20 +584,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +621,73 @@ interface(`virt_search_lib',`
  ##	</summary>
  ## </param>
  #
@@ -93735,44 +100218,40 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_lib_files',`
 +interface(`virt_manage_cache',`
- 	gen_require(`
--		type virt_var_lib_t;
++	gen_require(`
 +		type virt_cache_t;
- 	')
- 
--	files_search_var_lib($1)
--	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++	')
++
 +	files_search_var($1)
 +	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
 +	manage_files_pattern($1, virt_cache_t, virt_cache_t)
 +	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in virt pid
--##	directories with a private type.
++')
++
++########################################
++## <summary>
 +##	Allow domain to manage virt image files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="private type">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`virt_manage_images',`
-+	gen_require(`
-+		type virt_var_lib_t;
+ 	gen_require(`
+ 		type virt_var_lib_t;
 +		attribute virt_image_type;
-+	')
-+
+ 	')
+ 
+-	files_search_var_lib($1)
+-	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 +	virt_search_lib($1)
 +	allow $1 virt_image_type:dir list_dir_perms;
 +	manage_dirs_pattern($1, virt_image_type, virt_image_type)
@@ -93802,19 +100281,19 @@ index 9dec06c..73549fd 100644
 +    manage_dirs_pattern($1, virt_image_t, virt_image_t)
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The type of the object to be created.
++##	<summary>
 +##	Domain allowed to transition.
- ##	</summary>
- ## </param>
--## <param name="object">
++##	</summary>
++## </param>
 +#
 +interface(`virt_systemctl',`
 +	gen_require(`
@@ -93834,24 +100313,85 @@ index 9dec06c..73549fd 100644
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`virt_ptrace',`
++	gen_require(`
++		attribute virt_domain;
++	')
++
++	allow $1 virt_domain:process ptrace;
++')
++
++#######################################
++## <summary>
++##	Execute Sandbox Files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
++#
++interface(`virt_exec_sandbox_files',`
++	gen_require(`
++		type svirt_sandbox_file_t;
++	')
++
++	can_exec($1, svirt_sandbox_file_t)
++')
++
++#######################################
++## <summary>
++##	Manage Sandbox Files
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The type of the object to be created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="object">
++#
++interface(`virt_manage_sandbox_files',`
++	gen_require(`
++		type svirt_sandbox_file_t;
++	')
++
++	manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++	manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++')
++
++#######################################
++## <summary>
++##	Relabel Sandbox File systems
++## </summary>
++## <param name="domain">
  ##	<summary>
 -##	The object class of the object being created.
-+##	Domain allowed to transition.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
 -## <param name="name" optional="true">
 +#
-+interface(`virt_ptrace',`
++interface(`virt_relabel_sandbox_filesystem',`
 +	gen_require(`
-+		attribute virt_domain;
++		type svirt_sandbox_file_t;
 +	')
 +
-+	allow $1 virt_domain:process ptrace;
++	allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto };
 +')
 +
 +#######################################
 +## <summary>
-+##	Connect to virt over a unix domain stream socket.
++##	Mounton Sandbox Files
 +## </summary>
 +## <param name="domain">
  ##	<summary>
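Review bot: `virt_ptrace`'s parameter summary says `Domain allowed to transition.` although the interface grants `allow $1 virt_domain:process ptrace;` and involves no transition; it should read `Domain allowed access.` like the sandbox interfaces below it. Because ptrace over the whole `virt_domain` attribute lets the caller inspect every guest process, the summary could state that scope explicitly (`Ptrace all virt domains.`) so callers understand what they are requesting. `virt_manage_sandbox_files` covers dir, file, fifo, chr and lnk classes but not sock_file; if sandboxes create unix sockets under `svirt_sandbox_file_t`, `manage_sock_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)` is needed too.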
@@ -93862,9 +100402,27 @@ index 9dec06c..73549fd 100644
 -## <infoflow type="write" weight="10"/>
  #
 -interface(`virt_pid_filetrans',`
-+interface(`virt_stream_connect_sandbox',`
++interface(`virt_mounton_sandbox_file',`
  	gen_require(`
 -		type virt_var_run_t;
++		type svirt_sandbox_file_t;
++	')
++
++	allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
++')
++
++#######################################
++## <summary>
++##	Connect to virt over a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_stream_connect_sandbox',`
++	gen_require(`
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
  	')
@@ -93926,93 +100484,110 @@ index 9dec06c..73549fd 100644
  ## <summary>
 -##	Append virt log files.
 +##	Do not audit attempts to write virt daemon unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`virt_dontaudit_write_pipes',`
++	gen_require(`
++		type virtd_t;
++	')
++
++	dontaudit $1 virtd_t:fd use;
++	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -935,19 +961,17 @@ interface(`virt_read_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_append_log',`
-+interface(`virt_dontaudit_write_pipes',`
++interface(`virt_kill_svirt',`
  	gen_require(`
 -		type virt_log_t;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, virt_log_t, virt_log_t)
-+	dontaudit $1 virtd_t:fd use;
-+	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++	allow $1 virt_domain:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt log files.
-+##	Send a sigkill to virtual machines
++##	Send a sigkill to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +848,17 @@ interface(`virt_append_log',`
+@@ -955,20 +979,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_log',`
-+interface(`virt_kill_svirt',`
++interface(`virt_kill',`
  	gen_require(`
 -		type virt_log_t;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	logging_search_logs($1)
 -	manage_dirs_pattern($1, virt_log_t, virt_log_t)
 -	manage_files_pattern($1, virt_log_t, virt_log_t)
 -	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+	allow $1 virt_domain:process sigkill;
++	allow $1 virtd_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Search virt image directories.
-+##	Send a sigkill to virtd daemon.
++##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +866,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +997,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_search_images',`
-+interface(`virt_kill',`
++interface(`virt_signal_svirt',`
  	gen_require(`
 -		attribute virt_image_type;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir search_dir_perms;
-+	allow $1 virtd_t:process sigkill;
++	allow $1 virt_domain:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Send a signal to virtual machines
++##	Manage virt home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,73 +884,75 @@ interface(`virt_search_images',`
+@@ -995,36 +1015,57 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_manage_home_files',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		attribute virt_domain;
++		type virt_home_t;
  	')
  
 -	virt_search_lib($1)
@@ -94021,7 +100596,8 @@ index 9dec06c..73549fd 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 virt_domain:process signal;
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, virt_home_t, virt_home_t)
 +')
  
 -	tunable_policy(`virt_use_nfs',`
@@ -94030,105 +100606,70 @@ index 9dec06c..73549fd 100644
 -		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
-+##	Manage virt home files.
++##	allow domain to read
++##	virt tmpfs files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allowed access
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_manage_home_files',`
++interface(`virt_read_tmpfs_files',`
 +	gen_require(`
-+		type virt_home_t;
++		attribute virt_tmpfs_type;
  	')
  
 -	tunable_policy(`virt_use_samba',`
 -		fs_list_cifs($1)
 -		fs_read_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
--	')
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, virt_home_t, virt_home_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read and write all virt image
--##	character files.
-+##	allow domain to read
-+##	virt tmpfs files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed access
- ##	</summary>
- ## </param>
- #
--interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_read_tmpfs_files',`
- 	gen_require(`
--		attribute virt_image_type;
-+		attribute virt_tmpfs_type;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
 +	allow $1 virt_tmpfs_type:file read_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	svirt cache files.
++')
++
++########################################
++## <summary>
 +##	allow domain to manage
 +##	virt tmpfs files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_svirt_cache',`
--	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
--	virt_manage_virt_cache($1)
++##	</summary>
++## </param>
++#
 +interface(`virt_manage_tmpfs_files',`
 +	gen_require(`
 +		attribute virt_tmpfs_type;
-+	')
+ 	')
 +
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	virt cache content.
+-##	Read and write all virt image
+-##	character files.
 +##	Create .virt directory in the user home directory
 +##	with an correct label.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',`
+@@ -1032,20 +1073,28 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_virt_cache',`
+-interface(`virt_rw_all_image_chr_files',`
 +interface(`virt_filetrans_home_content',`
  	gen_require(`
--		type virt_cache_t;
+-		attribute virt_image_type;
 +		type virt_home_t;
 +		type svirt_home_t;
  	')
  
--	files_search_var($1)
--	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
--	manage_files_pattern($1, virt_cache_t, virt_cache_t)
--	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -94145,40 +100686,34 @@ index 9dec06c..73549fd 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	virt image files.
+-##	svirt cache files.
 +##	Dontaudit attempts to Read virt_image_type devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
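Review bot: The summaries added for `virt_read_tmpfs_files` and `virt_manage_tmpfs_files` (`allow domain to read virt tmpfs files`, `Domain allowed access` without a period) don't follow the wording used by the other interfaces in this file; `Read virt tmpfs files.` / `Manage virt tmpfs files.` and `Domain allowed access.` would keep the generated documentation consistent. Neither interface grants search on the tmpfs mountpoint; if callers don't already have it, `fs_search_tmpfs($1)` is needed before the `virt_tmpfs_type:file` rules are reachable — confirm against the callers.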
-@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',`
+@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_images',`
+-interface(`virt_manage_svirt_cache',`
+-	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+-	virt_manage_virt_cache($1)
 +interface(`virt_dontaudit_read_chr_dev',`
- 	gen_require(`
--		type virt_var_lib_t;
- 		attribute virt_image_type;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	manage_dirs_pattern($1, virt_image_type, virt_image_type)
--	manage_files_pattern($1, virt_image_type, virt_image_type)
--	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
--	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	gen_require(`
++		attribute virt_image_type;
++	')
++
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
+ ')
  
--	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_read_nfs_symlinks($1)
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt cache content.
 +##	Creates types and rules for a basic
 +##	virt_lxc process domain.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="prefix">
 +##	<summary>
 +##	Prefix for the domain.
@@ -94188,12 +100723,8 @@ index 9dec06c..73549fd 100644
 +template(`virt_sandbox_domain_template',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
- 	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_files($1)
--		fs_read_cifs_symlinks($1)
++	')
++
 +	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
@@ -94201,6 +100732,8 @@ index 9dec06c..73549fd 100644
 +	mcs_constrained($1_t)
 +	role system_r types $1_t;
 +
++	logging_send_syslog_msg($1_t)
++
 +	kernel_read_system_state($1_t)
 +')
 +
@@ -94209,7 +100742,7 @@ index 9dec06c..73549fd 100644
 +##	Make the specified type usable as a lxc domain
 +## </summary>
 +## <param name="type">
-+##	<summary>
+ ##	<summary>
 +##	Type to be used as a lxc domain
 +##	</summary>
 +## </param>
@@ -94228,7 +100761,7 @@ index 9dec06c..73549fd 100644
 +## </summary>
 +## <param name="domain">
 +## <summary>
-+##	Domain allowed access.
+ ##	Domain allowed access.
 +## </summary>
 +## </param>
 +#
@@ -94247,22 +100780,30 @@ index 9dec06c..73549fd 100644
 +## <param name="domain">
 +##	<summary>
 +##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
 +interface(`virt_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_cache_t;
 +		type virt_lxc_var_run_t;
 +		type virt_var_run_t;
-+	')
-+
+ 	')
+ 
+-	files_search_var($1)
+-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
 +	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt image files.
 +##	Execute qemu in the svirt domain, and
 +##	allow the specified role the svirt domain.
 +## </summary>
@@ -94283,11 +100824,66 @@ index 9dec06c..73549fd 100644
 +		attribute svirt_sandbox_domain;
 +	')
 +
-+	allow $1 svirt_sandbox_domain:process transition;
++	allow $1 svirt_sandbox_domain:process { transition signal_perms };
 +	role $2 types svirt_sandbox_domain;
 +	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
 +
++	allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
 +	allow svirt_sandbox_domain $1:process sigchld;
++	ps_process_pattern($1, svirt_sandbox_domain)
++')
++
++########################################
++## <summary>
++##	Read and write to svirt_image devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_images',`
++interface(`virt_rw_svirt_dev',`
+ 	gen_require(`
+-		type virt_var_lib_t;
+-		attribute virt_image_type;
++		type svirt_image_t;
+ 	')
+ 
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+-	manage_files_pattern($1, virt_image_type, virt_image_type)
+-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+-	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	allow $1 svirt_image_t:chr_file rw_file_perms;
++')
+ 
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
++########################################
++## <summary>
++##	Read and write to svirt_image devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_rlimitinh',`
++	gen_require(`
++		type virtd_t;
+ 	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
++    allow $1 virtd_t:process { rlimitinh };
 +')
 +
 +########################################
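Review bot: The summary added for `virt_rlimitinh` repeats `Read and write to svirt_image devices.` from `virt_rw_svirt_dev` above it, but the interface grants `allow $1 virtd_t:process { rlimitinh };`; it should read `Allow virtd to inherit the caller's resource limits on transition.` That allow line is indented with four spaces rather than a tab. Earlier in the hunk, `allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;` gives every sandbox domain read/write on the launching domain's pipes, a flow back out of the sandbox that deserves a one-line comment stating why it is required.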
@@ -94300,12 +100896,12 @@ index 9dec06c..73549fd 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_rw_svirt_dev',`
++interface(`virt_noatsecure',`
 +	gen_require(`
-+		type svirt_image_t;
++		type virtd_t;
  	')
 +
-+	allow $1 svirt_image_t:chr_file rw_file_perms;
++    allow $1 virtd_t:process { noatsecure rlimitinh };
  ')
  
  ########################################
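Review bot: `allow $1 virtd_t:process { noatsecure rlimitinh };` grants `rlimitinh` in addition to `noatsecure`, duplicating the `virt_rlimitinh` interface added in the previous hunk; an interface named `virt_noatsecure` that also grants rlimit inheritance surprises callers. Either keep only `noatsecure` here and have callers invoke both interfaces, or document the bundling in the summary, which sits above this hunk. `noatsecure` skips the secure-exec (AT_SECURE) environment sanitizing for the transition into virtd_t, so the summary should say that as well. The allow line uses four spaces where the file uses a tab.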
@@ -94317,7 +100913,7 @@ index 9dec06c..73549fd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -94365,11 +100961,11 @@ index 9dec06c..73549fd 100644
 -
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
 -
@@ -94390,10 +100986,10 @@ index 9dec06c..73549fd 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..15485c6 100644
+index 1f22fba..57af4d0 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,147 +1,173 @@
+@@ -1,147 +1,209 @@
 -policy_module(virt, 1.6.10)
 +policy_module(virt, 1.5.0)
  
@@ -94405,7 +101001,7 @@ index 1f22fba..15485c6 100644
 +gen_require(`
 +    class passwd rootok;
 +    class passwd passwd;
-+    ')
++')
 +
 +attribute virsh_transition_domain;
 +attribute virt_ptynode;
@@ -94531,34 +101127,67 @@ index 1f22fba..15485c6 100644
 -attribute virt_image_type;
 -attribute virt_tmp_type;
 -attribute virt_tmpfs_type;
--
--attribute svirt_lxc_domain;
--
--attribute_role virt_domain_roles;
--roleattribute system_r virt_domain_roles;
 +## <desc>
 +## <p>
 +## Allow confined virtual guests to use usb devices
 +## </p>
 +## </desc>
 +gen_tunable(virt_use_usb, true)
++
++## <desc>
++## <p>
++## Allow sandbox containers to manage nfs files
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_nfs, false)
++
++## <desc>
++## <p>
++## Allow sandbox containers to manage samba/cifs files
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_samba, false)
+ 
+-attribute svirt_lxc_domain;
++## <desc>
++## <p>
++## Allow sandbox containers to send audit messages
+ 
+-attribute_role virt_domain_roles;
+-roleattribute system_r virt_domain_roles;
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_audit, true)
  
 -attribute_role virt_bridgehelper_roles;
 -roleattribute system_r virt_bridgehelper_roles;
-+virt_domain_template(svirt)
-+role system_r types svirt_t;
-+typealias svirt_t alias qemu_t;
++## <desc>
++## <p>
++## Allow sandbox containers to use netlink system calls
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_netlink, false)
  
 -attribute_role svirt_lxc_domain_roles;
 -roleattribute system_r svirt_lxc_domain_roles;
-+virt_domain_template(svirt_tcg)
-+role system_r types svirt_tcg_t;
++## <desc>
++## <p>
++## Allow sandbox containers to use sys_admin system calls, for example mount
++## </p>
++## </desc>
++gen_tunable(virt_sandbox_use_sys_admin, false)
  
--virt_domain_template(svirt)
+ virt_domain_template(svirt)
 -virt_domain_template(svirt_prot_exec)
-+type qemu_exec_t, virt_file_type;
++role system_r types svirt_t;
++typealias svirt_t alias qemu_t;
++
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
  
 -type virt_cache_t alias svirt_cache_t;
++type qemu_exec_t, virt_file_type;
++
 +type virt_cache_t alias svirt_cache_t, virt_file_type;
  files_type(virt_cache_t)
  
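Review bot: The `<desc>` block for `virt_sandbox_use_audit` is split by the blank context line kept between `## Allow sandbox containers to send audit messages` and `## </p>`; refpolicy's documentation extraction collects consecutive `##` lines, so the break most likely leaves this tunable's description truncated or malformed in the generated XML. Moving the `## </p>` / `## </desc>` lines up so the comment block is contiguous, as it is for the four neighbouring tunables, fixes it. Separately, `virt_sandbox_use_nfs` and `virt_sandbox_use_samba` are declared here but the sandbox NFS/CIFS rules added later in virt.te (hunk at `@@ -96017,23 +102576,122 @@`) are gated on `virt_use_nfs`/`virt_use_samba`, so in the visible hunks the two new tunables have no effect.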
@@ -94640,7 +101269,7 @@ index 1f22fba..15485c6 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -150,295 +176,142 @@ ifdef(`enable_mls',`
+@@ -150,295 +212,130 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -94833,80 +101462,60 @@ index 1f22fba..15485c6 100644
 -	fs_manage_nfs_named_sockets(virt_domain)
 -	fs_read_nfs_symlinks(virt_domain)
 -')
-+type virtd_lxc_t, virt_system_domain;
-+type virtd_lxc_exec_t, virt_file_type;
-+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
- 
+-
 -tunable_policy(`virt_use_samba',`
 -	fs_manage_cifs_dirs(virt_domain)
 -	fs_manage_cifs_files(virt_domain)
 -	fs_manage_cifs_named_sockets(virt_domain)
 -	fs_read_cifs_symlinks(virt_domain)
 -')
-+type virt_lxc_var_run_t, virt_file_type;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
- 
+-
 -tunable_policy(`virt_use_sysfs',`
 -	dev_rw_sysfs(virt_domain)
 -')
-+# virt lxc container files
-+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
-+files_mountpoint(svirt_sandbox_file_t)
- 
+-
 -tunable_policy(`virt_use_usb',`
 -	dev_rw_usbfs(virt_domain)
 -	dev_read_sysfs(virt_domain)
 -	fs_manage_dos_dirs(virt_domain)
 -	fs_manage_dos_files(virt_domain)
 -')
-+########################################
-+#
-+# svirt local policy
-+#
- 
+-
 -optional_policy(`
 -	tunable_policy(`virt_use_xserver',`
 -		xserver_read_xdm_pid(virt_domain)
 -		xserver_stream_connect(virt_domain)
 -	')
 -')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -optional_policy(`
 -	dbus_read_lib_files(virt_domain)
 -')
-+corenet_udp_sendrecv_generic_if(svirt_t)
-+corenet_udp_sendrecv_generic_node(svirt_t)
-+corenet_udp_sendrecv_all_ports(svirt_t)
-+corenet_udp_bind_generic_node(svirt_t)
-+corenet_udp_bind_all_ports(svirt_t)
-+corenet_tcp_bind_all_ports(svirt_t)
-+corenet_tcp_connect_all_ports(svirt_t)
- 
+-
 -optional_policy(`
 -	nscd_use(virt_domain)
 -')
-+miscfiles_read_generic_certs(svirt_t)
++type virtd_lxc_t, virt_system_domain;
++type virtd_lxc_exec_t, virt_file_type;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
  
- optional_policy(`
+-optional_policy(`
 -	samba_domtrans_smbd(virt_domain)
-+	nscd_dontaudit_write_sock_file(svirt_t)
- ')
+-')
++type virt_lxc_var_run_t, virt_file_type;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
  
- optional_policy(`
+-optional_policy(`
 -	xen_rw_image_files(virt_domain)
-+	sssd_dontaudit_stream_connect(svirt_t)
-+	sssd_dontaudit_read_lib(svirt_t)
-+	sssd_dontaudit_read_public_files(svirt_t)
- ')
+-')
++# virt lxc container files
++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
++files_mountpoint(svirt_sandbox_file_t)
  
--########################################
-+#######################################
+ ########################################
  #
--# svirt local policy
-+# svirt_prot_exec local policy
+ # svirt local policy
  #
  
 -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -94928,26 +101537,35 @@ index 1f22fba..15485c6 100644
 -corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_udp_bind_generic_node(svirt_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -corenet_all_recvfrom_unlabeled(svirt_t)
 -corenet_all_recvfrom_netlabel(svirt_t)
 -corenet_tcp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_if(svirt_t)
 -corenet_tcp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
 -corenet_tcp_sendrecv_all_ports(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
 -corenet_tcp_bind_generic_node(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
 -
 -corenet_sendrecv_all_server_packets(svirt_t)
--corenet_udp_bind_all_ports(svirt_t)
--corenet_tcp_bind_all_ports(svirt_t)
+ corenet_udp_bind_all_ports(svirt_t)
+ corenet_tcp_bind_all_ports(svirt_t)
+-
+-corenet_sendrecv_all_client_packets(svirt_t)
+ corenet_tcp_connect_all_ports(svirt_t)
+ 
++#######################################
++#
++# svirt_prot_exec local policy
++#
++
 +allow svirt_tcg_t self:process { execmem execstack };
 +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
- 
--corenet_sendrecv_all_client_packets(svirt_t)
--corenet_tcp_connect_all_ports(svirt_t)
++
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
 +corenet_udp_sendrecv_generic_node(svirt_tcg_t)
 +corenet_udp_sendrecv_all_ports(svirt_tcg_t)
@@ -94955,7 +101573,7 @@ index 1f22fba..15485c6 100644
 +corenet_udp_bind_all_ports(svirt_tcg_t)
 +corenet_tcp_bind_all_ports(svirt_tcg_t)
 +corenet_tcp_connect_all_ports(svirt_tcg_t)
- 
++
  ########################################
  #
  # virtd local policy
@@ -95022,7 +101640,7 @@ index 1f22fba..15485c6 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +321,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +345,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -95069,29 +101687,29 @@ index 1f22fba..15485c6 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +356,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +380,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+-
 -kernel_read_crypto_sysctls(virtd_t)
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +369,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +393,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -95099,7 +101717,7 @@ index 1f22fba..15485c6 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +377,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +401,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -95127,7 +101745,7 @@ index 1f22fba..15485c6 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +397,27 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +421,27 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -95160,7 +101778,7 @@ index 1f22fba..15485c6 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +448,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +472,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -95180,7 +101798,7 @@ index 1f22fba..15485c6 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +470,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +494,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -95217,7 +101835,7 @@ index 1f22fba..15485c6 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +498,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +522,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -95226,7 +101844,7 @@ index 1f22fba..15485c6 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,20 +523,12 @@ optional_policy(`
+@@ -658,20 +547,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -95247,7 +101865,7 @@ index 1f22fba..15485c6 100644
  ')
  
  optional_policy(`
-@@ -684,14 +541,20 @@ optional_policy(`
+@@ -684,14 +565,20 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -95270,7 +101888,7 @@ index 1f22fba..15485c6 100644
  	iptables_manage_config(virtd_t)
  ')
  
-@@ -704,11 +567,13 @@ optional_policy(`
+@@ -704,11 +591,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95284,7 +101902,7 @@ index 1f22fba..15485c6 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -719,10 +584,18 @@ optional_policy(`
+@@ -719,10 +608,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95303,7 +101921,7 @@ index 1f22fba..15485c6 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +610,264 @@ optional_policy(`
+@@ -737,44 +634,277 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -95331,28 +101949,23 @@ index 1f22fba..15485c6 100644
 -allow virsh_t self:fifo_file rw_fifo_file_perms;
 -allow virsh_t self:unix_stream_socket { accept connectto listen };
 -allow virsh_t self:tcp_socket { accept listen };
--
++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
++read_files_pattern(virt_domain, virt_content_t, virt_content_t)
++dontaudit virt_domain virt_content_t:file write_file_perms;
++dontaudit virt_domain virt_content_t:dir write;
+ 
 -manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
 -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
--
++kernel_read_net_sysctls(virt_domain)
++kernel_read_network_state(virt_domain)
+ 
 -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
-+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
-+dontaudit virt_domain virt_content_t:file write_file_perms;
-+dontaudit virt_domain virt_content_t:dir write;
- 
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-+kernel_read_net_sysctls(virt_domain)
- 
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +userdom_search_user_home_content(virt_domain)
 +userdom_read_user_home_content_symlinks(virt_domain)
 +userdom_read_all_users_state(virt_domain)
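Review bot: `kernel_read_network_state(virt_domain)` is new in this hunk (the neighbouring `kernel_read_net_sysctls` line is only moved) and is granted through the `virt_domain` attribute shared by the guest domains, not just the sandbox types most of this commit is about. A one-line comment on which guest component needs network state, or moving the rule to the specific domain that does, would make the broadening deliberate rather than incidental.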
@@ -95363,12 +101976,14 @@ index 1f22fba..15485c6 100644
 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
  
--allow virsh_t svirt_lxc_domain:process transition;
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 +files_var_filetrans(virt_domain, virt_cache_t, { file dir })
  
--can_exec(virsh_t, virsh_exec_t)
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
 +
 +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -95399,9 +102014,11 @@ index 1f22fba..15485c6 100644
 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
 +
 +dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
-+
+ 
+-allow virsh_t svirt_lxc_domain:process transition;
 +dontaudit virt_domain virt_tmpfs_type:file { read write };
-+
+ 
+-can_exec(virsh_t, virsh_exec_t)
 +append_files_pattern(virt_domain, virt_log_t, virt_log_t)
 +
 +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
@@ -95417,7 +102034,7 @@ index 1f22fba..15485c6 100644
 +corenet_tcp_bind_virt_migration_port(virt_domain)
 +corenet_tcp_connect_virt_migration_port(virt_domain)
 +corenet_rw_inherited_tun_tap_dev(virt_domain)
- 
++
 +dev_list_sysfs(virt_domain)
 +dev_getattr_fs(virt_domain)
 +dev_dontaudit_getattr_all(virt_domain)
@@ -95449,6 +102066,8 @@ index 1f22fba..15485c6 100644
 +
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
++miscfiles_read_generic_certs(virt_domain)
++
 +storage_raw_read_removable_device(virt_domain)
 +
 +sysnet_read_config(virt_domain)
@@ -95467,6 +102086,10 @@ index 1f22fba..15485c6 100644
 +')
 +
 +optional_policy(`
++	nscd_dontaudit_write_sock_file(virt_domain)
++')
++
++optional_policy(`
 +	ptchown_domtrans(virt_domain)
 +')
 +
@@ -95475,6 +102098,12 @@ index 1f22fba..15485c6 100644
 +')
 +
 +optional_policy(`
++	sssd_dontaudit_stream_connect(virt_domain)
++	sssd_dontaudit_read_lib(virt_domain)
++	sssd_dontaudit_read_public_files(virt_domain)
++')
++
++optional_policy(`
 +	virt_read_config(virt_domain)
 +	virt_read_lib_files(virt_domain)
 +	virt_read_content(virt_domain)
@@ -95554,7 +102183,7 @@ index 1f22fba..15485c6 100644
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
-+
+ 
 +ps_process_pattern(virsh_t, svirt_sandbox_domain)
 +
 +can_exec(virsh_t, virsh_exec_t)
@@ -95592,7 +102221,7 @@ index 1f22fba..15485c6 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +878,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +915,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -95619,7 +102248,7 @@ index 1f22fba..15485c6 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +898,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +935,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -95639,20 +102268,21 @@ index 1f22fba..15485c6 100644
  
 -miscfiles_read_localization(virsh_t)
 +auth_read_passwd(virsh_t)
- 
--sysnet_dns_name_resolve(virsh_t)
++
 +logging_send_syslog_msg(virsh_t)
  
+ sysnet_dns_name_resolve(virsh_t)
+ 
 -tunable_policy(`virt_use_fusefs',`
 -	fs_manage_fusefs_dirs(virsh_t)
 -	fs_manage_fusefs_files(virsh_t)
 -	fs_read_fusefs_symlinks(virsh_t)
 -')
-+sysnet_dns_name_resolve(virsh_t)
++userdom_stream_connect(virsh_t)
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +933,20 @@ optional_policy(`
+@@ -847,14 +972,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95674,7 +102304,7 @@ index 1f22fba..15485c6 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +971,65 @@ optional_policy(`
+@@ -879,49 +1010,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -95714,7 +102344,7 @@ index 1f22fba..15485c6 100644
  manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
  
 +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
-+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill };
++allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };
 +
  allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
 -manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
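Review bot: `allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };` both widens the signal set (signal_perms adds sigchld and sigstop to the previous `signal signull sigkill`) and adds `noatsecure`, which makes the `domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)` on the line above start libvirt_lxc without AT_SECURE, so the usual secure-exec treatment of the inherited environment is skipped. Neither change is explained; a why-comment such as `# libvirt_lxc is started without AT_SECURE: <reason>` (reason filled in by the author) would let a later reviewer judge whether the weakening is still needed. Elsewhere in this patch the same `noatsecure` is only dontaudited for virt_domain, so the asymmetry looks deliberate and deserves the comment.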
@@ -95758,7 +102388,7 @@ index 1f22fba..15485c6 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1041,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1080,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -95778,7 +102408,7 @@ index 1f22fba..15485c6 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1062,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1101,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -95802,7 +102432,7 @@ index 1f22fba..15485c6 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1087,246 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1126,294 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -95829,14 +102459,18 @@ index 1f22fba..15485c6 100644
 -seutil_read_config(virtd_lxc_t)
 -seutil_read_default_contexts(virtd_lxc_t)
 +optional_policy(`
++	docker_exec_lib(virtd_lxc_t)
++')
++
++optional_policy(`
 +	gnome_read_generic_cache_files(virtd_lxc_t)
 +')
- 
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@@ -95856,83 +102490,8 @@ index 1f22fba..15485c6 100644
 +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
 +allow svirt_sandbox_domain self:passwd rootok;
 +
-+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
-+
-+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
-+allow svirt_sandbox_domain virtd_lxc_t:fd use;
-+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-+
-+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
-+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+
-+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
-+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
-+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
-+
-+kernel_getattr_proc(svirt_sandbox_domain)
-+kernel_list_all_proc(svirt_sandbox_domain)
-+kernel_read_all_sysctls(svirt_sandbox_domain)
-+kernel_rw_net_sysctls(svirt_sandbox_domain)
-+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
-+
-+corecmd_exec_all_executables(svirt_sandbox_domain)
-+
-+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
-+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
-+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
-+files_entrypoint_all_files(svirt_sandbox_domain)
-+files_list_var(svirt_sandbox_domain)
-+files_list_var_lib(svirt_sandbox_domain)
-+files_search_all(svirt_sandbox_domain)
-+files_read_config_files(svirt_sandbox_domain)
-+files_read_usr_symlinks(svirt_sandbox_domain)
-+files_search_locks(svirt_sandbox_domain)
-+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
-+
-+fs_getattr_all_fs(svirt_sandbox_domain)
-+fs_list_inotifyfs(svirt_sandbox_domain)
-+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
-+fs_read_fusefs_files(svirt_sandbox_domain)
-+
-+auth_dontaudit_read_passwd(svirt_sandbox_domain)
-+auth_dontaudit_read_login_records(svirt_sandbox_domain)
-+auth_dontaudit_write_login_records(svirt_sandbox_domain)
-+auth_search_pam_console_data(svirt_sandbox_domain)
-+
-+clock_read_adjtime(svirt_sandbox_domain)
-+
-+init_read_utmp(svirt_sandbox_domain)
-+init_dontaudit_write_utmp(svirt_sandbox_domain)
-+
-+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
-+
-+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
-+miscfiles_read_fonts(svirt_sandbox_domain)
-+miscfiles_read_hwdata(svirt_sandbox_domain)
-+
-+systemd_read_unit_files(svirt_sandbox_domain)
-+
-+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
-+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
-+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+	apache_exec_modules(svirt_sandbox_domain)
-+	apache_read_sys_content(svirt_sandbox_domain)
++tunable_policy(`deny_ptrace',`',`
++	allow svirt_sandbox_domain self:process ptrace;
 +')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
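Review bot: The `deny_ptrace` tunable_policy uses an empty first branch so that `allow svirt_sandbox_domain self:process ptrace;` lands in the else-branch, which reads like a typo on first sight. A one-line comment above it, `# sandbox processes may ptrace themselves unless deny_ptrace is set`, makes the intent explicit. The rest of the hunk moves the svirt_sandbox_domain rule block further down the file and adds `docker_exec_lib(virtd_lxc_t)`.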
@@ -96017,23 +102576,122 @@ index 1f22fba..15485c6 100644
 -miscfiles_read_fonts(svirt_lxc_domain)
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
-+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
++
++allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
++allow svirt_sandbox_domain virtd_lxc_t:fd use;
++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
++
++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++
++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
++
++kernel_getattr_proc(svirt_sandbox_domain)
++kernel_list_all_proc(svirt_sandbox_domain)
++kernel_read_all_sysctls(svirt_sandbox_domain)
++kernel_rw_net_sysctls(svirt_sandbox_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++
++corecmd_exec_all_executables(svirt_sandbox_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
++files_dontaudit_getattr_all_files(svirt_sandbox_domain)
++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
++files_entrypoint_all_files(svirt_sandbox_domain)
++files_list_var(svirt_sandbox_domain)
++files_list_var_lib(svirt_sandbox_domain)
++files_search_all(svirt_sandbox_domain)
++files_read_config_files(svirt_sandbox_domain)
++files_read_usr_symlinks(svirt_sandbox_domain)
++files_search_locks(svirt_sandbox_domain)
++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
++
++fs_getattr_all_fs(svirt_sandbox_domain)
++fs_list_inotifyfs(svirt_sandbox_domain)
++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
++fs_read_fusefs_files(svirt_sandbox_domain)
++
++auth_dontaudit_read_passwd(svirt_sandbox_domain)
++auth_dontaudit_read_login_records(svirt_sandbox_domain)
++auth_dontaudit_write_login_records(svirt_sandbox_domain)
++auth_search_pam_console_data(svirt_sandbox_domain)
++
++clock_read_adjtime(svirt_sandbox_domain)
++
++init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_write_utmp(svirt_sandbox_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
++
++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
++miscfiles_read_fonts(svirt_sandbox_domain)
++miscfiles_read_hwdata(svirt_sandbox_domain)
++
++systemd_read_unit_files(svirt_sandbox_domain)
++
++userdom_use_inherited_user_terminals(svirt_sandbox_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
  
  optional_policy(`
 -	udev_read_pid_files(svirt_lxc_domain)
-+	ssh_use_ptys(svirt_sandbox_domain)
++	apache_exec_modules(svirt_sandbox_domain)
++	apache_read_sys_content(svirt_sandbox_domain)
  ')
  
  optional_policy(`
 -	apache_exec_modules(svirt_lxc_domain)
 -	apache_read_sys_content(svirt_lxc_domain)
++	docker_manage_lib_files(svirt_lxc_net_t)
++	docker_manage_lib_dirs(svirt_lxc_net_t)
++	docker_read_share_files(svirt_sandbox_domain)
++	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++	docker_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++	ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
++')
++
++tunable_policy(`virt_use_nfs',`
++	fs_manage_nfs_dirs(svirt_sandbox_domain)
++	fs_manage_nfs_files(svirt_sandbox_domain)
++	fs_read_nfs_symlinks(svirt_sandbox_domain)
++')
++
++tunable_policy(`virt_use_samba',`
++	fs_manage_nfs_files(svirt_sandbox_domain)
++	fs_manage_cifs_files(svirt_sandbox_domain)
++	fs_read_cifs_symlinks(svirt_sandbox_domain)
  ')
  
  ########################################
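Review bot: In the `virt_use_samba` block at the end of the hunk, `fs_manage_nfs_files(svirt_sandbox_domain)` looks like a copy-paste slip: the NFS block above already grants it and the CIFS block has no dirs rule, so it presumably should read `fs_manage_cifs_dirs(svirt_sandbox_domain)`. Both blocks are also keyed on `virt_use_nfs` / `virt_use_samba`, the tunables for qemu guests, while this patch declares `virt_sandbox_use_nfs` and `virt_sandbox_use_samba` for exactly this purpose; as written, enabling NFS or CIFS for VMs silently also grants containers full management of that content, so the two conditions should name the sandbox tunables instead. Minor: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma.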
@@ -96045,7 +102703,7 @@ index 1f22fba..15485c6 100644
 +typeattribute svirt_lxc_net_t sandbox_net_domain;
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid setfcap sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
  dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
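Review bot: The rewritten capability set for svirt_lxc_net_t adds `setfcap` unconditionally while `sys_admin` is moved behind the new `virt_sandbox_use_sys_admin` tunable in the next hunk. `setfcap` lets container processes set file capabilities on files they control, including their own svirt_sandbox_file_t content, so it deserves the same scrutiny; a comment stating why it is needed, or a tunable like the one used for sys_admin, would document the decision. The remaining members of the set are unchanged.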
@@ -96053,15 +102711,18 @@ index 1f22fba..15485c6 100644
 -allow svirt_lxc_net_t self:packet_socket create_socket_perms;
 -allow svirt_lxc_net_t self:socket create_socket_perms;
 -allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:process { execstack execmem };
- allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
- allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
+-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+-
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
--
++allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++	allow svirt_lxc_net_t self:capability sys_admin;
++')
+ 
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
 -corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
@@ -96072,13 +102733,20 @@ index 1f22fba..15485c6 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++tunable_policy(`virt_sandbox_use_netlink',`
++	allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
++	allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++	allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++', `
++	logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
++')
  
 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
 -corenet_udp_bind_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_all_ports(svirt_lxc_net_t)
--
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+ 
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +kernel_read_irq_sysctls(svirt_lxc_net_t)
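Review bot: The else branch of `virt_sandbox_use_netlink` calls `logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)`, but audit-message sending is governed by a different boolean, `virt_sandbox_use_audit`, introduced in the next hunk; with netlink on and audit off the denials on the audit socket are still logged, and with netlink off and audit on the allow wins anyway, so the dontaudit is attached to the wrong tunable. Move the dontaudit into the else branch of the virt_sandbox_use_audit block so that disabling audit also silences the resulting denials. The svirt_qemu_net_t and svirt_kvm_net_t copies of the netlink tunable further down have no else branch at all, so whichever placement is chosen should be applied to all three sandbox domains for consistency.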
@@ -96101,17 +102769,21 @@ index 1f22fba..15485c6 100644
  
  auth_use_nsswitch(svirt_lxc_net_t)
  
+-logging_send_audit_msgs(svirt_lxc_net_t)
 +rpm_read_db(svirt_lxc_net_t)
-+
- logging_send_audit_msgs(svirt_lxc_net_t)
  
- userdom_use_user_ptys(svirt_lxc_net_t)
+-userdom_use_user_ptys(svirt_lxc_net_t)
++logging_send_syslog_msg(svirt_lxc_net_t)
  
 -optional_policy(`
 -	rpm_read_db(svirt_lxc_net_t)
--')
--
++tunable_policy(`virt_sandbox_use_audit',`
++	logging_send_audit_msgs(svirt_lxc_net_t)
+ ')
+ 
 -#######################################
++userdom_use_user_ptys(svirt_lxc_net_t)
++
 +########################################
  #
 -# Prot exec local policy
@@ -96123,9 +102795,12 @@ index 1f22fba..15485c6 100644
 +allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +dontaudit svirt_qemu_net_t self:capability2 block_suspend;
 +allow svirt_qemu_net_t self:process { execstack execmem };
-+allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++tunable_policy(`virt_sandbox_use_netlink',`
++	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
 +
 +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
 +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@@ -96147,8 +102822,7 @@ index 1f22fba..15485c6 100644
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
@@ -96162,12 +102836,17 @@ index 1f22fba..15485c6 100644
 +fs_manage_cgroup_files(svirt_qemu_net_t)
 +
 +term_pty(svirt_sandbox_file_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +auth_use_nsswitch(svirt_qemu_net_t)
 +
 +rpm_read_db(svirt_qemu_net_t)
 +
-+logging_send_audit_msgs(svirt_qemu_net_t)
++logging_send_syslog_msg(svirt_qemu_net_t)
++
++tunable_policy(`virt_sandbox_use_audit',`
++	logging_send_audit_msgs(svirt_qemu_net_t)
++')
 +
 +userdom_use_user_ptys(svirt_qemu_net_t)
  
@@ -96185,7 +102864,7 @@ index 1f22fba..15485c6 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1426,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -96200,7 +102879,7 @@ index 1f22fba..15485c6 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1357,8 @@ optional_policy(`
+@@ -1183,9 +1444,8 @@ optional_policy(`
  
  ########################################
  #
@@ -96211,7 +102890,7 @@ index 1f22fba..15485c6 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1371,193 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1458,218 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -96224,7 +102903,7 @@ index 1f22fba..15485c6 100644
 +# virt_qemu_ga local policy
 +#
 +
-+allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
++allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
 +
 +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
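Review bot: `sys_time` joins virt_qemu_ga_t's capability set with no comment on which guest-agent command needs it, and the two following hunks add `clock_read_adjtime`, `dev_rw_realtime_clock` and `clock_domtrans` for the same domain; together these let a host-side request reset the guest's system clock and RTC, which affects log timestamps and certificate validity inside the guest. A single comment tying the four rules together, e.g. `# presumably guest-set-time: qemu-ga sets the system clock and RTC on host request — confirm`, would make the added privilege reviewable. The later `logging_send_audit_msgs(virt_qemu_ga_t)` addition is likewise undocumented and is granted unconditionally here while the sandbox domains in this same commit put it behind a boolean.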
@@ -96252,7 +102931,10 @@ index 1f22fba..15485c6 100644
 +corecmd_exec_shell(virt_qemu_ga_t)
 +corecmd_exec_bin(virt_qemu_ga_t)
 +
++clock_read_adjtime(virt_qemu_ga_t)
++
 +dev_rw_sysfs(virt_qemu_ga_t)
++dev_rw_realtime_clock(virt_qemu_ga_t)
 +
 +files_list_all_mountpoints(virt_qemu_ga_t)
 +files_write_all_mountpoints(virt_qemu_ga_t)
@@ -96265,6 +102947,7 @@ index 1f22fba..15485c6 100644
 +term_use_unallocated_ttys(virt_qemu_ga_t)
 +
 +logging_send_syslog_msg(virt_qemu_ga_t)
++logging_send_audit_msgs(virt_qemu_ga_t)
 +
 +sysnet_dns_name_resolve(virt_qemu_ga_t)
 +
@@ -96278,6 +102961,10 @@ index 1f22fba..15485c6 100644
 +')
 +
 +optional_policy(`
++    clock_domtrans(virt_qemu_ga_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(virt_qemu_ga_t)
 +')
 +
@@ -96348,9 +103035,12 @@ index 1f22fba..15485c6 100644
 +
 +allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +dontaudit svirt_kvm_net_t self:capability2 block_suspend;
-+allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
-+allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++tunable_policy(`virt_sandbox_use_netlink',`
++	allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
++	allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++	allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
 +
 +term_use_generic_ptys(svirt_kvm_net_t)
 +term_use_ptmx(svirt_kvm_net_t)
@@ -96385,7 +103075,11 @@ index 1f22fba..15485c6 100644
 +
 +rpm_read_db(svirt_kvm_net_t)
 +
-+logging_send_audit_msgs(svirt_kvm_net_t)
++logging_send_syslog_msg(svirt_kvm_net_t)
++
++tunable_policy(`virt_sandbox_use_audit',`
++	logging_send_audit_msgs(svirt_kvm_net_t)
++')
 +
 +userdom_use_user_ptys(svirt_kvm_net_t)
 +
@@ -96407,6 +103101,16 @@ index 1f22fba..15485c6 100644
 +corenet_udp_bind_all_ports(sandbox_net_domain)
 +corenet_tcp_bind_all_ports(sandbox_net_domain)
 +corenet_tcp_connect_all_ports(sandbox_net_domain)
++
++optional_policy(`
++	sssd_stream_connect(sandbox_net_domain)
++')
++
++optional_policy(`
++	systemd_dbus_chat_logind(sandbox_net_domain)
++')
++
++
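Review bot: `sssd_stream_connect(sandbox_net_domain)` and `systemd_dbus_chat_logind(sandbox_net_domain)` are granted to every sandbox network domain at once, with no comment on which container workload needs to reach the host's sssd socket or to talk to logind over D-Bus; both are channels from a sandbox into a privileged host service, so a why-comment per block is warranted, e.g. `# containers resolving host users via sssd — confirm`. The new rules also leave two blank lines at the end of virt.te; one is enough.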
 diff --git a/vlock.te b/vlock.te
 index 9ead775..b5285e7 100644
 --- a/vlock.te
@@ -96421,6 +103125,247 @@ index 9ead775..b5285e7 100644
  userdom_dontaudit_search_user_home_dirs(vlock_t)
 -userdom_use_user_terminals(vlock_t)
 +userdom_use_inherited_user_terminals(vlock_t)
+diff --git a/vmtools.fc b/vmtools.fc
+new file mode 100644
+index 0000000..c5deffb
+--- /dev/null
++++ b/vmtools.fc
+@@ -0,0 +1,5 @@
++/usr/bin/vmtoolsd		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
++
++/usr/bin/vmware-user-suid-wrapper		--	gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
++
++/usr/lib/systemd/system/vmtoolsd.*		--	gen_context(system_u:object_r:vmtools_unit_file_t,s0)
+diff --git a/vmtools.if b/vmtools.if
+new file mode 100644
+index 0000000..7933d80
+--- /dev/null
++++ b/vmtools.if
+@@ -0,0 +1,122 @@
++## <summary>VMware Tools daemon</summary>
++
++########################################
++## <summary>
++##	Execute vmtools in the vmtools domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`vmtools_domtrans',`
++	gen_require(`
++		type vmtools_t, vmtools_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, vmtools_exec_t, vmtools_t)
++')
++
++########################################
++## <summary>
++##	Execute vmtools in the vmtools domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`vmtools_domtrans_helper',`
++	gen_require(`
++		type vmtools_helper_t, vmtools_helper_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t)
++')
++
++########################################
++## <summary>
++##	Execute vmtools helpers in the vmtools_heler domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the mozilla_plugin domain.
++##	</summary>
++## </param>
++#
++interface(`vmtools_run_helper',`
++	gen_require(`
++		attribute_role vmtools_helper_roles;
++	')
++
++    vmtools_domtrans_helper($1)
++	roleattribute $2 vmtools_helper_roles;
++')
++
++########################################
++## <summary>
++##	Execute vmtools server in the vmtools domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`vmtools_systemctl',`
++	gen_require(`
++		type vmtools_t;
++		type vmtools_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 vmtools_unit_file_t:file read_file_perms;
++	allow $1 vmtools_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, vmtools_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an vmtools environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`vmtools_admin',`
++	gen_require(`
++		type vmtools_t;
++		type vmtools_unit_file_t;
++	')
++
++	allow $1 vmtools_t:process { signal_perms };
++	ps_process_pattern($1, vmtools_t)
++
++	tunable_policy(`deny_ptrace',`',`
++		allow $1 vmtools_t:process ptrace;
++	')
++
++	vmtools_systemctl($1)
++	admin_pattern($1, vmtools_unit_file_t)
++	allow $1 vmtools_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/vmtools.te b/vmtools.te
+new file mode 100644
+index 0000000..1928ad9
+--- /dev/null
++++ b/vmtools.te
+@@ -0,0 +1,96 @@
++policy_module(vmtools, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute_role vmtools_helper_roles;
++
++roleattribute system_r vmtools_helper_roles;
++
++type vmtools_t;
++type vmtools_exec_t;
++init_daemon_domain(vmtools_t, vmtools_exec_t)
++role vmtools_helper_roles types vmtools_t;
++
++type vmtools_helper_t;
++type vmtools_helper_exec_t;
++application_domain(vmtools_helper_t, vmtools_helper_exec_t)
++domain_system_change_exemption(vmtools_helper_t)
++role vmtools_helper_roles types vmtools_helper_t;
++
++type vmtools_unit_file_t;
++systemd_unit_file(vmtools_unit_file_t)
++
++type vmtools_tmp_t;
++files_tmp_file(vmtools_tmp_t)
++
++########################################
++#
++# vmtools local policy
++#
++
++allow vmtools_t self:capability { sys_time sys_rawio };
++allow vmtools_t self:fifo_file rw_fifo_file_perms;
++allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
++allow vmtools_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++manage_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++manage_lnk_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
++files_tmp_filetrans(vmtools_t, vmtools_tmp_t, { file dir })
++
++kernel_read_system_state(vmtools_t)
++kernel_read_network_state(vmtools_t)
++
++corecmd_exec_bin(vmtools_t)
++corecmd_exec_shell(vmtools_t)
++
++dev_read_urand(vmtools_t)
++dev_getattr_all_blk_files(vmtools_t)
++
++fs_getattr_all_fs(vmtools_t)
++
++auth_use_nsswitch(vmtools_t)
++
++#shutdown
++init_rw_utmp(vmtools_t)
++init_stream_connect(vmtools_t)
++init_telinit(vmtools_t)
++
++logging_send_syslog_msg(vmtools_t)
++
++systemd_exec_systemctl(vmtools_t)
++
++sysnet_domtrans_ifconfig(vmtools_t)
++
++xserver_stream_connect_xdm(vmtools_t)
++xserver_stream_connect(vmtools_t)
++
++optional_policy(`
++    networkmanager_dbus_chat(vmtools_t)
++')
++
++optional_policy(`
++    unconfined_domain(vmtools_t)
++')
++
++########################################
++#
++# vmtools-helper local policy
++#
++
++domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
++can_exec(vmtools_helper_t, vmtools_helper_exec_t)
++
++corecmd_exec_bin(vmtools_helper_t)
++
++userdom_stream_connect(vmtools_helper_t)
++userdom_use_inherited_user_ttys(vmtools_helper_t)
++userdom_use_inherited_user_ptys(vmtools_helper_t)
++
++optional_policy(`
++    unconfined_domain(vmtools_helper_t)
++')
++
 diff --git a/vmware.if b/vmware.if
 index 20a1fb2..470ea95 100644
 --- a/vmware.if
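Review bot: Both new domains in vmtools.te end with an `optional_policy` block calling `unconfined_domain`, so on a targeted policy vmtools_t and vmtools_helper_t are unconfined and the detailed rules above them constrain nothing; vmtools_helper_t is entered from user domains through `vmtools_run_helper` and the setuid wrapper labelled in vmtools.fc, which makes this a user-to-unconfined transition that the file does not explain. Add a header comment stating that the confined rules only take effect when the unconfined module is absent, or gate the two `unconfined_domain` calls behind a boolean with a desc block. The vmtools.if summaries are copy-paste leftovers: `vmtools_domtrans_helper` is described as "Execute vmtools in the vmtools domin" although it transitions to vmtools_helper_t, the role parameter of `vmtools_run_helper` reads "The role to be allowed the mozilla_plugin domain", and "domin" and "vmtools_heler" are typos. Indentation mixes tabs and four spaces inside `vmtools_run_helper`, `vmtools_systemctl` and the optional_policy bodies of vmtools.te; the rest of the contrib tree uses tabs.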
@@ -96710,7 +103655,7 @@ index 7a7f342..afedcba 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/vpn.te b/vpn.te
-index 9329eae..824e86f 100644
+index 9329eae..38a4bf3 100644
 --- a/vpn.te
 +++ b/vpn.te
 @@ -1,4 +1,4 @@
@@ -96820,14 +103765,38 @@ index 9329eae..824e86f 100644
  
  optional_policy(`
  	dbus_system_bus_client(vpnc_t)
-@@ -125,7 +122,3 @@ optional_policy(`
+@@ -124,8 +121,5 @@ optional_policy(`
+ 
  optional_policy(`
  	networkmanager_attach_tun_iface(vpnc_t)
- ')
+-')
 -
 -optional_policy(`
 -	seutil_use_newrole_fds(vpnc_t)
--')
++	networkmanager_manage_pid_files(vpnc_t)
+ ')
+diff --git a/w3c.te b/w3c.te
+index bcb76b6..d3cf4a8 100644
+--- a/w3c.te
++++ b/w3c.te
+@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1)
+ 
+ apache_content_template(w3c_validator)
+ 
++type httpd_w3c_validator_tmp_t;
++files_tmp_file(httpd_w3c_validator_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+ #
++manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
++
+ 
+ corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
+ corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
 diff --git a/watchdog.fc b/watchdog.fc
 index eecd0e0..8df2e8c 100644
 --- a/watchdog.fc
@@ -96846,10 +103815,10 @@ index eecd0e0..8df2e8c 100644
  
  /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..45b3926 100644
+index 29f79e8..026b259 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
  type watchdog_initrc_exec_t;
  init_script_file(watchdog_initrc_exec_t)
  
@@ -96868,9 +103837,15 @@ index 29f79e8..45b3926 100644
  ########################################
  #
  # Local policy
-@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms };
+ #
+ 
+-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
++allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
+ dontaudit watchdog_t self:capability sys_tty_config;
+ allow watchdog_t self:process { setsched signal_perms };
  allow watchdog_t self:fifo_file rw_fifo_file_perms;
  allow watchdog_t self:tcp_socket { accept listen };
++allow watchdog_t self:rawip_socket create_socket_perms;
  
 -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(watchdog_t, watchdog_log_t, file)
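Review bot: `net_raw` and `self:rawip_socket create_socket_perms` are new privileges for watchdog_t with no comment; presumably they back the daemon's ping-based liveness check, but a reader of the policy has to guess, and raw sockets are a capability worth justifying in place. Suggest `# raw ICMP socket for the ping liveness test — confirm against watchdog.conf` above the rawip_socket line. The `kernel_read_network_state` addition in the next hunk belongs to the same feature and would be covered by the same comment.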
@@ -96883,7 +103858,12 @@ index 29f79e8..45b3926 100644
  
  manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
  files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
-@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t)
+ 
++kernel_read_network_state(watchdog_t)
+ kernel_read_system_state(watchdog_t)
+ kernel_read_kernel_sysctls(watchdog_t)
+ kernel_unmount_proc(watchdog_t)
+@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t)
  domain_signal_all_domains(watchdog_t)
  domain_kill_all_domains(watchdog_t)
  
@@ -96891,7 +103871,11 @@ index 29f79e8..45b3926 100644
  files_manage_etc_runtime_files(watchdog_t)
  files_etc_filetrans_etc_runtime(watchdog_t, file)
  
-@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t)
+@@ -72,11 +83,10 @@ fs_getattr_all_fs(watchdog_t)
+ fs_search_auto_mountpoints(watchdog_t)
+ 
+ auth_append_login_records(watchdog_t)
++auth_read_passwd(watchdog_t)
  
  logging_send_syslog_msg(watchdog_t)
  
@@ -96900,7 +103884,7 @@ index 29f79e8..45b3926 100644
  sysnet_dns_name_resolve(watchdog_t)
  
  userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-@@ -97,3 +104,28 @@ optional_policy(`
+@@ -97,3 +107,28 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(watchdog_t)
  ')
@@ -97195,7 +104179,7 @@ index cdca8c7..3c09628 100644
  	manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
  ')
 diff --git a/wine.if b/wine.if
-index fd2b6cc..52a2e72 100644
+index fd2b6cc..938c4a7 100644
 --- a/wine.if
 +++ b/wine.if
 @@ -1,46 +1,57 @@
@@ -97344,8 +104328,31 @@ index fd2b6cc..52a2e72 100644
  ')
  
  ########################################
+@@ -165,3 +169,22 @@ interface(`wine_rw_shm',`
+ 
+ 	allow $1 wine_t:shm rw_shm_perms;
+ ')
++
++########################################
++## <summary>
++##	Transition to wine named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`wine_filetrans_named_content',`
++	gen_require(`
++		type wine_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine")
++')
++
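Review bot: The new `wine_filetrans_named_content` interface is followed by two blank lines, leaving a trailing empty line at the end of wine.if, and the `Domain allowed access.` summary line is indented with spaces where the surrounding doc block uses tabs. The interface itself is a plain wrapper around `userdom_user_home_dir_filetrans` with the ".wine" name and reads fine.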
 diff --git a/wine.te b/wine.te
-index b51923c..8e47110 100644
+index b51923c..4906ce0 100644
 --- a/wine.te
 +++ b/wine.te
 @@ -14,10 +14,11 @@ policy_module(wine, 1.10.1)
@@ -97361,7 +104368,7 @@ index b51923c..8e47110 100644
  type wine_exec_t;
  userdom_user_application_domain(wine_t, wine_exec_t)
  role wine_roles types wine_t;
-@@ -25,56 +26,57 @@ role wine_roles types wine_t;
+@@ -25,56 +26,58 @@ role wine_roles types wine_t;
  type wine_home_t;
  userdom_user_home_content(wine_home_t)
  
@@ -97373,34 +104380,34 @@ index b51923c..8e47110 100644
  # Local policy
  #
 +domain_mmap_low(wine_t)
-+
-+optional_policy(`
-+	unconfined_domain(wine_t)
-+')
  
 -allow wine_t self:process { execstack execmem execheap };
 -allow wine_t self:fifo_file manage_fifo_file_perms;
++optional_policy(`
++	unconfined_domain(wine_t)
++')
  
 -can_exec(wine_t, wine_exec_t)
+ 
+-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
 +########################################
 +#
 +# Common wine domain policy
 +#
  
--userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
-+allow wine_domain self:process { execstack execmem execheap };
-+allow wine_domain self:fifo_file manage_fifo_file_perms;
- 
 -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
-+can_exec(wine_domain, wine_exec_t)
++allow wine_domain self:process { execstack execmem execheap };
++allow wine_domain self:fifo_file manage_fifo_file_perms;
  
 -domain_mmap_low(wine_t)
++can_exec(wine_domain, wine_exec_t)
++
 +manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
 +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
-+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine")
 +userdom_tmpfs_filetrans(wine_domain, file)
++wine_filetrans_named_content(wine_domain)
  
 -files_execmod_all_files(wine_t)
 +files_execmod_all_files(wine_domain)
@@ -97430,19 +104437,19 @@ index b51923c..8e47110 100644
  
  optional_policy(`
 -	rtkit_scheduled(wine_t)
--')
--
--optional_policy(`
--	unconfined_domain(wine_t)
 +	rtkit_scheduled(wine_domain)
  ')
  
  optional_policy(`
--	xserver_read_xdm_pid(wine_t)
--	xserver_rw_shm(wine_t)
+-	unconfined_domain(wine_t)
 +	xserver_read_xdm_pid(wine_domain)
 +	xserver_rw_shm(wine_domain)
  ')
+ 
+-optional_policy(`
+-	xserver_read_xdm_pid(wine_t)
+-	xserver_rw_shm(wine_t)
+-')
 diff --git a/wireshark.te b/wireshark.te
 index cf5cab6..a2d910f 100644
 --- a/wireshark.te
@@ -98800,7 +105807,7 @@ index 0cea2cd..7668014 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 diff --git a/xguest.te b/xguest.te
-index 2882821..8cf4841 100644
+index 2882821..0f1f514 100644
 --- a/xguest.te
 +++ b/xguest.te
 @@ -1,4 +1,4 @@
@@ -98911,18 +105918,26 @@ index 2882821..8cf4841 100644
  	')
  ')
  
-@@ -84,12 +97,17 @@ optional_policy(`
+@@ -84,12 +97,25 @@ optional_policy(`
  	')
  ')
  
 +
  optional_policy(`
 -	apache_role(xguest_r, xguest_t)
++    abrt_dontaudit_read_config(xguest_t)
++')
++
++optional_policy(`
 +	colord_dbus_chat(xguest_t)
 +')
 +
 +optional_policy(`
 +	chrome_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++    thumb_role(xguest_r, xguest_t)
  ')
  
  optional_policy(`
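Review bot: `abrt_dontaudit_read_config(xguest_t)` and `thumb_role(xguest_r, xguest_t)` are indented with four spaces while every other optional_policy body in this hunk uses a tab; match the file's tab indentation. `thumb_role` extends the guest role with another application domain and a one-line comment on why the restricted xguest user needs it would help the next reviewer.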
@@ -98931,7 +105946,7 @@ index 2882821..8cf4841 100644
  ')
  
  optional_policy(`
-@@ -97,75 +115,82 @@ optional_policy(`
+@@ -97,75 +123,82 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98949,7 +105964,7 @@ index 2882821..8cf4841 100644
 -		kernel_read_network_state(xguest_t)
 +	mozilla_run_plugin(xguest_t, xguest_r)
 +')
- 
++
 +optional_policy(`
 +	mount_run_fusermount(xguest_t, xguest_r)
 +')
@@ -98958,7 +105973,7 @@ index 2882821..8cf4841 100644
 +	pcscd_read_pid_files(xguest_t)
 +	pcscd_stream_connect(xguest_t)
 +')
-+
+ 
 +optional_policy(`
 +	rhsmcertd_dontaudit_dbus_chat(xguest_t)
 +')
@@ -99131,10 +106146,10 @@ index d837e88..910aeec 100644
  userdom_search_user_home_dirs(yam_t)
  
 diff --git a/zabbix.fc b/zabbix.fc
-index ce10cb1..3181728 100644
+index ce10cb1..38b143f 100644
 --- a/zabbix.fc
 +++ b/zabbix.fc
-@@ -4,11 +4,15 @@
+@@ -4,12 +4,17 @@
  /usr/bin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
  /usr/bin/zabbix_agentd	--	gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
  
@@ -99149,8 +106164,10 @@ index ce10cb1..3181728 100644
 +/usr/sbin/zabbix_proxy_pgsql   --  gen_context(system_u:object_r:zabbix_exec_t,s0)
 +/usr/sbin/zabbix_proxy_sqlite3 --  gen_context(system_u:object_r:zabbix_exec_t,s0)
  
++/var/lib/zabbixsrv(/.*)?	gen_context(system_u:object_r:zabbix_var_lib_t,s0)
  /var/log/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_log_t,s0)
  
+ /var/run/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_var_run_t,s0)
 diff --git a/zabbix.if b/zabbix.if
 index dd63de0..38ce620 100644
 --- a/zabbix.if
@@ -99314,10 +106331,10 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..79317e6 100644
+index 46e4cd3..614e66c 100644
 --- a/zabbix.te
 +++ b/zabbix.te
-@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3)
+@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
  #
  
  ## <desc>
@@ -99344,7 +106361,24 @@ index 46e4cd3..79317e6 100644
  type zabbix_agent_exec_t;
  init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
  
-@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t)
+ type zabbix_agent_initrc_exec_t;
+ init_script_file(zabbix_agent_initrc_exec_t)
+ 
++type zabbixd_var_lib_t;
++files_type(zabbixd_var_lib_t)
++
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+ 
+@@ -36,27 +41,53 @@ files_tmp_file(zabbix_tmp_t)
+ type zabbix_tmpfs_t;
+ files_tmpfs_file(zabbix_tmpfs_t)
+ 
++type zabbix_var_lib_t;
++files_type(zabbix_var_lib_t)
++
+ type zabbix_var_run_t;
+ files_pid_file(zabbix_var_run_t)
  
  ########################################
  #
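Review bot: Two var_lib types are declared in this hunk, `zabbixd_var_lib_t` and `zabbix_var_lib_t`, but only `zabbix_var_lib_t` is used by the manage rules and filetrans in the following hunk and by the new zabbix.fc entry; `zabbixd_var_lib_t` looks like a mistyped first attempt that was never removed. Drop the two `zabbixd_var_lib_t` lines, otherwise the module ships an orphan type that nothing labels and nothing can access.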
@@ -99390,6 +106424,11 @@ index 46e4cd3..79317e6 100644
 -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 -setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 -logging_log_filetrans(zabbix_t, zabbix_log_t, file)
++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
++
 +manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@@ -99397,7 +106436,7 @@ index 46e4cd3..79317e6 100644
  
  manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
  manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -70,13 +101,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
  
  kernel_read_system_state(zabbix_t)
@@ -99411,7 +106450,13 @@ index 46e4cd3..79317e6 100644
  
  corenet_sendrecv_ftp_client_packets(zabbix_t)
  corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
+@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+ corenet_sendrecv_http_client_packets(zabbix_t)
+ corenet_tcp_connect_http_port(zabbix_t)
+ corenet_tcp_sendrecv_http_port(zabbix_t)
++corenet_tcp_connect_smtp_port(zabbix_t)
+ 
+ corenet_sendrecv_zabbix_server_packets(zabbix_t)
  corenet_tcp_bind_zabbix_port(zabbix_t)
  corenet_tcp_sendrecv_zabbix_port(zabbix_t)
  
@@ -99428,8 +106473,12 @@ index 46e4cd3..79317e6 100644
 -
  zabbix_agent_tcp_connect(zabbix_t)
  
++logging_send_syslog_msg(zabbix_t)
++
  tunable_policy(`zabbix_can_network',`
-@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',`
+ 	corenet_sendrecv_all_client_packets(zabbix_t)
+ 	corenet_tcp_connect_all_ports(zabbix_t)
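Review bot: `corenet_tcp_connect_smtp_port(zabbix_t)` is added on its own, whereas the ftp and http port blocks immediately above it pair the connect rule with `corenet_sendrecv_*_client_packets` and `corenet_tcp_sendrecv_*_port`. Either add `corenet_sendrecv_smtp_client_packets(zabbix_t)` and `corenet_tcp_sendrecv_smtp_port(zabbix_t)` next to it or note why the pair is not needed here, so the smtp block matches its neighbours. The `logging_send_syslog_msg(zabbix_t)` addition in the same hunk is fine.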
+@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
  ')
  
  optional_policy(`
@@ -99444,7 +106493,7 @@ index 46e4cd3..79317e6 100644
  ')
  
  optional_policy(`
-@@ -125,6 +131,7 @@ optional_policy(`
+@@ -125,6 +145,7 @@ optional_policy(`
  
  optional_policy(`
  	snmp_read_snmp_var_lib_files(zabbix_t)
@@ -99452,7 +106501,7 @@ index 46e4cd3..79317e6 100644
  ')
  
  ########################################
-@@ -132,18 +139,7 @@ optional_policy(`
+@@ -132,18 +153,7 @@ optional_policy(`
  # Agent local policy
  #
  
@@ -99472,7 +106521,7 @@ index 46e4cd3..79317e6 100644
  
  rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
  fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
  manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
  
@@ -99491,7 +106540,13 @@ index 46e4cd3..79317e6 100644
  
  corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
  corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+ dev_getattr_all_blk_files(zabbix_agent_t)
+ dev_getattr_all_chr_files(zabbix_agent_t)
+ 
+-domain_search_all_domains_state(zabbix_agent_t)
++domain_read_all_domains_state(zabbix_agent_t)
+ 
  files_getattr_all_dirs(zabbix_agent_t)
  files_getattr_all_files(zabbix_agent_t)
  files_read_all_symlinks(zabbix_agent_t)
@@ -99499,7 +106554,9 @@ index 46e4cd3..79317e6 100644
  
  fs_getattr_all_fs(zabbix_agent_t)
  
-@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t)
++auth_use_nsswitch(zabbix_agent_t)
++
+ init_read_utmp(zabbix_agent_t)
  
  logging_search_logs(zabbix_agent_t)
  
@@ -99510,9 +106567,12 @@ index 46e4cd3..79317e6 100644
  zabbix_tcp_connect(zabbix_agent_t)
 +
 +optional_policy(`
-+	hostname_exec(zabbix_agent_t)
++	dmidecode_domtrans(zabbix_agent_t)
 +')
 +
++optional_policy(`
++	hostname_exec(zabbix_agent_t)
++')
 diff --git a/zarafa.fc b/zarafa.fc
 index faf99ed..44e94fa 100644
 --- a/zarafa.fc
@@ -99756,7 +106816,7 @@ index 36e32df..3d08962 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
  ')
 diff --git a/zarafa.te b/zarafa.te
-index a4479b1..a40d580 100644
+index a4479b1..ffeb7f4 100644
 --- a/zarafa.te
 +++ b/zarafa.te
 @@ -1,13 +1,18 @@
@@ -99770,7 +106830,7 @@ index a4479b1..a40d580 100644
  
 +## <desc>
 +##  <p>
-+## Allow zarafa domains to setrlimit/sys_rouserce.
++## Allow zarafa domains to setrlimit/sys_resource.
 +##  </p>
 +## </desc>
 +gen_tunable(zarafa_setrlimit, false)
@@ -100336,7 +107396,7 @@ index 0000000..8c61505
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
 diff --git a/zoneminder.if b/zoneminder.if
 new file mode 100644
-index 0000000..d02a6f4
+index 0000000..fb0519e
 --- /dev/null
 +++ b/zoneminder.if
 @@ -0,0 +1,374 @@
@@ -100549,7 +107609,7 @@ index 0000000..d02a6f4
 +#
 +interface(`zoneminder_manage_lib_sock_files',`
 +    gen_require(`
-+        type sock_var_lib_t;
++        type zoneminder_var_lib_t;
 +    ')
 +    files_search_var_lib($1)
 +    manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
diff --git a/SOURCES/setrans-minimum.conf b/SOURCES/setrans-minimum.conf
index 09a6ce3..0ac9c90 100644
--- a/SOURCES/setrans-minimum.conf
+++ b/SOURCES/setrans-minimum.conf
@@ -1,8 +1,6 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
-# Uncomment the following to disable translation libary
-# disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
diff --git a/SOURCES/setrans-mls.conf b/SOURCES/setrans-mls.conf
index eb181d2..fa27ae2 100644
--- a/SOURCES/setrans-mls.conf
+++ b/SOURCES/setrans-mls.conf
@@ -1,8 +1,6 @@
 #
 # Multi-Level Security translation table for SELinux
 # 
-# Uncomment the following to disable translation libary
-# disable=1
 #
 # Objects can be labeled with one of 16 levels and be categorized with 0-1023 
 # categories defined by the admin.
diff --git a/SOURCES/setrans-targeted.conf b/SOURCES/setrans-targeted.conf
index 09a6ce3..0ac9c90 100644
--- a/SOURCES/setrans-targeted.conf
+++ b/SOURCES/setrans-targeted.conf
@@ -1,8 +1,6 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
-# Uncomment the following to disable translation libary
-# disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 8dfbad8..e363177 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 103%{?dist}
+Release: 153%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -117,6 +117,7 @@ SELinux policy development and man page package
 %{_usr}/share/selinux/devel/include/*
 %dir %{_usr}/share/selinux/devel/html
 %{_usr}/share/selinux/devel/html/*html
+%{_usr}/share/selinux/devel/html/*css
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
@@ -251,7 +252,7 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER}  %{buildroot}%{_sysconfdir}/se
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u 
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@@ -288,7 +289,7 @@ fi;
 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-(cd /etc/selinux/%2/modules/active/modules; rm -f l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
+(cd /etc/selinux/%2/modules/active/modules; rm -f nsplugin.pp l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp smstools.pp qemu.pp ) \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
    /usr/sbin/semodule -B -n -s %2; \
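Review bot: The extended `rm -f` line still chains the directory change with `;`, so if `cd /etc/selinux/%2/modules/active/modules` fails (store not yet populated on a fresh install, or `%2` expanding to something unexpected) the `rm -f nsplugin.pp … qemu.pp` runs with relative names in whatever the scriptlet's current directory is instead of being skipped; `(cd /etc/selinux/%2/modules/active/modules && rm -f nsplugin.pp l2tpd.pp … smstools.pp qemu.pp )` is the safer idiom and fits the existing `\`-continued macro. The impact is low because those names are unlikely to exist elsewhere, but the ordering matters: the deletions must land before the `semodule -B` rebuild that follows, which this hunk preserves. The growing single-line list would also be easier to review as one module per continuation line. The `postInstall` macro continues past the end of this hunk.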
@@ -388,6 +389,8 @@ chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
 mkdir %{buildroot}%{_usr}/share/selinux/devel/html
 htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/`
 mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html
+mv %{buildroot}%{_usr}/share/man/man8/index.html %{buildroot}%{_usr}/share/selinux/devel/html
+mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html
 rm -rf ${htmldir}
 
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
@@ -453,7 +456,7 @@ Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
 Obsoletes: cachefilesd-selinux <= 0.10-1
 Conflicts:  seedit
 Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
-Conflicts:	pki-selinux < 10-0.0-0.45.b1
+Conflicts:	pki-selinux < 10.0.0-0.45.b1
 Conflicts:  freeipa-server-selinux < 3.2.2-1
 
 %description targeted
@@ -481,6 +484,7 @@ exit 0
 %files targeted
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u 
 %fileList targeted
 %{_usr}/share/selinux/targeted/modules-base.lst
 %{_usr}/share/selinux/targeted/modules-contrib.lst
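Review bot: The added `%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u ` line carries a trailing space, while the parallel line added for the minimum package (`…/minimum/contexts/users/sysadm_u`) and the `staff_u` line that this same commit cleans up in `%fileList` do not; drop the trailing space so the two `%files` entries are written identically. `%config(noreplace)` is the right attribute here since an admin-edited per-user default_contexts file should survive an upgrade as-is, with the packaged version landing as `.rpmnew`.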
@@ -516,7 +520,7 @@ done
 for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do
 	rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled
 done
-/usr/sbin/semanage -S minimum -i - << __eof
+/usr/sbin/semanage import -S minimum -f - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 __eof
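Review bot: The switch to `semanage import -S minimum -f -` keeps feeding `login -m -s unconfined_u -r s0-s0:c0.c1023 __default__` (and the same for `root`) unconditionally, so every install or upgrade of selinux-policy-minimum appears to reset the `__default__` and `root` login mappings to `unconfined_u` even if an administrator had mapped them to a confined user such as `user_u`; if that reset is intentional, a shell comment above the heredoc saying so would help, e.g. `# NOTE: forces __default__/root back to unconfined_u on every install; admin login mappings are not preserved`. The exit status of `semanage import` is also not examined, so a failed import (for example when the minimum store is not yet built) goes unnoticed by the scriptlet. The `%post minimum` scriptlet continues past the end of this hunk.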
@@ -538,6 +542,7 @@ exit 0
 %files minimum
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
 %fileList minimum
 %{_usr}/share/selinux/minimum/modules-base.lst
 %{_usr}/share/selinux/minimum/modules-contrib.lst
@@ -574,9 +579,792 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Apr 7 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-153
+- Change hsperfdata_root to have as user_tmp_t
+Resolves:#1076523
+
+* Fri Apr 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-152
+- Fix Multiple same specifications for /var/named/chroot/dev/zero
+- Add labels for /var/named/chroot_sdb/dev devices
+- Add support for strongimcv
+- Use kerberos_keytab_domains in auth_use_nsswitch
+- Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to
+- Allow net_raw cap for neutron_t and send sigkill to dnsmasq
+- Fix ntp_filetrans_named_content for sntp-kod file
+- Add httpd_dbus_sssd boolean
+- Dontaudit exec insmod in boinc policy
+- Rename kerberos_keytab_domain to kerberos_keytab_domains
+- Add kerberos_keytab_domain()
+- Fix kerberos_keytab_template()
+- Make all domains which use kerberos as kerberos_keytab_domain
+Resolves:#1083670
+- Allow kill capability to winbind_t
+
+* Wed Apr 2 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-151
+- varnishd wants chown capability
+- update ntp_filetrans_named_content() interface
+- Add additional fixes for neutron_t. #1083335
+- Dontaudit getattr on proc_kcore_t
+- Allow pki_tomcat_t to read ipa lib files
+- Allow named_filetrans_domain to create /var/cache/ibus with correct labelign
+- Allow init_t run /sbin/augenrules
+- Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces
+- Allow unpriv SELinux user to use sandbox
+- Add default label for /tmp/hsperfdata_root
+
+* Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-149
+- Add file subs also for /var/home
+
+* Mon Mar 31 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-149
+- Allow xauth_t to read user_home_dir_t lnk_file
+- Add labeling for lightdm-data
+- Allow certmonger to manage ipa lib files
+- Add support for /var/lib/ipa
+- Allow pegasus to getattr virt_content
+- Added some new rules to pcp policy
+- Allow chrome_sandbox to execute config_home_t
+- Add support for ABRT FAF
+
+* Fri Mar 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-148
+- Allow kdm to send signull to remote_login_t process
+- Add gear policy
+- Turn on gear_port_t
+- Allow cgit to read gitosis lib files by default
+- Allow vdagent to read xdm state
+- Allow NM and fcoeadm to talk together over unix_dgram_socket
+
+* Thu Mar 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-147
+- Back port fixes for pegasus_openlmi_admin_t from rawhide
+Resolves:#1080973
+- Add labels for ostree
+- Add SELinux awareness for NM
+- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
+
+* Wed Mar 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-146
+- add gnome_append_home_config()
+- Allow thumb to append GNOME config home files
+- Allow rasdaemon to rw /dev/cpu//msr
+- fix /var/log/pki file spec
+- make bacula_t as auth_nsswitch domain
+- Identify pki_tomcat_cert_t as a cert_type
+- Define speech-dispater_exec_t as an application executable
+- Add a new file context for /var/named/chroot/run directory
+- update storage_filetrans_all_named_dev for sg* devices
+- Allow auditctl_t  to getattr on all removeable devices
+- Allow nsswitch_domains to stream connect to nmbd
+- Allow unprivusers to connect to memcached
+- label /var/lib/dirsrv/scripts-INSTANCE as bin_t
+
+* Mon Mar 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-145
+- Allow also unpriv user to run vmtools
+- Allow secadm to read /dev/urandom and meminfo
+Resolves:#1079250
+- Add booleans to allow docker processes to use nfs and samba
+- Add mdadm_tmpfs support
+- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
+- Allow vmware-user-sui to use user ttys
+- Allow talk 2 users logged via console too
+- Allow ftp services to manage xferlog_t
+- Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies
+- allow anaconda to dbus chat with systemd-localed
+
+* Fri Mar 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-144
+- allow anaconda to dbus chat with systemd-localed
+- Add fixes for haproxy based on bperkins@redhat.com
+- Allow cmirrord to make dmsetup working
+- Allow NM to execute arping
+- Allow users to send messages through talk
+- Add userdom_tmp_role for secadm_t
+
+* Thu Mar 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-143
+- Add additional fixes for rtas_errd
+- Fix transitions for tmp/tmpfs in rtas.te
+- Allow rtas_errd to readl all sysctls
+
+
+* Wed Mar 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-142
+- Add support for /var/spool/rhsm/debug
+- Make virt_sandbox_use_audit as True by default
+- Allow svirt_sandbox_domains to ptrace themselves
+
+* Wed Mar 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-141
+- Allow docker containers to manage /var/lib/docker content
+
+* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-140
+- Allow docker to read tmpfs_t symlinks
+- Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets
+
+* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-139
+- Allow collectd to talk to libvirt
+- Allow chrome_sandbox to use leaked unix_stream_sockets
+- Dontaudit leaks of sockets into chrome_sandbox_t
+- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
+- Run vmtools as unconfined domains
+- Allow snort to manage its log files
+- Allow systemd_cronjob_t to be entered via bin_t
+- Allow procman to list doveconf_etc_t
+- allow keyring daemon to create content in tmpfs directories
+- Add proper labelling for icedtea-web
+- vpnc is creating content in networkmanager var run directory
+- Label sddm as xdm_exec_t to make KDE working again
+- Allow postgresql to read network state
+- Allow java running as pki_tomcat to read network sysctls
+- Fix cgroup.te to allow cgred to read cgconfig_etc_t
+- Allow beam.smp to use ephemeral ports
+- Allow winbind to use the nis to authenticate passwords
+
+* Fri Mar 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-138
+- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least.
+- Allow net_admin cap for fence_virtd running as fenced_t
+- Make  abrt-java-connector working
+- Make cimtest script 03_defineVS.py of ComputerSystem group working
+- Fix git_system_enable_homedirs boolean
+- Allow munin mail plugins to read network systcl
+
+* Thu Mar 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-137
+- Allow vmtools_helper_t to execute bin_t
+- Add support for /usr/share/joomla
+- /var/lib/containers should be labeled as openshift content for now
+- Allow docker domains to talk to the login programs, to allow a process to login into the container
+- Allow install_t do dbus chat with NM
+- Fix interface names in anaconda.if
+- Add install_t for anaconda. A new type is a part of anaconda policy
+- sshd to read network sysctls
+
+* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-136
+- Allow zabbix to send system log msgs
+- Allow init_t to stream connect to ipsec
+Resolves:#1060775
+
+* Tue Mar 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-135
+- Add docker_connect_any boolean
+
+* Tue Mar 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-134
+- Allow unpriv SELinux users to dbus chat with firewalld
+- Add lvm_write_metadata()
+- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
+- Allow pegasus_openlmi_storage_t to write lvm metadata
+- Add hide_broken_symptoms for kdumpgui because of systemd bug
+- Make kdumpgui_t as unconfined domain
+Resolves:#1044299
+- Allow docker to connect to tcp/5000
+
+* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-133
+- Allow numad to write scan_sleep_millisecs
+- Turn on entropyd_use_audio boolean by default
+- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
+- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
+- Fix label on irclogs in the homedir
+- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix
+- Allow postgresql to use ldap
+- Add missing syslog-conn port
+- Add support for /dev/vmcp and /dev/sclp
+Resolves:#1069310
+
+* Fri Mar 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-132
+- Modify xdm_write_home to allow create files/links in /root with xdm_home_
+- Allow virt domains to read network state
+Resolves:#1072019
+
+* Thu Mar 6 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-131
+- Added pcp rules
+- dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6
+- clean up ctdb.te
+- Allow ctdbd to connect own ports
+- Fix samba_export_all_rw booleanto cover also non security dirs
+- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
+- Allow neutron to create /run/netns with correct labeling
+- Allow certmonger to list home dirs
+
+* Wed Mar 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-130
+- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask
+- Add sysnet_filetrans_named_content_ifconfig() interface
+- Allow ctdbd to connect own ports
+- Fix samba_export_all_rw booleanto cover also non security dirs
+- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
+- Allow neutron to create /run/netns with correct labeling
+- Allow kerberos keytab domains to manage sssd/userdomain keys"
+- Allow to run ip cmd in neutron_t domain
+
+* Mon Mar 3 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-129
+- Allow block_suspend cap2 for systemd-logind and rw dri device
+- Add labeling for /usr/libexec/nm-libreswan-service
+- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working
+- Add xserver_rw_xdm_keys()
+- Allow rpm_script_t to dbus chat also with systemd-located
+- Fix ipa_stream_connect_otpd()
+- update lpd_manage_spool() interface
+- Allow krb5kdc to stream connect to ipa-otpd
+- Add ipa_stream_connect_otpd() interface
+- Allow vpnc to unlink NM pids
+- Add networkmanager_delete_pid_files()
+- Allow munin plugins to access unconfined plugins
+- update abrt_filetrans_named_content to cover /var/spool/debug
+- Label /var/spool/debug as abrt_var_cache_t
+- Allow rhsmcertd to connect to squid port
+- Make docker_transition_unconfined as optional boolean
+- Allow certmonger to list home dirs
+
+* Wed Feb 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-128
+- Make snapperd as unconfined domain and add additional fixes for it
+- Remove nsplugin.pp module on upgrade
+
+* Tue Feb 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-127
+- Add snapperd_home_t for HOME_DIR/.snapshots directory
+- Make sosreport as unconfined domain
+- Allow sosreport to execute grub2-probe
+- Allow NM to manage hostname config file
+- Allow systemd_timedated_t to dbus chat with rpm_script_t
+- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
+- Add lsmd_plugin_connect_any boolean
+- Allow mozilla_plugin to attempt to set capabilities
+- Allow lsdm_plugins to use tcp_socket
+- Dontaudit mozilla plugin from getattr on /proc or /sys
+- Dontaudit use of the keyring by the services in a sandbox
+- Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t
+- Allow rabbitmq_beam to connect to jabber_interserver_port
+- Allow logwatch_mail_t to transition to qmail_inject and queueu
+- Added new rules to pcp policy
+- Allow vmtools_helper_t to change role to system_r
+- Allow NM to dbus chat with vmtools
+- Fix couchdb_manage_files() to allow manage couchdb conf files
+- Add support for /var/run/redis.sock
+- dontaudit gpg trying to use audit
+- Allow consolekit to create log directories and files
+- Fix vmtools policy to allow user roles to access vmtools_helper_t
+- Allow block_suspend cap2 for ipa-otpd
+- Allow pkcsslotd to read users state
+- Add ioctl to init_dontaudit_rw_stream_socket
+- Add systemd_hostnamed_manage_config() interface
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- sddm-greater is a xdm type program
+
+* Tue Feb 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-126
+- Add lvm_read_metadata()
+- Allow auditadm to search /var/log/audit dir
+- Add lvm_read_metadata() interface
+- Allow confined users to run vmtools helpers
+- Fix userdom_common_user_template()
+- Generic systemd unit scripts do write check on /
+- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files
+- Add additional fixes needed for init_t and setup script running in generic unit files
+- Allow general users to create packet_sockets
+- added connlcli port
+- Add init_manage_transient_unit() interface
+- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
+- Fix userdomain.te to require passwd class
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- Dontauit leaks of var_t into ifconfig_t
+- Allow domains that transition to ssh_t to manipulate its keyring
+- Define oracleasm_t as a device node
+- Change to handle /root as a symbolic link for os-tree
+- Allow sysadm_t to create packet_socket, also move some rules to attributes
+- Add label for openvswitch port
+- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
+- Allow postfix_local to read .forward in pcp lib files
+- Allow pegasus_openlmi_storage_t to read lvm metadata
+- Add additional fixes for pegasus_openlmi_storage_t
+- Allow bumblebee to manage debugfs
+- Make bumblebee as unconfined domain
+- Allow snmp to read etc_aliases_t
+- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
+- Allow pegasus_openlmi_storage_t to read /proc/1/environ
+- Dontaudit read gconf files for cupsd_config_t
+- make vmtools as unconfined domain
+- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
+- Allow collectd_t to use a mysql database
+- Allow ipa-otpd to perform DNS name resolution
+- Added new policy for keepalived
+- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd
+- Add additional fixes new pscs-lite+polkit support
+- Add labeling for /run/krb5kdc
+- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
+- Allow pcscd to read users proc info
+- Dontaudit smbd_t sending out random signuls
+- Add boolean to allow openshift domains to use nfs
+- Allow w3c_validator to create content in /tmp
+- zabbix_agent uses nsswitch
+- Allow procmail and dovecot to work together to deliver mail
+- Allow spamd to execute files in homedir if boolean turned on
+- Allow openvswitch to listen on port 6634
+- Add net_admin capability in collectd policy
+- Fixed snapperd policy
+- Fixed bugsfor pcp policy
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Add kerberos_keytab_domain attribute
+- Fix snapperd_conf_t def
+
+* Tue Feb 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-125
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Make tuned_t as unconfined domain for RHEL7.0
+- Allow ABRT to read puppet certs
+- Add sys_time capability for virt-ga
+- Allow gemu-ga to domtrans to hwclock_t
+- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
+- Fix some AVCs in pcp policy
+- Add to bacula capability setgid and setuid and allow to bind to bacula ports
+- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
+- Add access rhnsd and osad to /etc/sysconfig/rhn
+- drbdadm executes drbdmeta
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
+- Allow systemd_tmpfiles_t to manage all non security files on the system
+- Added labels for bacula ports
+- Fix label on /dev/vfio/vfio
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+
+* Mon Feb 3 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-124
+- Added osad policy
+- Allow postfix to deliver to procmail
+- Allow bumblebee to seng kill signal to xserver
+- Allow vmtools to execute /usr/bin/lsb_release
+- Allow docker to write system net ctrls
+- Add support for rhnsd unit file
+- Add dbus_chat_session_bus() interface
+- Add dbus_stream_connect_session_bus() interface
+- Fix pcp.te
+- Fix logrotate_use_nfs boolean
+- Add lot of pcp fixes found in RHEL7
+- fix labeling for pmie for pcp pkg
+- Change thumb_t to be allowed to chat/connect with session bus type
+- Allow call renice in mlocate
+- Add logrotate_use_nfs boolean
+- Allow setroubleshootd to read rpc sysctl
+
+* Fri Jan 31 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-123
+- Turn on bacula, rhnsd policy
+- Add support for rhnsd unit file
+- Add dbus_chat_session_bus() interface
+- Add dbus_stream_connect_session_bus() interface
+- Fix logrotate_use_nfs boolean
+- Add lot of pcp fixes found in RHEL7
+- fix labeling for pmie for pcp pkg
+- Change thumb_t to be allowed to chat/connect with session bus type
+- Allow call renice in mlocate
+- Add logrotate_use_nfs boolean
+- Allow setroubleshootd to read rpc sysctl
+- Fixes for *_admin interfaces
+- Add pegasus_openlmi_storage_var_run_t type def
+- Add support for /var/run/openlmi-storage
+- Allow tuned to create syslog.conf with correct labeling
+- Add httpd_dontaudit_search_dirs boolean
+- Add support for winbind.service
+- ALlow also fail2ban-client to read apache logs
+- Allow vmtools to getattr on all fs
+- Add support for dey_sapi port
+- Add logging_filetrans_named_conf()
+- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
+
+* Tue Jan 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-122
+- Update snapper policy
+- Allow domains to append rkhunter lib files
+- Allow snapperd to getattr on all fs
+- Allow xdm to create /var/gdm with correct labeling
+- Add label for snapper.log
+- Allow fail2ban-client to read apache log files
+- Allow thumb_t to execute dbus-daemon in thumb_t
+
+* Mon Jan 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-121
+- Allow gdm to create /var/gdm with correct labeling
+- Allow domains to append rkhunterl lib files. #1057982
+- Allow systemd_tmpfiles_t net_admin to communicate with journald
+- Add interface to getattr on an isid_type for any type of file
+- Update libs_filetrans_named_content() to have support for /usr/lib/debug directory
+- Allow initrc_t domtrans to authconfig if unconfined is enabled
+- Allow docker and mount on devpts chr_file
+- Allow docker to transition to unconfined_t if boolean set
+- init calling needs to be optional in domain.te
+- Allow uncofined domain types to handle transient unit files
+- Fix labeling for vfio devices
+- Allow net_admin capability and send system log msgs
+- Allow lldpad send dgram to NM
+- Add networkmanager_dgram_send()
+- rkhunter_var_lib_t is correct type
+- Back port pcp policy from rawhide
+- Allow openlmi-storage to read removable devices
+- Allow system cron jobs to manage rkhunter lib files
+- Add rkhunter_manage_lib_files()
+- Fix ftpd_use_fusefs boolean to allow manage also symlinks
+- Allow smbcontrob block_suspend cap2
+- Allow slpd to read network and system state info
+- Allow NM domtrans to iscsid_t if iscsiadm is executed
+- Allow slapd to send a signal itself
+- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
+- Fix plymouthd_create_log() interface
+- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
+- Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container
+- Allow postfix and cyrus-imapd to work out of box
+- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
+- Dontaudit domains that are calling into journald to net_admin
+- Add rules to allow vmtools to do what it does
+- snapperd is D-Bus service
+- Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
+- Add haproxy_connect_any boolean
+- Allow haproxy also to use http cache port by default
+Resolves:#1058248
+
+* Tue Jan 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-120
+- Allow apache to write to the owncloud data directory in /var/www/html...
+- Allow consolekit to create log dir
+- Add support for icinga CGI scripts
+- Add support for icinga
+- Allow kdumpctl_t to create kdump lock file
+Resolves:#1055634
+- Allow kdump to create lnk lock file
+- Allow nscd_t block_suspen capability
+- Allow unconfined domain types to manage own transient unit file
+- Allow systemd domains to handle transient init unit files
+- Add interfaces to handle transient
+
+* Mon Jan 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-119
+- Add cron unconfined role support for uncofined SELinux user
+- Call corenet_udp_bind_all_ports() in milter.te
+- Allow fence_virtd to connect to zented port
+- Fix header for mirrormanager_admin()
+- Allow dkim-milter to bind udp ports
+- Allow milter domains to send signull itself
+- Allow block_suspend for yum running as mock_t
+- Allow beam.smp to manage couchdb files
+- Add couchdb_manage_files()
+- Add labeling for /var/log/php_errors.log
+- Allow bumblebee to stream connect to xserver
+- Allow bumblebee to send a signal to xserver
+- gnome-thumbnail to stream connect to bumblebee
+- Allow xkbcomp running as bumblebee_t to execute  bin_t
+- Allow logrotate to read squid.conf
+- Additional rules to get docker and lxc to play well with SELinux
+- Allow bumbleed to connect to xserver port
+- Allow pegasus_openlmi_storage_t to read hwdata
+
+* Thu Jan 16 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-118
+- Allow init_t to work on transitient and snapshot unit files
+- Add logging_manage_syslog_config()
+- Update sysnet_dns_name_resolve() to allow connect to dnssec por
+- Allow pegasus_openlmi_storage_t to read hwdata
+Resolves:#1031721
+- Fix rhcs_rw_cluster_tmpfs()
+- Allow fenced_t to bind on zented udp port
+- Added policy for vmtools
+- Fix mirrormanager_read_lib_files()
+- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files
+- Allow ctdb to create sock files in /var/run/ctdb
+- Add sblim_filetrans_named_content() interface
+- Allow rpm scritplets to create /run/gather with correct labeling
+- Allow gnome keyring domains to create gnome config dirs
+- Dontaudit read/write to init stream socket for lsmd_plugin_t
+- Allow automount to read nfs link files
+- Allow lsm plugins to read/write lsmd stream socket
+- Allow certmonger to connect ldap port to make IPA CA certificate renewal working.
+- Add also labeling for /var/run/ctdb
+- Add missing labeling for /var/lib/ctdb
+- ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446
+- Dontaudit hypervkvp to search homedirs
+- Dontaudit hypervkvp to search admin homedirs
+- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
+- Dontaudit xguest_t to read ABRT conf files
+- Add abrt_dontaudit_read_config()
+- Allow namespace-init to getattr on fs
+- Add thumb_role() also for xguest
+- Add filename transitions to create .spamassassin with correct labeling
+- Allow apache domain to read mirrormanager pid files
+- Allow domains to read/write shm and sem owned by mozilla_plugin_t
+- Allow alsactl to send a generic signal to kernel_t
+
+* Tue Jan 14 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-117
+- Add back rpm_run() for unconfined user
+
+* Tue Jan 14 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-116
+- Add missing files_create_var_lib_dirs()
+- Fix typo in ipsec.te
+- Allow passwd to create directory in /var/lib
+- Add filename trans also for event21
+- Allow iptables command to read /dev/rand
+- Add sigkill capabilityfor ipsec_t
+- Add filename transitions for bcache devices
+- Add additional rules to create /var/log/cron by syslogd_t with correct labeling
+- Add give everyone full access to all key rings
+- Add default lvm_var_run_t label for /var/run/multipathd
+- Fix log labeling to have correct default label for them after logrotate
+- Labeled ~/.nv/GLCache as being gstreamer output
+- Allow nagios_system_plugin to read mrtg lib files
+- Add mrtg_read_lib_files()
+- Call rhcs_rw_cluster_tmpfs for dlm_controld
+- Make authconfing as named_filetrans domain
+- Allow virsh to connect to user process using stream socket
+- Allow rtas_errd to read rand/urand devices and add chown capability
+- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp
+Resolves:#1051497
+- Add also chown cap for abrt_upload_watch_t. It already has dac_override
+- Allow sosreport to manage rhsmcertd pid files
+- Add rhsmcertd_manage_pid_files()
+- Allow also setgid cap for rpc.gssd
+- Dontaudit access check for abrt on cert_t
+- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind
+
+* Fri Jan 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-115
+- Fix semanage import handling in spec file
+
+* Fri Jan 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-114
+- Add default lvm_var_run_t label for /var/run/multipathd
+Resolves:#1051430
+- Fix log labeling to have correct default label for them after logrotate
+- Add files_write_root_dirs
+- Add new openflow port label for 6653/tcp and 6633/tcp
+- Add xserver_manage_xkb_libs()
+- Label tcp/8891 as milter por
+- Allow gnome_manage_generic_cache_files also create cache_home_t files
+- Fix aide.log labeling
+- Fix log labeling to have correct default label for them after logrotate
+- Allow mysqld-safe write access on /root to make mysqld working
+- Allow sosreport domtrans to prelikn
+- Allow OpenvSwitch to connec to openflow ports
+- Allow NM send dgram to lldpad
+- Allow hyperv domains to execute shell
+- Allow lsmd plugins stream connect to lsmd/init
+- Allow sblim domains to create /run/gather with correct labeling
+- Allow httpd to read ldap certs
+- Allow cupsd to send dbus msgs to process with different MLS level
+- Allow bumblebee to stream connect to apmd
+- Allow bumblebee to run xkbcomp
+- Additional allow rules to get libvirt-lxc containers working with docker
+- Additional allow rules to get libvirt-lxc containers working with docker
+- Allow docker to getattr on itself
+- Additional rules needed for sandbox apps
+- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled
+- httpd should be able to send signal/signull to httpd_suexec_t
+- Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain. 
+
+* Wed Jan 8 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-113
+- Add neutron fixes
+
+* Mon Jan 6 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-112
+- Allow sshd to write to all process levels in order to change passwd when running at a level
+- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
+- Allow apcuspd_t to status and start the power unit file
+- Allow udev to manage kdump unit file
+- Added new interface modutils_dontaudit_exec_insmod
+- Allow cobbler to search dhcp_etc_t directory
+- systemd_systemctl needs sys_admin capability
+- Allow sytemd_tmpfiles_t to delete all directories
+- passwd to create gnome-keyring passwd socket
+- Add missing zabbix_var_lib_t type
+- Fix filename trans for zabbixsrv in zabbix.te
+- Allow fprintd_t to send syslog messages
+- Add  zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port
+- Allow mozilla plugin to chat with policykit, needed for spice
+- Allow gssprozy to change user and gid, as well as read user keyrings
+- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
+- Allow polipo to connect to http_cache_ports
+- Allow cron jobs to manage apache var lib content
+- Allow yppassword to manage the passwd_file_t
+- Allow showall_t to send itself signals
+- Allow cobbler to restart dhcpc, dnsmasq and bind services
+- Allow certmonger to manage home cert files
+- Add userdom filename trans for user mail domains
+- Allow apcuspd_t to status and start the power unit file
+- Allow cgroupdrulesengd to create content in cgoups directories
+- Allow smbd_t to signull cluster
+- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
+- Add label for /var/spool/cron.aquota.user
+- Allow sandbox_x domains to use work with the mozilla plugin semaphore
+- Added new policy for speech-dispatcher
+- Added dontaudit rule for insmod_exec_t  in rasdaemon policy
+- Updated rasdaemon policy
+- Allow system_mail_t to transition to postfix_postdrop_t
+- Clean up mirrormanager policy
+- Allow virt_domains to read cert files, needs backport to RHEL7
+- Allow sssd to read systemd_login_var_run_t
+- Allow irc_t to execute shell and bin-t files:
+- Add new access for mythtv
+- Allow rsync_t to manage all non auth files
+- allow modemmanger to read /dev/urand
+- Allow sandbox apps to attempt to set and get capabilties
+
+* Thu Dec 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-111
+- Add labeling for /var/lib/servicelog/servicelog.db-journal
+- Add support for freeipmi port
+- Add sysadm_u_default_contexts
+- Make new type to texlive files in homedir
+- Allow subscription-manager running as sosreport_t to manage rhsmcertd
+- Additional fixes for docker.te
+- Remove ability to do mount/sys_admin by default in virt_sandbox domains
+- New rules required to run docker images within libivrt
+- Add label for ~/.cvsignore
+- Change mirrormanager to be run by cron
+- Add mirrormanager policy
+- Fixed bumblebee_admin() and mip6d_admin()
+- Add log support for sensord
+- Fix typo in docker.te
+- Allow amanda to do backups over UDP
+- Allow bumblebee to read /etc/group and clean up bumblebee.te
+- type transitions with a filename not allowed inside conditionals
+- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7
+- Make new type to texlive files in homedir
+
+* Thu Dec 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-110
+- Allow freeipmi_ipmidetectd_t to use freeipmi port
+- Update freeipmi_domain_template()
+- Allow journalctl running as ABRT to read /run/log/journal
+- Allow NM to read dispatcher.d directory
+- Update freeipmi policy
+- Type transitions with a filename not allowed inside conditionals
+- Allow tor to bind to hplip port
+- Make new type to texlive files in homedir
+- Allow zabbix_agent to transition to dmidecode
+- Add rules for docker
+- Allow sosreport to send signull to unconfined_t
+- Add virt_noatsecure and virt_rlimitinh interfaces
+- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port
+- Add sysadm_u_default_contexts
+- Add logging_read_syslog_pid()
+- Fix userdom_manage_home_texlive() interface
+- Make new type to texlive files in homedir
+- Add filename transitions for /run and /lock links
+- Allow virtd to inherit rlimit information
+Resolves:#975358
+
+* Tue Dec 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-109
+- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t
+Resolves:#1039879
+- Add labeling for /usr/lib/systemd/system/mariadb.service
+- Allow hyperv_domain to read sysfs
+- Fix ldap_read_certs() interface to allow acess also link files
+- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt
+- Allow tuned to run modprobe
+- Allow portreserve to search /var/lib/sss dir
+- Add SELinux support for the teamd package contains team network device control daemon.
+- Dontaudit access check on /proc for bumblebee
+- Bumblebee wants to load nvidia modules
+- Fix rpm_named_filetrans_log_files and wine.te
+- Add conman policy for rawhide
+- DRM master and input event devices are used by  the TakeDevice API
+- Clean up bumblebee policy
+- Update pegasus_openlmi_storage_t policy
+- Add freeipmi_stream_connect() interface
+- Allow logwatch read madm.conf to support RAID setup
+- Add raid_read_conf_files() interface
+- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
+- add rpm_named_filetrans_log_files() interface
+- Allow dkim-milter to create files/dirs in /tmp
+- update freeipmi policy
+- Add policy for freeipmi services
+- Added rdisc_admin and rdisc_systemctl interfaces
+- opensm policy clean up
+- openwsman policy clean up
+- ninfod policy clean up
+- Added new policy for ninfod
+- Added new policy for openwsman
+- Added rdisc_admin and rdisc_systemctl interfaces
+- Fix kernel_dontaudit_access_check_proc()
+- Add support for /dev/uhid
+- Allow sulogin to get the attributes of initctl and sys_admin cap
+- Add kernel_dontaudit_access_check_proc()
+- Fix dev_rw_ipmi_dev()
+- Fix new interface in devices.if
+- DRM master and input event devices are used by  the TakeDevice API
+- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
+- Added support for default conman port
+- Add interfaces for ipmi devices
+
+* Wed Dec 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-108
+- Allow sosreport to send a signal to ABRT
+- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t
+- Label /usr/sbin/htcacheclean as httpd_exec_t
+Resolves:#1037529
+- Added support for rdisc unit file
+- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
+- Allow runuser running as logrotate connections to system DBUS
+- Label bcache devices as fixed_disk_device_t
+- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
+- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
+
+* Mon Dec 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-107
+- Add back setpgid/setsched for sosreport_t
+
+* Mon Dec 2 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-106
+- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com)
+
+* Tue Nov 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-105
+- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel.
+- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on
+- Add lsmd_plugin_t for lsm plugins
+- Allow dovecot-deliver to search mountpoints
+- Add labeling for /etc/mdadm.conf
+- Allow opelmi admin providers to dbus chat with init_t
+- Allow sblim domain to read /dev/urandom and /dev/random
+- Allow apmd to request the kernel load modules
+- Add glusterd_brick_t type
+- label mate-keyring-daemon with gkeyringd_exec_t
+- Add plymouthd_create_log()
+- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
+- Allow sssd to request the kernel loads modules
+- Allow gpg_agent to use ssh-add
+- Allow gpg_agent to use ssh-add
+- Dontaudit access check on /root for myslqd_safe_t
+- Allow ctdb to getattr on al filesystems
+- Allow abrt to stream connect to syslog
+- Allow dnsmasq to list dnsmasq.d directory
+- Watchdog opens the raw socket
+- Allow watchdog to read network state info
+- Dontaudit access check on lvm lock dir
+- Allow sosreport to send signull to setroubleshootd
+- Add setroubleshoot_signull() interface
+- Fix ldap_read_certs() interface
+- Allow sosreport all signal perms
+- Allow sosreport to run systemctl
+- Allow sosreport to dbus chat with rpm
+- Add glusterd_brick_t files type
+- Allow zabbix_agentd to read all domain state
+- Clean up rtas.if
+- Allow smoltclient to execute ldconfig
+- Allow sosreport to request the kernel to load a module
+- Fix userdom_confined_admin_template()
+- Add back exec_content boolean for secadm, logadm, auditadm
+- Fix files_filetrans_system_db_named_files() interface
+- Allow sulogin to getattr on /proc/kcore
+- Add filename transition also for servicelog.db-journal
+- Add files_dontaudit_access_check_root()
+- Add lvm_dontaudit_access_check_lock() interface
+
+* Thu Nov 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-104
+- Allow watchdog to read /etc/passwd
+- Allow browser plugins to connect to bumblebee
+- New policy for bumblebee and freqset
+- Add new policy for mip6d daemon
+- Add new policy for opensm daemon
+- Allow condor domains to read/write condor_master udp_socket
+- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift
+- Add back file_pid_filetrans for /var/run/dlm_controld
+- Allow smbd_t to use inherited tmpfs content
+- Allow mcelog to use the /dev/cpu device
+- sosreport runs rpcinfo
+- sosreport runs subscription-manager
+- Allow staff_t to run frequency command
+- Allow systemd_tmpfiles to relabel log directories
+- Allow staff_t to read xserver_log file
+- Label hsperfdata_root as tmp_t
+
 * Wed Nov 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-103
 - More sosreport fixes to make ABRT working
-        
+
 * Fri Nov 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-102
 - Fix files_dontaudit_unmount_all_mountpoints()
 - Add support for 2608-2609 tcp/udp ports