-@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1285,8 @@ interface(`apache_search_sys_script_state',`
########################################
##
@@ -4449,7 +4680,7 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1303,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -4481,7 +4712,7 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1338,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -4490,7 +4721,7 @@ index 83e899c..fac6fe5 100644
')
########################################
-@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1347,9 @@ interface(`apache_dontaudit_write_tmp_files',`
##
##
##
@@ -4500,7 +4731,7 @@ index 83e899c..fac6fe5 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1379,30 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -4533,7 +4764,7 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1419,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4562,7 +4793,7 @@ index 83e899c..fac6fe5 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1204,10 +1419,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1441,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4576,7 +4807,7 @@ index 83e899c..fac6fe5 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1433,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1455,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -4640,7 +4871,19 @@ index 83e899c..fac6fe5 100644
+
+
+ apache_filetrans_home_content($1)
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
@@ -4711,10 +4954,10 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..bfe87eb 100644
+index 1a82e29..21d7195 100644
--- a/apache.te
+++ b/apache.te
-@@ -1,297 +1,367 @@
+@@ -1,297 +1,381 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
@@ -4759,33 +5002,33 @@ index 1a82e29..bfe87eb 100644
-## Determine whether httpd can use mod_auth_pam.
-##
+##
-+## Allow Apache to use mod_auth_pam
++## Dontaudit Apache to search dirs.
+##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
-+gen_tunable(httpd_mod_auth_pam, false)
++gen_tunable(httpd_dontaudit_search_dirs, false)
##
-##
-## Determine whether httpd can use built in scripting.
-##
+##
-+## Allow Apache to use mod_auth_ntlm_winbind
++## Allow Apache to use mod_auth_pam
+##
##
-gen_tunable(httpd_builtin_scripting, false)
-+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
++gen_tunable(httpd_mod_auth_pam, false)
##
-##
-## Determine whether httpd can check spam.
-##
+##
-+## Allow httpd scripts and modules execmem/execstack
++## Allow Apache to use mod_auth_ntlm_winbind
+##
##
-gen_tunable(httpd_can_check_spam, false)
-+gen_tunable(httpd_execmem, false)
++gen_tunable(httpd_mod_auth_ntlm_winbind, false)
##
-##
@@ -4793,6 +5036,13 @@ index 1a82e29..bfe87eb 100644
-## can connect to the network using TCP.
-##
+##
++## Allow httpd scripts and modules execmem/execstack
++##
++##
++gen_tunable(httpd_execmem, false)
++
++##
++##
+## Allow httpd processes to manage IPA content
+##
+##
@@ -4866,61 +5116,55 @@ index 1a82e29..bfe87eb 100644
+##
+## Allow httpd to connect to memcache server
+##
-+##
-+gen_tunable(httpd_can_network_memcache, false)
-+
-+##
-+##
-+## Allow httpd to act as a relay
-+##
##
- gen_tunable(httpd_can_network_relay, false)
+-gen_tunable(httpd_can_network_relay, false)
++gen_tunable(httpd_can_network_memcache, false)
##
-##
-## Determine whether httpd daemon can
-## connect to zabbix over the network.
-##
-+##
-+## Allow http daemon to connect to zabbix
-+##
++##
++## Allow httpd to act as a relay
++##
##
-gen_tunable(httpd_can_network_connect_zabbix, false)
-+gen_tunable(httpd_can_connect_zabbix, false)
++gen_tunable(httpd_can_network_relay, false)
##
-##
-## Determine whether httpd can send mail.
-##
+##
-+## Allow http daemon to connect to mythtv
++## Allow http daemon to connect to zabbix
+##
##
-gen_tunable(httpd_can_sendmail, false)
-+gen_tunable(httpd_can_connect_mythtv, false)
++gen_tunable(httpd_can_connect_zabbix, false)
##
-##
-## Determine whether httpd can communicate
-## with avahi service via dbus.
-##
-+##
-+## Allow http daemon to check spam
-+##
++##
++## Allow http daemon to connect to mythtv
++##
##
-gen_tunable(httpd_dbus_avahi, false)
-+gen_tunable(httpd_can_check_spam, false)
++gen_tunable(httpd_can_connect_mythtv, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
-+## Allow http daemon to send mail
++## Allow http daemon to check spam
+##
##
-gen_tunable(httpd_enable_cgi, false)
-+gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_can_check_spam, false)
##
-##
@@ -4928,11 +5172,11 @@ index 1a82e29..bfe87eb 100644
-## FTP server by listening on the ftp port.
-##
+##
-+## Allow Apache to communicate with avahi service via dbus
++## Allow http daemon to send mail
+##
##
-gen_tunable(httpd_enable_ftp_server, false)
-+gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_can_sendmail, false)
##
-##
@@ -4940,11 +5184,11 @@ index 1a82e29..bfe87eb 100644
-## user home directories.
-##
+##
-+## Allow httpd cgi support
++## Allow Apache to communicate with avahi service via dbus
+##
##
-gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_dbus_avahi, false)
##
-##
@@ -4954,12 +5198,11 @@ index 1a82e29..bfe87eb 100644
-## be labeled public_content_rw_t.
-##
+##
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow Apache to communicate with sssd service via dbus
+##
##
-gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_dbus_sssd, false)
##
-##
@@ -4967,24 +5210,24 @@ index 1a82e29..bfe87eb 100644
-## its temporary content.
-##
+##
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd cgi support
+##
##
-gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_enable_cgi, false)
##
-##
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-##
-+##
-+## Allow httpd to connect to the ldap port
-+##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
##
-gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_enable_ftp_server, false)
##
-##
@@ -4992,34 +5235,35 @@ index 1a82e29..bfe87eb 100644
-## to port 80 for graceful shutdown.
-##
+##
-+## Allow httpd to read home directories
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd can
-## manage IPA content files.
-##
-+##
-+## Allow httpd to read user content
-+##
++##
++## Allow httpd to connect to the ldap port
++##
##
-gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_can_connect_ldap, false)
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
-+## Allow Apache to run in stickshift mode, not transition to passenger
++## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_run_stickshift, false)
++gen_tunable(httpd_enable_homedirs, false)
##
-##
@@ -5027,11 +5271,10 @@ index 1a82e29..bfe87eb 100644
-## generic user home content files.
-##
+##
-+## Allow Apache to query NS records
++## Allow httpd to read user content
+##
##
--gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_verify_dns, false)
+ gen_tunable(httpd_read_user_content, false)
##
-##
@@ -5039,6 +5282,20 @@ index 1a82e29..bfe87eb 100644
-## its resource limits.
-##
+##
++## Allow Apache to run in stickshift mode, not transition to passenger
++##
++##
++gen_tunable(httpd_run_stickshift, false)
++
++##
++##
++## Allow Apache to query NS records
++##
++##
++gen_tunable(httpd_verify_dns, false)
++
++##
++##
+## Allow httpd daemon to change its resource limits
+##
##
@@ -5231,7 +5488,7 @@ index 1a82e29..bfe87eb 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -5244,7 +5501,7 @@ index 1a82e29..bfe87eb 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5266,7 +5523,7 @@ index 1a82e29..bfe87eb 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -5286,7 +5543,7 @@ index 1a82e29..bfe87eb 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5337,7 +5594,7 @@ index 1a82e29..bfe87eb 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +484,36 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5379,7 +5636,7 @@ index 1a82e29..bfe87eb 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,14 +521,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5388,8 +5645,10 @@ index 1a82e29..bfe87eb 100644
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
++allow httpd_t httpd_suexec_exec_t:process { signal signull };
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
@@ -5399,7 +5658,7 @@ index 1a82e29..bfe87eb 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +566,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5473,10 +5732,11 @@ index 1a82e29..bfe87eb 100644
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
-+
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
-
++
++files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
@@ -5540,16 +5800,20 @@ index 1a82e29..bfe87eb 100644
-ifdef(`hide_broken_symptoms',`
- libs_exec_lib_files(httpd_t)
++tunable_policy(`httpd_dontaudit_search_dirs',`
++ files_dontaudit_search_non_security_dirs(httpd_t)
+ ')
+
+-tunable_policy(`allow_httpd_anon_write',`
+- miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
- ')
-
--tunable_policy(`allow_httpd_anon_write',`
-- miscfiles_manage_public_files(httpd_t)
++')
++
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
@@ -5632,7 +5896,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +742,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5692,7 +5956,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +794,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5783,7 +6047,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +841,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5864,30 +6128,33 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -743,14 +873,6 @@ optional_policy(`
- ccs_read_config(httpd_t)
+@@ -744,24 +894,32 @@ optional_policy(`
')
--optional_policy(`
+ optional_policy(`
- clamav_domtrans_clamscan(httpd_t)
--')
--
--optional_policy(`
++ cron_system_entry(httpd_t, httpd_exec_t)
+ ')
+
+ optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
--')
++ cvs_read_data(httpd_t)
+ ')
optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +887,23 @@ optional_policy(`
+- cron_system_entry(httpd_t, httpd_exec_t)
++ daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`
+- cvs_read_data(httpd_t)
+ #needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- daemontools_service_domain(httpd_t, httpd_exec_t)
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
@@ -5897,13 +6164,21 @@ index 1a82e29..bfe87eb 100644
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
-+')
-+
-+ optional_policy(`
- dbus_system_bus_client(httpd_t)
+ ')
+ optional_policy(`
+@@ -770,6 +928,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +920,46 @@ optional_policy(`
+ avahi_dbus_chat(httpd_t)
+ ')
++
++ tunable_policy(`httpd_dbus_sssd',
++ sssd_dbus_chat(httpd_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -781,34 +943,53 @@ optional_policy(`
')
optional_policy(`
@@ -5917,6 +6192,12 @@ index 1a82e29..bfe87eb 100644
+')
+
+optional_policy(`
++ mirrormanager_manage_pid_files(httpd_t)
++ mirrormanager_read_lib_files(httpd_t)
++ mirrormanager_read_log(httpd_t)
++')
++
++optional_policy(`
+ jetty_admin(httpd_t)
+')
+
@@ -5936,6 +6217,7 @@ index 1a82e29..bfe87eb 100644
- tunable_policy(`httpd_can_network_connect_ldap',`
- ldap_tcp_connect(httpd_t)
- ')
++ ldap_read_certs(httpd_t)
')
optional_policy(`
@@ -5961,7 +6243,7 @@ index 1a82e29..bfe87eb 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +967,18 @@ optional_policy(`
+@@ -816,8 +997,18 @@ optional_policy(`
')
optional_policy(`
@@ -5980,7 +6262,7 @@ index 1a82e29..bfe87eb 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +987,7 @@ optional_policy(`
+@@ -826,6 +1017,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5988,7 +6270,7 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -836,20 +998,39 @@ optional_policy(`
+@@ -836,20 +1028,39 @@ optional_policy(`
')
optional_policy(`
@@ -6014,7 +6296,7 @@ index 1a82e29..bfe87eb 100644
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
-+ pki_read_tomcat_cert(httpd_t)
++ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
@@ -6022,19 +6304,19 @@ index 1a82e29..bfe87eb 100644
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
++')
++
++optional_policy(`
++ pwauth_domtrans(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
-+ pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
-@@ -857,19 +1038,35 @@ optional_policy(`
+@@ -857,19 +1068,35 @@ optional_policy(`
')
optional_policy(`
@@ -6070,7 +6352,7 @@ index 1a82e29..bfe87eb 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1074,173 @@ optional_policy(`
+@@ -877,65 +1104,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6266,7 +6548,7 @@ index 1a82e29..bfe87eb 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1279,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6421,7 +6703,7 @@ index 1a82e29..bfe87eb 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1333,106 @@ optional_policy(`
+@@ -1077,172 +1363,106 @@ optional_policy(`
')
')
@@ -6593,7 +6875,8 @@ index 1a82e29..bfe87eb 100644
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -6619,8 +6902,7 @@ index 1a82e29..bfe87eb 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6658,7 +6940,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1470,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6755,7 +7037,7 @@ index 1a82e29..bfe87eb 100644
########################################
#
-@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1545,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6772,7 +7054,7 @@ index 1a82e29..bfe87eb 100644
')
########################################
-@@ -1324,49 +1531,38 @@ optional_policy(`
+@@ -1324,49 +1561,38 @@ optional_policy(`
# User content local policy
#
@@ -6837,7 +7119,7 @@ index 1a82e29..bfe87eb 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1602,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -6958,10 +7240,12 @@ index 1a82e29..bfe87eb 100644
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
')
diff --git a/apcupsd.fc b/apcupsd.fc
-index 5ec0e13..1c37fe1 100644
+index 5ec0e13..462acb8 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
-@@ -1,10 +1,13 @@
+@@ -1,10 +1,15 @@
++/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0)
++
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
@@ -6976,7 +7260,7 @@ index 5ec0e13..1c37fe1 100644
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..b6afc90 100644
+index f3c0aba..cbe3d4a 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
@@ -7029,11 +7313,12 @@ index f3c0aba..b6afc90 100644
## All of the rules required to
## administrate an apcupsd environment.
##
-@@ -144,11 +187,16 @@ interface(`apcupsd_admin',`
+@@ -144,11 +187,17 @@ interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ type apcupsd_unit_file_t;
++ type apcupsd_power_t;
')
- allow $1 apcupsd_t:process { ptrace signal_perms };
@@ -7047,7 +7332,7 @@ index f3c0aba..b6afc90 100644
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +213,8 @@ interface(`apcupsd_admin',`
+@@ -165,4 +214,11 @@ interface(`apcupsd_admin',`
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
@@ -7055,33 +7340,42 @@ index f3c0aba..b6afc90 100644
+ apcupsd_systemctl($1)
+ admin_pattern($1, apcupsd_unit_file_t)
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
++
++ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
++ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..7b2142b 100644
+index b236327..a370cb8 100644
--- a/apcupsd.te
+++ b/apcupsd.te
-@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
+@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
++type apcupsd_power_t;
++files_type(apcupsd_power_t)
++
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
########################################
#
# Local policy
-@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
++manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
++files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
++
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
-@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t)
+@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
@@ -7089,7 +7383,7 @@ index b236327..7b2142b 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,6 +73,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@@ -7098,7 +7392,7 @@ index b236327..7b2142b 100644
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -7122,13 +7416,23 @@ index b236327..7b2142b 100644
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
-+systemd_start_power_services(apcupsd_t)
-+
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -112,7 +120,6 @@ optional_policy(`
+@@ -101,6 +113,11 @@ optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+ ')
+
++optional_policy(`
++ systemd_start_power_services(apcupsd_t)
++ systemd_status_power_services(apcupsd_t)
++')
++
+ ########################################
+ #
+ # CGI local policy
+@@ -112,7 +129,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
@@ -7195,7 +7499,7 @@ index 1a7a97e..1d29dce 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 3590e2f..e1494bd 100644
+index 3590e2f..1d8a844 100644
--- a/apm.te
+++ b/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -7226,7 +7530,15 @@ index 3590e2f..e1494bd 100644
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
-@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
+ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
++kernel_request_load_module(apmd_t)
+
+ dev_read_input(apmd_t)
+ dev_read_mouse(apmd_t)
+@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
fs_dontaudit_getattr_all_symlinks(apmd_t)
fs_dontaudit_getattr_all_pipes(apmd_t)
fs_dontaudit_getattr_all_sockets(apmd_t)
@@ -7236,7 +7548,7 @@ index 3590e2f..e1494bd 100644
corecmd_exec_all_executables(apmd_t)
-@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
@@ -7245,7 +7557,7 @@ index 3590e2f..e1494bd 100644
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
-@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
@@ -7265,7 +7577,7 @@ index 3590e2f..e1494bd 100644
optional_policy(`
automount_domtrans(apmd_t)
-@@ -206,11 +209,15 @@ optional_policy(`
+@@ -206,11 +210,15 @@ optional_policy(`
')
optional_policy(`
@@ -7733,10 +8045,10 @@ index 0000000..316c324
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
-index 0000000..f2aa4e6
+index 0000000..362a049
--- /dev/null
+++ b/authconfig.te
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,33 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
@@ -7765,6 +8077,7 @@ index 0000000..f2aa4e6
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
++domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
@@ -7878,7 +8191,7 @@ index 089430a..b0bed70 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index a579c3b..294b5f4 100644
+index a579c3b..f27656d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,12 +22,16 @@ type automount_tmp_t;
@@ -7915,7 +8228,15 @@ index a579c3b..294b5f4 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
+@@ -108,6 +110,7 @@ fs_manage_autofs_symlinks(automount_t)
+ fs_mount_all_fs(automount_t)
+ fs_mount_autofs(automount_t)
+ fs_read_nfs_files(automount_t)
++fs_read_nfs_symlinks(automount_t)
+ fs_search_all(automount_t)
+ fs_search_auto_mountpoints(automount_t)
+ fs_unmount_all_fs(automount_t)
+@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -7938,7 +8259,7 @@ index a579c3b..294b5f4 100644
fstools_domtrans(automount_t)
')
-@@ -160,3 +165,8 @@ optional_policy(`
+@@ -160,3 +166,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
@@ -8139,11 +8460,51 @@ index d6ceef4..c10d39c 100644
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
+diff --git a/bacula.if b/bacula.if
+index dcd774e..c240ffa 100644
+--- a/bacula.if
++++ b/bacula.if
+@@ -69,6 +69,7 @@ interface(`bacula_admin',`
+ type bacula_t, bacula_etc_t, bacula_log_t;
+ type bacula_spool_t, bacula_var_lib_t;
+ type bacula_var_run_t, bacula_initrc_exec_t;
++ attribute_role bacula_admin_roles;
+ ')
+
+ allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
-index 3beba2f..7ca4480 100644
+index 3beba2f..12cd4f6 100644
--- a/bacula.te
+++ b/bacula.te
-@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+ # Local policy
+ #
+
+-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
++allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
+ allow bacula_t self:process signal;
+ allow bacula_t self:fifo_file rw_fifo_file_perms;
+ allow bacula_t self:tcp_socket { accept listen };
+@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+ corenet_sendrecv_generic_server_packets(bacula_t)
+ corenet_udp_bind_generic_port(bacula_t)
+
++
++#TODO: check port labels for hplip a bacula
++corenet_tcp_bind_bacula_port(bacula_t)
++
+ corenet_sendrecv_hplip_server_packets(bacula_t)
+ corenet_tcp_bind_hplip_port(bacula_t)
+ corenet_udp_bind_hplip_port(bacula_t)
+@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
+ fs_getattr_xattr_fs(bacula_t)
+ fs_list_all(bacula_t)
+
++auth_use_nsswitch(bacula_t)
+ auth_read_shadow(bacula_t)
+
+ logging_send_syslog_msg(bacula_t)
+@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
@@ -8259,13 +8620,14 @@ index 536ec3c..271b976 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..1742ebf 100644
+index 2b9a3a1..f755e6b 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -1,54 +1,71 @@
+@@ -1,54 +1,75 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -8288,12 +8650,14 @@ index 2b9a3a1..1742ebf 100644
+
+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
@@ -8360,6 +8724,7 @@ index 2b9a3a1..1742ebf 100644
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
@@ -9283,7 +9648,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..47619ff 100644
+index 7c92aa1..44edba7 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,20 @@
@@ -9485,22 +9850,24 @@ index 7c92aa1..47619ff 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +151,67 @@ init_read_utmp(boinc_t)
+@@ -130,55 +151,69 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
++modutils_dontaudit_exec_insmod(boinc_t)
+
+-optional_policy(`
+- mta_send_mail(boinc_t)
+-')
+xserver_stream_connect(boinc_t)
optional_policy(`
- mta_send_mail(boinc_t)
+- sysnet_dns_name_resolve(boinc_t)
++ mta_send_mail(boinc_t)
')
--optional_policy(`
-- sysnet_dns_name_resolve(boinc_t)
--')
--
########################################
#
-# Project local policy
@@ -9694,6 +10061,217 @@ index 41f8251..57f094e 100644
optional_policy(`
mta_send_mail(httpd_bugzilla_script_t)
')
+diff --git a/bumblebee.fc b/bumblebee.fc
+new file mode 100644
+index 0000000..b5ee23b
+--- /dev/null
++++ b/bumblebee.fc
+@@ -0,0 +1,7 @@
++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
++
++/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
+diff --git a/bumblebee.if b/bumblebee.if
+new file mode 100644
+index 0000000..de66654
+--- /dev/null
++++ b/bumblebee.if
+@@ -0,0 +1,121 @@
++##