diff --git a/policy-F16.patch b/policy-F16.patch
index 791b917..93056ad 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -264,6 +264,30 @@ index e66c296..993a1e9 100644
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
+diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
+index 63ef90e..a535b31 100644
+--- a/policy/modules/admin/acct.te
++++ b/policy/modules/admin/acct.te
+@@ -55,6 +55,8 @@ files_list_usr(acct_t)
+ # for nscd
+ files_dontaudit_search_pids(acct_t)
+
++auth_use_nsswitch(acct_t)
++
+ init_use_fds(acct_t)
+ init_use_script_ptys(acct_t)
+ init_exec_script_files(acct_t)
+@@ -77,10 +79,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(acct_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(acct_t)
+ ')
+
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index e3e0701..3fd0282 100644
--- a/policy/modules/admin/amanda.fc
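Review bot: Replacing the optional `nscd_socket_use(acct_t)` with an unconditional `auth_use_nsswitch(acct_t)` widens acct_t well beyond the nscd socket, because that interface bundles the whole NSS lookup path (in refpolicy it typically pulls in DNS name resolution plus the optional ypbind, LDAP and winbind connections), so acct_t gains resolver and directory-service access it did not have before; please confirm acct actually needs more than the nscd lookup. The same substitution is made in the bootloader.te, kudzu.te, updfstab.te, evolution.te, firewallgui.te, java.te and mozilla.te hunks, and the evolution.te and java.te hunks additionally drop their `nis_use_ypbind` blocks on the assumption that auth_use_nsswitch now supplies them. A one-line rationale above the new rule, e.g. `# user/group lookups go through NSS, not only nscd`, would make the broadening auditable later.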
@@ -422,7 +446,7 @@ index 63eb96b..17a9f6d 100644
##
## Execute bootloader interactively and do
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..eeb1b1a 100644
+index d3da8f2..559bc9b 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -434,7 +458,14 @@ index d3da8f2..eeb1b1a 100644
#
# The temp file is used for initrd creation;
-@@ -121,13 +121,11 @@ logging_rw_generic_logs(bootloader_t)
+@@ -116,18 +116,18 @@ init_rw_script_pipes(bootloader_t)
+ libs_read_lib_files(bootloader_t)
+ libs_exec_lib_files(bootloader_t)
+
++auth_use_nsswitch(bootloader_t)
++
+ logging_send_syslog_msg(bootloader_t)
+ logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
@@ -449,7 +480,7 @@ index d3da8f2..eeb1b1a 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -162,12 +160,18 @@ ifdef(`distro_redhat',`
+@@ -162,12 +162,18 @@ ifdef(`distro_redhat',`
files_manage_isid_type_blk_files(bootloader_t)
files_manage_isid_type_chr_files(bootloader_t)
@@ -472,10 +503,14 @@ index d3da8f2..eeb1b1a 100644
')
optional_policy(`
-@@ -197,6 +201,7 @@ optional_policy(`
+@@ -197,10 +203,7 @@ optional_policy(`
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
modutils_exec_update_mods(bootloader_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(bootloader_t)
+ modutils_domtrans_insmod_uncond(bootloader_t)
')
@@ -528,6 +563,21 @@ index 6b02433..1e28e62 100644
optional_policy(`
apache_exec_modules(certwatch_t)
+diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
+index 0f57d3b..655d07f 100644
+--- a/policy/modules/admin/consoletype.if
++++ b/policy/modules/admin/consoletype.if
+@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, consoletype_exec_t, consoletype_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit consoletype_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index cd5e005..50e9ee4 100644
--- a/policy/modules/admin/consoletype.te
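Review bot: Dropping the `hide_broken_symptoms` block with `dontaudit consoletype_t $1:socket_class_set { read write };` means that, once the tunable is enabled, read/write denials on socket descriptors leaked from the caller into consoletype_t will start showing up in the audit log unless an equivalent domain-wide rule exists elsewhere, and nothing in this patch adds one. If a blanket rule now covers inherited sockets for all domains, naming it in the commit message would let reviewers verify the behaviour is preserved rather than silently changed. The identical removal appears in the prelink.if, shutdown.if, su.if, sudo.if, usermanage.if, chrome.if, execmem.if, gpg.if, java.if, loadkeys.if and mono.if hunks (the mono.if hunk also fixes the block having been added twice).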
@@ -890,7 +940,7 @@ index 9dd6880..4b7fa27 100644
optional_policy(`
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
-index 4f7bd3c..b5c346f 100644
+index 4f7bd3c..6c420a4 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t)
@@ -910,22 +960,20 @@ index 4f7bd3c..b5c346f 100644
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
-@@ -128,6 +123,14 @@ optional_policy(`
+@@ -128,7 +123,11 @@ optional_policy(`
')
optional_policy(`
+- nscd_socket_use(kudzu_t)
+ modutils_read_module_config(kudzu_t)
+ modutils_read_module_deps(kudzu_t)
+ modutils_rename_module_config(kudzu_t)
+ modutils_delete_module_config(kudzu_t)
+ modutils_domtrans_insmod(kudzu_t)
-+')
-+
-+optional_policy(`
- nscd_socket_use(kudzu_t)
')
-@@ -141,5 +144,5 @@ optional_policy(`
+ optional_policy(`
+@@ -141,5 +140,5 @@ optional_policy(`
optional_policy(`
unconfined_domtrans(kudzu_t)
@@ -1559,6 +1607,18 @@ index 7f1d18e..a68d519 100644
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
+diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
+index 93ec175..0e42018 100644
+--- a/policy/modules/admin/prelink.if
++++ b/policy/modules/admin/prelink.if
+@@ -19,7 +19,6 @@ interface(`prelink_domtrans',`
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
+
+ ifdef(`hide_broken_symptoms', `
+- dontaudit prelink_t $1:socket_class_set { read write };
+ dontaudit prelink_t $1:fifo_file setattr;
+ ')
+ ')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index af55369..5ede07b 100644
--- a/policy/modules/admin/prelink.te
@@ -2109,7 +2169,7 @@ index d33daa8..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..0b100a8 100644
+index 47a8f7d..fdbf07c 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -2171,6 +2231,17 @@ index 47a8f7d..0b100a8 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
+@@ -154,8 +172,8 @@ storage_raw_read_fixed_disk(rpm_t)
+
+ term_list_ptys(rpm_t)
+
+-auth_relabel_all_files_except_shadow(rpm_t)
+-auth_manage_all_files_except_shadow(rpm_t)
++files_relabel_all_files(rpm_t)
++files_manage_all_files(rpm_t)
+ auth_dontaudit_read_shadow(rpm_t)
+ auth_use_nsswitch(rpm_t)
+
@@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
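Review bot: Swapping `auth_manage_all_files_except_shadow(rpm_t)` and `auth_relabel_all_files_except_shadow(rpm_t)` for `files_manage_all_files(rpm_t)` and `files_relabel_all_files(rpm_t)` with no exception argument removes the shadow_t carve-out those auth_ wrappers existed to provide, so rpm_t can now create, write and relabel the shadow file; the `auth_dontaudit_read_shadow(rpm_t)` kept on the following line then becomes dead, since the access it silences is now allowed. If letting package scriptlets modify shadow is intended, say so in the commit message and drop the dontaudit; otherwise keep the exclusion by passing it explicitly, `files_manage_all_files(rpm_t, shadow_t)`, assuming the interface still accepts its optional exception-types parameter as it does in refpolicy. The rpm_script_t hunk further down makes the same change and likewise leaves `auth_dontaudit_getattr_shadow(rpm_script_t)` behind.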
@@ -2219,7 +2290,7 @@ index 47a8f7d..0b100a8 100644
kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
-@@ -299,7 +321,7 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,15 +321,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -2228,8 +2299,11 @@ index 47a8f7d..0b100a8 100644
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
-@@ -308,6 +330,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
- auth_relabel_shadow(rpm_script_t)
+ # ideally we would not need this
+-auth_manage_all_files_except_shadow(rpm_script_t)
+-auth_relabel_shadow(rpm_script_t)
++files_manage_all_files(rpm_script_t)
++files_relabel_all_files(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
@@ -2436,10 +2510,10 @@ index 95bce88..d1edd79 100644
optional_policy(`
hostname_exec(shorewall_t)
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
-index d0604cf..3089f30 100644
+index d0604cf..15311b4 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
-@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',`
+@@ -18,9 +18,12 @@ interface(`shutdown_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
@@ -2448,13 +2522,13 @@ index d0604cf..3089f30 100644
+ ')
+
ifdef(`hide_broken_symptoms', `
- dontaudit shutdown_t $1:socket_class_set { read write };
+- dontaudit shutdown_t $1:socket_class_set { read write };
- dontaudit shutdown_t $1:fifo_file { read write };
+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
')
')
-@@ -51,6 +55,73 @@ interface(`shutdown_run',`
+@@ -51,6 +54,73 @@ interface(`shutdown_run',`
########################################
##
@@ -2661,9 +2735,18 @@ index 94c01b5..f64bd93 100644
########################################
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
-index fe1c377..7660180 100644
+index fe1c377..557e37f 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
+@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
+
+ # some config files do not have configfile attribute
+ # sosreport needs to read various files on system
+-auth_read_all_files_except_shadow(sosreport_t)
++files_read_non_security_files(sosreport_t)
+ auth_use_nsswitch(sosreport_t)
+
+ init_domtrans_script(sosreport_t)
@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t)
miscfiles_read_localization(sosreport_t)
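Review bot: `files_read_non_security_files(sosreport_t)` is narrower than the `auth_read_all_files_except_shadow(sosreport_t)` it replaces: the old rule excluded only shadow_t, whereas the new one excludes every security_file_type, so sosreport_t loses read access to security-labelled files such as the SELinux configuration unless another interface grants it, and none is added in this hunk. The comment kept just above (`# sosreport needs to read various files on system`) suggests broad collection is the point, so please confirm the remaining seutil_/auth_ rules cover what the collectors read, or note the intentional reduction in the commit message. The sxid.te hunk makes the same substitution, where the narrowing looks harmless for a setuid scanner.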
@@ -2687,10 +2770,22 @@ index fe1c377..7660180 100644
')
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 8c5fa3c..1a46f56 100644
+index 8c5fa3c..ce3d33a 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
-@@ -210,7 +210,7 @@ template(`su_role_template',`
+@@ -119,11 +119,6 @@ template(`su_restricted_domain_template', `
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ ')
+
+- ifdef(`hide_broken_symptoms',`
+- # dontaudit leaked sockets from parent
+- dontaudit $1_su_t $2:socket_class_set { read write };
+- ')
+-
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+@@ -210,7 +205,7 @@ template(`su_role_template',`
auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
@@ -2699,7 +2794,7 @@ index 8c5fa3c..1a46f56 100644
auth_rw_faillog($1_su_t)
corecmd_search_bin($1_su_t)
-@@ -234,6 +234,7 @@ template(`su_role_template',`
+@@ -234,6 +229,7 @@ template(`su_role_template',`
userdom_use_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t)
@@ -2707,6 +2802,18 @@ index 8c5fa3c..1a46f56 100644
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
+@@ -279,11 +275,6 @@ template(`su_role_template',`
+ ')
+ ')
+
+- ifdef(`hide_broken_symptoms',`
+- # dontaudit leaked sockets from parent
+- dontaudit $1_su_t $3:socket_class_set { read write };
+- ')
+-
+ tunable_policy(`allow_polyinstantiation',`
+ fs_mount_xattr_fs($1_su_t)
+ fs_unmount_xattr_fs($1_su_t)
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
index 7bddc02..2b59ed0 100644
--- a/policy/modules/admin/sudo.fc
@@ -2717,7 +2824,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..f220623 100644
+index 975af1a..bcc4481 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -2781,7 +2888,7 @@ index 975af1a..f220623 100644
seutil_libselinux_linked($1_sudo_t)
userdom_spec_domtrans_all_users($1_sudo_t)
-@@ -135,13 +153,18 @@ template(`sudo_role_template',`
+@@ -135,12 +153,13 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
@@ -2792,15 +2899,13 @@ index 975af1a..f220623 100644
+ userdom_search_admin_dir($1_sudo_t)
+ userdom_manage_all_users_keys($1_sudo_t)
- ifdef(`hide_broken_symptoms', `
- dontaudit $1_sudo_t $3:socket_class_set { read write };
- ')
-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit $1_sudo_t $3:socket_class_set { read write };
+- ')
+ mta_role($2, $1_sudo_t)
-+
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
- ')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 2731fa1..3443ba2 100644
--- a/policy/modules/admin/sudo.te
@@ -2814,9 +2919,18 @@ index 2731fa1..3443ba2 100644
+files_type(sudo_db_t)
+
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
-index d5aaf0e..689b2fd 100644
+index d5aaf0e..6b16aef 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
+@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
+
+ term_dontaudit_use_console(sxid_t)
+
+-auth_read_all_files_except_shadow(sxid_t)
++files_read_non_security_files(sxid_t)
+ auth_dontaudit_getattr_shadow(sxid_t)
+
+ init_use_fds(sxid_t)
@@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t)
miscfiles_read_localization(sxid_t)
@@ -2978,6 +3092,33 @@ index d0f2a64..834a56d 100644
# tzdata looks for /var/spool/postfix/etc/localtime.
optional_policy(`
+diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
+index ef12ed5..2c013c4 100644
+--- a/policy/modules/admin/updfstab.te
++++ b/policy/modules/admin/updfstab.te
+@@ -78,9 +78,8 @@ seutil_read_file_contexts(updfstab_t)
+ userdom_dontaudit_search_user_home_content(updfstab_t)
+ userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
+
+-optional_policy(`
+- auth_domtrans_pam_console(updfstab_t)
+-')
++auth_use_nsswitch(updfstab_t)
++auth_domtrans_pam_console(updfstab_t)
+
+ optional_policy(`
+ init_dbus_chat_script(updfstab_t)
+@@ -104,10 +103,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(updfstab_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(updfstab_t)
+ ')
+
diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
index 74354da..f04565f 100644
--- a/policy/modules/admin/usbmodules.te
@@ -3015,13 +3156,30 @@ index c467144..fb794f9 100644
/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 81fb26f..adce466 100644
+index 81fb26f..66cf96c 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
-@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',`
+@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chfn_exec_t, chfn_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit chfn_t $1:socket_class_set { read write };
+- ')
+ ')
########################################
- ##
+@@ -65,10 +61,25 @@ interface(`usermanage_domtrans_groupadd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupadd_exec_t, groupadd_t)
++')
+
+- ifdef(`hide_broken_symptoms',`
+- dontaudit groupadd_t $1:socket_class_set { read write };
++########################################
++##
+## Check access to the groupadd executable.
+##
+##
@@ -3033,18 +3191,25 @@ index 81fb26f..adce466 100644
+interface(`usermanage_access_check_groupadd',`
+ gen_require(`
+ type groupadd_exec_t;
-+ ')
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 groupadd_exec_t:file { getattr_file_perms execute };
-+')
-+
-+########################################
-+##
- ## Execute groupadd in the groupadd domain, and
- ## allow the specified role the groupadd domain.
- ##
-@@ -170,6 +189,25 @@ interface(`usermanage_run_passwd',`
+ ')
+
+ ########################################
+@@ -118,10 +129,6 @@ interface(`usermanage_domtrans_passwd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit passwd_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -170,6 +177,25 @@ interface(`usermanage_run_passwd',`
########################################
##
@@ -3070,7 +3235,18 @@ index 81fb26f..adce466 100644
## Execute password admin functions in
## the admin passwd domain.
##
-@@ -285,6 +323,9 @@ interface(`usermanage_run_useradd',`
+@@ -254,10 +280,6 @@ interface(`usermanage_domtrans_useradd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, useradd_exec_t, useradd_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit useradd_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -285,6 +307,9 @@ interface(`usermanage_run_useradd',`
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
@@ -3080,7 +3256,7 @@ index 81fb26f..adce466 100644
seutil_run_semanage(useradd_t, $2)
optional_policy(`
-@@ -294,6 +335,25 @@ interface(`usermanage_run_useradd',`
+@@ -294,6 +319,25 @@ interface(`usermanage_run_useradd',`
########################################
##
@@ -3356,10 +3532,10 @@ index 0000000..1f468aa
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
new file mode 100644
-index 0000000..bbbba63
+index 0000000..bacc639
--- /dev/null
+++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,127 @@
+
+## policy for chrome
+
@@ -3384,7 +3560,6 @@ index 0000000..bbbba63
+ allow $1 chrome_sandbox_t:fd use;
+
+ ifdef(`hide_broken_symptoms',`
-+ dontaudit chrome_sandbox_t $1:socket_class_set { read write };
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
+')
@@ -3646,10 +3821,19 @@ index 37475dd..7db4a01 100644
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
-index cd70958..126d7ea 100644
+index cd70958..e8c94b1 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
-@@ -215,7 +215,7 @@ userdom_rw_user_tmp_files(evolution_t)
+@@ -202,6 +202,8 @@ files_read_var_files(evolution_t)
+
+ fs_search_auto_mountpoints(evolution_t)
+
++auth_use_nsswitch(evolution_t)
++
+ logging_send_syslog_msg(evolution_t)
+
+ miscfiles_read_localization(evolution_t)
+@@ -215,7 +217,7 @@ userdom_rw_user_tmp_files(evolution_t)
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_sockets(evolution_t)
userdom_manage_user_tmp_files(evolution_t)
@@ -3658,6 +3842,99 @@ index cd70958..126d7ea 100644
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
+@@ -319,15 +321,6 @@ optional_policy(`
+ mozilla_domtrans(evolution_t)
+ ')
+
+-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+-optional_policy(`
+- nis_use_ypbind(evolution_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(evolution_t)
+-')
+-
+ ### Junk mail filtering (start spamd)
+ optional_policy(`
+ spamassassin_exec_spamd(evolution_t)
+@@ -376,6 +369,8 @@ files_read_usr_files(evolution_alarm_t)
+
+ fs_search_auto_mountpoints(evolution_alarm_t)
+
++auth_use_nsswitch(evolution_alarm_t)
++
+ miscfiles_read_localization(evolution_alarm_t)
+
+ # Access evolution home
+@@ -404,10 +399,6 @@ optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(evolution_alarm_t)
+-')
+-
+ ########################################
+ #
+ # Evolution exchange connector local policy
+@@ -459,6 +450,8 @@ files_read_usr_files(evolution_exchange_t)
+ # Access evolution home
+ fs_search_auto_mountpoints(evolution_exchange_t)
+
++auth_use_nsswitch(evolution_exchange_t)
++
+ miscfiles_read_localization(evolution_exchange_t)
+
+ userdom_write_user_tmp_sockets(evolution_exchange_t)
+@@ -484,10 +477,6 @@ optional_policy(`
+ gnome_stream_connect_gconf(evolution_exchange_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(evolution_exchange_t)
+-')
+-
+ ########################################
+ #
+ # Evolution data server local policy
+@@ -539,6 +528,8 @@ files_read_usr_files(evolution_server_t)
+
+ fs_search_auto_mountpoints(evolution_server_t)
+
++auth_use_nsswitch(evolution_server_t)
++
+ miscfiles_read_localization(evolution_server_t)
+ # Look in /etc/pki
+ miscfiles_read_generic_certs(evolution_server_t)
+@@ -568,10 +559,6 @@ optional_policy(`
+ gnome_stream_connect_gconf(evolution_server_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(evolution_server_t)
+-')
+-
+ ########################################
+ #
+ # Evolution webcal local policy
+@@ -600,6 +587,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
+ corenet_sendrecv_http_client_packets(evolution_webcal_t)
+ corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
++auth_use_nsswitch(evolution_webcal_t)
++
+ # Networking capability - connect to website and handle ics link
+ sysnet_read_config(evolution_webcal_t)
+ sysnet_dns_name_resolve(evolution_webcal_t)
+@@ -612,7 +601,3 @@ userdom_search_user_home_dirs(evolution_webcal_t)
+ userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+ xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+-
+-optional_policy(`
+- nscd_socket_use(evolution_webcal_t)
+-')
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644
index 0000000..6f3570a
@@ -3714,10 +3991,10 @@ index 0000000..6f3570a
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
-index 0000000..34d913e
+index 0000000..6c038c8
--- /dev/null
+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,112 @@
+@@ -0,0 +1,110 @@
+## execmem domain
+
+########################################
@@ -3783,9 +4060,7 @@ index 0000000..34d913e
+ allow $1_execmem_t self:process { execmem execstack };
+ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+ domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_execmem_t $3:socket_class_set { read write };
-+')
++
+ files_execmod_tmp($1_execmem_t)
+
+ # needed by plasma-desktop
@@ -3904,10 +4179,10 @@ index 0000000..2bd5790
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
-index 0000000..f4c2d3f
+index 0000000..5e96d3d
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,71 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -3953,6 +4228,8 @@ index 0000000..f4c2d3f
+files_search_kernel_modules(firewallgui_t)
+files_list_kernel_modules(firewallgui_t)
+
++auth_use_nsswitch(firewallgui_t)
++
+miscfiles_read_localization(firewallgui_t)
+
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
@@ -3975,11 +4252,6 @@ index 0000000..f4c2d3f
+')
+
+optional_policy(`
-+ nscd_dontaudit_search_pid(firewallgui_t)
-+ nscd_socket_use(firewallgui_t)
-+')
-+
-+optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+')
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
@@ -4046,10 +4318,10 @@ index 00a19e3..d5acf98 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..d428376 100644
+index f5afe78..940c1c4 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,729 @@
+@@ -1,44 +1,731 @@
## GNU network object model environment (GNOME)
-############################################################
@@ -4142,6 +4414,8 @@ index f5afe78..d428376 100644
+
+ ps_process_pattern($1_gkeyringd_t, $3)
+
++ auth_use_nsswitch($1_gkeyringd_t)
++
+ ps_process_pattern($3, $1_gkeyringd_t)
+ allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+
@@ -4797,7 +5071,7 @@ index f5afe78..d428376 100644
##
##
##
-@@ -46,37 +731,36 @@ interface(`gnome_role',`
+@@ -46,37 +733,36 @@ interface(`gnome_role',`
##
##
#
@@ -4846,7 +5120,7 @@ index f5afe78..d428376 100644
##
##
##
-@@ -84,37 +768,42 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +770,42 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -4900,7 +5174,7 @@ index f5afe78..d428376 100644
##
##
##
-@@ -122,17 +811,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +813,17 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
@@ -4922,7 +5196,7 @@ index f5afe78..d428376 100644
##
##
##
-@@ -140,51 +829,354 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +831,354 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -5293,7 +5567,7 @@ index f5afe78..d428376 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..5b18879 100644
+index 2505654..0c8361a 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
@@ -5371,7 +5645,7 @@ index 2505654..5b18879 100644
##############################
#
# Local Policy
-@@ -75,3 +113,169 @@ optional_policy(`
+@@ -75,3 +113,167 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -5505,8 +5779,6 @@ index 2505654..5b18879 100644
+
+selinux_getattr_fs(gkeyringd_domain)
+
-+auth_use_nsswitch(gkeyringd_domain)
-+
+logging_send_syslog_msg(gkeyringd_domain)
+
+miscfiles_read_localization(gkeyringd_domain)
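Review bot: The attribute-level `auth_use_nsswitch(gkeyringd_domain)` removed here is only re-added in the gnome.if hunk as `auth_use_nsswitch($1_gkeyringd_t)` inside the template, so any type that carries the gkeyringd_domain attribute without being created by that template no longer gets NSS access. If every member of the attribute comes from the template this is a no-op; if not, keeping the attribute rule is the safer choice. Either way a sentence in the commit message explaining why the grant moved from the attribute to the per-role type would help.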
@@ -5559,10 +5831,10 @@ index e9853d4..6864b58 100644
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
-index 40e0a2a..f4a103c 100644
+index 40e0a2a..93d212c 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
-@@ -54,10 +54,13 @@ interface(`gpg_role',`
+@@ -54,15 +54,16 @@ interface(`gpg_role',`
manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
@@ -5575,8 +5847,13 @@ index 40e0a2a..f4a103c 100644
+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
ifdef(`hide_broken_symptoms',`
#Leaked File Descriptors
- dontaudit gpg_t $2:socket_class_set { getattr read write };
-@@ -85,6 +88,43 @@ interface(`gpg_domtrans',`
+- dontaudit gpg_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+- dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ ')
+ ')
+@@ -85,6 +86,43 @@ interface(`gpg_domtrans',`
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
@@ -6022,7 +6299,7 @@ index 86c1768..5d2130c 100644
/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
')
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
-index e6d84e8..b10bbbc 100644
+index e6d84e8..7c398c0 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -72,7 +72,8 @@ template(`java_role_template',`
@@ -6035,19 +6312,16 @@ index e6d84e8..b10bbbc 100644
allow $1_java_t self:process { ptrace signal getsched execmem execstack };
-@@ -82,7 +83,10 @@ template(`java_role_template',`
+@@ -82,7 +83,7 @@ template(`java_role_template',`
domtrans_pattern($3, java_exec_t, $1_java_t)
- corecmd_bin_domtrans($1_java_t, $3)
+ corecmd_bin_domtrans($1_java_t, $1_t)
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_t $1_java_t:socket_class_set { read write };
-+ ')
dev_dontaudit_append_rand($1_java_t)
-@@ -105,7 +109,7 @@ template(`java_role_template',`
+@@ -105,7 +106,7 @@ template(`java_role_template',`
##
##
#
@@ -6056,7 +6330,7 @@ index e6d84e8..b10bbbc 100644
gen_require(`
type java_t, java_exec_t;
')
-@@ -179,6 +183,10 @@ interface(`java_run_unconfined',`
+@@ -179,6 +180,10 @@ interface(`java_run_unconfined',`
java_domtrans_unconfined($1)
role $2 types unconfined_java_t;
@@ -6068,10 +6342,10 @@ index e6d84e8..b10bbbc 100644
########################################
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
-index 167950d..ef63b20 100644
+index 167950d..27d37b0 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
-@@ -82,12 +82,12 @@ dev_read_urand(java_t)
+@@ -82,18 +82,20 @@ dev_read_urand(java_t)
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)
@@ -6085,7 +6359,30 @@ index 167950d..ef63b20 100644
fs_getattr_xattr_fs(java_t)
fs_dontaudit_rw_tmpfs_files(java_t)
-@@ -143,14 +143,21 @@ optional_policy(`
+
+ logging_send_syslog_msg(java_t)
+
++auth_use_nsswitch(java_t)
++
+ miscfiles_read_localization(java_t)
+ # Read global fonts and font config
+ miscfiles_read_fonts(java_t)
+@@ -123,14 +125,6 @@ tunable_policy(`allow_java_execstack',`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(java_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(java_t)
+-')
+-
+-optional_policy(`
+ xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+ ')
+
+@@ -143,14 +137,21 @@ optional_policy(`
# execheap is needed for itanium/BEA jrocket
allow unconfined_java_t self:process { execstack execmem execheap };
@@ -6261,6 +6558,21 @@ index a0be4ef..ae36a3f 100644
')
optional_policy(`
+diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
+index b55edd0..7b8d952 100644
+--- a/policy/modules/apps/loadkeys.if
++++ b/policy/modules/apps/loadkeys.if
+@@ -17,10 +17,6 @@ interface(`loadkeys_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit loadkeys_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 2523758..50629a8 100644
--- a/policy/modules/apps/loadkeys.te
@@ -6296,10 +6608,10 @@ index 0bac996..ca2388d 100644
+userdom_use_inherited_user_terminals(lockdev_t)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
-index 7b08e13..515a88a 100644
+index 7b08e13..1fa8573 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
-@@ -41,15 +41,22 @@ template(`mono_role_template',`
+@@ -41,7 +41,6 @@ template(`mono_role_template',`
application_type($1_mono_t)
allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
@@ -6307,20 +6619,13 @@ index 7b08e13..515a88a 100644
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
-
+@@ -49,7 +48,8 @@ template(`mono_role_template',`
fs_dontaudit_rw_tmpfs_files($1_mono_t)
corecmd_bin_domtrans($1_mono_t, $1_t)
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_t $1_mono_t:socket_class_set { read write };
-+ ')
- userdom_manage_user_tmpfs_files($1_mono_t)
+ userdom_unpriv_usertype($1, $1_mono_t)
+ userdom_manage_tmpfs_role($2, $1_mono_t)
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_t $1_mono_t:socket_class_set { read write };
-+ ')
optional_policy(`
xserver_role($1_r, $1_mono_t)
@@ -6497,7 +6802,7 @@ index fbb5c5a..170963f 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..456b38e 100644
+index 2e9318b..d4c78ac 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -6529,7 +6834,16 @@ index 2e9318b..456b38e 100644
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
-@@ -165,7 +169,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -156,6 +160,8 @@ fs_rw_tmpfs_files(mozilla_t)
+
+ term_dontaudit_getattr_pty_dirs(mozilla_t)
+
++auth_use_nsswitch(mozilla_t)
++
+ logging_send_syslog_msg(mozilla_t)
+
+ miscfiles_read_fonts(mozilla_t)
+@@ -165,7 +171,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -6538,7 +6852,7 @@ index 2e9318b..456b38e 100644
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -262,6 +266,7 @@ optional_policy(`
+@@ -262,6 +268,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -6546,19 +6860,17 @@ index 2e9318b..456b38e 100644
')
optional_policy(`
-@@ -282,6 +287,11 @@ optional_policy(`
+@@ -278,7 +285,8 @@ optional_policy(`
')
optional_policy(`
+- nscd_socket_use(mozilla_t)
+ nsplugin_manage_rw(mozilla_t)
+ nsplugin_manage_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
- pulseaudio_exec(mozilla_t)
- pulseaudio_stream_connect(mozilla_t)
- pulseaudio_manage_home_files(mozilla_t)
-@@ -297,15 +307,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -297,15 +305,18 @@ optional_policy(`
#
dontaudit mozilla_plugin_t self:capability { sys_ptrace };
@@ -6580,7 +6892,7 @@ index 2e9318b..456b38e 100644
can_exec(mozilla_plugin_t, mozilla_home_t)
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +326,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+@@ -313,8 +324,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -6593,7 +6905,7 @@ index 2e9318b..456b38e 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -332,11 +347,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +345,9 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -6607,7 +6919,7 @@ index 2e9318b..456b38e 100644
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +357,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +355,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -6617,7 +6929,7 @@ index 2e9318b..456b38e 100644
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -385,13 +401,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,13 +399,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -6637,7 +6949,7 @@ index 2e9318b..456b38e 100644
tunable_policy(`allow_execmem',`
allow mozilla_plugin_t self:process { execmem execstack };
-@@ -425,6 +447,11 @@ optional_policy(`
+@@ -425,6 +445,11 @@ optional_policy(`
')
optional_policy(`
@@ -6649,7 +6961,7 @@ index 2e9318b..456b38e 100644
gnome_manage_config(mozilla_plugin_t)
')
-@@ -438,7 +465,14 @@ optional_policy(`
+@@ -438,7 +463,14 @@ optional_policy(`
')
optional_policy(`
@@ -6665,7 +6977,7 @@ index 2e9318b..456b38e 100644
')
optional_policy(`
-@@ -446,10 +480,27 @@ optional_policy(`
+@@ -446,10 +478,27 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -6738,7 +7050,7 @@ index d8ea41d..8bdc526 100644
+ domtrans_pattern($1, mplayer_exec_t, $2)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
-index 072a210..7986b0b 100644
+index 072a210..16ce654 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
@@ -6766,10 +7078,12 @@ index 072a210..7986b0b 100644
manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
-@@ -225,10 +227,12 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
+@@ -225,10 +227,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
fs_list_inotifyfs(mplayer_t)
++auth_use_nsswitch(mplayer_t)
++
+logging_send_syslog_msg(mplayer_t)
+
miscfiles_read_localization(mplayer_t)
@@ -6780,17 +7094,15 @@ index 072a210..7986b0b 100644
# Read media files
userdom_list_user_tmp(mplayer_t)
userdom_read_user_tmp_files(mplayer_t)
-@@ -305,6 +309,10 @@ optional_policy(`
+@@ -305,7 +311,7 @@ optional_policy(`
')
optional_policy(`
+- nscd_socket_use(mplayer_t)
+ gnome_setattr_config_dirs(mplayer_t)
-+')
-+
-+optional_policy(`
- nscd_socket_use(mplayer_t)
')
+ optional_policy(`
diff --git a/policy/modules/apps/namespace.fc b/policy/modules/apps/namespace.fc
new file mode 100644
index 0000000..ce51c8d
@@ -6917,10 +7229,10 @@ index 0000000..22e6c96
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
new file mode 100644
-index 0000000..044c613
+index 0000000..1925bd9
--- /dev/null
+++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,472 @@
+
+## policy for nsplugin
+
@@ -7006,9 +7318,7 @@ index 0000000..044c613
+
+ #Leaked File Descriptors
+ifdef(`hide_broken_symptoms', `
-+ dontaudit nsplugin_t $2:socket_class_set { read write };
+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit nsplugin_config_t $2:socket_class_set { read write };
+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
+')
+ allow nsplugin_t $2:unix_stream_socket connectto;
@@ -8320,10 +8630,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..6efdeca
+index 0000000..809784d
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,362 @@
+@@ -0,0 +1,364 @@
+
+## policy for sandbox
+
@@ -8446,6 +8756,8 @@ index 0000000..6efdeca
+ application_type($1_t)
+ mcs_untrusted_proc($1_t)
+
++ auth_use_nsswitch($1_t)
++
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
@@ -8688,10 +9000,10 @@ index 0000000..6efdeca
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..cb552f5
+index 0000000..31c02d2
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,486 @@
+@@ -0,0 +1,483 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8916,7 +9228,6 @@ index 0000000..cb552f5
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
-+auth_use_nsswitch(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
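Review bot: Dropping `auth_use_nsswitch(sandbox_x_domain)` here, and `auth_use_nsswitch(sandbox_web_type)` in the hunk at L1120–L1128, moves name-service access from the attribute to the per-instance `auth_use_nsswitch($1_t)` added in sandbox.if (L1094). That is only equivalent if every type carrying sandbox_x_domain or sandbox_web_type is created through that template; a type given the attribute directly in sandbox.te loses name resolution silently, which for a web sandbox shows up as DNS failures rather than an obvious denial. The attribute assignments are outside these hunks, so this is worth confirming before the two attribute-level rules go.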
@@ -9101,8 +9412,6 @@ index 0000000..cb552f5
+
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
+
-+auth_use_nsswitch(sandbox_web_type)
-+
+dbus_system_bus_client(sandbox_web_type)
+dbus_read_config(sandbox_web_type)
+selinux_get_fs_mount(sandbox_web_type)
@@ -9242,10 +9551,20 @@ index a57e81e..57519a4 100644
files_search_tmp($1_screen_t)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..9342572 100644
+index 1dc7a85..a01511f 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
-@@ -53,8 +53,14 @@ interface(`seunshare_run',`
+@@ -43,18 +43,18 @@ interface(`seunshare_run',`
+ role $2 types seunshare_t;
+
+ allow $1 seunshare_t:process signal_perms;
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+- ')
+ ')
########################################
##
@@ -9261,7 +9580,7 @@ index 1dc7a85..9342572 100644
##
##
## Role allowed access.
-@@ -66,15 +72,32 @@ interface(`seunshare_run',`
+@@ -66,15 +66,30 @@ interface(`seunshare_run',`
##
##
#
@@ -9279,10 +9598,10 @@ index 1dc7a85..9342572 100644
+ role $2 types $1_seunshare_t;
- seunshare_domtrans($1)
++ auth_use_nsswitch($1_seunshare_t)
++
+ mls_process_set_level($1_seunshare_t)
-
-- ps_process_pattern($2, seunshare_t)
-- allow $2 seunshare_t:process signal;
++
+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
+ sandbox_transition($1_seunshare_t, $2)
+
@@ -9292,19 +9611,17 @@ index 1dc7a85..9342572 100644
+
+ allow $1_seunshare_t $3:process transition;
+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
-+
+
+- ps_process_pattern($2, seunshare_t)
+- allow $2 seunshare_t:process signal;
+ corecmd_bin_domtrans($1_seunshare_t, $1_t)
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_seunshare_t $3:socket_class_set { read write };
-+ ')
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..9a7ebe5 100644
+index 7590165..7e6f53c 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
@@ -9351,13 +9668,11 @@ index 7590165..9a7ebe5 100644
+fs_manage_cgroup_files(seunshare_domain)
-miscfiles_read_localization(seunshare_t)
-+auth_use_nsswitch(seunshare_domain)
-
--userdom_use_user_terminals(seunshare_t)
+logging_send_syslog_msg(seunshare_domain)
+-userdom_use_user_terminals(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
-+
+
+userdom_use_inherited_user_terminals(seunshare_domain)
+userdom_list_user_home_content(seunshare_domain)
ifdef(`hide_broken_symptoms', `
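Review bot: `auth_use_nsswitch(seunshare_domain)` is removed from seunshare.te here, while the replacement in seunshare.if (L1162) applies only to the per-role `$1_seunshare_t`. seunshare_t is still a live domain in this patch (`allow $1 seunshare_t:process signal_perms;` at L1140), so if it carries seunshare_domain and does user or group lookups it now loses them; either confirm it gets `auth_use_nsswitch` elsewhere or add `auth_use_nsswitch(seunshare_t)` beside the other seunshare_domain rules. The seunshare_domain rule block continues outside this hunk.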
@@ -9384,7 +9699,7 @@ index 7590165..9a7ebe5 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..e9bfed0 100644
+index 3cfb128..609921d 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
@@ -11,7 +11,6 @@
@@ -9395,7 +9710,18 @@ index 3cfb128..e9bfed0 100644
template(`telepathy_domain_template',`
gen_require(`
-@@ -32,7 +31,7 @@ template(`telepathy_domain_template',`
+@@ -23,16 +22,18 @@ template(`telepathy_domain_template',`
+ type telepathy_$1_exec_t, telepathy_executable;
+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ubac_constrained(telepathy_$1_t)
++ auth_use_nsswitch(telepathy_$1_t)
+
+ type telepathy_$1_tmp_t;
+ files_tmp_file(telepathy_$1_tmp_t)
+ ubac_constrained(telepathy_$1_tmp_t)
++
+ ')
+
#######################################
##
## Role access for telepathy domains
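Review bot: The added `auth_use_nsswitch(telepathy_$1_t)` sits in the declaration part of `telepathy_domain_template`, between `ubac_constrained(telepathy_$1_t)` and the `telepathy_$1_tmp_t` type, and the template also gains a stray empty line (`++`) just before its closing `')`. Refpolicy templates keep type declarations together and place access rules after them; moving the call below the tmp-type declarations and dropping the blank line keeps the template consistent with the rest of telepathy.if. Both are style points; the generated policy is the same either way.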
@@ -9404,7 +9730,7 @@ index 3cfb128..e9bfed0 100644
##
##
##
-@@ -44,8 +43,13 @@ template(`telepathy_domain_template',`
+@@ -44,8 +45,13 @@ template(`telepathy_domain_template',`
## The type of the user domain.
##
##
@@ -9419,7 +9745,7 @@ index 3cfb128..e9bfed0 100644
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -76,6 +80,8 @@ template(`telepathy_role', `
+@@ -76,6 +82,8 @@ template(`telepathy_role', `
dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
@@ -9428,7 +9754,7 @@ index 3cfb128..e9bfed0 100644
')
########################################
-@@ -122,11 +128,6 @@ interface(`telepathy_gabble_dbus_chat', `
+@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', `
##
## Read telepathy mission control state.
##
@@ -9440,7 +9766,7 @@ index 3cfb128..e9bfed0 100644
##
##
## Domain allowed access.
-@@ -179,3 +180,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -179,3 +182,75 @@ interface(`telepathy_salut_stream_connect', `
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
@@ -9517,7 +9843,7 @@ index 3cfb128..e9bfed0 100644
+ ')
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..9f6298c 100644
+index 2533ea0..e6e956f 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
@@ -9627,15 +9953,19 @@ index 2533ea0..9f6298c 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -365,6 +404,7 @@ dev_read_urand(telepathy_domain)
+@@ -365,10 +404,9 @@ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
+fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
- auth_use_nsswitch(telepathy_domain)
-@@ -376,5 +416,23 @@ optional_policy(`
+-auth_use_nsswitch(telepathy_domain)
+-
+ miscfiles_read_localization(telepathy_domain)
+
+ optional_policy(`
+@@ -376,5 +414,23 @@ optional_policy(`
')
optional_policy(`
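Review bot: `auth_use_nsswitch(telepathy_domain)` is removed from the attribute here in favour of the per-type call added inside `telepathy_domain_template` (L1227), which reaches only types created through that template. If any type is given the telepathy_domain attribute outside the template it silently loses name resolution; if every telepathy type does go through the template, the attribute-level rule was the simpler single point of grant and removing it gains nothing. The newly added `fs_getattr_all_fs(telepathy_domain)` would also benefit from a one-line comment naming the denial it resolves. The telepathy_domain rule block continues outside this hunk.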
@@ -9695,7 +10025,7 @@ index e70b0e8..cd83b89 100644
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..3d2073a 100644
+index ced285a..ff11b08 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -9706,7 +10036,36 @@ index ced285a..3d2073a 100644
')
########################################
-@@ -256,3 +257,65 @@ interface(`userhelper_exec',`
+@@ -122,6 +123,9 @@ template(`userhelper_role_template',`
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
++ auth_use_nsswitch($1_userhelper_t)
++
++ logging_send_syslog_msg($1_userhelper_t)
+
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+@@ -146,18 +150,6 @@ template(`userhelper_role_template',`
+ ')
+
+ optional_policy(`
+- logging_send_syslog_msg($1_userhelper_t)
+- ')
+-
+- optional_policy(`
+- nis_use_ypbind($1_userhelper_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1_userhelper_t)
+- ')
+-
+- optional_policy(`
+ tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+@@ -256,3 +248,65 @@ interface(`userhelper_exec',`
can_exec($1, userhelper_exec_t)
')
@@ -9946,10 +10305,18 @@ index 23066a1..6aff330 100644
# cjp: why?
userdom_read_user_home_content_files(vmware_t)
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
-index b11941a..dc37e57 100644
+index b11941a..93ec570 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
-@@ -81,7 +81,7 @@ miscfiles_read_public_files(webalizer_t)
+@@ -75,13 +75,15 @@ files_read_etc_runtime_files(webalizer_t)
+ logging_list_logs(webalizer_t)
+ logging_send_syslog_msg(webalizer_t)
+
++auth_use_nsswitch(webalizer_t)
++
+ miscfiles_read_localization(webalizer_t)
+ miscfiles_read_public_files(webalizer_t)
+
sysnet_dns_name_resolve(webalizer_t)
sysnet_read_config(webalizer_t)
@@ -9958,6 +10325,20 @@ index b11941a..dc37e57 100644
userdom_use_unpriv_users_fds(webalizer_t)
userdom_dontaudit_search_user_home_content(webalizer_t)
+@@ -97,13 +99,5 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(webalizer_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(webalizer_t)
+-')
+-
+-optional_policy(`
+ squid_read_log(webalizer_t)
+ ')
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
index 9d24449..2666317 100644
--- a/policy/modules/apps/wine.fc
@@ -9979,7 +10360,7 @@ index 9d24449..2666317 100644
/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index f9a73d0..4b055c1 100644
+index f9a73d0..e10101a 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -29,12 +29,16 @@
@@ -10017,13 +10398,8 @@ index f9a73d0..4b055c1 100644
type wine_exec_t;
')
-@@ -99,9 +103,12 @@ template(`wine_role_template',`
- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
- domtrans_pattern($3, wine_exec_t, $1_wine_t)
+@@ -101,7 +105,7 @@ template(`wine_role_template',`
corecmd_bin_domtrans($1_wine_t, $1_t)
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_t $1_wine_t:socket_class_set { read write };
-+ ')
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
@@ -10031,7 +10407,7 @@ index f9a73d0..4b055c1 100644
domain_mmap_low($1_wine_t)
-@@ -109,6 +116,10 @@ template(`wine_role_template',`
+@@ -109,6 +113,10 @@ template(`wine_role_template',`
dontaudit $1_wine_t self:memprotect mmap_zero;
')
@@ -10056,7 +10432,7 @@ index be9246b..e3de8fa 100644
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
-index 8bfe97d..6bba1a8 100644
+index 8bfe97d..9e4ad2c 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
@@ -10067,6 +10443,26 @@ index 8bfe97d..6bba1a8 100644
userdom_user_home_content(wireshark_home_t)
type wireshark_tmp_t;
+@@ -85,6 +86,8 @@ fs_search_auto_mountpoints(wireshark_t)
+
+ libs_read_lib_files(wireshark_t)
+
++auth_use_nsswitch(wireshark_t)
++
+ miscfiles_read_fonts(wireshark_t)
+ miscfiles_read_localization(wireshark_t)
+
+@@ -106,10 +109,6 @@ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_symlinks(wireshark_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(wireshark_t)
+-')
+-
+ # Manual transition from userhelper
+ optional_policy(`
+ userhelper_use_fd(wireshark_t)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index b3efef7..50c1a74 100644
--- a/policy/modules/apps/wm.if
@@ -10097,10 +10493,19 @@ index 1bdeb16..775f788 100644
userdom_read_user_home_content_files(xscreensaver_t)
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
-index 223ad43..d400ef6 100644
+index 223ad43..d95e720 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
-@@ -92,7 +92,7 @@ seutil_read_config(yam_t)
+@@ -83,6 +83,8 @@ fs_search_auto_mountpoints(yam_t)
+ # Content can also be on ISO image files.
+ fs_read_iso9660_files(yam_t)
+
++auth_use_nsswitch(yam_t)
++
+ logging_send_syslog_msg(yam_t)
+
+ miscfiles_read_localization(yam_t)
+@@ -92,7 +94,7 @@ seutil_read_config(yam_t)
sysnet_dns_name_resolve(yam_t)
sysnet_read_config(yam_t)
@@ -10109,6 +10514,20 @@ index 223ad43..d400ef6 100644
userdom_use_unpriv_users_fds(yam_t)
# Reading dotfiles...
# cjp: ?
+@@ -112,13 +114,5 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(yam_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(yam_t)
+-')
+-
+-optional_policy(`
+ rsync_exec(yam_t)
+ ')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 3fae11a..c8607de 100644
--- a/policy/modules/kernel/corecommands.fc
@@ -10368,7 +10787,7 @@ index 9e9263a..59c2125 100644
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..4581434 100644
+index 4f3b542..5a41e58 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -10538,11 +10957,11 @@ index 4f3b542..4581434 100644
+interface(`corenet_dccp_bind_generic_port',`
+ gen_require(`
+ type port_t;
-+ attribute port_type;
++ attribute defined_port_type;
+ ')
+
+ allow $1 port_t:dccp_socket name_bind;
-+ dontaudit $1 { port_type -port_t }:dccp_socket name_bind;
++ dontaudit $1 defined_port_type:dccp_socket name_bind;
+')
+
+########################################
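Review bot: `dontaudit $1 defined_port_type:dccp_socket name_bind;` narrows the old `{ port_type -port_t }` set to whatever is tagged with `defined_port_type`, and nothing in the visible hunks assigns that attribute: the declaration in corenetwork.te.in (L1880) is bare, and the hand-declared port types in that file keep explicit attribute lists without it (`hi_reserved_port_t` at L1905, `biff_port_t` at L1910). Unless the `network_port` macro outside this view adds `defined_port_type` and the hand-declared types are updated as well, binds to those ports by callers of the `*_bind_generic_port` interfaces become audited again. The same rewrite is in the hunks at L1511–L1534 and L1535–L1566; the attribute declarations are in the hunk at L1867–L1885.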
@@ -10550,10 +10969,21 @@ index 4f3b542..4581434 100644
## Bind TCP sockets to generic ports.
##
##
-@@ -1264,6 +1394,25 @@ interface(`corenet_tcp_bind_generic_port',`
+@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',`
+ interface(`corenet_tcp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+- attribute port_type;
++ attribute defined_port_type;
+ ')
- ########################################
- ##
+ allow $1 port_t:tcp_socket name_bind;
+- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
++ dontaudit $1 defined_port_type:tcp_socket name_bind;
++')
++
++########################################
++##
+## Do not audit attempts to bind DCCP
+## sockets to generic ports.
+##
@@ -10569,17 +10999,24 @@ index 4f3b542..4581434 100644
+ ')
+
+ dontaudit $1 port_t:dccp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ interface(`corenet_udp_bind_generic_port',`
+ gen_require(`
+ type port_t;
+- attribute port_type;
++ attribute defined_port_type;
+ ')
+
+ allow $1 port_t:udp_socket name_bind;
+- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
+
+########################################
+##
- ## Do not audit bind TCP sockets to generic ports.
- ##
- ##
-@@ -1302,6 +1451,24 @@ interface(`corenet_udp_bind_generic_port',`
-
- ########################################
- ##
+## Connect DCCP sockets to generic ports.
+##
+##
@@ -10594,13 +11031,9 @@ index 4f3b542..4581434 100644
+ ')
+
+ allow $1 port_t:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to generic ports.
- ##
- ##
+ ')
+
+ ########################################
@@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',`
########################################
@@ -10753,80 +11186,119 @@ index 4f3b542..4581434 100644
## Send and receive TCP network traffic on generic reserved ports.
##
##
-@@ -1647,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,7 +1924,7 @@ interface(`corenet_udp_sendrecv_reserved_port',`
########################################
##
+-## Bind TCP sockets to generic reserved ports.
+## Bind DCCP sockets to generic reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1655,18 +1932,18 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+ ##
+ ##
+ #
+-interface(`corenet_tcp_bind_reserved_port',`
+interface(`corenet_dccp_bind_reserved_port',`
-+ gen_require(`
-+ type reserved_port_t;
-+ ')
-+
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+- allow $1 reserved_port_t:tcp_socket name_bind;
+ allow $1 reserved_port_t:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic reserved ports.
+ allow $1 self:capability net_bind_service;
+ ')
+
+ ########################################
+ ##
+-## Bind UDP sockets to generic reserved ports.
++## Bind TCP sockets to generic reserved ports.
##
##
-@@ -1685,7 +1981,7 @@ interface(`corenet_udp_bind_reserved_port',`
+ ##
+@@ -1674,18 +1951,18 @@ interface(`corenet_tcp_bind_reserved_port',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_bind_reserved_port',`
++interface(`corenet_tcp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+- allow $1 reserved_port_t:udp_socket name_bind;
++ allow $1 reserved_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+ ')
########################################
##
-## Connect TCP sockets to generic reserved ports.
-+## Connect DCCP sockets to generic reserved ports.
++## Bind UDP sockets to generic reserved ports.
##
##
##
-@@ -1693,17 +1989,17 @@ interface(`corenet_udp_bind_reserved_port',`
+@@ -1693,17 +1970,18 @@ interface(`corenet_udp_bind_reserved_port',`
##
##
#
-interface(`corenet_tcp_connect_reserved_port',`
-+interface(`corenet_dccp_connect_reserved_port',`
++interface(`corenet_udp_bind_reserved_port',`
gen_require(`
type reserved_port_t;
')
- allow $1 reserved_port_t:tcp_socket name_connect;
-+ allow $1 reserved_port_t:dccp_socket name_connect;
++ allow $1 reserved_port_t:udp_socket name_bind;
++ allow $1 self:capability net_bind_service;
')
########################################
##
-## Send and receive TCP network traffic on all reserved ports.
-+## Connect TCP sockets to generic reserved ports.
++## Connect DCCP sockets to generic reserved ports.
##
##
##
-@@ -1711,17 +2007,53 @@ interface(`corenet_tcp_connect_reserved_port',`
+@@ -1711,17 +1989,17 @@ interface(`corenet_tcp_connect_reserved_port',`
##
##
#
-interface(`corenet_tcp_sendrecv_all_reserved_ports',`
-+interface(`corenet_tcp_connect_reserved_port',`
++interface(`corenet_dccp_connect_reserved_port',`
gen_require(`
- attribute reserved_port_type;
+ type reserved_port_t;
')
- allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
-+ allow $1 reserved_port_t:tcp_socket name_connect;
++ allow $1 reserved_port_t:dccp_socket name_connect;
')
########################################
##
-## Send UDP network traffic on all reserved ports.
++## Connect TCP sockets to generic reserved ports.
+ ##
+ ##
+ ##
+@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_send_all_reserved_ports',`
++interface(`corenet_tcp_connect_reserved_port',`
+ gen_require(`
+- attribute reserved_port_type;
++ type reserved_port_t;
++ ')
++
++ allow $1 reserved_port_t:tcp_socket name_connect;
++')
++
++########################################
++##
+## Send and receive DCCP network traffic on all reserved ports.
+##
+##
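Review bot: The tcp and udp reserved-port interfaces are rewritten in place to make room for the DCCP variants, so the inner hunk shows `corenet_tcp_bind_reserved_port` turning into `corenet_dccp_bind_reserved_port`, `corenet_udp_bind_reserved_port` into `corenet_tcp_bind_reserved_port`, and so on, and a reader has to pair each renamed header with its rules several lines away to confirm nothing changed. Appending the DCCP interfaces after the existing tcp/udp ones would leave those as unchanged context and make the hunk checkable by inspection. This is a style point about the patch layout; as far as the visible lines go the resulting interfaces look equivalent.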
@@ -10864,9 +11336,19 @@ index 4f3b542..4581434 100644
+########################################
+##
+## Send UDP network traffic on all reserved ports.
- ##
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_send_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:udp_socket send_msg;
@@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
########################################
@@ -10932,10 +11414,10 @@ index 4f3b542..4581434 100644
+#
+interface(`corenet_dccp_bind_all_unreserved_ports',`
+ gen_require(`
-+ attribute port_type, reserved_port_type;
++ attribute unreserved_port_type;
+ ')
+
-+ allow $1 { port_type -reserved_port_type }:dccp_socket name_bind;
++ allow $1 unreserved_port_type:dccp_socket name_bind;
+')
+
+########################################
@@ -10943,10 +11425,32 @@ index 4f3b542..4581434 100644
## Bind TCP sockets to all ports > 1024.
##
##
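Review bot: `allow $1 unreserved_port_type:dccp_socket name_bind;` replaces the closed-world set `{ port_type -reserved_port_type }` with a positive attribute, so the interface now grants exactly the types that carry `unreserved_port_type` and nothing else. If the policy has a catch-all type for ports without a portcon, it and any port type declared by hand with an explicit attribute list (compare `biff_port_t` at L1910) must be tagged too, or domains using `corenet_*_bind_all_unreserved_ports` lose name_bind on those ports silently; the assignment is outside these hunks, so please confirm it. The same substitution is made for tcp/udp bind at L1763–L1792 and for connect at L1815–L1831 and L1832–L1850, and the `{ port_type -reserved_port_type }` spelling should not survive anywhere once the attribute is in use, or the two forms will drift.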
-@@ -1882,6 +2269,24 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
+@@ -1856,10 +2243,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ #
+ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute unreserved_port_type;
+ ')
+
+- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
++ allow $1 unreserved_port_type:tcp_socket name_bind;
+ ')
########################################
- ##
+@@ -1874,10 +2261,28 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ #
+ interface(`corenet_udp_bind_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:udp_socket name_bind;
++')
++
++########################################
++##
+## Connect DCCP sockets to reserved ports.
+##
+##
@@ -10958,16 +11462,13 @@ index 4f3b542..4581434 100644
+interface(`corenet_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
-+ ')
-+
+ ')
+
+- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 reserved_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to reserved ports.
- ##
- ##
+ ')
+
+ ########################################
@@ -1900,6 +2305,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
########################################
@@ -10982,10 +11483,10 @@ index 4f3b542..4581434 100644
+#
+interface(`corenet_dccp_connect_all_unreserved_ports',`
+ gen_require(`
-+ attribute port_type, reserved_port_type;
++ attribute unreserved_port_type;
+ ')
+
-+ allow $1 { port_type -reserved_port_type }:dccp_socket name_connect;
++ allow $1 unreserved_port_type:dccp_socket name_connect;
+')
+
+########################################
@@ -10993,10 +11494,20 @@ index 4f3b542..4581434 100644
## Connect TCP sockets to all ports > 1024.
##
##
-@@ -1918,6 +2341,25 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
+@@ -1910,10 +2333,29 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ #
+ interface(`corenet_tcp_connect_all_unreserved_ports',`
+ gen_require(`
+- attribute port_type, reserved_port_type;
++ attribute unreserved_port_type;
+ ')
- ########################################
- ##
+- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
++ allow $1 unreserved_port_type:tcp_socket name_connect;
++')
++
++########################################
++##
+## Do not audit attempts to connect DCCP sockets
+## all reserved ports.
+##
@@ -11012,13 +11523,9 @@ index 4f3b542..4581434 100644
+ ')
+
+ dontaudit $1 reserved_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to connect TCP sockets
- ## all reserved ports.
- ##
+ ')
+
+ ########################################
@@ -1937,6 +2379,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
########################################
@@ -11369,10 +11876,17 @@ index 4f3b542..4581434 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..b49e084 100644
+index 99b71cb..7345e5f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -16,6 +16,7 @@ attribute rpc_port_type;
+@@ -11,11 +11,14 @@ attribute netif_type;
+ attribute node_type;
+ attribute packet_type;
+ attribute port_type;
++attribute defined_port_type;
+ attribute reserved_port_type;
++attribute unreserved_port_type;
+ attribute rpc_port_type;
attribute server_packet_type;
attribute corenet_unconfined_type;
@@ -11380,7 +11894,7 @@ index 99b71cb..b49e084 100644
type ppp_device_t;
dev_node(ppp_device_t)
-@@ -25,6 +26,7 @@ dev_node(ppp_device_t)
+@@ -25,6 +28,7 @@ dev_node(ppp_device_t)
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)
@@ -11388,7 +11902,7 @@ index 99b71cb..b49e084 100644
########################################
#
-@@ -34,6 +36,18 @@ dev_node(tun_tap_device_t)
+@@ -34,6 +38,18 @@ dev_node(tun_tap_device_t)
#
# client_packet_t is the default type of IPv4 and IPv6 client packets.
#
@@ -11407,7 +11921,7 @@ index 99b71cb..b49e084 100644
type client_packet_t, packet_type, client_packet_type;
#
-@@ -65,22 +79,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -65,22 +81,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
@@ -11435,7 +11949,7 @@ index 99b71cb..b49e084 100644
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
-@@ -88,7 +106,9 @@ network_port(clamd, tcp,3310,s0)
+@@ -88,7 +108,9 @@ network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
network_port(cobbler, tcp,25151,s0)
@@ -11445,7 +11959,7 @@ index 99b71cb..b49e084 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,9 +119,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,9 +121,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -11460,7 +11974,7 @@ index 99b71cb..b49e084 100644
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -129,20 +154,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +156,25 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -11489,7 +12003,7 @@ index 99b71cb..b49e084 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -155,13 +185,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -155,13 +187,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
@@ -11512,7 +12026,7 @@ index 99b71cb..b49e084 100644
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
-@@ -183,25 +221,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -183,25 +223,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -11545,7 +12059,7 @@ index 99b71cb..b49e084 100644
network_port(syslogd, udp,514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
-@@ -215,7 +257,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +259,7 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -11554,7 +12068,7 @@ index 99b71cb..b49e084 100644
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +271,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +273,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -11562,7 +12076,7 @@ index 99b71cb..b49e084 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -282,9 +325,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +327,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -11575,6 +12089,28 @@ index 99b71cb..b49e084 100644
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
+allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
+diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
+index 35fed4f..49f27ca 100644
+--- a/policy/modules/kernel/corenetwork.te.m4
++++ b/policy/modules/kernel/corenetwork.te.m4
+@@ -81,7 +81,7 @@ declare_nodes($1_node_t,shift($*))
+ define(`declare_ports',`dnl
+ ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
+ ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
+-',`dnl')
++',`typeattribute $1 unreserved_port_type;')
+ portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+ ')
+@@ -90,7 +90,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+ # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+ #
+ define(`network_port',`
+-type $1_port_t, port_type;
++type $1_port_t, port_type, defined_port_type;
+ type $1_client_packet_t, packet_type, client_packet_type;
+ type $1_server_packet_t, packet_type, server_packet_type;
+ declare_ports($1_port_t,shift($*))dnl
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 6cf8784..5b25039 100644
--- a/policy/modules/kernel/devices.fc
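Review bot: `declare_ports` now assigns `unreserved_port_type` per port entry in its else branch, and since it recurses over every entry with the same `$1`, a type declared with ports on both sides of 1024 ends up carrying both `reserved_port_type` and `unreserved_port_type`; `whois_port_t` (43 and 4321), `dhcpd_port_t` (67 through 7911) and `pop_port_t` (106 through 1109) in the visible context are such cases. If `unreserved_port_type` is what the bind-all-unreserved-ports interfaces key on (presumably, though corenetwork.if is not in this view), any domain granted that interface can also `name_bind` the privileged ports of those mixed types, which defeats the purpose of the split. Either split the mixed declarations into a reserved and an unreserved type, or decide the attribute once per type in `network_port` rather than per entry; at minimum add `# NOTE: a type with ports both below and above 1024 gets both attributes` above the `ifelse` so the hazard is recorded.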
@@ -12930,7 +13466,7 @@ index 6a1e4d1..cf3d50b 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..1f0b08f 100644
+index fae1ab1..da927bb 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -13023,7 +13559,7 @@ index fae1ab1..1f0b08f 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +197,88 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,90 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -13085,6 +13621,7 @@ index fae1ab1..1f0b08f 100644
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
++ dontaudit domain domain:socket_class_set { read write };
+')
+
+optional_policy(`
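Review bot: `dontaudit domain domain:socket_class_set { read write };` suppresses read/write denials on every socket class between every pair of domains whenever `hide_broken_symptoms` is set, which removes the AVC evidence for leaked socket descriptors across domain transitions; elsewhere in this patch the narrower `abrt_helper_t`-only form of the same rule is dropped in favour of this blanket one. A leaked socket is a confinement-boundary failure worth seeing, not just log noise, so keep the suppression scoped to the domains known to leak, or at least mark it as temporary: `# blanket rule: hides leaked socket fds between all domains; narrow once the leakers are fixed`.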
@@ -13112,6 +13649,7 @@ index fae1ab1..1f0b08f 100644
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
++
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c19518a..ba08cfe 100644
--- a/policy/modules/kernel/files.fc
@@ -13221,7 +13759,7 @@ index c19518a..ba08cfe 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..9097e58 100644
+index ff006ea..a049775 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -13232,7 +13770,71 @@ index ff006ea..9097e58 100644
## files_tmp_file()
## files_tmpfs_file()
## logging_log_file()
-@@ -1053,10 +1054,8 @@ interface(`files_relabel_all_files',`
+@@ -663,12 +664,63 @@ interface(`files_read_non_security_files',`
+ attribute non_security_file_type;
+ ')
+
++ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ read_files_pattern($1, non_security_file_type, non_security_file_type)
+ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+
+ ########################################
+ ##
++## Manage all non-security files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_manage_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ manage_files_pattern($1, non_security_file_type, non_security_file_type)
++ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
++')
++
++########################################
++##
++## Relabel all non-security files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabel_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
++ allow $1 { non_security_file_type }:dir list_dir_perms;
++ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++
++ # satisfy the assertions:
++ seutil_relabelto_bin_policy($1)
++')
++
++########################################
++##
+ ## Read all directories on the filesystem, except
+ ## the listed exceptions.
+ ##
+@@ -1053,10 +1105,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
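Review bot: In `files_relabel_non_security_files` the bare `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` on the first line is repeated three lines later in the braced form, so one of the two should be removed. The interface also grants relabelfrom/relabelto on block and character device nodes of every non-security type, which is more than the summary "Relabel all non-security files" suggests; spell it out, e.g. `## Relabel all non-security files, directories, symlinks, pipes, sockets and device nodes.`. Whether the trailing `seutil_relabelto_bin_policy($1)` is still needed to satisfy the neverallow assertions once security types are excluded is not visible here; if policy files are not `non_security_file_type` it can probably go.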
@@ -13245,7 +13847,7 @@ index ff006ea..9097e58 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1482,6 +1481,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1482,6 +1532,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -13288,7 +13890,7 @@ index ff006ea..9097e58 100644
## List the contents of the root directory.
##
##
-@@ -1562,7 +1597,7 @@ interface(`files_root_filetrans',`
+@@ -1562,7 +1648,7 @@ interface(`files_root_filetrans',`
type root_t;
')
@@ -13297,7 +13899,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -1848,7 +1883,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +1934,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
@@ -13306,7 +13908,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -2372,6 +2407,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2458,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -13331,7 +13933,7 @@ index ff006ea..9097e58 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2451,7 +2504,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2555,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -13340,7 +13942,7 @@ index ff006ea..9097e58 100644
##
##
#
-@@ -2525,6 +2578,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2629,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -13365,7 +13967,7 @@ index ff006ea..9097e58 100644
## Execute generic files in /etc.
##
##
-@@ -2624,7 +2695,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2746,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
@@ -13374,7 +13976,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -2680,24 +2751,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2802,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -13399,7 +14001,7 @@ index ff006ea..9097e58 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -2738,6 +2791,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2842,24 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -13424,7 +14026,7 @@ index ff006ea..9097e58 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2775,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2897,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -13432,7 +14034,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -3364,7 +3436,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3487,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
@@ -13441,7 +14043,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -3502,20 +3574,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3625,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -13485,7 +14087,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -3900,6 +3990,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4041,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13585,7 +14187,7 @@ index ff006ea..9097e58 100644
########################################
##
## Allow the specified type to associate
-@@ -3945,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4179,7 @@ interface(`files_getattr_tmp_dirs',`
##
##
##
@@ -13594,7 +14196,7 @@ index ff006ea..9097e58 100644
##
##
#
-@@ -4017,7 +4200,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4251,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -13603,7 +14205,7 @@ index ff006ea..9097e58 100644
##
##
#
-@@ -4029,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4263,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -13628,7 +14230,7 @@ index ff006ea..9097e58 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4085,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4337,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -13661,7 +14263,7 @@ index ff006ea..9097e58 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4139,6 +4366,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4417,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -13704,7 +14306,7 @@ index ff006ea..9097e58 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4202,7 +4465,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4516,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -13713,7 +14315,7 @@ index ff006ea..9097e58 100644
##
##
#
-@@ -4262,7 +4525,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4576,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -13722,7 +14324,7 @@ index ff006ea..9097e58 100644
##
##
#
-@@ -4318,7 +4581,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4632,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -13731,7 +14333,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -4342,6 +4605,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4656,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -13748,7 +14350,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -4681,7 +4954,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5005,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -13757,7 +14359,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -5084,7 +5357,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5408,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -13766,7 +14368,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -5219,7 +5492,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5543,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -13775,10 +14377,11 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -5304,6 +5577,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,7 +5628,26 @@ interface(`files_manage_mounttab',`
########################################
##
+-## Search the locks directory (/var/lock).
+## List generic lock directories.
+##
+##
@@ -13798,10 +14401,11 @@ index ff006ea..9097e58 100644
+
+########################################
+##
- ## Search the locks directory (/var/lock).
++## Search the locks directory (/var/lock).
##
##
-@@ -5317,6 +5609,8 @@ interface(`files_search_locks',`
+ ##
+@@ -5317,6 +5660,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -13810,7 +14414,7 @@ index ff006ea..9097e58 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5630,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5681,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -13826,7 +14430,7 @@ index ff006ea..9097e58 100644
##
##
##
-@@ -5349,12 +5645,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5696,30 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -13838,7 +14442,8 @@ index ff006ea..9097e58 100644
+ files_search_locks($1)
+ allow $1 var_lock_t:dir create_dir_perms;
+')
-+
+
+- list_dirs_pattern($1, var_t, var_lock_t)
+########################################
+##
+## Set the attributes of the /var/lock directory.
@@ -13853,13 +14458,12 @@ index ff006ea..9097e58 100644
+ gen_require(`
+ type var_lock_t;
+ ')
-
-- list_dirs_pattern($1, var_t, var_lock_t)
++
+ allow $1 var_lock_t:dir setattr;
')
########################################
-@@ -5373,6 +5687,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5738,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -13867,7 +14471,7 @@ index ff006ea..9097e58 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5700,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5751,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
##
##
@@ -13875,7 +14479,7 @@ index ff006ea..9097e58 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5726,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5777,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -13884,7 +14488,7 @@ index ff006ea..9097e58 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +5742,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5793,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -13901,7 +14505,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -5452,7 +5766,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5817,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -13910,7 +14514,7 @@ index ff006ea..9097e58 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +5807,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5858,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -13919,7 +14523,7 @@ index ff006ea..9097e58 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5829,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5880,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -13928,7 +14532,7 @@ index ff006ea..9097e58 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5861,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5912,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -13939,7 +14543,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -5608,6 +5922,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +5973,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -13983,7 +14587,7 @@ index ff006ea..9097e58 100644
########################################
##
## Do not audit attempts to search
-@@ -5736,7 +6087,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6138,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -13992,7 +14596,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -5815,6 +6166,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6217,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -14109,7 +14713,7 @@ index ff006ea..9097e58 100644
## Read all process ID files.
##
##
-@@ -5832,6 +6293,44 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6344,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -14154,7 +14758,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -5900,6 +6399,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6450,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
##
@@ -14245,7 +14849,7 @@ index ff006ea..9097e58 100644
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -6042,7 +6625,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6676,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -14254,7 +14858,7 @@ index ff006ea..9097e58 100644
')
########################################
-@@ -6117,3 +6700,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6751,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -15337,7 +15941,7 @@ index 6346378..edbe041 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..30d03e3 100644
+index d91c62f..2860a62 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -15438,7 +16042,27 @@ index d91c62f..30d03e3 100644
')
optional_policy(`
-@@ -358,6 +399,15 @@ optional_policy(`
+@@ -334,9 +375,7 @@ optional_policy(`
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+- auth_read_all_dirs_except_shadow(kernel_t)
+- auth_read_all_files_except_shadow(kernel_t)
+- auth_read_all_symlinks_except_shadow(kernel_t)
++ files_read_non_security_files(kernel_t)
+ ')
+
+ tunable_policy(`nfs_export_all_rw',`
+@@ -345,7 +384,7 @@ optional_policy(`
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+- auth_manage_all_files_except_shadow(kernel_t)
++ files_manage_non_security_files(kernel_t)
+ ')
+ ')
+
+@@ -358,6 +397,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
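Review bot: Replacing `auth_manage_all_files_except_shadow(kernel_t)` with `files_manage_non_security_files(kernel_t)` under `nfs_export_all_rw` moves the exclusion boundary from shadow_t alone to every type carrying `security_file_type`, so an rw export will silently stop serving files of those types; and the new interface, as defined earlier in this patch, issues only `manage_files_pattern` plus symlink read with no `manage_dirs_pattern`, so unless the removed auth interface also lacked directory management (not visible here) NFS clients lose mkdir/rmdir on the export. The same boundary shift applies to the three `auth_read_all_*_except_shadow` calls collapsed into `files_read_non_security_files` under `nfs_export_all_ro`. A comment above the tunable, `# non_security_file_type excludes every security_file_type, not only shadow_t`, would record the intent.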
@@ -16873,7 +17497,7 @@ index 1cb7311..1de82b2 100644
+
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index be4de58..cce681a 100644
+index be4de58..7e8b6ec 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -9,6 +9,8 @@ role secadm_r;
@@ -16885,6 +17509,16 @@ index be4de58..cce681a 100644
########################################
#
+@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
+
+ auth_role(secadm_r, secadm_t)
+-auth_relabel_all_files_except_shadow(secadm_t)
+-auth_relabel_shadow(secadm_t)
++files_relabel_all_files(secadm_t)
+
+ init_exec(secadm_t)
+
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..1a6d9d1 100644
--- a/policy/modules/roles/staff.te
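Review bot: `files_relabel_all_files(secadm_t)` grants relabelfrom/relabelto across the whole `file_type` attribute (its body, visible earlier in this patch, also covers symlink, fifo and socket objects), whereas the pair it replaces was scoped as "everything except shadow" plus shadow; if `auth_relabel_all_files_except_shadow` excluded anything beyond shadow_t, which is not visible here, secadm_t gains relabel on those types without a note. For the security-admin role that may well be intended, but a one-line comment, `# full file_type relabel; replaces the except-shadow/shadow pair`, would make the widening deliberate rather than incidental.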
@@ -18260,10 +18894,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..99f35d5
+index 0000000..f35e36b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,545 @@
+@@ -0,0 +1,549 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -18610,6 +19244,10 @@ index 0000000..99f35d5
+')
+
+optional_policy(`
++ dnsmasq_filetrans_named_content(unconfined_t)
++')
++
++optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+')
+
@@ -19165,7 +19803,7 @@ index 1bd5812..b3631d6 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..7382308 100644
+index 0b827c5..e03a970 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -19176,18 +19814,7 @@ index 0b827c5..7382308 100644
ps_process_pattern($1, abrt_t)
')
-@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',`
- ')
-
- domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit abrt_helper_t $1:socket_class_set { read write };
-+ ')
- ')
-
- ########################################
-@@ -160,8 +165,44 @@ interface(`abrt_run_helper',`
+@@ -160,8 +161,44 @@ interface(`abrt_run_helper',`
########################################
##
@@ -19234,7 +19861,7 @@ index 0b827c5..7382308 100644
##
##
##
-@@ -253,6 +294,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +290,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -19259,7 +19886,7 @@ index 0b827c5..7382308 100644
#####################################
##
## All of the rules required to administrate
-@@ -286,18 +345,98 @@ interface(`abrt_admin',`
+@@ -286,18 +341,98 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
@@ -21952,7 +22579,7 @@ index 1ea99b2..9427dd5 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..64ed1bb 100644
+index 1c8c27e..4ae8a51 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -22037,16 +22664,17 @@ index 1c8c27e..64ed1bb 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-@@ -205,12 +217,18 @@ optional_policy(`
+@@ -201,7 +213,8 @@ optional_policy(`
')
optional_policy(`
+- nscd_socket_use(apmd_t)
+ modutils_domtrans_insmod(apmd_t)
+ modutils_read_module_config(apmd_t)
-+')
-+
-+optional_policy(`
- pcmcia_domtrans_cardmgr(apmd_t)
+ ')
+
+ optional_policy(`
+@@ -209,8 +222,9 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
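Review bot: `nscd_socket_use(apmd_t)` is dropped here but no `auth_use_nsswitch(apmd_t)` appears in this hunk, unlike the ndc_t and bluetooth_helper_t changes later in this patch where the replacement is visible next to the removal; if it is not added in a hunk outside this view, apmd loses its path to nscd and name lookups from the apm event scripts will be denied. Add `auth_use_nsswitch(apmd_t)` alongside the new `modutils_*` lines, or note where it already lands. The `optional_policy` block this hunk edits continues outside the hunk.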
@@ -22057,7 +22685,7 @@ index 1c8c27e..64ed1bb 100644
')
optional_policy(`
-@@ -218,9 +236,9 @@ optional_policy(`
+@@ -218,9 +232,9 @@ optional_policy(`
udev_read_state(apmd_t) #necessary?
')
@@ -22397,7 +23025,7 @@ index 44a1e3d..7e9d2fb 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..be16209 100644
+index 4deca04..991629d 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@@ -22461,8 +23089,11 @@ index 4deca04..be16209 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
- allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -198,15 +211,14 @@ allow ndc_t self:process { fork signal_perms };
+ allow ndc_t self:fifo_file rw_fifo_file_perms;
+ allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
+ allow ndc_t self:tcp_socket create_socket_perms;
+-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file read_file_perms;
-allow ndc_t dnssec_t:lnk_file { getattr read };
@@ -22476,10 +23107,22 @@ index 4deca04..be16209 100644
allow ndc_t named_zone_t:dir search_dir_perms;
-@@ -238,13 +251,13 @@ miscfiles_read_localization(ndc_t)
- sysnet_read_config(ndc_t)
- sysnet_dns_name_resolve(ndc_t)
+@@ -228,6 +240,8 @@ files_search_pids(ndc_t)
+
+ fs_getattr_xattr_fs(ndc_t)
+
++auth_use_nsswitch(ndc_t)
++
+ init_use_fds(ndc_t)
+ init_use_script_ptys(ndc_t)
+
+@@ -235,24 +249,13 @@ logging_send_syslog_msg(ndc_t)
+ miscfiles_read_localization(ndc_t)
+
+-sysnet_read_config(ndc_t)
+-sysnet_dns_name_resolve(ndc_t)
+-
-userdom_use_user_terminals(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
@@ -22488,6 +23131,14 @@ index 4deca04..be16209 100644
# for /etc/rndc.key
ifdef(`distro_redhat',`
- allow ndc_t named_conf_t:dir search;
+-')
+-
+-optional_policy(`
+- nis_use_ypbind(ndc_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(ndc_t)
+ allow ndc_t named_conf_t:dir search_dir_perms;
')
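Review bot: The previous hunk drops `allow ndc_t self:netlink_route_socket r_netlink_socket_perms;` and this one drops `sysnet_read_config`, `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` for ndc_t, all on the assumption that the added `auth_use_nsswitch(ndc_t)` supplies each of them; the interface body is not in this view, so confirm it grants the netlink_route_socket permissions and resolv.conf access, otherwise rndc can no longer resolve the server name from rndc.conf. A comment on the new line, `# supplies dns/nis/nscd access and netlink_route_socket`, would make the dependency explicit.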
@@ -22660,7 +23311,7 @@ index 3e45431..4aa8fb1 100644
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..4a3569f 100644
+index 215b86b..619518f 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
@@ -22701,6 +23352,33 @@ index 215b86b..4a3569f 100644
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
+@@ -190,7 +200,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+ allow bluetooth_helper_t self:shm create_shm_perms;
+ allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+-allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+@@ -220,6 +229,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
+ files_read_usr_files(bluetooth_helper_t)
+ files_dontaudit_list_default(bluetooth_helper_t)
+
++auth_use_nsswitch(bluetooth_helper_t)
++
+ locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+ logging_send_syslog_msg(bluetooth_helper_t)
+@@ -236,9 +247,5 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(bluetooth_helper_t)
+-')
+-
+-optional_policy(`
+ xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+ ')
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
index 0000000..c095160
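Review bot: `allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;` and `nscd_socket_use(bluetooth_helper_t)` are removed in favour of `auth_use_nsswitch(bluetooth_helper_t)`, but whether that interface grants netlink_route_socket is not visible here; the domain keeps `tcp_socket create_socket_perms` in context, so helpers that do address lookups would hit denials on routing-table reads if it does not. Confirm before dropping the explicit allow, or keep it with `# still required unless auth_use_nsswitch covers netlink_route_socket`.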
@@ -25902,7 +26580,7 @@ index 838dec7..59d0f96 100644
miscfiles_read_localization(courier_pop_t)
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
-index 13d2f63..a048c53 100644
+index 13d2f63..861fad7 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
@@ -25914,6 +26592,28 @@ index 13d2f63..a048c53 100644
type cpuspeed_t;
type cpuspeed_exec_t;
+@@ -55,10 +55,6 @@ logging_send_syslog_msg(cpucontrol_t)
+ userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
+
+ optional_policy(`
+- nscd_socket_use(cpucontrol_t)
+-')
+-
+-optional_policy(`
+ rhgb_use_ptys(cpucontrol_t)
+ ')
+
+@@ -110,10 +106,6 @@ miscfiles_read_localization(cpuspeed_t)
+ userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
+
+ optional_policy(`
+- nscd_socket_use(cpuspeed_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(cpuspeed_t)
+ ')
+
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 2eefc08..34ab5ce 100644
--- a/policy/modules/services/cron.fc
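Review bot: `nscd_socket_use` is removed for both `cpucontrol_t` and `cpuspeed_t` without a visible `auth_use_nsswitch` replacement in either hunk, so unless it is added outside this view both domains lose nscd access and any name or user lookup they perform will be denied. Add `auth_use_nsswitch(cpucontrol_t)` and `auth_use_nsswitch(cpuspeed_t)` where the removed blocks stood, or note in the commit where the replacement lands.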
@@ -25937,7 +26637,7 @@ index 2eefc08..34ab5ce 100644
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..2976df7 100644
+index 35241ed..074392b 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -25989,11 +26689,12 @@ index 35241ed..2976df7 100644
domain_use_interactive_fds($1_t)
-@@ -59,12 +70,15 @@ template(`cron_common_crontab_template',`
+@@ -59,12 +70,16 @@ template(`cron_common_crontab_template',`
files_dontaudit_search_pids($1_t)
auth_domtrans_chk_passwd($1_t)
+ auth_rw_var_auth($1_t)
++ auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
@@ -26005,7 +26706,7 @@ index 35241ed..2976df7 100644
miscfiles_read_localization($1_t)
-@@ -73,9 +87,10 @@ template(`cron_common_crontab_template',`
+@@ -73,9 +88,10 @@ template(`cron_common_crontab_template',`
userdom_manage_user_tmp_dirs($1_t)
userdom_manage_user_tmp_files($1_t)
# Access terminals.
@@ -26017,7 +26718,17 @@ index 35241ed..2976df7 100644
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -102,10 +117,12 @@ template(`cron_common_crontab_template',`
+@@ -83,9 +99,6 @@ template(`cron_common_crontab_template',`
+ dontaudit $1_t crond_t:process signal;
+ ')
+
+- optional_policy(`
+- nscd_socket_use($1_t)
+- ')
+ ')
+
+ ########################################
+@@ -102,10 +115,12 @@ template(`cron_common_crontab_template',`
## User domain for the role
##
##
@@ -26030,7 +26741,7 @@ index 35241ed..2976df7 100644
')
role $1 types { cronjob_t crontab_t };
-@@ -116,9 +133,16 @@ interface(`cron_role',`
+@@ -116,9 +131,16 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
@@ -26048,7 +26759,7 @@ index 35241ed..2976df7 100644
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
-@@ -132,9 +156,8 @@ interface(`cron_role',`
+@@ -132,9 +154,8 @@ interface(`cron_role',`
')
dbus_stub(cronjob_t)
@@ -26059,7 +26770,7 @@ index 35241ed..2976df7 100644
')
########################################
-@@ -151,29 +174,18 @@ interface(`cron_role',`
+@@ -151,29 +172,18 @@ interface(`cron_role',`
## User domain for the role
##
##
@@ -26093,7 +26804,7 @@ index 35241ed..2976df7 100644
optional_policy(`
gen_require(`
-@@ -181,9 +193,8 @@ interface(`cron_unconfined_role',`
+@@ -181,9 +191,8 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
@@ -26104,7 +26815,7 @@ index 35241ed..2976df7 100644
')
########################################
-@@ -200,6 +211,7 @@ interface(`cron_unconfined_role',`
+@@ -200,6 +209,7 @@ interface(`cron_unconfined_role',`
## User domain for the role
##
##
@@ -26112,7 +26823,7 @@ index 35241ed..2976df7 100644
#
interface(`cron_admin_role',`
gen_require(`
-@@ -220,7 +232,7 @@ interface(`cron_admin_role',`
+@@ -220,7 +230,7 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
@@ -26121,7 +26832,7 @@ index 35241ed..2976df7 100644
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -234,9 +246,8 @@ interface(`cron_admin_role',`
+@@ -234,9 +244,8 @@ interface(`cron_admin_role',`
')
dbus_stub(admin_cronjob_t)
@@ -26132,7 +26843,7 @@ index 35241ed..2976df7 100644
')
########################################
-@@ -304,7 +315,7 @@ interface(`cron_exec',`
+@@ -304,7 +313,7 @@ interface(`cron_exec',`
########################################
##
@@ -26141,7 +26852,7 @@ index 35241ed..2976df7 100644
##
##
##
-@@ -377,6 +388,47 @@ interface(`cron_read_pipes',`
+@@ -377,6 +386,47 @@ interface(`cron_read_pipes',`
########################################
##
@@ -26189,7 +26900,7 @@ index 35241ed..2976df7 100644
## Do not audit attempts to write cron daemon unnamed pipes.
##
##
-@@ -390,6 +442,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +440,7 @@ interface(`cron_dontaudit_write_pipes',`
type crond_t;
')
@@ -26197,7 +26908,7 @@ index 35241ed..2976df7 100644
dontaudit $1 crond_t:fifo_file write;
')
-@@ -408,7 +461,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +459,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -26242,7 +26953,7 @@ index 35241ed..2976df7 100644
')
########################################
-@@ -481,6 +570,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +568,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -26250,7 +26961,7 @@ index 35241ed..2976df7 100644
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
-@@ -536,7 +626,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +624,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
@@ -26259,7 +26970,7 @@ index 35241ed..2976df7 100644
')
########################################
-@@ -554,7 +644,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +642,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -26268,7 +26979,7 @@ index 35241ed..2976df7 100644
')
########################################
-@@ -587,11 +677,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +675,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -26284,7 +26995,7 @@ index 35241ed..2976df7 100644
')
########################################
-@@ -627,7 +720,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +718,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -27047,7 +27758,7 @@ index 0000000..9146ef1
+
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
new file mode 100644
-index 0000000..09cb39f
+index 0000000..5e2a4bd
--- /dev/null
+++ b/policy/modules/services/ctdbd.te
@@ -0,0 +1,114 @@
@@ -27139,10 +27850,10 @@ index 0000000..09cb39f
+logging_send_syslog_msg(ctdbd_t)
+
+miscfiles_read_localization(ctdbd_t)
++miscfiles_read_public_files(ctdbd_t)
+
-+
-+# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
-+# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
++#corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
++#corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
+
+optional_policy(`
+ consoletype_exec(ctdbd_t)
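Review bot: The two commented-out `corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)` / `corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)` lines that this hunk only re-spaces still name `traffic_manager_t`, a domain that does not belong to ctdbd.te, so they read as a copy-paste leftover rather than a planned rule for ctdbd_t. Commented-out policy should be deleted outright; if ctdbd really binds or connects to that port, it should be a live rule on `ctdbd_t` with a why-comment, not a parked line for another domain. The ctdbd_t block continues outside the hunk.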
@@ -27644,7 +28355,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..7dbd8f6 100644
+index 1a1becd..d4357ec 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -27669,18 +28380,21 @@ index 1a1becd..7dbd8f6 100644
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
-@@ -62,8 +61,9 @@ template(`dbus_role_template',`
+@@ -62,107 +61,26 @@ template(`dbus_role_template',`
# Local policy
#
-+ dontaudit $1_dbusd_t self:capability sys_resource;
- allow $1_dbusd_t self:process { getattr sigkill signal };
+- allow $1_dbusd_t self:process { getattr sigkill signal };
- dontaudit $1_dbusd_t self:process ptrace;
-+ dontaudit $1_dbusd_t self:process { ptrace setrlimit };
- allow $1_dbusd_t self:file { getattr read write };
- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
- allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-@@ -76,7 +76,7 @@ template(`dbus_role_template',`
+- allow $1_dbusd_t self:file { getattr read write };
+- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+- allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+-
+ # For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
@@ -27688,10 +28402,14 @@ index 1a1becd..7dbd8f6 100644
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-@@ -88,14 +88,16 @@ template(`dbus_role_template',`
- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
-
+- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+-
+- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+-
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { signull sigkill signal };
+
@@ -27706,50 +28424,78 @@ index 1a1becd..7dbd8f6 100644
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_dbusd_t:process sigchld;
-
- kernel_read_system_state($1_dbusd_t)
- kernel_read_kernel_sysctls($1_dbusd_t)
-@@ -116,7 +118,7 @@ template(`dbus_role_template',`
-
- dev_read_urand($1_dbusd_t)
-
+-
+- kernel_read_system_state($1_dbusd_t)
+- kernel_read_kernel_sysctls($1_dbusd_t)
+-
+- corecmd_list_bin($1_dbusd_t)
+- corecmd_read_bin_symlinks($1_dbusd_t)
+- corecmd_read_bin_files($1_dbusd_t)
+- corecmd_read_bin_pipes($1_dbusd_t)
+- corecmd_read_bin_sockets($1_dbusd_t)
+-
+- corenet_all_recvfrom_unlabeled($1_dbusd_t)
+- corenet_all_recvfrom_netlabel($1_dbusd_t)
+- corenet_tcp_sendrecv_generic_if($1_dbusd_t)
+- corenet_tcp_sendrecv_generic_node($1_dbusd_t)
+- corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+- corenet_tcp_bind_generic_node($1_dbusd_t)
+- corenet_tcp_bind_reserved_port($1_dbusd_t)
+-
+- dev_read_urand($1_dbusd_t)
+-
- domain_use_interactive_fds($1_dbusd_t)
-+ domain_use_interactive_fds($1_dbusd_t)
- domain_read_all_domains_state($1_dbusd_t)
-
- files_read_etc_files($1_dbusd_t)
-@@ -147,19 +149,27 @@ template(`dbus_role_template',`
- seutil_read_config($1_dbusd_t)
- seutil_read_default_contexts($1_dbusd_t)
-
+- domain_read_all_domains_state($1_dbusd_t)
+-
+- files_read_etc_files($1_dbusd_t)
+- files_list_home($1_dbusd_t)
+- files_read_usr_files($1_dbusd_t)
+- files_dontaudit_search_var($1_dbusd_t)
+-
+- fs_getattr_romfs($1_dbusd_t)
+- fs_getattr_xattr_fs($1_dbusd_t)
+- fs_list_inotifyfs($1_dbusd_t)
+- fs_dontaudit_list_nfs($1_dbusd_t)
+-
+- selinux_get_fs_mount($1_dbusd_t)
+- selinux_validate_context($1_dbusd_t)
+- selinux_compute_access_vector($1_dbusd_t)
+- selinux_compute_create_context($1_dbusd_t)
+- selinux_compute_relabel_context($1_dbusd_t)
+- selinux_compute_user_contexts($1_dbusd_t)
+-
+- auth_read_pam_console_data($1_dbusd_t)
+- auth_use_nsswitch($1_dbusd_t)
+-
+- logging_send_audit_msgs($1_dbusd_t)
+- logging_send_syslog_msg($1_dbusd_t)
+-
+- miscfiles_read_localization($1_dbusd_t)
+-
+- seutil_read_config($1_dbusd_t)
+- seutil_read_default_contexts($1_dbusd_t)
+-
- term_use_all_terms($1_dbusd_t)
-+ term_use_all_inherited_terms($1_dbusd_t)
-
+-
- userdom_read_user_home_content_files($1_dbusd_t)
-+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
-+ userdom_manage_user_home_content_dirs($1_dbusd_t)
-+ userdom_manage_user_home_content_files($1_dbusd_t)
-+ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
-
+-
- ifdef(`hide_broken_symptoms', `
-+ ifdef(`hide_broken_symptoms',`
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
- ')
+- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+- ')
+-
+- optional_policy(`
+- hal_dbus_chat($1_dbusd_t)
+- ')
- optional_policy(`
-+ gnome_read_gconf_home_files($1_dbusd_t)
-+ ')
-+
-+ optional_policy(`
- hal_dbus_chat($1_dbusd_t)
- ')
+- optional_policy(`
+- xserver_use_xdm_fds($1_dbusd_t)
+- xserver_rw_xdm_pipes($1_dbusd_t)
+- ')
++ auth_use_nsswitch($1_dbusd_t)
+ ')
- optional_policy(`
-+ xserver_search_xdm_lib($1_dbusd_t)
- xserver_use_xdm_fds($1_dbusd_t)
- xserver_rw_xdm_pipes($1_dbusd_t)
- ')
-@@ -181,11 +191,12 @@ interface(`dbus_system_bus_client',`
+ #######################################
+@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
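Review bot: `auth_use_nsswitch($1_dbusd_t)` is now the only per-type rule left in `dbus_role_template` after everything else moved to the `session_bus_type` attribute, and nothing in the hunk says why it alone stayed behind; presumably that interface adds its caller to an attribute, which cannot be done to `session_bus_type` itself — confirm against authlogin.if. A one-line comment would stop the next maintainer from "tidying" it onto the attribute and silently breaking name resolution for every session bus: `# must stay per-type: auth_use_nsswitch() cannot be applied to the session_bus_type attribute`. The template continues outside the hunk.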
@@ -27763,7 +28509,7 @@ index 1a1becd..7dbd8f6 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -198,6 +209,34 @@ interface(`dbus_system_bus_client',`
+@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',`
#######################################
##
@@ -27798,7 +28544,7 @@ index 1a1becd..7dbd8f6 100644
## Template for creating connections to
## a user DBUS.
##
-@@ -218,6 +257,8 @@ interface(`dbus_session_bus_client',`
+@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
@@ -27807,7 +28553,7 @@ index 1a1becd..7dbd8f6 100644
')
########################################
-@@ -322,6 +363,11 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',`
## Allow a application domain to be started
## by the session dbus.
##
@@ -27819,7 +28565,7 @@ index 1a1becd..7dbd8f6 100644
##
##
## Type to be used as a domain.
-@@ -336,13 +382,13 @@ interface(`dbus_connect_session_bus',`
+@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',`
#
interface(`dbus_session_domain',`
gen_require(`
@@ -27837,42 +28583,37 @@ index 1a1becd..7dbd8f6 100644
')
########################################
-@@ -432,14 +478,33 @@ interface(`dbus_system_domain',`
-
- domtrans_pattern(system_dbusd_t, $2, $1)
-
-+ fs_search_all($1)
-+
- dbus_system_bus_client($1)
- dbus_connect_system_bus($1)
-
-+ init_stream_connect($1)
-+ init_dgram_send($1)
-+ init_use_fds($1)
-+
- ps_process_pattern(system_dbusd_t, $1)
+@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',`
+ #
+ interface(`dbus_system_domain',`
+ gen_require(`
++ attribute system_bus_type;
+ type system_dbusd_t;
+ role system_r;
+ ')
++ typeattribute $1 system_bus_type;
-+ userdom_dontaudit_search_admin_dir($1)
- userdom_read_all_users_state($1)
+ domain_type($1)
+ domain_entry_file($1, $2)
+- role system_r types $1;
+-
+ domtrans_pattern(system_dbusd_t, $2, $1)
+-
+- dbus_system_bus_client($1)
+- dbus_connect_system_bus($1)
+-
+- ps_process_pattern(system_dbusd_t, $1)
+-
+- userdom_read_all_users_state($1)
+-
- ifdef(`hide_broken_symptoms', `
-+ optional_policy(`
-+ abrt_stream_connect($1)
-+ ')
-+
-+ optional_policy(`
-+ rpm_script_dbus_chat($1)
-+ ')
-+
-+ optional_policy(`
-+ unconfined_dbus_send($1)
-+ ')
-+
-+ ifdef(`hide_broken_symptoms',`
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- ')
+- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+- ')
')
-@@ -464,26 +529,25 @@ interface(`dbus_use_system_bus_fds',`
+
+ ########################################
+@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
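Review bot: `role system_r;` in the gen_require of `dbus_system_domain` is now dead, because the `role system_r types $1;` line it supported was removed from the interface and the role binding lives on the attribute in dbus.te instead. Trim the require to what the body still uses, `attribute system_bus_type;` and `type system_dbusd_t;`, so a reader is not misled into thinking the interface still assigns roles. The interface's doc comment, which is outside the hunk, should also say that the caller inherits all `system_bus_type` rules, since that is now the bulk of what it grants.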
@@ -27905,7 +28646,7 @@ index 1a1becd..7dbd8f6 100644
##
##
##
-@@ -491,10 +555,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +433,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -27922,10 +28663,18 @@ index 1a1becd..7dbd8f6 100644
')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..0909589 100644
+index 1bff6ee..3136cb7 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
-@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
+@@ -10,6 +10,7 @@ gen_require(`
+ #
+
+ attribute dbusd_unconfined;
++attribute system_bus_type;
+ attribute session_bus_type;
+
+ type dbusd_etc_t;
+@@ -36,6 +37,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@@ -27933,7 +28682,7 @@ index 1bff6ee..0909589 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
+@@ -52,9 +54,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
@@ -27945,7 +28694,7 @@ index 1bff6ee..0909589 100644
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+@@ -74,9 +76,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@@ -27957,7 +28706,7 @@ index 1bff6ee..0909589 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -111,6 +114,8 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
@@ -27966,7 +28715,7 @@ index 1bff6ee..0909589 100644
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
-@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -121,7 +126,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -27976,7 +28725,7 @@ index 1bff6ee..0909589 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +147,19 @@ optional_policy(`
+@@ -141,6 +148,19 @@ optional_policy(`
')
optional_policy(`
@@ -27996,7 +28745,7 @@ index 1bff6ee..0909589 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +170,29 @@ optional_policy(`
+@@ -151,12 +171,155 @@ optional_policy(`
')
optional_policy(`
@@ -28015,18 +28764,144 @@ index 1bff6ee..0909589 100644
+
########################################
#
- # Unconfined access to this module
+-# Unconfined access to this module
++# system_bus_type rules
#
--
- allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
-+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
-+allow session_bus_type dbusd_unconfined:dbus send_msg;
++role system_r types system_bus_type;
++
++fs_search_all(system_bus_type)
++
++dbus_system_bus_client(system_bus_type)
++dbus_connect_system_bus(system_bus_type)
++
++init_stream_connect(system_bus_type)
++init_dgram_send(system_bus_type)
++init_use_fds(system_bus_type)
+
++ps_process_pattern(system_dbusd_t, system_bus_type)
++
++userdom_dontaudit_search_admin_dir(system_bus_type)
++userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
++ abrt_stream_connect(system_bus_type)
++')
++
++optional_policy(`
++ rpm_script_dbus_chat(system_bus_type)
++')
++
++optional_policy(`
++ unconfined_dbus_send(system_bus_type)
++')
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
++')
++
++########################################
++#
++# session_bus_type rules
++#
++dontaudit session_bus_type self:capability sys_resource;
++allow session_bus_type self:process { getattr sigkill signal };
++dontaudit session_bus_type self:process { ptrace setrlimit };
++allow session_bus_type self:file { getattr read write };
++allow session_bus_type self:fifo_file rw_fifo_file_perms;
++allow session_bus_type self:dbus { send_msg acquire_svc };
++allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
++allow session_bus_type self:unix_dgram_socket create_socket_perms;
++allow session_bus_type self:tcp_socket create_stream_socket_perms;
++allow session_bus_type self:netlink_selinux_socket create_socket_perms;
++
++allow session_bus_type dbusd_etc_t:dir list_dir_perms;
++read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
++read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
++
++manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
++manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
++files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
++
++kernel_read_system_state(session_bus_type)
++kernel_read_kernel_sysctls(session_bus_type)
++
++corecmd_list_bin(session_bus_type)
++corecmd_read_bin_symlinks(session_bus_type)
++corecmd_read_bin_files(session_bus_type)
++corecmd_read_bin_pipes(session_bus_type)
++corecmd_read_bin_sockets(session_bus_type)
++
++corenet_all_recvfrom_unlabeled(session_bus_type)
++corenet_all_recvfrom_netlabel(session_bus_type)
++corenet_tcp_sendrecv_generic_if(session_bus_type)
++corenet_tcp_sendrecv_generic_node(session_bus_type)
++corenet_tcp_sendrecv_all_ports(session_bus_type)
++corenet_tcp_bind_generic_node(session_bus_type)
++corenet_tcp_bind_reserved_port(session_bus_type)
++
++dev_read_urand(session_bus_type)
++
++domain_use_interactive_fds(session_bus_type)
++domain_read_all_domains_state(session_bus_type)
++
++files_read_etc_files(session_bus_type)
++files_list_home(session_bus_type)
++files_read_usr_files(session_bus_type)
++files_dontaudit_search_var(session_bus_type)
++
++fs_getattr_romfs(session_bus_type)
++fs_getattr_xattr_fs(session_bus_type)
++fs_list_inotifyfs(session_bus_type)
++fs_dontaudit_list_nfs(session_bus_type)
++
++selinux_get_fs_mount(session_bus_type)
++selinux_validate_context(session_bus_type)
++selinux_compute_access_vector(session_bus_type)
++selinux_compute_create_context(session_bus_type)
++selinux_compute_relabel_context(session_bus_type)
++selinux_compute_user_contexts(session_bus_type)
++
++auth_read_pam_console_data(session_bus_type)
++
++logging_send_audit_msgs(session_bus_type)
++logging_send_syslog_msg(session_bus_type)
++
++miscfiles_read_localization(session_bus_type)
++
++seutil_read_config(session_bus_type)
++seutil_read_default_contexts(session_bus_type)
++
++term_use_all_inherited_terms(session_bus_type)
++
++userdom_dontaudit_search_admin_dir(session_bus_type)
++userdom_manage_user_home_content_dirs(session_bus_type)
++userdom_manage_user_home_content_files(session_bus_type)
++userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
++
++optional_policy(`
++ gnome_read_gconf_home_files(session_bus_type)
++')
++
++optional_policy(`
++ hal_dbus_chat(session_bus_type)
++')
++
++optional_policy(`
++ xserver_search_xdm_lib(session_bus_type)
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
++
++########################################
++#
++# Unconfined access to this module
++#
+ allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
++allow session_bus_type dbusd_unconfined:dbus send_msg;
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 784753e..bf65e7d 100644
--- a/policy/modules/services/dcc.if
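Review bot: The xserver `optional_policy` block near the end of the new `session_bus_type` section ends up with `xserver_use_xdm_fds(session_bus_type)` and `xserver_rw_xdm_pipes(session_bus_type)` each listed twice, because the three newly added lines repeat two of the lines the previous revision of this patch already had there. Drop the two duplicates and keep only `xserver_search_xdm_lib(session_bus_type)` as the new line; duplicate rules compile, but they hide real diffs later. Separately, `userdom_manage_user_home_content_dirs/files(session_bus_type)` plus the home-dir filetrans give every session bus daemon create/write access over all user home content, where the base template this replaces only had `userdom_read_user_home_content_files`; that widening predates this revision but deserves a why-comment on the attribute (e.g. which service needs to write there) since it now applies to every type given `session_bus_type`.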
@@ -28780,6 +29655,36 @@ index d4424ad..a809e38 100644
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
+diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
+index d2d9359..ee10625 100644
+--- a/policy/modules/services/dictd.te
++++ b/policy/modules/services/dictd.te
+@@ -73,23 +73,15 @@ files_search_var_lib(dictd_t)
+ # for checking for nscd
+ files_dontaudit_search_pids(dictd_t)
+
++auth_use_nsswitch(dictd_t)
++
+ logging_send_syslog_msg(dictd_t)
+
+ miscfiles_read_localization(dictd_t)
+
+-sysnet_read_config(dictd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+
+ optional_policy(`
+- nis_use_ypbind(dictd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(dictd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(dictd_t)
+ ')
+
diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
new file mode 100644
index 0000000..642e548
@@ -29110,10 +30015,10 @@ index 0000000..3aae725
+/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if
new file mode 100644
-index 0000000..9d8f5de
+index 0000000..6fd8e9f
--- /dev/null
+++ b/policy/modules/services/dirsrv.if
-@@ -0,0 +1,212 @@
+@@ -0,0 +1,208 @@
+## policy for dirsrv
+
+########################################
@@ -29132,10 +30037,6 @@ index 0000000..9d8f5de
+ ')
+
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit dirsrv_t $1:socket_class_set { read write };
-+ ')
+')
+
+
@@ -29564,7 +30465,7 @@ index b886676..ad3210e 100644
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..89a9426 100644
+index 9bd812b..c4abec3 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
@@ -29605,7 +30506,7 @@ index 9bd812b..89a9426 100644
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -163,17 +163,59 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +163,79 @@ interface(`dnsmasq_delete_pid_files',`
##
##
#
@@ -29647,18 +30548,38 @@ index 9bd812b..89a9426 100644
+## Domain allowed access.
+##
+##
-+##
-+##
-+## The type of the object to be created.
-+##
++##
++##
++## The type of the directory for the object to be created.
++##
+##
+#
-+interface(`dnsmasq_filetrans_named_content',`
++interface(`dnsmasq_filetrans_named_content_fromdir',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
++ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
++')
++
++########################################
++##
++## Transition to dnsmasq named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dnsmasq_filetrans_named_content',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
++ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+########################################
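Review bot: Both new interfaces carry the identical summary "Transition to dnsmasq named content", so a reader of the generated docs cannot tell `dnsmasq_filetrans_named_content` (which uses `files_pid_filetrans`, i.e. creation directly under the pid directory) apart from `dnsmasq_filetrans_named_content_fromdir` (which takes the parent directory type as `$2`). Reword the second summary along the lines of `## Transition to dnsmasq named content created in the generic pid directory` and the first to mention the caller-supplied directory type. Both interfaces create the same two names, `network` and `dnsmasq.pid`, so the only real difference is the parent directory, which is what the doc should state.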
@@ -31220,6 +32141,42 @@ index 6537214..7d64c0a 100644
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
+diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
+index 9b7036a..4770f61 100644
+--- a/policy/modules/services/finger.te
++++ b/policy/modules/services/finger.te
+@@ -66,6 +66,7 @@ term_getattr_all_ttys(fingerd_t)
+ term_getattr_all_ptys(fingerd_t)
+
+ auth_read_lastlog(fingerd_t)
++auth_use_nsswitch(fingerd_t)
+
+ corecmd_exec_bin(fingerd_t)
+ corecmd_exec_shell(fingerd_t)
+@@ -83,8 +84,6 @@ logging_send_syslog_msg(fingerd_t)
+
+ mta_getattr_spool(fingerd_t)
+
+-sysnet_read_config(fingerd_t)
+-
+ miscfiles_read_localization(fingerd_t)
+
+ # stop it accessing sub-directories, prevents checking a Maildir for new mail,
+@@ -101,14 +100,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(fingerd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(fingerd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(fingerd_t)
+ ')
+
diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
new file mode 100644
index 0000000..ba9a7a9
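Review bot: Swapping `sysnet_read_config(fingerd_t)` plus the optional ypbind/nscd blocks for `auth_use_nsswitch(fingerd_t)` is not a pure refactor for a network-facing daemon: in this tree `auth_use_nsswitch` presumably also grants DNS, LDAP and similar client access (confirm against authlogin.if), whereas fingerd previously only read resolver configuration and talked to a local nscd/ypbind. If fingerd only needs user lookups that is acceptable, but the widening should be recorded where it is granted, e.g. `# auth_use_nsswitch: also brings DNS/LDAP client access, needed for NIS/LDAP user lookups`. The fingerd_t block is larger than the hunk shows.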
@@ -31490,7 +32447,7 @@ index 9d3201b..748cac5 100644
##
## Allow domain dyntransition to sftpd_anon domain.
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..4986fb9 100644
+index 8a74a83..3283e90 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -31582,6 +32539,15 @@ index 8a74a83..4986fb9 100644
init_rw_utmp(ftpd_t)
+@@ -261,7 +281,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+
+ tunable_policy(`allow_ftpd_full_access',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+- auth_manage_all_files_except_shadow(ftpd_t)
++ files_manage_non_security_files(ftpd_t)
+ ')
+
+ tunable_policy(`ftp_home_dir',`
@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
@@ -31671,7 +32637,7 @@ index 8a74a83..4986fb9 100644
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
-+ auth_manage_all_files_except_shadow(sftpd_t)
++ files_manage_non_security_files(sftpd_t)
+')
+
+tunable_policy(`sftpd_write_ssh_home',`
@@ -31694,6 +32660,15 @@ index 8a74a83..4986fb9 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -394,7 +456,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+- auth_manage_all_files_except_shadow(sftpd_t)
++ files_manage_non_security_files(sftpd_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 99a94de..6dbc203 100644
--- a/policy/modules/services/gatekeeper.te
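Review bot: The `tunable_policy(`sftpd_full_access',` block modified at the end of this hunk is rule-for-rule identical to the one the patch adds earlier in the same file (`allow sftpd_t self:capability { dac_override dac_read_search };`, `fs_read_noxattr_fs_files(sftpd_t)`, `files_manage_non_security_files(sftpd_t)`), so unless the two sit under different enclosing conditionals that the hunks do not show, one of them is redundant and should be removed. Keeping both means a future change to one silently leaves the other granting the old rights. The sftpd_t policy continues outside the hunk.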
@@ -32272,10 +33247,10 @@ index 458aac6..8e83609 100644
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
-index 7382f85..0b39a8b 100644
+index 7382f85..deb5bff 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
-@@ -1,8 +1,192 @@
+@@ -1,8 +1,194 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.3)
+
@@ -32374,8 +33349,6 @@ index 7382f85..0b39a8b 100644
+
+kernel_read_system_state(git_domains)
+
-+auth_use_nsswitch(git_domains)
-+
+logging_send_syslog_msg(git_domains)
+
+miscfiles_read_localization(git_domains)
@@ -32399,6 +33372,8 @@ index 7382f85..0b39a8b 100644
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
++auth_use_nsswitch(git_system_t)
++
+tunable_policy(`git_system_enable_homedirs',`
+ userdom_search_user_home_dirs(git_system_t)
+')
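Review bot: `auth_use_nsswitch` is moved off the shared `git_domains` attribute onto `git_system_t` and `git_session_t` individually, and nothing says why these two are the exception when every other shared rule stays on the attribute; presumably the interface adds its caller to an attribute, which is only valid for a type — confirm. Without a note someone will "deduplicate" it back onto `git_domains`, so add at the per-type call site: `# must be per-type: auth_use_nsswitch() cannot take the git_domains attribute`. The git_system_t block continues outside the hunk.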
@@ -32430,6 +33405,8 @@ index 7382f85..0b39a8b 100644
+
+allow git_session_t self:tcp_socket { accept listen };
+
++auth_use_nsswitch(git_session_t)
++
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
@@ -32693,7 +33670,7 @@ index 03742d8..c65263e 100644
')
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
-index 2d0b4e1..e268ede 100644
+index 2d0b4e1..1e40c00 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -91,7 +91,7 @@ template(`hadoop_domain_template',`
@@ -32705,7 +33682,26 @@ index 2d0b4e1..e268ede 100644
corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
corenet_udp_sendrecv_generic_if(hadoop_$1_t)
corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
-@@ -175,8 +175,6 @@ template(`hadoop_domain_template',`
+@@ -109,6 +109,7 @@ template(`hadoop_domain_template',`
+ files_read_etc_files(hadoop_$1_t)
+
+ auth_domtrans_chkpwd(hadoop_$1_t)
++ auth_use_nsswitch(hadoop_$1_t)
+
+ hadoop_match_lan_spd(hadoop_$1_t)
+
+@@ -132,10 +133,6 @@ template(`hadoop_domain_template',`
+
+ su_exec(hadoop_$1_t)
+
+- optional_policy(`
+- nscd_socket_use(hadoop_$1_t)
+- ')
+-
+ ####################################
+ #
+ # Shared hadoop_$1 initrc policy.
+@@ -175,8 +172,6 @@ template(`hadoop_domain_template',`
files_read_etc_files(hadoop_$1_initrc_t)
files_read_usr_files(hadoop_$1_initrc_t)
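Review bot: `auth_domtrans_chkpwd(hadoop_$1_initrc_t)` gives the init-script domain a transition into the password-checking helper, which is a privilege an init script should not need; every other domain in this series replaces a removed `nscd_socket_use` with `auth_use_nsswitch`, and the initrc domain's `nscd_socket_use` is removed in the next hunk, so this line looks like a copy of the `hadoop_$1_t` call a few lines above rather than the intended replacement. Change it to `auth_use_nsswitch(hadoop_$1_initrc_t)`, or, if a hadoop init script really verifies passwords, keep it and add a comment naming which script does so. The template body runs past the hunk.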
@@ -32714,31 +33710,65 @@ index 2d0b4e1..e268ede 100644
fs_getattr_xattr_fs(hadoop_$1_initrc_t)
fs_search_cgroup_dirs(hadoop_$1_initrc_t)
-@@ -196,6 +194,10 @@ template(`hadoop_domain_template',`
+@@ -184,6 +179,8 @@ template(`hadoop_domain_template',`
+
+ hadoop_exec_config(hadoop_$1_initrc_t)
+
++ auth_domtrans_chkpwd(hadoop_$1_initrc_t)
++
+ init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
+ init_use_script_ptys(hadoop_$1_initrc_t)
+@@ -196,8 +193,9 @@ template(`hadoop_domain_template',`
userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
optional_policy(`
+- nscd_socket_use(hadoop_$1_initrc_t)
+ consoletype_exec(hadoop_$1_initrc_t)
-+ ')
-+
-+ optional_policy(`
- nscd_socket_use(hadoop_$1_initrc_t)
')
++
')
+
+ ########################################
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
-index 7d3a469..5b1ec32 100644
+index 7d3a469..3889dc9 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
-@@ -165,7 +165,7 @@ miscfiles_read_localization(hadoop_t)
+@@ -161,24 +161,16 @@ files_read_usr_files(hadoop_t)
+
+ fs_getattr_xattr_fs(hadoop_t)
- sysnet_read_config(hadoop_t)
+-miscfiles_read_localization(hadoop_t)
++auth_use_nsswitch(hadoop_t)
+
+-sysnet_read_config(hadoop_t)
++miscfiles_read_localization(hadoop_t)
-userdom_use_user_terminals(hadoop_t)
+userdom_use_inherited_user_terminals(hadoop_t)
java_exec(hadoop_t)
-@@ -345,7 +345,7 @@ miscfiles_read_localization(zookeeper_t)
+ kerberos_use(hadoop_t)
+
+-optional_policy(`
+- nis_use_ypbind(hadoop_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(hadoop_t)
+-')
+-
+ ########################################
+ #
+ # Hadoop datanode policy.
+@@ -341,19 +333,17 @@ domain_use_interactive_fds(zookeeper_t)
+ files_read_etc_files(zookeeper_t)
+ files_read_usr_files(zookeeper_t)
+
++auth_use_nsswitch(zookeeper_t)
++
+ miscfiles_read_localization(zookeeper_t)
sysnet_read_config(zookeeper_t)
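Review bot: `sysnet_read_config(zookeeper_t)` is kept on the last line of the hunk while the identical call for `hadoop_t` is deleted in the same hunk on the grounds that `auth_use_nsswitch` already covers it (presumably via its DNS-resolution rules — confirm); the two domains should get the same treatment. Either drop the zookeeper line too, or leave a comment on it explaining why zookeeper needs resolver config beyond what `auth_use_nsswitch` grants. The zookeeper_t block continues outside the hunk.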
@@ -32747,6 +33777,14 @@ index 7d3a469..5b1ec32 100644
userdom_dontaudit_search_user_home_dirs(zookeeper_t)
java_exec(zookeeper_t)
+
+-optional_policy(`
+- nscd_socket_use(zookeeper_t)
+-')
+-
+ ########################################
+ #
+ # Hadoop zookeeper server policy.
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index c98b0df..3b1a051 100644
--- a/policy/modules/services/hal.fc
@@ -33209,7 +34247,7 @@ index dfb4232..7665429 100644
allow $1 ifplugd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
-index 978c32f..3b96342 100644
+index 978c32f..81c5ca2 100644
--- a/policy/modules/services/ifplugd.te
+++ b/policy/modules/services/ifplugd.te
@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
@@ -33221,6 +34259,15 @@ index 978c32f..3b96342 100644
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
+@@ -54,7 +54,7 @@ corecmd_exec_bin(ifplugd_t)
+ # reading of hardware information
+ dev_read_sysfs(ifplugd_t)
+
+-domain_read_confined_domains_state(ifplugd_t)
++domain_read_all_domains_state(ifplugd_t)
+ domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+ auth_use_nsswitch(ifplugd_t)
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index df48e5e..878d9df 100644
--- a/policy/modules/services/inetd.if
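Review bot: With `domain_read_all_domains_state(ifplugd_t)` now allowed, the `domain_dontaudit_read_all_domains_state(ifplugd_t)` kept on the next line is dead: a dontaudit on an access that is already granted has no effect, so drop it or comment that the allow is temporary. The replacement also widens ifplugd from confined-domain process state to every domain's /proc state, unconfined and init-launched ones included; NetworkManager_t gets the same widening in its hunk below. A one-line why-comment, e.g. `# reads state of unconfined helpers; see <tracker id placeholder>`, would tell the next reader which denial motivated it.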
@@ -36938,7 +37985,7 @@ index 256166a..6321a93 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..5e792cc 100644
+index 343cee3..f8c4fb6 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -37035,18 +38082,7 @@ index 343cee3..5e792cc 100644
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
- allow mta_user_agent $1:fd use;
- allow mta_user_agent $1:process sigchld;
- allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
-+
-+ ifdef(`hide_broken_symptoms',`
-+ dontaudit system_mail_t $1:socket_class_set { read write };
-+ ')
- ')
-
- ########################################
-@@ -391,12 +408,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +404,17 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -37066,7 +38102,7 @@ index 343cee3..5e792cc 100644
')
########################################
-@@ -409,7 +431,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +427,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
@@ -37074,7 +38110,7 @@ index 343cee3..5e792cc 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +441,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +437,24 @@ interface(`mta_signal_system_mail',`
########################################
##
@@ -37099,7 +38135,7 @@ index 343cee3..5e792cc 100644
## Execute sendmail in the caller domain.
##
##
-@@ -438,6 +477,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +473,26 @@ interface(`mta_sendmail_exec',`
########################################
##
@@ -37126,7 +38162,7 @@ index 343cee3..5e792cc 100644
## Read mail server configuration.
##
##
-@@ -474,7 +533,8 @@ interface(`mta_write_config',`
+@@ -474,7 +529,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -37136,7 +38172,7 @@ index 343cee3..5e792cc 100644
')
########################################
-@@ -494,6 +554,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +550,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -37144,7 +38180,7 @@ index 343cee3..5e792cc 100644
')
########################################
-@@ -532,7 +593,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +589,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -37153,7 +38189,7 @@ index 343cee3..5e792cc 100644
')
########################################
-@@ -552,7 +613,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +609,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -37162,7 +38198,7 @@ index 343cee3..5e792cc 100644
')
#######################################
-@@ -646,8 +707,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +703,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -37173,7 +38209,7 @@ index 343cee3..5e792cc 100644
')
#######################################
-@@ -697,8 +758,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +754,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -37184,7 +38220,7 @@ index 343cee3..5e792cc 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +899,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +895,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -37193,7 +38229,7 @@ index 343cee3..5e792cc 100644
')
########################################
-@@ -899,3 +960,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +956,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -37307,7 +38343,7 @@ index 343cee3..5e792cc 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..3bd4ceb 100644
+index 64268e4..cdcf4c7 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -37369,7 +38405,7 @@ index 64268e4..3bd4ceb 100644
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +89,28 @@ optional_policy(`
+@@ -92,14 +89,21 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -37383,23 +38419,18 @@ index 64268e4..3bd4ceb 100644
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
++')
- ifdef(`hide_broken_symptoms', `
-+ ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- ')
- ')
-
- optional_policy(`
+- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+- ')
++optional_policy(`
+ bugzilla_search_content(system_mail_t)
+ bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
-+')
-+
-+optional_policy(`
- clamav_stream_connect(system_mail_t)
- clamav_append_log(system_mail_t)
')
-@@ -111,6 +119,8 @@ optional_policy(`
+
+ optional_policy(`
+@@ -111,6 +115,8 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@@ -37408,7 +38439,7 @@ index 64268e4..3bd4ceb 100644
')
optional_policy(`
-@@ -124,12 +134,9 @@ optional_policy(`
+@@ -124,12 +130,9 @@ optional_policy(`
')
optional_policy(`
@@ -37423,7 +38454,7 @@ index 64268e4..3bd4ceb 100644
')
optional_policy(`
-@@ -146,6 +153,10 @@ optional_policy(`
+@@ -146,6 +149,10 @@ optional_policy(`
')
optional_policy(`
@@ -37434,7 +38465,7 @@ index 64268e4..3bd4ceb 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,18 +169,6 @@ optional_policy(`
+@@ -158,18 +165,6 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -37453,7 +38484,7 @@ index 64268e4..3bd4ceb 100644
')
optional_policy(`
-@@ -189,6 +188,10 @@ optional_policy(`
+@@ -189,6 +184,10 @@ optional_policy(`
')
optional_policy(`
@@ -37464,16 +38495,28 @@ index 64268e4..3bd4ceb 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,7 +202,7 @@ optional_policy(`
+@@ -199,15 +198,16 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
- ifdef(`hide_broken_symptoms', `
-+ ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+- ')
+-
+ optional_policy(`
+ cron_read_system_job_tmp_files(mta_user_agent)
')
+ ')
-@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
++ifdef(`hide_broken_symptoms',`
++ domain_dontaudit_leaks(user_mail_domain)
++ domain_dontaudit_leaks(mta_user_agent)
++')
++
+ ########################################
+ #
+ # Mailserver delivery local policy
+@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
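Review bot: The new `domain_dontaudit_leaks(user_mail_domain)` / `domain_dontaudit_leaks(mta_user_agent)` block is far broader than the arpwatch packet-socket dontaudit it replaces here (and the system_mail_t one removed in the `@@ -92,14 +89,21 @@` hunk above): as defined in refpolicy it silences fd use and inherited socket/fifo access from every domain, so genuine descriptor leaks into the mail agent stop producing AVC denials. It also sits outside any optional_policy block, so it is unconditional whenever hide_broken_symptoms is defined. If that is intended, a comment above it naming the leak it hides, e.g. `# hide_broken_symptoms: callers leak sockets into the mail agent; fix the callers rather than widen this`, keeps the exception from becoming permanent.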
@@ -37483,7 +38526,7 @@ index 64268e4..3bd4ceb 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +246,10 @@ optional_policy(`
+@@ -242,6 +243,10 @@ optional_policy(`
')
optional_policy(`
@@ -37494,7 +38537,7 @@ index 64268e4..3bd4ceb 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,16 +257,25 @@ optional_policy(`
+@@ -249,16 +254,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -37522,7 +38565,7 @@ index 64268e4..3bd4ceb 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +309,44 @@ optional_policy(`
+@@ -292,3 +306,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -38655,7 +39698,7 @@ index 2324d9e..eebf5a7 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..863ba2d 100644
+index 0619395..79140e4 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -38724,6 +39767,15 @@ index 0619395..863ba2d 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
+@@ -113,7 +136,7 @@ corecmd_exec_shell(NetworkManager_t)
+ corecmd_exec_bin(NetworkManager_t)
+
+ domain_use_interactive_fds(NetworkManager_t)
+-domain_read_confined_domains_state(NetworkManager_t)
++domain_read_all_domains_state(NetworkManager_t)
+
+ files_read_etc_files(NetworkManager_t)
+ files_read_etc_runtime_files(NetworkManager_t)
@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
@@ -41232,7 +42284,7 @@ index 1e7169d..05409ab 100644
')
-
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
-index 333a1fe..dcca269 100644
+index 333a1fe..e599723 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t)
@@ -41243,7 +42295,31 @@ index 333a1fe..dcca269 100644
type portmap_tmp_t;
files_tmp_file(portmap_tmp_t)
-@@ -142,7 +141,7 @@ logging_send_syslog_msg(portmap_helper_t)
+@@ -75,6 +74,8 @@ domain_use_interactive_fds(portmap_t)
+
+ files_read_etc_files(portmap_t)
+
++auth_use_nsswitch(portmap_t)
++
+ logging_send_syslog_msg(portmap_t)
+
+ miscfiles_read_localization(portmap_t)
+@@ -85,14 +86,6 @@ userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+ userdom_dontaudit_search_user_home_dirs(portmap_t)
+
+ optional_policy(`
+- nis_use_ypbind(portmap_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(portmap_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(portmap_t)
+ ')
+
+@@ -142,7 +135,7 @@ logging_send_syslog_msg(portmap_helper_t)
sysnet_read_config(portmap_helper_t)
@@ -41356,7 +42432,7 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..9e2714e 100644
+index 46bee12..c22af86 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -41592,7 +42668,7 @@ index 46bee12..9e2714e 100644
')
########################################
-@@ -621,3 +701,107 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -41695,10 +42771,6 @@ index 46bee12..9e2714e 100644
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };
-+ ')
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index a32c4b3..d60a654 100644
@@ -43152,7 +44224,7 @@ index 2855a44..c71fa1e 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..cb7c5e2 100644
+index 64c5f95..81cc685 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0)
@@ -43203,6 +44275,15 @@ index 64c5f95..cb7c5e2 100644
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+@@ -132,7 +147,7 @@ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
+ tunable_policy(`puppet_manage_all_files',`
+- auth_manage_all_files_except_shadow(puppet_t)
++ files_manage_non_security_files(puppet_t)
+ ')
+
+ optional_policy(`
@@ -162,7 +177,60 @@ optional_policy(`
########################################
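Review bot: `files_manage_non_security_files(puppet_t)` narrows `puppet_manage_all_files` from everything-but-shadow to everything outside security_file_type, which is the right direction but changes what the boolean promises; the tunable's description (declared outside this hunk) should say that shadow, SELinux configuration and other security-labelled files stay out of reach even with the boolean on. The same auth_*_except_shadow → files_*_non_security_files substitution is made for rgmanager_t, nfsd_t, rsync_t, smbd_t and nmbd_t below, and the descriptions of `nfs_export_all_ro`, `rsync_export_all_ro` and `samba_export_all_ro`/`samba_export_all_rw` deserve the same one-line caveat.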
@@ -44201,10 +45282,10 @@ index f04a595..3203212 100644
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
-index 852840b..4427b21 100644
+index 852840b..cc1775e 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
-@@ -5,118 +5,139 @@ policy_module(razor, 2.2.0)
+@@ -5,118 +5,135 @@ policy_module(razor, 2.2.0)
# Declarations
#
@@ -44291,7 +45372,7 @@ index 852840b..4427b21 100644
+ corenet_tcp_connect_razor_port(system_razor_t)
+ corenet_sendrecv_razor_client_packets(system_razor_t)
+
-+ sysnet_read_config(system_razor_t)
++ auth_use_nsswitch(system_razor_t)
+
+ # cjp: this shouldn't be needed
+ userdom_use_unpriv_users_fds(system_razor_t)
@@ -44300,10 +45381,6 @@ index 852840b..4427b21 100644
+ logging_send_syslog_msg(system_razor_t)
+ ')
+
-+ optional_policy(`
-+ nscd_socket_use(system_razor_t)
-+ ')
-+
+ ########################################
+ #
+ # User razor local policy
@@ -44326,30 +45403,32 @@ index 852840b..4427b21 100644
+ auth_use_nsswitch(razor_t)
+
+ logging_send_syslog_msg(razor_t)
-
--type razor_etc_t;
--files_config_file(razor_etc_t)
++
+ userdom_search_user_home_dirs(razor_t)
+ userdom_use_inherited_user_terminals(razor_t)
-
--type razor_home_t;
--typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
--typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
--userdom_user_home_content(razor_home_t)
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+ ')
--type razor_log_t;
--logging_log_file(razor_log_t)
+-type razor_etc_t;
+-files_config_file(razor_etc_t)
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+ ')
+-type razor_home_t;
+-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+-userdom_user_home_content(razor_home_t)
+-
+-type razor_log_t;
+-logging_log_file(razor_log_t)
+-
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
@@ -44635,7 +45714,7 @@ index 7dc38d1..9c2c963 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..9e237a7 100644
+index 00fa514..d95e136 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -44719,7 +45798,8 @@ index 00fa514..9e237a7 100644
-#term_use_ptmx(rgmanager_t)
# needed by resources scripts
- auth_read_all_files_except_shadow(rgmanager_t)
+-auth_read_all_files_except_shadow(rgmanager_t)
++files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
@@ -46024,7 +47104,7 @@ index f7826f9..679d185 100644
+ admin_pattern($1, ricci_var_run_t)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..a61bb94 100644
+index 33e72e8..ffc0c12 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -46091,7 +47171,16 @@ index 33e72e8..a61bb94 100644
domain_read_all_domains_state(ricci_modcluster_t)
-@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
+@@ -202,6 +212,8 @@ files_read_etc_runtime_files(ricci_modcluster_t)
+ files_read_etc_files(ricci_modcluster_t)
+ files_search_usr(ricci_modcluster_t)
+
++auth_use_nsswitch(ricci_modcluster_t)
++
+ init_exec(ricci_modcluster_t)
+ init_domtrans_script(ricci_modcluster_t)
+
+@@ -209,13 +221,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
miscfiles_read_localization(ricci_modcluster_t)
@@ -46108,10 +47197,11 @@ index 33e72e8..a61bb94 100644
optional_policy(`
aisexec_stream_connect(ricci_modcluster_t)
-@@ -233,6 +239,18 @@ optional_policy(`
+@@ -233,7 +241,15 @@ optional_policy(`
')
optional_policy(`
+- nscd_socket_use(ricci_modcluster_t)
+ modutils_domtrans_insmod(ricci_modcluster_t)
+')
+
@@ -46121,13 +47211,10 @@ index 33e72e8..a61bb94 100644
+
+optional_policy(`
+ consoletype_exec(ricci_modcluster_t)
-+')
-+
-+optional_policy(`
- nscd_socket_use(ricci_modcluster_t)
')
-@@ -241,8 +259,7 @@ optional_policy(`
+ optional_policy(`
+@@ -241,8 +257,7 @@ optional_policy(`
')
optional_policy(`
@@ -46137,7 +47224,7 @@ index 33e72e8..a61bb94 100644
')
########################################
-@@ -261,6 +278,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +276,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
@@ -46148,7 +47235,7 @@ index 33e72e8..a61bb94 100644
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +293,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +291,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
@@ -46156,7 +47243,7 @@ index 33e72e8..a61bb94 100644
corecmd_exec_bin(ricci_modclusterd_t)
-@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
+@@ -394,8 +414,6 @@ files_search_usr(ricci_modservice_t)
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)
@@ -46165,7 +47252,7 @@ index 33e72e8..a61bb94 100644
init_domtrans_script(ricci_modservice_t)
miscfiles_read_localization(ricci_modservice_t)
-@@ -405,6 +425,10 @@ optional_policy(`
+@@ -405,6 +423,10 @@ optional_policy(`
')
optional_policy(`
@@ -46176,7 +47263,7 @@ index 33e72e8..a61bb94 100644
nscd_dontaudit_search_pid(ricci_modservice_t)
')
-@@ -444,22 +468,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +466,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -46191,7 +47278,8 @@ index 33e72e8..a61bb94 100644
term_dontaudit_use_console(ricci_modstorage_t)
-fstools_domtrans(ricci_modstorage_t)
--
++auth_use_nsswitch(ricci_modstorage_t)
+
logging_send_syslog_msg(ricci_modstorage_t)
miscfiles_read_localization(ricci_modstorage_t)
@@ -46205,7 +47293,7 @@ index 33e72e8..a61bb94 100644
optional_policy(`
aisexec_stream_connect(ricci_modstorage_t)
corosync_stream_connect(ricci_modstorage_t)
-@@ -471,11 +493,27 @@ optional_policy(`
+@@ -471,12 +493,24 @@ optional_policy(`
')
optional_policy(`
@@ -46222,17 +47310,15 @@ index 33e72e8..a61bb94 100644
')
optional_policy(`
+- nscd_socket_use(ricci_modstorage_t)
+ modutils_read_module_deps(ricci_modstorage_t)
+')
+
+optional_policy(`
+ mount_domtrans(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
- nscd_socket_use(ricci_modstorage_t)
')
+ optional_policy(`
diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
index 2785337..d7f6b82 100644
--- a/policy/modules/services/rlogin.fc
@@ -46448,7 +47534,7 @@ index cda37bb..484e552 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..06e637c 100644
+index b1468ed..fb0f852 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -46545,7 +47631,25 @@ index b1468ed..06e637c 100644
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
-@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -158,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',`
+ dev_getattr_all_chr_files(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+- auth_manage_all_files_except_shadow(nfsd_t)
+ ')
+
+ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +187,7 @@ tunable_policy(`nfs_export_all_ro',`
+
+ fs_read_noxattr_fs_files(nfsd_t)
+
+- auth_read_all_dirs_except_shadow(nfsd_t)
+- auth_read_all_files_except_shadow(nfsd_t)
++ files_read_non_security_files(nfsd_t)
+ ')
+
+ ########################################
+@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
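Review bot: Inside the `nfs_export_all_rw` block the line `auth_manage_all_files_except_shadow(nfsd_t)` is deleted with no replacement in this hunk (old count 7, new 6), whereas the `nfs_export_all_ro` block right below receives `files_read_non_security_files(nfsd_t)`. Unless a `files_manage_non_security_files(nfsd_t)` was added earlier in the same tunable_policy outside this hunk, read-write exports lose write access to every file type and the boolean silently degrades to read-only. Please confirm, and if the add lives elsewhere, keep it adjacent to the removed line so the tunable reads as one unit.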
@@ -46554,7 +47658,7 @@ index b1468ed..06e637c 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +215,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -46562,7 +47666,7 @@ index b1468ed..06e637c 100644
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +227,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
@@ -46579,7 +47683,7 @@ index b1468ed..06e637c 100644
')
optional_policy(`
-@@ -229,6 +248,10 @@ optional_policy(`
+@@ -229,6 +246,10 @@ optional_policy(`
')
optional_policy(`
@@ -46791,7 +47895,7 @@ index 3386f29..b28cae5 100644
+ files_etc_filetrans($1, rsync_etc_t, $2)
+')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
-index 39015ae..5e7b7cf 100644
+index 39015ae..967bebd 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -7,6 +7,13 @@ policy_module(rsync, 1.10.0)
@@ -46825,7 +47929,7 @@ index 39015ae..5e7b7cf 100644
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-@@ -122,6 +128,7 @@ optional_policy(`
+@@ -122,12 +128,26 @@ optional_policy(`
')
tunable_policy(`rsync_export_all_ro',`
@@ -46833,8 +47937,10 @@ index 39015ae..5e7b7cf 100644
fs_read_noxattr_fs_files(rsync_t)
fs_read_nfs_files(rsync_t)
fs_read_cifs_files(rsync_t)
-@@ -130,4 +137,19 @@ tunable_policy(`rsync_export_all_ro',`
- auth_read_all_symlinks_except_shadow(rsync_t)
+- auth_read_all_dirs_except_shadow(rsync_t)
+- auth_read_all_files_except_shadow(rsync_t)
+- auth_read_all_symlinks_except_shadow(rsync_t)
++ files_read_non_security_files(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
+
@@ -47207,7 +48313,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..fdfa9bf 100644
+index e30bb63..a23112b 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -47314,7 +48420,7 @@ index e30bb63..fdfa9bf 100644
optional_policy(`
cups_read_rw_config(smbd_t)
-@@ -445,8 +445,8 @@ optional_policy(`
+@@ -445,26 +445,25 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -47324,17 +48430,31 @@ index e30bb63..fdfa9bf 100644
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
-@@ -462,8 +462,8 @@ tunable_policy(`samba_export_all_rw',`
- auth_manage_all_files_except_shadow(smbd_t)
+- auth_read_all_dirs_except_shadow(smbd_t)
+- auth_read_all_files_except_shadow(smbd_t)
++ files_read_non_security_files(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
- auth_manage_all_files_except_shadow(nmbd_t)
+- auth_read_all_dirs_except_shadow(nmbd_t)
+- auth_read_all_files_except_shadow(nmbd_t)
++ files_read_non_security_files(nmbd_t)
+ ')
+
+ tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(smbd_t)
+- auth_manage_all_files_except_shadow(smbd_t)
++ files_manage_non_security_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+- auth_manage_all_files_except_shadow(nmbd_t)
- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++ files_manage_non_security_files(nmbd_t)
')
-+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++
########################################
#
-@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+ # nmbd Local policy
+@@ -484,8 +483,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -47345,7 +48465,7 @@ index e30bb63..fdfa9bf 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +560,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
@@ -47363,7 +48483,7 @@ index e30bb63..fdfa9bf 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t)
+@@ -578,7 +578,7 @@ files_read_etc_files(smbcontrol_t)
miscfiles_read_localization(smbcontrol_t)
@@ -47372,7 +48492,7 @@ index e30bb63..fdfa9bf 100644
########################################
#
-@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +644,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -47397,7 +48517,7 @@ index e30bb63..fdfa9bf 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -47406,7 +48526,7 @@ index e30bb63..fdfa9bf 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -47421,7 +48541,7 @@ index e30bb63..fdfa9bf 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -47429,7 +48549,7 @@ index e30bb63..fdfa9bf 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +760,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +759,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -47438,7 +48558,7 @@ index e30bb63..fdfa9bf 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -47460,7 +48580,7 @@ index e30bb63..fdfa9bf 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -47468,7 +48588,7 @@ index e30bb63..fdfa9bf 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +913,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -47477,7 +48597,7 @@ index e30bb63..fdfa9bf 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +932,18 @@ optional_policy(`
+@@ -922,6 +931,18 @@ optional_policy(`
#
optional_policy(`
@@ -47496,7 +48616,7 @@ index e30bb63..fdfa9bf 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +954,12 @@ optional_policy(`
+@@ -932,9 +953,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -48338,7 +49458,7 @@ index 275f9fb..4f4a192 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..5c0d25f 100644
+index 3d8d1b3..0c5769c 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -48379,14 +49499,18 @@ index 3d8d1b3..5c0d25f 100644
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
-@@ -97,6 +100,7 @@ fs_search_auto_mountpoints(snmpd_t)
+@@ -97,9 +100,10 @@ fs_search_auto_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
+storage_dontaudit_write_removable_device(snmpd_t)
auth_use_nsswitch(snmpd_t)
- auth_read_all_dirs_except_shadow(snmpd_t)
+-auth_read_all_dirs_except_shadow(snmpd_t)
++files_list_all(snmpd_t)
+
+ init_read_utmp(snmpd_t)
+ init_dontaudit_write_utmp(snmpd_t)
@@ -115,7 +119,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
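Review bot: `files_list_all(snmpd_t)` replaces `auth_read_all_dirs_except_shadow(snmpd_t)` but does not follow the shape of the rest of this patch: every other except-shadow interface here is swapped for a `files_*_non_security_*` one, while `files_list_all` lists directories of every file_type, security-labelled ones included. `files_list_non_security(snmpd_t)` keeps snmpd out of security directories and matches the puppet, rpc, rsync and samba hunks; if snmpd genuinely needs the security directories, a why-comment above the line should say which ones and why.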
@@ -49607,7 +50731,7 @@ index 22adaca..76e8829 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..fcfc95b 100644
+index 2dad3c8..a85027d 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -49793,7 +50917,7 @@ index 2dad3c8..fcfc95b 100644
##############################
#
# ssh_keysign_t local policy
-@@ -209,8 +230,9 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +230,14 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -49804,7 +50928,18 @@ index 2dad3c8..fcfc95b 100644
dev_read_urand(ssh_keysign_t)
files_read_etc_files(ssh_keysign_t)
-@@ -232,33 +254,43 @@ optional_policy(`
+ ')
+
+-optional_policy(`
+- tunable_policy(`allow_ssh_keysign',`
+- nscd_socket_use(ssh_keysign_t)
+- ')
+-')
+-
+ #################################
+ #
+ # sshd local policy
+@@ -232,33 +248,43 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
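Review bot: The removed `nscd_socket_use(ssh_keysign_t)` was gated by `tunable_policy(`allow_ssh_keysign',...)`, and its replacement is not in this hunk; if it is `auth_use_nsswitch(ssh_keysign_t)`, which this patch turns into a `typeattribute` statement, it cannot sit inside a tunable block, so ssh_keysign_t would get the whole `nsswitch_domain` rule set (including unconditional `sysnet_dns_name_resolve`) even with the boolean off. A comment at the call site should say that the boolean no longer bounds name-service access, or the keysign domain should be checked for whether it needs nsswitch at all. The same nscd removal without a visible replacement appears for uux_t at `@@ -145,5 +147,5 @@`; for ssh_keygen_t the hunk header `@@ -351,10 +405,7 @@ auth_use_nsswitch(ssh_keygen_t)` shows the replacement already present, and the sysstat_t, hwclock_t and getty_t hunks add it explicitly. The enclosing tunable block starts above this hunk.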
@@ -49857,7 +50992,7 @@ index 2dad3c8..fcfc95b 100644
')
optional_policy(`
-@@ -266,11 +298,24 @@ optional_policy(`
+@@ -266,11 +292,24 @@ optional_policy(`
')
optional_policy(`
@@ -49883,7 +51018,7 @@ index 2dad3c8..fcfc95b 100644
')
optional_policy(`
-@@ -284,6 +329,15 @@ optional_policy(`
+@@ -284,6 +323,15 @@ optional_policy(`
')
optional_policy(`
@@ -49899,7 +51034,7 @@ index 2dad3c8..fcfc95b 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +346,26 @@ optional_policy(`
+@@ -292,26 +340,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -49945,7 +51080,7 @@ index 2dad3c8..fcfc95b 100644
') dnl endif TODO
########################################
-@@ -322,19 +376,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +370,25 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -49972,18 +51107,18 @@ index 2dad3c8..fcfc95b 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +411,10 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,10 +405,7 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+userdom_use_user_terminals(ssh_keygen_t)
-
- optional_policy(`
+-
+-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-+ nscd_socket_use(ssh_keygen_t)
- ')
+-')
++userdom_use_user_terminals(ssh_keygen_t)
optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..6dbfc01 100644
--- a/policy/modules/services/sssd.if
@@ -50216,7 +51351,7 @@ index 08d999c..bca4388 100644
/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
-index 52f0d6c..6bfbf45 100644
+index 52f0d6c..7ef2b18 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
@@ -50237,7 +51372,7 @@ index 52f0d6c..6bfbf45 100644
allow sysstat_t self:fifo_file rw_fifo_file_perms;
can_exec(sysstat_t, sysstat_exec_t)
-@@ -51,7 +49,7 @@ fs_getattr_xattr_fs(sysstat_t)
+@@ -51,12 +49,16 @@ fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
term_use_console(sysstat_t)
@@ -50246,14 +51381,23 @@ index 52f0d6c..6bfbf45 100644
init_use_fds(sysstat_t)
-@@ -68,3 +66,7 @@ optional_policy(`
+ locallogin_use_fds(sysstat_t)
+
++auth_use_nsswitch(sysstat_t)
++
++logging_send_syslog_msg(sysstat_t)
++
+ miscfiles_read_localization(sysstat_t)
+
+ userdom_dontaudit_list_user_home_dirs(sysstat_t)
+@@ -64,7 +66,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
- logging_send_syslog_msg(sysstat_t)
+ cron_system_entry(sysstat_t, sysstat_exec_t)
')
-+
-+optional_policy(`
-+ nscd_socket_use(sysstat_t)
-+')
+-
+-optional_policy(`
+- logging_send_syslog_msg(sysstat_t)
+-')
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index 7038b55..4e84f23 100644
--- a/policy/modules/services/tcpd.te
@@ -50815,7 +51959,7 @@ index 4440aa6..34ffbfd 100644
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index d4349e9..5e7be4f 100644
+index d4349e9..f14d337 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -24,7 +24,7 @@ type uucpd_ro_t;
@@ -50836,14 +51980,13 @@ index d4349e9..5e7be4f 100644
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
-@@ -147,3 +149,7 @@ optional_policy(`
- optional_policy(`
- nscd_socket_use(uux_t)
+@@ -145,5 +147,5 @@ optional_policy(`
')
-+
-+optional_policy(`
+
+ optional_policy(`
+- nscd_socket_use(uux_t)
+ postfix_rw_master_pipes(uux_t)
-+')
+ ')
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index f9310f3..064171e 100644
--- a/policy/modules/services/varnishd.te
@@ -51187,10 +52330,10 @@ index 2124b6a..55b5012 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..59ba27c 100644
+index 7c5d8d8..4feaf88 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
-@@ -13,39 +13,42 @@
+@@ -13,39 +13,44 @@
#
template(`virt_domain_template',`
gen_require(`
@@ -51227,7 +52370,8 @@ index 7c5d8d8..59ba27c 100644
- type $1_var_run_t;
- files_pid_file($1_var_run_t)
--
++ auth_use_nsswitch($1_t)
+
- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
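Review bot: `auth_use_nsswitch($1_t)` moves into the template because the reworked interface now emits `typeattribute $1 nsswitch_domain`, which takes a type and not an attribute — the matching removal of `auth_use_nsswitch(virt_domain)` is in the virt.te hunk at `@@ -440,14 +588,20 @@`, and zarafa gets the same treatment (`auth_use_nsswitch(zarafa_$1_t)` added in zarafa.if, `auth_use_nsswitch(zarafa_domain)` removed in zarafa.te). Any type that carried `virt_domain` or `zarafa_domain` without going through the template silently loses name resolution after this change, which is worth checking before merge. A one-line comment would spare the next reader the search: `# per type, not on virt_domain: auth_use_nsswitch now assigns an attribute`.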
@@ -51242,7 +52386,7 @@ index 7c5d8d8..59ba27c 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +60,6 @@ template(`virt_domain_template',`
+@@ -57,18 +62,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -51261,7 +52405,7 @@ index 7c5d8d8..59ba27c 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -101,9 +92,9 @@ interface(`virt_image',`
+@@ -101,9 +94,9 @@ interface(`virt_image',`
## Execute a domain transition to run virt.
##
##
@@ -51273,7 +52417,7 @@ index 7c5d8d8..59ba27c 100644
##
#
interface(`virt_domtrans',`
-@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +157,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -51289,7 +52433,7 @@ index 7c5d8d8..59ba27c 100644
')
########################################
-@@ -185,13 +176,13 @@ interface(`virt_read_config',`
+@@ -185,13 +178,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -51305,7 +52449,7 @@ index 7c5d8d8..59ba27c 100644
')
########################################
-@@ -231,6 +222,24 @@ interface(`virt_read_content',`
+@@ -231,6 +224,24 @@ interface(`virt_read_content',`
########################################
##
@@ -51330,7 +52474,7 @@ index 7c5d8d8..59ba27c 100644
## Read virt PID files.
##
##
-@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +280,36 @@ interface(`virt_manage_pid_files',`
########################################
##
@@ -51367,7 +52511,7 @@ index 7c5d8d8..59ba27c 100644
## Search virt lib directories.
##
##
-@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +349,24 @@ interface(`virt_read_lib_files',`
########################################
##
@@ -51392,7 +52536,7 @@ index 7c5d8d8..59ba27c 100644
## Create, read, write, and delete
## virt lib files.
##
-@@ -352,9 +409,9 @@ interface(`virt_read_log',`
+@@ -352,9 +411,9 @@ interface(`virt_read_log',`
## virt log files.
##
##
@@ -51404,7 +52548,7 @@ index 7c5d8d8..59ba27c 100644
##
#
interface(`virt_append_log',`
-@@ -424,6 +481,24 @@ interface(`virt_read_images',`
+@@ -424,6 +483,24 @@ interface(`virt_read_images',`
########################################
##
@@ -51429,7 +52573,7 @@ index 7c5d8d8..59ba27c 100644
## Create, read, write, and delete
## svirt cache files.
##
-@@ -433,15 +508,15 @@ interface(`virt_read_images',`
+@@ -433,15 +510,15 @@ interface(`virt_read_images',`
##
##
#
@@ -51450,7 +52594,7 @@ index 7c5d8d8..59ba27c 100644
')
########################################
-@@ -500,11 +575,16 @@ interface(`virt_manage_images',`
+@@ -500,11 +577,16 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -51467,7 +52611,7 @@ index 7c5d8d8..59ba27c 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +595,188 @@ interface(`virt_admin',`
+@@ -515,4 +597,188 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -51657,7 +52801,7 @@ index 7c5d8d8..59ba27c 100644
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..b2c36e4 100644
+index 3eca020..5a0c2ce 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -52062,7 +53206,7 @@ index 3eca020..b2c36e4 100644
dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
-+ dnsmasq_filetrans_named_content(virtd_t, virt_var_run_t);
++ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
')
optional_policy(`
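Review bot: The renamed call keeps a trailing semicolon, `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);`, while the neighbouring `dnsmasq_*` calls in the same block have none; refpolicy interface calls are written without one, and the stray `;` survives into the expanded policy as an empty statement. Proposed line: `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t)`. The optional_policy block this sits in starts above the hunk.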
@@ -52148,7 +53292,7 @@ index 3eca020..b2c36e4 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,8 +588,16 @@ files_search_all(virt_domain)
+@@ -440,14 +588,20 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -52166,7 +53310,13 @@ index 3eca020..b2c36e4 100644
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
-@@ -457,8 +613,176 @@ optional_policy(`
+
+-auth_use_nsswitch(virt_domain)
+-
+ logging_send_syslog_msg(virt_domain)
+
+ miscfiles_read_localization(virt_domain)
+@@ -457,8 +611,176 @@ optional_policy(`
')
optional_policy(`
@@ -52763,7 +53913,7 @@ index 4966c94..cb2e1a3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..10b57e0 100644
+index 130ced9..1772fa2 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -52848,17 +53998,13 @@ index 130ced9..10b57e0 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +116,27 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,23 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
+
+ modutils_run_insmod(xserver_t, $1)
-+
-+ ifdef(`hide_broken_symptoms',`
-+ dontaudit iceauth_t $2:socket_class_set { read write };
-+ ')
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
@@ -52876,7 +54022,7 @@ index 130ced9..10b57e0 100644
')
########################################
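Review bot: Dropping the `ifdef(`hide_broken_symptoms',...)` dontaudit on `iceauth_t $2:socket_class_set` means the inherited-descriptor denials it hid will now be logged for every domain given `xserver_restricted_role`; that is the right direction only if the descriptor leak is closed at its source, and the commit does not say where. The same block is removed from `xserver_domtrans_xauth` for xauth_t in the hunk at `@@ -545,6 +598,28 @@`. Either name the fix in the commit message or keep the dontaudit until it lands, so the reappearing AVCs are not misread as a regression.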
-@@ -143,13 +168,15 @@ interface(`xserver_role',`
+@@ -143,13 +164,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -52894,7 +54040,7 @@ index 130ced9..10b57e0 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +189,6 @@ interface(`xserver_role',`
+@@ -162,7 +185,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -52902,7 +54048,7 @@ index 130ced9..10b57e0 100644
')
#######################################
-@@ -197,7 +223,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +219,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -52911,7 +54057,7 @@ index 130ced9..10b57e0 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +253,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +249,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -52920,7 +54066,7 @@ index 130ced9..10b57e0 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +281,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +277,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -52929,7 +54075,7 @@ index 130ced9..10b57e0 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +317,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +313,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -52947,7 +54093,7 @@ index 130ced9..10b57e0 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +368,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +364,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -52974,7 +54120,7 @@ index 130ced9..10b57e0 100644
')
##############################
-@@ -386,6 +416,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +412,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -52990,7 +54136,7 @@ index 130ced9..10b57e0 100644
')
#######################################
-@@ -444,8 +483,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +479,9 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -53002,7 +54148,7 @@ index 130ced9..10b57e0 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +496,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +492,18 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
@@ -53023,7 +54169,7 @@ index 130ced9..10b57e0 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +519,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +515,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -53033,6 +54179,7 @@ index 130ced9..10b57e0 100644
xserver_read_xdm_tmp_files($2)
+ xserver_read_xdm_pid($2)
++ xserver_xdm_append_log($2)
# X object manager
xserver_object_types_template($1)
@@ -53051,7 +54198,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +566,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -53059,18 +54206,10 @@ index 130ced9..10b57e0 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +598,28 @@ interface(`xserver_domtrans_xauth',`
- ')
+@@ -549,6 +599,24 @@ interface(`xserver_domtrans_xauth',`
- domtrans_pattern($1, xauth_exec_t, xauth_t)
-+
-+ ifdef(`hide_broken_symptoms',`
-+ dontaudit xauth_t $1:socket_class_set { read write };
-+ ')
-+')
-+
-+########################################
-+##
+ ########################################
+ ##
+## Dontaudit exec of Xauthority program.
+##
+##
@@ -53085,10 +54224,14 @@ index 130ced9..10b57e0 100644
+ ')
+
+ dontaudit $1 xauth_exec_t:file execute;
- ')
-
- ########################################
-@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',`
++')
++
++########################################
++##
+ ## Create a Xauthority file in the user home directory.
+ ##
+ ##
+@@ -598,6 +666,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -53096,7 +54239,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +684,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -53105,7 +54248,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -638,6 +714,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +707,25 @@ interface(`xserver_rw_console',`
########################################
##
@@ -53131,7 +54274,7 @@ index 130ced9..10b57e0 100644
## Use file descriptors for xdm.
##
##
-@@ -651,7 +746,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +739,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -53140,7 +54283,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -670,7 +765,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +758,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -53149,7 +54292,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -688,7 +783,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +776,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -53158,7 +54301,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -703,12 +798,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +791,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -53172,7 +54315,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -724,11 +818,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +811,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -53206,7 +54349,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -752,6 +866,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +859,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -53232,7 +54375,7 @@ index 130ced9..10b57e0 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -765,7 +898,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +891,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -53241,7 +54384,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -805,7 +938,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +931,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -53269,7 +54412,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -828,6 +980,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +973,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -53294,7 +54437,7 @@ index 130ced9..10b57e0 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -897,7 +1067,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1060,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -53303,7 +54446,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -916,7 +1086,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1079,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -53312,7 +54455,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -963,6 +1133,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1126,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -53358,7 +54501,7 @@ index 130ced9..10b57e0 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1185,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1178,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -53367,7 +54510,7 @@ index 130ced9..10b57e0 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1247,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1240,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -53410,7 +54553,7 @@ index 130ced9..10b57e0 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1297,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1290,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -53419,7 +54562,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -1070,8 +1315,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1308,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -53431,7 +54574,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -1185,6 +1432,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1425,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -53458,7 +54601,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -1210,7 +1477,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1470,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -53467,7 +54610,7 @@ index 130ced9..10b57e0 100644
##
##
##
-@@ -1220,13 +1487,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1480,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -53492,7 +54635,7 @@ index 130ced9..10b57e0 100644
')
########################################
-@@ -1243,10 +1520,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1513,458 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -53711,7 +54854,7 @@ index 130ced9..10b57e0 100644
+ ')
+
+ typeattribute $1 xdmhomewriter;
-+ append_files_pattern($1, xdm_log_t, xdm_log_t)
++ allow $1 xdm_log_t:file append_inherited_file_perms;
+')
+
+########################################
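Review bot: The interface body now grants `allow $1 xdm_log_t:file append_inherited_file_perms;` instead of `append_files_pattern`, which — if that permission set is the usual inherited one without `open` — limits callers to appending on an xdm log descriptor they already hold; since this interface is also newly called for every domain built by `xserver_user_x_domain_template` (`xserver_xdm_append_log($2)` at `@@ -472,20 +515,26 @@`), that restriction is what keeps user X domains from opening the xdm log themselves. The interface's name and doc block are above this hunk; its summary should state "append to inherited xdm log file descriptors; does not grant open", and the `typeattribute $1 xdmhomewriter` it also performs deserves a mention there too.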
@@ -55204,10 +56347,19 @@ index 3defaa1..2ad2488 100644
/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
-index 21ae664..fcc91a1 100644
+index 21ae664..3e448dd 100644
--- a/policy/modules/services/zarafa.if
+++ b/policy/modules/services/zarafa.if
-@@ -118,3 +118,24 @@ interface(`zarafa_stream_connect_server',`
+@@ -42,6 +42,8 @@ template(`zarafa_domain_template',`
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
++
++ auth_use_nsswitch(zarafa_$1_t)
+ ')
+
+ ######################################
+@@ -118,3 +120,24 @@ interface(`zarafa_stream_connect_server',`
files_search_var_lib($1)
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
')
@@ -55233,7 +56385,7 @@ index 21ae664..fcc91a1 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..54abc7a 100644
+index 9fb4747..42a6067 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -55309,6 +56461,13 @@ index 9fb4747..54abc7a 100644
# zarafa domains local policy
#
+@@ -156,6 +201,4 @@ kernel_read_system_state(zarafa_domain)
+
+ files_read_etc_files(zarafa_domain)
+
+-auth_use_nsswitch(zarafa_domain)
+-
+ miscfiles_read_localization(zarafa_domain)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 6b87605..347f754 100644
--- a/policy/modules/services/zebra.if
@@ -55462,8 +56621,18 @@ index c6fdab7..41198a4 100644
optional_policy(`
cron_sigchld(application_domain_type)
')
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..5cae905 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -45,5 +45,4 @@ ifdef(`distro_gentoo', `
+ /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..dedb917 100644
+index 73554ec..07e21e1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
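Review bot: The removed `/var/run/user(/.*)?` entry leaves that tree with no explicit label from authlogin.fc; unless another module's .fc in this patch takes it over (nothing visible here), new files under it fall back to the `/var/run` default and any rule that relied on `var_auth_t` there stops matching. The commit should name the module that now owns the label, or the line should stay with a comment such as `# per-user runtime dirs; relabel owned by <module>` once the owner is decided.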
@@ -55805,64 +56974,69 @@ index 73554ec..dedb917 100644
## Use nsswitch to look up user, password, group, or
## host information.
##
-@@ -1579,28 +1758,36 @@ interface(`auth_relabel_login_records',`
+@@ -1578,54 +1757,11 @@ interface(`auth_relabel_login_records',`
+ ##
#
interface(`auth_use_nsswitch',`
-
+-
- files_list_var_lib($1)
-
- # read /etc/nsswitch.conf
- files_read_etc_files($1)
-
+- # read /etc/nsswitch.conf
+- files_read_etc_files($1)
+-
- miscfiles_read_generic_certs($1)
-
- sysnet_dns_name_resolve($1)
+- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-+
-+ tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ files_list_var_lib($1)
-+
-+ miscfiles_read_generic_certs($1)
-+
-+ sysnet_use_ldap($1)
-+ ')
-
- optional_policy(`
+-
+- optional_policy(`
- avahi_stream_connect($1)
-+ tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ dirsrv_stream_connect($1)
-+ ')
- ')
-
- optional_policy(`
+- ')
+-
+- optional_policy(`
- ldap_stream_connect($1)
-+ tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ ldap_stream_connect($1)
-+ ')
- ')
-
- optional_policy(`
- likewise_stream_connect_lsassd($1)
- ')
-
-+ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
- optional_policy(`
- kerberos_use($1)
- ')
-@@ -1610,7 +1797,7 @@ interface(`auth_use_nsswitch',`
- ')
-
- optional_policy(`
+- ')
+-
+- optional_policy(`
+- likewise_stream_connect_lsassd($1)
+- ')
+-
+- optional_policy(`
+- kerberos_use($1)
+- ')
+-
+- optional_policy(`
+- nis_use_ypbind($1)
+- ')
+-
+- optional_policy(`
- nscd_socket_use($1)
-+ nscd_use($1)
+- ')
+-
+- optional_policy(`
+- nslcd_stream_connect($1)
+- ')
+-
+- optional_policy(`
+- sssd_stream_connect($1)
++ gen_require(`
++ attribute nsswitch_domain;
')
- optional_policy(`
+- optional_policy(`
+- samba_stream_connect_winbind($1)
+- samba_read_var_files($1)
+- samba_dontaudit_write_var_files($1)
+- ')
++ typeattribute $1 nsswitch_domain;
+ ')
+
+ ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..335900f 100644
+index b7a5f00..a53db2b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
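Review bot: The rewritten `auth_use_nsswitch` now emits `typeattribute $1 nsswitch_domain`, which changes the interface contract in two ways the doc block does not mention: `$1` must be a type rather than an attribute (the reason the virt and zarafa callers were rewritten), and the call can no longer sit inside a `tunable_policy` or other conditional block, where typeattribute is not permitted. Suggest extending the `<param name="domain">` description with `## Domain type (not an attribute). Assigns the nsswitch_domain attribute; cannot be used inside tunable_policy blocks.`. The doc block's opening lines are context above this hunk.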
-@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1)
+@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
# Declarations
#
@@ -55884,10 +57058,11 @@ index b7a5f00..335900f 100644
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
+attribute polydomain;
++attribute nsswitch_domain;
type auth_cache_t;
logging_log_file(auth_cache_t)
-@@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t)
+@@ -100,6 +116,8 @@ dev_read_urand(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
@@ -55896,7 +57071,7 @@ index b7a5f00..335900f 100644
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-@@ -118,7 +135,7 @@ miscfiles_read_localization(chkpwd_t)
+@@ -118,7 +136,7 @@ miscfiles_read_localization(chkpwd_t)
seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)
@@ -55905,7 +57080,7 @@ index b7a5f00..335900f 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -343,7 +360,7 @@ logging_send_syslog_msg(updpwd_t)
+@@ -343,7 +361,7 @@ logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
@@ -55914,7 +57089,15 @@ index b7a5f00..335900f 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -377,7 +394,7 @@ domain_use_interactive_fds(utempter_t)
+@@ -371,13 +389,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+ term_dontaudit_use_all_ptys(utempter_t)
+ term_dontaudit_use_ptmx(utempter_t)
+
++auth_use_nsswitch(utempter_t)
++
+ init_rw_utmp(utempter_t)
+
+ domain_use_interactive_fds(utempter_t)
logging_search_logs(utempter_t)
@@ -55923,20 +57106,81 @@ index b7a5f00..335900f 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -395,3 +412,13 @@ optional_policy(`
- xserver_use_xdm_fds(utempter_t)
- xserver_rw_xdm_pipes(utempter_t)
+@@ -388,10 +408,71 @@ ifdef(`distro_ubuntu',`
')
+
+ optional_policy(`
+- nscd_socket_use(utempter_t)
++ xserver_use_xdm_fds(utempter_t)
++ xserver_rw_xdm_pipes(utempter_t)
++')
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(polydomain)
+ ')
+
+ optional_policy(`
+- xserver_use_xdm_fds(utempter_t)
+- xserver_rw_xdm_pipes(utempter_t)
++ tunable_policy(`allow_polyinstantiation',`
++ namespace_init_domtrans(polydomain)
++ ')
++')
++
++# read /etc/nsswitch.conf
++files_read_etc_files(nsswitch_domain)
++
++sysnet_dns_name_resolve(nsswitch_domain)
++
++tunable_policy(`authlogin_nsswitch_use_ldap',`
++ files_list_var_lib(nsswitch_domain)
++
++ miscfiles_read_generic_certs(nsswitch_domain)
++ sysnet_use_ldap(nsswitch_domain)
+')
+
+optional_policy(`
-+ tunable_policy(`allow_polyinstantiation',`
-+ namespace_init_domtrans(polydomain)
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
++ dirsrv_stream_connect(nsswitch_domain)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
++ ldap_stream_connect(nsswitch_domain)
+ ')
+')
++
++optional_policy(`
++ likewise_stream_connect_lsassd(nsswitch_domain)
++')
++
++# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
++optional_policy(`
++ kerberos_use(nsswitch_domain)
++')
++
++optional_policy(`
++ nis_use_ypbind(nsswitch_domain)
++')
++
++optional_policy(`
++ nscd_use(nsswitch_domain)
++')
++
++optional_policy(`
++ nslcd_stream_connect(nsswitch_domain)
++')
++
++optional_policy(`
++ sssd_stream_connect(nsswitch_domain)
++')
++
++optional_policy(`
++ samba_stream_connect_winbind(nsswitch_domain)
++ samba_read_var_files(nsswitch_domain)
++ samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
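Review bot: The `nsswitch_domain` rules are appended after the utempter local policy with no section header, unlike the other domain blocks in this file; a refpolicy-style header naming the section "nsswitch domain local policy" should precede `files_read_etc_files(nsswitch_domain)`. The comment `# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.` reads better as `# cannot wrap nis_use_ypbind or kerberos_use in the ldap tunable; both have their own booleans`. Because the rules now hang off an attribute, every `auth_use_nsswitch` caller receives `sysnet_dns_name_resolve` and, under `authlogin_nsswitch_use_ldap`, the LDAP set — the same grants as before, but an audit of a single domain's .te file will no longer show them, which is worth a sentence in the commit message.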
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index e2f6d93..c78ccc6 100644
--- a/policy/modules/system/clock.if
@@ -55968,10 +57212,10 @@ index e2f6d93..c78ccc6 100644
##
##
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index b9ed25b..de3738c 100644
+index b9ed25b..39e1dc1 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
-@@ -46,8 +46,8 @@ fs_search_auto_mountpoints(hwclock_t)
+@@ -46,11 +46,13 @@ fs_search_auto_mountpoints(hwclock_t)
term_dontaudit_use_console(hwclock_t)
term_use_unallocated_ttys(hwclock_t)
@@ -55982,6 +57226,22 @@ index b9ed25b..de3738c 100644
domain_use_interactive_fds(hwclock_t)
++auth_use_nsswitch(hwclock_t)
++
+ init_use_fds(hwclock_t)
+ init_use_script_ptys(hwclock_t)
+
+@@ -65,10 +67,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(hwclock_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(hwclock_t)
+ ')
+
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
index ce3e676..0158314 100644
--- a/policy/modules/system/daemontools.if
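Review bot: Replacing `nscd_socket_use(hwclock_t)` with `auth_use_nsswitch(hwclock_t)` widens hwclock_t well beyond the nscd socket it had before: the `nsswitch_domain` rules added earlier in this patch carry `sysnet_dns_name_resolve` plus, behind optional_policy and the `authlogin_nsswitch_use_ldap` boolean, stream connects to ldap, dirsrv, nslcd, sssd, kerberos, winbind and lsassd. hwclock is unlikely to need more than passwd/group lookups, so the extra network reach is a least-privilege cost that the patch description does not mention. A one-line comment at the call site would make the trade-off explicit, e.g. `# auth_use_nsswitch replaces nscd_socket_use; grants DNS/LDAP reach via nsswitch_domain`. The same substitution is made in the getty.te, hotplug.te and ipsec.te hunks below (and acct.te/bootloader.te earlier), where the same remark applies.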
@@ -56150,16 +57410,30 @@ index c28da1c..73883c4 100644
xen_rw_image_files(fsadm_t)
')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index ede3231..6cdbda3 100644
+index ede3231..c8c15bd 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
-@@ -83,6 +83,7 @@ term_use_unallocated_ttys(getty_t)
+@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t)
term_setattr_all_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
+term_use_console(getty_t)
auth_rw_login_records(getty_t)
++auth_use_nsswitch(getty_t)
+
+ init_rw_utmp(getty_t)
+ init_use_script_ptys(getty_t)
+@@ -125,10 +127,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(getty_t)
+-')
+-
+-optional_policy(`
+ ppp_domtrans(getty_t)
+ ')
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index c310775..ec32c5e 100644
@@ -56209,6 +57483,34 @@ index 40eb10c..2a0a32c 100644
')
corecmd_search_bin($1)
+diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
+index 1a3d970..ba2f286 100644
+--- a/policy/modules/system/hotplug.te
++++ b/policy/modules/system/hotplug.te
+@@ -96,6 +96,8 @@ init_domtrans_script(hotplug_t)
+ # kernel threads inherit from shared descriptor table used by init
+ init_dontaudit_rw_initctl(hotplug_t)
+
++auth_use_nsswitch(hotplug_t)
++
+ logging_send_syslog_msg(hotplug_t)
+ logging_search_logs(hotplug_t)
+
+@@ -164,14 +166,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(hotplug_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(hotplug_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(hotplug_t)
+ ')
+
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 354ce93..b8b14b9 100644
--- a/policy/modules/system/init.fc
@@ -56254,7 +57556,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..26dcf18 100644
+index 94fd8dd..354e39c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -56292,7 +57594,7 @@ index 94fd8dd..26dcf18 100644
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $1:unix_dgram_socket create_socket_perms;
-+ allow $1 init_t:unix_stream_socket ioctl;
++ allow $1 init_t:unix_stream_socket ioctl;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
+')
@@ -56324,42 +57626,52 @@ index 94fd8dd..26dcf18 100644
')
typeattribute $1 daemon;
-@@ -204,7 +246,24 @@ interface(`init_daemon_domain',`
-
- role system_r types $1;
+@@ -202,39 +244,20 @@ interface(`init_daemon_domain',`
+ domain_type($1)
+ domain_entry_file($1, $2)
+- role system_r types $1;
+-
- domtrans_pattern(initrc_t, $2, $1)
+-
+- # daemons started from init will
+- # inherit fds from init for the console
+- init_dontaudit_use_fds($1)
+- term_dontaudit_use_console($1)
+-
+- # init script ptys are the stdin/out/err
+- # when using run_init
+- init_use_script_ptys($1)
+ domtrans_pattern(initrc_t,$2,$1)
-+ allow initrc_t $1:process siginh;
-+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+ allow $1 initrc_transition_domain:fd use;
-+
-+ tunable_policy(`init_upstart || init_systemd',`
-+ # Handle upstart direct transition to a executable
-+ domtrans_pattern(init_t,$2,$1)
-+ allow init_t $1:process siginh;
-+ ')
-+
-+ tunable_policy(`init_systemd',`
-+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
-+ allow init_t $1:unix_dgram_socket create_socket_perms;
-+ allow init_t $1:tcp_socket create_stream_socket_perms;
-+ allow $1 init_t:unix_dgram_socket sendto;
-+ dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
-+ ')
- # daemons started from init will
- # inherit fds from init for the console
-@@ -231,6 +290,8 @@ interface(`init_daemon_domain',`
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-+
-+ dontaudit $1 init_t:dir search_dir_perms;
+ ifdef(`direct_sysadm_daemon',`
+ domtrans_pattern(direct_run_init, $2, $1)
+- allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+
+ typeattribute $1 direct_init;
+ typeattribute $2 direct_init_entry;
+
+- userdom_dontaudit_use_user_terminals($1)
++# userdom_dontaudit_use_user_terminals($1)
')
- optional_policy(`
-@@ -283,17 +344,20 @@ interface(`init_daemon_domain',`
+- ifdef(`hide_broken_symptoms',`
+- # RHEL4 systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_rhel4',`
+- kernel_dontaudit_use_fds($1)
+- ')
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1)
++ tunable_policy(`init_upstart || init_systemd',`
++ # Handle upstart direct transition to a executable
++ domtrans_pattern(init_t,$2,$1)
+ ')
+ ')
+
+@@ -283,17 +306,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
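Review bot: `# userdom_dontaudit_use_user_terminals($1)` inside the direct_sysadm_daemon block is commented-out policy with no explanation, which is noise in an interface and tends to be resurrected by later merges; either delete the line or replace it with a one-line reason such as `# userdom_dontaudit_use_user_terminals dropped: <reason>`. Separately, the hunk strips the console/pty dontaudits and the init_t socket rules out of init_daemon_domain without saying where they went, so a reader of the interface alone will think callers lost them; since this patch's init.te now attaches those rules to the `daemon` attribute, a comment like `# fd/console/pty handling for all daemons lives in init.te on the daemon attribute` next to the remaining domtrans_pattern would help. init_daemon_domain begins outside this hunk.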
@@ -56381,7 +57693,7 @@ index 94fd8dd..26dcf18 100644
')
')
-@@ -336,15 +400,32 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,22 +362,23 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -56389,75 +57701,30 @@ index 94fd8dd..26dcf18 100644
type initrc_t;
role system_r;
+ attribute initrc_transition_domain;
++ attribute systemprocess;
')
++ typeattribute $1 systemprocess;
application_domain($1, $2)
role system_r types $1;
- domtrans_pattern(initrc_t, $2, $1)
+ domtrans_pattern(initrc_t,$2,$1)
-+ allow initrc_t $1:process siginh;
-+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+ allow $1 initrc_transition_domain:fd use;
-+
-+ dontaudit $1 init_t:unix_stream_socket getattr;
-+
+
+- ifdef(`hide_broken_symptoms',`
+- # RHEL4 systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_rhel4',`
+- kernel_dontaudit_use_fds($1)
+- ')
+ tunable_policy(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
-+ allow init_t $1:process siginh;
-+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
-+ allow init_t $1:unix_dgram_socket create_socket_perms;
-+ allow $1 init_t:unix_dgram_socket sendto;
-+ dontaudit $1 init_t:unix_stream_socket { read getattr ioctl };
-+ ')
-
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
-@@ -353,6 +434,41 @@ interface(`init_system_domain',`
- kernel_dontaudit_use_fds($1)
- ')
')
-+
-+ userdom_dontaudit_search_user_home_dirs($1)
-+ userdom_dontaudit_rw_stream($1)
-+ userdom_dontaudit_write_user_tmp_files($1)
-+
-+ tunable_policy(`allow_daemons_use_tty',`
-+ term_use_all_ttys($1)
-+ term_use_all_ptys($1)
-+ ',`
-+ term_dontaudit_use_all_ttys($1)
-+ term_dontaudit_use_all_ptys($1)
-+ ')
-+
-+ # these apps are often redirect output to random log files
-+ logging_inherit_append_all_logs($1)
-+
-+ optional_policy(`
-+ abrt_stream_connect($1)
-+ ')
-+
-+ optional_policy(`
-+ cron_rw_pipes($1)
-+ ')
-+
-+ optional_policy(`
-+ xserver_dontaudit_append_xdm_home_files($1)
-+ ')
-+
-+ optional_policy(`
-+ unconfined_dontaudit_rw_pipes($1)
-+ unconfined_dontaudit_rw_stream($1)
-+ userdom_dontaudit_read_user_tmp_files($1)
-+ ')
-+
-+ init_rw_script_stream_sockets($1)
')
- ########################################
-@@ -401,16 +517,19 @@ interface(`init_system_domain',`
+@@ -401,16 +428,19 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
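Review bot: `typeattribute $1 systemprocess;` gives every init_system_domain caller the `systemprocess` attribute, which in this patch's init.te carries terminal access under the `allow_daemons_use_tty` boolean, `logging_inherit_append_all_logs` and several dontaudits, but the interface's doc block (above this hunk) does not mention the attribute or what it brings. Add a sentence to the description such as `## The domain is also given the systemprocess attribute; see init.te for the rules it carries.` so policy authors know the call is no longer just a domtrans. The interface header is outside this hunk.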
@@ -56477,7 +57744,7 @@ index 94fd8dd..26dcf18 100644
mls_rangetrans_target($1)
')
')
-@@ -451,6 +570,10 @@ interface(`init_exec',`
+@@ -451,6 +481,10 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -56488,7 +57755,7 @@ index 94fd8dd..26dcf18 100644
')
########################################
-@@ -509,6 +632,24 @@ interface(`init_sigchld',`
+@@ -509,6 +543,24 @@ interface(`init_sigchld',`
########################################
##
@@ -56513,7 +57780,7 @@ index 94fd8dd..26dcf18 100644
## Connect to init with a unix socket.
##
##
-@@ -519,10 +660,29 @@ interface(`init_sigchld',`
+@@ -519,10 +571,29 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -56545,7 +57812,7 @@ index 94fd8dd..26dcf18 100644
')
########################################
-@@ -688,19 +848,25 @@ interface(`init_telinit',`
+@@ -688,19 +759,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -56572,7 +57839,7 @@ index 94fd8dd..26dcf18 100644
')
')
-@@ -730,7 +896,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +807,7 @@ interface(`init_rw_initctl',`
##
##
##
@@ -56581,7 +57848,7 @@ index 94fd8dd..26dcf18 100644
##
##
#
-@@ -773,18 +939,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +850,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -56605,7 +57872,7 @@ index 94fd8dd..26dcf18 100644
')
')
-@@ -800,23 +967,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +878,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -56628,11 +57895,11 @@ index 94fd8dd..26dcf18 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ##
++ ')
++')
++
++########################################
++##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -56645,17 +57912,13 @@ index 94fd8dd..26dcf18 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
-+ ')
+ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+##
- ## Execute a init script in a specified domain.
- ##
- ##
-@@ -868,9 +1057,14 @@ interface(`init_script_file_domtrans',`
+ ')
+
+ ########################################
+@@ -868,9 +968,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -56670,7 +57933,7 @@ index 94fd8dd..26dcf18 100644
files_search_etc($1)
')
-@@ -1079,6 +1273,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1184,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -56695,7 +57958,7 @@ index 94fd8dd..26dcf18 100644
## Dontaudit read all init script files.
##
##
-@@ -1130,12 +1342,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1253,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -56709,7 +57972,7 @@ index 94fd8dd..26dcf18 100644
')
########################################
-@@ -1375,6 +1582,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1493,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -56737,7 +58000,7 @@ index 94fd8dd..26dcf18 100644
## init scripts over dbus.
##
##
-@@ -1461,6 +1689,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1600,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -56763,7 +58026,7 @@ index 94fd8dd..26dcf18 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1519,6 +1766,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1677,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -56788,7 +58051,7 @@ index 94fd8dd..26dcf18 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1674,7 +1939,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -56797,7 +58060,7 @@ index 94fd8dd..26dcf18 100644
')
########################################
-@@ -1715,6 +1980,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1891,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -56926,7 +58189,7 @@ index 94fd8dd..26dcf18 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2136,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2047,156 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -57084,7 +58347,7 @@ index 94fd8dd..26dcf18 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..70532cc 100644
+index 29a9565..de6dda5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -57122,7 +58385,7 @@ index 29a9565..70532cc 100644
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
-@@ -25,6 +53,9 @@ attribute direct_init_entry;
+@@ -25,14 +53,18 @@ attribute direct_init_entry;
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
@@ -57132,7 +58395,8 @@ index 29a9565..70532cc 100644
# Mark process types as daemons
attribute daemon;
-@@ -32,7 +63,7 @@ attribute daemon;
++attribute systemprocess;
+
#
# init_t is the domain of the init process.
#
@@ -57141,7 +58405,7 @@ index 29a9565..70532cc 100644
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
-@@ -63,6 +94,8 @@ role system_r types initrc_t;
+@@ -63,6 +95,8 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -57150,7 +58414,7 @@ index 29a9565..70532cc 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -87,7 +120,7 @@ ifdef(`enable_mls',`
+@@ -87,7 +121,7 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -57159,7 +58423,7 @@ index 29a9565..70532cc 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -100,11 +133,15 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,11 +134,15 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -57179,7 +58443,7 @@ index 29a9565..70532cc 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -114,25 +151,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,25 +152,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -57214,7 +58478,7 @@ index 29a9565..70532cc 100644
files_etc_filetrans_etc_runtime(init_t, file)
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
-@@ -151,10 +197,19 @@ mls_file_read_all_levels(init_t)
+@@ -151,10 +198,19 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -57235,7 +58499,7 @@ index 29a9565..70532cc 100644
# Run init scripts.
init_domtrans_script(init_t)
-@@ -162,12 +217,16 @@ init_domtrans_script(init_t)
+@@ -162,12 +218,16 @@ init_domtrans_script(init_t)
libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
@@ -57252,7 +58516,7 @@ index 29a9565..70532cc 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -178,7 +237,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +238,7 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
@@ -57261,7 +58525,7 @@ index 29a9565..70532cc 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +245,131 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +246,135 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -57370,15 +58634,15 @@ index 29a9565..70532cc 100644
+
+')
+
++auth_use_nsswitch(init_t)
++auth_rw_login_records(init_t)
++
optional_policy(`
- auth_rw_login_records(init_t)
+- auth_rw_login_records(init_t)
++ consolekit_manage_log(init_t)
')
optional_policy(`
-+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -57393,16 +58657,13 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -199,10 +377,26 @@ optional_policy(`
+- nscd_socket_use(init_t)
++ plymouthd_stream_connect(init_t)
++ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
-+ plymouthd_stream_connect(init_t)
-+ plymouthd_exec_plymouth(init_t)
-+')
-+
-+optional_policy(`
- sssd_stream_connect(init_t)
+@@ -203,6 +382,17 @@ optional_policy(`
')
optional_policy(`
@@ -57420,7 +58681,7 @@ index 29a9565..70532cc 100644
unconfined_domain(init_t)
')
-@@ -212,7 +406,7 @@ optional_policy(`
+@@ -212,7 +402,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -57429,7 +58690,7 @@ index 29a9565..70532cc 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +431,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -57445,7 +58706,7 @@ index 29a9565..70532cc 100644
init_write_initctl(initrc_t)
-@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +451,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -57482,7 +58743,7 @@ index 29a9565..70532cc 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +484,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -57490,7 +58751,7 @@ index 29a9565..70532cc 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +495,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -57501,7 +58762,7 @@ index 29a9565..70532cc 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +506,14 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -57518,7 +58779,7 @@ index 29a9565..70532cc 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +525,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -57526,7 +58787,7 @@ index 29a9565..70532cc 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +533,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -57538,7 +58799,7 @@ index 29a9565..70532cc 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +552,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -57552,7 +58813,7 @@ index 29a9565..70532cc 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +567,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -57561,7 +58822,7 @@ index 29a9565..70532cc 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +581,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -57569,7 +58830,7 @@ index 29a9565..70532cc 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +593,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -57577,7 +58838,7 @@ index 29a9565..70532cc 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +614,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -57599,7 +58860,7 @@ index 29a9565..70532cc 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +677,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -57610,7 +58871,7 @@ index 29a9565..70532cc 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +705,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +701,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -57619,7 +58880,7 @@ index 29a9565..70532cc 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +720,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +716,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -57627,7 +58888,7 @@ index 29a9565..70532cc 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +750,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +746,33 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -57661,7 +58922,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -531,10 +784,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +780,26 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -57688,7 +58949,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -549,6 +818,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +814,39 @@ ifdef(`distro_suse',`
')
')
@@ -57728,7 +58989,7 @@ index 29a9565..70532cc 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +863,8 @@ optional_policy(`
+@@ -561,6 +859,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -57737,7 +58998,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -577,6 +881,7 @@ optional_policy(`
+@@ -577,6 +877,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -57745,7 +59006,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -589,6 +894,11 @@ optional_policy(`
+@@ -589,6 +890,11 @@ optional_policy(`
')
optional_policy(`
@@ -57757,7 +59018,7 @@ index 29a9565..70532cc 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +915,13 @@ optional_policy(`
+@@ -605,9 +911,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -57771,7 +59032,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -649,6 +963,11 @@ optional_policy(`
+@@ -649,6 +959,11 @@ optional_policy(`
')
optional_policy(`
@@ -57783,7 +59044,7 @@ index 29a9565..70532cc 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1008,7 @@ optional_policy(`
+@@ -689,6 +1004,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -57791,7 +59052,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -706,7 +1026,13 @@ optional_policy(`
+@@ -706,7 +1022,13 @@ optional_policy(`
')
optional_policy(`
@@ -57805,7 +59066,7 @@ index 29a9565..70532cc 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1055,10 @@ optional_policy(`
+@@ -729,6 +1051,10 @@ optional_policy(`
')
optional_policy(`
@@ -57816,7 +59077,7 @@ index 29a9565..70532cc 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1068,20 @@ optional_policy(`
+@@ -738,10 +1064,20 @@ optional_policy(`
')
optional_policy(`
@@ -57837,7 +59098,7 @@ index 29a9565..70532cc 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1090,10 @@ optional_policy(`
+@@ -750,6 +1086,10 @@ optional_policy(`
')
optional_policy(`
@@ -57848,7 +59109,7 @@ index 29a9565..70532cc 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1115,6 @@ optional_policy(`
+@@ -771,8 +1111,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -57857,7 +59118,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -790,10 +1132,12 @@ optional_policy(`
+@@ -790,10 +1128,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -57870,7 +59131,7 @@ index 29a9565..70532cc 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1149,6 @@ optional_policy(`
+@@ -805,7 +1145,6 @@ optional_policy(`
')
optional_policy(`
@@ -57878,7 +59139,7 @@ index 29a9565..70532cc 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1158,24 @@ optional_policy(`
+@@ -815,11 +1154,24 @@ optional_policy(`
')
optional_policy(`
@@ -57904,7 +59165,7 @@ index 29a9565..70532cc 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1185,25 @@ optional_policy(`
+@@ -829,6 +1181,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -57930,7 +59191,7 @@ index 29a9565..70532cc 100644
')
optional_policy(`
-@@ -844,6 +1219,10 @@ optional_policy(`
+@@ -844,6 +1215,10 @@ optional_policy(`
')
optional_policy(`
@@ -57941,7 +59202,7 @@ index 29a9565..70532cc 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1233,45 @@ optional_policy(`
+@@ -854,3 +1229,149 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -57987,6 +59248,110 @@ index 29a9565..70532cc 100644
+allow init_t var_run_t:dir relabelto;
+
+init_stream_connect(initrc_t)
++
++allow initrc_t daemon:process siginh;
++allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow daemon initrc_transition_domain:fd use;
++
++tunable_policy(`init_systemd',`
++ allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++ allow init_t daemon:unix_dgram_socket create_socket_perms;
++ allow init_t daemon:tcp_socket create_stream_socket_perms;
++ allow daemon init_t:unix_dgram_socket sendto;
++ dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
++')
++
++# daemons started from init will
++# inherit fds from init for the console
++init_dontaudit_use_fds(daemon)
++term_dontaudit_use_console(daemon)
++# init script ptys are the stdin/out/err
++# when using run_init
++init_use_script_ptys(daemon)
++
++allow init_t daemon:process siginh;
++
++ifdef(`hide_broken_symptoms',`
++ # RHEL4 systems seem to have a stray
++ # fds open from the initrd
++ ifdef(`distro_rhel4',`
++ kernel_dontaudit_use_fds(daemon)
++ ')
++
++ dontaudit daemon init_t:dir search_dir_perms;
++')
++
++optional_policy(`
++ nscd_socket_use(daemon)
++')
++
++allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
++
++allow initrc_t systemprocess:process siginh;
++allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow systemprocess initrc_transition_domain:fd use;
++
++dontaudit systemprocess init_t:unix_stream_socket getattr;
++
++
++tunable_policy(`init_systemd',`
++ # Handle upstart/systemd direct transition to a executable
++ allow init_t systemprocess:process siginh;
++ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
++ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
++ allow systemprocess init_t:unix_dgram_socket sendto;
++ dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
++')
++
++ifdef(`hide_broken_symptoms',`
++ # RHEL4 systems seem to have a stray
++ # fds open from the initrd
++ ifdef(`distro_rhel4',`
++ kernel_dontaudit_use_fds(systemprocess)
++ ')
++')
++
++userdom_dontaudit_search_user_home_dirs(systemprocess)
++userdom_dontaudit_rw_stream(systemprocess)
++userdom_dontaudit_write_user_tmp_files(systemprocess)
++
++tunable_policy(`allow_daemons_use_tty',`
++ term_use_all_ttys(systemprocess)
++ term_use_all_ptys(systemprocess)
++',`
++ term_dontaudit_use_all_ttys(systemprocess)
++ term_dontaudit_use_all_ptys(systemprocess)
++')
++
++# these apps are often redirect output to random log files
++logging_inherit_append_all_logs(systemprocess)
++
++optional_policy(`
++ abrt_stream_connect(systemprocess)
++')
++
++optional_policy(`
++ cron_rw_pipes(systemprocess)
++')
++
++optional_policy(`
++ xserver_dontaudit_append_xdm_home_files(systemprocess)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(systemprocess)
++ unconfined_dontaudit_rw_stream(systemprocess)
++ userdom_dontaudit_read_user_tmp_files(systemprocess)
++')
++
++init_rw_script_stream_sockets(systemprocess)
++
++role system_r types systemprocess;
++role system_r types daemon;
++
++#ifdef(`enable_mls',`
++# mls_rangetrans_target(systemprocess)
++#')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index fb09b9e..e25c6b6 100644
--- a/policy/modules/system/ipsec.fc
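Review bot: `allow direct_run_init daemon:process { noatsecure siginh rlimitinh };` is now unconditional, whereas the rule it replaces in init_daemon_domain sat inside the direct_sysadm_daemon ifdef block (visible in the init.if hunk above, where it is removed). `noatsecure` suppresses the AT_SECURE secure-exec protections on that transition, so the rule should keep the same guard: wrap it as `ifdef(` + `direct_sysadm_daemon',` / `allow direct_run_init daemon:process { noatsecure siginh rlimitinh };` / `')`. Two points of style in the same hunk: the commented-out `#ifdef(` enable_mls block at the end should be deleted or given a one-line reason, and the `nscd_socket_use(daemon)` optional_policy hands every daemon the nscd socket access that this patch removes domain by domain in favour of auth_use_nsswitch, which looks inconsistent and deserves a comment or a decision.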
@@ -58062,7 +59427,7 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..bec6385 100644
+index 55a6cd8..4bc226b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -128,13 +128,13 @@ corecmd_exec_bin(ipsec_t)
@@ -58112,7 +59477,7 @@ index 55a6cd8..bec6385 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -277,7 +290,7 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +290,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -58120,8 +59485,11 @@ index 55a6cd8..bec6385 100644
+term_use_all_inherited_terms(ipsec_mgmt_t)
auth_dontaudit_read_login_records(ipsec_mgmt_t)
++auth_use_nsswitch(ipsec_mgmt_t)
-@@ -297,7 +310,7 @@ sysnet_manage_config(ipsec_mgmt_t)
+ init_read_utmp(ipsec_mgmt_t)
+ init_use_script_ptys(ipsec_mgmt_t)
+@@ -297,7 +311,7 @@ sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
@@ -58130,7 +59498,18 @@ index 55a6cd8..bec6385 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -377,12 +390,12 @@ corecmd_exec_shell(racoon_t)
+@@ -324,10 +338,6 @@ optional_policy(`
+ modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(ipsec_mgmt_t)
+-')
+-
+ ifdef(`TODO',`
+ # ideally it would not need this. It wants to write to /root/.rnd
+ file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+@@ -377,12 +387,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -58149,7 +59528,7 @@ index 55a6cd8..bec6385 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -411,6 +424,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +421,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -58158,7 +59537,7 @@ index 55a6cd8..bec6385 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +463,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +460,6 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
@@ -58189,6 +59568,21 @@ index 05fb364..6b895d1 100644
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
+index 7ba53db..5c94dfe 100644
+--- a/policy/modules/system/iptables.if
++++ b/policy/modules/system/iptables.if
+@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iptables_exec_t, iptables_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit iptables_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index f3e1b57..d6a93ac 100644
--- a/policy/modules/system/iptables.te
@@ -58912,7 +60306,7 @@ index e5836d3..b32b945 100644
+#')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..77f0e09 100644
+index a0b379d..7d88511 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,9 +32,8 @@ role system_r types sulogin_t;
@@ -58936,15 +60330,18 @@ index a0b379d..77f0e09 100644
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
-@@ -125,6 +126,7 @@ auth_manage_pam_console_data(local_login_t)
+@@ -123,8 +124,10 @@ auth_rw_faillog(local_login_t)
+ auth_manage_pam_pid(local_login_t)
+ auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
++auth_use_nsswitch(local_login_t)
init_dontaudit_use_fds(local_login_t)
+init_stream_connect(local_login_t)
miscfiles_read_localization(local_login_t)
-@@ -156,6 +158,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -156,6 +159,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
@@ -58957,7 +60354,22 @@ index a0b379d..77f0e09 100644
optional_policy(`
alsa_domtrans(local_login_t)
')
-@@ -225,6 +233,7 @@ files_read_etc_files(sulogin_t)
+@@ -177,14 +186,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(local_login_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(local_login_t)
+-')
+-
+-optional_policy(`
+ unconfined_shell_domtrans(local_login_t)
+ ')
+
+@@ -225,6 +226,7 @@ files_read_etc_files(sulogin_t)
files_dontaudit_search_isid_type_dirs(sulogin_t)
auth_read_shadow(sulogin_t)
@@ -58965,7 +60377,7 @@ index a0b379d..77f0e09 100644
init_getpgid_script(sulogin_t)
-@@ -238,14 +247,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +240,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -58991,7 +60403,7 @@ index a0b379d..77f0e09 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +274,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +267,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -59821,7 +61233,7 @@ index 9c0faab..dd6530e 100644
## loading modules.
##
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..7a8241b 100644
+index a0eef20..223af54 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,11 +18,12 @@ type insmod_t;
@@ -59931,12 +61343,14 @@ index a0eef20..7a8241b 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -161,11 +175,15 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +175,17 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_mount_rpc_pipefs(insmod_t)
+fs_search_rpc(insmod_t)
++
++auth_use_nsswitch(insmod_t)
init_rw_initctl(insmod_t)
init_use_fds(insmod_t)
@@ -59947,7 +61361,7 @@ index a0eef20..7a8241b 100644
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,8 +192,7 @@ miscfiles_read_localization(insmod_t)
+@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
@@ -59957,21 +61371,41 @@ index a0eef20..7a8241b 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -187,8 +204,11 @@ optional_policy(`
+@@ -187,28 +206,23 @@ optional_policy(`
')
optional_policy(`
- firstboot_dontaudit_rw_pipes(insmod_t)
- firstboot_dontaudit_rw_stream_sockets(insmod_t)
+ firstboot_dontaudit_leaks(insmod_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- hal_write_log(insmod_t)
+ firewallgui_dontaudit_rw_pipes(insmod_t)
')
optional_policy(`
-@@ -231,11 +251,15 @@ optional_policy(`
+- hotplug_search_config(insmod_t)
+-')
+-
+-optional_policy(`
+- mount_domtrans(insmod_t)
++ hal_write_log(insmod_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(insmod_t)
++ hotplug_search_config(insmod_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(insmod_t)
++ mount_domtrans(insmod_t)
+ ')
+
+ optional_policy(`
+@@ -231,11 +245,15 @@ optional_policy(`
')
optional_policy(`
@@ -59988,7 +61422,7 @@ index a0eef20..7a8241b 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -296,7 +320,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +314,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
@@ -60020,10 +61454,10 @@ index 72c746e..704d2d7 100644
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..1ac1567 100644
+index 8b5c196..1be2768 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
-@@ -16,6 +16,18 @@ interface(`mount_domtrans',`
+@@ -16,6 +16,12 @@ interface(`mount_domtrans',`
')
domtrans_pattern($1, mount_exec_t, mount_t)
@@ -60033,16 +61467,10 @@ index 8b5c196..1ac1567 100644
+ ps_process_pattern(mount_t, $1)
+
+ allow mount_t $1:unix_stream_socket { read write };
-+
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit mount_t $1:tcp_socket { read write };
-+ dontaudit mount_t $1:udp_socket { read write };
-+')
-+
')
########################################
-@@ -45,12 +57,77 @@ interface(`mount_run',`
+@@ -45,8 +51,73 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@@ -60065,11 +61493,11 @@ index 8b5c196..1ac1567 100644
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
- ')
- ')
-
- ########################################
- ##
++ ')
++')
++
++########################################
++##
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
@@ -60089,7 +61517,7 @@ index 8b5c196..1ac1567 100644
+interface(`mount_run_fusermount',`
+ gen_require(`
+ type mount_t;
-+ ')
+ ')
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
@@ -60114,14 +61542,10 @@ index 8b5c196..1ac1567 100644
+
+ allow $1 mount_var_run_t:file read_file_perms;
+ files_search_pids($1)
-+')
-+
-+########################################
-+##
- ## Execute mount in the caller domain.
- ##
- ##
-@@ -84,9 +161,11 @@ interface(`mount_exec',`
+ ')
+
+ ########################################
+@@ -84,9 +155,11 @@ interface(`mount_exec',`
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -60133,7 +61557,7 @@ index 8b5c196..1ac1567 100644
')
########################################
-@@ -95,7 +174,7 @@ interface(`mount_signal',`
+@@ -95,7 +168,7 @@ interface(`mount_signal',`
##
##
##
@@ -60142,7 +61566,7 @@ index 8b5c196..1ac1567 100644
##
##
#
-@@ -135,6 +214,24 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,6 +208,24 @@ interface(`mount_send_nfs_client_request',`
########################################
##
@@ -60167,7 +61591,7 @@ index 8b5c196..1ac1567 100644
## Execute mount in the unconfined mount domain.
##
##
-@@ -176,4 +273,113 @@ interface(`mount_run_unconfined',`
+@@ -176,4 +267,113 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
@@ -60282,7 +61706,7 @@ index 8b5c196..1ac1567 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..ed497ff 100644
+index 15832c7..79bc8f4 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -60475,15 +61899,16 @@ index 15832c7..ed497ff 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,26 +213,29 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +213,28 @@ ifdef(`distro_ubuntu',`
')
')
+corecmd_exec_shell(mount_t)
+
tunable_policy(`allow_mount_anyfile',`
- auth_read_all_dirs_except_shadow(mount_t)
- auth_read_all_files_except_shadow(mount_t)
+- auth_read_all_dirs_except_shadow(mount_t)
+- auth_read_all_files_except_shadow(mount_t)
++ files_read_non_security_files(mount_t)
files_mounton_non_security(mount_t)
+ files_rw_all_inherited_files(mount_t)
')
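Review bot: The description of the `allow_mount_anyfile` boolean (defined above the hunk) no longer matches what the tunable grants, because `files_read_non_security_files(mount_t)` withholds every security_file_type, whereas the two lines it replaces withheld only shadow_t. The unchanged `files_rw_all_inherited_files(mount_t)` in the same block presumably still covers inherited descriptors of every file type, so the block is now read-restricted but not fd-restricted; that asymmetry should either be intended and documented or closed. A comment on the new line such as `# reads exclude all security_file_type, not just shadow_t` plus matching wording in the boolean description would tell administrators what "anyfile" now means. The tunable_policy block is fully visible, but the rest of mount_t's rules continue outside the hunk.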
@@ -60513,7 +61938,7 @@ index 15832c7..ed497ff 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +249,8 @@ optional_policy(`
+@@ -174,6 +248,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -60522,7 +61947,7 @@ index 15832c7..ed497ff 100644
')
optional_policy(`
-@@ -181,6 +258,28 @@ optional_policy(`
+@@ -181,6 +257,28 @@ optional_policy(`
')
optional_policy(`
@@ -60551,7 +61976,7 @@ index 15832c7..ed497ff 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,13 +287,52 @@ optional_policy(`
+@@ -188,13 +286,52 @@ optional_policy(`
')
')
@@ -60604,7 +62029,7 @@ index 15832c7..ed497ff 100644
')
########################################
-@@ -203,6 +341,43 @@ optional_policy(`
+@@ -203,6 +340,43 @@ optional_policy(`
#
optional_policy(`
@@ -60667,10 +62092,22 @@ index cbbda4a..8dcc346 100644
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
+
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
-index 4d06ae3..ebd5ed4 100644
+index 4d06ae3..e81b7ac 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
-@@ -98,18 +98,20 @@ logging_send_syslog_msg(cardmgr_t)
+@@ -62,9 +62,8 @@ dev_read_urand(cardmgr_t)
+
+ domain_use_interactive_fds(cardmgr_t)
+ # Read /proc/PID directories for all domains (for fuser).
+-domain_read_confined_domains_state(cardmgr_t)
+-domain_getattr_confined_domains(cardmgr_t)
+-domain_dontaudit_ptrace_confined_domains(cardmgr_t)
++domain_read_all_domains_state(cardmgr_t)
++domain_dontaudit_ptrace_all_domains(cardmgr_t)
+ # cjp: these look excessive:
+ domain_dontaudit_getattr_all_pipes(cardmgr_t)
+ domain_dontaudit_getattr_all_sockets(cardmgr_t)
+@@ -98,18 +97,20 @@ logging_send_syslog_msg(cardmgr_t)
miscfiles_read_localization(cardmgr_t)
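Review bot: The two replacement lines give cardmgr_t more than the comment above them justifies: it goes from reading the /proc state of confined domains to reading it for every domain, so a compromised cardmgr could read cmdline, environ and maps of unconfined and privileged processes too, and the very next line already flags the neighbouring rules as excessive. If the motivation is the rule-count reduction named in the changelog, it is worth confirming that fuser actually needs the unconfined domains; otherwise the confined-domain variant is the tighter choice. The old `domain_getattr_confined_domains(cardmgr_t)` line is also dropped with no all-domains equivalent, so unless `domain_read_all_domains_state` already carries process getattr (not visible here), fuser's stat of /proc/PID may now be denied and `domain_getattr_all_domains(cardmgr_t)` would restore it. The cardmgr_t block continues outside the hunk.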
@@ -60863,21 +62300,10 @@ index 2cc4bda..167c358 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..beb818f 100644
+index 170e2c7..7b10445 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
-@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, load_policy_exec_t, load_policy_t)
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit load_policy_t $1:socket_class_set { read write };
-+ ')
- ')
-
- ########################################
-@@ -199,6 +203,10 @@ interface(`seutil_run_newrole',`
+@@ -199,6 +199,10 @@ interface(`seutil_run_newrole',`
role $2 types newrole_t;
auth_run_upd_passwd(newrole_t, $2)
@@ -60888,7 +62314,7 @@ index 170e2c7..beb818f 100644
')
########################################
-@@ -361,6 +369,27 @@ interface(`seutil_exec_restorecon',`
+@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
########################################
##
@@ -60916,18 +62342,7 @@ index 170e2c7..beb818f 100644
## Execute run_init in the run_init domain.
##
##
-@@ -514,6 +543,10 @@ interface(`seutil_domtrans_setfiles',`
- files_search_usr($1)
- corecmd_search_bin($1)
- domtrans_pattern($1, setfiles_exec_t, setfiles_t)
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit setfiles_t $1:socket_class_set { read write };
-+ ')
- ')
-
- ########################################
-@@ -545,6 +578,53 @@ interface(`seutil_run_setfiles',`
+@@ -545,6 +570,53 @@ interface(`seutil_run_setfiles',`
########################################
##
@@ -60981,7 +62396,7 @@ index 170e2c7..beb818f 100644
## Execute setfiles in the caller domain.
##
##
-@@ -690,6 +770,7 @@ interface(`seutil_manage_config',`
+@@ -690,6 +762,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -60989,7 +62404,7 @@ index 170e2c7..beb818f 100644
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -756,6 +837,29 @@ interface(`seutil_read_default_contexts',`
+@@ -756,6 +829,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
@@ -61019,18 +62434,10 @@ index 170e2c7..beb818f 100644
########################################
##
## Create, read, write, and delete the default_contexts files.
-@@ -1005,6 +1109,30 @@ interface(`seutil_domtrans_semanage',`
- files_search_usr($1)
- corecmd_search_bin($1)
- domtrans_pattern($1, semanage_exec_t, semanage_t)
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit semanage_t $1:socket_class_set { read write };
-+ ')
-+')
-+
-+########################################
-+##
+@@ -1009,6 +1105,26 @@ interface(`seutil_domtrans_semanage',`
+
+ ########################################
+ ##
+## Execute a domain transition to run setsebool.
+##
+##
@@ -61047,10 +62454,14 @@ index 170e2c7..beb818f 100644
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
- ')
-
- ########################################
-@@ -1038,6 +1166,54 @@ interface(`seutil_run_semanage',`
++')
++
++########################################
++##
+ ## Execute semanage in the semanage domain, and
+ ## allow the specified role the semanage domain,
+ ## and use the caller's terminal.
+@@ -1038,6 +1154,54 @@ interface(`seutil_run_semanage',`
########################################
##
@@ -61105,7 +62516,7 @@ index 170e2c7..beb818f 100644
## Full management of the semanage
## module store.
##
-@@ -1149,3 +1325,199 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1313,199 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -61306,7 +62717,7 @@ index 170e2c7..beb818f 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..96406b1 100644
+index 7ed9819..d74087e 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -61480,6 +62891,17 @@ index 7ed9819..96406b1 100644
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
+@@ -323,8 +350,8 @@ selinux_compute_create_context(restorecond_t)
+ selinux_compute_relabel_context(restorecond_t)
+ selinux_compute_user_contexts(restorecond_t)
+
+-auth_relabel_all_files_except_shadow(restorecond_t )
+-auth_read_all_files_except_shadow(restorecond_t)
++files_relabel_all_files(restorecond_t )
++files_read_non_security_files(restorecond_t)
+ auth_use_nsswitch(restorecond_t)
+
+ locallogin_dontaudit_use_fds(restorecond_t)
@@ -335,6 +362,8 @@ miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
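Review bot: The relabel substitution widens privilege while the read substitution narrows it: reading drops from "all except shadow" to non-security files, but relabeling rises from "all except shadow" to `files_relabel_all_files(restorecond_t )`, which presumably includes shadow_t unless the Fedora version of that interface excludes it. If authlogin's shadow relabelto neverallow is still in effect the policy will not build; if it is not, restorecond gains the ability to relabel /etc/shadow that the old rule deliberately withheld. If the interface still takes an exclusion argument as upstream's does, `files_relabel_all_files(restorecond_t, -shadow_t)` keeps the previous scope, and the stray space before the closing parenthesis can go while the line is being touched. The restorecond_t block starts and ends outside the hunk.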
@@ -61606,7 +63028,7 @@ index 7ed9819..96406b1 100644
-
-locallogin_use_fds(semanage_t)
+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
++files_read_non_security_files(semanage_t)
-logging_send_syslog_msg(semanage_t)
-
@@ -61825,7 +63247,7 @@ index 694fd94..334e80e 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..95e705c 100644
+index ff80d0a..752e031 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -61967,17 +63389,7 @@ index ff80d0a..95e705c 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -484,6 +579,9 @@ interface(`sysnet_domtrans_ifconfig',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit ifconfig_t $1:socket_class_set { read write };
-+ ')
- ')
-
- ########################################
-@@ -554,6 +652,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +649,25 @@ interface(`sysnet_signal_ifconfig',`
########################################
##
@@ -62003,7 +63415,7 @@ index ff80d0a..95e705c 100644
## Read the DHCP configuration files.
##
##
-@@ -661,6 +778,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +775,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -62012,7 +63424,7 @@ index ff80d0a..95e705c 100644
sysnet_read_config($1)
optional_policy(`
-@@ -698,6 +817,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +814,9 @@ interface(`sysnet_use_ldap',`
corenet_sendrecv_ldap_client_packets($1)
sysnet_read_config($1)
@@ -62022,7 +63434,7 @@ index ff80d0a..95e705c 100644
')
########################################
-@@ -731,3 +853,49 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +850,49 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -62724,10 +64136,10 @@ index 0000000..11fbd0f
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..a0b79d5
+index 0000000..4936451
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,314 @@
+@@ -0,0 +1,317 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -62849,6 +64261,9 @@ index 0000000..a0b79d5
+
+userdom_read_all_users_state(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
++userdom_manage_user_tmp_dirs(systemd_logind_t)
++userdom_manage_user_tmp_files(systemd_logind_t)
++userdom_manage_user_tmp_symlinks(systemd_logind_t)
+
+optional_policy(`
+ cron_dbus_chat_crond(systemd_logind_t)
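Review bot: The three added rules give systemd_logind_t create, write and delete rights over every user_tmp_t directory, file and symlink, and user_tmp_t is the same type unprivileged user domains get for their own tmp content (see the `userdom_manage_tmp_role` calls elsewhere in this patch), so a root daemon now fully manages a type its clients control; the companion userdomain.fc change labelling /var/run/user as user_tmp_t is presumably why. While the two share a type SELinux cannot tell logind's runtime directories from arbitrary user-written /tmp files, so a path-handling bug in logind becomes a symlink-following primitive against everything users put there. A dedicated type for /var/run/user managed only by logind would keep that boundary; failing that, a comment such as `# /var/run/user/$UID is labeled user_tmp_t (userdomain.fc); needed for session runtime dirs` should record why these broad rules exist. The systemd_logind_t block starts outside the hunk.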
@@ -64225,10 +65640,10 @@ index eae5001..71e46b2 100644
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..392d1ee 100644
+index db75976..cca4cd1 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,17 @@
+@@ -1,4 +1,19 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -64240,15 +65655,17 @@ index db75976..392d1ee 100644
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
-+HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
++
++/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..fd5c0a5 100644
+index 4b2878a..31290e1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -64393,16 +65810,16 @@ index 4b2878a..fd5c0a5 100644
+
+ storage_rw_fuse($1_usertype)
+
-+ auth_use_nsswitch($1_usertype)
-
-- libs_exec_ld_so($1_t)
++ auth_use_nsswitch($1_t)
++
+ init_stream_connect($1_usertype)
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_usertype)
+
+ libs_exec_ld_so($1_usertype)
-+
+
+- libs_exec_ld_so($1_t)
+ logging_send_audit_msgs($1_t)
miscfiles_read_localization($1_t)
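Review bot: Moving `auth_use_nsswitch` from `$1_usertype` to `$1_t` is unexplained while every neighbouring rule in the template stays on the attribute, which invites someone to "fix" it back; presumably the interface applies a typeattribute or a transition that is invalid on an attribute, which is also why the later hunk in this patch grants `auth_use_nsswitch($2)` per type next to `typeattribute $2 $1_usertype`. A one-line comment would settle it: `# must target a type, not the usertype attribute; extra usertype members get it individually`. The template continues outside the hunk.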
@@ -64772,27 +66189,27 @@ index 4b2878a..fd5c0a5 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corecmd_exec_bin($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -64816,10 +66233,10 @@ index 4b2878a..fd5c0a5 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
-+
-+ application_getattr_socket($1_usertype)
- fs_rw_cgroup_files($1_t)
++ application_getattr_socket($1_usertype)
++
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
@@ -64912,89 +66329,89 @@ index 4b2878a..fd5c0a5 100644
+ optional_policy(`
+ avahi_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ policykit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ gnome_dbus_chat_gconfdefault($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ policykit_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
++ bluetooth_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpn_dbus_chat($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
++
++ optional_policy(`
++ gnome_dbus_chat_gconfdefault($1_usertype)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ kde_dbus_chat_backlighthelper($1_usertype)
++ ')
++
++ optional_policy(`
++ modemmanager_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
++ ')
++
++ optional_policy(`
++ vpn_dbus_chat($1_usertype)
++ ')
++ ')
++
++ optional_policy(`
++ git_session_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
-+ git_session_role($1_r, $1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ lircd_stream_connect($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ lircd_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ locate_read_lib_files($1_usertype)
')
@@ -65002,16 +66419,16 @@ index 4b2878a..fd5c0a5 100644
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
-+ mta_filetrans_home_content($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
++ mta_filetrans_home_content($1_usertype)
++ ')
++
++ optional_policy(`
+ nsplugin_role($1_r, $1_usertype)
')
@@ -65048,32 +66465,32 @@ index 4b2878a..fd5c0a5 100644
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
++ ')
++
++ optional_policy(`
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
-+ seunshare_role_template($1, $1_r, $1_t)
- ')
-+
-+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
-+ ')
+ ')
+
')
@@ -65084,17 +66501,15 @@ index 4b2878a..fd5c0a5 100644
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-
-- userdom_manage_tmp_role($1_r, $1_t)
-- userdom_manage_tmpfs_role($1_r, $1_t)
++
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-+
+
+- userdom_manage_tmp_role($1_r, $1_t)
+- userdom_manage_tmpfs_role($1_r, $1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -65102,7 +66517,9 @@ index 4b2878a..fd5c0a5 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -65309,27 +66726,26 @@ index 4b2878a..fd5c0a5 100644
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
-+ ')
+ ')
optional_policy(`
-- consolekit_dbus_chat($1_t)
+- cups_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
++
++ optional_policy(`
+ fprintd_dbus_chat($1_t)
- ')
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++ ')
++ ')
++
++ optional_policy(`
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
@@ -65341,9 +66757,10 @@ index 4b2878a..fd5c0a5 100644
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ rtkit_scheduled($1_usertype)
')
@@ -65454,19 +66871,19 @@ index 4b2878a..fd5c0a5 100644
+
+ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ ')
+
@@ -65525,7 +66942,7 @@ index 4b2878a..fd5c0a5 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,17 +1429,22 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1429,37 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -65549,7 +66966,13 @@ index 4b2878a..fd5c0a5 100644
auth_getattr_shadow($1_t)
# Manage almost all files
-@@ -1141,7 +1456,10 @@ template(`userdom_admin_user_template',`
+- auth_manage_all_files_except_shadow($1_t)
++ files_manage_non_security_files($1_t)
+ # Relabel almost all files
+- auth_relabel_all_files_except_shadow($1_t)
++ files_relabel_non_security_files($1_t)
+
+ init_telinit($1_t)
logging_send_syslog_msg($1_t)
@@ -65579,14 +67002,17 @@ index 4b2878a..fd5c0a5 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1544,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1544,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
+ selinux_read_policy($1)
- auth_relabel_all_files_except_shadow($1)
+- auth_relabel_all_files_except_shadow($1)
++ files_relabel_all_files($1)
auth_relabel_shadow($1)
+
+ init_exec($1)
@@ -1234,13 +1557,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
@@ -65714,14 +67140,13 @@ index 4b2878a..fd5c0a5 100644
##
##
##
-@@ -1334,9 +1680,46 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1680,44 @@ interface(`userdom_setattr_user_ptys',`
##
##
#
-interface(`userdom_create_user_pty',`
+interface(`userdom_attach_admin_tun_iface',`
- gen_require(`
-- type user_devpts_t;
++ gen_require(`
+ attribute admindomain;
+ ')
+
@@ -65758,11 +67183,9 @@ index 4b2878a..fd5c0a5 100644
+##
+#
+interface(`userdom_create_user_pty',`
-+ gen_require(`
-+ type user_devpts_t;
+ gen_require(`
+ type user_devpts_t;
')
-
- term_create_pty($1, user_devpts_t)
@@ -1395,6 +1778,7 @@ interface(`userdom_search_user_home_dirs',`
')
@@ -66528,7 +67951,7 @@ index 4b2878a..fd5c0a5 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3194,3 +3825,1075 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3825,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -66580,7 +68003,8 @@ index 4b2878a..fd5c0a5 100644
+ typeattribute $2 $1_usertype;
+ typeattribute $2 unpriv_userdomain;
+ typeattribute $2 userdomain;
-+
++
++ auth_use_nsswitch($2)
+ ubac_constrained($2)
+')
+
@@ -68034,7 +69458,7 @@ index bdd500c..4719351 100644
define(`admin_pattern',`
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index 22ca011..df6b5de 100644
+index 22ca011..823794e 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
@@ -68046,20 +69470,15 @@ index 22ca011..df6b5de 100644
allow $3 $1:process sigchld;
')
-@@ -34,8 +34,12 @@ define(`domtrans_pattern',`
+@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
domain_auto_transition_pattern($1,$2,$3)
allow $3 $1:fd use;
- allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
allow $3 $1:process sigchld;
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $3 $1:socket_class_set { read write };
-+ ')
')
- #
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index f7380b3..fb62555 100644
--- a/policy/support/obj_perm_sets.spt
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cbff720..b498729 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jul 29 2011 Miroslav Grepl 3.10.0-11
+- More fixes of rules which cause an explosion in rules by Dan Walsh
+
* Tue Jul 26 2011 Miroslav Grepl 3.10.0-10
- Allow rcsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts