diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 89f5679..c3f3910 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10876,7 +10876,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..a226015 100644
+index f962f76..7c3c35b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12776,7 +12776,19 @@ index f962f76..a226015 100644
')
########################################
-@@ -4217,6 +5039,175 @@ interface(`files_read_world_readable_sockets',`
+@@ -4012,6 +4834,11 @@ interface(`files_read_kernel_modules',`
+ allow $1 modules_object_t:dir list_dir_perms;
+ read_files_pattern($1, modules_object_t, modules_object_t)
+ read_lnk_files_pattern($1, modules_object_t, modules_object_t)
++
++ # allow to read module deps because of labeling changed to modules_dep_t
++ optional_policy(`
++ modutils_read_module_deps($1)
++ ')
+ ')
+
+ ########################################
+@@ -4217,6 +5044,175 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -12952,7 +12964,7 @@ index f962f76..a226015 100644
########################################
##
## Allow the specified type to associate
-@@ -4239,6 +5230,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5235,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -12979,7 +12991,7 @@ index f962f76..a226015 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4252,17 +5263,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5268,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -13018,7 +13030,7 @@ index f962f76..a226015 100644
##
##
#
-@@ -4289,6 +5320,8 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5325,8 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -13027,7 +13039,7 @@ index f962f76..a226015 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5358,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5363,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -13035,7 +13047,7 @@ index f962f76..a226015 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5368,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5373,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -13044,7 +13056,7 @@ index f962f76..a226015 100644
##
##
#
-@@ -4346,21 +5380,41 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,21 +5385,41 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -13092,7 +13104,7 @@ index f962f76..a226015 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5456,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5461,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -13125,7 +13137,7 @@ index f962f76..a226015 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,6 +5536,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5541,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -13168,7 +13180,7 @@ index f962f76..a226015 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4474,6 +5590,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5595,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -13229,7 +13241,7 @@ index f962f76..a226015 100644
## List all tmp directories.
##
##
-@@ -4519,7 +5689,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5694,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -13238,7 +13250,7 @@ index f962f76..a226015 100644
##
##
#
-@@ -4579,7 +5749,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5754,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -13247,7 +13259,7 @@ index f962f76..a226015 100644
##
##
#
-@@ -4611,6 +5781,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5786,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -13292,7 +13304,7 @@ index f962f76..a226015 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4664,6 +5872,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5877,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -13309,7 +13321,7 @@ index f962f76..a226015 100644
')
########################################
-@@ -5112,6 +6330,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6335,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
@@ -13334,7 +13346,7 @@ index f962f76..a226015 100644
## Read system.map in the /boot directory.
##
##
-@@ -5241,6 +6477,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6482,24 @@ interface(`files_list_var',`
########################################
##
@@ -13359,7 +13371,7 @@ index f962f76..a226015 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5328,7 +6582,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6587,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -13368,7 +13380,7 @@ index f962f76..a226015 100644
')
########################################
-@@ -5527,6 +6781,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6786,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -13394,7 +13406,7 @@ index f962f76..a226015 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6869,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6874,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -13420,7 +13432,7 @@ index f962f76..a226015 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6933,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6938,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -13429,7 +13441,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -5649,12 +6941,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6946,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -13445,7 +13457,7 @@ index f962f76..a226015 100644
')
########################################
-@@ -5672,6 +6965,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6970,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -13453,7 +13465,7 @@ index f962f76..a226015 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6992,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6997,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -13481,7 +13493,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -5706,13 +7019,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7024,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -13498,7 +13510,7 @@ index f962f76..a226015 100644
')
########################################
-@@ -5731,7 +7043,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7048,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -13507,7 +13519,7 @@ index f962f76..a226015 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +7076,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7081,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -13515,7 +13527,7 @@ index f962f76..a226015 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +7090,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7095,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -13524,7 +13536,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -5787,13 +7098,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7103,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -13559,7 +13571,7 @@ index f962f76..a226015 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7140,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7145,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -13577,7 +13589,7 @@ index f962f76..a226015 100644
')
########################################
-@@ -5834,9 +7164,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7169,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -13588,7 +13600,7 @@ index f962f76..a226015 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7206,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7211,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -13598,7 +13610,7 @@ index f962f76..a226015 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7228,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7233,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -13608,7 +13620,7 @@ index f962f76..a226015 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7265,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7270,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -13618,7 +13630,7 @@ index f962f76..a226015 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7304,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7309,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -13627,7 +13639,7 @@ index f962f76..a226015 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7324,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7329,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -13676,7 +13688,7 @@ index f962f76..a226015 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,6 +7388,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7393,43 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -13720,7 +13732,7 @@ index f962f76..a226015 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6039,7 +7439,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7444,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -13729,7 +13741,7 @@ index f962f76..a226015 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7458,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7463,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -13738,7 +13750,7 @@ index f962f76..a226015 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7478,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7483,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -13747,7 +13759,7 @@ index f962f76..a226015 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7540,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7545,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -13755,7 +13767,7 @@ index f962f76..a226015 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7568,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7573,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -13780,7 +13792,7 @@ index f962f76..a226015 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7599,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7604,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -13789,7 +13801,7 @@ index f962f76..a226015 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7666,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7671,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -13852,7 +13864,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6305,42 +7710,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7715,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -13902,7 +13914,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6348,18 +7746,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7751,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -13926,7 +13938,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6367,37 +7765,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7770,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -13978,7 +13990,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6405,18 +7806,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7811,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -14001,7 +14013,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6424,18 +7824,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7829,18 @@ interface(`files_list_spool',`
##
##
#
@@ -14025,7 +14037,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6443,19 +7843,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7848,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -14050,7 +14062,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6463,109 +7862,62 @@ interface(`files_read_generic_spool',`
+@@ -6463,109 +7867,62 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -14181,7 +14193,7 @@ index f962f76..a226015 100644
##
##
##
-@@ -6573,10 +7925,944 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7930,944 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -15374,7 +15386,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..f1378d6 100644
+index 8416beb..b66e93a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15822,7 +15834,7 @@ index 8416beb..f1378d6 100644
##
##
##
-@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,117 +2085,190 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -15992,93 +16004,83 @@ index 8416beb..f1378d6 100644
-## read, write, and delete files
-## on a FUSEFS filesystem.
+## Unmount a FUSE filesystem.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##
++##
++#
+interface(`fs_unmount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Mounton a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_mounton_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:dir mounton;
- ')
-
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
++')
++
++########################################
++##
+## Search directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_search_fusefs',`
- gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
-+ allow $1 fusefs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
-+## Do not audit attempts to list the contents
-+## of directories on a FUSEFS filesystem.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
++##
+#
-+interface(`fs_dontaudit_list_fusefs',`
++interface(`fs_search_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ dontaudit $1 fusefs_t:dir list_dir_perms;
++ allow $1 fusefs_t:dir search_dir_perms;
+')
+
+########################################
+##
++## Do not audit attempts to list the contents
++## of directories on a FUSEFS filesystem.
+ ##
+ ##
+ ##
+@@ -1996,91 +2276,173 @@ interface(`fs_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
++interface(`fs_dontaudit_list_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
++ dontaudit $1 fusefs_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
##
@@ -16089,20 +16091,21 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_list_hugetlbfs',`
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_manage_fusefs_dirs',`
gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
+ type fusefs_t;
')
-- allow $1 hugetlbfs_t:dir list_dir_perms;
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:dir manage_dir_perms;
')
########################################
##
--## Manage hugetlbfs dirs.
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -16132,20 +16135,20 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_manage_hugetlbfs_dirs',`
+-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_read_fusefs_files',`
gen_require(`
- type hugetlbfs_t;
+ type fusefs_t;
')
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+- allow $1 hugetlbfs_t:filesystem getattr;
+ read_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Read and write hugetlbfs files.
+-## List hugetlbfs.
+## Execute files on a FUSEFS filesystem.
##
##
@@ -16155,69 +16158,58 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_rw_hugetlbfs_files',`
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_exec_fusefs_files',`
gen_require(`
- type hugetlbfs_t;
+ type fusefs_t;
')
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ exec_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Allow the type to associate to hugetlbfs filesystems.
+-## Manage hugetlbfs dirs.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
--##
++##
+##
- ##
--## The type of the object to be associated.
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
++##
++##
++#
+interface(`fs_fusefs_entry_type',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
++ ')
++
+ domain_entry_file($1, fusefs_t)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++')
++
++########################################
++##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
++##
++##
++#
+interface(`fs_fusefs_entrypoint',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
+ allow $1 fusefs_t:file entrypoint;
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
##
@@ -16228,85 +16220,87 @@ index 8416beb..f1378d6 100644
##
+##
#
--interface(`fs_list_inotifyfs',`
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_manage_fusefs_files',`
gen_require(`
-- type inotifyfs_t;
+- type hugetlbfs_t;
+ type fusefs_t;
')
-- allow $1 inotifyfs_t:dir list_dir_perms;
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ manage_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Dontaudit List inotifyfs filesystem.
+-## Read and write hugetlbfs files.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_manage_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:file manage_file_perms;
++')
++
++########################################
++##
++## Read symbolic links on a FUSEFS filesystem.
##
##
##
-@@ -2160,53 +2432,626 @@ interface(`fs_list_inotifyfs',`
+@@ -2088,53 +2450,100 @@ interface(`fs_manage_hugetlbfs_dirs',`
##
##
#
--interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
+-interface(`fs_rw_hugetlbfs_files',`
++interface(`fs_read_fusefs_symlinks',`
gen_require(`
-- type inotifyfs_t;
+- type hugetlbfs_t;
+ type fusefs_t;
')
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+ dontaudit $1 fusefs_t:file manage_file_perms;
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ allow $1 fusefs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
-+## Read symbolic links on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`fs_read_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+-## Allow the type to associate to hugetlbfs filesystems.
+## Manage symbolic links on a FUSEFS filesystem.
-+##
+ ##
+-##
+##
##
--## The type of the object to be created.
+-## The type of the object to be associated.
+## Domain allowed access.
##
##
--##
-+#
+ #
+-interface(`fs_associate_hugetlbfs',`
+interface(`fs_manage_fusefs_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
+## Execute a file on a FUSE filesystem
+## in the specified domain.
+##
@@ -16330,15 +16324,12 @@ index 8416beb..f1378d6 100644
+##
+##
+##
- ##
--## The object class of the object being created.
++##
+## Domain allowed to transition.
- ##
- ##
--##
++##
++##
+##
- ##
--## The name of the object being created.
++##
+## The type of the new process.
+##
+##
@@ -16355,61 +16346,75 @@ index 8416beb..f1378d6 100644
+########################################
+##
+## Get the attributes of a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_search_inotifyfs',`
+interface(`fs_getattr_fusefs',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
+ allow $1 fusefs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
+## Get the attributes of an hugetlbfs
+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2142,71 +2551,527 @@ interface(`fs_search_inotifyfs',`
+ ##
+ ##
+ #
+-interface(`fs_list_inotifyfs',`
+interface(`fs_getattr_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 hugetlbfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## List hugetlbfs.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_list_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 hugetlbfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
+## Manage hugetlbfs dirs.
+##
+##
@@ -16867,19 +16872,55 @@ index 8416beb..f1378d6 100644
+##
+##
+## Domain allowed access.
++##
++##
++#
++interface(`fs_delete_kdbus_dirs', `
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
++')
++
++########################################
++##
++## Manage kdbusfs directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
##
##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
#
-interface(`fs_hugetlbfs_filetrans',`
-+interface(`fs_delete_kdbus_dirs', `
++interface(`fs_manage_kdbus_dirs',`
gen_require(`
- type hugetlbfs_t;
+- ')
+ type kdbusfs_t;
- ')
- allow $2 hugetlbfs_t:filesystem associate;
- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++ ')
++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
@@ -16888,24 +16929,25 @@ index 8416beb..f1378d6 100644
##
-## Mount an iso9660 filesystem, which
-## is usually used on CDs.
-+## Manage kdbusfs directories.
++## Read kdbusfs files.
##
##
##
-@@ -2214,19 +3059,19 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3079,21 @@ interface(`fs_hugetlbfs_filetrans',`
##
##
#
-interface(`fs_mount_iso9660_fs',`
-+interface(`fs_manage_kdbus_dirs',`
++interface(`fs_read_kdbus_files',`
gen_require(`
- type iso9660_t;
-- ')
-+ type kdbusfs_t;
++ type cgroup_t;
++
+ ')
- allow $1 iso9660_t:filesystem mount;
-+ ')
-+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
++ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
@@ -16915,25 +16957,23 @@ index 8416beb..f1378d6 100644
-## Remount an iso9660 filesystem, which
-## is usually used on CDs. This allows
-## some mount options to be changed.
-+## Read kdbusfs files.
++## Write kdbusfs files.
##
##
##
-@@ -2234,18 +3079,21 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3101,19 @@ interface(`fs_mount_iso9660_fs',`
##
##
#
-interface(`fs_remount_iso9660_fs',`
-+interface(`fs_read_kdbus_files',`
++interface(`fs_write_kdbus_files', `
gen_require(`
- type iso9660_t;
-+ type cgroup_t;
-+
++ type kdbusfs_t;
')
- allow $1 iso9660_t:filesystem remount;
-+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
@@ -16942,23 +16982,25 @@ index 8416beb..f1378d6 100644
##
-## Unmount an iso9660 filesystem, which
-## is usually used on CDs.
-+## Write kdbusfs files.
++## Read and write kdbusfs files.
##
##
##
-@@ -2253,38 +3101,61 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,38 +3121,41 @@ interface(`fs_remount_iso9660_fs',`
##
##
#
-interface(`fs_unmount_iso9660_fs',`
-+interface(`fs_write_kdbus_files', `
++interface(`fs_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
++
')
- allow $1 iso9660_t:filesystem unmount;
-+ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
@@ -16967,54 +17009,33 @@ index 8416beb..f1378d6 100644
##
-## Get the attributes of an iso9660
-## filesystem, which is usually used on CDs.
-+## Read and write kdbusfs files.
++## Do not audit attempts to open,
++## get attributes, read and write
++## cgroup files.
##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-##
#
-interface(`fs_getattr_iso9660_fs',`
-+interface(`fs_rw_kdbus_files',`
++interface(`fs_dontaudit_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
-+
')
- allow $1 iso9660_t:filesystem getattr;
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
++ dontaudit $1 kdbusfs_t:file rw_file_perms;
')
########################################
##
-## Read files on an iso9660 filesystem, which
-## is usually used on CDs.
-+## Do not audit attempts to open,
-+## get attributes, read and write
-+## cgroup files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_rw_kdbus_files',`
-+ gen_require(`
-+ type kdbusfs_t;
-+ ')
-+
-+ dontaudit $1 kdbusfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
+## Manage kdbusfs files.
##
##
@@ -17416,79 +17437,47 @@ index 8416beb..f1378d6 100644
##
##
##
-@@ -3743,25 +4807,61 @@ interface(`fs_getattr_rpc_pipefs',`
-
- #########################################
- ##
--## Read and write RPC pipe filesystem named pipes.
-+## Read and write RPC pipe filesystem named pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_rpc_named_pipes',`
+@@ -3769,17 +4833,53 @@ interface(`fs_rw_rpc_named_pipes',`
+ ##
+ ##
+ #
+-interface(`fs_mount_tmpfs',`
++interface(`fs_mount_tmpfs',`
+ gen_require(`
-+ type rpc_pipefs_t;
++ type tmpfs_t;
+ ')
+
-+ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
++ allow $1 tmpfs_t:filesystem mount;
+')
+
+########################################
+##
-+## Mount a tmpfs filesystem.
++## Dontaudit remount a tmpfs filesystem.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`fs_mount_tmpfs',`
++interface(`fs_dontaudit_remount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:filesystem mount;
++ dontaudit $1 tmpfs_t:filesystem remount;
+')
+
+########################################
+##
-+## Dontaudit remount a tmpfs filesystem.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_rw_rpc_named_pipes',`
-+interface(`fs_dontaudit_remount_tmpfs',`
- gen_require(`
-- type rpc_pipefs_t;
-+ type tmpfs_t;
- ')
-
-- allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1 tmpfs_t:filesystem remount;
- ')
-
- ########################################
- ##
--## Mount a tmpfs filesystem.
+## Remount a tmpfs filesystem.
- ##
- ##
- ##
-@@ -3769,17 +4869,17 @@ interface(`fs_rw_rpc_named_pipes',`
- ##
- ##
- #
--interface(`fs_mount_tmpfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_remount_tmpfs',`
gen_require(`
type tmpfs_t;
@@ -17934,7 +17923,7 @@ index 8416beb..f1378d6 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6218,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6218,63 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -17978,6 +17967,26 @@ index 8416beb..f1378d6 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
++
++#######################################
++##
++## Read files in efivarfs
++## - contains Linux Kernel configuration options for UEFI systems
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_read_efivarfs_files',`
++ gen_require(`
++ type efivarfs_t;
++ ')
++
++ read_files_pattern($1, efivarfs_t, efivarfs_t)
++')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d1738..3e3ed4e 100644
--- a/policy/modules/kernel/filesystem.te
@@ -28263,7 +28272,7 @@ index 6bf0ecc..b036584 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..8c77595 100644
+index 8b40377..69be4cf 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -28611,13 +28620,13 @@ index 8b40377..8c77595 100644
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
- ')
-
- optional_policy(`
-+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+')
+
+optional_policy(`
++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+ ')
+
+ optional_policy(`
+ ssh_use_ptys(xauth_t)
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
@@ -29107,17 +29116,18 @@ index 8b40377..8c77595 100644
')
optional_policy(`
-@@ -517,9 +891,34 @@ optional_policy(`
- optional_policy(`
+@@ -518,8 +892,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
-+
+
++ dbus_session_bus_client(xdm_t)
++ dbus_connect_session_bus(xdm_t)
++
+ optional_policy(`
+ accountsd_dbus_chat(xdm_t)
+ ')
-
- optional_policy(`
-- accountsd_dbus_chat(xdm_t)
++
++ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
@@ -29125,7 +29135,8 @@ index 8b40377..8c77595 100644
+ cpufreqselector_dbus_chat(xdm_t)
+ ')
+
-+ optional_policy(`
+ optional_policy(`
+- accountsd_dbus_chat(xdm_t)
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
@@ -29143,7 +29154,7 @@ index 8b40377..8c77595 100644
')
')
-@@ -530,6 +929,20 @@ optional_policy(`
+@@ -530,6 +932,20 @@ optional_policy(`
')
optional_policy(`
@@ -29164,7 +29175,7 @@ index 8b40377..8c77595 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +960,78 @@ optional_policy(`
+@@ -547,28 +963,78 @@ optional_policy(`
')
optional_policy(`
@@ -29252,7 +29263,7 @@ index 8b40377..8c77595 100644
')
optional_policy(`
-@@ -580,6 +1043,14 @@ optional_policy(`
+@@ -580,6 +1046,14 @@ optional_policy(`
')
optional_policy(`
@@ -29267,7 +29278,7 @@ index 8b40377..8c77595 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1065,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1068,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -29276,7 +29287,7 @@ index 8b40377..8c77595 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1075,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1078,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -29289,7 +29300,7 @@ index 8b40377..8c77595 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1092,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1095,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -29305,7 +29316,7 @@ index 8b40377..8c77595 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1108,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1111,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -29316,7 +29327,7 @@ index 8b40377..8c77595 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1123,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1126,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -29353,7 +29364,7 @@ index 8b40377..8c77595 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1169,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1172,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -29385,7 +29396,7 @@ index 8b40377..8c77595 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1202,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1205,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -29400,7 +29411,7 @@ index 8b40377..8c77595 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1223,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1226,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -29424,7 +29435,7 @@ index 8b40377..8c77595 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1242,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1245,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -29433,7 +29444,7 @@ index 8b40377..8c77595 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1286,54 @@ optional_policy(`
+@@ -785,17 +1289,54 @@ optional_policy(`
')
optional_policy(`
@@ -29490,7 +29501,7 @@ index 8b40377..8c77595 100644
')
optional_policy(`
-@@ -803,6 +1341,10 @@ optional_policy(`
+@@ -803,6 +1344,10 @@ optional_policy(`
')
optional_policy(`
@@ -29501,7 +29512,7 @@ index 8b40377..8c77595 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1360,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1363,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -29526,7 +29537,7 @@ index 8b40377..8c77595 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1383,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1386,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -29561,7 +29572,7 @@ index 8b40377..8c77595 100644
')
optional_policy(`
-@@ -912,7 +1448,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1451,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -29570,7 +29581,7 @@ index 8b40377..8c77595 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1502,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1505,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -29602,7 +29613,7 @@ index 8b40377..8c77595 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1548,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1551,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -39089,7 +39100,7 @@ index 9933677..0b9c20a 100644
+
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..23bbbf2 100644
+index 7449974..f32a37c 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@@ -39217,7 +39228,7 @@ index 7449974..23bbbf2 100644
')
########################################
-@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +414,43 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
@@ -39240,8 +39251,26 @@ index 7449974..23bbbf2 100644
+
+ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
+ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
++
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
++')
++
++
++
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7a363b8..3f02a36 100644
@@ -43134,10 +43163,10 @@ index a392fc4..30cf590 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..a03b5ee
+index 0000000..66b8608
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,55 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+
@@ -43157,6 +43186,7 @@ index 0000000..a03b5ee
+
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
@@ -43168,6 +43198,7 @@ index 0000000..a03b5ee
+/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
++/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
@@ -43176,6 +43207,7 @@ index 0000000..a03b5ee
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
++/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
+/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
+/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
+/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
@@ -43187,14 +43219,15 @@ index 0000000..a03b5ee
+/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
+/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
-+/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
++/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
++/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..cde0261
+index 0000000..4f142e9
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1497 @@
+@@ -0,0 +1,1615 @@
+## SELinux policy for systemd components
+
+######################################
@@ -44692,12 +44725,130 @@ index 0000000..cde0261
+
+ dontaudit $1 systemd_domain:dbus send_msg;
+')
++
++######################################
++##
++## Read systemd-machined PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_machined_read_pid_files',`
++ gen_require(`
++ type systemd_machined_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
++ read_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
++')
++
++######################################
++##
++## Manage systemd-machined PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_machined_manage_pid_files',`
++ gen_require(`
++ type systemd_machined_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
++ manage_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
++')
++
++######################################
++##
++## List systemd-machined PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_machined_list_pid_dirs',`
++ gen_require(`
++ type systemd_machined_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
++')
++
++
++
++########################################
++##
++## Search systemd-machined lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_machined_search_lib',`
++ gen_require(`
++ type systemd_machined_var_lib_t;
++ ')
++
++ allow $1 systemd_machined_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read systemd-machined lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_machined_read_lib_files',`
++ gen_require(`
++ type systemd_machined_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
++')
++
++########################################
++##
++## Manage systemd-machined lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_machined_manage_lib_files',`
++ gen_require(`
++ type systemd_machined_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
++')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..8209291
+index 0000000..0920911
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,725 @@
+@@ -0,0 +1,775 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -44785,6 +44936,20 @@ index 0000000..8209291
+
+systemd_domain_template(systemd_sysctl)
+
++#domain for systemd-machined
++systemd_domain_template(systemd_machined)
++
++type systemd_machined_unit_file_t;
++systemd_unit_file(systemd_machined_unit_file_t)
++
++# /run/systemd/machines
++type systemd_machined_var_run_t;
++files_pid_file(systemd_machined_var_run_t)
++
++# /var/lib/machines
++type systemd_machined_var_lib_t;
++files_type(systemd_machined_var_lib_t)
++
+#######################################
+#
+# Systemd_logind local policy
@@ -44806,6 +44971,9 @@ index 0000000..8209291
+fs_mount_tmpfs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
++
++fs_read_efivarfs_files(systemd_logind_t)
++
+fs_manage_fusefs_dirs(systemd_logind_t)
+fs_manage_fusefs_files(systemd_logind_t)
+
@@ -44939,6 +45107,39 @@ index 0000000..8209291
+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
+')
+
++########################################
++#
++# systemd_machined local policy
++#
++
++allow systemd_machined_t self:capability sys_ptrace;
++allow systemd_machined_t systemd_unit_file_t:service { status start };
++allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
++manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
++manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
++init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
++
++manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
++manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
++manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
++init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
++
++kernel_dgram_send(systemd_machined_t)
++
++init_dbus_chat(systemd_machined_t)
++init_status(systemd_machined_t)
++
++optional_policy(`
++ dbus_connect_system_bus(systemd_machined_t)
++ dbus_system_bus_client(systemd_machined_t)
++')
++
++optional_policy(`
++ virt_dbus_chat(systemd_machined_t)
++')
++
+#######################################
+#
+# systemd-networkd local policy
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 599054e..45300a0 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -7985,7 +7985,7 @@ index 1a7a97e..2c7252a 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 7fd431b..e9c4c5a 100644
+index 7fd431b..41f2a57 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@@ -8014,7 +8014,7 @@ index 7fd431b..e9c4c5a 100644
domain_use_interactive_fds(apm_t)
-@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t)
+@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
@@ -8025,7 +8025,11 @@ index 7fd431b..e9c4c5a 100644
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
-@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
++allow apmd_t self:netlink_generic_socket create_socket_perms;
+ allow apmd_t self:unix_stream_socket { accept listen };
+
+ allow apmd_t apmd_lock_t:file manage_file_perms;
+@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
@@ -8033,7 +8037,7 @@ index 7fd431b..e9c4c5a 100644
dev_read_input(apmd_t)
dev_read_mouse(apmd_t)
-@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
fs_dontaudit_getattr_all_symlinks(apmd_t)
fs_dontaudit_getattr_all_pipes(apmd_t)
fs_dontaudit_getattr_all_sockets(apmd_t)
@@ -8043,7 +8047,7 @@ index 7fd431b..e9c4c5a 100644
corecmd_exec_all_executables(apmd_t)
-@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
@@ -8052,7 +8056,7 @@ index 7fd431b..e9c4c5a 100644
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
-@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
@@ -8072,7 +8076,7 @@ index 7fd431b..e9c4c5a 100644
optional_policy(`
automount_domtrans(apmd_t)
-@@ -206,11 +210,15 @@ optional_policy(`
+@@ -206,11 +211,15 @@ optional_policy(`
')
optional_policy(`
@@ -68616,10 +68620,10 @@ index 0000000..1fa6db2
+')
diff --git a/pkcs11proxyd.te b/pkcs11proxyd.te
new file mode 100644
-index 0000000..6b49e41
+index 0000000..a2cb118
--- /dev/null
+++ b/pkcs11proxyd.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,42 @@
+policy_module(pkcs11proxyd, 1.0.0)
+
+########################################
@@ -68644,6 +68648,7 @@ index 0000000..6b49e41
+#
+# pkcs11proxyd local policy
+#
++
+allow pkcs11proxyd_t self:capability { kill setuid setgid };
+allow pkcs11proxyd_t self:process { getpgid setpgid };
+
@@ -68655,10 +68660,10 @@ index 0000000..6b49e41
+manage_sock_files_pattern(pkcs11proxyd_t, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t)
+files_pid_filetrans(pkcs11proxyd_t, pkcs11proxyd_var_run_t, { sock_file })
+
-+auth_use_nsswitch(pkcs11proxyd_t)
-+
+dev_read_urand(pkcs11proxyd_t)
+
++auth_use_nsswitch(pkcs11proxyd_t)
++
+logging_send_syslog_msg(pkcs11proxyd_t)
+
diff --git a/pki.fc b/pki.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 673e3de..669d7e2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 149%{?dist}
+Release: 150%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -656,6 +656,20 @@ exit 0
%endif
%changelog
+* Fri Oct 02 2015 Lukas Vrabec 3.13.1-150
+- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
+- Clean up pkcs11proxyd policy.
+- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
+- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
+- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
+- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
+- Update modules_filetrans_named_content() interface to cover more modules.* files.
+- New policy for systemd-machined. #1255305
+- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
+- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
+- Merge pull request #42 from vmojzis/rawhide-base
+- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
+
* Tue Sep 29 2015 Lukas Vrabec 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon