##
-@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +5056,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -8322,7 +8341,7 @@ index 76f285e..6843613 100644
## Getattr generic the USB devices.
##
##
-@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5085,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -8331,149 +8350,33 @@ index 76f285e..6843613 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',`
- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
- ')
-
--########################################
-+######################################
- ##
--## Get the attributes of video4linux devices.
-+## Read and write userio device.
- ##
- ##
- ##
-@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',`
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_rw_userio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, userio_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
- ')
-
--######################################
-+########################################
- ##
--## Read and write userio device.
-+## Get the attributes of video4linux devices.
- ##
- ##
- ##
-@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_getattr_video_dev',`
- gen_require(`
-- type device_t, userio_device_t;
-+ type device_t, v4l_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
-@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',`
-
- ########################################
- ##
--## Allow read/write the vhost net device
-+## Get the attributes of vfio devices.
- ##
- ##
- ##
-@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_vhost',`
-+interface(`dev_getattr_vfio_dev',`
- gen_require(`
-- type device_t, vhost_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vhost_device_t)
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
+@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',`
########################################
##
--## Read and write VMWare devices.
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_rw_vmware',`
-+interface(`dev_dontaudit_getattr_vfio_dev',`
- gen_require(`
-- type device_t, vmware_device_t;
-+ type vfio_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vmware_device_t)
-+ dontaudit $1 vfio_device_t:chr_file getattr;
- ')
-
- ########################################
- ##
--## Read, write, and mmap VMWare devices.
-+## Set the attributes of vfio device nodes.
- ##
- ##
- ##
-@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',`
- ##
- ##
- #
--interface(`dev_rwx_vmware',`
-+interface(`dev_setattr_vfio_dev',`
- gen_require(`
-- type device_t, vmware_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- dev_rw_vmware($1)
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
+-## Allow caller to get a list of usb hardware.
++## Allow caller to get a list of usb hardware.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_setattr_vfio_dev',`
++interface(`dev_list_usbfs',`
+ gen_require(`
-+ type vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ dontaudit $1 vfio_device_t:chr_file setattr;
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ getattr_files_pattern($1, usbfs_t, usbfs_t)
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Read the vfio devices.
++## Set the attributes of usbfs filesystem.
+##
+##
+##
@@ -8481,17 +8384,19 @@ index 76f285e..6843613 100644
+##
+##
+#
-+interface(`dev_read_vfio_dev',`
++interface(`dev_setattr_usbfs_files',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
++ setattr_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Write the vfio devices.
++## Read USB hardware information using
++## the usbfs filesystem interface.
+##
+##
+##
@@ -8499,17 +8404,19 @@ index 76f285e..6843613 100644
+##
+##
+#
-+interface(`dev_write_vfio_dev',`
++interface(`dev_read_usbfs',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
++ read_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Read and write the VFIO devices.
++## Allow caller to modify usb hardware configuration files.
+##
+##
+##
@@ -8517,17 +8424,19 @@ index 76f285e..6843613 100644
+##
+##
+#
-+interface(`dev_rw_vfio_dev',`
++interface(`dev_rw_usbfs',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ rw_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+')
+
-+########################################
++######################################
+##
-+## Allow read/write the vhost net device
++## Read and write userio device.
+##
+##
+##
@@ -8535,17 +8444,17 @@ index 76f285e..6843613 100644
+##
+##
+#
-+interface(`dev_rw_vhost',`
++interface(`dev_rw_userio_dev',`
+ gen_require(`
-+ type device_t, vhost_device_t;
++ type device_t, userio_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
+########################################
+##
-+## Allow read/write inheretid the vhost net device
++## Get the attributes of video4linux devices.
+##
+##
+##
@@ -8553,35 +8462,36 @@ index 76f285e..6843613 100644
+##
+##
+#
-+interface(`dev_rw_inherited_vhost',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
-+ type device_t, vhost_device_t;
++ type device_t, v4l_device_t;
+ ')
+
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+')
+
+########################################
+##
-+## Read and write VMWare devices.
++## Do not audit attempts to get the attributes
++## of video4linux device nodes.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_rw_vmware',`
++interface(`dev_dontaudit_getattr_video_dev',`
+ gen_require(`
-+ type device_t, vmware_device_t;
++ type v4l_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, vmware_device_t)
++ dontaudit $1 v4l_device_t:chr_file getattr;
+')
+
+########################################
+##
-+## Read, write, and mmap VMWare devices.
++## Set the attributes of video4linux device nodes.
+##
+##
+##
@@ -8589,16 +8499,296 @@ index 76f285e..6843613 100644
+##
+##
+#
-+interface(`dev_rwx_vmware',`
++interface(`dev_setattr_video_dev',`
+ gen_require(`
-+ type device_t, vmware_device_t;
++ type device_t, v4l_device_t;
+ ')
+
-+ dev_rw_vmware($1)
- allow $1 vmware_device_t:chr_file execute;
++ setattr_chr_files_pattern($1, device_t, v4l_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of video4linux device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type v4l_device_t;
+ ')
+
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- getattr_files_pattern($1, usbfs_t, usbfs_t)
+-
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 v4l_device_t:chr_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of usbfs filesystem.
++## Read the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4359,19 +5473,17 @@ interface(`dev_list_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- setattr_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, v4l_device_t)
')
-@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',`
+ ########################################
+ ##
+-## Read USB hardware information using
+-## the usbfs filesystem interface.
++## Write the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4379,19 +5491,17 @@ interface(`dev_setattr_usbfs_files',`
+ ##
+ ##
+ #
+-interface(`dev_read_usbfs',`
++interface(`dev_write_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- read_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to modify usb hardware configuration files.
++## Get the attributes of vfio devices.
+ ##
+ ##
+ ##
+@@ -4399,37 +5509,36 @@ interface(`dev_read_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_usbfs',`
++interface(`dev_getattr_vfio_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
+- rw_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of video4linux devices.
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type vfio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ dontaudit $1 vfio_device_t:chr_file getattr;
+ ')
+
+-######################################
++########################################
+ ##
+-## Read and write userio device.
++## Set the attributes of vfio device nodes.
+ ##
+ ##
+ ##
+@@ -4437,18 +5546,18 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_setattr_vfio_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of video4linux device nodes.
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
+ ##
+ ##
+ ##
+@@ -4456,17 +5565,17 @@ interface(`dev_rw_userio_dev',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_video_dev',`
++interface(`dev_dontaudit_setattr_vfio_dev',`
+ gen_require(`
+- type v4l_device_t;
++ type vfio_device_t;
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file getattr;
++ dontaudit $1 vfio_device_t:chr_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of video4linux device nodes.
++## Read the vfio devices.
+ ##
+ ##
+ ##
+@@ -4474,36 +5583,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_video_dev',`
++interface(`dev_read_vfio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- setattr_chr_files_pattern($1, device_t, v4l_device_t)
++ read_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to set the attributes
+-## of video4linux device nodes.
++## Write the vfio devices.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_setattr_video_dev',`
++interface(`dev_write_vfio_dev',`
+ gen_require(`
+- type v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file setattr;
++ write_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read the video4linux devices.
++## Read and write the VFIO devices.
+ ##
+ ##
+ ##
+@@ -4511,17 +5619,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_video_dev',`
++interface(`dev_rw_vfio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Write the video4linux devices.
++## Allow read/write the vhost net device
+ ##
+ ##
+ ##
+@@ -4529,17 +5637,17 @@ interface(`dev_read_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_write_video_dev',`
++interface(`dev_rw_vhost',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vhost_device_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+ ')
+
+ ########################################
+ ##
+-## Allow read/write the vhost net device
++## Allow read/write inheretid the vhost net device
+ ##
+ ##
+ ##
+@@ -4547,12 +5655,12 @@ interface(`dev_write_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vhost_device_t)
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -4630,6 +5738,24 @@ interface(`dev_write_watchdog',`
########################################
##
@@ -8623,7 +8813,7 @@ index 76f285e..6843613 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5888,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -8668,7 +8858,7 @@ index 76f285e..6843613 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5996,1022 @@ interface(`dev_unconfined',`
+@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -46841,7 +47031,7 @@ index 2cea692..e3cb4f2 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..518cf50 100644
+index a392fc4..b01eb22 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -47240,7 +47430,7 @@ index a392fc4..518cf50 100644
')
optional_policy(`
-@@ -371,3 +497,13 @@ optional_policy(`
+@@ -371,3 +497,17 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -47250,6 +47440,10 @@ index a392fc4..518cf50 100644
+')
+
+optional_policy(`
++ tlp_manage_pid_files(ifconfig_t)
++')
++
++optional_policy(`
+ tunable_policy(`dhcpc_exec_iptables',`
+ iptables_domtrans(dhcpc_t)
+ ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 811c8b8..d5c2491 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -87708,7 +87708,7 @@ index c8bdea2..8ad3e01 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..943fd8b 100644
+index 6cf79c4..4538e45 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -87747,7 +87747,7 @@ index 6cf79c4..943fd8b 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -44,34 +73,284 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,288 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
@@ -87957,6 +87957,10 @@ index 6cf79c4..943fd8b 100644
+')
+
+optional_policy(`
++ fprintd_dbus_chat(cluster_t)
++')
++
++optional_policy(`
+ ldap_systemctl(cluster_t)
+')
+
@@ -88036,7 +88040,7 @@ index 6cf79c4..943fd8b 100644
')
#####################################
-@@ -79,13 +358,14 @@ optional_policy(`
+@@ -79,13 +362,14 @@ optional_policy(`
# dlm_controld local policy
#
@@ -88053,7 +88057,7 @@ index 6cf79c4..943fd8b 100644
kernel_rw_net_sysctls(dlm_controld_t)
corecmd_exec_bin(dlm_controld_t)
-@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +382,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -88087,7 +88091,7 @@ index 6cf79c4..943fd8b 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +416,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -88099,7 +88103,7 @@ index 6cf79c4..943fd8b 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +437,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
corenet_sendrecv_zented_server_packets(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
@@ -88108,7 +88112,7 @@ index 6cf79c4..943fd8b 100644
corenet_tcp_sendrecv_zented_port(fenced_t)
corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +443,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +447,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -88120,7 +88124,7 @@ index 6cf79c4..943fd8b 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +454,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +458,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -88129,7 +88133,7 @@ index 6cf79c4..943fd8b 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +476,8 @@ optional_policy(`
+@@ -182,7 +480,8 @@ optional_policy(`
')
optional_policy(`
@@ -88139,7 +88143,7 @@ index 6cf79c4..943fd8b 100644
')
optional_policy(`
-@@ -190,12 +485,17 @@ optional_policy(`
+@@ -190,12 +489,17 @@ optional_policy(`
')
optional_policy(`
@@ -88158,7 +88162,7 @@ index 6cf79c4..943fd8b 100644
')
optional_policy(`
-@@ -203,6 +503,21 @@ optional_policy(`
+@@ -203,6 +507,21 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -88180,7 +88184,7 @@ index 6cf79c4..943fd8b 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +536,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +540,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -88205,7 +88209,7 @@ index 6cf79c4..943fd8b 100644
snmp_stream_connect(foghorn_t)
')
-@@ -247,16 +568,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +572,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -88227,7 +88231,7 @@ index 6cf79c4..943fd8b 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +600,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +604,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -88287,7 +88291,7 @@ index 6cf79c4..943fd8b 100644
######################################
#
# qdiskd local policy
-@@ -292,7 +664,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +668,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
@@ -88295,7 +88299,7 @@ index 6cf79c4..943fd8b 100644
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
-@@ -321,6 +692,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +696,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -109009,6 +109013,267 @@ index 97cd155..49321a5 100644
files_search_tmp(timidity_t)
fs_search_auto_mountpoints(timidity_t)
+diff --git a/tlp.fc b/tlp.fc
+new file mode 100644
+index 0000000..8b8cf4a
+--- /dev/null
++++ b/tlp.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*)) -- gen_context(system_u:object_r:tlp_unit_file_t,s0)
++
++/usr/sbin/tlp -- gen_context(system_u:object_r:tlp_exec_t,s0)
++
++/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0)
+diff --git a/tlp.if b/tlp.if
+new file mode 100644
+index 0000000..46f12a4
+--- /dev/null
++++ b/tlp.if
+@@ -0,0 +1,184 @@
++
++## policy for tlp
++
++########################################
++##
++## Execute tlp_exec_t in the tlp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`tlp_domtrans',`
++ gen_require(`
++ type tlp_t, tlp_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, tlp_exec_t, tlp_t)
++')
++
++######################################
++##
++## Execute tlp in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tlp_exec',`
++ gen_require(`
++ type tlp_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, tlp_exec_t)
++')
++
++########################################
++##
++## Search tlp conf directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tlp_search_conf',`
++ gen_require(`
++ type tlp_etc_rw_t;
++ ')
++
++ allow $1 tlp_etc_rw_t:dir search_dir_perms;
++ files_search_etc($1)
++')
++
++########################################
++##
++## Read tlp conf files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tlp_read_conf_files',`
++ gen_require(`
++ type tlp_etc_rw_t;
++ ')
++
++ allow $1 tlp_etc_rw_t:dir list_dir_perms;
++ read_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
++ files_search_etc($1)
++')
++
++########################################
++##
++## Manage tlp conf files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tlp_manage_conf_files',`
++ gen_require(`
++ type tlp_etc_rw_t;
++ ')
++
++ manage_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
++ files_search_etc($1)
++')
++
++########################################
++##
++## Execute tlp server in the tlp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`tlp_systemctl',`
++ gen_require(`
++ type tlp_t;
++ type tlp_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 tlp_unit_file_t:file read_file_perms;
++ allow $1 tlp_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, tlp_t)
++')
++
++########################################
++##
++## Read all dbus pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tlp_manage_pid_files',`
++ gen_require(`
++ type tlp_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an tlp environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`tlp_admin',`
++ gen_require(`
++ type tlp_t;
++ type tlp_etc_rw_t;
++ type tlp_unit_file_t;
++ ')
++
++ allow $1 tlp_t:process { signal_perms };
++ ps_process_pattern($1, tlp_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tlp_t:process ptrace;
++ ')
++
++ files_search_etc($1)
++ admin_pattern($1, tlp_etc_rw_t)
++
++ tlp_systemctl($1)
++ admin_pattern($1, tlp_unit_file_t)
++ allow $1 tlp_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/tlp.te b/tlp.te
+new file mode 100644
+index 0000000..7c81c68
+--- /dev/null
++++ b/tlp.te
+@@ -0,0 +1,54 @@
++policy_module(tlp, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type tlp_t;
++type tlp_exec_t;
++init_daemon_domain(tlp_t, tlp_exec_t)
++
++type tlp_var_run_t;
++files_pid_file(tlp_var_run_t)
++
++type tlp_unit_file_t;
++systemd_unit_file(tlp_unit_file_t)
++
++########################################
++#
++# tlp local policy
++#
++allow tlp_t self:capability { net_admin sys_rawio };
++allow tlp_t self:unix_stream_socket create_stream_socket_perms;
++allow tlp_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
++manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
++files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
++
++kernel_read_system_state(tlp_t)
++kernel_read_fs_sysctls(tlp_t)
++kernel_rw_fs_sysctls(tlp_t)
++kernel_rw_kernel_sysctl(tlp_t)
++kernel_rw_vm_sysctls(tlp_t)
++
++auth_read_passwd(tlp_t)
++
++corecmd_exec_bin(tlp_t)
++
++dev_list_sysfs(tlp_t)
++dev_manage_sysfs(tlp_t)
++
++files_read_kernel_modules(tlp_t)
++
++modutils_exec_insmod(tlp_t)
++modutils_read_module_config(tlp_t)
++
++storage_raw_read_fixed_disk(tlp_t)
++
++sysnet_exec_ifconfig(tlp_t)
++
++optional_policy(`
++ fstools_exec(tlp_t)
++')
diff --git a/tmpreaper.te b/tmpreaper.te
index 585a77f..a7cb326 100644
--- a/tmpreaper.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4cd8e74..0c11cd7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 225%{?dist}
+Release: 226%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,11 @@ exit 0
%endif
%changelog
+* Wed Nov 16 2016 Lukas Vrabec - 3.13.1-226
+- Adding policy for tlp
+- Add interface dev_manage_sysfs()
+- Allow ifconfig domain to manage tlp pid files.
+
* Wed Nov 09 2016 Lukas Vrabec - 3.13.1-225
- Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373)