diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 70897dc..e913e25 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -117646,7 +117646,7 @@ index c2c6e05..d0e6d1c 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..e9ebe7b 100644
+index 64ff4d7..f67e6ba 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -119407,7 +119407,7 @@ index 64ff4d7..e9ebe7b 100644
##
##
##
-@@ -6425,7 +7122,252 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,7 +7122,273 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -119572,6 +119572,27 @@ index 64ff4d7..e9ebe7b 100644
+
+########################################
+##
++## Relabel to and from all spool
++## directory types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabel_all_spool_dirs',`
++ gen_require(`
++ attribute spoolfile;
++ type var_t;
++ ')
++
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
++')
++
++########################################
++##
+## Search the contents of generic spool
+## directories (/var/spool).
+##
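Review bot: `type var_t;` in the gen_require of files_relabel_all_spool_dirs is never referenced by the body — `relabel_dirs_pattern($1, spoolfile, spoolfile)` uses only the attribute — so the require should be trimmed to `attribute spoolfile;`. An unused require still makes the interface fail to build wherever that type is absent and misstates what the interface depends on. Since the relabelfrom/relabelto pair covers every type carrying the attribute, the description could say so outright: `## Relabel to and from all spool directory types (every type with the spoolfile attribute).`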
@@ -119661,7 +119682,7 @@ index 64ff4d7..e9ebe7b 100644
gen_require(`
type var_t, var_spool_t;
')
-@@ -6562,3 +7504,459 @@ interface(`files_unconfined',`
+@@ -6562,3 +7525,459 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -124404,7 +124425,7 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..b5ab557 100644
+index 5da7870..6ce4f9d 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
@@ -124476,7 +124497,7 @@ index 5da7870..b5ab557 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +79,106 @@ optional_policy(`
+@@ -23,11 +79,102 @@ optional_policy(`
')
optional_policy(`
@@ -124521,10 +124542,6 @@ index 5da7870..b5ab557 100644
+')
+
+optional_policy(`
-+ gnomeclock_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
+ gnome_role(staff_r, staff_t)
+')
+
@@ -124584,7 +124601,7 @@ index 5da7870..b5ab557 100644
')
optional_policy(`
-@@ -35,15 +186,31 @@ optional_policy(`
+@@ -35,15 +182,31 @@ optional_policy(`
')
optional_policy(`
@@ -124618,10 +124635,11 @@ index 5da7870..b5ab557 100644
')
optional_policy(`
-@@ -52,10 +219,55 @@ optional_policy(`
+@@ -52,10 +215,56 @@ optional_policy(`
')
optional_policy(`
++ systemd_dbus_chat_timedated(staff_t)
+ systemd_read_unit_files(staff_t)
+ systemd_exec_systemctl(staff_t)
+')
@@ -124674,7 +124692,7 @@ index 5da7870..b5ab557 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +277,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +274,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124685,7 +124703,7 @@ index 5da7870..b5ab557 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +283,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -124696,7 +124714,7 @@ index 5da7870..b5ab557 100644
')
optional_policy(`
-@@ -101,10 +305,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +302,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124707,7 +124725,7 @@ index 5da7870..b5ab557 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +325,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +322,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124718,7 +124736,7 @@ index 5da7870..b5ab557 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +337,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +334,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124729,7 +124747,7 @@ index 5da7870..b5ab557 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +368,20 @@ ifndef(`distro_redhat',`
+@@ -176,3 +365,20 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -124779,7 +124797,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..e1ba9a0 100644
+index 88d0028..42e9b2e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.1)
@@ -124893,7 +124911,15 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -110,6 +138,10 @@ optional_policy(`
+@@ -87,6 +115,7 @@ optional_policy(`
+
+ optional_policy(`
+ asterisk_stream_connect(sysadm_t)
++ asterisk_exec(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -110,6 +139,10 @@ optional_policy(`
')
optional_policy(`
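Review bot: `asterisk_exec(sysadm_t)` runs the asterisk binary inside sysadm_t rather than transitioning into the asterisk domain, so whatever is started this way inherits the admin shell's full privileges, and the hunk gives no hint of why that is wanted. Presumably this is for the client-side use of the binary that talks to the running daemon over the stream socket allowed on the line above — confirm, and record it in a why-comment such as `# asterisk CLI client runs in sysadm_t; the daemon itself is started by init`. If the intent is instead to let the admin start the daemon by hand, a domain-transition (run-style) interface would keep it confined.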
@@ -124904,7 +124930,7 @@ index 88d0028..e1ba9a0 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +154,19 @@ optional_policy(`
+@@ -122,11 +155,19 @@ optional_policy(`
')
optional_policy(`
@@ -124926,7 +124952,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -140,6 +180,10 @@ optional_policy(`
+@@ -140,6 +181,10 @@ optional_policy(`
')
optional_policy(`
@@ -124937,7 +124963,7 @@ index 88d0028..e1ba9a0 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +200,11 @@ optional_policy(`
+@@ -156,11 +201,11 @@ optional_policy(`
')
optional_policy(`
@@ -124951,7 +124977,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -179,6 +223,13 @@ optional_policy(`
+@@ -179,6 +224,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -124965,7 +124991,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -186,15 +237,20 @@ optional_policy(`
+@@ -186,15 +238,20 @@ optional_policy(`
')
optional_policy(`
@@ -124989,7 +125015,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -214,22 +270,20 @@ optional_policy(`
+@@ -214,22 +271,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -125018,7 +125044,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -241,25 +295,47 @@ optional_policy(`
+@@ -241,25 +296,47 @@ optional_policy(`
')
optional_policy(`
@@ -125066,7 +125092,7 @@ index 88d0028..e1ba9a0 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +346,36 @@ optional_policy(`
+@@ -270,31 +347,36 @@ optional_policy(`
')
optional_policy(`
@@ -125110,7 +125136,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -319,12 +400,18 @@ optional_policy(`
+@@ -319,12 +401,18 @@ optional_policy(`
')
optional_policy(`
@@ -125130,7 +125156,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -349,7 +436,18 @@ optional_policy(`
+@@ -349,7 +437,18 @@ optional_policy(`
')
optional_policy(`
@@ -125150,7 +125176,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -360,19 +458,15 @@ optional_policy(`
+@@ -360,19 +459,15 @@ optional_policy(`
')
optional_policy(`
@@ -125172,7 +125198,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -384,10 +478,6 @@ optional_policy(`
+@@ -384,10 +479,6 @@ optional_policy(`
')
optional_policy(`
@@ -125183,7 +125209,7 @@ index 88d0028..e1ba9a0 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +485,9 @@ optional_policy(`
+@@ -395,6 +486,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -125193,7 +125219,7 @@ index 88d0028..e1ba9a0 100644
')
optional_policy(`
-@@ -402,31 +495,34 @@ optional_policy(`
+@@ -402,31 +496,34 @@ optional_policy(`
')
optional_policy(`
@@ -125234,7 +125260,7 @@ index 88d0028..e1ba9a0 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +535,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -125245,7 +125271,7 @@ index 88d0028..e1ba9a0 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +555,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +556,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -125986,7 +126012,7 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..09d96d1
+index 0000000..1c11aac
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,369 @@
@@ -126232,7 +126258,7 @@ index 0000000..09d96d1
+ ')
+
+ optional_policy(`
-+ gnomeclock_dbus_chat(unconfined_t)
++ systemd_dbus_chat_timedated(unconfined_t)
+ gnome_dbus_chat_gconfdefault(unconfined_t)
+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+ ')
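Review bot: `systemd_dbus_chat_timedated(unconfined_t)` is placed inside the same optional_policy block as the two gnome_* interfaces, so the timedated D-Bus permission is only compiled in when the gnome module is present, and a missing gnome module silently drops it as well. systemd.if ships in this very patch as a base system module, so the call belongs in its own `optional_policy(\` ... ')` block (or next to the other systemd_* calls for unconfined_t), leaving the gnome block as it was. The sibling hunk in staff.te already groups the call with the other systemd_* calls rather than with gnome.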
@@ -131083,7 +131109,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..7c0ea2d 100644
+index 3efd5b6..de75e59 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -131601,7 +131627,7 @@ index 3efd5b6..7c0ea2d 100644
')
########################################
-@@ -1805,3 +1975,199 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1975,200 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -131643,6 +131669,7 @@ index 3efd5b6..7c0ea2d 100644
+ files_etc_filetrans($1, shadow_t, file, "shadow")
+ files_etc_filetrans($1, shadow_t, file, "shadow-")
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ files_etc_filetrans($1, shadow_t, file, "opasswd")
+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
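Review bot: The new `files_etc_filetrans($1, shadow_t, file, "opasswd")` only fires when a file literally named opasswd is created in an etc_t directory, but the PAM modules that maintain /etc/security/opasswd generally write a temporary file first and rename it into place (pam_pwhistory, for instance, writes an opasswd.tmp sibling — verify against the current sources), and a rename keeps the temporary file's label. If that is the case here, the transition should also cover the temporary name, e.g. `files_etc_filetrans($1, shadow_t, file, "opasswd.tmp")`, or the write path must rely on the module setting its own create context. The enclosing interface begins before this hunk, so I cannot see which domains it is granted to.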
@@ -133908,7 +133935,7 @@ index 24e7804..386109d 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..1c57099 100644
+index dd3be8d..aab0c5a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -134143,7 +134170,7 @@ index dd3be8d..1c57099 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +268,176 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +268,177 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -134289,7 +134316,8 @@ index dd3be8d..1c57099 100644
+systemd_relabelto_fifo_file_passwd_run(init_t)
+systemd_relabel_unit_dirs(init_t)
+systemd_relabel_unit_files(init_t)
-+systemd_create_unit_dirs(initrc_t)
++systemd_manage_unit_dirs(initrc_t)
++systemd_manage_unit_symlinks(initrc_t)
+systemd_config_all_services(initrc_t)
+systemd_read_unit_files(initrc_t)
+
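Review bot: Replacing `systemd_create_unit_dirs(initrc_t)` with `systemd_manage_unit_dirs(initrc_t)` and `systemd_manage_unit_symlinks(initrc_t)` widens initrc_t from creating unit directories to creating, deleting and renaming directories and symlinks under every type carrying systemd_unit_file_type, which — since systemd enables, disables and masks units through symlinks — amounts to letting any init script change which units run (presumably the power units in systemd.fc included, if they carry the attribute). That may well be needed, but the hunk records no reason; add a why-comment above the two calls, e.g. `# init scripts run systemctl enable/disable, which manages unit symlinks — TODO confirm the triggering denial`. I also cannot see `systemd_manage_unit_dirs` defined in the visible parts of systemd.if (only `systemd_manage_unit_symlinks` is added by this patch), so check that it exists. The surrounding rule list continues outside the hunk.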
@@ -134328,7 +134356,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -216,6 +445,27 @@ optional_policy(`
+@@ -216,6 +446,27 @@ optional_policy(`
')
optional_policy(`
@@ -134356,7 +134384,7 @@ index dd3be8d..1c57099 100644
unconfined_domain(init_t)
')
-@@ -225,8 +475,9 @@ optional_policy(`
+@@ -225,8 +476,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -134368,7 +134396,7 @@ index dd3be8d..1c57099 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +508,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +509,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -134385,7 +134413,7 @@ index dd3be8d..1c57099 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +533,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +534,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -134428,7 +134456,7 @@ index dd3be8d..1c57099 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +570,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +571,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -134440,7 +134468,7 @@ index dd3be8d..1c57099 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +582,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +583,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -134451,7 +134479,7 @@ index dd3be8d..1c57099 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +593,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +594,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -134461,7 +134489,7 @@ index dd3be8d..1c57099 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +602,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +603,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -134469,7 +134497,7 @@ index dd3be8d..1c57099 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +610,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134477,7 +134505,7 @@ index dd3be8d..1c57099 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +617,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +618,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -134495,7 +134523,7 @@ index dd3be8d..1c57099 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -134509,7 +134537,7 @@ index dd3be8d..1c57099 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +650,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +651,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -134523,7 +134551,7 @@ index dd3be8d..1c57099 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +663,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +664,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -134531,7 +134559,7 @@ index dd3be8d..1c57099 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +675,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +676,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -134539,7 +134567,7 @@ index dd3be8d..1c57099 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +694,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +695,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -134563,7 +134591,7 @@ index dd3be8d..1c57099 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +727,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +728,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -134571,7 +134599,7 @@ index dd3be8d..1c57099 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +761,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +762,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -134582,7 +134610,7 @@ index dd3be8d..1c57099 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +785,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +786,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -134591,7 +134619,7 @@ index dd3be8d..1c57099 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +800,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +801,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -134599,7 +134627,7 @@ index dd3be8d..1c57099 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +821,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +822,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -134607,7 +134635,7 @@ index dd3be8d..1c57099 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +831,40 @@ ifdef(`distro_redhat',`
+@@ -549,8 +832,40 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -134648,7 +134676,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -558,14 +872,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +873,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -134680,7 +134708,7 @@ index dd3be8d..1c57099 100644
')
')
-@@ -576,6 +907,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +908,39 @@ ifdef(`distro_suse',`
')
')
@@ -134720,7 +134748,7 @@ index dd3be8d..1c57099 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +952,8 @@ optional_policy(`
+@@ -588,6 +953,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -134729,7 +134757,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -609,6 +975,7 @@ optional_policy(`
+@@ -609,6 +976,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -134737,7 +134765,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -625,6 +992,17 @@ optional_policy(`
+@@ -625,6 +993,17 @@ optional_policy(`
')
optional_policy(`
@@ -134755,7 +134783,7 @@ index dd3be8d..1c57099 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1019,13 @@ optional_policy(`
+@@ -641,9 +1020,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -134769,7 +134797,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -656,15 +1038,11 @@ optional_policy(`
+@@ -656,15 +1039,11 @@ optional_policy(`
')
optional_policy(`
@@ -134787,7 +134815,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -685,6 +1063,15 @@ optional_policy(`
+@@ -685,6 +1064,15 @@ optional_policy(`
')
optional_policy(`
@@ -134803,7 +134831,7 @@ index dd3be8d..1c57099 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1112,7 @@ optional_policy(`
+@@ -725,6 +1113,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -134811,7 +134839,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -742,7 +1130,14 @@ optional_policy(`
+@@ -742,7 +1131,14 @@ optional_policy(`
')
optional_policy(`
@@ -134826,7 +134854,7 @@ index dd3be8d..1c57099 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1160,10 @@ optional_policy(`
+@@ -765,6 +1161,10 @@ optional_policy(`
')
optional_policy(`
@@ -134837,7 +134865,7 @@ index dd3be8d..1c57099 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1173,20 @@ optional_policy(`
+@@ -774,10 +1174,20 @@ optional_policy(`
')
optional_policy(`
@@ -134858,7 +134886,7 @@ index dd3be8d..1c57099 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1195,10 @@ optional_policy(`
+@@ -786,6 +1196,10 @@ optional_policy(`
')
optional_policy(`
@@ -134869,7 +134897,7 @@ index dd3be8d..1c57099 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1220,6 @@ optional_policy(`
+@@ -807,8 +1221,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -134878,7 +134906,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -817,6 +1228,10 @@ optional_policy(`
+@@ -817,6 +1229,10 @@ optional_policy(`
')
optional_policy(`
@@ -134889,7 +134917,7 @@ index dd3be8d..1c57099 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1241,12 @@ optional_policy(`
+@@ -826,10 +1242,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -134902,7 +134930,7 @@ index dd3be8d..1c57099 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1273,27 @@ optional_policy(`
+@@ -856,12 +1274,27 @@ optional_policy(`
')
optional_policy(`
@@ -134931,7 +134959,7 @@ index dd3be8d..1c57099 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1303,18 @@ optional_policy(`
+@@ -871,6 +1304,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -134950,7 +134978,7 @@ index dd3be8d..1c57099 100644
')
optional_policy(`
-@@ -886,6 +1330,10 @@ optional_policy(`
+@@ -886,6 +1331,10 @@ optional_policy(`
')
optional_policy(`
@@ -134961,7 +134989,7 @@ index dd3be8d..1c57099 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1344,185 @@ optional_policy(`
+@@ -896,3 +1345,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -137718,10 +137746,10 @@ index e8c59a5..7622d77 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..6c86d76 100644
+index 9fe8e01..d5fe55a 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
-@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
# /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
@@ -137733,7 +137761,11 @@ index 9fe8e01..6c86d76 100644
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,11 +38,6 @@ ifdef(`distro_redhat',`
++/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0)
+
+ ifdef(`distro_redhat',`
+ /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
+@@ -37,11 +39,6 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -137745,7 +137777,7 @@ index 9fe8e01..6c86d76 100644
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -77,8 +73,9 @@ ifdef(`distro_redhat',`
+@@ -77,8 +74,9 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
@@ -137757,7 +137789,7 @@ index 9fe8e01..6c86d76 100644
/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..01b8523 100644
+index fc28bc3..e102068 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -137862,7 +137894,7 @@ index fc28bc3..01b8523 100644
## Read public files used for file
## transfer services.
##
-@@ -784,8 +835,10 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +835,11 @@ interface(`miscfiles_etc_filetrans_localization',`
type locale_t;
')
@@ -137872,15 +137904,40 @@ index fc28bc3..01b8523 100644
+ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
+ files_etc_filetrans($1, locale_t, file, "locale.conf" )
+ files_etc_filetrans($1, locale_t, file, "timezone" )
++ files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
')
########################################
-@@ -809,3 +862,43 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +863,60 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
+########################################
+##
++## Transition to miscfiles locale named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_filetrans_locale_named_content',`
++ gen_require(`
++ type locale_t;
++ ')
++
++ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
++ files_etc_filetrans($1, locale_t, file, "locale.conf")
++ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
++ files_etc_filetrans($1, locale_t, file, "timezone")
++ files_etc_filetrans($1, locale_t, file, "clock")
++ files_usr_filetrans($1, locale_t, dir, "locale")
++ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
++')
++
++########################################
++##
+## Transition to miscfiles named content
+##
+##
@@ -137891,7 +137948,6 @@ index fc28bc3..01b8523 100644
+#
+interface(`miscfiles_filetrans_named_content',`
+ gen_require(`
-+ type locale_t;
+ type man_t;
+ type cert_t;
+ type fonts_t;
@@ -137901,15 +137957,9 @@ index fc28bc3..01b8523 100644
+ type public_content_t;
+ ')
+
-+ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
++ miscfiles_filetrans_locale_named_content($1)
+ files_var_filetrans($1, man_t, dir, "man")
-+ files_etc_filetrans($1, locale_t, file, "timezone")
-+ files_etc_filetrans($1, locale_t, file, "clock")
+ files_etc_filetrans($1, cert_t, dir, "pki")
-+ files_usr_filetrans($1, locale_t, dir, "locale")
-+ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
+ files_usr_filetrans($1, cert_t, dir, "certs")
+ files_usr_filetrans($1, fonts_t, dir, "fonts")
+ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
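Review bot: The new `miscfiles_filetrans_locale_named_content` omits vconsole.conf, although the preceding hunk adds `files_etc_filetrans($1, locale_t, file, "vconsole.conf" )` to miscfiles_etc_filetrans_localization and miscfiles.fc now labels /etc/vconsole.conf as locale_t, so a domain that reaches locale transitions through miscfiles_filetrans_named_content will create /etc/vconsole.conf as etc_t. Add `files_etc_filetrans($1, locale_t, file, "vconsole.conf")` next to the timezone line. The two interfaces now maintain overlapping lists of /etc names by hand; having the new one call `miscfiles_etc_filetrans_localization($1)` and add only locale.conf.new, clock and the /usr directories would keep them from drifting apart again.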
@@ -141151,10 +141201,10 @@ index b7686d5..7f2928d 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..6d7c302
+index 0000000..4c08b36
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,37 @@
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -141174,7 +141224,10 @@ index 0000000..6d7c302
+/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
++/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
++/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0)
+/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
@@ -141191,10 +141244,10 @@ index 0000000..6d7c302
+/var/run/initramfs(/.*)? <>
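Review bot: The systemd-logind entry is deleted and re-added unchanged (`-+/usr/lib/systemd/systemd-logind ...` then `++/usr/lib/systemd/systemd-logind ...`) only so that the new hostnamed, timedated and localed entries can be placed around it, which produces diff churn without altering any labeling. Keeping the `/usr/lib/systemd/systemd-*` entries in alphabetical order (hostnamed, localed, logger, logind, timedated, tmpfiles) with the logind line left untouched would make the hunk a pure addition of three entries.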
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..3e4cae7
+index 0000000..699dcef
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,962 @@
+@@ -0,0 +1,1020 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -141543,6 +141596,24 @@ index 0000000..3e4cae7
+ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
+')
+
++#######################################
++##
++## Execute a domain transition to run systemd-localed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_localed_domtrans',`
++ gen_require(`
++ type systemd_localed_t, systemd_localed_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t)
++')
++
+########################################
+##
+## Execute a domain transition to run systemd-tty-ask-password-agent.
@@ -141838,6 +141909,24 @@ index 0000000..3e4cae7
+
+########################################
+##
++## manage systemd unit link files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_unit_symlinks',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
+## manage all systemd unit files
+##
+##
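Review bot: `systemd_manage_unit_symlinks` grants manage_lnk_files_pattern over every type carrying the systemd_unit_file_type attribute, and because systemd enables, disables and masks units by creating and removing symlinks, a caller effectively gains control over which units run — including the power units labelled in systemd.fc, if those carry the attribute. The description should state that consequence rather than just "manage systemd unit link files", for instance `## Create, delete and rename symlinks under all systemd unit directories; this lets the domain enable, disable and mask any unit.` so that future callers of the interface understand what they are asking for.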
@@ -142157,12 +142246,34 @@ index 0000000..3e4cae7
+ systemd_exec_systemctl($1)
+ allow $1 systemd_unit_file_type:service status;
+')
++
++########################################
++##
++## Send and receive messages from
++## systemd timedated over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_timedated',`
++ gen_require(`
++ type systemd_timedated_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_timedated_t:dbus send_msg;
++ allow systemd_timedated_t $1:dbus send_msg;
++')
++
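Review bot: The final `++` line adds an empty line after the closing `')` of systemd_dbus_chat_timedated, leaving systemd.if with a trailing blank line at end of file, whereas the previous end of file (`allow $1 systemd_unit_file_type:service status;` / `')`) had none. Drop it; the blank line inserted before the `########################################` separator is the only one the new block needs.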
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..dc3c408
+index 0000000..74c656b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,451 @@
+@@ -0,0 +1,578 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -142226,6 +142337,18 @@ index 0000000..dc3c408
+type systemd_systemctl_exec_t;
+corecmd_executable_file(systemd_systemctl_exec_t)
+
++type systemd_localed_t;
++type systemd_localed_exec_t;
++init_daemon_domain(systemd_localed_t, systemd_localed_exec_t)
++
++type systemd_hostnamed_t;
++type systemd_hostnamed_exec_t;
++init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
++
++type systemd_timedated_t alias gnomeclock_t;
++type systemd_timedated_exec_t;
++init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
++
+#######################################
+#
+# Systemd_logind local policy
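Review bot: `type systemd_timedated_t alias gnomeclock_t;` declares gnomeclock_t as an alias in the base systemd module, which conflicts at link time with the gnomeclock module if that module still declares `type gnomeclock_t;` itself; the patch as shown does not touch gnomeclock.te, so either that declaration is removed elsewhere in this change or the build will fail on the duplicate type. A comment on the alias line stating the intent would help the next maintainer, e.g. `# compatibility alias: gnomeclock is replaced by systemd-timedated; gnomeclock.te must no longer declare this type`. The same consideration applies to the old executable type if anything still references gnomeclock_exec_t, which I cannot see from here.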
@@ -142447,6 +142570,7 @@ index 0000000..dc3c408
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_files(systemd_tmpfiles_t)
++files_relabel_all_spool_dirs(systemd_tmpfiles_t)
+files_manage_all_pids(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_all_locks(systemd_tmpfiles_t)
@@ -142562,7 +142686,6 @@ index 0000000..dc3c408
+
+init_rw_stream_sockets(systemd_notify_t)
+
-+
+optional_policy(`
+ readahead_manage_pid_files(systemd_notify_t)
+')
@@ -142614,6 +142737,121 @@ index 0000000..dc3c408
+init_read_state(systemctl_domain)
+init_list_pid_dirs(systemctl_domain)
+init_use_fds(systemctl_domain)
++
++#######################################
++#
++# Localed policy
++#
++allow systemd_localed_t self:process setfscreate;
++allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
++
++seutil_read_config(systemd_localed_t)
++seutil_read_file_contexts(systemd_localed_t)
++
++miscfiles_manage_localization(systemd_localed_t)
++miscfiles_etc_filetrans_localization(systemd_localed_t)
++
++optional_policy(`
++ dbus_connect_system_bus(systemd_localed_t)
++ dbus_system_bus_client(systemd_localed_t)
++')
++
++#######################################
++#
++# Hostnamed policy
++#
++allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
++
++init_status(systemd_hostnamed_t)
++
++optional_policy(`
++ dbus_system_bus_client(systemd_hostnamed_t)
++ dbus_connect_system_bus(systemd_hostnamed_t)
++')
++
++#######################################
++#
++# Timedated policy
++#
++allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
++allow systemd_timedated_t self:process { getattr getsched signal };
++allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
++allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_system_state(systemd_timedated_t)
++
++corecmd_exec_bin(systemd_timedated_t)
++corecmd_exec_shell(systemd_timedated_t)
++corecmd_dontaudit_access_check_bin(systemd_timedated_t)
++
++corenet_tcp_connect_time_port(systemd_timedated_t)
++
++dev_rw_realtime_clock(systemd_timedated_t)
++dev_read_urand(systemd_timedated_t)
++dev_write_kmsg(systemd_timedated_t)
++dev_read_sysfs(systemd_timedated_t)
++
++files_read_etc_runtime_files(systemd_timedated_t)
++
++fs_getattr_xattr_fs(systemd_timedated_t)
++
++auth_use_nsswitch(systemd_timedated_t)
++
++init_dbus_chat(systemd_timedated_t)
++init_status(systemd_timedated_t)
++
++logging_stream_connect_syslog(systemd_timedated_t)
++logging_send_syslog_msg(systemd_timedated_t)
++
++miscfiles_manage_localization(systemd_timedated_t)
++miscfiles_etc_filetrans_localization(systemd_timedated_t)
++
++userdom_read_all_users_state(systemd_timedated_t)
++
++optional_policy(`
++ chronyd_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++ clock_read_adjtime(systemd_timedated_t)
++ clock_domtrans(systemd_timedated_t)
++')
++
++optional_policy(`
++ consolekit_dbus_chat(systemd_timedated_t)
++')
++
++optional_policy(`
++ consoletype_exec(systemd_timedated_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(systemd_timedated_t)
++ dbus_connect_system_bus(systemd_timedated_t)
++')
++
++optional_policy(`
++ gnome_manage_usr_config(systemd_timedated_t)
++ gnome_manage_home_config(systemd_timedated_t)
++')
++
++optional_policy(`
++ ntp_domtrans_ntpdate(systemd_timedated_t)
++ ntp_initrc_domtrans(systemd_timedated_t)
++ init_dontaudit_getattr_all_script_files(systemd_timedated_t)
++ init_dontaudit_getattr_exec(systemd_timedated_t)
++ ntp_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(systemd_timedated_t)
++ policykit_domtrans_auth(systemd_timedated_t)
++ policykit_read_lib(systemd_timedated_t)
++ policykit_read_reload(systemd_timedated_t)
++')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..49fd32e 100644
--- a/policy/modules/system/udev.fc
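Review bot: `allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };` grants dac_override, which lets the daemon bypass discretionary file permission checks on anything it already has SELinux access to; sys_time is what clock setting requires, so dac_override deserves either a comment naming the file it cannot otherwise reach or a labeling fix in its place. In the same hunk the hostnamed section carries only self, `init_status` and dbus rules; if systemd_hostnamed_t is expected to call sethostname() and rewrite /etc/hostname, the capability and /etc write rules are absent and will show up as denials, so confirm against the daemon's behaviour. The timedated grants `corecmd_exec_shell`, `userdom_read_all_users_state` and `gnome_manage_home_config` are also broad for a clock-setting service and would each benefit from a one-line comment stating what uses them.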
@@ -142912,7 +143150,7 @@ index 0f64692..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..b31b982 100644
+index a5ec88b..32e7d9e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -143091,7 +143329,7 @@ index a5ec88b..b31b982 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -226,6 +239,7 @@ optional_policy(`
+@@ -226,19 +239,34 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -143099,7 +143337,13 @@ index a5ec88b..b31b982 100644
')
optional_policy(`
-@@ -235,10 +249,20 @@ optional_policy(`
+ dbus_system_bus_client(udev_t)
++
++ optional_policy(`
++ systemd_dbus_chat_logind(udev_t)
++ ')
+ ')
+
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -143120,7 +143364,7 @@ index a5ec88b..b31b982 100644
')
optional_policy(`
-@@ -264,6 +288,10 @@ optional_policy(`
+@@ -264,6 +292,10 @@ optional_policy(`
')
optional_policy(`
@@ -143131,7 +143375,7 @@ index a5ec88b..b31b982 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -278,6 +306,15 @@ optional_policy(`
+@@ -278,6 +310,15 @@ optional_policy(`
')
optional_policy(`
@@ -143147,7 +143391,7 @@ index a5ec88b..b31b982 100644
unconfined_signal(udev_t)
')
-@@ -290,6 +327,7 @@ optional_policy(`
+@@ -290,6 +331,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -143979,7 +144223,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..81b2173 100644
+index 3c5dba7..2d9f96b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -145273,7 +145517,7 @@ index 3c5dba7..81b2173 100644
+ ')
+
+ optional_policy(`
-+ gnomeclock_dbus_chat($1_t)
++ systemd_dbus_chat_timedated($1_t)
+ ')
+
+ optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6515ad8..c5c40e7 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2131,10 +2131,10 @@ index 0000000..feabdf3
+ files_getattr_all_sockets(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..dcb9d6e 100644
+index 550a69e..d2af19f 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,188 @@
+@@ -1,161 +1,184 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -2283,10 +2283,6 @@ index 550a69e..dcb9d6e 100644
+
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3757,7 +3753,7 @@ index 83e899c..7b2ad39 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..93b55a0 100644
+index 1a82e29..8f88bc2 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,353 @@
@@ -4986,40 +4982,39 @@ index 1a82e29..93b55a0 100644
')
optional_policy(`
-- pcscd_read_pid_files(httpd_t)
+ openshift_search_lib(httpd_t)
+ openshift_initrc_signull(httpd_t)
+ openshift_initrc_signal(httpd_t)
++')
++
++optional_policy(`
++ passenger_exec(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++')
++
++optional_policy(`
+ pcscd_read_pid_files(httpd_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
-+ passenger_exec(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
++ pki_apache_domain_signal(httpd_t)
++ pki_manage_apache_config_files(httpd_t)
++ pki_manage_apache_lib(httpd_t)
++ pki_manage_apache_log_files(httpd_t)
++ pki_manage_apache_run(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
+optional_policy(`
-+ pcscd_read_pub_files(httpd_t)
-+')
-+
-+optional_policy(`
-+ pki_apache_domain_signal(httpd_t)
-+ pki_manage_apache_config_files(httpd_t)
-+ pki_manage_apache_lib(httpd_t)
-+ pki_manage_apache_log_files(httpd_t)
-+ pki_manage_apache_run(httpd_t)
++ puppet_read_lib(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
-+ puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
+ pwauth_domtrans(httpd_t)
')
@@ -6373,10 +6368,36 @@ index fa18c76..fd6911a 100644
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
-index 7268a04..3a5dc33 100644
+index 7268a04..6ffd87d 100644
--- a/asterisk.if
+++ b/asterisk.if
-@@ -105,9 +105,13 @@ interface(`asterisk_admin',`
+@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',`
+ domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+ ')
+
++######################################
++##
++## Execute asterisk in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`asterisk_exec',`
++ gen_require(`
++ type asterisk_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, asterisk_exec_t)
++')
++
+ #####################################
+ ##
+ ## Connect to asterisk over a unix domain.
+@@ -105,9 +124,13 @@ interface(`asterisk_admin',`
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
@@ -7075,10 +7096,10 @@ index 536ec3c..271b976 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..1cb1b4f 100644
+index 2b9a3a1..b5dadee 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -1,54 +1,70 @@
+@@ -1,54 +1,71 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -7114,6 +7135,7 @@ index 2b9a3a1..1cb1b4f 100644
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-chkconf -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
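Review bot: `/usr/sbin/unbound-chkconf` in the new bind.fc line does not match the name the unbound project ships for its configuration checker, unbound-checkconf; if that is the intended binary the entry never matches and the tool keeps whatever label the generic /usr/sbin rules give it, so no transition into named_t happens. Confirm the path against the package's file list before relying on this entry, and if the short name is a genuine Fedora binary a comment saying so would stop the next reader from "fixing" it.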
@@ -8923,7 +8945,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..dd34a80 100644
+index 2354e21..bec6c06 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -8995,7 +9017,7 @@ index 2354e21..dd34a80 100644
')
optional_policy(`
-@@ -92,11 +103,47 @@ optional_policy(`
+@@ -92,11 +103,46 @@ optional_policy(`
')
optional_policy(`
@@ -9011,7 +9033,6 @@ index 2354e21..dd34a80 100644
')
optional_policy(`
-+ pcscd_read_pub_files(certmonger_t)
pcscd_read_pid_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
@@ -11042,7 +11063,7 @@ index 8e27a37..fa2c3cb 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 09f18e2..28dd440 100644
+index 09f18e2..6846284 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -11078,7 +11099,7 @@ index 09f18e2..28dd440 100644
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
-@@ -74,18 +81,15 @@ dev_read_video_dev(colord_t)
+@@ -74,22 +81,20 @@ dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
@@ -11098,20 +11119,38 @@ index 09f18e2..28dd440 100644
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
-@@ -100,7 +104,11 @@ auth_use_nsswitch(colord_t)
+ fs_dontaudit_getattr_all_fs(colord_t)
++fs_getattr_tmpfs(colord_t)
+
+ storage_getattr_fixed_disk_dev(colord_t)
+ storage_getattr_removable_dev(colord_t)
+@@ -98,19 +103,15 @@ storage_write_scsi_generic(colord_t)
+
+ auth_use_nsswitch(colord_t)
++init_read_state(colord_t)
++
logging_send_syslog_msg(colord_t)
-miscfiles_read_localization(colord_t)
-+fs_getattr_tmpfs(colord_t)
++systemd_read_logind_sessions_files(colord_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_getattr_nfs(colord_t)
+- fs_read_nfs_files(colord_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_getattr_cifs(colord_t)
+- fs_read_cifs_files(colord_t)
+-')
+userdom_rw_user_tmpfs_files(colord_t)
-+
+userdom_home_reader(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
-@@ -120,6 +128,12 @@ optional_policy(`
+ optional_policy(`
+ cups_read_config(colord_t)
+@@ -120,6 +121,12 @@ optional_policy(`
')
optional_policy(`
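Review bot: `userdom_home_reader(colord_t)` together with `userdom_read_inherited_user_home_content_files(colord_t)` replaces NFS and CIFS reads that were gated behind the `use_nfs_home_dirs` and `use_samba_home_dirs` tunables with an unconditional read over user home content, which removes the administrator's opt-in and broadens a system daemon's reach into every user's home. If colord only needs colour profiles under a known subpath, a narrower content type would be preferable; otherwise a comment such as `# reads per-user ICC profiles from home directories — TODO confirm paths` should record why whole-home read is acceptable. The added `init_read_state` and `systemd_read_logind_sessions_files` grants likewise arrive without a why-comment.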
@@ -11124,13 +11163,14 @@ index 09f18e2..28dd440 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -133,3 +147,13 @@ optional_policy(`
+@@ -133,3 +140,14 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
++ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
+')
@@ -15881,7 +15921,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..126d543 100644
+index afcf3a2..90299b3 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -16147,9 +16187,9 @@ index afcf3a2..126d543 100644
- type $1_dbusd_t;
- class dbus send_msg;
- ')
-
-- typeattribute $2 dbusd_session_bus_client;
-
+- typeattribute $2 dbusd_session_bus_client;
+
- allow $2 { $1_dbusd_t self }:dbus send_msg;
- allow $1_dbusd_t $2:dbus send_msg;
+ # For connecting to the bus
@@ -16461,7 +16501,7 @@ index afcf3a2..126d543 100644
##
##
##
-@@ -596,28 +466,30 @@ interface(`dbus_use_system_bus_fds',`
+@@ -596,28 +466,51 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -16499,6 +16539,27 @@ index afcf3a2..126d543 100644
- typeattribute $1 dbusd_unconfined;
+ dontaudit $1 session_bus_type:dbus send_msg;
++')
++
++########################################
++##
++## Do not audit attempts to send dbus
++## messages to system bus types.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dbus_dontaudit_chat_system_bus',`
++ gen_require(`
++ attribute system_bus_type;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 system_bus_type:dbus send_msg;
++ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
index 2c2e7e1..4c346e6 100644
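Review bot: The summary for `dbus_dontaudit_chat_system_bus` describes suppressing attempts to send to system bus types, but the body also adds `dontaudit system_bus_type $1:dbus send_msg;`, so messages from every system bus domain to the caller are silenced as well; the documentation should state both directions, e.g. `## Do not audit dbus messages sent to or received from any system bus type.`. Because the rule spans the whole system_bus_type attribute it hides denials that would otherwise reveal a domain reaching a service it should not, so a sentence noting that the interface is for noise reduction only and not a substitute for a proper dbus_chat grant would help reviewers of future callers.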
@@ -17536,7 +17597,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..979a3de 100644
+index ff933af..41ca7ce 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -17671,7 +17732,18 @@ index ff933af..979a3de 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -207,9 +222,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
+-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
+-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
+-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
+ logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
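Review bot: `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` replaces the previous append, create and setattr rules with full manage, which adds read, non-append write, unlink and rename on the daemon's own log; the old rules kept that log append-only from the daemon's side, which is the property a defender wants for a file that records suspend and resume activity. If the widening was driven by a read denial, adding `read_file_perms` alongside the existing three rules keeps the log non-erasable; otherwise a why-comment should say why the daemon must delete or rewrite its log.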
+@@ -242,17 +255,16 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -17691,7 +17763,7 @@ index ff933af..979a3de 100644
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +283,11 @@ optional_policy(`
+@@ -269,9 +281,11 @@ optional_policy(`
optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
@@ -17703,7 +17775,7 @@ index ff933af..979a3de 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +318,11 @@ optional_policy(`
+@@ -302,8 +316,11 @@ optional_policy(`
')
optional_policy(`
@@ -17716,7 +17788,7 @@ index ff933af..979a3de 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -341,3 +360,9 @@ optional_policy(`
+@@ -341,3 +358,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -20323,10 +20395,20 @@ index 18f2452..a446210 100644
+
')
diff --git a/dspam.te b/dspam.te
-index 266cb8f..dbbe097 100644
+index 266cb8f..d606e12 100644
--- a/dspam.te
+++ b/dspam.te
-@@ -64,14 +64,33 @@ auth_use_nsswitch(dspam_t)
+@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
+
+ allow dspam_t self:capability net_admin;
+ allow dspam_t self:process signal;
++
++allow dspam_t self:tcp_socket { listen accept };
++
+ allow dspam_t self:fifo_file rw_fifo_file_perms;
+ allow dspam_t self:unix_stream_socket { accept listen };
+
+@@ -64,14 +67,33 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
@@ -21226,28 +21308,49 @@ index 5cf6ac6..839999e 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..646818a 100644
+index c8014f8..95f0a0b 100644
--- a/firewalld.te
+++ b/firewalld.te
-@@ -21,6 +21,9 @@ logging_log_file(firewalld_var_log_t)
+@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
type firewalld_var_run_t;
files_pid_file(firewalld_var_run_t)
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
++type firewalld_tmp_t;
++files_tmp_file(firewalld_tmp_t)
++
++type firewalld_tmpfs_t;
++files_tmpfs_file(firewalld_tmpfs_t)
++
########################################
#
# Local policy
-@@ -42,6 +45,7 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+ #
+-
++allow firewalld_t self:capability dac_override;
+ dontaudit firewalld_t self:capability sys_tty_config;
+ allow firewalld_t self:fifo_file rw_fifo_file_perms;
+ allow firewalld_t self:unix_stream_socket { accept listen };
+@@ -40,8 +49,16 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
+ allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
++manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
++files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
++
++manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
++fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
++allow firewalld_t firewalld_tmpfs_t:file execute;
++
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+can_exec(firewalld_t, firewalld_var_run_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -53,20 +57,17 @@ dev_read_urand(firewalld_t)
+@@ -53,20 +70,17 @@ dev_read_urand(firewalld_t)
domain_use_interactive_fds(firewalld_t)
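Review bot: `allow firewalld_t firewalld_tmpfs_t:file execute;` together with `manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)` lets the daemon write and then execute content in tmpfs, and `can_exec(firewalld_t, firewalld_var_run_t)` does the same for its own run directory; that write-then-execute pattern is what the rest of the policy tries to deny to daemons, so each rule should carry a comment naming the consumer (presumably a runtime that needs executable scratch files — confirm) so the grant can be revisited when that consumer changes. The new `allow firewalld_t self:capability dac_override;` likewise has no justification; if it was added for a single mislabeled path, fixing the label is the narrower cure. firewalld_t's local policy continues outside the hunk.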
@@ -25615,7 +25718,7 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 44cf341..d80e7c0 100644
+index 44cf341..391e8e6 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
@@ -25834,7 +25937,7 @@ index 44cf341..d80e7c0 100644
optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_t)
-+ gnome_read_config(gpg_t)
++ gnome_manage_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
')
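Review bot: `gnome_manage_config(gpg_t)` widens gpg from read-only to create, write and delete over the user's GNOME configuration, and the hunk gives no reason for the change from `gnome_read_config`. A domain that handles key material gaining write access to unrelated desktop configuration is the kind of grant that should be pinned to its cause; if a specific file under the config directory drives it, a comment such as `# writes <config file> — TODO confirm` or a narrower interface would keep the grant reviewable. The enclosing optional_policy block is fully visible, but gpg_t's policy continues outside the hunk.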
@@ -31393,7 +31496,7 @@ index 7bab8e5..3a2c50c 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..720b6cb 100644
+index 4256a4c..2d6adaf 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
@@ -31434,7 +31537,7 @@ index 4256a4c..720b6cb 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-@@ -164,6 +165,8 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +165,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -31443,6 +31546,10 @@ index 4256a4c..720b6cb 100644
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
')
++
++optional_policy(`
++ courier_stream_connect_authdaemon(logwatch_mail_t)
++')
diff --git a/lpd.fc b/lpd.fc
index 2fb9b2e..08974e3 100644
--- a/lpd.fc
@@ -32451,7 +32558,7 @@ index 2de0f64..85c3827 100644
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
diff --git a/mandb.if b/mandb.if
-index 327f3f7..65bfa15 100644
+index 327f3f7..8d5841f 100644
--- a/mandb.if
+++ b/mandb.if
@@ -1,14 +1,14 @@
@@ -32594,7 +32701,7 @@ index 327f3f7..65bfa15 100644
')
########################################
-@@ -99,37 +129,60 @@ interface(`mandb_read_cache_content',`
+@@ -99,37 +129,63 @@ interface(`mandb_read_cache_content',`
##
##
#
@@ -32649,7 +32756,7 @@ index 327f3f7..65bfa15 100644
gen_require(`
- type mandb_t, mandb_cache_t;
+ type mandb_t;
-+ type mandb_cache_t;
++ type mandb_cache_t, mandb_lock_t;
')
allow $1 mandb_t:process { ptrace signal_perms };
@@ -32658,6 +32765,9 @@ index 327f3f7..65bfa15 100644
- mandb_run($1, $2)
+ files_search_var($1)
+ admin_pattern($1, mandb_cache_t)
++
++ files_search_locks($1)
++ admin_pattern($1, mandb_lock_t)
- # pending
- # miscfiles_manage_man_cache_content(mandb_t)
@@ -39288,6 +39398,231 @@ index 9f6179e..dfa6623 100644
-userdom_search_user_home_dirs(mysqlmanagerd_t)
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+diff --git a/mythtv.fc b/mythtv.fc
+new file mode 100644
+index 0000000..3a1c423
+--- /dev/null
++++ b/mythtv.fc
+@@ -0,0 +1,9 @@
++/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++
++/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
++
++/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
++
++/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
+diff --git a/mythtv.if b/mythtv.if
+new file mode 100644
+index 0000000..6ad142d
+--- /dev/null
++++ b/mythtv.if
+@@ -0,0 +1,157 @@
++
++## policy for httpd_mythtv_script
++
++########################################
++##
++## Execute TEMPLATE in the httpd_mythtv_script domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`httpd_mythtv_script_domtrans',`
++ gen_require(`
++ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
++')
++
++#######################################
++##
++## read mythtv libs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mythtv_read_lib',`
++ gen_require(`
++ type mythtv_var_lib_t;
++ ')
++
++ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
++ files_list_var_lib($1)
++')
++
++#######################################
++##
++## Create, read, write, and delete
++## mythtv lib content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mythtv_manage_lib',`
++ gen_require(`
++ type mythtv_var_lib_t;
++ ')
++
++ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
++ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
++ files_list_var_lib($1)
++')
++
++#######################################
++##
++## read mythtv logs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mythtv_read_log',`
++ gen_require(`
++ type mythtv_var_log_t;
++ ')
++
++ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++ logging_search_logs($1)
++')
++
++#######################################
++##
++## Append mythtv log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mythtv_append_log',`
++ gen_require(`
++ type mythtv_var_log_t;
++ ')
++
++ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++ logging_search_logs($1)
++')
++
++#######################################
++##
++## Create, read, write, and delete
++## mythtv log content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mythtv_manage_log',`
++ gen_require(`
++ type mythtv_var_log_t;
++ ')
++
++ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
++ logging_search_logs($1)
++')
++
++########################################
++##
++## All of the rules required to
++## administrate an mythtv environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`mythtv_admin',`
++ gen_require(`
++ type httpd_mythtv_script_t, mythtv_var_lib_t;
++ type mythtv_var_log_t;
++ ')
++
++ allow $1 httpd_mythtv_script_t:process signal_perms;
++ ps_process_pattern($1, httpd_mythtv_script_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_mythtv_script_t:process ptrace;
++ ')
++
++ logging_list_logs($1)
++ admin_pattern($1, mythtv_var_log_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, mythtv_var_lib_t)
++')
+diff --git a/mythtv.te b/mythtv.te
+new file mode 100644
+index 0000000..90129ac
+--- /dev/null
++++ b/mythtv.te
+@@ -0,0 +1,41 @@
++policy_module(mythtv, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(mythtv)
++
++type mythtv_var_lib_t;
++files_type(mythtv_var_lib_t)
++
++type mythtv_var_log_t;
++logging_log_file(mythtv_var_log_t)
++
++########################################
++#
++# httpd_mythtv_script local policy
++#
++
++manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
++
++manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
++
++domain_use_interactive_fds(httpd_mythtv_script_t)
++
++files_read_etc_files(httpd_mythtv_script_t)
++
++fs_read_nfs_files(httpd_mythtv_script_t)
++
++miscfiles_read_localization(httpd_mythtv_script_t)
++
++optional_policy(`
++ mysql_read_config(httpd_mythtv_script_t)
++ mysql_stream_connect(httpd_mythtv_script_t)
++ mysql_tcp_connect(httpd_mythtv_script_t)
++')
diff --git a/nagios.fc b/nagios.fc
index d78dfc3..d80b4db 100644
--- a/nagios.fc
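Review bot: `files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })` in the new mythtv.te lets the web-script domain create arbitrarily named files directly in /var/lib with the mythtv_var_lib_t label, while mythtv.fc only declares /var/lib/mythtv(/.*)? for that type; restricting the transition to `dir` (and, where the named form is available, to the name "mythtv") keeps the label tied to the path the .fc describes. Related, in mythtv.fc `/usr/share/mythtv/mythweather/scripts(/.*)?` labels everything under that tree as httpd_mythtv_script_exec_t, so any file that lands there becomes an entrypoint into httpd_mythtv_script_t; a `--` qualifier or a narrower pattern limits that to the intended regular files. The mythtv.if summary for httpd_mythtv_script_domtrans still reads `Execute TEMPLATE in the httpd_mythtv_script domin.`; it should name the target, e.g. `Execute mythtv web scripts in the httpd_mythtv_script domain.`, and the stray space in `logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )` should go.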
@@ -56188,7 +56523,7 @@ index 7cb8b1f..b7b5ee7 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index f2309f4..b3f151c 100644
+index f2309f4..a375475 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
@@ -56603,7 +56938,7 @@ index f2309f4..b3f151c 100644
optional_policy(`
- mysql_stream_connect(puppetmaster_t)
-+ gnomeclock_dbus_chat(puppetmaster_t)
++ systemd_dbus_chat_timedated(puppetmaster_t)
')
optional_policy(`
@@ -59823,7 +60158,7 @@ index 951db7f..db0d815 100644
+ allow $1 mdadm_var_run_t:file manage_file_perms;
')
diff --git a/raid.te b/raid.te
-index 2c1730b..43e7487 100644
+index 2c1730b..d9f7a3a 100644
--- a/raid.te
+++ b/raid.te
@@ -26,7 +26,7 @@ dev_associate(mdadm_var_run_t)
@@ -59835,7 +60170,7 @@ index 2c1730b..43e7487 100644
allow mdadm_t self:fifo_file rw_fifo_file_perms;
allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -34,8 +34,8 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+@@ -34,14 +34,15 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
@@ -59846,7 +60181,14 @@ index 2c1730b..43e7487 100644
kernel_getattr_core_if(mdadm_t)
kernel_read_system_state(mdadm_t)
-@@ -51,17 +51,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+ kernel_read_kernel_sysctls(mdadm_t)
+ kernel_request_load_module(mdadm_t)
+ kernel_rw_software_raid_state(mdadm_t)
++kernel_setsched(mdadm_t)
+
+ corecmd_exec_bin(mdadm_t)
+ corecmd_exec_shell(mdadm_t)
+@@ -51,17 +52,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
@@ -59868,7 +60210,7 @@ index 2c1730b..43e7487 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -74,12 +76,12 @@ storage_write_scsi_generic(mdadm_t)
+@@ -74,12 +77,12 @@ storage_write_scsi_generic(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
@@ -62692,13 +63034,15 @@ index 6dbc905..92aac94 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..48fec17 100644
+index 1cedd70..f8ae4cc 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
-@@ -31,6 +31,7 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
+ #
allow rhsmcertd_t self:capability sys_nice;
- allow rhsmcertd_t self:process { signal setsched };
+-allow rhsmcertd_t self:process { signal setsched };
++allow rhsmcertd_t self:process { signal_perms setsched };
+
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
@@ -63858,7 +64202,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..43a888d 100644
+index e5212e6..66ec108 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -64205,15 +64549,6 @@ index e5212e6..43a888d 100644
')
optional_policy(`
-@@ -315,7 +277,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- pcscd_read_pid_files(gssd_t)
-+ pcscd_read_pub_files(gssd_t)
- ')
-
- optional_policy(`
diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9ee..ff1163f 100644
--- a/rpcbind.if
@@ -65029,7 +65364,7 @@ index 0628d50..bedc8ae 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..b86d966 100644
+index 5cbe81c..a29e4d0 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,11 @@
@@ -65418,7 +65753,7 @@ index 5cbe81c..b86d966 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,24 +375,24 @@ ifdef(`distro_redhat',`
+@@ -363,24 +375,28 @@ ifdef(`distro_redhat',`
')
')
@@ -65434,13 +65769,17 @@ index 5cbe81c..b86d966 100644
optional_policy(`
- dbus_system_bus_client(rpm_script_t)
-+ cups_filetrans_named_content(rpm_script_t)
++ certmonger_dbus_chat(rpm_script_t)
+')
- optional_policy(`
- unconfined_dbus_chat(rpm_script_t)
- ')
+optional_policy(`
++ cups_filetrans_named_content(rpm_script_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(rpm_script_t)
')
@@ -65450,7 +65789,7 @@ index 5cbe81c..b86d966 100644
')
optional_policy(`
-@@ -388,8 +400,17 @@ optional_policy(`
+@@ -388,8 +404,17 @@ optional_policy(`
')
optional_policy(`
@@ -65470,7 +65809,7 @@ index 5cbe81c..b86d966 100644
')
optional_policy(`
-@@ -397,6 +418,7 @@ optional_policy(`
+@@ -397,6 +422,7 @@ optional_policy(`
')
optional_policy(`
@@ -65478,7 +65817,7 @@ index 5cbe81c..b86d966 100644
unconfined_domtrans(rpm_script_t)
optional_policy(`
-@@ -409,6 +431,6 @@ optional_policy(`
+@@ -409,6 +435,6 @@ optional_policy(`
')
optional_policy(`
@@ -67158,7 +67497,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..27fd4cd 100644
+index 57c034b..89b9b6a 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -67408,7 +67747,7 @@ index 57c034b..27fd4cd 100644
dev_read_urand(samba_net_t)
-@@ -229,54 +219,60 @@ auth_manage_cache(samba_net_t)
+@@ -229,15 +219,16 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -67429,9 +67768,7 @@ index 57c034b..27fd4cd 100644
')
optional_policy(`
-- pcscd_read_pid_files(samba_net_t)
-+ pcscd_read_pub_files(samba_net_t)
- ')
+@@ -246,37 +237,42 @@ optional_policy(`
optional_policy(`
kerberos_use(samba_net_t)
@@ -72207,7 +72544,7 @@ index e0644b5..ea347cc 100644
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
-index 9ade9c5..90cb567 100644
+index 9ade9c5..efefceb 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
@@ -72249,7 +72586,7 @@ index 9ade9c5..90cb567 100644
init_read_utmp(fsdaemon_t)
libs_exec_ld_so(fsdaemon_t)
-@@ -92,7 +100,7 @@ libs_exec_lib_files(fsdaemon_t)
+@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
logging_send_syslog_msg(fsdaemon_t)
@@ -72258,7 +72595,13 @@ index 9ade9c5..90cb567 100644
sysnet_dns_name_resolve(fsdaemon_t)
-@@ -116,9 +124,9 @@ optional_policy(`
+ userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+ userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
++userdom_use_user_ptys(fsdaemon_t)
+
+ tunable_policy(`smartmon_3ware',`
+ allow fsdaemon_t self:process setfscreate;
+@@ -116,9 +125,9 @@ optional_policy(`
')
optional_policy(`
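Review bot: `userdom_use_user_ptys(fsdaemon_t)` is added unconditionally and is not mentioned in the 3.12.1-5 changelog this commit adds, and it sits directly after `userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)`, where the earlier intent was to silence rather than grant access to user-owned descriptors. For a system daemon, read/write on every user pty type is a wide grant; if the driver is smartctl writing its output to the terminal of the user who invoked it (a guess, the denial is not shown), a comment above the rule such as `# smartctl run from a user shell writes to the caller's pty` plus a changelog line would document that, and a narrower inherited-terminal interface, if this policy provides one, would be preferable. The fsdaemon_t section of smartmon.te continues outside the hunk.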
@@ -81908,10 +82251,10 @@ index 9dec06c..d8a2b54 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..eaf5bf9 100644
+index 1f22fba..c566b8b 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,94 +1,105 @@
+@@ -1,94 +1,98 @@
-policy_module(virt, 1.6.10)
+policy_module(virt, 1.5.0)
@@ -81998,11 +82341,12 @@ index 1f22fba..eaf5bf9 100644
-## Determine whether confined virtual guests
-## can manage device configuration.
-##
-+##
-+## Allow confined virtual guests to manage device configuration, (pci)
-+##
++##
++## Allow confined virtual guests to interact with the sanlock
++##
##
- gen_tunable(virt_use_sysfs, false)
+-gen_tunable(virt_use_sysfs, false)
++gen_tunable(virt_use_sanlock, false)
##
-##
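Review bot: Dropping `gen_tunable(virt_use_sysfs, false)` here, together with the hunks at `@@ -82773,6 +83110,7 @@` and `@@ -82986,11 +83324,6 @@`, turns `compromise_kernel` from a boolean-gated grant to svirt_t into an unconditional `allow virt_domain self:capability2 compromise_kernel;` for every domain carrying the virt_domain attribute, and no line in the 3.12.1-5 changelog in this commit records that. capability2 compromise_kernel is the capability that guards operations able to modify the running kernel, so a compromised guest process would hold it by default instead of only after an administrator opts in; keeping the rule inside `tunable_policy(`virt_use_sysfs',` / `allow virt_domain self:capability2 compromise_kernel;` / `')` with the tunable default false preserves the opt-in posture and the existing boolean name. The same removed block also carried `dev_rw_sysfs(virt_domain)`, which I cannot see re-added in the visible hunks — confirm it is no longer needed or is granted elsewhere.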
@@ -82010,38 +82354,31 @@ index 1f22fba..eaf5bf9 100644
-## can use usb devices.
-##
+##
-+## Allow confined virtual guests to interact with the sanlock
++## Allow confined virtual guests to interact with rawip sockets
+##
##
-gen_tunable(virt_use_usb, false)
-+gen_tunable(virt_use_sanlock, false)
++gen_tunable(virt_use_rawip, false)
##
-##
-## Determine whether confined virtual guests
-## can interact with xserver.
-##
-+##
-+## Allow confined virtual guests to interact with rawip sockets
-+##
++##
++## Allow confined virtual guests to interact with the xserver
++##
##
--gen_tunable(virt_use_xserver, false)
--
+ gen_tunable(virt_use_xserver, false)
+
-attribute virt_ptynode;
-attribute virt_domain;
-attribute virt_image_type;
-attribute virt_tmp_type;
-attribute virt_tmpfs_type;
-+gen_tunable(virt_use_rawip, false)
-
+-
-attribute svirt_lxc_domain;
-+##
-+##
-+## Allow confined virtual guests to interact with the xserver
-+##
-+##
-+gen_tunable(virt_use_xserver, false)
-
+-
-attribute_role virt_domain_roles;
-roleattribute system_r virt_domain_roles;
+##
@@ -82068,7 +82405,7 @@ index 1f22fba..eaf5bf9 100644
type virt_cache_t alias svirt_cache_t;
files_type(virt_cache_t)
-@@ -105,27 +116,25 @@ userdom_user_home_content(virt_home_t)
+@@ -105,27 +109,25 @@ userdom_user_home_content(virt_home_t)
type svirt_home_t;
userdom_user_home_content(svirt_home_t)
@@ -82102,7 +82439,7 @@ index 1f22fba..eaf5bf9 100644
type virt_var_run_t;
files_pid_file(virt_var_run_t)
-@@ -139,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -139,9 +141,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)
@@ -82120,7 +82457,7 @@ index 1f22fba..eaf5bf9 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,251 +172,82 @@ type virt_qmf_exec_t;
+@@ -155,251 +165,82 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
@@ -82208,7 +82545,9 @@ index 1f22fba..eaf5bf9 100644
-append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-kernel_read_system_state(virt_domain)
-
-fs_getattr_xattr_fs(virt_domain)
@@ -82335,9 +82674,7 @@ index 1f22fba..eaf5bf9 100644
- xserver_stream_connect(virt_domain)
- ')
-')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
@@ -82381,9 +82718,7 @@ index 1f22fba..eaf5bf9 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
@@ -82407,7 +82742,9 @@ index 1f22fba..eaf5bf9 100644
-corenet_sendrecv_all_server_packets(svirt_t)
-corenet_udp_bind_all_ports(svirt_t)
-corenet_tcp_bind_all_ports(svirt_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-corenet_sendrecv_all_client_packets(svirt_t)
-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -82420,7 +82757,7 @@ index 1f22fba..eaf5bf9 100644
########################################
#
-@@ -407,38 +255,41 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -407,38 +248,41 @@ corenet_tcp_connect_all_ports(svirt_t)
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
@@ -82481,7 +82818,7 @@ index 1f22fba..eaf5bf9 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +299,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +292,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -82527,7 +82864,7 @@ index 1f22fba..eaf5bf9 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +333,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +326,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -82537,18 +82874,18 @@ index 1f22fba..eaf5bf9 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -520,22 +352,12 @@ corecmd_exec_shell(virtd_t)
+@@ -520,22 +345,12 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -82572,7 +82909,7 @@ index 1f22fba..eaf5bf9 100644
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
-@@ -548,22 +370,22 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +363,22 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -82600,7 +82937,7 @@ index 1f22fba..eaf5bf9 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +416,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -82620,7 +82957,7 @@ index 1f22fba..eaf5bf9 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +438,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -82655,7 +82992,7 @@ index 1f22fba..eaf5bf9 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +464,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -82664,7 +83001,7 @@ index 1f22fba..eaf5bf9 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -646,107 +477,330 @@ optional_policy(`
+@@ -646,107 +470,326 @@ optional_policy(`
consoletype_exec(virtd_t)
')
@@ -82773,6 +83110,7 @@ index 1f22fba..eaf5bf9 100644
+#
+# virtual domains common policy
+#
++allow virt_domain self:capability2 compromise_kernel;
+allow virt_domain self:process { signal getsched signull };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
@@ -82986,11 +83324,6 @@ index 1f22fba..eaf5bf9 100644
+ fs_getattr_cifs(virt_domain)
+')
+
-+tunable_policy(`virt_use_sysfs',`
-+ allow svirt_t self:capability2 compromise_kernel;
-+ dev_rw_sysfs(virt_domain)
-+')
-+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -83052,7 +83385,7 @@ index 1f22fba..eaf5bf9 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +812,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +801,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -83081,7 +83414,7 @@ index 1f22fba..eaf5bf9 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +830,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -83108,7 +83441,7 @@ index 1f22fba..eaf5bf9 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +850,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +839,21 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -83139,7 +83472,7 @@ index 1f22fba..eaf5bf9 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,6 +882,10 @@ optional_policy(`
+@@ -847,6 +871,10 @@ optional_policy(`
')
optional_policy(`
@@ -83150,7 +83483,7 @@ index 1f22fba..eaf5bf9 100644
rpm_exec(virsh_t)
')
-@@ -854,7 +893,7 @@ optional_policy(`
+@@ -854,7 +882,7 @@ optional_policy(`
xen_manage_image_dirs(virsh_t)
xen_append_log(virsh_t)
xen_domtrans(virsh_t)
@@ -83159,7 +83492,7 @@ index 1f22fba..eaf5bf9 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +918,39 @@ optional_policy(`
+@@ -879,34 +907,39 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -83209,7 +83542,7 @@ index 1f22fba..eaf5bf9 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +960,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +949,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -83225,7 +83558,7 @@ index 1f22fba..eaf5bf9 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +980,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +969,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -83236,7 +83569,7 @@ index 1f22fba..eaf5bf9 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -955,15 +1000,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +989,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -83255,7 +83588,7 @@ index 1f22fba..eaf5bf9 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1014,38 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,20 +1003,38 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -83300,7 +83633,7 @@ index 1f22fba..eaf5bf9 100644
allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1054,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,19 +1043,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -83320,7 +83653,7 @@ index 1f22fba..eaf5bf9 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1061,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1050,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -83339,7 +83672,7 @@ index 1f22fba..eaf5bf9 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1080,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1069,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -83366,7 +83699,7 @@ index 1f22fba..eaf5bf9 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,11 +1105,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,11 +1094,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -83383,7 +83716,7 @@ index 1f22fba..eaf5bf9 100644
optional_policy(`
udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1123,63 @@ optional_policy(`
+@@ -1078,81 +1112,63 @@ optional_policy(`
apache_read_sys_content(svirt_lxc_domain)
')
@@ -83488,7 +83821,7 @@ index 1f22fba..eaf5bf9 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1192,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1181,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -83503,7 +83836,7 @@ index 1f22fba..eaf5bf9 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1210,8 @@ optional_policy(`
+@@ -1183,9 +1199,8 @@ optional_policy(`
########################################
#
@@ -83514,7 +83847,7 @@ index 1f22fba..eaf5bf9 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1224,65 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1213,65 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -85717,7 +86050,7 @@ index 0cea2cd..7668014 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index 2882821..cc48c69 100644
+index 2882821..32ace1c 100644
--- a/xguest.te
+++ b/xguest.te
@@ -1,4 +1,4 @@
@@ -85826,63 +86159,67 @@ index 2882821..cc48c69 100644
')
')
-@@ -84,88 +95,92 @@ optional_policy(`
+@@ -84,12 +95,17 @@ optional_policy(`
')
')
+
-+optional_policy(`
-+ chrome_role(xguest_r, xguest_t)
+ optional_policy(`
+- apache_role(xguest_r, xguest_t)
++ colord_dbus_chat(xguest_t)
+')
+
+optional_policy(`
-+ hal_dbus_chat(xguest_t)
-+')
-+
- optional_policy(`
- apache_role(xguest_r, xguest_t)
++ chrome_role(xguest_r, xguest_t)
')
optional_policy(`
-+ gnome_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
- gnomeclock_dontaudit_dbus_chat(xguest_t)
+- gnomeclock_dontaudit_dbus_chat(xguest_t)
++ dbus_dontaudit_chat_system_bus(xguest_t)
')
optional_policy(`
-- hal_dbus_chat(xguest_t)
-+ mozilla_run_plugin(xguest_t, xguest_r)
+@@ -97,75 +113,78 @@ optional_policy(`
')
optional_policy(`
- java_role(xguest_r, xguest_t)
-+ pcscd_read_pub_files(xguest_t)
-+ pcscd_stream_connect(xguest_t)
++ apache_role(xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
-+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
++ gnome_role(xguest_r, xguest_t)
')
optional_policy(`
- tunable_policy(`xguest_connect_network',`
+- tunable_policy(`xguest_connect_network',`
- kernel_read_network_state(xguest_t)
--
++ mozilla_run_plugin(xguest_t, xguest_r)
++')
+
++optional_policy(`
++ pcscd_read_pid_files(xguest_t)
++ pcscd_stream_connect(xguest_t)
++')
++
++optional_policy(`
++ rhsmcertd_dontaudit_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++ tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
-- networkmanager_read_lib_files(xguest_t)
-+ networkmanager_read_lib_files(xguest_t)
+ networkmanager_read_lib_files(xguest_t)
+ ')
+')
-
-- corenet_all_recvfrom_unlabeled(xguest_t)
-- corenet_all_recvfrom_netlabel(xguest_t)
++
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_t)
-+
+
+- corenet_all_recvfrom_unlabeled(xguest_t)
+- corenet_all_recvfrom_netlabel(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
corenet_tcp_sendrecv_generic_if(xguest_t)
corenet_raw_sendrecv_generic_if(xguest_t)
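Review bot: `dbus_dontaudit_chat_system_bus(xguest_t)` replaces the narrowly targeted `gnomeclock_dontaudit_dbus_chat(xguest_t)`, and its name suggests it silences a wider class of denials for the least-trusted login role; the changelog's "dontaudit attempts to dbus chat" confirms the intent but not the scope. AVC denials from xguest_t are one of the few signals that a guest session is probing system services, so I would keep the dontaudit scoped to the service that actually produces the noise — the changelog says gnomeclock became systemd timedated, so a timedated-specific dontaudit interface, if the systemd module provides one, is the drop-in replacement — or at least add a comment above the rule naming the denial it suppresses. `colord_dbus_chat(xguest_t)` is also new here and, beyond the generic colord changelog lines, undocumented; a changelog entry would help. The xguest_t section of xguest.te continues outside the hunk.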
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 682d126..4df2d60 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -534,6 +534,27 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jan 16 2013 Miroslav Grepl 3.12.1-5
+- Fix systemd_manage_unit_symlinks() interface
+- Call systemd_manage_unit_symlinks(() which is correct interface
+- Add filename transition for opasswd
+- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
+- Allow sytstemd-timedated to get status of init_t
+- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t
+- colord needs to communicate with systemd and systemd_logind, also remove duplicate rules
+- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
+- Allow gpg_t to manage all gnome files
+- Stop using pcscd_read_pub_files
+- New rules for xguest, dontaudit attempts to dbus chat
+- Allow firewalld to create its mmap files in tmpfs and tmp directories
+- Allow firewalld to create its mmap files in tmpfs and tmp directories
+- run unbound-chkconf as named_t, so it can read dnssec
+- Colord is reading xdm process state, probably reads state of any apps that sends dbus message
+- Allow mdadm_t to change the kernel scheduler
+- mythtv policy
+- Update mandb_admin() interface
+- Allow dsspam to listen on own tpc_socket
+
* Mon Jan 14 2013 Miroslav Grepl 3.12.1-4
- Allow systemd-tmpfiles to relabel lpd spool files
- Ad labeling for texlive bash scripts