diff --git a/modules-targeted.conf b/modules-targeted.conf
index 78530d4..f4909bf 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2542,3 +2542,10 @@ svnserve =  module
 #  policy for man2html apps
 # 
 man2html =  module
+
+# Layer: contrib
+# Module: glusterd
+#  
+#  policy for glusterd service
+#
+glusterd =  module
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index b1a3db6..96b449d 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58144,7 +58144,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index f462e95..d29da40 100644
+index f462e95..e8f76cb 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -393,6 +393,10 @@ class system
@@ -58163,7 +58163,7 @@ index f462e95..d29da40 100644
  	mac_admin	# unused by SELinux
  	syslog
 +	wake_alarm
-+	epolwakeup
++	epollwakeup
  }
  
  #
@@ -58218,7 +58218,7 @@ index 66e85ea..d02654d 100644
  ## user domains.
  ## </p>
 diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..cc2b436 100644
+index 4705ab6..8ba19a0 100644
 --- a/policy/global_tunables
 +++ b/policy/global_tunables
 @@ -6,52 +6,59 @@
@@ -58307,10 +58307,17 @@ index 4705ab6..cc2b436 100644
  ## Allow any files/directories to be exported read/write via NFS.
  ## </p>
  ## </desc>
-@@ -105,9 +103,17 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
  
  ## <desc>
  ## <p>
++## Support ecryptfs home directories
++## </p>
++## </desc>
++gen_tunable(use_ecryptfs_home_dirs,false)
++
++## <desc>
++## <p>
 +## Support fusefs home directories
 +## </p>
 +## </desc>
@@ -58422,10 +58429,10 @@ index f477c7f..d80599b 100644
 +
  ') dnl end enable_mcs
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..530d2df 100644
+index 7a6f06f..48fc840 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,16 @@
 -
 +/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
@@ -58437,6 +58444,8 @@ index 7a6f06f..530d2df 100644
  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/sbin/zipl			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++
++/var/run/blkid(/.*)?		gen_context(system_u:object_r:bootloader_var_run_t,s0)
  
 -/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
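Review bot: `/var/run/blkid(/.*)?` is labelled with the new bootloader-private type bootloader_var_run_t, but the blkid cache belongs to libblkid and is not written only by the bootloader; elsewhere in this same patch the /etc counterpart is transitioned with `files_etc_filetrans_etc_runtime($1, dir, "blkid")` to etc_runtime_t, so the same cache ends up with two unrelated types depending on where a given release puts it. Any other domain that refreshes the cache under /var/run (mount- or fsadm-style tools, to be confirmed against their .te files) will now be denied unless it is granted bootloader_var_run_t access. If the directory is shared, either reuse the type the /etc entry gets or introduce a neutral runtime type; if it really is bootloader-only, a comment above the entry stating that would answer the question for the next reader.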
@@ -58529,7 +58538,7 @@ index a778bb1..5e914db 100644
 +	files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
 +')
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..e717a21 100644
+index ab0439a..4104b53 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
@@ -58543,13 +58552,16 @@ index ab0439a..e717a21 100644
  
  #
  # boot_runtime_t is the type for /boot/kernel.h,
-@@ -19,14 +19,15 @@ files_type(boot_runtime_t)
+@@ -19,14 +19,18 @@ files_type(boot_runtime_t)
  type bootloader_t;
  type bootloader_exec_t;
  application_domain(bootloader_t, bootloader_exec_t)
 -role bootloader_roles types bootloader_t;
 +#role bootloader_roles types bootloader_t;
 +role system_r types bootloader_t;
++
++type bootloader_var_run_t;
++files_pid_file(bootloader_var_run_t)
  
  #
  # bootloader_etc_t is the configuration file,
@@ -58561,7 +58573,7 @@ index ab0439a..e717a21 100644
  
  #
  # The temp file is used for initrd creation;
-@@ -41,7 +42,7 @@ dev_node(bootloader_tmp_t)
+@@ -41,7 +45,7 @@ dev_node(bootloader_tmp_t)
  # bootloader local policy
  #
  
@@ -58570,7 +58582,18 @@ index ab0439a..e717a21 100644
  allow bootloader_t self:process { signal_perms execmem };
  allow bootloader_t self:fifo_file rw_fifo_file_perms;
  
-@@ -81,6 +82,7 @@ dev_rw_nvram(bootloader_t)
+@@ -59,6 +63,10 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
+ # for tune2fs (cjp: ?)
+ files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+ 
++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
++
+ kernel_getattr_core_if(bootloader_t)
+ kernel_read_network_state(bootloader_t)
+ kernel_read_system_state(bootloader_t)
+@@ -81,6 +89,7 @@ dev_rw_nvram(bootloader_t)
  
  fs_getattr_xattr_fs(bootloader_t)
  fs_getattr_tmpfs(bootloader_t)
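Review bot: `files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })` is unnamed, so every directory or file bootloader_t creates directly under /var/run takes bootloader_var_run_t, which is broader than the single `/var/run/blkid(/.*)?` entry bootloader.fc gives this type. If files_pid_filetrans in this tree accepts the optional name argument (files_etc_filetrans and files_root_filetrans are used with one elsewhere in the patch), `files_pid_filetrans(bootloader_t, bootloader_var_run_t, dir, "blkid")` narrows it to the blkid directory, and files created inside then inherit the directory's type, which the manage_files_pattern line above already permits. The brace spacing should also match the rest of the file: `{ dir file }`.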
@@ -58578,7 +58601,7 @@ index ab0439a..e717a21 100644
  fs_read_tmpfs_symlinks(bootloader_t)
  #Needed for ia64
  fs_manage_dos_files(bootloader_t)
-@@ -89,6 +91,7 @@ mls_file_read_all_levels(bootloader_t)
+@@ -89,6 +98,7 @@ mls_file_read_all_levels(bootloader_t)
  mls_file_write_all_levels(bootloader_t)
  
  term_getattr_all_ttys(bootloader_t)
@@ -58586,7 +58609,7 @@ index ab0439a..e717a21 100644
  term_dontaudit_manage_pty_dirs(bootloader_t)
  
  corecmd_exec_all_executables(bootloader_t)
-@@ -98,12 +101,14 @@ domain_use_interactive_fds(bootloader_t)
+@@ -98,12 +108,14 @@ domain_use_interactive_fds(bootloader_t)
  files_create_boot_dirs(bootloader_t)
  files_manage_boot_files(bootloader_t)
  files_manage_boot_symlinks(bootloader_t)
@@ -58601,7 +58624,7 @@ index ab0439a..e717a21 100644
  # for nscd
  files_dontaudit_search_pids(bootloader_t)
  # for blkid.tab
-@@ -111,6 +116,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -111,6 +123,7 @@ files_manage_etc_runtime_files(bootloader_t)
  files_etc_filetrans_etc_runtime(bootloader_t, file)
  files_dontaudit_search_home(bootloader_t)
  
@@ -58609,7 +58632,7 @@ index ab0439a..e717a21 100644
  init_getattr_initctl(bootloader_t)
  init_use_script_ptys(bootloader_t)
  init_use_script_fds(bootloader_t)
-@@ -118,8 +124,10 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,8 +131,10 @@ init_rw_script_pipes(bootloader_t)
  
  libs_read_lib_files(bootloader_t)
  libs_exec_lib_files(bootloader_t)
@@ -58621,7 +58644,7 @@ index ab0439a..e717a21 100644
  logging_rw_generic_logs(bootloader_t)
  
  miscfiles_read_localization(bootloader_t)
-@@ -130,7 +138,8 @@ seutil_read_bin_policy(bootloader_t)
+@@ -130,7 +145,8 @@ seutil_read_bin_policy(bootloader_t)
  seutil_read_loadpolicy(bootloader_t)
  seutil_dontaudit_search_config(bootloader_t)
  
@@ -58631,7 +58654,7 @@ index ab0439a..e717a21 100644
  userdom_dontaudit_search_user_home_dirs(bootloader_t)
  
  ifdef(`distro_debian',`
-@@ -166,7 +175,8 @@ ifdef(`distro_redhat',`
+@@ -166,7 +182,8 @@ ifdef(`distro_redhat',`
  	files_manage_isid_type_chr_files(bootloader_t)
  
  	# for mke2fs
@@ -58641,7 +58664,7 @@ index ab0439a..e717a21 100644
  
  	optional_policy(`
  		unconfined_domain(bootloader_t)
-@@ -174,6 +184,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +191,10 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -58652,7 +58675,7 @@ index ab0439a..e717a21 100644
  	fstools_exec(bootloader_t)
  ')
  
-@@ -183,6 +197,10 @@ optional_policy(`
+@@ -183,6 +204,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58663,7 +58686,7 @@ index ab0439a..e717a21 100644
  	kudzu_domtrans(bootloader_t)
  ')
  
-@@ -195,15 +213,13 @@ optional_policy(`
+@@ -195,15 +220,13 @@ optional_policy(`
  
  optional_policy(`
  	modutils_exec_insmod(bootloader_t)
@@ -60130,7 +60153,7 @@ index 7590165..59539e8 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..cdbf6c7 100644
+index db981df..b77f19f 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -60208,7 +60231,7 @@ index db981df..cdbf6c7 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -60221,7 +60244,6 @@ index db981df..cdbf6c7 100644
  /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 -/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/.*					gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -60303,7 +60325,7 @@ index db981df..cdbf6c7 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -60319,7 +60341,7 @@ index db981df..cdbf6c7 100644
  /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -60339,7 +60361,7 @@ index db981df..cdbf6c7 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -60350,7 +60372,7 @@ index db981df..cdbf6c7 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',`
+@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -60371,7 +60393,7 @@ index db981df..cdbf6c7 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +367,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +366,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -60384,7 +60406,7 @@ index db981df..cdbf6c7 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +382,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +381,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -60396,7 +60418,7 @@ index db981df..cdbf6c7 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +435,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +434,14 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -60412,7 +60434,7 @@ index db981df..cdbf6c7 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +452,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +451,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -64649,7 +64671,7 @@ index 4429d30..cbcd9d0 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 41346fb..9ec1de8 100644
+index 41346fb..6e7808a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -66032,7 +66054,7 @@ index 41346fb..9ec1de8 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6406,3 +7285,332 @@ interface(`files_unconfined',`
+@@ -6406,3 +7285,343 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -66364,6 +66386,17 @@ index 41346fb..9ec1de8 100644
 +	files_root_filetrans($1, usr_t, dir, "export")
 +	files_root_filetrans($1, usr_t, dir, "emul")
 +	files_root_filetrans($1, var_t, dir, "nsr")
++	files_etc_filetrans_etc_runtime($1, file, "runtime")
++	files_etc_filetrans_etc_runtime($1, dir, "blkid")
++	files_etc_filetrans_etc_runtime($1, dir, "cmtab")
++	files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
++	files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
++	files_etc_filetrans_etc_runtime($1, file, "nologin")
++	files_etc_filetrans_etc_runtime($1, file, "securetty")
++	files_etc_filetrans_etc_runtime($1, file, "ifstate")
++	files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
++	files_etc_filetrans_etc_runtime($1, file, "hwconf")
++	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 1ce8aa0..24dfed0 100644
@@ -66442,10 +66475,18 @@ index 1ce8aa0..24dfed0 100644
  	allow files_unconfined_type file_type:file execmod;
  ')
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..e89e4bf 100644
+index cda5588..91d1e25 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -14,3 +14,8 @@
+@@ -1,3 +1,7 @@
++# ecryptfs does not support xattr
++HOME_DIR/\.ecryptfs(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
++HOME_DIR/\.Private(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
++
+ /cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
+ /cgroup/.*			<<none>>
+ 
+@@ -14,3 +18,8 @@
  # for systemd systems:
  /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
  /sys/fs/cgroup/.*		<<none>>
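Review bot: The comment `# ecryptfs does not support xattr` on the first added line says why these entries exist but not what they label; as written a reader may think the ecryptfs mount itself is being labelled, which an xattr-less filesystem cannot carry. The two entries cover the on-disk directories under the home directory (`.ecryptfs` and `.Private`), presumably so that the backing store gets ecryptfs_t rather than the user home type — confirm that is the intent. Suggest `# ecryptfs does not support xattr; label the backing directories in the home dir instead`.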
@@ -66455,7 +66496,7 @@ index cda5588..e89e4bf 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..6d3f720 100644
+index 7c6b791..242bce2 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -66581,15 +66622,17 @@ index 7c6b791..6d3f720 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -763,6 +829,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
+ 
  	')
  
++	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
  	rw_files_pattern($1, cgroup_t, cgroup_t)
 +	fs_search_tmpfs($1)
  	dev_search_sysfs($1)
  ')
  
-@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
  	')
  
  	manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -66598,7 +66641,7 @@ index 7c6b791..6d3f720 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
  
  ########################################
  ## <summary>
@@ -66623,7 +66666,7 @@ index 7c6b791..6d3f720 100644
  ##	Do not audit attempts to read all
  ##	noxattrfs files.
  ## </summary>
-@@ -1245,7 +1332,7 @@ interface(`fs_append_cifs_files',`
+@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -66632,7 +66675,7 @@ index 7c6b791..6d3f720 100644
  ##	on a CIFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -66675,7 +66718,7 @@ index 7c6b791..6d3f720 100644
  ##	Do not audit attempts to read or
  ##	write files on a CIFS or SMB filesystem.
  ## </summary>
-@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -66684,7 +66727,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -66710,7 +66753,7 @@ index 7c6b791..6d3f720 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1582,6 +1724,24 @@ interface(`fs_manage_configfs_files',`
+@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
  
  ########################################
  ## <summary>
@@ -66735,7 +66778,7 @@ index 7c6b791..6d3f720 100644
  ##	Mount a DOS filesystem, such as
  ##	FAT32 or NTFS.
  ## </summary>
-@@ -1679,6 +1839,25 @@ interface(`fs_relabelfrom_dos_fs',`
+@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',`
  
  ########################################
  ## <summary>
@@ -66761,10 +66804,132 @@ index 7c6b791..6d3f720 100644
  ##	Search dosfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2025,6 +2204,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
  
- ########################################
- ## <summary>
++
++#######################################
++## <summary>
++##      Search directories
++##      on a ecrypt filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_search_ecryptfs',`
++        gen_require(`
++                type fusefs_t;
++        ')
++
++        allow $1 ecryptfs_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete directories
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_dirs',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++	allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++## <summary>
++##      Create, read, write, and delete files
++##      on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_read_ecryptfs_files',`
++        gen_require(`
++                type ecryptfs_t;
++        ')
++
++        read_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete files
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_files',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_ecryptfs_files',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	dontaudit $1 ecryptfs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_ecryptfs_symlinks',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	allow $1 ecryptfs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
 +##	Manage symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
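Review bot: `fs_search_ecryptfs` requires the wrong type: its `gen_require` lists `type fusefs_t;` while the rule it emits is `allow $1 ecryptfs_t:dir search_dir_perms;`, so a caller never declares ecryptfs_t and the fusefs_t requirement is dead; it should read `type ecryptfs_t;`. The same copy-paste slip survives in `fs_manage_ecryptfs_symlinks` in the next hunk, where the outer change renames the interface and its pattern to ecryptfs_t but leaves `type fusefs_t;` in the require. The summaries of every new ecryptfs interface still say "on a FUSEFS filesystem", and `fs_read_ecryptfs_files` is described as "Create, read, write, and delete files" although it only emits `read_files_pattern`; suggest "Read files on an ecryptfs filesystem." there and "ecryptfs" in place of "FUSEFS" in the others. `fs_manage_ecryptfs_dirs` emits both `manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)` and `allow $1 ecryptfs_t:dir manage_dir_perms;`, the second of which duplicates what the pattern already grants, and two of the new interfaces are indented with spaces where the rest of the file uses tabs.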
@@ -66773,12 +66938,12 @@ index 7c6b791..6d3f720 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_manage_fusefs_symlinks',`
++interface(`fs_manage_ecryptfs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
 +')
 +
 +########################################
@@ -66816,21 +66981,108 @@ index 7c6b791..6d3f720 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_fusefs_domtrans',`
++interface(`fs_ecryptfs_domtrans',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	allow $1 ecryptfs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
+ ########################################
+ ## <summary>
+ ##	Mount a FUSE filesystem.
+@@ -2006,21 +2368,83 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links on a FUSEFS filesystem.
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_fusefs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	allow $1 fusefs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, fusefs_t, $2)
++	allow $1 fusefs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Get the attributes of an hugetlbfs
- ##	filesystem.
++##	Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
  ## </summary>
-@@ -2080,6 +2321,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_read_fusefs_symlinks',`
++interface(`fs_fusefs_domtrans',`
+ 	gen_require(`
+ 		type fusefs_t;
+ 	')
+ 
+-	allow $1 fusefs_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
+ ')
+ 
+ ########################################
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -66855,7 +67107,7 @@ index 7c6b791..6d3f720 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,11 +2407,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -66869,7 +67121,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2485,6 +2745,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -66877,7 +67129,7 @@ index 7c6b791..6d3f720 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2523,6 +2784,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -66885,7 +67137,7 @@ index 7c6b791..6d3f720 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2549,6 +2811,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -66911,7 +67163,7 @@ index 7c6b791..6d3f720 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2569,7 +2850,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -66920,7 +67172,7 @@ index 7c6b791..6d3f720 100644
  ##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2589,6 +2870,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -66963,7 +67215,7 @@ index 7c6b791..6d3f720 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2603,7 +2920,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -66972,7 +67224,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -2627,7 +2944,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -66981,7 +67233,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2741,7 +3058,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -66990,7 +67242,7 @@ index 7c6b791..6d3f720 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3094,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -66999,7 +67251,7 @@ index 7c6b791..6d3f720 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +3287,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -67007,7 +67259,7 @@ index 7c6b791..6d3f720 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +3328,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -67015,7 +67267,7 @@ index 7c6b791..6d3f720 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +3369,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -67023,7 +67275,7 @@ index 7c6b791..6d3f720 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3263,6 +3583,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -67048,7 +67300,7 @@ index 7c6b791..6d3f720 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +3621,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -67073,7 +67325,7 @@ index 7c6b791..6d3f720 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +3748,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -67082,7 +67334,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +3785,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -67091,7 +67343,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +3803,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -67100,7 +67352,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3815,6 +4171,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -67125,7 +67377,7 @@ index 7c6b791..6d3f720 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3963,6 +4337,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -67168,7 +67420,7 @@ index 7c6b791..6d3f720 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4069,7 +4479,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -67177,7 +67429,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -4129,6 +4539,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -67202,7 +67454,7 @@ index 7c6b791..6d3f720 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4166,7 +4594,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -67211,7 +67463,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4185,6 +4613,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -67254,7 +67506,7 @@ index 7c6b791..6d3f720 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4242,6 +4706,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4889,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -67279,7 +67531,7 @@ index 7c6b791..6d3f720 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4261,6 +4743,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +4926,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -67305,7 +67557,7 @@ index 7c6b791..6d3f720 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4467,6 +4968,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5151,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -67314,7 +67566,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -4513,7 +5016,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5199,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -67323,7 +67575,7 @@ index 7c6b791..6d3f720 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4876,3 +5379,24 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5562,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -69634,10 +69886,10 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..f373c8d 100644
+index e5aee97..3d10b66 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,52 @@ policy_module(staff, 2.3.0)
+@@ -8,12 +8,57 @@ policy_module(staff, 2.3.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -69687,10 +69939,15 @@ index e5aee97..f373c8d 100644
 +	abrt_read_cache(staff_t)
 +')
 +
++optional_policy(`
++	accountsd_dbus_chat(staff_t)
++	accountsd_read_lib_files(staff_t)
++')
++
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +63,99 @@ optional_policy(`
+@@ -23,11 +68,98 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69702,21 +69959,20 @@ index e5aee97..f373c8d 100644
 +')
 +
 +optional_policy(`
- 	dbadm_role_change(staff_r)
- ')
- 
- optional_policy(`
--	git_role(staff_r, staff_t)
-+	accountsd_dbus_chat(staff_t)
-+	accountsd_read_lib_files(staff_t)
++	chrome_role(staff_r, staff_t)
 +')
 +
 +optional_policy(`
-+	chrome_role(staff_r, staff_t)
++	colord_dbus_chat(staff_t)
 +')
 +
 +optional_policy(`
-+	colord_dbus_chat(staff_t)
+ 	dbadm_role_change(staff_r)
+ ')
+ 
+ optional_policy(`
+-	git_role(staff_r, staff_t)
++	dnsmasq_read_pid_files(staff_t)
 +')
 +
 +optional_policy(`
@@ -69791,7 +70047,7 @@ index e5aee97..f373c8d 100644
  ')
  
  optional_policy(`
-@@ -35,15 +163,23 @@ optional_policy(`
+@@ -35,15 +167,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69803,6 +70059,10 @@ index e5aee97..f373c8d 100644
 +')
 +
 +optional_policy(`
++	rwho_read_spool_files(staff_t)
++')
++
++optional_policy(`
  	secadm_role_change(staff_r)
  ')
  
@@ -69817,7 +70077,7 @@ index e5aee97..f373c8d 100644
  ')
  
  optional_policy(`
-@@ -52,10 +188,59 @@ optional_policy(`
+@@ -52,10 +196,59 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69877,7 +70137,7 @@ index e5aee97..f373c8d 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +250,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +258,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69888,7 +70148,7 @@ index e5aee97..f373c8d 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -93,18 +274,10 @@ ifndef(`distro_redhat',`
+@@ -93,18 +282,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69907,7 +70167,7 @@ index e5aee97..f373c8d 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +306,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69918,7 +70178,7 @@ index e5aee97..f373c8d 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +310,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +318,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69929,7 +70189,7 @@ index e5aee97..f373c8d 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +341,7 @@ ifndef(`distro_redhat',`
+@@ -176,3 +349,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -73032,10 +73292,10 @@ index b17e27a..f87cce0 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..7421ac9 100644
+index fc86b7c..decae02 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,34 @@
+@@ -2,13 +2,35 @@
  # HOME_DIR
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -73050,6 +73310,7 @@ index fc86b7c..7421ac9 100644
  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +HOME_DIR/\.Xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)?	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +
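Review bot: The new `HOME_DIR/\.cache/gdm(/.*)?` entry carries the `--` regular-file qualifier, so it labels only regular files under ~/.cache/gdm and never the directory itself, although the `(/.*)?` pattern says it is meant to cover a tree; the sibling tree entries in this file (`/var/lib/lxdm(/.*)?`, `/var/lib/xorg(/.*)?`) have no type qualifier. The xserver.te hunk that adds `gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")` creates that directory as xdm_home_t at runtime, so a later relabel would most likely reset the directory to whatever broader entry matches ~/.cache and leave only its files as xdm_home_t. I would drop the qualifier: `HOME_DIR/\.cache/gdm(/.*)?	gen_context(system_u:object_r:xdm_home_t,s0)`. The same point applies to the xserver.te hunk, which otherwise needs no change.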
@@ -73070,7 +73331,7 @@ index fc86b7c..7421ac9 100644
  
  #
  # /dev
-@@ -24,11 +45,18 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  
  /etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
  
@@ -73089,7 +73350,7 @@ index fc86b7c..7421ac9 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,23 +74,24 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -73120,12 +73381,12 @@ index fc86b7c..7421ac9 100644
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  
-@@ -90,24 +119,43 @@ ifndef(`distro_debian',`
+@@ -90,24 +120,43 @@ ifndef(`distro_debian',`
  /var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 -/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/[mxkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 +/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
 +
@@ -73169,7 +73430,7 @@ index fc86b7c..7421ac9 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..647cc5c 100644
+index 130ced9..173eaf5 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -73669,16 +73930,34 @@ index 130ced9..647cc5c 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -765,7 +918,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
 -	allow $1 xdm_tmp_t:dir setattr;
 +	allow $1 xdm_tmp_t:dir setattr_dir_perms;
++')
++
++########################################
++## <summary>
++##	Dont audit attempts to set the attributes of XDM temporary directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xserver_dontaudit_xdm_tmp_dirs',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
++	dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
  ')
  
  ########################################
-@@ -805,7 +958,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
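Review bot: The new interface `xserver_dontaudit_xdm_tmp_dirs` drops the operation from its name, unlike its neighbours `xserver_setattr_xdm_tmp_dirs` and `xserver_dontaudit_getattr_xdm_tmp_sockets`, so a caller cannot tell from the name that only `setattr_dir_perms` is covered. Since the interface is new in this patch, renaming it to `xserver_dontaudit_setattr_xdm_tmp_dirs` costs nothing beyond updating its callers within the patch. The summary should also follow the wording used elsewhere in this file, `##	Do not audit attempts to set the attributes of XDM temporary directories.`, rather than `Dont audit`.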
@@ -73706,7 +73985,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -828,6 +1000,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -73731,7 +74010,7 @@ index 130ced9..647cc5c 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -897,7 +1087,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1105,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -73740,7 +74019,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -916,7 +1106,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1124,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -73749,7 +74028,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -963,6 +1153,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1171,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -73795,7 +74074,7 @@ index 130ced9..647cc5c 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1205,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1223,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -73804,7 +74083,7 @@ index 130ced9..647cc5c 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1267,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1285,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -73847,7 +74126,7 @@ index 130ced9..647cc5c 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1317,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1335,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -73856,7 +74135,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1070,8 +1335,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1353,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -73868,7 +74147,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1185,6 +1452,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1470,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -73895,7 +74174,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1210,7 +1497,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1515,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -73904,7 +74183,7 @@ index 130ced9..647cc5c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1507,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1525,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -73929,7 +74208,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1243,10 +1540,533 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -74466,7 +74745,7 @@ index 130ced9..647cc5c 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index c4f7c35..a4b887d 100644
+index c4f7c35..06c447c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -74790,7 +75069,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -299,20 +396,38 @@ optional_policy(`
+@@ -299,64 +396,103 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -74833,7 +75112,8 @@ index c4f7c35..a4b887d 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -320,43 +435,63 @@ can_exec(xdm_t, xdm_exec_t)
++can_exec(xdm_t, xsession_exec_t)
+ 
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
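Review bot: `can_exec(xdm_t, xsession_exec_t)` lets the display manager run X session scripts inside its own domain, with no domain transition, and unlike the `can_exec(xdm_t, xdm_exec_t)` line just above it carries no rationale. A one-line why-comment such as `# Allow xdm to run Xsession scripts in xdm_t without a transition (needed by <display manager>)` would let the next reviewer judge whether the rule is still required. I am inferring the role of xsession_exec_t from its name and from `userdom_xsession_spec_domtrans_all_users(xdm_t)` elsewhere in the file, so confirm the wording.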
@@ -74903,7 +75183,7 @@ index c4f7c35..a4b887d 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,18 +500,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,18 +501,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -74931,7 +75211,7 @@ index c4f7c35..a4b887d 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -388,38 +531,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +532,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -74984,7 +75264,7 @@ index c4f7c35..a4b887d 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +583,25 @@ files_list_mnt(xdm_t)
+@@ -430,9 +584,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -75010,7 +75290,7 @@ index c4f7c35..a4b887d 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +611,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -75052,7 +75332,7 @@ index c4f7c35..a4b887d 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +651,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -75102,7 +75382,7 @@ index c4f7c35..a4b887d 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +701,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -75124,7 +75404,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -514,12 +722,63 @@ optional_policy(`
+@@ -514,12 +723,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75182,13 +75462,14 @@ index c4f7c35..a4b887d 100644
 +	gnome_read_usr_config(xdm_t)
 +	gnome_read_gconf_config(xdm_t)
 +	gnome_transition_gkeyringd(xdm_t)
++	gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
 +')
 +
 +optional_policy(`
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +796,69 @@ optional_policy(`
+@@ -537,28 +798,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75267,7 +75548,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -570,6 +870,14 @@ optional_policy(`
+@@ -570,6 +872,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75282,7 +75563,7 @@ index c4f7c35..a4b887d 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +902,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,7 +904,8 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -75292,7 +75573,7 @@ index c4f7c35..a4b887d 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -608,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -75308,7 +75589,7 @@ index c4f7c35..a4b887d 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -75330,7 +75611,7 @@ index c4f7c35..a4b887d 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -75338,7 +75619,7 @@ index c4f7c35..a4b887d 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -667,23 +991,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +993,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -75370,7 +75651,7 @@ index c4f7c35..a4b887d 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -75384,7 +75665,7 @@ index c4f7c35..a4b887d 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,8 +1042,6 @@ init_getpgid(xserver_t)
+@@ -708,8 +1044,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -75393,7 +75674,7 @@ index c4f7c35..a4b887d 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -717,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -717,11 +1051,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -75408,7 +75689,7 @@ index c4f7c35..a4b887d 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1108,40 @@ optional_policy(`
+@@ -775,16 +1110,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75450,7 +75731,7 @@ index c4f7c35..a4b887d 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1150,10 @@ optional_policy(`
+@@ -793,6 +1152,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75461,7 +75742,7 @@ index c4f7c35..a4b887d 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -75475,7 +75756,7 @@ index c4f7c35..a4b887d 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -75484,7 +75765,7 @@ index c4f7c35..a4b887d 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1193,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1195,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -75519,7 +75800,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1215,10 @@ optional_policy(`
+@@ -859,6 +1217,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -75530,7 +75811,7 @@ index c4f7c35..a4b887d 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -75539,7 +75820,7 @@ index c4f7c35..a4b887d 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1316,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1318,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -75571,7 +75852,7 @@ index c4f7c35..a4b887d 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1362,43 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1364,43 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -75789,7 +76070,7 @@ index 28ad538..82def3d 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 6ce867a..283f236 100644
+index 6ce867a..20a0b0a 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -75872,7 +76153,7 @@ index 6ce867a..283f236 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +146,31 @@ interface(`auth_login_pgm_domain',`
  	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
  	files_var_filetrans($1, auth_cache_t, dir)
  
@@ -75900,10 +76181,12 @@ index 6ce867a..283f236 100644
  	fs_list_auto_mountpoints($1)
 +	fs_manage_cgroup_dirs($1)
 +	fs_manage_cgroup_files($1)
++	fs_read_ecryptfs_symlinks($1)
++	fs_read_ecryptfs_files($1)
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +186,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -75912,7 +76195,7 @@ index 6ce867a..283f236 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +198,84 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -75948,6 +76231,7 @@ index 6ce867a..283f236 100644
 +		corecmd_exec_bin($1)
 +		storage_getattr_fixed_disk_dev($1)
 +		mount_domtrans($1)
++		mount_domtrans_ecryptmount($1)
 +	')
 +
 +	optional_policy(`
@@ -75998,7 +76282,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -395,13 +510,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,13 +513,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -76015,7 +76299,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -448,6 +565,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +568,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -76041,7 +76325,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -467,7 +603,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +606,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -76049,7 +76333,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -664,6 +799,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +802,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -76060,7 +76344,7 @@ index 6ce867a..283f236 100644
  ')
  
  #######################################
-@@ -763,7 +902,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +905,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -76112,7 +76396,7 @@ index 6ce867a..283f236 100644
  ')
  
  #######################################
-@@ -959,9 +1141,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1144,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -76146,7 +76430,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -1040,6 +1243,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1246,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -76157,7 +76441,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -1157,6 +1364,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1367,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -76165,7 +76449,7 @@ index 6ce867a..283f236 100644
  ')
  
  #######################################
-@@ -1526,6 +1734,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1737,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -76191,7 +76475,7 @@ index 6ce867a..283f236 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,37 +1903,49 @@ interface(`auth_manage_login_records',`
+@@ -1676,37 +1906,49 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -76251,7 +76535,7 @@ index 6ce867a..283f236 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1714,87 +1953,206 @@ interface(`auth_relabel_login_records',`
+@@ -1714,87 +1956,206 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -76509,7 +76793,7 @@ index 6ce867a..283f236 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
  ')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f12b8ff..b3e0efd 100644
+index f12b8ff..2293c1b 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
@@ -76618,7 +76902,7 @@ index f12b8ff..b3e0efd 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -76639,7 +76923,6 @@ index f12b8ff..b3e0efd 100644
 +	')
 +')
 +
-+
 +auth_read_passwd(nsswitch_domain)
 +
 +# read /etc/nsswitch.conf
@@ -77152,7 +77435,7 @@ index d2e40b8..3ba2e4c 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..b0bb610 100644
+index d26fe81..e07c6b7 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -77213,7 +77496,7 @@ index d26fe81..b0bb610 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -193,8 +235,10 @@ interface(`init_daemon_domain',`
+@@ -193,8 +235,11 @@ interface(`init_daemon_domain',`
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
  		type initrc_t;
@@ -77221,10 +77504,11 @@ index d26fe81..b0bb610 100644
  		role system_r;
  		attribute daemon;
 +		attribute initrc_transition_domain;
++		attribute initrc_domain;
  	')
  
  	typeattribute $1 daemon;
-@@ -202,39 +246,20 @@ interface(`init_daemon_domain',`
+@@ -202,40 +247,40 @@ interface(`init_daemon_domain',`
  	domain_type($1)
  	domain_entry_file($1, $2)
  
@@ -77241,6 +77525,7 @@ index d26fe81..b0bb610 100644
 -	# when using run_init
 -	init_use_script_ptys($1)
 +	domtrans_pattern(initrc_t,$2,$1)
++	domtrans_pattern(initrc_domain, $2,$1) 
  
  	ifdef(`direct_sysadm_daemon',`
  		domtrans_pattern(direct_run_init, $2, $1)
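Review bot: The added `domtrans_pattern(initrc_domain, $2,$1) ` has trailing whitespace and mixed argument spacing, while the neighbouring `domtrans_pattern(direct_run_init, $2, $1)` uses the conventional form; write it as `domtrans_pattern(initrc_domain, $2, $1)`. It also deserves a short comment, since it is the line that lets every domain carrying the `initrc_domain` attribute transition into every daemon domain set up through init_daemon_domain(): `# any initrc_domain member may start this daemon through its entrypoint`. The enclosing init_daemon_domain() starts before this hunk.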
@@ -77259,17 +77544,35 @@ index d26fe81..b0bb610 100644
 -		ifdef(`distro_rhel4',`
 -			kernel_dontaudit_use_fds($1)
 -		')
--	')
--
--	optional_policy(`
--		nscd_socket_use($1)
 +	tunable_policy(`init_upstart || init_systemd',`
 +	     # Handle upstart direct transition to a executable
 +	     domtrans_pattern(init_t,$2,$1)
  	')
++')
+ 
+-	optional_policy(`
+-		nscd_socket_use($1)
+-	')
++#######################################
++## <summary>
++##      Create initrc domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##       Type to be used as a initrc daemon domain.
++##      </summary>
++## </param>
++#
++interface(`init_initrc_domain',`
++        gen_require(`
++                attribute initrc_domain;
++        ')
++
++        typeattribute $1 initrc_domain;
  ')
  
-@@ -283,17 +308,20 @@ interface(`init_daemon_domain',`
+ ########################################
+@@ -283,17 +328,20 @@ interface(`init_daemon_domain',`
  interface(`init_ranged_daemon_domain',`
  	gen_require(`
  		type initrc_t;
@@ -77291,7 +77594,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
  
-@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,22 +384,23 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -77322,7 +77625,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
  
-@@ -401,20 +430,41 @@ interface(`init_system_domain',`
+@@ -401,20 +450,41 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -77364,7 +77667,7 @@ index d26fe81..b0bb610 100644
  ########################################
  ## <summary>
  ##	Execute init (/sbin/init) with a domain transition.
-@@ -442,7 +492,6 @@ interface(`init_domtrans',`
+@@ -442,7 +512,6 @@ interface(`init_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -77372,7 +77675,7 @@ index d26fe81..b0bb610 100644
  #
  interface(`init_exec',`
  	gen_require(`
-@@ -451,6 +500,29 @@ interface(`init_exec',`
+@@ -451,6 +520,29 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -77402,7 +77705,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -539,6 +611,24 @@ interface(`init_sigchld',`
+@@ -539,6 +631,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -77427,7 +77730,7 @@ index d26fe81..b0bb610 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -549,10 +639,66 @@ interface(`init_sigchld',`
+@@ -549,10 +659,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -77496,7 +77799,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -718,19 +864,25 @@ interface(`init_telinit',`
+@@ -718,19 +884,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -77523,7 +77826,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
  
-@@ -760,7 +912,7 @@ interface(`init_rw_initctl',`
+@@ -760,7 +932,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -77532,7 +77835,7 @@ index d26fe81..b0bb610 100644
  ##	</summary>
  ## </param>
  #
-@@ -803,11 +955,12 @@ interface(`init_script_file_entry_type',`
+@@ -803,11 +975,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -77547,7 +77850,7 @@ index d26fe81..b0bb610 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -818,11 +971,11 @@ interface(`init_spec_domtrans_script',`
+@@ -818,11 +991,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -77561,7 +77864,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
  
-@@ -838,19 +991,41 @@ interface(`init_spec_domtrans_script',`
+@@ -838,19 +1011,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -77607,7 +77910,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -906,9 +1081,14 @@ interface(`init_script_file_domtrans',`
+@@ -906,9 +1101,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -77622,7 +77925,7 @@ index d26fe81..b0bb610 100644
  	files_search_etc($1)
  ')
  
-@@ -999,7 +1179,9 @@ interface(`init_ptrace',`
+@@ -999,7 +1199,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -77633,7 +77936,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -1117,6 +1299,24 @@ interface(`init_read_all_script_files',`
+@@ -1117,6 +1319,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -77658,7 +77961,7 @@ index d26fe81..b0bb610 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1168,12 +1368,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1388,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -77672,7 +77975,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -1413,6 +1608,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1628,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -77700,7 +78003,7 @@ index d26fe81..b0bb610 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1499,6 +1715,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1735,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -77726,7 +78029,7 @@ index d26fe81..b0bb610 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1557,6 +1792,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,6 +1812,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -77751,7 +78054,7 @@ index d26fe81..b0bb610 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1629,6 +1882,43 @@ interface(`init_read_utmp',`
+@@ -1629,6 +1902,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -77795,7 +78098,7 @@ index d26fe81..b0bb610 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1717,7 +2007,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1717,7 +2027,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -77804,7 +78107,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -1758,6 +2048,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,6 +2068,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -77933,7 +78236,7 @@ index d26fe81..b0bb610 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2204,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2224,284 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -78219,7 +78522,7 @@ index d26fe81..b0bb610 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5fb9683..28b9f3b 100644
+index 5fb9683..0721079 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -78257,7 +78560,7 @@ index 5fb9683..28b9f3b 100644
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -25,14 +53,18 @@ attribute direct_init_entry;
+@@ -25,14 +53,21 @@ attribute direct_init_entry;
  attribute init_script_domain_type;
  attribute init_script_file_type;
  attribute init_run_all_scripts_domain;
@@ -78268,6 +78571,9 @@ index 5fb9683..28b9f3b 100644
  # Mark process types as daemons
  attribute daemon;
 +attribute systemprocess;
++
++# Mark process types as initrc domain
++attribute initrc_domain;
  
  #
  # init_t is the domain of the init process.
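Review bot: `attribute initrc_domain;` is declared here, but nothing in this view grants the attribute any permission or targets it, so `init_initrc_domain()` (whose body is only `typeattribute $1 initrc_domain;`) would be a no-op until rules keyed on it exist. If those rules are in a hunk outside this view, the declaring comment could say where, e.g. `# Mark process types as initrc domain; rules granted to this attribute live in the initrc local policy section`. The `attribute systemprocess;` line just above is in the same situation and would benefit from the same pointer.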
@@ -78277,7 +78583,7 @@ index 5fb9683..28b9f3b 100644
  type init_exec_t;
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
-@@ -45,6 +77,9 @@ role system_r types init_t;
+@@ -45,6 +80,9 @@ role system_r types init_t;
  type init_var_run_t;
  files_pid_file(init_var_run_t)
  
@@ -78287,7 +78593,7 @@ index 5fb9683..28b9f3b 100644
  #
  # initctl_t is the type of the named pipe created
  # by init during initialization.  This pipe is used
-@@ -63,6 +98,8 @@ role system_r types initrc_t;
+@@ -63,6 +101,8 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
@@ -78296,7 +78602,7 @@ index 5fb9683..28b9f3b 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -92,7 +129,7 @@ ifdef(`enable_mls',`
+@@ -92,7 +132,7 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -78305,7 +78611,7 @@ index 5fb9683..28b9f3b 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -104,12 +141,25 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -104,12 +144,25 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  
  # Re-exec itself
  can_exec(init_t, init_exec_t)
@@ -78337,7 +78643,7 @@ index 5fb9683..28b9f3b 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -119,25 +169,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -119,28 +172,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -78373,7 +78679,11 @@ index 5fb9683..28b9f3b 100644
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
  files_exec_etc_files(init_t)
-@@ -149,6 +208,8 @@ fs_list_inotifyfs(init_t)
++files_read_usr_files(init_t)
+ # file descriptors inherited from the rootfs:
+ files_dontaudit_rw_root_files(init_t)
+ files_dontaudit_rw_root_chr_files(init_t)
+@@ -149,6 +212,8 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
@@ -78382,7 +78692,7 @@ index 5fb9683..28b9f3b 100644
  mcs_process_set_categories(init_t)
  mcs_killall(init_t)
  
-@@ -156,22 +217,40 @@ mls_file_read_all_levels(init_t)
+@@ -156,22 +221,40 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -78424,7 +78734,7 @@ index 5fb9683..28b9f3b 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -180,12 +259,14 @@ ifdef(`distro_gentoo',`
+@@ -180,12 +263,14 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -78440,18 +78750,17 @@ index 5fb9683..28b9f3b 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -193,16 +274,146 @@ tunable_policy(`init_upstart',`
+@@ -193,16 +278,146 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
 +storage_raw_rw_fixed_disk(init_t)
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	modutils_domtrans_insmod(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@@ -78564,32 +78873,33 @@ index 5fb9683..28b9f3b 100644
 +	lvm_rw_pipes(init_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
-+	dbus_connect_system_bus(init_t)
- 	dbus_system_bus_client(init_t)
-+	dbus_delete_pid_files(init_t)
  ')
  
  optional_policy(`
--	nscd_socket_use(init_t)
++	dbus_connect_system_bus(init_t)
+ 	dbus_system_bus_client(init_t)
++	dbus_delete_pid_files(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
  
  optional_policy(`
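Review bot: `dovecot_dontaudit_unlink_lib_files(initrc_t)` is carried over unchanged into a block where every neighbouring rule (`plymouthd_stream_connect(init_t)`, `dbus_delete_pid_files(init_t)`, `consolekit_manage_log(init_t)`) has init_t as subject, and its own comment says "init tries to clean up the directory". Either the subject should be `dovecot_dontaudit_unlink_lib_files(init_t)`, or the block belongs in the initrc local policy section further down; as written the dontaudit does not cover the process the comment describes. This regenerated hunk is the natural place to fix it since the surrounding lines are being re-laid out anyway.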
-@@ -210,6 +421,17 @@ optional_policy(`
+@@ -210,6 +425,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78607,7 +78917,7 @@ index 5fb9683..28b9f3b 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -219,8 +441,8 @@ optional_policy(`
+@@ -219,8 +445,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -78618,7 +78928,7 @@ index 5fb9683..28b9f3b 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -248,12 +470,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -248,12 +474,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -78634,7 +78944,7 @@ index 5fb9683..28b9f3b 100644
  
  init_write_initctl(initrc_t)
  
-@@ -265,20 +490,34 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -265,20 +494,34 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -78673,7 +78983,7 @@ index 5fb9683..28b9f3b 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -286,6 +525,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -286,6 +529,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -78681,7 +78991,7 @@ index 5fb9683..28b9f3b 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -296,8 +536,10 @@ dev_write_framebuffer(initrc_t)
+@@ -296,8 +540,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -78692,7 +79002,7 @@ index 5fb9683..28b9f3b 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -305,17 +547,16 @@ dev_manage_generic_files(initrc_t)
+@@ -305,17 +551,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -78712,7 +79022,7 @@ index 5fb9683..28b9f3b 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -323,6 +564,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -323,6 +568,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -78720,7 +79030,7 @@ index 5fb9683..28b9f3b 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -330,8 +572,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -330,8 +576,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -78732,7 +79042,7 @@ index 5fb9683..28b9f3b 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -347,8 +591,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -347,8 +595,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -78746,7 +79056,7 @@ index 5fb9683..28b9f3b 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -358,9 +606,12 @@ fs_mount_all_fs(initrc_t)
+@@ -358,9 +610,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -78760,7 +79070,7 @@ index 5fb9683..28b9f3b 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -370,6 +621,7 @@ mls_process_read_up(initrc_t)
+@@ -370,6 +625,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -78768,7 +79078,7 @@ index 5fb9683..28b9f3b 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -381,6 +633,7 @@ term_use_all_terms(initrc_t)
+@@ -381,6 +637,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -78776,7 +79086,7 @@ index 5fb9683..28b9f3b 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -401,18 +654,17 @@ logging_read_audit_config(initrc_t)
+@@ -401,18 +658,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -78798,7 +79108,7 @@ index 5fb9683..28b9f3b 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -465,6 +717,10 @@ ifdef(`distro_gentoo',`
+@@ -465,6 +721,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -78809,7 +79119,7 @@ index 5fb9683..28b9f3b 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -485,7 +741,7 @@ ifdef(`distro_redhat',`
+@@ -485,7 +745,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -78818,7 +79128,7 @@ index 5fb9683..28b9f3b 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -500,6 +756,7 @@ ifdef(`distro_redhat',`
+@@ -500,6 +760,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -78826,7 +79136,7 @@ index 5fb9683..28b9f3b 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -520,6 +777,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +781,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -78834,7 +79144,7 @@ index 5fb9683..28b9f3b 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -529,8 +787,35 @@ ifdef(`distro_redhat',`
+@@ -529,8 +791,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -78870,7 +79180,7 @@ index 5fb9683..28b9f3b 100644
  	')
  
  	optional_policy(`
-@@ -538,14 +823,27 @@ ifdef(`distro_redhat',`
+@@ -538,14 +827,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -78898,7 +79208,7 @@ index 5fb9683..28b9f3b 100644
  	')
  ')
  
-@@ -556,6 +854,39 @@ ifdef(`distro_suse',`
+@@ -556,6 +858,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -78938,7 +79248,7 @@ index 5fb9683..28b9f3b 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -568,6 +899,8 @@ optional_policy(`
+@@ -568,6 +903,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -78947,7 +79257,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -589,6 +922,7 @@ optional_policy(`
+@@ -589,6 +926,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -78955,7 +79265,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -601,6 +935,17 @@ optional_policy(`
+@@ -601,6 +939,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78973,7 +79283,7 @@ index 5fb9683..28b9f3b 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -617,9 +962,13 @@ optional_policy(`
+@@ -617,9 +966,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -78987,7 +79297,7 @@ index 5fb9683..28b9f3b 100644
  	')
  
  	optional_policy(`
-@@ -644,6 +993,10 @@ optional_policy(`
+@@ -644,6 +997,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78998,7 +79308,7 @@ index 5fb9683..28b9f3b 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -661,6 +1014,15 @@ optional_policy(`
+@@ -661,6 +1018,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79014,7 +79324,7 @@ index 5fb9683..28b9f3b 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -701,6 +1063,7 @@ optional_policy(`
+@@ -701,6 +1067,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -79022,7 +79332,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -718,7 +1081,13 @@ optional_policy(`
+@@ -718,7 +1085,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79036,7 +79346,7 @@ index 5fb9683..28b9f3b 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -741,6 +1110,10 @@ optional_policy(`
+@@ -741,6 +1114,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79047,7 +79357,7 @@ index 5fb9683..28b9f3b 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -750,10 +1123,20 @@ optional_policy(`
+@@ -750,10 +1127,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79068,7 +79378,7 @@ index 5fb9683..28b9f3b 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -762,6 +1145,10 @@ optional_policy(`
+@@ -762,6 +1149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79079,7 +79389,7 @@ index 5fb9683..28b9f3b 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -783,8 +1170,6 @@ optional_policy(`
+@@ -783,8 +1174,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -79088,7 +79398,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -793,6 +1178,10 @@ optional_policy(`
+@@ -793,6 +1182,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79099,7 +79409,7 @@ index 5fb9683..28b9f3b 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -802,10 +1191,12 @@ optional_policy(`
+@@ -802,10 +1195,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -79112,7 +79422,7 @@ index 5fb9683..28b9f3b 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -817,7 +1208,6 @@ optional_policy(`
+@@ -817,7 +1212,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79120,7 +79430,7 @@ index 5fb9683..28b9f3b 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -827,12 +1217,30 @@ optional_policy(`
+@@ -827,12 +1221,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79153,7 +79463,7 @@ index 5fb9683..28b9f3b 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -842,6 +1250,18 @@ optional_policy(`
+@@ -842,6 +1254,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -79172,7 +79482,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -857,6 +1277,10 @@ optional_policy(`
+@@ -857,6 +1281,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79183,7 +79493,7 @@ index 5fb9683..28b9f3b 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -867,3 +1291,165 @@ optional_policy(`
+@@ -867,3 +1295,165 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -79813,7 +80123,7 @@ index 0646ee7..36e02fa 100644
  ')
  
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..2c2e6f4 100644
+index ef8bbaf..6721637 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -28,14 +28,17 @@ ifdef(`distro_redhat',`
@@ -79870,7 +80180,15 @@ index ef8bbaf..2c2e6f4 100644
  
  /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -151,8 +158,8 @@ ifdef(`distro_redhat',`
+@@ -140,6 +147,7 @@ ifdef(`distro_redhat',`
+ /usr/lib/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/fglrx/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libjs\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzvbi\.so(\.[^/]*)* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/sse2/libx264\.so(\.[^/]*)* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -151,8 +159,8 @@ ifdef(`distro_redhat',`
  /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  /usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
@@ -79881,7 +80199,7 @@ index ef8bbaf..2c2e6f4 100644
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
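Review bot: The new `/usr/lib/libzvbi\.so(\.[^/]*)*` entry labels the library textrel_shlib_t, which permits text relocations (execmod) and so gives up the writable-xor-executable property for that mapping; it is worth confirming the library actually carries TEXTREL rather than papering over a one-off execmod denial, and recording that in a comment, e.g. `# libzvbi ships with text relocations (TODO: cite the build/denial that showed this)`. The entry covers only `/usr/lib/`, the same as the adjacent fglrx and libjs lines, so that presumably matches the file's lib64 handling, but the trailing space before the tab column (copied from the libx264 line) is inconsistent with the rest of the block.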
-@@ -244,8 +251,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
+@@ -244,8 +252,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
  /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -79890,7 +80208,7 @@ index ef8bbaf..2c2e6f4 100644
  /usr/lib/.*/nprhapengine\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +304,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +305,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -82100,10 +82418,10 @@ index 560d5d9..86a7107 100644
  
  ifdef(`distro_gentoo',`
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..fa210cd 100644
+index 72c746e..f035d9f 100644
 --- a/policy/modules/system/mount.fc
 +++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,26 @@
 +/bin/fusermount    		--      gen_context(system_u:object_r:fusermount_exec_t,s0)
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -82126,8 +82444,13 @@ index 72c746e..fa210cd 100644
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/mount(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private 	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..4881d86 100644
+index 4584457..5b041ee 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,12 @@ interface(`mount_domtrans',`
@@ -82239,7 +82562,7 @@ index 4584457..4881d86 100644
  ##	</summary>
  ## </param>
  #
-@@ -131,45 +210,119 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +210,138 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -82374,12 +82697,31 @@ index 4584457..4881d86 100644
 +
 +    mount_domtrans_showmount($1)
 +    role $2 types showmount_t;
++')
++
++#######################################
++## <summary>
++##      Transition to ecryptmount.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mount_domtrans_ecryptmount',`
++        gen_require(`
++                type mount_ecryptfs_t, mount_ecryptfs_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6d3b14b..3eddba2 100644
+index 6d3b14b..a810a6b 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
-@@ -10,35 +10,52 @@ policy_module(mount, 1.14.2)
+@@ -10,35 +10,60 @@ policy_module(mount, 1.14.2)
  ## Allow the mount command to mount any directory or file.
  ## </p>
  ## </desc>
@@ -82426,6 +82768,14 @@ index 6d3b14b..3eddba2 100644
 +type showmount_exec_t;
 +application_domain(showmount_t, showmount_exec_t)
 +role system_r types showmount_t;
++
++type mount_ecryptfs_t;
++type mount_ecryptfs_exec_t;
++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
++role system_r types mount_ecryptfs_t;
++
++type mount_ecryptfs_tmpfs_t;
++files_tmpfs_file(mount_ecryptfs_tmpfs_t)
  
  ########################################
  #
@@ -82443,7 +82793,7 @@ index 6d3b14b..3eddba2 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -49,9 +66,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -82469,7 +82819,7 @@ index 6d3b14b..3eddba2 100644
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -60,31 +92,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -82519,7 +82869,7 @@ index 6d3b14b..3eddba2 100644
  files_read_isid_type_files(mount_t)
  # For reading cert files
  files_read_usr_files(mount_t)
-@@ -92,28 +139,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
  files_dontaudit_write_all_mountpoints(mount_t)
  files_dontaudit_setattr_all_mountpoints(mount_t)
  
@@ -82565,7 +82915,7 @@ index 6d3b14b..3eddba2 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -121,6 +179,8 @@ auth_use_nsswitch(mount_t)
+@@ -121,6 +187,8 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -82574,16 +82924,17 @@ index 6d3b14b..3eddba2 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -131,6 +191,8 @@ sysnet_use_portmap(mount_t)
+@@ -131,6 +199,9 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
 +userdom_manage_user_home_content_dirs(mount_t)
 +userdom_read_user_home_content_symlinks(mount_t)
++userdom_list_user_tmp(mount_t)
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -146,26 +208,28 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +217,28 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -82623,7 +82974,7 @@ index 6d3b14b..3eddba2 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +243,8 @@ optional_policy(`
+@@ -179,6 +252,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -82632,7 +82983,7 @@ index 6d3b14b..3eddba2 100644
  ')
  
  optional_policy(`
-@@ -186,6 +252,28 @@ optional_policy(`
+@@ -186,6 +261,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82661,7 +83012,7 @@ index 6d3b14b..3eddba2 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +281,96 @@ optional_policy(`
+@@ -193,21 +290,124 @@ optional_policy(`
  	')
  ')
  
@@ -82714,12 +83065,10 @@ index 6d3b14b..3eddba2 100644
 +optional_policy(`
 +	ssh_exec(mount_t)
 +')
- 
- optional_policy(`
--	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
--	unconfined_domain(unconfined_mount_t)
++
++optional_policy(`
 +	usbmuxd_stream_connect(mount_t)
- ')
++')
 +
 +optional_policy(`
 +	userhelper_exec_console(mount_t)
@@ -82728,10 +83077,12 @@ index 6d3b14b..3eddba2 100644
 +optional_policy(`
 +	virt_read_blk_images(mount_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+-	unconfined_domain(unconfined_mount_t)
 +	vmware_exec_host(mount_t)
-+')
+ ')
 +
 +######################################
 +#
@@ -82765,6 +83116,34 @@ index 6d3b14b..3eddba2 100644
 +sysnet_dns_name_resolve(showmount_t)
 +
 +userdom_use_inherited_user_terminals(showmount_t)
++
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
++
++miscfiles_read_localization(mount_ecryptfs_t)
 diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
 index b263a8a..9348c8c 100644
 --- a/policy/modules/system/netlabel.fc
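Review bot: The mount_ecryptfs local policy grants `self:capability` in two separate allow statements (`setgid` on one line, `{ setuid sys_admin }` on the next); merging them into `allow mount_ecryptfs_t self:capability { setgid setuid sys_admin };` reads as one capability set and avoids the impression one line was added later by accident. sys_admin is the broad one of the three and deserves a why-comment, especially since the actual mount(2) appears to be delegated to mount_t via `domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)` — if the helper only needs it for the transition-less path, say so, e.g. `# sys_admin: <operation, from the denial> (TODO confirm it is not covered by the mount_t transition)`. The tmpfs type handling (`manage_*_pattern` plus `fs_tmpfs_filetrans`) matches the file's conventions.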
@@ -85362,10 +85741,10 @@ index 0000000..2497606
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..eec7c72
+index 0000000..a558441
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,423 @@
+@@ -0,0 +1,421 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -85437,9 +85816,11 @@ index 0000000..eec7c72
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
 +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
 +init_status(systemd_logind_t)
++init_signal(systemd_logind_t)
 +init_reboot(systemd_logind_t)
 +init_halt(systemd_logind_t)
 +init_undefined(systemd_logind_t)
++init_signal_script(systemd_logind_t)
 +
 +kernel_read_system_state(systemd_logind_t)
 +
@@ -85458,6 +85839,9 @@ index 0000000..eec7c72
 +dev_write_kmsg(systemd_logind_t)
 +
 +domain_read_all_domains_state(systemd_logind_t)
++domain_signal_all_domains(systemd_logind_t)
++domain_signull_all_domains(systemd_logind_t)
++domain_kill_all_domains(systemd_logind_t)
 +
 +# /etc/udev/udev.conf should probably have a private type if only for confined administration
 +# /etc/nsswitch.conf
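Review bot: `domain_kill_all_domains(systemd_logind_t)`, with the signal and signull rules just above it, lets logind deliver SIGKILL to every domain on the system, which is considerably broader than the `userdom_*_all_users` and `application_*` rules the following hunk removes (those covered user and application domains only). If the intent is session teardown, a comment stating that scope is worth adding, e.g. `# session leaders and their children may run in any domain; logind kills them on logout`. Otherwise the narrower interfaces could be kept and only the missing daemon domains added, which keeps the grant closer to least privilege.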
@@ -85501,18 +85885,10 @@ index 0000000..eec7c72
 +userdom_manage_user_tmp_files(systemd_logind_t)
 +userdom_manage_user_tmp_symlinks(systemd_logind_t)
 +userdom_manage_user_tmp_sockets(systemd_logind_t)
-+userdom_signal_all_users(systemd_logind_t)
-+userdom_signull_all_users(systemd_logind_t)
-+userdom_kill_all_users(systemd_logind_t)
-+
-+application_signal(systemd_logind_t)
-+application_signull(systemd_logind_t)
-+application_sigkill(systemd_logind_t)
 +
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
 +	cron_read_state_crond(systemd_logind_t)
-+	cron_signal(systemd_logind_t)
 +')
 +
 +optional_policy(`
@@ -85529,6 +85905,7 @@ index 0000000..eec7c72
 +	gnome_manage_home_config_dirs(systemd_logind_t)
 +	gnome_manage_home_config(systemd_logind_t)
 +	gnome_list_gkeyringd_tmp_dirs(systemd_logind_t)
++	gnome_manage_gstreamer_home_dirs(systemd_logind_t)
 +')
 +
 +optional_policy(`
@@ -87110,7 +87487,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..3361868 100644
+index e720dcd..4272eef 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -89585,7 +89962,7 @@ index e720dcd..3361868 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4106,1292 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4106,1282 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -89612,11 +89989,6 @@ index e720dcd..3361868 100644
 +## <summary>
 +##	Define this type as a Allow apps to set rlimits on userdomain
 +## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
 +## <param name="userdomain_prefix">
 +##	<summary>
 +##	The prefix of the user domain (e.g., user
@@ -89646,11 +90018,6 @@ index e720dcd..3361868 100644
 +## <summary>
 +##  Define this type as a Allow apps to set rlimits on userdomain
 +## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
 +## <param name="userdomain_prefix">
 +##  <summary>
 +##  The prefix of the user domain (e.g., user
@@ -90879,7 +91246,7 @@ index e720dcd..3361868 100644
 +	typeattribute $1 userdom_home_manager_type;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 47efe9a..55dc5cc 100644
+index 47efe9a..1fa68b1 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2)
@@ -90954,7 +91321,7 @@ index 47efe9a..55dc5cc 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +102,111 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,121 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -90979,6 +91346,7 @@ index 47efe9a..55dc5cc 100644
  files_tmp_file(user_tmp_t)
  userdom_user_home_content(user_tmp_t)
 +files_poly_parent(user_tmp_t)
++files_mountpoint(user_tmp_t)
  
 -type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 +type user_tmpfs_t, user_tmpfs_type;
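Review bot: `files_mountpoint(user_tmp_t)` is added without a comment saying what gets mounted on a user tmp directory; the only hint in this commit is the earlier `/var/run/user(/.*)?` file context that labels that tree user_tmp_t. A one-line note such as `# /var/run/user/<uid> is mounted as a per-user tmpfs (presumably by logind) — mountpoint needed` would save the next reader the search.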
@@ -91049,6 +91417,10 @@ index 47efe9a..55dc5cc 100644
 +    fs_read_fusefs_files(userdom_home_reader_type)
 +')
 +
++tunable_policy(`use_ecryptfs_home_dirs',`
++        fs_read_ecryptfs_files(userdom_home_reader_type)
++')
++
 +tunable_policy(`use_nfs_home_dirs',`
 +    fs_list_auto_mountpoints(userdom_home_manager_type)
 +    fs_manage_nfs_dirs(userdom_home_manager_type)
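Review bot: The new `use_ecryptfs_home_dirs` block is indented with eight spaces while the fusefs block directly above it uses four and the manager-side block in the next hunk uses tabs; the file is inconsistent already, but a new block should at least match its immediate neighbour. The reader tunable also covers files only; the mount_ecryptfs policy added earlier in this commit uses `fs_read_ecryptfs_symlinks`, so if the fusefs counterpart (whose full body is not visible here) also reads symlinks, this block likely needs `fs_read_ecryptfs_symlinks(userdom_home_reader_type)` as well.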
@@ -91068,6 +91440,11 @@ index 47efe9a..55dc5cc 100644
 +    fs_manage_fusefs_symlinks(userdom_home_manager_type)
 +')
 +
++tunable_policy(`use_ecryptfs_home_dirs',`
++	fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++	fs_manage_ecryptfs_files(userdom_home_manager_type)
++	fs_manage_ecryptfs_files(userdom_home_manager_type)
++')
 diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
 index e79d545..101086d 100644
 --- a/policy/support/misc_patterns.spt
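Review bot: `fs_manage_ecryptfs_files(userdom_home_manager_type)` appears twice on consecutive lines in the new `use_ecryptfs_home_dirs` block; the fusefs block just above ends with `fs_manage_fusefs_symlinks`, so the second line is presumably meant to be `fs_manage_ecryptfs_symlinks(userdom_home_manager_type)`, assuming that interface exists in fs.if. As written the duplicate is harmless to the compiler but hides the missing symlink rule. The block is also tab-indented while the neighbouring tunable blocks use four spaces.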
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 28dd5c1..2ee5085 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -745,7 +745,7 @@ index 1adca53..18e0e41 100644
  
  /var/lib/AccountsService(/.*)?			gen_context(system_u:object_r:accountsd_var_lib_t,s0)
 diff --git a/accountsd.if b/accountsd.if
-index c0f858d..10a0cd6 100644
+index c0f858d..d75aae9 100644
 --- a/accountsd.if
 +++ b/accountsd.if
 @@ -5,9 +5,9 @@
@@ -769,17 +769,21 @@ index c0f858d..10a0cd6 100644
  ##	</summary>
  ## </param>
  #
-@@ -118,6 +118,29 @@ interface(`accountsd_manage_lib_files',`
+@@ -118,28 +118,54 @@ interface(`accountsd_manage_lib_files',`
  
  ########################################
  ## <summary>
+-##	All of the rules required to administrate
+-##	an accountsd environment
 +##	Execute accountsd server in the accountsd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
 +interface(`accountsd_systemctl',`
 +	gen_require(`
@@ -796,10 +800,17 @@ index c0f858d..10a0cd6 100644
 +
 +########################################
 +## <summary>
- ##	All of the rules required to administrate
- ##	an accountsd environment
- ## </summary>
-@@ -136,10 +159,19 @@ interface(`accountsd_manage_lib_files',`
++##	All of the rules required to administrate
++##	an accountsd environment
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	Role allowed access.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
  interface(`accountsd_admin',`
  	gen_require(`
  		type accountsd_t;
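Review bot: The accountsd_admin doc block loses its `<param name="role">` entry and the `<rolecap/>` tag, but the interface body that follows is outside the hunk, so it cannot be seen whether `$2` is still referenced there; if it is, the documentation no longer matches the signature and callers passing a role get an undocumented parameter. The same documentation-only removal is made to bugzilla_admin and couchdb_admin later in this commit, so the answer applies to all three. If the role argument really is gone, a short line in the commit description saying admin interfaces no longer take a role would help reviewers of the call sites.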
@@ -1549,7 +1560,7 @@ index e81bdbd..63ab279 100644
  
  optional_policy(`
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..84bc8d6 100644
+index fd9fa07..2679748 100644
 --- a/apache.fc
 +++ b/apache.fc
 @@ -1,39 +1,54 @@
@@ -1640,7 +1651,7 @@ index fd9fa07..84bc8d6 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,25 +92,36 @@ ifdef(`distro_suse', `
+@@ -73,31 +92,43 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -1681,7 +1692,14 @@ index fd9fa07..84bc8d6 100644
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -109,3 +139,25 @@ ifdef(`distro_debian', `
+ /var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
+ 
+ /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+@@ -109,3 +140,25 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -1708,7 +1726,7 @@ index fd9fa07..84bc8d6 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 6480167..d0bf548 100644
+index 6480167..d30bdbf 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -13,62 +13,46 @@
@@ -2353,7 +2371,7 @@ index 6480167..d0bf548 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1349,93 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,88 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -2376,13 +2394,6 @@ index 6480167..d0bf548 100644
 +	admin_pattern($1, httpd_unit_file_t)
 +	allow $1 httpd_unit_file_t:service all_service_perms;
 +
-+	ifdef(`TODO',`
-+		apache_set_booleans($1, $2, $3, httpd_bool_t)
-+		seutil_setsebool_role_template($1, $3, $2)
-+		allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
-+		allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
-+	')
-+
 +	apache_filetrans_named_content($1)
 +')
 +
@@ -2422,11 +2433,13 @@ index 6480167..d0bf548 100644
 +interface(`apache_filetrans_named_content',`
 +	gen_require(`
 +		type httpd_sys_content_t, httpd_sys_rw_content_t;
++		type httpd_tmp_t;
 +	')
 +
 +
 +	apache_filetrans_home_content($1)
 +	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
 +')
 +
 +########################################
@@ -2453,7 +2466,7 @@ index 6480167..d0bf548 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index a36a01d..777623e 100644
+index a36a01d..bde887f 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@@ -2772,7 +2785,7 @@ index a36a01d..777623e 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -336,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -2780,10 +2793,11 @@ index a36a01d..777623e 100644
  manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 -files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
 +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
++userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -2794,7 +2808,7 @@ index a36a01d..777623e 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -2804,7 +2818,7 @@ index a36a01d..777623e 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -372,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -2825,7 +2839,7 @@ index a36a01d..777623e 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +557,14 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -2840,7 +2854,7 @@ index a36a01d..777623e 100644
  # execute perl
  corecmd_exec_bin(httpd_t)
  corecmd_exec_shell(httpd_t)
-@@ -398,6 +574,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -398,6 +575,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -2848,7 +2862,7 @@ index a36a01d..777623e 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -409,48 +586,101 @@ files_read_etc_files(httpd_t)
+@@ -409,48 +587,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -2954,7 +2968,7 @@ index a36a01d..777623e 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +692,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -3018,7 +3032,7 @@ index a36a01d..777623e 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +756,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3041,7 +3055,7 @@ index a36a01d..777623e 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +791,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -3062,7 +3076,7 @@ index a36a01d..777623e 100644
  ')
  
  optional_policy(`
-@@ -525,6 +814,9 @@ optional_policy(`
+@@ -525,6 +815,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3072,11 +3086,17 @@ index a36a01d..777623e 100644
  	cobbler_search_lib(httpd_t)
  ')
  
-@@ -540,6 +832,18 @@ optional_policy(`
+@@ -540,6 +833,24 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
 +optional_policy(`
++        # needed by FreeIPA 
++	dirsrv_stream_connect(httpd_t)
++	ldap_stream_connect(httpd_t)
++')
++
++optional_policy(`
 +	dirsrv_manage_config(httpd_t)
 +	dirsrv_manage_log(httpd_t)
 +	dirsrv_manage_var_run(httpd_t)
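Review bot: The new `optional_policy` block for FreeIPA puts `dirsrv_stream_connect` and `ldap_stream_connect` together; an optional block is only enabled when every type it requires is present, so if either the dirsrv or the ldap module is not loaded, both connections are silently lost. Splitting them into two blocks, or moving `ldap_stream_connect(httpd_t)` into an ldap-only block, avoids that coupling. The `# needed by FreeIPA ` comment is also indented with eight spaces and carries a trailing space while the rules beneath it use tabs.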
@@ -3091,7 +3111,7 @@ index a36a01d..777623e 100644
   optional_policy(`
  	dbus_system_bus_client(httpd_t)
  
-@@ -549,12 +853,21 @@ optional_policy(`
+@@ -549,13 +860,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3112,9 +3132,12 @@ index a36a01d..777623e 100644
 +
 +optional_policy(`
  	kerberos_keytab_template(httpd, httpd_t)
++	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
++	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
  ')
  
-@@ -568,7 +881,21 @@ optional_policy(`
+ optional_policy(`
+@@ -568,7 +890,21 @@ optional_policy(`
  ')
  
  optional_policy(`
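Review bot: `kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")` and `"HTTP_48"` hard-code two numeric suffixes with nothing saying what they are; the same pattern appears for cupsd with `"host_0"` later in this commit. A comment above the pair naming the scheme, e.g. `# replay cache file names — suffix is presumably the service uid on the target distro; confirm both values`, would let a maintainer know whether the list must grow when the uid differs.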
@@ -3136,7 +3159,7 @@ index a36a01d..777623e 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -579,6 +906,7 @@ optional_policy(`
+@@ -579,6 +915,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -3144,7 +3167,7 @@ index a36a01d..777623e 100644
  ')
  
  optional_policy(`
-@@ -589,6 +917,33 @@ optional_policy(`
+@@ -589,6 +926,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3178,7 +3201,7 @@ index a36a01d..777623e 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -603,6 +958,11 @@ optional_policy(`
+@@ -603,6 +967,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3190,7 +3213,7 @@ index a36a01d..777623e 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -615,6 +975,12 @@ optional_policy(`
+@@ -615,6 +984,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -3203,7 +3226,7 @@ index a36a01d..777623e 100644
  ########################################
  #
  # Apache helper local policy
-@@ -628,7 +994,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -628,7 +1003,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -3216,7 +3239,7 @@ index a36a01d..777623e 100644
  
  ########################################
  #
-@@ -666,28 +1036,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -666,28 +1045,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -3260,7 +3283,7 @@ index a36a01d..777623e 100644
  ')
  
  ########################################
-@@ -697,6 +1069,7 @@ optional_policy(`
+@@ -697,6 +1078,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -3268,7 +3291,7 @@ index a36a01d..777623e 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,14 +1084,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -711,14 +1093,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -3292,7 +3315,7 @@ index a36a01d..777623e 100644
  # for shell scripts
  corecmd_exec_bin(httpd_suexec_t)
  corecmd_exec_shell(httpd_suexec_t)
-@@ -752,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -752,13 +1143,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -3325,7 +3348,7 @@ index a36a01d..777623e 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1181,25 @@ optional_policy(`
+@@ -781,6 +1190,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3351,7 +3374,7 @@ index a36a01d..777623e 100644
  ########################################
  #
  # Apache system script local policy
-@@ -801,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -801,12 +1229,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -3369,7 +3392,7 @@ index a36a01d..777623e 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -815,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -815,18 +1248,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -3426,7 +3449,7 @@ index a36a01d..777623e 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -834,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -3467,7 +3490,7 @@ index a36a01d..777623e 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1335,20 @@ optional_policy(`
+@@ -854,10 +1344,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3488,7 +3511,7 @@ index a36a01d..777623e 100644
  ')
  
  ########################################
-@@ -903,11 +1394,146 @@ optional_policy(`
+@@ -903,11 +1403,146 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -3723,7 +3746,7 @@ index e342775..1fedbe5 100644
 +	allow $1 apcupsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/apcupsd.te b/apcupsd.te
-index d052bf0..77e6e19 100644
+index d052bf0..6c7828b 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
 @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -3736,7 +3759,7 @@ index d052bf0..77e6e19 100644
  ########################################
  #
  # apcupsd local policy
-@@ -76,6 +79,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
+@@ -76,24 +79,31 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
  
  # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
  term_use_unallocated_ttys(apcupsd_t)
@@ -3744,7 +3767,13 @@ index d052bf0..77e6e19 100644
  
  #apcupsd runs shutdown, probably need a shutdown domain
  init_rw_utmp(apcupsd_t)
-@@ -87,13 +91,17 @@ miscfiles_read_localization(apcupsd_t)
+ init_telinit(apcupsd_t)
+ 
++auth_read_passwd(apcupsd_t)
++
+ logging_send_syslog_msg(apcupsd_t)
+ 
+ miscfiles_read_localization(apcupsd_t)
  
  sysnet_dns_name_resolve(apcupsd_t)
  
@@ -3817,7 +3846,7 @@ index 1ea99b2..0b668ae 100644
 +	ps_process_pattern($1, apmd_t)
  ')
 diff --git a/apm.te b/apm.te
-index 1c8c27e..13a6f08 100644
+index 1c8c27e..35d798f 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -3925,14 +3954,18 @@ index 1c8c27e..13a6f08 100644
  	dbus_system_bus_client(apmd_t)
  
  	optional_policy(`
-@@ -209,8 +233,9 @@ optional_policy(`
+@@ -209,8 +233,13 @@ optional_policy(`
  	pcmcia_domtrans_cardctl(apmd_t)
  ')
  
 +
++optional_policy(`
++	shutdown_domtrans(apmd_t)
++')
++
  optional_policy(`
 -	seutil_sigchld_newrole(apmd_t)
-+	shutdown_domtrans(apmd_t)
++	systemd_dbus_chat_logind(apmd_t)
  ')
  
  optional_policy(`
@@ -5906,19 +5939,27 @@ index 2c2cdb6..73b3814 100644
 +        role $2 types brctl_t;
 +')
 diff --git a/bugzilla.if b/bugzilla.if
-index de89d0f..954e726 100644
+index de89d0f..86e4ee7 100644
 --- a/bugzilla.if
 +++ b/bugzilla.if
-@@ -58,13 +58,20 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
+-##	<summary>
+-##	The role to be allowed to manage the bugzilla domain.
+-##	</summary>
+-## </param>
+-## <rolecap/>
+ #
  interface(`bugzilla_admin',`
  	gen_require(`
  		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
--		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ 		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
 -		type httpd_bugzilla_htaccess_t;
--	')
-+        type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-+        type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
-+    ')
++		type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+ 	')
  
 -	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
 +	allow $1 httpd_bugzilla_script_t:process signal_perms;
@@ -8398,10 +8439,10 @@ index b40f3f7..3676ecc 100644
  #
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..f2968f8
+index 0000000..3fe384f
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,22 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -8418,8 +8459,7 @@ index 0000000..f2968f8
 +/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
 +/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
 +/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
-+
-+
++/var/log/thin\.log              --	gen_context(system_u:object_r:thin_log_t,s0)
 +
 +/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
@@ -8473,10 +8513,10 @@ index 0000000..7f55959
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..2709243
+index 0000000..787b40a
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,236 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -8490,6 +8530,9 @@ index 0000000..2709243
 +cloudform_domain_template(mongod)
 +cloudform_domain_template(thin)
 +
++type thin_log_t;
++logging_log_file(thin_log_t)
++
 +type deltacloudd_log_t;
 +logging_log_file(deltacloudd_log_t)
 +
@@ -8537,10 +8580,15 @@ index 0000000..2709243
 +allow cloudform_domain self:fifo_file rw_fifo_file_perms;
 +allow cloudform_domain self:tcp_socket create_stream_socket_perms;
 +
++kernel_read_system_state(cloudform_domain)
++
++dev_read_rand(cloudform_domain)
 +dev_read_urand(cloudform_domain)
 +
 +files_read_etc_files(cloudform_domain)
 +
++auth_read_passwd(cloudform_domain)
++
 +miscfiles_read_certs(cloudform_domain)
 +miscfiles_read_localization(cloudform_domain)
 +
@@ -8679,6 +8727,10 @@ index 0000000..2709243
 +allow thin_t self:udp_socket create_socket_perms;
 +allow thin_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_files_pattern(thin_t, thin_log_t, thin_log_t)
++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
++logging_log_filetrans(thin_t, thin_log_t, { file dir })
++
 +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
 +files_pid_filetrans(thin_t, thin_var_run_t, { file })
 +
@@ -10086,10 +10138,10 @@ index 0000000..168f664
 +')
 diff --git a/condor.te b/condor.te
 new file mode 100644
-index 0000000..4eb7bd9
+index 0000000..1bba4b7
 --- /dev/null
 +++ b/condor.te
-@@ -0,0 +1,231 @@
+@@ -0,0 +1,232 @@
 +policy_module(condor, 1.0.0)
 +
 +########################################
@@ -10308,6 +10360,7 @@ index 0000000..4eb7bd9
 +auth_use_nsswitch(condor_startd_t)
 +
 +init_domtrans_script(condor_startd_t)
++init_initrc_domain(condor_startd_t)
 +
 +libs_exec_lib_files(condor_startd_t)
 +
@@ -10812,10 +10865,10 @@ index 0000000..196461b
 +/var/run/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_var_run_t,s0)
 diff --git a/couchdb.if b/couchdb.if
 new file mode 100644
-index 0000000..31692fb
+index 0000000..3e17383
 --- /dev/null
 +++ b/couchdb.if
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,244 @@
 +
 +## <summary>policy for couchdb</summary>
 +
@@ -11027,11 +11080,6 @@ index 0000000..31692fb
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
 +## <rolecap/>
 +#
 +interface(`couchdb_admin',`
@@ -12812,7 +12860,7 @@ index 848bb92..25c56f7 100644
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 305ddf4..3629b92 100644
+index 305ddf4..11d010a 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -9,6 +9,11 @@
@@ -12897,7 +12945,7 @@ index 305ddf4..3629b92 100644
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -350,9 +384,41 @@ interface(`cups_admin',`
+@@ -350,9 +384,42 @@ interface(`cups_admin',`
  	admin_pattern($1, cupsd_var_run_t)
  	files_list_pids($1)
  
@@ -12932,6 +12980,7 @@ index 305ddf4..3629b92 100644
 +
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "classes.conf")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf.O")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf.default")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "lpoptions")
@@ -12940,7 +12989,7 @@ index 305ddf4..3629b92 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/cups.te b/cups.te
-index 6e7f1b6..f7dabbe 100644
+index 6e7f1b6..a699948 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -13056,10 +13105,11 @@ index 6e7f1b6..f7dabbe 100644
  	')
  ')
  
-@@ -311,10 +319,22 @@ optional_policy(`
+@@ -311,10 +319,23 @@ optional_policy(`
  ')
  
  optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
 +	kerberos_manage_host_rcache(cupsd_t)
 +')
 +
@@ -13079,7 +13129,7 @@ index 6e7f1b6..f7dabbe 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -322,6 +342,8 @@ optional_policy(`
+@@ -322,6 +343,8 @@ optional_policy(`
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
@@ -13088,7 +13138,7 @@ index 6e7f1b6..f7dabbe 100644
  ')
  
  optional_policy(`
-@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +394,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -13099,7 +13149,7 @@ index 6e7f1b6..f7dabbe 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -425,11 +448,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -13113,7 +13163,7 @@ index 6e7f1b6..f7dabbe 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +476,10 @@ optional_policy(`
+@@ -453,6 +477,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13124,7 +13174,7 @@ index 6e7f1b6..f7dabbe 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +494,10 @@ optional_policy(`
+@@ -467,6 +495,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13135,7 +13185,7 @@ index 6e7f1b6..f7dabbe 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -537,6 +568,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
  corenet_tcp_bind_generic_node(cupsd_lpd_t)
  corenet_udp_bind_generic_node(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -13143,7 +13193,7 @@ index 6e7f1b6..f7dabbe 100644
  
  dev_read_urand(cupsd_lpd_t)
  dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +619,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -13176,7 +13226,7 @@ index 6e7f1b6..f7dabbe 100644
  ')
  
  ########################################
-@@ -661,10 +692,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t)
  corenet_udp_bind_generic_node(hplip_t)
  corenet_tcp_bind_hplip_port(hplip_t)
  corenet_tcp_connect_hplip_port(hplip_t)
@@ -13190,7 +13240,7 @@ index 6e7f1b6..f7dabbe 100644
  
  dev_read_sysfs(hplip_t)
  dev_rw_printer(hplip_t)
-@@ -685,6 +716,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -13200,7 +13250,7 @@ index 6e7f1b6..f7dabbe 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -13263,7 +13313,7 @@ index c43ff4c..5da88b5 100644
  	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/cvs.te b/cvs.te
-index 88e7e97..1c723fb 100644
+index 88e7e97..08d7ec0 100644
 --- a/cvs.te
 +++ b/cvs.te
 @@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
@@ -13298,8 +13348,12 @@ index 88e7e97..1c723fb 100644
  logging_send_syslog_msg(cvs_t)
  logging_send_audit_msgs(cvs_t)
  
-@@ -90,7 +92,7 @@ mta_send_mail(cvs_t)
+@@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t)
  
+ mta_send_mail(cvs_t)
+ 
++userdom_dontaudit_search_user_home_dirs(cvs_t)
++
  # cjp: typeattribute doesnt work in conditionals yet
  auth_can_read_shadow_passwords(cvs_t)
 -tunable_policy(`allow_cvs_read_shadow',`
@@ -13307,7 +13361,7 @@ index 88e7e97..1c723fb 100644
  	allow cvs_t self:capability dac_override;
  	auth_tunable_read_shadow(cvs_t)
  ')
-@@ -112,4 +114,5 @@ optional_policy(`
+@@ -112,4 +116,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -15717,10 +15771,10 @@ index 0000000..b214253
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..71f225b
+index 0000000..4409b7d
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,197 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -15858,6 +15912,9 @@ index 0000000..71f225b
 +
 +optional_policy(`
 +	kerberos_use(dirsrv_t)
++	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
++	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
++	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
 +')
 +
 +# FIPS mode
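Review bot: The three kerberos_tmp_filetrans_host_rcache calls added for dirsrv_t carry more than a name transition: the same patch changes that interface (kerberos.if hunk at `+@@ -378,3 +381,114`) to also call `manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)`, so each caller gains full manage rights on every krb5_host_rcache_t file under /var/tmp, not only the named rcache. The same widening applies to slapd_t (ldap.te hunk) and ftpd_t (ftp.te hunk, where the explicit kerberos_manage_host_rcache call is commented out as being covered elsewhere), and it is invisible at the call site. If the manage permission is intended, the interface summary should say so and callers that already hold kerberos_manage_host_rcache should not repeat it; otherwise keep the interface filetrans-only and add `kerberos_manage_host_rcache(dirsrv_t)` explicitly in this block. The optional_policy block is shown in full, but dirsrv.te continues past the hunk.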
@@ -15972,7 +16029,7 @@ index b886676..3d5ca2b 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/dnsmasq.if b/dnsmasq.if
-index 9bd812b..9b48f71 100644
+index 9bd812b..53f895e 100644
 --- a/dnsmasq.if
 +++ b/dnsmasq.if
 @@ -10,7 +10,6 @@
@@ -16038,7 +16095,7 @@ index 9bd812b..9b48f71 100644
  ##	Send dnsmasq a signal
  ## </summary>
  ## <param name="domain">
-@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -16052,11 +16109,36 @@ index 9bd812b..9b48f71 100644
  	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',`
+ ########################################
+ ## <summary>
+-##	Read dnsmasq pid files
++##	Manage dnsmasq pid files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',`
  ##	</summary>
  ## </param>
  #
--#
++interface(`dnsmasq_manage_pid_files',`
++	gen_require(`
++		type dnsmasq_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
++')
++
++########################################
++## <summary>
++##	Read dnsmasq pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
+ #
  interface(`dnsmasq_read_pid_files',`
  	gen_require(`
  		type dnsmasq_var_run_t;
@@ -16134,7 +16216,7 @@ index 9bd812b..9b48f71 100644
  ##	All of the rules required to administrate
  ##	an dnsmasq environment
  ## </summary>
-@@ -193,10 +296,14 @@ interface(`dnsmasq_admin',`
+@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',`
  	gen_require(`
  		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
  		type dnsmasq_initrc_exec_t;
@@ -16150,7 +16232,7 @@ index 9bd812b..9b48f71 100644
  
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -208,4 +315,8 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dnsmasq_var_run_t)
@@ -16238,10 +16320,10 @@ index 0000000..9e231a8
 +/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
 diff --git a/dnssec.if b/dnssec.if
 new file mode 100755
-index 0000000..a9dbcf2
+index 0000000..a952041
 --- /dev/null
 +++ b/dnssec.if
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,64 @@
 +
 +## <summary>policy for dnssec_trigger</summary>
 +
@@ -16293,12 +16375,6 @@ index 0000000..a9dbcf2
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`dnssec_trigger_admin',`
 +	gen_require(`
@@ -16520,7 +16596,7 @@ index e1d7dc5..df96c0d 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..ef8b0d7 100644
+index 2df7766..0e55b6d 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16612,8 +16688,11 @@ index 2df7766..ef8b0d7 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -154,16 +164,31 @@ userdom_manage_user_home_content_sockets(dovecot_t)
+@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t)
+ userdom_manage_user_home_content_pipes(dovecot_t)
+ userdom_manage_user_home_content_sockets(dovecot_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
++mta_manage_home_rw(dovecot_t)
  
  mta_manage_spool(dovecot_t)
 +mta_read_home_rw(dovecot_t)
@@ -16644,7 +16723,7 @@ index 2df7766..ef8b0d7 100644
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
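Review bot: `mta_manage_home_rw(dovecot_t)` is inserted directly after the userdom_user_home_dir_filetrans line, ahead of the blank line that separates the userdom block from the mta block, and the same patch still adds `mta_read_home_rw(dovecot_t)` two lines below; a manage grant presumably subsumes the read grant, so one of the two is redundant. Move the new line next to `mta_manage_spool(dovecot_t)` and drop `mta_read_home_rw(dovecot_t)`, or, if read-only access to the user's mail home was the intent, keep the read call and drop the manage one. The dovecot_t policy block continues past the hunk, so I cannot see whether a later optional_policy repeats either grant.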
-@@ -180,8 +205,8 @@ optional_policy(`
+@@ -180,8 +206,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -16655,7 +16734,7 @@ index 2df7766..ef8b0d7 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -16665,7 +16744,7 @@ index 2df7766..ef8b0d7 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -16678,7 +16757,7 @@ index 2df7766..ef8b0d7 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
  files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
@@ -16688,7 +16767,7 @@ index 2df7766..ef8b0d7 100644
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -236,6 +268,8 @@ optional_policy(`
+@@ -236,6 +269,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -16697,7 +16776,7 @@ index 2df7766..ef8b0d7 100644
  ')
  
  optional_policy(`
-@@ -243,6 +277,8 @@ optional_policy(`
+@@ -243,6 +278,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16706,7 +16785,7 @@ index 2df7766..ef8b0d7 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +286,42 @@ optional_policy(`
+@@ -250,23 +287,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -16751,7 +16830,7 @@ index 2df7766..ef8b0d7 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +338,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -16779,6 +16858,7 @@ index 2df7766..ef8b0d7 100644
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
 +	mta_read_queue(dovecot_deliver_t)
++	mta_read_home_rw(dovecot_deliver_t)
 +')
 +
 +optional_policy(`
@@ -18930,7 +19010,7 @@ index 9d3201b..6e75e3d 100644
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ftp.te b/ftp.te
-index 4285c83..2edc3a2 100644
+index 4285c83..d1b00d0 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1)
@@ -19169,7 +19249,7 @@ index 4285c83..2edc3a2 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +353,34 @@ optional_policy(`
+@@ -309,10 +353,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19183,6 +19263,7 @@ index 4285c83..2edc3a2 100644
 -	kerberos_manage_host_rcache(ftpd_t)
 +	# this part of auth_use_pam
 +	#kerberos_manage_host_rcache(ftpd_t)
++	kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
 +')
 +
 +optional_policy(`
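Review bot: The comment `# this part of auth_use_pam` above the commented-out kerberos_manage_host_rcache call reads as a fragment and does not say what it asserts; if the intent is that the rcache permission already comes from auth_use_pam, write it out, e.g. `# host rcache management is already granted through auth_use_pam`. Keeping a dead `#kerberos_manage_host_rcache(ftpd_t)` line below it is also easy to misread as an accidental disable; either delete it or make the comment say it is intentionally superseded. The optional_policy block is cut off at the end of the hunk.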
@@ -19205,7 +19286,7 @@ index 4285c83..2edc3a2 100644
  ')
  
  optional_policy(`
-@@ -347,16 +415,17 @@ optional_policy(`
+@@ -347,16 +416,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -19225,7 +19306,7 @@ index 4285c83..2edc3a2 100644
  
  ########################################
  #
-@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -19262,7 +19343,7 @@ index 4285c83..2edc3a2 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -20055,7 +20136,7 @@ index 7ff9d6d..6b0a7ff 100644
  	allow $1 glance_api_t:process signal_perms;
  	ps_process_pattern($1, glance_api_t)
 diff --git a/glance.te b/glance.te
-index 4afb81f..842165a 100644
+index 4afb81f..40df3ea 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -57,12 +57,17 @@ manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -20076,10 +20157,11 @@ index 4afb81f..842165a 100644
  miscfiles_read_localization(glance_domain)
  
  optional_policy(`
-@@ -80,6 +85,14 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+@@ -80,6 +85,15 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
  
  corenet_tcp_bind_generic_node(glance_registry_t)
  corenet_tcp_bind_glance_registry_port(glance_registry_t)
++corenet_tcp_connect_mysqld_port(glance_registry_t)
 +corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
 +
 +logging_send_syslog_msg(glance_registry_t)
@@ -20091,7 +20173,7 @@ index 4afb81f..842165a 100644
  
  ########################################
  #
-@@ -94,11 +107,11 @@ can_exec(glance_api_t, glance_tmp_t)
+@@ -94,11 +108,11 @@ can_exec(glance_api_t, glance_tmp_t)
  corecmd_exec_shell(glance_api_t)
  
  corenet_tcp_bind_generic_node(glance_api_t)
@@ -20105,17 +20187,302 @@ index 4afb81f..842165a 100644
  fs_getattr_xattr_fs(glance_api_t)
 -
 -libs_exec_ldconfig(glance_api_t)
+diff --git a/glusterd.fc b/glusterd.fc
+new file mode 100644
+index 0000000..6418e39
+--- /dev/null
++++ b/glusterd.fc
+@@ -0,0 +1,16 @@
++
++/etc/rc\.d/init\.d/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++
++/etc/glusterfs(/.*)?			gen_context(system_u:object_r:glusterd_etc_t,s0)
++/etc/glusterd(/.*)?			gen_context(system_u:object_r:glusterd_etc_t,s0)
++
++/usr/sbin/glusterd		--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++/usr/sbin/glusterfsd		--	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/var/log/glusterfs(/.*)?		gen_context(system_u:object_r:glusterd_log_t,s0)
++
++/var/run/glusterd(/.*)?			gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd\.pid		--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
++
+diff --git a/glusterd.if b/glusterd.if
+new file mode 100644
+index 0000000..e15bbb0
+--- /dev/null
++++ b/glusterd.if
+@@ -0,0 +1,146 @@
++
++## <summary>policy for glusterd</summary>
++
++
++########################################
++## <summary>
++##	Transition to glusterd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`glusterd_domtrans',`
++	gen_require(`
++		type glusterd_t, glusterd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, glusterd_exec_t, glusterd_t)
++')
++
++
++########################################
++## <summary>
++##	Execute glusterd server in the glusterd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`glusterd_initrc_domtrans',`
++	gen_require(`
++		type glusterd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Read glusterd's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`glusterd_read_log',`
++	gen_require(`
++		type glusterd_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++## <summary>
++##	Append to glusterd log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`glusterd_append_log',`
++	gen_require(`
++		type glusterd_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++## <summary>
++##	Manage glusterd log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`glusterd_manage_log',`
++	gen_require(`
++		type glusterd_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
++	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
++	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an glusterd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`glusterd_admin',`
++	gen_require(`
++		type glusterd_t;
++		type glusterd_initrc_exec_t;
++		type glusterd_log_t;
++		type glusterd_tmp_t;
++		type glusterd_etc_t; 
++	')
++
++	allow $1 glusterd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, glusterd_t)
++
++	glusterd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 glusterd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, glusterd_log_t)
++
++	admin_pattern($1, glusterd_tmp_t)
++
++	admin_pattern($1, glusterd_etc_t)
++
++')
++
+diff --git a/glusterd.te b/glusterd.te
+new file mode 100644
+index 0000000..8dfb74a
+--- /dev/null
++++ b/glusterd.te
+@@ -0,0 +1,104 @@
++policy_module(glusterd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type glusterd_t;
++type glusterd_exec_t;
++init_daemon_domain(glusterd_t, glusterd_exec_t)
++
++type glusterd_etc_t;
++files_type(glusterd_etc_t)
++
++type glusterd_tmp_t;
++files_tmp_file(glusterd_tmp_t)
++
++type glusterd_initrc_exec_t;
++init_script_file(glusterd_initrc_exec_t)
++
++type glusterd_log_t;
++logging_log_file(glusterd_log_t)
++
++type glusterd_var_run_t;
++files_pid_file(glusterd_var_run_t)
++
++type glusterd_var_lib_t;
++files_type(glusterd_var_lib_t);
++
++
++########################################
++#
++# glusterd local policy
++#
++
++allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner };
++allow glusterd_t self:process { setrlimit signal };
++allow glusterd_t self:capability sys_resource;
++
++allow glusterd_t self:fifo_file rw_fifo_file_perms;
++allow glusterd_t self:netlink_route_socket r_netlink_socket_perms;
++allow glusterd_t self:tcp_socket create_stream_socket_perms;
++allow glusterd_t self:udp_socket create_socket_perms;
++allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
++allow glusterd_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) 
++userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++
++manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
++
++can_exec(glusterd_t, glusterd_exec_t)
++
++kernel_read_system_state(glusterd_t)
++
++corecmd_exec_bin(glusterd_t)
++corecmd_exec_shell(glusterd_t)
++
++domain_use_interactive_fds(glusterd_t)
++
++corenet_tcp_bind_generic_node(glusterd_t)
++corenet_tcp_bind_generic_port(glusterd_t)
++corenet_tcp_bind_all_reserved_ports(glusterd_t)
++corenet_udp_bind_all_rpc_ports(glusterd_t)
++corenet_tcp_connect_unreserved_ports(glusterd_t)
++corenet_udp_bind_generic_node(glusterd_t)
++corenet_udp_bind_ipp_port(glusterd_t)
++
++dev_read_sysfs(glusterd_t)
++dev_read_urand(glusterd_t)
++
++files_read_etc_files(glusterd_t)
++files_read_usr_files(glusterd_t)
++files_rw_pid_dirs(glusterd_t)
++
++# Why is this needed
++#files_manage_urandom_seed(glusterd_t)
++
++auth_use_nsswitch(glusterd_t)
++
++logging_send_syslog_msg(glusterd_t)
++
++miscfiles_read_localization(glusterd_t)
++
++sysnet_read_config(glusterd_t)
++
++userdom_manage_user_home_dirs(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
-index 00a19e3..d776f66 100644
+index 00a19e3..17006fc 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,9 +1,53 @@
+@@ -1,9 +1,54 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.nv(/.*)?  gen_context(system_u:object_r:cache_home_t,s0)
  HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
  HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
@@ -20166,7 +20533,7 @@ index 00a19e3..d776f66 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..581c9dd 100644
+index f5afe78..8da3abc 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,44 +1,937 @@
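Review bot: glusterd.fc labels `/usr/sbin/glusterd` as glusterd_initrc_exec_t while `/usr/sbin/glusterfsd` gets glusterd_exec_t; since glusterd_initrc_domtrans is an init_labeled_script_domtrans, starting the daemon binary directly would presumably land in the init-script domain rather than glusterd_t, so the entry should read `/usr/sbin/glusterd		--	gen_context(system_u:object_r:glusterd_exec_t,s0)`. glusterd.te declares glusterd_var_lib_t and uses files_var_lib_filetrans for it, but glusterd.fc has no `/var/lib/glusterd(/.*)?` entry, so a relabel would not restore that type on existing state. Smaller points in glusterd.te: `files_type(glusterd_var_lib_t);` carries a trailing semicolon no other declaration has, and the `self:capability` grants are split across two allow rules (sys_resource on its own) where one rule would do. glusterd_admin also leaves glusterd_var_run_t and glusterd_var_lib_t out of its admin_pattern set, so an admin role could not clean up pid or state files.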
@@ -21166,10 +21533,11 @@ index f5afe78..581c9dd 100644
 +	list_dirs_pattern($1, config_home_t, config_home_t)
 +	read_files_pattern($1, config_home_t, config_home_t)
 +	read_lnk_files_pattern($1, config_home_t, config_home_t)
-+')
-+
-+#######################################
-+## <summary>
+ ')
+ 
+ #######################################
+ ## <summary>
+-##	Create, read, write, and delete gconf config files.
 +##  delete gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
@@ -21184,11 +21552,10 @@ index f5afe78..581c9dd 100644
 +    ')
 +
 +    delete_files_pattern($1, config_home_t, config_home_t)
- ')
- 
- #######################################
- ## <summary>
--##	Create, read, write, and delete gconf config files.
++')
++
++#######################################
++## <summary>
 +##  setattr gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
@@ -21276,7 +21643,7 @@ index f5afe78..581c9dd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1068,62 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1068,80 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -21292,6 +21659,24 @@ index f5afe78..581c9dd 100644
 +	gnome_filetrans_gstreamer_home_content($1)
 +')
 +
++######################################
++## <summary>
++##      Allow to execute gstreamer home content files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gnome_exec_gstreamer_home_files',`
++        gen_require(`
++                type gstreamer_home_t;
++        ')
++
++        can_exec($1, gstreamer_home_t)
++')
++
 +#######################################
 +## <summary>
 +##  file name transition gstreamer home content files.
@@ -21343,7 +21728,7 @@ index f5afe78..581c9dd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1131,306 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1149,302 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -21520,11 +21905,6 @@ index f5afe78..581c9dd 100644
 +##	Domain allowed access
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the gkeyring domain.
-+##	</summary>
-+## </param>
 +#
 +interface(`gnome_transition_gkeyringd',`
 +	gen_require(`
@@ -21564,6 +21944,7 @@ index f5afe78..581c9dd 100644
 +	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
 +	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
 +	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
++	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
 +	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
@@ -24054,10 +24435,10 @@ index 0000000..1725b7e
 +
 diff --git a/jetty.if b/jetty.if
 new file mode 100644
-index 0000000..9f09101
+index 0000000..2abc285
 --- /dev/null
 +++ b/jetty.if
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,268 @@
 +
 +## <summary>policy for jetty</summary>
 +
@@ -24304,11 +24685,6 @@ index 0000000..9f09101
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
 +## <rolecap/>
 +#
 +interface(`jetty_admin',`
@@ -24376,10 +24752,10 @@ index 0000000..274cdec
 +/var/log/jockey\.log	--	gen_context(system_u:object_r:jockey_var_log_t,s0)
 diff --git a/jockey.if b/jockey.if
 new file mode 100644
-index 0000000..fb58f33
+index 0000000..868c7d0
 --- /dev/null
 +++ b/jockey.if
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,126 @@
 +
 +## <summary>policy for jockey</summary>
 +
@@ -24489,12 +24865,6 @@ index 0000000..fb58f33
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`jockey_admin',`
 +	gen_require(`
@@ -24841,7 +25211,7 @@ index 3525d24..ee0a3d5 100644
 +/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/kerberos.if b/kerberos.if
-index 604f67b..8714225 100644
+index 604f67b..ebebcd5 100644
 --- a/kerberos.if
 +++ b/kerberos.if
 @@ -84,7 +84,7 @@ interface(`kerberos_use',`
@@ -24894,7 +25264,7 @@ index 604f67b..8714225 100644
  ##	Create a derived type for kerberos keytab
  ## </summary>
  ## <param name="prefix">
-@@ -282,38 +302,25 @@ interface(`kerberos_manage_host_rcache',`
+@@ -282,42 +302,21 @@ interface(`kerberos_manage_host_rcache',`
  	# does not work in conditionals
  	domain_obj_id_change_exemption($1)
  
@@ -24911,10 +25281,10 @@ index 604f67b..8714225 100644
 +		manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
  		files_search_tmp($1)
  	')
--')
+ ')
  
--########################################
--## <summary>
+ ########################################
+ ## <summary>
 -##	Connect to krb524 service
 -## </summary>
 -## <param name="domain">
@@ -24933,17 +25303,14 @@ index 604f67b..8714225 100644
 -		corenet_udp_sendrecv_kerberos_master_port($1)
 -		corenet_sendrecv_kerberos_master_client_packets($1)
 -	')
-+	kerberos_tmp_filetrans_host_rcache($1, "host_0")
-+	kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
-+	kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
-+	kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
-+	kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
-+	kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
-+	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
- ')
- 
- ########################################
-@@ -338,18 +345,22 @@ interface(`kerberos_admin',`
+-')
+-
+-########################################
+-## <summary>
+ ##	All of the rules required to administrate 
+ ##	an kerberos environment
+ ## </summary>
+@@ -338,18 +337,22 @@ interface(`kerberos_admin',`
  		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
  		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
  		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -24971,7 +25338,7 @@ index 604f67b..8714225 100644
  	ps_process_pattern($1, kpropd_t)
  
  	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +389,113 @@ interface(`kerberos_admin',`
+@@ -378,3 +381,114 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -24992,6 +25359,7 @@ index 604f67b..8714225 100644
 +		type krb5_host_rcache_t;
 +	')
 +
++	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
 +	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
 +')
 +
@@ -25352,10 +25720,10 @@ index 0000000..408d6c0
 +/var/log/keystone(/.*)?		gen_context(system_u:object_r:keystone_log_t,s0)
 diff --git a/keystone.if b/keystone.if
 new file mode 100644
-index 0000000..c7a5aeb
+index 0000000..f20248c
 --- /dev/null
 +++ b/keystone.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,218 @@
 +
 +## <summary>policy for keystone</summary>
 +
@@ -25548,12 +25916,6 @@ index 0000000..c7a5aeb
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`keystone_admin',`
 +	gen_require(`
@@ -26044,10 +26406,10 @@ index 0000000..8bc2c6d
 +')
 diff --git a/l2tpd.te b/l2tpd.te
 new file mode 100644
-index 0000000..4786fde
+index 0000000..1b720ad
 --- /dev/null
 +++ b/l2tpd.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -26136,6 +26498,8 @@ index 0000000..4786fde
 +
 +term_use_ptmx(l2tpd_t)
 +
++auth_read_passwd(l2tpd_t)
++
 +logging_send_syslog_msg(l2tpd_t)
 +
 +miscfiles_read_localization(l2tpd_t)
@@ -26302,7 +26666,7 @@ index 3aa8fa7..9539b76 100644
 +	allow $1 ldap_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index 64fd1ff..0f5d0b7 100644
+index 64fd1ff..47c43ab 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -26370,6 +26734,16 @@ index 64fd1ff..0f5d0b7 100644
  
  logging_send_syslog_msg(slapd_t)
  
+@@ -117,6 +135,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+ 
+ optional_policy(`
+ 	kerberos_keytab_template(slapd, slapd_t)
++	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
++	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
++	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
+ ')
+ 
+ optional_policy(`
 diff --git a/likewise.fc b/likewise.fc
 index 057a4e4..57491fc 100644
 --- a/likewise.fc
@@ -27129,7 +27503,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..671d4e1 100644
+index 75ce30f..47aa9f5 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@@ -27171,16 +27545,18 @@ index 75ce30f..671d4e1 100644
  files_read_usr_files(logwatch_t)
  files_search_spool(logwatch_t)
  files_search_mnt(logwatch_t)
-@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t)
+@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
++storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
++
 +mls_file_read_to_clearance(logwatch_t)
 +
  term_dontaudit_getattr_pty_dirs(logwatch_t)
  term_dontaudit_list_ptys(logwatch_t)
  
-@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -27196,7 +27572,7 @@ index 75ce30f..671d4e1 100644
  	files_getattr_all_file_type_fs(logwatch_t)
  ')
  
-@@ -145,3 +161,24 @@ optional_policy(`
+@@ -145,3 +163,24 @@ optional_policy(`
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
@@ -27759,10 +28135,10 @@ index 0000000..2907017
 +/var/cache/man2html(/.*)?		gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
 diff --git a/man2html.if b/man2html.if
 new file mode 100644
-index 0000000..68fddff
+index 0000000..050157a
 --- /dev/null
 +++ b/man2html.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,127 @@
 +
 +## <summary>policy for httpd_man2html_script</summary>
 +
@@ -27873,12 +28249,6 @@ index 0000000..68fddff
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`httpd_man2html_script_admin',`
 +	gen_require(`
@@ -28700,7 +29070,7 @@ index ee72cbe..bf5fc09 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 26101cb..db61a30 100644
+index 26101cb..7393387 100644
 --- a/milter.te
 +++ b/milter.te
 @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
@@ -28717,7 +29087,7 @@ index 26101cb..db61a30 100644
  # currently-supported milters are milter-greylist, milter-regex and spamass-milter
  milter_template(greylist)
  milter_template(regex)
-@@ -20,6 +27,23 @@ milter_template(spamass)
+@@ -20,6 +27,24 @@ milter_template(spamass)
  type spamass_milter_state_t;
  files_type(spamass_milter_state_t)
  
@@ -28728,6 +29098,7 @@ index 26101cb..db61a30 100644
 +
 +allow dkim_milter_t self:capability { kill setgid setuid };
 +allow dkim_milter_t self:process signal;
++allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
 +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 +
 +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
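Review bot: `allow dkim_milter_t self:tcp_socket create_stream_socket_perms;` lets the DKIM milter open TCP sockets, but this hunk shows no corenet_* rule pairing the socket with the port or node it is expected to use. If those rules live outside the hunk, a one-line comment on the added line (e.g. `# inet milter socket; bound via the milter port rule below`) would tie the grant to its purpose; if they do not, the grant should be accompanied by the narrowest corenet_tcp_bind_*/corenet_tcp_connect_* interface rather than a generic one. The dkim_milter_t block continues outside the hunk.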
@@ -28741,7 +29112,7 @@ index 26101cb..db61a30 100644
  ########################################
  #
  # milter-greylist local policy
-@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
+@@ -33,11 +58,19 @@ files_type(spamass_milter_state_t)
  allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
  allow greylist_milter_t self:process { setsched getsched };
  
@@ -28774,10 +29145,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 0000000..1d76fb8
+index 0000000..7f6f2d6
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,307 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -29059,12 +29430,6 @@ index 0000000..1d76fb8
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`mock_admin',`
 +	gen_require(`
@@ -29401,10 +29766,19 @@ index b3ace16..83392b6 100644
  optional_policy(`
  	udev_read_db(modemmanager_t)
 diff --git a/mojomojo.if b/mojomojo.if
-index 657a9fc..0b9bf04 100644
+index 657a9fc..6be094b 100644
 --- a/mojomojo.if
 +++ b/mojomojo.if
-@@ -19,18 +19,23 @@
+@@ -10,27 +10,26 @@
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+-## <rolecap/>
  #
  interface(`mojomojo_admin',`
  	gen_require(`
@@ -29791,7 +30165,7 @@ index b397fde..30bfefb 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 0724816..7ccc738 100644
+index 0724816..0749777 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3)
@@ -29961,7 +30335,7 @@ index 0724816..7ccc738 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -323,31 +350,46 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -323,31 +350,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -30003,6 +30377,7 @@ index 0724816..7ccc738 100644
 +corenet_tcp_connect_soundd_port(mozilla_plugin_t)
 +corenet_tcp_connect_vnc_port(mozilla_plugin_t)
 +corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
++corenet_tcp_connect_monopd_port(mozilla_plugin_t)
 +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
 +corenet_tcp_bind_generic_node(mozilla_plugin_t)
 +corenet_udp_bind_generic_node(mozilla_plugin_t)
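Review bot: `corenet_tcp_connect_monopd_port(mozilla_plugin_t)` joins a long run of per-port connect rules that sits directly above `corenet_tcp_connect_all_ephemeral_ports`, and nothing in the hunk says which plugin needs the monopd port. A short why-comment on the added line (`# <plugin placeholder> connects to monopd`) would let a later reviewer prune the list; without it every named port looks equally essential. Since the ephemeral-port rule already makes the reachable set for this domain broad, each additional named port deserves a stated reason.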
@@ -30014,7 +30389,7 @@ index 0724816..7ccc738 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -356,6 +398,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -356,6 +399,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -30022,7 +30397,7 @@ index 0724816..7ccc738 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,15 +406,22 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,15 +407,22 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -30045,7 +30420,7 @@ index 0724816..7ccc738 100644
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -384,35 +434,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -384,35 +435,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -30058,6 +30433,7 @@ index 0724816..7ccc738 100644
  userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_read_user_tmp_files(mozilla_plugin_t)
 +userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
++userdom_delete_user_tmp_files(mozilla_plugin_t)
 +userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
 +userdom_manage_home_certs(mozilla_plugin_t)
  userdom_read_user_tmp_symlinks(mozilla_plugin_t)
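Review bot: `userdom_delete_user_tmp_files(mozilla_plugin_t)` grants unlink on every user_tmp_t file, i.e. temp files of any application running as the user, not only those the plugin created, and nothing in the hunk explains which file the plugin needs to remove. If the plugin only deletes files it creates itself, a plugin-specific tmp type with a filetrans (the domain already has tmpfs and user-tmp directory rules in the surrounding context) would keep the deletion scoped; otherwise a comment naming the file, e.g. `# removes <file placeholder> left in /tmp by <component placeholder>`, should accompany the rule. The mozilla_plugin_t block continues outside the hunk.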
@@ -30092,7 +30468,7 @@ index 0724816..7ccc738 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -422,35 +463,134 @@ optional_policy(`
+@@ -422,24 +465,36 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -30112,7 +30488,14 @@ index 0724816..7ccc738 100644
  ')
  
  optional_policy(`
- 	java_exec(mozilla_plugin_t)
+-	java_exec(mozilla_plugin_t)
++	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
+ ')
+ 
+ optional_policy(`
+-	mplayer_exec(mozilla_plugin_t)
+-	mplayer_read_user_home_files(mozilla_plugin_t)
++	java_exec(mozilla_plugin_t)
  ')
  
 +#optional_policy(`
@@ -30120,16 +30503,13 @@ index 0724816..7ccc738 100644
 +#')
 +
  optional_policy(`
- 	mplayer_exec(mozilla_plugin_t)
- 	mplayer_read_user_home_files(mozilla_plugin_t)
+-	pcscd_stream_connect(mozilla_plugin_t)
++	mplayer_exec(mozilla_plugin_t)
++	mplayer_read_user_home_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
--	pcscd_stream_connect(mozilla_plugin_t)
--')
--
--optional_policy(`
- 	pulseaudio_exec(mozilla_plugin_t)
+@@ -447,10 +502,102 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -30156,8 +30536,9 @@ index 0724816..7ccc738 100644
  	xserver_use_user_fonts(mozilla_plugin_t)
 +	xserver_read_user_iceauth(mozilla_plugin_t)
 +	xserver_read_user_xauth(mozilla_plugin_t)
-+	xserver_append_xdm_home_files(mozilla_plugin_t);
-+')
++	xserver_append_xdm_home_files(mozilla_plugin_t)
++	xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
+ ')
 +
 +########################################
 +#
@@ -30216,7 +30597,7 @@ index 0724816..7ccc738 100644
 +
 +optional_policy(`
 +	xserver_use_user_fonts(mozilla_plugin_config_t)
- ')
++')
 +ifdef(`distro_redhat',`
 +	typealias mozilla_plugin_t  alias nsplugin_t;
 +	typealias mozilla_plugin_exec_t  alias nsplugin_exec_t;
@@ -30627,7 +31008,7 @@ index afa18c8..f6e2bb8 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index 4e2a5ba..12b951c 100644
+index 4e2a5ba..d5a1725 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -31034,7 +31415,7 @@ index 4e2a5ba..12b951c 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -901,3 +983,143 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -31109,6 +31490,32 @@ index 4e2a5ba..12b951c 100644
 +        ')
 +')
 +
++####################################
++## <summary>
++##      Allow domain to manage mail content in the homedir
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`mta_manage_home_rw',`
++        gen_require(`
++                type mail_home_rw_t;
++        ')
++
++        userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
++	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++
++        ifdef(`distro_redhat',`
++                userdom_search_admin_dir($1)
++		userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++        ')
++')
++
 +########################################
 +## <summary>
 +##	create mail content in the  in the /root directory
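Review bot: The new mta_manage_home_rw interface mixes indentation: gen_require, the first userdom_search_user_home_dirs call and the ifdef block are indented with spaces, while the manage_*_pattern lines and the userdom_admin_home_dir_filetrans line use a tab, so the body reads as two separate pastes; the interfaces further down in this patch appear to use tabs, so the space-indented lines should be converted. Separately, the summary "Allow domain to manage mail content in the homedir" undersells the grant: it is create/delete/rename over mail_home_rw_t in every user's home and in the admin home, so the summary should say who is expected to call it, e.g. `## Manage mail_home_rw_t content (Maildir) in all user and admin home directories; intended for mail delivery domains.`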
@@ -31129,7 +31536,7 @@ index 4e2a5ba..12b951c 100644
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 +	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
 +')
 +
@@ -31152,7 +31559,7 @@ index 4e2a5ba..12b951c 100644
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 +	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
 +')
 +
@@ -32982,7 +33389,7 @@ index a648982..59f096b 100644
  ')
 +
 diff --git a/ncftool.te b/ncftool.te
-index f19ca0b..8c48c33 100644
+index f19ca0b..dfc1ba2 100644
 --- a/ncftool.te
 +++ b/ncftool.te
 @@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
@@ -33058,7 +33465,7 @@ index f19ca0b..8c48c33 100644
  optional_policy(`
  	consoletype_exec(ncftool_t)
  ')
-@@ -69,13 +83,17 @@ optional_policy(`
+@@ -69,13 +83,18 @@ optional_policy(`
  
  optional_policy(`
  	iptables_initrc_domtrans(ncftool_t)
@@ -33066,6 +33473,7 @@ index f19ca0b..8c48c33 100644
  ')
  
  optional_policy(`
++	modutils_list_module_config(ncftool_t)
  	modutils_read_module_config(ncftool_t)
 -	modutils_run_insmod(ncftool_t, ncftool_roles)
 +	modutils_domtrans_insmod(ncftool_t)
@@ -35604,10 +36012,10 @@ index 0000000..be6fcb0
 +/var/run/numad\.pid      --  gen_context(system_u:object_r:numad_var_run_t,s0)
 diff --git a/numad.if b/numad.if
 new file mode 100644
-index 0000000..77a3112
+index 0000000..709dda1
 --- /dev/null
 +++ b/numad.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,72 @@
 +
 +## <summary>policy for numad</summary>
 +
@@ -35664,12 +36072,6 @@ index 0000000..77a3112
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`numad_admin',`
 +	gen_require(`
@@ -37853,7 +38255,7 @@ index 5702ca4..498d856 100644
  /var/run/plymouth(/.*)?			gen_context(system_u:object_r:plymouthd_var_run_t,s0)
  /var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
 diff --git a/plymouthd.if b/plymouthd.if
-index 9759ed8..f8d254a 100644
+index 9759ed8..17c097d 100644
 --- a/plymouthd.if
 +++ b/plymouthd.if
 @@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
@@ -37865,10 +38267,12 @@ index 9759ed8..f8d254a 100644
  	gen_require(`
  		type plymouthd_spool_t;
  	')
-@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', `
+@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', `
  
  ########################################
  ## <summary>
+-##	All of the rules required to administrate
+-##	an plymouthd environment
 +##	Allow the specified domain to read
 +##	to plymouthd log files.
 +## </summary>
@@ -37891,12 +38295,13 @@ index 9759ed8..f8d254a 100644
 +## <summary>
 +##	Allow the specified domain to manage
 +##	to plymouthd log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
 +interface(`plymouthd_manage_log',`
 +	gen_require(`
@@ -37911,10 +38316,20 @@ index 9759ed8..f8d254a 100644
 +
 +########################################
 +## <summary>
- ##	All of the rules required to administrate
- ##	an plymouthd environment
- ## </summary>
-@@ -249,12 +291,17 @@ interface(`plymouthd_admin', `
++##	All of the rules required to administrate
++##	an plymouthd environment
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	Role allowed access.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`plymouthd_admin', `
+ 	gen_require(`
+@@ -249,12 +285,17 @@ interface(`plymouthd_admin', `
  		type plymouthd_var_run_t;
  	')
  
@@ -38034,16 +38449,17 @@ index 4cffb07..3436696 100644
  allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
  allow podsleuth_t self:sem create_sem_perms;
 diff --git a/policykit.fc b/policykit.fc
-index 63d0061..c65d18f 100644
+index 63d0061..4718a93 100644
 --- a/policykit.fc
 +++ b/policykit.fc
-@@ -1,16 +1,18 @@
+@@ -1,16 +1,20 @@
  /usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -/usr/lib/policykit/polkit-grant-helper.* --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 +/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
  /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
  /usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 -/usr/lib/policykit-1/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/lib/polkit-1/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
  
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -38051,11 +38467,12 @@ index 63d0061..c65d18f 100644
 -/usr/libexec/polkitd			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkit-1/polkit-agent-helper-1 --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
++/usr/lib/polkit-1/polkit-agent-helper-1  --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/libexec/polkit-1/polkitd.*		--	gen_context(system_u:object_r:policykit_exec_t,s0)
  
  /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
  /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
-+/var/lib/polkit-1(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
++/var/lib/polkit-1(/.*)?				gen_context(system_u:object_r:policykit_var_lib_t,s0)
  /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
  /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
  
@@ -38203,7 +38620,7 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index 44db896..67a2c44 100644
+index 44db896..9e61080 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -1,51 +1,73 @@
@@ -38258,7 +38675,7 @@ index 44db896..67a2c44 100644
 +# policykit_domain local policy
 +#
 +
-+allow policykit_domain self:process getattr;
++allow policykit_domain self:process { execmem getattr };
 +allow policykit_domain self:fifo_file rw_fifo_file_perms;
 +
 +dev_read_sysfs(policykit_domain)
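Review bot: `allow policykit_domain self:process { execmem getattr };` attaches execmem to the attribute shared by every polkit domain, so the auth, grant and resolve helpers gain writable-and-executable anonymous memory along with the daemon, and nothing in the hunk says which of them actually needs it. execmem removes a memory-safety mitigation, so it is worth granting to the single domain that requires it (policykit_t, if the need is the daemon's) rather than to the whole attribute, and annotating it, e.g. `# execmem: required by <component placeholder>, see <bug placeholder>`. If all four domains genuinely need it, the comment should say so.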
@@ -38293,7 +38710,7 @@ index 44db896..67a2c44 100644
  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
  
  policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,112 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -38337,6 +38754,11 @@ index 44db896..67a2c44 100644
 +')
 +
 +optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
++	kerberos_manage_host_rcache(policykit_t)
++')
++
++optional_policy(`
 +	gnome_read_config(policykit_t)
 +')
 +
@@ -38413,11 +38835,16 @@ index 44db896..67a2c44 100644
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,14 +191,21 @@ optional_policy(`
+@@ -118,14 +196,26 @@ optional_policy(`
  	hal_read_state(policykit_auth_t)
  ')
  
 +optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
++        kerberos_manage_host_rcache(policykit_auth_t)
++')
++
++optional_policy(`
 +	xserver_stream_connect(policykit_auth_t)
 +	xserver_xdm_append_log(policykit_auth_t)
 +	xserver_read_xdm_pid(policykit_auth_t)
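Review bot: `kerberos_manage_host_rcache(policykit_auth_t)` is indented with eight spaces while the line above it and the rest of the file use a tab, so the new optional_policy block is visibly misaligned; replace the spaces with a tab. The same pair of calls is added for policykit_t in the previous hunk with tab indentation, which is the form to copy. The policykit_auth_t block continues outside the hunk.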
@@ -38437,7 +38864,7 @@ index 44db896..67a2c44 100644
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +235,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
  files_read_etc_files(policykit_grant_t)
  files_read_usr_files(policykit_grant_t)
  
@@ -38462,7 +38889,7 @@ index 44db896..67a2c44 100644
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,9 +246,8 @@ optional_policy(`
+@@ -167,9 +256,8 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
@@ -38474,7 +38901,7 @@ index 44db896..67a2c44 100644
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,14 +273,8 @@ corecmd_search_bin(policykit_resolve_t)
  files_read_etc_files(policykit_resolve_t)
  files_read_usr_files(policykit_resolve_t)
  
@@ -38489,7 +38916,7 @@ index 44db896..67a2c44 100644
  userdom_read_all_users_state(policykit_resolve_t)
  
  optional_policy(`
-@@ -207,4 +279,3 @@ optional_policy(`
+@@ -207,4 +289,3 @@ optional_policy(`
  	kernel_search_proc(policykit_resolve_t)
  	hal_read_state(policykit_resolve_t)
  ')
@@ -38743,10 +39170,10 @@ index 0000000..d00f6ba
 +')
 diff --git a/polipo.te b/polipo.te
 new file mode 100644
-index 0000000..c08cddc
+index 0000000..781625a
 --- /dev/null
 +++ b/polipo.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,172 @@
 +policy_module(polipo, 1.0.0)
 +
 +########################################
@@ -38852,6 +39279,7 @@ index 0000000..c08cddc
 +corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
 +corenet_tcp_bind_http_cache_port(polipo_daemon)
 +corenet_sendrecv_http_cache_server_packets(polipo_daemon)
++corenet_tcp_connect_http_port(polipo_daemon)
 +
 +files_read_usr_files(polipo_daemon)
 +
@@ -39692,7 +40120,7 @@ index 46bee12..99499ef 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index 69cbd06..c990292 100644
+index 69cbd06..2f19c1c 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,10 +1,19 @@
@@ -39907,10 +40335,14 @@ index 69cbd06..c990292 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +334,10 @@ optional_policy(`
+@@ -297,6 +334,14 @@ optional_policy(`
  ')
  
  optional_policy(`
++	dovecot_domtrans_deliver(postfix_local_t)
++')
++
++optional_policy(`
 +	dspam_domtrans(postfix_local_t)
 +')
 +
@@ -39918,7 +40350,7 @@ index 69cbd06..c990292 100644
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
-@@ -304,9 +345,22 @@ optional_policy(`
+@@ -304,9 +349,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39941,7 +40373,7 @@ index 69cbd06..c990292 100644
  ########################################
  #
  # Postfix map local policy
-@@ -379,18 +433,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +437,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -39967,7 +40399,7 @@ index 69cbd06..c990292 100644
  allow postfix_pipe_t self:process setrlimit;
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +461,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +465,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -39976,7 +40408,7 @@ index 69cbd06..c990292 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +482,7 @@ optional_policy(`
+@@ -420,6 +486,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -39984,7 +40416,7 @@ index 69cbd06..c990292 100644
  ')
  
  optional_policy(`
-@@ -436,11 +499,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +503,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -40002,7 +40434,7 @@ index 69cbd06..c990292 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +560,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -40013,7 +40445,7 @@ index 69cbd06..c990292 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -40026,7 +40458,7 @@ index 69cbd06..c990292 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -40037,7 +40469,7 @@ index 69cbd06..c990292 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +637,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -40046,7 +40478,7 @@ index 69cbd06..c990292 100644
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +642,14 @@ optional_policy(`
+@@ -565,6 +646,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40061,7 +40493,7 @@ index 69cbd06..c990292 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +670,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -40088,7 +40520,7 @@ index 69cbd06..c990292 100644
  ')
  
  optional_policy(`
-@@ -599,6 +692,12 @@ optional_policy(`
+@@ -599,6 +696,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40101,7 +40533,7 @@ index 69cbd06..c990292 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +710,6 @@ optional_policy(`
+@@ -611,7 +714,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -40109,7 +40541,7 @@ index 69cbd06..c990292 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +732,75 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -43229,10 +43661,10 @@ index 0000000..9108437
 +/var/log/quantum(/.*)?		gen_context(system_u:object_r:quantum_log_t,s0)
 diff --git a/quantum.if b/quantum.if
 new file mode 100644
-index 0000000..89e4bc5
+index 0000000..010b2be
 --- /dev/null
 +++ b/quantum.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,218 @@
 +## <summary>Quantum is a virtual network service for Openstack</summary>
 +
 +########################################
@@ -43425,12 +43857,6 @@ index 0000000..89e4bc5
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`quantum_admin',`
 +	gen_require(`
@@ -44832,7 +45258,7 @@ index 7dc38d1..808f9c6 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/rgmanager.te b/rgmanager.te
-index 07333db..53bff36 100644
+index 07333db..91ef567 100644
 --- a/rgmanager.te
 +++ b/rgmanager.te
 @@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
@@ -44882,7 +45308,7 @@ index 07333db..53bff36 100644
  
  # need to write to /dev/misc/dlm-control
  dev_rw_dlm_control(rgmanager_t)
-@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t)
+@@ -76,31 +78,37 @@ dev_search_sysfs(rgmanager_t)
  
  domain_read_all_domains_state(rgmanager_t)
  domain_getattr_all_domains(rgmanager_t)
@@ -44914,6 +45340,7 @@ index 07333db..53bff36 100644
  auth_use_nsswitch(rgmanager_t)
  
 +init_domtrans_script(rgmanager_t)
++init_initrc_domain(rgmanager_t)
 +
  logging_send_syslog_msg(rgmanager_t)
  
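Review bot: `init_initrc_domain(rgmanager_t)` is added directly under `init_domtrans_script(rgmanager_t)` with no comment, and as I read the interface name it marks rgmanager_t as an initrc-style domain, a much wider grant than the script transition above it (it would typically make rgmanager_t a source for the daemon-domain transitions that init scripts get). If the intent is only to let rgmanager start and stop cluster resources, a comment stating that, e.g. `# rgmanager execs resource-agent daemons directly, so it needs the initrc domain attribute`, plus a check that init_domtrans_script alone is insufficient, would help the next reader; otherwise the line looks like a catch-all. The rgmanager_t block continues outside the hunk.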
@@ -44924,7 +45351,7 @@ index 07333db..53bff36 100644
  
  tunable_policy(`rgmanager_can_network_connect',`
  	corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +125,14 @@ optional_policy(`
+@@ -118,6 +126,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44939,7 +45366,7 @@ index 07333db..53bff36 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +155,16 @@ optional_policy(`
+@@ -140,6 +156,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44956,7 +45383,7 @@ index 07333db..53bff36 100644
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
-@@ -165,6 +190,8 @@ optional_policy(`
+@@ -165,6 +191,8 @@ optional_policy(`
  optional_policy(`
  	rpc_initrc_domtrans_nfsd(rgmanager_t)
  	rpc_initrc_domtrans_rpcd(rgmanager_t)
@@ -46377,7 +46804,7 @@ index 63e78c6..fdd8228 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index d654552..49dbcc4 100644
+index d654552..706700d 100644
 --- a/rlogin.te
 +++ b/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -46417,7 +46844,7 @@ index d654552..49dbcc4 100644
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t)
+@@ -88,27 +88,24 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
@@ -46444,6 +46871,7 @@ index d654552..49dbcc4 100644
 -	fs_read_cifs_symlinks(rlogind_t)
 +optional_policy(`
 +	kerberos_keytab_template(rlogind, rlogind_t)
++	kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
 +	#part of auth_use_pam
 +	#kerberos_manage_host_rcache(rlogind_t)
  ')
@@ -47948,19 +48376,20 @@ index a07b2f4..36b4903 100644
 +
 +userdom_getattr_user_terminals(rwho_t)
 diff --git a/samba.fc b/samba.fc
-index 69a6074..3d65472 100644
+index 69a6074..c9dbc93 100644
 --- a/samba.fc
 +++ b/samba.fc
-@@ -14,6 +14,8 @@
+@@ -14,6 +14,9 @@
  #
  # /usr
  #
 +/usr/lib/systemd/system/smb.* 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/nmb.*   --      gen_context(system_u:object_r:samba_unit_file_t,s0)
 +
  /usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
  /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
  /usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
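Review bot: The new `/usr/lib/systemd/system/nmb.*` file context is aligned with spaces while the `smb.*` line directly above and the rest of samba.fc use tabs between the path, the `--` class and gen_context; use tabs so the columns line up and future diffs stay minimal. The unit-file patterns in this file are unanchored prefixes (`smb.*`, `nmb.*`), which is consistent between the two, so only the whitespace needs attention.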
-@@ -36,6 +38,10 @@
+@@ -36,6 +39,10 @@
  
  /var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
  
@@ -47971,7 +48400,7 @@ index 69a6074..3d65472 100644
  /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -48,6 +54,11 @@
+@@ -48,6 +55,11 @@
  /var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  
@@ -49849,7 +50278,7 @@ index cfe3172..3eb745d 100644
 +
  ')
 diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..d5d96e7 100644
+index e02eb6c..c4130e0 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -49881,15 +50310,27 @@ index e02eb6c..d5d96e7 100644
  ## </desc>
  gen_tunable(sanlock_use_samba, false)
  
-@@ -46,6 +46,7 @@ ifdef(`enable_mls',`
+@@ -44,8 +44,9 @@ ifdef(`enable_mls',`
  #
- allow sanlock_t self:capability { sys_nice ipc_lock };
- allow sanlock_t self:process { setsched signull };
+ # sanlock local policy
+ #
+-allow sanlock_t self:capability { sys_nice ipc_lock };
+-allow sanlock_t self:process { setsched signull };
++allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
++allow sanlock_t self:process { setsched signull signal sigkill };
 +
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
  allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -67,6 +68,8 @@ storage_raw_rw_fixed_disk(sanlock_t)
+@@ -58,6 +59,7 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+ 
+ kernel_read_system_state(sanlock_t)
++kernel_read_kernel_sysctls(sanlock_t)
+ 
+ domain_use_interactive_fds(sanlock_t)
+ 
+@@ -67,6 +69,8 @@ storage_raw_rw_fixed_disk(sanlock_t)
  
  dev_read_urand(sanlock_t)
  
@@ -49898,7 +50339,7 @@ index e02eb6c..d5d96e7 100644
  init_read_utmp(sanlock_t)
  init_dontaudit_write_utmp(sanlock_t)
  
-@@ -75,19 +78,25 @@ logging_send_syslog_msg(sanlock_t)
+@@ -75,19 +79,25 @@ logging_send_syslog_msg(sanlock_t)
  miscfiles_read_localization(sanlock_t)
  
  tunable_policy(`sanlock_use_nfs',`
@@ -49964,7 +50405,7 @@ index f1aea88..3e6a93f 100644
  	admin_pattern($1, saslauthd_var_run_t)
  ')
 diff --git a/sasl.te b/sasl.te
-index 9d9f8ce..15569f0 100644
+index 9d9f8ce..637b67c 100644
 --- a/sasl.te
 +++ b/sasl.te
 @@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0)
@@ -49986,15 +50427,14 @@ index 9d9f8ce..15569f0 100644
  type saslauthd_var_run_t;
  files_pid_file(saslauthd_var_run_t)
  
-@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+@@ -38,16 +35,17 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
  allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
  allow saslauthd_t self:tcp_socket create_socket_perms;
  
 -allow saslauthd_t saslauthd_tmp_t:dir setattr;
 -manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
 -files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
-+kerberos_tmp_filetrans_host_rcache(saslauthd_t)
- 
+-
 +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
  manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
  manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -50010,7 +50450,7 @@ index 9d9f8ce..15569f0 100644
  
  corenet_all_recvfrom_unlabeled(saslauthd_t)
  corenet_all_recvfrom_netlabel(saslauthd_t)
-@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
+@@ -55,6 +53,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
  corenet_tcp_sendrecv_generic_node(saslauthd_t)
  corenet_tcp_sendrecv_all_ports(saslauthd_t)
  corenet_tcp_connect_pop_port(saslauthd_t)
@@ -50018,7 +50458,7 @@ index 9d9f8ce..15569f0 100644
  corenet_sendrecv_pop_client_packets(saslauthd_t)
  
  dev_read_urand(saslauthd_t)
-@@ -88,12 +89,13 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+@@ -88,11 +87,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
  
  # cjp: typeattribute doesnt work in conditionals
  auth_can_read_shadow_passwords(saslauthd_t)
@@ -50028,11 +50468,10 @@ index 9d9f8ce..15569f0 100644
  ')
  
  optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
  	kerberos_keytab_template(saslauthd, saslauthd_t)
-+	#kerberos_manage_host_rcache(saslauthd_t)
  ')
  
- optional_policy(`
 diff --git a/sblim.if b/sblim.if
 index fa24879..fdb665a 100644
 --- a/sblim.if
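Review bot: The added `kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")` is a name-based labelling rule, and the only rule that would have granted saslauthd_t create/write on the replay-cache type, the commented-out `kerberos_manage_host_rcache`, is deleted in the same hunk; unless the filetrans interface (not in this chunk) also grants manage permissions, saslauthd will be denied when it writes the cache. The telnet and sssd hunks later in this patch add both calls side by side, so either the interface is self-sufficient and those are redundant, or this hunk is missing `kerberos_manage_host_rcache(saslauthd_t)` — worth confirming and making the three consistent. The `"host_0"` name also only matches the euid-0 replay cache; if saslauthd ever drops privileges the file would presumably be named for that uid and miss the transition. The surrounding saslauthd_t policy continues outside the hunk.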
@@ -52755,7 +53194,7 @@ index d2496bd..c7614d7 100644
  	init_labeled_script_domtrans($1, squid_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/squid.te b/squid.te
-index d24bd07..e5f4599 100644
+index d24bd07..daf200c 100644
 --- a/squid.te
 +++ b/squid.te
 @@ -29,7 +29,7 @@ type squid_cache_t;
@@ -52777,7 +53216,15 @@ index d24bd07..e5f4599 100644
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
  
-@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+@@ -69,6 +72,7 @@ allow squid_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
++files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+ 
+ allow squid_t squid_conf_t:dir list_dir_perms;
+ read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+@@ -85,11 +89,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
  manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
  fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
  
@@ -52794,7 +53241,7 @@ index d24bd07..e5f4599 100644
  
  files_dontaudit_getattr_boot_dirs(squid_t)
  
-@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
  tunable_policy(`squid_connect_any',`
  	corenet_tcp_connect_all_ports(squid_t)
  	corenet_tcp_bind_all_ports(squid_t)
@@ -52804,7 +53251,7 @@ index d24bd07..e5f4599 100644
  ')
  
  tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +194,7 @@ optional_policy(`
+@@ -185,6 +195,7 @@ optional_policy(`
  	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
  	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
  	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -52812,13 +53259,13 @@ index d24bd07..e5f4599 100644
  
  	sysnet_dns_name_resolve(httpd_squid_script_t)
  
-@@ -206,3 +216,7 @@ optional_policy(`
+@@ -206,3 +217,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(squid_t)
  ')
 +
 +optional_policy(`
-+	kerberos_manage_host_rcache(squid_t)
++	kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
 +')
 diff --git a/sssd.fc b/sssd.fc
 index 4271815..4bc00ea 100644
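Review bot: squid_t appears to lose its create/write rights on the Kerberos replay cache here: `kerberos_manage_host_rcache(squid_t)` is removed and only the name transition `kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")` takes its place, which labels the file but, unless the interface (not in this chunk) also carries manage permissions, does not allow writing it. The telnet and sssd hunks in the same patch keep both calls; if that pairing is the intended pattern, this block should contain `kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")` followed by `kerberos_manage_host_rcache(squid_t)`. As with the other services, `host_0` only names the euid-0 cache, which holds only if squid's Kerberos use happens before it drops privileges — a one-line comment stating that assumption would help.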
@@ -52919,7 +53366,7 @@ index 941380a..e1095f0 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/sssd.te b/sssd.te
-index 8ffa257..1dfa5ce 100644
+index 8ffa257..20d8944 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -53011,10 +53458,11 @@ index 8ffa257..1dfa5ce 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,4 +108,18 @@ optional_policy(`
+@@ -87,4 +108,19 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
++	kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
 +	kerberos_read_home_content(sssd_t)
 +')
 +
@@ -53069,10 +53517,10 @@ index 0000000..5ab0840
 +/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 diff --git a/svnserve.if b/svnserve.if
 new file mode 100644
-index 0000000..bab5617
+index 0000000..19d13a7
 --- /dev/null
 +++ b/svnserve.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,119 @@
 +
 +## <summary>policy for svnserve</summary>
 +
@@ -53169,12 +53617,6 @@ index 0000000..bab5617
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`svnserve_admin',`
 +	gen_require(`
@@ -53846,7 +54288,7 @@ index 58e7ec0..e4119f7 100644
 +	allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
 +')
 diff --git a/telnet.te b/telnet.te
-index f40e67b..3519e88 100644
+index f40e67b..0634c00 100644
 --- a/telnet.te
 +++ b/telnet.te
 @@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
@@ -53892,13 +54334,14 @@ index f40e67b..3519e88 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_nfs(telnetd_t)
-@@ -98,3 +92,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +92,13 @@ tunable_policy(`use_nfs_home_dirs',`
  tunable_policy(`use_samba_home_dirs',`
  	fs_search_cifs(telnetd_t)
  ')
 +
 +optional_policy(`
 +	kerberos_keytab_template(telnetd, telnetd_t)
++	kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
 +	kerberos_manage_host_rcache(telnetd_t)
 +')
 +
@@ -54328,10 +54771,10 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..a0d188c
+index 0000000..89684c9
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,110 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -54402,10 +54845,15 @@ index 0000000..a0d188c
 +files_read_usr_files(thumb_t)
 +files_read_non_security_files(thumb_t)
 +
++fs_getattr_all_fs(thumb_t)
 +fs_read_dos_files(thumb_t)
 +
 +auth_use_nsswitch(thumb_t)
 +
++tunable_policy(`selinuxuser_execmod',`
++	libs_legacy_use_shared_libs(thumb_t)
++')
++
 +miscfiles_read_fonts(thumb_t)
 +miscfiles_read_localization(thumb_t)
 +
@@ -54435,7 +54883,7 @@ index 0000000..a0d188c
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
-+	#gnome_exec_gstreamer_home_files(thumb_t)
++	gnome_exec_gstreamer_home_files(thumb_t)
 +')
 diff --git a/thunderbird.te b/thunderbird.te
 index bf37d98..204ac7e 100644
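Review bot: Uncommenting `gnome_exec_gstreamer_home_files(thumb_t)` lets the thumbnailer execute files in the user's gstreamer home directory, which the lines just above already let thumb_t create and manage (`gnome_manage_gstreamer_home_files`). Thumbnailers parse untrusted downloaded content, so a memory-safety bug in one now lets an attacker write a file there and execute it inside thumb_t rather than being limited to reading and writing; if the need is a plugin scanner or registry helper, a comment naming the file that must be executed, e.g. `# thumbnailers spawn the gstreamer plugin scanner from the user's gstreamer dir (confirm)`, and where possible a domain transition instead of plain exec, would narrow this. The optional_policy block begins outside the hunk.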
@@ -54764,7 +55212,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..da20967 100644
+index db9d2a5..c7b09c0 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -54780,7 +55228,7 @@ index db9d2a5..da20967 100644
  type tuned_log_t;
  logging_log_file(tuned_log_t)
  
-@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t)
+@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
  # tuned local policy
  #
  
@@ -54809,10 +55257,12 @@ index db9d2a5..da20967 100644
  
  kernel_read_system_state(tuned_t)
  kernel_read_network_state(tuned_t)
+-
 +kernel_read_kernel_sysctls(tuned_t)
++kernel_rw_kernel_sysctl(tuned_t)
 +kernel_rw_hotplug_sysctls(tuned_t)
 +kernel_rw_vm_sysctls(tuned_t)
- 
++
 +dev_getattr_all_blk_files(tuned_t)
 +dev_getattr_all_chr_files(tuned_t)
 +dev_dontaudit_getattr_all(tuned_t)
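Review bot: `kernel_rw_kernel_sysctl(tuned_t)` grants write on the generic kernel sysctl type, which — if it is the usual type covering /proc/sys/kernel — includes knobs such as `kernel.modprobe`, `kernel.core_pattern` and `kernel.hotplug` that let a compromised tuned run arbitrary code as root, a larger escalation path than the vm and hotplug sysctl rules already in this block. The changelog only says "Allow tuned to write generic kernel sysctls" without naming the keys; a comment listing them, e.g. `# tuned profiles write kernel.sched_* tunables under /proc/sys/kernel (confirm list)`, and a narrower type for those keys if the policy has one, would keep the grant auditable. The tuned_t block continues outside the hunk.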
@@ -54822,7 +55272,7 @@ index db9d2a5..da20967 100644
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
  
-@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
  files_read_usr_files(tuned_t)
  files_dontaudit_search_home(tuned_t)
  
@@ -54833,7 +55283,7 @@ index db9d2a5..da20967 100644
  logging_send_syslog_msg(tuned_t)
  
  miscfiles_read_localization(tuned_t)
-@@ -58,6 +83,14 @@ optional_policy(`
+@@ -58,6 +84,14 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -56560,7 +57010,7 @@ index 7c5d8d8..85b7d8b 100644
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
  ')
 diff --git a/virt.te b/virt.te
-index ad3068a..6713ab0 100644
+index ad3068a..caef8cf 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
@@ -56836,7 +57286,7 @@ index ad3068a..6713ab0 100644
 +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
-+	dontaudit virtd_t self:capability sys_module;
++	dontaudit virtd_t self:capability { sys_module sys_ptrace };
 +')
  
 -allow virtd_t self:fifo_file rw_fifo_file_perms;
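Review bot: The `sys_ptrace` added to the `dontaudit virtd_t self:capability` line is covered by a comment that explains only `sys_module` ("caused by some bogus kernel code"); `sys_ptrace` checks are typically raised when a process reads another process's /proc state, so silencing it under `hide_broken_symptoms` hides a signal that would otherwise show libvirtd probing other processes. If it is likewise a spurious kernel check, say so for both, e.g. `# sys_module and sys_ptrace: spurious kernel capability checks, not needed by libvirtd (verify)`; otherwise keep `sys_ptrace` audited. The virtd_t block continues outside the hunk.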
@@ -57027,7 +57477,7 @@ index ad3068a..6713ab0 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,6 +506,14 @@ optional_policy(`
+@@ -335,19 +506,30 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -57042,12 +57492,14 @@ index ad3068a..6713ab0 100644
  ')
  
  optional_policy(`
-@@ -343,11 +522,14 @@ optional_policy(`
+ 	dnsmasq_domtrans(virtd_t)
+ 	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
- 	dnsmasq_read_pid_files(virtd_t)
+-	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
 +	dnsmasq_create_pid_dirs(virtd_t)
 +	dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
++	dnsmasq_manage_pid_files(virtd_t)
  ')
  
  optional_policy(`
@@ -57087,7 +57539,15 @@ index ad3068a..6713ab0 100644
  ')
  
  optional_policy(`
-@@ -403,20 +591,36 @@ optional_policy(`
+@@ -384,6 +572,7 @@ optional_policy(`
+ 	kernel_read_xen_state(virtd_t)
+ 	kernel_write_xen_state(virtd_t)
+ 
++	xen_exec(virtd_t)
+ 	xen_stream_connect(virtd_t)
+ 	xen_stream_connect_xenstore(virtd_t)
+ 	xen_read_image_files(virtd_t)
+@@ -403,20 +592,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -57127,7 +57587,7 @@ index ad3068a..6713ab0 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -427,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -427,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -57141,7 +57601,7 @@ index ad3068a..6713ab0 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,10 +644,12 @@ dev_write_sound(virt_domain)
+@@ -438,10 +645,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -57154,7 +57614,7 @@ index ad3068a..6713ab0 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -449,25 +657,428 @@ files_search_all(virt_domain)
+@@ -449,25 +658,430 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -57257,6 +57717,8 @@ index ad3068a..6713ab0 100644
 +init_rw_script_stream_sockets(virsh_t)
 +init_use_fds(virsh_t)
 +
++auth_read_passwd(virsh_t)
++
 +miscfiles_read_localization(virsh_t)
 +
 +sysnet_dns_name_resolve(virsh_t)
@@ -57352,6 +57814,7 @@ index ad3068a..6713ab0 100644
 +dev_relabel_all_dev_nodes(virtd_lxc_t)
 +dev_rw_sysfs(virtd_lxc_t)
 +dev_read_sysfs(virtd_lxc_t)
++dev_read_urand(virtd_lxc_t)
 +
 +domain_use_interactive_fds(virtd_lxc_t)
 +
@@ -57374,8 +57837,7 @@ index ad3068a..6713ab0 100644
 +fs_mounton_tmpfs(virtd_lxc_t)
 +fs_remount_all_fs(virtd_lxc_t)
 +fs_rw_cgroup_files(virtd_lxc_t)
-+fs_unmount_xattr_fs(virtd_lxc_t)
-+fs_unmount_configfs(virtd_lxc_t)
++fs_unmount_all_fs(virtd_lxc_t)
 +fs_relabelfrom_tmpfs(virtd_lxc_t)
 +
 +selinux_mount_fs(virtd_lxc_t)
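Review bot: `fs_unmount_all_fs(virtd_lxc_t)` widens the two targeted unmount rules it replaces (xattr filesystems and configfs) to unmount on every filesystem type, including the host's own mounts, and the changelog entry ("Allow virtd_lxc_t to unmount all file systems") does not say which filesystem was actually denied. If the setup path that failed is known, a comment naming it, e.g. `# container setup unmounts the guest's /proc, /sys and tmpfs before pivot (confirm from audit log)`, would justify the wider rule; otherwise this is a rule that should carry the denial it was added for. The virtd_lxc_t block begins outside the hunk.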
@@ -57660,10 +58122,22 @@ index f21389b..482db56 100644
  # cjp: why?
  userdom_read_user_home_content_files(vmware_t)
 diff --git a/vnstatd.if b/vnstatd.if
-index 727fe95..958de01 100644
+index 727fe95..47ec114 100644
 --- a/vnstatd.if
 +++ b/vnstatd.if
-@@ -135,8 +135,11 @@ interface(`vnstatd_admin',`
+@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+-## <rolecap/>
+ #
+ interface(`vnstatd_admin',`
+ 	gen_require(`
  		type vnstatd_t, vnstatd_var_lib_t;
  	')
  
@@ -58073,10 +58547,31 @@ index 9d24449..2666317 100644
  /opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
  
 diff --git a/wine.if b/wine.if
-index f9a73d0..00a98f1 100644
+index f9a73d0..4b83bb0 100644
 --- a/wine.if
 +++ b/wine.if
-@@ -29,12 +29,16 @@
+@@ -10,10 +10,9 @@
+ ##	for wine applications.
+ ##	</p>
+ ## </desc>
+-## <param name="userdomain_prefix">
++## <param name="user_role">
+ ##	<summary>
+-##	The prefix of the user domain (e.g., user
+-##	is the prefix for user_t).
++##	The role associated with the user domain.
+ ##	</summary>
+ ## </param>
+ ## <param name="user_domain">
+@@ -21,20 +20,19 @@
+ ##	The type of the user domain.
+ ##	</summary>
+ ## </param>
+-## <param name="user_role">
+-##	<summary>
+-##	The role associated with the user domain.
+-##	</summary>
+-## </param>
  #
  template(`wine_role',`
  	gen_require(`
@@ -58093,7 +58588,7 @@ index f9a73d0..00a98f1 100644
  	allow wine_t $2:fd use;
  	allow wine_t $2:process { sigchld signull };
  	allow wine_t $2:unix_stream_socket connectto;
-@@ -44,8 +48,7 @@ template(`wine_role',`
+@@ -44,8 +42,7 @@ template(`wine_role',`
  	allow $2 wine_t:process signal_perms;
  
  	allow $2 wine_t:fd use;
@@ -58103,7 +58598,7 @@ index f9a73d0..00a98f1 100644
  	allow $2 wine_t:unix_stream_socket connectto;
  
  	# X access, Home files
-@@ -86,6 +89,7 @@ template(`wine_role',`
+@@ -86,6 +83,7 @@ template(`wine_role',`
  #
  template(`wine_role_template',`
  	gen_require(`
@@ -58111,7 +58606,7 @@ index f9a73d0..00a98f1 100644
  		type wine_exec_t;
  	')
  
-@@ -96,12 +100,12 @@ template(`wine_role_template',`
+@@ -96,12 +94,12 @@ template(`wine_role_template',`
  	role $2 types $1_wine_t;
  
  	allow $1_wine_t self:process { execmem execstack };
@@ -58126,7 +58621,7 @@ index f9a73d0..00a98f1 100644
  
  	domain_mmap_low($1_wine_t)
  
-@@ -109,6 +113,10 @@ template(`wine_role_template',`
+@@ -109,6 +107,10 @@ template(`wine_role_template',`
  		dontaudit $1_wine_t self:memprotect mmap_zero;
  	')
  
@@ -58272,10 +58767,36 @@ index 1a1b374..f22f770 100644
  ')
  
 diff --git a/xen.if b/xen.if
-index 77d41b6..138efd8 100644
+index 77d41b6..cc73c96 100644
 --- a/xen.if
 +++ b/xen.if
-@@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',`
+@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Allow the specified domain to execute xend
++##	in the caller domain.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++#
++interface(`xen_exec',`
++	gen_require(`
++		type xend_exec_t;
++	')
++
++	can_exec($1, xend_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Inherit and use xen file descriptors.
+ ## </summary>
+ ## <param name="domain">
+@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
  	dontaudit $1 xend_t:fd use;
  ')
  
@@ -58302,7 +58823,7 @@ index 77d41b6..138efd8 100644
  ########################################
  ## <summary>
  ##	Read xend image files.
-@@ -87,6 +107,26 @@ interface(`xen_read_image_files',`
+@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
  ## 	</summary>
  ## </param>
  #
@@ -58329,7 +58850,7 @@ index 77d41b6..138efd8 100644
  interface(`xen_rw_image_files',`
  	gen_require(`
  		type xen_image_t, xend_var_lib_t;
-@@ -161,7 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -58338,7 +58859,7 @@ index 77d41b6..138efd8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -180,7 +220,7 @@ interface(`xen_stream_connect_xenstore',`
+@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
  
  ########################################
  ## <summary>
@@ -58347,7 +58868,7 @@ index 77d41b6..138efd8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -213,14 +253,15 @@ interface(`xen_stream_connect',`
+@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
  interface(`xen_domtrans_xm',`
  	gen_require(`
  		type xm_t, xm_exec_t;
@@ -58365,7 +58886,7 @@ index 77d41b6..138efd8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',`
+@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
  #
  interface(`xen_stream_connect_xm',`
  	gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 245a07b..88b9896 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 2%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,57 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jun 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-5
+- apcupsd needs to read /etc/passwd
+- Sanlock allso sends sigkill
+- Allow glance_registry to connect to the mysqld port
+- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
+- Allow firefox plugins/flash to connect to port 1234
+- Allow mozilla plugins to delete user_tmp_t files
+- Add transition name rule for printers.conf.O
+- Allow virt_lxc_t to read urand
+- Allow systemd_loigind to list gstreamer_home_dirs
+- Fix labeling for /usr/bin
+- Fixes for cloudform services
+  * support FIPS
+- Allow polipo to work as web caching
+- Allow chfn to execute tmux
+
+* Fri Jun 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-4
+- Add support for ecryptfs
+  * ecryptfs does not support xattr
+  * we need labeling for HOMEDIR
+- Add policy for (u)mount.ecryptfs*
+- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache
+- Allow dovecot to manage Maildir content, fix transitions to Maildir
+- Allow postfix_local to transition to dovecot_deliver
+- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
+- Cleanup interface definitions
+- Allow apmd to change with the logind daemon
+- Changes required for sanlock in rhel6
+- Label /run/user/apache as httpd_tmp_t
+- Allow thumb to use lib_t as execmod if boolean turned on
+- Allow squid to create the squid directory in /var with the correct labe
+- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com)
+- Allow virtd to exec xend_exec_t without transition
+- Allow virtd_lxc_t to unmount all file systems
+
+* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
+- PolicyKit path has changed
+- Allow httpd connect to dirsrv socket
+- Allow tuned to write generic kernel sysctls
+- Dontaudit logwatch to gettr on /dev/dm-2
+- Allow policykit-auth to manage kerberos files
+- Make condor_startd and rgmanager as initrc domain
+- Allow virsh to read /etc/passwd
+- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
+- xdm now needs to execute xsession_exec_t
+- Need labels for /var/lib/gdm
+- Fix files_filetrans_named_content() interface
+- Add new attribute - initrc_domain
+- Allow systemd_logind_t to signal, signull, sigkill all processes
+- Add filetrans rules for etc_runtime files
+
 * Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
 - Rename boolean names to remove allow_