++##
+## Receive Raw IP packets from an unlabeled connection.
- ##
- ##
--## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
--## should be used instead of this one.
++##
++##
+## The corenetwork interface corenet_raw_recv_unlabeled() should
+## be used instead of this one.
+##
@@ -16227,24 +16267,10 @@ index e100d88..227ae89 100644
+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
+')
+
-+
-+########################################
-+##
-+## Do not audit attempts to receive Raw IP packets from an unlabeled
-+## connection.
-+##
-+##
-+##
-+## Do not audit attempts to receive Raw IP packets from an unlabeled
-+## connection.
-+##
-+##
-+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
-+## should be used instead of this one.
- ##
- ##
- ##
-@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+
+ ########################################
+ ##
+@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -16269,7 +16295,7 @@ index e100d88..227ae89 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -28059,7 +28085,7 @@ index 3efd5b6..12dca57 100644
+ allow $1 login_pgm:key manage_key_perms;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..dbf639e 100644
+index 09b791d..03657db 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -28337,12 +28363,12 @@ index 09b791d..dbf639e 100644
+systemd_hostnamed_read_config(nsswitch_domain)
+
+
- tunable_policy(`authlogin_nsswitch_use_ldap',`
-- files_list_var_lib(nsswitch_domain)
++tunable_policy(`authlogin_nsswitch_use_ldap',`
+ allow nsswitch_domain self:tcp_socket create_socket_perms;
+')
+
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+- files_list_var_lib(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
@@ -28383,7 +28409,7 @@ index 09b791d..dbf639e 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,10 +520,151 @@ optional_policy(`
+@@ -456,10 +520,155 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@@ -28395,6 +28421,10 @@ index 09b791d..dbf639e 100644
+userdom_manage_all_users_keys(nsswitch_domain)
+optional_policy(`
+ sssd_manage_keys(nsswitch_domain)
++')
++
++optional_policy(`
++ rolekit_manage_keys(nsswitch_domain)
')
optional_policy(`
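Review bot: `rolekit_manage_keys(nsswitch_domain)` grants keyring access in both directions, because the interface as added later in this commit contains `allow rolekit_t $1:key manage_key_perms;` next to the forward rule, so every domain carrying the nsswitch_domain attribute lets rolekit_t manage its keys and vice versa. If the intent is only that nsswitch callers can populate rolekit's keyring, as the parallel `sssd_manage_keys(nsswitch_domain)` line suggests, a one-directional rule or a narrower attribute than nsswitch_domain would keep the blast radius smaller. A comment on the new optional_policy block stating which direction is actually required, e.g. `# nsswitch callers and rolekit_t share keyrings (both directions)`, would make the grant reviewable later.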
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 4917f25..9696771 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9232,7 +9232,7 @@ index 531a8f2..67b6c3d 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 1241123..88edc92 100644
+index 1241123..a3d3001 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9308,15 +9308,17 @@ index 1241123..88edc92 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -187,6 +198,7 @@ optional_policy(`
+@@ -187,7 +198,9 @@ optional_policy(`
')
optional_policy(`
+ kerberos_filetrans_named_content(named_t)
kerberos_read_keytab(named_t)
++ kerberos_read_host_rcache(named_t)
kerberos_use(named_t)
')
-@@ -215,7 +227,8 @@ optional_policy(`
+
+@@ -215,7 +228,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -9326,7 +9328,7 @@ index 1241123..88edc92 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -229,10 +242,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +243,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -9338,7 +9340,7 @@ index 1241123..88edc92 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +254,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +255,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@@ -9348,7 +9350,7 @@ index 1241123..88edc92 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
-@@ -257,7 +272,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +273,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -10803,10 +10805,10 @@ index 0000000..de66654
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
-index 0000000..1076e6a
+index 0000000..cccf2f7
--- /dev/null
+++ b/bumblebee.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,61 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
@@ -10842,6 +10844,7 @@ index 0000000..1076e6a
+
+kernel_read_system_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_dontaudit_write_proc_files(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
@@ -12300,10 +12303,12 @@ index 0000000..f50b201
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143e..a665b32 100644
+index 4e4143e..d5e0260 100644
--- a/chronyd.fc
+++ b/chronyd.fc
-@@ -2,6 +2,8 @@
+@@ -1,7 +1,9 @@
+-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
++/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
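Review bot: The new pattern `/etc/chrony\.keys.*` is wider than the rpmnew case the changelog names: the trailing `.*` matches any file in /etc whose name begins with `chrony.keys`, so an unrelated file such as a locally created `chrony.keys.bak` would also take the chronyd_keys_t label. A pattern limited to the rpm-generated suffixes, e.g. `/etc/chrony\.keys(\.rpm(new|save))? -- gen_context(system_u:object_r:chronyd_keys_t,s0)`, covers the stated case without the open-ended tail.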
@@ -23050,7 +23055,7 @@ index c697edb..31d45bf 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..5b576ff 100644
+index 98a24b9..401ddbc 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -23063,6 +23068,15 @@ index 98a24b9..5b576ff 100644
type dhcpd_state_t;
files_type(dhcpd_state_t)
+@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
+ # Local policy
+ #
+
+-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
++allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid setpcap sys_resource };
+ dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+ allow dhcpd_t self:process { getcap setcap signal_perms };
+ allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
kernel_read_network_state(dhcpd_t)
@@ -28460,7 +28474,7 @@ index 0000000..dc94853
+
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
-index 0000000..65fb9b8
+index 0000000..0ca4fc3
--- /dev/null
+++ b/freeipmi.te
@@ -0,0 +1,79 @@
@@ -28514,7 +28528,7 @@ index 0000000..65fb9b8
+# bmc-watchdog local policy
+#
+
-+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem { unix_read unix_write };
++allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
+
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
@@ -38620,7 +38634,7 @@ index 4fe75fd..b05128a 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..59923df 100644
+index f6c00d8..7b777ab 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -38801,119 +38815,62 @@ index f6c00d8..59923df 100644
##
##
##
-@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
+@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',`
########################################
##
-## Create, read, write, and delete
-## kerberos home files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`kerberos_manage_krb5_home_files',`
-- gen_require(`
-- type krb5_home_t;
-- ')
--
-- userdom_search_user_home_dirs($1)
-- allow $1 krb5_home_t:file manage_file_perms;
--')
--
--########################################
--##
--## Relabel kerberos home files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`kerberos_relabel_krb5_home_files',`
-- gen_require(`
-- type krb5_home_t;
-- ')
--
-- userdom_search_user_home_dirs($1)
-- allow $1 krb5_home_t:file relabel_file_perms;
--')
--
--########################################
--##
--## Create objects in user home
--## directories with the krb5 home type.
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
--#
--interface(`kerberos_home_filetrans_krb5_home',`
-- gen_require(`
-- type krb5_home_t;
-- ')
--
-- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
--')
--
--########################################
--##
--## Read kerberos key table files.
+## Read the kerberos key table.
##
##
##
-@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`kerberos_manage_krb5_home_files',`
++interface(`kerberos_read_keytab',`
+ gen_require(`
+- type krb5_home_t;
++ type krb5_keytab_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 krb5_home_t:file manage_file_perms;
++ files_search_etc($1)
++ allow $1 krb5_keytab_t:file read_file_perms;
+ ')
########################################
##
--## Read and write kerberos key table files.
+-## Relabel kerberos home files.
+## Read/Write the kerberos key table.
##
##
##
-@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
+@@ -210,47 +206,63 @@ interface(`kerberos_manage_krb5_home_files',`
+ ##
+ ##
+ #
+-interface(`kerberos_relabel_krb5_home_files',`
++interface(`kerberos_rw_keytab',`
+ gen_require(`
+- type krb5_home_t;
++ type krb5_keytab_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 krb5_home_t:file relabel_file_perms;
++ files_search_etc($1)
++ allow $1 krb5_keytab_t:file rw_file_perms;
+ ')
########################################
##
--## Create, read, write, and delete
--## kerberos key table files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`kerberos_manage_keytab_files',`
-- gen_require(`
-- type krb5_keytab_t;
-- ')
--
-- files_search_etc($1)
-- allow $1 krb5_keytab_t:file manage_file_perms;
--')
--
--########################################
--##
--## Create specified objects in generic
--## etc directories with the kerberos
--## keytab file type.
+-## Create objects in user home
+-## directories with the krb5 home type.
+## Create keytab file in /etc
##
##
@@ -38929,97 +38886,167 @@ index f6c00d8..59923df 100644
##
##
## The name of the object being created.
-@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
- type krb5_keytab_t;
+ ##
+ ##
+ #
+-interface(`kerberos_home_filetrans_krb5_home',`
++interface(`kerberos_etc_filetrans_keytab',`
+ gen_require(`
+- type krb5_home_t;
++ type krb5_keytab_t;
')
-- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
++')
++
++########################################
++##
++## Create a derived type for kerberos keytab
++##
++##
++##
++## The prefix to be used for deriving type names.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`kerberos_keytab_template',`
++ refpolicywarn(`$0($*) has been deprecated.')
++ kerberos_read_keytab($2)
++ kerberos_use($2)
')
########################################
##
--## Create a derived type for kerberos
--## keytab files.
-+## Create a derived type for kerberos keytab
+-## Read kerberos key table files.
++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
- ##
+ ##
##
-@@ -361,7 +262,7 @@ template(`kerberos_keytab_template',`
+@@ -259,18 +271,18 @@ interface(`kerberos_home_filetrans_krb5_home',`
+ ##
+ ##
+ #
+-interface(`kerberos_read_keytab',`
++interface(`kerberos_read_kdc_config',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 krb5_keytab_t:file read_file_perms;
++ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ ')
########################################
##
--## Read kerberos kdc configuration files.
+-## Read and write kerberos key table files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
-@@ -381,8 +282,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -278,254 +290,255 @@ interface(`kerberos_read_keytab',`
+ ##
+ ##
+ #
+-interface(`kerberos_rw_keytab',`
++interface(`kerberos_read_host_rcache',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5_host_rcache_t;
+ ')
+-
+- files_search_etc($1)
+- allow $1 krb5_keytab_t:file rw_file_perms;
++ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ ')
########################################
##
-## Create, read, write, and delete
--## kerberos host rcache files.
+-## kerberos key table files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
-@@ -396,34 +296,99 @@ interface(`kerberos_manage_host_rcache',`
- type krb5_host_rcache_t;
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`kerberos_manage_keytab_files',`
++interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5_host_rcache_t;
')
+- files_search_etc($1)
+- allow $1 krb5_keytab_t:file manage_file_perms;
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
- domain_obj_id_change_exemption($1)
-
-- tunable_policy(`allow_kerberos',`
++ domain_obj_id_change_exemption($1)
++
+ tunable_policy(`kerberos_enabled',`
- allow $1 self:process setfscreate;
-
- selinux_validate_context($1)
-
- seutil_read_file_contexts($1)
-
++ allow $1 self:process setfscreate;
++
++ selinux_validate_context($1)
++
++ seutil_read_file_contexts($1)
++
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
- files_search_tmp($1)
-- allow $1 krb5_host_rcache_t:file manage_file_perms;
- ')
++ files_search_tmp($1)
++ ')
')
########################################
##
--## Create objects in generic temporary
--## directories with the kerberos host
--## rcache type.
+-## Create specified objects in generic
+-## etc directories with the kerberos
+-## keytab file type.
+## All of the rules required to administrate
+## an kerberos environment
##
##
##
--## Domain allowed to transition.
-+## Domain allowed access.
+ ## Domain allowed access.
##
##
-##
+-##
+-## Class of the object being created.
+-##
+-##
+-##
+##
-+##
+ ##
+-## The name of the object being created.
+## The role to be allowed to manage the kerberos domain.
-+##
-+##
+ ##
+ ##
+##
-+#
+ #
+-interface(`kerberos_etc_filetrans_keytab',`
+interface(`kerberos_admin',`
-+ gen_require(`
+ gen_require(`
+- type krb5_keytab_t;
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
-+ ')
-+
+ ')
+
+- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
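Review bot: The new `kerberos_read_host_rcache` interface only calls `read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)`; unlike `kerberos_manage_host_rcache` just below it, which adds `files_search_tmp($1)`, it does not grant the caller search on the generic tmp directory under which the rcache files live (the kerberos.fc hunk earlier in this commit places them in /var/tmp), so a caller that gets no tmp search elsewhere, such as named_t in the bind.te hunk that consumes this interface, may still be denied. Adding `files_search_tmp($1)` before the `read_files_pattern` line would make the interface self-sufficient. Separately, the summary placed above `kerberos_read_host_rcache`, and the one above `kerberos_manage_host_rcache`, both read `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, a copy of the kdc-config summary; they should say `## Read kerberos host rcache files.` and `## Create, read, write, and delete kerberos host rcache files.` respectively.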
@@ -39059,37 +39086,156 @@ index f6c00d8..59923df 100644
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create a derived type for kerberos
+-## keytab files.
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
-+##
+ ##
+-##
+##
##
+-## The prefix to be used for deriving type names.
++## Domain allowed access.
+ ##
+ ##
+-##
++##
+ ##
+-## Domain allowed access.
++## The name of the object being created.
+ ##
+ ##
+ #
+-template(`kerberos_keytab_template',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- kerberos_read_keytab($2)
+- kerberos_use($2)
++interface(`kerberos_tmp_filetrans_host_rcache',`
++ gen_require(`
++ type krb5_host_rcache_t;
++ ')
++
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+ ')
+
+ ########################################
+ ##
+-## Read kerberos kdc configuration files.
++## Type transition files created in /tmp
++## to the kadmind_tmp type.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+-interface(`kerberos_read_kdc_config',`
++interface(`kerberos_tmp_filetrans_kadmin',`
+ gen_require(`
+- type krb5kdc_conf_t;
++ type kadmind_tmp_t;
+ ')
+
+- files_search_etc($1)
+- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
++ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## kerberos host rcache files.
++## read kerberos homedir content (.k5login)
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`kerberos_manage_host_rcache',`
++interface(`kerberos_read_home_content',`
+ gen_require(`
+- type krb5_host_rcache_t;
++ type krb5_home_t;
+ ')
+
+- domain_obj_id_change_exemption($1)
+-
+- tunable_policy(`allow_kerberos',`
+- allow $1 self:process setfscreate;
+-
+- selinux_validate_context($1)
+-
+- seutil_read_file_contexts($1)
+-
+- files_search_tmp($1)
+- allow $1 krb5_host_rcache_t:file manage_file_perms;
+- ')
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
+ ')
+
+ ########################################
+ ##
+-## Create objects in generic temporary
+-## directories with the kerberos host
+-## rcache type.
++## create kerberos content in the in the /root directory
++## with an correct label.
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
+-##
+-##
+-##
+-##
-## Class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+## Domain allowed access.
##
##
- ##
-@@ -437,12 +402,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
- type krb5_host_rcache_t;
+ #
+-interface(`kerberos_tmp_filetrans_host_rcache',`
++interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
+- type krb5_host_rcache_t;
++ type krb5_home_t;
')
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
')
########################################
##
-## Connect to krb524 service.
-+## read kerberos homedir content (.k5login)
++## Transition to kerberos named content
##
##
##
-@@ -450,82 +416,87 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+-## Domain allowed access.
++## Domain allowed access.
##
##
#
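Review bot: The summary of `kerberos_filetrans_admin_home_content`, which this hunk moves rather than rewrites, still reads `## create kerberos content in the in the /root directory` / `## with an correct label.`; while the block is being touched it should become `## Create kerberos content in the /root directory` / `## with a correct label.`. The new `kerberos_tmp_filetrans_kadmin` interface documents only the type transition, yet its body also grants `manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)`, i.e. create/read/write/delete on kadmind_tmp_t files, so its description should mention that as well; the adjacent `kerberos_tmp_filetrans_host_rcache` has the same omission. The interface header after the final `#` line of this hunk continues in the next hunk.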
@@ -39104,44 +39250,28 @@ index f6c00d8..59923df 100644
-
- corenet_sendrecv_kerberos_master_client_packets($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
-+interface(`kerberos_read_home_content',`
++interface(`kerberos_filetrans_home_content',`
+ gen_require(`
+ type krb5_home_t;
')
+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, krb5_home_t, krb5_home_t)
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
')
########################################
##
-## All of the rules required to
-## administrate an kerberos environment.
-+## create kerberos content in the in the /root directory
-+## with an correct label.
++## Transition to kerberos named content
##
##
##
- ## Domain allowed access.
- ##
- ##
+-## Domain allowed access.
+-##
+-##
-##
-+#
-+interface(`kerberos_filetrans_admin_home_content',`
-+ gen_require(`
-+ type krb5_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
-+')
-+
-+########################################
-+##
-+## Transition to kerberos named content
-+##
-+##
- ##
+-##
-## Role allowed access.
+## Domain allowed access.
##
@@ -39149,14 +39279,14 @@ index f6c00d8..59923df 100644
-##
#
-interface(`kerberos_admin',`
-+interface(`kerberos_filetrans_home_content',`
++interface(`kerberos_filetrans_named_content',`
gen_require(`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
-- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
-+ type krb5_home_t;
++ type krb5kdc_principal_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
@@ -39184,28 +39314,10 @@ index f6c00d8..59923df 100644
-
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
-+')
-
+-
- files_list_etc($1)
- admin_pattern($1, krb5_conf_t)
-+########################################
-+##
-+## Transition to kerberos named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kerberos_filetrans_named_content',`
-+ gen_require(`
-+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-+ type krb5kdc_principal_t;
-+ ')
-
+-
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
@@ -39946,7 +40058,7 @@ index e88fb16..f20248c 100644
+ ')
')
diff --git a/keystone.te b/keystone.te
-index 9929647..4a4ccf1 100644
+index 9929647..3144a89 100644
--- a/keystone.te
+++ b/keystone.te
@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
@@ -40034,8 +40146,8 @@ index 9929647..4a4ccf1 100644
+
+ read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t)
+
-+ corenet_tcp_bind_commplex_main_port(keystone_t)
-+ corenet_tcp_sendrecv_commplex_main_port(keystone_t)
++ corenet_tcp_bind_commplex_main_port(keystone_cgi_script_t)
++ corenet_tcp_sendrecv_commplex_main_port(keystone_cgi_script_t)
')
diff --git a/kismet.if b/kismet.if
index aa2a337..7ff229f 100644
@@ -46092,7 +46204,7 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..6af07aa 100644
+index d15eb5b..25f2cfe 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -46105,7 +46217,13 @@ index d15eb5b..6af07aa 100644
########################################
#
# Local policy
-@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
+ allow modemmanager_t self:process { getsched signal };
+ allow modemmanager_t self:fifo_file rw_fifo_file_perms;
+-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
++allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};
+ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
kernel_read_system_state(modemmanager_t)
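Review bot: `allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};` omits the spaces inside the braces that every other permission set in this file uses (compare the `self:capability` line a few lines above); reference-policy style is `{ connectto create_stream_socket_perms }`. The changed line should read `allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };`.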
@@ -77132,7 +77250,7 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..42203ed 100644
+index dc3b0ed..0675a9c 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@@ -77166,7 +77284,7 @@ index dc3b0ed..42203ed 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
-@@ -27,98 +31,82 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,86 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
@@ -77339,6 +77457,10 @@ index dc3b0ed..42203ed 100644
+optional_policy(`
+ dbus_system_bus_client(rabbitmq_t)
+')
++
++optional_policy(`
++ rpc_read_nfs_state_data(rabbitmq_t)
++')
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
@@ -83300,6 +83422,194 @@ index a7b7717..861aa31 100644
logging_send_syslog_msg(rngd_t)
-miscfiles_read_localization(rngd_t)
+diff --git a/rolekit.fc b/rolekit.fc
+new file mode 100644
+index 0000000..504b6e1
+--- /dev/null
++++ b/rolekit.fc
+@@ -0,0 +1,3 @@
++/usr/lib/systemd/system/rolekit.* -- gen_context(system_u:object_r:rolekit_unit_file_t,s0)
++
++/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0)
+diff --git a/rolekit.if b/rolekit.if
+new file mode 100644
+index 0000000..8d833ed
+--- /dev/null
++++ b/rolekit.if
+@@ -0,0 +1,124 @@
++## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles.
++
++########################################
++##
++## Execute rolekit in the rolekit domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rolekit_domtrans',`
++ gen_require(`
++ type rolekit_t, rolekit_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, rolekit_exec_t, rolekit_t)
++')
++
++########################################
++##
++## Execute rolekit server in the rolekit domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rolekit_systemctl',`
++ gen_require(`
++ type rolekit_t;
++ type rolekit_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 rolekit_unit_file_t:file read_file_perms;
++ allow $1 rolekit_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, rolekit_t)
++')
++#######################################
++##
++## Manage rolekit kernel keyrings.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rolekit_manage_keys',`
++ gen_require(`
++ type rolekit_t;
++ ')
++
++ allow $1 rolekit_t:key manage_key_perms;
++ allow rolekit_t $1:key manage_key_perms;
++')
++
++########################################
++##
++## Send and receive messages from
++## policykit over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rolekit_dbus_chat',`
++ gen_require(`
++ type rolekit_t;
++ class dbus send_msg;
++ ')
++
++ ps_process_pattern(rolekit_t, $1)
++
++ allow $1 rolekit_t:dbus send_msg;
++ allow rolekit_t $1:dbus send_msg;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an rolekit environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`rolekit_admin',`
++ gen_require(`
++ type rolekit_t;
++ type rolekit_unit_file_t;
++ ')
++
++ allow $1 rolekit_t:process { signal_perms };
++ ps_process_pattern($1, rolekit_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rolekit_t:process ptrace;
++ ')
++
++ rolekit_systemctl($1)
++ admin_pattern($1, rolekit_unit_file_t)
++ allow $1 rolekit_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/rolekit.te b/rolekit.te
+new file mode 100644
+index 0000000..da7bd10
+--- /dev/null
++++ b/rolekit.te
+@@ -0,0 +1,43 @@
++policy_module(rolekit, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rolekit_t;
++type rolekit_exec_t;
++init_daemon_domain(rolekit_t, rolekit_exec_t)
++
++type rolekit_tmp_t;
++files_tmp_file(rolekit_tmp_t)
++
++type rolekit_unit_file_t;
++systemd_unit_file(rolekit_unit_file_t)
++
++########################################
++#
++# rolekit local policy
++#
++
++allow rolekit_t self:fifo_file rw_fifo_file_perms;
++allow rolekit_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
++manage_dirs_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
++files_tmp_filetrans(rolekit_t, rolekit_tmp_t, { file dir })
++
++kernel_read_system_state(rolekit_t)
++
++auth_use_nsswitch(rolekit_t)
++
++optional_policy(`
++ sssd_domtrans(rolekit_t)
++')
++
++optional_policy(`
++ unconfined_domain_noaudit(rolekit_t)
++ #should be changed for debugging
++ #unconfined_domain(rolekit_t)
++ domain_named_filetrans(rolekit_t)
++')
diff --git a/roundup.if b/roundup.if
index 975bb6a..ce4f5ea 100644
--- a/roundup.if
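Review bot: rolekit.te places the daemon in `unconfined_domain_noaudit(rolekit_t)` inside an optional_policy block, so whenever that block is active rolekit_t presumably runs without type enforcement and, because of the noaudit variant, without denial logging, which also makes the module's other allow rules effectively redundant; the file's own comment (`#should be changed for debugging`) suggests this is meant to be temporary. That decision deserves a comment stating why the domain is unconfined and what blocks a confined policy, e.g. `# rolekit is unconfined until its access pattern is known; denials are suppressed`. In rolekit.if, the `rolekit_dbus_chat` summary reads `## policykit over dbus.` where it should say `## rolekit over dbus.`, `rolekit_domtrans` has `domin` for `domain`, and `rolekit_systemctl` is described as `## Execute rolekit server in the rolekit domain.` although it grants systemctl access to the unit file rather than a domain transition. `rolekit_manage_keys` also grants `manage_key_perms` in both directions, which its caller in the authlogin.te hunk should document.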
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c4549f8..1e58600 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 88%{?dist}
+Release: 89%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Oct 29 2014 Lukas Vrabec 3.13.1-89
+- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
+- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
+- Allow rabbitmq to read nfs state data. BZ(1122412)
+- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
+- Add rolekit policy
+- ALlow rolekit domtrans to sssd_t.
+- Add kerberos_tmp_filetrans_kadmin() interface.
+- rolekit should be noaudit.
+- Add rolekit_manage_keys().
+- Need to label rpmnew file correctly
+- Allow modemmanger to connectto itself
+
* Tue Oct 21 2014 Lukas Vrabec 3.13.1-88
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Allow osad to connect to jabber client port. BZ (1154242)