diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 26827c4..377dc48 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1017,16 +1017,18 @@ index d218387..c2541c2 100644
  # MLS policy for the process class
  #
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..bf04b0a 100644
+index 7a6f06f..5745bb2 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
 @@ -1,9 +1,16 @@
--
 +/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
- /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
- /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-+/etc/zipl\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/lilo\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/yaboot\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/zipl\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
  
+-/etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+-/etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+-
 -/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
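Review bot: The rewritten lilo, yaboot and zipl entries at L19-L21 drop the `--` object-class qualifier, so the `\.conf.*` regexes now label any inode type (a directory, symlink or socket whose name starts with `lilo.conf`) as bootloader_etc_t instead of only regular files, while `/etc/default/grub` on the line above keeps `--`. If the widening is deliberate, for example to pick up a `.conf.d` directory, say so above the entries: `# no -- : also label *.conf.d directories`. Otherwise restore the qualifier on all three, e.g. `/etc/zipl\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)`, since a mislabeled directory under /etc becomes writable by every domain that may manage bootloader_etc_t.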
@@ -1195,7 +1197,7 @@ index cc8df9d..34c2a4e 100644
 +	files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
 +')
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index e3dbbb8..f766e86 100644
+index e3dbbb8..a99f6e9 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2)
@@ -1301,18 +1303,19 @@ index e3dbbb8..f766e86 100644
  init_getattr_initctl(bootloader_t)
  init_use_script_ptys(bootloader_t)
  init_use_script_fds(bootloader_t)
-@@ -118,19 +142,21 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,19 +142,20 @@ init_rw_script_pipes(bootloader_t)
  
  libs_read_lib_files(bootloader_t)
  libs_exec_lib_files(bootloader_t)
 +libs_exec_ld_so(bootloader_t)
-+
-+auth_use_nsswitch(bootloader_t)
  
- logging_send_syslog_msg(bootloader_t)
- logging_rw_generic_logs(bootloader_t)
+-logging_send_syslog_msg(bootloader_t)
+-logging_rw_generic_logs(bootloader_t)
++auth_use_nsswitch(bootloader_t)
  
 -miscfiles_read_localization(bootloader_t)
++logging_send_syslog_msg(bootloader_t)
++logging_manage_generic_logs(bootloader_t)
  
  modutils_domtrans_insmod(bootloader_t)
  
@@ -1326,7 +1329,7 @@ index e3dbbb8..f766e86 100644
  userdom_dontaudit_search_user_home_dirs(bootloader_t)
  
  ifdef(`distro_debian',`
-@@ -166,7 +192,8 @@ ifdef(`distro_redhat',`
+@@ -166,7 +191,8 @@ ifdef(`distro_redhat',`
  	files_manage_isid_type_chr_files(bootloader_t)
  
  	# for mke2fs
@@ -1336,7 +1339,7 @@ index e3dbbb8..f766e86 100644
  
  	optional_policy(`
  		unconfined_domain(bootloader_t)
-@@ -174,6 +201,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -1347,7 +1350,7 @@ index e3dbbb8..f766e86 100644
  	fstools_exec(bootloader_t)
  ')
  
-@@ -183,6 +214,14 @@ optional_policy(`
+@@ -183,6 +213,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1362,7 +1365,7 @@ index e3dbbb8..f766e86 100644
  	kudzu_domtrans(bootloader_t)
  ')
  
-@@ -195,17 +234,18 @@ optional_policy(`
+@@ -195,17 +233,18 @@ optional_policy(`
  
  optional_policy(`
  	modutils_exec_insmod(bootloader_t)
@@ -2373,7 +2376,7 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..ce0c1b4 100644
+index d555767..34e1e8c 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2846,7 +2849,7 @@ index d555767..ce0c1b4 100644
 +')
 +
 +optional_policy(`
-+    openshift_manage_lib_dirs(useradd_t)
++    openshift_manage_content(useradd_t)
  ')
  
  optional_policy(`
@@ -5167,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..999b8f1 100644
+index 4edc40d..68176bb 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5283,8 +5286,9 @@ index 4edc40d..999b8f1 100644
  network_port(epmap, tcp,135,s0, udp,135,s0)
  network_port(epmd, tcp,4369,s0, udp,4369,s0)
  network_port(fingerd, tcp,79,s0)
+-network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
- network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
++network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(gds_db, tcp,3050,s0, udp,3050,s0)
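Review bot: The new `ftp` line adds tcp/udp 989 to ftp_port_t next to 990, but per the IANA registry 989 is ftps-data while 990 is the ftps control channel, and this file already keeps data apart from control with `network_port(ftp_data, tcp,20,s0)`. Grouping 989 under ftp_port_t means every domain allowed to bind or connect to the FTP control port also gets the implicit-TLS data port, which erodes the distinction the ftp_data type exists for. Consider `network_port(ftp_data, tcp,20,s0, tcp,989,s0, udp,989,s0)` instead, or add a comment explaining why the data port is deliberately labeled as control here.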
@@ -5642,7 +5646,7 @@ index b31c054..17e11e0 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..7a424f4 100644
+index 76f285e..48504fe 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -5878,7 +5882,32 @@ index 76f285e..7a424f4 100644
  ')
  
  ########################################
-@@ -1003,6 +1112,26 @@ interface(`dev_getattr_all_blk_files',`
+@@ -877,6 +986,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
+ 
+ ########################################
+ ## <summary>
++##	Read block device files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_generic_blk_files',`
++	gen_require(`
++		type device_t;
++	')
++
++	read_blk_files_pattern($1, device_t, device_t)
++')
++
++########################################
++## <summary>
+ ##	Create, delete, read, and write block device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1003,6 +1130,26 @@ interface(`dev_getattr_all_blk_files',`
  
  ########################################
  ## <summary>
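Review bot: The summary of the new `dev_read_generic_blk_files` interface says only "Read block device files", but its body `read_blk_files_pattern($1, device_t, device_t)` grants read on block nodes that still carry the generic device_t label, not on block devices with a specific type such as fixed_disk_device_t; a caller reading the summary alone could assume broader coverage. Reword it to match the neighbouring generic-device interfaces: `##	Read generic block device files (nodes still labeled device_t).` A short `<desc>` noting that specifically typed block devices are unaffected would also help, since this interface is exactly what the hide_broken_symptoms workaround elsewhere in this patch relies on.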
@@ -5905,7 +5934,7 @@ index 76f285e..7a424f4 100644
  ##	Dontaudit getattr on all block file device nodes.
  ## </summary>
  ## <param name="domain">
-@@ -1034,6 +1163,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+@@ -1034,6 +1181,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
  interface(`dev_getattr_all_chr_files',`
  	gen_require(`
  		attribute device_node;
@@ -5913,7 +5942,7 @@ index 76f285e..7a424f4 100644
  	')
  
  	getattr_chr_files_pattern($1, device_t, device_node)
-@@ -1206,6 +1336,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1206,6 +1354,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -5956,7 +5985,7 @@ index 76f285e..7a424f4 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1560,25 +1726,6 @@ interface(`dev_relabel_autofs_dev',`
+@@ -1560,25 +1744,6 @@ interface(`dev_relabel_autofs_dev',`
  
  ########################################
  ## <summary>
@@ -5982,7 +6011,7 @@ index 76f285e..7a424f4 100644
  ##	Read and write the PCMCIA card manager device.
  ## </summary>
  ## <param name="domain">
-@@ -1682,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',`
+@@ -1682,6 +1847,26 @@ interface(`dev_filetrans_cardmgr',`
  
  ########################################
  ## <summary>
@@ -6009,7 +6038,7 @@ index 76f285e..7a424f4 100644
  ##	Get the attributes of the CPU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -1791,6 +1958,24 @@ interface(`dev_rw_crypto',`
+@@ -1791,6 +1976,24 @@ interface(`dev_rw_crypto',`
  	rw_chr_files_pattern($1, device_t, crypt_device_t)
  ')
  
@@ -6034,7 +6063,7 @@ index 76f285e..7a424f4 100644
  #######################################
  ## <summary>
  ##	Set the attributes of the dlm control devices.
-@@ -2402,7 +2587,7 @@ interface(`dev_filetrans_lirc',`
+@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',`
  
  ########################################
  ## <summary>
@@ -6043,7 +6072,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2410,17 +2595,17 @@ interface(`dev_filetrans_lirc',`
+@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',`
  ##	</summary>
  ## </param>
  #
@@ -6065,7 +6094,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2428,17 +2613,17 @@ interface(`dev_getattr_lvm_control',`
+@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -6087,7 +6116,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2446,17 +2631,17 @@ interface(`dev_read_lvm_control',`
+@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -6109,7 +6138,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2464,17 +2649,17 @@ interface(`dev_rw_lvm_control',`
+@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -6131,7 +6160,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2482,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
  ##	</summary>
  ## </param>
  #
@@ -6176,7 +6205,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2518,44 +2703,134 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',`
  ##	</summary>
  ## </param>
  #
@@ -6193,40 +6222,32 @@ index 76f285e..7a424f4 100644
 -	allow $1 self:capability sys_rawio;
 -	typeattribute $1 memory_raw_read;
 +	read_chr_files_pattern($1, device_t, lvm_control_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read raw memory devices
--##	(e.g. /dev/mem).
++')
++
++########################################
++## <summary>
 +##	Read and write the lvm control device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_read_raw_memory',`
++##	</summary>
++## </param>
++#
 +interface(`dev_rw_lvm_control',`
- 	gen_require(`
--		type memory_device_t;
++	gen_require(`
 +		type device_t, lvm_control_t;
- 	')
- 
--	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
++	')
++
 +	rw_chr_files_pattern($1, device_t, lvm_control_t)
- ')
- 
- ########################################
- ## <summary>
--##	Write raw memory devices (e.g. /dev/mem).
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to read and write lvm control device.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
@@ -6295,38 +6316,10 @@ index 76f285e..7a424f4 100644
 +
 +	allow $1 self:capability sys_rawio;
 +	typeattribute $1 memory_raw_read;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read raw memory devices
-+##	(e.g. /dev/mem).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_read_raw_memory',`
-+	gen_require(`
-+		type memory_device_t;
-+	')
-+
-+	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Write raw memory devices (e.g. /dev/mem).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-@@ -2725,7 +3000,7 @@ interface(`dev_write_misc',`
+ ')
+ 
+ ########################################
+@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -6335,7 +6328,7 @@ index 76f285e..7a424f4 100644
  ##	</summary>
  ## </param>
  #
-@@ -2903,20 +3178,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',`
  
  ########################################
  ## <summary>
@@ -6360,7 +6353,7 @@ index 76f285e..7a424f4 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2925,43 +3200,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -6416,7 +6409,7 @@ index 76f285e..7a424f4 100644
  ##	range registers (MTRR).
  ## </summary>
  ## <param name="domain">
-@@ -2970,13 +3236,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',`
  ##	</summary>
  ## </param>
  #
@@ -6433,7 +6426,7 @@ index 76f285e..7a424f4 100644
  ')
  
  ########################################
-@@ -3144,6 +3410,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
@@ -6476,7 +6469,7 @@ index 76f285e..7a424f4 100644
  ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
-@@ -3163,6 +3465,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
  
  ########################################
  ## <summary>
@@ -6501,7 +6494,7 @@ index 76f285e..7a424f4 100644
  ##	Read and write BIOS non-volatile RAM.
  ## </summary>
  ## <param name="domain">
-@@ -3254,7 +3574,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -6528,7 +6521,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3600,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -6545,7 +6538,7 @@ index 76f285e..7a424f4 100644
  ')
  
  ########################################
-@@ -3855,7 +4194,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -6554,7 +6547,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3863,53 +4202,53 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -6619,7 +6612,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3917,37 +4256,35 @@ interface(`dev_list_sysfs',`
+@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -6664,7 +6657,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3955,47 +4292,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -6719,7 +6712,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4003,20 +4328,18 @@ interface(`dev_read_sysfs',`
+@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -6742,7 +6735,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4024,21 +4347,210 @@ interface(`dev_rw_sysfs',`
+@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -6766,6 +6759,7 @@ index 76f285e..7a424f4 100644
 -## <desc>
 -##	<p>
 -##	Allow the specified domain to read from pseudo random number
+-##	generator devices (e.g., /dev/urandom).  Typically this is
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
@@ -6957,10 +6951,11 @@ index 76f285e..7a424f4 100644
 +## <desc>
 +##	<p>
 +##	Allow the specified domain to read from pseudo random number
- ##	generator devices (e.g., /dev/urandom).  Typically this is
++##	generator devices (e.g., /dev/urandom).  Typically this is
  ##	used in situations when a cryptographically secure random
  ##	number is not necessarily needed.  One example is the Stack
-@@ -4113,6 +4625,25 @@ interface(`dev_write_urand',`
+ ##	Smashing Protector (SSP, formerly known as ProPolice) support
+@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -6986,7 +6981,7 @@ index 76f285e..7a424f4 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4409,9 +4940,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',`
  	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
  ')
  
@@ -6998,7 +6993,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +4950,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',`
  ##	</summary>
  ## </param>
  #
@@ -7021,7 +7016,7 @@ index 76f285e..7a424f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,12 +4968,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7037,7 +7032,7 @@ index 76f285e..7a424f4 100644
  ')
  
  ########################################
-@@ -4539,6 +5070,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',`
  
  ########################################
  ## <summary>
@@ -7172,7 +7167,7 @@ index 76f285e..7a424f4 100644
  ##	Allow read/write the vhost net device
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5216,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -7197,7 +7192,7 @@ index 76f285e..7a424f4 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5439,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -7224,7 +7219,7 @@ index 76f285e..7a424f4 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5548,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15703,6 +15698,20 @@ index 1700ef2..38b597e 100644
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
 +
 +')
+diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
+index 156c333..02f5a3c 100644
+--- a/policy/modules/kernel/storage.te
++++ b/policy/modules/kernel/storage.te
+@@ -57,3 +57,9 @@ dev_node(tape_device_t)
+ 
+ allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
+ allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
++
++# Since block devices are some times used before being labeled correctly
++ifdef(`hide_broken_symptoms',`
++	dev_read_generic_blk_files(fixed_disk_raw_read)
++	dev_manage_generic_blk_files(fixed_disk_raw_write)
++')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
 index 7d45d15..22c9cfe 100644
 --- a/policy/modules/kernel/terminal.fc
@@ -19340,10 +19349,10 @@ index 346d011..3e23acb 100644
 +	')
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 76d9f66..5cb2095 100644
+index 76d9f66..21c96cf 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,4 +1,15 @@
+@@ -1,4 +1,16 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
@@ -19353,13 +19362,14 @@ index 76d9f66..5cb2095 100644
 +/var/lib/nocpulse/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/stickshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/openshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/openshift/gear/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/pgsql/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
  
  /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
  /etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -8,9 +19,16 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -8,9 +20,16 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
  /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
  
  /usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
@@ -20792,120 +20802,135 @@ index d1f64a0..8f50bb9 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..9388756 100644
+index 6bf0ecc..8715521 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
-@@ -19,9 +19,10 @@
+@@ -18,100 +18,37 @@
+ #
  interface(`xserver_restricted_role',`
  	gen_require(`
- 		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
+-		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
 -		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-+		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
- 		type iceauth_t, iceauth_exec_t, iceauth_home_t;
- 		type xauth_t, xauth_exec_t, xauth_home_t;
-+		class dbus send_msg;
+-		type iceauth_t, iceauth_exec_t, iceauth_home_t;
+-		type xauth_t, xauth_exec_t, xauth_home_t;
++		type xserver_t, xauth_t, iceauth_t;
++		attribute dridomain, x_userdomain;
  	')
  
  	role $1 types { xserver_t xauth_t iceauth_t };
-@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',`
- 	allow xserver_t $2:fd use;
- 	allow xserver_t $2:shm rw_shm_perms;
++	typeattribute $2 x_userdomain, dridomain;
  
+-	# Xserver read/write client shm
+-	allow xserver_t $2:fd use;
+-	allow xserver_t $2:shm rw_shm_perms;
+-
 -	allow xserver_t $2:process signal;
-+	allow xserver_t $2:process { getpgid signal };
- 
- 	allow xserver_t $2:shm rw_shm_perms;
- 
- 	allow $2 user_fonts_t:dir list_dir_perms;
- 	allow $2 user_fonts_t:file read_file_perms;
-+	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
- 
- 	allow $2 user_fonts_config_t:dir list_dir_perms;
- 	allow $2 user_fonts_config_t:file read_file_perms;
-@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',`
- 	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- 
- 	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+	allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
-+	dontaudit $2 xdm_tmp_t:sock_file setattr_sock_file_perms;
- 	files_search_tmp($2)
- 
- 	# Communicate via System V shared memory.
-@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',`
- 
- 	# for when /tmp/.X11-unix is created by the system
- 	allow $2 xdm_t:fd use;
+-
+-	allow xserver_t $2:shm rw_shm_perms;
+-
+-	allow $2 user_fonts_t:dir list_dir_perms;
+-	allow $2 user_fonts_t:file read_file_perms;
+-
+-	allow $2 user_fonts_config_t:dir list_dir_perms;
+-	allow $2 user_fonts_config_t:file read_file_perms;
+-
+-	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+-	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+-
+-	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+-	files_search_tmp($2)
+-
+-	# Communicate via System V shared memory.
+-	allow $2 xserver_t:shm r_shm_perms;
+-	allow $2 xserver_tmpfs_t:file read_file_perms;
+-
+-	# allow ps to show iceauth
+-	ps_process_pattern($2, iceauth_t)
+-
+-	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+-
+-	allow $2 iceauth_home_t:file read_file_perms;
+-
+-	domtrans_pattern($2, xauth_exec_t, xauth_t)
+-
+-	allow $2 xauth_t:process signal;
+-
+-	# allow ps to show xauth
+-	ps_process_pattern($2, xauth_t)
+-	allow $2 xserver_t:process signal;
+-
+-	allow $2 xauth_home_t:file read_file_perms;
+-
+-	# for when /tmp/.X11-unix is created by the system
+-	allow $2 xdm_t:fd use;
 -	allow $2 xdm_t:fifo_file { getattr read write ioctl };
 -	allow $2 xdm_tmp_t:dir search;
 -	allow $2 xdm_tmp_t:sock_file { read write };
-+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+	allow $2 xdm_tmp_t:dir search_dir_perms;
-+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
- 	dontaudit $2 xdm_t:tcp_socket { read write };
-+	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
-+
-+	allow $2 xdm_t:dbus send_msg;
-+	allow xdm_t  $2:dbus send_msg;
- 
- 	# Client read xserver shm
- 	allow $2 xserver_t:fd use;
- 	allow $2 xserver_tmpfs_t:file read_file_perms;
- 
- 	# Read /tmp/.X0-lock
+-	dontaudit $2 xdm_t:tcp_socket { read write };
+-
+-	# Client read xserver shm
+-	allow $2 xserver_t:fd use;
+-	allow $2 xserver_tmpfs_t:file read_file_perms;
+-
+-	# Read /tmp/.X0-lock
 -	allow $2 xserver_tmp_t:file { getattr read };
-+	allow $2 xserver_tmp_t:file read_inherited_file_perms;
- 
- 	dev_rw_xserver_misc($2)
- 	dev_rw_power_management($2)
-@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',`
- 	dev_write_misc($2)
- 	# open office is looking for the following
- 	dev_getattr_agp_dev($2)
+-
+-	dev_rw_xserver_misc($2)
+-	dev_rw_power_management($2)
+-	dev_read_input($2)
+-	dev_read_misc($2)
+-	dev_write_misc($2)
+-	# open office is looking for the following
+-	dev_getattr_agp_dev($2)
 -	dev_dontaudit_rw_dri($2)
-+
- 	# GNOME checks for usb and other devices:
- 	dev_rw_usbfs($2)
- 
- 	miscfiles_read_fonts($2)
-+	miscfiles_setattr_fonts_cache_dirs($2)
-+	miscfiles_read_hwdata($2)
+-	# GNOME checks for usb and other devices:
+-	dev_rw_usbfs($2)
+-
+-	miscfiles_read_fonts($2)
++    xserver_common_x_domain_template(user,$2)
++    xserver_stream_connect_xdm($2)
++    xserver_xdm_append_log($2)
  
- 	xserver_common_x_domain_template(user, $2)
- 	xserver_domtrans($2)
+-	xserver_common_x_domain_template(user, $2)
+-	xserver_domtrans($2)
 -	xserver_unconfined($2)
-+	#xserver_unconfined($2)
- 	xserver_xsession_entry_type($2)
- 	xserver_dontaudit_write_log($2)
- 	xserver_stream_connect_xdm($2)
-@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',`
- 	xserver_create_xdm_tmp_sockets($2)
- 	# Needed for escd, remove if we get escd policy
- 	xserver_manage_xdm_tmp_files($2)
-+	xserver_read_xdm_etc_files($2)
-+	xserver_xdm_append_log($2)
-+
-+	term_use_virtio_console($2)
-+
+-	xserver_xsession_entry_type($2)
+-	xserver_dontaudit_write_log($2)
+-	xserver_stream_connect_xdm($2)
+-	# certain apps want to read xdm.pid file
+-	xserver_read_xdm_pid($2)
+-	# gnome-session creates socket under /tmp/.ICE-unix/
+-	xserver_create_xdm_tmp_sockets($2)
+-	# Needed for escd, remove if we get escd policy
+-	xserver_manage_xdm_tmp_files($2)
 +	modutils_run_insmod(xserver_t, $1)
++	xserver_dri_domain($2)
++')
  
- 	# Client write xserver shm
+-	# Client write xserver shm
 -	tunable_policy(`allow_write_xshm',`
-+	tunable_policy(`xserver_clients_write_xshm',`
- 		allow $2 xserver_t:shm rw_shm_perms;
- 		allow $2 xserver_tmpfs_t:file rw_file_perms;
+-		allow $2 xserver_t:shm rw_shm_perms;
+-		allow $2 xserver_tmpfs_t:file rw_file_perms;
++########################################
++## <summary>
++##	Domain wants to use direct io devices
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_dri_domain',`
++	gen_require(`
++		attribute dridomain;
  	')
 +
-+	tunable_policy(`selinuxuser_direct_dri_enabled',`
-+		dev_rw_dri($2)
-+	')
-+
-+	optional_policy(`
-+		gnome_read_gconf_config($2)
-+	')
++	typeattribute $1 dridomain;
  ')
  
  ########################################
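Review bot: In the rewritten `xserver_restricted_role`, `typeattribute $2 x_userdomain, dridomain;` already puts the user domain in dridomain, so the `xserver_dri_domain($2)` call further down adds it a second time; one of the two should go. The old body only granted `dev_rw_dri($2)` inside `tunable_policy(selinuxuser_direct_dri_enabled, ...)`, and that gate is removed here, so the restricted role now appears to hand out whatever access the dridomain attribute carries unconditionally; if that is intended, say so in the interface description, otherwise keep the tunable around the dridomain assignment. The summary of the new `xserver_dri_domain` interface, "Domain wants to use direct io devices", reads like raw I/O access; `##	Mark the domain as a DRI (direct rendering) client via the dridomain attribute.` describes what the body does. The three calls `xserver_common_x_domain_template(user,$2)`, `xserver_stream_connect_xdm($2)` and `xserver_xdm_append_log($2)` are indented with spaces where the rest of the file uses tabs.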
-@@ -143,13 +167,15 @@ interface(`xserver_role',`
+@@ -143,13 +80,15 @@ interface(`xserver_role',`
  	allow $2 xserver_tmpfs_t:file rw_file_perms;
  
  	allow $2 iceauth_home_t:file manage_file_perms;
@@ -20923,7 +20948,7 @@ index 6bf0ecc..9388756 100644
  	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
  	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
  
-@@ -162,7 +188,6 @@ interface(`xserver_role',`
+@@ -162,7 +101,6 @@ interface(`xserver_role',`
  	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -20931,7 +20956,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  #######################################
-@@ -197,7 +222,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +135,7 @@ interface(`xserver_ro_session',`
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -20940,7 +20965,7 @@ index 6bf0ecc..9388756 100644
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -227,7 +252,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +165,7 @@ interface(`xserver_rw_session',`
  		type xserver_t, xserver_tmpfs_t;
  	')
  
@@ -20949,7 +20974,7 @@ index 6bf0ecc..9388756 100644
  	allow $1 xserver_t:shm rw_shm_perms;
  	allow $1 xserver_tmpfs_t:file rw_file_perms;
  ')
-@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +193,7 @@ interface(`xserver_non_drawing_client',`
  
  	allow $1 self:x_gc { create setattr };
  
@@ -20958,7 +20983,7 @@ index 6bf0ecc..9388756 100644
  	allow $1 xserver_t:unix_stream_socket connectto;
  
  	allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +316,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +229,13 @@ interface(`xserver_user_client',`
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -20976,7 +21001,7 @@ index 6bf0ecc..9388756 100644
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
  
-@@ -316,7 +341,7 @@ interface(`xserver_user_client',`
+@@ -316,7 +254,7 @@ interface(`xserver_user_client',`
  	xserver_read_xdm_tmp_files($1)
  
  	# Client write xserver shm
@@ -20985,7 +21010,7 @@ index 6bf0ecc..9388756 100644
  		allow $1 xserver_t:shm rw_shm_perms;
  		allow $1 xserver_tmpfs_t:file rw_file_perms;
  	')
-@@ -342,19 +367,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +280,23 @@ interface(`xserver_user_client',`
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -21012,7 +21037,7 @@ index 6bf0ecc..9388756 100644
  	')
  
  	##############################
-@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +328,15 @@ template(`xserver_common_x_domain_template',`
  	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
@@ -21028,7 +21053,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  #######################################
-@@ -444,8 +482,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +395,9 @@ template(`xserver_object_types_template',`
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -21040,7 +21065,7 @@ index 6bf0ecc..9388756 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,13 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +408,13 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
@@ -21056,7 +21081,7 @@ index 6bf0ecc..9388756 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +513,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +426,26 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -21086,7 +21111,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -517,6 +564,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +477,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -21094,7 +21119,7 @@ index 6bf0ecc..9388756 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +595,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +508,42 @@ interface(`xserver_domtrans_xauth',`
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
  ')
  
@@ -21137,7 +21162,7 @@ index 6bf0ecc..9388756 100644
  ########################################
  ## <summary>
  ##	Create a Xauthority file in the user home directory.
-@@ -567,6 +651,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
+@@ -567,6 +564,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
  
  ########################################
  ## <summary>
@@ -21162,7 +21187,7 @@ index 6bf0ecc..9388756 100644
  ##	Read all users fonts, user font configurations,
  ##	and manage all users font caches.
  ## </summary>
-@@ -598,6 +700,25 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +613,25 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -21188,7 +21213,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -615,7 +736,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +649,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -21197,7 +21222,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -638,6 +759,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +672,25 @@ interface(`xserver_rw_console',`
  
  ########################################
  ## <summary>
@@ -21223,7 +21248,7 @@ index 6bf0ecc..9388756 100644
  ##	Use file descriptors for xdm.
  ## </summary>
  ## <param name="domain">
-@@ -651,7 +791,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +704,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -21232,7 +21257,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -670,7 +810,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +723,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -21241,7 +21266,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -688,7 +828,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +741,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -21250,7 +21275,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -703,12 +843,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +756,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -21264,7 +21289,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -765,11 +904,92 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -21359,7 +21384,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -793,6 +1013,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +926,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -21385,7 +21410,7 @@ index 6bf0ecc..9388756 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -806,7 +1045,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +958,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -21412,7 +21437,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -846,7 +1103,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1016,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -21440,7 +21465,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -869,6 +1145,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1058,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -21465,14 +21490,15 @@ index 6bf0ecc..9388756 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -938,7 +1232,26 @@ interface(`xserver_getattr_log',`
+@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
 -	allow $1 xserver_log_t:file getattr;
 +	allow $1 xserver_log_t:file getattr_file_perms;
-+')
-+
+ ')
+ 
+-########################################
 +#######################################
 +## <summary>
 +##  Allow domain to read X server logs.
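Review bot: The rebased inner hunk now carries a `-########################################` / `+#######################################` pair around the new `xserver_read_log` interface, i.e. the inner patch deletes upstream's 40-character separator and reintroduces a 39-character one, which is a purely cosmetic one-character change against the upstream file; the same restructuring continues in the next outer hunk, where `++########################################` is added before `xserver_dontaudit_write_log`. Giving the new interface's header the same full-width separator as the line being removed would let diff keep that line as context and leave only the intended addition in the hunk. The body of `xserver_read_log` also indents with four spaces (`+    logging_search_logs($1)`) where the surrounding interfaces use tabs, but those lines are context here, so that is inherited from the previous revision rather than introduced by this commit.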
@@ -21490,10 +21516,13 @@ index 6bf0ecc..9388756 100644
 +
 +    logging_search_logs($1)
 +    allow $1 xserver_log_t:file read_file_perms;
- ')
- 
- ########################################
-@@ -957,7 +1270,7 @@ interface(`xserver_dontaudit_write_log',`
++')
++
++########################################
+ ## <summary>
+ ##	Do not audit attempts to write the X server
+ ##	log files.
+@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -21502,167 +21531,84 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -1004,7 +1317,7 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
--##	Read xdm temporary files.
 +##	dontaudit access checks X keyboard extension libraries.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1012,56 +1325,57 @@ interface(`xserver_read_xkb_libs',`
- ##	</summary>
- ## </param>
- #
--interface(`xserver_read_xdm_tmp_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`xserver_dontaudit_xkb_libs_access',`
- 	gen_require(`
--		type xdm_tmp_t;
-+		type xkb_var_lib_t;
- 	')
- 
-- 	files_search_tmp($1)
--	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+	dontaudit $1 xkb_var_lib_t:dir audit_access;
-+	dontaudit $1 xkb_var_lib_t:file audit_access;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read xdm temporary files.
-+##	Read xdm config files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain to not audit
- ##	</summary>
- ## </param>
- #
--interface(`xserver_dontaudit_read_xdm_tmp_files',`
-+interface(`xserver_read_xdm_etc_files',`
- 	gen_require(`
--		type xdm_tmp_t;
-+		type xdm_etc_t;
- 	')
- 
--	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
--	dontaudit $1 xdm_tmp_t:file read_file_perms;
-+	files_search_etc($1)
-+	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+	read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read write xdm temporary files.
-+##	Manage xdm config files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit
- ##	</summary>
- ## </param>
- #
--interface(`xserver_rw_xdm_tmp_files',`
-+interface(`xserver_manage_xdm_etc_files',`
- 	gen_require(`
--		type xdm_tmp_t;
-+		type xdm_etc_t;
- 	')
- 
--	allow $1 xdm_tmp_t:dir search_dir_perms;
--	allow $1 xdm_tmp_t:file rw_file_perms;
-+	files_search_etc($1)
-+	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete xdm temporary files.
-+##	Read xdm temporary files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1069,18 +1383,18 @@ interface(`xserver_rw_xdm_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`xserver_manage_xdm_tmp_files',`
-+interface(`xserver_read_xdm_tmp_files',`
- 	gen_require(`
- 		type xdm_tmp_t;
- 	')
- 
--	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+	files_search_tmp($1)
-+	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes of
--##	xdm temporary named sockets.
-+##	Do not audit attempts to read xdm temporary files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1088,12 +1402,105 @@ interface(`xserver_manage_xdm_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
-+interface(`xserver_dontaudit_read_xdm_tmp_files',`
 +	gen_require(`
-+		type xdm_tmp_t;
++		type xkb_var_lib_t;
 +	')
 +
-+	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
-+	dontaudit $1 xdm_tmp_t:file read_file_perms;
++	dontaudit $1 xkb_var_lib_t:dir audit_access;
++	dontaudit $1 xkb_var_lib_t:file audit_access;
 +')
 +
 +########################################
 +## <summary>
-+##	Read write xdm temporary files.
++##	Read xdm config files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit
 +##	</summary>
 +## </param>
 +#
-+interface(`xserver_rw_xdm_tmp_files',`
++interface(`xserver_read_xdm_etc_files',`
 +	gen_require(`
-+		type xdm_tmp_t;
++		type xdm_etc_t;
 +	')
 +
-+	allow $1 xdm_tmp_t:dir search_dir_perms;
-+	allow $1 xdm_tmp_t:file rw_file_perms;
++	files_search_etc($1)
++	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
++	read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete xdm temporary files.
++##	Manage xdm config files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit
 +##	</summary>
 +## </param>
 +#
-+interface(`xserver_manage_xdm_tmp_files',`
- 	gen_require(`
- 		type xdm_tmp_t;
- 	')
- 
--	dontaudit $1 xdm_tmp_t:sock_file getattr;
-+	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++interface(`xserver_manage_xdm_etc_files',`
++	gen_require(`
++		type xdm_etc_t;
++	')
++
++	files_search_etc($1)
++	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
 +')
 +
 +########################################
 +## <summary>
+ ##	Read xdm temporary files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
+ 		type xdm_tmp_t;
+ 	')
+ 
+- 	files_search_tmp($1)
++	files_search_tmp($1)
+ 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ ')
+ 
+@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+ 
+ ########################################
+ ## <summary>
 +##	Create, read, write, and delete xdm temporary dirs.
 +## </summary>
 +## <param name="domain">
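Review bot: The `<param name="domain">` summaries of the two new allow interfaces, `xserver_read_xdm_etc_files` and `xserver_manage_xdm_etc_files`, read `##	Domain to not audit`, yet both grant access through `files_search_etc`, `read_files_pattern` and `manage_files_pattern` rather than adding dontaudit rules; conversely the new `xserver_dontaudit_xkb_libs_access`, which only emits `dontaudit` rules, is documented with `##	Domain allowed access.`, so the two descriptions appear to be swapped. The generated interface documentation would otherwise describe a manage interface on xdm's /etc configuration as a no-audit interface, which matters when someone later decides which domains may call it. The wording was already present in the revision being replaced, so this commit carries it forward rather than introducing it; swapping the two summaries in the rebased hunk would fix it without touching the rules.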
@@ -21699,25 +21645,19 @@ index 6bf0ecc..9388756 100644
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to get the attributes of
-+##	xdm temporary named sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
-+	gen_require(`
-+		type xdm_tmp_t;
-+	')
-+
+ ##	Do not audit attempts to get the attributes of
+ ##	xdm temporary named sockets.
+ ## </summary>
+@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ 		type xdm_tmp_t;
+ 	')
+ 
+-	dontaudit $1 xdm_tmp_t:sock_file getattr;
 +	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
  ')
  
  ########################################
-@@ -1111,8 +1518,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -21729,7 +21669,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -1210,6 +1619,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -21755,7 +21695,7 @@ index 6bf0ecc..9388756 100644
  ##	Connect to the X server over a unix domain
  ##	stream socket.
  ## </summary>
-@@ -1226,6 +1654,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -21782,7 +21722,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -1251,7 +1699,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -21791,7 +21731,7 @@ index 6bf0ecc..9388756 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1709,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1622,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -21816,7 +21756,7 @@ index 6bf0ecc..9388756 100644
  ')
  
  ########################################
-@@ -1284,10 +1742,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1655,604 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -22424,10 +22364,10 @@ index 6bf0ecc..9388756 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..4690551 100644
+index 2696452..fcf58c6 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
-@@ -26,27 +26,57 @@ gen_require(`
+@@ -26,28 +26,59 @@ gen_require(`
  #
  
  ## <desc>
@@ -22492,9 +22432,11 @@ index 2696452..4690551 100644
 +attribute xdmhomewriter;
 +attribute x_userdomain;
  attribute x_domain;
++attribute dridomain;
  
  # X Events
-@@ -107,44 +137,54 @@ xserver_object_types_template(remote)
+ attribute xevent_type;
+@@ -107,44 +138,54 @@ xserver_object_types_template(remote)
  xserver_common_x_domain_template(remote, remote_t)
  
  type user_fonts_t;
@@ -22550,7 +22492,7 @@ index 2696452..4690551 100644
  typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
  userdom_user_tmp_file(xauth_tmp_t)
  
-@@ -154,19 +194,28 @@ files_type(xconsole_device_t)
+@@ -154,19 +195,28 @@ files_type(xconsole_device_t)
  fs_associate_tmpfs(xconsole_device_t)
  files_associate_tmp(xconsole_device_t)
  
@@ -22581,7 +22523,7 @@ index 2696452..4690551 100644
  
  type xdm_var_lib_t;
  files_type(xdm_var_lib_t)
-@@ -174,13 +223,27 @@ files_type(xdm_var_lib_t)
+@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t)
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -22610,7 +22552,7 @@ index 2696452..4690551 100644
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -193,14 +256,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
  init_system_domain(xserver_t, xserver_exec_t)
  ubac_constrained(xserver_t)
  
@@ -22629,7 +22571,7 @@ index 2696452..4690551 100644
  userdom_user_tmpfs_file(xserver_tmpfs_t)
  
  type xsession_exec_t;
-@@ -225,21 +286,33 @@ optional_policy(`
+@@ -225,21 +287,33 @@ optional_policy(`
  #
  
  allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -22672,7 +22614,7 @@ index 2696452..4690551 100644
  ')
  
  ########################################
-@@ -247,48 +320,83 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +321,83 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -22767,7 +22709,7 @@ index 2696452..4690551 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +407,106 @@ optional_policy(`
+@@ -299,64 +408,106 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -22884,7 +22826,7 @@ index 2696452..4690551 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +515,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -22914,7 +22856,7 @@ index 2696452..4690551 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +545,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -22967,7 +22909,7 @@ index 2696452..4690551 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +597,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +598,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -22996,7 +22938,7 @@ index 2696452..4690551 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +627,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23043,7 +22985,7 @@ index 2696452..4690551 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +672,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +673,144 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -23194,7 +23136,7 @@ index 2696452..4690551 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +823,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +824,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -23221,7 +23163,7 @@ index 2696452..4690551 100644
  ')
  
  optional_policy(`
-@@ -514,12 +850,72 @@ optional_policy(`
+@@ -514,12 +851,72 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23294,7 +23236,7 @@ index 2696452..4690551 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +933,78 @@ optional_policy(`
+@@ -537,28 +934,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23382,7 +23324,7 @@ index 2696452..4690551 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1016,14 @@ optional_policy(`
+@@ -570,6 +1017,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23397,7 +23339,7 @@ index 2696452..4690551 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23410,7 +23352,7 @@ index 2696452..4690551 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23426,7 +23368,7 @@ index 2696452..4690551 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -23437,7 +23379,7 @@ index 2696452..4690551 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23459,7 +23401,7 @@ index 2696452..4690551 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -23473,7 +23415,7 @@ index 2696452..4690551 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23505,7 +23447,7 @@ index 2696452..4690551 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23523,7 +23465,7 @@ index 2696452..4690551 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1198,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23547,7 +23489,7 @@ index 2696452..4690551 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23556,7 +23498,7 @@ index 2696452..4690551 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1260,44 @@ optional_policy(`
+@@ -775,16 +1261,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23602,7 +23544,7 @@ index 2696452..4690551 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1306,10 @@ optional_policy(`
+@@ -793,6 +1307,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23613,7 +23555,7 @@ index 2696452..4690551 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23627,7 +23569,7 @@ index 2696452..4690551 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23636,7 +23578,7 @@ index 2696452..4690551 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1350,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23671,7 +23613,7 @@ index 2696452..4690551 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23680,7 +23622,7 @@ index 2696452..4690551 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23712,7 +23654,7 @@ index 2696452..4690551 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1514,41 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -23769,6 +23711,115 @@ index 2696452..4690551 100644
 +	unconfined_domain(xdm_unconfined_t)
 +')
 +
++# X Userdomain
++# Xserver read/write client shm
++allow xserver_t x_userdomain:fd use;
++allow xserver_t x_userdomain:shm rw_shm_perms;
++
++allow xserver_t x_userdomain:process { getpgid signal };
++
++allow xserver_t x_userdomain:shm rw_shm_perms;
++
++allow x_userdomain user_fonts_t:dir list_dir_perms;
++allow x_userdomain user_fonts_t:file read_file_perms;
++allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms;
++
++allow x_userdomain user_fonts_config_t:dir list_dir_perms;
++allow x_userdomain user_fonts_config_t:file read_file_perms;
++
++manage_dirs_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
++manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
++
++stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
++allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
++dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms;
++files_search_tmp(x_userdomain)
++
++# Communicate via System V shared memory.
++allow x_userdomain xserver_t:shm r_shm_perms;
++allow x_userdomain xserver_tmpfs_t:file read_file_perms;
++
++# allow ps to show iceauth
++ps_process_pattern(x_userdomain, iceauth_t)
++
++domtrans_pattern(x_userdomain, iceauth_exec_t, iceauth_t)
++
++allow x_userdomain iceauth_home_t:file read_file_perms;
++
++domtrans_pattern(x_userdomain, xauth_exec_t, xauth_t)
++
++allow x_userdomain xauth_t:process signal;
++
++# allow ps to show xauth
++ps_process_pattern(x_userdomain, xauth_t)
++allow x_userdomain xserver_t:process signal;
++
++allow x_userdomain xauth_home_t:file read_file_perms;
++
++# for when /tmp/.X11-unix is created by the system
++allow x_userdomain xdm_t:fd use;
++allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
++allow x_userdomain xdm_tmp_t:dir search_dir_perms;
++allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++dontaudit x_userdomain xdm_t:tcp_socket { read write };
++dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms;
++
++allow x_userdomain xdm_t:dbus send_msg;
++allow xdm_t  x_userdomain:dbus send_msg;
++
++# Client read xserver shm
++allow x_userdomain xserver_t:fd use;
++allow x_userdomain xserver_tmpfs_t:file read_file_perms;
++
++# Read /tmp/.X0-lock
++allow x_userdomain xserver_tmp_t:file read_inherited_file_perms;
++
++dev_rw_xserver_misc(x_userdomain)
++dev_rw_power_management(x_userdomain)
++dev_read_input(x_userdomain)
++dev_read_misc(x_userdomain)
++dev_write_misc(x_userdomain)
++# open office is looking for the following
++dev_getattr_agp_dev(x_userdomain)
++
++# GNOME checks for usb and other devices:
++dev_rw_usbfs(x_userdomain)
++
++miscfiles_read_fonts(x_userdomain)
++miscfiles_setattr_fonts_cache_dirs(x_userdomain)
++miscfiles_read_hwdata(x_userdomain)
++
++#xserver_common_x_domain_template(user, x_userdomain)
++xserver_domtrans(x_userdomain)
++#xserver_unconfined(x_userdomain)
++xserver_xsession_entry_type(x_userdomain)
++xserver_dontaudit_write_log(x_userdomain)
++#xserver_stream_connect_xdm(x_userdomain)
++# certain apps want to read xdm.pid file
++xserver_read_xdm_pid(x_userdomain)
++# gnome-session creates socket under /tmp/.ICE-unix/
++xserver_create_xdm_tmp_sockets(x_userdomain)
++# Needed for escd, remove if we get escd policy
++xserver_manage_xdm_tmp_files(x_userdomain)
++xserver_read_xdm_etc_files(x_userdomain)
++#xserver_xdm_append_log(x_userdomain)
++
++term_use_virtio_console(x_userdomain)
++# Client write xserver shm
++tunable_policy(`xserver_clients_write_xshm',`
++	allow x_userdomain xserver_t:shm rw_shm_perms;
++	allow x_userdomain xserver_tmpfs_t:file rw_file_perms;
++')
++
++optional_policy(`
++	gnome_read_gconf_config(x_userdomain)
++')
++
++tunable_policy(`selinuxuser_direct_dri_enabled',`
++	dev_rw_dri(dridomain)
++',`
++	dev_dontaudit_rw_dri(dridomain)
++')
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
 index 1b6619e..be02b96 100644
 --- a/policy/modules/system/application.if
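Review bot: `allow xserver_t x_userdomain:shm rw_shm_perms;` appears twice in the new x_userdomain block, as does `allow x_userdomain xserver_tmpfs_t:file read_file_perms;`; the second copy of each can be dropped. More significantly for least privilege, the block attaches broad grants to the whole `x_userdomain` attribute — `dev_rw_usbfs(x_userdomain)`, `dev_rw_power_management(x_userdomain)` and `xserver_manage_xdm_tmp_files(x_userdomain)`, the last already annotated `# Needed for escd, remove if we get escd policy` — so every domain that carries the attribute, not only the application that needs them, gets write access to those devices and to xdm's tmp files, and the escd workaround would be better scoped to that domain or guarded by a tunable. The commented-out calls (`#xserver_unconfined(x_userdomain)`, `#xserver_xdm_append_log(x_userdomain)` and the others) should be deleted rather than left as dead policy. The `selinuxuser_direct_dri_enabled` tunable and the `dridomain` attribute used at the end are not declared in this hunk; presumably they are defined elsewhere in the module.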
@@ -34113,6 +34164,32 @@ index bea4629..06e2834 100644
 +
  /var/run/setrans(/.*)?		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
 +/var/run/mcstransd\.pid		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
+index efa9c27..536a514 100644
+--- a/policy/modules/system/setrans.if
++++ b/policy/modules/system/setrans.if
+@@ -40,3 +40,21 @@ interface(`setrans_translate_context',`
+ 	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
+ 	files_list_pids($1)
+ ')
++#######################################
++## <summary>
++##	Allow a domain to manage pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`setrans_manage_pid_files',`
++	gen_require(`
++		type setrans_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
++')
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
 index 1447687..d5e6fb9 100644
 --- a/policy/modules/system/setrans.te
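Review bot: The new `setrans_manage_pid_files` interface is appended directly after the closing `')` of `setrans_translate_context` with no blank line, and its header separator is one `#` shorter than the file's `########################################`; adding the blank line and the full-width separator would match the rest of setrans.if. The summary `Allow a domain to manage pid files` should name what it covers — `##	Create, read, write, and delete setrans pid files.` — since the generated docs index on that text. Note that `setrans_var_run_t`, the type this grants `manage_files_pattern` on, is labelled `mls_systemhigh` in the accompanying .fc change, so any caller of this interface gains write access to mcstransd's runtime directory; which domain is meant to call it is not shown here.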
@@ -34490,7 +34567,7 @@ index 6944526..ec17624 100644
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..9c7aa79 100644
+index b7686d5..431d2f1 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -34706,13 +34783,14 @@ index b7686d5..9c7aa79 100644
  ')
  
  optional_policy(`
-@@ -259,12 +302,20 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +302,21 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
 +allow ifconfig_t self:appletalk_socket create_socket_perms;
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
++allow ifconfig_t self:netlink_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
  allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
  allow ifconfig_t self:tcp_socket { create ioctl };
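Review bot: The added `allow ifconfig_t self:netlink_socket create_socket_perms;` carries no comment naming the tool or netlink family that needs it, unlike the `# for /sbin/ip` line above it. The generic netlink_socket class is the catch-all for every netlink family without a class of its own, so it is broader than the route and xfrm classes granted on the next two lines. A one-line comment in the style of the existing ones, e.g. `# generic netlink family needed by <tool>` with the actual caller filled in, would let a later review decide whether the grant can be narrowed. The ifconfig_t local policy continues outside this hunk.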
@@ -34727,7 +34805,7 @@ index b7686d5..9c7aa79 100644
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
-@@ -274,14 +325,29 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +326,29 @@ kernel_rw_net_sysctls(ifconfig_t)
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
@@ -34757,7 +34835,7 @@ index b7686d5..9c7aa79 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +360,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +361,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -34785,7 +34863,7 @@ index b7686d5..9c7aa79 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -318,7 +384,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +385,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -34808,7 +34886,7 @@ index b7686d5..9c7aa79 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -329,8 +410,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +411,11 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -34822,7 +34900,7 @@ index b7686d5..9c7aa79 100644
  ')
  
  optional_policy(`
-@@ -339,7 +423,15 @@ optional_policy(`
+@@ -339,7 +424,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34839,7 +34917,7 @@ index b7686d5..9c7aa79 100644
  ')
  
  optional_policy(`
-@@ -360,3 +452,13 @@ optional_policy(`
+@@ -360,3 +453,13 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 74e826a..203ed18 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -6956,7 +6956,7 @@ index 1a7a97e..1d29dce 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 3590e2f..5d9ac1d 100644
+index 3590e2f..e1494bd 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -6987,16 +6987,26 @@ index 3590e2f..5d9ac1d 100644
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:netlink_socket create_socket_perms;
-@@ -115,8 +118,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t)
+@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+ fs_dontaudit_getattr_all_symlinks(apmd_t)
  fs_dontaudit_getattr_all_pipes(apmd_t)
  fs_dontaudit_getattr_all_sockets(apmd_t)
- 
--selinux_search_fs(apmd_t)
 -
+-selinux_search_fs(apmd_t)
++fs_read_cgroup_files(apmd_t)
+ 
  corecmd_exec_all_executables(apmd_t)
  
- domain_read_all_domains_state(apmd_t)
-@@ -136,17 +137,16 @@ libs_exec_lib_files(apmd_t)
+@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+ auth_use_nsswitch(apmd_t)
+ 
+ init_domtrans_script(apmd_t)
++init_read_utmp(apmd_t)
++init_telinit(apmd_t)
+ 
+ libs_exec_ld_so(apmd_t)
+ libs_exec_lib_files(apmd_t)
+@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
  logging_send_audit_msgs(apmd_t)
  logging_send_syslog_msg(apmd_t)
  
@@ -7016,7 +7026,7 @@ index 3590e2f..5d9ac1d 100644
  
  optional_policy(`
  	automount_domtrans(apmd_t)
-@@ -206,11 +206,15 @@ optional_policy(`
+@@ -206,11 +209,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10908,7 +10918,7 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..1544e9b 100644
+index 914ee2d..72fab35 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -10926,7 +10936,7 @@ index 914ee2d..1544e9b 100644
  #
  
 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
  allow chronyd_t self:process { getcap setcap setrlimit signal };
  allow chronyd_t self:shm create_shm_perms;
 +allow chronyd_t self:udp_socket create_socket_perms;
@@ -19484,7 +19494,7 @@ index d294865..3b4f593 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index ff933af..101bc81 100644
+index ff933af..d75b565 100644
 --- a/devicekit.te
 +++ b/devicekit.te
 @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -19550,15 +19560,17 @@ index ff933af..101bc81 100644
  dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_read_urand(devicekit_disk_t)
-@@ -117,7 +119,6 @@ files_manage_boot_dirs(devicekit_disk_t)
+@@ -116,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+ files_manage_boot_dirs(devicekit_disk_t)
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
++files_manage_etc_files(devicekit_disk_t)
  files_read_etc_runtime_files(devicekit_disk_t)
 -files_read_usr_files(devicekit_disk_t)
  
  fs_getattr_all_fs(devicekit_disk_t)
  fs_list_inotifyfs(devicekit_disk_t)
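Review bot: `files_manage_etc_files(devicekit_disk_t)` is much wider than the stated need (the changelog entry says udisks must manage /etc/fstab): it grants create, write, rename and unlink on every etc_t file, so a bug or compromise in the disk daemon could rewrite any generic configuration under /etc. If fstab is the only file involved, the narrower approach this same patch already uses for ntp.conf in sysnetwork.if applies here too: give /etc/fstab its own type with a `files_etc_filetrans(devicekit_disk_t, <fstab_type>, file, "fstab")` and `manage_files_pattern` on that type alone. If the broad grant is deliberate, record it with `# udisks rewrites /etc/fstab; no dedicated type for it yet` so the trade-off is visible. The devicekit_disk_t local policy continues outside this hunk.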
-@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -134,16 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -19579,7 +19591,7 @@ index ff933af..101bc81 100644
  	dbus_system_bus_client(devicekit_disk_t)
  
  	allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +170,7 @@ optional_policy(`
+@@ -167,6 +171,7 @@ optional_policy(`
  
  optional_policy(`
  	mount_domtrans(devicekit_disk_t)
@@ -19587,7 +19599,7 @@ index ff933af..101bc81 100644
  ')
  
  optional_policy(`
-@@ -180,6 +184,11 @@ optional_policy(`
+@@ -180,6 +185,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19599,7 +19611,7 @@ index ff933af..101bc81 100644
  	udev_domtrans(devicekit_disk_t)
  	udev_read_db(devicekit_disk_t)
  ')
-@@ -188,12 +197,19 @@ optional_policy(`
+@@ -188,12 +198,19 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -19620,7 +19632,7 @@ index ff933af..101bc81 100644
  allow devicekit_power_t self:process { getsched signal_perms };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -207,9 +224,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
  
@@ -19631,7 +19643,7 @@ index ff933af..101bc81 100644
  logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
  
  manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t)
  
  files_read_kernel_img(devicekit_power_t)
  files_read_etc_runtime_files(devicekit_power_t)
@@ -19651,7 +19663,7 @@ index ff933af..101bc81 100644
  
  sysnet_domtrans_ifconfig(devicekit_power_t)
  sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +282,11 @@ optional_policy(`
+@@ -269,9 +283,11 @@ optional_policy(`
  
  optional_policy(`
  	cron_initrc_domtrans(devicekit_power_t)
@@ -19663,7 +19675,7 @@ index ff933af..101bc81 100644
  	dbus_system_bus_client(devicekit_power_t)
  
  	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +317,11 @@ optional_policy(`
+@@ -302,8 +318,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19676,7 +19688,7 @@ index ff933af..101bc81 100644
  	hal_manage_pid_dirs(devicekit_power_t)
  	hal_manage_pid_files(devicekit_power_t)
  ')
-@@ -341,3 +359,9 @@ optional_policy(`
+@@ -341,3 +360,9 @@ optional_policy(`
  optional_policy(`
  	vbetool_domtrans(devicekit_power_t)
  ')
@@ -30142,7 +30154,7 @@ index 16b1666..01673a4 100644
 -	admin_pattern($1, jabberd_var_run_t)
  ')
 diff --git a/jabber.te b/jabber.te
-index bb12c90..fb916e0 100644
+index bb12c90..62d511b 100644
 --- a/jabber.te
 +++ b/jabber.te
 @@ -1,4 +1,4 @@
@@ -30151,7 +30163,7 @@ index bb12c90..fb916e0 100644
  
  ########################################
  #
-@@ -9,129 +9,131 @@ attribute jabberd_domain;
+@@ -9,129 +9,133 @@ attribute jabberd_domain;
  
  jabber_domain_template(jabberd)
  jabber_domain_template(jabberd_router)
@@ -30264,65 +30276,67 @@ index bb12c90..fb916e0 100644
 +userdom_dontaudit_search_user_home_dirs(jabberd_t)
  
 -manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
++miscfiles_read_certs(jabberd_t)
+ 
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 +optional_policy(`
 +	seutil_sigchld_newrole(jabberd_t)
 +')
  
--manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
--files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+-kernel_read_kernel_sysctls(jabberd_t)
 +optional_policy(`
 +	udev_read_db(jabberd_t)
 +')
  
--kernel_read_kernel_sysctls(jabberd_t)
+-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+-corenet_tcp_bind_jabber_client_port(jabberd_t)
+-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
 +######################################
 +#
 +# Local policy for pyicq-t
 +#
  
--corenet_sendrecv_jabber_client_server_packets(jabberd_t)
--corenet_tcp_bind_jabber_client_port(jabberd_t)
--corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
 +# need for /var/log/pyicq-t.log
 +manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
 +logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
  
--corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
--corenet_tcp_bind_jabber_interserver_port(jabberd_t)
--corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+-dev_read_rand(jabberd_t)
 +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
  
--dev_read_rand(jabberd_t)
+-domain_use_interactive_fds(jabberd_t)
 +files_search_spool(pyicqt_t)
 +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
  
--domain_use_interactive_fds(jabberd_t)
-+corenet_tcp_bind_jabber_router_port(pyicqt_t)
-+corenet_tcp_connect_jabber_router_port(pyicqt_t)
- 
 -files_read_etc_files(jabberd_t)
 -files_read_etc_runtime_files(jabberd_t)
-+corecmd_exec_bin(pyicqt_t)
++corenet_tcp_bind_jabber_router_port(pyicqt_t)
++corenet_tcp_connect_jabber_router_port(pyicqt_t)
  
 -fs_search_auto_mountpoints(jabberd_t)
-+dev_read_urand(pyicqt_t)
++corecmd_exec_bin(pyicqt_t)
  
 -sysnet_read_config(jabberd_t)
-+auth_use_nsswitch(pyicqt_t)
++dev_read_urand(pyicqt_t)
  
 -userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 -userdom_dontaudit_search_user_home_dirs(jabberd_t)
-+# needed for pyicq-t-mysql
-+optional_policy(`
-+	corenet_tcp_connect_mysqld_port(pyicqt_t)
-+')
++auth_use_nsswitch(pyicqt_t)
  
++# needed for pyicq-t-mysql
  optional_policy(`
 -	udev_read_db(jabberd_t)
-+	sysnet_use_ldap(pyicqt_t)
++	corenet_tcp_connect_mysqld_port(pyicqt_t)
  ')
  
 -########################################
++optional_policy(`
++	sysnet_use_ldap(pyicqt_t)
++')
++
 +#######################################
  #
 -# Router local policy
@@ -38524,7 +38538,7 @@ index 6194b80..5fe7031 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..0a31eec 100644
+index 6a306ee..cfaf593 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -38968,7 +38982,7 @@ index 6a306ee..0a31eec 100644
  ')
  
  optional_policy(`
-@@ -300,221 +324,180 @@ optional_policy(`
+@@ -300,221 +324,181 @@ optional_policy(`
  
  ########################################
  #
@@ -39169,14 +39183,14 @@ index 6a306ee..0a31eec 100644
 +dev_write_sound(mozilla_plugin_t)
 +# for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
--
++dev_rwx_zero(mozilla_plugin_t)
++dev_dontaudit_read_mtrr(mozilla_plugin_t)
++xserver_dri_domain(mozilla_plugin_t)
+ 
 -dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
 -dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
 -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
 -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
-+dev_rwx_zero(mozilla_plugin_t)
-+dev_dontaudit_read_mtrr(mozilla_plugin_t)
-+dev_dontaudit_rw_dri(mozilla_plugin_t)
 +dev_dontaudit_getattr_all(mozilla_plugin_t)
  
  domain_use_interactive_fds(mozilla_plugin_t)
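Review bot: Replacing `dev_dontaudit_rw_dri(mozilla_plugin_t)` with `xserver_dri_domain(mozilla_plugin_t)` turns a silent denial into a grant of `dev_rw_dri` whenever `selinuxuser_direct_dri_enabled` is on (see the dridomain tunable_policy earlier in this patch), which exposes the GPU driver's device ioctl surface to plugin code; that widening of the plugin sandbox is not visible from this hunk alone. A call-site comment such as `# direct DRI access is gated by the selinuxuser_direct_dri_enabled boolean via dridomain` would make the dependency on the boolean explicit, and the boolean's default should be stated where it is declared. The mozilla_plugin_t local policy continues outside this hunk.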
@@ -39289,7 +39303,7 @@ index 6a306ee..0a31eec 100644
  ')
  
  optional_policy(`
-@@ -523,36 +506,48 @@ optional_policy(`
+@@ -523,36 +507,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39351,7 +39365,7 @@ index 6a306ee..0a31eec 100644
  ')
  
  optional_policy(`
-@@ -560,7 +555,7 @@ optional_policy(`
+@@ -560,7 +556,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39360,7 +39374,7 @@ index 6a306ee..0a31eec 100644
  ')
  
  optional_policy(`
-@@ -568,108 +563,118 @@ optional_policy(`
+@@ -568,108 +564,118 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49486,10 +49500,10 @@ index 0000000..f2d6119
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..bddd4b3
+index 0000000..fdc4a03
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,677 @@
+@@ -0,0 +1,700 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -49814,7 +49828,8 @@ index 0000000..bddd4b3
 +
 +########################################
 +## <summary>
-+##	Manage openshift lib dirs files.
++##	Create, read, write, and delete
++##	openshift lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -49831,6 +49846,28 @@ index 0000000..bddd4b3
 +	manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
 +')
 +
++########################################
++## <summary>
++##	Manage openshift lib content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_manage_content',`
++	gen_require(`
++		attribute openshift_file_type;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
++	manage_files_pattern($1, openshift_file_type, openshift_file_type)
++	manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
++	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
++')
++
 +#######################################
 +## <summary>
 +##	Create private objects in the
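Review bot: The summary of `openshift_manage_content` reads "Manage openshift lib content", but the interface keys on the `openshift_file_type` attribute, which presumably covers every openshift file type (the .fc context above labels /var/run/openshift as well), so the grant is wider than /var/lib; either the summary should say `##	Create, read, write, and delete all content labeled with an openshift file type.` or the pattern calls should be narrowed to openshift_var_lib_t. The interface also grants sock_file management but not fifo_file, which looks inconsistent for an "all content" interface and deserves a comment if intentional. The changelog says this is for useradd, so the breadth of what that domain can now rewrite is the thing a reader needs to see. The interface is complete within the hunk.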
@@ -89001,7 +89038,7 @@ index 9dec06c..7877729 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..253d98d 100644
+index 1f22fba..7a305c4 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -89631,14 +89668,14 @@ index 1f22fba..253d98d 100644
 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
 -can_exec(virtd_t, virt_tmp_t)
 -
 -kernel_read_crypto_sysctls(virtd_t)
@@ -89774,15 +89811,16 @@ index 1f22fba..253d98d 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,95 +496,321 @@ optional_policy(`
+@@ -658,95 +496,325 @@ optional_policy(`
  	')
  
  	optional_policy(`
 -		firewalld_dbus_chat(virtd_t)
 +		hal_dbus_chat(virtd_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		hal_dbus_chat(virtd_t)
 +		networkmanager_dbus_chat(virtd_t)
  	')
 +')
@@ -89848,6 +89886,10 @@ index 1f22fba..253d98d 100644
 +')
 +
 +optional_policy(`
++	setrans_manage_pid_files(virtd_t)
++')
++
++optional_policy(`
 +	kernel_read_xen_state(virtd_t)
 +	kernel_write_xen_state(virtd_t)
 +
@@ -89981,21 +90023,18 @@ index 1f22fba..253d98d 100644
 +storage_raw_read_removable_device(virt_domain)
  
 -	optional_policy(`
--		hal_dbus_chat(virtd_t)
+-		networkmanager_dbus_chat(virtd_t)
 -	')
 +sysnet_read_config(virt_domain)
  
 -	optional_policy(`
--		networkmanager_dbus_chat(virtd_t)
+-		policykit_dbus_chat(virtd_t)
 -	')
 +term_use_all_inherited_terms(virt_domain)
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
 +term_use_ptmx(virt_domain)
- 
--	optional_policy(`
--		policykit_dbus_chat(virtd_t)
--	')
++
 +tunable_policy(`virt_use_execmem',`
 +	allow virt_domain self:process { execmem execstack };
  ')
@@ -90144,7 +90183,7 @@ index 1f22fba..253d98d 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +822,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +826,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -90157,12 +90196,12 @@ index 1f22fba..253d98d 100644
 -dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 -
 -allow virsh_t svirt_lxc_domain:process transition;
--
--can_exec(virsh_t, virsh_exec_t)
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
  
+-can_exec(virsh_t, virsh_exec_t)
+-
 -virt_domtrans(virsh_t)
 -virt_manage_images(virsh_t)
 -virt_manage_config(virsh_t)
@@ -90174,7 +90213,7 @@ index 1f22fba..253d98d 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +841,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -90201,7 +90240,7 @@ index 1f22fba..253d98d 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +861,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -90233,7 +90272,7 @@ index 1f22fba..253d98d 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +894,20 @@ optional_policy(`
+@@ -847,14 +898,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90255,7 +90294,7 @@ index 1f22fba..253d98d 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +932,44 @@ optional_policy(`
+@@ -879,34 +936,44 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -90309,7 +90348,7 @@ index 1f22fba..253d98d 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +979,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +983,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -90327,7 +90366,7 @@ index 1f22fba..253d98d 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1001,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1005,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -90338,7 +90377,7 @@ index 1f22fba..253d98d 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1010,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1014,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -90346,7 +90385,7 @@ index 1f22fba..253d98d 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1022,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1026,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -90365,7 +90404,7 @@ index 1f22fba..253d98d 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1036,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1040,40 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -90393,6 +90432,10 @@ index 1f22fba..253d98d 100644
 +')
 +
 +optional_policy(`
++	setrans_manage_pid_files(virtd_lxc_t)
++')
++
++optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
  
@@ -90410,7 +90453,7 @@ index 1f22fba..253d98d 100644
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
  allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1073,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -90437,7 +90480,7 @@ index 1f22fba..253d98d 100644
  
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1091,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -90456,7 +90499,7 @@ index 1f22fba..253d98d 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1110,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -90483,7 +90526,7 @@ index 1f22fba..253d98d 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1135,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1143,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
@@ -90622,7 +90665,7 @@ index 1f22fba..253d98d 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1233,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1241,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -90637,7 +90680,7 @@ index 1f22fba..253d98d 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1251,8 @@ optional_policy(`
+@@ -1183,9 +1259,8 @@ optional_policy(`
  
  ########################################
  #
@@ -90648,7 +90691,7 @@ index 1f22fba..253d98d 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1265,114 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1273,114 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index db4e2e3..eddfbfc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,20 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
+- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. 
+- Allow bootloader to manage generic log files 
+- Allow ftp to bind to port 989 
+- Fix label of new gear directory 
+- Add support for new directory /var/lib/openshift/gears/ 
+- Add openshift_manage_lib_dirs() 
+- allow virtd domains to manage setrans_var_run_t 
+- Allow useradd to manage all openshift content 
+- Add support so that mozilla_plugin_t can use dri devices 
+- Allow chronyd to change the scheduler 
+- Allow apmd to shut downthe system 
+- Devicekit_disk_t needs to manage /etc/fstab
+
 * Wed Jun 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-57
 - Make DSPAM to act as a LDA working
 - Allow ntop to create netlink socket