diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index ce00934..a370656 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -81,11 +81,7 @@ optional_policy(`
')
optional_policy(`
- hal_dontaudit_use_fds(consoletype_t)
- hal_dontaudit_rw_pipes(consoletype_t)
- hal_dontaudit_rw_dgram_sockets(consoletype_t)
- hal_dontaudit_write_log(consoletype_t)
- hal_dontaudit_read_pid_files(consoletype_t)
+ hal_dontaudit_leaks(consoletype_t)
')
optional_policy(`
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index aa9636d..7851643 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
# tzdata local policy
#
-files_read_etc_files(tzdata_t)
+files_read_config_files(tzdata_t)
files_search_spool(tzdata_t)
fs_getattr_xattr_fs(tzdata_t)
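Review bot: Replacing `files_read_etc_files(tzdata_t)` with `files_read_config_files(tzdata_t)` widens tzdata_t from generic etc_t to every type carrying the configfile attribute (assuming files_read_config_files works the way its name and the files.if convention suggest), which includes other services' private configuration types. Nothing in the hunk says which file tzdata was denied on; if it only needs /etc/localtime and its own zoneinfo data, the original etc_t rule plus a specific interface would be the tighter fix. If the broader read really is required, a one-line comment above the call naming the path that needed it, e.g. `# reads <config path needing access - confirm>`, would stop the next reviewer from narrowing it again.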
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 92ab0c3..ffd9870 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -200,6 +200,25 @@ interface(`gnome_setattr_cache_home_dir',`
########################################
##
+## append to generic cache home files (.cache)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_append_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
## write to generic cache home files (.cache)
##
##
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 9cbfded..62e455a 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -48,8 +48,7 @@ template(`wine_role',`
allow $2 wine_t:process signal_perms;
allow $2 wine_t:fd use;
- allow $2 wine_t:shm { associate getattr };
- allow $2 wine_t:shm { unix_read unix_write };
+ allow $2 wine_t:shm { associate getattr unix_read unix_write };
allow $2 wine_t:unix_stream_socket connectto;
# X access, Home files
@@ -165,3 +164,22 @@ interface(`wine_run',`
wine_domtrans($1)
role $2 types wine_t;
')
+
+########################################
+##
+## Read and write wine Shared
+## memory segments.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`wine_rw_shm',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ allow $1 wine_t:shm rw_shm_perms;
+')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 73e4119..96a406d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4935,6 +4935,24 @@ interface(`files_read_var_files',`
########################################
##
+## Append files in the /var directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_append_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ append_files_pattern($1, var_t, var_t)
+')
+
+########################################
+##
## Read and write files in the /var directory.
##
##
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 712e644..3561f03 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -72,6 +72,7 @@ type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
type configfs_t;
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 1a44ccb..c6832b0 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -144,21 +144,25 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
- # ifconfig_exec_t needs to be run in its own domain for Red Hat
optional_policy(`
- sssd_search_lib(apmd_t)
+ fstools_domtrans(apmd_t)
')
optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
+ iptables_domtrans(apmd_t)
')
optional_policy(`
- iptables_domtrans(apmd_t)
+ netutils_domtrans(apmd_t)
')
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
optional_policy(`
- netutils_domtrans(apmd_t)
+ sssd_search_lib(apmd_t)
+ ')
+
+ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
')
',`
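Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` was re-attached to the sssd_search_lib block during the alphabetical reorder, but it describes the `sysnet_domtrans_ifconfig(apmd_t)` block that now sits last; move the comment line so it directly precedes the `optional_policy(` that wraps `sysnet_domtrans_ifconfig(apmd_t)`. The rest of the change is a pure reorder with no access change, as far as the visible lines show. The enclosing ifdef(`distro_redhat') block begins and ends outside this hunk.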
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 2c2a551..fb3454a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
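Review bot: cups_read_config now grants every caller read access to hplip_etc_t, but the interface's description block (above this hunk) is not updated to say so, and callers such as the new `cups_read_config(udev_t)` in udev.te pick up the extra access silently; add a line to the description such as `## Read cups and hplip configuration files.` As a point of style, the new `read_files_pattern($1, hplip_etc_t, hplip_etc_t)` line is inserted between the two cupsd_etc_t rules and would read more naturally after the cupsd_rw_etc_t line, and in the cups_admin hunk further down the blank line after `admin_pattern($1, hplip_etc_t)` splits an otherwise contiguous run of admin_pattern calls.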
@@ -319,6 +321,7 @@ interface(`cups_admin',`
type cupsd_var_run_t, ptal_etc_t;
type ptal_var_run_t, hplip_var_run_t;
type cupsd_initrc_exec_t;
+ type hplip_etc_t;
')
allow $1 cupsd_t:process { ptrace signal_perms };
@@ -347,6 +350,8 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_var_run_t)
files_list_pids($1)
+ admin_pattern($1, hplip_etc_t)
+
admin_pattern($1, hplip_var_run_t)
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 1e554a9..ccacea9 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -205,6 +205,10 @@ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index d01cab6..52ea89b 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -391,8 +391,7 @@ interface(`hal_dontaudit_read_pid_files',`
type hald_var_run_t;
')
- files_search_pids($1)
- allow $1 hald_var_run_t:file read_inherited_file_perms;
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
')
########################################
@@ -451,3 +450,27 @@ interface(`hal_manage_pid_files',`
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
+
+########################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_dontaudit_leaks',`
+ gen_require(`
+ type hald_log_t;
+ type hald_t;
+ type hald_var_run_t;
+ ')
+
+ dontaudit $1 hald_t:fd use;
+ dontaudit $1 hald_log_t:file rw_inherited_files_perms;
+ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+ dontaudit hald_t $1:socket_class_set { read write };
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
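Review bot: `rw_inherited_files_perms` on the hald_log_t line does not match the refpolicy permission-set naming used two rules later (`read_inherited_file_perms`); the set is `rw_inherited_file_perms`, singular, so as written m4 would leave the name unexpanded and checkpolicy would reject the rule. The socket rule `dontaudit hald_t $1:socket_class_set { read write };` is also the only rule in the interface with hald_t as the source and the caller as the target; if the intent is to silence the caller touching sockets inherited from hald, as the summary says, it should read `dontaudit $1 hald_t:socket_class_set { read write };`. The summary line could be tightened to `## Do not audit attempts to read and write leaked hal file descriptors.` Since this interface is the sole replacement for the five hal_dontaudit_* calls dropped from consoletype.te, any rule that fails to compile or points the wrong way will resurface as denials there.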
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index af3353c..9cb5e25 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
+corecmd_exec_shell(rpcbind_t)
+
corenet_all_recvfrom_unlabeled(rpcbind_t)
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
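Review bot: `corecmd_exec_shell(rpcbind_t)` lets a network-facing daemon run a shell in its own domain, and the hunk gives no indication of which script or helper needed it. If it is a distribution wrapper or startup script, a comment above the call naming it, e.g. `# for <wrapper script - confirm>`, documents the reason; if the shell is only used to launch a specific helper, a domain transition for that helper keeps rpcbind_t itself from holding shell execution. Either way the grant deserves a why-comment so it is not carried forward unexamined.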
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 288d513..60da940 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1106,6 +1106,10 @@ optional_policy(`
')
optional_policy(`
+ wine_rw_shm(xserver_t)
+')
+
+optional_policy(`
xfs_stream_connect(xserver_t)
')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 6f36eca..af2af2d 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -137,6 +137,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_append_generic_cache_files(ldconfig_t)
+')
+
+optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
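Review bot: `gnome_append_generic_cache_files(ldconfig_t)` gives ldconfig append access to users' cache_home_t files, which reads like a file descriptor leaked from a session process (for instance output redirected into ~/.cache) rather than something ldconfig needs; I cannot see the denial that prompted it, but if that is the cause the usual refpolicy treatment is a dontaudit on the inherited descriptor rather than an allow. The same question applies to `files_append_var_files(depmod_t)` in the modutils.te hunk, which grants append on every generic var_t file. If the allows are intended, a comment naming the caller that leaks the descriptor, e.g. `# appends to leaked <session process - confirm> log`, would justify them.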
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a3b7b0d..f39f39f 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -63,6 +63,7 @@ files_read_etc_runtime_files(depmod_t)
files_read_etc_files(depmod_t)
files_read_usr_src_files(depmod_t)
files_list_usr(depmod_t)
+files_append_var_files(depmod_t)
files_read_boot_files(depmod_t)
fs_getattr_xattr_fs(depmod_t)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3f27d1b..b0ee958 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -535,6 +535,10 @@ interface(`seutil_domtrans_setfiles',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit consoletype_t $1:socket_class_set { read write };
+ ')
')
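Review bot: `consoletype_t` is referenced in seutil_domtrans_setfiles without a corresponding `type consoletype_t;` in the interface's gen_require (the gen_require block is above this hunk, and no addition to it appears in the diff), and it belongs to the admin-layer consoletype module, so a system-layer interface using it unconditionally fails to build whenever that module is absent and inverts the usual layering. The rule is also written with consoletype_t as source and the caller as target, so what it silences is consoletype reading and writing the caller's sockets, which is presumably the inherited-descriptor case; that is better expressed in consoletype.te itself, wrapped in its own `ifdef(`hide_broken_symptoms'` and a seutil dontaudit interface, than here. The enclosing interface starts outside this hunk.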
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6581e4b..8451600 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -233,6 +233,7 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
+ cups_read_config(udev_t)
')
optional_policy(`