diff --git a/container-selinux.tgz b/container-selinux.tgz
index d4438ea..4bef662 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0876b45..c754c80 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -877,7 +877,7 @@ index 3a45f23..ee7d7b3 100644
  constrain socket_class_set { create relabelto relabelfrom } 
  (
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index a94b169..7c036a8 100644
+index a94b169..7c61322 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -121,6 +121,60 @@ common x_device
@@ -941,10 +941,19 @@ index a94b169..7c036a8 100644
  # Define the access vectors.
  #
  # class class_name [ inherits common_name ] { permission_name ... }
-@@ -393,62 +447,31 @@ class system
+@@ -379,6 +433,7 @@ class security
+ 	setsecparam
+ 	setcheckreqprot
+ 	read_policy
++	validate_trans
+ }
+ 
+ 
+@@ -393,62 +448,32 @@ class system
  	syslog_mod
  	syslog_console
  	module_request
++	module_load
 +	# these are overloaded userspace
 +	# permissions from systemd
 +	halt
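Review bot: `module_load` (class system) and `validate_trans` (class security) are added to the access-vector definitions only; nothing in this hunk grants them, and on a kernel that enforces `module_load` every domain that loads modules without a matching allow rule will start being denied, while on older kernels, as far as I know, rules granting it are simply inert. It would help to state in the commit description which domains are expected to receive the new permission and to confirm the module-loading domains are covered elsewhere in the patch, since only the `files_load_kernel_modules` interface later in this diff is visible here. Both class definitions start and end outside this hunk.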
@@ -1020,7 +1029,7 @@ index a94b169..7c036a8 100644
  #
  # Define the access vector interpretation for controlling
  # changes to passwd information.
-@@ -690,6 +713,8 @@ class nscd
+@@ -690,6 +715,8 @@ class nscd
  	shmemhost
  	getserv
  	shmemserv
@@ -1029,7 +1038,7 @@ index a94b169..7c036a8 100644
  }
  
  # Define the access vector interpretation for controlling
-@@ -831,6 +856,38 @@ inherits socket
+@@ -831,6 +858,38 @@ inherits socket
  	attach_queue
  }
  
@@ -1068,7 +1077,7 @@ index a94b169..7c036a8 100644
  class x_pointer
  inherits x_device
  
-@@ -865,3 +922,28 @@ inherits database
+@@ -865,3 +924,28 @@ inherits database
  	implement
  	execute
  }
@@ -2300,7 +2309,7 @@ index 688abc2..3d89250 100644
  /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
 +/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..48ab7f8 100644
+index 03ec5ca..102ccff 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
 @@ -58,6 +58,7 @@ template(`su_restricted_domain_template', `
@@ -2335,7 +2344,7 @@ index 03ec5ca..48ab7f8 100644
  	optional_policy(`
  		cron_read_pipes($1_su_t)
  	')
-@@ -172,14 +168,6 @@ template(`su_role_template',`
+@@ -172,15 +168,8 @@ template(`su_role_template',`
  	role $2 types $1_su_t;
  
  	allow $3 $1_su_t:process signal;
@@ -2348,9 +2357,11 @@ index 03ec5ca..48ab7f8 100644
 -	allow $1_su_t self:key { search write };
 -
  	allow $1_su_t $3:key search;
++    allow $1_su_t self:netlink_selinux_socket create_socket_perms;
  
  	# Transition from the user domain to this domain.
-@@ -194,125 +182,16 @@ template(`su_role_template',`
+ 	domtrans_pattern($3, su_exec_t, $1_su_t)
+@@ -194,125 +183,16 @@ template(`su_role_template',`
  	allow $3 $1_su_t:process sigchld;
  
  	kernel_read_system_state($1_su_t)
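Review bot: The added rule `allow $1_su_t self:netlink_selinux_socket create_socket_perms;` is indented with four spaces while every other line of su_role_template uses a tab; change the leading whitespace to a tab so the template stays consistent. The same spaces-for-tab slip appears later in this patch at `fs_search_tmpfs($1)` inside `files_search_tmp` in files.if. The rule is unrelated to the key-permission cleanup the surrounding lines record, so a short comment such as `# presumably for libselinux policy-change notifications — confirm with the caller that needs it` would tell the next reader why su opens this socket. su_role_template starts and ends outside this hunk.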
@@ -11235,7 +11246,7 @@ index b876c48..03f9342 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..e06a46c 100644
+index f962f76..fa12587 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -13199,7 +13210,33 @@ index f962f76..e06a46c 100644
  ')
  
  ########################################
-@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +5028,25 @@ interface(`files_kernel_modules_filetrans',`
+ 
+ ########################################
+ ## <summary>
++##	Load kernel module files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_load_kernel_modules',`
++	gen_require(`
++		type modules_object_t;
++	')
++
++	files_read_kernel_modules($1)
++	allow $1 modules_object_t:system module_load;
++')
++
++########################################
++## <summary>
+ ##	List world-readable directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4217,174 +5138,275 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -13346,91 +13383,61 @@ index f962f76..e06a46c 100644
  ## <summary>
 -##	Do not audit attempts to search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_tmp',`
--	gen_require(`
--		type tmp_t;
--	')
++## </param>
++#
 +interface(`files_relabelfrom_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
- 
--	dontaudit $1 tmp_t:dir search_dir_perms;
++
 +    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
- ')
- 
--########################################
++')
++
 +###################################
- ## <summary>
--##	Read the tmp directory (/tmp).
++## <summary>
 +##  Create files in /etc with the type used for
 +##  the manageable system config files.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  The type of the process performing this action.
 +##  </summary>
- ## </param>
- #
--interface(`files_list_tmp',`
--	gen_require(`
--		type tmp_t;
--	')
++## </param>
++#
 +interface(`files_etc_filetrans_system_conf',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
- 
--	allow $1 tmp_t:dir list_dir_perms;
++
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
- ')
- 
--########################################
++')
++
 +######################################
- ## <summary>
--##	Do not audit listing of the tmp directory (/tmp).
++## <summary>
 +##  Manage manageable system db files in /var/lib.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain not to audit.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`files_dontaudit_list_tmp',`
--	gen_require(`
--		type tmp_t;
--	')
++## </param>
++#
 +interface(`files_manage_system_db_files',`
 +     gen_require(`
 +         type var_lib_t, system_db_t;
 +    ')
- 
--	dontaudit $1 tmp_t:dir list_dir_perms;
++
 +     manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
 +     files_filetrans_system_db_named_files($1)
- ')
- 
--########################################
++')
++
 +#####################################
- ## <summary>
--##	Remove entries from the tmp directory.
++## <summary>
 +##  File name transition for system db files in /var/lib.
  ## </summary>
  ## <param name="domain">
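Review bot: `files_relabelfrom_system_conf_files` declares `type usr_t;` in its gen_require but the only type its body uses is `system_conf_t` (in the `relabelfrom_files_pattern` call); the require block should read `type system_conf_t;`. The build may still succeed because the type is declared in the same module, but a require block that lists an unused type and omits the used one misleads anyone auditing which types an interface touches. Less important, the `#` banners above `files_etc_filetrans_system_conf`, `files_manage_system_db_files` and the following interface are of differing lengths; matching the 40-character banner used elsewhere in files.if keeps the file tidy.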
@@ -13456,24 +13463,24 @@ index f962f76..e06a46c 100644
 +## </summary>
 +## <param name="file_type">
  ##	<summary>
--##	Domain allowed access.
+-##	Domain to not audit.
 +##	Type of the file to associate.
  ##	</summary>
  ## </param>
  #
--interface(`files_delete_tmp_dir_entry',`
+-interface(`files_dontaudit_search_tmp',`
 +interface(`files_associate_tmp',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	allow $1 tmp_t:dir del_entry_dir_perms;
+-	dontaudit $1 tmp_t:dir search_dir_perms;
 +	allow $1 tmp_t:filesystem associate;
  ')
  
  ########################################
  ## <summary>
--##	Read files in the tmp directory (/tmp).
+-##	Read the tmp directory (/tmp).
 +##	Allow the specified type to associate
 +##	to a filesystem with the type of the
 +##	/ file system
@@ -13486,42 +13493,43 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_read_generic_tmp_files',`
+-interface(`files_list_tmp',`
 +interface(`files_associate_rootfs',`
  	gen_require(`
 -		type tmp_t;
 +		type root_t;
  	')
  
--	read_files_pattern($1, tmp_t, tmp_t)
+-	allow $1 tmp_t:dir list_dir_perms;
 +	allow $1 root_t:filesystem associate;
  ')
  
  ########################################
  ## <summary>
--##	Manage temporary directories in /tmp.
+-##	Do not audit listing of the tmp directory (/tmp).
 +##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
+-##	Domain not to audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_tmp_dirs',`
+-interface(`files_dontaudit_list_tmp',`
 +interface(`files_getattr_tmp_dirs',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	manage_dirs_pattern($1, tmp_t, tmp_t)
+-	dontaudit $1 tmp_t:dir list_dir_perms;
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 tmp_t:dir getattr;
  ')
  
  ########################################
  ## <summary>
--##	Manage temporary files and directories in /tmp.
+-##	Remove entries from the tmp directory.
 +##	Do not audit attempts to check the 
 +##	access on tmp files
  ## </summary>
@@ -13532,20 +13540,20 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_tmp_files',`
+-interface(`files_delete_tmp_dir_entry',`
 +interface(`files_dontaudit_access_check_tmp',`
  	gen_require(`
 -		type tmp_t;
 +		type etc_t;
  	')
  
--	manage_files_pattern($1, tmp_t, tmp_t)
+-	allow $1 tmp_t:dir del_entry_dir_perms;
 +	dontaudit $1 tmp_t:dir_file_class_set audit_access;
  ')
  
  ########################################
  ## <summary>
--##	Read symbolic links in the tmp directory (/tmp).
+-##	Read files in the tmp directory (/tmp).
 +##	Do not audit attempts to get the
 +##	attributes of the tmp directory (/tmp).
  ## </summary>
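Review bot: `files_dontaudit_access_check_tmp` requires `type etc_t;` but its only rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the require block should be `type tmp_t;`. etc_t is never referenced in the body, and tmp_t is the type the rule actually depends on; the mismatch is carried over unchanged by this hunk.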
@@ -13556,34 +13564,34 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_read_generic_tmp_symlinks',`
+-interface(`files_read_generic_tmp_files',`
 +interface(`files_dontaudit_getattr_tmp_dirs',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	read_lnk_files_pattern($1, tmp_t, tmp_t)
+-	read_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir getattr;
  ')
  
  ########################################
  ## <summary>
--##	Read and write generic named sockets in the tmp directory (/tmp).
+-##	Manage temporary directories in /tmp.
 +##	Search the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
+@@ -4392,35 +5414,37 @@ interface(`files_read_generic_tmp_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_rw_generic_tmp_sockets',`
+-interface(`files_manage_generic_tmp_dirs',`
 +interface(`files_search_tmp',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	rw_sock_files_pattern($1, tmp_t, tmp_t)
+-	manage_dirs_pattern($1, tmp_t, tmp_t)
 +    fs_search_tmpfs($1)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 tmp_t:dir search_dir_perms;
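Review bot: `files_search_tmp` now grants `fs_search_tmpfs($1)` in addition to searching tmp_t, and the interface summary "Search the tmp directory (/tmp)" does not mention the extra tmpfs grant. A one-line comment above the call, `# /tmp is presumably tmpfs-mounted on some systems — confirm`, or a sentence in the summary would explain why a caller asking for /tmp search also receives tmpfs search. The comment is needed because the interface name alone does not suggest the wider grant.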
@@ -13591,7 +13599,7 @@ index f962f76..e06a46c 100644
  
  ########################################
  ## <summary>
--##	Set the attributes of all tmp directories.
+-##	Manage temporary files and directories in /tmp.
 +##	Do not audit attempts to search the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
@@ -13601,44 +13609,40 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_setattr_all_tmp_dirs',`
+-interface(`files_manage_generic_tmp_files',`
 +interface(`files_dontaudit_search_tmp',`
  	gen_require(`
--		attribute tmpfile;
-+		type tmp_t;
+ 		type tmp_t;
  	')
  
--	allow $1 tmpfile:dir { search_dir_perms setattr };
+-	manage_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	List all tmp directories.
+-##	Read symbolic links in the tmp directory (/tmp).
 +##	Read the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4428,53 +5452,55 @@ interface(`files_manage_generic_tmp_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_list_all_tmp',`
+-interface(`files_read_generic_tmp_symlinks',`
 +interface(`files_list_tmp',`
  	gen_require(`
--		attribute tmpfile;
-+		type tmp_t;
+ 		type tmp_t;
  	')
  
--	allow $1 tmpfile:dir list_dir_perms;
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ 	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 tmp_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Relabel to and from all temporary
--##	directory types.
+-##	Read and write generic named sockets in the tmp directory (/tmp).
 +##	Do not audit listing of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
@@ -13647,38 +13651,33 @@ index f962f76..e06a46c 100644
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`files_relabel_all_tmp_dirs',`
+-interface(`files_rw_generic_tmp_sockets',`
 +interface(`files_dontaudit_list_tmp',`
  	gen_require(`
--		attribute tmpfile;
--		type var_t;
-+		type tmp_t;
+ 		type tmp_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	relabel_dirs_pattern($1, tmpfile, tmpfile)
+-	rw_sock_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
 -########################################
 +#######################################
  ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all tmp files.
+-##	Set the attributes of all tmp directories.
 +##  Allow read and write to the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
 -##	<summary>
--##	Domain not to audit.
+-##	Domain allowed access.
 -##	</summary>
 +##  <summary>
 +##  Domain not to audit.
 +##  </summary>
  ## </param>
  #
--interface(`files_dontaudit_getattr_all_tmp_files',`
+-interface(`files_setattr_all_tmp_dirs',`
 -	gen_require(`
 -		attribute tmpfile;
 -	')
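Review bot: The param summary `+##  Domain not to audit.` belongs to an interface whose summary is "Allow read and write to the tmp directory (/tmp)" and whose body (visible in the next hunk) is an `allow` rule, so the text should be `##  Domain allowed access.`. The banner above that summary is also one `#` short of the 40-character banner used by the neighbouring interfaces. The interface's name line and body fall outside this hunk.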
@@ -13687,31 +13686,30 @@ index f962f76..e06a46c 100644
 +        type tmp_t;
 +    ')
  
--	dontaudit $1 tmpfile:file getattr;
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
 +    files_search_tmp($1)
 +    allow $1 tmp_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Allow attempts to get the attributes
--##	of all tmp files.
+-##	List all tmp directories.
 +##	Remove entries from the tmp directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4482,118 +5508,116 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_getattr_all_tmp_files',`
+-interface(`files_list_all_tmp',`
 +interface(`files_delete_tmp_dir_entry',`
  	gen_require(`
 -		attribute tmpfile;
 +		type tmp_t;
  	')
  
--	allow $1 tmpfile:file getattr;
+-	allow $1 tmpfile:dir list_dir_perms;
 +	files_search_tmp($1)
 +	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
@@ -13719,7 +13717,7 @@ index f962f76..e06a46c 100644
  ########################################
  ## <summary>
 -##	Relabel to and from all temporary
--##	file types.
+-##	directory types.
 +##	Read files in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
@@ -13729,7 +13727,7 @@ index f962f76..e06a46c 100644
  ## </param>
 -## <rolecap/>
  #
--interface(`files_relabel_all_tmp_files',`
+-interface(`files_relabel_all_tmp_dirs',`
 +interface(`files_read_generic_tmp_files',`
  	gen_require(`
 -		attribute tmpfile;
@@ -13738,14 +13736,14 @@ index f962f76..e06a46c 100644
  	')
  
 -	allow $1 var_t:dir search_dir_perms;
--	relabel_files_pattern($1, tmpfile, tmpfile)
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	read_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to get the attributes
--##	of all tmp sock_file.
+-##	of all tmp files.
 +##	Manage temporary directories in /tmp.
  ## </summary>
  ## <param name="domain">
@@ -13755,20 +13753,21 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
+-interface(`files_dontaudit_getattr_all_tmp_files',`
 +interface(`files_manage_generic_tmp_dirs',`
  	gen_require(`
 -		attribute tmpfile;
 +		type tmp_t;
  	')
  
--	dontaudit $1 tmpfile:sock_file getattr;
+-	dontaudit $1 tmpfile:file getattr;
 +	manage_dirs_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Read all tmp files.
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
 +##	Allow shared library text relocations in tmp files.
  ## </summary>
 +## <desc>
@@ -13785,21 +13784,93 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_read_all_tmp_files',`
+-interface(`files_getattr_all_tmp_files',`
 +interface(`files_execmod_tmp',`
  	gen_require(`
  		attribute tmpfile;
  	')
  
--	read_files_pattern($1, tmpfile, tmpfile)
+-	allow $1 tmpfile:file getattr;
 +	allow $1 tmpfile:file execmod;
  ')
  
  ########################################
  ## <summary>
+-##	Relabel to and from all temporary
+-##	file types.
++##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_manage_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_files_pattern($1, tmpfile, tmpfile)
++	manage_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp sock_file.
++##	Read symbolic links in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_read_generic_tmp_symlinks',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmpfile:sock_file getattr;
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all tmp files.
++##	Read and write generic named sockets in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4601,51 +5625,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
++interface(`files_rw_generic_tmp_sockets',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, tmpfile, tmpfile)
++	rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	Create an object in the tmp directories, with a private
 -##	type using a type transition.
-+##	Manage temporary files and directories in /tmp.
++##	Relabel a dir from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13823,28 +13894,28 @@ index f962f76..e06a46c 100644
 -## </param>
  #
 -interface(`files_tmp_filetrans',`
-+interface(`files_manage_generic_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
  	gen_require(`
  		type tmp_t;
  	')
  
 -	filetrans_pattern($1, tmp_t, $2, $3, $4)
-+	manage_files_pattern($1, tmp_t, tmp_t)
++	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
 -##	Delete the contents of /tmp.
-+##	Read symbolic links in the tmp directory (/tmp).
++##	Relabel a file from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
+@@ -4653,22 +5661,17 @@ interface(`files_tmp_filetrans',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_purge_tmp',`
-+interface(`files_read_generic_tmp_symlinks',`
++interface(`files_relabelfrom_tmp_files',`
  	gen_require(`
 -		attribute tmpfile;
 +		type tmp_t;
@@ -13856,80 +13927,80 @@ index f962f76..e06a46c 100644
 -	delete_lnk_files_pattern($1, tmpfile, tmpfile)
 -	delete_fifo_files_pattern($1, tmpfile, tmpfile)
 -	delete_sock_files_pattern($1, tmpfile, tmpfile)
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	relabelfrom_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
 -##	Set the attributes of the /usr directory.
-+##	Read and write generic named sockets in the tmp directory (/tmp).
++##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
+@@ -4676,17 +5679,17 @@ interface(`files_purge_tmp',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_setattr_usr_dirs',`
-+interface(`files_rw_generic_tmp_sockets',`
++interface(`files_setattr_all_tmp_dirs',`
  	gen_require(`
 -		type usr_t;
-+		type tmp_t;
++		attribute tmpfile;
  	')
  
 -	allow $1 usr_t:dir setattr;
-+	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmpfile:dir { search_dir_perms setattr };
  ')
  
  ########################################
  ## <summary>
 -##	Search the content of /usr.
-+##	Relabel a dir from the type used in /tmp.
++##	Allow caller to read inherited tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4694,18 +5697,17 @@ interface(`files_setattr_usr_dirs',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_search_usr',`
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_read_inherited_tmp_files',`
  	gen_require(`
 -		type usr_t;
-+		type tmp_t;
++		attribute tmpfile;
  	')
  
 -	allow $1 usr_t:dir search_dir_perms;
-+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++	allow $1 tmpfile:file { append read_inherited_file_perms };
  ')
  
  ########################################
  ## <summary>
 -##	List the contents of generic
 -##	directories in /usr.
-+##	Relabel a file from the type used in /tmp.
++##	Allow caller to append inherited tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
+@@ -4713,35 +5715,35 @@ interface(`files_search_usr',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_list_usr',`
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_append_inherited_tmp_files',`
  	gen_require(`
 -		type usr_t;
-+		type tmp_t;
++		attribute tmpfile;
  	')
  
 -	allow $1 usr_t:dir list_dir_perms;
-+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmpfile:file append_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit write of /usr dirs
-+##	Set the attributes of all tmp directories.
++##	Allow caller to read and write inherited tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
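Review bot: `files_read_inherited_tmp_files` grants `{ append read_inherited_file_perms }` while its name and summary promise read-only access, so a caller choosing the interface by name receives append (write) access to every inherited tmpfile file, wider than least privilege warrants. Either drop `append` and let callers that need it use `files_append_inherited_tmp_files`, which is defined immediately below, or document the extra permission in the summary, e.g. `##	Allow caller to read and append to inherited tmp files.`. The interface is complete within the hunk.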
@@ -13939,43 +14010,44 @@ index f962f76..e06a46c 100644
  ## </param>
  #
 -interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
++interface(`files_rw_inherited_tmp_file',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
 -	dontaudit $1 usr_t:dir write;
-+	allow $1 tmpfile:dir { search_dir_perms setattr };
++	allow $1 tmpfile:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Add and remove entries from /usr directories.
-+##	Allow caller to read inherited tmp files.
++##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4749,54 +5751,59 @@ interface(`files_dontaudit_write_usr_dirs',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_rw_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_list_all_tmp',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
 -	allow $1 usr_t:dir rw_dir_perms;
-+	allow $1 tmpfile:file { append read_inherited_file_perms };
++	allow $1 tmpfile:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to add and remove
 -##	entries from /usr directories.
-+##	Allow caller to append inherited tmp files.
++##	Relabel to and from all temporary
++##	directory types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
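Review bot: `files_rw_inherited_tmp_file` is singular while its siblings `files_read_inherited_tmp_files` and `files_append_inherited_tmp_files` are plural; renaming it to `files_rw_inherited_tmp_files` keeps the trio discoverable, provided no caller elsewhere in the patch already depends on the singular form, which is not visible here. The interface is complete within the hunk.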
@@ -13983,67 +14055,73 @@ index f962f76..e06a46c 100644
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
 -interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
++		type var_t;
  	')
  
 -	dontaudit $1 usr_t:dir rw_dir_perms;
-+	allow $1 tmpfile:file append_inherited_file_perms;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
  ## <summary>
 -##	Delete generic directories in /usr in the caller domain.
-+##	Allow caller to read and write inherited tmp files.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`files_delete_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
 -	delete_dirs_pattern($1, usr_t, usr_t)
-+	allow $1 tmpfile:file rw_inherited_file_perms;
++	dontaudit $1 tmpfile:file getattr;
  ')
  
  ########################################
  ## <summary>
 -##	Delete generic files in /usr in the caller domain.
-+##	List all tmp directories.
++##	Allow attempts to get the attributes
++##	of all tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4804,73 +5811,58 @@ interface(`files_delete_usr_dirs',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_delete_usr_files',`
-+interface(`files_list_all_tmp',`
++interface(`files_getattr_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
 -	delete_files_pattern($1, usr_t, usr_t)
-+	allow $1 tmpfile:dir list_dir_perms;
++	allow $1 tmpfile:file getattr;
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of files in /usr.
 +##	Relabel to and from all temporary
-+##	directory types.
++##	file types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14053,7 +14131,7 @@ index f962f76..e06a46c 100644
 +## <rolecap/>
  #
 -interface(`files_getattr_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_relabel_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
@@ -14062,14 +14140,14 @@ index f962f76..e06a46c 100644
  
 -	getattr_files_pattern($1, usr_t, usr_t)
 +	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	relabel_files_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
  ## <summary>
 -##	Read generic files in /usr.
 +##	Do not audit attempts to get the attributes
-+##	of all tmp files.
++##	of all tmp sock_file.
  ## </summary>
 -## <desc>
 -##	<p>
@@ -14097,7 +14175,7 @@ index f962f76..e06a46c 100644
 -## <infoflow type="read" weight="10"/>
  #
 -interface(`files_read_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
@@ -14106,23 +14184,22 @@ index f962f76..e06a46c 100644
 -	allow $1 usr_t:dir list_dir_perms;
 -	read_files_pattern($1, usr_t, usr_t)
 -	read_lnk_files_pattern($1, usr_t, usr_t)
-+	dontaudit $1 tmpfile:file getattr;
++	dontaudit $1 tmpfile:sock_file getattr;
  ')
  
  ########################################
  ## <summary>
 -##	Execute generic programs in /usr in the caller domain.
-+##	Allow attempts to get the attributes
-+##	of all tmp files.
++##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
+@@ -4878,19 +5870,18 @@ interface(`files_read_usr_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_exec_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_read_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
@@ -14131,109 +14208,35 @@ index f962f76..e06a46c 100644
 -	allow $1 usr_t:dir list_dir_perms;
 -	exec_files_pattern($1, usr_t, usr_t)
 -	read_lnk_files_pattern($1, usr_t, usr_t)
-+	allow $1 tmpfile:file getattr;
- ')
- 
- ########################################
- ## <summary>
--##	dontaudit write of /usr files
-+##	Relabel to and from all temporary
-+##	file types.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`files_dontaudit_write_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
- 	gen_require(`
--		type usr_t;
-+		attribute tmpfile;
-+		type var_t;
- 	')
- 
--	dontaudit $1 usr_t:file write;
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_files_pattern($1, tmpfile, tmpfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete files in the /usr directory.
-+##	Do not audit attempts to get the attributes
-+##	of all tmp sock_file.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
- 	gen_require(`
--		type usr_t;
-+		attribute tmpfile;
- 	')
- 
--	manage_files_pattern($1, usr_t, usr_t)
-+	dontaudit $1 tmpfile:sock_file getattr;
- ')
- 
- ########################################
- ## <summary>
--##	Relabel a file to the type used in /usr.
-+##	Read all tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_relabelto_usr_files',`
-+interface(`files_read_all_tmp_files',`
- 	gen_require(`
--		type usr_t;
-+		attribute tmpfile;
- 	')
- 
--	relabelto_files_pattern($1, usr_t, usr_t)
 +	read_files_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
  ## <summary>
--##	Relabel a file from the type used in /usr.
+-##	dontaudit write of /usr files
 +##	Do not audit attempts to read or write
 +##	all leaked tmpfiles files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -4898,71 +5889,70 @@ interface(`files_exec_usr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_relabelfrom_usr_files',`
+-interface(`files_dontaudit_write_usr_files',`
 +interface(`files_dontaudit_tmp_file_leaks',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	relabelfrom_files_pattern($1, usr_t, usr_t)
+-	dontaudit $1 usr_t:file write;
 +	dontaudit $1 tmpfile:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Read symbolic links in /usr.
+-##	Create, read, write, and delete files in the /usr directory.
 +##	Do allow attempts to read or write
 +##	all leaked tmpfiles files.
  ## </summary>
@@ -14244,20 +14247,20 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_read_usr_symlinks',`
+-interface(`files_manage_usr_files',`
 +interface(`files_rw_tmp_file_leaks',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	read_lnk_files_pattern($1, usr_t, usr_t)
+-	manage_files_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create objects in the /usr directory
+-##	Relabel a file to the type used in /usr.
 +##	Create an object in the tmp directories, with a private
 +##	type using a type transition.
  ## </summary>
@@ -14266,56 +14269,67 @@ index f962f76..e06a46c 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="file_type">
+-#
+-interface(`files_relabelto_usr_files',`
+-	gen_require(`
+-		type usr_t;
+-	')
+-
+-	relabelto_files_pattern($1, usr_t, usr_t)
+-')
+-
+-########################################
+-## <summary>
+-##	Relabel a file from the type used in /usr.
+-## </summary>
+-## <param name="domain">
 +## <param name="private type">
  ##	<summary>
--##	The type of the object to be created
+-##	Domain allowed access.
 +##	The type of the object to be created.
- ##	</summary>
- ## </param>
--## <param name="object_class">
++##	</summary>
++## </param>
 +## <param name="object">
- ##	<summary>
--##	The object class.
++##	<summary>
 +##	The object class of the object being created.
- ##	</summary>
- ## </param>
- ## <param name="name" optional="true">
-@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
  ##	</summary>
  ## </param>
  #
--interface(`files_usr_filetrans',`
+-interface(`files_relabelfrom_usr_files',`
 +interface(`files_tmp_filetrans',`
  	gen_require(`
 -		type usr_t;
 +		type tmp_t;
  	')
  
--	filetrans_pattern($1, usr_t, $2, $3, $4)
+-	relabelfrom_files_pattern($1, usr_t, usr_t)
 +	filetrans_pattern($1, tmp_t, $2, $3, $4)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search /usr/src.
+-##	Read symbolic links in /usr.
 +##	Delete the contents of /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -4970,68 +5960,69 @@ interface(`files_relabelfrom_usr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_search_src',`
+-interface(`files_read_usr_symlinks',`
 +interface(`files_purge_tmp',`
  	gen_require(`
--		type src_t;
+-		type usr_t;
 +		attribute tmpfile;
  	')
  
--	dontaudit $1 src_t:dir search_dir_perms;
+-	read_lnk_files_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:dir list_dir_perms;
 +	delete_dirs_pattern($1, tmpfile, tmpfile)
 +	delete_files_pattern($1, tmpfile, tmpfile)
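Review bot: The parameter documentation for files_tmp_filetrans names its second parameter `private type` with a space, whereas the neighbouring interfaces (and the upstream docs removed in this same hunk) use underscore identifiers such as `file_type` and `object_class`; since the name attribute is consumed by the interface documentation generator, `## <param name="private_type">` would be the consistent spelling. The newly added `## <param name="object">` and `## <param name="name" optional="true">` blocks otherwise follow the convention. The body of files_purge_tmp continues past the end of this hunk.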
@@ -14336,81 +14350,92 @@ index f962f76..e06a46c 100644
  
  ########################################
  ## <summary>
--##	Get the attributes of files in /usr/src.
+-##	Create objects in the /usr directory
 +##	Set the attributes of the /usr directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
  #
--interface(`files_getattr_usr_src_files',`
+-interface(`files_usr_filetrans',`
 +interface(`files_setattr_usr_dirs',`
  	gen_require(`
--		type usr_t, src_t;
-+		type usr_t;
+ 		type usr_t;
  	')
  
--	getattr_files_pattern($1, src_t, src_t)
--
--	# /usr/src/linux symlink:
--	read_lnk_files_pattern($1, usr_t, src_t)
+-	filetrans_pattern($1, usr_t, $2, $3, $4)
 +	allow $1 usr_t:dir setattr;
  ')
  
  ########################################
  ## <summary>
--##	Read files in /usr/src.
+-##	Do not audit attempts to search /usr/src.
 +##	Search the content of /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_read_usr_src_files',`
+-interface(`files_dontaudit_search_src',`
 +interface(`files_search_usr',`
  	gen_require(`
--		type usr_t, src_t;
+-		type src_t;
 +		type usr_t;
  	')
  
- 	allow $1 usr_t:dir search_dir_perms;
--	read_files_pattern($1, { usr_t src_t }, src_t)
--	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
--	allow $1 src_t:dir list_dir_perms;
+-	dontaudit $1 src_t:dir search_dir_perms;
++	allow $1 usr_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Execute programs in /usr/src in the caller domain.
+-##	Get the attributes of files in /usr/src.
 +##	List the contents of generic
 +##	directories in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
+@@ -5039,41 +6030,35 @@ interface(`files_dontaudit_search_src',`
  ##	</summary>
  ## </param>
  #
--interface(`files_exec_usr_src_files',`
+-interface(`files_getattr_usr_src_files',`
 +interface(`files_list_usr',`
  	gen_require(`
 -		type usr_t, src_t;
 +		type usr_t;
  	')
  
--	list_dirs_pattern($1, usr_t, src_t)
--	exec_files_pattern($1, src_t, src_t)
--	read_lnk_files_pattern($1, src_t, src_t)
+-	getattr_files_pattern($1, src_t, src_t)
+-
+-	# /usr/src/linux symlink:
+-	read_lnk_files_pattern($1, usr_t, src_t)
 +	allow $1 usr_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Install a system.map into the /boot directory.
+-##	Read files in /usr/src.
 +##	Do not audit write of /usr dirs
  ## </summary>
  ## <param name="domain">
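Review bot: In the inner hunk for files_search_usr the rule `allow $1 usr_t:dir search_dir_perms;` appears once as a context line and again as an added line, so after the patch applies the interface would hold the same rule twice — unless the base's files_dontaudit_search_src already contains that line, which the removed upstream body `dontaudit $1 src_t:dir search_dir_perms;` suggests it does not. A duplicated allow merges harmlessly in the compiled policy, but it means the context does not match the base and the hunk may only apply with fuzz; regenerating this inner hunk against the new base would make the intent unambiguous. Separately, the summary for files_dontaudit_write_usr_dirs reads `Do not audit write of /usr dirs` and the one for files_dontaudit_write_usr_files in the later `@@ -14617,121 +14645,119 @@` hunk reads `dontaudit write of /usr files`; both would be clearer as `Do not audit attempts to write …`, matching the wording of the other dontaudit interfaces in this file.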
@@ -14420,44 +14445,47 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_create_kernel_symbol_table',`
+-interface(`files_read_usr_src_files',`
 +interface(`files_dontaudit_write_usr_dirs',`
  	gen_require(`
--		type boot_t, system_map_t;
+-		type usr_t, src_t;
 +		type usr_t;
  	')
  
--	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
--	allow $1 system_map_t:file { create_file_perms rw_file_perms };
+-	allow $1 usr_t:dir search_dir_perms;
+-	read_files_pattern($1, { usr_t src_t }, src_t)
+-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+-	allow $1 src_t:dir list_dir_perms;
 +	dontaudit $1 usr_t:dir write;
  ')
  
  ########################################
  ## <summary>
--##	Read system.map in the /boot directory.
+-##	Execute programs in /usr/src in the caller domain.
 +##	Add and remove entries from /usr directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5081,38 +6066,36 @@ interface(`files_read_usr_src_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_kernel_symbol_table',`
+-interface(`files_exec_usr_src_files',`
 +interface(`files_rw_usr_dirs',`
  	gen_require(`
--		type boot_t, system_map_t;
+-		type usr_t, src_t;
 +		type usr_t;
  	')
  
--	allow $1 boot_t:dir list_dir_perms;
--	read_files_pattern($1, boot_t, system_map_t)
+-	list_dirs_pattern($1, usr_t, src_t)
+-	exec_files_pattern($1, src_t, src_t)
+-	read_lnk_files_pattern($1, src_t, src_t)
 +	allow $1 usr_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Delete a system.map in the /boot directory.
+-##	Install a system.map into the /boot directory.
 +##	Do not audit attempts to add and remove
 +##	entries from /usr directories.
  ## </summary>
@@ -14468,89 +14496,89 @@ index f962f76..e06a46c 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_delete_kernel_symbol_table',`
+-interface(`files_create_kernel_symbol_table',`
 +interface(`files_dontaudit_rw_usr_dirs',`
  	gen_require(`
 -		type boot_t, system_map_t;
 +		type usr_t;
  	')
  
--	allow $1 boot_t:dir list_dir_perms;
--	delete_files_pattern($1, boot_t, system_map_t)
+-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
 +	dontaudit $1 usr_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Search the contents of /var.
+-##	Read system.map in the /boot directory.
 +##	Delete generic directories in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5120,18 +6103,17 @@ interface(`files_create_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
--interface(`files_search_var',`
+-interface(`files_read_kernel_symbol_table',`
 +interface(`files_delete_usr_dirs',`
  	gen_require(`
--		type var_t;
+-		type boot_t, system_map_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
+-	allow $1 boot_t:dir list_dir_perms;
+-	read_files_pattern($1, boot_t, system_map_t)
 +	delete_dirs_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to write to /var.
+-##	Delete a system.map in the /boot directory.
 +##	Delete generic files in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -5139,18 +6121,17 @@ interface(`files_read_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_write_var_dirs',`
+-interface(`files_delete_kernel_symbol_table',`
 +interface(`files_delete_usr_files',`
  	gen_require(`
--		type var_t;
+-		type boot_t, system_map_t;
 +		type usr_t;
  	')
  
--	dontaudit $1 var_t:dir write;
+-	allow $1 boot_t:dir list_dir_perms;
+-	delete_files_pattern($1, boot_t, system_map_t)
 +	delete_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Allow attempts to write to /var.dirs
+-##	Search the contents of /var.
 +##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5158,35 +6139,55 @@ interface(`files_delete_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
--interface(`files_write_var_dirs',`
+-interface(`files_search_var',`
 +interface(`files_getattr_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir write;
+-	allow $1 var_t:dir search_dir_perms;
 +	getattr_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search
--##	the contents of /var.
+-##	Do not audit attempts to write to /var.
 +##	Read generic files in /usr.
  ## </summary>
 +## <desc>
@@ -14578,14 +14606,14 @@ index f962f76..e06a46c 100644
  ## </param>
 +## <infoflow type="read" weight="10"/>
  #
--interface(`files_dontaudit_search_var',`
+-interface(`files_dontaudit_write_var_dirs',`
 +interface(`files_read_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	dontaudit $1 var_t:dir search_dir_perms;
+-	dontaudit $1 var_t:dir write;
 +	allow $1 usr_t:dir list_dir_perms;
 +	read_files_pattern($1, usr_t, usr_t)
 +	read_lnk_files_pattern($1, usr_t, usr_t)
@@ -14593,23 +14621,23 @@ index f962f76..e06a46c 100644
  
  ########################################
  ## <summary>
--##	List the contents of /var.
+-##	Allow attempts to write to /var.dirs
 +##	Execute generic programs in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5194,18 +6195,19 @@ interface(`files_dontaudit_write_var_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_list_var',`
+-interface(`files_write_var_dirs',`
 +interface(`files_exec_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir list_dir_perms;
+-	allow $1 var_t:dir write;
 +	allow $1 usr_t:dir list_dir_perms;
 +	exec_files_pattern($1, usr_t, usr_t)
 +	read_lnk_files_pattern($1, usr_t, usr_t)
@@ -14617,121 +14645,119 @@ index f962f76..e06a46c 100644
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories
--##	in the /var directory.
+-##	Do not audit attempts to search
+-##	the contents of /var.
 +##	dontaudit write of /usr files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -5213,17 +6215,17 @@ interface(`files_write_var_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_var_dirs',`
+-interface(`files_dontaudit_search_var',`
 +interface(`files_dontaudit_write_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir manage_dir_perms;
+-	dontaudit $1 var_t:dir search_dir_perms;
 +	dontaudit $1 usr_t:file write;
  ')
  
  ########################################
  ## <summary>
--##	Read files in the /var directory.
+-##	List the contents of /var.
 +##	Create, read, write, and delete files in the /usr directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
+@@ -5231,18 +6233,17 @@ interface(`files_dontaudit_search_var',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_var_files',`
+-interface(`files_list_var',`
 +interface(`files_manage_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	read_files_pattern($1, var_t, var_t)
+-	allow $1 var_t:dir list_dir_perms;
 +	manage_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Append files in the /var directory.
+-##	Create, read, write, and delete directories
+-##	in the /var directory.
 +##	Relabel a file to the type used in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
+@@ -5250,17 +6251,17 @@ interface(`files_list_var',`
  ##	</summary>
  ## </param>
  #
--interface(`files_append_var_files',`
+-interface(`files_manage_var_dirs',`
 +interface(`files_relabelto_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	append_files_pattern($1, var_t, var_t)
+-	allow $1 var_t:dir manage_dir_perms;
 +	relabelto_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Read and write files in the /var directory.
+-##	Read files in the /var directory.
 +##	Relabel a file from the type used in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
+@@ -5268,17 +6269,17 @@ interface(`files_manage_var_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_rw_var_files',`
+-interface(`files_read_var_files',`
 +interface(`files_relabelfrom_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	rw_files_pattern($1, var_t, var_t)
+-	read_files_pattern($1, var_t, var_t)
 +	relabelfrom_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to read and write
--##	files in the /var directory.
+-##	Append files in the /var directory.
 +##	Read symbolic links in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -5286,36 +6287,50 @@ interface(`files_read_var_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_rw_var_files',`
+-interface(`files_append_var_files',`
 +interface(`files_read_usr_symlinks',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	dontaudit $1 var_t:file rw_file_perms;
+-	append_files_pattern($1, var_t, var_t)
 +	read_lnk_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete files in the /var directory.
+-##	Read and write files in the /var directory.
 +##	Create objects in the /usr directory
  ## </summary>
  ## <param name="domain">
@@ -14755,60 +14781,59 @@ index f962f76..e06a46c 100644
 +##	</summary>
 +## </param>
  #
--interface(`files_manage_var_files',`
+-interface(`files_rw_var_files',`
 +interface(`files_usr_filetrans',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	manage_files_pattern($1, var_t, var_t)
+-	rw_files_pattern($1, var_t, var_t)
 +	filetrans_pattern($1, usr_t, $2, $3, $4)
  ')
  
  ########################################
  ## <summary>
--##	Read symbolic links in the /var directory.
+-##	Do not audit attempts to read and write
+-##	files in the /var directory.
 +##	Do not audit attempts to search /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -5323,17 +6338,17 @@ interface(`files_rw_var_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_var_symlinks',`
+-interface(`files_dontaudit_rw_var_files',`
 +interface(`files_dontaudit_search_src',`
  	gen_require(`
 -		type var_t;
 +		type src_t;
  	')
  
--	read_lnk_files_pattern($1, var_t, var_t)
+-	dontaudit $1 var_t:file rw_file_perms;
 +	dontaudit $1 src_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete symbolic
--##	links in the /var directory.
+-##	Create, read, write, and delete files in the /var directory.
 +##	Get the attributes of files in /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
+@@ -5341,17 +6356,20 @@ interface(`files_dontaudit_rw_var_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_var_symlinks',`
+-interface(`files_manage_var_files',`
 +interface(`files_getattr_usr_src_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t, src_t;
  	')
  
--	manage_lnk_files_pattern($1, var_t, var_t)
+-	manage_files_pattern($1, var_t, var_t)
 +	getattr_files_pattern($1, src_t, src_t)
 +
 +	# /usr/src/linux symlink:
@@ -14817,11 +14842,61 @@ index f962f76..e06a46c 100644
  
  ########################################
  ## <summary>
--##	Create objects in the /var directory
+-##	Read symbolic links in the /var directory.
 +##	Read files in /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
+@@ -5359,18 +6377,20 @@ interface(`files_manage_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_read_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, var_t, var_t)
++	allow $1 usr_t:dir search_dir_perms;
++	read_files_pattern($1, { usr_t src_t }, src_t)
++	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++	allow $1 src_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete symbolic
+-##	links in the /var directory.
++##	Execute programs in /usr/src in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5378,120 +6398,94 @@ interface(`files_read_var_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_exec_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	manage_lnk_files_pattern($1, var_t, var_t)
++	list_dirs_pattern($1, usr_t, src_t)
++	exec_files_pattern($1, src_t, src_t)
++	read_lnk_files_pattern($1, src_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var directory
++##	Install a system.map into the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -14842,47 +14917,44 @@ index f962f76..e06a46c 100644
 -## </param>
  #
 -interface(`files_var_filetrans',`
-+interface(`files_read_usr_src_files',`
++interface(`files_create_kernel_symbol_table',`
  	gen_require(`
 -		type var_t;
-+		type usr_t, src_t;
++		type boot_t, system_map_t;
  	')
  
 -	filetrans_pattern($1, var_t, $2, $3, $4)
-+	allow $1 usr_t:dir search_dir_perms;
-+	read_files_pattern($1, { usr_t src_t }, src_t)
-+	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+	allow $1 src_t:dir list_dir_perms;
++	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++	allow $1 system_map_t:file { create_file_perms rw_file_perms };
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of the /var/lib directory.
-+##	Execute programs in /usr/src in the caller domain.
++##	Dontaudit getattr attempts on the system.map file
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`files_getattr_var_lib_dirs',`
-+interface(`files_exec_usr_src_files',`
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
  	gen_require(`
 -		type var_t, var_lib_t;
-+		type usr_t, src_t;
++		type system_map_t;
  	')
  
 -	getattr_dirs_pattern($1, var_t, var_lib_t)
-+	list_dirs_pattern($1, usr_t, src_t)
-+	exec_files_pattern($1, src_t, src_t)
-+	read_lnk_files_pattern($1, src_t, src_t)
++	dontaudit $1 system_map_t:file getattr;
  ')
  
  ########################################
  ## <summary>
 -##	Search the /var/lib directory.
-+##	Install a system.map into the /boot directory.
++##	Read system.map in the /boot directory.
  ## </summary>
 -## <desc>
 -##	<p>
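Review bot: The interface added here as `files_dontaduit_getattr_kernel_symbol_table` carries a transposed "dontaduit" in its name, so every caller has to reproduce the typo and a search for dontaudit_ interfaces will miss it. Renaming it outright would break any existing caller elsewhere in the policy, so the usual fix is to add `files_dontaudit_getattr_kernel_symbol_table` with the same body and keep the misspelled name as a thin wrapper that calls it, then migrate callers. The rule itself, `dontaudit $1 system_map_t:file getattr;`, matches its summary.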
@@ -14905,92 +14977,93 @@ index f962f76..e06a46c 100644
 -## <infoflow type="read" weight="5"/>
  #
 -interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
++interface(`files_read_kernel_symbol_table',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type boot_t, system_map_t;
  	')
  
 -	search_dirs_pattern($1, var_t, var_lib_t)
-+	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++	allow $1 boot_t:dir list_dir_perms;
++	read_files_pattern($1, boot_t, system_map_t)
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to search the
 -##	contents of /var/lib.
-+##	Dontaudit getattr attempts on the system.map file
++##	Delete a system.map in the /boot directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain to not audit.
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
 -## <infoflow type="read" weight="5"/>
  #
 -interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
++interface(`files_delete_kernel_symbol_table',`
  	gen_require(`
 -		type var_lib_t;
-+		type system_map_t;
++		type boot_t, system_map_t;
  	')
  
 -	dontaudit $1 var_lib_t:dir search_dir_perms;
-+	dontaudit $1 system_map_t:file getattr;
++	allow $1 boot_t:dir list_dir_perms;
++	delete_files_pattern($1, boot_t, system_map_t)
  ')
  
  ########################################
  ## <summary>
 -##	List the contents of the /var/lib directory.
-+##	Read system.map in the /boot directory.
++##	Search the contents of /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,88 +6493,72 @@ interface(`files_dontaudit_search_var_lib',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_list_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
++interface(`files_search_var',`
  	gen_require(`
 -		type var_t, var_lib_t;
-+		type boot_t, system_map_t;
++		type var_t;
  	')
  
 -	list_dirs_pattern($1, var_t, var_lib_t)
-+	allow $1 boot_t:dir list_dir_perms;
-+	read_files_pattern($1, boot_t, system_map_t)
++	allow $1 var_t:dir search_dir_perms;
  ')
  
 -###########################################
 +########################################
  ## <summary>
 -##	Read-write /var/lib directories
-+##	Delete a system.map in the /boot directory.
++##	Do not audit attempts to write to /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`files_rw_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_write_var_dirs',`
  	gen_require(`
 -		type var_lib_t;
-+		type boot_t, system_map_t;
++		type var_t;
  	')
  
 -	rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+	allow $1 boot_t:dir list_dir_perms;
-+	delete_files_pattern($1, boot_t, system_map_t)
++	dontaudit $1 var_t:dir write;
  ')
  
  ########################################
  ## <summary>
 -##	Create objects in the /var/lib directory
-+##	Search the contents of /var.
++##	Allow attempts to write to /var.dirs
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15014,20 +15087,22 @@ index f962f76..e06a46c 100644
 -## </param>
  #
 -interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
++interface(`files_write_var_dirs',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_t:dir search_dir_perms;
 -	filetrans_pattern($1, var_lib_t, $2, $3, $4)
++	allow $1 var_t:dir write;
  ')
  
  ########################################
  ## <summary>
 -##	Read generic files in /var/lib.
-+##	Do not audit attempts to write to /var.
++##	Do not audit attempts to search
++##	the contents of /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15037,7 +15112,7 @@ index f962f76..e06a46c 100644
  ## </param>
  #
 -interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
++interface(`files_dontaudit_search_var',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
@@ -15045,29 +15120,29 @@ index f962f76..e06a46c 100644
  
 -	allow $1 var_lib_t:dir list_dir_perms;
 -	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+	dontaudit $1 var_t:dir write;
++	dontaudit $1 var_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Read generic symbolic links in /var/lib
-+##	Allow attempts to write to /var.dirs
++##	List the contents of /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6566,36 @@ interface(`files_read_var_lib_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_read_var_lib_symlinks',`
-+interface(`files_write_var_dirs',`
++interface(`files_list_var',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
  	')
  
 -	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+	allow $1 var_t:dir write;
++	allow $1 var_t:dir list_dir_perms;
  ')
  
 -# cjp: the next two interfaces really need to be fixed
@@ -15077,8 +15152,7 @@ index f962f76..e06a46c 100644
  ## <summary>
 -##	Create, read, write, and delete the
 -##	pseudorandom number generator seed.
-+##	Do not audit attempts to search
-+##	the contents of /var.
++##	Do not audit listing of the var directory (/var).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15088,7 +15162,7 @@ index f962f76..e06a46c 100644
  ## </param>
  #
 -interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_search_var',`
++interface(`files_dontaudit_list_var',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
@@ -15096,23 +15170,24 @@ index f962f76..e06a46c 100644
  
 -	allow $1 var_t:dir search_dir_perms;
 -	manage_files_pattern($1, var_lib_t, var_lib_t)
-+	dontaudit $1 var_t:dir search_dir_perms;
++	dontaudit $1 var_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Allow domain to manage mount tables
 -##	necessary for rpcd, nfsd, etc.
-+##	List the contents of /var.
++##	Create, read, write, and delete directories
++##	in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,18 +6603,17 @@ interface(`files_manage_urandom_seed',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_manage_mounttab',`
-+interface(`files_list_var',`
++interface(`files_manage_var_dirs',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
@@ -15120,46 +15195,44 @@ index f962f76..e06a46c 100644
  
 -	allow $1 var_t:dir search_dir_perms;
 -	manage_files_pattern($1, var_lib_t, var_lib_t)
-+	allow $1 var_t:dir list_dir_perms;
++	allow $1 var_t:dir manage_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Set the attributes of the generic lock directories.
-+##	Do not audit listing of the var directory (/var).
++##	Read files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -5649,17 +6621,17 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_setattr_lock_dirs',`
-+interface(`files_dontaudit_list_var',`
++interface(`files_read_var_files',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
  	')
  
 -	setattr_dirs_pattern($1, var_t, var_lock_t)
-+	dontaudit $1 var_t:dir list_dir_perms;
++	read_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -##	Search the locks directory (/var/lock).
-+##	Create, read, write, and delete directories
-+##	in the /var directory.
++##	Append files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,58 +6639,54 @@ interface(`files_setattr_lock_dirs',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
++interface(`files_append_var_files',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15167,14 +15240,14 @@ index f962f76..e06a46c 100644
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	search_dirs_pattern($1, var_t, var_lock_t)
-+	allow $1 var_t:dir manage_dir_perms;
++	append_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to search the
 -##	locks directory (/var/lock).
-+##	Read files in the /var directory.
++##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15184,7 +15257,7 @@ index f962f76..e06a46c 100644
  ## </param>
  #
 -interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
++interface(`files_rw_var_files',`
  	gen_require(`
 -		type var_lock_t;
 +		type var_t;
@@ -15192,22 +15265,24 @@ index f962f76..e06a46c 100644
  
 -	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	dontaudit $1 var_lock_t:dir search_dir_perms;
-+	read_files_pattern($1, var_t, var_t)
++	rw_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -##	List generic lock directories.
-+##	Append files in the /var directory.
++##	Do not audit attempts to read and write
++##	files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`files_list_locks',`
-+interface(`files_append_var_files',`
++interface(`files_dontaudit_rw_var_files',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15215,23 +15290,23 @@ index f962f76..e06a46c 100644
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	list_dirs_pattern($1, var_t, var_lock_t)
-+	append_files_pattern($1, var_t, var_t)
++	dontaudit $1 var_t:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Add and remove entries in the /var/lock
 -##	directories.
-+##	Read and write files in the /var directory.
++##	Create, read, write, and delete files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
+@@ -5726,81 +6694,88 @@ interface(`files_list_locks',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
++interface(`files_manage_var_files',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15239,25 +15314,24 @@ index f962f76..e06a46c 100644
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	rw_dirs_pattern($1, var_t, var_lock_t)
-+	rw_files_pattern($1, var_t, var_t)
++	manage_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -## 	Create lock directories
-+##	Do not audit attempts to read and write
-+##	files in the /var directory.
++##	Read symbolic links in the /var directory.
  ## </summary>
  ## <param name="domain">
 -## 	<summary>
 -##	Domain allowed access
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_var_symlinks',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15266,13 +15340,14 @@ index f962f76..e06a46c 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	create_dirs_pattern($1, var_lock_t, var_lock_t)
-+	dontaudit $1 var_t:file rw_inherited_file_perms;
++	read_lnk_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -##	Relabel to and from all lock directory types.
-+##	Create, read, write, and delete files in the /var directory.
++##	Create, read, write, and delete symbolic
++##	links in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15282,7 +15357,7 @@ index f962f76..e06a46c 100644
 -## <rolecap/>
  #
 -interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
++interface(`files_manage_var_symlinks',`
  	gen_require(`
 -		attribute lockfile;
 -		type var_t, var_lock_t;
@@ -15292,63 +15367,12 @@ index f962f76..e06a46c 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	relabel_dirs_pattern($1, lockfile, lockfile)
-+	manage_files_pattern($1, var_t, var_t)
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of generic lock files.
-+##	Read symbolic links in the /var directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- 	gen_require(`
--		type var_t, var_lock_t;
-+		type var_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 var_lock_t:dir list_dir_perms;
--	getattr_files_pattern($1, var_lock_t, var_lock_t)
-+	read_lnk_files_pattern($1, var_t, var_t)
- ')
- 
- ########################################
- ## <summary>
--##	Delete generic lock files.
-+##	Create, read, write, and delete symbolic
-+##	links in the /var directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- 	gen_require(`
--		type var_t, var_lock_t;
-+		type var_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, var_lock_t, var_lock_t)
 +	manage_lnk_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete generic
--##	lock files.
+-##	Get the attributes of generic lock files.
 +##	Create objects in the /var directory
  ## </summary>
  ## <param name="domain">
@@ -15372,7 +15396,7 @@ index f962f76..e06a46c 100644
 +##	</summary>
 +## </param>
  #
--interface(`files_manage_generic_locks',`
+-interface(`files_getattr_generic_locks',`
 +interface(`files_var_filetrans',`
  	gen_require(`
 -		type var_t, var_lock_t;
@@ -15381,68 +15405,65 @@ index f962f76..e06a46c 100644
  
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	manage_dirs_pattern($1, var_lock_t, var_lock_t)
--	manage_files_pattern($1, var_lock_t, var_lock_t)
+-	allow $1 var_lock_t:dir list_dir_perms;
+-	getattr_files_pattern($1, var_lock_t, var_lock_t)
 +	filetrans_pattern($1, var_t, $2, $3, $4)
  ')
  
 +
  ########################################
  ## <summary>
--##	Delete all lock files.
+-##	Delete generic lock files.
 +## Relabel dirs in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -5808,20 +6783,16 @@ interface(`files_getattr_generic_locks',`
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`files_delete_all_locks',`
+-interface(`files_delete_generic_locks',`
 +interface(`files_relabel_var_dirs',`
  	gen_require(`
--		attribute lockfile;
 -		type var_t, var_lock_t;
 +		type var_t;
  	')
 -
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, lockfile, lockfile)
+-	delete_files_pattern($1, var_lock_t, var_lock_t)
 +    allow $1 var_t:dir relabel_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Read all lock files.
+-##	Create, read, write, and delete generic
+-##	lock files.
 +##	Get the attributes of the /var/lib directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
+@@ -5829,65 +6800,69 @@ interface(`files_delete_generic_locks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_all_locks',`
+-interface(`files_manage_generic_locks',`
 +interface(`files_getattr_var_lib_dirs',`
  	gen_require(`
--		attribute lockfile;
 -		type var_t, var_lock_t;
 +		type var_t, var_lib_t;
  	')
  
+-	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
--	allow $1 lockfile:dir list_dir_perms;
--	read_files_pattern($1, lockfile, lockfile)
--	read_lnk_files_pattern($1, lockfile, lockfile)
+-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
+-	manage_files_pattern($1, var_lock_t, var_lock_t)
 +	getattr_dirs_pattern($1, var_t, var_lib_t)
  ')
  
  ########################################
  ## <summary>
--##	manage all lock files.
+-##	Delete all lock files.
 +##	Search the /var/lib directory.
  ## </summary>
 +## <desc>
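Review bot: In `files_relabel_var_dirs` the body line `allow $1 var_t:dir relabel_dir_perms;` is indented with four spaces while every other interface body in this hunk (e.g. `files_var_filetrans` just above it) is tab-indented; replacing the spaces with a tab keeps files.if consistent. The stray added blank line before the `files_relabel_var_dirs` banner leaves a double blank between interfaces, as does the one after `files_create_var_lib_dirs` in the hunk at @@ -15473,140; one blank line between interfaces matches the rest of the file. Both lines survive this commit's regeneration of the inner patch unchanged, so this is a nit on the carried patch rather than on what the commit moves.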
@@ -15463,9 +15484,10 @@ index f962f76..e06a46c 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
 +## <infoflow type="read" weight="5"/>
  #
--interface(`files_manage_all_locks',`
+-interface(`files_delete_all_locks',`
 +interface(`files_search_var_lib',`
  	gen_require(`
 -		attribute lockfile;
@@ -15473,140 +15495,143 @@ index f962f76..e06a46c 100644
 +		type var_t, var_lib_t;
  	')
  
+-	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
--	manage_dirs_pattern($1, lockfile, lockfile)
--	manage_files_pattern($1, lockfile, lockfile)
--	manage_lnk_files_pattern($1, lockfile, lockfile)
+-	delete_files_pattern($1, lockfile, lockfile)
 +	search_dirs_pattern($1, var_t, var_lib_t)
  ')
  
  ########################################
  ## <summary>
--##	Create an object in the locks directory, with a private
--##	type using a type transition.
+-##	Read all lock files.
 +##	Do not audit attempts to search the
 +##	contents of /var/lib.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
--##	</summary>
--## </param>
--## <param name="private type">
--##	<summary>
--##	The type of the object to be created.
--##	</summary>
--## </param>
--## <param name="object">
--##	<summary>
--##	The object class of the object being created.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
 +## <infoflow type="read" weight="5"/>
  #
--interface(`files_lock_filetrans',`
+-interface(`files_read_all_locks',`
 +interface(`files_dontaudit_search_var_lib',`
  	gen_require(`
+-		attribute lockfile;
 -		type var_t, var_lock_t;
 +		type var_lib_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	filetrans_pattern($1, var_lock_t, $2, $3, $4)
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
 +	dontaudit $1 var_lib_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to get the attributes
--##	of the /var/run directory.
+-##	manage all lock files.
 +##	List the contents of the /var/lib directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -5895,78 +6870,1372 @@ interface(`files_read_all_locks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_getattr_pid_dirs',`
+-interface(`files_manage_all_locks',`
 +interface(`files_list_var_lib',`
  	gen_require(`
--		type var_run_t;
+-		attribute lockfile;
+-		type var_t, var_lock_t;
 +		type var_t, var_lib_t;
  	')
  
--	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
--	dontaudit $1 var_run_t:dir getattr;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
+-	manage_lnk_files_pattern($1, lockfile, lockfile)
 +	list_dirs_pattern($1, var_t, var_lib_t)
  ')
  
 -########################################
 +###########################################
  ## <summary>
--##	Set the attributes of the /var/run directory.
+-##	Create an object in the locks directory, with a private
+-##	type using a type transition.
 +##	Read-write /var/lib directories
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
  #
--interface(`files_setattr_pid_dirs',`
+-interface(`files_lock_filetrans',`
 +interface(`files_rw_var_lib_dirs',`
  	gen_require(`
--		type var_run_t;
+-		type var_t, var_lock_t;
 +		type var_lib_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:dir setattr;
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
 +	rw_dirs_pattern($1, var_lib_t, var_lib_t)
  ')
  
  ########################################
  ## <summary>
--##	Search the contents of runtime process
--##	ID directories (/var/run).
+-##	Do not audit attempts to get the attributes
+-##	of the /var/run directory.
 +##	Create directories in /var/lib
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_search_pids',`
+-interface(`files_dontaudit_getattr_pid_dirs',`
 +interface(`files_create_var_lib_dirs',`
  	gen_require(`
--		type var_t, var_run_t;
+-		type var_run_t;
 +		type var_lib_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	search_dirs_pattern($1, var_t, var_run_t)
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir getattr;
 +	allow $1 var_lib_t:dir { create rw_dir_perms };
  ')
  
 +
  ########################################
  ## <summary>
--##	Do not audit attempts to search
--##	the /var/run directory.
+-##	Set the attributes of the /var/run directory.
 +##	Create objects in the /var/lib directory
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -15623,37 +15648,30 @@ index f962f76..e06a46c 100644
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_search_pids',`
++##	</summary>
++## </param>
++#
 +interface(`files_var_lib_filetrans',`
- 	gen_require(`
--		type var_run_t;
++	gen_require(`
 +		type var_t, var_lib_t;
- 	')
- 
--	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
--	dontaudit $1 var_run_t:dir search_dir_perms;
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of the runtime process
--##	ID directories (/var/run).
++')
++
++########################################
++## <summary>
 +##	Read generic files in /var/lib.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_read_var_lib_files',`
- 	gen_require(`
++	gen_require(`
 +		type var_t, var_lib_t;
 +	')
 +
@@ -16774,11 +16792,9 @@ index f962f76..e06a46c 100644
 +interface(`files_delete_all_pid_dirs',`
 +	gen_require(`
 +		attribute pidfile;
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
@@ -16931,34 +16947,39 @@ index f962f76..e06a46c 100644
 +## <summary>
 +##	List the contents of generic spool
 +##	(/var/spool) directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5974,19 +8243,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_pid_dirs',`
 +interface(`files_list_spool',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir setattr;
 +	list_dirs_pattern($1, var_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
--##	Read generic process ID files.
+-##	Search the contents of runtime process
+-##	ID directories (/var/run).
 +##	Create, read, write, and delete generic
 +##	spool directories (/var/spool).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
+@@ -5994,39 +8262,38 @@ interface(`files_setattr_pid_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_generic_pids',`
+-interface(`files_search_pids',`
 +interface(`files_manage_generic_spool_dirs',`
  	gen_require(`
 -		type var_t, var_run_t;
@@ -16966,67 +16987,74 @@ index f962f76..e06a46c 100644
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
--	read_files_pattern($1, var_run_t, var_run_t)
+-	search_dirs_pattern($1, var_t, var_run_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	manage_dirs_pattern($1, var_spool_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
--##	Write named generic process ID pipes
+-##	Do not audit attempts to search
+-##	the /var/run directory.
 +##	Read generic spool files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_write_generic_pid_pipes',`
+-interface(`files_dontaudit_search_pids',`
 +interface(`files_read_generic_spool',`
  	gen_require(`
 -		type var_run_t;
 +		type var_t, var_spool_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:fifo_file write;
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
 +	list_dirs_pattern($1, var_t, var_spool_t)
 +	read_files_pattern($1, var_spool_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
--##	Create an object in the process ID directory, with a private type.
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
 +##	Create, read, write, and delete generic
 +##	spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6034,38 +8301,55 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
 +interface(`files_manage_generic_spool',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
 +##	Create objects in the spool directory
 +##	with a private type with a type transition.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <param name="file">
 +##	<summary>
 +##	Type to which the created node will be transitioned.
@@ -17043,33 +17071,43 @@ index f962f76..e06a46c 100644
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
-+#
+ #
+-interface(`files_read_generic_pids',`
 +interface(`files_spool_filetrans',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
 +##	Allow access to manage all polyinstantiated
 +##	directories on the system.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6073,43 +8357,75 @@ interface(`files_read_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_generic_pid_pipes',`
 +interface(`files_polyinstantiate_all',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		attribute polydir, polymember, polyparent;
 +		type poly_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:fifo_file write;
 +	# Need to give access to /selinux/member
 +	selinux_compute_member($1)
 +
@@ -17106,10 +17144,11 @@ index f962f76..e06a46c 100644
 +		corecmd_exec_bin($1)
 +		seutil_domtrans_setfiles($1)
 +	')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the process ID directory, with a private type.
 +##	Unconfined access to files.
 +## </summary>
 +## <param name="domain">
@@ -17158,7 +17197,7 @@ index f962f76..e06a46c 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8433,157 @@ interface(`files_write_generic_pid_pipes',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17345,7 +17384,7 @@ index f962f76..e06a46c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8591,17 @@ interface(`files_rw_generic_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17369,7 +17408,7 @@ index f962f76..e06a46c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8609,17 @@ interface(`files_dontaudit_getattr_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17392,7 +17431,7 @@ index f962f76..e06a46c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8627,119 @@ interface(`files_dontaudit_write_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17562,7 +17601,7 @@ index f962f76..e06a46c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8747,19 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -17587,7 +17626,7 @@ index f962f76..e06a46c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8767,227 @@ interface(`files_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -17861,7 +17900,7 @@ index f962f76..e06a46c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8995,17 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -17919,7 +17958,7 @@ index f962f76..e06a46c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +9013,10 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -23004,7 +23043,7 @@ index e100d88..342fb1e 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..5deb336 100644
+index 8dbab4c..c4d3183 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -23299,7 +23338,20 @@ index 8dbab4c..5deb336 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) {
+@@ -388,8 +480,12 @@ optional_policy(`
+ if( ! secure_mode_insmod ) {
+ 	allow can_load_kernmodule self:capability sys_module;
+ 
++	files_load_kernel_modules(can_load_kernmodule)
++
+ 	# load_module() calls stop_machine() which
+ 	# calls sched_setscheduler()
++	# gt: there seems to be no trace of the above, at
++	# least in kernel versions greater than 2.6.37...
+ 	allow can_load_kernmodule self:capability sys_nice;
+ 	kernel_setsched(can_load_kernmodule)
+ }
+@@ -399,14 +495,38 @@ if( ! secure_mode_insmod ) {
  # Rules for unconfined acccess to this module
  #
  
@@ -37826,7 +37878,7 @@ index 79a45f6..6126f21 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
  ')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..136864b 100644
+index 17eda24..3395ea6 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -38006,10 +38058,11 @@ index 17eda24..136864b 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +212,25 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +212,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
++kernel_stream_connect(init_t)
 +kernel_rw_stream_socket_perms(init_t)
 +kernel_rw_unix_dgram_sockets(init_t)
 +kernel_mounton_systemd_ProtectKernelTunables(init_t)
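Review bot: `kernel_stream_connect(init_t)` is added with no comment, and alongside the neighbouring `kernel_rw_*` grants it presumably lets init_t `connectto` kernel_t-labelled unix stream sockets without recording which socket needs it. A one-line why-comment lets the next maintainer re-evaluate the grant instead of keeping it by inertia, e.g. `# systemd connects to stream sockets created before policy load that still carry kernel_t — confirm which one`. The run of init_t rules this hunk edits continues past both of its ends.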
@@ -38033,7 +38086,7 @@ index 17eda24..136864b 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +238,26 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +239,26 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -38062,7 +38115,7 @@ index 17eda24..136864b 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +266,73 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +267,73 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
@@ -38141,7 +38194,7 @@ index 17eda24..136864b 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +341,275 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +342,275 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -38426,7 +38479,7 @@ index 17eda24..136864b 100644
  ')
  
  optional_policy(`
-@@ -216,7 +617,30 @@ optional_policy(`
+@@ -216,7 +618,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38458,7 +38511,7 @@ index 17eda24..136864b 100644
  ')
  
  ########################################
-@@ -225,9 +649,9 @@ optional_policy(`
+@@ -225,9 +650,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38470,7 +38523,7 @@ index 17eda24..136864b 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +682,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +683,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38487,7 +38540,7 @@ index 17eda24..136864b 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +707,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +708,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -38530,7 +38583,7 @@ index 17eda24..136864b 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +744,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +745,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -38542,7 +38595,7 @@ index 17eda24..136864b 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +756,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +757,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -38553,7 +38606,7 @@ index 17eda24..136864b 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +767,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +768,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -38563,7 +38616,7 @@ index 17eda24..136864b 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +776,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +777,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -38571,7 +38624,7 @@ index 17eda24..136864b 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +783,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +784,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38579,7 +38632,7 @@ index 17eda24..136864b 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +791,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +792,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -38597,7 +38650,7 @@ index 17eda24..136864b 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +809,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +810,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -38611,7 +38664,7 @@ index 17eda24..136864b 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +824,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +825,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -38625,7 +38678,7 @@ index 17eda24..136864b 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +837,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +838,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -38636,7 +38689,7 @@ index 17eda24..136864b 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +850,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +851,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -38644,7 +38697,7 @@ index 17eda24..136864b 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +869,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +870,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -38668,7 +38721,7 @@ index 17eda24..136864b 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +902,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +903,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -38676,7 +38729,7 @@ index 17eda24..136864b 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +936,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +937,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -38687,7 +38740,7 @@ index 17eda24..136864b 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +960,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +961,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -38696,7 +38749,7 @@ index 17eda24..136864b 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +975,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +976,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -38704,7 +38757,7 @@ index 17eda24..136864b 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +996,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +997,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -38712,7 +38765,7 @@ index 17eda24..136864b 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1006,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1007,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -38757,7 +38810,7 @@ index 17eda24..136864b 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1051,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1052,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -38789,7 +38842,7 @@ index 17eda24..136864b 100644
  	')
  ')
  
-@@ -577,6 +1086,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1087,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -38829,7 +38882,7 @@ index 17eda24..136864b 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1131,8 @@ optional_policy(`
+@@ -589,6 +1132,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -38838,7 +38891,7 @@ index 17eda24..136864b 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1154,7 @@ optional_policy(`
+@@ -610,6 +1155,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -38846,7 +38899,7 @@ index 17eda24..136864b 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1171,17 @@ optional_policy(`
+@@ -626,6 +1172,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38864,7 +38917,7 @@ index 17eda24..136864b 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1198,13 @@ optional_policy(`
+@@ -642,9 +1199,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -38878,7 +38931,7 @@ index 17eda24..136864b 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1217,11 @@ optional_policy(`
+@@ -657,15 +1218,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38896,7 +38949,7 @@ index 17eda24..136864b 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1242,15 @@ optional_policy(`
+@@ -686,6 +1243,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38912,7 +38965,7 @@ index 17eda24..136864b 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1291,7 @@ optional_policy(`
+@@ -726,6 +1292,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -38920,7 +38973,7 @@ index 17eda24..136864b 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1309,13 @@ optional_policy(`
+@@ -743,7 +1310,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38935,7 +38988,7 @@ index 17eda24..136864b 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1338,10 @@ optional_policy(`
+@@ -766,6 +1339,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38946,7 +38999,7 @@ index 17eda24..136864b 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1351,20 @@ optional_policy(`
+@@ -775,10 +1352,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38967,7 +39020,7 @@ index 17eda24..136864b 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1373,10 @@ optional_policy(`
+@@ -787,6 +1374,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38978,7 +39031,7 @@ index 17eda24..136864b 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1398,6 @@ optional_policy(`
+@@ -808,8 +1399,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -38987,7 +39040,7 @@ index 17eda24..136864b 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1406,10 @@ optional_policy(`
+@@ -818,6 +1407,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38998,7 +39051,7 @@ index 17eda24..136864b 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1419,12 @@ optional_policy(`
+@@ -827,10 +1420,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -39011,7 +39064,7 @@ index 17eda24..136864b 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1451,62 @@ optional_policy(`
+@@ -857,21 +1452,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39075,7 +39128,7 @@ index 17eda24..136864b 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1522,10 @@ optional_policy(`
+@@ -887,6 +1523,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39086,7 +39139,7 @@ index 17eda24..136864b 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1536,218 @@ optional_policy(`
+@@ -897,3 +1537,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -47656,10 +47709,10 @@ index a392fc4..98c5f23 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..a0ed66f
+index 0000000..db8e9dc
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,81 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@@ -47680,6 +47733,10 @@ index 0000000..a0ed66f
 +/usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +/usr/bin/systemd-hwdb		--	gen_context(system_u:object_r:systemd_hwdb_exec_t,s0)
 +
++/usr/lib/systemd/systemd-bootchart	--	gen_context(system_u:object_r:systemd_bootchart_exec_t,s0)
++
++/usr/lib/systemd/systemd-initctl	--	gen_context(system_u:object_r:systemd_initctl_exec_t,s0)
++
 +/usr/lib/dracut/modules.d/.*\.service	gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/run/systemd/transient(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
@@ -47691,6 +47748,8 @@ index 0000000..a0ed66f
 +/usr/lib/systemd/system/systemd-rfkill\.service	--	gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-time.*\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-hwdb.*\.service	--	gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-bootchart.*\.service 	--	gen_context(system_u:object_r:systemd_bootchart_unit_file_t,s0)
++
 +/usr/lib/systemd/system/.*halt.(service|target)	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*hibernate.*\.(service|target)		--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/system/.*power.*\.(service|target)		--	gen_context(system_u:object_r:power_unit_file_t,s0)
@@ -47731,6 +47790,9 @@ index 0000000..a0ed66f
 +/var/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 +/var/run/systemd/resolve(/.*)?	gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 +/var/run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
++
++/var/run/log/bootchart.*	--	gen_context(system_u:object_r:systemd_bootchart_var_run_t,s0)
++
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
@@ -49543,10 +49605,10 @@ index 0000000..86e3d01
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..0c415d2
+index 0000000..b06bf32
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,980 @@
+@@ -0,0 +1,1016 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -49601,6 +49663,16 @@ index 0000000..0c415d2
 +type systemd_networkd_var_run_t;
 +files_pid_file(systemd_networkd_var_run_t)
 +
++systemd_domain_template(systemd_initctl)
++
++systemd_domain_template(systemd_bootchart)
++
++type systemd_bootchart_unit_file_t;
++systemd_unit_file(systemd_bootchart_unit_file_t)
++
++type systemd_bootchart_var_run_t;
++files_pid_file(systemd_bootchart_var_run_t)
++
 +systemd_domain_template(systemd_resolved)
 +
 +type systemd_resolved_var_run_t;
@@ -50527,6 +50599,32 @@ index 0000000..0c415d2
 +files_read_kernel_modules(systemd_modules_load_t)
 +modutils_read_module_config(systemd_modules_load_t)
 +
++
++#######################################
++#
++# systemd_modules_load domain
++#
++
++allow systemd_bootchart_t self:capability2 wake_alarm;
++
++kernel_dgram_send(systemd_bootchart_t)
++kernel_rw_kernel_sysctl(systemd_bootchart_t)
++dev_list_sysfs(systemd_bootchart_t)
++
++domain_read_all_domains_state(systemd_bootchart_t)
++
++manage_files_pattern(systemd_bootchart_t, systemd_bootchart_var_run_t, systemd_bootchart_var_run_t)
++logging_syslogd_pid_filetrans(systemd_bootchart_t, systemd_bootchart_var_run_t, file)
++
++#######################################
++#
++# systemd_modules_load domain
++#
++
++kernel_dgram_send(systemd_initctl_t)
++
++init_rw_initctl(systemd_initctl_t)
++init_stream_connectto(systemd_initctl_t)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index f41857e..49fd32e 100644
 --- a/policy/modules/system/udev.fc
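Review bot: Both new section headers in this hunk are copied from the block above — `+# systemd_modules_load domain` introduces the bootchart rules and then again the initctl rules — so they should read `# systemd_bootchart domain` and `# systemd_initctl domain`; in a module that is now over a thousand lines, a reader searching by header lands on the wrong rules. The two widest grants would also benefit from a why-comment: `domain_read_all_domains_state(systemd_bootchart_t)` lets bootchart read the process state of every domain on the system, and `allow systemd_bootchart_t self:capability2 wake_alarm;` is a capability grant; presumably both were taken from AVC denials while charting, and recording that keeps the next maintainer from widening them further. The remainder of the outer hunk is unrelated context from udev.fc.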
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2345806..326f2f1 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -57726,7 +57726,7 @@ index 0000000..79f1250
 +
 +fs_getattr_xattr_fs(naemon_t)
 diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..40e1c77 100644
+index d78dfc3..c781b72 100644
 --- a/nagios.fc
 +++ b/nagios.fc
 @@ -1,88 +1,113 @@
@@ -57774,13 +57774,13 @@ index d78dfc3..40e1c77 100644
 +
 +/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
 +/var/spool/icinga(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
-+
+ 
 +ifdef(`distro_debian',`
 +/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
 +')
 +/usr/lib/cgi-bin/nagios(/.+)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
 +/usr/lib/nagios/cgi-bin(/.*)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
- 
++
 +# admin plugins
  /usr/lib/nagios/plugins/check_file_age	--	gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
  
@@ -57792,106 +57792,132 @@ index d78dfc3..40e1c77 100644
  /usr/lib/nagios/plugins/check_linux_raid	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
  
 -/usr/lib/nagios/plugins/check_mailq		--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-+# mail plugins
-+/usr/lib/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
- 
-+/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
-+
-+# system plugins
- /usr/lib/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_flexlm	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ifoperstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ifstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-
+-/usr/lib/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_flexlm	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ifoperstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ifstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_load	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_log	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_mrtg	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_load		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_log		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_mrtg		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_mrtgtraf	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_nagios	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_nwstat	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_overcr	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_procs	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_mrtgtraf	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_nagios	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_nwstat	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_overcr	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_procs	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_swap	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_swap		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_wave	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_wave		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- 
-+# services plugins
- /usr/lib/nagios/plugins/check_cluster	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-
+-/usr/lib/nagios/plugins/check_cluster	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_dhcp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_dig	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_dns	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_game	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_dig		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_game		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_fping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_fping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_hpjd	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_http	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_icmp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_ircd	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_ldap	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_hpjd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_http		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_icmp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ircd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ldap		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_mysql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_mysql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_mysql_query	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_nrpe	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_nt	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_mysql_query 	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_nrpe		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_nt		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ntp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_oracle	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_pgsql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ntp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_oracle	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_pgsql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_ping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ping		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_radius	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_radius	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_real	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_rpc	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_tcp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_time	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_sip	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_smtp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_rpc		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_tcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_time		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_sip		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_smtp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_ssh	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -/usr/lib/nagios/plugins/check_ups	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 -
 -/usr/lib/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ssh		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ups		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- 
+-
 -/usr/lib/pnp4nagios(/.*)?	gen_context(system_u:object_r:nagios_var_lib_t,s0)
+-
+-/var/log/nagios(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
+-/var/log/netsaint(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
+-
+-/var/run/nagios.*	--	gen_context(system_u:object_r:nagios_var_run_t,s0)
+-/var/run/nrpe.*	--	gen_context(system_u:object_r:nrpe_var_run_t,s0)
+-
+-/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
++# mail plugins
++/usr/lib/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
++
++/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
++
++# system plugins
++/usr/lib(64)?/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_flexlm	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifoperstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_load		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_log		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtg		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtgtraf	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nagios	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nwstat	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_overcr	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_procs	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_swap		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_wave		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++
++# services plugins
++/usr/lib(64)?/nagios/plugins/check_cluster	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dig		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_game		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_fping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_hpjd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_http		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_icmp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ircd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ldap		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mysql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mysql_query 	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nrpe		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nt		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ntp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_oracle	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_pgsql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ping		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_radius	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_rpc		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_tcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_time		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_sip		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_smtp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ssh		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ups		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++
 +# openshift plugins
 +/usr/lib64/nagios/plugins/check_node_accept_status      --      gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
 +/usr/lib64/nagios/plugins/check_number_openshift_apps        --      gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
- 
--/var/log/nagios(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
--/var/log/netsaint(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
++
 +# label all nagios plugin as unconfined by default
 +/usr/lib/nagios/plugins/.*	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
- 
--/var/run/nagios.*	--	gen_context(system_u:object_r:nagios_var_run_t,s0)
--/var/run/nrpe.*	--	gen_context(system_u:object_r:nrpe_var_run_t,s0)
++
 +# eventhandlers
 +/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
 +/usr/lib/icinga/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
- 
--/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
++
 diff --git a/nagios.if b/nagios.if
 index 0641e97..f3b1111 100644
 --- a/nagios.if
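Review bot: Rewriting the per-plugin entries as `/usr/lib(64)?/nagios/plugins/check_*` shortens each entry's literal stem to `/usr/lib`, while the unchanged catch-all `/usr/lib/nagios/plugins/.*	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` keeps the longer stem `/usr/lib/nagios/plugins`. As far as I recall, refpolicy's fc_sort and libselinux rank file_contexts entries by longest literal stem (and literal paths over regexes), so after this change the catch-all would win for every plugin under /usr/lib/nagios/plugins and they would all be labelled nagios_unconfined_plugin_exec_t instead of the confined system/services types — a silent loss of confinement, with only the /usr/lib64 copies still getting the specific labels. Please verify with `matchpathcon /usr/lib/nagios/plugins/check_http` on a built policy before merging. If confirmed, keep the original literal `/usr/lib/...` lines and add parallel literal `/usr/lib64/...` lines instead of the `(64)?` alternation; note also that the catch-all and the eventhandler entries remain `/usr/lib`-only, so unlisted plugins under /usr/lib64 get no fallback label at all.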
@@ -89271,7 +89297,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..1271bf3 100644
+index d32e1a2..7239c98 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -89310,13 +89336,14 @@ index d32e1a2..1271bf3 100644
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
-@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  
  kernel_read_network_state(rhsmcertd_t)
 +kernel_read_net_sysctls(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
 +kernel_read_sysctl(rhsmcertd_t)
++kernel_signull(rhsmcertd_t)
 +
 +corenet_tcp_connect_http_port(rhsmcertd_t)
 +corenet_tcp_connect_http_cache_port(rhsmcertd_t)
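Review bot: `+kernel_signull(rhsmcertd_t)` is added without a comment recording which access it resolves, and signull toward kernel_t is not an obvious need for a subscription daemon. If it came from an AVC raised by a pid-liveness probe (signal 0 against a pidfile pid that turned out to be a kernel thread), a one-line comment such as `# kill -0 liveness probe on a stale pidfile pid can hit kernel_t` above it would document that, and a dontaudit rule would be the tighter choice if the probe does not need to succeed. The enclosing rhsmcertd_t rule block continues outside this hunk.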
@@ -114709,7 +114736,7 @@ index facdee8..2cff369 100644
 +	domtrans_pattern($1,container_file_t, $2)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..b5b9ca5 100644
+index f03dcf5..482c24b 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,411 @@
@@ -115789,7 +115816,7 @@ index f03dcf5..b5b9ca5 100644
 +dev_read_sysfs(virtlogd_t)
 +
 +logging_send_syslog_msg(virtlogd_t)
-+
+ 
 +auth_use_nsswitch(virtlogd_t)
 +
 +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
@@ -116045,7 +116072,7 @@ index f03dcf5..b5b9ca5 100644
 +init_system_domain(virsh_t, virsh_exec_t)
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
- 
++
 +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
 +allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
@@ -116133,10 +116160,10 @@ index f03dcf5..b5b9ca5 100644
  
 -logging_send_syslog_msg(virsh_t)
 +systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
  
 -miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
 +logging_send_syslog_msg(virsh_t)
  
  sysnet_dns_name_resolve(virsh_t)
@@ -116301,7 +116328,7 @@ index f03dcf5..b5b9ca5 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1268,355 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1268,296 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -116328,8 +116355,7 @@ index f03dcf5..b5b9ca5 100644
 +		hal_dbus_chat(virtd_lxc_t)
 +	')
 +')
- 
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
 +optional_policy(`
 +    container_exec_lib(virtd_lxc_t)
 +')
@@ -116341,7 +116367,8 @@ index f03dcf5..b5b9ca5 100644
 +optional_policy(`
 +	setrans_manage_pid_files(virtd_lxc_t)
 +')
-+
+ 
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
 +optional_policy(`
 +	unconfined_domain(virtd_lxc_t)
 +')
@@ -116374,89 +116401,7 @@ index f03dcf5..b5b9ca5 100644
 +tunable_policy(`deny_ptrace',`',`
 +	allow svirt_sandbox_domain self:process ptrace;
 +')
- 
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
 +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
 +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -116546,28 +116491,112 @@ index f03dcf5..b5b9ca5 100644
 +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
 +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
 +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
+ 
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
 +tunable_policy(`virt_sandbox_share_apache_content',`
 +		apache_exec_modules(svirt_sandbox_domain)
 +		apache_read_sys_content(svirt_sandbox_domain)
 +	')
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	udev_read_pid_files(svirt_lxc_domain)
 +	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	apache_exec_modules(svirt_lxc_domain)
+-	apache_read_sys_content(svirt_lxc_domain)
 +	ssh_use_ptys(svirt_sandbox_domain)
 +')
 +
 +optional_policy(`
 +	udev_read_pid_files(svirt_sandbox_domain)
 +')
- 
- optional_policy(`
--	udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
 +	userhelper_dontaudit_write_config(svirt_sandbox_domain)
 +')
 +
@@ -116597,11 +116626,9 @@ index f03dcf5..b5b9ca5 100644
 +    fs_mount_fusefs(svirt_sandbox_domain)
 +    fs_unmount_fusefs(svirt_sandbox_domain)
 +    fs_exec_fusefs_files(svirt_sandbox_domain)
- ')
- 
- optional_policy(`
--	apache_exec_modules(svirt_lxc_domain)
--	apache_read_sys_content(svirt_lxc_domain)
++')
++
++optional_policy(`
 +    container_read_share_files(svirt_sandbox_domain)
 +    container_exec_share_files(svirt_sandbox_domain)
 +    container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
@@ -116618,16 +116645,7 @@ index f03dcf5..b5b9ca5 100644
  #
 +virt_sandbox_domain_template(container)
 +typealias container_t alias svirt_lxc_net_t;
-+virt_default_capabilities(container_t)
-+dontaudit container_t self:capability fsetid;
-+dontaudit container_t self:capability2  block_suspend ;
-+allow container_t self:process { execstack execmem };
-+manage_chr_files_pattern(container_t, container_file_t, container_file_t)
-+manage_blk_files_pattern(container_t, container_file_t, container_file_t)
-+
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+	allow container_t self:capability sys_admin;
-+')
++# Policy moved to container-selinux policy package
  
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 -dontaudit svirt_lxc_net_t self:capability2 block_suspend;
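Review bot: The base policy still declares container_t here (the `virt_sandbox_domain_template(container)` and `typealias container_t alias svirt_lxc_net_t;` lines survive the hunk) while every rule that gave it its capability set, the `fsetid`/`block_suspend` dontaudits, `execstack execmem`, the chr/blk file access and the `virt_sandbox_use_sys_admin` block is replaced by the bare comment `# Policy moved to container-selinux policy package`. On a host where that package is absent, or older than this split, container_t therefore exists but carries only the template baseline, and the booleans `virt_sandbox_use_sys_admin`, `virt_sandbox_use_mknod` and `virt_sandbox_use_all_caps` no longer toggle any rule in this file (if their `gen_tunable` declarations remain further up virt.te, outside the visible hunks, they are now dead). The same removal continues in the next two hunks of this file (the `virt_sandbox_use_mknod` block, then the netlink, all_caps and audit blocks for container_t, where only the netlink and audit tunables keep a user in `svirt_qemu_net_t`). I would make the comment carry the dependency a reader has to check rather than just the destination: `# container_t capability/mknod/netlink/all_caps rules now live in the container-selinux package; only the type and its svirt_lxc_net_t alias stay here`. Whether the container-selinux module can redeclare container_t alongside the template call kept here without a duplicate-type conflict is not visible from this patch and is worth confirming before the split ships.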
@@ -116640,12 +116658,18 @@ index f03dcf5..b5b9ca5 100644
 -allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
 -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
--
++########################################
++#
++# container_t local policy
++#
++virt_sandbox_domain_template(svirt_qemu_net)
++typeattribute svirt_qemu_net_t sandbox_net_domain;
+ 
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_mknod',`
-+	allow container_t self:capability mknod;
-+')
++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_qemu_net_t self:capability2 block_suspend;
++allow svirt_qemu_net_t self:process { execstack execmem };
  
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -116657,118 +116681,63 @@ index f03dcf5..b5b9ca5 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_all_caps',`
-+	allow container_t self:capability all_capability_perms;
-+	allow container_t self:capability2 all_capability2_perms;
++tunable_policy(`virt_sandbox_use_netlink',`
++	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +')
  
 -corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
 -corenet_udp_bind_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_netlink',`
-+	allow container_t self:netlink_socket create_socket_perms;
-+	allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+	allow container_t self:netlink_kobject_uevent_socket create_socket_perms;
-+	allow container_t self:netlink_connector_socket create_socket_perms;
-+	allow container_t self:netlink_crypto_socket create_socket_perms;
-+	allow container_t self:netlink_fib_lookup_socket create_socket_perms;
-+	allow container_t self:netlink_generic_socket create_socket_perms;
-+	allow container_t self:netlink_iscsi_socket create_socket_perms;
-+	allow container_t self:netlink_netfilter_socket create_socket_perms;
-+	allow container_t self:netlink_rdma_socket create_socket_perms;
-+	allow container_t self:netlink_scsitransport_socket create_socket_perms;
-+', `
-+	logging_dontaudit_send_audit_msgs(container_t)
-+')
++manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
  
 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
 -corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+allow container_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow container_t virt_lxc_var_run_t:file read_file_perms;
++term_use_generic_ptys(svirt_qemu_net_t)
++term_use_ptmx(svirt_qemu_net_t)
  
 -dev_getattr_mtrr_dev(svirt_lxc_net_t)
 -dev_read_rand(svirt_lxc_net_t)
 -dev_read_sysfs(svirt_lxc_net_t)
 -dev_read_urand(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(container_t)
-+kernel_read_messages(container_t)
++dev_rw_kvm(svirt_qemu_net_t)
  
 -files_read_kernel_modules(svirt_lxc_net_t)
-+dev_read_sysfs(container_t)
-+dev_read_mtrr(container_t)
-+dev_read_rand(container_t)
-+dev_read_urand(container_t)
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
  
 -fs_mount_cgroup(svirt_lxc_net_t)
 -fs_manage_cgroup_dirs(svirt_lxc_net_t)
 -fs_rw_cgroup_files(svirt_lxc_net_t)
-+files_read_kernel_modules(container_t)
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
  
 -auth_use_nsswitch(svirt_lxc_net_t)
-+fs_noxattr_type(container_file_t)
++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
  
 -logging_send_audit_msgs(svirt_lxc_net_t)
-+term_pty(container_file_t)
++kernel_read_irq_sysctls(svirt_qemu_net_t)
  
 -userdom_use_user_ptys(svirt_lxc_net_t)
-+logging_send_syslog_msg(container_t)
++dev_read_sysfs(svirt_qemu_net_t)
++dev_getattr_mtrr_dev(svirt_qemu_net_t)
++dev_read_rand(svirt_qemu_net_t)
++dev_read_urand(svirt_qemu_net_t)
  
 -optional_policy(`
 -	rpm_read_db(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_audit',`
-+	logging_send_audit_msgs(container_t)
- ')
+-')
++files_read_kernel_modules(svirt_qemu_net_t)
  
 -#######################################
-+userdom_use_user_ptys(container_t)
-+
-+########################################
- #
+-#
 -# Prot exec local policy
-+# container_t local policy
- #
-+virt_sandbox_domain_template(svirt_qemu_net)
-+typeattribute svirt_qemu_net_t sandbox_net_domain;
-+
-+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
-+allow svirt_qemu_net_t self:process { execstack execmem };
-+
-+tunable_policy(`virt_sandbox_use_netlink',`
-+	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+')
-+
-+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
-+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
-+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
-+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
-+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
-+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
-+
-+term_use_generic_ptys(svirt_qemu_net_t)
-+term_use_ptmx(svirt_qemu_net_t)
-+
-+dev_rw_kvm(svirt_qemu_net_t)
-+
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
-+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-+
-+kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
-+dev_read_sysfs(svirt_qemu_net_t)
-+dev_getattr_mtrr_dev(svirt_qemu_net_t)
-+dev_read_rand(svirt_qemu_net_t)
-+dev_read_urand(svirt_qemu_net_t)
-+
-+files_read_kernel_modules(svirt_qemu_net_t)
-+
+-#
 +fs_noxattr_type(container_file_t)
 +fs_mount_cgroup(svirt_qemu_net_t)
 +fs_manage_cgroup_dirs(svirt_qemu_net_t)
@@ -116781,7 +116750,8 @@ index f03dcf5..b5b9ca5 100644
 +rpm_read_db(svirt_qemu_net_t)
 +
 +logging_send_syslog_msg(svirt_qemu_net_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +tunable_policy(`virt_sandbox_use_audit',`
 +	logging_send_audit_msgs(svirt_qemu_net_t)
 +')
@@ -116802,7 +116772,7 @@ index f03dcf5..b5b9ca5 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1629,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1570,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -116817,7 +116787,7 @@ index f03dcf5..b5b9ca5 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1647,7 @@ optional_policy(`
+@@ -1192,7 +1588,7 @@ optional_policy(`
  
  ########################################
  #
@@ -116826,7 +116796,7 @@ index f03dcf5..b5b9ca5 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1656,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1597,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
@@ -117000,7 +116970,7 @@ index f03dcf5..b5b9ca5 100644
 +
 +########################################
 +#
-+# container_t local policy
++# svirt_kvm_net_t local policy
 +#
 +virt_sandbox_domain_template(svirt_kvm_net)
 +typeattribute svirt_kvm_net_t sandbox_net_domain;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7b4a618..ad19431 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 236%{?dist}
+Release: 237%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,20 @@ exit 0
 %endif
 
 %changelog
+* Wed Feb 08 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-237
+- Merge pull request #187 from rhatdan/container-selinux
+- Allow rhsmcertd domain signull kernel.
+- Allow container-selinux to handle all policy for container processes
+- Fix label for nagios plugins in nagios file conxtext file
+- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
+- Add SELinux support for systemd-initctl daemon
+- Add SELinux support for systemd-bootchart
+- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
+- Add module_load permission to can_load_kernmodule
+- Add module_load permission to class system
+- Add the validate_trans access vector to the security class
+- Restore connecto permssions for init_t
+
 * Thu Feb 02 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-236
 - Allow kdumpgui domain to read nvme device
 - Add amanda_tmpfs_t label. BZ(1243752)