From 450ced7fcdc95bc62e22bc00654d78a56acbadfd Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Jun 04 2013 15:19:49 +0000
Subject: Merge branch 'f19' of ssh://pkgs.fedoraproject.org/selinux-policy into f19
Conflicts:
permissivedomains.te
---
diff --git a/permissivedomains.pp b/permissivedomains.pp
index 0870c6a..fcc92d8 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 8b9cda6..01faa3e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3604,7 +3604,7 @@ index f9b25c1..9af1f7a 100644
+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..d6ec4a8 100644
+index 07126bd..38ba47d 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -4138,10 +4138,11 @@ index 07126bd..d6ec4a8 100644
## Send and receive TCP network traffic on generic reserved ports.
##
##
-@@ -1647,6 +1964,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',`
########################################
##
+-## Bind TCP sockets to generic reserved ports.
+## Bind DCCP sockets to generic reserved ports.
+##
+##
@@ -4161,9 +4162,10 @@ index 07126bd..d6ec4a8 100644
+
+########################################
+##
- ## Bind TCP sockets to generic reserved ports.
++## Bind TCP sockets to generic reserved ports.
##
##
+ ##
@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',`
########################################
@@ -4214,16 +4216,11 @@ index 07126bd..d6ec4a8 100644
## Send and receive TCP network traffic on all reserved ports.
##
##
-@@ -1752,12 +2124,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
- attribute reserved_port_type;
- ')
+@@ -1757,7 +2129,259 @@ interface(`corenet_udp_receive_all_reserved_ports',`
-- allow $1 reserved_port_type:udp_socket recv_msg;
-+ allow $1 reserved_port_type:udp_socket recv_msg;
-+')
-+
-+########################################
-+##
+ ########################################
+ ##
+-## Send and receive UDP network traffic on all reserved ports.
+## Send and receive UDP network traffic on all reserved ports.
+##
+##
@@ -4418,56 +4415,116 @@ index 07126bd..d6ec4a8 100644
+ ')
+
+ allow $1 ephemeral_port_type:tcp_socket name_bind;
- ')
-
- ########################################
- ##
--## Send and receive UDP network traffic on all reserved ports.
++')
++
++########################################
++##
+## Bind UDP sockets to all ports > 32768.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_bind_all_ephemeral_ports',`
++ gen_require(`
++ attribute ephemeral_port_type;
++ ')
++
++ allow $1 ephemeral_port_type:udp_socket name_bind;
++')
++
++########################################
++##
++## Connect DCCP sockets to reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:dccp_socket name_connect;
++')
++
++########################################
++##
++## Connect TCP sockets to reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_connect_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:tcp_socket name_connect;
++')
++
++########################################
++##
++## Connect DCCP sockets to all ports > 1024.
##
##
##
-@@ -1765,14 +2335,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1765,51 +2389,53 @@ interface(`corenet_udp_receive_all_reserved_ports',`
##
##
#
-interface(`corenet_udp_sendrecv_all_reserved_ports',`
- corenet_udp_send_all_reserved_ports($1)
- corenet_udp_receive_all_reserved_ports($1)
-+interface(`corenet_udp_bind_all_ephemeral_ports',`
++interface(`corenet_dccp_connect_all_unreserved_ports',`
+ gen_require(`
-+ attribute ephemeral_port_type;
++ attribute unreserved_port_type;
+ ')
+
-+ allow $1 ephemeral_port_type:udp_socket name_bind;
++ allow $1 unreserved_port_type:dccp_socket name_connect;
')
- ########################################
+-########################################
++#######################################
##
-## Bind TCP sockets to all reserved ports.
-+## Connect DCCP sockets to reserved ports.
++## Connect TCP sockets to ports > 1024.
##
##
- ##
-@@ -1780,36 +2353,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
- ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
##
#
-interface(`corenet_tcp_bind_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_reserved_ports',`
- gen_require(`
- attribute reserved_port_type;
- ')
+- gen_require(`
+- attribute reserved_port_type;
+- ')
++interface(`corenet_tcp_connect_unreserved_ports',`
++ gen_require(`
++ type unreserved_port_t;
++ ')
- allow $1 reserved_port_type:tcp_socket name_bind;
- allow $1 self:capability net_bind_service;
-+ allow $1 reserved_port_type:dccp_socket name_connect;
++ allow $1 unreserved_port_t:tcp_socket name_connect;
')
########################################
##
-## Do not audit attempts to bind TCP sockets to all reserved ports.
-+## Connect TCP sockets to reserved ports.
++## Connect TCP sockets to all ports > 1024.
##
##
##
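Review bot: The banner added as `++#######################################` above the "Connect TCP sockets to ports > 1024" description is one character short (39 `#` where every other separator in the file has 40), so the doc header of `corenet_tcp_connect_unreserved_ports` no longer lines up with its neighbours; it should be `########################################`. The same interface requires `type unreserved_port_t` while its `_all_` sibling requires the `unreserved_port_type` attribute, which looks deliberate (a narrower grant) but is not explained, so a sentence such as `## Connect TCP sockets to the generic unreserved port type only; see corenet_tcp_connect_all_unreserved_ports for every unreserved port.` in its description would stop callers picking the wrong one. The run of interface definitions continues in the next hunk.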
@@ -4477,137 +4534,134 @@ index 07126bd..d6ec4a8 100644
##
#
-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
-+interface(`corenet_tcp_connect_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_unreserved_ports',`
gen_require(`
- attribute reserved_port_type;
+- attribute reserved_port_type;
++ attribute unreserved_port_type;
')
- dontaudit $1 reserved_port_type:tcp_socket name_bind;
-+ allow $1 reserved_port_type:tcp_socket name_connect;
++ allow $1 unreserved_port_type:tcp_socket name_connect;
')
########################################
##
-## Bind UDP sockets to all reserved ports.
-+## Connect DCCP sockets to all ports > 1024.
++## Connect TCP sockets to all ports > 32768.
##
##
##
-@@ -1817,36 +2389,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1817,18 +2443,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
##
##
#
-interface(`corenet_udp_bind_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_unreserved_ports',`
++interface(`corenet_tcp_connect_all_ephemeral_ports',`
gen_require(`
- attribute reserved_port_type;
-+ attribute unreserved_port_type;
++ attribute ephemeral_port_type;
')
- allow $1 reserved_port_type:udp_socket name_bind;
- allow $1 self:capability net_bind_service;
-+ allow $1 unreserved_port_type:dccp_socket name_connect;
++ allow $1 ephemeral_port_type:tcp_socket name_connect;
')
--########################################
-+#######################################
+ ########################################
##
-## Do not audit attempts to bind UDP sockets to all reserved ports.
-+## Connect TCP sockets to ports > 1024.
++## Do not audit attempts to connect DCCP sockets
++## all reserved ports.
##
##
--##
--## Domain to not audit.
--##
-+##
-+## Domain allowed access.
-+##
+ ##
+@@ -1836,35 +2462,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
+ ##
##
#
-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
-- gen_require(`
-- attribute reserved_port_type;
-- ')
-+interface(`corenet_tcp_connect_unreserved_ports',`
-+ gen_require(`
-+ type unreserved_port_t;
-+ ')
++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
- dontaudit $1 reserved_port_type:udp_socket name_bind;
-+ allow $1 unreserved_port_t:tcp_socket name_connect;
++ dontaudit $1 reserved_port_type:dccp_socket name_connect;
')
########################################
##
-## Bind TCP sockets to all ports > 1024.
-+## Connect TCP sockets to all ports > 1024.
++## Do not audit attempts to connect TCP sockets
++## all reserved ports.
##
##
##
-@@ -1854,17 +2425,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`corenet_tcp_bind_all_unreserved_ports',`
-+interface(`corenet_tcp_connect_all_unreserved_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
gen_require(`
- attribute unreserved_port_type;
+- attribute unreserved_port_type;
++ attribute reserved_port_type;
')
- allow $1 unreserved_port_type:tcp_socket name_bind;
-+ allow $1 unreserved_port_type:tcp_socket name_connect;
++ dontaudit $1 reserved_port_type:tcp_socket name_connect;
')
########################################
##
-## Bind UDP sockets to all ports > 1024.
-+## Connect TCP sockets to all ports > 32768.
++## Connect DCCP sockets to rpc ports.
##
##
##
-@@ -1872,67 +2443,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1872,17 +2499,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
##
##
#
-interface(`corenet_udp_bind_all_unreserved_ports',`
-+interface(`corenet_tcp_connect_all_ephemeral_ports',`
++interface(`corenet_dccp_connect_all_rpc_ports',`
gen_require(`
- attribute unreserved_port_type;
-+ attribute ephemeral_port_type;
++ attribute rpc_port_type;
')
- allow $1 unreserved_port_type:udp_socket name_bind;
-+ allow $1 ephemeral_port_type:tcp_socket name_connect;
++ allow $1 rpc_port_type:dccp_socket name_connect;
')
########################################
##
-## Connect TCP sockets to reserved ports.
-+## Do not audit attempts to connect DCCP sockets
-+## all reserved ports.
++## Connect TCP sockets to rpc ports.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -1890,36 +2517,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
##
##
#
-interface(`corenet_tcp_connect_all_reserved_ports',`
-+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_rpc_ports',`
gen_require(`
- attribute reserved_port_type;
+- attribute reserved_port_type;
++ attribute rpc_port_type;
')
- allow $1 reserved_port_type:tcp_socket name_connect;
-+ dontaudit $1 reserved_port_type:dccp_socket name_connect;
++ allow $1 rpc_port_type:tcp_socket name_connect;
')
########################################
##
-## Connect TCP sockets to all ports > 1024.
-+## Do not audit attempts to connect TCP sockets
-+## all reserved ports.
++## Do not audit attempts to connect DCCP sockets
++## all rpc ports.
##
##
##
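Review bot: The summaries of the new dontaudit connect interfaces drop the preposition: `++## Do not audit attempts to connect DCCP sockets` followed by `++## all reserved ports.` should read `## Do not audit attempts to connect DCCP sockets to` / `## all reserved ports.`. The same wording appears in this hunk for `corenet_dontaudit_tcp_connect_all_reserved_ports` and `corenet_dontaudit_dccp_connect_all_rpc_ports`, and in the following hunk on the `++## all rpc ports.` line of the TCP rpc variant, so all four should be fixed together. The parameter text `## Domain to not audit.` is already correct on these and needs no change.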
@@ -4617,93 +4671,111 @@ index 07126bd..d6ec4a8 100644
##
#
-interface(`corenet_tcp_connect_all_unreserved_ports',`
-+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
gen_require(`
- attribute unreserved_port_type;
-+ attribute reserved_port_type;
++ attribute rpc_port_type;
')
- allow $1 unreserved_port_type:tcp_socket name_connect;
-+ dontaudit $1 reserved_port_type:tcp_socket name_connect;
++ dontaudit $1 rpc_port_type:dccp_socket name_connect;
')
########################################
##
--## Do not audit attempts to connect TCP sockets
+ ## Do not audit attempts to connect TCP sockets
-## all reserved ports.
-+## Connect DCCP sockets to rpc ports.
++## all rpc ports.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -1927,54 +2555,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
##
##
#
-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_rpc_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
gen_require(`
- attribute reserved_port_type;
+ attribute rpc_port_type;
')
- dontaudit $1 reserved_port_type:tcp_socket name_connect;
-+ allow $1 rpc_port_type:dccp_socket name_connect;
++ dontaudit $1 rpc_port_type:tcp_socket name_connect;
')
########################################
-@@ -1955,6 +2527,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+ ##
+-## Connect TCP sockets to rpc ports.
++## Read and write the TUN/TAP virtual network device.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## The domain allowed access.
+ ##
+ ##
+ #
+-interface(`corenet_tcp_connect_all_rpc_ports',`
++interface(`corenet_rw_tun_tap_dev',`
+ gen_require(`
+- attribute rpc_port_type;
++ type tun_tap_device_t;
+ ')
+
+- allow $1 rpc_port_type:tcp_socket name_connect;
++ dev_list_all_dev_nodes($1)
++ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ ')
########################################
##
-+## Do not audit attempts to connect DCCP sockets
-+## all rpc ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
-+ dontaudit $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to connect TCP sockets
- ## all rpc ports.
+-## Do not audit attempts to connect TCP sockets
+-## all rpc ports.
++## Relabel to and from the TUN/TAP virtual network device.
##
-@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',`
+ ##
+ ##
+-## Domain to not audit.
++## The domain allowed access.
+ ##
+ ##
+ #
+-interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
++interface(`corenet_relabel_tun_tap_dev',`
+ gen_require(`
+- attribute rpc_port_type;
++ type tun_tap_device_t;
+ ')
+
+- dontaudit $1 rpc_port_type:tcp_socket name_connect;
++ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
+ ')
########################################
##
+-## Read and write the TUN/TAP virtual network device.
+## Read and write inherited TUN/TAP virtual network device.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1982,13 +2610,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_rw_tun_tap_dev',`
+interface(`corenet_rw_inherited_tun_tap_dev',`
-+ gen_require(`
-+ type tun_tap_device_t;
-+ ')
-+
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+- dev_list_all_dev_nodes($1)
+- allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or write the TUN/TAP
- ## virtual network device.
- ##
-@@ -2049,6 +2658,25 @@ interface(`corenet_rw_ppp_dev',`
+ ')
+
+ ########################################
+@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',`
########################################
##
@@ -4729,7 +4801,7 @@ index 07126bd..d6ec4a8 100644
## Bind TCP sockets to all RPC ports.
##
##
-@@ -2068,6 +2696,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
########################################
##
@@ -4754,7 +4826,7 @@ index 07126bd..d6ec4a8 100644
## Do not audit attempts to bind TCP sockets to all RPC ports.
##
##
-@@ -2194,6 +2840,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',`
########################################
##
@@ -4780,7 +4852,7 @@ index 07126bd..d6ec4a8 100644
## Receive TCP packets from a NetLabel connection.
##
##
-@@ -2213,7 +2878,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
########################################
##
@@ -4789,7 +4861,7 @@ index 07126bd..d6ec4a8 100644
##
##
##
-@@ -2221,10 +2886,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
##
##
#
@@ -4807,7 +4879,7 @@ index 07126bd..d6ec4a8 100644
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
-@@ -2249,6 +2919,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
########################################
##
@@ -4834,7 +4906,7 @@ index 07126bd..d6ec4a8 100644
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
##
-@@ -2269,6 +2959,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
########################################
##
@@ -4862,7 +4934,7 @@ index 07126bd..d6ec4a8 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2533,15 +3244,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
##
#
interface(`corenet_all_recvfrom_unlabeled',`
@@ -4882,7 +4954,7 @@ index 07126bd..d6ec4a8 100644
')
########################################
-@@ -2567,11 +3273,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
#
interface(`corenet_all_recvfrom_netlabel',`
gen_require(`
@@ -4920,7 +4992,7 @@ index 07126bd..d6ec4a8 100644
')
########################################
-@@ -2585,6 +3314,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',`
##
#
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -4928,7 +5000,7 @@ index 07126bd..d6ec4a8 100644
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3343,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
')
dontaudit $1 netlabel_peer_t:peer recv;
@@ -4965,7 +5037,7 @@ index 07126bd..d6ec4a8 100644
')
########################################
-@@ -2727,6 +3485,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',`
##
#
interface(`corenet_all_recvfrom_labeled',`
@@ -4973,7 +5045,7 @@ index 07126bd..d6ec4a8 100644
corenet_tcp_recvfrom_labeled($1, $2)
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3893,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',`
typeattribute $1 corenet_unconfined_type;
')
@@ -5083,7 +5155,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..73d7b76 100644
+index 4edc40d..999b8f1 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5276,7 +5348,11 @@ index 4edc40d..73d7b76 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -188,21 +221,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -185,24 +218,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+ network_port(mxi, tcp,8005,s0, udp,8005,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
++network_port(mythtv, tcp,6543-6544,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -5308,7 +5384,7 @@ index 4edc40d..73d7b76 100644
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +254,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5337,6 +5413,7 @@ index 4edc40d..73d7b76 100644
network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
++network_port(sge, tcp,6444,s0, tcp,6445,s0)
network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
@@ -5356,7 +5433,7 @@ index 4edc40d..73d7b76 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +300,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5367,7 +5444,7 @@ index 4edc40d..73d7b76 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +312,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5380,7 +5457,7 @@ index 4edc40d..73d7b76 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +336,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -5399,7 +5476,7 @@ index 4edc40d..73d7b76 100644
########################################
#
-@@ -330,6 +378,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5408,7 +5485,7 @@ index 4edc40d..73d7b76 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +392,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -5543,7 +5620,7 @@ index b31c054..3035b45 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..09ccba4 100644
+index 76f285e..e26dfc3 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6334,175 +6411,223 @@ index 76f285e..09ccba4 100644
')
########################################
-@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
+-## Search the sysfs directories.
+## Set the attributes of sysfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',`
+ ##
+ ##
+ #
+-interface(`dev_search_sysfs',`
+interface(`dev_setattr_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- search_dirs_pattern($1, sysfs_t, sysfs_t)
+ allow $1 sysfs_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search sysfs.
+## Get attributes of sysfs filesystems.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_search_sysfs',`
+interface(`dev_getattr_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- dontaudit $1 sysfs_t:dir search_dir_perms;
+ allow $1 sysfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List the contents of the sysfs directories.
++## Mount a filesystem on /sys
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allow access.
+ ##
+ ##
+ #
+-interface(`dev_list_sysfs',`
++interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ allow $1 sysfs_t:dir mounton;
+ ')
+
+ ########################################
+ ##
+-## Write in a sysfs directories.
+## Mount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',`
+ ##
+ ##
+ #
+-# cjp: added for cpuspeed
+-interface(`dev_write_sysfs_dirs',`
+interface(`dev_mount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- allow $1 sysfs_t:dir write;
+ allow $1 sysfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write in a sysfs directory.
+## Unmount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_unmount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Search the sysfs directories.
##
##
-@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',`
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_unmount_sysfs_fs',`
+ gen_require(`
type sysfs_t;
')
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
- list_dirs_pattern($1, sysfs_t, sysfs_t)
+- dontaudit $1 sysfs_t:dir write;
++ allow $1 sysfs_t:filesystem unmount;
')
-@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
-
########################################
##
-## Create, read, write, and delete sysfs
-## directories.
-+## Read cpu online hardware state information.
++## Search the sysfs directories.
##
-+##
-+##
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##
-+##
##
##
- ## Domain allowed access.
+@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
-interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_read_cpu_online',`
-+ gen_require(`
-+ type cpu_online_t;
-+ ')
-+
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
-+')
-+
-+########################################
-+##
-+## Relabel cpu online hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_cpu_online',`
++interface(`dev_search_sysfs',`
gen_require(`
-+ type cpu_online_t;
type sysfs_t;
')
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ dev_search_sysfs($1)
-+ allow $1 cpu_online_t:file relabel_file_perms;
++ search_dirs_pattern($1, sysfs_t, sysfs_t)
')
-+
########################################
##
- ## Read hardware state information.
-@@ -4016,7 +4445,7 @@ interface(`dev_rw_sysfs',`
+-## Read hardware state information.
++## Do not audit attempts to search sysfs.
+ ##
+-##
+-##
+-## Allow the specified domain to read the contents of
+-## the sysfs filesystem. This filesystem contains
+-## information, parameters, and other settings on the
+-## hardware installed on the system.
+-##
+-##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+-##
+ #
+-interface(`dev_read_sysfs',`
++interface(`dev_dontaudit_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- read_files_pattern($1, sysfs_t, sysfs_t)
+- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ dontaudit $1 sysfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Allow caller to modify hardware state information.
++## List the contents of the sysfs directories.
+ ##
+ ##
+ ##
+@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_sysfs',`
++interface(`dev_list_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- rw_files_pattern($1, sysfs_t, sysfs_t)
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
########################################
##
-## Read and write the TPM device.
-+## Relabel hardware state directories.
++## Write in a sysfs directories.
##
##
##
-@@ -4024,58 +4453,114 @@ interface(`dev_rw_sysfs',`
+@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',`
##
##
#
-interface(`dev_rw_tpm',`
-+interface(`dev_relabel_sysfs_dirs',`
++# cjp: added for cpuspeed
++interface(`dev_write_sysfs_dirs',`
gen_require(`
- type device_t, tpm_device_t;
+ type sysfs_t;
')
- rw_chr_files_pattern($1, device_t, tpm_device_t)
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ allow $1 sysfs_t:dir write;
')
########################################
##
-## Read from pseudo random number generator devices (e.g., /dev/urandom).
-+## Relabel hardware state files
++## Do not audit attempts to write in a sysfs directory.
##
-##
-##
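Review bot: The parameter description of the new `dev_mounton_sysfs` interface reads `++## Domain allow access.`, a typo for the `## Domain allowed access.` wording every sibling uses, and its summary `++## Mount a filesystem on /sys` lacks the terminating period of the other summaries. Because `sysfs_t:dir mounton` lets the caller mount another filesystem over /sys and thereby change what every other domain sees there, the summary would also benefit from naming the intended callers, presumably init- or mount-style domains, so that it is not handed out casually; I cannot confirm the intended users from this hunk. The interface itself is complete within the hunk.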
@@ -6528,27 +6653,172 @@ index 76f285e..09ccba4 100644
-##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-##
#
-interface(`dev_read_urand',`
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_dontaudit_write_sysfs_dirs',`
gen_require(`
- type device_t, urandom_device_t;
+ type sysfs_t;
')
- read_chr_files_pattern($1, device_t, urandom_device_t)
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ dontaudit $1 sysfs_t:dir write;
')
########################################
##
-## Do not audit attempts to read from pseudo
+-## random devices (e.g., /dev/urandom)
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_read_urand',`
++interface(`dev_read_cpu_online',`
+ gen_require(`
+- type urandom_device_t;
++ type cpu_online_t;
+ ')
+
+- dontaudit $1 urandom_device_t:chr_file { getattr read };
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
+ ')
+
+ ########################################
+ ##
+-## Write to the pseudo random device (e.g., /dev/urandom). This
+-## sets the random number generator seed.
++## Relabel cpu online hardware state information.
+ ##
+ ##
+ ##
+@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',`
+ ##
+ ##
+ #
+-interface(`dev_write_urand',`
++interface(`dev_relabel_cpu_online',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type cpu_online_t;
++ type sysfs_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, urandom_device_t)
++ dev_search_sysfs($1)
++ allow $1 cpu_online_t:file relabel_file_perms;
+ ')
+
++
+ ########################################
+ ##
+-## Getattr generic the USB devices.
++## Read hardware state information.
+ ##
+-##
++##
++##
++## Allow the specified domain to read the contents of
++## the sysfs filesystem. This filesystem contains
++## information, parameters, and other settings on the
++## hardware installed on the system.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_read_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ read_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Allow caller to modify hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ rw_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Relabel hardware state directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Relabel hardware state files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_all_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
+## Allow caller to modify hardware state information.
+##
+##
@@ -6627,13 +6897,43 @@ index 76f285e..09ccba4 100644
+########################################
+##
+## Do not audit attempts to read from pseudo
- ## random devices (e.g., /dev/urandom)
- ##
- ##
-@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
-
- ########################################
- ##
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file { getattr read };
++')
++
++########################################
++##
++## Write to the pseudo random device (e.g., /dev/urandom). This
++## sets the random number generator seed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_urand',`
++ gen_require(`
++ type device_t, urandom_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++##
+## Do not audit attempts to write to pseudo
+## random devices (e.g., /dev/urandom)
+##
@@ -6653,10 +6953,13 @@ index 76f285e..09ccba4 100644
+
+########################################
+##
- ## Getattr generic the USB devices.
- ##
- ##
-@@ -4409,9 +4913,9 @@ interface(`dev_rw_usbfs',`
++## Getattr generic the USB devices.
++##
++##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -6668,7 +6971,7 @@ index 76f285e..09ccba4 100644
##
##
##
-@@ -4419,17 +4923,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',`
##
##
#
@@ -6691,7 +6994,7 @@ index 76f285e..09ccba4 100644
##
##
##
-@@ -4437,12 +4941,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',`
##
##
#
@@ -6707,7 +7010,7 @@ index 76f285e..09ccba4 100644
')
########################################
-@@ -4539,6 +5043,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',`
########################################
##
@@ -6842,7 +7145,7 @@ index 76f285e..09ccba4 100644
## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5189,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -6867,7 +7170,7 @@ index 76f285e..09ccba4 100644
## Read and write VMWare devices.
##
##
-@@ -4762,6 +5412,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -6894,7 +7197,7 @@ index 76f285e..09ccba4 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5521,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -8069,7 +8372,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..8542b3d 100644
+index cf04cb5..5376a48 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8197,7 +8500,7 @@ index cf04cb5..8542b3d 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,271 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8267,6 +8570,10 @@ index cf04cb5..8542b3d 100644
+')
+
+optional_policy(`
++ clock_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ cups_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8343,7 +8650,7 @@ index cf04cb5..8542b3d 100644
+ systemd_login_reboot(unconfined_domain_type)
+ systemd_login_halt(unconfined_domain_type)
+ systemd_login_undefined(unconfined_domain_type)
-+ systemd_filetrans_named_hostname(unconfined_domain_type)
++ systemd_filetrans_named_hostname(unconfined_domain_type)
+')
+
+optional_policy(`
@@ -8355,11 +8662,11 @@ index cf04cb5..8542b3d 100644
+')
+
+optional_policy(`
-+ virt_filetrans_named_content(unconfined_domain_type)
++ ssh_filetrans_admin_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
-+ ssh_filetrans_admin_home_content(unconfined_domain_type)
++ virt_filetrans_named_content(unconfined_domain_type)
+')
+
+selinux_getattr_fs(domain)
@@ -8713,7 +9020,7 @@ index c2c6e05..be423a7 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..9389e60 100644
+index 64ff4d7..455cc6c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -9142,7 +9449,7 @@ index 64ff4d7..9389e60 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,6 +1303,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1303,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
@@ -9165,10 +9472,29 @@ index 64ff4d7..9389e60 100644
+
+########################################
+##
++## Do not audit attempts to read
++## of all security file types.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_all_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file read_file_perms;
++')
++
++########################################
++##
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,10 +1404,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1423,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
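Review bot: The description of `files_dontaudit_read_all_non_security_files` says "Do not audit attempts to read of all security file types", which contradicts both the interface name and the `attribute non_security_file_type` it requires; it should read `## Do not audit attempts to read all non-security file types.`. Because the dontaudit rule silences read denials on every type carrying that attribute, a domain that calls this interface loses the audit trail for unexpected file reads, so it is worth stating in the description that it is meant for domains whose spurious read attempts are already understood. The rest of files.if around this hunk is not visible here.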
@@ -9181,7 +9507,7 @@ index 64ff4d7..9389e60 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1511,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1530,6 @@ interface(`files_list_all',`
########################################
##
@@ -9206,19 +9532,17 @@ index 64ff4d7..9389e60 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,10 +1754,7 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1773,6 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
--')
-+')
+ ')
#############################################
- ##
-@@ -1583,6 +1891,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1910,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
##
@@ -9243,7 +9567,7 @@ index 64ff4d7..9389e60 100644
## Set the attributes of all mount points.
##
##
-@@ -1673,6 +1999,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +2018,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -9268,7 +9592,7 @@ index 64ff4d7..9389e60 100644
## Do not audit attempts to write to mount points.
##
##
-@@ -1691,6 +2035,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +2054,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
##
@@ -9293,7 +9617,7 @@ index 64ff4d7..9389e60 100644
## List the contents of the root directory.
##
##
-@@ -1874,25 +2236,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2255,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -9325,7 +9649,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -1905,7 +2267,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2286,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -9334,7 +9658,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -1928,6 +2290,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2309,24 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -9359,7 +9683,7 @@ index 64ff4d7..9389e60 100644
## Get attributes of the /boot directory.
##
##
-@@ -2627,6 +3007,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3026,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -9384,7 +9708,7 @@ index 64ff4d7..9389e60 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2698,6 +3096,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3115,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -9392,7 +9716,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -2706,7 +3105,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3124,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -9401,7 +9725,7 @@ index 64ff4d7..9389e60 100644
##
##
#
-@@ -2762,6 +3161,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3180,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -9427,7 +9751,7 @@ index 64ff4d7..9389e60 100644
## Delete system configuration files in /etc.
##
##
-@@ -2780,6 +3198,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3217,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -9452,7 +9776,7 @@ index 64ff4d7..9389e60 100644
## Execute generic files in /etc.
##
##
-@@ -2945,24 +3381,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3400,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -9477,7 +9801,7 @@ index 64ff4d7..9389e60 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3003,9 +3421,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3440,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -9488,7 +9812,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -3013,18 +3429,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3448,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -9510,7 +9834,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -3042,6 +3457,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3476,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -9537,7 +9861,7 @@ index 64ff4d7..9389e60 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3059,6 +3494,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3513,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -9545,7 +9869,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -3080,6 +3516,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3535,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -9553,7 +9877,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -3132,6 +3569,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3588,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
##
@@ -9579,7 +9903,7 @@ index 64ff4d7..9389e60 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
-@@ -3208,6 +3664,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3683,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
##
@@ -9605,7 +9929,7 @@ index 64ff4d7..9389e60 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
##
-@@ -3455,6 +3930,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3949,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -9631,7 +9955,7 @@ index 64ff4d7..9389e60 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3796,20 +4290,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4309,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -9675,7 +9999,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -4199,58 +4711,225 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,52 +4730,219 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -9728,38 +10052,25 @@ index 64ff4d7..9389e60 100644
##
#
-interface(`files_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir getattr;
++
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ files_filetrans_system_conf_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Do not audit attempts to get the
--## attributes of the tmp directory (/tmp).
++##
+## File name transition for system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
++##
++#
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
@@ -9889,16 +10200,16 @@ index 64ff4d7..9389e60 100644
+##
+#
+interface(`files_getattr_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
+ gen_require(`
+ type tmp_t;
+ ')
+
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir getattr;
-+')
-+
-+########################################
-+##
+ allow $1 tmp_t:dir getattr;
+ ')
+
+ ########################################
+ ##
+## Do not audit attempts to check the
+## access on tmp files
+##
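Review bot: `files_getattr_tmp_dirs` now grants more than its name states: the new `read_lnk_files_pattern($1, tmp_t, tmp_t)` line gives the caller read access to symlinks labelled tmp_t in addition to the `tmp_t:dir getattr` the interface is named for. Callers picking this interface for a getattr-only need will silently receive symlink reads, so either the interface description (above this hunk, not visible here) should say so, e.g. `## Get the attributes of the tmp directory (/tmp) and read symlinks in it.`, or the symlink read belongs in a separate interface. The same applies wherever this pattern is duplicated elsewhere in the regenerated patch.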
@@ -9918,22 +10229,17 @@ index 64ff4d7..9389e60 100644
+
+########################################
+##
-+## Do not audit attempts to get the
-+## attributes of the tmp directory (/tmp).
-+##
-+##
-+##
+ ## Do not audit attempts to get the
+ ## attributes of the tmp directory (/tmp).
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
- ')
-
- dontaudit $1 tmp_t:dir getattr;
-@@ -4271,6 +4950,7 @@ interface(`files_search_tmp',`
+ ##
+ ##
+ #
+@@ -4271,6 +4969,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -9941,7 +10247,7 @@ index 64ff4d7..9389e60 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4307,6 +4987,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5006,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -9949,7 +10255,7 @@ index 64ff4d7..9389e60 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4316,7 +4997,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5016,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -9958,7 +10264,7 @@ index 64ff4d7..9389e60 100644
##
##
#
-@@ -4328,6 +5009,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5028,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -9984,7 +10290,7 @@ index 64ff4d7..9389e60 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4343,6 +5043,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5062,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -9992,7 +10298,7 @@ index 64ff4d7..9389e60 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4384,6 +5085,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5104,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -10025,7 +10331,7 @@ index 64ff4d7..9389e60 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4438,6 +5165,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,6 +5184,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -10068,7 +10374,7 @@ index 64ff4d7..9389e60 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4456,6 +5219,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4456,6 +5238,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -10129,7 +10435,7 @@ index 64ff4d7..9389e60 100644
## List all tmp directories.
##
##
-@@ -4501,7 +5318,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4501,7 +5337,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -10138,7 +10444,7 @@ index 64ff4d7..9389e60 100644
##
##
#
-@@ -4561,7 +5378,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5397,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -10147,124 +10453,52 @@ index 64ff4d7..9389e60 100644
##
##
#
-@@ -4593,59 +5410,107 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5429,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
+## Do not audit attempts to read or write
+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_tmp_filetrans',`
-+interface(`files_dontaudit_tmp_file_leaks',`
- gen_require(`
-- type tmp_t;
-+ attribute tmpfile;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_purge_tmp',`
-+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
-+ allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
+##
+##
+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_tmp_filetrans',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ gen_require(`
-+ type tmp_t;
++ attribute tmpfile;
+ ')
+
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Delete the contents of /tmp.
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_purge_tmp',`
++interface(`files_rw_tmp_file_leaks',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
- delete_files_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Create an object in the tmp directories, with a private
+ ## type using a type transition.
+ ##
+@@ -4646,6 +5520,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
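Review bot: The parameter documentation of `files_rw_tmp_file_leaks` says "Domain to not audit." although its body is an `allow $1 tmpfile:file rw_inherited_file_perms;` rule, and the summary "Do allow attempts to read or write all leaked tmpfiles files." reads like a copy of the dontaudit sibling above it. Suggested wording: `## Allow read and write of inherited (leaked) descriptors to all tmp file types.` with the parameter described as `## Domain allowed access.`. Because the rule targets the `tmpfile` attribute, it covers every tmp file type in the policy; the description should make clear it is scoped to inherited descriptors so it is not mistaken for a general read/write grant.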
@@ -10281,32 +10515,67 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -5223,6 +6088,24 @@ interface(`files_list_var',`
+@@ -5223,26 +6107,26 @@ interface(`files_list_var',`
########################################
##
+-## Create, read, write, and delete directories
+-## in the /var directory.
+## Do not audit listing of the var directory (/var).
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_var_dirs',`
+interface(`files_dontaudit_list_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+- allow $1 var_t:dir manage_dir_perms;
++ dontaudit $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read files in the /var directory.
++## Create, read, write, and delete directories
++## in the /var directory.
+ ##
+ ##
+ ##
+@@ -5250,7 +6134,25 @@ interface(`files_manage_var_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_var_files',`
++interface(`files_manage_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
-+ dontaudit $1 var_t:dir list_dir_perms;
++ allow $1 var_t:dir manage_dir_perms;
+')
+
+########################################
+##
- ## Create, read, write, and delete directories
- ## in the /var directory.
- ##
-@@ -5578,6 +6461,25 @@ interface(`files_read_var_lib_symlinks',`
++## Read files in the /var directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+@@ -5578,6 +6480,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -10332,7 +10601,7 @@ index 64ff4d7..9389e60 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5623,7 +6525,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6544,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -10341,7 +10610,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -5631,12 +6533,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6552,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -10357,7 +10626,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -5654,6 +6557,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6576,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -10365,7 +10634,7 @@ index 64ff4d7..9389e60 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5680,7 +6584,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6603,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -10393,7 +10662,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -5688,13 +6611,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6630,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -10410,7 +10679,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -5713,7 +6635,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6654,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -10419,7 +10688,7 @@ index 64ff4d7..9389e60 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5746,7 +6668,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6687,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -10427,7 +10696,7 @@ index 64ff4d7..9389e60 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5774,8 +6695,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5774,8 +6714,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -10437,7 +10706,7 @@ index 64ff4d7..9389e60 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5791,13 +6711,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6730,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -10455,7 +10724,7 @@ index 64ff4d7..9389e60 100644
')
########################################
-@@ -5816,9 +6735,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6754,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -10466,7 +10735,7 @@ index 64ff4d7..9389e60 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5860,8 +6777,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6796,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -10476,7 +10745,7 @@ index 64ff4d7..9389e60 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6799,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6818,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -10486,7 +10755,7 @@ index 64ff4d7..9389e60 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6836,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6855,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -10496,7 +10765,7 @@ index 64ff4d7..9389e60 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5961,7 +6875,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +6894,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -10505,7 +10774,7 @@ index 64ff4d7..9389e60 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5981,10 +6895,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +6914,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -10554,7 +10823,7 @@ index 64ff4d7..9389e60 100644
########################################
##
## Do not audit attempts to search
-@@ -6007,6 +6959,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6978,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -10580,7 +10849,7 @@ index 64ff4d7..9389e60 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6021,7 +6992,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7011,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -10589,7 +10858,7 @@ index 64ff4d7..9389e60 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6040,7 +7011,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7030,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -10598,7 +10867,7 @@ index 64ff4d7..9389e60 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6060,7 +7031,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7050,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -10607,7 +10876,7 @@ index 64ff4d7..9389e60 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6122,7 +7093,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7112,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -10615,7 +10884,7 @@ index 64ff4d7..9389e60 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6164,7 +7134,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7153,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -10624,7 +10893,7 @@ index 64ff4d7..9389e60 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6231,55 +7201,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7220,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -10687,7 +10956,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -6287,42 +7245,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7264,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -10737,7 +11006,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -6330,18 +7281,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7300,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -10761,7 +11030,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -6349,37 +7300,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7319,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -10813,7 +11082,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -6387,18 +7341,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7360,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -10836,7 +11105,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -6406,18 +7359,18 @@ interface(`files_list_spool',`
+@@ -6406,18 +7378,18 @@ interface(`files_list_spool',`
##
##
#
@@ -10860,7 +11129,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -6425,19 +7378,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,19 +7397,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -10885,7 +11154,7 @@ index 64ff4d7..9389e60 100644
##
##
##
-@@ -6445,29 +7397,296 @@ interface(`files_read_generic_spool',`
+@@ -6445,55 +7416,43 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -10916,44 +11185,77 @@ index 64ff4d7..9389e60 100644
-##
-## Type to which the created node will be transitioned.
-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+##
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_delete_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6501,64 +7460,814 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-+
+
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+########################################
+##
+## Make the specified type a file
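Review bot: `files_delete_all_pids` grants `allow $1 var_run_t:dir rmdir;` even though the directory-deletion case has its own interface, `files_delete_all_pid_dirs`, defined a few lines later in this hunk with `delete_dirs_pattern($1, pidfile, pidfile)`; a caller that only needs to remove pid files therefore also gets removal of generic var_run_t directories. If this rule is new in this revision rather than carried over (the outer diff rendering loses the inner `+` markers, so I cannot tell), moving the rmdir into `files_delete_all_pid_dirs`, or documenting in the description of `files_delete_all_pids` that it also removes var_run_t directories and symlinks, would keep the two interfaces' scopes distinct. The description block for `files_delete_all_pids` starts before this hunk and is not visible here.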
@@ -11189,13 +11491,105 @@ index 64ff4d7..9389e60 100644
+##
+## Type to which the created node will be transitioned.
+##
- ##
- ##
- ##
-@@ -6562,3 +7781,459 @@ interface(`files_unconfined',`
++##
++##
++##
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_spool_filetrans',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++##
++## Allow access to manage all polyinstantiated
++## directories on the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_polyinstantiate_all',`
++ gen_require(`
++ attribute polydir, polymember, polyparent;
++ type poly_t;
++ ')
++
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
+ allow $1 polyparent:dir { getattr mounton };
- typeattribute $1 files_unconfined_type;
- ')
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
++')
++
++########################################
++##
++## Unconfined access to files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_unconfined',`
++ gen_require(`
++ attribute files_unconfined_type;
++ ')
++
++ typeattribute $1 files_unconfined_type;
++')
+
+########################################
+##
@@ -11321,10 +11715,15 @@ index 64ff4d7..9389e60 100644
+ gen_require(`
+ attribute tmpfsfile;
+ ')
-+
+
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+ allow $1 tmpfsfile:file { read write };
+')
-+
+
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+########################################
+##
+## Do not audit attempts to read security files
@@ -11339,7 +11738,13 @@ index 64ff4d7..9389e60 100644
+ gen_require(`
+ attribute security_file_type;
+ ')
-+
+
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+ dontaudit $1 security_file_type:file read_file_perms;
+')
+
@@ -11361,32 +11766,36 @@ index 64ff4d7..9389e60 100644
+interface(`files_rw_all_inherited_files',`
+ gen_require(`
+ attribute file_type;
-+ ')
+ ')
+
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unconfined access to files.
+## Allow any file point to be the entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`files_unconfined',`
+interface(`files_entrypoint_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute files_unconfined_type;
+ attribute file_type;
-+ ')
+ ')
+ allow $1 file_type:file entrypoint;
+')
-+
+
+- typeattribute $1 files_unconfined_type;
+########################################
+##
+## Do not audit attempts to rw inherited file perms
@@ -11513,9 +11922,12 @@ index 64ff4d7..9389e60 100644
+#
+interface(`files_filetrans_named_content',`
+ gen_require(`
++ type etc_t;
+ type mnt_t;
+ type usr_t;
++ type tmp_t;
+ type var_t;
++ type var_run_t;
+ type tmp_t;
+ ')
+
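Review bot: The added `type tmp_t;` duplicates the `type tmp_t;` that is already required two lines below in the same gen_require block of files_filetrans_named_content. The hunk does not show whether the policy compiler tolerates a repeated declaration in one require block, but the second copy is redundant either way and should be dropped, keeping only the new `type etc_t;` and `type var_run_t;` lines that the filetrans rules added in the next hunk need. The interface body continues outside this hunk.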
@@ -11526,8 +11938,19 @@ index 64ff4d7..9389e60 100644
+ files_root_filetrans($1, mnt_t, dir, "misc")
+ files_root_filetrans($1, mnt_t, dir, "net")
+ files_root_filetrans($1, usr_t, dir, "export")
++ files_root_filetrans($1, usr_t, dir, "opt")
+ files_root_filetrans($1, usr_t, dir, "emul")
++ files_root_filetrans($1, var_t, dir, "srv")
++ files_root_filetrans($1, var_run_t, dir, "run")
++ files_root_filetrans($1, tmp_t, dir, "sandbox")
++ files_root_filetrans($1, tmp_t, dir, "tmp")
+ files_root_filetrans($1, var_t, dir, "nsr")
++ files_etc_filetrans($1, etc_t, file, "system-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "postlogin-ac")
++ files_etc_filetrans($1, etc_t, file, "password-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "hwdb.bin")
+ files_etc_filetrans_etc_runtime($1, file, "runtime")
+ files_etc_filetrans_etc_runtime($1, dir, "blkid")
+ files_etc_filetrans_etc_runtime($1, dir, "cmtab")
@@ -11540,6 +11963,7 @@ index 64ff4d7..9389e60 100644
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
++ files_var_filetrans($1, tmp_t, dir, "tmp")
+')
+
+########################################
@@ -11566,7 +11990,7 @@ index 64ff4d7..9389e60 100644
+ ')
+ files_type($1)
+ typeattribute $1 base_file_type;
-+')
+ ')
+
+########################################
+##
@@ -11873,7 +12297,7 @@ index cda5588..3035829 100644
+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
+/var/run/[^/]*/gvfs/.* <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..0776923 100644
+index 8416beb..7170125 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -12607,7 +13031,34 @@ index 8416beb..0776923 100644
##
##
##
-@@ -2741,7 +3258,7 @@ interface(`fs_search_removable',`
+@@ -2719,6 +3236,26 @@ interface(`fs_search_rpc',`
+
+ ########################################
+ ##
++## Do not audit attempts to list removable storage directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_list_pstorefs',`
++ gen_require(`
++ type pstorefs_t;
++ ')
++
++ allow $1 pstorefs_t:dir list_dir_perms;
++')
++
++
++
++########################################
++##
+ ## Search removable storage directories.
+ ##
+ ##
+@@ -2741,7 +3278,7 @@ interface(`fs_search_removable',`
##
##
##
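Review bot: The documentation block for the new `fs_list_pstorefs` interface describes a different rule than the one it contains: the summary says "Do not audit attempts to list removable storage directories" and the parameter is "Domain to not audit", while the body is an `allow $1 pstorefs_t:dir list_dir_perms;` grant, not a dontaudit and not on removable storage. This looks like a copy from the neighbouring `fs_search_removable` block; the summary should read `## List pstore filesystem directories.` and the parameter line `## Domain allowed access.` so the generated interface reference does not understate what callers receive. The three blank lines after the closing `')` before the next banner are also out of step with the single blank line used elsewhere in this file.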
@@ -12616,7 +13067,7 @@ index 8416beb..0776923 100644
##
##
#
-@@ -2777,7 +3294,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3314,7 @@ interface(`fs_read_removable_files',`
##
##
##
@@ -12625,7 +13076,7 @@ index 8416beb..0776923 100644
##
##
#
-@@ -2970,6 +3487,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3507,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -12633,7 +13084,7 @@ index 8416beb..0776923 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +3528,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3548,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -12641,7 +13092,7 @@ index 8416beb..0776923 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +3569,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3589,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -12649,7 +13100,7 @@ index 8416beb..0776923 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3263,6 +3783,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3803,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -12674,7 +13125,7 @@ index 8416beb..0776923 100644
########################################
##
## Read and write NFS server files.
-@@ -3283,6 +3821,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3841,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
##
@@ -12699,7 +13150,7 @@ index 8416beb..0776923 100644
## Allow the type to associate to ramfs filesystems.
##
##
-@@ -3392,7 +3948,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3968,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -12708,7 +13159,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -3429,7 +3985,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4005,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -12717,7 +13168,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -3447,7 +4003,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4023,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -12726,7 +13177,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -3815,6 +4371,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4391,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -12751,7 +13202,7 @@ index 8416beb..0776923 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3908,7 +4482,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +4502,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
@@ -12760,7 +13211,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -3916,17 +4490,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4510,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
@@ -12781,7 +13232,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -3934,17 +4508,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4528,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
@@ -12802,7 +13253,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -3952,17 +4526,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4546,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
@@ -12842,7 +13293,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -3970,31 +4563,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4583,48 @@ interface(`fs_search_tmpfs',`
##
##
#
@@ -12898,7 +13349,7 @@ index 8416beb..0776923 100644
')
########################################
-@@ -4105,7 +4715,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -12907,7 +13358,7 @@ index 8416beb..0776923 100644
')
########################################
-@@ -4165,6 +4775,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
##
@@ -12932,7 +13383,7 @@ index 8416beb..0776923 100644
## Read tmpfs link files.
##
##
-@@ -4202,7 +4830,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
##
@@ -12941,7 +13392,7 @@ index 8416beb..0776923 100644
##
##
##
-@@ -4221,6 +4849,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -13002,7 +13453,7 @@ index 8416beb..0776923 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4278,6 +4960,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
##
@@ -13047,7 +13498,7 @@ index 8416beb..0776923 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
##
-@@ -4297,6 +5017,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
##
@@ -13073,7 +13524,7 @@ index 8416beb..0776923 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
-@@ -4503,6 +5242,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5262,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -13082,7 +13533,7 @@ index 8416beb..0776923 100644
')
########################################
-@@ -4549,7 +5290,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5310,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -13091,7 +13542,7 @@ index 8416beb..0776923 100644
## Example attributes:
##
##
-@@ -4596,6 +5337,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -13118,7 +13569,7 @@ index 8416beb..0776923 100644
## Get the quotas of all filesystems.
##
##
-@@ -4912,3 +5673,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5693,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -13163,7 +13614,7 @@ index 8416beb..0776923 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..698aaee 100644
+index 9e603f5..e0209df 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@@ -13223,7 +13674,14 @@ index 9e603f5..698aaee 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -125,6 +139,10 @@ type oprofilefs_t;
+@@ -119,12 +133,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
++files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+
+ type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
@@ -13234,7 +13692,7 @@ index 9e603f5..698aaee 100644
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
-@@ -145,11 +163,6 @@ fs_type(spufs_t)
+@@ -145,11 +164,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -13246,7 +13704,7 @@ index 9e603f5..698aaee 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -167,6 +180,8 @@ type vxfs_t;
+@@ -167,6 +181,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -13255,7 +13713,7 @@ index 9e603f5..698aaee 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +191,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +192,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -13264,7 +13722,7 @@ index 9e603f5..698aaee 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +272,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +273,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -13273,7 +13731,7 @@ index 9e603f5..698aaee 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +293,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +294,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -13290,7 +13748,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..cc924ae 100644
+index 649e458..d47750f 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -13606,7 +14064,7 @@ index 649e458..cc924ae 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -13669,6 +14127,7 @@ index 649e458..cc924ae 100644
+ ')
+
+ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
++ allow $1 kernel_t:fd use;
+')
+
+########################################
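Review bot: The added `allow $1 kernel_t:fd use;` widens an interface whose name and documentation header lie outside this hunk; the only other rule visible in it is `allow $1 kernel_t:unix_stream_socket rw_socket_perms;`, so the interface is presumably described as socket I/O only. Inheriting and using kernel_t file descriptors is a separate capability from reading and writing a socket, and the header comment should say that callers also get fd use, or the fd rule should go in its own interface, so that policy authors granting the socket access do not pick up the descriptor access unknowingly. I cannot confirm the header text from here.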
@@ -13908,7 +14367,7 @@ index 649e458..cc924ae 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..b5b2f00 100644
+index 6fac350..1470f08 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -14089,7 +14548,18 @@ index 6fac350..b5b2f00 100644
')
optional_policy(`
-@@ -334,7 +390,6 @@ optional_policy(`
+@@ -312,6 +368,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ plymouthd_create_log(kernel_t)
++')
++
++optional_policy(`
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # to just give it everything.
+ allow kernel_t self:tcp_socket create_stream_socket_perms;
+@@ -334,7 +394,6 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
@@ -14097,7 +14567,7 @@ index 6fac350..b5b2f00 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +398,7 @@ optional_policy(`
+@@ -343,9 +402,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -14108,7 +14578,7 @@ index 6fac350..b5b2f00 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +407,7 @@ optional_policy(`
+@@ -354,7 +411,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -14117,7 +14587,7 @@ index 6fac350..b5b2f00 100644
')
')
-@@ -367,6 +420,15 @@ optional_policy(`
+@@ -367,6 +424,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -14133,7 +14603,7 @@ index 6fac350..b5b2f00 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +471,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +475,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@@ -16487,7 +16957,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..4cc476f 100644
+index 88d0028..45f4d0a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
@@ -16615,7 +17085,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -110,6 +145,10 @@ optional_policy(`
+@@ -110,11 +145,17 @@ optional_policy(`
')
optional_policy(`
@@ -16626,7 +17096,14 @@ index 88d0028..4cc476f 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +161,19 @@ optional_policy(`
+ optional_policy(`
+ clock_run(sysadm_t, sysadm_r)
++ clock_manage_adjtime(sysadm_t)
++ clock_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -122,11 +163,19 @@ optional_policy(`
')
optional_policy(`
@@ -16648,7 +17125,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -140,6 +187,10 @@ optional_policy(`
+@@ -140,6 +189,10 @@ optional_policy(`
')
optional_policy(`
@@ -16659,7 +17136,7 @@ index 88d0028..4cc476f 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +207,11 @@ optional_policy(`
+@@ -156,11 +209,11 @@ optional_policy(`
')
optional_policy(`
@@ -16673,7 +17150,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -179,6 +230,13 @@ optional_policy(`
+@@ -179,6 +232,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -16687,7 +17164,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -186,15 +244,20 @@ optional_policy(`
+@@ -186,15 +246,20 @@ optional_policy(`
')
optional_policy(`
@@ -16711,7 +17188,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -214,22 +277,20 @@ optional_policy(`
+@@ -214,22 +279,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -16740,7 +17217,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -241,14 +302,27 @@ optional_policy(`
+@@ -241,14 +304,27 @@ optional_policy(`
')
optional_policy(`
@@ -16768,7 +17245,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -256,10 +330,20 @@ optional_policy(`
+@@ -256,10 +332,20 @@ optional_policy(`
')
optional_policy(`
@@ -16789,7 +17266,7 @@ index 88d0028..4cc476f 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +354,36 @@ optional_policy(`
+@@ -270,31 +356,36 @@ optional_policy(`
')
optional_policy(`
@@ -16833,7 +17310,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -319,12 +408,18 @@ optional_policy(`
+@@ -319,12 +410,18 @@ optional_policy(`
')
optional_policy(`
@@ -16853,7 +17330,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -349,7 +444,18 @@ optional_policy(`
+@@ -349,7 +446,18 @@ optional_policy(`
')
optional_policy(`
@@ -16873,7 +17350,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -360,19 +466,15 @@ optional_policy(`
+@@ -360,19 +468,15 @@ optional_policy(`
')
optional_policy(`
@@ -16895,7 +17372,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -384,10 +486,6 @@ optional_policy(`
+@@ -384,10 +488,6 @@ optional_policy(`
')
optional_policy(`
@@ -16906,7 +17383,7 @@ index 88d0028..4cc476f 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +493,9 @@ optional_policy(`
+@@ -395,6 +495,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -16916,7 +17393,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -402,31 +503,34 @@ optional_policy(`
+@@ -402,31 +505,34 @@ optional_policy(`
')
optional_policy(`
@@ -16957,7 +17434,7 @@ index 88d0028..4cc476f 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +543,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +545,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -16968,7 +17445,7 @@ index 88d0028..4cc476f 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +563,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +565,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17727,10 +18204,10 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..699d0dd
+index 0000000..c8f13da
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,336 @@
+@@ -0,0 +1,329 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -17755,13 +18232,6 @@ index 0000000..699d0dd
+
+##
+##
-+## Allow video playing tools to run unconfined
-+##
-+##
-+gen_tunable(unconfined_mplayer, false)
-+
-+##
-+##
+## Allow a user to login as an unconfined domain
+##
+##
@@ -18852,7 +19322,7 @@ index 76d9f66..3063a17 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..2e18809 100644
+index fe0c682..871b8fd 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -19372,16 +19842,35 @@ index fe0c682..2e18809 100644
## Read ssh server keys
##
##
-@@ -714,7 +814,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
- dontaudit $1 sshd_key_t:file { getattr read };
+ dontaudit $1 sshd_key_t:file read_file_perms;
++')
++
++######################################
++##
++## Append ssh home directory content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_append_home_files',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ append_files_pattern($1, ssh_home_t, ssh_home_t)
++ userdom_search_user_home_dirs($1)
')
######################################
-@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +873,124 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
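Review bot: The new `ssh_append_home_files` interface grants `append_files_pattern($1, ssh_home_t, ssh_home_t)`, and ssh_home_t covers the whole `~/.ssh` tree (this patch labels `/root/\.ssh(/.*)?` with it), so append on every ssh_home_t file includes authorized_keys; a caller can therefore add trusted public keys, which is equivalent to write access to the user's login trust. The interface summary "Append ssh home directory content" should state this so it is not handed out as a harmless logging permission, for example `## Append to ssh home directory content. Note this includes authorized_keys, so callers can add keys trusted for login.`. If the intended consumer only needs to append to a specific file such as known_hosts, a narrower interface or a dedicated type would be the safer shape.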
@@ -19507,7 +19996,7 @@ index fe0c682..2e18809 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..b87b076 100644
+index 5fc0391..994eec2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -19740,7 +20229,7 @@ index 5fc0391..b87b076 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +248,50 @@ optional_policy(`
+@@ -223,33 +248,53 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -19756,6 +20245,9 @@ index 5fc0391..b87b076 100644
+files_search_all(sshd_t)
+
++fs_search_cgroup_dirs(sshd_t)
++fs_rw_cgroup_files(sshd_t)
++
term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
+term_setattr_all_ttys(sshd_t)
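Review bot: The added `fs_rw_cgroup_files(sshd_t)` gives the ssh daemon read and write access to all cgroup_t files without a comment explaining why, unlike the NFS block in kernel.te elsewhere in this patch that justifies its broad grant. Writing cgroup control files lets a domain reassign processes and change resource limits for any cgroup, so if this is only for placing the login session into its own cgroup (presumably via pam or a session helper), say so on the line, e.g. `# session placement into a cgroup on login`, and consider whether a narrower rule covers the actual write target. The enclosing sshd_t policy block extends beyond this hunk.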
@@ -19800,7 +20292,7 @@ index 5fc0391..b87b076 100644
')
optional_policy(`
-@@ -257,11 +299,24 @@ optional_policy(`
+@@ -257,11 +302,24 @@ optional_policy(`
')
optional_policy(`
@@ -19826,7 +20318,7 @@ index 5fc0391..b87b076 100644
')
optional_policy(`
-@@ -269,6 +324,10 @@ optional_policy(`
+@@ -269,6 +327,10 @@ optional_policy(`
')
optional_policy(`
@@ -19837,7 +20329,7 @@ index 5fc0391..b87b076 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +338,69 @@ optional_policy(`
+@@ -279,13 +341,69 @@ optional_policy(`
')
optional_policy(`
@@ -19907,7 +20399,7 @@ index 5fc0391..b87b076 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +409,26 @@ optional_policy(`
+@@ -294,19 +412,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -19935,7 +20427,7 @@ index 5fc0391..b87b076 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +445,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +448,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -19948,7 +20440,7 @@ index 5fc0391..b87b076 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +459,138 @@ optional_policy(`
+@@ -331,3 +462,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -20088,7 +20580,7 @@ index 5fc0391..b87b076 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..3be3d00 100644
+index d1f64a0..97140ee 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -20150,7 +20642,7 @@ index d1f64a0..3be3d00 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -20178,6 +20670,7 @@ index d1f64a0..3be3d00 100644
+
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/razor-lightdm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -20188,7 +20681,7 @@ index d1f64a0..3be3d00 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +127,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +128,49 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -21789,7 +22282,7 @@ index 6bf0ecc..f0080ba 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..cb2c21b 100644
+index 2696452..4690551 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,57 @@ gen_require(`
@@ -22838,7 +23331,7 @@ index 2696452..cb2c21b 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1142,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -22848,6 +23341,7 @@ index 2696452..cb2c21b 100644
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory(xserver_t)
dev_wx_raw_memory(xserver_t)
++dev_read_urand(xserver_t)
# for other device nodes such as the NVidia binary-only driver
-dev_rw_xserver_misc(xserver_t)
+dev_manage_xserver_misc(xserver_t)
@@ -22869,7 +23363,7 @@ index 2696452..cb2c21b 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -22887,7 +23381,7 @@ index 2696452..cb2c21b 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1196,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -22911,7 +23405,7 @@ index 2696452..cb2c21b 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -22920,7 +23414,7 @@ index 2696452..cb2c21b 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1259,44 @@ optional_policy(`
+@@ -775,16 +1260,44 @@ optional_policy(`
')
optional_policy(`
@@ -22966,7 +23460,7 @@ index 2696452..cb2c21b 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1305,10 @@ optional_policy(`
+@@ -793,6 +1306,10 @@ optional_policy(`
')
optional_policy(`
@@ -22977,7 +23471,7 @@ index 2696452..cb2c21b 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -22991,7 +23485,7 @@ index 2696452..cb2c21b 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -23000,7 +23494,7 @@ index 2696452..cb2c21b 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1348,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23035,7 +23529,7 @@ index 2696452..cb2c21b 100644
')
optional_policy(`
-@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23044,7 +23538,7 @@ index 2696452..cb2c21b 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -23076,7 +23570,7 @@ index 2696452..cb2c21b 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1513,41 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1514,41 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -23375,7 +23869,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..5188076 100644
+index 3efd5b6..c7f52c2 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -23397,11 +23891,12 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -53,10 +59,12 @@ interface(`auth_use_pam',`
+@@ -53,10 +59,13 @@ interface(`auth_use_pam',`
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
- auth_rw_faillog($1)
++ auth_create_lastlog($1)
+ auth_manage_faillog($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
@@ -23411,7 +23906,7 @@ index 3efd5b6..5188076 100644
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
-@@ -78,8 +86,19 @@ interface(`auth_use_pam',`
+@@ -78,8 +87,19 @@ interface(`auth_use_pam',`
')
optional_policy(`
@@ -23431,7 +23926,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -95,48 +114,21 @@ interface(`auth_use_pam',`
+@@ -95,48 +115,21 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@@ -23486,7 +23981,7 @@ index 3efd5b6..5188076 100644
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
-@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
+@@ -146,18 +139,43 @@ interface(`auth_login_pgm_domain',`
mls_fd_share_all_levels($1)
auth_use_pam($1)
@@ -23538,7 +24033,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +249,25 @@ interface(`auth_domtrans_login_program',`
########################################
##
@@ -23564,7 +24059,7 @@ index 3efd5b6..5188076 100644
## Execute a login_program in the target domain,
## with a range transition.
##
-@@ -395,6 +431,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,6 +432,8 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -23573,7 +24068,7 @@ index 3efd5b6..5188076 100644
pcscd_read_pid_files($1)
pcscd_stream_connect($1)
')
-@@ -402,6 +440,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +441,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -23582,7 +24077,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -448,6 +488,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +489,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -23608,7 +24103,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -467,7 +526,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +527,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -23616,7 +24111,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -664,6 +722,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +723,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -23627,7 +24122,7 @@ index 3efd5b6..5188076 100644
')
#######################################
-@@ -763,7 +825,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +826,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -23679,8 +24174,30 @@ index 3efd5b6..5188076 100644
')
#######################################
-@@ -826,7 +931,7 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +930,29 @@ interface(`auth_rw_lastlog',`
+ allow $1 lastlog_t:file { rw_file_perms lock setattr };
+ ')
++#######################################
++##
++## Manage create logins log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_create_lastlog',`
++ gen_require(`
++ type lastlog_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 lastlog_t:file create;
++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
++')
++
########################################
##
-## Execute pam programs in the pam domain.
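Review bot: The summary on the new `auth_create_lastlog` interface, `## Manage create logins log.`, does not say what is granted; the body allows only `create` on `lastlog_t` plus the named transition for "lastlog", so `## Create the lastlog file (/var/log/lastlog) with the lastlog_t type.` would describe it accurately. Because `auth_use_pam` (the hunk earlier in this section that adds `auth_create_lastlog($1)`) now calls it, every PAM-using domain receives this create permission; a one-line comment at that call naming the motivating case would let later readers judge the scope. The remaining body, `logging_search_logs($1)` and `logging_log_named_filetrans(...)`, is consistent with the `auth_rw_lastlog` interface directly above it.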
@@ -23688,7 +24205,7 @@ index 3efd5b6..5188076 100644
##
##
##
-@@ -834,12 +939,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +960,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -23719,7 +24236,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -854,15 +974,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +995,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -23738,7 +24255,7 @@ index 3efd5b6..5188076 100644
##
##
##
-@@ -875,13 +995,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1016,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -23776,7 +24293,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -959,9 +1099,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1120,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -23810,7 +24327,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1040,6 +1201,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1222,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -23821,7 +24338,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1176,6 +1341,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1362,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -23829,7 +24346,7 @@ index 3efd5b6..5188076 100644
')
#######################################
-@@ -1576,6 +1742,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1763,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -23855,7 +24372,7 @@ index 3efd5b6..5188076 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1911,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1932,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -23881,7 +24398,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1767,11 +1935,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1956,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -23898,7 +24415,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1805,3 +1975,219 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1996,219 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -24568,6 +25085,51 @@ index c5e05ca..c9ddbee 100644
+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
+index d475c2d..55305d5 100644
+--- a/policy/modules/system/clock.if
++++ b/policy/modules/system/clock.if
+@@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',`
+ allow $1 adjtime_t:file rw_file_perms;
+ files_list_etc($1)
+ ')
++
++########################################
++##
++## Manage clock drift adjustments.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clock_manage_adjtime',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ allow $1 adjtime_t:file manage_file_perms;
++ files_list_etc($1)
++')
++
++########################################
++##
++## Transition to systemd clock content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clock_filetrans_named_content',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
++')
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 3694bfe..7fcd27a 100644
--- a/policy/modules/system/clock.te
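Review bot: `clock_filetrans_named_content` carries a stray space before the closing parenthesis, `files_etc_filetrans($1, adjtime_t, file, "adjtime" )`, which no other call in this hunk has; drop it. Its summary `## Transition to systemd clock content` names the expected caller rather than the effect; `## Create /etc/adjtime with the adjtime_t type (named file transition).` states what the interface actually grants. Unlike `clock_manage_adjtime`, it does not call `files_list_etc($1)`; that is presumably fine because callers pair the two, as the systemd hunk later in this file does, but worth confirming.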
@@ -27607,19 +28169,20 @@ index dd3be8d..969bda2 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..626a689 100644
+index 662e79b..93aad6f 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,6 +1,8 @@
+@@ -1,13 +1,17 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+
- /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-@@ -8,6 +10,8 @@
+
/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
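Review bot: The new pattern `/etc/ipsec\.secrets.*` has an unescaped `.` after `secrets`, so besides `/etc/ipsec.secrets` it matches any regular file whose path begins with that prefix, including files under an `/etc/ipsec.secrets.d/` directory, while the `--` qualifier leaves such a directory itself unlabeled by this entry. If an include directory is the intent, the file's convention is a separate `/etc/ipsec\.secrets\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)` entry; if only suffixed copies (e.g. an `.rpmsave` file) are meant, `/etc/ipsec\.secrets(\..*)?` says so. A short comment above the line stating which files it is meant to cover would prevent the pattern being tightened or loosened by accident later.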
@@ -27641,11 +28204,80 @@ index 662e79b..626a689 100644
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+@@ -39,3 +45,5 @@
+
+ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
++/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..3375525 100644
+index 0d4c8d3..a89c4a2 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
-@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',`
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+ ')
+
++#######################################
++##
++## Allow to create OBJECT in /etc with ipsec_key_file_t.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_filetrans_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ files_etc_filetrans($1, ipsec_key_file_t, file)
++')
++
++#######################################
++##
++## Allow to manage ipsec key files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_manage_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++')
++
++########################################
++##
++## Read the ipsec_mgmt_var_run_t files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_mgmt_read_pid',`
++ gen_require(`
++ type ipsec_mgmt_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
++')
++
++
+ ########################################
+ ##
+ ## Connect to racoon using a unix domain stream socket.
+@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',`
##
##
#
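Review bot: `ipsec_filetrans_key_file` calls `files_etc_filetrans($1, ipsec_key_file_t, file)` with no name argument, so every regular file the caller creates directly in /etc is labeled `ipsec_key_file_t`, the type that the file contexts in this same hunk reserve for secrets. Since only `/etc/ipsec.secrets*` carries that label in ipsec.fc, a named transition such as `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")` would confine the label to the intended file and avoid mislabeling unrelated configuration the caller writes to /etc; if several names are needed, list them explicitly. The summary `## Allow to create OBJECT in /etc with ipsec_key_file_t.` still reads as a template placeholder and should name the file. Separately, the two new `/var/run/pluto/...` entries write `ipsec_mgmt_var_run_t, s0)` with a space after the comma, unlike every other `gen_context` in the file, and two blank lines precede the `Connect to racoon` comment block where one is the convention.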
@@ -27653,7 +28285,7 @@ index 0d4c8d3..3375525 100644
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',`
##
##
#
@@ -27661,7 +28293,7 @@ index 0d4c8d3..3375525 100644
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',`
##
##
#
@@ -27669,7 +28301,7 @@ index 0d4c8d3..3375525 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',`
allow $1 ipsec_mgmt_t:process sigkill;
')
@@ -27730,7 +28362,7 @@ index 0d4c8d3..3375525 100644
######################################
##
## Send and receive messages from
-@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@@ -27738,7 +28370,7 @@ index 0d4c8d3..3375525 100644
')
########################################
-@@ -369,3 +421,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -27766,7 +28398,7 @@ index 0d4c8d3..3375525 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..35992c7 100644
+index 9e54bf9..b6e9ebc 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -27849,20 +28481,30 @@ index 9e54bf9..35992c7 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,9 +197,9 @@ optional_policy(`
+@@ -187,10 +197,10 @@ optional_policy(`
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
+-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
- allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
++allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -246,6 +256,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
+@@ -210,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+ files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+
+ manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
++manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+ manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+
+ allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+@@ -246,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
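Review bot: `sys_ptrace` moves from the `dontaudit` line into the allowed capability set for `ipsec_mgmt_t` while `ptrace` is dropped from its `process` permissions in the same hunk, and nothing records why the capability is now needed. With no process-level ptrace remaining, the capability presumably serves reads of other domains' /proc entries (the `ps_process_pattern($1, ipsec_mgmt_t)` interface added to ipsec.if earlier in this section points the same way); a comment such as `# sys_ptrace: read /proc/<pid> of other domains (ps); process:ptrace is deliberately not granted` beside the allow line would capture that and keep the two lines from drifting apart. The added `connectto` on the domain's own `unix_stream_socket` likewise deserves a one-line note naming the socket it connects to.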
@@ -27879,7 +28521,7 @@ index 9e54bf9..35992c7 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +275,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -27888,7 +28530,7 @@ index 9e54bf9..35992c7 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -278,9 +300,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -27900,7 +28542,7 @@ index 9e54bf9..35992c7 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +313,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -27913,6 +28555,8 @@ index 9e54bf9..35992c7 100644
sysnet_etc_filetrans_config(ipsec_mgmt_t)
-userdom_use_user_terminals(ipsec_mgmt_t)
++systemd_exec_systemctl(ipsec_mgmt_t)
++
+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
+
+optional_policy(`
@@ -27922,7 +28566,7 @@ index 9e54bf9..35992c7 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +394,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -27942,7 +28586,7 @@ index 9e54bf9..35992c7 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +424,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -27955,7 +28599,7 @@ index 9e54bf9..35992c7 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +462,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -28055,7 +28699,7 @@ index c42fbc3..174cfdb 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..aa4d8fc 100644
+index 5dfa44b..022d91d 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -28137,7 +28781,7 @@ index 5dfa44b..aa4d8fc 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -28146,7 +28790,13 @@ index 5dfa44b..aa4d8fc 100644
')
optional_policy(`
-@@ -124,6 +128,7 @@ optional_policy(`
+ firstboot_use_fds(iptables_t)
+ firstboot_rw_pipes(iptables_t)
++ firewalld_dontaudit_write_tmp_files(iptables_t)
+ ')
+
+ optional_policy(`
+@@ -124,6 +129,7 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -28154,7 +28804,7 @@ index 5dfa44b..aa4d8fc 100644
')
optional_policy(`
-@@ -135,9 +140,9 @@ optional_policy(`
+@@ -135,9 +141,9 @@ optional_policy(`
')
optional_policy(`
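Review bot: `firewalld_dontaudit_write_tmp_files(iptables_t)` is inserted inside the `optional_policy` block that holds `firstboot_use_fds` and `firstboot_rw_pipes`, so it takes effect only when the firstboot module is present and, conversely, a missing firewalld module disables the firstboot rules too, because an `optional_policy` block is dropped as a whole when any interface in it cannot be resolved. Give it its own block: ``optional_policy(` `` / `	firewalld_dontaudit_write_tmp_files(iptables_t)` / `')`. The rest of this hunk only renumbers.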
@@ -29026,7 +29676,7 @@ index c04ac46..e06286c 100644
- nscd_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..286351e 100644
+index b50c5fe..2faaaf2 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,10 +2,13 @@
@@ -29070,7 +29720,7 @@ index b50c5fe..286351e 100644
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,13 +54,14 @@ ifdef(`distro_suse', `
+@@ -38,13 +54,13 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -29080,13 +29730,13 @@ index b50c5fe..286351e 100644
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
- /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -53,6 +70,7 @@ ifndef(`distro_gentoo',`
+@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',`
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -29094,7 +29744,7 @@ index b50c5fe..286351e 100644
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -65,11 +83,16 @@ ifdef(`distro_redhat',`
+@@ -65,11 +82,16 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -29113,7 +29763,7 @@ index b50c5fe..286351e 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..23894f4 100644
+index 4e94884..5481f47 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -29486,7 +30136,7 @@ index 4e94884..23894f4 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1085,3 +1323,29 @@ interface(`logging_admin',`
+@@ -1085,3 +1323,33 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -29506,6 +30156,7 @@ index 4e94884..23894f4 100644
+ type var_log_t;
+ type audit_spool_t;
+ type syslogd_var_run_t;
++ type syslog_conf_t;
+ ')
+
+ files_pid_filetrans($1, syslogd_var_run_t, dir, "log")
@@ -29514,6 +30165,9 @@ index 4e94884..23894f4 100644
+ files_spool_filetrans($1, audit_spool_t, dir, "audit")
+ files_var_filetrans($1, var_log_t, dir, "webmin")
+
++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
++
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
@@ -31361,7 +32015,7 @@ index 4584457..e432df3 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..117a29a 100644
+index 6a50270..ca097a7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -31670,7 +32324,7 @@ index 6a50270..117a29a 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +300,128 @@ optional_policy(`
+@@ -194,24 +300,129 @@ optional_policy(`
')
optional_policy(`
@@ -31725,6 +32379,7 @@ index 6a50270..117a29a 100644
-#
+optional_policy(`
+ ssh_exec(mount_t)
++ ssh_append_home_files(mount_t)
+')
+
+optional_policy(`
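Review bot: `ssh_append_home_files(mount_t)` is added to the ssh `optional_policy` block without a comment, and a mount program appending to files under a user's ~/.ssh is not self-explanatory; presumably this is for an sshfs mount updating known_hosts, but that is inferred. A why-comment such as `# sshfs: presumably appends to ~/.ssh/known_hosts — confirm` keeps the grant from looking like a stray permission in later audits, and if a single file is the target a narrower interface than append on all ssh home content would be preferable.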
@@ -33293,7 +33948,7 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..b44bb0c 100644
+index 346a7cc..42a48b6 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
@@ -33339,11 +33994,12 @@ index 346a7cc..b44bb0c 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -72,3 +87,5 @@ ifdef(`distro_redhat',`
+@@ -72,3 +87,6 @@ ifdef(`distro_redhat',`
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
+
++/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 6944526..ec17624 100644
@@ -33648,7 +34304,7 @@ index 6944526..ec17624 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..9a50b11 100644
+index b7686d5..fda9b8a 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -33676,9 +34332,14 @@ index b7686d5..9a50b11 100644
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -37,17 +46,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+@@ -36,18 +45,22 @@ type ifconfig_exec_t;
+ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
++type ifconfig_var_run_t;
++files_pid_file(ifconfig_var_run_t)
++files_mountpoint(ifconfig_var_run_t)
++
type net_conf_t alias resolv_conf_t;
-files_type(net_conf_t)
+files_config_file(net_conf_t)
@@ -33697,7 +34358,7 @@ index b7686d5..9a50b11 100644
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -60,8 +69,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -33709,7 +34370,7 @@ index b7686d5..9a50b11 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -70,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -70,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -33718,7 +34379,7 @@ index b7686d5..9a50b11 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -91,14 +105,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -33739,7 +34400,7 @@ index b7686d5..9a50b11 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,21 +121,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -33765,7 +34426,7 @@ index b7686d5..9a50b11 100644
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
-@@ -132,11 +147,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -33782,7 +34443,7 @@ index b7686d5..9a50b11 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -156,7 +175,14 @@ ifdef(`distro_ubuntu',`
+@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -33798,7 +34459,7 @@ index b7686d5..9a50b11 100644
')
optional_policy(`
-@@ -174,10 +200,6 @@ optional_policy(`
+@@ -174,10 +204,6 @@ optional_policy(`
')
optional_policy(`
@@ -33809,7 +34470,7 @@ index b7686d5..9a50b11 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -190,23 +212,35 @@ optional_policy(`
+@@ -190,23 +216,36 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -33824,6 +34485,7 @@ index b7686d5..9a50b11 100644
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_manage_lib(dhcpc_t)
++ networkmanager_stream_connect(dhcpc_t)
+')
+
+optional_policy(`
@@ -33845,7 +34507,7 @@ index b7686d5..9a50b11 100644
')
optional_policy(`
-@@ -216,7 +250,11 @@ optional_policy(`
+@@ -216,7 +255,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -33858,7 +34520,7 @@ index b7686d5..9a50b11 100644
')
optional_policy(`
-@@ -259,6 +297,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +302,20 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -33866,12 +34528,34 @@ index b7686d5..9a50b11 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -277,11 +316,20 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+ allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+ allow ifconfig_t self:tcp_socket { create ioctl };
+
++can_exec(ifconfig_t, ifconfig_exec_t)
++
++manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
++allow ifconfig_t ifconfig_var_run_t:file mounton;
++
+ kernel_use_fds(ifconfig_t)
+ kernel_read_system_state(ifconfig_t)
+ kernel_read_network_state(ifconfig_t)
+@@ -274,14 +325,29 @@ kernel_rw_net_sysctls(ifconfig_t)
+
+ corenet_rw_tun_tap_dev(ifconfig_t)
+
++corecmd_exec_bin(ifconfig_t)
++corecmd_exec_shell(ifconfig_t)
++
dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)
+# needed by tuned
+dev_rw_netcontrol(ifconfig_t)
++dev_mounton_sysfs(ifconfig_t)
++dev_mount_sysfs_fs(ifconfig_t)
++dev_unmount_sysfs_fs(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
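Review bot: The three new sysfs lines `dev_mounton_sysfs(ifconfig_t)`, `dev_mount_sysfs_fs(ifconfig_t)` and `dev_unmount_sysfs_fs(ifconfig_t)` are appended directly beneath `# needed by tuned` / `dev_rw_netcontrol(ifconfig_t)`, so the existing comment now reads as explaining them as well. Together with `allow ifconfig_t ifconfig_var_run_t:file mounton;` and the `/var/run/netns` file context added earlier in this section they presumably support `ip netns`, which bind-mounts namespace handles and mounts a per-namespace sysfs; separate them with a blank line and their own comment, e.g. `# ip netns: mount per-namespace sysfs and bind-mount netns handles under /var/run/netns — confirm`. `can_exec(ifconfig_t, ifconfig_exec_t)` and the new `corecmd_exec_bin`/`corecmd_exec_shell` grants likewise lack a note on which invocation needs them.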
@@ -33887,7 +34571,7 @@ index b7686d5..9a50b11 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +342,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +360,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -33915,7 +34599,7 @@ index b7686d5..9a50b11 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -318,7 +366,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +384,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -33938,17 +34622,21 @@ index b7686d5..9a50b11 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +392,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +410,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
- hal_dontaudit_rw_pipes(ifconfig_t)
- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
++ dnsmasq_domtrans(ifconfig_t)
++')
++
++optional_policy(`
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
')
optional_policy(`
-@@ -339,7 +401,11 @@ optional_policy(`
+@@ -339,7 +423,11 @@ optional_policy(`
')
optional_policy(`
@@ -33961,7 +34649,7 @@ index b7686d5..9a50b11 100644
')
optional_policy(`
-@@ -360,3 +426,9 @@ optional_policy(`
+@@ -360,3 +448,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -35222,10 +35910,10 @@ index 0000000..2e5b822
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..3916463
+index 0000000..35c1a7d
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,644 @@
+@@ -0,0 +1,645 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -35790,7 +36478,8 @@ index 0000000..3916463
+')
+
+optional_policy(`
-+ clock_read_adjtime(systemd_timedated_t)
++ clock_manage_adjtime(systemd_timedated_t)
++ clock_filetrans_named_content(systemd_timedated_t)
+ clock_domtrans(systemd_timedated_t)
+')
+
@@ -37242,7 +37931,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..e27d755 100644
+index 3c5dba7..08ce1e5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39909,7 +40598,7 @@ index 3c5dba7..e27d755 100644
## Create keys for all user domains.
##
##
-@@ -3438,4 +4197,1415 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1455 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -40274,6 +40963,46 @@ index 3c5dba7..e27d755 100644
+
+')
+
++######################################
++##
++## Manage all dirs in the homedir
++##
++##
++##
++## The user domain
++##
++##
++#
++interface(`userdom_manage_all_user_home_type_dirs',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++')
++
++######################################
++##
++## Manage all files in the homedir
++##
++##
++##
++## The user domain
++##
++##
++#
++interface(`userdom_manage_all_user_home_type_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++')
+
+########################################
+##
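Review bot: Both new interfaces grant full manage rights over every type carrying the `user_home_type` attribute, and their descriptions ("Manage all dirs/files in the homedir") do not say that this reaches credential-bearing home content (the ssh and gpg home types, if they are `user_home_type` in this policy as in refpolicy), so a domain given either interface can read or replace a user's keys. The summary should state that explicitly and point callers at the narrower `userdom_manage_user_home_content_*` interfaces where those suffice. Also `user_home_t` is listed in both `gen_require` blocks but never used; trim them to `type user_home_dir_t;` plus the attribute.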
@@ -41326,7 +42055,7 @@ index 3c5dba7..e27d755 100644
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..77626dd 100644
+index e2b538b..211263f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -41414,7 +42143,7 @@ index e2b538b..77626dd 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +82,222 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -41482,6 +42211,10 @@ index e2b538b..77626dd 100644
+')
+
+optional_policy(`
++ gssproxy_stream_connect(userdomain)
++')
++
++optional_policy(`
+ gnome_filetrans_home_content(userdomain)
+')
+
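Review bot: `gssproxy_stream_connect(userdomain)` is the only rule in this optional block and applies to every user domain unconditionally, with no comment saying why. Presumably the GSSAPI interposer needs to reach the gssproxy socket from ordinary user processes; if so, say it, e.g. `# libgssapi interposer talks to gssproxy's unix socket from any user process`, so the attribute-wide grant is not mistaken for an oversight.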
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 17919d9..f091d89 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..94697ea 100644
+index e4f84de..4e4cbd4 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,38 @@
+@@ -1,30 +1,40 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -15,11 +15,13 @@ index e4f84de..94697ea 100644
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
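Review bot: `/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)` is an open-ended pattern on the entrypoint type of the daemon domain, so any present or future regular file whose name starts with abrt-harvest will run as abrt_t with the daemon's full capability set (to which this same commit adds `sys_ptrace`). The harvest helpers appear to be small periodic tools rather than abrtd itself; list them by name, or give them an entrypoint into a less privileged domain such as the one `abrt-dump-oops` already uses, unless they genuinely need abrtd's privileges. The `/usr/bin/abrt-uefioops-oops` line mapping to `abrt_dump_oops_exec_t` is narrower and looks fine.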
@@ -516,7 +518,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..563c773 100644
+index cc43d25..5e60ff3 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -525,7 +527,7 @@ index cc43d25..563c773 100644
########################################
#
-@@ -6,105 +6,115 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4)
#
##
@@ -585,6 +587,7 @@ index cc43d25..563c773 100644
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
++userdom_user_tmp_content(abrt_var_cache_t)
+# pid files
type abrt_var_run_t;
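Review bot: `userdom_user_tmp_content(abrt_var_cache_t)` adds the crash-dump cache type to the user tmp attribute; if user domains are granted manage rights over that attribute in this policy (as the userdom templates commonly do), unprivileged users could list, read or delete other users' crash directories and cores, leaving only DAC between them. If the goal is only for abrt to create per-user content under /tmp with this label, the existing `files_tmp_file` plus explicit filetrans rules would achieve that without widening the attribute; at minimum add a comment stating which user-domain access is intended, e.g. `# user domains must be able to <access> their own abrt dump dirs under /tmp`.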
@@ -664,7 +667,8 @@ index cc43d25..563c773 100644
+# abrt local policy
#
- allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
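Review bot: The new `sys_ptrace` in abrt_t's capability set is effectively root-equivalent (it allows attaching to and reading the memory of arbitrary processes) and nothing in the hunk explains what denial prompted it. If it is only triggered by abrt reading /proc/<pid> entries of other users' crashing processes, check whether the access that fails actually needs the capability or whether `dontaudit abrt_t self:capability sys_ptrace;` (the approach already taken for `sys_rawio` on the next line) is enough to silence the log without granting it. Either way the allow line deserves a why-comment, e.g. `# sys_ptrace: abrt reads /proc/<pid>/ of crashing processes owned by other users` if that is the reason.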
@@ -684,7 +688,7 @@ index cc43d25..563c773 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -112,23 +122,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -713,7 +717,7 @@ index cc43d25..563c773 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -732,7 +736,7 @@ index cc43d25..563c773 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -745,6 +749,7 @@ index cc43d25..563c773 100644
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)
files_list_mnt(abrt_t)
++fs_list_all(abrt_t)
+fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
@@ -772,7 +777,7 @@ index cc43d25..563c773 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -789,7 +794,7 @@ index cc43d25..563c773 100644
')
optional_policy(`
-@@ -209,6 +222,12 @@ optional_policy(`
+@@ -209,6 +224,12 @@ optional_policy(`
')
optional_policy(`
@@ -802,7 +807,7 @@ index cc43d25..563c773 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +239,7 @@ optional_policy(`
+@@ -220,6 +241,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -810,7 +815,7 @@ index cc43d25..563c773 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +250,7 @@ optional_policy(`
+@@ -230,6 +252,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -818,7 +823,7 @@ index cc43d25..563c773 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +261,17 @@ optional_policy(`
+@@ -240,9 +263,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -837,7 +842,7 @@ index cc43d25..563c773 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +284,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -852,7 +857,7 @@ index cc43d25..563c773 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +303,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -860,7 +865,7 @@ index cc43d25..563c773 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +312,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -881,7 +886,7 @@ index cc43d25..563c773 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +333,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -908,7 +913,7 @@ index cc43d25..563c773 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +369,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -922,7 +927,7 @@ index cc43d25..563c773 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +385,11 @@ optional_policy(`
+@@ -330,10 +387,11 @@ optional_policy(`
#######################################
#
@@ -936,7 +941,7 @@ index cc43d25..563c773 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -978,8 +983,10 @@ index cc43d25..563c773 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+ domain_use_interactive_fds(abrt_dump_oops_t)
+
fs_list_inotifyfs(abrt_dump_oops_t)
++fs_list_pstorefs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
@@ -996,7 +1003,7 @@ index cc43d25..563c773 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1877,10 +1884,23 @@ index cda6d20..fbe259e 100644
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.te b/amanda.te
-index ed45974..b09436e 100644
+index ed45974..46e2c0d 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -60,7 +60,7 @@ optional_policy(`
+@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles;
+ roleattribute system_r amanda_recover_roles;
+
+ type amanda_t;
++type amanda_exec_t;
+ type amanda_inetd_exec_t;
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+
+-type amanda_exec_t;
+-domain_entry_file(amanda_t, amanda_exec_t)
+
+ type amanda_log_t;
+ logging_log_file(amanda_log_t)
+@@ -60,7 +59,7 @@ optional_policy(`
#
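Review bot: After this hunk `amanda_exec_t` is still declared, but the `domain_entry_file(amanda_t, amanda_exec_t)` that made it an entrypoint (and gave it the file-type attribute) is removed with no replacement visible, so executing a file labelled amanda_exec_t no longer transitions into amanda_t and, unless the type gets `files_type` or equivalent elsewhere, it is no longer even a recognised file type. If `inetd_service_domain` is meant to be the only way into amanda_t now, drop the unused type and its .fc entries; otherwise restore an entrypoint, e.g. `application_domain(amanda_t, amanda_exec_t)`. The inner hunk shows only the type declarations, so the rest of amanda.te is out of view.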
allow amanda_t self:capability { chown dac_override setuid kill };
@@ -1889,7 +1909,7 @@ index ed45974..b09436e 100644
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -1897,7 +1917,7 @@ index ed45974..b09436e 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,7 +101,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -1905,7 +1925,7 @@ index ed45974..b09436e 100644
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
-@@ -170,7 +170,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -1913,7 +1933,7 @@ index ed45974..b09436e 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +194,12 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -2507,10 +2527,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..b334e9a
+index 0000000..1a35e88
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,248 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2683,8 +2703,11 @@ index 0000000..b334e9a
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
++ files_dontaudit_read_all_non_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
++ dev_getattr_all_blk_files(antivirus_domain)
++ dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
@@ -4452,7 +4475,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..cb872c5 100644
+index 1a82e29..3a12c26 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,360 @@
@@ -4633,18 +4656,12 @@ index 1a82e29..cb872c5 100644
-##
-## Determine whether httpd can send mail.
-##
-+##
-+## Allow http daemon to check spam
-+##
-+##
-+gen_tunable(httpd_can_check_spam, false)
-+
-+##
-+##
-+## Allow http daemon to send mail
-+##
++##
++## Allow http daemon to connect to mythtv
++##
##
- gen_tunable(httpd_can_sendmail, false)
+-gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_can_connect_mythtv, false)
##
-##
@@ -4652,20 +4669,22 @@ index 1a82e29..cb872c5 100644
-## with avahi service via dbus.
-##
+##
-+## Allow Apache to communicate with avahi service via dbus
++## Allow http daemon to check spam
+##
##
- gen_tunable(httpd_dbus_avahi, false)
+-gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_can_check_spam, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
-+## Allow httpd cgi support
++## Allow http daemon to send mail
+##
##
- gen_tunable(httpd_enable_cgi, false)
+-gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_can_sendmail, false)
##
-##
@@ -4673,11 +4692,11 @@ index 1a82e29..cb872c5 100644
-## FTP server by listening on the ftp port.
-##
+##
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow Apache to communicate with avahi service via dbus
+##
##
- gen_tunable(httpd_enable_ftp_server, false)
+-gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_dbus_avahi, false)
##
-##
@@ -4685,12 +4704,11 @@ index 1a82e29..cb872c5 100644
-## user home directories.
-##
+##
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd cgi support
+##
##
-gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_enable_cgi, false)
##
-##
@@ -4699,12 +4717,13 @@ index 1a82e29..cb872c5 100644
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
-+##
-+## Allow httpd to connect to the ldap port
-+##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
##
-gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_enable_ftp_server, false)
##
-##
@@ -4712,23 +4731,24 @@ index 1a82e29..cb872c5 100644
-## its temporary content.
-##
+##
-+## Allow httpd to read home directories
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-##
-+##
-+## Allow httpd to read user content
-+##
++##
++## Allow httpd to connect to the ldap port
++##
##
-gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_can_connect_ldap, false)
##
-##
@@ -4736,11 +4756,11 @@ index 1a82e29..cb872c5 100644
-## to port 80 for graceful shutdown.
-##
+##
-+## Allow Apache to run in stickshift mode, not transition to passenger
++## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_run_stickshift, false)
++gen_tunable(httpd_enable_homedirs, false)
##
-##
@@ -4748,22 +4768,22 @@ index 1a82e29..cb872c5 100644
-## manage IPA content files.
-##
+##
-+## Allow Apache to query NS records
++## Allow httpd to read user content
+##
##
-gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_verify_dns, false)
++gen_tunable(httpd_read_user_content, false)
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
-+## Allow httpd daemon to change its resource limits
++## Allow Apache to run in stickshift mode, not transition to passenger
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_setrlimit, false)
++gen_tunable(httpd_run_stickshift, false)
##
-##
@@ -4771,11 +4791,11 @@ index 1a82e29..cb872c5 100644
-## generic user home content files.
-##
+##
-+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++## Allow Apache to query NS records
+##
##
-gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_ssi_exec, false)
++gen_tunable(httpd_verify_dns, false)
##
-##
@@ -4783,11 +4803,10 @@ index 1a82e29..cb872c5 100644
-## its resource limits.
-##
+##
-+## Allow Apache to execute tmp content.
++## Allow httpd daemon to change its resource limits
+##
##
--gen_tunable(httpd_setrlimit, false)
-+gen_tunable(httpd_tmp_exec, false)
+ gen_tunable(httpd_setrlimit, false)
##
-##
@@ -4796,13 +4815,10 @@ index 1a82e29..cb872c5 100644
-## as system CGI scripts.
-##
+##
-+## Unify HTTPD to communicate with the terminal.
-+## Needed for entering the passphrase for certificates at
-+## the terminal.
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##
##
--gen_tunable(httpd_ssi_exec, false)
-+gen_tunable(httpd_tty_comm, false)
+ gen_tunable(httpd_ssi_exec, false)
##
-##
@@ -4811,11 +4827,19 @@ index 1a82e29..cb872c5 100644
-## passphrase for certificates at the terminal.
-##
+##
-+## Unify HTTPD handling of all content files.
++## Allow Apache to execute tmp content.
++##
++##
++gen_tunable(httpd_tmp_exec, false)
++
++##
++##
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
+##
##
--gen_tunable(httpd_tty_comm, false)
-+gen_tunable(httpd_unified, false)
+ gen_tunable(httpd_tty_comm, false)
##
-##
@@ -4823,11 +4847,10 @@ index 1a82e29..cb872c5 100644
-## to its content types.
-##
+##
-+## Allow httpd to access openstack ports
++## Unify HTTPD handling of all content files.
+##
##
--gen_tunable(httpd_unified, false)
-+gen_tunable(httpd_use_openstack, false)
+ gen_tunable(httpd_unified, false)
##
-##
@@ -4835,6 +4858,13 @@ index 1a82e29..cb872c5 100644
-## cifs file systems.
-##
+##
++## Allow httpd to access openstack ports
++##
++##
++gen_tunable(httpd_use_openstack, false)
++
++##
++##
+## Allow httpd to access cifs file systems
+##
##
@@ -4877,13 +4907,6 @@ index 1a82e29..cb872c5 100644
+##
+gen_tunable(httpd_sys_script_anon_write, false)
+
-+##
-+##
-+## Allow httpd to communicate with oddjob to start up a service
-+##
-+##
-+gen_tunable(httpd_use_oddjob, false)
-+
attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
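Review bot: This hunk drops the `gen_tunable(httpd_use_oddjob, false)` declaration and its description; any remaining `tunable_policy(\`httpd_use_oddjob', ...)` block in apache.te (none is visible here) would now fail to build, and administrators who set that boolean lose it silently. If the oddjob rules were moved or removed elsewhere in this commit, say so in the commit message; otherwise keep the declaration.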
@@ -5361,7 +5384,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +710,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +710,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5395,6 +5418,10 @@ index 1a82e29..cb872c5 100644
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
++tunable_policy(`httpd_can_connect_mythtv',`
++ corenet_tcp_connect_mythtv_port(httpd_t)
++')
++
+tunable_policy(`httpd_can_connect_zabbix',`
+ corenet_tcp_connect_zabbix_port(httpd_t)
')
@@ -5417,7 +5444,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +758,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +762,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5463,18 +5490,18 @@ index 1a82e29..cb872c5 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+- spamassassin_domtrans_client(httpd_t)
+- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
--optional_policy(`
-- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-- spamassassin_domtrans_client(httpd_t)
-- ')
--')
--
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
@@ -5502,7 +5529,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +799,38 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +803,42 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5523,10 +5550,8 @@ index 1a82e29..cb872c5 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
+-')
+-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
@@ -5536,33 +5561,38 @@ index 1a82e29..cb872c5 100644
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
--
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
--')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_nfs_dirs(httpd_t)
-- fs_manage_nfs_files(httpd_t)
-- fs_manage_nfs_symlinks(httpd_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
+-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
+ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
+
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_nfs_dirs(httpd_t)
+- fs_manage_nfs_files(httpd_t)
+- fs_manage_nfs_symlinks(httpd_t)
++ tunable_policy(`httpd_can_network_connect_cobbler',`
++ corenet_tcp_connect_cobbler_port(httpd_t)
++ ')
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -5576,7 +5606,7 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
-@@ -743,14 +841,6 @@ optional_policy(`
+@@ -743,14 +849,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5591,7 +5621,7 @@ index 1a82e29..cb872c5 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +855,23 @@ optional_policy(`
+@@ -765,6 +863,23 @@ optional_policy(`
')
optional_policy(`
@@ -5615,7 +5645,7 @@ index 1a82e29..cb872c5 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +888,42 @@ optional_policy(`
+@@ -781,34 +896,42 @@ optional_policy(`
')
optional_policy(`
@@ -5669,7 +5699,7 @@ index 1a82e29..cb872c5 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +931,18 @@ optional_policy(`
+@@ -816,8 +939,18 @@ optional_policy(`
')
optional_policy(`
@@ -5688,7 +5718,7 @@ index 1a82e29..cb872c5 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +951,7 @@ optional_policy(`
+@@ -826,6 +959,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5696,7 +5726,7 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
-@@ -836,20 +962,38 @@ optional_policy(`
+@@ -836,20 +970,38 @@ optional_policy(`
')
optional_policy(`
@@ -5741,7 +5771,7 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
-@@ -857,6 +1001,16 @@ optional_policy(`
+@@ -857,6 +1009,16 @@ optional_policy(`
')
optional_policy(`
@@ -5758,7 +5788,7 @@ index 1a82e29..cb872c5 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,6 +1019,7 @@ optional_policy(`
+@@ -865,6 +1027,7 @@ optional_policy(`
')
optional_policy(`
@@ -5766,7 +5796,7 @@ index 1a82e29..cb872c5 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -877,65 +1032,166 @@ optional_policy(`
+@@ -877,65 +1040,166 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5955,7 +5985,7 @@ index 1a82e29..cb872c5 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1200,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1208,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6110,7 +6140,7 @@ index 1a82e29..cb872c5 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1284,104 @@ optional_policy(`
+@@ -1077,172 +1292,104 @@ optional_policy(`
')
')
@@ -6130,10 +6160,10 @@ index 1a82e29..cb872c5 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
+-
+-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+allow httpd_sys_script_t self:process getsched;
--allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
@@ -6291,7 +6321,8 @@ index 1a82e29..cb872c5 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -6307,8 +6338,7 @@ index 1a82e29..cb872c5 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6346,7 +6376,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1389,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1397,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6369,10 +6399,6 @@ index 1a82e29..cb872c5 100644
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
- fs_read_fusefs_symlinks(httpd_sys_script_t)
--')
--
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
@@ -6380,25 +6406,26 @@ index 1a82e29..cb872c5 100644
+ fs_exec_fusefs_files(httpd_suexec_t)
')
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_sys_script_t)
-- fs_manage_nfs_dirs(httpd_sys_script_t)
-- fs_manage_nfs_files(httpd_sys_script_t)
-- fs_manage_nfs_symlinks(httpd_sys_script_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_sys_script_t)
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+- fs_manage_nfs_dirs(httpd_sys_script_t)
+- fs_manage_nfs_files(httpd_sys_script_t)
+- fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
- optional_policy(`
-- clamav_domtrans_clamscan(httpd_sys_script_t)
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_sys_script_t)
++optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
@@ -6409,14 +6436,20 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
+- clamav_domtrans_clamscan(httpd_sys_script_t)
+ postgresql_stream_connect(httpd_sys_script_t)
- postgresql_unpriv_client(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
+ optional_policy(`
+- postgresql_unpriv_client(httpd_sys_script_t)
++ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
+ ')
+
########################################
#
-# Rotatelogs local policy
@@ -6440,7 +6473,7 @@ index 1a82e29..cb872c5 100644
########################################
#
-@@ -1315,8 +1460,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1472,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6457,7 +6490,7 @@ index 1a82e29..cb872c5 100644
')
########################################
-@@ -1324,49 +1476,36 @@ optional_policy(`
+@@ -1324,49 +1488,36 @@ optional_policy(`
# User content local policy
#
@@ -6521,7 +6554,7 @@ index 1a82e29..cb872c5 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1515,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1527,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -10356,10 +10389,10 @@ index 0000000..5977d96
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..41d3959
+index 0000000..f4a8884
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,237 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -10393,6 +10426,7 @@ index 0000000..41d3959
+#
+# chrome_sandbox local policy
+#
++allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
@@ -10429,20 +10463,35 @@ index 0000000..41d3959
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
++corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
++corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
++corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
-+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
-+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
-+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_ftp_port(chrome_sandbox_t)
++corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
++corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_ipp_port(chrome_sandbox_t)
++corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
++corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
++corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
++corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
++corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
++corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
++corenet_tcp_connect_soundd_port(chrome_sandbox_t)
++corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
++corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
++corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
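Review bot: The new port grants for chrome_sandbox_t are unconditional, and once `corenet_tcp_connect_all_ephemeral_ports` and `corenet_tcp_connect_generic_port` are in the list, the individually named ports (aol, couchdb, jboss_management, monopd, transproxy, vnc, ...) mostly widen the sandbox's egress surface without a stated reason. If each line answers a specific denial, a one-line comment above the block naming the use case, e.g. `# outbound ports reached by web content/plugins; add a reason when extending`, would let a later reviewer prune it; otherwise the broad set could sit behind a `tunable_policy` boolean, the pattern this patch uses for httpd's database access (`httpd_can_network_connect_db`). The chrome_sandbox_t rule block begins before this hunk, so the comment would sit on the first new line here.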
@@ -10551,6 +10600,7 @@ index 0000000..41d3959
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
@@ -10763,7 +10813,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..bd3362e 100644
+index 914ee2d..6567c77 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -10776,16 +10826,34 @@ index 914ee2d..bd3362e 100644
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
-@@ -35,6 +38,8 @@ files_pid_file(chronyd_var_run_t)
- allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t)
+ # Local policy
+ #
+
+-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time };
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
++
++allow chronyd_t chronyd_keys_t:file append_file_perms;
++allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
-@@ -82,12 +87,8 @@ auth_use_nsswitch(chronyd_t)
+
+ manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+
++dev_read_rand(chronyd_t)
++dev_read_urand(chronyd_t)
++
+ dev_rw_realtime_clock(chronyd_t)
+
+ auth_use_nsswitch(chronyd_t)
logging_send_syslog_msg(chronyd_t)
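Review bot: The two added rules `allow chronyd_t chronyd_keys_t:file append_file_perms;` and `setattr_file_perms` turn the daemon's key file from read-only into something chronyd_t itself can extend and re-mode, and nothing in the hunk says which operation needs that. A why-comment on the new lines, e.g. `# chronyd updates its own key file (presumably key generation) -- confirm`, would make the grant auditable, and keeping the read/append/setattr rules for chronyd_keys_t adjacent as they are here is good. The added `dev_read_rand`/`dev_read_urand` lines need no comment.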
@@ -11601,16 +11669,26 @@ index cc4e7cb..f348d27 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
-index d8e9958..0046a69 100644
+index d8e9958..d2303a4 100644
--- a/cmirrord.te
+++ b/cmirrord.te
-@@ -42,16 +42,12 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
+ # Local policy
+ #
+
+-allow cmirrord_t self:capability { net_admin kill };
++allow cmirrord_t self:capability { sys_admin net_admin kill };
+ dontaudit cmirrord_t self:capability sys_tty_config;
+ allow cmirrord_t self:process { setfscreate signal };
+ allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
++storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
@@ -11621,6 +11699,10 @@ index d8e9958..0046a69 100644
optional_policy(`
corosync_stream_connect(cmirrord_t)
')
++
++optional_policy(`
++ rhcs_rw_cluster_tmpfs(cmirrord_t)
++')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208..2b650a7 100644
--- a/cobbler.fc
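Review bot: `sys_admin` is added to cmirrord_t's capability set with no comment, and it is by far the broadest capability on that line; a reader cannot tell whether it is tied to the `storage_rw_inherited_fixed_disk_dev` or `rhcs_rw_cluster_tmpfs` grants added in the same change or to something else. Add a why-comment on the changed line, e.g. `# sys_admin: TODO name the syscall/operation that required it`, so the grant can be revisited. The local policy block of cmirrord.te continues outside this hunk.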
@@ -11634,7 +11716,7 @@ index 973d208..2b650a7 100644
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
-index c223f81..83d5104 100644
+index c223f81..3bcdf6a 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
@@ -11666,15 +11748,24 @@ index c223f81..83d5104 100644
########################################
##
## Read cobbler configuration files.
-@@ -132,6 +154,7 @@ interface(`cobbler_manage_lib_files',`
+@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ ')
+
+ ########################################
+@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
-@@ -199,7 +222,4 @@ interface(`cobbler_admin',`
+@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
@@ -12082,7 +12173,7 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 09f18e2..f0cade4 100644
+index 09f18e2..9d70983 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -12133,8 +12224,9 @@ index 09f18e2..f0cade4 100644
files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
- fs_getattr_noxattr_fs(colord_t)
+-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
++fs_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
@@ -16055,10 +16147,10 @@ index 6ce66e7..1d0337a 100644
optional_policy(`
diff --git a/cups.fc b/cups.fc
-index 949011e..0332f88 100644
+index 949011e..afe482b 100644
--- a/cups.fc
+++ b/cups.fc
-@@ -1,77 +1,86 @@
+@@ -1,77 +1,87 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
@@ -16131,6 +16223,7 @@ index 949011e..0332f88 100644
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
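Review bot: Labeling /usr/sbin/cups-browsed as cupsd_exec_t places the browsing daemon in cupsd_t, so it inherits everything cupsd_t is granted elsewhere in this patch (for example `corenet_tcp_connect_all_ports(cupsd_t)` and cupsd's capability set) although it only discovers remote printers. If a dedicated domain is out of scope, a comment on the new line stating that this is a deliberate domain-sharing choice, e.g. `# cups-browsed shares cupsd_t; no dedicated domain yet`, would keep it from reading as an oversight.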
@@ -16343,7 +16436,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..52c170f 100644
+index 9f34c2e..c7268a7 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16431,7 +16524,7 @@ index 9f34c2e..52c170f 100644
type ptal_t;
type ptal_exec_t;
-@@ -97,21 +94,48 @@ ifdef(`enable_mls',`
+@@ -97,21 +94,49 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
@@ -16444,6 +16537,7 @@ index 9f34c2e..52c170f 100644
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
++allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
@@ -16484,7 +16578,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,6 +144,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -16492,7 +16586,7 @@ index 9f34c2e..52c170f 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -139,22 +164,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -16520,7 +16614,7 @@ index 9f34c2e..52c170f 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +188,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@@ -16532,7 +16626,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +213,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -16557,7 +16651,7 @@ index 9f34c2e..52c170f 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
-@@ -206,7 +238,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@@ -16565,7 +16659,7 @@ index 9f34c2e..52c170f 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -16585,7 +16679,7 @@ index 9f34c2e..52c170f 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -16594,7 +16688,7 @@ index 9f34c2e..52c170f 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -16620,7 +16714,7 @@ index 9f34c2e..52c170f 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +308,8 @@ optional_policy(`
+@@ -275,6 +309,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -16629,7 +16723,7 @@ index 9f34c2e..52c170f 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +320,10 @@ optional_policy(`
+@@ -285,8 +321,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16640,7 +16734,7 @@ index 9f34c2e..52c170f 100644
')
')
-@@ -299,8 +336,8 @@ optional_policy(`
+@@ -299,8 +337,8 @@ optional_policy(`
')
optional_policy(`
@@ -16650,7 +16744,7 @@ index 9f34c2e..52c170f 100644
')
optional_policy(`
-@@ -309,7 +346,6 @@ optional_policy(`
+@@ -309,7 +347,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -16658,16 +16752,20 @@ index 9f34c2e..52c170f 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +373,7 @@ optional_policy(`
+@@ -337,7 +374,11 @@ optional_policy(`
')
optional_policy(`
- virt_rw_all_image_chr_files(cupsd_t)
+ virt_rw_chr_files(cupsd_t)
++')
++
++optional_policy(`
++ vmware_read_system_config(cupsd_t)
')
########################################
-@@ -345,12 +381,11 @@ optional_policy(`
+@@ -345,12 +386,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -16683,7 +16781,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +410,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16704,7 +16802,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +428,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16725,7 +16823,7 @@ index 9f34c2e..52c170f 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +445,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16737,7 +16835,7 @@ index 9f34c2e..52c170f 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +472,12 @@ optional_policy(`
+@@ -452,9 +477,12 @@ optional_policy(`
')
optional_policy(`
@@ -16751,7 +16849,7 @@ index 9f34c2e..52c170f 100644
')
optional_policy(`
-@@ -490,10 +513,6 @@ optional_policy(`
+@@ -490,10 +518,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16762,7 +16860,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +530,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16795,7 +16893,7 @@ index 9f34c2e..52c170f 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +556,6 @@ optional_policy(`
+@@ -546,7 +561,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16803,7 +16901,7 @@ index 9f34c2e..52c170f 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +571,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -16955,7 +17053,7 @@ index 9f34c2e..52c170f 100644
########################################
#
-@@ -731,7 +615,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16963,7 +17061,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +624,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -16977,7 +17075,7 @@ index 9f34c2e..52c170f 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +636,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -16986,6 +17084,11 @@ index 9f34c2e..52c170f 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+@@ -769,3 +653,4 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ptal_t)
+ ')
++
diff --git a/cvs.if b/cvs.if
index 9fa7ffb..fd3262c 100644
--- a/cvs.if
@@ -17158,7 +17261,7 @@ index 6508280..a2860e3 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index 395f97c..e157463 100644
+index 395f97c..bf8db3c 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -17216,14 +17319,17 @@ index 395f97c..e157463 100644
kerberos_keytab_template(cyrus, cyrus_t)
')
-@@ -128,6 +131,7 @@ optional_policy(`
+@@ -128,8 +131,8 @@ optional_policy(`
')
optional_policy(`
+- snmp_read_snmp_var_lib_files(cyrus_t)
+- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ files_dontaudit_write_usr_dirs(cyrus_t)
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
++ snmp_manage_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
+ ')
+
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0..6c8106a 100644
--- a/daemontools.if
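Review bot: Replacing `snmp_read_snmp_var_lib_files(cyrus_t)` plus a dontaudit on writes with `snmp_manage_var_lib_files(cyrus_t)` moves cyrus from reading SNMP's var lib files to creating, writing and deleting them, which is a larger grant than the removed dontaudit suggests was actually being hit. A comment naming the reason, e.g. `# cyrus registers as an SNMP subagent and writes under snmp's var lib -- confirm`, would justify it, and a narrower read/write interface, if snmp.if provides one, would be preferable to manage.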
@@ -19064,7 +19170,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..fc9d3f4 100644
+index ff933af..101bc81 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -19104,7 +19210,7 @@ index ff933af..fc9d3f4 100644
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
@@ -20570,7 +20676,7 @@ index 19aa0b8..b303b37 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..07bcb8e 100644
+index ba14bcf..869bba7 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -20594,16 +20700,19 @@ index ba14bcf..07bcb8e 100644
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -88,8 +93,6 @@ auth_use_nsswitch(dnsmasq_t)
+@@ -86,9 +91,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
- logging_send_syslog_msg(dnsmasq_t)
+ auth_use_nsswitch(dnsmasq_t)
+
+-logging_send_syslog_msg(dnsmasq_t)
++libs_exec_ldconfig(dnsmasq_t)
-miscfiles_read_localization(dnsmasq_t)
--
++logging_send_syslog_msg(dnsmasq_t)
+
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-
-@@ -98,12 +101,21 @@ optional_policy(`
+@@ -98,12 +103,21 @@ optional_policy(`
')
optional_policy(`
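Review bot: `libs_exec_ldconfig(dnsmasq_t)` is an unusual grant for a DNS/DHCP daemon and the hunk gives no hint which code path runs ldconfig; executing ldconfig from the daemon domain is also something a defender would want to see explained in the policy. Add a why-comment on the new line, e.g. `# TODO: document the dnsmasq code path (helper/script?) that execs ldconfig`, or drop the grant if it was only a transient denial.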
@@ -20626,7 +20735,7 @@ index ba14bcf..07bcb8e 100644
')
optional_policy(`
-@@ -124,6 +136,7 @@ optional_policy(`
+@@ -124,6 +138,13 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -20634,6 +20743,12 @@ index ba14bcf..07bcb8e 100644
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
++
++optional_policy(`
++ quantum_manage_lib_files(dnsmasq_t)
++ quantum_rw_fifo_file(dnsmasq_t)
++ quantum_sigchld(dnsmasq_t)
++')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..9e231a8
@@ -21068,7 +21183,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..5690e77 100644
+index a7bfaf0..457c894 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21412,7 +21527,7 @@ index a7bfaf0..5690e77 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +303,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +303,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -21438,6 +21553,7 @@ index a7bfaf0..5690e77 100644
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
++files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_deliver_t)
@@ -21471,7 +21587,7 @@ index a7bfaf0..5690e77 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +346,6 @@ optional_policy(`
+@@ -326,5 +347,6 @@ optional_policy(`
')
optional_policy(`
@@ -22790,7 +22906,7 @@ index 21d7b84..0e272bd 100644
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..839999e 100644
+index 5cf6ac6..62547ee 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,6 +2,66 @@
@@ -22860,18 +22976,37 @@ index 5cf6ac6..839999e 100644
## Send and receive messages from
## firewalld over dbus.
##
-@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
########################################
##
-## All of the rules required to
-## administrate an firewalld environment.
++## Dontaudit attempts to write
++## firewalld tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`firewalld_dontaudit_write_tmp_files',`
++ gen_require(`
++ type firewalld_tmp_t;
++ ')
++
++ dontaudit $1 firewalld_tmp_t:file write;
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an firewalld environment
##
##
##
-@@ -45,10 +105,14 @@ interface(`firewalld_admin',`
+@@ -45,10 +124,14 @@ interface(`firewalld_admin',`
type firewalld_var_log_t;
')
@@ -22888,7 +23023,7 @@ index 5cf6ac6..839999e 100644
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
-@@ -59,6 +123,9 @@ interface(`firewalld_admin',`
+@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
@@ -23303,10 +23438,18 @@ index c12c067..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..7575a9b 100644
+index c81b6e8..fcb022d 100644
--- a/fprintd.te
+++ b/fprintd.te
-@@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t)
+@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
+ allow fprintd_t self:capability sys_nice;
+ allow fprintd_t self:process { getsched setsched signal sigkill };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
++allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
@@ -23321,7 +23464,7 @@ index c81b6e8..7575a9b 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +50,13 @@ optional_policy(`
+@@ -54,8 +51,13 @@ optional_policy(`
')
')
@@ -23444,7 +23587,7 @@ index d062080..97fb494 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..5e6cdb8 100644
+index e50f33c..d9dca45 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -23605,7 +23748,7 @@ index e50f33c..5e6cdb8 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23618,11 +23761,13 @@ index e50f33c..5e6cdb8 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
+- userdom_manage_user_home_content_dirs(ftpd_t)
+- userdom_manage_user_home_content_files(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
++ userdom_manage_all_user_home_type_dirs(ftpd_t)
++ userdom_manage_all_user_home_type_files(ftpd_t)
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
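Review bot: Under `ftp_home_dir` the new lines widen ftpd_t from user home content to every user-home type (`userdom_manage_all_user_home_type_dirs/files`) and add `dac_override dac_read_search`, so with the boolean on ftpd can read and write any home-directory file type regardless of DAC mode; the boolean's description (outside this hunk) should say so, and a comment on the new lines should name the use case. Also, the removed `userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })` has no replacement, so files ftpd creates directly under a home directory may now inherit the parent's label rather than the user content type — confirm that is intended.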
@@ -24335,7 +24480,7 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..735cc94
+index 0000000..ab1fd22
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,146 @@
@@ -24389,7 +24534,7 @@ index 0000000..735cc94
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
-+files_type(glusterd_var_lib_t);
++files_type(glusterd_var_lib_t)
+
+########################################
+#
@@ -28049,10 +28194,10 @@ index 3226f52..68b2eb8 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..aa94571 100644
+index 25f09ae..3085534 100644
--- a/gpsd.te
+++ b/gpsd.te
-@@ -28,7 +28,7 @@ files_pid_file(gpsd_var_run_t)
+@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
#
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
@@ -28061,7 +28206,12 @@ index 25f09ae..aa94571 100644
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
-@@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
+ allow gpsd_t self:tcp_socket { accept listen };
++allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
@@ -28077,6 +28227,298 @@ index 25f09ae..aa94571 100644
optional_policy(`
chronyd_rw_shm(gpsd_t)
chronyd_stream_connect(gpsd_t)
+diff --git a/gssproxy.fc b/gssproxy.fc
+new file mode 100644
+index 0000000..404ae4f
+--- /dev/null
++++ b/gssproxy.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
++
++/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
++
++/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
++
++/var/run/gssproxy.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+diff --git a/gssproxy.if b/gssproxy.if
+new file mode 100644
+index 0000000..072ddb0
+--- /dev/null
++++ b/gssproxy.if
+@@ -0,0 +1,203 @@
++
++## policy for gssproxy
++
++########################################
++##
++## Execute TEMPLATE in the gssproxy domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gssproxy_domtrans',`
++ gen_require(`
++ type gssproxy_t, gssproxy_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
++')
++
++########################################
++##
++## Search gssproxy lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_search_lib',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read gssproxy lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_read_lib_files',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++##
++## Manage gssproxy lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_manage_lib_files',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++##
++## Manage gssproxy lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_manage_lib_dirs',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++##
++## Read gssproxy PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_read_pid_files',`
++ gen_require(`
++ type gssproxy_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
++')
++
++########################################
++##
++## Execute gssproxy server in the gssproxy domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gssproxy_systemctl',`
++ gen_require(`
++ type gssproxy_t;
++ type gssproxy_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 gssproxy_unit_file_t:file read_file_perms;
++ allow $1 gssproxy_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, gssproxy_t)
++')
++
++########################################
++##
++## Connect to gssproxy over an unix
++## domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_stream_connect',`
++ gen_require(`
++ type gssproxy_t, gssproxy_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an gssproxy environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`gssproxy_admin',`
++ gen_require(`
++ type gssproxy_t;
++ type gssproxy_var_lib_t;
++ type gssproxy_var_run_t;
++ type gssproxy_unit_file_t;
++ ')
++
++ allow $1 gssproxy_t:process { ptrace signal_perms };
++ ps_process_pattern($1, gssproxy_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, gssproxy_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, gssproxy_var_run_t)
++
++ gssproxy_systemctl($1)
++ admin_pattern($1, gssproxy_unit_file_t)
++ allow $1 gssproxy_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/gssproxy.te b/gssproxy.te
+new file mode 100644
+index 0000000..6f0253c
+--- /dev/null
++++ b/gssproxy.te
+@@ -0,0 +1,64 @@
++policy_module(gssproxy, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gssproxy_t;
++type gssproxy_exec_t;
++init_daemon_domain(gssproxy_t, gssproxy_exec_t)
++
++type gssproxy_var_lib_t;
++files_type(gssproxy_var_lib_t)
++
++type gssproxy_var_run_t;
++files_pid_file(gssproxy_var_run_t)
++
++type gssproxy_unit_file_t;
++systemd_unit_file(gssproxy_unit_file_t)
++
++########################################
++#
++# gssproxy local policy
++#
++allow gssproxy_t self:capability2 block_suspend;
++allow gssproxy_t self:fifo_file rw_fifo_file_perms;
++allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file })
++
++kernel_rw_rpc_sysctls(gssproxy_t)
++
++domain_use_interactive_fds(gssproxy_t)
++
++files_read_etc_files(gssproxy_t)
++
++auth_use_nsswitch(gssproxy_t)
++
++dev_read_urand(gssproxy_t)
++
++logging_send_syslog_msg(gssproxy_t)
++
++miscfiles_read_localization(gssproxy_t)
++
++userdom_manage_user_tmp_dirs(gssproxy_t)
++userdom_manage_user_tmp_files(gssproxy_t)
++
++optional_policy(`
++ kerberos_use(gssproxy_t)
++')
++
++optional_policy(`
++ kerberos_keytab_template(gssproxy, gssproxy_t)
++ kerberos_manage_host_rcache(gssproxy_t)
++')
diff --git a/guest.te b/guest.te
index d928711..93d2d83 100644
--- a/guest.te
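Review bot: In gssproxy.if, `gssproxy_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `gssproxy_admin` calls `systemd_read_fifo_file_passwd_run($1)`; these differ by one token, at most one can be an interface systemd.if actually exports, and the other will be left unexpanded by m4 and rejected at build time — check which name is real and use it in both places. The doc summaries also need attention: `gssproxy_domtrans` reads "Execute TEMPLATE in the gssproxy domin" and should be `## Execute gssproxy in the gssproxy domain.`, and `gssproxy_systemctl` reuses the domtrans wording although it grants systemctl/unit-file access. In gssproxy.te, `userdom_manage_user_tmp_dirs`/`userdom_manage_user_tmp_files` give the proxy write access to all users' tmp content and deserve a why-comment, e.g. `# TODO: document why gssproxy needs user tmp access`.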
@@ -32344,7 +32786,7 @@ index d5d1572..82267a7 100644
/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
-index 73e2803..562d25b 100644
+index 73e2803..2fc7570 100644
--- a/l2tp.if
+++ b/l2tp.if
@@ -1,9 +1,45 @@
@@ -32436,7 +32878,7 @@ index 73e2803..562d25b 100644
##
##
##
-@@ -56,14 +110,32 @@ interface(`l2tpd_stream_connect',`
+@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
')
files_search_pids($1)
@@ -32468,12 +32910,87 @@ index 73e2803..562d25b 100644
+
+########################################
+##
++## Allow send a signal to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_signal',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signal;
++')
++
++########################################
++##
++## Allow send signull to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_signull',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signull;
++')
++
++########################################
++##
++## Allow send sigkill to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_sigkill',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process sigkill;
++')
++
++########################################
++##
++## Send and receive messages from
++## l2tpd over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_dbus_chat',`
++ gen_require(`
++ type l2tpd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 l2tpd_t:dbus send_msg;
++ allow l2tpd_t $1:dbus send_msg;
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an l2tpd environment
##
##
##
-@@ -77,22 +149,26 @@ interface(`l2tpd_stream_connect',`
+@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',`
##
##
#
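Review bot: The summaries of the three new signal interfaces read `## Allow send a signal to l2tpd.` (and the signull/sigkill variants), which is ungrammatical and departs from the imperative form the neighbouring `l2tpd_dbus_chat` summary uses (`## Send and receive messages from`). Suggest `## Send generic signals to l2tpd.`, `## Send a null signal to l2tpd.` and `## Send a kill signal to l2tpd.` respectively. The `gen_require` blocks and the `allow $1 l2tpd_t:process ...` bodies themselves follow the usual refpolicy shape and need no change.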
@@ -32506,7 +33023,7 @@ index 73e2803..562d25b 100644
files_search_pids($1)
admin_pattern($1, l2tpd_var_run_t)
diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..23321e4 100644
+index 19f2b97..fbc0e48 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@@ -32518,7 +33035,16 @@ index 19f2b97..23321e4 100644
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
allow l2tpd_t self:netlink_socket create_socket_perms;
allow l2tpd_t self:rawip_socket create_socket_perms;
-@@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t)
+@@ -47,6 +47,8 @@ files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+ manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
+ files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+
++can_exec(l2tpd_t, l2tpd_exec_t)
++
+ corenet_all_recvfrom_unlabeled(l2tpd_t)
+ corenet_all_recvfrom_netlabel(l2tpd_t)
+ corenet_raw_sendrecv_generic_if(l2tpd_t)
+@@ -75,19 +77,35 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
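Review bot: `can_exec(l2tpd_t, l2tpd_exec_t)` lets the daemon execute its own binary without a domain transition and is added with no comment saying why. A later cleanup could easily mistake it for a leftover, so a one-line comment above it, e.g. `# l2tpd re-executes its own binary in-domain (no transition)`, would record the intent; if the actual trigger is known (a re-exec on reload, for instance), name it there.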
@@ -32535,6 +33061,22 @@ index 19f2b97..23321e4 100644
sysnet_dns_name_resolve(l2tpd_t)
optional_policy(`
++ dbus_system_bus_client(l2tpd_t)
++ dbus_connect_system_bus(l2tpd_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(l2tpd_t)
++ ')
++')
++
++optional_policy(`
++ ipsec_domtrans_mgmt(l2tpd_t)
++ ipsec_mgmt_read_pid(l2tpd_t)
++ ipsec_filetrans_key_file(l2tpd_t)
++ ipsec_manage_key_file(l2tpd_t)
++')
++
++optional_policy(`
+ networkmanager_read_pid_files(l2tpd_t)
+')
+
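Review bot: `ipsec_manage_key_file(l2tpd_t)` grants l2tpd create/write/delete access to IPsec key files, on top of the `ipsec_filetrans_key_file` line above it, which is a broad grant for a VPN helper that presumably only needs to write the pre-shared key it is handed. If l2tpd only creates and rewrites its own key file, a narrower grant (create and write rather than manage, if the ipsec module offers one) would limit what a compromised l2tpd could do to other IPsec key material; if full manage access is genuinely required, a comment above the `optional_policy` block saying why would make that explicit. The `ipsec_domtrans_mgmt` and `ipsec_mgmt_read_pid` lines are consistent with driving the IPsec tooling and merit the same short justification.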
@@ -33071,7 +33613,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 98b5405..b1d3cdf 100644
+index 98b5405..7d982bb 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -33083,7 +33625,15 @@ index 98b5405..b1d3cdf 100644
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
-@@ -64,9 +64,8 @@ files_manage_generic_locks(lircd_t)
+@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin };
+ allow lircd_t self:process signal;
+ allow lircd_t self:fifo_file rw_fifo_file_perms;
+ allow lircd_t self:tcp_socket { accept listen };
++allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
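Review bot: `allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;` is added without a comment; this socket class receives the kernel's device (uevent) notifications, so the rule presumably supports hot-plugging of IR receivers, but that is inferred rather than stated. A short comment such as `# receive uevent notifications for hot-plugged receivers` would document it. The same unexplained grant is added for `obex_t` in the obex.te hunk further down this file section.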
@@ -36573,10 +37123,10 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..90fd526 100644
+index 6ffaba2..d341a52 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,63 @@
+@@ -1,38 +1,64 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -36611,6 +37161,7 @@ index 6ffaba2..90fd526 100644
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -36675,7 +37226,7 @@ index 6ffaba2..90fd526 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..116d9d2 100644
+index 6194b80..879f5db 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -37314,7 +37865,7 @@ index 6194b80..116d9d2 100644
##
##
##
-@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +448,51 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -37379,6 +37930,7 @@ index 6194b80..116d9d2 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
@@ -37390,7 +37942,7 @@ index 6194b80..116d9d2 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..66e7ada 100644
+index 6a306ee..30005c3 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37399,7 +37951,7 @@ index 6a306ee..66e7ada 100644
########################################
#
-@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4)
#
##
@@ -37423,6 +37975,13 @@ index 6a306ee..66e7ada 100644
+
+##
+##
++## Allow mozilla plugin to support GPS.
++##
++##
++gen_tunable(mozilla_plugin_use_gps, false)
++
++##
++##
+## Allow confined web browsers to read home directory content
+##
+##
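Review bot: The description of the new `mozilla_plugin_use_gps` tunable says only "Allow mozilla plugin to support GPS." while the `tunable_policy` block it enables (in the last mozilla.te hunk of this file section) grants `fs_manage_dos_dirs` and `fs_manage_dos_files` to `mozilla_plugin_t`, i.e. create/write/delete on any filesystem labeled as a DOS filesystem. An administrator reading the boolean's description cannot tell that enabling it exposes all such FAT media to the browser plugin, not just a GPS device. Suggest `## Allow mozilla plugin to manage files on DOS/FAT filesystems (used by GPS devices).` so the access actually granted is visible where the boolean is documented.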
@@ -37439,7 +37998,7 @@ index 6a306ee..66e7ada 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -37449,7 +38008,7 @@ index 6a306ee..66e7ada 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,29 +58,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -37484,7 +38043,7 @@ index 6a306ee..66e7ada 100644
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +85,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -37495,7 +38054,7 @@ index 6a306ee..66e7ada 100644
########################################
#
# Local policy
-@@ -75,27 +86,30 @@ optional_policy(`
+@@ -75,27 +93,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -37539,7 +38098,7 @@ index 6a306ee..66e7ada 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +124,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -37647,7 +38206,7 @@ index 6a306ee..66e7ada 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +195,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -37655,15 +38214,15 @@ index 6a306ee..66e7ada 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37758,7 +38317,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -244,19 +268,12 @@ optional_policy(`
+@@ -244,19 +275,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -37780,7 +38339,7 @@ index 6a306ee..66e7ada 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +282,32 @@ optional_policy(`
+@@ -265,33 +289,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -37793,34 +38352,34 @@ index 6a306ee..66e7ada 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -37828,7 +38387,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -300,221 +316,174 @@ optional_policy(`
+@@ -300,221 +323,177 @@ optional_policy(`
########################################
#
@@ -37910,12 +38469,12 @@ index 6a306ee..66e7ada 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -37936,34 +38495,39 @@ index 6a306ee..66e7ada 100644
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
++corenet_tcp_bind_generic_node(mozilla_plugin_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
++corenet_tcp_connect_aol_port(mozilla_plugin_t)
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_generic_port(mozilla_plugin_t)
++corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
++corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
-
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
+ corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
- corenet_tcp_connect_http_port(mozilla_plugin_t)
+-corenet_tcp_connect_http_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
++corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
++corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
-
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
-
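Review bot: `corenet_tcp_bind_generic_node(mozilla_plugin_t)` is now present twice on the new side: once at the top of the re-sorted corenet block in this hunk and again as the pre-existing `+corenet_tcp_bind_generic_node(mozilla_plugin_t)` line in the hunk that closes the block (next to `corenet_udp_bind_generic_node`). The policy compiler tolerates the duplicate, but one of the two should be dropped so the block stays readable. The re-sort also slips in two grants that are new rather than moved, `corenet_tcp_connect_aol_port` here and `corenet_tcp_connect_jboss_management_port` in the following hunk; a browser plugin reaching a JBoss management port is unusual enough that a comment naming the plugin or use case behind it would help a future least-privilege review.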
@@ -37972,20 +38536,23 @@ index 6a306ee..66e7ada 100644
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
-
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
-
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+ corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_soundd_port(mozilla_plugin_t)
++corenet_tcp_connect_msnp_port(mozilla_plugin_t)
++corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
++corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
+ corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
-+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
-
@@ -37994,17 +38561,10 @@ index 6a306ee..66e7ada 100644
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
-
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
-+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
-+corenet_tcp_connect_soundd_port(mozilla_plugin_t)
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
++corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
-+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
-+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
-+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
-+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
@@ -38145,7 +38705,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -523,36 +492,47 @@ optional_policy(`
+@@ -523,36 +502,48 @@ optional_policy(`
')
optional_policy(`
@@ -38201,12 +38761,13 @@ index 6a306ee..66e7ada 100644
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
++ pulseaudio_manage_home_dirs(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
')
optional_policy(`
-@@ -560,7 +540,7 @@ optional_policy(`
+@@ -560,7 +551,7 @@ optional_policy(`
')
optional_policy(`
@@ -38215,7 +38776,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -568,108 +548,113 @@ optional_policy(`
+@@ -568,108 +559,118 @@ optional_policy(`
')
optional_policy(`
@@ -38331,34 +38892,29 @@ index 6a306ee..66e7ada 100644
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-userdom_use_user_ptys(mozilla_plugin_config_t)
--
--mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_config_t self:process execmem;
+-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
++')
+
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_config_t self:process execmem;
++optional_policy(`
++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_config_t self:process { execmem execstack };
+optional_policy(`
-+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
++ xserver_use_user_fonts(mozilla_plugin_config_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
- fs_manage_nfs_files(mozilla_plugin_config_t)
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
-+optional_policy(`
-+ xserver_use_user_fonts(mozilla_plugin_config_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_config_t)
-- fs_manage_cifs_files(mozilla_plugin_config_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
@@ -38369,8 +38925,10 @@ index 6a306ee..66e7ada 100644
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
--optional_policy(`
-- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
@@ -38384,10 +38942,17 @@ index 6a306ee..66e7ada 100644
')
-optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
++tunable_policy(`mozilla_plugin_use_gps',`
++ fs_manage_dos_dirs(mozilla_plugin_t)
++ fs_manage_dos_files(mozilla_plugin_t)
+ ')
diff --git a/mpd.fc b/mpd.fc
index 313ce52..6aa46d2 100644
--- a/mpd.fc
@@ -39833,7 +40398,7 @@ index ed81cac..566684a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..a270fd4 100644
+index afd2fad..363dd67 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -40031,7 +40596,7 @@ index afd2fad..a270fd4 100644
+init_dontaudit_rw_stream_socket(system_mail_t)
+
+userdom_use_inherited_user_terminals(system_mail_t)
-+userdom_dontaudit_search_user_home_dirs(system_mail_t)
++userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
@@ -42896,7 +43461,7 @@ index a1fb3c3..8fe1d63 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..b9c69d2 100644
+index 0e8508c..0b68b86 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -43143,7 +43708,7 @@ index 0e8508c..b9c69d2 100644
##
##
##
-@@ -227,33 +292,92 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',`
##
##
#
@@ -43214,6 +43779,25 @@ index 0e8508c..b9c69d2 100644
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
++####################################
++##
++## Connect to NM over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_stream_connect',`
++ gen_require(`
++ type NetworkManager_t, NetworkManager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
++')
+
+########################################
+##
@@ -43254,10 +43838,11 @@ index 0e8508c..b9c69d2 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
++ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..57fe60f 100644
+index 0b48a30..f3320a3 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
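Review bot: `logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")` labels a file created under the log directory with NetworkManager's var_lib type rather than a log type. Anything granted generic log access (log readers, rotation) presumably cannot read a file carrying the lib label, while anything allowed to manage NetworkManager's lib content gains write access to a log file. If this module already has a NetworkManager log type it should be used here; if not, adding one is the conventional fix. The enclosing interface starts above this hunk, so its intended scope is not visible from the diff.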
@@ -43537,7 +44122,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -257,11 +279,7 @@ optional_policy(`
+@@ -257,11 +279,10 @@ optional_policy(`
')
optional_policy(`
@@ -43547,10 +44132,13 @@ index 0b48a30..57fe60f 100644
-optional_policy(`
- modutils_domtrans_insmod(NetworkManager_t)
+ l2tpd_domtrans(NetworkManager_t)
++ l2tpd_sigkill(NetworkManager_t)
++ l2tpd_signal(NetworkManager_t)
++ l2tpd_signull(NetworkManager_t)
')
optional_policy(`
-@@ -274,10 +292,17 @@ optional_policy(`
+@@ -274,10 +295,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -43568,7 +44156,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -289,6 +314,7 @@ optional_policy(`
+@@ -289,6 +317,7 @@ optional_policy(`
')
optional_policy(`
@@ -43576,7 +44164,7 @@ index 0b48a30..57fe60f 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +322,7 @@ optional_policy(`
+@@ -296,7 +325,7 @@ optional_policy(`
')
optional_policy(`
@@ -43585,7 +44173,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -307,6 +333,7 @@ optional_policy(`
+@@ -307,6 +336,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -43593,7 +44181,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -320,13 +347,15 @@ optional_policy(`
+@@ -320,13 +350,15 @@ optional_policy(`
')
optional_policy(`
@@ -43613,7 +44201,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -47034,35 +47622,16 @@ index 57c0161..54bd4d7 100644
+ ps_process_pattern($1, swift_t)
')
diff --git a/nut.te b/nut.te
-index 0c9deb7..ea0ba5c 100644
+index 0c9deb7..98a02f8 100644
--- a/nut.te
+++ b/nut.te
-@@ -1,121 +1,108 @@
+@@ -1,4 +1,4 @@
-policy_module(nut, 1.2.4)
+policy_module(nut, 1.2.0)
########################################
#
- # Declarations
- #
-
--attribute nut_domain;
--
- type nut_conf_t;
- files_config_file(nut_conf_t)
-
--type nut_upsd_t, nut_domain;
-+type nut_upsd_t;
- type nut_upsd_exec_t;
- init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
-
--type nut_upsmon_t, nut_domain;
-+type nut_upsmon_t;
- type nut_upsmon_exec_t;
- init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
-
--type nut_upsdrvctl_t, nut_domain;
-+type nut_upsdrvctl_t;
+@@ -22,100 +22,94 @@ type nut_upsdrvctl_t, nut_domain;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
@@ -47072,11 +47641,12 @@ index 0c9deb7..ea0ba5c 100644
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
-+
+
+-########################################
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
-
- ########################################
++
++#######################################
#
-# Common nut domain local policy
+# Local policy for upsd
@@ -47090,39 +47660,35 @@ index 0c9deb7..ea0ba5c 100644
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
-+allow nut_upsd_t self:capability { setgid setuid dac_override };
-+allow nut_upsd_t self:process signal_perms;
-
+-
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
-+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-
+-
-kernel_read_kernel_sysctls(nut_domain)
-+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-
+-
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
--
--########################################
--#
++allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+ ########################################
+ #
-# Upsd local policy
--#
--
++# Local policy for upsd
+ #
+
-allow nut_upsd_t self:tcp_socket { accept listen };
-+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
++allow nut_upsd_t self:capability { setgid setuid dac_override };
++allow nut_upsd_t self:process signal_perms;
-+# pid file
-+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
- manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
-+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
-+kernel_read_kernel_sysctls(nut_upsd_t)
++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
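Review bot: `allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;` grants the uevent socket to every domain carrying the `nut_domain` attribute (upsd, upsmon and upsdrvctl), although only upsdrvctl is shown talking to hardware (`dev_rw_generic_usb_dev(nut_upsdrvctl_t)` further down) while upsd binds the ups port and upsmon sends mail. If the denials that motivated the rule came from the driver controller alone, scoping it to `nut_upsdrvctl_t` keeps the network-facing and mail-sending daemons without device-notification access. A comment stating which daemon needs it would settle this either way.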
@@ -47130,21 +47696,29 @@ index 0c9deb7..ea0ba5c 100644
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
--
++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
+
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
- corenet_tcp_bind_ups_port(nut_upsd_t)
--
+-corenet_tcp_bind_ups_port(nut_upsd_t)
++# pid file
++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
+
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
- corenet_tcp_bind_generic_port(nut_upsd_t)
-+corenet_tcp_bind_all_nodes(nut_upsd_t)
+-corenet_tcp_bind_generic_port(nut_upsd_t)
++kernel_read_kernel_sysctls(nut_upsd_t)
-files_read_usr_files(nut_upsd_t)
++corenet_tcp_bind_ups_port(nut_upsd_t)
++corenet_tcp_bind_generic_port(nut_upsd_t)
++corenet_tcp_bind_all_nodes(nut_upsd_t)
auth_use_nsswitch(nut_upsd_t)
+logging_send_syslog_msg(nut_upsd_t)
+
-+
########################################
#
-# Upsmon local policy
@@ -47160,12 +47734,12 @@ index 0c9deb7..ea0ba5c 100644
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
-
++
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
-+
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@@ -47205,7 +47779,7 @@ index 0c9deb7..ea0ba5c 100644
mta_send_mail(nut_upsmon_t)
optional_policy(`
-@@ -124,14 +111,27 @@ optional_policy(`
+@@ -124,14 +118,27 @@ optional_policy(`
########################################
#
@@ -47219,9 +47793,9 @@ index 0c9deb7..ea0ba5c 100644
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
-+
-+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
++
+# pid file
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
@@ -47235,7 +47809,7 @@ index 0c9deb7..ea0ba5c 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +139,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +146,34 @@ dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -47523,7 +48097,7 @@ index 8635ea2..eec20b4 100644
+ obex_dbus_chat($2)
')
diff --git a/obex.te b/obex.te
-index cd29ea8..efbf8f8 100644
+index cd29ea8..d01d2c8 100644
--- a/obex.te
+++ b/obex.te
@@ -1,4 +1,4 @@
@@ -47532,7 +48106,7 @@ index cd29ea8..efbf8f8 100644
########################################
#
-@@ -14,30 +14,25 @@ role obex_roles types obex_t;
+@@ -14,30 +14,26 @@ role obex_roles types obex_t;
########################################
#
@@ -47542,6 +48116,7 @@ index cd29ea8..efbf8f8 100644
allow obex_t self:fifo_file rw_fifo_file_perms;
allow obex_t self:socket create_stream_socket_perms;
++allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
-dev_read_urand(obex_t)
+kernel_request_load_module(obex_t)
@@ -48240,10 +48815,10 @@ index 0000000..f2d6119
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
-index 0000000..8a1731a
+index 0000000..6c841fa
--- /dev/null
+++ b/openshift.if
-@@ -0,0 +1,654 @@
+@@ -0,0 +1,676 @@
+
+## policy for openshift
+
@@ -48482,7 +49057,27 @@ index 0000000..8a1731a
+ type openshift_var_lib_t;
+ ')
+
-+ allow $1 openshift_var_lib_t:dir search_dir_perms;
++ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Getattr openshift lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_getattr_lib',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
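Review bot: The interface whose body is rewritten here (its header is outside the hunk) replaces a plain `allow $1 openshift_var_lib_t:dir search_dir_perms;` with `search_dirs_pattern` plus `getattr_files_pattern`, so it now hands out getattr on every openshift_var_lib_t file as well as directory search; if its summary still describes it as a search interface, extend it to say files may be stat'ed. The new `openshift_getattr_lib` then grants exactly the `getattr_files_pattern` and `files_search_var_lib` calls that the first interface already contains, so a caller that only needs to search the directory has no narrower option left. If the search interface is meant to stay minimal, drop `getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` from it and point callers that need attributes at `openshift_getattr_lib`.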
@@ -48503,6 +49098,7 @@ index 0000000..8a1731a
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
@@ -48542,6 +49138,7 @@ index 0000000..8a1731a
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
@@ -48726,7 +49323,7 @@ index 0000000..8a1731a
+##
+##
+#
-+template(`openshift_net_type',`
++interface(`openshift_net_type',`
+ gen_require(`
+ attribute openshift_net_domain;
+ ')
@@ -50522,7 +51119,7 @@ index bf59ef7..c050b37 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
-index 4e114ff..fddaed2 100644
+index 4e114ff..c016f25 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
@@ -50611,11 +51208,12 @@ index 4e114ff..fddaed2 100644
userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
-@@ -90,14 +91,15 @@ optional_policy(`
+@@ -90,14 +91,16 @@ optional_policy(`
')
optional_policy(`
- puppet_manage_lib_files(passenger_t)
++ puppet_domtrans_master(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
- puppet_append_log_files(passenger_t)
@@ -52684,7 +53282,7 @@ index 735500f..ef1dd7a 100644
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..17c097d 100644
+index 30e751f..3985ff9 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -1,4 +1,4 @@
@@ -52872,7 +53470,7 @@ index 30e751f..17c097d 100644
gen_require(`
type plymouthd_var_run_t;
')
-@@ -233,36 +228,74 @@ interface(`plymouthd_read_pid_files',`
+@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
########################################
##
@@ -52903,14 +53501,11 @@ index 30e751f..17c097d 100644
+## to plymouthd log files.
+##
+##
- ##
--## Role allowed access.
++##
+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`plymouthd_admin',`
++##
++##
++#
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
@@ -52922,17 +53517,39 @@ index 30e751f..17c097d 100644
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
++#######################################
++##
++## Allow domain to create boot.log
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`plymouthd_create_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_rw_generic_log_dirs($1)
++ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
++')
++
+########################################
+##
+## All of the rules required to administrate
+## an plymouthd environment
+##
+##
-+##
+ ##
+-## Role allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`plymouthd_admin',`
+interface(`plymouthd_admin', `
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
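Review bot: `plymouthd_create_log` only sets up the transition: `logging_log_named_filetrans` expands, via the usual filetrans_pattern, to rw_dir_perms on the generic log directory plus the type_transition, and nothing in the interface lets the caller create or write a plymouthd_var_log_t file, so a domain given this interface alone would presumably still be denied on boot.log. Either add the file permission inside the interface or say in its summary that the caller must also be granted `plymouthd_manage_log`, e.g. `## Allow domain to create boot.log; callers also need plymouthd_manage_log for the file itself`. `logging_rw_generic_log_dirs($1)` looks redundant with the rw_dir_perms the filetrans pattern already provides. The separator line above the new interface also appears one `#` shorter than the other separators in this file.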
@@ -55333,7 +55950,7 @@ index 2e23946..589bbf2 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..e9e96bd 100644
+index 191a66f..aa3e5f0 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -55422,7 +56039,7 @@ index 191a66f..e9e96bd 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -102,160 +102,63 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +102,64 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -55548,6 +56165,7 @@ index 191a66f..e9e96bd 100644
+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
++manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
@@ -55607,7 +56225,7 @@ index 191a66f..e9e96bd 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +166,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +167,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -55676,7 +56294,7 @@ index 191a66f..e9e96bd 100644
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
-@@ -316,14 +213,11 @@ optional_policy(`
+@@ -316,14 +214,11 @@ optional_policy(`
')
optional_policy(`
@@ -55692,7 +56310,7 @@ index 191a66f..e9e96bd 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -333,12 +227,14 @@ optional_policy(`
+@@ -333,12 +228,14 @@ optional_policy(`
########################################
#
@@ -55709,7 +56327,7 @@ index 191a66f..e9e96bd 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,35 +251,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,35 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -55754,7 +56372,7 @@ index 191a66f..e9e96bd 100644
mta_read_aliases(postfix_cleanup_t)
-@@ -393,36 +288,53 @@ optional_policy(`
+@@ -393,36 +289,53 @@ optional_policy(`
########################################
#
@@ -55816,7 +56434,7 @@ index 191a66f..e9e96bd 100644
')
optional_policy(`
-@@ -434,6 +346,7 @@ optional_policy(`
+@@ -434,6 +347,7 @@ optional_policy(`
')
optional_policy(`
@@ -55824,7 +56442,7 @@ index 191a66f..e9e96bd 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +357,10 @@ optional_policy(`
+@@ -444,6 +358,10 @@ optional_policy(`
')
optional_policy(`
@@ -55835,7 +56453,7 @@ index 191a66f..e9e96bd 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +375,17 @@ optional_policy(`
+@@ -458,15 +376,17 @@ optional_policy(`
########################################
#
@@ -55859,7 +56477,7 @@ index 191a66f..e9e96bd 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +395,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +396,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -55879,7 +56497,7 @@ index 191a66f..e9e96bd 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +412,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +413,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -55887,7 +56505,7 @@ index 191a66f..e9e96bd 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +419,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +420,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -55913,7 +56531,7 @@ index 191a66f..e9e96bd 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +444,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +445,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -55933,7 +56551,7 @@ index 191a66f..e9e96bd 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +495,26 @@ optional_policy(`
+@@ -576,19 +496,26 @@ optional_policy(`
########################################
#
@@ -55965,7 +56583,7 @@ index 191a66f..e9e96bd 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +529,7 @@ optional_policy(`
+@@ -603,10 +530,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -55977,7 +56595,7 @@ index 191a66f..e9e96bd 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +544,24 @@ optional_policy(`
+@@ -621,17 +545,24 @@ optional_policy(`
#######################################
#
@@ -56005,7 +56623,7 @@ index 191a66f..e9e96bd 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +577,77 @@ optional_policy(`
+@@ -647,67 +578,77 @@ optional_policy(`
########################################
#
@@ -56101,7 +56719,7 @@ index 191a66f..e9e96bd 100644
')
optional_policy(`
-@@ -720,24 +660,27 @@ optional_policy(`
+@@ -720,24 +661,27 @@ optional_policy(`
########################################
#
@@ -56135,7 +56753,7 @@ index 191a66f..e9e96bd 100644
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
-@@ -754,6 +697,7 @@ optional_policy(`
+@@ -754,6 +698,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -56143,7 +56761,7 @@ index 191a66f..e9e96bd 100644
')
optional_policy(`
-@@ -764,31 +708,99 @@ optional_policy(`
+@@ -764,31 +709,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -56930,7 +57548,7 @@ index cd8b8b9..cde0d62 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..89ded87 100644
+index b2b5dba..7b8a7d1 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -57121,14 +57739,14 @@ index b2b5dba..89ded87 100644
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
--
++# for scripts
+
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
-+# for scripts
-
+-
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
@@ -57160,7 +57778,13 @@ index b2b5dba..89ded87 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -190,7 +206,7 @@ optional_policy(`
+@@ -186,11 +202,13 @@ optional_policy(`
+ l2tpd_dgram_send(pppd_t)
+ l2tpd_rw_socket(pppd_t)
+ l2tpd_stream_connect(pppd_t)
++ l2tpd_read_pid_files(pppd_t)
++ l2tpd_dbus_chat(pppd_t)
+ ')
optional_policy(`
tunable_policy(`pppd_can_insmod',`
@@ -57169,7 +57793,7 @@ index b2b5dba..89ded87 100644
')
')
-@@ -218,16 +234,19 @@ optional_policy(`
+@@ -218,16 +236,19 @@ optional_policy(`
########################################
#
@@ -57192,7 +57816,7 @@ index b2b5dba..89ded87 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +255,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -57249,7 +57873,7 @@ index b2b5dba..89ded87 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +299,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -57264,6 +57888,17 @@ index b2b5dba..89ded87 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+@@ -299,6 +318,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(pppd_t)
++')
++
++optional_policy(`
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
diff --git a/prelink.fc b/prelink.fc
index a90d623..62af9a4 100644
--- a/prelink.fc
@@ -58514,7 +59149,7 @@ index 6864479..0e7d875 100644
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index fa3dc8e..59808e5 100644
+index fa3dc8e..99cfa95 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,47 +2,44 @@
@@ -58680,7 +59315,7 @@ index fa3dc8e..59808e5 100644
##
## Domain allowed access.
##
-@@ -205,85 +204,95 @@ interface(`pulseaudio_setattr_home_dir',`
+@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
type pulseaudio_home_t;
')
@@ -58742,7 +59377,7 @@ index fa3dc8e..59808e5 100644
##
-## Read and write Pulse Audio files.
+## Create, read, write, and delete pulseaudio
-+## home directory files.
++## home directories.
##
-##
+##
@@ -58752,16 +59387,15 @@ index fa3dc8e..59808e5 100644
##
#
-interface(`pulseaudio_rw_home_files',`
-+interface(`pulseaudio_manage_home_files',`
++interface(`pulseaudio_manage_home_dirs',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ pulseaudio_filetrans_home_content($1)
+- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
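Review bot: `pulseaudio_manage_home_dirs` grants `manage_dirs_pattern` on pulseaudio_home_t but, unlike `pulseaudio_manage_home_files` further down in this patch, does not call `pulseaudio_filetrans_home_content($1)`, so a domain given only this interface that creates `~/.pulse` would presumably receive the default user-home label instead of pulseaudio_home_t, and the manage rights it was just granted would not apply to the directory it created. Either add `pulseaudio_filetrans_home_content($1)` after the `manage_dirs_pattern` line, or state in the summary that this interface is meant to be paired with one that supplies the name transition.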
@@ -58769,7 +59403,7 @@ index fa3dc8e..59808e5 100644
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
-+## home directory symlinks.
++## home directory files.
##
-##
+##
@@ -58778,47 +59412,44 @@ index fa3dc8e..59808e5 100644
##
##
#
--interface(`pulseaudio_manage_home_files',`
+ interface(`pulseaudio_manage_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
- pulseaudio_manage_home($1)
-+interface(`pulseaudio_manage_home_symlinks',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
-+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ pulseaudio_filetrans_home_content($1)
')
########################################
##
-## Create, read, write, and delete
-## pulseaudio home content.
-+## Create pulseaudio content in the user home directory
-+## with an correct label.
++## Create, read, write, and delete pulseaudio
++## home directory symlinks.
##
- ##
+-##
++##
##
-@@ -291,62 +300,74 @@ interface(`pulseaudio_manage_home_files',`
+ ## Domain allowed access.
##
##
#
-interface(`pulseaudio_manage_home',`
-+interface(`pulseaudio_filetrans_home_content',`
++interface(`pulseaudio_manage_home_symlinks',`
gen_require(`
type pulseaudio_home_t;
')
-- userdom_search_user_home_dirs($1)
+ userdom_search_user_home_dirs($1)
- allow $1 pulseaudio_home_t:dir manage_dir_perms;
- allow $1 pulseaudio_home_t:file manage_file_perms;
- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
-+ optional_policy(`
-+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
-+ ')
++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
@@ -58826,7 +59457,7 @@ index fa3dc8e..59808e5 100644
-## Create objects in user home
-## directories with the pulseaudio
-## home type.
-+## Create pulseaudio content in the admin home directory
++## Create pulseaudio content in the user home directory
+## with an correct label.
##
##
@@ -58840,10 +59471,31 @@ index fa3dc8e..59808e5 100644
-##
-##
-##
--##
++#
++interface(`pulseaudio_filetrans_home_content',`
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
++ optional_policy(`
++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
++ ')
++')
++
++########################################
++##
++## Create pulseaudio content in the admin home directory
++## with an correct label.
++##
++##
+ ##
-## The name of the object being created.
--##
--##
++## Domain allowed access.
+ ##
+ ##
#
-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
+interface(`pulseaudio_filetrans_admin_home_content',`
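Review bot: The summary of the new admin-home interface reads `## with an correct label.`; it should be `## with a correct label.` (the wording was copied from the user-home interface just above, which carries the same slip). The body of `pulseaudio_filetrans_admin_home_content` continues outside the hunk.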
@@ -59223,10 +59875,10 @@ index 4ecda09..8c0b242 100644
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..b7b5ee7 100644
+index 7cb8b1f..7c5c5fb 100644
--- a/puppet.if
+++ b/puppet.if
-@@ -1,4 +1,12 @@
+@@ -1,4 +1,32 @@
-## Configuration management system.
+## Puppet client daemon
+##
@@ -59237,10 +59889,30 @@ index 7cb8b1f..b7b5ee7 100644
+## the client system matches.
+##
+##
++
++########################################
++##
++## Execute puppet_master in the puppet_master
++## domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`puppet_domtrans_master',`
++ gen_require(`
++ type puppet_master_t, puppet_master_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, puppet_master_exec_t, puppet_master_t)
++')
########################################
##
-@@ -40,16 +48,19 @@ interface(`puppet_domtrans_puppetca',`
+@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
#
interface(`puppet_run_puppetca',`
gen_require(`
@@ -59264,7 +59936,7 @@ index 7cb8b1f..b7b5ee7 100644
##
##
##
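Review bot: The new `puppet_domtrans_master` interface closes with `')` and is immediately followed by the `########################################` separator of the next interface, with no blank line between them, unlike every other interface boundary visible in this file; insert an empty line after the `')`. The interface requires `puppet_master_t` and `puppet_master_exec_t`, while the admin interface removed later in this patch referred to `puppetmaster_t`; confirm that puppet.te in this patch actually declares the underscore-named types, since an unmatched gen_require fails at policy build time and passenger.te now depends on this interface.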
-@@ -57,15 +68,13 @@ interface(`puppet_run_puppetca',`
+@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
##
##
#
@@ -59284,7 +59956,7 @@ index 7cb8b1f..b7b5ee7 100644
')
################################################
-@@ -78,158 +87,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
##
##
#
@@ -59479,16 +60151,16 @@ index 7cb8b1f..b7b5ee7 100644
-
- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
--
-- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
-- domain_system_change_exemption($1)
-- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
-- allow $2 system_r;
+interface(`puppet_manage_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
+- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
+- allow $2 system_r;
+-
- files_search_etc($1)
- admin_pattern($1, puppet_etc_t)
+ logging_search_logs($1)
@@ -62188,10 +62860,10 @@ index 70ab68b..e97da31 100644
/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
diff --git a/quantum.if b/quantum.if
-index afc0068..7616aa4 100644
+index afc0068..b25d41e 100644
--- a/quantum.if
+++ b/quantum.if
-@@ -2,41 +2,217 @@
+@@ -2,41 +2,252 @@
########################################
##
@@ -62354,6 +63026,41 @@ index afc0068..7616aa4 100644
+
+########################################
+##
++## Read and write quantum fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_rw_fifo_file',`
++ gen_require(`
++ type quantum_t;
++ ')
++
++ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Allow domain to send sigchld to quantum process.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_sigchld',`
++ gen_require(`
++ type quantum_t;
++ ')
++
++ allow $1 quantum_t:process sigchld;
++')
++########################################
++##
+## Execute quantum server in the quantum domain.
+##
+##
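Review bot: The summary of `quantum_rw_fifo_file` says "Read and write quantum fifo files", but the rule grants `rw_inherited_fifo_file_perms`, the permission set for descriptors already open and inherited from quantum_t (it does not include open), so the summary overstates what is allowed; change it to `## Read and write inherited quantum fifo files.`. `quantum_sigchld` closes with `')` directly followed by the next `########################################` separator; add the blank line used between every other pair of interfaces in this file.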
@@ -62883,22 +63590,51 @@ index 4b2c272..1aee969 100644
+ dbus_system_bus_client(quota_nld_t)
+ dbus_connect_system_bus(quota_nld_t)
')
+diff --git a/rabbitmq.fc b/rabbitmq.fc
+index c5ad6de..c67dbef 100644
+--- a/rabbitmq.fc
++++ b/rabbitmq.fc
+@@ -4,7 +4,9 @@
+ /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+
+ /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
++/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+ /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
++/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+
+ /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..62a5977 100644
+index 3698b51..a68f9f1 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
-@@ -70,10 +70,6 @@ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-
- dev_read_sysfs(rabbitmq_beam_t)
+@@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t)
+ corecmd_exec_bin(rabbitmq_beam_t)
+ corecmd_exec_shell(rabbitmq_beam_t)
+
++corenet_tcp_bind_generic_node(rabbitmq_beam_t)
++corenet_udp_bind_generic_node(rabbitmq_beam_t)
+ corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
+ corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
+@@ -68,11 +70,13 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+ corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+
+-dev_read_sysfs(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-files_read_etc_files(rabbitmq_beam_t)
--
++auth_read_passwd(rabbitmq_beam_t)
+
-miscfiles_read_localization(rabbitmq_beam_t)
--
++dev_read_sysfs(rabbitmq_beam_t)
++dev_read_urand(rabbitmq_beam_t)
+
sysnet_dns_name_resolve(rabbitmq_beam_t)
- ########################################
-@@ -81,7 +77,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t)
+@@ -81,7 +85,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t)
# Epmd local policy
#
@@ -62906,7 +63642,7 @@ index 3698b51..62a5977 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +94,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +102,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
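Review bot: The new rabbitmq.fc entries label `/var/lib/ejabberd` and `/var/log/ejabberd` with rabbitmq_var_lib_t and rabbitmq_var_log_t, so the two services now share one type space: any domain granted access to rabbitmq state through the rabbitmq interfaces also reaches ejabberd's data, and AVC denials involving ejabberd files will be reported under rabbitmq types. Presumably this is because ejabberd is another Erlang/beam application run in rabbitmq_beam_t (the same hunk adds the jabber port binds, `auth_read_passwd` and `dev_read_urand` to that domain), but nothing records the decision; add a comment above the two entries, e.g. `# ejabberd is an Erlang application run in the rabbitmq_beam_t domain and shares the rabbitmq types`. If the two services are meant to be isolated from each other, dedicated ejabberd types would be the stronger option.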
@@ -62990,7 +63726,7 @@ index 4460582..60cf556 100644
+
')
diff --git a/radius.te b/radius.te
-index 1e7927f..5874c98 100644
+index 1e7927f..eb72458 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -63016,7 +63752,16 @@ index 1e7927f..5874c98 100644
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -97,7 +100,6 @@ domain_use_interactive_fds(radiusd_t)
+@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+ corenet_udp_sendrecv_all_ports(radiusd_t)
+ corenet_udp_bind_generic_node(radiusd_t)
+
++corenet_tcp_connect_postgresql_port(radiusd_t)
++
+ corenet_sendrecv_radacct_server_packets(radiusd_t)
+ corenet_udp_bind_radacct_port(radiusd_t)
+
+@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
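Review bot: `corenet_tcp_connect_postgresql_port(radiusd_t)` is granted unconditionally, so every radiusd deployment, including those with no SQL backend, carries an open path from the RADIUS daemon to the postgresql port. Optional database connectivity is usually gated behind a boolean in this policy; consider wrapping the new line in a `tunable_policy(` block keyed on something like `radius_can_network_connect_db` (constructed name, declared with gen_tunable and a description) so the rule is off by default and its purpose is documented. If it is meant to stay unconditional, a comment naming the radiusd module that needs it would at least keep the grant reviewable.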
@@ -63024,7 +63769,7 @@ index 1e7927f..5874c98 100644
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
-@@ -109,7 +111,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
@@ -63032,6 +63777,18 @@ index 1e7927f..5874c98 100644
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
+@@ -122,6 +125,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")
++ kerberos_manage_host_rcache(radiusd_t)
++')
++
++optional_policy(`
+ logrotate_exec(radiusd_t)
+ ')
+
diff --git a/radvd.if b/radvd.if
index ac7058d..48739ac 100644
--- a/radvd.if
@@ -63241,7 +63998,7 @@ index 951db7f..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..d75003d 100644
+index 2c1730b..259b790 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@@ -63309,7 +64066,7 @@ index 2c1730b..d75003d 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +80,17 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,16 +80,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -63322,6 +64079,7 @@ index 2c1730b..d75003d 100644
+
init_dontaudit_getattr_initctl(mdadm_t)
++logging_dontaudit_getattr_all_logs(mdadm_t)
logging_send_syslog_msg(mdadm_t)
-miscfiles_read_localization(mdadm_t)
@@ -65791,7 +66549,7 @@ index 56bc01f..895e16e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..38a33d7 100644
+index 2c2de9a..2bf6984 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -65822,7 +66580,7 @@ index 2c2de9a..38a33d7 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -50,28 +71,263 @@ rhcs_domain_template(qdiskd)
+@@ -50,28 +71,267 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
@@ -65866,12 +66624,15 @@ index 2c2de9a..38a33d7 100644
allow cluster_domain self:unix_dgram_socket create_socket_perms;
-logging_send_syslog_msg(cluster_domain)
--
--miscfiles_read_localization(cluster_domain)
+manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
+manage_files_pattern(cluster_domain, cluster_log, cluster_log)
+manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
+-miscfiles_read_localization(cluster_domain)
++tunable_policy(`cluster_use_execmem',`
++ allow cluster_domain self:process execmem;
++')
+
optional_policy(`
ccs_stream_connect(cluster_domain)
')
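Review bot: The new `tunable_policy(`cluster_use_execmem',` block grants `execmem` to the whole cluster_domain attribute, so enabling one boolean removes the write-xor-execute protection for every cluster daemon at once rather than for the one that needs it. Confirm that `gen_tunable(cluster_use_execmem, false)` with a description is declared (the hunk near the top of rhcs.te adds lines beside the existing tunables, but its body is outside this view) and that the description states this trade-off; a one-line comment above the block naming which daemon actually needs execmem would make it possible to narrow the rule later.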
@@ -66091,7 +66852,7 @@ index 2c2de9a..38a33d7 100644
')
#####################################
-@@ -79,7 +335,7 @@ optional_policy(`
+@@ -79,7 +339,7 @@ optional_policy(`
# dlm_controld local policy
#
@@ -66100,7 +66861,7 @@ index 2c2de9a..38a33d7 100644
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,6 +358,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -66117,7 +66878,7 @@ index 2c2de9a..38a33d7 100644
#######################################
#
# fenced local policy
-@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +375,13 @@ init_rw_script_tmp_files(dlm_controld_t)
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };
@@ -66132,7 +66893,7 @@ index 2c2de9a..38a33d7 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +392,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -66143,7 +66904,7 @@ index 2c2de9a..38a33d7 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +421,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -66154,7 +66915,7 @@ index 2c2de9a..38a33d7 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +431,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -66163,7 +66924,7 @@ index 2c2de9a..38a33d7 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +457,6 @@ optional_policy(`
+@@ -190,10 +461,6 @@ optional_policy(`
')
optional_policy(`
@@ -66174,7 +66935,7 @@ index 2c2de9a..38a33d7 100644
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
-@@ -203,6 +466,13 @@ optional_policy(`
+@@ -203,6 +470,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -66188,7 +66949,7 @@ index 2c2de9a..38a33d7 100644
#######################################
#
# foghorn local policy
-@@ -223,14 +493,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,14 +497,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
dev_read_urand(foghorn_t)
@@ -66207,7 +66968,7 @@ index 2c2de9a..38a33d7 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +529,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +533,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -66216,7 +66977,7 @@ index 2c2de9a..38a33d7 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +549,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +553,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -66229,7 +66990,7 @@ index 2c2de9a..38a33d7 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +595,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +599,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -69359,7 +70120,7 @@ index 0628d50..84f2fd7 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..decdd95 100644
+index 5cbe81c..f79d5f4 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -69417,7 +70178,13 @@ index 5cbe81c..decdd95 100644
type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t)
-@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
+@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
+ # rpm Local policy
+ #
+
++allow rpm_t self:capability2 block_suspend;
+ allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
@@ -69451,7 +70218,7 @@ index 5cbe81c..decdd95 100644
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
-@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -69479,7 +70246,7 @@ index 5cbe81c..decdd95 100644
kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
-@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t)
+@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
@@ -69535,7 +70302,7 @@ index 5cbe81c..decdd95 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t)
+@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
@@ -69587,7 +70354,7 @@ index 5cbe81c..decdd95 100644
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
-@@ -224,13 +232,17 @@ optional_policy(`
+@@ -224,13 +233,17 @@ optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -69609,7 +70376,7 @@ index 5cbe81c..decdd95 100644
')
########################################
-@@ -239,19 +251,20 @@ optional_policy(`
+@@ -239,19 +252,20 @@ optional_policy(`
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@@ -69633,7 +70400,7 @@ index 5cbe81c..decdd95 100644
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
-@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -69644,7 +70411,7 @@ index 5cbe81c..decdd95 100644
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
@@ -69694,7 +70461,7 @@ index 5cbe81c..decdd95 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
-@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -69752,7 +70519,7 @@ index 5cbe81c..decdd95 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,40 +377,54 @@ ifdef(`distro_redhat',`
+@@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
')
')
@@ -69817,7 +70584,7 @@ index 5cbe81c..decdd95 100644
unconfined_domtrans(rpm_script_t)
optional_policy(`
-@@ -409,6 +437,6 @@ optional_policy(`
+@@ -409,6 +438,6 @@ optional_policy(`
')
optional_policy(`
@@ -71545,7 +72312,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..31e7d21 100644
+index 57c034b..fccf544 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -71820,7 +72587,7 @@ index 57c034b..31e7d21 100644
')
optional_policy(`
-+ realmd_read_cache_files(samba_net_t)
++ realmd_manage_cache_files(samba_net_t)
+ realmd_read_tmp_files(samba_net_t)
+')
+
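Review bot: The switch to `realmd_manage_cache_files(samba_net_t)` grants create, write, rename and unlink on realmd's cache, and nothing in the hunk says which of those samba's `net` actually needs. If the motivating denial was a write to an existing file, a read/write interface (if realmd.if provides one) would leave the cache's structure under realmd's control; if creation or removal is genuinely required, a one-line comment above the call naming that operation (e.g. `# net(8) must create/remove files in realmd's cache — confirm against the denial`) records why the wider set is justified. The optional_policy block this rule sits in continues outside the hunk.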
@@ -74167,7 +74934,7 @@ index b2f388a..3e6a93f 100644
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/sasl.te b/sasl.te
-index a63b875..64a7c79 100644
+index a63b875..1c9e41b 100644
--- a/sasl.te
+++ b/sasl.te
@@ -1,4 +1,4 @@
@@ -74204,7 +74971,7 @@ index a63b875..64a7c79 100644
manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-@@ -43,29 +44,19 @@ kernel_read_kernel_sysctls(saslauthd_t)
+@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
kernel_rw_afs_state(saslauthd_t)
@@ -74218,6 +74985,7 @@ index a63b875..64a7c79 100644
-
-corenet_sendrecv_pop_client_packets(saslauthd_t)
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
++corenet_tcp_connect_ldap_port(saslauthd_t)
corenet_tcp_connect_pop_port(saslauthd_t)
-corenet_tcp_sendrecv_pop_port(saslauthd_t)
-
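Review bot: `corenet_tcp_connect_ldap_port(saslauthd_t)` is granted unconditionally, so every saslauthd instance may open outbound LDAP connections even where the daemon is configured with a non-LDAP mechanism such as PAM. If the policy has, or gains, a tunable for the LDAP backend, wrapping the rule in `tunable_policy` keeps the default tighter; otherwise a comment such as `# needed for saslauthd -a ldap` next to the rule documents the intended use. The saslauthd rule block continues outside the hunk.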
@@ -74239,7 +75007,7 @@ index a63b875..64a7c79 100644
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
-@@ -73,33 +64,37 @@ selinux_compute_access_vector(saslauthd_t)
+@@ -73,33 +65,37 @@ selinux_compute_access_vector(saslauthd_t)
auth_use_pam(saslauthd_t)
@@ -75631,7 +76399,7 @@ index 3a9a70b..039b0c8 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..a89828e 100644
+index 49b12ae..46356db 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -1,4 +1,4 @@
@@ -75799,13 +76567,15 @@ index 49b12ae..a89828e 100644
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +177,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
+
++selinux_read_policy(setroubleshoot_fixit_t)
++
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
@@ -75814,7 +76584,7 @@ index 49b12ae..a89828e 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +193,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -75892,10 +76662,10 @@ index 0000000..c9d2d9c
+
diff --git a/sge.te b/sge.te
new file mode 100644
-index 0000000..9a329a1
+index 0000000..af30acf
--- /dev/null
+++ b/sge.te
-@@ -0,0 +1,191 @@
+@@ -0,0 +1,195 @@
+policy_module(sge, 1.0.0)
+
+########################################
@@ -75942,19 +76712,23 @@ index 0000000..9a329a1
+# sge_execd local policy
+#
+
-+allow sge_execd_t self:capability { dac_override setuid chown setgid };
++allow sge_execd_t self:capability { dac_override kill setuid chown setgid };
+allow sge_execd_t self:process { setsched signal setpgid };
+
+allow sge_execd_t sge_shepherd_t:process signal;
+
+kernel_read_kernel_sysctls(sge_execd_t)
+
++corenet_tcp_bind_sge_port(sge_execd_t)
++corenet_tcp_connect_sge_port(sge_execd_t)
++
+dev_read_sysfs(sge_execd_t)
+
+files_exec_usr_files(sge_execd_t)
+files_search_spool(sge_execd_t)
+
+fs_getattr_xattr_fs(sge_execd_t)
++fs_read_cgroup_files(sge_execd_t)
+
+auth_use_nsswitch(sge_execd_t)
+
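Review bot: `corenet_tcp_bind_sge_port(sge_execd_t)` and `corenet_tcp_connect_sge_port(sge_execd_t)` depend on an sge port declaration in corenetwork.te.in that is not visible in this chunk; if it is not part of the same patch the module will not build. The capability set widened to `{ dac_override kill setuid chown setgid }` also lacks a note on why `kill` is needed — presumably to signal job processes running under other users' uids — so a comment such as `# kill: execd signals jobs that run as the submitting user — confirm` would help the next reader judge whether it can be dropped. The sge_execd section continues outside the hunk.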
@@ -77362,10 +78136,10 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 81864ce..54a1bc6 100644
+index 81864ce..24fe118 100644
--- a/snmp.te
+++ b/snmp.te
-@@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t)
+@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
#
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
@@ -77380,7 +78154,11 @@ index 81864ce..54a1bc6 100644
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;
- allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)
+ logging_log_filetrans(snmpd_t, snmpd_log_t, file)
+
+ manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t)
kernel_read_fs_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
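Review bot: Replacing `{ append_file_perms create_file_perms setattr_file_perms }` with `manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)` lets the daemon read, truncate, rename and unlink its own log files instead of only appending to them, which gives up the property that a compromised snmpd cannot rewrite its trail. The same widening is applied to squid_t on squid_log_t in the hunk at @@ -79043. If a specific denial motivated this, adding just that permission to the existing allow rule keeps the append-only guarantee; otherwise a comment recording which operation needs full manage access (e.g. `# <operation> requires rewriting the log — confirm`) should accompany the rule.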
@@ -79006,7 +79784,7 @@ index 5e1f053..e7820bc 100644
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index 221c560..6ea61f9 100644
+index 221c560..fcf6da0 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -79043,7 +79821,14 @@ index 221c560..6ea61f9 100644
########################################
#
# Local policy
-@@ -80,13 +86,13 @@ setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
+@@ -74,19 +80,17 @@ allow squid_t squid_conf_t:file read_file_perms;
+ allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
+-append_files_pattern(squid_t, squid_log_t, squid_log_t)
+-create_files_pattern(squid_t, squid_log_t, squid_log_t)
+-setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
++manage_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })
@@ -79060,7 +79845,7 @@ index 221c560..6ea61f9 100644
manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
files_pid_filetrans(squid_t, squid_var_run_t, file)
-@@ -96,7 +102,6 @@ kernel_read_kernel_sysctls(squid_t)
+@@ -96,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
kernel_read_network_state(squid_t)
@@ -79068,7 +79853,15 @@ index 221c560..6ea61f9 100644
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
-@@ -156,7 +161,6 @@ dev_read_urand(squid_t)
+@@ -134,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
+ corenet_udp_sendrecv_gopher_port(squid_t)
+
+ corenet_sendrecv_squid_server_packets(squid_t)
++corenet_sendrecv_squid_client_packets(squid_t)
+ corenet_tcp_bind_squid_port(squid_t)
+ corenet_udp_bind_squid_port(squid_t)
+ corenet_tcp_sendrecv_squid_port(squid_t)
+@@ -156,7 +160,6 @@ dev_read_urand(squid_t)
domain_use_interactive_fds(squid_t)
files_read_etc_runtime_files(squid_t)
@@ -79076,7 +79869,7 @@ index 221c560..6ea61f9 100644
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)
-@@ -178,7 +182,6 @@ libs_exec_lib_files(squid_t)
+@@ -178,7 +181,6 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
@@ -79084,7 +79877,7 @@ index 221c560..6ea61f9 100644
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -200,6 +203,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -200,6 +202,8 @@ tunable_policy(`squid_use_tproxy',`
optional_policy(`
apache_content_template(squid)
@@ -79093,7 +79886,7 @@ index 221c560..6ea61f9 100644
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -209,18 +214,18 @@ optional_policy(`
+@@ -209,18 +213,18 @@ optional_policy(`
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
@@ -79119,7 +79912,7 @@ index 221c560..6ea61f9 100644
')
optional_policy(`
-@@ -238,3 +243,24 @@ optional_policy(`
+@@ -238,3 +242,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -85273,10 +86066,10 @@ index 0be8535..b96e329 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index c30da4c..d60e3e4 100644
+index c30da4c..f3e9b6d 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,52 +1,81 @@
+@@ -1,52 +1,85 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -85352,6 +86145,7 @@ index c30da4c..d60e3e4 100644
-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-
-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
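Review bot: `/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)` gives a lock file under /var/lock the log type, while the virsh rules later in this commit (hunk at @@ -88222) manage `virt_lock_t` through `files_lock_filetrans`, so `virt_lock_t` looks like the intended label: `/var/lock/xl -- gen_context(system_u:object_r:virt_lock_t,s0)`. With the log type, access to the lock is governed by whatever may append or manage virt logs rather than by the lock rules. Also confirm whether xl creates `/var/lock/xl` as a regular file or a directory; the `--` entry matches only a regular file.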
@@ -85389,6 +86183,9 @@ index c30da4c..d60e3e4 100644
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
++/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
++/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
++
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
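Review bot: `/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)` puts the entrypoint type on the directory and everything beneath it, unlike the neighbouring `/usr/libexec/qemu.* --` entries which confine the exec type to regular files; this is what later forces `allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms` in the virt.te hunk at @@ -88747. Labelling only the binaries with `--` and leaving the directory with an ordinary files type keeps the entrypoint type on executables alone. Note too that anything placed directly in /usr/libexec/qemu-ga outside fsfreeze-hook.d becomes executable in virt_qemu_ga_t via the `can_exec` rule in that same hunk, so confirm that is intended for whatever else ships in the directory.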
@@ -87076,7 +87873,7 @@ index 9dec06c..7877729 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..3f1bc45 100644
+index 1f22fba..a8390d3 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -87282,43 +88079,50 @@ index 1f22fba..3f1bc45 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,290 +165,121 @@ type virt_qmf_exec_t;
+@@ -155,290 +165,130 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
-type virt_bridgehelper_exec_t;
domain_type(virt_bridgehelper_t)
--domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
++
++type virt_bridgehelper_exec_t;
+ domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-role virt_bridgehelper_roles types virt_bridgehelper_t;
--
++role system_r types virt_bridgehelper_t;
+
-type virtd_lxc_t;
-type virtd_lxc_exec_t;
-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
++# policy for qemu_ga
++type virt_qemu_ga_t;
++type virt_qemu_ga_exec_t;
++init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-type virtd_lxc_var_run_t;
-files_pid_file(virtd_lxc_var_run_t)
-+type virt_bridgehelper_exec_t;
-+domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-+role system_r types virt_bridgehelper_t;
++type virt_qemu_ga_var_run_t;
++files_pid_file(virt_qemu_ga_var_run_t)
-type svirt_lxc_file_t;
-files_mountpoint(svirt_lxc_file_t)
-fs_noxattr_type(svirt_lxc_file_t)
-term_pty(svirt_lxc_file_t)
-+# policy for qemu_ga
-+type virt_qemu_ga_t;
-+type virt_qemu_ga_exec_t;
-+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
++type virt_qemu_ga_log_t;
++logging_log_file(virt_qemu_ga_log_t)
-virt_lxc_domain_template(svirt_lxc_net)
-+type virt_qemu_ga_var_run_t;
-+files_pid_file(virt_qemu_ga_var_run_t)
++type virt_qemu_ga_tmp_t;
++files_tmp_file(virt_qemu_ga_tmp_t)
-type virsh_t;
-type virsh_exec_t;
-init_system_domain(virsh_t, virsh_exec_t)
-+type virt_qemu_ga_log_t;
-+logging_log_file(virt_qemu_ga_log_t)
++type virt_qemu_ga_data_t;
++files_type(virt_qemu_ga_data_t)
++
++type virt_qemu_ga_unconfined_exec_t;
++application_executable_file(virt_qemu_ga_unconfined_exec_t)
########################################
#
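Review bot: `type virt_qemu_ga_data_t;` with `files_type(virt_qemu_ga_data_t)` is declared and given manage rules in the later virt.te hunk, but none of the virt.fc hunks in this commit assigns a path to it; unless a file context exists elsewhere in the patch, no file will ever carry the label and those rules are dead. A one-line comment on the declaration naming the path it is meant for (e.g. `# <directory qemu-ga keeps persistent data in>`) would make the intent checkable against virt.fc. The type declaration block continues past the hunk.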
@@ -87643,7 +88447,7 @@ index 1f22fba..3f1bc45 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +289,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +298,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -87689,7 +88493,7 @@ index 1f22fba..3f1bc45 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +323,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +332,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -87710,7 +88514,7 @@ index 1f22fba..3f1bc45 100644
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +335,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +344,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -87718,7 +88522,7 @@ index 1f22fba..3f1bc45 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +343,15 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -87740,12 +88544,13 @@ index 1f22fba..3f1bc45 100644
-corenet_tcp_sendrecv_soundd_port(virtd_t)
-
corenet_rw_tun_tap_dev(virtd_t)
++corenet_relabel_tun_tap_dev(virtd_t)
+dev_rw_vfio_dev(virtd_t)
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +362,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -87774,7 +88579,7 @@ index 1f22fba..3f1bc45 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -87794,7 +88599,7 @@ index 1f22fba..3f1bc45 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -87829,7 +88634,7 @@ index 1f22fba..3f1bc45 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -87838,30 +88643,17 @@ index 1f22fba..3f1bc45 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -646,107 +470,328 @@ optional_policy(`
- consoletype_exec(virtd_t)
- ')
+@@ -658,95 +492,321 @@ optional_policy(`
+ ')
--optional_policy(`
-- dbus_system_bus_client(virtd_t)
-+optional_policy(`
-+ dbus_system_bus_client(virtd_t)
-+
-+ optional_policy(`
-+ avahi_dbus_chat(virtd_t)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat(virtd_t)
-+ ')
-+
-+ optional_policy(`
+ optional_policy(`
+- firewalld_dbus_chat(virtd_t)
+ hal_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(virtd_t)
-+ ')
+ ')
+')
+
+optional_policy(`
@@ -88039,17 +88831,11 @@ index 1f22fba..3f1bc45 100644
+dev_rw_inherited_vhost(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
-
-- optional_policy(`
-- avahi_dbus_chat(virtd_t)
-- ')
++
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
-
-- optional_policy(`
-- consolekit_dbus_chat(virtd_t)
-- ')
++
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
@@ -88058,10 +88844,7 @@ index 1f22fba..3f1bc45 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
-- optional_policy(`
-- firewalld_dbus_chat(virtd_t)
-- ')
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
@@ -88222,10 +89005,15 @@ index 1f22fba..3f1bc45 100644
+virt_manage_images(virsh_t)
+virt_manage_config(virsh_t)
+virt_stream_connect(virsh_t)
++
++manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
++manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
++manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
++files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88238,12 +89026,12 @@ index 1f22fba..3f1bc45 100644
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-
-allow virsh_t svirt_lxc_domain:process transition;
+-
+-can_exec(virsh_t, virsh_exec_t)
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
--can_exec(virsh_t, virsh_exec_t)
--
-virt_domtrans(virsh_t)
-virt_manage_images(virsh_t)
-virt_manage_config(virsh_t)
@@ -88255,7 +89043,7 @@ index 1f22fba..3f1bc45 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -88282,7 +89070,7 @@ index 1f22fba..3f1bc45 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +842,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -88314,7 +89102,7 @@ index 1f22fba..3f1bc45 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +875,20 @@ optional_policy(`
+@@ -847,14 +890,20 @@ optional_policy(`
')
optional_policy(`
@@ -88327,8 +89115,8 @@ index 1f22fba..3f1bc45 100644
optional_policy(`
xen_manage_image_dirs(virsh_t)
-+ xen_read_image_files(virsh_t)
-+ xen_read_lib_files(virsh_t)
++ xen_read_image_files(virsh_t)
++ xen_read_lib_files(virsh_t)
xen_append_log(virsh_t)
xen_domtrans(virsh_t)
- xen_read_xenstored_pid_files(virsh_t)
@@ -88336,7 +89124,7 @@ index 1f22fba..3f1bc45 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +913,44 @@ optional_policy(`
+@@ -879,34 +928,44 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -88390,7 +89178,7 @@ index 1f22fba..3f1bc45 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +960,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -88408,7 +89196,7 @@ index 1f22fba..3f1bc45 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +982,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -88419,7 +89207,7 @@ index 1f22fba..3f1bc45 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +991,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -88427,7 +89215,7 @@ index 1f22fba..3f1bc45 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1003,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -88446,7 +89234,7 @@ index 1f22fba..3f1bc45 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1017,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -88491,7 +89279,7 @@ index 1f22fba..3f1bc45 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1054,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -88518,7 +89306,7 @@ index 1f22fba..3f1bc45 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1072,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88537,7 +89325,7 @@ index 1f22fba..3f1bc45 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1091,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -88564,7 +89352,7 @@ index 1f22fba..3f1bc45 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1116,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -88583,12 +89371,12 @@ index 1f22fba..3f1bc45 100644
+ apache_exec_modules(svirt_lxc_domain)
+ apache_read_sys_content(svirt_lxc_domain)
+')
-+
+
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+')
-
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+optional_policy(`
+ ssh_use_ptys(svirt_lxc_net_t)
+')
@@ -88703,7 +89491,7 @@ index 1f22fba..3f1bc45 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1214,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -88718,7 +89506,7 @@ index 1f22fba..3f1bc45 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1232,8 @@ optional_policy(`
+@@ -1183,9 +1247,8 @@ optional_policy(`
########################################
#
@@ -88729,7 +89517,7 @@ index 1f22fba..3f1bc45 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1246,75 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -88747,10 +89535,20 @@ index 1f22fba..3f1bc45 100644
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
+
++allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
++can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
++
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
++files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
++
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
+
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
+
@@ -88761,7 +89559,9 @@ index 1f22fba..3f1bc45 100644
+
+files_list_all_mountpoints(virt_qemu_ga_t)
+files_write_all_mountpoints(virt_qemu_ga_t)
++
+fs_list_all(virt_qemu_ga_t)
++fs_getattr_all_fs(virt_qemu_ga_t)
+
+term_use_virtio_console(virt_qemu_ga_t)
+term_use_all_ttys(virt_qemu_ga_t)
@@ -88771,6 +89571,8 @@ index 1f22fba..3f1bc45 100644
+
+sysnet_dns_name_resolve(virt_qemu_ga_t)
+
++systemd_exec_systemctl(virt_qemu_ga_t)
++
+userdom_use_user_ptys(virt_qemu_ga_t)
+
+optional_policy(`
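Review bot: `systemd_exec_systemctl(virt_qemu_ga_t)` is added without a comment saying which agent command needs it; the guest shutdown/reboot commands are the likely callers, but that is not visible here. A comment such as `# guest-shutdown/guest-reboot invoke systemctl — confirm` above the rule lets a later reader decide whether it can be narrowed. Since the agent acts on requests arriving from the host side, recording the reason for each host-triggered privilege is worth the extra line; the virt_qemu_ga_t section continues outside the hunk.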
@@ -88800,6 +89602,31 @@ index 1f22fba..3f1bc45 100644
+
+#######################################
+#
++# qemu-ga unconfined hook script local policy
++#
++
++optional_policy(`
++ type virt_qemu_ga_unconfined_t;
++ domain_type(virt_qemu_ga_unconfined_t)
++
++ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
++ role system_r types virt_qemu_ga_unconfined_t;
++
++ domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
++
++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
++
++ init_domtrans_script(virt_qemu_ga_unconfined_t)
++
++ optional_policy(`
++ unconfined_domain(virt_qemu_ga_unconfined_t)
++ ')
++')
++
++#######################################
++#
+# tye for svirt sockets
+#
+
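Review bot: `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class; the idiomatic set is `list_dir_perms`, which also includes `search` and makes the preceding `:dir search_dir_perms` line redundant, so both can collapse to `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir list_dir_perms;`. Separately, `unconfined_domain(virt_qemu_ga_unconfined_t)` sits inside an inner `optional_policy`, so on a build without the unconfined module the hook domain exists with little more than `init_domtrans_script` and the hook scripts would have almost no permissions; if that is acceptable it deserves a comment, otherwise the domain needs a baseline rule set outside the optional block. Because the hooks run fully unconfined, the agent's confinement is only as strong as the write protection on /usr/libexec/qemu-ga/fsfreeze-hook.d, which the section header comment could state.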
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bd023ae..f2e847d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 44%{?dist}
+Release: 48%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,124 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jun 3 2013 Miroslav Grepl 3.12.1-48
+- Fix openshift_search_lib
+- Add support for abrt-uefioops-oops
+- Allow colord to getattr any file system
+- Allow chrome processes to look at each other
+- Allow sys_ptrace for abrt_t
+- Add new policy for gssproxy
+- Dontaudit leaked file descriptor writes from firewalld
+- openshift_net_type is interface not template
+- Dontaudit pppd to search gnome config
+- Update openshift_search_lib() interface
+- Add fs_list_pstorefs()
+- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
+- Better labels for raspberry pi devices
+- Allow init to create devpts_t directory
+- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
+- Allow sysadm_t to build kernels
+- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
+- Allow userdomains to stream connect to gssproxy
+- Dontaudit leaked file descriptor writes from firewalld
+- Allow xserver to read /dev/urandom
+- Add additional fixes for ipsec-mgmt
+- Make SSHing into an Openshift Enterprise Node working
+
+* Wed May 29 2013 Miroslav Grepl 3.12.1-47
+- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
+- with the proper label.
+- Update files_filetrans_named_content() interface to get right labeling for pam.d conf files
+- Allow systemd-timedated to create adjtime
+- Add clock_create_adjtime()
+- Additional fix ifconfing for #966106
+- Allow kernel_t to create boot.log with correct labeling
+- Remove unconfined_mplayer for which we don't have rules
+- Rename interfaces
+- Add userdom_manage_user_home_files/dirs interfaces
+- Fix files_dontaudit_read_all_non_security_files
+- Fix ipsec_manage_key_file()
+- Fix ipsec_filetrans_key_file()
+- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
+- Fix labeling for ipse.secrets
+- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid
+- Add files_dontaudit_read_all_non_security_files() interface
+- /var/log/syslog-ng should be labeled var_log_t
+- Make ifconfig_var_run_t a mountpoint
+- Add transition from ifconfig to dnsmasq
+- Allow ifconfig to execute bin_t/shell_exec_t
+- We want to have hwdb.bin labeled as etc_t
+- update logging_filetrans_named_content() interface
+- Allow systemd_timedate_t to manage /etc/adjtime
+- Allow NM to send signals to l2tpd
+- Update antivirus_can_scan_system boolean
+- Allow devicekit_disk_t to sys_config_tty
+- Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories
+- Make printing from vmware working
+- Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes
+- Add virt_qemu_ga_data_t for qemu-ga
+- Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both
+- Fix typo in virt.te
+- Add virt_qemu_ga_unconfined_t for hook scripts
+- Make sure NetworkManager files get created with the correct label
+- Add mozilla_plugin_use_gps boolean
+- Fix cyrus to have support for net-snmp
+- Additional fixes for dnsmasq and quantum for #966106
+- Add plymouthd_create_log()
+- remove httpd_use_oddjob for which we don't have rules
+- Add missing rules for httpd_can_network_connect_cobbler
+- Add missing cluster_use_execmem boolean
+- Call userdom_manage_all_user_home_type_files/dirs
+- Additional fix for ftp_home_dir
+- Fix ftp_home_dir boolean
+- Allow squit to recv/send client squid packet
+- Fix nut.te to have nut_domain attribute
+- Add support for ejabberd; TODO: revisit jabberd and rabbit policy
+- Fix amanda policy
+- Add more fixes for domains which use libusb
+- Make domains which use libusb working correctly
+- Allow l2tpd to create ipsec key files with correct labeling and manage them
+- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files
+- Allow rabbitmq-beam to bind generic node
+- Allow l2tpd to read ipse-mgmt pid files
+- more fixes for l2tpd, NM and pppd from #967072
+
+* Wed May 22 2013 Miroslav Grepl 3.12.1-46
+- Dontaudit to getattr on dirs for dovecot-deliver
+- Allow raiudusd server connect to postgresql socket
+- Add kerberos support for radiusd
+- Allow saslauthd to connect to ldap port
+- Allow postfix to manage postfix_private_t files
+- Add chronyd support for #965457
+- Fix labeling for HOME_DIR/\.icedtea
+- CHange squid and snmpd to be allowed also write own logs
+- Fix labeling for /usr/libexec/qemu-ga
+- Allow virtd_t to use virt_lock_t
+- Allow also sealert to read the policy from the kernel
+- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content
+- Dontaudit listing of users homedir by sendmail Seems like a leak
+- Allow passenger to transition to puppet master
+- Allow apache to connect to mythtv
+- Add definition for mythtv ports
+
+* Fri May 17 2013 Miroslav Grepl 3.12.1-45
+- Add additional fixes for #948073 bug
+- Allow sge_execd_t to also connect to sge ports
+- Allow openshift_cron_t to manage openshift_var_lib_t sym links
+- Allow openshift_cron_t to manage openshift_var_lib_t sym links
+- Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files
+- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files
+- Add networkmanager_stream_connect()
+- Make gnome-abrt wokring with staff_t
+- Fix openshift_manage_lib_files() interface
+- mdadm runs ps command which seems to getattr on random log files
+- Allow mozilla_plugin_t to create pulseaudit_home_t directories
+- Allow qemu-ga to shutdown virtual hosts
+- Add labelling for cupsd-browsed
+- Add web browser plugins to connect to aol ports
+- Allow nm-dhcp-helper to stream connect to NM
+- Add port definition for sge ports
+
* Mon May 13 2013 Miroslav Grepl 3.12.1-44
- Make sure users and unconfined domains create .hushlogin with the correct label
- Allow pegaus to chat with realmd over DBus