From 737a3cdcb3d7623fc926fde5c26c2f75a9b56c8a Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jul 30 2013 21:57:53 +0000
Subject: - Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for addit
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewalld_
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in pa
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 930ffa4..831a640 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -3381,7 +3381,7 @@ index 644d4d7..51181b8 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..979f47f 100644
+index 9e9263a..43cdcb9 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
@@ -3508,7 +3508,15 @@ index 9e9263a..979f47f 100644
mmap_files_pattern($1, bin_t, bin_t)
')
-@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',`
+@@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',`
+ interface(`corecmd_exec_chroot',`
+ gen_require(`
+ type chroot_exec_t;
++ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',`
########################################
##
@@ -3533,7 +3541,7 @@ index 9e9263a..979f47f 100644
## Get the attributes of all executable files.
##
##
-@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',`
+@@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
@@ -3544,7 +3552,7 @@ index 9e9263a..979f47f 100644
')
########################################
-@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
@@ -3552,7 +3560,7 @@ index 9e9263a..979f47f 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type)
')
@@ -18330,10 +18338,10 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..c8f13da
+index 0000000..a52f369
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,329 @@
+@@ -0,0 +1,330 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -18521,6 +18529,7 @@ index 0000000..c8f13da
+
+optional_policy(`
+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
++ role system_r types unconfined_dbusd_t;
+
+ optional_policy(`
+ unconfined_domain(unconfined_dbusd_t)
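Review bot: The new `role system_r types unconfined_dbusd_t;` line places an unconfined domain into the system_r role, and nothing in the hunk records why; only the truncated changelog entry ("Allow system_r to access unconfined_dbusd_t to run hp_chec…") hints at the motivation. A one-line comment above it, such as `# system_r needs unconfined_dbusd_t for the helper named in the changelog`, would keep this widening traceable when the role/domain assignments are audited later. The enclosing optional_policy block starts before this hunk.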
@@ -30192,7 +30201,7 @@ index b50c5fe..2faaaf2 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..55d2481 100644
+index 4e94884..9b82ed0 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -30354,7 +30363,7 @@ index 4e94884..55d2481 100644
+#
+interface(`logging_relabel_syslog_pid_socket',`
+ gen_require(`
-+ type devlog_t;
++ type syslogd_var_run_t;
+ ')
+
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
@@ -34806,7 +34815,7 @@ index 6944526..ec17624 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..431d2f1 100644
+index b7686d5..a5086e8 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -35022,7 +35031,18 @@ index b7686d5..431d2f1 100644
')
optional_policy(`
-@@ -259,12 +302,21 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -228,6 +271,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_manage_pid_files(dhcpc_t)
++')
++
++optional_policy(`
+ vmware_append_log(dhcpc_t)
+ ')
+
+@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
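Review bot: `virt_manage_pid_files(dhcpc_t)` gives the DHCP client the full manage set over virt's pid-file type (in refpolicy the manage_* interfaces include create and unlink), which is broader than a client that only needs to read or rewrite one pid file would require. If a read-only or write-only virt.if interface covers the access that was denied, prefer it; otherwise a comment naming the virt pid file dhcpc touches would justify the manage grant. This is hedged, since the denial that motivated the line is not visible in the patch.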
@@ -35044,7 +35064,7 @@ index b7686d5..431d2f1 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -274,14 +326,29 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -35074,7 +35094,7 @@ index b7686d5..431d2f1 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +361,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -35102,7 +35122,7 @@ index b7686d5..431d2f1 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -318,7 +385,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -35125,7 +35145,7 @@ index b7686d5..431d2f1 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +411,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -35139,7 +35159,7 @@ index b7686d5..431d2f1 100644
')
optional_policy(`
-@@ -339,7 +424,15 @@ optional_policy(`
+@@ -339,7 +428,15 @@ optional_policy(`
')
optional_policy(`
@@ -35156,7 +35176,7 @@ index b7686d5..431d2f1 100644
')
optional_policy(`
-@@ -360,3 +453,13 @@ optional_policy(`
+@@ -360,3 +457,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 40fdab0..236a048 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -8266,7 +8266,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..e3dbd11 100644
+index 076ffee..9977c4d 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8307,7 +8307,15 @@ index 076ffee..e3dbd11 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -170,6 +173,11 @@ tunable_policy(`named_write_master_zones',`
+@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+ dev_read_sysfs(named_t)
+ dev_read_rand(named_t)
+ dev_read_urand(named_t)
++dev_dontaudit_write_urand(named_t)
+
+ domain_use_interactive_fds(named_t)
+
+@@ -170,6 +174,11 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -8319,7 +8327,7 @@ index 076ffee..e3dbd11 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -183,6 +191,7 @@ optional_policy(`
+@@ -183,6 +192,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
@@ -8327,7 +8335,7 @@ index 076ffee..e3dbd11 100644
')
optional_policy(`
-@@ -209,7 +218,8 @@ optional_policy(`
+@@ -209,7 +219,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -8337,7 +8345,7 @@ index 076ffee..e3dbd11 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -223,10 +233,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +234,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -8349,7 +8357,7 @@ index 076ffee..e3dbd11 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +260,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -9763,10 +9771,15 @@ index 4ec0626..88e7e89 100644
userdom_dontaudit_use_unpriv_user_fds(canna_t)
diff --git a/ccs.if b/ccs.if
-index 5ded72d..c1b4d35 100644
+index 5ded72d..cb94e5e 100644
--- a/ccs.if
+++ b/ccs.if
-@@ -102,16 +102,20 @@ interface(`ccs_admin',`
+@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
+ interface(`ccs_admin',`
+ gen_require(`
+ type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
+- type ccs_var_lib_t_t, ccs_var_log_t;
++ type ccs_var_lib_t, ccs_var_log_t;
type ccs_var_run_t, ccs_tmp_t;
')
@@ -12622,7 +12635,7 @@ index 23dc348..7cc536b 100644
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if
-index 3fe3cb8..b8e08c6 100644
+index 3fe3cb8..5fe84a6 100644
--- a/condor.if
+++ b/condor.if
@@ -1,81 +1,397 @@
@@ -13035,7 +13048,7 @@ index 3fe3cb8..b8e08c6 100644
+interface(`condor_admin',`
+ gen_require(`
+ attribute condor_domain;
-+ type condor_initrc_exec_config_t, condor_log_t;
++ type condor_initrc_exec_t, condor_log_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t;
+ type condor_unit_file_t;
@@ -20887,7 +20900,7 @@ index 23ab808..4a801b5 100644
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..531cf03 100644
+index 19aa0b8..1e8b244 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -21096,11 +21109,12 @@ index 19aa0b8..531cf03 100644
')
########################################
-@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
++ type dnsmasq_var_log_t;
+ type dnsmasq_initrc_exec_t;
+ type dnsmasq_unit_file_t;
')
@@ -21116,7 +21130,7 @@ index 19aa0b8..531cf03 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
@@ -23351,7 +23365,7 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..fd440f8 100644
+index f0388cb..7d63acb 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen };
@@ -23383,7 +23397,7 @@ index f0388cb..fd440f8 100644
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +86,17 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +86,19 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
@@ -23395,6 +23409,8 @@ index f0388cb..fd440f8 100644
-miscfiles_read_localization(fetchmail_t)
miscfiles_read_generic_certs(fetchmail_t)
++sysnet_dns_name_resolve(fetchmail_t)
++
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
@@ -23581,7 +23597,7 @@ index 5cf6ac6..0fc685b 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..64e18e1 100644
+index c8014f8..2888d51 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -23606,7 +23622,15 @@ index c8014f8..64e18e1 100644
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
-@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
+@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+ manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+
+ allow firewalld_t firewalld_var_log_t:file append_file_perms;
+ allow firewalld_t firewalld_var_log_t:file create_file_perms;
+@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
@@ -23628,7 +23652,7 @@ index c8014f8..64e18e1 100644
corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
-@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t)
+@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -23654,7 +23678,7 @@ index c8014f8..64e18e1 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,6 +101,10 @@ optional_policy(`
+@@ -85,6 +102,10 @@ optional_policy(`
')
optional_policy(`
@@ -25026,10 +25050,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..cbe51a9
+index 0000000..3156ad4
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,166 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -25087,7 +25111,7 @@ index 0000000..cbe51a9
+# Local policy
+#
+
-+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid };
++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid net_admin };
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
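Review bot: `net_admin` is appended to the glusterd_t self:capability set with no comment saying which glusterd operation needs it, and it is one of the broadest capabilities in the set (network configuration rather than plain socket use), so reviewers of this file later will not be able to tell whether it is still required. Add a short justification on the line above, e.g. `# net_admin: needed for <operation observed in the denial — fill in>`, with the placeholder replaced by the actual cause. The rest of this hunk is unchanged policy context.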
@@ -25162,6 +25186,8 @@ index 0000000..cbe51a9
+
+fs_getattr_all_fs(glusterd_t)
+
++files_mounton_mnt(glusterd_t)
++
+storage_rw_fuse(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
@@ -25474,7 +25500,7 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..567f963 100644
+index d03fd43..e334392 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,155 @@
@@ -26556,15 +26582,13 @@ index d03fd43..567f963 100644
##
##
##
-@@ -704,12 +795,811 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_exec_gconf',`
- gen_require(`
-- attribute gkeyringd_domain;
-- type gnome_keyring_tmp_t;
++ gen_require(`
+ type gconfd_exec_t;
+ ')
+
@@ -26647,10 +26671,9 @@ index d03fd43..567f963 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
- ')
-
- files_search_tmp($1)
-- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++ ')
++
++ files_search_tmp($1)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@@ -27116,11 +27139,14 @@ index d03fd43..567f963 100644
+##
+#
+interface(`gnome_dbus_chat_gkeyringd',`
-+ gen_require(`
-+ attribute gkeyringd_domain;
+ gen_require(`
+ attribute gkeyringd_domain;
+- type gnome_keyring_tmp_t;
+ class dbus send_msg;
-+ ')
-+
+ ')
+
+- files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
@@ -27293,6 +27319,25 @@ index d03fd43..567f963 100644
+
+########################################
+##
++## Create gnome dconf dir in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_filetrans_config_home_content',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
++')
++
++########################################
++##
+## Create gnome directory in the /root directory
+## with an correct label.
+##
@@ -28214,7 +28259,7 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 44cf341..b04d02c 100644
+index 44cf341..8aa9dd9 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
@@ -28557,7 +28602,7 @@ index 44cf341..b04d02c 100644
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
-@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
@@ -28600,7 +28645,17 @@ index 44cf341..b04d02c 100644
')
optional_policy(`
-@@ -277,8 +300,17 @@ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+ ')
+
++optional_policy(`
++ pcscd_stream_connect(gpg_agent_t)
++')
++
+ ##############################
+ #
+ # Pinentry local policy
+@@ -277,8 +304,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -28619,7 +28674,7 @@ index 44cf341..b04d02c 100644
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@@ -28807,10 +28862,10 @@ index 0000000..f4659d1
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
-index 0000000..28263c7
+index 0000000..4bd5abf
--- /dev/null
+++ b/gssproxy.if
-@@ -0,0 +1,204 @@
+@@ -0,0 +1,203 @@
+
+## policy for gssproxy
+
@@ -28945,7 +29000,6 @@ index 0000000..28263c7
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
+
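Review bot: gssproxy_admin drops the `systemd_read_fifo_file_password_run($1)` line outright, whereas the same call in modemmanager.if and pesign.if is renamed to `systemd_read_fifo_file_passwd_run($1)` elsewhere in this commit; if the admin interface still needs to read the systemd password fifo, the consistent change here is `systemd_read_fifo_file_passwd_run($1)` too. If the removal is deliberate, a short comment in the interface saying why gssproxy's admin does not need it would stop it from being re-added. The enclosing interface starts before this hunk.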
@@ -29883,6 +29937,21 @@ index ecad9c7..86d790f 100644
optional_policy(`
seutil_use_newrole_fds(irc_t)
')
+diff --git a/ircd.if b/ircd.if
+index ade9803..3620c9a 100644
+--- a/ircd.if
++++ b/ircd.if
+@@ -33,8 +33,8 @@ interface(`ircd_admin',`
+
+ files_search_etc($1)
+ admin_pattern($1, ircd_etc_t)
+-
+- logging_search_log($1)
++
++ logging_search_logs($1)
+ admin_pattern($1, ircd_log_t)
+
+ files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te
index e9f746e..40e440c 100644
--- a/ircd.te
@@ -36791,9 +36860,18 @@ index 1d4eb19..650014e 100644
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
-index 4926208..293e577 100644
+index 4926208..018a640 100644
--- a/memcached.te
+++ b/memcached.te
+@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
+ # Local policy
+ #
+
+-allow memcached_t self:capability { setuid setgid };
++allow memcached_t self:capability { setuid setgid sys_resource };
+ dontaudit memcached_t self:capability sys_tty_config;
+ allow memcached_t self:process { setrlimit signal_perms };
+ allow memcached_t self:tcp_socket { accept listen };
@@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
@@ -37785,7 +37863,7 @@ index a83894c..481dca3 100644
+
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
diff --git a/modemmanager.if b/modemmanager.if
-index b1ac8b5..90ca430 100644
+index b1ac8b5..d65017f 100644
--- a/modemmanager.if
+++ b/modemmanager.if
@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
@@ -37807,7 +37885,7 @@ index b1ac8b5..90ca430 100644
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
+
@@ -37985,6 +38063,19 @@ index d287fe9..3dc493c 100644
init_dbus_chat_script(mono_t)
+diff --git a/monop.if b/monop.if
+index 8fdaece..5440757 100644
+--- a/monop.if
++++ b/monop.if
+@@ -31,7 +31,7 @@ interface(`monop_admin',`
+ role_transition $2 monopd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- logging_search_etc($1)
++ logging_search_logs($1)
+ admin_pattern($1, monopd_etc_t)
+
+ files_search_pids($1)
diff --git a/monop.te b/monop.te
index 4462c0e..84944d1 100644
--- a/monop.te
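Review bot: In monop_admin the replacement `logging_search_logs($1)` sits directly above `admin_pattern($1, monopd_etc_t)`, so it grants search on the log directory tree while the rule it prepares for manages the etc-labeled type; the parallel fix to ircd_admin in this same commit pairs `files_search_etc($1)` with the etc type and `logging_search_logs($1)` with the log type. Unless monopd_etc_t is placed under /var/log, the line should be `files_search_etc($1)`, and `logging_search_logs($1)` belongs next to a monopd log type if the module has one. The enclosing interface starts and ends outside the hunk.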
@@ -45991,10 +46082,10 @@ index 0000000..cf8f660
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..061a689
+index 0000000..fc9f771
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,329 @@
+@@ -0,0 +1,328 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -46056,6 +46147,7 @@ index 0000000..061a689
+corecmd_exec_shell(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+
++dev_read_sysfs(nova_domain)
+dev_read_urand(nova_domain)
+
+fs_getattr_xattr_fs(nova_domain)
@@ -46157,8 +46249,6 @@ index 0000000..061a689
+
+dev_read_rand(nova_compute_t)
+
-+dev_read_sysfs(nova_compute_t)
-+
+optional_policy(`
+ virt_getattr_exec(nova_compute_t)
+ virt_stream_connect(nova_compute_t)
@@ -46649,7 +46739,7 @@ index 8f2ab09..7b8f5ad 100644
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index df4c10f..2814186 100644
+index df4c10f..8c09c68 100644
--- a/nscd.te
+++ b/nscd.te
@@ -1,36 +1,37 @@
@@ -46799,7 +46889,7 @@ index df4c10f..2814186 100644
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,20 +130,30 @@ optional_policy(`
+@@ -121,20 +130,31 @@ optional_policy(`
')
optional_policy(`
@@ -46829,6 +46919,7 @@ index df4c10f..2814186 100644
- udev_read_db(nscd_t)
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
++ samba_stream_connect_nmbd(nscd_t)
')
optional_policy(`
@@ -52549,10 +52640,10 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..6667b8a 100644
+index dfd46e4..2e04b85 100644
--- a/pegasus.fc
+++ b/pegasus.fc
-@@ -1,15 +1,20 @@
+@@ -1,15 +1,24 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -52561,26 +52652,30 @@ index dfd46e4..6667b8a 100644
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++
++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-
--/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
--/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
--/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0)
-+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
+-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
--- a/pegasus.if
@@ -52682,7 +52777,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..71ab12b 100644
+index 7bcf327..366eeaf 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -52706,20 +52801,27 @@ index 7bcf327..71ab12b 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,196 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,216 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
++pegasus_openlmi_domain_template(admin)
++typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
++typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;
++
++
+pegasus_openlmi_domain_template(account)
+pegasus_openlmi_domain_template(logicalfile)
-+pegasus_openlmi_domain_template(networking)
-+pegasus_openlmi_domain_template(service)
++pegasus_openlmi_domain_template(services)
+
+pegasus_openlmi_domain_template(storage)
+type pegasus_openlmi_storage_tmp_t;
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
+
++pegasus_openlmi_domain_template(system)
++typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
++typealias pegasus_openlmi_system_exec_t alias pegasus_openlmi_networking_exec_t;
+pegasus_openlmi_domain_template(unconfined)
+
+#######################################
@@ -52737,6 +52839,8 @@ index 7bcf327..71ab12b 100644
+corecmd_exec_bin(pegasus_openlmi_domain)
+corecmd_exec_shell(pegasus_openlmi_domain)
+
++dev_read_sysfs(pegasus_openlmi_domain)
++
+auth_read_passwd(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
@@ -52806,26 +52910,38 @@ index 7bcf327..71ab12b 100644
+ # so we want to have unconfined_domain attribute for filename rules
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
+')
++######################################
++#
++# pegasus openlmi networking local policy
++#
++
++optional_policy(`
++ dbus_system_bus_client(pegasus_openlmi_services_t)
++')
++
++optional_policy(`
++ realmd_dbus_chat(pegasus_openlmi_services_t)
++')
+
+######################################
+#
+# pegasus openlmi networking local policy
+#
+
-+allow pegasus_openlmi_networking_t self:capability { net_admin };
++allow pegasus_openlmi_system_t self:capability { net_admin };
+
-+allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;;
-+allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms;
++allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;
++allow pegasus_openlmi_system_t self:udp_socket create_socket_perms;
+
-+dev_rw_sysfs(pegasus_openlmi_networking_t)
-+dev_read_urand(pegasus_openlmi_networking_t)
++dev_rw_sysfs(pegasus_openlmi_system_t)
++dev_read_urand(pegasus_openlmi_system_t)
+
+optional_policy(`
-+ dbus_system_bus_client(pegasus_openlmi_networking_t)
++ dbus_system_bus_client(pegasus_openlmi_system_t)
++')
+
-+ optional_policy(`
-+ networkmanager_dbus_chat(pegasus_openlmi_networking_t)
-+ ')
++optional_policy(`
++ networkmanager_dbus_chat(pegasus_openlmi_system_t)
+')
+
+######################################
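Review bot: The rules under the `pegasus openlmi networking local policy` header now target `pegasus_openlmi_system_t`, and pegasus.fc in this commit labels the Fan, Networking and PowerManagement agents with pegasus_openlmi_system_exec_t, so `net_admin`, `dev_rw_sysfs` and the netlink/udp socket rules are now granted to the fan and power-management providers as well as to networking. If those providers do not need to configure network interfaces or write sysfs, keeping networking as its own domain (or a separate type for the non-network agents) would preserve least privilege; if the merge is deliberate, say so in the header comment. The block added above this one for `pegasus_openlmi_services_t` reuses the same `# pegasus openlmi networking local policy` header, which should read `# pegasus openlmi services local policy`. The `r_netlink_socket_perms;;` line carries a stray second semicolon over from the old version that is worth dropping while the line is being rewritten.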
@@ -52833,20 +52949,19 @@ index 7bcf327..71ab12b 100644
+# pegasus openlmi service local policy
+#
+
++init_disable_services(pegasus_openlmi_admin_t)
++init_enable_services(pegasus_openlmi_admin_t)
++init_reload_services(pegasus_openlmi_admin_t)
++init_exec(pegasus_openlmi_admin_t)
+
-+init_disable_services(pegasus_openlmi_service_t)
-+init_enable_services(pegasus_openlmi_service_t)
-+init_reload_services(pegasus_openlmi_service_t)
-+init_exec(pegasus_openlmi_service_t)
-+
-+systemd_config_all_services(pegasus_openlmi_service_t)
-+systemd_manage_all_unit_files(pegasus_openlmi_service_t)
-+systemd_manage_all_unit_lnk_files(pegasus_openlmi_service_t)
++systemd_config_all_services(pegasus_openlmi_admin_t)
++systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
++systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
+optional_policy(`
-+ dbus_system_bus_client(pegasus_openlmi_service_t)
++ dbus_system_bus_client(pegasus_openlmi_admin_t)
+')
+
+######################################
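Review bot: `allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;` is the one rule in this block left on the old alias while every neighbouring line was rewritten to `pegasus_openlmi_admin_t`; it still resolves through the typealias, but it reads as if a different domain were intended. Change it to `allow pegasus_openlmi_admin_t self:udp_socket create_socket_perms;` for consistency. The `# pegasus openlmi service local policy` header above this block now covers admin_t rules, so renaming it to `# pegasus openlmi admin local policy (service_t is an alias)` would match its contents.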
@@ -52908,7 +53023,7 @@ index 7bcf327..71ab12b 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +229,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +249,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -52939,7 +53054,7 @@ index 7bcf327..71ab12b 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +255,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +275,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -52972,7 +53087,7 @@ index 7bcf327..71ab12b 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +283,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +303,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -52980,7 +53095,7 @@ index 7bcf327..71ab12b 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +298,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +318,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -53012,7 +53127,7 @@ index 7bcf327..71ab12b 100644
')
optional_policy(`
-@@ -151,16 +328,24 @@ optional_policy(`
+@@ -151,16 +348,24 @@ optional_policy(`
')
optional_policy(`
@@ -53041,7 +53156,7 @@ index 7bcf327..71ab12b 100644
')
optional_policy(`
-@@ -168,7 +353,7 @@ optional_policy(`
+@@ -168,7 +373,7 @@ optional_policy(`
')
optional_policy(`
@@ -53064,7 +53179,7 @@ index 0000000..7b54c39
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
diff --git a/pesign.if b/pesign.if
new file mode 100644
-index 0000000..c20674c
+index 0000000..26b1f0c
--- /dev/null
+++ b/pesign.if
@@ -0,0 +1,103 @@
@@ -53125,7 +53240,7 @@ index 0000000..c20674c
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 pesign_unit_file_t:file read_file_perms;
+ allow $1 pesign_unit_file_t:service manage_service_perms;
+
@@ -56650,7 +56765,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index 2e23946..589bbf2 100644
+index 2e23946..e9ac366 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -57089,7 +57204,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -478,30 +479,84 @@ interface(`postfix_domtrans_postqueue',`
+@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',`
type postfix_postqueue_t, postfix_postqueue_exec_t;
')
@@ -57142,6 +57257,7 @@ index 2e23946..589bbf2 100644
+interface(`postfix_domtrans_postgqueue',`
+ gen_require(`
+ type postfix_postgqueue_t;
++ type postfix_postgqueue_exec_t;
+ ')
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
+')
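Review bot: `postfix_domtrans_postgqueue` (lines 924–930) is now complete in its gen_require, but it still has no `corecmd_search_bin($1)` before the `domtrans_pattern` call, unlike the other domain-transition interface touched by this commit, `puppet_domtrans_master`, which calls it first. If the postgqueue binary lives under a bin_t directory, a caller without search permission there gets a transition rule it can never exercise. Add `corecmd_search_bin($1)` as the line before `domtrans_pattern`, and fix the missing space in `domtrans_pattern($1, postfix_postgqueue_exec_t, postfix_postgqueue_t)` while here.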
@@ -57184,7 +57300,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',`
+@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',`
type postfix_postqueue_exec_t;
')
@@ -57199,7 +57315,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',`
+@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',`
type postfix_private_t;
')
@@ -57215,7 +57331,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',`
+@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',`
type postfix_private_t;
')
@@ -57232,7 +57348,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',`
+@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',`
type postfix_smtp_t, postfix_smtp_exec_t;
')
@@ -57248,7 +57364,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',`
+@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',`
##
##
#
@@ -57257,7 +57373,7 @@ index 2e23946..589bbf2 100644
gen_require(`
attribute postfix_spool_type;
')
-@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',`
+@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -57271,7 +57387,7 @@ index 2e23946..589bbf2 100644
')
########################################
-@@ -626,11 +679,11 @@ interface(`postfix_search_spool',`
+@@ -626,11 +680,11 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -57285,7 +57401,7 @@ index 2e23946..589bbf2 100644
')
########################################
-@@ -645,17 +698,16 @@ interface(`postfix_list_spool',`
+@@ -645,17 +699,16 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -57306,7 +57422,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -665,11 +717,31 @@ interface(`postfix_read_spool_files',`
+@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -57340,7 +57456,7 @@ index 2e23946..589bbf2 100644
')
########################################
-@@ -693,8 +765,8 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',`
########################################
##
@@ -57351,7 +57467,7 @@ index 2e23946..589bbf2 100644
##
##
##
-@@ -710,37 +782,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
@@ -61783,7 +61899,7 @@ index 4ecda09..8c0b242 100644
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..7c5c5fb 100644
+index 7cb8b1f..46650f0 100644
--- a/puppet.if
+++ b/puppet.if
@@ -1,4 +1,32 @@
@@ -61811,11 +61927,11 @@ index 7cb8b1f..7c5c5fb 100644
+#
+interface(`puppet_domtrans_master',`
+ gen_require(`
-+ type puppet_master_t, puppet_master_exec_t;
++ type puppetmaster_t, puppetmaster_t_exec_t;
+ ')
+
+ corecmd_search_bin($1)
-+ domtrans_pattern($1, puppet_master_exec_t, puppet_master_t)
++ domtrans_pattern($1, puppetmaster_t_exec_t, puppetmaster_t)
+')
########################################
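Review bot: The new gen_require on line 1036 names the executable type `puppetmaster_t_exec_t`, a `_t_exec_t` suffix that departs from the `<domain>_exec_t` convention every other interface in this patch follows (`postfix_postgqueue_exec_t`, `smsd_initrc_exec_t`). If that is the name actually declared in puppet.te the interface is fine; if it was meant to be `puppetmaster_exec_t`, the gen_require fails at policy build time and every caller of this interface in passenger.te with it. Please confirm the declared name, and consider adding a one-line comment above the gen_require noting that the types deliberately differ from the `puppet_master_*` naming used elsewhere, so the next reader does not "fix" it back.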
@@ -64768,10 +64884,10 @@ index 70ab68b..e97da31 100644
/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
diff --git a/quantum.if b/quantum.if
-index afc0068..5fb7731 100644
+index afc0068..7b3cfad 100644
--- a/quantum.if
+++ b/quantum.if
-@@ -2,41 +2,292 @@
+@@ -2,41 +2,293 @@
########################################
##
@@ -65000,6 +65116,7 @@ index afc0068..5fb7731 100644
+#
+interface(`quantum_stream_connect',`
+ gen_require(`
++ type quantum_t;
+ type quantum_var_lib_t;
+ ')
+
@@ -80104,7 +80221,7 @@ index 0000000..92c3638
+
+sysnet_dns_name_resolve(smsd_t)
diff --git a/smstools.if b/smstools.if
-index cbfe369..085ac13 100644
+index cbfe369..6594af3 100644
--- a/smstools.if
+++ b/smstools.if
@@ -1,5 +1,81 @@
@@ -80189,6 +80306,15 @@ index cbfe369..085ac13 100644
########################################
##
## All of the rules required to
+@@ -32,7 +108,7 @@ interface(`smstools_admin',`
+ role_transition $2 smsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_config($1)
++ files_search_etc($1)
+ admin_pattern($1, smsd_conf_t)
+
+ files_search_var_lib($1)
diff --git a/snapper.fc b/snapper.fc
new file mode 100644
index 0000000..3f412d5
@@ -84299,7 +84425,7 @@ index 42946bc..3d30062 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index e9c0964..20a31da 100644
+index e9c0964..91c1898 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -1,29 +1,28 @@
@@ -84800,7 +84926,7 @@ index e9c0964..20a31da 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,39 @@ optional_policy(`
+@@ -452,31 +382,40 @@ optional_policy(`
#######################################
#
@@ -84839,6 +84965,7 @@ index e9c0964..20a31da 100644
optional_policy(`
+ gnome_read_generic_cache_files(telepathy_domain)
+ gnome_write_generic_cache_files(telepathy_domain)
++ gnome_filetrans_config_home_content(telepathy_domain)
+')
+
+optional_policy(`
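Review bot: The added `gnome_filetrans_config_home_content(telepathy_domain)` on line 1109 is, by its name, a transition for the config home directory, while the changelog entry for this change describes correct labeling under `~/.cache/`. It may well be that this interface also covers the cache path, but nothing in the hunk shows that; please confirm it labels the `.cache` content the commit message promises, or add the cache-home counterpart next to it. The two neighbouring calls on lines 1107–1108 only grant read/write on already-labeled cache files and do not create the label.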
@@ -94701,7 +94828,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..4dec288 100644
+index 46e4cd3..dea93eb 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
@@ -94713,7 +94840,23 @@ index 46e4cd3..4dec288 100644
## Determine whether zabbix can
## connect to all TCP ports
##
-@@ -95,12 +95,8 @@ corecmd_exec_shell(zabbix_t)
+@@ -52,11 +52,10 @@ allow zabbix_t self:sem create_sem_perms;
+ allow zabbix_t self:shm create_shm_perms;
+ allow zabbix_t self:tcp_socket create_stream_socket_perms;
+
+-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
+-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
++manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file })
+
+ manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+ manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+@@ -95,12 +94,8 @@ corecmd_exec_shell(zabbix_t)
dev_read_urand(zabbix_t)
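Review bot: Replacing the append/create/setattr rules on lines 1131–1134 with `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern` on zabbix_log_t (lines 1136–1138) gives zabbix_t unlink, rename and full write on its own logs, so the domain can now truncate or delete its log history rather than only append to it, which is the log-integrity property the old rules preserved. The same widening appears for zabbix_agent_t at line 1178 (`manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)`). If the daemon only needs to create the log directory and append, `create_dirs_pattern` plus the original append/create/setattr rules and `logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file })` would cover it without the delete permissions; if full management is genuinely required (log rotation done by the daemon itself), a short comment above line 1136 saying so would stop a later reviewer from narrowing it again.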
@@ -94726,7 +94869,7 @@ index 46e4cd3..4dec288 100644
zabbix_agent_tcp_connect(zabbix_t)
tunable_policy(`zabbix_can_network',`
-@@ -110,12 +106,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +105,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@@ -94741,7 +94884,7 @@ index 46e4cd3..4dec288 100644
')
optional_policy(`
-@@ -125,6 +120,7 @@ optional_policy(`
+@@ -125,6 +119,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -94749,7 +94892,7 @@ index 46e4cd3..4dec288 100644
')
########################################
-@@ -133,7 +129,7 @@ optional_policy(`
+@@ -133,17 +128,14 @@ optional_policy(`
#
allow zabbix_agent_t self:capability { setuid setgid };
@@ -94758,7 +94901,27 @@ index 46e4cd3..4dec288 100644
allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
allow zabbix_agent_t self:sem create_sem_perms;
allow zabbix_agent_t self:shm create_shm_perms;
-@@ -182,7 +178,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+ allow zabbix_agent_t self:tcp_socket { accept listen };
+ allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+
+-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
++manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+
+ rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -154,6 +146,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+ kernel_read_all_sysctls(zabbix_agent_t)
+ kernel_read_system_state(zabbix_agent_t)
+
++corecmd_exec_shell(zabbix_agent_t)
++corecmd_exec_bin(zabbix_agent_t)
+ corecmd_read_all_executables(zabbix_agent_t)
+
+ corenet_all_recvfrom_unlabeled(zabbix_agent_t)
+@@ -182,7 +176,6 @@ domain_search_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
files_read_all_symlinks(zabbix_agent_t)
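Review bot: The new `corecmd_exec_shell(zabbix_agent_t)` and `corecmd_exec_bin(zabbix_agent_t)` on lines 1186–1187 let a domain that listens on a network socket (line 1171) execute any shell or bin_t program, which is a large widening for an agent whose other network behaviour this file already gates behind `zabbix_can_network` (line 1147). Presumably this is for operator-configured command execution; if so, consider placing the two calls inside a `tunable_policy(` block the same way, so sites that do not use that feature can keep the agent confined, and add a comment above line 1186 naming the feature that needs it. Note also that dropping the `filetrans_pattern` on line 1177 only matters if the log directory is not itself zabbix_log_t; confirm the file-context rules still label /var/log/zabbix so new files inherit the right type.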
@@ -94766,14 +94929,20 @@ index 46e4cd3..4dec288 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -190,7 +185,6 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +183,11 @@ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
-miscfiles_read_localization(zabbix_agent_t)
-
+-
sysnet_dns_name_resolve(zabbix_agent_t)
+ zabbix_tcp_connect(zabbix_agent_t)
++
++optional_policy(`
++ hostname_exec(zabbix_agent_t)
++')
++
diff --git a/zarafa.fc b/zarafa.fc
index faf99ed..a451e97 100644
--- a/zarafa.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0ef0be5..c586d41 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 67%{?dist}
+Release: 68%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jul 30 2013 Miroslav Grepl 3.12.1-68
+- Add more aliases in pegasus.te
+- Add more fixes for *_admin interfaces
+- Add interface fixes
+- Allow nscd to stream connect to nmbd
+- Allow gnupg apps to write to pcscd socket
+- Add more fixes for openlmi provides. Fix naming and support for additionals
+- Allow fetchmail to resolve host names
+- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
+- Add labeling for cmpiLMI_Fan-cimprovagt
+- Allow net_admin for glusterd
+- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
+- Add pegasus_openlmi_system_t
+- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
+- Fix corecmd_exec_chroot()
+- Fix logging_relabel_syslog_pid_socket interface
+- Fix typo in unconfineduser.te
+- Allow system_r to access unconfined_dbusd_t to run hp_chec
+
* Fri Jul 26 2013 Miroslav Grepl 3.12.1-67
- Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t