##
@@ -4384,7 +4385,7 @@ index 83e899c..c5be77c 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -4417,7 +4418,7 @@ index 83e899c..c5be77c 100644
##
##
##
-@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4446,7 +4447,7 @@ index 83e899c..c5be77c 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1204,10 +1418,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1419,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4460,7 +4461,7 @@ index 83e899c..c5be77c 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1432,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1433,129 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -7154,6 +7155,19 @@ index 3590e2f..e1494bd 100644
')
optional_policy(`
+diff --git a/apt.if b/apt.if
+index e2414c4..970736b 100644
+--- a/apt.if
++++ b/apt.if
+@@ -152,7 +152,7 @@ interface(`apt_read_cache',`
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
++ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
+ allow $1 apt_var_cache_t:file read_file_perms;
+ ')
+
diff --git a/apt.te b/apt.te
index e2d8d52..d82403c 100644
--- a/apt.te
@@ -7378,7 +7392,7 @@ index 7268a04..6ffd87d 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 5439f1c..0be374d 100644
+index 5439f1c..74c24a3 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
@@ -7400,7 +7414,7 @@ index 5439f1c..0be374d 100644
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
-+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
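Review bot: The widened `files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })` adds fifo_file (and dir) to the type transition, but the only object-class rule visible above it is `manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)`. A type transition grants no create permission by itself, so unless a `manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)` (and the dir equivalent) exists outside the hunk, the new classes are dead entries and the original denial will persist. The asterisk_t local policy continues beyond the hunk, so this is inferred from what is visible here.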
@@ -8360,7 +8374,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..d4fb2a4 100644
+index 076ffee..1672ca4 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8393,7 +8407,18 @@ index 076ffee..d4fb2a4 100644
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
-@@ -110,7 +114,6 @@ kernel_read_network_state(named_t)
+@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+
+ can_exec(named_t, named_exec_t)
+
+-append_files_pattern(named_t, named_log_t, named_log_t)
+-create_files_pattern(named_t, named_log_t, named_log_t)
+-setattr_files_pattern(named_t, named_log_t, named_log_t)
++manage_files_pattern(named_t, named_log_t, named_log_t)
+ logging_log_filetrans(named_t, named_log_t, file)
+
+ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -110,7 +112,6 @@ kernel_read_network_state(named_t)
corecmd_search_bin(named_t)
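Review bot: Replacing the append/create/setattr trio with `manage_files_pattern(named_t, named_log_t, named_log_t)` gives named write, unlink and rename on its own log files, where the old rules deliberately kept the network-facing daemon append-only. Append-only logs are what keep the audit trail trustworthy if the daemon misbehaves, so if the motivating denial was a single missing permission (rotation or truncation by named itself, inferred), prefer adding just that permission rather than the full manage set. Either way a why-comment above the rule would help, e.g. `# named rotates/truncates its own logs; append alone is not enough`. The named_t block continues outside the hunk.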
@@ -8401,7 +8426,7 @@ index 076ffee..d4fb2a4 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
@@ -8409,7 +8434,7 @@ index 076ffee..d4fb2a4 100644
domain_use_interactive_fds(named_t)
-@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',`
+@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -8425,7 +8450,7 @@ index 076ffee..d4fb2a4 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -183,6 +196,7 @@ optional_policy(`
+@@ -183,6 +194,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
@@ -8433,7 +8458,7 @@ index 076ffee..d4fb2a4 100644
')
optional_policy(`
-@@ -209,7 +223,8 @@ optional_policy(`
+@@ -209,7 +221,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -8443,7 +8468,7 @@ index 076ffee..d4fb2a4 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -8455,7 +8480,7 @@ index 076ffee..d4fb2a4 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -8651,10 +8676,10 @@ index bc5c984..63a4b1d 100644
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
-index 2b9c7f3..63e4860 100644
+index 2b9c7f3..0086b95 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
-@@ -5,10 +5,13 @@
+@@ -5,10 +5,14 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
@@ -8665,6 +8690,7 @@ index 2b9c7f3..63e4860 100644
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
@@ -8785,7 +8811,7 @@ index c723a0a..3e8a553 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index 6f09d24..9c48d18 100644
+index 6f09d24..b1ec892 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -8798,7 +8824,17 @@ index 6f09d24..9c48d18 100644
########################################
#
# Local policy
-@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+
+ manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+ manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
+
+ manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+ manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
can_exec(bluetooth_t, bluetooth_helper_exec_t)
@@ -8825,7 +8861,7 @@ index 6f09d24..9c48d18 100644
dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
-@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t)
+@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
@@ -8833,7 +8869,7 @@ index 6f09d24..9c48d18 100644
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
-@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t)
+@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
@@ -8841,7 +8877,7 @@ index 6f09d24..9c48d18 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,8 +142,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@@ -8854,7 +8890,7 @@ index 6f09d24..9c48d18 100644
optional_policy(`
cups_dbus_chat(bluetooth_t)
-@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -199,7 +215,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
@@ -9105,7 +9141,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..f177ca5 100644
+index 7c92aa1..d4b9ffa 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,13 @@
@@ -9297,7 +9333,7 @@ index 7c92aa1..f177ca5 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +141,65 @@ init_read_utmp(boinc_t)
+@@ -130,55 +141,69 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -9308,10 +9344,11 @@ index 7c92aa1..f177ca5 100644
mta_send_mail(boinc_t)
')
--optional_policy(`
+ optional_policy(`
- sysnet_dns_name_resolve(boinc_t)
--')
--
++ xserver_stream_connect(boinc_t)
+ ')
+
########################################
#
-# Project local policy
@@ -12421,7 +12458,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..b2709d1 100644
+index 6471fa8..dbb3f45 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -12439,16 +12476,17 @@ index 6471fa8..b2709d1 100644
########################################
#
# Local policy
-@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal };
+@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
++allow collectd_t self:rawip_socket create_socket_perms;
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
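Review bot: `allow collectd_t self:rawip_socket create_socket_perms;` is a notable privilege expansion for a metrics daemon and, as written, is incomplete: creating a raw IP socket also requires `allow collectd_t self:capability net_raw;`, which is not in the hunk, so the next denial will be on the capability. If a specific plugin (presumably ping) is the reason, consider gating both rules behind a tunable so installations that do not use it keep collectd off raw sockets, and add a comment naming the plugin above the rule. The self-permission block is complete within the hunk.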
@@ -12481,7 +12519,7 @@ index 6471fa8..b2709d1 100644
logging_send_syslog_msg(collectd_t)
-@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
@@ -19057,6 +19095,19 @@ index 2c2e7e1..493ab48 100644
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+diff --git a/dcc.fc b/dcc.fc
+index 62d3c4e..cef59a7 100644
+--- a/dcc.fc
++++ b/dcc.fc
+@@ -10,6 +10,8 @@
+ /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+ /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+
++/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
++
+ /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+ /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+ /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
diff --git a/dcc.if b/dcc.if
index a5c21e0..4639421 100644
--- a/dcc.if
@@ -19070,7 +19121,7 @@ index a5c21e0..4639421 100644
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
diff --git a/dcc.te b/dcc.te
-index 15d908f..147dd14 100644
+index 15d908f..cecb0da 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
@@ -19104,7 +19155,16 @@ index 15d908f..147dd14 100644
########################################
#
-@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
+
+ allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+
++domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
++
+ manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+ manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+ files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_client_t)
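Review bot: `domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)` turns any execution of a dccifd_exec_t file by the client domain into the daemon domain, and the dcc.fc hunk above newly labels `/usr/libexec/dcc/start-dccifd` with that type, so a client running the wrapper lands in dccifd_t. If the client only needs to start the daemon, a narrower path through the init/unit machinery would be preferable; if the transition is intended, document who triggers it, e.g. `# <client program> starts dccifd via start-dccifd`. The dcc_client_t block continues outside the hunk, so the matching role and entrypoint rules are not visible here.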
@@ -19117,7 +19177,7 @@ index 15d908f..147dd14 100644
files_read_etc_runtime_files(dcc_client_t)
fs_getattr_all_fs(dcc_client_t)
-@@ -131,12 +140,10 @@ auth_use_nsswitch(dcc_client_t)
+@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
logging_send_syslog_msg(dcc_client_t)
@@ -19132,7 +19192,7 @@ index 15d908f..147dd14 100644
')
optional_policy(`
-@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_dbclean_t)
@@ -19154,7 +19214,7 @@ index 15d908f..147dd14 100644
########################################
#
-@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
@@ -19162,7 +19222,7 @@ index 15d908f..147dd14 100644
corenet_all_recvfrom_netlabel(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_generic_node(dccd_t)
-@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t)
+@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
logging_send_syslog_msg(dccd_t)
@@ -19171,7 +19231,7 @@ index 15d908f..147dd14 100644
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_user_home_dirs(dccd_t)
-@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)
@@ -19183,7 +19243,7 @@ index 15d908f..147dd14 100644
dev_read_sysfs(dccifd_t)
domain_use_interactive_fds(dccifd_t)
-@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t)
+@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
logging_send_syslog_msg(dccifd_t)
@@ -19192,7 +19252,7 @@ index 15d908f..147dd14 100644
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_user_home_dirs(dccifd_t)
-@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)
@@ -19204,7 +19264,7 @@ index 15d908f..147dd14 100644
dev_read_sysfs(dccm_t)
domain_use_interactive_fds(dccm_t)
-@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t)
+@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
logging_send_syslog_msg(dccm_t)
@@ -22994,7 +23054,7 @@ index 6041113..ef3b449 100644
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
-index 19325ce..5957aad 100644
+index 19325ce..b5c157f 100644
--- a/exim.te
+++ b/exim.te
@@ -49,7 +49,7 @@ type exim_log_t;
@@ -23051,7 +23111,18 @@ index 19325ce..5957aad 100644
')
optional_policy(`
-@@ -218,6 +216,7 @@ optional_policy(`
+@@ -192,8 +190,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mailman_read_data_files(exim_t)
++ mailman_manage_data_files(exim_t)
+ mailman_domtrans(exim_t)
++ mailman_read_log(exim_t)
+ ')
+
+ optional_policy(`
+@@ -218,6 +217,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
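Review bot: `mailman_manage_data_files(exim_t)` replaces a read-only grant with create, write and delete over all mailman data files, which is broader than an MTA handing mail to mailman normally needs. If the triggering denial was a write to one location (queue or lock files, inferred), a narrower interface would keep exim from being able to remove list configuration and archives; at minimum add a comment stating what exim writes, e.g. `# exim writes into mailman's data dir on delivery; read is not enough`. `mailman_read_log(exim_t)` looks appropriate. The optional_policy block is complete within the hunk.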
@@ -24148,7 +24219,7 @@ index c12c067..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..fcb022d 100644
+index c81b6e8..34e1f1c 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
@@ -24159,8 +24230,11 @@ index c81b6e8..fcb022d 100644
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t)
+@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
+
+ dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
++dev_read_urand(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
-files_read_usr_files(fprintd_t)
@@ -24174,7 +24248,7 @@ index c81b6e8..fcb022d 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +51,13 @@ optional_policy(`
+@@ -54,8 +52,13 @@ optional_policy(`
')
')
@@ -29774,7 +29848,7 @@ index ca07a87..6ea129c 100644
+
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/iodine.if b/iodine.if
-index a0bfbd0..6f5dbdf 100644
+index a0bfbd0..47f7c75 100644
--- a/iodine.if
+++ b/iodine.if
@@ -2,6 +2,30 @@
@@ -29796,7 +29870,7 @@ index a0bfbd0..6f5dbdf 100644
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 iodined_unit_file_t:file read_file_perms;
+ allow $1 iodined_unit_file_t:service manage_service_perms;
+
@@ -31429,7 +31503,7 @@ index a49ae4e..913a0e3 100644
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
diff --git a/kdump.if b/kdump.if
-index 3a00b3a..f6402dc 100644
+index 3a00b3a..9d8c551 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
@@ -31619,7 +31693,7 @@ index 3a00b3a..f6402dc 100644
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ type kdump_unit_file_t;
-+ type kdump_crash_t
++ type kdump_crash_t;
')
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
@@ -35941,7 +36015,7 @@ index 108c0f1..a248501 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index 8eaf51b..3229e0f 100644
+index 8eaf51b..a057913 100644
--- a/mailman.te
+++ b/mailman.te
@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
@@ -35986,7 +36060,7 @@ index 8eaf51b..3229e0f 100644
########################################
#
# CGI local policy
-@@ -115,8 +112,9 @@ optional_policy(`
+@@ -115,20 +112,23 @@ optional_policy(`
# Mail local policy
#
@@ -35998,7 +36072,12 @@ index 8eaf51b..3229e0f 100644
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
+ files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+
++can_exec(mailman_mail_t, mailman_mail_exec_t)
++
+ corenet_sendrecv_innd_client_packets(mailman_mail_t)
+ corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
@@ -36008,7 +36087,7 @@ index 8eaf51b..3229e0f 100644
dev_read_urand(mailman_mail_t)
-@@ -142,6 +140,10 @@ optional_policy(`
+@@ -142,6 +142,10 @@ optional_policy(`
')
optional_policy(`
@@ -36019,7 +36098,7 @@ index 8eaf51b..3229e0f 100644
cron_read_pipes(mailman_mail_t)
')
-@@ -182,3 +184,9 @@ optional_policy(`
+@@ -182,3 +186,9 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
')
@@ -39143,7 +39222,7 @@ index 6194b80..3209b1c 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..2288b0e 100644
+index 6a306ee..2108bc7 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -39587,7 +39666,7 @@ index 6a306ee..2288b0e 100644
')
optional_policy(`
-@@ -300,221 +324,183 @@ optional_policy(`
+@@ -300,221 +324,184 @@ optional_policy(`
########################################
#
@@ -39855,6 +39934,7 @@ index 6a306ee..2288b0e 100644
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+term_getattr_ptmx(mozilla_plugin_t)
++term_dontaudit_use_ptmx(mozilla_plugin_t)
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -39910,7 +39990,7 @@ index 6a306ee..2288b0e 100644
')
optional_policy(`
-@@ -523,36 +509,44 @@ optional_policy(`
+@@ -523,36 +510,44 @@ optional_policy(`
')
optional_policy(`
@@ -39925,13 +40005,6 @@ index 6a306ee..2288b0e 100644
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ gnome_manage_config(mozilla_plugin_t)
-+ gnome_read_usr_config(mozilla_plugin_t)
-+ gnome_filetrans_home_content(mozilla_plugin_t)
-+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
@@ -39939,6 +40012,13 @@ index 6a306ee..2288b0e 100644
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
++ gnome_manage_config(mozilla_plugin_t)
++ gnome_read_usr_config(mozilla_plugin_t)
++ gnome_filetrans_home_content(mozilla_plugin_t)
++ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
@@ -39968,7 +40048,7 @@ index 6a306ee..2288b0e 100644
')
optional_policy(`
-@@ -560,7 +554,7 @@ optional_policy(`
+@@ -560,7 +555,7 @@ optional_policy(`
')
optional_policy(`
@@ -39977,7 +40057,7 @@ index 6a306ee..2288b0e 100644
')
optional_policy(`
-@@ -568,108 +562,126 @@ optional_policy(`
+@@ -568,108 +563,128 @@ optional_policy(`
')
optional_policy(`
@@ -40006,12 +40086,12 @@ index 6a306ee..2288b0e 100644
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-
+-
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
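Review bot: This hunk only relocates `allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };`, but as it lands the plugin configuration domain keeps execmem and execstack, which opt it out of the W^X memory protection the rest of the policy enforces. If these are needed only by particular plugins (inferred), consider gating them behind a tunable and recording the reason, e.g. `# execmem/execstack required by <plugin name>, see <bug id>`. The mozilla_plugin_config_t local policy extends beyond the hunk.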
@@ -40083,6 +40163,8 @@ index 6a306ee..2288b0e 100644
fs_getattr_all_fs(mozilla_plugin_config_t)
-fs_search_auto_mountpoints(mozilla_plugin_config_t)
-fs_list_inotifyfs(mozilla_plugin_config_t)
++
++term_dontaudit_use_ptmx(mozilla_plugin_config_t)
auth_use_nsswitch(mozilla_plugin_config_t)
@@ -46294,7 +46376,7 @@ index 0000000..cf8f660
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..fc9f771
+index 0000000..92134cc
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,328 @@
@@ -46368,6 +46450,7 @@ index 0000000..fc9f771
+
+optional_policy(`
+ sysnet_read_config(nova_domain)
++ sysnet_exec_ifconfig(nova_domain)
+')
+
+######################################
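Review bot: `sysnet_exec_ifconfig(nova_domain)` is applied to the attribute, so every nova service domain (nova_volume_t appears further down in this file section) gains the ability to run the interface-configuration tools, although only the network service plausibly needs it. Prefer granting it to `nova_network_t` in its own optional_policy block, next to the `iptables_domtrans(nova_network_t)` rule visible below. The enclosing optional_policy block is complete within the hunk.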
@@ -46545,7 +46628,7 @@ index 0000000..fc9f771
+')
+
+optional_policy(`
-+ iptables_domtrans(nova_network_t)
++ iptables_domtrans(nova_network_t)
+')
+
+optional_policy(`
@@ -46625,7 +46708,6 @@ index 0000000..fc9f771
+optional_policy(`
+ unconfined_domain(nova_volume_t)
+')
-+
diff --git a/nscd.fc b/nscd.fc
index ba64485..429bd79 100644
--- a/nscd.fc
@@ -48961,7 +49043,7 @@ index 379af96..41ff159 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
-index 57c0161..54bd4d7 100644
+index 57c0161..5eb71a0 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,24 @@
@@ -48973,7 +49055,7 @@ index 57c0161..54bd4d7 100644
##
-## All of the rules required to
-## administrate an nut environment.
-+## Execute swift server in the swift domain.
++## Execute nut services in the nut domain.
##
##
-##
@@ -49005,7 +49087,7 @@ index 57c0161..54bd4d7 100644
- allow $2 system_r;
+interface(`nut_systemctl',`
+ gen_require(`
-+ type nut_t;
++ attribute nut_domain;
+ type nut_unit_file_t;
+ ')
@@ -49017,7 +49099,7 @@ index 57c0161..54bd4d7 100644
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
-+ ps_process_pattern($1, swift_t)
++ ps_process_pattern($1, nut_domain)
')
diff --git a/nut.te b/nut.te
index 0c9deb7..76988d6 100644
@@ -51540,7 +51622,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..8a6fbc2 100644
+index 3270ff9..83daba9 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -51606,8 +51688,11 @@ index 3270ff9..8a6fbc2 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t)
+@@ -103,13 +121,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+ corenet_sendrecv_http_server_packets(openvpn_t)
+ corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
++corenet_tcp_connect_squid_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_sendrecv_http_port(openvpn_t)
-
@@ -51620,7 +51705,7 @@ index 3270ff9..8a6fbc2 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +141,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
@@ -51648,7 +51733,7 @@ index 3270ff9..8a6fbc2 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -155,3 +180,27 @@ optional_policy(`
+@@ -155,3 +181,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -56760,6 +56845,18 @@ index 316d53a..79b5c4f 100644
-miscfiles_read_localization(polipo_daemon)
+userdom_home_manager(polipo_session_t)
+diff --git a/portage.if b/portage.if
+index 67e8c12..18b89d7 100644
+--- a/portage.if
++++ b/portage.if
+@@ -67,6 +67,7 @@ interface(`portage_compile_domain',`
+ class dbus send_msg;
+ type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
+ type portage_tmpfs_t;
++ type portage_sandbox_t;
+ ')
+
+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
diff --git a/portage.te b/portage.te
index a95fc4a..b9b5418 100644
--- a/portage.te
@@ -59992,7 +60089,7 @@ index 20d4697..e6605c1 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index c0f047a..6f22887 100644
+index c0f047a..e04bdd6 100644
--- a/prelink.te
+++ b/prelink.te
@@ -1,4 +1,4 @@
@@ -60165,7 +60262,7 @@ index c0f047a..6f22887 100644
kernel_read_system_state(prelink_cron_system_t)
-@@ -184,8 +168,11 @@ optional_policy(`
+@@ -184,23 +168,36 @@ optional_policy(`
dev_list_sysfs(prelink_cron_system_t)
dev_read_sysfs(prelink_cron_system_t)
@@ -60178,7 +60275,11 @@ index c0f047a..6f22887 100644
auth_use_nsswitch(prelink_cron_system_t)
-@@ -196,11 +183,20 @@ optional_policy(`
+ init_telinit(prelink_cron_system_t)
+ init_exec(prelink_cron_system_t)
++ init_reload_services(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
logging_search_logs(prelink_cron_system_t)
@@ -60884,7 +60985,7 @@ index 0000000..96a0d9f
+/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0)
diff --git a/prosody.if b/prosody.if
new file mode 100644
-index 0000000..8867237
+index 0000000..f1e1209
--- /dev/null
+++ b/prosody.if
@@ -0,0 +1,239 @@
@@ -61022,7 +61123,7 @@ index 0000000..8867237
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 prosody_unit_file_t:file read_file_perms;
+ allow $1 prosody_unit_file_t:service manage_service_perms;
+
@@ -65938,7 +66039,7 @@ index 2c3d338..cf3e5ad 100644
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..7054723 100644
+index 3698b51..8c4ba04 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -65996,7 +66097,7 @@ index 3698b51..7054723 100644
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
@@ -66017,6 +66118,8 @@ index 3698b51..7054723 100644
+fs_getattr_all_dirs(rabbitmq_beam_t)
+fs_getattr_cgroup(rabbitmq_beam_t)
+
++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
++
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
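Review bot: `corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)` is inserted between the fs_ and dev_ groups, while this file orders rules by module prefix and already has a corenet_ run immediately before this hunk (`corenet_tcp_connect_epmd_port(rabbitmq_beam_t)`, `corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)`). Move the new line into that run, and pair it with the matching client-packets interface as is done for amqp and epmd above (`corenet_sendrecv_couchdb_client_packets(rabbitmq_beam_t)`, if the generated interface exists for this port). The rabbitmq_beam_t block continues outside the hunk.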
@@ -66043,7 +66146,7 @@ index 3698b51..7054723 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -72128,7 +72231,7 @@ index ebe91fc..6392cad 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index 0628d50..84f2fd7 100644
+index 0628d50..3031a82 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -72263,10 +72366,28 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',`
+@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',`
########################################
##
++## Read and write an unnamed RPM script pipe.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_rw_script_inherited_pipes',`
++ gen_require(`
++ type rpm_t;
++ ')
++
++ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
+## dontaudit read and write an leaked file descriptors
+##
+##
@@ -72306,7 +72427,7 @@ index 0628d50..84f2fd7 100644
## Send and receive messages from
## rpm over dbus.
##
-@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',`
+@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',`
########################################
##
## Send and receive messages from
@@ -72315,7 +72436,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',`
+@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',`
########################################
##
@@ -72324,7 +72445,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -263,7 +304,8 @@ interface(`rpm_search_log',`
+@@ -263,7 +322,8 @@ interface(`rpm_search_log',`
#####################################
##
@@ -72334,17 +72455,19 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -276,14 +318,30 @@ interface(`rpm_append_log',`
+@@ -276,14 +336,30 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## rpm log files.
+## Create, read, write, and delete the RPM log.
+##
+##
@@ -72359,17 +72482,15 @@ index 0628d50..84f2fd7 100644
+ ')
+
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## rpm log files.
++')
++
++########################################
++##
+## Create, read, write, and delete the RPM log.
##
##
##
-@@ -302,7 +360,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +378,7 @@ interface(`rpm_manage_log',`
########################################
##
@@ -72378,7 +72499,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',`
########################################
##
@@ -72389,7 +72510,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -72406,7 +72527,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -72424,7 +72545,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -72440,7 +72561,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
@@ -72449,7 +72570,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -420,8 +482,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +500,7 @@ interface(`rpm_read_cache',`
########################################
##
@@ -72459,7 +72580,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',`
########################################
##
@@ -72468,7 +72589,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -459,11 +520,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +538,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -72482,7 +72603,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -482,8 +544,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +562,7 @@ interface(`rpm_delete_db',`
########################################
##
@@ -72492,7 +72613,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -503,8 +564,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +582,28 @@ interface(`rpm_manage_db',`
########################################
##
@@ -72522,7 +72643,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -517,7 +598,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -72531,7 +72652,7 @@ index 0628d50..84f2fd7 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +624,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
@@ -72541,7 +72662,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -563,8 +643,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
@@ -72551,7 +72672,7 @@ index 0628d50..84f2fd7 100644
##
##
##
-@@ -573,94 +652,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -72645,16 +72766,16 @@ index 0628d50..84f2fd7 100644
- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { rpm_t rpm_script_t })
--
++ typeattribute $1 rpm_transition_domain;
++ allow $1 rpm_script_t:process transition;
+
- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpm_initrc_exec_t system_r;
- allow $2 system_r;
-
- admin_pattern($1, rpm_file_t)
-+ typeattribute $1 rpm_transition_domain;
-+ allow $1 rpm_script_t:process transition;
-
+-
- files_list_var($1)
- admin_pattern($1, rpm_cache_t)
-
@@ -81068,10 +81189,27 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..de313d7 100644
+index 703efa3..7779402 100644
--- a/sosreport.te
+++ b/sosreport.te
-@@ -70,7 +70,6 @@ files_list_all(sosreport_t)
+@@ -33,6 +33,7 @@ allow sosreport_t self:process { setsched signull };
+ allow sosreport_t self:fifo_file rw_fifo_file_perms;
+ allow sosreport_t self:tcp_socket { accept listen };
+ allow sosreport_t self:unix_stream_socket { accept listen };
++allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+ manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+@@ -58,6 +59,8 @@ dev_read_rand(sosreport_t)
+ dev_read_urand(sosreport_t)
+ dev_read_raw_memory(sosreport_t)
+ dev_read_sysfs(sosreport_t)
++dev_getattr_all_chr_files(sosreport_t)
++dev_getattr_all_blk_files(sosreport_t)
+
+ domain_getattr_all_domains(sosreport_t)
+ domain_read_all_domains_state(sosreport_t)
+@@ -70,7 +73,6 @@ files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
files_read_non_auth_files(sosreport_t)
@@ -81079,10 +81217,18 @@ index 703efa3..de313d7 100644
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
-@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t)
+@@ -79,11 +81,18 @@ files_manage_etc_runtime_files(sosreport_t)
+ files_etc_filetrans_etc_runtime(sosreport_t, file)
+
+ fs_getattr_all_fs(sosreport_t)
++fs_getattr_all_dirs(sosreport_t)
+ fs_list_inotifyfs(sosreport_t)
+
storage_dontaudit_read_fixed_disk(sosreport_t)
storage_dontaudit_read_removable_device(sosreport_t)
++term_getattr_pty_fs(sosreport_t)
++
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+files_read_non_security_files(sosreport_t)
@@ -81090,7 +81236,7 @@ index 703efa3..de313d7 100644
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
-@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t)
+@@ -93,9 +102,8 @@ libs_domtrans_ldconfig(sosreport_t)
logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
@@ -81101,7 +81247,7 @@ index 703efa3..de313d7 100644
optional_policy(`
abrt_manage_pid_files(sosreport_t)
-@@ -111,6 +113,11 @@ optional_policy(`
+@@ -111,6 +119,11 @@ optional_policy(`
')
optional_policy(`
@@ -84016,7 +84162,7 @@ index c9824cb..1973f71 100644
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index c8b80b2..f041061 100644
+index c8b80b2..c81d332 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
@@ -84038,8 +84184,12 @@ index c8b80b2..f041061 100644
corecmd_exec_bin(sysstat_t)
dev_read_sysfs(sysstat_t)
-@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t)
- fs_getattr_xattr_fs(sysstat_t)
+@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t)
+ files_search_var(sysstat_t)
+ files_read_etc_runtime_files(sysstat_t)
+
+-fs_getattr_xattr_fs(sysstat_t)
++fs_getattr_all_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
+storage_getattr_fixed_disk_dev(sysstat_t)
@@ -84356,7 +84506,7 @@ index c7de0cf..9813503 100644
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
-index 42946bc..3d30062 100644
+index 42946bc..741f2f4 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -2,45 +2,39 @@
@@ -84436,7 +84586,7 @@ index 42946bc..3d30062 100644
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
-@@ -63,91 +62,79 @@ template(`telepathy_role_template',`
+@@ -63,91 +62,84 @@ template(`telepathy_role_template',`
type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
type telepathy_msn_exec_t;
@@ -84542,11 +84692,15 @@ index 42946bc..3d30062 100644
##
-##
+##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`telepathy_gabble_dbus_chat',`
++## Domain allowed access.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`telepathy_gabble_stream_connect_to', `
+ gen_require(`
+ type telepathy_gabble_t;
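Review bot: The documentation block above the new `telepathy_gabble_stream_connect_to` interface lists two parameters and describes both as `Domain allowed access.`, which leaves a caller unable to tell what the second argument is; the interface body continues outside the hunk, so the meaning of `$2` cannot be checked here. Give the second parameter its own wording once confirmed against the body — for example `Domain the connection is made to.` if that is what `$2` is — so the two entries are distinguishable. The markup tags of the doc block appear to have been lost in extraction, so edit the corresponding element in the real file.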
@@ -84562,15 +84716,16 @@ index 42946bc..3d30062 100644
+##
+##
+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`telepathy_gabble_dbus_chat',`
+interface(`telepathy_gabble_dbus_chat', `
gen_require(`
type telepathy_gabble_t;
class dbus send_msg;
-@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',`
+@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',`
########################################
##
@@ -84583,7 +84738,7 @@ index 42946bc..3d30062 100644
## Domain allowed access.
##
##
-@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',`
+@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',`
')
kernel_search_proc($1)
@@ -84601,7 +84756,7 @@ index 42946bc..3d30062 100644
##
##
##
-@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',`
+@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',`
##
##
#
@@ -84624,7 +84779,7 @@ index 42946bc..3d30062 100644
##
##
##
-@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',`
+@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',`
##
##
#
@@ -87789,7 +87944,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..285680c 100644
+index 8840be6..d2c7596 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles;
@@ -87809,7 +87964,15 @@ index 8840be6..285680c 100644
########################################
#
# Local policy
-@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t)
+@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t)
+ allow usbmuxd_t self:capability { kill setgid setuid };
+ allow usbmuxd_t self:process { signal signull };
+ allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
++allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+ manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t)
auth_use_nsswitch(usbmuxd_t)
@@ -88909,10 +89072,10 @@ index 0be8535..b96e329 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index c30da4c..898ce74 100644
+index c30da4c..b81eaa0 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,52 +1,87 @@
+@@ -1,52 +1,86 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -88965,7 +89128,6 @@ index c30da4c..898ce74 100644
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
-+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0)
@@ -88981,14 +89143,14 @@ index c30da4c..898ce74 100644
-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-
+-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
--/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--
-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
@@ -90727,10 +90889,10 @@ index 9dec06c..bdba959 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..2757963 100644
+index 1f22fba..4ed8171 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,94 +1,97 @@
+@@ -1,94 +1,104 @@
-policy_module(virt, 1.6.10)
+policy_module(virt, 1.5.0)
@@ -90853,9 +91015,6 @@ index 1f22fba..2757963 100644
-attribute virt_tmpfs_type;
-
-attribute svirt_lxc_domain;
--
--attribute_role virt_domain_roles;
--roleattribute system_r virt_domain_roles;
+##
+##
+## Allow confined virtual guests to use usb devices
@@ -90863,6 +91022,15 @@ index 1f22fba..2757963 100644
+##
+gen_tunable(virt_use_usb, true)
+-attribute_role virt_domain_roles;
+-roleattribute system_r virt_domain_roles;
++##
++##
++## Allow virtual processes to run as userdomains
++##
++##
++gen_tunable(virt_transition_userdomain, false)
+
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
+virt_domain_template(svirt)
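Review bot: The description of the new `virt_transition_userdomain` tunable, `Allow virtual processes to run as userdomains`, does not say which domains it affects or that switching it on widens what the libvirt daemons may launch; the consuming `tunable_policy(`virt_transition_userdomain'` block added at the end of virt.te in this same patch applies `userdom_transition` to `virtd_t` and `virtd_lxc_t`. Suggest `## Allow the libvirt daemons (virtd_t, virtd_lxc_t) to transition into user domains; off by default.` so an administrator reading the boolean list understands the scope before enabling it. The `false` default is the right choice for a privilege-widening switch.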
@@ -90880,7 +91048,7 @@ index 1f22fba..2757963 100644
type virt_cache_t alias svirt_cache_t;
files_type(virt_cache_t)
-@@ -105,27 +108,25 @@ userdom_user_home_content(virt_home_t)
+@@ -105,27 +115,25 @@ userdom_user_home_content(virt_home_t)
type svirt_home_t;
userdom_user_home_content(svirt_home_t)
@@ -90914,7 +91082,7 @@ index 1f22fba..2757963 100644
type virt_var_run_t;
files_pid_file(virt_var_run_t)
-@@ -139,9 +140,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -139,9 +147,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)
@@ -90932,7 +91100,7 @@ index 1f22fba..2757963 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,290 +164,134 @@ type virt_qmf_exec_t;
+@@ -155,290 +171,134 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
@@ -91110,16 +91278,19 @@ index 1f22fba..2757963 100644
- fs_manage_fusefs_files(virt_domain)
- fs_read_fusefs_symlinks(virt_domain)
-')
--
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
-tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(virt_domain)
- fs_manage_nfs_files(virt_domain)
- fs_manage_nfs_named_sockets(virt_domain)
- fs_read_nfs_symlinks(virt_domain)
-')
-+type virtd_lxc_t;
-+type virtd_lxc_exec_t;
-+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(virt_domain)
@@ -91127,10 +91298,7 @@ index 1f22fba..2757963 100644
- fs_manage_cifs_named_sockets(virt_domain)
- fs_read_cifs_symlinks(virt_domain)
-')
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-
+-
-tunable_policy(`virt_use_sysfs',`
- dev_rw_sysfs(virt_domain)
-')
@@ -91303,7 +91471,7 @@ index 1f22fba..2757963 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +301,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -91349,7 +91517,7 @@ index 1f22fba..2757963 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +335,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -91359,18 +91527,18 @@ index 1f22fba..2757963 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +347,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -91378,7 +91546,7 @@ index 1f22fba..2757963 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +355,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -91406,7 +91574,7 @@ index 1f22fba..2757963 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +375,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -91435,7 +91603,7 @@ index 1f22fba..2757963 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +422,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -91455,20 +91623,20 @@ index 1f22fba..2757963 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +444,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
-userdom_read_all_users_state(virtd_t)
-+systemd_dbus_chat_logind(virtd_t)
-+systemd_write_inhibit_pipes(virtd_t)
-
+-
-ifdef(`hide_broken_symptoms',`
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
-')
--
++systemd_dbus_chat_logind(virtd_t)
++systemd_write_inhibit_pipes(virtd_t)
+
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virtd_t)
- fs_manage_fusefs_files(virtd_t)
@@ -91492,7 +91660,7 @@ index 1f22fba..2757963 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +472,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -91501,17 +91669,19 @@ index 1f22fba..2757963 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,95 +497,326 @@ optional_policy(`
+@@ -658,95 +504,326 @@ optional_policy(`
')
optional_policy(`
- firewalld_dbus_chat(virtd_t)
-+ hal_dbus_chat(virtd_t)
+- ')
+-
+- optional_policy(`
+ hal_dbus_chat(virtd_t)
')
optional_policy(`
-- hal_dbus_chat(virtd_t)
-+ networkmanager_dbus_chat(virtd_t)
+ networkmanager_dbus_chat(virtd_t)
')
+')
+
@@ -91711,10 +91881,7 @@ index 1f22fba..2757963 100644
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
-- optional_policy(`
-- networkmanager_dbus_chat(virtd_t)
-- ')
++
+sysnet_read_config(virt_domain)
- optional_policy(`
@@ -91874,7 +92041,7 @@ index 1f22fba..2757963 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +828,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91885,27 +92052,27 @@ index 1f22fba..2757963 100644
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
--
--allow virsh_t svirt_lxc_domain:process transition;
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+-allow virsh_t svirt_lxc_domain:process transition;
++dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
-can_exec(virsh_t, virsh_exec_t)
-
-virt_domtrans(virsh_t)
-virt_manage_images(virsh_t)
-virt_manage_config(virsh_t)
-virt_stream_connect(virsh_t)
-+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
-
+-
-kernel_read_crypto_sysctls(virsh_t)
+kernel_write_proc_files(virsh_t)
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +848,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -91932,7 +92099,7 @@ index 1f22fba..2757963 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +868,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -91964,7 +92131,7 @@ index 1f22fba..2757963 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +901,20 @@ optional_policy(`
+@@ -847,14 +908,20 @@ optional_policy(`
')
optional_policy(`
@@ -91986,7 +92153,7 @@ index 1f22fba..2757963 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +939,45 @@ optional_policy(`
+@@ -879,34 +946,45 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -92041,7 +92208,7 @@ index 1f22fba..2757963 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +987,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -92059,7 +92226,7 @@ index 1f22fba..2757963 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1009,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -92070,7 +92237,7 @@ index 1f22fba..2757963 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1018,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -92078,7 +92245,7 @@ index 1f22fba..2757963 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1030,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1037,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -92086,48 +92253,53 @@ index 1f22fba..2757963 100644
+
selinux_mount_fs(virtd_lxc_t)
selinux_unmount_fs(virtd_lxc_t)
--selinux_get_enforce_mode(virtd_lxc_t)
--selinux_get_fs_mount(virtd_lxc_t)
--selinux_validate_context(virtd_lxc_t)
--selinux_compute_access_vector(virtd_lxc_t)
--selinux_compute_create_context(virtd_lxc_t)
--selinux_compute_relabel_context(virtd_lxc_t)
--selinux_compute_user_contexts(virtd_lxc_t)
+seutil_read_config(virtd_lxc_t)
++
++term_use_generic_ptys(virtd_lxc_t)
++term_use_ptmx(virtd_lxc_t)
++term_relabel_pty_fs(virtd_lxc_t)
++
++auth_use_nsswitch(virtd_lxc_t)
++
++logging_send_syslog_msg(virtd_lxc_t)
++
++seutil_domtrans_setfiles(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
++
+ selinux_get_enforce_mode(virtd_lxc_t)
+ selinux_get_fs_mount(virtd_lxc_t)
+ selinux_validate_context(virtd_lxc_t)
+@@ -965,29 +1062,33 @@ selinux_compute_create_context(virtd_lxc_t)
+ selinux_compute_relabel_context(virtd_lxc_t)
+ selinux_compute_user_contexts(virtd_lxc_t)
- term_use_generic_ptys(virtd_lxc_t)
- term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1044,39 @@ auth_use_nsswitch(virtd_lxc_t)
+-term_use_generic_ptys(virtd_lxc_t)
+-term_use_ptmx(virtd_lxc_t)
+-term_relabel_pty_fs(virtd_lxc_t)
++sysnet_exec_ifconfig(virtd_lxc_t)
- logging_send_syslog_msg(virtd_lxc_t)
+-auth_use_nsswitch(virtd_lxc_t)
++userdom_read_admin_home_files(virtd_lxc_t)
--miscfiles_read_localization(virtd_lxc_t)
--
- seutil_domtrans_setfiles(virtd_lxc_t)
--seutil_read_config(virtd_lxc_t)
- seutil_read_default_contexts(virtd_lxc_t)
+-logging_send_syslog_msg(virtd_lxc_t)
++optional_policy(`
++ dbus_system_bus_client(virtd_lxc_t)
++ init_dbus_chat(virtd_lxc_t)
++')
--sysnet_domtrans_ifconfig(virtd_lxc_t)
-+selinux_get_enforce_mode(virtd_lxc_t)
-+selinux_get_fs_mount(virtd_lxc_t)
-+selinux_validate_context(virtd_lxc_t)
-+selinux_compute_access_vector(virtd_lxc_t)
-+selinux_compute_create_context(virtd_lxc_t)
-+selinux_compute_relabel_context(virtd_lxc_t)
-+selinux_compute_user_contexts(virtd_lxc_t)
-+
-+sysnet_exec_ifconfig(virtd_lxc_t)
-+
-+userdom_read_admin_home_files(virtd_lxc_t)
-+
+-miscfiles_read_localization(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-+
+
+-seutil_domtrans_setfiles(virtd_lxc_t)
+-seutil_read_config(virtd_lxc_t)
+-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -92141,11 +92313,11 @@ index 1f22fba..2757963 100644
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+allow svirt_lxc_domain self:key manage_key_perms;
-+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit };
++allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1084,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1096,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -92172,7 +92344,7 @@ index 1f22fba..2757963 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1102,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1114,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -92192,7 +92364,7 @@ index 1f22fba..2757963 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1121,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1133,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -92219,11 +92391,12 @@ index 1f22fba..2757963 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1146,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1158,94 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
-miscfiles_read_localization(svirt_lxc_domain)
++miscfiles_dontaudit_access_check_cert(svirt_lxc_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
miscfiles_read_fonts(svirt_lxc_domain)
+miscfiles_read_hwdata(svirt_lxc_domain)
@@ -92238,12 +92411,12 @@ index 1f22fba..2757963 100644
+ apache_exec_modules(svirt_lxc_domain)
+ apache_read_sys_content(svirt_lxc_domain)
+')
-
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+')
-+
+
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ ssh_use_ptys(svirt_lxc_net_t)
+')
@@ -92359,7 +92532,7 @@ index 1f22fba..2757963 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1245,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1258,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -92374,7 +92547,7 @@ index 1f22fba..2757963 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1263,8 @@ optional_policy(`
+@@ -1183,9 +1276,8 @@ optional_policy(`
########################################
#
@@ -92385,7 +92558,7 @@ index 1f22fba..2757963 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1277,115 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1290,120 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -92503,6 +92676,11 @@ index 1f22fba..2757963 100644
+role system_r types svirt_socket_t;
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
++
++tunable_policy(`virt_transition_userdomain',`
++ userdom_transition(virtd_t)
++ userdom_transition(virtd_lxc_t)
++')
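Review bot: The new `tunable_policy(`virt_transition_userdomain'` block has no comment explaining what enabling the boolean permits; `userdom_transition(virtd_t)` and `userdom_transition(virtd_lxc_t)` presumably grant those daemons a process transition into user-domain types (the interface body is not on the page — confirm). Add `# off by default (gen_tunable above): lets virtd_t/virtd_lxc_t start guests or containers in user domains` above the block so the widening is visible where it is granted rather than only in the changelog. Note that `virtd_lxc_t` also carries an optional `unconfined_domain` grant earlier in this file, which is worth mentioning in the comment when assessing how much this boolean actually gates.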
diff --git a/vlock.te b/vlock.te
index 9ead775..b5285e7 100644
--- a/vlock.te
@@ -92925,10 +93103,20 @@ index 9329eae..824e86f 100644
- seutil_use_newrole_fds(vpnc_t)
-')
diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..c58abd5 100644
+index 29f79e8..9e403ee 100644
--- a/watchdog.te
+++ b/watchdog.te
-@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t)
+@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms;
+ allow watchdog_t self:tcp_socket { accept listen };
+
+ allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
++manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
++logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
+
+ manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
+ files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t)
domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)
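Review bot: manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) grants full directory management on the log tree, including removal and rename, while the file rule just above deliberately limits watchdog_t to append, create and setattr on its log files. If the intent is only to let the daemon create its log directory, as the new `{dir file}` filetrans suggests, `create_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` keeps the directory side as tamper-resistant as the file side; if deletion is really needed, a comment saying so would be worth adding. The two new lines also diverge from the surrounding style: `manage_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t, { dir file })`, with spaces after commas and inside the braces, match the rest of the file. The leading markers of this hunk appear stripped in the rendering, so the old/new side of the first two lines is inferred.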
@@ -92936,7 +93124,7 @@ index 29f79e8..c58abd5 100644
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
-@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t)
+@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t)
logging_send_syslog_msg(watchdog_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cbdeaac..ba44369 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 70%{?dist}
+Release: 71%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,44 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Aug 20 2013 Miroslav Grepl 3.12.1-71
+- Allow boinc to connect to @/tmp/.X11-unix/X0
+- Allow beam.smp to connect to tcp/5984
+- Allow named to manage own log files
+- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t
+- Add virt_transition_userdomain boolean decl
+- Allow httpd_t to sendto unix_dgram sockets on its children
+- Allow nova domains to execute ifconfig
+- bluetooth wants to create fifo_files in /tmp
+- exim needs to be able to manage mailman data
+- Allow sysstat to getattr on all file systems
+- Looks like bluetoothd has moved
+- Allow collectd to send ping packets
+- Allow svirt_lxc domains to getpgid
+- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
+- Allow frpintd_t to read /dev/urandom
+- Allow asterisk_t to create sock_file in /var/run
+- Allow usbmuxd to use netlink_kobject
+- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
+- More cleanup of svirt_lxc policy
+- virtd_lxc_t now talks to dbus
+- Dontaudit leaked ptmx_t
+- Allow processes to use inherited fifo files
+- Allow openvpn_t to connect to squid ports
+- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()
+- Allow ssh_t to use /dev/ptmx
+- Make sure /run/pluto dir is created with correct labeling
+- Allow syslog to run shell and bin_t commands
+- Allow ip to relabel tun_sockets
+- Allow mount to create directories in files under /run
+- Allow processes to use inherited fifo files
+- Allow user roles to connect to the journal socket
+- xauth_t should be allowed to create xauth_home_t
+- selinux_set_enforce_mode needs to be used with type
+- Add append to the dontaudit for unix_stream_socket of xdm_t leak
+- Allow xdm_t to create symlinks in log direcotries
+- Allow login programs to read afs config
+
* Thu Aug 8 2013 Miroslav Grepl 3.12.1-70
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t