diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5dab7e5..cde283c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17404,7 +17404,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..897634a 100644 +index 88d0028..15466e9 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -17499,7 +17499,7 @@ index 88d0028..897634a 100644 + +optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) -+ ssh_filetrans_keys(sysadm_t) ++ ssh_filetrans_keys(sysadm_t) +') ifdef(`direct_sysadm_daemon',` @@ -19743,10 +19743,10 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..e3c8586 100644 +index 76d9f66..2f4eb80 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,16 +1,37 @@ +@@ -1,16 +1,38 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) @@ -19771,6 +19771,7 @@ index 76d9f66..e3c8586 100644 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) ++/usr/bin/sshd-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) @@ -20486,7 +20487,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') 
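Review bot: The new ssh.fc entry labels `/usr/bin/sshd-keygen` as `ssh_keygen_exec_t`, so any domain that transitions on that type now enters `ssh_keygen_t` through sshd-keygen as well as through ssh-keygen itself. If sshd-keygen is a wrapper script rather than a native binary (I cannot tell from this patch), `ssh_keygen_t` will additionally need to execute the shell and re-exec ssh-keygen, and none of the ssh.te hunks visible here add that; worth confirming before the relabel lands. A one-line comment above the entry such as `# sshd-keygen generates host keys at service start, so it runs in ssh_keygen_t` would record why the two executables share a type.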
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..007ac2e 100644 +index 5fc0391..337d97e 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20575,7 +20576,7 @@ index 5fc0391..007ac2e 100644 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; -+allow ssh_t self:key read; ++allow ssh_t self:key manage_key_perms; allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; @@ -26399,7 +26400,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..c4155c7 100644 +index 24e7804..76da5dd 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -26918,7 +26919,50 @@ index 24e7804..c4155c7 100644 files_search_etc($1) ') -@@ -1026,7 +1235,9 @@ interface(`init_ptrace',` +@@ -1012,6 +1221,42 @@ interface(`init_read_state',` + + ######################################## + ## ++## Read the process keyring of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_key',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:key read; ++') ++ ++######################################## ++## ++## Write the process keyring of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_write_key',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:key read; ++') ++ ++######################################## ++## + ## Ptrace init + ## + ## +@@ -1026,7 +1271,9 @@ interface(`init_ptrace',` type init_t; ') 
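Review bot: The body of the new `init_write_key` interface grants only `read` (`allow $1 init_t:key read;`), byte-for-byte the same as `init_read_key` directly above it, so its description "Write the process keyring of init" is not what it enforces; the rule should be `allow $1 init_t:key write;` (or `{ read write }` if callers must also look the key up). Until that is fixed, every caller of `init_write_key` silently receives read access and the eventual write denial will look unrelated to this interface. Both descriptions would also benefit from a sentence stating that `init_t:key` is the process keyring of PID 1, so that callers are limited to domains that genuinely need to share keys with init.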
@@ -26929,7 +26973,7 @@ index 24e7804..c4155c7 100644 ') ######################################## -@@ -1125,6 +1336,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -26955,7 +26999,7 @@ index 24e7804..c4155c7 100644 ## Read all init script files. ## ## -@@ -1144,6 +1374,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -26980,7 +27024,7 @@ index 24e7804..c4155c7 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1443,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -26994,35 +27038,69 @@ index 24e7804..c4155c7 100644 ') ######################################## -@@ -1440,6 +1683,27 @@ interface(`init_dbus_send_script',` +@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from +-## init scripts over dbus. +## init over dbus. -+## + ## + ## + ## +@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` + ## + ## + # +-interface(`init_dbus_chat_script',` ++interface(`init_dbus_chat',` + gen_require(` +- type initrc_t; ++ type init_t; + class dbus send_msg; + ') + +- allow $1 initrc_t:dbus send_msg; +- allow initrc_t $1:dbus send_msg; ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; + ') + + ######################################## + ## +-## Read and write the init script pty. ++## Send and receive messages from ++## init scripts over dbus. + ## +-## +-##

+-## Read and write the init script pty. This +## +##

+## Domain allowed access. +## +## +# -+interface(`init_dbus_chat',` ++interface(`init_dbus_chat_script',` + gen_require(` -+ type init_t; ++ type initrc_t; + class dbus send_msg; + ') + -+ allow $1 init_t:dbus send_msg; -+ allow init_t $1:dbus send_msg; ++ allow $1 initrc_t:dbus send_msg; ++ allow initrc_t $1:dbus send_msg; +') + +######################################## +## -+## Send and receive messages from - ## init scripts over dbus. - ## - ## -@@ -1526,6 +1790,25 @@ interface(`init_getattr_script_status_files',` ++## Read and write the init script pty. ++## ++## ++##

++## Read and write the init script pty. This + ## pty is generally opened by the open_init_pty + ## portion of the run_init program so that the + ## daemon does not require direct access to +@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',` ######################################## ##

@@ -27048,26 +27126,17 @@ index 24e7804..c4155c7 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1584,21 +1867,39 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## --## Create files in a init script --## temporary data directory. +## Read and write init script inherited temporary data. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`init_rw_inherited_script_tmp_files',` + gen_require(` @@ -27079,25 +27148,10 @@ index 24e7804..c4155c7 100644 + +######################################## +## -+## Create files in a init script -+## temporary data directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## - ## The object class. - ## - ## -@@ -1656,6 +1957,43 @@ interface(`init_read_utmp',` + ## Create files in a init script + ## temporary data directory. + ## +@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -27141,7 +27195,7 @@ index 24e7804..c4155c7 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1744,7 +2082,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -27150,7 +27204,7 @@ index 24e7804..c4155c7 100644 ') ######################################## -@@ -1785,6 +2123,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') 
@@ -27284,7 +27338,7 @@ index 24e7804..c4155c7 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2284,360 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -27646,7 +27700,7 @@ index 24e7804..c4155c7 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..c56175f 100644 +index dd3be8d..60b2656 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27735,17 +27789,18 @@ index dd3be8d..c56175f 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +131,8 @@ ifdef(`enable_mls',` +@@ -98,7 +131,9 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; +allow init_t self:capability2 ~{ mac_admin mac_override }; ++allow init_t self:key manage_key_perms; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +144,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -27785,7 +27840,7 @@ index dd3be8d..c56175f 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +180,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) 
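Review bot: The added `allow init_t self:key manage_key_perms;` in the `@@ -98` hunk is inserted between `allow init_t self:capability2 ~{ mac_admin mac_override };` and the comment `# is ~sys_module really needed? observed:`, which explains the capability rule, so that comment now sits under an unrelated rule. Move the key rule below the capability comment block next to the other `self:` rules (for example after `allow init_t self:fifo_file rw_fifo_file_perms;`) and give it its own one-liner, e.g. `# init manages its own process keyring`, since this takes init_t from no key access to full manage. With `init_read_key`/`init_write_key` exposing this keyring to other domains in the same patch, the set of callers of those interfaces determines the real exposure of whatever init stores there.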
@@ -27804,7 +27859,7 @@ index dd3be8d..c56175f 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +198,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -27825,7 +27880,7 @@ index dd3be8d..c56175f 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +221,49 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +222,50 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -27870,15 +27925,16 @@ index dd3be8d..c56175f 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) ++ ++userdom_use_user_ttys(init_t) ++userdom_manage_tmp_dirs(init_t) -miscfiles_read_localization(init_t) -+userdom_use_user_ttys(init_t) -+ +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +272,187 @@ ifdef(`distro_gentoo',` +@@ -186,29 +274,192 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27914,17 +27970,18 @@ index dd3be8d..c56175f 100644 + +optional_policy(` + iscsi_read_lib_files(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) ') optional_policy(` -- auth_rw_login_records(init_t) + postfix_exec(init_t) + postfix_list_spool(init_t) ++ mta_read_config(init_t) + mta_read_aliases(init_t) +') + @@ -28047,9 +28104,9 @@ index dd3be8d..c56175f 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + 
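Review bot: `userdom_manage_tmp_dirs(init_t)` in the `@@ -156` hunk gives PID 1 create/delete/rename over every `user_tmp_t` directory, which per the userdomain.fc hunk later in this patch covers `/var/run/user(/.*)?` as well as user content under /tmp, but nothing says which case init needs. A comment above the call, e.g. `# init creates and removes per-user runtime directories under /run/user`, would let a later reviewer judge the scope; I am inferring the motivation, so adjust it to the actual case. If only the runtime directories matter, a dedicated type with a filetrans from init_t would keep init out of users' /tmp directories.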
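Review bot: The new `mta_read_config(init_t)` in the `@@ -186` hunk is placed inside the `optional_policy` block that starts with `postfix_exec(init_t)`, next to the pre-existing `mta_read_aliases(init_t)`, so it is dropped whenever the postfix module is absent even though the mta module may still be loaded. Moving the `mta_*` calls into their own `optional_policy(` ... `)` block keeps the two module dependencies independent and matches how the other blocks in this section are split per module.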
@@ -28065,6 +28122,10 @@ index dd3be8d..c56175f 100644 + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) ++') ++ ++optional_policy(` ++ networkmanager_stream_connect(init_t) ') optional_policy(` @@ -28074,7 +28135,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -216,7 +460,29 @@ optional_policy(` +@@ -216,7 +467,29 @@ optional_policy(` ') optional_policy(` @@ -28104,7 +28165,7 @@ index dd3be8d..c56175f 100644 ') ######################################## -@@ -225,8 +491,9 @@ optional_policy(` +@@ -225,8 +498,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28116,7 +28177,7 @@ index dd3be8d..c56175f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +524,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +531,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28133,7 +28194,7 @@ index dd3be8d..c56175f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +549,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +556,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28176,7 +28237,7 @@ index dd3be8d..c56175f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +586,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +593,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -28188,7 +28249,7 @@ index dd3be8d..c56175f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +598,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +605,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28199,7 +28260,7 @@ index dd3be8d..c56175f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +609,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +616,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28209,7 +28270,7 @@ index dd3be8d..c56175f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +618,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +625,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28217,7 +28278,7 @@ index dd3be8d..c56175f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +625,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +632,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28225,7 +28286,7 @@ index dd3be8d..c56175f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +633,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +640,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -28243,7 +28304,7 @@ index dd3be8d..c56175f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +651,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +658,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28257,7 +28318,7 @@ index dd3be8d..c56175f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +666,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +673,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28271,7 +28332,7 @@ index dd3be8d..c56175f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +679,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +686,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28279,7 +28340,7 @@ index dd3be8d..c56175f 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +691,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +698,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28287,7 +28348,7 @@ index dd3be8d..c56175f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +710,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +717,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28311,7 +28372,7 @@ index dd3be8d..c56175f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +743,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +750,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -28319,7 +28380,7 @@ index dd3be8d..c56175f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +777,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +784,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28330,7 +28391,7 @@ index dd3be8d..c56175f 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +801,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +808,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28339,7 +28400,7 @@ index dd3be8d..c56175f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +816,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +823,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28347,7 +28408,7 @@ index dd3be8d..c56175f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +837,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +844,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28355,7 +28416,7 @@ index dd3be8d..c56175f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +847,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +854,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28400,7 +28461,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -558,14 +892,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +899,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28432,7 +28493,7 @@ index dd3be8d..c56175f 100644 ') ') -@@ -576,6 +927,39 @@ ifdef(`distro_suse',` +@@ -576,6 +934,39 @@ ifdef(`distro_suse',` ') ') 
@@ -28472,7 +28533,7 @@ index dd3be8d..c56175f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +972,8 @@ optional_policy(` +@@ -588,6 +979,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28481,7 +28542,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -609,6 +995,7 @@ optional_policy(` +@@ -609,6 +1002,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28489,7 +28550,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -625,6 +1012,17 @@ optional_policy(` +@@ -625,6 +1019,17 @@ optional_policy(` ') optional_policy(` @@ -28507,7 +28568,7 @@ index dd3be8d..c56175f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1039,13 @@ optional_policy(` +@@ -641,9 +1046,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28521,7 +28582,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -656,15 +1058,11 @@ optional_policy(` +@@ -656,15 +1065,11 @@ optional_policy(` ') optional_policy(` @@ -28539,7 +28600,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -685,6 +1083,15 @@ optional_policy(` +@@ -685,6 +1090,15 @@ optional_policy(` ') optional_policy(` @@ -28555,7 +28616,7 @@ index dd3be8d..c56175f 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1132,7 @@ optional_policy(` +@@ -725,6 +1139,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28563,7 +28624,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -742,7 +1150,13 @@ optional_policy(` +@@ -742,7 +1157,13 @@ optional_policy(` ') optional_policy(` @@ -28578,7 +28639,7 @@ index dd3be8d..c56175f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1179,10 @@ optional_policy(` +@@ -765,6 +1186,10 @@ optional_policy(` ') optional_policy(` 
@@ -28589,7 +28650,7 @@ index dd3be8d..c56175f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1192,20 @@ optional_policy(` +@@ -774,10 +1199,20 @@ optional_policy(` ') optional_policy(` @@ -28610,7 +28671,7 @@ index dd3be8d..c56175f 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1214,10 @@ optional_policy(` +@@ -786,6 +1221,10 @@ optional_policy(` ') optional_policy(` @@ -28621,7 +28682,7 @@ index dd3be8d..c56175f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1239,6 @@ optional_policy(` +@@ -807,8 +1246,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28630,7 +28691,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -817,6 +1247,10 @@ optional_policy(` +@@ -817,6 +1254,10 @@ optional_policy(` ') optional_policy(` @@ -28641,7 +28702,7 @@ index dd3be8d..c56175f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1260,12 @@ optional_policy(` +@@ -826,10 +1267,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28654,7 +28715,7 @@ index dd3be8d..c56175f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1292,28 @@ optional_policy(` +@@ -856,12 +1299,28 @@ optional_policy(` ') optional_policy(` @@ -28684,7 +28745,7 @@ index dd3be8d..c56175f 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1323,18 @@ optional_policy(` +@@ -871,6 +1330,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -28703,7 +28764,7 @@ index dd3be8d..c56175f 100644 ') optional_policy(` -@@ -886,6 +1350,10 @@ optional_policy(` +@@ -886,6 +1357,10 @@ optional_policy(` ') optional_policy(` 
@@ -28714,7 +28775,7 @@ index dd3be8d..c56175f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1364,196 @@ optional_policy(` +@@ -896,3 +1371,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -31002,7 +31063,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..aae7b7d 100644 +index 39ea221..a55b140 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -31304,7 +31365,7 @@ index 39ea221..aae7b7d 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +535,10 @@ init_use_fds(syslogd_t) +@@ -461,11 +535,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -31315,10 +31376,11 @@ index 39ea221..aae7b7d 100644 userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -userdom_dontaudit_search_user_home_dirs(syslogd_t) +userdom_search_user_home_dirs(syslogd_t) ++userdom_rw_inherited_user_tmpfs_files(syslogd_t) ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +575,40 @@ optional_policy(` +@@ -502,15 +576,40 @@ optional_policy(` ') optional_policy(` @@ -31359,7 +31421,7 @@ index 39ea221..aae7b7d 100644 ') optional_policy(` -@@ -521,3 +619,26 @@ optional_policy(` +@@ -521,3 +620,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -39073,7 +39135,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..c4bc032 100644 +index 3c5dba7..472e80a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39387,7 +39449,7 @@ index 3c5dba7..c4bc032 100644 ') ') -@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +315,44 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -39403,7 +39465,26 @@ index 3c5dba7..c4bc032 100644 + type user_tmp_t; + ') + -+ allow $1 user_tmp_t:file manage_file_perms; ++ manage_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++####################################### ++## ++## Manage user temporary directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_manage_tmp_dirs',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_dirs_pattern($1, user_tmp_t, user_tmp_t) +') + +####################################### @@ -39413,7 +39494,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## Role allowed access. -@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +367,64 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -39483,7 +39564,7 @@ index 3c5dba7..c4bc032 100644 ') ####################################### -@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,11 +444,31 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -39515,7 +39596,7 @@ index 3c5dba7..c4bc032 100644 ## Role access for the user tmpfs type ## that the user has full access. ## -@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',` +@@ -348,59 +495,60 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -39606,7 +39687,7 @@ index 3c5dba7..c4bc032 100644 ') ####################################### -@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +579,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) 
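Review bot: Replacing `allow $1 user_tmp_t:file manage_file_perms;` with `manage_files_pattern($1, user_tmp_t, user_tmp_t)` in `userdom_manage_tmp_files` also grants every existing caller `rw_dir_perms` on `user_tmp_t` directories (add_name/remove_name), which the old rule did not, while the description still reads only "Manage user temporary files". Add a sentence such as `## Also allows adding and removing entries in user temporary directories.` so callers that only wanted file access can be re-audited. For the new `userdom_manage_tmp_dirs`, a note in its description that `user_tmp_t` spans `/var/run/user` as well as /tmp content (per the userdomain.fc entry in this patch) would help callers such as init_t judge the scope they are taking.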
@@ -39614,7 +39695,7 @@ index 3c5dba7..c4bc032 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +593,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +612,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -39625,7 +39706,7 @@ index 3c5dba7..c4bc032 100644 ') ') -@@ -491,7 +621,8 @@ template(`userdom_common_user_template',` +@@ -491,7 +640,8 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -39635,7 +39716,7 @@ index 3c5dba7..c4bc032 100644 ############################## # -@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` +@@ -501,41 +651,51 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -39702,15 +39783,15 @@ index 3c5dba7..c4bc032 100644 + fs_rw_cgroup_files($1_usertype) + + application_getattr_socket($1_usertype) ++ ++ logging_send_syslog_msg($1_t) - fs_rw_cgroup_files($1_t) -+ logging_send_syslog_msg($1_t) -+ + selinux_get_enforce_mode($1_t) # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +706,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject 
@@ -39780,96 +39861,96 @@ index 3c5dba7..c4bc032 100644 + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; ++ ++ optional_policy(` ++ avahi_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ avahi_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - consolekit_dbus_chat($1_t) -+ bluetooth_dbus_chat($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ policykit_dbus_chat($1_usertype) ') optional_policy(` - policykit_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) - ') -+ -+ optional_policy(` -+ hal_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ kde_dbus_chat_backlighthelper($1_usertype) -+ ') -+ -+ optional_policy(` -+ modemmanager_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` -+ 
policykit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + vpn_dbus_chat($1_usertype) -+ ') -+ ') -+ -+ optional_policy(` -+ git_role($1_r, $1_t) + ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ git_role($1_r, $1_t) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ++ ') ++ ++ optional_policy(` + lircd_stream_connect($1_usertype) ') optional_policy(` -@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +829,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -39898,7 +39979,7 @@ index 3c5dba7..c4bc032 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +856,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -39907,7 +39988,7 @@ index 3c5dba7..c4bc032 100644 ') optional_policy(` -@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +865,9 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -39920,41 +40001,33 @@ index 3c5dba7..c4bc032 100644 ') ') -@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +878,35 @@ template(`userdom_common_user_template',` ') optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpc_dontaudit_getattr_exports($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpc_dontaudit_getattr_exports($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ slrnpull_search_spool($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` @@ -39963,11 +40036,19 @@ index 3c5dba7..c4bc032 100644 - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") ++ seunshare_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ slrnpull_search_spool($1_usertype) ++ ') ++ ++ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +931,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -39987,7 +40068,9 @@ index 3c5dba7..c4bc032 100644 + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
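Review bot: `gen_tunable($1_exec_content, true)` in userdom_login_user_template is declared without the `##` XML doc block that every interface in this file carries, so the per-user boolean the template generates has no description for the policy documentation, and its default of `true` means executing content in the user's home and tmp directories is on unless an administrator turns it off. A short doc comment ahead of the gen_tunable line, e.g. `## Allow $1 users to execute content in their home and tmp directories (default on).`, would make that default visible at the point where it is set; if the build tooling rejects doc blocks inside an ifelse, a plain `#` comment would still help. The enclosing template continues outside this hunk.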
@@ -39995,9 +40078,7 @@ index 3c5dba7..c4bc032 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -40005,7 +40086,7 @@ index 3c5dba7..c4bc032 100644 userdom_change_password_template($1) -@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +965,100 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -40108,6 +40189,7 @@ index 3c5dba7..c4bc032 100644 - seutil_read_config($1_t) + optional_policy(` + kerberos_use($1_usertype) ++ init_write_key($1_usertype) + ') optional_policy(` @@ -40141,7 +40223,7 @@ index 3c5dba7..c4bc032 100644 ') ') -@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1090,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -40154,7 +40236,7 @@ index 3c5dba7..c4bc032 100644 ############################## # # Local policy -@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1135,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -40267,7 +40349,7 @@ index 3c5dba7..c4bc032 100644 ') optional_policy(` -@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1236,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -40298,7 +40380,7 @@ index 3c5dba7..c4bc032 100644 ') ####################################### -@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1292,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. 
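Review bot: `init_write_key($1_usertype)` is added inside the `optional_policy` block that also holds `kerberos_use($1_usertype)`, so the keyring rule is applied only when the kerberos module is loaded, although init_write_key belongs to the base init module; if the access is wanted regardless of kerberos it should get its own `optional_policy` block or sit outside one. It is also worth checking that the init_write_key definition in init.if actually grants `write` on `init_t:key` rather than only `read`, since the template relies on the name alone. A one-line comment stating why a login user domain needs to modify init's process keyring would help, because this widens what every `$1_usertype` may do to a pid-1 resource. The enclosing userdom_login_user_template starts and ends outside this hunk.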
@@ -40336,7 +40418,7 @@ index 3c5dba7..c4bc032 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,38 +1329,77 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -40362,20 +40444,29 @@ index 3c5dba7..c4bc032 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + cdrecord_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t, $1_r) + cron_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + games_rw_data($1_usertype) -+ ') -+ + ') +-') + +-####################################### +-## +-## The template for creating an administrative user. + optional_policy(` + gpg_role($1_r, $1_usertype) + ') @@ -40397,28 +40488,32 @@ index 3c5dba7..c4bc032 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) - ') - - # Run pppd in pppd_t by default for user -@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ # Run pppd in pppd_t by default for user ++ optional_policy(` ++ ppp_run_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + vdagent_getattr_log($1_t) + vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) - ') - ') - -@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` ++ ') ++') ++ ++####################################### ++## ++## The template for creating an administrative user. + ## + ## + ##

+@@ -1082,7 +1429,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40427,7 +40522,7 @@ index 3c5dba7..c4bc032 100644 ') ############################## -@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1456,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40435,7 +40530,7 @@ index 3c5dba7..c4bc032 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1465,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40445,7 +40540,7 @@ index 3c5dba7..c4bc032 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1482,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40453,7 +40548,7 @@ index 3c5dba7..c4bc032 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1500,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40468,7 +40563,7 @@ index 3c5dba7..c4bc032 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1518,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -40511,7 +40606,7 @@ index 3c5dba7..c4bc032 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1559,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40520,7 +40615,7 @@ index 3c5dba7..c4bc032 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1568,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40539,7 +40634,7 @@ index 3c5dba7..c4bc032 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1624,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40548,7 +40643,7 @@ index 3c5dba7..c4bc032 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1638,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40560,7 +40655,7 @@ index 3c5dba7..c4bc032 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1652,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -40603,7 +40698,7 @@ index 3c5dba7..c4bc032 100644 ') optional_policy(` -@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1737,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40622,7 +40717,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1788,51 @@ interface(`userdom_user_tmpfs_file',` ##

## Allow domain to attach to TUN devices created by administrative users. ## @@ -40674,7 +40769,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1937,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40706,7 +40801,7 @@ index 3c5dba7..c4bc032 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2003,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40721,7 +40816,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2026,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40733,7 +40828,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2087,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40776,7 +40871,7 @@ index 3c5dba7..c4bc032 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2202,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40785,7 +40880,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2237,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -40800,7 +40895,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2267,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40827,7 +40922,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## -@@ -1782,53 +2275,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2295,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -40910,7 +41005,7 @@ index 3c5dba7..c4bc032 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2378,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40936,7 +41031,7 @@ index 3c5dba7..c4bc032 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2427,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40974,7 +41069,7 @@ index 3c5dba7..c4bc032 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2467,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -40992,71 +41087,157 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2515,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## -## Delete all user home content files. +## Delete files in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ##
+ ## + ## +@@ -1949,19 +2523,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` + ## + ## + # +-interface(`userdom_delete_all_user_home_content_files',` +interface(`userdom_delete_user_home_content_files',` -+ gen_require(` + gen_require(` +- attribute user_home_content_type; +- type user_home_dir_t; + type user_home_t; -+ ') -+ + ') + +- userdom_search_user_home_content($1) +- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_t:file delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete files in a user home subdirectory. +## Delete all files in a user home subdirectory. ## ## ## -@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1969,35 +2541,35 @@ interface(`userdom_delete_all_user_home_content_files',` + ## + ## # - interface(`userdom_delete_all_user_home_content_files',` +-interface(`userdom_delete_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content_files',` gen_require(` -- attribute user_home_content_type; -- type user_home_dir_t; +- type user_home_t; + attribute user_home_type; ') -- userdom_search_user_home_content($1) -- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) +- allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_type:file delete_file_perms; ') ######################################## ## --## Delete files in a user home subdirectory. +-## Do not audit attempts to write user home files. +## Delete sock files in a user home subdirectory. ## ## ## -@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',` +-## Domain to not audit. ++## Domain allowed access. 
## ## # --interface(`userdom_delete_user_home_content_files',` +-interface(`userdom_dontaudit_relabel_user_home_content_files',` +interface(`userdom_delete_user_home_content_sock_files',` gen_require(` type user_home_t; ') -- allow $1 user_home_t:file delete_file_perms; +- dontaudit $1 user_home_t:file relabel_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read user home subdirectory symbolic links. +## Delete all sock files in a user home subdirectory. + ## + ## + ## +@@ -2005,46 +2577,35 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` + ## + ## + # +-interface(`userdom_read_user_home_content_symlinks',` ++interface(`userdom_delete_all_user_home_content_sock_files',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ attribute user_home_type; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) ++ allow $1 user_home_type:sock_file delete_file_perms; + ') + + ######################################## + ## +-## Execute user home files. ++## Delete all files in a user home subdirectory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`userdom_exec_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content',` + gen_require(` +- type user_home_dir_t, user_home_t; +- ') +- +- files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) ++ attribute user_home_type; + ') + +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to execute user home files. ++## Do not audit attempts to write user home files. 
+ ## + ## + ## +@@ -2052,18 +2613,76 @@ interface(`userdom_exec_user_home_content_files',` + ## + ## + # +-interface(`userdom_dontaudit_exec_user_home_content_files',` ++interface(`userdom_dontaudit_relabel_user_home_content_files',` + gen_require(` + type user_home_t; + ') + +- dontaudit $1 user_home_t:file exec_file_perms; ++ dontaudit $1 user_home_t:file relabel_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete files +-## in a user home subdirectory. ++## Read user home subdirectory symbolic links. +## +## +## 
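Review bot: The `userdom_delete_all_user_home_content` interface is documented as "Delete all files in a user home subdirectory", but its rule is `allow $1 user_home_type:dir_file_class_set delete_file_perms;`, which covers directories, symlinks, sockets, fifos and device nodes on every type carrying the user_home_type attribute, not only files. The summary should say so, e.g. `## Delete all objects of any file class in user home subdirectories.`, so that callers do not pick it as a files-only variant of userdom_delete_all_user_home_content_files. The same body is present on the removed side of this hunk, so the wording is pre-existing rather than introduced here.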
@@ -41064,69 +41245,62 @@ index 3c5dba7..c4bc032 100644 +## +## +# -+interface(`userdom_delete_all_user_home_content_sock_files',` ++interface(`userdom_read_user_home_content_symlinks',` + gen_require(` -+ attribute user_home_type; ++ type user_home_dir_t, user_home_t; + ') + -+ allow $1 user_home_type:sock_file delete_file_perms; ++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; +') + +######################################## +## -+## Delete all files in a user home subdirectory. ++## Execute user home files. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`userdom_delete_all_user_home_content',` ++interface(`userdom_exec_user_home_content_files',` + gen_require(` ++ type user_home_dir_t; + attribute user_home_type; + ') + -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; - ') - - ######################################## -@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',` - type user_home_dir_t, user_home_t; - ') - -- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) -+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',` - # - interface(`userdom_exec_user_home_content_files',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ type user_home_dir_t; -+ attribute user_home_type; - ') - - files_search_home($1) -- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) ++ files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; - ') --') - - ######################################## - ## -@@ -2123,7 +2722,7 @@ 
interface(`userdom_manage_user_home_content_symlinks',` ++ ') ++ ++######################################## ++## ++## Do not audit attempts to execute user home files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_exec_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ dontaudit $1 user_home_t:file exec_file_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete files ++## in a user home subdirectory. + ## + ## + ## +@@ -2123,7 +2742,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -41135,7 +41309,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## -@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2750,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41159,7 +41333,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## -@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2768,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41175,7 +41349,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3010,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -41190,7 +41364,7 @@ index 3c5dba7..c4bc032 100644 files_search_tmp($1) ') -@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3034,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41199,7 +41373,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3281,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') 
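Review bot: `userdom_exec_user_home_content_files` in this hunk carries only `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)` and no `use_nfs_home_dirs` or `use_samba_home_dirs` branches, while the login-user template earlier in the file handles NFS and CIFS exec itself under `$1_exec_content`; any other caller of this interface therefore gets no tunable-gated NFS/CIFS exec, which is presumably intended but deserves a line in its doc block, e.g. `## NFS and CIFS home directories are not covered; callers needing them use fs_exec_nfs_files/fs_exec_cifs_files under the relevant tunables.`. The `dontaudit $1 user_home_type:sock_file execute;` line would also read better with a short why-comment naming what triggers the denial it silences.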
@@ -41225,7 +41399,7 @@ index 3c5dba7..c4bc032 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3316,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -41241,7 +41415,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## -@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3344,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -41250,7 +41424,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## -@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3352,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -41285,7 +41459,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3470,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -41310,7 +41484,7 @@ index 3c5dba7..c4bc032 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3506,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -41353,7 +41527,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## -@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3542,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41391,7 +41565,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3587,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -41421,7 +41595,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3679,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41522,7 +41696,7 @@ index 3c5dba7..c4bc032 100644 ## ## ## -@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3748,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41537,7 +41711,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3817,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41546,7 +41720,7 @@ index 3c5dba7..c4bc032 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3833,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41580,7 +41754,7 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3921,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -41607,18 +41781,86 @@ index 3c5dba7..c4bc032 100644 ') ######################################## -@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +3994,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to use user ttys. ++## Do not audit attempts to write users ++## temporary files. + ## + ## + ## +@@ -3285,36 +4008,37 @@ interface(`userdom_write_user_tmp_files',` + ## + ## + # +-interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmp_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tmp_t:file write; + ') + + ######################################## + ## +-## Read the process state of all user domains. ++## Do not audit attempts to read/write users ++## temporary fifo files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` +- attribute userdomain; ++ type user_tmp_t; + ') + +- read_files_pattern($1, userdomain, userdomain) +- kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## + ## +-## Get the attributes of all user domains. ++## Allow domain to read/write inherited users ++## fifo files. 
+ ## + ## + ## +@@ -3322,7 +4046,63 @@ interface(`userdom_read_all_users_state',` + ## + ## + # +-interface(`userdom_getattr_all_users',` ++interface(`userdom_rw_inherited_user_pipes',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Do not audit attempts to write users -+## temporary files. ++## Do not audit attempts to use user ttys. +## +## +## @@ -41626,37 +41868,37 @@ index 3c5dba7..c4bc032 100644 +## +## +# -+interface(`userdom_dontaudit_write_user_tmp_files',` ++interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` -+ type user_tmp_t; ++ type user_tty_device_t; + ') + -+ dontaudit $1 user_tmp_t:file write; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to read/write users -+## temporary fifo files. ++## Read the process state of all user domains. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` ++interface(`userdom_read_all_users_state',` + gen_require(` -+ type user_tmp_t; ++ attribute userdomain; + ') + -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) ++ kernel_search_proc($1) +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Get the attributes of all user domains. +## +## +## 
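Review bot: `read_lnk_files_pattern($1,userdomain,userdomain)` in userdom_read_all_users_state omits the spaces after the commas that every neighbouring call uses (`read_files_pattern($1, userdomain, userdomain)` on the line above); the line should be `read_lnk_files_pattern($1, userdomain, userdomain)`. Separately, `userdom_dontaudit_use_user_ttys` now dontaudits `rw_inherited_file_perms` instead of `rw_file_perms`; a short comment noting that only inherited descriptors are silenced would explain the narrower set to the next reader.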
@@ -41664,33 +41906,11 @@ index 3c5dba7..c4bc032 100644 +## +## +# -+interface(`userdom_rw_inherited_user_pipes',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## -@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',` - type user_tty_device_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; - ') - - ######################################## -@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',` ++interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; ') - - read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) - kernel_search_proc($1) - ') - -@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4165,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -41733,54 +41953,11 @@ index 3c5dba7..c4bc032 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4221,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## --## Create keys for all user domains. +## Read keys for all user domains. - ## - ## - ## -@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',` - ## - ## - # --interface(`userdom_create_all_users_keys',` -+interface(`userdom_read_all_users_keys',` - gen_require(` - attribute userdomain; - ') - -- allow $1 userdomain:key create; -+ allow $1 userdomain:key read; - ') - - ######################################## - ## --## Send a dbus message to all user domains. -+## Create keys for all user domains. - ## - ## - ## -@@ -3431,11 +4227,1518 @@ interface(`userdom_create_all_users_keys',` - ## - ## - # --interface(`userdom_dbus_send_all_users',` -+interface(`userdom_create_all_users_keys',` - gen_require(` - attribute userdomain; -- class dbus send_msg; - ') - -- allow $1 userdomain:dbus send_msg; -+ allow $1 userdomain:key create; -+') -+ -+######################################## -+## -+## Send a dbus message to all user domains. +## +## +## @@ -41788,13 +41965,23 @@ index 3c5dba7..c4bc032 100644 +## +## +# -+interface(`userdom_dbus_send_all_users',` ++interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; -+ class dbus send_msg; + ') + -+ allow $1 userdomain:dbus send_msg; ++ allow $1 userdomain:key read; ++') ++ ++######################################## ++## + ## Create keys for all user domains. + ## + ## +@@ -3438,4 +4272,1493 @@ interface(`userdom_dbus_send_all_users',` + ') + + allow $1 userdomain:dbus send_msg; + ps_process_pattern($1, userdomain) +') + @@ -43286,7 +43473,7 @@ index 3c5dba7..c4bc032 100644 + dontaudit $1 user_home_type:dir_file_class_set audit_access; ') 
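Review bot: `ps_process_pattern($1, userdomain)` is appended to `userdom_dbus_send_all_users`, so an interface documented as sending a dbus message to all user domains now also lets the caller read the process state of every user domain; that is a separate and wider grant and should either be split into its own interface or be named in the summary, e.g. `## Send a dbus message to, and read the process state of, all user domains.`. The new `userdom_read_all_users_keys` interface (`allow $1 userdomain:key read;`) is fine as written, but since `read` on the key class exposes key payloads of every user domain, a sentence in its summary saying that callers are expected to be trusted daemons would help reviewers of call sites. Most of the inner `@@ -3438,4 +4272,1493 @@` addition is not part of this outer hunk and is not visible here.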
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..3a775a7 100644 +index e2b538b..bbf002c 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -43394,7 +43581,7 @@ index e2b538b..3a775a7 100644 -type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; +type user_tmp_t, user_tmp_type; -+typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; ++typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f479fe8..f69bb0c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..2fe1152 100644 +index e4f84de..2ed712d 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,41 @@ +@@ -1,30 +1,42 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) 
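Review bot: Adding `wine_tmp_t` to the `typealias user_tmp_t alias { ... }` list merges wine's temporary-file type into the generic user tmp type, so every domain with access to user_tmp_t now reaches what were wine tmp files and the reverse; that is probably the intent of the consolidation but deserves a comment on the alias line. The contrib wine module must no longer declare `type wine_tmp_t` itself, or the alias and the type declaration will collide at build time; that module is not in this chunk, so please confirm.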
@@ -22,6 +22,7 @@ index e4f84de..2fe1152 100644 +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) @@ -2023,7 +2024,7 @@ index 7f4dfbc..4d750fa 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..d4df671 100644 +index ed45974..ec7bb41 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2077,7 +2078,15 @@ index ed45974..d4df671 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -170,7 +175,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) + + dev_getattr_all_blk_files(amanda_t) + dev_getattr_all_chr_files(amanda_t) ++dev_read_urand(amanda_t) + + files_read_etc_runtime_files(amanda_t) + files_list_all(amanda_t) +@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2085,7 +2094,7 @@ index ed45974..d4df671 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +199,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -10346,10 +10355,10 @@ index 2354e21..fb8c9ed 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..84b41e6 100644 +index 403af41..1a4bd9c 100644 --- a/certwatch.te 
+++ b/certwatch.te -@@ -20,33 +20,44 @@ role certwatch_roles types certwatch_t; +@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t; allow certwatch_t self:capability sys_nice; allow certwatch_t self:process { setsched getsched }; @@ -10377,11 +10386,12 @@ index 403af41..84b41e6 100644 miscfiles_read_all_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) ++miscfiles_manage_generic_cert_dirs(certwatch_t) ++ ++sysnet_read_config(certwatch_t) -userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_user_home_dirs(certwatch_t) -+sysnet_read_config(certwatch_t) -+ +userdom_use_inherited_user_terminals(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t) @@ -12280,7 +12290,7 @@ index c223f81..3bcdf6a 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..9f877a1 100644 +index 2a71346..486cdb9 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -12320,7 +12330,7 @@ index 2a71346..9f877a1 100644 term_use_console(cobblerd_t) -+auth_read_passwd(cobblerd_t) ++auth_use_nsswitch(cobblerd_t) + logging_send_syslog_msg(cobblerd_t) @@ -12333,7 +12343,7 @@ index 2a71346..9f877a1 100644 apache_search_sys_content(cobblerd_t) ') -@@ -188,17 +191,20 @@ optional_policy(` +@@ -188,17 +191,21 @@ optional_policy(` ') optional_policy(` @@ -12345,6 +12355,7 @@ index 2a71346..9f877a1 100644 ') optional_policy(` ++ rsync_exec(cobblerd_t) rsync_read_config(cobblerd_t) - rsync_manage_config_files(cobblerd_t) + rsync_manage_config(cobblerd_t) @@ -39985,7 +39996,7 @@ index 6194b80..bb32d40 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..a74ab9d 100644 +index 6a306ee..628bc55 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ 
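Review bot: `miscfiles_manage_generic_cert_dirs(certwatch_t)` moves certwatch from a read-only consumer of certificates (`miscfiles_read_all_certs` on the line above it) to a domain that may create, rename and remove entries under the generic certificate directory type. If the denial behind this was a file being written rather than the directory itself being altered, a file-scoped interface such as `miscfiles_manage_generic_cert_files` would be the narrower fit; I cannot tell from the hunk which case it was. Either way, a comment recording the triggering denial next to the line would justify the broadening.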
@@ -40443,7 +40454,7 @@ index 6a306ee..a74ab9d 100644 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; + -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; ++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mozilla_plugin_t self:netlink_socket create_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; @@ -44254,7 +44265,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..3c7bbd8 100644 +index 9f6179e..cc14cbc 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -44465,7 +44476,12 @@ index 9f6179e..3c7bbd8 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +189,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -183,21 +185,26 @@ kernel_read_kernel_sysctls(mysqld_safe_t) + corecmd_exec_bin(mysqld_safe_t) + corecmd_exec_shell(mysqld_safe_t) + ++dev_read_urand(mysqld_safe_t) + dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -44493,7 +44509,7 @@ index 9f6179e..3c7bbd8 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +211,7 @@ optional_policy(` +@@ -205,7 +212,7 @@ optional_policy(` ######################################## # @@ -44502,7 +44518,7 @@ index 9f6179e..3c7bbd8 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +220,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +221,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -44520,7 +44536,7 @@ index 9f6179e..3c7bbd8 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +233,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +234,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -46149,7 +46165,7 @@ index 0e8508c..f8893f8 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..2b6c69a 100644 +index 0b48a30..b5c140b 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -46242,7 +46258,7 @@ index 0b48a30..2b6c69a 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,9 +104,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) 
@@ -46252,15 +46268,16 @@ index 0b48a30..2b6c69a 100644 kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -91,7 +111,6 @@ kernel_request_load_module(NetworkManager_t) + kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) ++kernel_setsched(NetworkManager_t) -corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +121,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -46286,7 +46303,7 @@ index 0b48a30..2b6c69a 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +137,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -46300,7 +46317,7 @@ index 0b48a30..2b6c69a 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +145,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -46318,7 +46335,7 @@ index 0b48a30..2b6c69a 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +164,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) 
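Review bot: `kernel_setsched(NetworkManager_t)` grants setsched toward the kernel domain, i.e. changing the scheduling of kernel threads, which is a different thing from NetworkManager adjusting its own threads (that would be `self:process setsched`). If the motivating denial really named kernel_t as the target this is the right rule, but as written a reader cannot tell whether the broader grant was intended. A comment citing that denial next to the line would settle it.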
@@ -46331,7 +46348,7 @@ index 0b48a30..2b6c69a 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +183,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -46368,7 +46385,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -196,10 +224,6 @@ optional_policy(` +@@ -196,10 +225,6 @@ optional_policy(` ') optional_policy(` @@ -46379,7 +46396,7 @@ index 0b48a30..2b6c69a 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +234,11 @@ optional_policy(` +@@ -210,16 +235,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -46398,7 +46415,7 @@ index 0b48a30..2b6c69a 100644 ') ') -@@ -231,18 +250,19 @@ optional_policy(` +@@ -231,18 +251,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -46421,7 +46438,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -250,6 +270,10 @@ optional_policy(` +@@ -250,6 +271,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -46432,7 +46449,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -257,11 +281,10 @@ optional_policy(` +@@ -257,11 +282,10 @@ optional_policy(` ') optional_policy(` @@ -46448,7 +46465,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -274,10 +297,17 @@ optional_policy(` +@@ -274,10 +298,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -46466,7 +46483,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -289,6 +319,7 @@ optional_policy(` +@@ -289,6 +320,7 @@ optional_policy(` ') optional_policy(` 
@@ -46474,7 +46491,7 @@ index 0b48a30..2b6c69a 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +327,7 @@ optional_policy(` +@@ -296,7 +328,7 @@ optional_policy(` ') optional_policy(` @@ -46483,7 +46500,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -307,6 +338,7 @@ optional_policy(` +@@ -307,6 +339,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -46491,7 +46508,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -320,13 +352,19 @@ optional_policy(` +@@ -320,13 +353,19 @@ optional_policy(` ') optional_policy(` @@ -46515,7 +46532,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -356,6 +394,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -46826,7 +46843,7 @@ index 46e55c3..6e4e061 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3e4a31c..bd8e3ff 100644 +index 3e4a31c..eea788e 100644 --- a/nis.te +++ b/nis.te @@ -1,12 +1,10 @@ @@ -46971,7 +46988,7 @@ index 3e4a31c..bd8e3ff 100644 corenet_all_recvfrom_netlabel(yppasswdd_t) corenet_tcp_sendrecv_generic_if(yppasswdd_t) corenet_udp_sendrecv_generic_if(yppasswdd_t) -@@ -177,22 +176,11 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) +@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_generic_node(yppasswdd_t) corenet_udp_bind_generic_node(yppasswdd_t) 
@@ -46982,7 +46999,8 @@ index 3e4a31c..bd8e3ff 100644 - corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) -- ++corenet_sendrecv_generic_server_packets(yppasswdd_t) + -corecmd_exec_bin(yppasswdd_t) -corecmd_exec_shell(yppasswdd_t) - @@ -46991,11 +47009,12 @@ index 3e4a31c..bd8e3ff 100644 -files_read_etc_files(yppasswdd_t) -files_read_etc_runtime_files(yppasswdd_t) -files_relabel_etc_files(yppasswdd_t) -+corenet_sendrecv_generic_server_packets(yppasswdd_t) - +- ++dev_read_urand(yppasswdd_t) dev_read_sysfs(yppasswdd_t) -@@ -203,11 +191,19 @@ selinux_get_fs_mount(yppasswdd_t) + fs_getattr_all_fs(yppasswdd_t) +@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) @@ -47016,7 +47035,7 @@ index 3e4a31c..bd8e3ff 100644 sysnet_read_config(yppasswdd_t) -@@ -219,6 +215,14 @@ optional_policy(` +@@ -219,6 +216,14 @@ optional_policy(` ') optional_policy(` @@ -47031,7 +47050,7 @@ index 3e4a31c..bd8e3ff 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -234,7 +238,8 @@ optional_policy(` +@@ -234,7 +239,8 @@ optional_policy(` dontaudit ypserv_t self:capability sys_tty_config; allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:process signal_perms; @@ -47041,7 +47060,7 @@ index 3e4a31c..bd8e3ff 100644 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:udp_socket create_socket_perms; -@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t) +@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) 
@@ -47049,7 +47068,7 @@ index 3e4a31c..bd8e3ff 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) +@@ -264,31 +269,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t) @@ -47087,7 +47106,7 @@ index 3e4a31c..bd8e3ff 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -310,8 +310,8 @@ optional_policy(` +@@ -310,8 +311,8 @@ optional_policy(` # ypxfr local policy # @@ -47098,7 +47117,7 @@ index 3e4a31c..bd8e3ff 100644 allow ypxfr_t self:tcp_socket create_stream_socket_perms; allow ypxfr_t self:udp_socket create_socket_perms; allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; -@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -326,7 +327,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) @@ -47106,7 +47125,7 @@ index 3e4a31c..bd8e3ff 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) +@@ -336,23 +336,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t) @@ -48489,7 +48508,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index a3e56f0..f70a784 100644 +index a3e56f0..2c5b389 100644 --- a/nslcd.te +++ b/nslcd.te @@ -1,4 +1,4 @@ 
@@ -48510,7 +48529,7 @@ index a3e56f0..f70a784 100644 -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; +allow nslcd_t self:capability { dac_override setgid setuid sys_nice }; -+allow nslcd_t self:process { setsched signal }; ++allow nslcd_t self:process { setsched signal signull }; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; allow nslcd_t nslcd_conf_t:file read_file_perms; @@ -67744,7 +67763,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..6f60d73 100644 +index 2c1730b..3c6d751 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -67849,7 +67868,15 @@ index 2c1730b..6f60d73 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +125,17 @@ optional_policy(` +@@ -93,13 +121,29 @@ optional_policy(` + ') + + optional_policy(` ++ kdump_manage_kdumpctl_tmp_files(mdadm_t) ++') ++ ++optional_policy(` + mta_send_mail(mdadm_t) ') optional_policy(` @@ -67865,6 +67892,10 @@ index 2c1730b..6f60d73 100644 ') + +optional_policy(` ++ virt_read_blk_images(mdadm_t) ++') ++ ++optional_policy(` + xserver_dontaudit_search_log(mdadm_t) +') diff --git a/razor.fc b/razor.fc @@ -73817,7 +73848,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..39e36fb 100644 +index 0628d50..cafc027 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -73966,10 +73997,10 @@ index 0628d50..39e36fb 100644 +# +interface(`rpm_rw_script_inherited_pipes',` + gen_require(` -+ type rpm_script_t; ++ type rpm_script_tmp_t; + ') + -+ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## 
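Review bot: `virt_read_blk_images(mdadm_t)` lets the RAID tooling read the block devices that hold virtual machine disk images, which are otherwise reserved to their guest domains. Presumably mdadm scans every block device for array metadata and tripped over guest-backed devices; a comment recording that, inside the new optional_policy block, would keep the grant from reading as accidental access to guest data. The same comment-the-denial remark applies to the `kdump_manage_kdumpctl_tmp_files(mdadm_t)` block added earlier in the same hunk.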
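Review bot: `rpm_rw_script_inherited_pipes` now grants `rw_inherited_fifo_file_perms` on `rpm_script_tmp_t` instead of `rpm_script_t`, which changes what the interface covers: a fifo carrying the script domain's own type is an anonymous pipe the script created, while an rpm_script_tmp_t fifo is a named pipe in the script's temp area. Any caller that used the interface for the former case silently loses it, and the interface summary, which sits above the hunk, still describes inherited pipes. Either keep both allow rules, or rename and re-document the interface so the name matches the rule; a one-line comment such as `# named fifos that rpm scripts create under their tmp dir` above the allow would also help.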
@@ -80744,7 +80775,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..e5948ba 100644 +index 49b12ae..2da8cf7 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -80833,8 +80864,12 @@ index 49b12ae..e5948ba 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t) - domain_dontaudit_search_all_domains_state(setroubleshootd_t) +@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) + dev_getattr_all_chr_files(setroubleshootd_t) + dev_getattr_mtrr_dev(setroubleshootd_t) + +-domain_dontaudit_search_all_domains_state(setroubleshootd_t) ++domain_read_all_domains_state(setroubleshootd_t) domain_signull_all_domains(setroubleshootd_t) -files_read_usr_files(setroubleshootd_t) @@ -86595,7 +86630,7 @@ index 42946bc..741f2f4 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index e9c0964..d4686e6 100644 +index e9c0964..8d5bbdd 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ @@ -86709,14 +86744,14 @@ index e9c0964..d4686e6 100644 - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) corenet_tcp_connect_generic_port(telepathy_gabble_t) - corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_gabble_t) -- fs_manage_nfs_files(telepathy_gabble_t) + corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_gabble_t) +- fs_manage_nfs_files(telepathy_gabble_t) +-') +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) 
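Review bot: Replacing `domain_dontaudit_search_all_domains_state` with `domain_read_all_domains_state(setroubleshootd_t)` turns a silenced lookup into real read access to every domain's /proc entry, which is a large step in what setroubleshootd can learn about other processes. The hunk gives no hint which state it needs; a comment naming the triggering denial or the analysis plugin that reads it would justify the scope, and if only a few entries are needed a rule limited to those would be preferable. The neighbouring `domain_signull_all_domains` line is unchanged by this hunk.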
@@ -86829,11 +86864,11 @@ index e9c0964..d4686e6 100644 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") +userdom_search_user_home_dirs(telepathy_mission_control_t) -+ -+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) ++manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++ +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") @@ -87099,7 +87134,7 @@ index e9c0964..d4686e6 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -452,31 +385,43 @@ optional_policy(` +@@ -452,31 +385,48 @@ optional_policy(` ####################################### # @@ -87144,12 +87179,17 @@ index e9c0964..d4686e6 100644 +') + +optional_policy(` ++ systemd_dbus_chat_logind(telepathy_domain) ++') ++ ++optional_policy(` + telepathy_dbus_chat(telepathy_domain) +') + +optional_policy(` xserver_rw_xdm_pipes(telepathy_domain) ') ++ diff --git a/telnet.te b/telnet.te index 9f89916..1bdef51 100644 
--- a/telnet.te @@ -90765,10 +90805,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..459fbcf 100644 +index c30da4c..9bad8b9 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,91 @@ +@@ -1,52 +1,92 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -90899,8 +90939,9 @@ index c30da4c..459fbcf 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) + +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) ++/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..4e31afe 100644 +index 9dec06c..73549fd 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -91915,7 +91956,7 @@ index 9dec06c..4e31afe 100644 ## ## ## -@@ -860,115 +658,245 @@ interface(`virt_read_lib_files',` +@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',` ## ## # 
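Review bot: The telepathy.te hunk ends by adding a bare empty `+` line after the closing `')` of the last optional_policy block, i.e. a trailing blank line at the end of the file, which is a whitespace-only change that should be dropped. On the substantive part, `systemd_dbus_chat_logind(telepathy_domain)` is applied to the whole telepathy_domain attribute rather than to the one component that talks to logind; refpolicy `*_dbus_chat_*` interfaces typically allow send_msg in both directions, so every telepathy domain can now exchange D-Bus messages with logind. A comment saying which telepathy component needs logind would justify the attribute-wide grant.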
@@ -92055,70 +92096,9 @@ index 9dec06c..4e31afe 100644 + ps_process_pattern(svirt_sandbox_domain, $1) ') -+ ######################################## ## -## Read virt log files. -+## All of the rules required to administrate -+## an virt environment - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## Role allowed access. -+## -+## - ## - # --interface(`virt_read_log',` -+interface(`virt_admin',` - gen_require(` -- type virt_log_t; -+ type virtd_t, virtd_initrc_exec_t; -+ attribute virt_domain; -+ type virtd_lxc_t; -+ type virtd_unit_file_t; - ') - -- logging_search_logs($1) -- read_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virtd_t:process signal_perms; -+ ps_process_pattern($1, virtd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 virtd_t:process ptrace; -+ allow $1 virtd_lxc_t:process ptrace; -+ ') -+ -+ allow $1 virtd_lxc_t:process signal_perms; -+ ps_process_pattern($1, virtd_lxc_t) -+ -+ init_labeled_script_domtrans($1, virtd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 virtd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ virt_manage_pid_files($1) -+ -+ virt_manage_lib_files($1) -+ -+ virt_manage_log($1) -+ -+ virt_manage_images($1) -+ -+ allow $1 virt_domain:process signal_perms; -+ -+ virt_systemctl($1) -+ admin_pattern($1, virtd_unit_file_t) -+ allow $1 virtd_unit_file_t:service all_service_perms; - ') - - ######################################## - ## --## Append virt log files. +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. ## @@ -92133,9 +92113,9 @@ index 9dec06c..4e31afe 100644 +## The role to be allowed the sandbox domain. ## ## -+## + ## # --interface(`virt_append_log',` +-interface(`virt_read_log',` +interface(`virt_transition_svirt',` gen_require(` - type virt_log_t; 
@@ -92146,7 +92126,7 @@ index 9dec06c..4e31afe 100644 ') - logging_search_logs($1) -- append_files_pattern($1, virt_log_t, virt_log_t) +- read_files_pattern($1, virt_log_t, virt_log_t) + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; @@ -92165,8 +92145,7 @@ index 9dec06c..4e31afe 100644 ######################################## ## --## Create, read, write, and delete --## virt log files. +-## Append virt log files. +## Do not audit attempts to write virt daemon unnamed pipes. ## ## @@ -92176,7 +92155,7 @@ index 9dec06c..4e31afe 100644 ## ## # --interface(`virt_manage_log',` +-interface(`virt_append_log',` +interface(`virt_dontaudit_write_pipes',` gen_require(` - type virt_log_t; 
@@ -92184,53 +92163,77 @@ index 9dec06c..4e31afe 100644 ') - logging_search_logs($1) +- append_files_pattern($1, virt_log_t, virt_log_t) ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt log files. ++## Send a sigkill to virtual machines + ## + ## + ## +@@ -955,20 +848,17 @@ interface(`virt_append_log',` + ## + ## + # +-interface(`virt_manage_log',` ++interface(`virt_kill_svirt',` + gen_require(` +- type virt_log_t; ++ attribute virt_domain; + ') + +- logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virt_domain:process sigkill; ') ######################################## ## -## Search virt image directories. -+## Send a sigkill to virtual machines ++## Send a sigkill to virtd daemon. ## ## ## -@@ -976,18 +904,17 @@ interface(`virt_manage_log',` +@@ -976,18 +866,17 @@ interface(`virt_manage_log',` ## ## # -interface(`virt_search_images',` -+interface(`virt_kill_svirt',` ++interface(`virt_kill',` gen_require(` - attribute virt_image_type; -+ attribute virt_domain; ++ type virtd_t; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process sigkill; ') ######################################## ## -## Read virt image files. -+## Send a sigkill to virtd daemon. 
++## Send a signal to virtual machines ## ## ## -@@ -995,36 +922,35 @@ interface(`virt_search_images',` +@@ -995,73 +884,75 @@ interface(`virt_search_images',` ## ## # -interface(`virt_read_images',` -+interface(`virt_kill',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virtd_t; ++ attribute virt_domain; ') - virt_search_lib($1) @@ -92239,7 +92242,7 @@ index 9dec06c..4e31afe 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virtd_t:process sigkill; ++ allow $1 virt_domain:process signal; +') - tunable_policy(`virt_use_nfs',` @@ -92248,7 +92251,7 @@ index 9dec06c..4e31afe 100644 - fs_read_nfs_symlinks($1) +######################################## +## -+## Send a signal to virtual machines ++## Manage virt home files. +## +## +## @@ -92256,9 +92259,9 @@ index 9dec06c..4e31afe 100644 +## +## +# -+interface(`virt_signal_svirt',` ++interface(`virt_manage_home_files',` + gen_require(` -+ attribute virt_domain; ++ type virt_home_t; ') - tunable_policy(`virt_use_samba',` 
@@ -92266,40 +92269,42 @@ index 9dec06c..4e31afe 100644 - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -+ allow $1 virt_domain:process signal; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ') ######################################## ## -## Read and write all virt image -## character files. -+## Manage virt home files. ++## allow domain to read ++## virt tmpfs files ## ## ## -@@ -1032,58 +958,57 @@ interface(`virt_read_images',` +-## Domain allowed access. ++## Domain allowed access ## ## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_manage_home_files',` ++interface(`virt_read_tmpfs_files',` gen_require(` - attribute virt_image_type; -+ type virt_home_t; ++ attribute virt_tmpfs_type; ') - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ allow $1 virt_tmpfs_type:file read_file_perms; ') ######################################## ## -## Create, read, write, and delete -## svirt cache files. -+## allow domain to read ++## allow domain to manage +## virt tmpfs files ## ## 
@@ -92312,62 +92317,69 @@ index 9dec06c..4e31afe 100644 -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -+interface(`virt_read_tmpfs_files',` ++interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ allow $1 virt_tmpfs_type:file manage_file_perms; ') ######################################## ## -## Create, read, write, and delete -## virt cache content. -+## allow domain to manage -+## virt tmpfs files ++## Create .virt directory in the user home directory ++## with an correct label. ## ## ## --## Domain allowed access. -+## Domain allowed access +@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',` ## ## # -interface(`virt_manage_virt_cache',` -+interface(`virt_manage_tmpfs_files',` ++interface(`virt_filetrans_home_content',` gen_require(` - type virt_cache_t; -+ attribute virt_tmpfs_type; ++ type virt_home_t; ++ type svirt_home_t; ') - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -+ allow $1 virt_tmpfs_type:file manage_file_perms; ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ ++ optional_policy(` ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ ') ') ######################################## ## -## Create, read, write, and delete -## virt image files. 
-+## Create .virt directory in the user home directory -+## with an correct label. ++## Dontaudit attempts to Read virt_image_type devices. ## ## ## -@@ -1091,95 +1016,169 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',` ## ## # -interface(`virt_manage_images',` -+interface(`virt_filetrans_home_content',` ++interface(`virt_dontaudit_read_chr_dev',` gen_require(` - type virt_var_lib_t; -- attribute virt_image_type; -+ type virt_home_t; -+ type svirt_home_t; + attribute virt_image_type; ') - virt_search_lib($1) 
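Review bot: `virt_manage_tmpfs_files` grants `manage_file_perms` on the whole `virt_tmpfs_type` attribute, so a caller can create, write and unlink tmpfs files of every virt domain at once rather than of a single guest; whatever per-guest separation then remains rests on MCS categories rather than on type enforcement. If the intended caller only needs one guest's tmpfs, a type-scoped variant would keep the guests apart. The summary for this interface (`## allow domain to manage` / `## virt tmpfs files`) should at least say that it is attribute-wide, e.g. `## Manage tmpfs files of all virt domains (virt_tmpfs_type).`; the sibling `virt_read_tmpfs_files` in the same hunk has the same breadth and could get the same wording.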
@@ -92376,97 +92388,43 @@ index 9dec06c..4e31afe 100644 - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++') - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) -- ') -- -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files($1) -- fs_manage_cifs_files($1) -- fs_read_cifs_symlinks($1) -+ optional_policy(` -+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") -+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") -+ gnome_data_filetrans($1, svirt_home_t, dir, "images") - ') - ') - - ######################################## - ## --## All of the rules required to --## administrate an virt environment. -+## Dontaudit attempts to Read virt_image_type devices. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`virt_dontaudit_read_chr_dev',` -+ gen_require(` -+ attribute virt_image_type; -+ ') -+ -+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; -+') -+ +######################################## +## +## Creates types and rules for a basic +## virt_lxc process domain. +## +## - ## --## Role allowed access. ++## +## Prefix for the domain. 
- ## - ## --## - # --interface(`virt_admin',` ++## ++## ++# +template(`virt_sandbox_domain_template',` - gen_require(` -- attribute virt_domain, virt_image_type, virt_tmpfs_type; -- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; -- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; -- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t; -- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; -- type virt_var_run_t, virt_tmp_t, virt_log_t; -- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; -- type virt_etc_t, svirt_cache_t; ++ gen_require(` + attribute svirt_sandbox_domain; ') -- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; -- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) -- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; - -- init_labeled_script_domtrans($1, virtd_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 virtd_initrc_exec_t system_r; -- allow $2 system_r; ++ + kernel_read_system_state($1_t) +') - -- fs_search_tmpfs($1) -- admin_pattern($1, virt_tmpfs_type) ++ +######################################## +## +## Make the specified type usable as a lxc domain 
@@ -92481,14 +92439,10 @@ index 9dec06c..4e31afe 100644 + gen_require(` + attribute svirt_sandbox_domain; + ') - -- files_search_tmp($1) -- admin_pattern($1, { virt_tmp_type virt_tmp_t }) ++ + typeattribute $1 svirt_sandbox_domain; +') - -- files_search_etc($1) -- admin_pattern($1, { virt_etc_t virt_etc_rw_t }) ++ +######################################## +## +## Execute a qemu_exec_t in the callers domain @@ -92503,14 +92457,10 @@ index 9dec06c..4e31afe 100644 + gen_require(` + type qemu_exec_t; + ') - -- logging_search_logs($1) -- admin_pattern($1, virt_log_t) ++ + can_exec($1, qemu_exec_t) +') - -- files_search_pids($1) -- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) ++ +######################################## +## +## Transition to virt named content @@ -92526,16 +92476,12 @@ index 9dec06c..4e31afe 100644 + type virt_lxc_var_run_t; + type virt_var_run_t; + ') - -- files_search_var($1) -- admin_pattern($1, svirt_cache_t) ++ + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +') - -- files_search_var_lib($1) -- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) ++ +######################################## +## +## Execute qemu in the svirt domain, and @@ -92564,9 +92510,7 @@ index 9dec06c..4e31afe 100644 + + allow svirt_sandbox_domain $1:process sigchld; +') - -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) ++ +######################################## +## +## Read and write to svirt_image devices. 
@@ -92580,17 +92524,97 @@ index 9dec06c..4e31afe 100644 +interface(`virt_rw_svirt_dev',` + gen_require(` + type svirt_image_t; + ') ++ ++ allow $1 svirt_image_t:chr_file rw_file_perms; + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an virt environment. ++## All of the rules required to administrate ++## an virt environment + ## + ## + ## +@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',` + # + interface(`virt_admin',` + gen_require(` +- attribute virt_domain, virt_image_type, virt_tmpfs_type; +- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; +- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; +- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t; +- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; +- type virt_var_run_t, virt_tmp_t, virt_log_t; +- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; +- type virt_etc_t, svirt_cache_t; ++ attribute virt_domain; ++ attribute virt_system_domain; ++ attribute svirt_file_type; ++ attribute virt_file_type; ++ type virtd_initrc_exec_t; + ') + +- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; +- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) +- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) ++ allow $1 virt_system_domain:process signal_perms; ++ allow $1 virt_domain:process signal_perms; ++ ps_process_pattern($1, virt_system_domain) ++ ps_process_pattern($1, virt_domain) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 virt_system_domain:process ptrace; ++ allow $1 virt_domain:process ptrace; + ') + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + +- fs_search_tmpfs($1) +- admin_pattern($1, virt_tmpfs_type) +- +- files_search_tmp($1) +- 
admin_pattern($1, { virt_tmp_type virt_tmp_t }) +- +- files_search_etc($1) +- admin_pattern($1, { virt_etc_t virt_etc_rw_t }) +- +- logging_search_logs($1) +- admin_pattern($1, virt_log_t) ++ allow $1 virt_domain:process signal_perms; + +- files_search_pids($1) +- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) +- +- files_search_var($1) +- admin_pattern($1, svirt_cache_t) +- +- files_search_var_lib($1) +- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) ++ admin_pattern($1, virt_file_type) ++ admin_pattern($1, svirt_file_type) + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++ virt_systemctl($1) ++ allow $1 virtd_unit_file_t:service all_service_perms; + - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; -+ allow $1 svirt_image_t:chr_file rw_file_perms; ++ virt_stream_connect_sandbox($1) ++ virt_stream_connect_svirt($1) ++ virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..50f7cf9 100644 +index 1f22fba..924d71c 100644 --- a/virt.te +++ b/virt.te -@@ -1,94 +1,104 @@ +@@ -1,147 +1,166 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) @@ -92600,17 +92624,20 @@ index 1f22fba..50f7cf9 100644 # +attribute virsh_transition_domain; +attribute virt_ptynode; ++attribute virt_system_domain; +attribute virt_domain; +attribute virt_image_type; +attribute virt_tmpfs_type; ++attribute svirt_file_type; ++attribute virt_file_type; + -+type svirt_tmp_t; ++type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + -+type svirt_tmpfs_t, virt_tmpfs_type; ++type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + -+type svirt_image_t, virt_image_type; ++type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) 
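Review bot: In the rewritten `virt_admin` body, `allow $1 virtd_unit_file_t:service all_service_perms;` uses `virtd_unit_file_t` although the interface's gen_require block only declares virt_domain, virt_system_domain, svirt_file_type, virt_file_type and virtd_initrc_exec_t; add `type virtd_unit_file_t;` there so the interface is self-contained instead of depending on `virt_systemctl($1)` having required it. `allow $1 virt_domain:process signal_perms;` now appears twice in the same body, once beside the ps_process_pattern calls and again after the role rules, and the second copy should be removed. The new `tunable_policy(`deny_ptrace',`',` block is the right place for the ptrace grants, but it is worth a short comment that ptrace on virt_domain is withheld only when the boolean is set.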
@@ -92743,55 +92770,83 @@ index 1f22fba..50f7cf9 100644 -virt_domain_template(svirt) -virt_domain_template(svirt_prot_exec) -+type qemu_exec_t; ++type qemu_exec_t, virt_file_type; - type virt_cache_t alias svirt_cache_t; +-type virt_cache_t alias svirt_cache_t; ++type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) -@@ -105,27 +115,25 @@ userdom_user_home_content(virt_home_t) - type svirt_home_t; + +-type virt_etc_t; ++type virt_etc_t, virt_file_type; + files_config_file(virt_etc_t) + +-type virt_etc_rw_t; ++type virt_etc_rw_t, virt_file_type; + files_type(virt_etc_rw_t) + +-type virt_home_t; ++type virt_home_t, virt_file_type; + userdom_user_home_content(virt_home_t) + +-type svirt_home_t; ++type svirt_home_t, svirt_file_type; userdom_user_home_content(svirt_home_t) -type svirt_var_run_t; -files_pid_file(svirt_var_run_t) -mls_trusted_object(svirt_var_run_t) - +-type virt_image_t; # customizable +# virt Image files - type virt_image_t; # customizable ++type virt_image_t, virt_file_type; # customizable virt_image(virt_image_t) files_mountpoint(virt_image_t) +-type virt_content_t; # customizable +# virt Image files - type virt_content_t; # customizable ++type virt_content_t, virt_file_type; # customizable virt_image(virt_content_t) userdom_user_home_content(virt_content_t) -type virt_lock_t; -files_lock_file(virt_lock_t) -+type virt_tmp_t; ++type virt_tmp_t, virt_file_type; +files_tmp_file(virt_tmp_t) - type virt_log_t; +-type virt_log_t; ++type virt_log_t, virt_file_type; logging_log_file(virt_log_t) mls_trusted_object(virt_log_t) -type virt_tmp_t; -files_tmp_file(virt_tmp_t) -+type virt_lock_t; ++type virt_lock_t, virt_file_type; +files_lock_file(virt_lock_t) - type virt_var_run_t; +-type virt_var_run_t; ++type virt_var_run_t, virt_file_type; files_pid_file(virt_var_run_t) -@@ -139,9 +147,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) + +-type virt_var_lib_t; ++type virt_var_lib_t, virt_file_type; + files_mountpoint(virt_var_lib_t) + 
+-type virtd_t; +-type virtd_exec_t; ++type virtd_t, virt_system_domain; ++type virtd_exec_t, virt_file_type; + init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) -+type virtd_unit_file_t; +-type virtd_initrc_exec_t; ++type virtd_unit_file_t, virt_file_type; +systemd_unit_file(virtd_unit_file_t) + - type virtd_initrc_exec_t; ++type virtd_initrc_exec_t, virt_file_type; init_script_file(virtd_initrc_exec_t) -+type qemu_var_run_t; ++type qemu_var_run_t, virt_file_type; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) @@ -92799,14 +92854,22 @@ index 1f22fba..50f7cf9 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -155,290 +171,134 @@ type virt_qmf_exec_t; +@@ -150,295 +169,139 @@ ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + ') + +-type virt_qmf_t; +-type virt_qmf_exec_t; ++type virt_qmf_t, virt_system_domain; ++type virt_qmf_exec_t, virt_file_type; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) - type virt_bridgehelper_t; +-type virt_bridgehelper_t; -type virt_bridgehelper_exec_t; ++type virt_bridgehelper_t, virt_system_domain; domain_type(virt_bridgehelper_t) + -+type virt_bridgehelper_exec_t; ++type virt_bridgehelper_exec_t, virt_file_type; domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) -role virt_bridgehelper_roles types virt_bridgehelper_t; +role system_r types virt_bridgehelper_t; 
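Review bot: `virt_file_type` is attached here to entrypoint types (`qemu_exec_t`, `virtd_exec_t`), and the following hunks do the same for `virtd_unit_file_t` and `virtd_initrc_exec_t` (@@ -92799), `virt_qmf_exec_t`, `virt_bridgehelper_exec_t`, `virt_qemu_ga_exec_t` and `virt_qemu_ga_unconfined_exec_t` (@@ -92815), `virtd_lxc_exec_t` (@@ -92984) and `virsh_exec_t` (@@ -93679), while the rewritten `virt_admin` grants `admin_pattern($1, virt_file_type)`, which in refpolicy expands to manage and relabel permissions. That gives every domain given virt_admin write and relabel access to the libvirt/qemu binaries, the init script and the systemd unit file, a wider grant than the data-type admin_pattern rules it replaces. If that is intended, a comment next to `attribute virt_file_type;` (declared in the preceding @@ -92600 hunk) should say so; otherwise keep executables and unit files out of the attribute, or group them under a separate attribute that admin_pattern does not cover. The same hunk also adds the comment `# virt Image files` twice, once above virt_image_t and once above virt_content_t, and the second copy should describe content files.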
@@ -92815,33 +92878,33 @@ index 1f22fba..50f7cf9 100644 -type virtd_lxc_exec_t; -init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) +# policy for qemu_ga -+type virt_qemu_ga_t; -+type virt_qemu_ga_exec_t; ++type virt_qemu_ga_t, virt_system_domain; ++type virt_qemu_ga_exec_t, virt_file_type; +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) -type virtd_lxc_var_run_t; -files_pid_file(virtd_lxc_var_run_t) -+type virt_qemu_ga_var_run_t; ++type virt_qemu_ga_var_run_t, virt_file_type; +files_pid_file(virt_qemu_ga_var_run_t) -type svirt_lxc_file_t; -files_mountpoint(svirt_lxc_file_t) -fs_noxattr_type(svirt_lxc_file_t) -term_pty(svirt_lxc_file_t) -+type virt_qemu_ga_log_t; ++type virt_qemu_ga_log_t, virt_file_type; +logging_log_file(virt_qemu_ga_log_t) -virt_lxc_domain_template(svirt_lxc_net) -+type virt_qemu_ga_tmp_t; ++type virt_qemu_ga_tmp_t, virt_file_type; +files_tmp_file(virt_qemu_ga_tmp_t) -type virsh_t; -type virsh_exec_t; -init_system_domain(virsh_t, virsh_exec_t) -+type virt_qemu_ga_data_t; ++type virt_qemu_ga_data_t, virt_file_type; +files_type(virt_qemu_ga_data_t) + -+type virt_qemu_ga_unconfined_exec_t; ++type virt_qemu_ga_unconfined_exec_t, virt_file_type; +application_executable_file(virt_qemu_ga_unconfined_exec_t) ######################################## @@ -92984,8 +93047,8 @@ index 1f22fba..50f7cf9 100644 - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') -+type virtd_lxc_t; -+type virtd_lxc_exec_t; ++type virtd_lxc_t, virt_system_domain; ++type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) -tunable_policy(`virt_use_samba',` @@ -92994,7 +93057,7 @@ index 1f22fba..50f7cf9 100644 - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') -+type virt_lxc_var_run_t; ++type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; 
@@ -93002,7 +93065,7 @@ index 1f22fba..50f7cf9 100644 - dev_rw_sysfs(virt_domain) -') +# virt lxc container files -+type svirt_sandbox_file_t alias svirt_lxc_file_t; ++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; +files_mountpoint(svirt_sandbox_file_t) -tunable_policy(`virt_use_usb',` @@ -93068,9 +93131,7 @@ index 1f22fba..50f7cf9 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) @@ -93094,7 +93155,9 @@ index 1f22fba..50f7cf9 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) @@ -93170,7 +93233,7 @@ index 1f22fba..50f7cf9 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +311,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -93217,7 +93280,7 @@ index 1f22fba..50f7cf9 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +343,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +346,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -93239,7 +93302,7 @@ index 1f22fba..50f7cf9 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +356,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +359,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -93247,7 +93310,7 @@ index 1f22fba..50f7cf9 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +364,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +367,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -93275,7 +93338,7 @@ index 1f22fba..50f7cf9 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +384,24 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +387,24 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -93305,7 +93368,7 @@ index 1f22fba..50f7cf9 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +432,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +435,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -93325,7 +93388,7 @@ index 1f22fba..50f7cf9 100644 selinux_validate_context(virtd_t) -@@ -613,18 +454,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +457,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -93362,7 +93425,7 @@ index 1f22fba..50f7cf9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +482,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +485,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -93371,7 +93434,7 @@ index 1f22fba..50f7cf9 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +507,12 @@ optional_policy(` +@@ -658,20 +510,12 @@ optional_policy(` ') optional_policy(` @@ -93392,7 +93455,7 @@ index 1f22fba..50f7cf9 100644 ') optional_policy(` -@@ -684,14 +525,20 @@ optional_policy(` +@@ -684,14 +528,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -93415,7 +93478,7 @@ index 1f22fba..50f7cf9 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +551,13 @@ optional_policy(` +@@ -704,11 +554,13 @@ optional_policy(` ') optional_policy(` @@ -93429,7 +93492,7 @@ index 1f22fba..50f7cf9 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +568,18 @@ optional_policy(` +@@ -719,10 +571,18 @@ optional_policy(` ') optional_policy(` @@ -93448,7 +93511,7 @@ index 1f22fba..50f7cf9 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +594,262 @@ optional_policy(` +@@ -737,44 +597,262 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -93493,10 +93556,6 @@ index 1f22fba..50f7cf9 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) -+ -+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) -+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) -+files_var_filetrans(virt_domain, virt_cache_t, { file dir }) -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -93504,6 +93563,13 @@ index 1f22fba..50f7cf9 100644 -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) ++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) ++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) ++files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) 
@@ -93535,18 +93601,15 @@ index 1f22fba..50f7cf9 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -+dontaudit virt_domain virt_tmpfs_type:file { read write }; - -dontaudit virsh_t virt_var_lib_t:file read_file_perms; -+append_files_pattern(virt_domain, virt_log_t, virt_log_t) ++dontaudit virt_domain virt_tmpfs_type:file { read write }; -allow virsh_t svirt_lxc_domain:process transition; -+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) ++append_files_pattern(virt_domain, virt_log_t, virt_log_t) -can_exec(virsh_t, virsh_exec_t) ++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) ++ +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -93623,7 +93686,7 @@ index 1f22fba..50f7cf9 100644 + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') - ++ +optional_policy(` + xserver_rw_shm(virt_domain) +') @@ -93679,13 +93742,13 @@ index 1f22fba..50f7cf9 100644 + xserver_stream_connect(virt_domain) + ') +') -+ + +######################################## +# +# xm local policy +# -+type virsh_t; -+type virsh_exec_t; ++type virsh_t, virt_system_domain; ++type virsh_exec_t, virt_file_type; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; @@ -93733,7 +93796,7 @@ index 1f22fba..50f7cf9 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +860,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +863,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
@@ -93760,7 +93823,7 @@ index 1f22fba..50f7cf9 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +880,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +883,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -93792,7 +93855,7 @@ index 1f22fba..50f7cf9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +913,20 @@ optional_policy(` +@@ -847,14 +916,20 @@ optional_policy(` ') optional_policy(` @@ -93814,7 +93877,7 @@ index 1f22fba..50f7cf9 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +951,65 @@ optional_policy(` +@@ -879,49 +954,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -93898,7 +93961,7 @@ index 1f22fba..50f7cf9 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1021,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1024,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -93918,7 +93981,7 @@ index 1f22fba..50f7cf9 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1042,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1045,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -93942,7 +94005,7 @@ index 1f22fba..50f7cf9 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1067,247 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1070,251 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -93958,17 +94021,21 @@ index 1f22fba..50f7cf9 100644 +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) -+') -miscfiles_read_localization(virtd_lxc_t) -+optional_policy(` -+ gnome_read_generic_cache_files(virtd_lxc_t) ++ optional_policy(` ++ hal_dbus_chat(virtd_lxc_t) ++ ') +') -seutil_domtrans_setfiles(virtd_lxc_t) -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` ++ gnome_read_generic_cache_files(virtd_lxc_t) ++') ++ ++optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') @@ -94063,6 +94130,11 @@ index 1f22fba..50f7cf9 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) ++ ++optional_policy(` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -94147,26 +94219,21 @@ index 1f22fba..50f7cf9 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') -+ -+optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') -+ -+optional_policy(` -+ ssh_use_ptys(svirt_sandbox_domain) -+') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ udev_read_pid_files(svirt_sandbox_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ udev_read_pid_files(svirt_sandbox_domain) ++') ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ') 
@@ -94274,8 +94341,7 @@ index 1f22fba..50f7cf9 100644 + +kernel_read_network_state(svirt_qemu_net_t) +kernel_read_irq_sysctls(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) @@ -94288,7 +94354,8 @@ index 1f22fba..50f7cf9 100644 +corenet_udp_bind_all_ports(svirt_qemu_net_t) +corenet_tcp_bind_all_ports(svirt_qemu_net_t) +corenet_tcp_connect_all_ports(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +files_read_kernel_modules(svirt_qemu_net_t) + +fs_noxattr_type(svirt_sandbox_file_t) @@ -94320,7 +94387,7 @@ index 1f22fba..50f7cf9 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1320,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1327,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -94335,7 +94402,7 @@ index 1f22fba..50f7cf9 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1338,8 @@ optional_policy(` +@@ -1183,9 +1345,8 @@ optional_policy(` ######################################## # @@ -94346,7 +94413,7 @@ index 1f22fba..50f7cf9 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1352,123 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1359,124 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
@@ -94378,8 +94445,9 @@ index 1f22fba..50f7cf9 100644 +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) + ++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) -+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file ) ++logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file }) + +kernel_read_system_state(virt_qemu_ga_t) + @@ -94438,7 +94506,7 @@ index 1f22fba..50f7cf9 100644 +# + +optional_policy(` -+ type virt_qemu_ga_unconfined_t; ++ type virt_qemu_ga_unconfined_t, virt_domain; + domain_type(virt_qemu_ga_unconfined_t) + + domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) @@ -95190,7 +95258,7 @@ index cdca8c7..3c09628 100644 manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) ') diff --git a/wine.if b/wine.if -index fd2b6cc..4b83bb0 100644 +index fd2b6cc..52a2e72 100644 --- a/wine.if +++ b/wine.if @@ -1,46 +1,57 @@ @@ -95272,22 +95340,24 @@ index fd2b6cc..4b83bb0 100644 ') ####################################### -@@ -72,24 +83,23 @@ interface(`wine_role',` +@@ -72,31 +83,25 @@ interface(`wine_role',` # template(`wine_role_template',` gen_require(` + type wine_t; ++ attribute wine_domain; type wine_exec_t; ') - type $1_wine_t; +- type $1_wine_t; - userdom_user_application_domain($1_wine_t, wine_exec_t) ++ type $1_wine_t, wine_domain; + domain_type($1_wine_t) + domain_entry_file($1_wine_t, wine_exec_t) + ubac_constrained($1_wine_t) role $2 types $1_wine_t; - - allow $1_wine_t self:process { execmem execstack }; +- +- allow $1_wine_t self:process { execmem execstack }; - - allow $3 $1_wine_t:process { ptrace noatsecure signal_perms }; - ps_process_pattern($3, $1_wine_t) 
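Review bot: `type virt_qemu_ga_unconfined_t, virt_domain;` in the @@ -94438 hunk puts the guest-agent type under the `virt_domain` attribute, so it inherits every virt_domain rule added earlier in this patch: `filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, ...)`, the svirt_home_t and virt_cache_t manage rules, `append_files_pattern(virt_domain, virt_log_t, ...)`, `corecmd_exec_bin`/`corecmd_exec_shell`, and the signal/ptrace grants in `virt_admin`. Those rules were written for the qemu/svirt guest processes, whereas the surrounding virt_qemu_ga_t rules (its own data, log and tmp types) describe an agent, so the attribute looks broader than needed; `virt_system_domain`, used for virtd_t, virsh_t and the other daemons in this patch, would give virt_admin the same control with fewer side effects. The declaration sits inside an `optional_policy` block whose condition is outside this hunk; a one-line comment stating why the agent is a virt_domain would settle it either way.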
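Review bot: In `wine_role_template` (the @@ -95272 hunk), replacing `userdom_user_application_domain($1_wine_t, wine_exec_t)` with `domain_type`/`domain_entry_file`/`ubac_constrained` reproduces only part of what that interface did; in refpolicy it also applies `application_domain()`, so `$1_wine_t` would no longer carry the application domain attribute and rules keyed on it may stop matching — either confirm that is intended or call `application_domain($1_wine_t, wine_exec_t)` in place of the domain_type/domain_entry_file pair. Dropping `allow $1_wine_t self:process { execmem execstack };` relies on the shared rule in wine.te, but that rule is `{ execstack execmem execheap }` and wine_domain also receives `files_execmod_all_files`, so the per-user wine domains gain permissions they did not have before; that widening deserves a mention in the changelog entry. The template's body continues past this hunk into @@ -95304.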
@@ -95304,18 +95374,14 @@ index fd2b6cc..4b83bb0 100644 domain_mmap_low($1_wine_t) -@@ -97,6 +107,10 @@ template(`wine_role_template',` - dontaudit $1_wine_t self:memprotect mmap_zero; - ') - -+ tunable_policy(`wine_mmap_zero_ignore',` -+ dontaudit $1_wine_t self:memprotect mmap_zero; -+ ') -+ +- tunable_policy(`wine_mmap_zero_ignore',` +- dontaudit $1_wine_t self:memprotect mmap_zero; +- ') +- optional_policy(` xserver_role($1_r, $1_wine_t) ') -@@ -123,9 +137,8 @@ interface(`wine_domtrans',` +@@ -123,9 +128,8 @@ interface(`wine_domtrans',` ######################################## ## @@ -95327,7 +95393,7 @@ index fd2b6cc..4b83bb0 100644 ## ## ## -@@ -140,11 +153,11 @@ interface(`wine_domtrans',` +@@ -140,11 +144,11 @@ interface(`wine_domtrans',` # interface(`wine_run',` gen_require(` @@ -95342,29 +95408,104 @@ index fd2b6cc..4b83bb0 100644 ######################################## diff --git a/wine.te b/wine.te -index b51923c..2641d0b 100644 +index b51923c..8e47110 100644 --- a/wine.te 
+++ b/wine.te -@@ -38,7 +38,10 @@ allow wine_t self:fifo_file manage_fifo_file_perms; +@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1) + ## + gen_tunable(wine_mmap_zero_ignore, false) - can_exec(wine_t, wine_exec_t) ++attribute wine_domain; + attribute_role wine_roles; + roleattribute system_r wine_roles; -+manage_files_pattern(wine_t, wine_home_t, wine_home_t) -+manage_dirs_pattern(wine_t, wine_home_t, wine_home_t) - userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") -+userdom_tmpfs_filetrans(wine_t, file) +-type wine_t; ++type wine_t, wine_domain; + type wine_exec_t; + userdom_user_application_domain(wine_t, wine_exec_t) + role wine_roles types wine_t; +@@ -25,56 +26,57 @@ role wine_roles types wine_t; + type wine_home_t; + userdom_user_home_content(wine_home_t) - manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) - manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -@@ -48,7 +51,7 @@ domain_mmap_low(wine_t) +-type wine_tmp_t; +-userdom_user_tmp_file(wine_tmp_t) +- + ######################################## + # + # Local policy + # ++domain_mmap_low(wine_t) ++ ++optional_policy(` ++ unconfined_domain(wine_t) ++') + +-allow wine_t self:process { execstack execmem execheap }; +-allow wine_t self:fifo_file manage_fifo_file_perms; + +-can_exec(wine_t, wine_exec_t) ++######################################## ++# ++# Common wine domain policy ++# - files_execmod_all_files(wine_t) +-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") ++allow wine_domain self:process { execstack execmem execheap }; ++allow wine_domain self:fifo_file manage_fifo_file_perms; + +-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) +-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) +-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) ++can_exec(wine_domain, wine_exec_t) + +-domain_mmap_low(wine_t) ++manage_files_pattern(wine_domain, wine_home_t, wine_home_t) ++manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) 
++userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine") ++userdom_tmpfs_filetrans(wine_domain, file) + +-files_execmod_all_files(wine_t) ++files_execmod_all_files(wine_domain) -userdom_use_user_terminals(wine_t) -+userdom_use_inherited_user_terminals(wine_t) ++userdom_use_inherited_user_terminals(wine_domain) tunable_policy(`wine_mmap_zero_ignore',` - dontaudit wine_t self:memprotect mmap_zero; +- dontaudit wine_t self:memprotect mmap_zero; ++ dontaudit wine_domain self:memprotect mmap_zero; + ') + + optional_policy(` +- dbus_system_bus_client(wine_t) ++ dbus_system_bus_client(wine_domain) + + optional_policy(` +- hal_dbus_chat(wine_t) ++ hal_dbus_chat(wine_domain) + ') + + optional_policy(` +- policykit_dbus_chat(wine_t) ++ policykit_dbus_chat(wine_domain) + ') + ') + + optional_policy(` +- rtkit_scheduled(wine_t) +-') +- +-optional_policy(` +- unconfined_domain(wine_t) ++ rtkit_scheduled(wine_domain) + ') + + optional_policy(` +- xserver_read_xdm_pid(wine_t) +- xserver_rw_shm(wine_t) ++ xserver_read_xdm_pid(wine_domain) ++ xserver_rw_shm(wine_domain) + ') diff --git a/wireshark.te b/wireshark.te index cf5cab6..a2d910f 100644 --- a/wireshark.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 8239e16..427995a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 81%{?dist} +Release: 82%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -570,6 +570,30 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Sep 25 2013 Miroslav Grepl 3.12.1-82 +- wine_tmp is no longer needed +- Allow setroubleshoot to look at /proc +- Allow telepathy domains to dbus with systemd logind +- Fix handling of fifo files of rpm +- Allow mozilla_plugin to transition to itself +- Allow certwatch to write to cert_t directories +- New abrt application +- Allow NetworkManager to set the kernel scheduler +- Make wine_domain shared by all wine domains +- Allow mdadm_t to read images labeled svirt_image_t +- Allow amanda to read /dev/urand +- ALlow my_print_default to read /dev/urand +- Allow mdadm to write to kdumpctl fifo files +- Allow nslcd to send signull to itself +- Allow yppasswd to read /dev/urandom +- Fix zarafa_setrlimit +- Add support for /var/lib/php/wsdlcache +- Add zarafa_setrlimit boolean +- Allow fetchmail to send mails +- Add additional alias for user_tmp_t because wine_tmp_t is no longer used +- More handling of ther kernel keyring required by kerberos +- New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed + * Thu Sep 19 2013 Miroslav Grepl 3.12.1-81 - Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cups to print