-@@ -34,6 +35,7 @@ type xen_image_t; # customizable +@@ -65,6 +66,7 @@ type xen_image_t; # customizable files_type(xen_image_t) # xen_image_t can be assigned to blk devices dev_node(xen_image_t) @@ -53726,7 +53689,7 @@ index f661f5a..600d43f 100644 type xenctl_t; files_type(xenctl_t) -@@ -89,11 +91,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) +@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) type xenconsoled_var_run_t; files_pid_file(xenconsoled_var_run_t) @@ -53735,27 +53698,10 @@ index f661f5a..600d43f 100644 -domain_type(xm_t) -init_system_domain(xm_t, xm_exec_t) - - ####################################### - # - # evtchnd local policy -@@ -113,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) - # xend local policy + ######################################## # - --allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw }; -+allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw }; - dontaudit xend_t self:capability { sys_ptrace }; - allow xend_t self:process { signal sigkill }; - dontaudit xend_t self:process ptrace; -@@ -228,6 +225,7 @@ logging_send_syslog_msg(xend_t) - lvm_domtrans(xend_t) - - miscfiles_read_localization(xend_t) -+miscfiles_read_hwdata(xend_t) - - mount_domtrans(xend_t) - -@@ -245,6 +243,8 @@ xen_stream_connect_xenstore(xend_t) + # blktap local policy +@@ -341,6 +338,8 @@ xen_stream_connect_xenstore(xend_t) netutils_domtrans(xend_t) @@ -53764,7 +53710,7 @@ index f661f5a..600d43f 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -317,9 +317,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +412,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file 
@@ -53776,23 +53722,19 @@ index f661f5a..600d43f 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -346,6 +347,7 @@ dev_read_sysfs(xenstored_t) +@@ -442,9 +442,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) +fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) - storage_raw_read_fixed_disk(xenstored_t) -@@ -353,6 +355,7 @@ storage_raw_write_fixed_disk(xenstored_t) - storage_raw_read_removable_device(xenstored_t) - term_use_generic_ptys(xenstored_t) +term_use_console(xenconsoled_t) init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -365,98 +368,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +459,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -53842,8 +53784,6 @@ index f661f5a..600d43f 100644 -fs_manage_xenfs_dirs(xm_t) -fs_manage_xenfs_files(xm_t) - --storage_raw_read_fixed_disk(xm_t) -- -term_use_all_terms(xm_t) - -init_stream_connect_script(xm_t) @@ -53891,7 +53831,7 @@ index f661f5a..600d43f 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -469,8 +383,4 @@ optional_policy(` +@@ -559,8 +474,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') @@ -54042,7 +53982,7 @@ index f7380b3..51867f6 100644 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --git a/policy/users b/policy/users -index c4ebc7e..be2a04c 100644 +index c4ebc7e..30d6d7a 100644 --- a/policy/users +++ b/policy/users @@ -15,7 +15,7 @@ 
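Review bot: The line `+term_use_console(xenconsoled_t)` that the rebased inner hunk `@@ -442,9 +442,11 @@ files_read_etc_files(xenstored_t)` now carries sits between `term_use_generic_ptys(xenstored_t)` and `init_use_fds(xenstored_t)`, which from the surrounding rules appears to be the xenstored local policy block, yet the rule it grants is for xenconsoled_t. Now that the commit merges it with `+fs_search_xenfs(xenstored_t)` into one hunk, a reader auditing xenstored_t's terminal access will read it as part of that domain's rules. If the placement is deliberate, a comment such as `# grants xenconsoled_t, not xenstored_t; kept here to match upstream layout` above the line would prevent the misread; otherwise the rule belongs in the xenconsoled local policy section, which lies outside this hunk. The collapsed layout has lost the leading diff markers, so whether this line is added by the commit or only carried as context cannot be confirmed from the text.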
@@ -54054,15 +53994,17 @@ index c4ebc7e..be2a04c 100644 # # user_u is a generic user identity for Linux users who have no -@@ -25,11 +25,8 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) + # SELinux user identity for a Linux user. If you do not want to # permit any access to such users, then remove this entry. # - gen_user(user_u, user, user_r, s0, s0) +-gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) ++gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)