##
## Allow the specified domain to
@@ -20943,7 +20972,7 @@ index 8416beb..f7a29fe 100644
## Example attributes:
##
##
-@@ -4596,6 +6084,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6141,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -20970,7 +20999,7 @@ index 8416beb..f7a29fe 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6179,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6236,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -20996,7 +21025,7 @@ index 8416beb..f7a29fe 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6439,173 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6496,173 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -37425,7 +37454,7 @@ index 79a45f6..d092e6e 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..022bbb7 100644
+index 17eda24..b37411d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37550,7 +37579,7 @@ index 17eda24..022bbb7 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -108,14 +161,47 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +161,48 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
@@ -37594,8 +37623,9 @@ index 17eda24..022bbb7 100644
+files_pid_filetrans(init_t, init_var_run_t, { dir file blk_file chr_file fifo_file})
+allow init_t init_var_run_t:dir mounton;
+allow init_t init_var_run_t:sock_file relabelto;
-+allow init_t init_var_run_t:blk_file getattr;
-+allow init_t init_var_run_t:chr_file getattr;
++allow init_t init_var_run_t:blk_file { getattr relabelto };
++allow init_t init_var_run_t:chr_file { getattr relabelto };
++allow init_t init_var_run_t:fifo_file { getattr relabelto };
+
+allow init_t machineid_t:file manage_file_perms;
+files_pid_filetrans(init_t, machineid_t, file, "machine-id")
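Review bot: The three `relabelto` grants on init_var_run_t blk_file/chr_file/fifo_file carry no comment explaining what init relabels under its runtime directory, and the fifo_file grant has no visible relabelfrom counterpart in this diff (the blk/chr side presumably pairs with the fs_relabel_tmpfs_blk_file/chr_file calls added further down in init.te). A relabel needs relabelfrom on the source type and relabelto on the destination type, so without a matching source-side rule the fifo_file relabelto is either dead or relies on a grant not shown here — worth confirming before merge. Suggest a why-comment above the block, e.g. `# relabelto: init re-labels the device nodes and fifos it creates under /run — confirm the trigger (early tmpfs setup?)`. The enclosing init_t rule block continues outside the hunk.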
@@ -37604,7 +37634,7 @@ index 17eda24..022bbb7 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +211,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +212,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -37629,7 +37659,7 @@ index 17eda24..022bbb7 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +235,24 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +236,24 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -37655,7 +37685,7 @@ index 17eda24..022bbb7 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +261,72 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +262,72 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -37733,7 +37763,7 @@ index 17eda24..022bbb7 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +335,264 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +336,266 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37882,6 +37912,8 @@ index 17eda24..022bbb7 100644
+fs_manage_cgroup_files(init_t)
+fs_manage_hugetlbfs_dirs(init_t)
+fs_manage_tmpfs_dirs(init_t)
++fs_relabel_tmpfs_blk_file(init_t)
++fs_relabel_tmpfs_chr_file(init_t)
+fs_relabel_pstore_dirs(init_t)
+fs_relabel_tmpfs_dirs(init_t)
+fs_relabel_tmpfs_files(init_t)
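Review bot: The two inserted calls `fs_relabel_tmpfs_blk_file(init_t)` and `fs_relabel_tmpfs_chr_file(init_t)` reference interfaces whose definitions are not visible anywhere in this chunk; the filesystem.if hunks earlier in the diff only renumber offsets, so confirm the interface bodies are added in the same patch, otherwise the base module fails to build on an undefined macro. They also break the alphabetical ordering the surrounding fs_* list keeps (`pstore` sorts before `tmpfs`): move them to sit after `fs_relabel_pstore_dirs(init_t)` and before `fs_relabel_tmpfs_dirs(init_t)`. The enclosing rule block starts and ends outside the hunk.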
@@ -38007,7 +38039,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -216,7 +600,30 @@ optional_policy(`
+@@ -216,7 +603,30 @@ optional_policy(`
')
optional_policy(`
@@ -38039,7 +38071,7 @@ index 17eda24..022bbb7 100644
')
########################################
-@@ -225,9 +632,9 @@ optional_policy(`
+@@ -225,9 +635,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38051,7 +38083,7 @@ index 17eda24..022bbb7 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +665,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +668,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38068,7 +38100,7 @@ index 17eda24..022bbb7 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +690,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +693,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -38111,7 +38143,7 @@ index 17eda24..022bbb7 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +727,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +730,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -38123,7 +38155,7 @@ index 17eda24..022bbb7 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +739,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +742,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -38134,7 +38166,7 @@ index 17eda24..022bbb7 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +750,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +753,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -38144,7 +38176,7 @@ index 17eda24..022bbb7 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +759,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +762,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -38152,7 +38184,7 @@ index 17eda24..022bbb7 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +766,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +769,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38160,7 +38192,7 @@ index 17eda24..022bbb7 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +774,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +777,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -38178,7 +38210,7 @@ index 17eda24..022bbb7 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +792,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +795,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -38192,7 +38224,7 @@ index 17eda24..022bbb7 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +807,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +810,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -38206,7 +38238,7 @@ index 17eda24..022bbb7 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +820,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +823,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -38217,7 +38249,7 @@ index 17eda24..022bbb7 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +833,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +836,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -38225,7 +38257,7 @@ index 17eda24..022bbb7 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +852,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +855,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -38249,7 +38281,7 @@ index 17eda24..022bbb7 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +885,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +888,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -38257,7 +38289,7 @@ index 17eda24..022bbb7 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +919,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +922,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -38268,7 +38300,7 @@ index 17eda24..022bbb7 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +943,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +946,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -38277,7 +38309,7 @@ index 17eda24..022bbb7 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +958,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +961,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -38285,7 +38317,7 @@ index 17eda24..022bbb7 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +979,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +982,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -38293,7 +38325,7 @@ index 17eda24..022bbb7 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +989,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +992,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -38338,7 +38370,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -559,14 +1034,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1037,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -38370,7 +38402,7 @@ index 17eda24..022bbb7 100644
')
')
-@@ -577,6 +1069,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1072,39 @@ ifdef(`distro_suse',`
')
')
@@ -38410,7 +38442,7 @@ index 17eda24..022bbb7 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1114,8 @@ optional_policy(`
+@@ -589,6 +1117,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -38419,7 +38451,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -610,6 +1137,7 @@ optional_policy(`
+@@ -610,6 +1140,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -38427,7 +38459,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -626,6 +1154,17 @@ optional_policy(`
+@@ -626,6 +1157,17 @@ optional_policy(`
')
optional_policy(`
@@ -38445,7 +38477,7 @@ index 17eda24..022bbb7 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1181,13 @@ optional_policy(`
+@@ -642,9 +1184,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38459,7 +38491,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -657,15 +1200,11 @@ optional_policy(`
+@@ -657,15 +1203,11 @@ optional_policy(`
')
optional_policy(`
@@ -38477,7 +38509,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -686,6 +1225,15 @@ optional_policy(`
+@@ -686,6 +1228,15 @@ optional_policy(`
')
optional_policy(`
@@ -38493,7 +38525,7 @@ index 17eda24..022bbb7 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1274,7 @@ optional_policy(`
+@@ -726,6 +1277,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38501,7 +38533,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -743,7 +1292,13 @@ optional_policy(`
+@@ -743,7 +1295,13 @@ optional_policy(`
')
optional_policy(`
@@ -38516,7 +38548,7 @@ index 17eda24..022bbb7 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1321,10 @@ optional_policy(`
+@@ -766,6 +1324,10 @@ optional_policy(`
')
optional_policy(`
@@ -38527,7 +38559,7 @@ index 17eda24..022bbb7 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1334,20 @@ optional_policy(`
+@@ -775,10 +1337,20 @@ optional_policy(`
')
optional_policy(`
@@ -38548,7 +38580,7 @@ index 17eda24..022bbb7 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1356,10 @@ optional_policy(`
+@@ -787,6 +1359,10 @@ optional_policy(`
')
optional_policy(`
@@ -38559,7 +38591,7 @@ index 17eda24..022bbb7 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1381,6 @@ optional_policy(`
+@@ -808,8 +1384,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38568,7 +38600,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -818,6 +1389,10 @@ optional_policy(`
+@@ -818,6 +1392,10 @@ optional_policy(`
')
optional_policy(`
@@ -38579,7 +38611,7 @@ index 17eda24..022bbb7 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1402,12 @@ optional_policy(`
+@@ -827,10 +1405,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38592,7 +38624,7 @@ index 17eda24..022bbb7 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1434,62 @@ optional_policy(`
+@@ -857,21 +1437,62 @@ optional_policy(`
')
optional_policy(`
@@ -38656,7 +38688,7 @@ index 17eda24..022bbb7 100644
')
optional_policy(`
-@@ -887,6 +1505,10 @@ optional_policy(`
+@@ -887,6 +1508,10 @@ optional_policy(`
')
optional_policy(`
@@ -38667,7 +38699,7 @@ index 17eda24..022bbb7 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1519,218 @@ optional_policy(`
+@@ -897,3 +1522,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -40564,7 +40596,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..22f539c 100644
+index 446fa99..d66491c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -40588,7 +40620,7 @@ index 446fa99..22f539c 100644
+')
+
+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh)
+')
+
########################################
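Review bot: Changing the sulogin_t MLS range from `mls_systemhigh` to `s0 - mls_systemhigh` is a security-relevant widening that arrives without a comment; the third argument to init_ranged_daemon_domain sets the range the domain transition runs with, so the rescue shell domain may now run anywhere from s0 up to systemhigh instead of only at systemhigh. If that is the intent, say so in the policy: `# run sulogin with the full s0 - mls_systemhigh range so the rescue shell can be entered at any system level`. The enclosing ifdef block is fully visible; the surrounding sulogin_t rules are not.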
@@ -44461,7 +44493,7 @@ index d43f3b1..c5053db 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..593c90d 100644
+index 3822072..d358162 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -44952,7 +44984,15 @@ index 3822072..593c90d 100644
')
########################################
-@@ -999,6 +1363,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',`
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ manage_files_pattern($1, file_context_t, file_context_t)
++ manage_dirs_pattern($1, file_context_t, file_context_t)
+ ')
+
+ ########################################
+@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',`
########################################
##
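Review bot: Adding `manage_dirs_pattern($1, file_context_t, file_context_t)` to seutil_manage_file_contexts widens the interface from file management to directory creation/deletion under the file_context_t store, but the interface's `##` description block lies outside this hunk and is not touched, so callers reading the doc will not see that they now get dir management too. Update the summary to mention directories, e.g. `## Manage the file_contexts files and directories.`, and mention in the `<desc>` that directory create/delete on the store is granted. The interface body is otherwise outside the hunk; the inner header renumbering (+1363 to +1364) matches the single added line.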
@@ -44979,7 +45019,7 @@ index 3822072..593c90d 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1401,105 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -45087,7 +45127,7 @@ index 3822072..593c90d 100644
')
########################################
-@@ -1041,9 +1519,15 @@ interface(`seutil_manage_module_store',`
+@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',`
')
files_search_etc($1)
@@ -45103,7 +45143,7 @@ index 3822072..593c90d 100644
')
#######################################
-@@ -1067,6 +1551,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',`
#######################################
##
@@ -45128,7 +45168,7 @@ index 3822072..593c90d 100644
## Get trans lock on module store
##
##
-@@ -1137,3 +1639,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -46213,7 +46253,7 @@ index 40edc18..95f4458 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..8edb742 100644
+index 2cea692..1c74c66 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -46630,7 +46670,7 @@ index 2cea692..8edb742 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1053,143 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1053,144 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -46704,6 +46744,7 @@ index 2cea692..8edb742 100644
+ files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
+ files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
++ files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
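Review bot: The new `files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf")` sits between the `.resolv.conf` and `.resolv.conf.NetworkManager` symlink transitions with no note on why /etc/resolv.conf is expected to be created as a symlink rather than a file. A type_transition only labels objects the caller creates and grants no create permission by itself, so the risk is limited to mislabeling; still, a short comment such as `# /etc/resolv.conf may be created as a symlink by resolver managers; label the link itself net_conf_t` would tell maintainers which setups this serves. The enclosing interface starts before and ends after the hunk.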
@@ -46775,7 +46816,7 @@ index 2cea692..8edb742 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..162b975 100644
+index a392fc4..518cf50 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -46817,7 +46858,7 @@ index a392fc4..162b975 100644
ifdef(`distro_debian',`
init_daemon_run_dir(net_conf_t, "network")
-@@ -48,10 +61,10 @@ ifdef(`distro_debian',`
+@@ -48,10 +61,11 @@ ifdef(`distro_debian',`
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
@@ -46827,10 +46868,11 @@ index a392fc4..162b975 100644
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
++allow dhcpc_t self:cap_userns { net_bind_service };
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -64,8 +78,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
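Review bot: `allow dhcpc_t self:cap_userns { net_bind_service };` grants a capability that is only consulted inside a user namespace, and nothing in the hunk says which deployment puts the DHCP client in one; the conventional `self:capability` line two lines above already includes net_bind_service. Add the rationale, e.g. `# net_bind_service inside a user namespace — dhcp client started from a namespaced service manager; confirm`, so a later reviewer can tell whether the grant is still needed. Stylistically the module writes single permissions without braces, so `allow dhcpc_t self:cap_userns net_bind_service;` matches the file better. The dhcpc_t rule block continues outside the hunk.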
@@ -46842,7 +46884,7 @@ index a392fc4..162b975 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -74,6 +91,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -46851,7 +46893,7 @@ index a392fc4..162b975 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -95,14 +114,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -46872,7 +46914,7 @@ index a392fc4..162b975 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -112,22 +129,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -112,22 +130,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_udp_bind_all_unreserved_ports(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
@@ -46900,7 +46942,7 @@ index a392fc4..162b975 100644
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
-@@ -137,11 +157,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -137,11 +158,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -46919,7 +46961,7 @@ index a392fc4..162b975 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -161,7 +187,21 @@ ifdef(`distro_ubuntu',`
+@@ -161,7 +188,21 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -46942,7 +46984,7 @@ index a392fc4..162b975 100644
')
optional_policy(`
-@@ -179,10 +219,6 @@ optional_policy(`
+@@ -179,10 +220,6 @@ optional_policy(`
')
optional_policy(`
@@ -46953,7 +46995,7 @@ index a392fc4..162b975 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -195,23 +231,31 @@ optional_policy(`
+@@ -195,23 +232,31 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -46988,7 +47030,7 @@ index a392fc4..162b975 100644
')
optional_policy(`
-@@ -221,7 +265,16 @@ optional_policy(`
+@@ -221,7 +266,16 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -47006,7 +47048,7 @@ index a392fc4..162b975 100644
')
optional_policy(`
-@@ -233,6 +286,10 @@ optional_policy(`
+@@ -233,6 +287,10 @@ optional_policy(`
')
optional_policy(`
@@ -47017,7 +47059,7 @@ index a392fc4..162b975 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,29 +321,66 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,29 +322,66 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -47084,7 +47126,7 @@ index a392fc4..162b975 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +393,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +394,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -47142,7 +47184,7 @@ index a392fc4..162b975 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +448,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +449,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -47155,7 +47197,7 @@ index a392fc4..162b975 100644
')
optional_policy(`
-@@ -350,7 +466,16 @@ optional_policy(`
+@@ -350,7 +467,16 @@ optional_policy(`
')
optional_policy(`
@@ -47173,7 +47215,7 @@ index a392fc4..162b975 100644
')
optional_policy(`
-@@ -371,3 +496,13 @@ optional_policy(`
+@@ -371,3 +497,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -47189,7 +47231,7 @@ index a392fc4..162b975 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..8b77d7a
+index 0000000..fc4c791
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,71 @@
@@ -47224,13 +47266,13 @@ index 0000000..8b77d7a
+/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0)
-+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*reboot.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*halt.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*hibernate.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*power.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*reboot.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*sleep.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*shutdown.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*suspend.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
+/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
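Review bot: The first rewritten pattern, `.*halt.(service|target)`, is inconsistent with the six below it: it lacks the `.*` before the suffix and leaves the `.` unescaped, so it matches one arbitrary character after "halt" and no longer catches unit names that continue after "halt" the way the previous `.*halt.*` did. Make it `/usr/lib/systemd/system/.*halt.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)` so all seven lines share one shape. Separately, `.*power.*\.(service|target)` still labels any unit whose name merely contains "power" as power_unit_file_t, which hands unrelated units whatever start/stop rights are granted on that type; anchoring these to the actual systemd power-management unit names would keep the type tight.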
@@ -49035,10 +49077,10 @@ index 0000000..16cd1ac
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..d141c81
+index 0000000..f2c6d14
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,969 @@
+@@ -0,0 +1,971 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49347,7 +49389,7 @@ index 0000000..d141c81
+# systemd_machined local policy
+#
+
-+allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace };
++allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace kill };
+allow systemd_machined_t systemd_unit_file_t:service { status start };
+allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
+
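Review bot: Adding `kill` to systemd_machined_t's self:capability set lets the domain signal processes owned by other uids, on top of the already broad sys_admin/sys_ptrace/sys_chroot set, and the line carries no explanation. Add a why-comment on the allow line, e.g. `# kill: machined signals container leader processes running under other uids — confirm`, so the capability can be re-examined if the use case disappears. The same applies to `fs_read_nsfs_files(systemd_machined_t)` in the following hunk, which gives read access to namespace handles and would benefit from a comment such as `# inspects container namespaces via nsfs`. The machined rule block continues outside both hunks.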
@@ -49361,6 +49403,8 @@ index 0000000..d141c81
+manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
+init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
+
++fs_read_nsfs_files(systemd_machined_t)
++
+kernel_dgram_send(systemd_machined_t)
+# This is a bug, but need for now.
+kernel_read_unlabeled_state(systemd_machined_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 522ac0c..ecd1d07 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..22f5977 100644
+index eb50f07..22e6c69 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -902,7 +902,7 @@ index eb50f07..22f5977 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +292,11 @@ optional_policy(`
+@@ -234,15 +292,22 @@ optional_policy(`
')
optional_policy(`
@@ -914,7 +914,10 @@ index eb50f07..22f5977 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +306,7 @@ optional_policy(`
+ rpm_manage_log(abrt_t)
+ rpm_manage_pid_files(abrt_t)
++ rpm_read_tmp_files(abrt_t)
+ rpm_read_db(abrt_t)
rpm_signull(abrt_t)
')
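Review bot: `rpm_read_tmp_files(abrt_t)` is inserted into the rpm optional_policy block without stating why a crash-collection daemon needs to read rpm's temporary files; the rest of the block is likewise uncommented, but this is a new cross-domain read and should document its trigger. Suggest `# read rpm temp files while collecting package information for a report — confirm` on the line above it. The optional_policy block begins before the hunk.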
@@ -922,7 +925,7 @@ index eb50f07..22f5977 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +317,21 @@ optional_policy(`
+@@ -253,9 +318,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -945,7 +948,7 @@ index eb50f07..22f5977 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +342,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +343,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -960,7 +963,7 @@ index eb50f07..22f5977 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +361,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +362,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -968,7 +971,7 @@ index eb50f07..22f5977 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +370,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +371,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -989,7 +992,7 @@ index eb50f07..22f5977 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +391,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +392,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1016,7 +1019,7 @@ index eb50f07..22f5977 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +427,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +428,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1030,7 +1033,7 @@ index eb50f07..22f5977 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +445,11 @@ optional_policy(`
+@@ -343,10 +446,11 @@ optional_policy(`
#######################################
#
@@ -1044,7 +1047,7 @@ index eb50f07..22f5977 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +468,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +469,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1127,7 +1130,7 @@ index eb50f07..22f5977 100644
#######################################
#
-@@ -404,25 +547,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +548,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1190,7 +1193,7 @@ index eb50f07..22f5977 100644
')
#######################################
-@@ -430,10 +608,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +609,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -2275,7 +2278,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index 519051c..0f871e6 100644
+index 519051c..69a4c66 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2313,7 +2316,15 @@ index 519051c..0f871e6 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+
+ manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+ manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
++files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)
+
+ manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+ manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -2330,7 +2341,7 @@ index 519051c..0f871e6 100644
corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
@@ -2338,7 +2349,7 @@ index 519051c..0f871e6 100644
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
-@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
+@@ -130,6 +138,7 @@ fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
@@ -2346,7 +2357,7 @@ index 519051c..0f871e6 100644
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
-@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -2354,7 +2365,7 @@ index 519051c..0f871e6 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -22107,7 +22118,7 @@ index dda905b..5587295 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..a5ea200 100644
+index 62d22cb..90fc04d 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -22256,9 +22267,9 @@ index 62d22cb..a5ea200 100644
- files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
-
-+ dev_read_urand($1)
+
++ dev_read_urand($1)
+
+ # For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
@@ -22637,7 +22648,7 @@ index 62d22cb..a5ea200 100644
##
##
## Type to be used as a domain.
-@@ -397,81 +410,67 @@ interface(`dbus_manage_lib_files',`
+@@ -397,199 +410,228 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -22677,10 +22688,25 @@ index 62d22cb..a5ea200 100644
##
##
-## Type to be used as a domain.
--##
--##
++## Domain allowed access.
+ ##
+ ##
-##
--##
++#
++interface(`dbus_use_system_bus_fds',`
++ gen_require(`
++ type system_dbusd_t;
++ ')
++
++ allow $1 system_dbusd_t:fd use;
++')
++
++########################################
++##
++## Allow unconfined access to the system DBUS.
++##
++##
+ ##
-## Type of the program to be used as an
-## entry point to this domain.
+## Domain allowed access.
@@ -22688,112 +22714,149 @@ index 62d22cb..a5ea200 100644
##
#
-interface(`dbus_all_session_domain',`
-+interface(`dbus_use_system_bus_fds',`
++interface(`dbus_unconfined',`
gen_require(`
- type session_bus_type;
-+ type system_dbusd_t;
++ attribute dbusd_unconfined;
')
- domtrans_pattern(session_bus_type, $2, $1)
-
- dbus_all_session_bus_client($1)
- dbus_connect_all_session_bus($1)
-+ allow $1 system_dbusd_t:fd use;
++ typeattribute $1 dbusd_unconfined;
')
########################################
##
-## Allow a application domain to be
-## started by the specified session bus.
-+## Allow unconfined access to the system DBUS.
++## Delete all dbus pid files
##
-##
--##
++##
+ ##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
--##
--##
++## Domain allowed access.
+ ##
+ ##
++#
++interface(`dbus_delete_pid_files',`
++ gen_require(`
++ type system_dbusd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
++
++########################################
++##
++## Read all dbus pid files
++##
##
##
-## Type to be used as a domain.
--##
--##
++## Domain allowed access.
+ ##
+ ##
-##
--##
++#
++interface(`dbus_read_pid_files',`
++ gen_require(`
++ type system_dbusd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to connect to
++## session bus types with a unix
++## stream socket.
++##
++##
+ ##
-## Type of the program to be used as an
-## entry point to this domain.
-+## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`dbus_spec_session_domain',`
-+interface(`dbus_unconfined',`
++interface(`dbus_dontaudit_stream_connect_session_bus',`
gen_require(`
- type $1_dbusd_t;
-+ attribute dbusd_unconfined;
++ attribute session_bus_type;
')
- domtrans_pattern($1_dbusd_t, $2, $3)
-
- dbus_spec_session_bus_client($1, $2)
- dbus_connect_spec_session_bus($1, $2)
-+ typeattribute $1 dbusd_unconfined;
++ dontaudit $1 session_bus_type:unix_stream_socket connectto;
')
########################################
##
-## Acquire service on the DBUS system bus.
-+## Delete all dbus pid files
++## Allow attempts to connect to
++## session bus types with a unix
++## stream socket.
##
##
##
-@@ -479,18 +478,18 @@ interface(`dbus_spec_session_domain',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`dbus_connect_system_bus',`
-+interface(`dbus_delete_pid_files',`
++interface(`dbus_stream_connect_session_bus',`
gen_require(`
- type system_dbusd_t;
- class dbus acquire_svc;
-+ type system_dbusd_var_run_t;
++ attribute session_bus_type;
')
- allow $1 system_dbusd_t:dbus acquire_svc;
-+ files_search_pids($1)
-+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++ allow $1 session_bus_type:unix_stream_socket connectto;
')
########################################
##
-## Send messages to the DBUS system bus.
-+## Read all dbus pid files
++## Do not audit attempts to send dbus
++## messages to session bus types.
##
##
##
-@@ -498,98 +497,121 @@ interface(`dbus_connect_system_bus',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`dbus_send_system_bus',`
-+interface(`dbus_read_pid_files',`
++interface(`dbus_chat_session_bus',`
gen_require(`
- type system_dbusd_t;
-- class dbus send_msg;
-+ type system_dbusd_var_run_t;
++ attribute session_bus_type;
+ class dbus send_msg;
')
- allow $1 system_dbusd_t:dbus send_msg;
-+ files_search_pids($1)
-+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++ allow $1 session_bus_type:dbus send_msg;
++ allow session_bus_type $1:dbus send_msg;
')
########################################
##
-## Unconfined access to DBUS system bus.
-+## Do not audit attempts to connect to
-+## session bus types with a unix
-+## stream socket.
++## Do not audit attempts to send dbus
++## messages to session bus types.
##
##
##
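Review bot: The parameter description changed to `++## Domain to not audit.` belongs to `dbus_stream_connect_session_bus`, whose body is an allow rule (`allow $1 session_bus_type:unix_stream_socket connectto;`), so it should stay `## Domain allowed access.`. The same mismatch recurs for `dbus_chat_session_bus`: its summary reads "Do not audit attempts to send dbus messages to session bus types" and its parameter "Domain to not audit", while the body allows `send_msg` in both directions; suggest `## Send and receive dbus messages to and from all session bus types.` with `## Domain allowed access.`. Interface summaries are what policy authors read when choosing a rule, so a dontaudit-sounding description on an allow interface invites over-granting.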
@@ -22803,59 +22866,43 @@ index 62d22cb..a5ea200 100644
##
#
-interface(`dbus_system_bus_unconfined',`
-+interface(`dbus_dontaudit_stream_connect_session_bus',`
++interface(`dbus_dontaudit_chat_session_bus',`
gen_require(`
- type system_dbusd_t;
- class dbus all_dbus_perms;
+ attribute session_bus_type;
++ class dbus send_msg;
')
- allow $1 system_dbusd_t:dbus *;
-+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
++ dontaudit $1 session_bus_type:dbus send_msg;
')
########################################
##
-## Create a domain for processes which
-## can be started by the DBUS system bus.
-+## Allow attempts to connect to
-+## session bus types with a unix
-+## stream socket.
++## Do not audit attempts to send dbus
++## messages to system bus types.
##
##
##
-## Type to be used as a domain.
-+## Domain to not audit.
- ##
- ##
+-##
+-##
-##
-+#
-+interface(`dbus_stream_connect_session_bus',`
-+ gen_require(`
-+ attribute session_bus_type;
-+ ')
-+
-+ allow $1 session_bus_type:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to send dbus
-+## messages to session bus types.
-+##
-+##
- ##
+-##
-## Type of the program to be used as an entry point to this domain.
+## Domain to not audit.
##
##
#
-interface(`dbus_system_domain',`
-+interface(`dbus_chat_session_bus',`
++interface(`dbus_dontaudit_chat_system_bus',`
gen_require(`
- type system_dbusd_t;
- role system_r;
-+ attribute session_bus_type;
++ attribute system_bus_type;
+ class dbus send_msg;
')
@@ -22872,38 +22919,21 @@ index 62d22cb..a5ea200 100644
- ps_process_pattern(system_dbusd_t, $1)
-
- userdom_read_all_users_state($1)
-+ allow $1 session_bus_type:dbus send_msg;
-+ allow session_bus_type $1:dbus send_msg;
-+')
-
+-
- ifdef(`hide_broken_symptoms', `
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-+########################################
-+##
-+## Do not audit attempts to send dbus
-+## messages to session bus types.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dbus_dontaudit_chat_session_bus',`
-+ gen_require(`
-+ attribute session_bus_type;
-+ class dbus send_msg;
- ')
-+
-+ dontaudit $1 session_bus_type:dbus send_msg;
+- ')
++ dontaudit $1 system_bus_type:dbus send_msg;
++ dontaudit system_bus_type $1:dbus send_msg;
')
########################################
##
-## Use and inherit DBUS system bus
-## file descriptors.
-+## Do not audit attempts to send dbus
-+## messages to system bus types.
++## Do not audit attempts to connect to
++## session bus types with a unix
++## stream socket.
##
##
##
@@ -22913,16 +22943,14 @@ index 62d22cb..a5ea200 100644
##
#
-interface(`dbus_use_system_bus_fds',`
-+interface(`dbus_dontaudit_chat_system_bus',`
++interface(`dbus_dontaudit_stream_connect_system_dbusd',`
gen_require(`
- type system_dbusd_t;
-+ attribute system_bus_type;
-+ class dbus send_msg;
++ attribute system_dbusd_t;
')
- allow $1 system_dbusd_t:fd use;
-+ dontaudit $1 system_bus_type:dbus send_msg;
-+ dontaudit system_bus_type $1:dbus send_msg;
++ dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
')
########################################
@@ -22934,7 +22962,7 @@ index 62d22cb..a5ea200 100644
##
##
##
-@@ -597,28 +619,50 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +639,50 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -26176,10 +26204,10 @@ index 0000000..d22ed69
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..e44017c
+index 0000000..2387876
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,91 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -26240,6 +26268,8 @@ index 0000000..e44017c
+files_read_etc_runtime_files(dnssec_trigger_t)
+files_dontaudit_list_tmp(dnssec_trigger_t)
+
++libs_exec_ldconfig(dnssec_trigger_t)
++
+logging_send_syslog_msg(dnssec_trigger_t)
+
+auth_use_nsswitch(dnssec_trigger_t)
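Review bot: `libs_exec_ldconfig(dnssec_trigger_t)` runs ldconfig inside the dnssec_trigger_t domain with no transition, so if the trigger does anything beyond `ldconfig -p` the next denial will be a write to /etc/ld.so.cache, which a DNS helper should not hold. If the call comes from a startup script that only queries the cache, add `# ldconfig -p from the dnssec-trigger start script` beside the rule so the grant stays traceable; if it rebuilds the cache, prefer `libs_domtrans_ldconfig(dnssec_trigger_t)` so the write happens in ldconfig_t. The denial that motivated this is not visible in the hunk, so the choice should be checked against it.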
@@ -31323,10 +31353,10 @@ index 0000000..cf9f7bf
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
-index 0000000..2d357a2
+index 0000000..efd838f
--- /dev/null
+++ b/geoclue.te
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,71 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@@ -31371,6 +31401,8 @@ index 0000000..2d357a2
+
+dev_read_urand(geoclue_t)
+
++logging_send_syslog_msg(geoclue_t)
++
+miscfiles_read_certs(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
@@ -34933,7 +34965,7 @@ index ab09d61..1a07290 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 63893eb..d759604 100644
+index 63893eb..3508b98 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -34972,7 +35004,7 @@ index 63893eb..d759604 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -31,105 +50,229 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
@@ -35024,41 +35056,41 @@ index 63893eb..d759604 100644
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
-
--domain_use_interactive_fds(gnomedomain)
++
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-
--files_read_etc_files(gnomedomain)
++
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
--miscfiles_read_localization(gnomedomain)
+-domain_use_interactive_fds(gnomedomain)
--logging_send_syslog_msg(gnomedomain)
+-files_read_etc_files(gnomedomain)
--userdom_use_user_terminals(gnomedomain)
+-miscfiles_read_localization(gnomedomain)
+logging_send_syslog_msg(gconfd_t)
-+
+
+-logging_send_syslog_msg(gnomedomain)
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+-userdom_use_user_terminals(gnomedomain)
++optional_policy(`
++ nscd_dontaudit_search_pid(gconfd_t)
++')
+
optional_policy(`
- xserver_rw_xdm_pipes(gnomedomain)
- xserver_use_xdm_fds(gnomedomain)
-+ nscd_dontaudit_search_pid(gconfd_t)
++ xserver_use_xdm_fds(gconfd_t)
++ xserver_rw_xdm_pipes(gconfd_t)
')
-##############################
-+optional_policy(`
-+ xserver_use_xdm_fds(gconfd_t)
-+ xserver_rw_xdm_pipes(gconfd_t)
-+')
-+
+#######################################
#
-# Conf daemon local Policy
@@ -35227,6 +35259,10 @@ index 63893eb..d759604 100644
+ xserver_append_xdm_home_files(gkeyringd_domain)
+ xserver_read_xdm_home_files(gkeyringd_domain)
+ xserver_use_xdm_fds(gkeyringd_domain)
++')
++
++optional_policy(`
++ dbus_dontaudit_stream_connect_system_dbusd(gkeyringd_domain)
')
optional_policy(`
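Review bot: `dbus_dontaudit_stream_connect_system_dbusd(gkeyringd_domain)` hides connect attempts from the keyring daemon to the system bus; if gnome-keyring actually needs the system bus for some component, the dontaudit masks a functional failure rather than noise. A one-line comment naming the trigger, e.g. `# libdbus probes the system bus socket at startup; not needed by gkeyringd`, would record that it was judged harmless. The interface itself is introduced in dbus.if in this same series and its require block should be verified before relying on it here.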
@@ -37938,10 +37974,18 @@ index fbb54e7..05c3777 100644
########################################
diff --git a/inetd.te b/inetd.te
-index c6450df..6304b00 100644
+index c6450df..ed6af79 100644
--- a/inetd.te
+++ b/inetd.te
-@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
+@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t)
+ type inetd_child_t;
+ type inetd_child_exec_t;
+ inetd_service_domain(inetd_child_t, inetd_child_exec_t)
++init_daemon_domain(inetd_child_t, inetd_child_exec_t)
+
+ type inetd_child_tmp_t;
+ files_tmp_file(inetd_child_tmp_t)
+@@ -37,9 +38,9 @@ ifdef(`enable_mcs',`
# Local policy
#
@@ -37953,7 +37997,7 @@ index c6450df..6304b00 100644
allow inetd_t self:fifo_file rw_fifo_file_perms;
allow inetd_t self:tcp_socket { accept listen };
allow inetd_t self:fd use;
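Review bot: `init_daemon_domain(inetd_child_t, inetd_child_exec_t)` is layered on an existing `inetd_service_domain(...)` declaration for the same pair, and inetd_child_t is a shared catch-all domain (inetd_t reaches it through `corecmd_bin_domtrans` below), so this additionally lets init start anything labeled inetd_child_exec_t as a daemon in that broad domain. If this is for systemd socket activation of inetd-style services, say so next to the line, e.g. `# systemd socket-activated services run in the shared child domain`, so the widening is intentional and not assumed to be a leftover.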
-@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
+@@ -61,6 +62,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
@@ -37961,7 +38005,7 @@ index c6450df..6304b00 100644
corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
-@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
+@@ -98,6 +100,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
@@ -37973,7 +38017,7 @@ index c6450df..6304b00 100644
corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
-@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
+@@ -141,6 +148,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
corenet_tcp_bind_git_port(inetd_t)
corenet_udp_bind_git_port(inetd_t)
@@ -37983,7 +38027,7 @@ index c6450df..6304b00 100644
dev_read_sysfs(inetd_t)
domain_use_interactive_fds(inetd_t)
-@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t)
+@@ -157,8 +167,6 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
@@ -37992,7 +38036,7 @@ index c6450df..6304b00 100644
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
-@@ -188,17 +195,13 @@ optional_policy(`
+@@ -188,17 +196,13 @@ optional_policy(`
')
optional_policy(`
@@ -38011,7 +38055,7 @@ index c6450df..6304b00 100644
########################################
#
# Child local policy
-@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +224,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
@@ -38028,7 +38072,7 @@ index c6450df..6304b00 100644
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
@@ -41609,7 +41653,7 @@ index 3a00b3a..92f125f 100644
+')
+
diff --git a/kdump.te b/kdump.te
-index 715fc21..9852a07 100644
+index 715fc21..14a5a0f 100644
--- a/kdump.te
+++ b/kdump.te
@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
@@ -41643,7 +41687,8 @@ index 715fc21..9852a07 100644
+# kdump local policy
#
- allow kdump_t self:capability { sys_boot dac_override };
+-allow kdump_t self:capability { sys_boot dac_override };
++allow kdump_t self:capability { sys_admin sys_boot dac_override };
+#allow kdump_t self:capability2 compromise_kernel;
+
+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
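Review bot: Adding `sys_admin` to `allow kdump_t self:capability { sys_admin sys_boot dac_override };` grants the broadest capability in the set with no stated reason; CAP_SYS_ADMIN covers mount, namespace and many other operations far beyond what kexec_load (CAP_SYS_BOOT) needs. Please record the operation that required it, e.g. `# sys_admin: mounting the crash target filesystem`, or check whether a narrower grant on the specific object class would have satisfied the denial. The commented-out `compromise_kernel` line directly beneath suggests this capability set has been tuned by trial, which is exactly when a justification comment earns its keep.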
@@ -42233,7 +42278,7 @@ index 4fe75fd..3504a9b 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..e3cb4f1 100644
+index f6c00d8..192df56 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -42310,7 +42355,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',`
+@@ -69,45 +69,45 @@ interface(`kerberos_domtrans_kpropd',`
#
interface(`kerberos_use',`
gen_require(`
@@ -42324,6 +42369,7 @@ index f6c00d8..e3cb4f1 100644
- dontaudit $1 krb5_conf_t:file write_file_perms;
+ files_search_etc($1)
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
++ list_dirs_pattern($1, krb5_conf_t, krb5_conf_t)
+ dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -42371,7 +42417,7 @@ index f6c00d8..e3cb4f1 100644
pcscd_stream_connect($1)
')
')
-@@ -119,7 +118,7 @@ interface(`kerberos_use',`
+@@ -119,7 +119,7 @@ interface(`kerberos_use',`
########################################
##
@@ -42380,7 +42426,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -135,15 +134,13 @@ interface(`kerberos_read_config',`
+@@ -135,15 +135,13 @@ interface(`kerberos_read_config',`
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
@@ -42398,7 +42444,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',`
+@@ -156,13 +154,12 @@ interface(`kerberos_dontaudit_write_config',`
type krb5_conf_t;
')
@@ -42414,7 +42460,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',`
+@@ -182,27 +179,27 @@ interface(`kerberos_rw_config',`
########################################
##
@@ -42449,7 +42495,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -210,47 +206,63 @@ interface(`kerberos_manage_krb5_home_files',`
+@@ -210,47 +207,63 @@ interface(`kerberos_manage_krb5_home_files',`
##
##
#
@@ -42528,7 +42574,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -259,18 +271,18 @@ interface(`kerberos_home_filetrans_krb5_home',`
+@@ -259,18 +272,18 @@ interface(`kerberos_home_filetrans_krb5_home',`
##
##
#
@@ -42551,7 +42597,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -278,49 +290,122 @@ interface(`kerberos_read_keytab',`
+@@ -278,49 +291,122 @@ interface(`kerberos_read_keytab',`
##
##
#
@@ -42690,7 +42736,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -329,60 +414,63 @@ interface(`kerberos_manage_keytab_files',`
+@@ -329,60 +415,63 @@ interface(`kerberos_manage_keytab_files',`
##
##
#
@@ -42775,7 +42821,7 @@ index f6c00d8..e3cb4f1 100644
##
##
##
-@@ -391,141 +479,88 @@ interface(`kerberos_read_kdc_config',`
+@@ -391,141 +480,88 @@ interface(`kerberos_read_kdc_config',`
##
##
#
@@ -44245,10 +44291,10 @@ index c5548c5..1356fcb 100644
+userdom_use_user_ttys(ktalkd_t)
diff --git a/kubernetes.fc b/kubernetes.fc
new file mode 100644
-index 0000000..6ab641c
+index 0000000..deda99e
--- /dev/null
+++ b/kubernetes.fc
-@@ -0,0 +1,13 @@
+@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/kubelet.* -- gen_context(system_u:object_r:kubelet_unit_file_t,s0)
+/usr/lib/systemd/system/kube-apiserver.* -- gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0)
+/usr/lib/systemd/system/kube-controller-manager.* -- gen_context(system_u:object_r:kube_controller_manager_unit_file_t,s0)
@@ -44259,8 +44305,6 @@ index 0000000..6ab641c
+/usr/bin/kube-controller-manager -- gen_context(system_u:object_r:kube_controller_manager_exec_t,s0)
+/usr/bin/kube-proxy -- gen_context(system_u:object_r:kube_proxy_exec_t,s0)
+
-+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
-+
+
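Review bot: Dropping `/var/lib/kubelet(/.*)?` from kubernetes.fc leaves the kubelet state directory — pod volumes, plugin sockets and any kubeconfig or credential material stored there — labeled as generic var_lib_t. If kubelet_var_lib_t is still declared in kubernetes.te (not visible here) it becomes a dead type; if it was removed, confirm the kubelet domain was given var_lib_t access instead, otherwise this is a silent loss of separation rather than a cleanup. If the intent is to leave labeling to the container runtime policy, a comment in the .fc saying so would prevent the line from being re-added later.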
diff --git a/kubernetes.if b/kubernetes.if
new file mode 100644
@@ -52169,7 +52213,7 @@ index 6194b80..e27c53d 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..b341bb0 100644
+index 11ac8e4..653ba10 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -52622,7 +52666,7 @@ index 11ac8e4..b341bb0 100644
')
optional_policy(`
-@@ -300,259 +339,253 @@ optional_policy(`
+@@ -300,259 +339,254 @@ optional_policy(`
########################################
#
@@ -52635,6 +52679,7 @@ index 11ac8e4..b341bb0 100644
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
++dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace };
+
+allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -53021,7 +53066,7 @@ index 11ac8e4..b341bb0 100644
')
optional_policy(`
-@@ -560,7 +593,11 @@ optional_policy(`
+@@ -560,7 +594,11 @@ optional_policy(`
')
optional_policy(`
@@ -53034,7 +53079,7 @@ index 11ac8e4..b341bb0 100644
')
optional_policy(`
-@@ -568,108 +605,144 @@ optional_policy(`
+@@ -568,108 +606,144 @@ optional_policy(`
')
optional_policy(`
@@ -63294,10 +63339,10 @@ index 57c0161..c554eb6 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
-index 5b2cb0d..1ac5cf5 100644
+index 5b2cb0d..ccaa0d4 100644
--- a/nut.te
+++ b/nut.te
-@@ -7,154 +7,153 @@ policy_module(nut, 1.3.0)
+@@ -7,154 +7,155 @@ policy_module(nut, 1.3.0)
attribute nut_domain;
@@ -63411,9 +63456,9 @@ index 5b2cb0d..1ac5cf5 100644
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
-
-+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@@ -63475,13 +63520,13 @@ index 5b2cb0d..1ac5cf5 100644
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
++
++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
-manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
-+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
-
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
-+
+
+# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
@@ -63497,6 +63542,8 @@ index 5b2cb0d..1ac5cf5 100644
init_sigchld(nut_upsdrvctl_t)
++udev_read_db(nut_upsdrvctl_t)
++
#######################################
#
-# Cgi local policy
@@ -67652,13 +67699,15 @@ index 0000000..3bcd32c
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
-index 0000000..80fb8c3
+index 0000000..c416596
--- /dev/null
+++ b/oracleasm.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
++/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0)
++
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
diff --git a/oracleasm.if b/oracleasm.if
new file mode 100644
@@ -67743,10 +67792,10 @@ index 0000000..6ae382c
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
-index 0000000..14d642b
+index 0000000..48fdbd5
--- /dev/null
+++ b/oracleasm.te
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,64 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
@@ -67764,15 +67813,20 @@ index 0000000..14d642b
+type oracleasm_tmp_t;
+files_tmp_file(oracleasm_tmp_t)
+
++type oracleasm_conf_t;
++files_config_file(oracleasm_conf_t)
++
+########################################
+#
+# oracleasm local policy
+#
+
-+allow oracleasm_t self:capability { fsetid fowner chown };
++allow oracleasm_t self:capability { dac_override fsetid fowner chown };
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
++allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
++
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir })
@@ -67791,8 +67845,10 @@ index 0000000..14d642b
+fs_getattr_xattr_fs(oracleasm_t)
+fs_list_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs(oracleasm_t)
++fs_getattr_oracleasmfs_fs(oracleasm_t)
+fs_setattr_oracleasmfs(oracleasm_t)
+fs_setattr_oracleasmfs_dirs(oracleasm_t)
++fs_manage_oracleasm(oracleasm_t)
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
@@ -68787,10 +68843,10 @@ index 8176e4a..2df1789 100644
diff --git a/pcp.fc b/pcp.fc
new file mode 100644
-index 0000000..26a45e3
+index 0000000..de7c78c
--- /dev/null
+++ b/pcp.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,33 @@
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
@@ -68813,6 +68869,10 @@ index 0000000..26a45e3
+/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
++/usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++
++/usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
++
+/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0)
+
+/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0)
@@ -68970,12 +69030,16 @@ index 0000000..80246e6
+ can_exec($1, pcp_pmlogger_exec_t)
+')
+
+diff --git a/pcp.pp b/pcp.pp
+new file mode 100644
+index 0000000..fa4cfaa
+Binary files /dev/null and b/pcp.pp differ
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..e81f463
+index 0000000..f302fd8
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,287 @@
+@@ -0,0 +1,297 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -69246,6 +69310,7 @@ index 0000000..e81f463
+# pcp_pmlogger local policy
+#
+
++allow pcp_pmlogger_t self:capability chown;
+allow pcp_pmlogger_t self:process setpgid;
+allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
+
@@ -69263,6 +69328,15 @@ index 0000000..e81f463
+
+domain_read_all_domains_state(pcp_pmlogger_t)
+
++init_read_utmp(pcp_pmlogger_t)
++
++systemd_exec_systemctl(pcp_pmlogger_t)
++systemd_getattr_unit_files(pcp_pmlogger_t)
++
++optional_policy(`
++ hostname_exec(pcp_pmlogger_t)
++')
++
diff --git a/pcscd.if b/pcscd.if
index 43d50f9..6b1544f 100644
--- a/pcscd.if
@@ -79153,10 +79227,10 @@ index 6643b49..dd0c3d3 100644
optional_policy(`
diff --git a/puppet.fc b/puppet.fc
-index d68e26d..2542f5a 100644
+index d68e26d..3b08cfd 100644
--- a/puppet.fc
+++ b/puppet.fc
-@@ -1,18 +1,22 @@
+@@ -1,18 +1,23 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
@@ -79178,6 +79252,7 @@ index d68e26d..2542f5a 100644
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
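Review bot: `/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0)` labels the single multi-subcommand CLI as the agent entry point, so `puppet master`, `puppet cert` or `puppet apply` started from init or from a domain with the agent domtrans will run as puppetagent_t rather than puppetmaster_t or puppetca_t, and the separate `puppetca_exec_t`/`puppetmaster_exec_t` labels remain reachable only through the legacy wrapper binaries. If the intent is agent-only because the systemd unit invokes `puppet agent`, add a comment saying so and confirm the master and CA services use their own binaries; otherwise the agent/CA domain separation is lost.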
@@ -84039,7 +84114,7 @@ index 951db7f..00e699d 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
-index c99753f..31ff402 100644
+index c99753f..0255b7e 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
@@ -84123,7 +84198,7 @@ index c99753f..31ff402 100644
-dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_read_all_blk_files(mdadm_t)
+dev_dontaudit_read_all_chr_files(mdadm_t)
-+dev_getattr_generic_chr_files(mdadm_t)
++dev_getattr_all(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
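Review bot: Replacing `dev_getattr_generic_chr_files(mdadm_t)` with `dev_getattr_all(mdadm_t)` widens the grant from generic character devices to every device node type. mdadm's device scan stats block devices, so `dev_getattr_all_blk_files(mdadm_t)` (next to the existing `dev_dontaudit_read_all_blk_files`) would likely satisfy the denial; if a specific character device triggered it, grant that type alone. Keep the catch-all only if the scan genuinely stats everything under /dev, and say so in a comment.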
@@ -91426,7 +91501,7 @@ index ebe91fc..6ba4338 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index ef3b225..415a50b 100644
+index ef3b225..b15d901 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -91767,7 +91842,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -374,12 +479,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -91779,11 +91854,31 @@ index ef3b225..415a50b 100644
########################################
##
-## Read rpm script temporary files.
++## Read rpm temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_read_tmp_files',`
++ gen_require(`
++ type rpm_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
++ read_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++')
++
++########################################
++##
+## Read RPM script temporary files.
##
##
##
-@@ -399,7 +506,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
@@ -91792,7 +91887,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -420,8 +527,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +547,7 @@ interface(`rpm_read_cache',`
########################################
##
@@ -91802,7 +91897,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -442,7 +548,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',`
########################################
##
@@ -91811,7 +91906,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -459,11 +565,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +585,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -91825,7 +91920,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -482,8 +589,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +609,7 @@ interface(`rpm_delete_db',`
########################################
##
@@ -91835,7 +91930,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -503,8 +609,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +629,28 @@ interface(`rpm_manage_db',`
########################################
##
@@ -91865,7 +91960,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -517,7 +643,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -91874,7 +91969,7 @@ index ef3b225..415a50b 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +669,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
@@ -91884,7 +91979,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -563,8 +688,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
@@ -91894,7 +91989,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -573,43 +697,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -91966,7 +92061,7 @@ index ef3b225..415a50b 100644
##
##
##
-@@ -617,22 +752,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
##
##
##
@@ -92035,7 +92130,7 @@ index ef3b225..415a50b 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -641,9 +811,6 @@ interface(`rpm_admin',`
+@@ -641,9 +831,6 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t)
@@ -93000,10 +93095,10 @@ index f1140ef..642e062 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
-index abeb302..6836678 100644
+index abeb302..b27a479 100644
--- a/rsync.te
+++ b/rsync.te
-@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
+@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0)
#
##
@@ -93076,11 +93171,11 @@ index abeb302..6836678 100644
type rsync_t;
type rsync_exec_t;
--init_daemon_domain(rsync_t, rsync_exec_t)
--application_domain(rsync_t, rsync_exec_t)
--role rsync_roles types rsync_t;
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
+ init_daemon_domain(rsync_t, rsync_exec_t)
+-application_domain(rsync_t, rsync_exec_t)
+-role rsync_roles types rsync_t;
type rsync_etc_t;
files_config_file(rsync_etc_t)
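Review bot: The added `role system_r types rsync_t;` and `application_executable_file(rsync_exec_t)` sit next to the retained `init_daemon_domain(rsync_t, rsync_exec_t)`, which in refpolicy already assigns `system_r` to the domain and marks the executable as an entrypoint, so both new lines look redundant if this tree's init interfaces are unchanged from refpolicy. Keeping only `init_daemon_domain` avoids two declarations that must be kept in sync. If `rsync_exec_t` is meant to be executable in the caller's domain as well (the role removal suggests the application use case was dropped), a one-line comment stating that intent would justify keeping `application_executable_file`.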
@@ -93090,7 +93185,7 @@ index abeb302..6836678 100644
files_type(rsync_data_t)
type rsync_log_t;
-@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -93121,7 +93216,7 @@ index abeb302..6836678 100644
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,46 +97,55 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -93195,7 +93290,7 @@ index abeb302..6836678 100644
')
tunable_policy(`rsync_export_all_ro',`
-@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',`
+@@ -161,38 +159,24 @@ tunable_policy(`rsync_export_all_ro',`
auth_tunable_read_shadow(rsync_t)
')
@@ -111608,10 +111703,10 @@ index 3d11c6a..b19a117 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index a4f20bc..f3d5b04 100644
+index a4f20bc..d8b1fd1 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,51 +1,111 @@
+@@ -1,51 +1,109 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -111754,15 +111849,13 @@ index a4f20bc..f3d5b04 100644
+
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
-+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
-+
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..816d860 100644
+index facdee8..12e74f1 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,231 @@
@@ -112589,7 +112682,7 @@ index facdee8..816d860 100644
##
##
##
-@@ -673,54 +539,472 @@ interface(`virt_home_filetrans',`
+@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -112625,14 +112718,8 @@ index facdee8..816d860 100644
gen_require(`
- type virt_home_t;
+ type virt_var_lib_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- allow $1 virt_home_t:dir manage_dir_perms;
-- allow $1 virt_home_t:file manage_file_perms;
-- allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
-- allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
-- allow $1 virt_home_t:sock_file manage_sock_file_perms;
++ ')
++
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
+
@@ -112777,20 +112864,14 @@ index facdee8..816d860 100644
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
-
- tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- fs_manage_nfs_symlinks($1)
++
++ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_dirs($1)
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_symlinks($1)
++ ')
++
++ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
@@ -112957,14 +113038,13 @@ index facdee8..816d860 100644
+interface(`virt_exec_sandbox_files',`
+ gen_require(`
+ type svirt_sandbox_file_t;
- ')
++ ')
+
+ can_exec($1, svirt_sandbox_file_t)
- ')
-
- ########################################
- ##
--## Relabel virt home content.
++')
++
++########################################
++##
+## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
+##
+##
@@ -113081,19 +113161,97 @@ index facdee8..816d860 100644
+#######################################
+##
+## Connect to virt over a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_stream_connect_sandbox',`
++ gen_require(`
++ attribute svirt_sandbox_domain;
++ type svirt_sandbox_file_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
++ ps_process_pattern(svirt_sandbox_domain, $1)
++')
++
++########################################
++##
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++##
++#
++interface(`virt_transition_svirt',`
++ gen_require(`
++ attribute virt_domain;
++ type virt_bridgehelper_t;
++ type svirt_image_t;
++ type svirt_socket_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 virt_home_t:dir manage_dir_perms;
+- allow $1 virt_home_t:file manage_file_perms;
+- allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
+- allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
+- allow $1 virt_home_t:sock_file manage_sock_file_perms;
++ allow $1 virt_domain:process transition;
++ role $2 types virt_domain;
++ role $2 types virt_bridgehelper_t;
++ role $2 types svirt_socket_t;
+
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_manage_nfs_symlinks($1)
+- ')
++ allow $1 virt_domain:process { sigkill sigstop signull signal };
++ allow $1 svirt_image_t:file { relabelfrom relabelto };
++ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
++ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
++ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_dirs($1)
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_symlinks($1)
++ optional_policy(`
++ ptchown_run(virt_domain, $2)
+ ')
+ ')
+
+ ########################################
+ ##
+-## Relabel virt home content.
++## Do not audit attempts to write virt daemon unnamed pipes.
##
##
##
-@@ -728,52 +1012,80 @@ interface(`virt_manage_generic_virt_home_content',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`virt_relabel_generic_virt_home_content',`
-+interface(`virt_stream_connect_sandbox',`
++interface(`virt_dontaudit_write_pipes',`
gen_require(`
- type virt_home_t;
-+ attribute svirt_sandbox_domain;
-+ type svirt_sandbox_file_t;
++ type virtd_t;
')
- userdom_search_user_home_dirs($1)
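Review bot: `virt_stream_connect_sandbox` grants more than its name and summary say: besides `stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)`, the line `ps_process_pattern(svirt_sandbox_domain, $1)` runs in the reverse direction and lets every sandbox domain read the connecting domain's process state. That is a privilege flowing from the container side back to the caller and should be visible to anyone auditing callers of this interface. The summary `## Connect to virt over a unix domain stream socket.` also names the wrong target; suggest `## Connect to virt sandbox containers over a unix domain stream socket, and allow the containers to read the caller's process state.` The same pattern recurs in `virt_transition_svirt_sandbox` further down.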
@@ -113102,9 +113260,8 @@ index facdee8..816d860 100644
- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
-+ files_search_pids($1)
-+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
-+ ps_process_pattern(svirt_sandbox_domain, $1)
++ dontaudit $1 virtd_t:fd use;
++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')
########################################
@@ -113112,214 +113269,213 @@ index facdee8..816d860 100644
-## Create specified objects in user home
-## directories with the generic virt
-## home type.
-+## Execute qemu in the svirt domain, and
-+## allow the specified role the svirt domain.
++## Send a sigkill to virtual machines
##
##
##
--## Domain allowed access.
-+## Domain allowed access
+ ## Domain allowed access.
##
##
-##
-+##
++#
++interface(`virt_kill_svirt',`
++ gen_require(`
++ attribute virt_domain;
++ ')
++
++ allow $1 virt_domain:process sigkill;
++')
++
++########################################
++##
++## Send a sigkill to virtd daemon.
++##
++##
##
-## Class of the object being created.
-+## The role to be allowed the sandbox domain.
++## Domain allowed access.
##
##
-##
-+##
+#
-+interface(`virt_transition_svirt',`
++interface(`virt_kill',`
+ gen_require(`
-+ attribute virt_domain;
-+ type virt_bridgehelper_t;
-+ type svirt_image_t;
-+ type svirt_socket_t;
++ type virtd_t;
+ ')
+
-+ allow $1 virt_domain:process transition;
-+ role $2 types virt_domain;
-+ role $2 types virt_bridgehelper_t;
-+ role $2 types svirt_socket_t;
-+
-+ allow $1 virt_domain:process { sigkill sigstop signull signal };
-+ allow $1 svirt_image_t:file { relabelfrom relabelto };
-+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
-+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
-+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
-+
-+ optional_policy(`
-+ ptchown_run(virt_domain, $2)
-+ ')
++ allow $1 virtd_t:process sigkill;
+')
+
+########################################
+##
-+## Do not audit attempts to write virt daemon unnamed pipes.
++## Send a signal to virtd daemon.
+##
+##
##
-## The name of the object being created.
-+## Domain to not audit.
++## Domain allowed access.
##
##
#
-interface(`virt_home_filetrans_virt_home',`
-+interface(`virt_dontaudit_write_pipes',`
++interface(`virt_signal',`
gen_require(`
- type virt_home_t;
+ type virtd_t;
')
- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
-+ dontaudit $1 virtd_t:fd use;
-+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++ allow $1 virtd_t:process signal;
')
########################################
##
-## Read virt pid files.
-+## Send a sigkill to virtual machines
++## Send null signal to virtd daemon.
##
##
##
-@@ -781,19 +1093,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',`
##
##
#
-interface(`virt_read_pid_files',`
-+interface(`virt_kill_svirt',`
++interface(`virt_signull',`
gen_require(`
- type virt_var_run_t;
-+ attribute virt_domain;
++ type virtd_t;
')
- files_search_pids($1)
- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+ allow $1 virt_domain:process sigkill;
++ allow $1 virtd_t:process signull;
')
########################################
##
-## Create, read, write, and delete
-## virt pid files.
-+## Send a sigkill to virtd daemon.
++## Send a signal to virtual machines
##
##
##
-@@ -801,18 +1111,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',`
##
##
#
-interface(`virt_manage_pid_files',`
-+interface(`virt_kill',`
++interface(`virt_signal_svirt',`
gen_require(`
- type virt_var_run_t;
-+ type virtd_t;
++ attribute virt_domain;
')
- files_search_pids($1)
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+ allow $1 virtd_t:process sigkill;
++ allow $1 virt_domain:process signal;
')
########################################
##
-## Search virt lib directories.
-+## Send a signal to virtd daemon.
++## Send a signal to sandbox domains
##
##
##
-@@ -820,18 +1129,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',`
##
##
#
-interface(`virt_search_lib',`
-+interface(`virt_signal',`
++interface(`virt_signal_sandbox',`
gen_require(`
- type virt_var_lib_t;
-+ type virtd_t;
++ attribute svirt_sandbox_domain;
')
- files_search_var_lib($1)
- allow $1 virt_var_lib_t:dir search_dir_perms;
-+ allow $1 virtd_t:process signal;
++ allow $1 svirt_sandbox_domain:process signal;
')
########################################
##
-## Read virt lib files.
-+## Send null signal to virtd daemon.
++## Manage virt home files.
##
##
##
-@@ -839,20 +1147,17 @@ interface(`virt_search_lib',`
+@@ -839,192 +1201,243 @@ interface(`virt_search_lib',`
##
##
#
-interface(`virt_read_lib_files',`
-+interface(`virt_signull',`
++interface(`virt_manage_home_files',`
gen_require(`
- type virt_var_lib_t;
-+ type virtd_t;
++ type virt_home_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-+ allow $1 virtd_t:process signull;
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, virt_home_t, virt_home_t)
')
########################################
##
-## Create, read, write, and delete
-## virt lib files.
-+## Send a signal to virtual machines
++## allow domain to read
++## virt tmpfs files
##
##
##
-@@ -860,74 +1165,123 @@ interface(`virt_read_lib_files',`
+-## Domain allowed access.
++## Domain allowed access
##
##
#
-interface(`virt_manage_lib_files',`
-+interface(`virt_signal_svirt',`
++interface(`virt_read_tmpfs_files',`
gen_require(`
- type virt_var_lib_t;
-+ attribute virt_domain;
++ attribute virt_tmpfs_type;
')
- files_search_var_lib($1)
- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-+ allow $1 virt_domain:process signal;
++ allow $1 virt_tmpfs_type:file read_file_perms;
')
########################################
##
-## Create objects in virt pid
-## directories with a private type.
-+## Send a signal to sandbox domains
++## allow domain to manage
++## virt tmpfs files
##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain allowed access
##
##
-##
+#
-+interface(`virt_signal_sandbox',`
++interface(`virt_manage_tmpfs_files',`
+ gen_require(`
-+ attribute svirt_sandbox_domain;
++ attribute virt_tmpfs_type;
+ ')
+
-+ allow $1 svirt_sandbox_domain:process signal;
++ allow $1 virt_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+##
-+## Manage virt home files.
++## Create .virt directory in the user home directory
++## with an correct label.
+##
+##
##
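Review bot: The summaries of the two new tmpfs interfaces, `## allow domain to read` / `## virt tmpfs files` and `## allow domain to manage` / `## virt tmpfs files`, are written in a different register from every other summary in this file (imperative, capitalised, one line, trailing period), and their parameter text `## Domain allowed access` drops the trailing period the neighbouring interfaces use. Suggest `## Read virt tmpfs files.` and `## Manage virt tmpfs files.` with `## Domain allowed access.` for the parameter. Since both grant on the `virt_tmpfs_type` attribute rather than a single type, a note that this covers all virt tmpfs types at once would also help callers judge the scope.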
@@ -113329,204 +113485,213 @@ index facdee8..816d860 100644
##
-##
+#
-+interface(`virt_manage_home_files',`
++interface(`virt_filetrans_home_content',`
+ gen_require(`
+ type virt_home_t;
++ type svirt_home_t;
+ ')
+
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, virt_home_t, virt_home_t)
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
++
++ optional_policy(`
++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
++ gnome_data_filetrans($1, svirt_home_t, dir, "images")
++ gnome_data_filetrans($1, svirt_home_t, dir, "boot")
++ ')
+')
+
+########################################
+##
-+## allow domain to read
-+## virt tmpfs files
++## Dontaudit attempts to Read virt_image_type devices.
+##
+##
##
-## The object class of the object being created.
-+## Domain allowed access
++## Domain allowed access.
##
##
-##
+#
-+interface(`virt_read_tmpfs_files',`
++interface(`virt_dontaudit_read_chr_dev',`
+ gen_require(`
-+ attribute virt_tmpfs_type;
++ attribute virt_image_type;
+ ')
+
-+ allow $1 virt_tmpfs_type:file read_file_perms;
++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
+')
+
+########################################
+##
-+## allow domain to manage
-+## virt tmpfs files
++## Creates types and rules for a basic
++## virt_lxc process domain.
+##
-+##
++##
##
-## The name of the object being created.
-+## Domain allowed access
++## Prefix for the domain.
##
##
-##
#
-interface(`virt_pid_filetrans',`
-+interface(`virt_manage_tmpfs_files',`
++template(`virt_sandbox_domain_template',`
gen_require(`
- type virt_var_run_t;
-+ attribute virt_tmpfs_type;
++ attribute svirt_sandbox_domain;
')
- files_search_pids($1)
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-+ allow $1 virt_tmpfs_type:file manage_file_perms;
++ type $1_t, svirt_sandbox_domain;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_constrained($1_t)
++ role system_r types $1_t;
++
++ logging_send_syslog_msg($1_t)
++
++ kernel_read_system_state($1_t)
++ kernel_read_all_proc($1_t)
')
########################################
##
-## Read virt log files.
-+## Create .virt directory in the user home directory
-+## with an correct label.
++## Make the specified type usable as a lxc domain
##
- ##
+-##
++##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Type to be used as a lxc domain
##
##
-##
#
-interface(`virt_read_log',`
-+interface(`virt_filetrans_home_content',`
++template(`virt_sandbox_domain',`
gen_require(`
- type virt_log_t;
-+ type virt_home_t;
-+ type svirt_home_t;
++ attribute svirt_sandbox_domain;
')
- logging_search_logs($1)
- read_files_pattern($1, virt_log_t, virt_log_t)
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-+
-+ optional_policy(`
-+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
-+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
-+ gnome_data_filetrans($1, svirt_home_t, dir, "boot")
-+ ')
++ typeattribute $1 svirt_sandbox_domain;
')
########################################
##
-## Append virt log files.
-+## Dontaudit attempts to Read virt_image_type devices.
++## Make the specified type usable as a lxc network domain
##
- ##
+-##
++##
##
-@@ -935,117 +1289,153 @@ interface(`virt_read_log',`
+-## Domain allowed access.
++## Type to be used as a lxc network domain
##
##
#
-interface(`virt_append_log',`
-+interface(`virt_dontaudit_read_chr_dev',`
++template(`virt_sandbox_net_domain',`
gen_require(`
- type virt_log_t;
-+ attribute virt_image_type;
++ attribute sandbox_net_domain;
')
- logging_search_logs($1)
- append_files_pattern($1, virt_log_t, virt_log_t)
-+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++ virt_sandbox_domain($1)
++ typeattribute $1 sandbox_net_domain;
')
########################################
##
-## Create, read, write, and delete
-## virt log files.
-+## Creates types and rules for a basic
-+## virt_lxc process domain.
++## Execute a qemu_exec_t in the callers domain
##
--##
-+##
- ##
--## Domain allowed access.
-+## Prefix for the domain.
- ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
##
#
-interface(`virt_manage_log',`
-+template(`virt_sandbox_domain_template',`
++interface(`virt_exec_qemu',`
gen_require(`
- type virt_log_t;
-+ attribute svirt_sandbox_domain;
++ type qemu_exec_t;
')
- logging_search_logs($1)
- manage_dirs_pattern($1, virt_log_t, virt_log_t)
- manage_files_pattern($1, virt_log_t, virt_log_t)
- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+ type $1_t, svirt_sandbox_domain;
-+ domain_type($1_t)
-+ domain_user_exemption_target($1_t)
-+ mls_rangetrans_target($1_t)
-+ mcs_constrained($1_t)
-+ role system_r types $1_t;
-+
-+ logging_send_syslog_msg($1_t)
-+
-+ kernel_read_system_state($1_t)
-+ kernel_read_all_proc($1_t)
++ can_exec($1, qemu_exec_t)
')
########################################
##
-## Search virt image directories.
-+## Make the specified type usable as a lxc domain
++## Transition to virt named content
##
--##
-+##
+ ##
##
-## Domain allowed access.
-+## Type to be used as a lxc domain
++## Domain allowed access.
##
##
#
-interface(`virt_search_images',`
-+template(`virt_sandbox_domain',`
++interface(`virt_filetrans_named_content',`
gen_require(`
- attribute virt_image_type;
-+ attribute svirt_sandbox_domain;
++ type virt_lxc_var_run_t;
++ type virt_var_run_t;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir search_dir_perms;
-+ typeattribute $1 svirt_sandbox_domain;
++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
')
########################################
##
-## Read virt image files.
-+## Make the specified type usable as a lxc network domain
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
##
--##
-+##
+ ##
##
-## Domain allowed access.
-+## Type to be used as a lxc network domain
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
##
##
++##
#
-interface(`virt_read_images',`
-+template(`virt_sandbox_net_domain',`
++interface(`virt_transition_svirt_sandbox',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ attribute sandbox_net_domain;
++ attribute svirt_sandbox_domain;
')
- virt_search_lib($1)
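Review bot: The summary of `virt_filetrans_home_content` says `## Create .virt directory in the user home directory` but the body transitions `.libvirt` and `.virtinst` (plus a `qemu` subdirectory and several gnome paths), so the documentation names a directory the interface never creates; suggest `## Label .libvirt and .virtinst directories created in the user home directory, and related gnome config/cache/data content.` In the same hunk, `virt_transition_svirt_sandbox` carries the summary copied from `virt_transition_svirt` (`## Execute qemu in the svirt domain...`) even though it works on `svirt_sandbox_domain`, and `virt_dontaudit_read_chr_dev` documents its parameter as `## Domain allowed access.` where the other dontaudit interface in this file uses `## Domain to not audit.` The body of `virt_transition_svirt_sandbox` continues outside this hunk.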
@@ -113535,79 +113700,41 @@ index facdee8..816d860 100644
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ virt_sandbox_domain($1)
-+ typeattribute $1 sandbox_net_domain;
-+')
++ allow $1 svirt_sandbox_domain:process { transition signal_perms };
++ role $2 types svirt_sandbox_domain;
++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
-+########################################
-+##
-+## Execute a qemu_exec_t in the callers domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_exec_qemu',`
-+ gen_require(`
-+ type qemu_exec_t;
- ')
+- ')
++ allow svirt_sandbox_domain $1:fd use;
- tunable_policy(`virt_use_samba',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
-+ can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+##
-+## Transition to virt named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_filetrans_named_content',`
-+ gen_require(`
-+ type virt_lxc_var_run_t;
-+ type virt_var_run_t;
- ')
-+
-+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
+- ')
++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
++ allow svirt_sandbox_domain $1:process sigchld;
++ ps_process_pattern($1, svirt_sandbox_domain)
')
########################################
##
-## Read and write all virt image
-## character files.
-+## Execute qemu in the svirt domain, and
-+## allow the specified role the svirt domain.
++## Read the process state of virt sandbox containers
##
##
##
--## Domain allowed access.
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the sandbox domain.
+@@ -1032,20 +1445,17 @@ interface(`virt_read_images',`
##
##
-+##
#
-interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_transition_svirt_sandbox',`
++interface(`virt_sandbox_read_state',`
gen_require(`
- attribute virt_image_type;
+ attribute svirt_sandbox_domain;
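Review bot: Three of the rules in `virt_transition_svirt_sandbox` flow from the sandbox toward the caller — `allow svirt_sandbox_domain $1:fd use;`, `allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;` and `allow svirt_sandbox_domain $1:process sigchld;` — so any domain placed in `svirt_sandbox_domain` can use the caller's inherited descriptors and write to its pipes. That is presumably how the container's stdio is wired, but the interface text does not say so, and a caller granting this to a broadly used domain widens what a container escape can reach. A comment above the reverse rules, e.g. `# sandbox -> launcher: inherited fds and stdio pipes, plus exit notification`, would make the two-way nature explicit; also consider whether `rw_fifo_file_perms` can be split so that only the pipe ends the container needs are writable. The interface's header and opening lines are in the preceding hunk.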
@@ -113616,12 +113743,6 @@ index facdee8..816d860 100644
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+ allow $1 svirt_sandbox_domain:process { transition signal_perms };
-+ role $2 types svirt_sandbox_domain;
-+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
-+
-+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
-+ allow svirt_sandbox_domain $1:process sigchld;
+ ps_process_pattern($1, svirt_sandbox_domain)
')
@@ -113629,23 +113750,23 @@ index facdee8..816d860 100644
##
-## Create, read, write, and delete
-## svirt cache files.
-+## Read the process state of virt sandbox containers
++## Read and write to svirt_image devices.
##
##
##
-@@ -1053,15 +1443,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
-interface(`virt_manage_svirt_cache',`
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
- virt_manage_virt_cache($1)
-+interface(`virt_sandbox_read_state',`
++interface(`virt_rw_svirt_dev',`
+ gen_require(`
-+ attribute svirt_sandbox_domain;
++ type svirt_image_t;
+ ')
+
-+ ps_process_pattern($1, svirt_sandbox_domain)
++ allow $1 svirt_image_t:chr_file rw_file_perms;
')
########################################
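Review bot: `virt_rw_svirt_dev` uses the generic file permission set on a character device, `allow $1 svirt_image_t:chr_file rw_file_perms;`, where the rest of this policy pairs `chr_file` with `rw_chr_file_perms` (the two sets are, as far as I recall, identical in refpolicy, so this is a consistency rather than a behaviour point). Suggest `allow $1 svirt_image_t:chr_file rw_chr_file_perms;`. The interface's summary line is in the previous hunk.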
@@ -113656,22 +113777,22 @@ index facdee8..816d860 100644
##
##
##
-@@ -1069,21 +1461,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',`
##
##
#
-interface(`virt_manage_virt_cache',`
-+interface(`virt_rw_svirt_dev',`
++interface(`virt_rlimitinh',`
gen_require(`
- type virt_cache_t;
-+ type svirt_image_t;
++ type virtd_t;
')
- files_search_var($1)
- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
- manage_files_pattern($1, virt_cache_t, virt_cache_t)
- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
-+ allow $1 svirt_image_t:chr_file rw_file_perms;
++ allow $1 virtd_t:process { rlimitinh };
')
########################################
@@ -113682,43 +113803,28 @@ index facdee8..816d860 100644
##
##
##
-@@ -1091,36 +1479,36 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',`
##
##
#
-interface(`virt_manage_images',`
-+interface(`virt_rlimitinh',`
++interface(`virt_noatsecure',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ type virtd_t;
- ')
-
+- ')
+-
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- manage_dirs_pattern($1, virt_image_type, virt_image_type)
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ allow $1 virtd_t:process { rlimitinh };
-+')
-
+-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
-+########################################
-+##
-+## Read and write to svirt_image devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_noatsecure',`
-+ gen_require(`
+ type virtd_t;
')
@@ -113739,7 +113845,7 @@ index facdee8..816d860 100644
##
##
##
-@@ -1136,50 +1524,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -113849,7 +113955,7 @@ index facdee8..816d860 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..a4e5bf6 100644
+index f03dcf5..36bc283 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,402 @@
@@ -114861,7 +114967,7 @@ index f03dcf5..a4e5bf6 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +707,335 @@ optional_policy(`
+@@ -746,44 +707,336 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -115038,7 +115144,7 @@ index f03dcf5..a4e5bf6 100644
+dev_rw_dri(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
-
++
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
@@ -115142,6 +115248,7 @@ index f03dcf5..a4e5bf6 100644
+ fs_getattr_dos_fs(virt_domain)
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
++ udev_read_db(virt_domain)
+')
+
+optional_policy(`
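Review bot: `udev_read_db(virt_domain)` is added inside a block whose other rules are all `fs_*_dos_*` calls, and the block's opening line is outside the hunk, so it is not visible what condition guards it; if it is an `optional_policy` or `tunable_policy` keyed to something other than udev, the udev rule becomes conditional on an unrelated module or boolean and silently disappears when that condition is false. Unless the grouping is deliberate, give it its own block: `optional_policy(\`` / `	udev_read_db(virt_domain)` / `')`. If it is deliberate, a one-line comment stating why virt domains only need the udev database under that condition would prevent the next reader from "fixing" it.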
@@ -115175,7 +115282,7 @@ index f03dcf5..a4e5bf6 100644
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-+
+
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
@@ -115219,7 +115326,7 @@ index f03dcf5..a4e5bf6 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1046,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1047,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -115246,7 +115353,7 @@ index f03dcf5..a4e5bf6 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1066,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1067,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -115263,10 +115370,10 @@ index f03dcf5..a4e5bf6 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -115280,7 +115387,7 @@ index f03dcf5..a4e5bf6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1103,20 @@ optional_policy(`
+@@ -856,14 +1104,20 @@ optional_policy(`
')
optional_policy(`
@@ -115302,7 +115409,7 @@ index f03dcf5..a4e5bf6 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1141,66 @@ optional_policy(`
+@@ -888,49 +1142,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -115387,7 +115494,7 @@ index f03dcf5..a4e5bf6 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1212,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1213,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -115407,7 +115514,7 @@ index f03dcf5..a4e5bf6 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1233,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1234,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -115431,7 +115538,7 @@ index f03dcf5..a4e5bf6 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1258,357 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1259,359 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -115458,12 +115565,12 @@ index f03dcf5..a4e5bf6 100644
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ docker_exec_lib(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -115486,6 +115593,7 @@ index f03dcf5..a4e5bf6 100644
+
+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow svirt_sandbox_domain self:fifo_file manage_file_perms;
++allow svirt_sandbox_domain self:msg all_msg_perms;
+allow svirt_sandbox_domain self:sem create_sem_perms;
+allow svirt_sandbox_domain self:shm create_shm_perms;
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
@@ -115619,6 +115727,7 @@ index f03dcf5..a4e5bf6 100644
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
++kernel_rw_unix_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
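Review bot: The added `kernel_rw_unix_sysctls(svirt_sandbox_domain)` is redundant on the read side — `kernel_read_all_sysctls(svirt_sandbox_domain)` two lines above already covers it — so the only thing this line really adds is write access to the net.unix sysctls for every sandbox domain, and nothing in the hunk or the changelog says which workload needs that. A why-comment naming the requirement would keep the grant auditable and let a later reviewer drop it, e.g. `# write access to net.unix sysctls required by <container use case — TODO cite bug>`. If the need is only to read, the new line can be dropped outright since the read-all rule already applies. The svirt_sandbox_domain rule block continues outside this hunk.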
@@ -115682,8 +115791,9 @@ index f03dcf5..a4e5bf6 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
+
+ optional_policy(`
+- udev_read_pid_files(svirt_lxc_domain)
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
@@ -115691,9 +115801,8 @@ index f03dcf5..a4e5bf6 100644
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
-
- optional_policy(`
-- udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
@@ -115874,11 +115983,11 @@ index f03dcf5..a4e5bf6 100644
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
@@ -115930,7 +116039,7 @@ index f03dcf5..a4e5bf6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1624,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -115945,7 +116054,7 @@ index f03dcf5..a4e5bf6 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1639,7 @@ optional_policy(`
+@@ -1192,7 +1642,7 @@ optional_policy(`
########################################
#
@@ -115954,7 +116063,7 @@ index f03dcf5..a4e5bf6 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1648,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1651,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
@@ -115982,6 +116091,8 @@ index f03dcf5..a4e5bf6 100644
+
+allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
+
++allow virt_qemu_ga_t self:passwd passwd;
++
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
+
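Review bot: The new `allow virt_qemu_ga_t self:passwd passwd;` is an unconditional grant with no comment, although the changelog ties it to one specific feature (allowing guest-set-user-passwd to set user passwords). Because this permission is what PAM/passwd consult before letting a domain change local account passwords, the rule deserves a why-comment so the intent is auditable, e.g. `# guest-set-user-passwd: qemu-ga resets local account passwords on request from the host`. If this policy gates other optional virt features behind booleans, consider whether this one should be tunable too, since not every deployment wants the agent to be able to change passwords. The virt_qemu_ga_t rule block starts before this hunk and continues after it.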
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 83047e3..8c20de1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 212%{?dist}
+Release: 214%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -492,7 +492,7 @@ Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
-Conflicts: docker-selinux <= 1.9.0-9
+Conflicts: docker-selinux < 2:1.12.1-11
%description targeted
SELinux Reference policy targeted base module.
@@ -672,6 +672,51 @@ exit 0
%endif
%changelog
+* Thu Sep 15 2016 Lukas Vrabec 3.13.1-214
+- Allow attach usb device to virtual machine BZ(1276873)
+- Dontaudit mozilla_plugin to sys_ptrace
+- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)
+- Fix typo
+- Allow geoclue to send msgs to syslog. BZ(1371818)
+- Allow abrt to read rpm_tmp_t dirs
+- Add interface rpm_read_tmp_files()
+- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux
+- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.
+- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service
+- Revert "label /var/lib/kubelet as svirt_sandbox_file_t"
+- Remove file context for /var/lib/kubelet. This filecontext is part of docker now
+- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm
+- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t
+- Allow mdadm_t to getattr all device nodes
+- Dontaudit gkeyringd_domain to connect to system_dbusd_t
+- Add interface dbus_dontaudit_stream_connect_system_dbusd()
+- Allow guest-set-user-passwd to set users password.
+- Allow domains using kerberos to read also kerberos config dirs
+- Add kdymp_t domain sys_admin capability BZ(1357949)
+- Allow dnssec_trigger to exec ldconfig
+- Label /var/lib/docker-latest/vfs as svirt_sandbox_file_t
+- Fix typo bugs in rsync and inetd SELinux modules
+- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
+- Merge pull request #147 from rhatdan/virt
+- Merge pull request #149 from rhatdan/daemon_contrib
+- Merge pull request #151 from rhatdan/msg
+- Allow add new interface to new namespace BZ(1375124)
+- Allow systemd to relalbel files stored in /run/systemd/inaccessible/
+- Add interface fs_getattr_tmpfs_blk_file()
+- Dontaudit domain to create any file in /proc. This is kernel bug.
+- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.
+- Add new interface fs_getattr_oracleasmfs_fs()
+- Add interface fs_manage_oracleasm()
+- Label /dev/kfd as hsa_device_t
+- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
+- Add transition rule that caller domain can create resolv.conf link file with correct label in sysnet_filetrans_named_content() interface
+- Add systemd_machined_t kill capability
+- Allow systemd_machined_t to read nsfs_t files
+- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
+
+* Thu Sep 15 2016 Lukas Vrabec 3.13.1-213
+- Bump release
+
* Wed Aug 31 2016 Lukas Vrabec 3.13.1-212
- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/