diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 1c68fc8..eb91778 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -1,2135 +1,5 @@
-diff --git a/Changelog b/Changelog
-index 5fcca55..672e632 100644
---- a/Changelog
-+++ b/Changelog
-@@ -1,216 +1,952 @@
--* Wed Apr 24 2013 Chris PeBenito - 2.20130424
--Chris PeBenito (78):
-- Mcelog update from Guido Trentalancia.
-- Add bird contrib module from Dominick Grift.
-- Minor whitespace fix in udev.fc
-- Module version bump for udev binary location update from Sven Vermeulen.
-- clarify the file_contexts.subs_dist configuration file usage from Guido
-- Trentalancia
-- Update contrib.
-- Remove trailing / from paths
-- Module version bump for fc substitutions optimizations from Sven
-- Vermeulen.
-- Update contrib.
-- Module version bump for /run/dhcpc directory creation by dhcp from Sven
-- Vermeulen.
-- Module version bump for fc fixes in devices module from Dominick Grift.
-- Update contrib.
-- Module version bump for /dev/mei type and label from Dominick Grift.
-- Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
-- Module version bump for lost+found labeling in /var/log from Guido
-- Trentalancia.
-- Module version bump for loop-control patch.
-- Turn off all tunables by default, from Guido Trentalancia.
-- Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
-- Module version bump for various changes from Sven Vermeulen.
-- Module version bump for ports update from Dominick Grift.
-- Module version bump for Debian file context updates from Laurent
-- Bigonville.
-- Update contrib.
-- Update contrib.
-- split kmod fc into two lines.
-- Module version bump for kmod fc from Laurent Bigonville.
-- Module version bump for cfengine fc change from Dominick Grift.
-- Module verision bump for Debian cert file fc update from Laurent
-- Bigonville.
-- Module version bump for ipsec net sysctls reading from Miroslav Grepl.
-- Module version bump for srvloc port definition from Dominick Grift.
-- Rename cachefiles_dev_t to cachefiles_device_t.
-- Module version bump for cachefiles core support.
-- Module version bump for changes from Dominick Grift and Sven Vermeulen.
-- Module version bump for modutils patch from Dominick Grift.
-- Module version bump for dhcp6 ports, from Russell Coker.
-- Rearrange new xserver interfaces.
-- Rename new xserver interfaces.
-- Module version bump for xserver interfaces from Dominick Grift.
-- Move kernel_stream_connect() declaration.
-- Module version bump for kernel_stream_connect() from Dominick Grift.
-- Rename logging_search_all_log_dirs to logging_search_all_logs
-- Module version bump for minor logging and sysnet changes from Sven
-- Vermeulen.
-- Module version bump for dovecot libs from Mika Pflueger.
-- Rearrange interfaces in files, clock, and udev.
-- Module version bump for interfaces used by virt from Dominick Grift.
-- Module version bump for arping setcap from Dominick Grift.
-- Rearrange devices interfaces.
-- Module version bump/contrib sync.
-- Rearrange lines.
-- Module version bump for user home content fixes from Dominick Grift.
-- Rearrange files interfaces.
-- Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
-- Update contrib.
-- Whitespace fix in miscfiles.fc.
-- Adjust man cache interface names.
-- Module version bump for man cache from Dominick Grift.
-- Module version bump for Debian ssh-keysign location from Laurent
-- Bigonville.
-- Module version bump for userdomain portion of XDG updates from Dominick
-- Grift.
-- Module version bump for iptables fc entry from Sven Vermeulen and inn log
-- from Dominick Grift.
-- Module version bump for logging and tcpdump fixes from Sven Vermeulen.
-- Move mcs_constrained() impementation.
-- Module version bump for mcs_constrained from Dominick Grift.
-- Update contrib.
-- Module version bump from Debian changes from Laurent Bigonville.
-- Module version bump for zfs labeling from Matthew Thode.
-- Module version bump for misc updates from Sven Vermeulen.
-- Update contrib.
-- Module version bump for fixes from Dominick Grift.
-- Module version bump for Debian updates from Laurent Bigonville.
-- Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
-- Update contrib
-- Fix fc_sort.c warning uncovered by recent gcc
-- Module version bump for chfn fixes from Sven Vermeulen.
-- Add swapoff fc entry.
-- Add conntrack fc entry.
-- Update contrib.
-- Update contrib
-- Archive old Changelog for log format change.
-- Bump module versions for release.
--
--Dominick Grift (40):
-- There can be more than a single watchdog interface
-- Fix a suspected typo
-- Intel® Active Management Technology
-- Declare a loop control device node type and label /dev/loop-control
-- accordingly
-- Declare port types for ports used by Fedora but use /etc/services for port
-- names rather than using fedora port names. If /etc/services does not
-- have a port name for a port used by Fedora, skip for now.
-- Remove var_log_t file context spec
-- svrloc port type declaration from slpd policy module
-- Declare a cachfiles device node type
-- Implement files_create_all_files_as() for cachefilesd
-- Restricted Xwindows user domains run windows managers in the windows
-- managers domain
-- Declare a cslistener port type for phpfpm
-- Changes to the sysnetwork policy module
-- Changes to the userdomain policy module
-- Changes to the bootloader policy module
-- Changes to the modutils policy module
-- Changes to the xserver policy module
-- Changes to various policy modules
-- Changes to the kernel policy module
-- For svirt_lxc_domain
-- For svirt_lxc_domain
-- For svirt_lxc_domain
-- For virtd lxc
-- For virtd_lxc
-- For virtd_lxc
-- For virtd lxc
-- For virtd lxc
-- For virtd
-- Arping needs setcap to cap_set_proc
-- For virtd
-- Changes to the user domain policy module
-- Samhain_admin() now requires a role for the role_transition from $1 to
-- initrc_t via samhain_initrc_exec_t
-- Changes to the user domain policy module
-- Label /var/cache/man with a private man cache type for mandb
-- Create a attribute user_home_content_type and assign it to all types that
-- are classified userdom_user_home_content()
-- These two attribute are unused
-- System logger creates innd log files with a named file transition
-- Implement mcs_constrained_type
-- Changes to the init policy module
-- Changes to the userdomain policy module
-- NSCD related changes in various policy modules
--
--Guido Trentalancia (1):
-- add lost+found filesystem labels to support NSA security guidelines
--
--Laurent Bigonville (21):
-- Add Debian locations for GDM 3
-- Add Debian location for udisks helpers
-- Add insmod_exec_t label for kmod executable
-- Add Debian location for PKI files
-- Add Debian location for ssh-keysign
-- Properly label all the ssh host keys
-- Allow udev_t domain to read files labeled as consolekit_var_run_t
-- authlogin.if: Add auth_create_pam_console_data_dirs and
-- auth_pid_filetrans_pam_var_console interfaces
-- Label /etc/rc.d/init.d/x11-common as xdm_exec_t
-- Drop /etc/rc.d/init.d/xfree86-common filecontext definition
-- Label /var/run/shm as tmpfs_t for Debian
-- Label /var/run/motd.dynamic as initrc_var_run_t
-- Label /var/run/initctl as initctl_t
-- udev.if: Call files_search_pid instead of files_search_var_lib in
-- udev_manage_pid_files
-- Label executables in /usr/lib/NetworkManager/ as bin_t
-- Add support for rsyslog
-- Label var_lock_t as a mountpoint
-- Add mount_var_run_t type and allow mount_t domain to manage the files and
-- directories
-- Add initrc_t to use block_suspend capability
-- Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
-- Label nut drivers that are installed in /lib/nut on Debian as bin_t
--
--Matthew Thode (1):
-- Implement zfs support
--
--Mika Pflüger (2):
-- Debian locations of gvfs and kde4 libexec binaries in /usr/lib
-- Explicitly label dovecot libraries lib_t for debian
--
--Miroslav Grepl (1):
-- Allow ipsec to read kernel sysctl
--
--Paul Moore (1):
-- flask: add the attach_queue permission to the tun_socket object class
--
--Russell Coker (1):
-- Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
-- client control
--
--Sven Vermeulen (27):
-- New location for udevd binary
-- Use substititions for /usr/local/lib and /etc/init.d
-- DHCP client's hooks create /run/dhcpc directory
-- Introduce init_daemon_run_dir transformation
-- Use the init_daemon_run_dir interface for udev
-- Allow initrc_t to create run dirs for core modules
-- Puppet uses mount output for verification
-- Allow syslogd to create /var/lib/syslog and
-- /var/lib/misc/syslog-ng.persist
-- Gentoo's openrc does not require initrc_exec_t for runscripts anymore
-- Allow init scripts to read courier configuration
-- Allow search within postgresql var directory for the stream connect
-- interface
-- Introduce logging_getattr_all_logs interface
-- Introduce logging_search_all_log_dirs interface
-- Support flushing routing cache
-- Allow init to set attributes on device_t
-- Introduce files_manage_all_pids interface
-- Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
-- Update files_manage_generic_locks with directory permissions
-- Run ipset in iptables domain
-- tcpdump chroots into /var/lib/tcpdump
-- Remove generic log label for cron location
-- Postgresql 9.2 connects to its unix stream socket
-- lvscan creates the /run/lock/lvm directory if nonexisting (v2)
-- Allow syslogger to manage cron log files (v2)
-- Allow initrc_t to read stunnel configuration
-- Introduce exec-check interfaces for passwd binaries and useradd binaries
-- chfn_t reads in file context information and executes nscd
-+- Mcelog update from Guido Trentalancia.
-+- Added contrib modules:
-+ bird (Dominick Grift)
-
-+* Wed Jul 25 2012 Chris PeBenito - 2.20120725
-+- Rename epollwakeup capability2 permission to block_suspend to match the
-+ corresponding kernel capability rename.
-+- Udev and init changes to support /run, from Sven Vermeulen.
-+- auth_use_nsswitch updates from Miroslav Grepl.
-+- Mount runtime files fix from Guido Trentalancia.
-+- Update Python scripts to support Python 3, from Sven Vermeulen.
-+- Update capability2 object class for new wake_alarm and epollwakeup
-+ capabilities.
-+- SEPostgresql updates from Kohei KaiGai.
-+- Simplify file contexts based on file context path substitutions, from Sven
-+ Vermeulen.
-+- Add optional name for kernel and system filetrans interfaces.
-+- Non-auth file attribute to eliminate set expressions, from James Carter.
-+- Virt updates from Sven Vermeulen.
-+- Various dontaudits from Sven Vermeulen.
-+- Fix base module and monolithic role declaration ordering issue now that
-+ role declarations must be explicit, from Harry Ciao.
-+- Added contrib modules:
-+ bacula (Stan Sander/Sven Vermeulen)
-+ bcfg2 (Miroslav Grepl)
-+ blueman (Miroslav Grepl)
-+
-+* Wed Feb 15 2012 Chris PeBenito - 2.20120215
-+- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
-+- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
-+- Add userdom interfaces for user application domains, user tmp files,
-+ and user tmpfs files.
-+- Asterisk administration fixes from Sven Vermeulen.
-+- Fix makefiles to install files with the correct DAC permissions if the
-+ umask is not 022.
-+- Remove deprecated support macros.
-+- Remove rolemap and per-role template support.
-+- Change corenetwork port declaration to apply the reserved port type
-+ attribute only, when the type has ports above and below 1024.
-+- Change secure_mode_policyload to disable only toggling of this Boolean
-+ rather than disabling all Boolean toggling permissions.
-+- Use role attributes to assist with domain transitions in interactive
-+ programs.
-+- Milter ports patch from Paul Howarth.
-+- Separate portage fetch rules out of portage_run() and portage_domtrans()
-+ from Sven Vermeulen.
-+- Enhance corenetwork network_port() macro to support ports that do not have
-+ a well defined port number, such as stunnel.
-+- Opendkim support in dkim module from Paul Howarth.
-+- Wireshark updates from Sven Vermeulen.
-+- Change secure_mode_insmod to control sys_module capability rather than
-+ controlling domain transitions to insmod.
-+- Openrc and portage updates from Sven Vermeulen.
-+- Allow user and role changes on dynamic transitions with the same
-+ constraints as regular transitions.
-+- New git service features from Dominick Grift.
-+- Corenetwork policy size optimization from Dan Walsh.
-+- Silence spurious udp_socket listen denials.
-+- Fix unexpanded MLS/MCS fields in monolithic seusers file.
-+- Type transition fix in Postgresql database objects from KaiGai Kohei.
-+- Support for file context path substitutions (file_contexts.subs).
-+- Added contrib modules:
-+ glance (Dan Walsh)
-+ rhsmcertd (Dan Walsh)
-+ sanlock (Dan Walsh)
-+ sblim (Dan Walsh)
-+ uuidd (Dan Walsh)
-+ vdagent (Dan Walsh)
-+
-+* Tue Jul 26 2011 Chris PeBenito - 2.20110726
-+- Fix role declarations to handle role attribute compilers.
-+- Rename audioentropy module to entropyd due to haveged support.
-+- Add haveged support from Sven Vermeulen.
-+- Authentication file patch from Matthew Ife.
-+- Add agent support to zabbix from Sven Vermeulen.
-+- Cyrus file context update for Gentoo from Corentin Labbe.
-+- Portage updates from Sven Vermeulen.
-+- Fix init_system_domain() description, pointed out by Elia Pinto.
-+- Postgresql selabel_lookup update from KaiGai Kohei.
-+- Dovecot managesieve support from Mika Pfluger.
-+- Semicolon after interface/template calls cleanup from Elia Pinto.
-+- Gentoo courier updates from Sven Vermeulen.
-+- Amavis patch for connecting to nslcd from Miroslav Grepl.
-+- Shorewall patch from Miroslav Grepl.
-+- Cpufreqselector dbus patch from Guido Trentalancia.
-+- Cron pam_namespace and pam_loginuid support from Harry Ciao.
-+- Xserver update for startx from Sven Vermeulen.
-+- Fix MLS constraint for contains permission from Harry Ciao.
-+- Apache user webpages fix from Dominick Grift.
-+- Change default build.conf to modular policy from Stephen Smalley.
-+- Xen refinement patch from Stephen Smalley.
-+- Sudo timestamp file location update from Sven Vermeulen.
-+- XServer keyboard event patch from Sven Vermeulen.
-+- RAID uevent patch from Sven Vermeulen.
-+- Gentoo ALSA init script usage patch from Sven Vermeulen.
-+- LVM semaphore usage patch from Sven Vermeulen.
-+- Module load request patch for insmod from Sven Vermeulen.
-+- Cron default contexts fix from Harry Ciao.
-+- Man page fixes from Justin Mattock.
-+- Add syslog capability.
-+- Support for logging in to /dev/console, from Harry Ciao.
-+- Database object class updates and associated SEPostgreSQL changes from
-+ KaiGai Kohei.
-+- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
-+- Mount updates from Harry Ciao.
-+- Semanage update for MLS systems from Harry Ciao.
-+- Vlock terminal use update from Harry Ciao.
-+- Hadoop CDH3 updates from Paul Nuzzi.
-+- Add sepgsql_contexts appconfig files from KaiGai Kohei.
-+- Added modules:
-+ aiccu
-+ bugzilla (Dan Walsh)
-+ colord (Dan Walsh)
-+ cmirrord (Miroslav Grepl)
-+ mediawiki (Miroslav Grepl)
-+ mpd (Miroslav Grepl)
-+ ncftool
-+ passenger (Miroslav Grepl)
-+ qpid (Dan Walsh)
-+ samhain (Harry Ciao)
-+ telepathy (Dominick Grift)
-+ tcsd (Stephen Smalley)
-+ vnstatd (Dan Walsh)
-+ zarafa (Miroslav Grepl)
-+
-+* Mon Dec 13 2010 Chris PeBenito - 2.20101213
-+- Git man page from Dominick Grift.
-+- Alsa and oident home content cleanup from Dominick Grift.
-+- Add support for custom build options.
-+- Unconditional staff and user oidentd home config access from Dominick Grift.
-+- Conditional mmap_zero support from Dominick Grift.
-+- Added devtmpfs support.
-+- Dbadm updates from KaiGai Kohei.
-+- Virtio disk file context update from Mika Pfluger.
-+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
-+- Add JIT usage for freshclam.
-+- Remove ethereal module since the application was renamed to wireshark.
-+- Remove duplicate/redundant rules, from Russell Coker.
-+- Increased default number of categories to 1024, from Russell Coker.
-+- Added modules:
-+ accountsd (Dan Walsh)
-+ cgroup (Dominick Grift)
-+ hadoop (Paul Nuzzi)
-+ kdumpgui (Dan Walsh)
-+ livecd (Dan Walsh)
-+ mojomojo (Iain Arnell)
-+ sambagui (Dan Walsh)
-+ shutdown (Dan Walsh)
-+ sosreport (Dan Walsh)
-+ vlock (Harry Ciao)
-+
-+* Mon May 24 2010 Chris PeBenito - 2.20100524
-+- Merged a significant portion of Fedora policy.
-+- Move rules from mta mailserver delivery from interface to .te to use
-+ attributes.
-+- Remove concept of users from terminal module interfaces since the
-+ attributes are not specific to users.
-+- Add non-drawing X client support, for consolekit usage.
-+- Misc Gentoo fixes from Chris Richards.
-+- AFS and abrt fixes from Dominick Grift.
-+- Improved the XML docs of 55 most-used interfaces.
-+- Apcupsd and amavis fixes from Dominick Grift.
-+- Fix network_port() in corenetwork to correctly handle port ranges.
-+- SE-Postgresql updates from KaiGai Kohei.
-+- X object manager revisions from Eamon Walsh.
-+- Added modules:
-+ aisexec (Dan Walsh)
-+ chronyd (Miroslav Grepl)
-+ cobbler (Dominick Grift)
-+ corosync (Dan Walsh)
-+ dbadm (KaiGai Kohei)
-+ denyhosts (Dan Walsh)
-+ nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
-+ likewise (Scott Salley)
-+ plymouthd (Dan Walsh)
-+ pyicqt (Stefan Schulze Frielinghaus)
-+ rhcs (Dan Walsh)
-+ rgmanager (Dan Walsh)
-+ sectoolm (Miroslav Grepl)
-+ usbmuxd (Dan Walsh)
-+ vhostmd (Dan Walsh)
-+
-+* Tue Nov 17 2009 Chris PeBenito - 2.20091117
-+- Add separate x_pointer and x_keyboard classes inheriting from x_device.
-+ From Eamon Walsh.
-+- Deprecated the userdom_xwindows_client_template().
-+- Misc Gentoo fixes from Corentin Labbe.
-+- Debian policykit fixes from Martin Orr.
-+- Fix unconfined_r use of unconfined_java_t.
-+- Add missing x_device rules for XI2 functions, from Eamon Walsh.
-+- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
-+- Add btrfs and ext4 to labeling targets.
-+- Fix infrastructure to expand macros in initrc_context when installing.
-+- Handle unix_chkpwd usage by useradd and groupadd.
-+- Add missing compatibility aliases for xdm_xserver*_t types.
-+- Added modules:
-+ abrt (Dan Walsh)
-+ dkim (Stefan Schulze Frielinghaus)
-+ gitosis (Miroslav Grepl)
-+ gnomeclock (Dan Walsh)
-+ hddtemp (Dan Walsh)
-+ kdump (Dan Walsh)
-+ modemmanager(Dan Walsh)
-+ nslcd (Dan Walsh)
-+ puppet (Craig Grube)
-+ rtkit (Dan Walsh)
-+ seunshare (Dan Walsh)
-+ shorewall (Dan Walsh)
-+ tgtd (Matthew Ife)
-+ tuned (Miroslav Grepl)
-+ xscreensaver (Corentin Labbe)
-+
-+* Thu Jul 30 2009 Chris PeBenito - 2.20090730
-+- Gentoo fixes for init scripts and system startup.
-+- Remove read_default_t tunable.
-+- Greylist milter from Paul Howarth.
-+- Crack db access for su to handle password expiration, from Brandon Whalen.
-+- Misc fixes for unix_update from Brandon Whalen.
-+- Add x_device permissions for XI2 functions, from Eamon Walsh.
-+- MLS constraints for the x_selection class, from Eamon Walsh.
-+- Postgresql updates from KaiGai Kohei.
-+- Milter state directory patch from Paul Howarth.
-+- Add MLS constrains for ingress/egress and secmark from Paul Moore.
-+- Drop write permission from fs_read_rpc_sockets().
-+- Remove unused udev_runtime_t type.
-+- Patch for RadSec port from Glen Turner.
-+- Enable network_peer_controls policy capability from Paul Moore.
-+- Btrfs xattr support from Paul Moore.
-+- Add db_procedure install permission from KaiGai Kohei.
-+- Add support for network interfaces with access controlled by a Boolean
-+ from the CLIP project.
-+- Several fixes from the CLIP project.
-+- Add support for labeled Booleans.
-+- Remove node definitions and change node usage to generic nodes.
-+- Add kernel_service access vectors, from Stephen Smalley.
-+- Added modules:
-+ certmaster (Dan Walsh)
-+ cpufreqselector (Dan Walsh)
-+ devicekit (Dan Walsh)
-+ fprintd (Dan Walsh)
-+ git (Dan Walsh)
-+ gpsd (Miroslav Grepl)
-+ guest (Dan Walsh)
-+ ifplugd (Dan Walsh)
-+ lircd (Miroslav Grepl)
-+ logadm (Dan Walsh)
-+ pads (Dan Walsh)
-+ pingd (Dan Walsh)
-+ policykit (Dan Walsh)
-+ pulseaudio (Dan Walsh)
-+ psad (Dan Walsh)
-+ portreserve (Dan Walsh)
-+ sssd (Dan Walsh)
-+ ulogd (Dan Walsh)
-+ varnishd (Dan Walsh)
-+ webadm (Dan Walsh)
-+ wm (Dan Walsh)
-+ xguest (Dan Walsh)
-+ zosremote (Dan Walsh)
-+
-+* Wed Dec 10 2008 Chris PeBenito - 2.20081210
-+- Fix consistency of audioentropy and iscsi module naming.
-+- Debian file context fix for xen from Russell Coker.
-+- Xserver MLS fix from Eamon Walsh.
-+- Add omapi port for dhcpcd.
-+- Deprecate per-role templates and rolemap support.
-+- Implement user-based access control for use as role separations.
-+- Move shared library calls from individual modules to the domain module.
-+- Enable open permission checks policy capability.
-+- Remove hierarchy from portage module as it is not a good example of
-+ hieararchy.
-+- Remove enableaudit target from modular build as semodule -DB supplants it.
-+- Added modules:
-+ milter (Paul Howarth)
-+
-+* Tue Oct 14 2008 Chris PeBenito - 20081014
-+- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
-+- Logrotate and Bind updates from Vaclav Ovsik.
-+- Init script file and domain support.
-+- Glibc 2.7 fix from Vaclav Ovsik.
-+- Samba/winbind update from Mike Edenfield.
-+- Policy size optimization with a non-security file attribute from James
-+ Carter.
-+- Database labeled networking update from KaiGai Kohei.
-+- Several misc changes from the Fedora policy, cherry picked by David
-+ Hardeman.
-+- Large whitespace fix from Dominick Grift.
-+- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
-+- Issuing commands to upstart is over a datagram socket, not the initctl
-+ named pipe. Updated init_telinit() to match.
-+- Added modules:
-+ cyphesis (Dan Walsh)
-+ memcached (Dan Walsh)
-+ oident (Dominick Grift)
-+ w3c (Dan Walsh)
-+
-+* Wed Jul 02 2008 Chris PeBenito - 20080702
-+- Fix httpd_enable_homedirs to actually provide the access it is supposed to
-+ provide.
-+- Add unused interface/template parameter metadata in XML.
-+- Patch to handle postfix data_directory from Vaclav Ovsik.
-+- SE-Postgresql policy from KaiGai Kohei.
-+- Patch for X.org dbus support from Martin Orr.
-+- Patch for labeled networking controls in 2.6.25 from Paul Moore.
-+- Module loading now requires setsched on kernel threads.
-+- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
-+- X application data class from Eamon Walsh and Ted Toth.
-+- Move user roles into individual modules.
-+- Make hald_log_t a log file.
-+- Cryptsetup runs shell scripts. Patch from Martin Orr.
-+- Add file for enabling policy capabilities.
-+- Patch to fix leaky interface/template call depth calculator from Vaclav
-+ Ovsik.
-+- Added modules:
-+ kerneloops (Dan Walsh)
-+ kismet (Dan Walsh)
-+ podsleuth (Dan Walsh)
-+ prelude (Dan Walsh)
-+ qemu (Dan Walsh)
-+ virt (Dan Walsh)
-+
-+* Wed Apr 02 2008 Chris PeBenito - 20080402
-+- Add core Security Enhanced X Windows support.
-+- Fix winbind socket connection interface for default location of the
-+ sock_file.
-+- Add wireshark module based on ethereal module.
-+- Revise upstart support in init module to use a tunable, as upstart is now
-+ used in Fedora too.
-+- Add iferror.m4 rather generate it out of the Makefiles.
-+- Definitions for open permisson on file and similar objects from Eric
-+ Paris.
-+- Apt updates for ptys and logs, from Martin Orr.
-+- RPC update from Vaclav Ovsik.
-+- Exim updates on Debian from Devin Carrawy.
-+- Pam and samba updates from Stefan Schulze Frielinghaus.
-+- Backup update on Debian from Vaclav Ovsik.
-+- Cracklib update on Debian from Vaclav Ovsik.
-+- Label /proc/kallsyms with system_map_t.
-+- 64-bit capabilities from Stephen Smalley.
-+- Labeled networking peer object class updates.
-+
-+* Fri Dec 14 2007 Chris PeBenito - 20071214
-+- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
-+- Improve several tunables descriptions from Dan Walsh.
-+- Patch to clean up ns switch usage in the policy from Dan Walsh.
-+- More complete labeled networking infrastructure from KaiGai Kohei.
-+- Add interface for libselinux constructor, for libselinux-linked
-+ SELinux-enabled programs.
-+- Patch to restructure user role templates to create restricted user roles
-+ from Dan Walsh.
-+- Russian man page translations from Andrey Markelov.
-+- Remove unused types from dbus.
-+- Add infrastructure for managing all user web content.
-+- Deprecate some old file and dir permission set macros in favor of the
-+ newer, more consistently-named macros.
-+- Patch to clean up unescaped periods in several file context entries from
-+ Jan-Frode Myklebust.
-+- Merge shlib_t into lib_t.
-+- Merge strict and targeted policies. The policy will now behave like the
-+ strict policy if the unconfined module is not present. If it is, it will
-+ behave like the targeted policy. Added an unconfined role to have a mix
-+ of confined and unconfined users.
-+- Added modules:
-+ exim (Dan Walsh)
-+ postfixpolicyd (Jan-Frode Myklebust)
-+
-+* Fri Sep 28 2007 Chris PeBenito - 20070928
-+- Add support for setting the unknown permissions handling.
-+- Fix XML building for external reference builds and headers builds.
-+- Patch to add missing requirements in userdomain interfaces from Shintaro
-+ Fujiwara.
-+- Add tcpd_wrapped_domain() for services that use tcp wrappers.
-+- Update MLS constraints from LSPP evaluated policy.
-+- Allow initrc_t file descriptors to be inherited regardless of MLS level.
-+ Accordingly drop MLS permissions from daemons that inherit from any level.
-+- Files and radvd updates from Stefan Schulze Frielinghaus.
-+- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
-+ mls_write_all_levels() and mls_read_all_levels(), for consistency.
-+- Add make kernel and init ranged interfaces pass the range transition MLS
-+ constraints. Also remove calls to mls_rangetrans_target() in modules that use
-+ the kernel and init interfaces, since its redundant.
-+- Add interfaces for all MLS attributes except X object classes.
-+- Require all sensitivities and categories for MLS and MCS policies, not just
-+ the low and high sensitivity and category.
-+- Database userspace object manager classes from KaiGai Kohei.
-+- Add third-party interface for Apache CGI.
-+- Add getserv and shmemserv nscd permissions.
-+- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
-+- Added modules:
-+ application
-+ awstats (Stefan Schulze Frielinghaus)
-+ bitlbee (Devin Carraway)
-+ brctl (Dan Walsh)
-+
-+* Fri Jun 29 2007 Chris PeBenito - 20070629
-+- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
-+ libraries module.
-+- Unified labeled networking policy from Paul Moore.
-+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
-+- Xen updates from Dan Walsh.
-+- Filesystem updates from Dan Walsh.
-+- Large samba update from Dan Walsh.
-+- Drop snmpd_etc_t.
-+- Confine sendmail and logrotate on targeted.
-+- Tunable connection to postgresql for users from KaiGai Kohei.
-+- Memprotect support patch from Stephen Smalley.
-+- Add logging_send_audit_msgs() interface and deprecate
-+ send_audit_msgs_pattern().
-+- Openct updates patch from Dan Walsh.
-+- Merge restorecon into setfiles.
-+- Patch to begin separating out hald helper programs from Dan Walsh.
-+- Fixes for squid, dovecot, and snmp from Dan Walsh.
-+- Miscellaneous consolekit fixes from Dan Walsh.
-+- Patch to have avahi use the nsswitch interface rather than individual
-+ permissions from Dan Walsh.
-+- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
-+- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
-+ to handle usage from userhelper from Dan Walsh.
-+- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
-+- Patch to allow slocate to getattr other filesystems and directories on those
-+ filesystems from Dan Walsh.
-+- Fixes for RHEL4 from the CLIP project.
-+- Replace the old lrrd fc entries with munin ones.
-+- Move program admin template usage out of userdom_admin_user_template() to
-+ sysadm policy in userdomain.te to fix usage of the template for third
-+ parties.
-+- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
-+ template instead of an interface.
-+- Added modules:
-+ amtu (Dan Walsh)
-+ apcupsd (Dan Walsh)
-+ rpcbind (Dan Walsh)
-+ rwho (Nalin Dahyabhai)
-+
-+* Tue Apr 17 2007 Chris PeBenito - 20070417
-+- Patch for sasl's use of kerberos from Dan Walsh.
-+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
-+- Man page updates from Dan Walsh.
-+- Two patches from Paul Moore to for ipsec to remove redundant rules and
-+ have setkey read the config file.
-+- Move booleans and tunables to modules when it is only used in a single
-+ module.
-+- Add support for tunables and booleans local to a module.
-+- Merge sbin_t and ls_exec_t into bin_t.
-+- Remove disable_trans booleans.
-+- Output different header sets for kernel and userland from flask headers.
-+- Marked the pax class as deprecated, changed it to userland so
-+ it will be removed from the kernel.
-+- Stop including netfilter contexts by default.
-+- Add dontaudits for init fds and console to init_daemon_domain().
-+- Patch to allow gpg to create user keys dir.
-+- Patch to support kvmfs from Dan Walsh.
-+- Patch for misc fixes in sudo from Dan Walsh.
-+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
-+- Patch for handling restart of nscd when ran from useradd, groupadd, and
-+ admin passwd, from Dan Walsh.
-+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
-+- Patch for setroubleshoot for validating file contexts from Dan Walsh.
-+- Patch for gssd fixes from Dan Walsh.
-+- Patch for lvm fixes from Dan Walsh.
-+- Patch for ricci fixes from Dan Walsh.
-+- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
-+- Patch for kerberized telnet fixes from Dan Walsh.
-+- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
-+- Patch for an additional wine executable from Dan Walsh.
-+- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
-+ corecommands, devices, and java from Dan Walsh.
-+- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
-+- Patch for misc fixes to bluetooth from Dan Walsh.
-+- Patch for misc fixes to kerberos from Dan Walsh.
-+- Patch to start deprecating usercanread attribute from Ryan Bradetich.
-+- Add dccp_socket object class which was added in kernel 2.6.20.
-+- Patch for prelink relabefrom it's temp files from Dan Walsh.
-+- Patch for capability fix for auditd and networking fix for syslogd from
-+ Dan Walsh.
-+- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
-+- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
-+- Patch to allow apmd to telinit from Dan Walsh.
-+- Patch for additional labeling of samba files from Stefan Schulze
-+ Frielinghaus.
-+- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
-+- Fix ptys and ttys to be device nodes.
-+- Fix explicit use of httpd_t in openca_domtrans().
-+- Clean up file context regexes in apache and java, from Eamon Walsh.
-+- Patches from Dan Walsh:
-+ Thu, 25 Jan 2007
-+- Added modules:
-+ consolekit (Dan Walsh)
-+ fail2ban (Dan Walsh)
-+ zabbix (Dan Walsh)
-+
-+* Tue Dec 12 2006 Chris PeBenito - 20061212
-+- Add policy patterns support macros. This changes the behavior of
-+ the create_dir_perms and create_file_perms permission sets.
-+- Association polmatch MLS constraint making unlabeled_t an exception
-+ is no longer needed, patch from Venkat Yekkirala.
-+- Context contains checking for PAM and cron from James Antill.
-+- Add a reload target to Modules.devel and change the load
-+ target to only insert modules that were changed.
-+- Allow semanage to read from /root on strict non-MLS for
-+ local policy modules.
-+- Gentoo init script fixes for udev.
-+- Allow udev to read kernel modules.inputmap.
-+- Dnsmasq fixes from testing.
-+- Allow kernel NFS server to getattr filesystems so df can work
-+ on clients.
-+- Patch from Matt Anderson for a MLS constraint exemption on a
-+ file that can be written to from a subject whose range is
-+ within the object's range.
-+- Enhanced setransd support from Darrel Goeddel.
-+- Patches from Dan Walsh:
-+ Tue, 24 Oct 2006
-+ Wed, 29 Nov 2006
-+- Added modules:
-+ aide (Matt Anderson)
-+ ccs (Dan Walsh)
-+ iscsi (Dan Walsh)
-+ ricci (Dan Walsh)
-+
-+* Wed Oct 18 2006 Chris PeBenito - 20061018
-+- Patch from Russell Coker Thu, 5 Oct 2006
-+- Move range transitions to modules.
-+- Make number of MLS sensitivities, and number of MLS and MCS
-+ categories configurable as build options.
-+- Add role infrastructure.
-+- Debian updates from Erich Schubert.
-+- Add nscd_socket_use() to auth_use_nsswitch().
-+- Remove old selopt rules.
-+- Full support for netfilter_contexts.
-+- MRTG patch for daemon operation from Stefan.
-+- Add authlogin interface to abstract common access for login programs.
-+- Remove setbool auditallow, except for RHEL4.
-+- Change eventpollfs to task SID labeling.
-+- Add key support from Michael LeMay.
-+- Add ftpdctl domain to ftp, from Paul Howarth.
-+- Fix build system to not move type declarations out of optionals.
-+- Add gcc-config domain to portage.
-+- Add packet object class and support in corenetwork.
-+- Add a copy of genhomedircon for monolithic policy building, so that a
-+ policycoreutils package update is not required for RHEL4 systems.
-+- Add appletalk sockets for use in cups.
-+- Add Make target to validate module linking.
-+- Make duplicate template and interface declarations a fatal error.
-+- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
-+- Move xconsole_device_t from devices to xserver since it is
-+ not actually a device, it is a named pipe.
-+- Handle nonexistant .fc and .if files in devel Makefile by
-+ automatically creating empty files.
-+- Remove unused devfs_control_t.
-+- Add rhel4 distro, which also implies redhat distro.
-+- Remove unneeded range_transition for su_exec_t and move the
-+ type declaration back to the su module.
-+- Constrain transitions in MCS so unconfined_t cannot have
-+ arbitrary category sets.
-+- Change reiserfs from xattr filesystem to genfscon as it's xattrs
-+ are currently nonfunctional.
-+- Change files and filesystem modules to use their own interfaces.
-+- Add user fonts to xserver.
-+- Additional interfaces in corecommands, miscfiles, and userdomain
-+ from Joy Latten.
-+- Miscellaneous fixes from Thomas Bleher.
-+- Deprecate module name as first parameter of optional_policy()
-+ now that optionals are allowed everywhere.
-+- Enable optional blocks in base module and monolithic policy.
-+ This requires checkpolicy 1.30.1.
-+- Fix vpn module declaration.
-+- Numerous fixes from Dan Walsh.
-+- Change build order to preserve m4 line number information so policy
-+ compile errors are useful again.
-+- Additional MLS interfaces from Chad Hanson.
-+- Move some rules out of domain_type() and domain_base_type()
-+ to the TE file, to use the domain attribute to take advantage
-+ of space savings from attribute use.
-+- Add global stack smashing protector rule for urandom access from
-+ Petre Rodan.
-+- Fix temporary rules at the bottom of portmap.
-+- Updated comments in mls file from Chad Hanson.
-+- Patches from Dan Walsh:
-+ Fri, 17 Mar 2006
-+ Wed, 29 Mar 2006
-+ Tue, 11 Apr 2006
-+ Fri, 14 Apr 2006
-+ Tue, 18 Apr 2006
-+ Thu, 20 Apr 2006
-+ Tue, 02 May 2006
-+ Mon, 15 May 2006
-+ Thu, 18 May 2006
-+ Tue, 06 Jun 2006
-+ Mon, 12 Jun 2006
-+ Tue, 20 Jun 2006
-+ Wed, 26 Jul 2006
-+ Wed, 23 Aug 2006
-+ Thu, 31 Aug 2006
-+ Fri, 01 Sep 2006
-+ Tue, 05 Sep 2006
-+ Wed, 20 Sep 2006
-+ Fri, 22 Sep 2006
-+ Mon, 25 Sep 2006
-+- Added modules:
-+ afs
-+ amavis (Erich Schubert)
-+ apt (Erich Schubert)
-+ asterisk
-+ audioentropy
-+ authbind
-+ backup
-+ calamaris
-+ cipe
-+ clamav (Erich Schubert)
-+ clockspeed (Petre Rodan)
-+ courier
-+ dante
-+ dcc
-+ ddclient
-+ dpkg (Erich Schubert)
-+ dnsmasq
-+ ethereal
-+ evolution
-+ games
-+ gatekeeper
-+ gift
-+ gnome (James Carter)
-+ imaze
-+ ircd
-+ jabber
-+ monop
-+ mozilla
-+ mplayer
-+ munin
-+ nagios
-+ nessus
-+ netlabel (Paul Moore)
-+ nsd
-+ ntop
-+ nx
-+ oav
-+ oddjob (Dan Walsh)
-+ openca
-+ openvpn (Petre Rodan)
-+ perdition
-+ portslave
-+ postgrey
-+ pxe
-+ pyzor (Dan Walsh)
-+ qmail (Petre Rodan)
-+ razor
-+ resmgr
-+ rhgb
-+ rssh
-+ snort
-+ soundserver
-+ speedtouch
-+ sxid
-+ thunderbird
-+ tor (Erich Schubert)
-+ transproxy
-+ tripwire
-+ uptime
-+ uwimap
-+ vmware
-+ watchdog
-+ xen (Dan Walsh)
-+ xprint
-+ yam
-+
-+* Tue Mar 07 2006 Chris PeBenito - 20060307
-+- Make all interface parameters required.
-+- Move boot_t, system_map_t, and modules_object_t to files module,
-+ and move bootloader to admin layer.
-+- Add semanage policy for semodule from Dan Walsh.
-+- Remove allow_execmem from targeted policy domain_base_type().
-+- Add users_extra and seusers support.
-+- Postfix fixes from Serge Hallyn.
-+- Run python and shell directly to interpret scripts so policy
-+ sources need not be executable.
-+- Add desc tag XML to booleans and tunables, and add summary
-+ to param XML tag, to make future translations possible.
-+- Remove unused lvm_vg_t.
-+- Many interface renames to improve naming consistency.
-+- Merge xdm into xserver.
-+- Remove kernel module reversed interfaces.
-+- Add filename attribute to module XML tag and lineno attribute to
-+ interface XML tag.
-+- Changed QUIET build option to a yes or no option.
-+- Add a Makefile used for compiling loadable modules in a
-+ user's development environment, building against policy headers.
-+- Add Make target for installing policy headers.
-+- Separate per-userdomain template expansion from the userdomain
-+ module and add infrastructure to expand templates in the modules
-+ that own the template.
-+- Enable secadm only for MLS policies.
-+- Remove role change rules in su and sudo since this functionality has been
-+ removed from these programs.
-+- Add ctags Make target from Thomas Bleher.
-+- Collapse commands with grep piped to sed into one sed command.
-+- Fix type_change bug in term_user_pty().
-+- Move ice_tmp_t from miscfiles to xserver.
-+- Login fixes from Serge Hallyn.
-+- Move xserver_log_t from xdm to xserver.
-+- Add lpr per-userdomain policy to lpd.
-+- Miscellaneous fixes from Dan Walsh.
-+- Change initrc_var_run_t interface noun from script_pid to utmp,
-+ for greater clarity.
-+- Added modules:
-+ certwatch
-+ mono (Dan Walsh)
-+ mrtg
-+ portage
-+ tvtime
-+ userhelper
-+ usernetctl
-+ wine (Dan Walsh)
-+ xserver
-+
-+* Tue Jan 17 2006 Chris PeBenito - 20060117
-+- Adds support for generating corenetwork interfaces based on attributes
-+ in addition to types.
-+- Permits the listing of multiple nodes in a network_node() that will be
-+ given the same type.
-+- Add two new permission sets for stream sockets.
-+- Rename file type transition interfaces verb from create to
-+ filetrans to differentiate it from create interfaces without
-+ type transitions.
-+- Fix expansion of interfaces from disabled modules.
-+- Rsync can be long running from init,
-+ added rules to allow this.
-+- Add polyinstantiation build option.
-+- Add setcontext to the association object class.
-+- Add apache relay and db connect tunables.
-+- Rename texrel_shlib_t to textrel_shlib_t.
-+- Add swat to samba module.
-+- Numerous miscellaneous fixes from Dan Walsh.
-+- Added modules:
-+ alsa
-+ automount
-+ cdrecord
-+ daemontools (Petre Rodan)
-+ ddcprobe
-+ djbdns (Petre Rodan)
-+ fetchmail
-+ irc
-+ java
-+ lockdev
-+ logwatch (Dan Walsh)
-+ openct
-+ prelink (Dan Walsh)
-+ publicfile (Petre Rodan)
-+ readahead
-+ roundup
-+ screen
-+ slocate (Dan Walsh)
-+ slrnpull
-+ smartmon
-+ sysstat
-+ ucspitcp (Petre Rodan)
-+ usbmodules
-+ vbetool (Dan Walsh)
-+
-+* Wed Dec 07 2005 Chris PeBenito - 20051207
-+- Add unlabeled IPSEC association rule to domains with
-+ networking permissions.
-+- Merge systemuser back in to users, as these files
-+ do not need to be split.
-+- Add check for duplicate interface/template definitions.
-+- Move domain, files, and corecommands modules to kernel
-+ layer to resolve some layering inconsistencies.
-+- Move policy build options out of Makefile into build.conf.
-+- Add yppasswd to nis module.
-+- Change optional_policy() to refer to the module name
-+ rather than modulename.te.
-+- Fix labeling targets to use installed file_contexts rather
-+ than partial file_contexts in the policy source directory.
-+- Fix build process to use make's internal vpath functions
-+ to detect modules rather than using subshells and find.
-+- Add install target for modular policy.
-+- Add load target for modular policy.
-+- Add appconfig dependency to the load target.
-+- Miscellaneous fixes from Dan Walsh.
-+- Fix corenetwork gen_context()'s to expand during the policy
-+ build phase instead of during the generation phase.
-+- Added policies:
-+ amanda
-+ avahi
-+ canna
-+ cyrus
-+ dbskk
-+ dovecot
-+ distcc
-+ i18n_input
-+ irqbalance
-+ lpd
-+ networkmanager
-+ pegasus
-+ postfix
-+ procmail
-+ radius
-+ rdisc
-+ rpc
-+ spamassassin
-+ timidity
-+ xdm
-+ xfs
-+
-+* Wed Oct 19 2005 Chris PeBenito - 20051019
-+- Many fixes to make loadable modules build.
-+- Add targets for sechecker.
-+- Updated to sedoctool to read bool files and tunable
-+ files separately.
-+- Changed the xml tag of to to be consistent
-+ with gen_bool().
-+- Modified the implementation of segenxml to use regular
-+ expressions.
-+- Rename context_template() to gen_context() to clarify
-+ that its not a Reference Policy template, but a support
-+ macro.
-+- Add disable_*_trans bool support for targeted policy.
-+- Add MLS module to handle MLS constraint exceptions,
-+ such as reading up and writing down.
-+- Fix errors uncovered by sediff.
-+- Added policies:
-+ anaconda
-+ apache
-+ apm
-+ arpwatch
-+ bluetooth
-+ dmidecode
-+ finger
-+ ftp
-+ kudzu
-+ mailman
-+ ppp
-+ radvd
-+ sasl
-+ webalizer
-+
-+* Thu Sep 22 2005 Chris PeBenito - 20050922
-+- Make logrotate, sendmail, sshd, and rpm policies
-+ unconfined in the targeted policy so no special
-+ modules.conf is required.
-+- Add experimental MCS support.
-+- Add appconfig for MLS.
-+- Add equivalents for old can_resolve(), can_ldap(), and
-+ can_portmap() to sysnetwork.
-+- Fix base module compile issues.
-+- Added policies:
-+ cpucontrol
-+ cvs
-+ ktalk
-+ portmap
-+ postgresql
-+ rlogin
-+ samba
-+ snmp
-+ stunnel
-+ telnet
-+ tftp
-+ uucp
-+ vpn
-+ zebra
-+
-+* Wed Sep 07 2005 Chris PeBenito - 20050907
-+- Fix errors uncovered by sediff.
-+- Doc tool will explicitly say a module does not have interfaces
-+ or templates on the module page.
-+- Added policies:
-+ comsat
-+ dbus
-+ dhcp
-+ dictd
-+ hal
-+ inn
-+ ntp
-+ squid
-+
-+* Fri Aug 26 2005 Chris PeBenito - 20050826
-+- Add Makefile support for building loadable modules.
-+- Add genclassperms.py tool to add require blocks
-+ for loadable modules.
-+- Change sedoctool to make required modules part of base
-+ by default, otherwise make as modules, in modules.conf.
-+- Fix segenxml to handle modules with no interfaces.
-+- Rename ipsec connect interface for consistency.
-+- Add missing parts of unix stream socket connect interface
-+ of ipsec.
-+- Rename inetd connect interface for consistency.
-+- Rename interface for purging contents of tmp, for clarity,
-+ since it allows deletion of classes other than file.
-+- Misc. cleanups.
-+- Added policies:
-+ acct
-+ bind
-+ firstboot
-+ gpm
-+ howl
-+ ldap
-+ loadkeys
-+ mysql
-+ privoxy
-+ quota
-+ rshd
-+ rsync
-+ su
-+ sudo
-+ tcpd
-+ tmpreaper
-+ updfstab
-+
-+* Tue Aug 2 2005 Chris PeBenito - 20050802
-+- Fix comparison bug in fc_sort.
-+- Fix handling of ordered and unordered HTML lists.
-+- Corenetwork now supports multiple network interfaces having the
-+ same type.
-+- Doc tool now creates pages for global Booleans and global tunables.
-+- Doc tool now links directly to the interface/template in the
-+ module page when it is selected in the interface/template index.
-+- Added support for layer summaries.
-+- Added policies:
-+ ipsec
-+ nscd
-+ pcmcia
-+ raid
-+
-+* Thu Jul 7 2005 Chris PeBenito - 20050707
-+- Changed xml to have modules encapsulated by layer tags, rather
-+ than putting layer="foo" in the module tags. Also in the future
-+ we can put a summary and description for each layer.
-+- Added tool to infer interface, module, and layer tags. This will
-+ now list all interfaces, even if they are missing xml docs.
-+- Shortened xml tag names.
-+- Added macros to declare interfaces and templates.
-+- Added interface call trace.
-+- Updated all xml documentation for shorter and inferred tags.
-+- Doc tool now displays templates in the web pages.
-+- Doc tool retains the user's settings in modules.conf and
-+ tunables.conf if the files already exist.
-+- Modules.conf behavior has been changed to be a list of all
-+ available modules, and the user can specify if the module is
-+ built as a loadable module, included in the monolithic policy,
-+ or excluded.
-+- Added policies:
-+ fstools (fsck, mkfs, swapon, etc. tools)
-+ logrotate
-+ inetd
-+ kerberos
-+ nis (ypbind and ypserv)
-+ ssh (server, client, and agent)
-+ unconfined
-+- Added infrastructure for targeted policy support, only missing
-+ transition boolean support.
-+
-+* Wed Jun 15 2005 Chris PeBenito - 20050615
-+ - Initial release
-diff --git a/Changelog.old b/Changelog.old
-deleted file mode 100644
-index 672e632..0000000
---- a/Changelog.old
-+++ /dev/null
-@@ -1,952 +0,0 @@
--- Mcelog update from Guido Trentalancia.
--- Added contrib modules:
-- bird (Dominick Grift)
--
--* Wed Jul 25 2012 Chris PeBenito - 2.20120725
--- Rename epollwakeup capability2 permission to block_suspend to match the
-- corresponding kernel capability rename.
--- Udev and init changes to support /run, from Sven Vermeulen.
--- auth_use_nsswitch updates from Miroslav Grepl.
--- Mount runtime files fix from Guido Trentalancia.
--- Update Python scripts to support Python 3, from Sven Vermeulen.
--- Update capability2 object class for new wake_alarm and epollwakeup
-- capabilities.
--- SEPostgresql updates from Kohei KaiGai.
--- Simplify file contexts based on file context path substitutions, from Sven
-- Vermeulen.
--- Add optional name for kernel and system filetrans interfaces.
--- Non-auth file attribute to eliminate set expressions, from James Carter.
--- Virt updates from Sven Vermeulen.
--- Various dontaudits from Sven Vermeulen.
--- Fix base module and monolithic role declaration ordering issue now that
-- role declarations must be explicit, from Harry Ciao.
--- Added contrib modules:
-- bacula (Stan Sander/Sven Vermeulen)
-- bcfg2 (Miroslav Grepl)
-- blueman (Miroslav Grepl)
--
--* Wed Feb 15 2012 Chris PeBenito - 2.20120215
--- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
--- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
--- Add userdom interfaces for user application domains, user tmp files,
-- and user tmpfs files.
--- Asterisk administration fixes from Sven Vermeulen.
--- Fix makefiles to install files with the correct DAC permissions if the
-- umask is not 022.
--- Remove deprecated support macros.
--- Remove rolemap and per-role template support.
--- Change corenetwork port declaration to apply the reserved port type
-- attribute only, when the type has ports above and below 1024.
--- Change secure_mode_policyload to disable only toggling of this Boolean
-- rather than disabling all Boolean toggling permissions.
--- Use role attributes to assist with domain transitions in interactive
-- programs.
--- Milter ports patch from Paul Howarth.
--- Separate portage fetch rules out of portage_run() and portage_domtrans()
-- from Sven Vermeulen.
--- Enhance corenetwork network_port() macro to support ports that do not have
-- a well defined port number, such as stunnel.
--- Opendkim support in dkim module from Paul Howarth.
--- Wireshark updates from Sven Vermeulen.
--- Change secure_mode_insmod to control sys_module capability rather than
-- controlling domain transitions to insmod.
--- Openrc and portage updates from Sven Vermeulen.
--- Allow user and role changes on dynamic transitions with the same
-- constraints as regular transitions.
--- New git service features from Dominick Grift.
--- Corenetwork policy size optimization from Dan Walsh.
--- Silence spurious udp_socket listen denials.
--- Fix unexpanded MLS/MCS fields in monolithic seusers file.
--- Type transition fix in Postgresql database objects from KaiGai Kohei.
--- Support for file context path substitutions (file_contexts.subs).
--- Added contrib modules:
-- glance (Dan Walsh)
-- rhsmcertd (Dan Walsh)
-- sanlock (Dan Walsh)
-- sblim (Dan Walsh)
-- uuidd (Dan Walsh)
-- vdagent (Dan Walsh)
--
--* Tue Jul 26 2011 Chris PeBenito - 2.20110726
--- Fix role declarations to handle role attribute compilers.
--- Rename audioentropy module to entropyd due to haveged support.
--- Add haveged support from Sven Vermeulen.
--- Authentication file patch from Matthew Ife.
--- Add agent support to zabbix from Sven Vermeulen.
--- Cyrus file context update for Gentoo from Corentin Labbe.
--- Portage updates from Sven Vermeulen.
--- Fix init_system_domain() description, pointed out by Elia Pinto.
--- Postgresql selabel_lookup update from KaiGai Kohei.
--- Dovecot managesieve support from Mika Pfluger.
--- Semicolon after interface/template calls cleanup from Elia Pinto.
--- Gentoo courier updates from Sven Vermeulen.
--- Amavis patch for connecting to nslcd from Miroslav Grepl.
--- Shorewall patch from Miroslav Grepl.
--- Cpufreqselector dbus patch from Guido Trentalancia.
--- Cron pam_namespace and pam_loginuid support from Harry Ciao.
--- Xserver update for startx from Sven Vermeulen.
--- Fix MLS constraint for contains permission from Harry Ciao.
--- Apache user webpages fix from Dominick Grift.
--- Change default build.conf to modular policy from Stephen Smalley.
--- Xen refinement patch from Stephen Smalley.
--- Sudo timestamp file location update from Sven Vermeulen.
--- XServer keyboard event patch from Sven Vermeulen.
--- RAID uevent patch from Sven Vermeulen.
--- Gentoo ALSA init script usage patch from Sven Vermeulen.
--- LVM semaphore usage patch from Sven Vermeulen.
--- Module load request patch for insmod from Sven Vermeulen.
--- Cron default contexts fix from Harry Ciao.
--- Man page fixes from Justin Mattock.
--- Add syslog capability.
--- Support for logging in to /dev/console, from Harry Ciao.
--- Database object class updates and associated SEPostgreSQL changes from
-- KaiGai Kohei.
--- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
--- Mount updates from Harry Ciao.
--- Semanage update for MLS systems from Harry Ciao.
--- Vlock terminal use update from Harry Ciao.
--- Hadoop CDH3 updates from Paul Nuzzi.
--- Add sepgsql_contexts appconfig files from KaiGai Kohei.
--- Added modules:
-- aiccu
-- bugzilla (Dan Walsh)
-- colord (Dan Walsh)
-- cmirrord (Miroslav Grepl)
-- mediawiki (Miroslav Grepl)
-- mpd (Miroslav Grepl)
-- ncftool
-- passenger (Miroslav Grepl)
-- qpid (Dan Walsh)
-- samhain (Harry Ciao)
-- telepathy (Dominick Grift)
-- tcsd (Stephen Smalley)
-- vnstatd (Dan Walsh)
-- zarafa (Miroslav Grepl)
--
--* Mon Dec 13 2010 Chris PeBenito - 2.20101213
--- Git man page from Dominick Grift.
--- Alsa and oident home content cleanup from Dominick Grift.
--- Add support for custom build options.
--- Unconditional staff and user oidentd home config access from Dominick Grift.
--- Conditional mmap_zero support from Dominick Grift.
--- Added devtmpfs support.
--- Dbadm updates from KaiGai Kohei.
--- Virtio disk file context update from Mika Pfluger.
--- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
--- Add JIT usage for freshclam.
--- Remove ethereal module since the application was renamed to wireshark.
--- Remove duplicate/redundant rules, from Russell Coker.
--- Increased default number of categories to 1024, from Russell Coker.
--- Added modules:
-- accountsd (Dan Walsh)
-- cgroup (Dominick Grift)
-- hadoop (Paul Nuzzi)
-- kdumpgui (Dan Walsh)
-- livecd (Dan Walsh)
-- mojomojo (Iain Arnell)
-- sambagui (Dan Walsh)
-- shutdown (Dan Walsh)
-- sosreport (Dan Walsh)
-- vlock (Harry Ciao)
--
--* Mon May 24 2010 Chris PeBenito - 2.20100524
--- Merged a significant portion of Fedora policy.
--- Move rules from mta mailserver delivery from interface to .te to use
-- attributes.
--- Remove concept of users from terminal module interfaces since the
-- attributes are not specific to users.
--- Add non-drawing X client support, for consolekit usage.
--- Misc Gentoo fixes from Chris Richards.
--- AFS and abrt fixes from Dominick Grift.
--- Improved the XML docs of 55 most-used interfaces.
--- Apcupsd and amavis fixes from Dominick Grift.
--- Fix network_port() in corenetwork to correctly handle port ranges.
--- SE-Postgresql updates from KaiGai Kohei.
--- X object manager revisions from Eamon Walsh.
--- Added modules:
-- aisexec (Dan Walsh)
-- chronyd (Miroslav Grepl)
-- cobbler (Dominick Grift)
-- corosync (Dan Walsh)
-- dbadm (KaiGai Kohei)
-- denyhosts (Dan Walsh)
-- nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
-- likewise (Scott Salley)
-- plymouthd (Dan Walsh)
-- pyicqt (Stefan Schulze Frielinghaus)
-- rhcs (Dan Walsh)
-- rgmanager (Dan Walsh)
-- sectoolm (Miroslav Grepl)
-- usbmuxd (Dan Walsh)
-- vhostmd (Dan Walsh)
--
--* Tue Nov 17 2009 Chris PeBenito - 2.20091117
--- Add separate x_pointer and x_keyboard classes inheriting from x_device.
-- From Eamon Walsh.
--- Deprecated the userdom_xwindows_client_template().
--- Misc Gentoo fixes from Corentin Labbe.
--- Debian policykit fixes from Martin Orr.
--- Fix unconfined_r use of unconfined_java_t.
--- Add missing x_device rules for XI2 functions, from Eamon Walsh.
--- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
--- Add btrfs and ext4 to labeling targets.
--- Fix infrastructure to expand macros in initrc_context when installing.
--- Handle unix_chkpwd usage by useradd and groupadd.
--- Add missing compatibility aliases for xdm_xserver*_t types.
--- Added modules:
-- abrt (Dan Walsh)
-- dkim (Stefan Schulze Frielinghaus)
-- gitosis (Miroslav Grepl)
-- gnomeclock (Dan Walsh)
-- hddtemp (Dan Walsh)
-- kdump (Dan Walsh)
-- modemmanager(Dan Walsh)
-- nslcd (Dan Walsh)
-- puppet (Craig Grube)
-- rtkit (Dan Walsh)
-- seunshare (Dan Walsh)
-- shorewall (Dan Walsh)
-- tgtd (Matthew Ife)
-- tuned (Miroslav Grepl)
-- xscreensaver (Corentin Labbe)
--
--* Thu Jul 30 2009 Chris PeBenito - 2.20090730
--- Gentoo fixes for init scripts and system startup.
--- Remove read_default_t tunable.
--- Greylist milter from Paul Howarth.
--- Crack db access for su to handle password expiration, from Brandon Whalen.
--- Misc fixes for unix_update from Brandon Whalen.
--- Add x_device permissions for XI2 functions, from Eamon Walsh.
--- MLS constraints for the x_selection class, from Eamon Walsh.
--- Postgresql updates from KaiGai Kohei.
--- Milter state directory patch from Paul Howarth.
--- Add MLS constrains for ingress/egress and secmark from Paul Moore.
--- Drop write permission from fs_read_rpc_sockets().
--- Remove unused udev_runtime_t type.
--- Patch for RadSec port from Glen Turner.
--- Enable network_peer_controls policy capability from Paul Moore.
--- Btrfs xattr support from Paul Moore.
--- Add db_procedure install permission from KaiGai Kohei.
--- Add support for network interfaces with access controlled by a Boolean
-- from the CLIP project.
--- Several fixes from the CLIP project.
--- Add support for labeled Booleans.
--- Remove node definitions and change node usage to generic nodes.
--- Add kernel_service access vectors, from Stephen Smalley.
--- Added modules:
-- certmaster (Dan Walsh)
-- cpufreqselector (Dan Walsh)
-- devicekit (Dan Walsh)
-- fprintd (Dan Walsh)
-- git (Dan Walsh)
-- gpsd (Miroslav Grepl)
-- guest (Dan Walsh)
-- ifplugd (Dan Walsh)
-- lircd (Miroslav Grepl)
-- logadm (Dan Walsh)
-- pads (Dan Walsh)
-- pingd (Dan Walsh)
-- policykit (Dan Walsh)
-- pulseaudio (Dan Walsh)
-- psad (Dan Walsh)
-- portreserve (Dan Walsh)
-- sssd (Dan Walsh)
-- ulogd (Dan Walsh)
-- varnishd (Dan Walsh)
-- webadm (Dan Walsh)
-- wm (Dan Walsh)
-- xguest (Dan Walsh)
-- zosremote (Dan Walsh)
--
--* Wed Dec 10 2008 Chris PeBenito - 2.20081210
--- Fix consistency of audioentropy and iscsi module naming.
--- Debian file context fix for xen from Russell Coker.
--- Xserver MLS fix from Eamon Walsh.
--- Add omapi port for dhcpcd.
--- Deprecate per-role templates and rolemap support.
--- Implement user-based access control for use as role separations.
--- Move shared library calls from individual modules to the domain module.
--- Enable open permission checks policy capability.
--- Remove hierarchy from portage module as it is not a good example of
-- hieararchy.
--- Remove enableaudit target from modular build as semodule -DB supplants it.
--- Added modules:
-- milter (Paul Howarth)
--
--* Tue Oct 14 2008 Chris PeBenito - 20081014
--- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
--- Logrotate and Bind updates from Vaclav Ovsik.
--- Init script file and domain support.
--- Glibc 2.7 fix from Vaclav Ovsik.
--- Samba/winbind update from Mike Edenfield.
--- Policy size optimization with a non-security file attribute from James
-- Carter.
--- Database labeled networking update from KaiGai Kohei.
--- Several misc changes from the Fedora policy, cherry picked by David
-- Hardeman.
--- Large whitespace fix from Dominick Grift.
--- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
--- Issuing commands to upstart is over a datagram socket, not the initctl
-- named pipe. Updated init_telinit() to match.
--- Added modules:
-- cyphesis (Dan Walsh)
-- memcached (Dan Walsh)
-- oident (Dominick Grift)
-- w3c (Dan Walsh)
--
--* Wed Jul 02 2008 Chris PeBenito - 20080702
--- Fix httpd_enable_homedirs to actually provide the access it is supposed to
-- provide.
--- Add unused interface/template parameter metadata in XML.
--- Patch to handle postfix data_directory from Vaclav Ovsik.
--- SE-Postgresql policy from KaiGai Kohei.
--- Patch for X.org dbus support from Martin Orr.
--- Patch for labeled networking controls in 2.6.25 from Paul Moore.
--- Module loading now requires setsched on kernel threads.
--- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
--- X application data class from Eamon Walsh and Ted Toth.
--- Move user roles into individual modules.
--- Make hald_log_t a log file.
--- Cryptsetup runs shell scripts. Patch from Martin Orr.
--- Add file for enabling policy capabilities.
--- Patch to fix leaky interface/template call depth calculator from Vaclav
-- Ovsik.
--- Added modules:
-- kerneloops (Dan Walsh)
-- kismet (Dan Walsh)
-- podsleuth (Dan Walsh)
-- prelude (Dan Walsh)
-- qemu (Dan Walsh)
-- virt (Dan Walsh)
--
--* Wed Apr 02 2008 Chris PeBenito - 20080402
--- Add core Security Enhanced X Windows support.
--- Fix winbind socket connection interface for default location of the
-- sock_file.
--- Add wireshark module based on ethereal module.
--- Revise upstart support in init module to use a tunable, as upstart is now
-- used in Fedora too.
--- Add iferror.m4 rather generate it out of the Makefiles.
--- Definitions for open permisson on file and similar objects from Eric
-- Paris.
--- Apt updates for ptys and logs, from Martin Orr.
--- RPC update from Vaclav Ovsik.
--- Exim updates on Debian from Devin Carrawy.
--- Pam and samba updates from Stefan Schulze Frielinghaus.
--- Backup update on Debian from Vaclav Ovsik.
--- Cracklib update on Debian from Vaclav Ovsik.
--- Label /proc/kallsyms with system_map_t.
--- 64-bit capabilities from Stephen Smalley.
--- Labeled networking peer object class updates.
--
--* Fri Dec 14 2007 Chris PeBenito - 20071214
--- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
--- Improve several tunables descriptions from Dan Walsh.
--- Patch to clean up ns switch usage in the policy from Dan Walsh.
--- More complete labeled networking infrastructure from KaiGai Kohei.
--- Add interface for libselinux constructor, for libselinux-linked
-- SELinux-enabled programs.
--- Patch to restructure user role templates to create restricted user roles
-- from Dan Walsh.
--- Russian man page translations from Andrey Markelov.
--- Remove unused types from dbus.
--- Add infrastructure for managing all user web content.
--- Deprecate some old file and dir permission set macros in favor of the
-- newer, more consistently-named macros.
--- Patch to clean up unescaped periods in several file context entries from
-- Jan-Frode Myklebust.
--- Merge shlib_t into lib_t.
--- Merge strict and targeted policies. The policy will now behave like the
-- strict policy if the unconfined module is not present. If it is, it will
-- behave like the targeted policy. Added an unconfined role to have a mix
-- of confined and unconfined users.
--- Added modules:
-- exim (Dan Walsh)
-- postfixpolicyd (Jan-Frode Myklebust)
--
--* Fri Sep 28 2007 Chris PeBenito - 20070928
--- Add support for setting the unknown permissions handling.
--- Fix XML building for external reference builds and headers builds.
--- Patch to add missing requirements in userdomain interfaces from Shintaro
-- Fujiwara.
--- Add tcpd_wrapped_domain() for services that use tcp wrappers.
--- Update MLS constraints from LSPP evaluated policy.
--- Allow initrc_t file descriptors to be inherited regardless of MLS level.
-- Accordingly drop MLS permissions from daemons that inherit from any level.
--- Files and radvd updates from Stefan Schulze Frielinghaus.
--- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
-- mls_write_all_levels() and mls_read_all_levels(), for consistency.
--- Add make kernel and init ranged interfaces pass the range transition MLS
-- constraints. Also remove calls to mls_rangetrans_target() in modules that use
-- the kernel and init interfaces, since its redundant.
--- Add interfaces for all MLS attributes except X object classes.
--- Require all sensitivities and categories for MLS and MCS policies, not just
-- the low and high sensitivity and category.
--- Database userspace object manager classes from KaiGai Kohei.
--- Add third-party interface for Apache CGI.
--- Add getserv and shmemserv nscd permissions.
--- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
--- Added modules:
-- application
-- awstats (Stefan Schulze Frielinghaus)
-- bitlbee (Devin Carraway)
-- brctl (Dan Walsh)
--
--* Fri Jun 29 2007 Chris PeBenito - 20070629
--- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
-- libraries module.
--- Unified labeled networking policy from Paul Moore.
--- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
--- Xen updates from Dan Walsh.
--- Filesystem updates from Dan Walsh.
--- Large samba update from Dan Walsh.
--- Drop snmpd_etc_t.
--- Confine sendmail and logrotate on targeted.
--- Tunable connection to postgresql for users from KaiGai Kohei.
--- Memprotect support patch from Stephen Smalley.
--- Add logging_send_audit_msgs() interface and deprecate
-- send_audit_msgs_pattern().
--- Openct updates patch from Dan Walsh.
--- Merge restorecon into setfiles.
--- Patch to begin separating out hald helper programs from Dan Walsh.
--- Fixes for squid, dovecot, and snmp from Dan Walsh.
--- Miscellaneous consolekit fixes from Dan Walsh.
--- Patch to have avahi use the nsswitch interface rather than individual
-- permissions from Dan Walsh.
--- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
--- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
-- to handle usage from userhelper from Dan Walsh.
--- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
--- Patch to allow slocate to getattr other filesystems and directories on those
-- filesystems from Dan Walsh.
--- Fixes for RHEL4 from the CLIP project.
--- Replace the old lrrd fc entries with munin ones.
--- Move program admin template usage out of userdom_admin_user_template() to
-- sysadm policy in userdomain.te to fix usage of the template for third
-- parties.
--- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
-- template instead of an interface.
--- Added modules:
-- amtu (Dan Walsh)
-- apcupsd (Dan Walsh)
-- rpcbind (Dan Walsh)
-- rwho (Nalin Dahyabhai)
--
--* Tue Apr 17 2007 Chris PeBenito - 20070417
--- Patch for sasl's use of kerberos from Dan Walsh.
--- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
--- Man page updates from Dan Walsh.
--- Two patches from Paul Moore to for ipsec to remove redundant rules and
-- have setkey read the config file.
--- Move booleans and tunables to modules when it is only used in a single
-- module.
--- Add support for tunables and booleans local to a module.
--- Merge sbin_t and ls_exec_t into bin_t.
--- Remove disable_trans booleans.
--- Output different header sets for kernel and userland from flask headers.
--- Marked the pax class as deprecated, changed it to userland so
-- it will be removed from the kernel.
--- Stop including netfilter contexts by default.
--- Add dontaudits for init fds and console to init_daemon_domain().
--- Patch to allow gpg to create user keys dir.
--- Patch to support kvmfs from Dan Walsh.
--- Patch for misc fixes in sudo from Dan Walsh.
--- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
--- Patch for handling restart of nscd when ran from useradd, groupadd, and
-- admin passwd, from Dan Walsh.
--- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
--- Patch for setroubleshoot for validating file contexts from Dan Walsh.
--- Patch for gssd fixes from Dan Walsh.
--- Patch for lvm fixes from Dan Walsh.
--- Patch for ricci fixes from Dan Walsh.
--- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
--- Patch for kerberized telnet fixes from Dan Walsh.
--- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
--- Patch for an additional wine executable from Dan Walsh.
--- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
-- corecommands, devices, and java from Dan Walsh.
--- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
--- Patch for misc fixes to bluetooth from Dan Walsh.
--- Patch for misc fixes to kerberos from Dan Walsh.
--- Patch to start deprecating usercanread attribute from Ryan Bradetich.
--- Add dccp_socket object class which was added in kernel 2.6.20.
--- Patch for prelink relabefrom it's temp files from Dan Walsh.
--- Patch for capability fix for auditd and networking fix for syslogd from
-- Dan Walsh.
--- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
--- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
--- Patch to allow apmd to telinit from Dan Walsh.
--- Patch for additional labeling of samba files from Stefan Schulze
-- Frielinghaus.
--- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
--- Fix ptys and ttys to be device nodes.
--- Fix explicit use of httpd_t in openca_domtrans().
--- Clean up file context regexes in apache and java, from Eamon Walsh.
--- Patches from Dan Walsh:
-- Thu, 25 Jan 2007
--- Added modules:
-- consolekit (Dan Walsh)
-- fail2ban (Dan Walsh)
-- zabbix (Dan Walsh)
--
--* Tue Dec 12 2006 Chris PeBenito - 20061212
--- Add policy patterns support macros. This changes the behavior of
-- the create_dir_perms and create_file_perms permission sets.
--- Association polmatch MLS constraint making unlabeled_t an exception
-- is no longer needed, patch from Venkat Yekkirala.
--- Context contains checking for PAM and cron from James Antill.
--- Add a reload target to Modules.devel and change the load
-- target to only insert modules that were changed.
--- Allow semanage to read from /root on strict non-MLS for
-- local policy modules.
--- Gentoo init script fixes for udev.
--- Allow udev to read kernel modules.inputmap.
--- Dnsmasq fixes from testing.
--- Allow kernel NFS server to getattr filesystems so df can work
-- on clients.
--- Patch from Matt Anderson for a MLS constraint exemption on a
-- file that can be written to from a subject whose range is
-- within the object's range.
--- Enhanced setransd support from Darrel Goeddel.
--- Patches from Dan Walsh:
-- Tue, 24 Oct 2006
-- Wed, 29 Nov 2006
--- Added modules:
-- aide (Matt Anderson)
-- ccs (Dan Walsh)
-- iscsi (Dan Walsh)
-- ricci (Dan Walsh)
--
--* Wed Oct 18 2006 Chris PeBenito - 20061018
--- Patch from Russell Coker Thu, 5 Oct 2006
--- Move range transitions to modules.
--- Make number of MLS sensitivities, and number of MLS and MCS
-- categories configurable as build options.
--- Add role infrastructure.
--- Debian updates from Erich Schubert.
--- Add nscd_socket_use() to auth_use_nsswitch().
--- Remove old selopt rules.
--- Full support for netfilter_contexts.
--- MRTG patch for daemon operation from Stefan.
--- Add authlogin interface to abstract common access for login programs.
--- Remove setbool auditallow, except for RHEL4.
--- Change eventpollfs to task SID labeling.
--- Add key support from Michael LeMay.
--- Add ftpdctl domain to ftp, from Paul Howarth.
--- Fix build system to not move type declarations out of optionals.
--- Add gcc-config domain to portage.
--- Add packet object class and support in corenetwork.
--- Add a copy of genhomedircon for monolithic policy building, so that a
-- policycoreutils package update is not required for RHEL4 systems.
--- Add appletalk sockets for use in cups.
--- Add Make target to validate module linking.
--- Make duplicate template and interface declarations a fatal error.
--- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
--- Move xconsole_device_t from devices to xserver since it is
-- not actually a device, it is a named pipe.
--- Handle nonexistant .fc and .if files in devel Makefile by
-- automatically creating empty files.
--- Remove unused devfs_control_t.
--- Add rhel4 distro, which also implies redhat distro.
--- Remove unneeded range_transition for su_exec_t and move the
-- type declaration back to the su module.
--- Constrain transitions in MCS so unconfined_t cannot have
-- arbitrary category sets.
--- Change reiserfs from xattr filesystem to genfscon as it's xattrs
-- are currently nonfunctional.
--- Change files and filesystem modules to use their own interfaces.
--- Add user fonts to xserver.
--- Additional interfaces in corecommands, miscfiles, and userdomain
-- from Joy Latten.
--- Miscellaneous fixes from Thomas Bleher.
--- Deprecate module name as first parameter of optional_policy()
-- now that optionals are allowed everywhere.
--- Enable optional blocks in base module and monolithic policy.
-- This requires checkpolicy 1.30.1.
--- Fix vpn module declaration.
--- Numerous fixes from Dan Walsh.
--- Change build order to preserve m4 line number information so policy
-- compile errors are useful again.
--- Additional MLS interfaces from Chad Hanson.
--- Move some rules out of domain_type() and domain_base_type()
-- to the TE file, to use the domain attribute to take advantage
-- of space savings from attribute use.
--- Add global stack smashing protector rule for urandom access from
-- Petre Rodan.
--- Fix temporary rules at the bottom of portmap.
--- Updated comments in mls file from Chad Hanson.
--- Patches from Dan Walsh:
-- Fri, 17 Mar 2006
-- Wed, 29 Mar 2006
-- Tue, 11 Apr 2006
-- Fri, 14 Apr 2006
-- Tue, 18 Apr 2006
-- Thu, 20 Apr 2006
-- Tue, 02 May 2006
-- Mon, 15 May 2006
-- Thu, 18 May 2006
-- Tue, 06 Jun 2006
-- Mon, 12 Jun 2006
-- Tue, 20 Jun 2006
-- Wed, 26 Jul 2006
-- Wed, 23 Aug 2006
-- Thu, 31 Aug 2006
-- Fri, 01 Sep 2006
-- Tue, 05 Sep 2006
-- Wed, 20 Sep 2006
-- Fri, 22 Sep 2006
-- Mon, 25 Sep 2006
--- Added modules:
-- afs
-- amavis (Erich Schubert)
-- apt (Erich Schubert)
-- asterisk
-- audioentropy
-- authbind
-- backup
-- calamaris
-- cipe
-- clamav (Erich Schubert)
-- clockspeed (Petre Rodan)
-- courier
-- dante
-- dcc
-- ddclient
-- dpkg (Erich Schubert)
-- dnsmasq
-- ethereal
-- evolution
-- games
-- gatekeeper
-- gift
-- gnome (James Carter)
-- imaze
-- ircd
-- jabber
-- monop
-- mozilla
-- mplayer
-- munin
-- nagios
-- nessus
-- netlabel (Paul Moore)
-- nsd
-- ntop
-- nx
-- oav
-- oddjob (Dan Walsh)
-- openca
-- openvpn (Petre Rodan)
-- perdition
-- portslave
-- postgrey
-- pxe
-- pyzor (Dan Walsh)
-- qmail (Petre Rodan)
-- razor
-- resmgr
-- rhgb
-- rssh
-- snort
-- soundserver
-- speedtouch
-- sxid
-- thunderbird
-- tor (Erich Schubert)
-- transproxy
-- tripwire
-- uptime
-- uwimap
-- vmware
-- watchdog
-- xen (Dan Walsh)
-- xprint
-- yam
--
--* Tue Mar 07 2006 Chris PeBenito - 20060307
--- Make all interface parameters required.
--- Move boot_t, system_map_t, and modules_object_t to files module,
-- and move bootloader to admin layer.
--- Add semanage policy for semodule from Dan Walsh.
--- Remove allow_execmem from targeted policy domain_base_type().
--- Add users_extra and seusers support.
--- Postfix fixes from Serge Hallyn.
--- Run python and shell directly to interpret scripts so policy
-- sources need not be executable.
--- Add desc tag XML to booleans and tunables, and add summary
-- to param XML tag, to make future translations possible.
--- Remove unused lvm_vg_t.
--- Many interface renames to improve naming consistency.
--- Merge xdm into xserver.
--- Remove kernel module reversed interfaces.
--- Add filename attribute to module XML tag and lineno attribute to
-- interface XML tag.
--- Changed QUIET build option to a yes or no option.
--- Add a Makefile used for compiling loadable modules in a
-- user's development environment, building against policy headers.
--- Add Make target for installing policy headers.
--- Separate per-userdomain template expansion from the userdomain
-- module and add infrastructure to expand templates in the modules
-- that own the template.
--- Enable secadm only for MLS policies.
--- Remove role change rules in su and sudo since this functionality has been
-- removed from these programs.
--- Add ctags Make target from Thomas Bleher.
--- Collapse commands with grep piped to sed into one sed command.
--- Fix type_change bug in term_user_pty().
--- Move ice_tmp_t from miscfiles to xserver.
--- Login fixes from Serge Hallyn.
--- Move xserver_log_t from xdm to xserver.
--- Add lpr per-userdomain policy to lpd.
--- Miscellaneous fixes from Dan Walsh.
--- Change initrc_var_run_t interface noun from script_pid to utmp,
-- for greater clarity.
--- Added modules:
-- certwatch
-- mono (Dan Walsh)
-- mrtg
-- portage
-- tvtime
-- userhelper
-- usernetctl
-- wine (Dan Walsh)
-- xserver
--
--* Tue Jan 17 2006 Chris PeBenito - 20060117
--- Adds support for generating corenetwork interfaces based on attributes
-- in addition to types.
--- Permits the listing of multiple nodes in a network_node() that will be
-- given the same type.
--- Add two new permission sets for stream sockets.
--- Rename file type transition interfaces verb from create to
-- filetrans to differentiate it from create interfaces without
-- type transitions.
--- Fix expansion of interfaces from disabled modules.
--- Rsync can be long running from init,
-- added rules to allow this.
--- Add polyinstantiation build option.
--- Add setcontext to the association object class.
--- Add apache relay and db connect tunables.
--- Rename texrel_shlib_t to textrel_shlib_t.
--- Add swat to samba module.
--- Numerous miscellaneous fixes from Dan Walsh.
--- Added modules:
-- alsa
-- automount
-- cdrecord
-- daemontools (Petre Rodan)
-- ddcprobe
-- djbdns (Petre Rodan)
-- fetchmail
-- irc
-- java
-- lockdev
-- logwatch (Dan Walsh)
-- openct
-- prelink (Dan Walsh)
-- publicfile (Petre Rodan)
-- readahead
-- roundup
-- screen
-- slocate (Dan Walsh)
-- slrnpull
-- smartmon
-- sysstat
-- ucspitcp (Petre Rodan)
-- usbmodules
-- vbetool (Dan Walsh)
--
--* Wed Dec 07 2005 Chris PeBenito - 20051207
--- Add unlabeled IPSEC association rule to domains with
-- networking permissions.
--- Merge systemuser back in to users, as these files
-- do not need to be split.
--- Add check for duplicate interface/template definitions.
--- Move domain, files, and corecommands modules to kernel
-- layer to resolve some layering inconsistencies.
--- Move policy build options out of Makefile into build.conf.
--- Add yppasswd to nis module.
--- Change optional_policy() to refer to the module name
-- rather than modulename.te.
--- Fix labeling targets to use installed file_contexts rather
-- than partial file_contexts in the policy source directory.
--- Fix build process to use make's internal vpath functions
-- to detect modules rather than using subshells and find.
--- Add install target for modular policy.
--- Add load target for modular policy.
--- Add appconfig dependency to the load target.
--- Miscellaneous fixes from Dan Walsh.
--- Fix corenetwork gen_context()'s to expand during the policy
-- build phase instead of during the generation phase.
--- Added policies:
-- amanda
-- avahi
-- canna
-- cyrus
-- dbskk
-- dovecot
-- distcc
-- i18n_input
-- irqbalance
-- lpd
-- networkmanager
-- pegasus
-- postfix
-- procmail
-- radius
-- rdisc
-- rpc
-- spamassassin
-- timidity
-- xdm
-- xfs
--
--* Wed Oct 19 2005 Chris PeBenito - 20051019
--- Many fixes to make loadable modules build.
--- Add targets for sechecker.
--- Updated to sedoctool to read bool files and tunable
-- files separately.
--- Changed the xml tag of to to be consistent
-- with gen_bool().
--- Modified the implementation of segenxml to use regular
-- expressions.
--- Rename context_template() to gen_context() to clarify
-- that its not a Reference Policy template, but a support
-- macro.
--- Add disable_*_trans bool support for targeted policy.
--- Add MLS module to handle MLS constraint exceptions,
-- such as reading up and writing down.
--- Fix errors uncovered by sediff.
--- Added policies:
-- anaconda
-- apache
-- apm
-- arpwatch
-- bluetooth
-- dmidecode
-- finger
-- ftp
-- kudzu
-- mailman
-- ppp
-- radvd
-- sasl
-- webalizer
--
--* Thu Sep 22 2005 Chris PeBenito - 20050922
--- Make logrotate, sendmail, sshd, and rpm policies
-- unconfined in the targeted policy so no special
-- modules.conf is required.
--- Add experimental MCS support.
--- Add appconfig for MLS.
--- Add equivalents for old can_resolve(), can_ldap(), and
-- can_portmap() to sysnetwork.
--- Fix base module compile issues.
--- Added policies:
-- cpucontrol
-- cvs
-- ktalk
-- portmap
-- postgresql
-- rlogin
-- samba
-- snmp
-- stunnel
-- telnet
-- tftp
-- uucp
-- vpn
-- zebra
--
--* Wed Sep 07 2005 Chris PeBenito - 20050907
--- Fix errors uncovered by sediff.
--- Doc tool will explicitly say a module does not have interfaces
-- or templates on the module page.
--- Added policies:
-- comsat
-- dbus
-- dhcp
-- dictd
-- hal
-- inn
-- ntp
-- squid
--
--* Fri Aug 26 2005 Chris PeBenito - 20050826
--- Add Makefile support for building loadable modules.
--- Add genclassperms.py tool to add require blocks
-- for loadable modules.
--- Change sedoctool to make required modules part of base
-- by default, otherwise make as modules, in modules.conf.
--- Fix segenxml to handle modules with no interfaces.
--- Rename ipsec connect interface for consistency.
--- Add missing parts of unix stream socket connect interface
-- of ipsec.
--- Rename inetd connect interface for consistency.
--- Rename interface for purging contents of tmp, for clarity,
-- since it allows deletion of classes other than file.
--- Misc. cleanups.
--- Added policies:
-- acct
-- bind
-- firstboot
-- gpm
-- howl
-- ldap
-- loadkeys
-- mysql
-- privoxy
-- quota
-- rshd
-- rsync
-- su
-- sudo
-- tcpd
-- tmpreaper
-- updfstab
--
--* Tue Aug 2 2005 Chris PeBenito - 20050802
--- Fix comparison bug in fc_sort.
--- Fix handling of ordered and unordered HTML lists.
--- Corenetwork now supports multiple network interfaces having the
-- same type.
--- Doc tool now creates pages for global Booleans and global tunables.
--- Doc tool now links directly to the interface/template in the
-- module page when it is selected in the interface/template index.
--- Added support for layer summaries.
--- Added policies:
-- ipsec
-- nscd
-- pcmcia
-- raid
--
--* Thu Jul 7 2005 Chris PeBenito - 20050707
--- Changed xml to have modules encapsulated by layer tags, rather
-- than putting layer="foo" in the module tags. Also in the future
-- we can put a summary and description for each layer.
--- Added tool to infer interface, module, and layer tags. This will
-- now list all interfaces, even if they are missing xml docs.
--- Shortened xml tag names.
--- Added macros to declare interfaces and templates.
--- Added interface call trace.
--- Updated all xml documentation for shorter and inferred tags.
--- Doc tool now displays templates in the web pages.
--- Doc tool retains the user's settings in modules.conf and
-- tunables.conf if the files already exist.
--- Modules.conf behavior has been changed to be a list of all
-- available modules, and the user can specify if the module is
-- built as a loadable module, included in the monolithic policy,
-- or excluded.
--- Added policies:
-- fstools (fsck, mkfs, swapon, etc. tools)
-- logrotate
-- inetd
-- kerberos
-- nis (ypbind and ypserv)
-- ssh (server, client, and agent)
-- unconfined
--- Added infrastructure for targeted policy support, only missing
-- transition boolean support.
--
--* Wed Jun 15 2005 Chris PeBenito - 20050615
-- - Initial release
diff --git a/Makefile b/Makefile
-index ec7b5cb..7bfdfc6 100644
+index 85d4cfb..7bfdfc6 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -2140,15 +10,7 @@ index ec7b5cb..7bfdfc6 100644
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SETFILES ?= $(tc_sbindir)/setfiles
XMLLINT ?= $(BINDIR)/xmllint
-@@ -97,7 +98,6 @@ support := support
- genxml := $(PYTHON) -E $(support)/segenxml.py
- gendoc := $(PYTHON) -E $(support)/sedoctool.py
- genperm := $(PYTHON) -E $(support)/genclassperms.py
--policyvers := $(PYTHON) -E $(support)/policyvers.py
- fcsort := $(tmpdir)/fc_sort
- setbools := $(AWK) -f $(support)/set_bools_tuns.awk
- get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
-@@ -250,7 +250,7 @@ seusers := $(appconf)/seusers
+@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
@@ -2157,7 +19,7 @@ index ec7b5cb..7bfdfc6 100644
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -609,15 +609,17 @@ resetlabels:
+@@ -608,15 +609,17 @@ resetlabels:
# Clean everything
#
bare: clean
@@ -2196,26 +58,6 @@ index 313d837..ef3c532 100644
@echo "Success."
########################################
-diff --git a/Rules.monolithic b/Rules.monolithic
-index 808a539..7c4d035 100644
---- a/Rules.monolithic
-+++ b/Rules.monolithic
-@@ -5,7 +5,7 @@
-
- # determine the policy version and current kernel version if possible
- pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
--kv := $(shell $(policyvers))
-+kv := $(shell cat /selinux/policyvers)
-
- # dont print version warnings if we are unable to determine
- # the currently running kernel's policy version
-diff --git a/VERSION b/VERSION
-index d060af8..37b3df8 100644
---- a/VERSION
-+++ b/VERSION
-@@ -1 +1 @@
--2.20130424
-+2.20120725
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 881a292..80110a4 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
@@ -2961,7 +803,7 @@ index 3a45f23..f4754f0 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index a94b169..33cd946 100644
+index 28802c5..33cd946 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process
@@ -3009,7 +851,17 @@ index a94b169..33cd946 100644
}
# Define the access vector interpretation for controlling
-@@ -865,3 +877,20 @@ inherits database
+@@ -827,6 +839,9 @@ class kernel_service
+
+ class tun_socket
+ inherits socket
++{
++ attach_queue
++}
+
+ class x_pointer
+ inherits x_device
+@@ -862,3 +877,20 @@ inherits database
implement
execute
}
@@ -3304,7 +1156,7 @@ index 216b3d1..064ec83 100644
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
-index f11e5e2..094a319 100644
+index d218387..094a319 100644
--- a/policy/mls
+++ b/policy/mls
@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
@@ -3349,54 +1201,11 @@ index f11e5e2..094a319 100644
#
# MLS policy for the process class
#
-@@ -666,42 +666,6 @@ mlsconstrain x_application_data { paste_after_confirm }
- ( l1 dom l2 );
-
-
--#
--# MLS policy for the x_pointer class
--#
--
--# the x_pointer "read" ops
--mlsconstrain x_pointer { getattr use read getfocus grab }
-- (( l1 dom l2 ) or
-- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-- ( t1 == mlsxwinread ));
--
--# the x_pointer "write" ops (implicit single level)
--mlsconstrain x_pointer { setattr write setfocus bell force_cursor freeze manage }
-- (( l1 eq l2 ) or
-- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-- ( t1 == mlsxwinwritexinput ) or
-- ( t1 == mlsxwinwrite ));
--
--
--#
--# MLS policy for the x_keyboard class
--#
--
--# the x_keyboard "read" ops
--mlsconstrain x_keyboard { getattr use read getfocus grab }
-- (( l1 dom l2 ) or
-- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-- ( t1 == mlsxwinread ));
--
--# the x_keyboard "write" ops (implicit single level)
--mlsconstrain x_keyboard { setattr write setfocus bell force_cursor freeze manage }
-- (( l1 eq l2 ) or
-- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-- ( t1 == mlsxwinwritexinput ) or
-- ( t1 == mlsxwinwrite ));
--
--
-
- #
- # MLS policy for the dbus class
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 2626ebf..5745bb2 100644
+index 7a6f06f..5745bb2 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
-@@ -1,11 +1,16 @@
+@@ -1,9 +1,16 @@
+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
@@ -3417,8 +1226,6 @@ index 2626ebf..5745bb2 100644
+/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
--/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
--/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index cc8df9d..34c2a4e 100644
@@ -3575,15 +1382,10 @@ index cc8df9d..34c2a4e 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index 0fd5c5f..ee8e830 100644
+index e3dbbb8..ee8e830 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
-@@ -1,12 +1,12 @@
--policy_module(bootloader, 1.14.0)
-+policy_module(bootloader, 1.13.2)
-
- ########################################
- #
+@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2)
# Declarations
#
@@ -4013,16 +1815,10 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c359..b0a385b 100644
+index 8128de8..b0a385b 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
-@@ -1,4 +1,4 @@
--policy_module(netutils, 1.12.1)
-+policy_module(netutils, 1.11.2)
-
- ########################################
- #
-@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
+@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2)
##
##
@@ -4077,12 +1873,10 @@ index c44c359..b0a385b 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -106,15 +109,14 @@ optional_policy(`
+@@ -106,13 +109,14 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
--# When ping is installed with capabilities instead of setuid
--allow ping_t self:process { getcap setcap };
+allow ping_t self:process setcap;
+
dontaudit ping_t self:capability sys_tty_config;
@@ -4097,7 +1891,7 @@ index c44c359..b0a385b 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -4105,7 +1899,7 @@ index c44c359..b0a385b 100644
domain_use_interactive_fds(ping_t)
-@@ -131,14 +134,13 @@ files_read_etc_files(ping_t)
+@@ -129,14 +134,13 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
@@ -4123,7 +1917,7 @@ index c44c359..b0a385b 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -4149,7 +1943,7 @@ index c44c359..b0a385b 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -161,6 +177,15 @@ optional_policy(`
+@@ -159,6 +177,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -4165,7 +1959,7 @@ index c44c359..b0a385b 100644
########################################
#
# Traceroute local policy
-@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -4173,7 +1967,7 @@ index c44c359..b0a385b 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -4181,7 +1975,7 @@ index c44c359..b0a385b 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -4971,15 +2765,10 @@ index 99e3903..7270808 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..049a211 100644
+index d555767..049a211 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
-@@ -1,22 +1,22 @@
--policy_module(usermanage, 1.19.0)
-+policy_module(usermanage, 1.18.1)
-
- ########################################
- #
+@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
# Declarations
#
@@ -5101,7 +2890,7 @@ index 1d732f1..049a211 100644
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)
-@@ -120,12 +135,13 @@ files_dontaudit_search_home(chfn_t)
+@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@@ -5111,17 +2900,17 @@ index 1d732f1..049a211 100644
logging_send_syslog_msg(chfn_t)
--seutil_read_file_contexts(chfn_t)
+-# uses unix_chkpwd for checking passwords
+-seutil_dontaudit_search_config(chfn_t)
+userdom_manage_user_tmp_files(chfn_t)
+userdom_tmp_filetrans_user_tmp(chfn_t, { file })
userdom_use_unpriv_users_fds(chfn_t)
# user generally runs this from their home directory, so do not audit a search
-@@ -133,7 +149,13 @@ userdom_use_unpriv_users_fds(chfn_t)
+ # on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
- optional_policy(`
-- nscd_run(chfn_t, chfn_roles)
++optional_policy(`
+ rssh_exec(chfn_t)
+')
+
@@ -5129,10 +2918,12 @@ index 1d732f1..049a211 100644
+optional_policy(`
+ # allow to exec tmux
+ screen_exec(chfn_t)
- ')
-
++')
++
########################################
-@@ -212,8 +234,8 @@ selinux_compute_create_context(groupadd_t)
+ #
+ # Crack local policy
+@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -5143,7 +2934,7 @@ index 1d732f1..049a211 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -221,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@@ -5153,7 +2944,7 @@ index 1d732f1..049a211 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -232,14 +254,15 @@ corecmd_exec_bin(groupadd_t)
+@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
@@ -5172,7 +2963,7 @@ index 1d732f1..049a211 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -256,7 +279,8 @@ optional_policy(`
+@@ -253,7 +279,8 @@ optional_policy(`
')
optional_policy(`
@@ -5182,7 +2973,7 @@ index 1d732f1..049a211 100644
')
optional_policy(`
-@@ -273,7 +297,7 @@ optional_policy(`
+@@ -270,7 +297,7 @@ optional_policy(`
# Passwd local policy
#
@@ -5191,7 +2982,7 @@ index 1d732f1..049a211 100644
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
-@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -5199,7 +2990,7 @@ index 1d732f1..049a211 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -5207,7 +2998,7 @@ index 1d732f1..049a211 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +336,38 @@ selinux_compute_create_context(passwd_t)
+@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -5251,7 +3042,7 @@ index 1d732f1..049a211 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +376,11 @@ init_use_fds(passwd_t)
+@@ -335,12 +376,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -5265,27 +3056,27 @@ index 1d732f1..049a211 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -352,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
-+
-+optional_policy(`
+
+ optional_policy(`
+- nscd_run(passwd_t, passwd_roles)
+ gnome_exec_keyringd(passwd_t)
+ gnome_manage_cache_home_dir(passwd_t)
+ gnome_manage_generic_cache_sockets(passwd_t)
+ gnome_stream_connect_gkeyringd(passwd_t)
+')
-
- optional_policy(`
-- nscd_run(passwd_t, passwd_roles)
++
++optional_policy(`
+ #nscd_run(passwd_t, passwd_roles)
+ nscd_domtrans(passwd_t)
')
########################################
-@@ -401,9 +447,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +447,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -5298,7 +3089,7 @@ index 1d732f1..049a211 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -5306,7 +3097,7 @@ index 1d732f1..049a211 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -5328,7 +3119,7 @@ index 1d732f1..049a211 100644
')
########################################
-@@ -446,7 +490,8 @@ optional_policy(`
+@@ -443,7 +490,8 @@ optional_policy(`
# Useradd local policy
#
@@ -5338,7 +3129,7 @@ index 1d732f1..049a211 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -461,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -458,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -5349,7 +3140,7 @@ index 1d732f1..049a211 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -468,36 +517,37 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +517,37 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -5399,7 +3190,7 @@ index 1d732f1..049a211 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -508,33 +558,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +558,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -5429,10 +3220,10 @@ index 1d732f1..049a211 100644
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
+userdom_delete_all_user_home_content(useradd_t)
@@ -5450,7 +3241,7 @@ index 1d732f1..049a211 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -545,7 +598,12 @@ optional_policy(`
+@@ -542,7 +598,12 @@ optional_policy(`
')
optional_policy(`
@@ -5464,7 +3255,7 @@ index 1d732f1..049a211 100644
')
optional_policy(`
-@@ -553,6 +611,11 @@ optional_policy(`
+@@ -550,6 +611,11 @@ optional_policy(`
')
optional_policy(`
@@ -5476,7 +3267,7 @@ index 1d732f1..049a211 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -562,3 +625,12 @@ optional_policy(`
+@@ -559,3 +625,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -5660,15 +3451,8 @@ index 7590165..85186a9 100644
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_mounton_fusefs(seunshare_domain)
')
-diff --git a/policy/modules/contrib b/policy/modules/contrib
-index 298b887..662a00b 160000
---- a/policy/modules/contrib
-+++ b/policy/modules/contrib
-@@ -1 +1 @@
--Subproject commit 298b887411b663a7da40a7a465915a7352bac80d
-+Subproject commit 662a00bca8f52af8056f41abd0fdec77ea835b2a
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..3656744 100644
+index 644d4d7..3656744 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -5739,11 +3523,8 @@ index 33e0f8d..3656744 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-@@ -132,13 +145,14 @@ ifdef(`distro_debian',`
- # /lib
- #
+@@ -134,10 +147,12 @@ ifdef(`distro_debian',`
--/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -5756,7 +3537,7 @@ index 33e0f8d..3656744 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -149,10 +163,12 @@ ifdef(`distro_gentoo',`
+@@ -148,10 +163,12 @@ ifdef(`distro_gentoo',`
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -5770,7 +3551,7 @@ index 33e0f8d..3656744 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +184,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +184,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -5778,7 +3559,7 @@ index 33e0f8d..3656744 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,38 +196,52 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +196,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -5813,7 +3594,6 @@ index 33e0f8d..3656744 100644
/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -5838,17 +3618,12 @@ index 33e0f8d..3656744 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -218,19 +249,31 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +249,31 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -5882,7 +3657,7 @@ index 33e0f8d..3656744 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +288,39 @@ ifdef(`distro_gentoo',`
+@@ -241,26 +288,39 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -5927,7 +3702,7 @@ index 33e0f8d..3656744 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -273,6 +329,7 @@ ifdef(`distro_gentoo',`
+@@ -269,6 +329,7 @@ ifdef(`distro_gentoo',`
/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -5935,7 +3710,7 @@ index 33e0f8d..3656744 100644
/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -280,10 +337,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +337,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -5951,7 +3726,7 @@ index 33e0f8d..3656744 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +360,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +360,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -5976,7 +3751,7 @@ index 33e0f8d..3656744 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +393,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +393,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -6005,7 +3780,7 @@ index 33e0f8d..3656744 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +421,7 @@ ifdef(`distro_redhat', `
+@@ -342,6 +421,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -6013,7 +3788,7 @@ index 33e0f8d..3656744 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,11 +463,16 @@ ifdef(`distro_suse', `
+@@ -383,11 +463,16 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -6031,7 +3806,7 @@ index 33e0f8d..3656744 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -401,3 +482,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +482,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -6302,15 +4077,9 @@ index 9e9263a..77e6c8c 100644
+ filetrans_pattern($1, bin_t, $2, $3, $4)
+')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 20c76cf..a784e8e 100644
+index 43090a0..a784e8e 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
-@@ -1,4 +1,4 @@
--policy_module(corecommands, 1.18.1)
-+policy_module(corecommands, 1.17.3)
-
- ########################################
- #
@@ -13,7 +13,8 @@ attribute exec_type;
#
# bin_t is the type of files in the system bin/sbin directories.
@@ -7893,15 +5662,10 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..8a190ce 100644
+index 4edc40d..8a190ce 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -1,10 +1,11 @@
--policy_module(corenetwork, 1.19.2)
-+policy_module(corenetwork, 1.18.4)
-
- ########################################
- #
+@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
# Declarations
#
@@ -7972,7 +5736,7 @@ index b191055..8a190ce 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,54 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -8040,7 +5804,7 @@ index b191055..8a190ce 100644
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+network_port(gear, tcp,43273,s0, udp,43273,s0)
- network_port(gdomap, tcp,538,s0, udp,538,s0)
++network_port(gdomap, tcp,538,s0, udp,538,s0)
network_port(gds_db, tcp,3050,s0, udp,3050,s0)
network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
@@ -8050,7 +5814,7 @@ index b191055..8a190ce 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -8118,7 +5882,7 @@ index b191055..8a190ce 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -8159,7 +5923,7 @@ index b191055..8a190ce 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -215,66 +269,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,64 +269,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -8174,7 +5938,7 @@ index b191055..8a190ce 100644
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
- network_port(redis, tcp,6379,s0)
++network_port(redis, tcp,6379,s0)
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -8228,7 +5992,6 @@ index b191055..8a190ce 100644
+network_port(tram, tcp, 4567, s0)
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
--network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
network_port(ups, tcp,3493,s0)
network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -8246,7 +6009,7 @@ index b191055..8a190ce 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +350,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +350,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -8273,7 +6036,7 @@ index b191055..8a190ce 100644
########################################
#
-@@ -333,6 +399,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +399,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -8282,7 +6045,7 @@ index b191055..8a190ce 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +413,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +413,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -10949,15 +8712,9 @@ index 76f285e..830c1c5 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..b31a5e8 100644
+index 6529bd9..b31a5e8 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
-@@ -1,4 +1,4 @@
--policy_module(devices, 1.15.0)
-+policy_module(devices, 1.14.5)
-
- ########################################
- #
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
#
type device_t;
@@ -11771,7 +9528,7 @@ index cf04cb5..a290c56 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..1a210d2 100644
+index c2c6e05..1a210d2 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -12013,16 +9770,14 @@ index b876c48..1a210d2 100644
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
-@@ -269,5 +294,6 @@ ifndef(`distro_redhat',`
-
+@@ -270,3 +295,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
--/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..255728e 100644
+index 64ff4d7..255728e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12861,103 +10616,94 @@ index f962f76..255728e 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1655,38 +2097,38 @@ interface(`files_dontaudit_search_all_mountpoints',`
-
- ########################################
- ##
--## List all mount points.
-+## Do not audit listing of all mount points.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_all_mountpoints',`
-+interface(`files_dontaudit_list_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- ')
-
-- allow $1 mountpoint:dir list_dir_perms;
-+ dontaudit $1 mountpoint:dir list_dir_perms;
- ')
+@@ -1673,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
--## Do not audit listing of all mount points.
+## Write all mount points.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_list_all_mountpoints',`
-- gen_require(`
-- attribute mountpoint;
-- ')
++##
++##
++#
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
-
-- dontaudit $1 mountpoint:dir list_dir_perms;
++
+ allow $1 mountpoint:dir write;
- ')
-
- ########################################
-@@ -1709,72 +2151,145 @@ interface(`files_dontaudit_write_all_mountpoints',`
++')
++
++########################################
++##
+ ## Do not audit attempts to write to mount points.
+ ##
+ ##
+@@ -1691,6 +2151,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
##
--## List the contents of the root directory.
+## Do not audit attempts to unmount all mount points.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_root',`
++##
++##
++#
+interface(`files_dontaudit_unmount_all_mountpoints',`
- gen_require(`
-- type root_t;
++ gen_require(`
+ attribute mountpoint;
- ')
-
-- allow $1 root_t:dir list_dir_perms;
-- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
++ ')
++
+ dontaudit $1 mountpoint:filesystem unmount;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to / dirs.
++')
++
++########################################
++##
+## Write all file type directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_dirs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:dir write;
++')
++
++########################################
++##
+ ## List the contents of the root directory.
##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -1707,7 +2203,6 @@ interface(`files_list_root',`
+ allow $1 root_t:dir list_dir_perms;
+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+-
+ ########################################
+ ##
+ ## Do not audit attempts to write to / dirs.
+@@ -1718,18 +2213,17 @@ interface(`files_list_root',`
##
##
#
-interface(`files_dontaudit_write_root_dirs',`
-+interface(`files_write_all_dirs',`
++interface(`files_write_root_dirs',`
gen_require(`
-- type root_t;
-+ attribute file_type;
+ type root_t;
')
- dontaudit $1 root_t:dir write;
-+ allow $1 file_type:dir write;
++ allow $1 root_t:dir write;
')
-###################
@@ -12965,59 +10711,15 @@ index f962f76..255728e 100644
##
-## Do not audit attempts to write
-## files in the root directory.
-+## List the contents of the root directory.
++## Do not audit attempts to write to / dirs.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -1737,7 +2231,26 @@ interface(`files_dontaudit_write_root_dirs',`
##
##
#
-interface(`files_dontaudit_rw_root_dir',`
-+interface(`files_list_root',`
- gen_require(`
- type root_t;
- ')
-
-- dontaudit $1 root_t:dir rw_dir_perms;
-+ allow $1 root_t:dir list_dir_perms;
-+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
- ')
--
- ########################################
- ##
--## Create an object in the root directory, with a private
--## type using a type transition.
-+## Do not audit attempts to write to / dirs.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
--##
-+#
-+interface(`files_write_root_dirs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to / dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+interface(`files_dontaudit_write_root_dirs',`
+ gen_require(`
+ type root_t;
@@ -13038,15 +10740,13 @@ index f962f76..255728e 100644
+##
+#
+interface(`files_dontaudit_rw_root_dir',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+##
+ gen_require(`
+ type root_t;
+ ')
+@@ -1747,6 +2260,26 @@ interface(`files_dontaudit_rw_root_dir',`
+
+ ########################################
+ ##
+## Do not audit attempts to check the
+## access on root directory.
+##
@@ -13067,20 +10767,10 @@ index f962f76..255728e 100644
+
+########################################
+##
-+## Create an object in the root directory, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
- ## The type of the object to be created.
- ##
- ##
-@@ -1892,25 +2407,25 @@ interface(`files_delete_root_dir_entry',`
+ ## Create an object in the root directory, with a private
+ ## type using a type transition.
+ ##
+@@ -1874,25 +2407,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -13112,7 +10802,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -1923,7 +2438,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2438,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -13121,7 +10811,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -1946,6 +2461,42 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2461,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -13164,7 +10854,7 @@ index f962f76..255728e 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2732,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2732,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -13189,7 +10879,7 @@ index f962f76..255728e 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3214,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3214,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -13214,7 +10904,7 @@ index f962f76..255728e 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3303,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3303,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -13222,7 +10912,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -2724,7 +3312,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3312,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -13231,7 +10921,7 @@ index f962f76..255728e 100644
##
##
#
-@@ -2780,6 +3368,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3368,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -13257,7 +10947,7 @@ index f962f76..255728e 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3405,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3405,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -13282,7 +10972,7 @@ index f962f76..255728e 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3588,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3588,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -13307,7 +10997,7 @@ index f962f76..255728e 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3628,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3628,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -13318,7 +11008,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -3031,18 +3636,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3636,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -13340,7 +11030,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -3060,6 +3664,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3664,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -13367,7 +11057,7 @@ index f962f76..255728e 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3701,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3701,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -13375,7 +11065,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -3098,6 +3723,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3723,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -13383,7 +11073,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -3150,6 +3776,44 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3776,44 @@ interface(`files_getattr_isid_type_dirs',`
########################################
##
@@ -13428,7 +11118,7 @@ index f962f76..255728e 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
-@@ -3223,11 +3887,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,11 +3887,10 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
@@ -13442,7 +11132,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -3235,18 +3898,18 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3217,18 +3898,18 @@ interface(`files_delete_isid_type_dirs',`
##
##
#
@@ -13465,7 +11155,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -3254,12 +3917,88 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3236,17 +3917,17 @@ interface(`files_manage_isid_type_dirs',`
##
##
#
@@ -13477,11 +11167,144 @@ index f962f76..255728e 100644
- allow $1 file_t:dir { search_dir_perms mounton };
+ allow $1 file_t:dir mounton;
+ ')
+
+ ########################################
+ ##
+-## Read files on new filesystems
++## Relabelfrom all file opbjects on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3255,18 +3936,18 @@ interface(`files_mounton_isid_type_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_isid_type_files',`
++interface(`files_relabelfrom_isid_type',`
+ gen_require(`
+ type file_t;
+ ')
+
+- allow $1 file_t:file read_file_perms;
++ dontaudit $1 file_t:dir_file_class_set relabelfrom;
+ ')
+
+ ########################################
+ ##
+-## Delete files on new filesystems
+-## that have not yet been labeled.
++## Create, read, write, and delete directories
++## on new filesystems that have not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3274,18 +3955,18 @@ interface(`files_read_isid_type_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_files',`
++interface(`files_manage_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_files_pattern($1, file_t, file_t)
++ allow $1 file_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete symbolic links on new filesystems
+-## that have not yet been labeled.
++## Mount a filesystem on a directory on new filesystems
++## that has not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3293,18 +3974,18 @@ interface(`files_delete_isid_type_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_symlinks',`
++interface(`files_mounton_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_lnk_files_pattern($1, file_t, file_t)
++ allow $1 file_t:dir { search_dir_perms mounton };
+ ')
+
+ ########################################
+ ##
+-## Delete named pipes on new filesystems
+-## that have not yet been labeled.
++## Mount a filesystem on a new chr_file
++## that has not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3312,17 +3993,17 @@ interface(`files_delete_isid_type_symlinks',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_fifo_files',`
++interface(`files_mounton_isid_type_chr_file',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_fifo_files_pattern($1, file_t, file_t)
++ allow $1 unlabeled_t:chr_file mounton;
+ ')
+
+ ########################################
+ ##
+-## Delete named sockets on new filesystems
++## Read files on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3331,17 +4012,17 @@ interface(`files_delete_isid_type_fifo_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_sock_files',`
++interface(`files_read_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_sock_files_pattern($1, file_t, file_t)
++ allow $1 file_t:file read_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete block files on new filesystems
++## Delete files on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3350,12 +4031,88 @@ interface(`files_delete_isid_type_sock_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_blk_files',`
++interface(`files_delete_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_blk_files_pattern($1, file_t, file_t)
++ delete_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
-+## Relabelfrom all file opbjects on new filesystems
++## Delete symbolic links on new filesystems
+## that have not yet been labeled.
+##
+##
@@ -13490,18 +11313,18 @@ index f962f76..255728e 100644
+##
+##
+#
-+interface(`files_relabelfrom_isid_type',`
++interface(`files_delete_isid_type_symlinks',`
+ gen_require(`
+ type file_t;
+ ')
+
-+ dontaudit $1 file_t:dir_file_class_set relabelfrom;
++ delete_lnk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
-+## Create, read, write, and delete directories
-+## on new filesystems that have not yet been labeled.
++## Delete named pipes on new filesystems
++## that have not yet been labeled.
+##
+##
+##
@@ -13509,18 +11332,18 @@ index f962f76..255728e 100644
+##
+##
+#
-+interface(`files_manage_isid_type_dirs',`
++interface(`files_delete_isid_type_fifo_files',`
+ gen_require(`
+ type file_t;
+ ')
+
-+ allow $1 file_t:dir manage_dir_perms;
++ delete_fifo_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
-+## Mount a filesystem on a directory on new filesystems
-+## that has not yet been labeled.
++## Delete named sockets on new filesystems
++## that have not yet been labeled.
+##
+##
+##
@@ -13528,18 +11351,18 @@ index f962f76..255728e 100644
+##
+##
+#
-+interface(`files_mounton_isid_type_dirs',`
++interface(`files_delete_isid_type_sock_files',`
+ gen_require(`
+ type file_t;
+ ')
+
-+ allow $1 file_t:dir { search_dir_perms mounton };
++ delete_sock_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
-+## Mount a filesystem on a new chr_file
-+## that has not yet been labeled.
++## Delete block files on new filesystems
++## that have not yet been labeled.
+##
+##
+##
@@ -13547,16 +11370,16 @@ index f962f76..255728e 100644
+##
+##
+#
-+interface(`files_mounton_isid_type_chr_file',`
++interface(`files_delete_isid_type_blk_files',`
+ gen_require(`
-+ type unlabeled_t;
++ type file_t;
+ ')
+
-+ allow $1 unlabeled_t:chr_file mounton;
++ delete_blk_files_pattern($1, file_t, file_t)
')
########################################
-@@ -3473,6 +4212,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +4212,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -13582,7 +11405,7 @@ index f962f76..255728e 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3552,6 +4310,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3534,6 +4310,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -13610,7 +11433,7 @@ index f962f76..255728e 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4593,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4593,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -13654,7 +11477,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -4217,6 +5014,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +5014,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13827,7 +11650,7 @@ index f962f76..255728e 100644
########################################
##
## Allow the specified type to associate
-@@ -4239,6 +5202,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +5202,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -13854,7 +11677,7 @@ index f962f76..255728e 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4252,17 +5235,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +5235,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -13893,7 +11716,7 @@ index f962f76..255728e 100644
##
##
#
-@@ -4289,6 +5292,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +5292,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -13901,7 +11724,7 @@ index f962f76..255728e 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5329,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5329,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -13909,7 +11732,7 @@ index f962f76..255728e 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5339,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5339,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -13918,7 +11741,7 @@ index f962f76..255728e 100644
##
##
#
-@@ -4346,6 +5351,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5351,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -13944,7 +11767,7 @@ index f962f76..255728e 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4361,6 +5385,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5385,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -13952,12 +11775,13 @@ index f962f76..255728e 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5427,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,25 +5427,33 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
+-## Manage temporary files and directories in /tmp.
+## Allow shared library text relocations in tmp files.
-+##
+ ##
+##
+##
+## Allow shared library text relocations in tmp files.
@@ -13966,26 +11790,58 @@ index f962f76..255728e 100644
+## This is added to support java policy.
+##
+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_manage_generic_tmp_files',`
+interface(`files_execmod_tmp',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ attribute tmpfile;
+ ')
+
+- manage_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmpfile:file execmod;
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links in the tmp directory (/tmp).
++## Manage temporary files and directories in /tmp.
+ ##
+ ##
+ ##
+@@ -4410,7 +5461,25 @@ interface(`files_manage_generic_tmp_files',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_manage_generic_tmp_files',`
++ gen_require(`
++ type tmp_t;
+ ')
+
-+ allow $1 tmpfile:file execmod;
++ manage_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+##
- ## Manage temporary files and directories in /tmp.
- ##
- ##
-@@ -4456,6 +5507,42 @@ interface(`files_rw_generic_tmp_sockets',`
++## Read symbolic links in the tmp directory (/tmp).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
+ type tmp_t;
+ ')
+@@ -4438,6 +5507,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -14028,7 +11884,7 @@ index f962f76..255728e 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4474,6 +5561,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4456,6 +5561,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -14089,7 +11945,7 @@ index f962f76..255728e 100644
## List all tmp directories.
##
##
-@@ -4519,7 +5660,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4501,7 +5660,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -14098,7 +11954,7 @@ index f962f76..255728e 100644
##
##
#
-@@ -4579,7 +5720,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5720,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -14107,7 +11963,7 @@ index f962f76..255728e 100644
##
##
#
-@@ -4611,6 +5752,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5752,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -14152,7 +12008,7 @@ index f962f76..255728e 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4664,6 +5843,16 @@ interface(`files_purge_tmp',`
+@@ -4646,6 +5843,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -14169,7 +12025,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -5112,6 +6301,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5094,6 +6301,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
@@ -14194,7 +12050,7 @@ index f962f76..255728e 100644
## Read system.map in the /boot directory.
##
##
-@@ -5241,6 +6448,24 @@ interface(`files_list_var',`
+@@ -5223,6 +6448,24 @@ interface(`files_list_var',`
########################################
##
@@ -14219,7 +12075,7 @@ index f962f76..255728e 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5328,7 +6553,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5310,7 +6553,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -14228,7 +12084,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -5525,6 +6750,23 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5507,6 +6750,23 @@ interface(`files_rw_var_lib_dirs',`
rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
@@ -14252,7 +12108,7 @@ index f962f76..255728e 100644
########################################
##
## Create objects in the /var/lib directory
-@@ -5596,6 +6838,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6838,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -14278,7 +12134,7 @@ index f962f76..255728e 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6902,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6902,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -14287,7 +12143,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -5649,12 +6910,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6910,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -14303,7 +12159,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -5672,6 +6934,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6934,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -14311,7 +12167,7 @@ index f962f76..255728e 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6961,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6961,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -14339,7 +12195,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -5706,13 +6988,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6988,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14356,7 +12212,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -5731,7 +7012,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +7012,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -14365,7 +12221,7 @@ index f962f76..255728e 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +7045,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +7045,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -14373,7 +12229,7 @@ index f962f76..255728e 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +7059,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +7059,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -14382,7 +12238,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -5787,13 +7067,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +7067,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -14417,7 +12273,7 @@ index f962f76..255728e 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7109,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +7109,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -14435,7 +12291,7 @@ index f962f76..255728e 100644
')
########################################
-@@ -5834,9 +7133,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +7133,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -14446,7 +12302,7 @@ index f962f76..255728e 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7175,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +7175,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -14456,7 +12312,7 @@ index f962f76..255728e 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7197,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +7197,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -14466,7 +12322,7 @@ index f962f76..255728e 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7234,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +7234,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -14476,7 +12332,7 @@ index f962f76..255728e 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7273,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7273,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -14485,7 +12341,7 @@ index f962f76..255728e 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7293,48 @@ interface(`files_search_pids',`
+@@ -5981,33 +7293,108 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -14494,26 +12350,40 @@ index f962f76..255728e 100644
search_dirs_pattern($1, var_t, var_run_t)
')
+-########################################
+######################################
-+##
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Add and remove entries from pid directories.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain to not audit.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
+- gen_require(`
+- type var_run_t;
+- ')
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
-+
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
+ allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## List the contents of the runtime process
+## Create generic pid directory.
+##
+##
@@ -14531,100 +12401,88 @@ index f962f76..255728e 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
- ########################################
- ##
- ## Do not audit attempts to search
-@@ -6025,40 +7357,77 @@ interface(`files_dontaudit_search_pids',`
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
++########################################
++##
+## Do not audit attempts to search
-+## the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_pids',`
-+interface(`files_dontaudit_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
-+ attribute pidfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-+ dontaudit $1 pidfile:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read generic process ID files.
-+## Allow search the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
++## the /var/run directory.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_pids',`
-+interface(`files_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
-+ attribute pidfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ allow $1 pidfile:dir search_dir_perms;
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
++## Do not audit attempts to search
++## the all /var/run directory.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_list_pids',`
++interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
-+ type var_t, var_run_t;
++ attribute pidfile;
+ ')
+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
++ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+##
-+## Read generic process ID files.
++## Allow search the all /var/run directory.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_read_generic_pids',`
++interface(`files_search_all_pids',`
+ gen_require(`
-+ type var_t, var_run_t;
++ attribute pidfile;
+ ')
+
++ allow $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+ ##
+@@ -6021,7 +7408,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6040,7 +7427,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7447,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7447,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -14633,7 +12491,7 @@ index f962f76..255728e 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7509,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7509,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -14641,7 +12499,7 @@ index f962f76..255728e 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7537,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,6 +7537,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -14666,7 +12524,7 @@ index f962f76..255728e 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7568,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7568,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -14675,7 +12533,7 @@ index f962f76..255728e 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7635,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7635,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -14738,7 +12596,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -6305,42 +7679,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7679,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -14788,7 +12646,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -6348,18 +7715,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7715,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -14812,7 +12670,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -6367,37 +7734,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7734,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -14864,7 +12722,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -6405,18 +7775,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7775,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -14887,7 +12745,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -6424,18 +7793,18 @@ interface(`files_list_spool',`
+@@ -6406,18 +7793,18 @@ interface(`files_list_spool',`
##
##
#
@@ -14911,7 +12769,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -6443,19 +7812,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,19 +7812,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -14936,7 +12794,7 @@ index f962f76..255728e 100644
##
##
##
-@@ -6463,55 +7831,112 @@ interface(`files_read_generic_spool',`
+@@ -6445,55 +7831,130 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -14964,11 +12822,6 @@ index f962f76..255728e 100644
##
##
-##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
+##
+#
+interface(`files_delete_all_pids',`
@@ -14992,12 +12845,11 @@ index f962f76..255728e 100644
+##
+##
##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
+-## Type to which the created node will be transitioned.
+## Domain allowed access.
##
##
--##
+-##
+#
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
@@ -15043,15 +12895,37 @@ index f962f76..255728e 100644
+##
+##
##
--## The name of the object being created.
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+## Type of the file to be used as a
+## spool file.
##
##
+-##
+##
++#
++interface(`files_spool_file',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ files_type($1)
++ typeattribute $1 spoolfile;
++')
++
++########################################
++##
++## Create all spool sockets
++##
++##
+ ##
+-## The name of the object being created.
++## Domain allowed access.
+ ##
+ ##
#
-interface(`files_spool_filetrans',`
-+interface(`files_spool_file',`
++interface(`files_create_all_spool_sockets',`
gen_require(`
- type var_t, var_spool_t;
+ attribute spoolfile;
@@ -15059,24 +12933,23 @@ index f962f76..255728e 100644
- allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ files_type($1)
-+ typeattribute $1 spoolfile;
++ allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
##
-## Allow access to manage all polyinstantiated
-## directories on the system.
-+## Create all spool sockets
++## Delete all spool sockets
##
##
##
-@@ -6519,53 +7944,17 @@ interface(`files_spool_filetrans',`
+@@ -6501,16 +7962,208 @@ interface(`files_spool_filetrans',`
##
##
#
-interface(`files_polyinstantiate_all',`
-+interface(`files_create_all_spool_sockets',`
++interface(`files_delete_all_spool_sockets',`
gen_require(`
- attribute polydir, polymember, polyparent;
- type poly_t;
@@ -15085,64 +12958,10 @@ index f962f76..255728e 100644
- # Need to give access to /selinux/member
- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
-+## Delete all spool sockets
- ##
- ##
- ##
-@@ -6573,10 +7962,802 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
-+interface(`files_delete_all_spool_sockets',`
- gen_require(`
-- attribute files_unconfined_type;
-+ attribute spoolfile;
-+ ')
-+
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
-+
+
+- # Need sys_admin capability for mounting
+########################################
+##
+## Relabel to and from all spool
@@ -15337,54 +13156,10 @@ index f962f76..255728e 100644
+ selinux_compute_member($1)
+
+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Unconfined access to files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_unconfined',`
-+ gen_require(`
-+ attribute files_unconfined_type;
- ')
+ allow $1 self:capability { chown fsetid sys_admin fowner };
+
+ # Need to give access to the directories to be polyinstantiated
+@@ -6562,3 +8215,549 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -15935,15 +13710,10 @@ index f962f76..255728e 100644
+ allow $1 etc_t:service status;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..b5a89ba 100644
+index 148d87a..b5a89ba 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
-@@ -1,16 +1,20 @@
--policy_module(files, 1.18.1)
-+policy_module(files, 1.17.5)
-
- ########################################
- #
+@@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
# Declarations
#
@@ -16051,7 +13821,7 @@ index 1a03abd..b5a89ba 100644
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
-@@ -133,45 +156,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,52 +156,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type src_t;
files_mountpoint(src_t)
@@ -16104,9 +13874,10 @@ index 1a03abd..b5a89ba 100644
type var_lock_t;
+files_base_file(var_lock_t)
files_lock_file(var_lock_t)
- files_mountpoint(var_lock_t)
++files_mountpoint(var_lock_t)
-@@ -180,6 +212,7 @@ files_mountpoint(var_lock_t)
+ #
+ # var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
@@ -16114,7 +13885,7 @@ index 1a03abd..b5a89ba 100644
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
-@@ -187,7 +220,9 @@ files_mountpoint(var_run_t)
+@@ -186,7 +220,9 @@ files_mountpoint(var_run_t)
# var_spool_t is the type of /var/spool
#
type var_spool_t;
@@ -16124,7 +13895,7 @@ index 1a03abd..b5a89ba 100644
########################################
#
-@@ -226,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -225,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile)
# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
@@ -16138,7 +13909,7 @@ index 1a03abd..b5a89ba 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index d7c11a0..7b26d12 100644
+index cda5588..7b26d12 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1,9 +1,12 @@
@@ -16157,22 +13928,14 @@ index d7c11a0..7b26d12 100644
/dev/shm/.* <>
/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
-@@ -11,13 +14,12 @@
- /lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+@@ -12,5 +15,11 @@
/lib/udev/devices/shm/.* <>
--/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
--/sys/fs/cgroup/.* <>
--
--/sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
--/sys/fs/pstore/.* <>
-+# for systemd systems:
+ # for systemd systems:
+-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+-/sys/fs/cgroup/.* <>
+/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
-
--ifdef(`distro_debian',`
--/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
--/var/run/shm/.* <>
--')
++
+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/usr/lib/udev/devices/hugepages/.* <>
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
@@ -17596,15 +15359,9 @@ index 8416beb..c6cd3eb 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..bf31a0e 100644
+index 9e603f5..bf31a0e 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -1,4 +1,4 @@
--policy_module(filesystem, 1.17.2)
-+policy_module(filesystem, 1.16.2)
-
- ########################################
- #
@@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
@@ -17632,7 +15389,7 @@ index e7d1738..bf31a0e 100644
type bdev_t;
fs_type(bdev_t)
-@@ -63,15 +68,22 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
@@ -17650,14 +15407,9 @@ index e7d1738..bf31a0e 100644
-type cgroup_t;
+type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
-+files_type(cgroup_t)
+ files_type(cgroup_t)
files_mountpoint(cgroup_t)
--dev_associate_sysfs(cgroup_t)
-+dev_associate_sysfs(cgroup_t) # only for systemd systems
- genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
- type configfs_t;
-@@ -88,6 +100,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -89,6 +100,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -17669,7 +15421,7 @@ index e7d1738..bf31a0e 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +113,7 @@ type hugetlbfs_t;
+@@ -97,6 +113,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -17677,7 +15429,7 @@ index e7d1738..bf31a0e 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -118,17 +136,16 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -119,12 +136,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -17688,18 +15440,14 @@ index e7d1738..bf31a0e 100644
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
--type pstore_t;
--fs_type(pstore_t)
--files_mountpoint(pstore_t)
--dev_associate_sysfs(pstore_t)
--genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
+type pstorefs_t;
+fs_type(pstorefs_t)
+genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0)
-
++
type ramfs_t;
fs_type(ramfs_t)
-@@ -150,11 +167,6 @@ fs_type(spufs_t)
+ files_mountpoint(ramfs_t)
+@@ -145,11 +167,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -17711,7 +15459,7 @@ index e7d1738..bf31a0e 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -172,16 +184,19 @@ type vxfs_t;
+@@ -167,6 +184,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -17720,10 +15468,7 @@ index e7d1738..bf31a0e 100644
#
# tmpfs_t is the type for tmpfs filesystems
- #
- type tmpfs_t;
--dev_associate(tmpfs_t)
- fs_type(tmpfs_t)
+@@ -176,6 +195,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -17732,7 +15477,7 @@ index e7d1738..bf31a0e 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -17741,7 +15486,7 @@ index e7d1738..bf31a0e 100644
files_mountpoint(removable_t)
#
-@@ -280,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -17758,7 +15503,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..1debeb2 100644
+index 649e458..1debeb2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -18159,17 +15904,16 @@ index e100d88..1debeb2 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2630,6 +2866,9 @@ interface(`kernel_sendrecv_unlabeled_association',`
- ')
-
+@@ -2632,7 +2868,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
-+
-+ # temporary hack until labeling on packets is supported
+
+ # temporary hack until labeling on packets is supported
+- allow $1 unlabeled_t:packet { send recv };
+# allow $1 unlabeled_t:packet { send recv };
')
########################################
-@@ -2667,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -18194,7 +15938,7 @@ index e100d88..1debeb2 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2694,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -18220,7 +15964,7 @@ index e100d88..1debeb2 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2803,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -18254,7 +15998,7 @@ index e100d88..1debeb2 100644
########################################
##
-@@ -2958,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -18279,7 +16023,7 @@ index e100d88..1debeb2 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3293,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3293,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -18582,15 +16326,9 @@ index e100d88..1debeb2 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..cdc610d 100644
+index 6fac350..cdc610d 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -1,4 +1,4 @@
--policy_module(kernel, 1.17.1)
-+policy_module(kernel, 1.16.1)
-
- ########################################
- #
@@ -25,6 +25,9 @@ attribute kern_unconfined;
# regular entries in proc
attribute proc_type;
@@ -18932,15 +16670,9 @@ index b08a6e8..43d504b 100644
+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+')
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
-index 2da98c2..8067370 100644
+index 5cbeb54..8067370 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
-@@ -1,4 +1,4 @@
--policy_module(mcs, 1.3.0)
-+policy_module(mcs, 1.2.1)
-
- ########################################
- #
@@ -11,3 +11,4 @@ attribute mcssetcats;
attribute mcswriteall;
attribute mcsreadall;
@@ -18954,7 +16686,7 @@ index 7be4ddf..4d4c577 100644
-# This module currently does not have any file contexts.
+/selinux -l gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 6d0811d..a02d444 100644
+index 81440c5..a02d444 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -19022,17 +16754,17 @@ index 6d0811d..a02d444 100644
allow $1 security_t:filesystem getattr;
')
-@@ -220,7 +234,9 @@ interface(`selinux_search_fs',`
+@@ -220,6 +234,9 @@ interface(`selinux_search_fs',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir search_dir_perms;
')
-@@ -244,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',`
+@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',`
########################################
##
@@ -19061,7 +16793,7 @@ index 6d0811d..a02d444 100644
## Do not audit attempts to read
## generic selinuxfs entries
##
-@@ -258,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
@@ -19069,24 +16801,22 @@ index 6d0811d..a02d444 100644
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
-@@ -279,7 +318,8 @@ interface(`selinux_get_enforce_mode',`
+@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',`
type security_t;
')
-- dev_search_sysfs($1)
+ selinux_get_fs_mount($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
-@@ -310,22 +350,9 @@ interface(`selinux_set_enforce_mode',`
+@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',`
gen_require(`
type security_t;
attribute can_setenforce;
- bool secure_mode_policyload;
')
-- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
@@ -19102,7 +16832,7 @@ index 6d0811d..a02d444 100644
')
########################################
-@@ -342,22 +369,14 @@ interface(`selinux_load_policy',`
+@@ -339,21 +369,14 @@ interface(`selinux_load_policy',`
gen_require(`
type security_t;
attribute can_load_policy;
@@ -19110,7 +16840,7 @@ index 6d0811d..a02d444 100644
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
@@ -19127,17 +16857,17 @@ index 6d0811d..a02d444 100644
')
########################################
-@@ -375,7 +394,9 @@ interface(`selinux_read_policy',`
+@@ -371,6 +394,9 @@ interface(`selinux_read_policy',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
allow $1 security_t:security read_policy;
-@@ -438,19 +459,16 @@ interface(`selinux_set_boolean',`
+@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',`
interface(`selinux_set_generic_booleans',`
gen_require(`
type security_t;
@@ -19146,8 +16876,7 @@ index 6d0811d..a02d444 100644
+ typeattribute $1 can_setbool;
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
--
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
@@ -19161,7 +16890,7 @@ index 6d0811d..a02d444 100644
')
########################################
-@@ -479,25 +497,16 @@ interface(`selinux_set_all_booleans',`
+@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',`
gen_require(`
type security_t, secure_mode_policyload_t;
attribute boolean_type;
@@ -19171,8 +16900,7 @@ index 6d0811d..a02d444 100644
+ typeattribute $1 can_setbool;
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
--
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
@@ -19193,77 +16921,77 @@ index 6d0811d..a02d444 100644
')
########################################
-@@ -528,7 +537,9 @@ interface(`selinux_set_parameters',`
+@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
-@@ -552,7 +563,9 @@ interface(`selinux_validate_context',`
+@@ -542,6 +563,9 @@ interface(`selinux_validate_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
-@@ -595,7 +608,9 @@ interface(`selinux_compute_access_vector',`
+@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
-@@ -617,7 +632,9 @@ interface(`selinux_compute_create_context',`
+@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
-@@ -639,7 +656,9 @@ interface(`selinux_compute_member',`
+@@ -626,6 +656,9 @@ interface(`selinux_compute_member',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
-@@ -669,7 +688,9 @@ interface(`selinux_compute_relabel_context',`
+@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
-@@ -690,7 +711,9 @@ interface(`selinux_compute_user_contexts',`
+@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
-@@ -712,4 +735,29 @@ interface(`selinux_unconfined',`
+@@ -696,4 +735,29 @@ interface(`selinux_unconfined',`
')
typeattribute $1 selinux_unconfined_type;
@@ -19294,15 +17022,9 @@ index 6d0811d..a02d444 100644
')
+
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index e0a973b..85f484d 100644
+index 522ab32..85f484d 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
-@@ -1,4 +1,4 @@
--policy_module(selinux, 1.12.1)
-+policy_module(selinux, 1.12.0)
-
- ########################################
- #
@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
attribute boolean_type;
attribute can_load_policy;
@@ -19412,7 +17134,7 @@ index 54f1827..39faa3f 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 64c4cd0..ca6c727 100644
+index 1700ef2..ca6c727 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -19467,25 +17189,10 @@ index 64c4cd0..ca6c727 100644
dev_add_entry_generic_dirs($1)
')
-@@ -260,18 +284,55 @@ interface(`storage_manage_fixed_disk',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Optional filename of the block device to be created
--##
--##
- #
- interface(`storage_dev_filetrans_fixed_disk',`
- gen_require(`
- type fixed_disk_device_t;
- ')
+@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+ dev_filetrans($1, fixed_disk_device_t, blk_file)
+ ')
-- dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
-+ dev_filetrans($1, fixed_disk_device_t, blk_file)
-+')
-+
+#######################################
+##
+## Create block devices in /dev with the fixed disk type
@@ -19526,10 +17233,12 @@ index 64c4cd0..ca6c727 100644
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
- ')
-
++')
++
########################################
-@@ -295,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
+ ##
+ ## Create block devices in on a tmpfs filesystem with the
+@@ -290,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
########################################
##
@@ -19555,7 +17264,7 @@ index 64c4cd0..ca6c727 100644
## Relabel fixed disk device nodes.
##
##
-@@ -716,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -711,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
@@ -19580,7 +17289,7 @@ index 64c4cd0..ca6c727 100644
########################################
##
## Allow the caller to directly read
-@@ -813,3 +911,452 @@ interface(`storage_unconfined',`
+@@ -808,3 +911,452 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -20048,10 +17757,10 @@ index 156c333..02f5a3c 100644
+ dev_manage_generic_blk_files(fixed_disk_raw_write)
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 0ea25b6..a3e5a1e 100644
+index 7d45d15..a3e5a1e 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -14,12 +14,13 @@
+@@ -14,11 +14,13 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
@@ -20061,13 +17770,12 @@ index 0ea25b6..a3e5a1e 100644
+/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
--/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +43,7 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
@@ -20076,7 +17784,7 @@ index 0ea25b6..a3e5a1e 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index cbb729b..e3722ab 100644
+index 771bce1..e3722ab 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -20452,10 +18160,11 @@ index cbb729b..e3722ab 100644
##
##
#
-@@ -1513,21 +1713,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1712,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
-
++
+####################################
+##
+## Getattr on the virtio console.
@@ -20474,27 +18183,17 @@ index cbb729b..e3722ab 100644
+ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
+')
+
- #####################################
- ##
--## Read from and write virtio console.
++#####################################
++##
+## Read from and write to the virtio console.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
- interface(`term_use_virtio_console',`
-- gen_require(`
-- type virtio_device_t;
-- ')
--
-- dev_list_all_dev_nodes($1)
-- allow $1 virtio_device_t:chr_file rw_term_perms;
++##
++#
++interface(`term_use_virtio_console',`
+ gen_require(`
+ type virtio_device_t;
+ ')
@@ -20897,17 +18596,11 @@ index cbb729b..e3722ab 100644
+ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
- ')
++')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index 66e116a..a97d7cc 100644
+index c0b88bf..a97d7cc 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
-@@ -1,4 +1,4 @@
--policy_module(terminal, 1.11.1)
-+policy_module(terminal, 1.10.1)
-
- ########################################
- #
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
fs_type(devpts_t)
@@ -20916,7 +18609,7 @@ index 66e116a..a97d7cc 100644
#
# devtty_t is the type of /dev/tty.
-@@ -54,8 +55,11 @@ dev_node(tty_device_t)
+@@ -54,5 +55,11 @@ dev_node(tty_device_t)
#
# usbtty_device_t is the type of /dev/usr/tty*
#
@@ -20924,12 +18617,12 @@ index 66e116a..a97d7cc 100644
-dev_node(usbtty_device_t)
+type usbtty_device_t;
+term_tty(usbtty_device_t)
-
++
+#
+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
+#
- type virtio_device_t, serial_device;
- dev_node(virtio_device_t)
++type virtio_device_t, serial_device;
++dev_node(virtio_device_t)
diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
new file mode 100644
index 0000000..f310b9d
@@ -21071,16 +18764,10 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..147eab1 100644
+index 5da7870..147eab1 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -1,4 +1,4 @@
--policy_module(staff, 2.4.0)
-+policy_module(staff, 2.3.1)
-
- ########################################
- #
-@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
+@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -21476,15 +19163,10 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..e49b8da 100644
+index 88d0028..e49b8da 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -1,43 +1,91 @@
--policy_module(sysadm, 2.6.1)
-+policy_module(sysadm, 2.5.1)
-
- ########################################
- #
+@@ -5,39 +5,87 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -21667,18 +19349,21 @@ index 2522ca6..e49b8da 100644
dmesg_exec(sysadm_t)
')
-@@ -156,6 +217,10 @@ optional_policy(`
+@@ -156,11 +217,11 @@ optional_policy(`
')
optional_policy(`
+- fstools_run(sysadm_t, sysadm_r)
+ firewalld_dbus_chat(sysadm_t)
-+')
-+
-+optional_policy(`
- fstools_run(sysadm_t, sysadm_r)
')
-@@ -175,6 +240,13 @@ optional_policy(`
+ optional_policy(`
+- git_role(sysadm_r, sysadm_t)
++ fstools_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -179,6 +240,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -21692,7 +19377,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -182,15 +254,20 @@ optional_policy(`
+@@ -186,15 +254,20 @@ optional_policy(`
')
optional_policy(`
@@ -21704,19 +19389,19 @@ index 2522ca6..e49b8da 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-+ kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -210,22 +287,20 @@ optional_policy(`
+@@ -214,22 +287,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -21745,7 +19430,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -237,14 +312,28 @@ optional_policy(`
+@@ -241,14 +312,28 @@ optional_policy(`
')
optional_policy(`
@@ -21774,7 +19459,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -252,10 +341,20 @@ optional_policy(`
+@@ -256,10 +341,20 @@ optional_policy(`
')
optional_policy(`
@@ -21795,7 +19480,7 @@ index 2522ca6..e49b8da 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +365,41 @@ optional_policy(`
+@@ -270,35 +365,41 @@ optional_policy(`
')
optional_policy(`
@@ -21844,7 +19529,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -308,6 +413,7 @@ optional_policy(`
+@@ -312,6 +413,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -21852,7 +19537,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -315,12 +421,20 @@ optional_policy(`
+@@ -319,12 +421,20 @@ optional_policy(`
')
optional_policy(`
@@ -21874,7 +19559,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -345,7 +459,18 @@ optional_policy(`
+@@ -349,7 +459,18 @@ optional_policy(`
')
optional_policy(`
@@ -21894,7 +19579,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -356,19 +481,15 @@ optional_policy(`
+@@ -360,19 +481,15 @@ optional_policy(`
')
optional_policy(`
@@ -21916,7 +19601,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -380,10 +501,6 @@ optional_policy(`
+@@ -384,10 +501,6 @@ optional_policy(`
')
optional_policy(`
@@ -21927,7 +19612,7 @@ index 2522ca6..e49b8da 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +508,9 @@ optional_policy(`
+@@ -395,6 +508,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -21937,7 +19622,7 @@ index 2522ca6..e49b8da 100644
')
optional_policy(`
-@@ -398,31 +518,34 @@ optional_policy(`
+@@ -402,31 +518,34 @@ optional_policy(`
')
optional_policy(`
@@ -21978,7 +19663,7 @@ index 2522ca6..e49b8da 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +558,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +558,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21989,7 +19674,7 @@ index 2522ca6..e49b8da 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +578,79 @@ ifndef(`distro_redhat',`
+@@ -463,15 +578,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -23123,22 +20808,22 @@ index 3835596..fbca2be 100644
########################################
##
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..c3271fb 100644
+index cdfddf4..c3271fb 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -1,4 +1,11 @@
--policy_module(unprivuser, 2.4.0)
-+policy_module(unprivuser, 2.3.1)
-+
+@@ -1,5 +1,12 @@
+ policy_module(unprivuser, 2.3.1)
+
+##
+##
+## Allow unprivileged user to create and transition to svirt domains.
+##
+##
+gen_tunable(unprivuser_use_svirt, false)
-
++
# this module should be named user, but that is
# a compile error since user is a keyword.
+
@@ -12,12 +19,102 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -23666,15 +21351,9 @@ index 9d2f311..9e87525 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 0306134..19dfc1f 100644
+index 346d011..19dfc1f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
-@@ -1,4 +1,4 @@
--policy_module(postgresql, 1.16.0)
-+policy_module(postgresql, 1.15.4)
-
- gen_require(`
- class db_database all_db_database_perms;
@@ -19,25 +19,32 @@ gen_require(`
#
@@ -24635,16 +22314,10 @@ index fe0c682..e8dcfa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..980e658 100644
+index 5fc0391..980e658 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
-@@ -1,4 +1,4 @@
--policy_module(ssh, 2.4.2)
-+policy_module(ssh, 2.3.3)
-
- ########################################
- #
-@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
+@@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3)
#
##
@@ -24725,21 +22398,19 @@ index cc877c7..980e658 100644
type ssh_t;
type ssh_exec_t;
-@@ -73,9 +95,11 @@ type ssh_home_t;
+@@ -73,6 +95,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
+files_poly_parent(ssh_home_t)
-
--type sshd_keytab_t;
--files_type(sshd_keytab_t)
++
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
##############################
#
-@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -24747,7 +22418,7 @@ index cc877c7..980e658 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
-@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -24764,7 +22435,7 @@ index cc877c7..980e658 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -24812,7 +22483,7 @@ index cc877c7..980e658 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -157,40 +187,46 @@ files_read_var_files(ssh_t)
+@@ -154,40 +187,46 @@ files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@@ -24878,7 +22549,7 @@ index cc877c7..980e658 100644
')
optional_policy(`
-@@ -198,6 +234,7 @@ optional_policy(`
+@@ -195,6 +234,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -24886,7 +22557,7 @@ index cc877c7..980e658 100644
##############################
#
# ssh_keysign_t local policy
-@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -24894,13 +22565,11 @@ index cc877c7..980e658 100644
files_read_etc_files(ssh_keysign_t)
-@@ -226,39 +264,56 @@ optional_policy(`
+@@ -223,33 +264,56 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
-
--allow sshd_t sshd_keytab_t:file read_file_perms;
--
-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
@@ -24927,9 +22596,6 @@ index cc877c7..980e658 100644
+corenet_tcp_bind_vnc_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
--ifdef(`distro_debian',`
-- allow sshd_t self:process { getcap setcap };
--')
+auth_exec_login_program(sshd_t)
+auth_signal_chk_passwd(sshd_t)
+
@@ -24939,7 +22605,7 @@ index cc877c7..980e658 100644
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+userdom_dyntransition_unpriv_users(sshd_t)
-
++
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
@@ -24965,7 +22631,7 @@ index cc877c7..980e658 100644
')
optional_policy(`
-@@ -266,12 +321,28 @@ optional_policy(`
+@@ -257,11 +321,28 @@ optional_policy(`
')
optional_policy(`
@@ -24986,8 +22652,7 @@ index cc877c7..980e658 100644
')
optional_policy(`
-- kerberos_read_keytab(sshd_t)
-- kerberos_use(sshd_t)
+- kerberos_keytab_template(sshd, sshd_t)
+ lvm_domtrans(sshd_t)
+')
+
@@ -24996,7 +22661,7 @@ index cc877c7..980e658 100644
')
optional_policy(`
-@@ -279,6 +350,10 @@ optional_policy(`
+@@ -269,6 +350,10 @@ optional_policy(`
')
optional_policy(`
@@ -25007,7 +22672,7 @@ index cc877c7..980e658 100644
rpm_use_script_fds(sshd_t)
')
-@@ -289,13 +364,93 @@ optional_policy(`
+@@ -279,13 +364,93 @@ optional_policy(`
')
optional_policy(`
@@ -25101,7 +22766,7 @@ index cc877c7..980e658 100644
########################################
#
# ssh_keygen local policy
-@@ -304,19 +459,33 @@ optional_policy(`
+@@ -294,19 +459,33 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -25136,7 +22801,7 @@ index cc877c7..980e658 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -332,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -322,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
@@ -25151,7 +22816,7 @@ index cc877c7..980e658 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +517,148 @@ optional_policy(`
+@@ -331,3 +517,148 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -25301,7 +22966,7 @@ index cc877c7..980e658 100644
+')
+
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..696dd0e 100644
+index d1f64a0..696dd0e 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,36 @@
@@ -25382,12 +23047,13 @@ index 8274418..696dd0e 100644
# /usr
#
--/usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/gdm3? -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -25407,7 +23073,7 @@ index 8274418..696dd0e 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,26 +131,51 @@ ifndef(`distro_debian',`
+@@ -92,25 +131,51 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -25436,7 +23102,6 @@ index 8274418..696dd0e 100644
+
+/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
--/var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -25445,7 +23110,7 @@ index 8274418..696dd0e 100644
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
--/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
+-/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -27100,15 +24765,9 @@ index 6bf0ecc..30ca475 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..5be1645 100644
+index 2696452..5be1645 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
-@@ -1,4 +1,4 @@
--policy_module(xserver, 3.9.4)
-+policy_module(xserver, 3.8.4)
-
- gen_require(`
- class x_drawable all_x_drawable_perms;
@@ -26,28 +26,59 @@ gen_require(`
#
@@ -27178,7 +24837,7 @@ index 8b40377..5be1645 100644
# X Events
attribute xevent_type;
-@@ -107,67 +138,85 @@ xserver_object_types_template(remote)
+@@ -107,44 +138,54 @@ xserver_object_types_template(remote)
xserver_common_x_domain_template(remote, remote_t)
type user_fonts_t;
@@ -27234,10 +24893,7 @@ index 8b40377..5be1645 100644
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
userdom_user_tmp_file(xauth_tmp_t)
- # this is not actually a device, its a pipe
- type xconsole_device_t;
- files_type(xconsole_device_t)
--dev_associate(xconsole_device_t)
+@@ -154,19 +195,28 @@ files_type(xconsole_device_t)
fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)
@@ -27269,7 +24925,7 @@ index 8b40377..5be1645 100644
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -175,13 +224,27 @@ files_type(xdm_var_lib_t)
+@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@@ -27298,7 +24954,7 @@ index 8b40377..5be1645 100644
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -194,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -27317,7 +24973,7 @@ index 8b40377..5be1645 100644
userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
-@@ -226,21 +287,33 @@ optional_policy(`
+@@ -225,21 +287,33 @@ optional_policy(`
#
allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -27332,12 +24988,16 @@ index 8b40377..5be1645 100644
-userdom_use_user_terminals(iceauth_t)
+userdom_use_inherited_user_terminals(iceauth_t)
userdom_read_user_tmp_files(iceauth_t)
-+userdom_read_all_users_state(iceauth_t)
-+userdom_home_manager(iceauth_t)
-
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(iceauth_t)
-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(iceauth_t)
++userdom_read_all_users_state(iceauth_t)
++userdom_home_manager(iceauth_t)
++
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_read_urand(iceauth_t)
+ dev_dontaudit_rw_dri(iceauth_t)
@@ -27345,9 +25005,7 @@ index 8b40377..5be1645 100644
+ fs_dontaudit_list_inotifyfs(iceauth_t)
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(iceauth_t)
++
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
@@ -27358,7 +25016,7 @@ index 8b40377..5be1645 100644
')
########################################
-@@ -248,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -27460,7 +25118,7 @@ index 8b40377..5be1645 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +415,109 @@ optional_policy(`
+@@ -299,64 +415,109 @@ optional_policy(`
# XDM Local policy
#
@@ -27580,7 +25238,7 @@ index 8b40377..5be1645 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -27613,7 +25271,7 @@ index 8b40377..5be1645 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -27667,7 +25325,7 @@ index 8b40377..5be1645 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +612,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +612,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -27696,7 +25354,7 @@ index 8b40377..5be1645 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -27745,7 +25403,7 @@ index 8b40377..5be1645 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -27903,7 +25561,7 @@ index 8b40377..5be1645 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -503,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -27930,11 +25588,14 @@ index 8b40377..5be1645 100644
')
optional_policy(`
-@@ -519,7 +878,28 @@ optional_policy(`
- dbus_connect_system_bus(xdm_t)
+@@ -514,12 +874,57 @@ optional_policy(`
+ ')
- optional_policy(`
-- accountsd_dbus_chat(xdm_t)
+ optional_policy(`
++ dbus_system_bus_client(xdm_t)
++ dbus_connect_system_bus(xdm_t)
++
++ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
@@ -27957,10 +25618,13 @@ index 8b40377..5be1645 100644
+
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
- ')
- ')
-
-@@ -530,6 +910,21 @@ optional_policy(`
++ ')
++')
++
++optional_policy(`
+ # Talk to the console mouse server.
+ gpm_stream_connect(xdm_t)
+ gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`
@@ -27982,7 +25646,7 @@ index 8b40377..5be1645 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +942,78 @@ optional_policy(`
+@@ -537,28 +942,78 @@ optional_policy(`
')
optional_policy(`
@@ -28070,7 +25734,7 @@ index 8b40377..5be1645 100644
')
optional_policy(`
-@@ -580,6 +1025,14 @@ optional_policy(`
+@@ -570,6 +1025,14 @@ optional_policy(`
')
optional_policy(`
@@ -28085,7 +25749,7 @@ index 8b40377..5be1645 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -584,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -28094,7 +25758,7 @@ index 8b40377..5be1645 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -28107,7 +25771,7 @@ index 8b40377..5be1645 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -28123,7 +25787,7 @@ index 8b40377..5be1645 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -28134,7 +25798,7 @@ index 8b40377..5be1645 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -28156,7 +25820,7 @@ index 8b40377..5be1645 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -651,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -28170,7 +25834,7 @@ index 8b40377..5be1645 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -28202,7 +25866,7 @@ index 8b40377..5be1645 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -704,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -28220,7 +25884,7 @@ index 8b40377..5be1645 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1206,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1206,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -28244,7 +25908,7 @@ index 8b40377..5be1645 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -28253,7 +25917,7 @@ index 8b40377..5be1645 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,16 +1269,44 @@ optional_policy(`
+@@ -775,16 +1269,44 @@ optional_policy(`
')
optional_policy(`
@@ -28299,7 +25963,7 @@ index 8b40377..5be1645 100644
unconfined_domtrans(xserver_t)
')
-@@ -803,6 +1315,10 @@ optional_policy(`
+@@ -793,6 +1315,10 @@ optional_policy(`
')
optional_policy(`
@@ -28310,7 +25974,7 @@ index 8b40377..5be1645 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -28324,7 +25988,7 @@ index 8b40377..5be1645 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -28333,7 +25997,7 @@ index 8b40377..5be1645 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1358,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1358,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -28368,7 +26032,7 @@ index 8b40377..5be1645 100644
')
optional_policy(`
-@@ -912,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -28377,7 +26041,7 @@ index 8b40377..5be1645 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1477,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -28409,7 +26073,7 @@ index 8b40377..5be1645 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -28733,7 +26397,7 @@ index c6fdab7..af71c62 100644
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2479587..ed25543 100644
+index 28ad538..ed25543 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
@@ -28797,7 +26461,7 @@ index 2479587..ed25543 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,21 +56,24 @@ ifdef(`distro_gentoo', `
+@@ -30,20 +56,24 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -28825,9 +26489,7 @@ index 2479587..ed25543 100644
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
--/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-+/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..3accfe3 100644
--- a/policy/modules/system/authlogin.if
@@ -29692,15 +27354,10 @@ index 3efd5b6..3accfe3 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..837948b 100644
+index 104037e..837948b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -1,10 +1,23 @@
--policy_module(authlogin, 2.5.1)
-+policy_module(authlogin, 2.4.2)
-
- ########################################
- #
+@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
# Declarations
#
@@ -30223,15 +27880,9 @@ index d475c2d..55305d5 100644
+ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
+')
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index edece47..7fcd27a 100644
+index 3694bfe..7fcd27a 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
-@@ -1,4 +1,4 @@
--policy_module(clock, 1.7.0)
-+policy_module(clock, 1.6.2)
-
- ########################################
- #
@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
term_dontaudit_use_console(hwclock_t)
@@ -30267,7 +27918,7 @@ index edece47..7fcd27a 100644
')
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 948ce2a..ce0abe6 100644
+index a97a096..ce0abe6 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@@ -30283,11 +27934,8 @@ index 948ce2a..ce0abe6 100644
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -33,17 +31,57 @@
- /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -35,13 +33,55 @@
/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
--/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -30324,7 +27972,7 @@ index 948ce2a..ce0abe6 100644
+/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -30372,15 +28020,9 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d30..9eebe0b 100644
+index 6c4b6ee..9eebe0b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
-@@ -1,4 +1,4 @@
--policy_module(fstools, 1.16.1)
-+policy_module(fstools, 1.15.0)
-
- ########################################
- #
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
type fsadm_log_t;
logging_log_file(fsadm_log_t)
@@ -30576,15 +28218,9 @@ index e4376aa..2c98c56 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea..4740426 100644
+index fc38c9c..4740426 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
-@@ -1,4 +1,4 @@
--policy_module(getty, 1.10.0)
-+policy_module(getty, 1.9.1)
-
- ########################################
- #
@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
type getty_var_run_t;
files_pid_file(getty_var_run_t)
@@ -30672,16 +28308,10 @@ index 187f04f..cf0af09 100644
interface(`hostname_exec',`
gen_require(`
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index 24a7889..51e9aef 100644
+index f6cbda9..51e9aef 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
-@@ -1,4 +1,4 @@
--policy_module(hostname, 1.8.1)
-+policy_module(hostname, 1.8.0)
-
- ########################################
- #
-@@ -23,40 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
+@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)
@@ -30719,7 +28349,6 @@ index 24a7889..51e9aef 100644
-miscfiles_read_localization(hostname_t)
--sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
@@ -30759,15 +28388,9 @@ index 40eb10c..2a0a32c 100644
corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index b2097e7..7ebb938 100644
+index bb5c4a6..7ebb938 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
-@@ -1,4 +1,4 @@
--policy_module(hotplug, 1.16.0)
-+policy_module(hotplug, 1.15.1)
-
- ########################################
- #
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
#
@@ -30820,7 +28443,7 @@ index b2097e7..7ebb938 100644
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index bc0ffc8..9d960bb 100644
+index 9a4d3a7..9d960bb 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -1,6 +1,9 @@
@@ -30845,7 +28468,7 @@ index bc0ffc8..9d960bb 100644
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-@@ -42,20 +50,33 @@ ifdef(`distro_gentoo', `
+@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', `
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -30870,7 +28493,6 @@ index bc0ffc8..9d960bb 100644
#
# /var
#
--/var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
+/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
@@ -30880,13 +28502,13 @@ index bc0ffc8..9d960bb 100644
ifdef(`distro_debian',`
/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -74,3 +95,4 @@ ifdef(`distro_suse', `
+@@ -73,3 +95,4 @@ ifdef(`distro_suse', `
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..6a39d34 100644
+index 24e7804..6a39d34 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -31670,82 +29292,33 @@ index 79a45f6..6a39d34 100644
## init scripts over dbus.
##
##
-@@ -1488,47 +1827,45 @@ interface(`init_use_script_ptys',`
-
- ########################################
- ##
--## Read and write inherited init script ptys.
-+## Do not audit attempts to read and
-+## write the init script pty.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`init_use_inherited_script_ptys',`
-+interface(`init_dontaudit_use_script_ptys',`
- gen_require(`
- type initrc_devpts_t;
- ')
-
-- term_list_ptys($1)
-- allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
--
-- init_use_fds($1)
-+ dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
- ')
+@@ -1526,6 +1865,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
--## Do not audit attempts to read and
--## write the init script pty.
-+## Get the attributes of init script
++## Manage init script
+## status files.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`init_dontaudit_use_script_ptys',`
-+interface(`init_getattr_script_status_files',`
- gen_require(`
-- type initrc_devpts_t;
++##
++##
++#
++interface(`init_manage_script_status_files',`
++ gen_require(`
+ type initrc_state_t;
- ')
-
-- dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
-+ getattr_files_pattern($1, initrc_state_t, initrc_state_t)
- ')
-
- ########################################
- ##
--## Get the attributes of init script
-+## Manage init script
++ ')
++
++ manage_files_pattern($1, initrc_state_t, initrc_state_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to read init script
## status files.
##
- ##
-@@ -1537,12 +1874,12 @@ interface(`init_dontaudit_use_script_ptys',`
- ##
- ##
- #
--interface(`init_getattr_script_status_files',`
-+interface(`init_manage_script_status_files',`
- gen_require(`
- type initrc_state_t;
- ')
-
-- getattr_files_pattern($1, initrc_state_t, initrc_state_t)
-+ manage_files_pattern($1, initrc_state_t, initrc_state_t)
- ')
-
- ########################################
-@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1942,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -31770,7 +29343,7 @@ index 79a45f6..6a39d34 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',`
+@@ -1656,6 +2032,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -31814,7 +29387,7 @@ index 79a45f6..6a39d34 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1744,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -31823,7 +29396,7 @@ index 79a45f6..6a39d34 100644
')
########################################
-@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -31957,7 +29530,7 @@ index 79a45f6..6a39d34 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -32409,15 +29982,9 @@ index 79a45f6..6a39d34 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..3b2baa7 100644
+index dd3be8d..3b2baa7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -1,4 +1,4 @@
--policy_module(init, 1.20.1)
-+policy_module(init, 1.19.6)
-
- gen_require(`
- class passwd rootok;
@@ -11,10 +11,31 @@ gen_require(`
##
@@ -32956,19 +30523,19 @@ index 17eda24..3b2baa7 100644
')
########################################
-@@ -225,9 +570,9 @@ optional_policy(`
+@@ -225,8 +570,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
-+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
- allow initrc_t self:capability2 block_suspend;
-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
++allow initrc_t self:capability2 block_suspend;
+dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -32985,7 +30552,7 @@ index 17eda24..3b2baa7 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -33028,7 +30595,7 @@ index 17eda24..3b2baa7 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -33040,7 +30607,7 @@ index 17eda24..3b2baa7 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +677,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -33051,7 +30618,7 @@ index 17eda24..3b2baa7 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +688,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -33061,7 +30628,7 @@ index 17eda24..3b2baa7 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -33069,7 +30636,7 @@ index 17eda24..3b2baa7 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -33077,7 +30644,7 @@ index 17eda24..3b2baa7 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -33095,7 +30662,7 @@ index 17eda24..3b2baa7 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -33109,7 +30676,7 @@ index 17eda24..3b2baa7 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +745,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -33123,7 +30690,7 @@ index 17eda24..3b2baa7 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,6 +758,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +758,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -33131,7 +30698,7 @@ index 17eda24..3b2baa7 100644
selinux_get_enforce_mode(initrc_t)
-@@ -398,6 +770,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +770,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -33139,7 +30706,7 @@ index 17eda24..3b2baa7 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +789,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +789,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -33163,7 +30730,7 @@ index 17eda24..3b2baa7 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +822,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +822,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -33171,7 +30738,7 @@ index 17eda24..3b2baa7 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +856,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +856,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -33182,7 +30749,7 @@ index 17eda24..3b2baa7 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +880,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +880,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -33191,7 +30758,7 @@ index 17eda24..3b2baa7 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +895,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +895,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -33199,7 +30766,7 @@ index 17eda24..3b2baa7 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +916,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +916,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -33207,7 +30774,7 @@ index 17eda24..3b2baa7 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +926,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +926,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -33252,7 +30819,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -559,14 +971,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +971,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -33284,7 +30851,7 @@ index 17eda24..3b2baa7 100644
')
')
-@@ -577,6 +1006,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +1006,39 @@ ifdef(`distro_suse',`
')
')
@@ -33324,7 +30891,7 @@ index 17eda24..3b2baa7 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1051,8 @@ optional_policy(`
+@@ -588,6 +1051,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -33333,7 +30900,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -610,6 +1074,7 @@ optional_policy(`
+@@ -609,6 +1074,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -33341,7 +30908,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -626,6 +1091,17 @@ optional_policy(`
+@@ -625,6 +1091,17 @@ optional_policy(`
')
optional_policy(`
@@ -33359,7 +30926,7 @@ index 17eda24..3b2baa7 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1118,13 @@ optional_policy(`
+@@ -641,9 +1118,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -33373,7 +30940,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -657,15 +1137,11 @@ optional_policy(`
+@@ -656,15 +1137,11 @@ optional_policy(`
')
optional_policy(`
@@ -33391,7 +30958,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -686,6 +1162,15 @@ optional_policy(`
+@@ -685,6 +1162,15 @@ optional_policy(`
')
optional_policy(`
@@ -33407,7 +30974,7 @@ index 17eda24..3b2baa7 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1211,7 @@ optional_policy(`
+@@ -725,6 +1211,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -33415,7 +30982,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -743,7 +1229,13 @@ optional_policy(`
+@@ -742,7 +1229,13 @@ optional_policy(`
')
optional_policy(`
@@ -33430,7 +30997,7 @@ index 17eda24..3b2baa7 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1258,10 @@ optional_policy(`
+@@ -765,6 +1258,10 @@ optional_policy(`
')
optional_policy(`
@@ -33441,7 +31008,7 @@ index 17eda24..3b2baa7 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1271,20 @@ optional_policy(`
+@@ -774,10 +1271,20 @@ optional_policy(`
')
optional_policy(`
@@ -33462,7 +31029,7 @@ index 17eda24..3b2baa7 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1293,10 @@ optional_policy(`
+@@ -786,6 +1293,10 @@ optional_policy(`
')
optional_policy(`
@@ -33473,7 +31040,7 @@ index 17eda24..3b2baa7 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1318,6 @@ optional_policy(`
+@@ -807,8 +1318,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -33482,7 +31049,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -818,6 +1326,10 @@ optional_policy(`
+@@ -817,6 +1326,10 @@ optional_policy(`
')
optional_policy(`
@@ -33493,7 +31060,7 @@ index 17eda24..3b2baa7 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1339,12 @@ optional_policy(`
+@@ -826,10 +1339,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -33506,7 +31073,7 @@ index 17eda24..3b2baa7 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,12 +1371,35 @@ optional_policy(`
+@@ -856,12 +1371,35 @@ optional_policy(`
')
optional_policy(`
@@ -33543,7 +31110,7 @@ index 17eda24..3b2baa7 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -872,6 +1409,18 @@ optional_policy(`
+@@ -871,6 +1409,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -33562,7 +31129,7 @@ index 17eda24..3b2baa7 100644
')
optional_policy(`
-@@ -887,6 +1436,10 @@ optional_policy(`
+@@ -886,6 +1436,10 @@ optional_policy(`
')
optional_policy(`
@@ -33573,7 +31140,7 @@ index 17eda24..3b2baa7 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1450,218 @@ optional_policy(`
+@@ -896,3 +1450,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -34054,15 +31621,9 @@ index 0d4c8d3..3a3ec52 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..5338f4d 100644
+index 9e54bf9..5338f4d 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
-@@ -1,4 +1,4 @@
--policy_module(ipsec, 1.14.0)
-+policy_module(ipsec, 1.13.3)
-
- ########################################
- #
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
corecmd_shell_entry_type(ipsec_mgmt_t)
role system_r types ipsec_mgmt_t;
@@ -34352,10 +31913,10 @@ index 312cd04..5338f4d 100644
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..957deb0 100644
+index 1b93eb7..957deb0 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,32 @@
+@@ -1,21 +1,32 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -34383,7 +31944,6 @@ index 73a1c4e..957deb0 100644
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -34445,15 +32005,9 @@ index c42fbc3..174cfdb 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..187eadd 100644
+index 5dfa44b..187eadd 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
-@@ -1,4 +1,4 @@
--policy_module(iptables, 1.14.0)
-+policy_module(iptables, 1.13.1)
-
- ########################################
- #
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -35077,15 +32631,9 @@ index 808ba93..57a68da 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 54f8fa5..5a985c8 100644
+index 23a645e..5a985c8 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
-@@ -1,4 +1,4 @@
--policy_module(libraries, 2.10.0)
-+policy_module(libraries, 2.9.2)
-
- ########################################
- #
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
# lib_t is the type of files in the system lib directories.
#
@@ -35273,15 +32821,9 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..7b55414 100644
+index c04ac46..7b55414 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
-@@ -1,4 +1,4 @@
--policy_module(locallogin, 1.12.0)
-+policy_module(locallogin, 1.11.1)
-
- ########################################
- #
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
type local_login_lock_t;
files_lock_file(local_login_lock_t)
@@ -36107,14 +33649,10 @@ index 4e94884..8de26ad 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..93ce51a 100644
+index 39ea221..93ce51a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -1,9 +1,24 @@
--policy_module(logging, 1.20.1)
-+policy_module(logging, 1.19.6)
-
- ########################################
+@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
#
# Declarations
#
@@ -36309,26 +33847,23 @@ index 59b04c1..93ce51a 100644
mls_file_read_all_levels(klogd_t)
-@@ -353,15 +394,13 @@ optional_policy(`
-
+@@ -354,12 +395,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
--# sys_nice for rsyslog
# cjp: why net_admin!
--allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 { syslog block_suspend };
# setpgid for metalog
# setrlimit for syslog-ng
-# getsched for syslog-ng
--# setsched for rsyslog
--allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
+-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,8 +408,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -367,8 +408,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -36339,7 +33874,15 @@ index 59b04c1..93ce51a 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +430,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -377,6 +420,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+ # create/append log files.
+ manage_files_pattern(syslogd_t, var_log_t, var_log_t)
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
++files_search_spool(syslogd_t)
+
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+@@ -386,28 +430,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -36356,12 +33899,11 @@ index 59b04c1..93ce51a 100644
+kernel_rw_stream_socket_perms(syslogd_t)
kernel_read_system_state(syslogd_t)
- kernel_read_network_state(syslogd_t)
++kernel_read_network_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
--kernel_read_vm_sysctls(syslogd_t)
+kernel_request_load_module(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
@@ -36385,7 +33927,7 @@ index 59b04c1..93ce51a 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +474,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -417,6 +474,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -36394,7 +33936,7 @@ index 59b04c1..93ce51a 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +486,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +486,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -36422,7 +33964,7 @@ index 59b04c1..93ce51a 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -447,14 +518,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +518,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -36442,7 +33984,7 @@ index 59b04c1..93ce51a 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +542,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +542,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -36457,7 +33999,7 @@ index 59b04c1..93ce51a 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -497,6 +573,8 @@ optional_policy(`
+@@ -492,6 +573,8 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -36466,7 +34008,7 @@ index 59b04c1..93ce51a 100644
')
optional_policy(`
-@@ -507,15 +585,40 @@ optional_policy(`
+@@ -502,15 +585,40 @@ optional_policy(`
')
optional_policy(`
@@ -36507,7 +34049,7 @@ index 59b04c1..93ce51a 100644
')
optional_policy(`
-@@ -526,3 +629,26 @@ optional_policy(`
+@@ -521,3 +629,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -36535,10 +34077,10 @@ index 59b04c1..93ce51a 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b91740..633e449 100644
+index 879bb1e..633e449 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
+@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
/etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
@@ -36547,7 +34089,10 @@ index 6b91740..633e449 100644
#
# /lib
#
-@@ -33,19 +35,23 @@ ifdef(`distro_gentoo',`
+ /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
#
# /sbin
#
@@ -36572,7 +34117,7 @@ index 6b91740..633e449 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -89,8 +95,72 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +95,72 @@ ifdef(`distro_gentoo',`
#
# /usr
#
@@ -36647,7 +34192,7 @@ index 6b91740..633e449 100644
#
# /var
-@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +168,9 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -36827,15 +34372,9 @@ index 58bc27f..f887230 100644
+')
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..b22837c 100644
+index e8c59a5..b22837c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
-@@ -1,4 +1,4 @@
--policy_module(lvm, 1.15.2)
-+policy_module(lvm, 1.14.1)
-
- ########################################
- #
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
type clvmd_initrc_exec_t;
init_script_file(clvmd_initrc_exec_t)
@@ -37061,7 +34600,7 @@ index 79048c4..b22837c 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -333,16 +374,31 @@ optional_policy(`
+@@ -333,14 +374,30 @@ optional_policy(`
')
optional_policy(`
@@ -37090,10 +34629,8 @@ index 79048c4..b22837c 100644
+
+optional_policy(`
udev_read_db(lvm_t)
-- udev_read_pid_files(lvm_t)
')
- optional_policy(`
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9fe8e01..83acb32 100644
--- a/policy/modules/system/miscfiles.fc
@@ -37418,14 +34955,10 @@ index fc28bc3..faa2281 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index 1361961..8f8d80d 100644
+index d6293de..8f8d80d 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
-@@ -1,10 +1,9 @@
--policy_module(miscfiles, 1.11.0)
-+policy_module(miscfiles, 1.10.2)
-
- ########################################
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
#
# Declarations
#
@@ -37622,15 +35155,10 @@ index 7449974..23bbbf2 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8..82004c9 100644
+index 7a49e28..82004c9 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
-@@ -1,11 +1,11 @@
--policy_module(modutils, 1.14.0)
-+policy_module(modutils, 1.13.3)
-
- ########################################
- #
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
# Declarations
#
@@ -37894,10 +35422,10 @@ index 7a363b8..82004c9 100644
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index a38605e..f035d9f 100644
+index 72c746e..f035d9f 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
-@@ -1,6 +1,26 @@
+@@ -1,4 +1,26 @@
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -37905,8 +35433,7 @@ index a38605e..f035d9f 100644
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-
--/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
@@ -38252,15 +35779,10 @@ index 4584457..8a190ae 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 459a0ef..d941116 100644
+index 6a50270..d941116 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -1,47 +1,62 @@
--policy_module(mount, 1.16.1)
-+policy_module(mount, 1.15.1)
-
- ########################################
- #
+@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
# Declarations
#
@@ -38296,8 +35818,13 @@ index 459a0ef..d941116 100644
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
- type mount_var_run_t;
- files_pid_file(mount_var_run_t)
+-# causes problems with interfaces when
+-# this is optionally declared in monolithic
+-# policy--duplicate type declaration
+-type unconfined_mount_t;
+-application_domain(unconfined_mount_t, mount_exec_t)
++type mount_var_run_t;
++files_pid_file(mount_var_run_t)
+dev_associate(mount_var_run_t)
+
+# showmount - show mount information for an NFS server
@@ -38311,12 +35838,7 @@ index 459a0ef..d941116 100644
+type mount_ecryptfs_exec_t;
+application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
+role system_r types mount_ecryptfs_t;
-
--# causes problems with interfaces when
--# this is optionally declared in monolithic
--# policy--duplicate type declaration
--type unconfined_mount_t;
--application_domain(unconfined_mount_t, mount_exec_t)
++
+type mount_ecryptfs_tmpfs_t;
+files_tmpfs_file(mount_ecryptfs_tmpfs_t)
@@ -38336,20 +35858,16 @@ index 459a0ef..d941116 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -52,15 +67,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
--create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
--create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
--rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
--files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+dev_filetrans(mount_t, mount_var_run_t, dir)
-
++
+# In order to mount reiserfs_t
+kernel_dontaudit_getattr_core_if(mount_t)
+kernel_list_unlabeled(mount_t)
@@ -38358,15 +35876,15 @@ index 459a0ef..d941116 100644
kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
+-kernel_dontaudit_getattr_core_if(mount_t)
+kernel_relabelfrom_unlabeled_fs(mount_t)
+kernel_manage_debugfs(mount_t)
- kernel_setsched(mount_t)
--kernel_dontaudit_getattr_core_if(mount_t)
++kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -69,60 +93,87 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -38417,8 +35935,7 @@ index 459a0ef..d941116 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
--files_list_all_mountpoints(mount_t)
-+files_list_mnt(mount_t)
+@@ -92,28 +141,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -38464,7 +35981,7 @@ index 459a0ef..d941116 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -130,16 +181,21 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -38488,7 +36005,7 @@ index 459a0ef..d941116 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -155,26 +211,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -38528,7 +36045,7 @@ index 459a0ef..d941116 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -188,6 +245,9 @@ optional_policy(`
+@@ -179,6 +245,9 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -38538,7 +36055,7 @@ index 459a0ef..d941116 100644
')
optional_policy(`
-@@ -195,6 +255,40 @@ optional_policy(`
+@@ -186,6 +255,40 @@ optional_policy(`
')
optional_policy(`
@@ -38579,7 +36096,7 @@ index 459a0ef..d941116 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -203,28 +297,132 @@ optional_policy(`
+@@ -194,24 +297,132 @@ optional_policy(`
')
optional_policy(`
@@ -38595,10 +36112,10 @@ index 459a0ef..d941116 100644
+optional_policy(`
+ #modutils_run_insmod(mount_t, mount_roles)
+ modutils_domtrans_insmod(mount_t)
- modutils_read_module_deps(mount_t)
- ')
-
- optional_policy(`
++ modutils_read_module_deps(mount_t)
++')
++
++optional_policy(`
+ fstools_domtrans(mount_t)
+ #fstools_run(mount_t, mount_roles)
+')
@@ -39435,15 +36952,9 @@ index 3822072..270bde3 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..8dae06f 100644
+index ec01d0b..8dae06f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
-@@ -1,4 +1,4 @@
--policy_module(selinuxutil, 1.17.2)
-+policy_module(selinuxutil, 1.17.0)
-
- gen_require(`
- bool secure_mode;
@@ -11,14 +11,16 @@ gen_require(`
attribute can_write_binary_policy;
@@ -39969,7 +37480,7 @@ index dc46420..8dae06f 100644
')
########################################
-@@ -522,111 +598,196 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,196 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -39994,8 +37505,6 @@ index dc46420..8dae06f 100644
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-
-dev_relabel_all_dev_nodes(setfiles_t)
--# to handle when /dev/console needs to be relabeled
--dev_rw_generic_chr_files(setfiles_t)
-
-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
@@ -40005,7 +37514,6 @@ index dc46420..8dae06f 100644
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
--files_dontaudit_read_all_symlinks(setfiles_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
@@ -40311,7 +37819,7 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..95f4458 100644
+index 346a7cc..95f4458 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -17,23 +17,29 @@ ifdef(`distro_debian',`
@@ -40379,18 +37887,23 @@ index 40edc18..95f4458 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -77,3 +99,6 @@ ifdef(`distro_debian',`
- /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+@@ -72,3 +94,11 @@ ifdef(`distro_redhat',`
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
-
++
++ifdef(`distro_debian',`
++/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
++')
++
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..fd3a212 100644
+index 6944526..fd3a212 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
-@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
+@@ -38,11 +38,49 @@ interface(`sysnet_domtrans_dhcpc',`
#
interface(`sysnet_run_dhcpc',`
gen_require(`
@@ -40418,10 +37931,29 @@ index 2cea692..fd3a212 100644
+ ')
+
+ seutil_run_setfiles(dhcpc_t, $2)
++')
++
++########################################
++##
++## Do not audit attempts to read and
++## write dhcpc udp socket descriptors.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
++ gen_require(`
++ type dhcpc_t;
++ ')
++
++ dontaudit $1 dhcpc_t:udp_socket { read write };
')
########################################
-@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
+@@ -212,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
')
files_search_etc($1)
@@ -40430,7 +37962,7 @@ index 2cea692..fd3a212 100644
')
########################################
-@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
+@@ -250,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
type dhcpc_state_t;
')
@@ -40438,7 +37970,7 @@ index 2cea692..fd3a212 100644
read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
-@@ -290,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -271,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
@@ -40482,10 +38014,16 @@ index 2cea692..fd3a212 100644
#######################################
##
## Set the attributes of network config files.
-@@ -311,6 +368,44 @@ interface(`sysnet_setattr_config',`
+@@ -287,7 +363,45 @@ interface(`sysnet_setattr_config',`
+ ')
- #######################################
- ##
+ files_search_etc($1)
+- allow $1 net_conf_t:file setattr;
++ allow $1 net_conf_t:file setattr_file_perms;
++')
++
++#######################################
++##
+## Allow caller to relabel net_conf files
+##
+##
@@ -40520,16 +38058,19 @@ index 2cea692..fd3a212 100644
+ ')
+
+ allow $1 net_conf_t:file relabelto;
-+')
-+
-+#######################################
-+##
- ## Read network config files.
- ##
- ##
-@@ -355,7 +450,10 @@ interface(`sysnet_read_config',`
- ')
+ ')
+
+ #######################################
+@@ -329,8 +443,17 @@ interface(`sysnet_read_config',`
+ files_search_etc($1)
+ allow $1 net_conf_t:file read_file_perms;
++ ifdef(`distro_debian',`
++ files_search_pids($1)
++ allow $1 net_conf_t:dir list_dir_perms;
++ read_files_pattern($1, net_conf_t, net_conf_t)
++ ')
++
ifdef(`distro_redhat',`
+ files_search_all_pids($1)
+ init_search_pid_dirs($1)
@@ -40538,7 +38079,7 @@ index 2cea692..fd3a212 100644
read_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',`
+@@ -413,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',`
')
files_etc_filetrans($1, net_conf_t, file, $2)
@@ -40581,7 +38122,7 @@ index 2cea692..fd3a212 100644
')
#######################################
-@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',`
+@@ -428,12 +587,51 @@ interface(`sysnet_etc_filetrans_config',`
interface(`sysnet_manage_config',`
gen_require(`
type net_conf_t;
@@ -40590,9 +38131,11 @@ index 2cea692..fd3a212 100644
allow $1 net_conf_t:file manage_file_perms;
-@@ -463,7 +597,41 @@ interface(`sysnet_manage_config',`
- ')
-
++ ifdef(`distro_debian',`
++ files_search_pids($1)
++ manage_files_pattern($1, net_conf_t, net_conf_t)
++ ')
++
ifdef(`distro_redhat',`
+ files_search_all_pids($1)
+ init_search_pid_dirs($1)
@@ -40632,7 +38175,7 @@ index 2cea692..fd3a212 100644
')
')
-@@ -501,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -471,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -40640,7 +38183,7 @@ index 2cea692..fd3a212 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -610,6 +779,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -580,6 +779,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
##
@@ -40666,7 +38209,7 @@ index 2cea692..fd3a212 100644
## Read the DHCP configuration files.
##
##
-@@ -626,6 +814,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -596,6 +814,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -40674,7 +38217,7 @@ index 2cea692..fd3a212 100644
')
########################################
-@@ -647,6 +836,26 @@ interface(`sysnet_search_dhcp_state',`
+@@ -617,6 +836,26 @@ interface(`sysnet_search_dhcp_state',`
allow $1 dhcp_state_t:dir search_dir_perms;
')
@@ -40701,7 +38244,7 @@ index 2cea692..fd3a212 100644
########################################
##
## Create DHCP state data.
-@@ -711,8 +920,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -681,8 +920,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -40710,7 +38253,7 @@ index 2cea692..fd3a212 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +927,13 @@ interface(`sysnet_dns_name_resolve',`
+@@ -690,8 +927,13 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
@@ -40724,7 +38267,7 @@ index 2cea692..fd3a212 100644
sysnet_read_config($1)
optional_policy(`
-@@ -750,8 +962,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +962,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -40733,7 +38276,7 @@ index 2cea692..fd3a212 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +970,14 @@ interface(`sysnet_use_ldap',`
+@@ -730,9 +970,14 @@ interface(`sysnet_use_ldap',`
# Support for LDAPS
dev_read_rand($1)
@@ -40748,7 +38291,7 @@ index 2cea692..fd3a212 100644
')
########################################
-@@ -784,7 +999,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +999,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -40756,7 +38299,7 @@ index 2cea692..fd3a212 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1010,125 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +1010,125 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -40883,15 +38426,10 @@ index 2cea692..fd3a212 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..f94755e 100644
+index b7686d5..f94755e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -1,10 +1,17 @@
--policy_module(sysnetwork, 1.15.4)
-+policy_module(sysnetwork, 1.14.6)
-
- ########################################
- #
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
# Declarations
#
@@ -40916,20 +38454,16 @@ index a392fc4..f94755e 100644
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -36,22 +45,22 @@ type ifconfig_exec_t;
+@@ -36,18 +45,22 @@ type ifconfig_exec_t;
init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
--type net_conf_t alias resolv_conf_t;
--files_type(net_conf_t)
+type ifconfig_var_run_t;
+files_pid_file(ifconfig_var_run_t)
+files_mountpoint(ifconfig_var_run_t)
-
--ifdef(`distro_debian',`
-- init_daemon_run_dir(net_conf_t, "network")
--')
-+type net_conf_t alias resolv_conf_t;
++
+ type net_conf_t alias resolv_conf_t;
+-files_type(net_conf_t)
+files_config_file(net_conf_t)
########################################
@@ -40946,7 +38480,7 @@ index a392fc4..f94755e 100644
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -64,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -40958,7 +38492,7 @@ index a392fc4..f94755e 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -74,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -70,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -40967,7 +38501,7 @@ index a392fc4..f94755e 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -95,39 +109,40 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -40988,14 +38522,10 @@ index a392fc4..f94755e 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
- corenet_udp_bind_all_nodes(dhcpc_t)
- corenet_tcp_bind_dhcpc_port(dhcpc_t)
- corenet_udp_bind_dhcpc_port(dhcpc_t)
--corenet_udp_bind_all_unreserved_ports(dhcpc_t)
+@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
--corenet_sendrecv_all_server_packets(dhcpc_t)
-+corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+ corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
@@ -41019,7 +38549,7 @@ index a392fc4..f94755e 100644
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
-@@ -137,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -41036,7 +38566,7 @@ index a392fc4..f94755e 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -161,7 +180,14 @@ ifdef(`distro_ubuntu',`
+@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -41052,7 +38582,7 @@ index a392fc4..f94755e 100644
')
optional_policy(`
-@@ -179,10 +205,6 @@ optional_policy(`
+@@ -174,10 +205,6 @@ optional_policy(`
')
optional_policy(`
@@ -41063,7 +38593,7 @@ index a392fc4..f94755e 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -195,23 +217,36 @@ optional_policy(`
+@@ -190,23 +217,36 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -41100,7 +38630,7 @@ index a392fc4..f94755e 100644
')
optional_policy(`
-@@ -221,7 +256,11 @@ optional_policy(`
+@@ -216,7 +256,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -41113,7 +38643,7 @@ index a392fc4..f94755e 100644
')
optional_policy(`
-@@ -233,6 +272,10 @@ optional_policy(`
+@@ -228,6 +272,10 @@ optional_policy(`
')
optional_policy(`
@@ -41124,7 +38654,7 @@ index a392fc4..f94755e 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -41149,7 +38679,7 @@ index a392fc4..f94755e 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -279,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -41182,7 +38712,7 @@ index a392fc4..f94755e 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,31 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -41203,11 +38733,10 @@ index a392fc4..f94755e 100644
seutil_use_runinit_fds(ifconfig_t)
--sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
+-userdom_use_user_terminals(ifconfig_t)
+sysnet_dns_name_resolve(ifconfig_t)
+sysnet_filetrans_named_content_ifconfig(ifconfig_t)
-
--userdom_use_user_terminals(ifconfig_t)
++
+userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
@@ -41240,22 +38769,21 @@ index a392fc4..f94755e 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,12 +427,11 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-- devicekit_read_pid_files(ifconfig_t)
-+ dnsmasq_domtrans(ifconfig_t)
+@@ -329,8 +427,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
- hal_dontaudit_rw_pipes(ifconfig_t)
- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
++ dnsmasq_domtrans(ifconfig_t)
++')
++
++optional_policy(`
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
')
optional_policy(`
-@@ -350,7 +440,15 @@ optional_policy(`
+@@ -339,7 +440,15 @@ optional_policy(`
')
optional_policy(`
@@ -41272,7 +38800,7 @@ index a392fc4..f94755e 100644
')
optional_policy(`
-@@ -371,3 +469,13 @@ optional_policy(`
+@@ -360,3 +469,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -43450,7 +40978,7 @@ index 0000000..ea7a44f
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
+
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index f41857e..49fd32e 100644
+index 40928d8..49fd32e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,8 @@
@@ -43481,7 +41009,7 @@ index f41857e..49fd32e 100644
-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
--/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -43503,7 +41031,7 @@ index f41857e..49fd32e 100644
ifdef(`distro_debian',`
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 9a1650d..d7e8a01 100644
+index 0f64692..d7e8a01 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -43708,7 +41236,7 @@ index 9a1650d..d7e8a01 100644
+ role system_r;
')
-- files_search_pids($1)
+- files_search_var_lib($1)
- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
@@ -43747,15 +41275,9 @@ index 9a1650d..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..26bc8ba 100644
+index a5ec88b..26bc8ba 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
-@@ -1,4 +1,4 @@
--policy_module(udev, 1.16.2)
-+policy_module(udev, 1.15.4)
-
- ########################################
- #
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -43777,7 +41299,7 @@ index 39f185f..26bc8ba 100644
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -37,10 +38,11 @@ ifdef(`enable_mcs',`
+@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
# Local policy
#
@@ -43785,14 +41307,13 @@ index 39f185f..26bc8ba 100644
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability2 { block_suspend compromise_kernel };
dontaudit udev_t self:capability sys_tty_config;
--allow udev_t self:capability2 block_suspend;
-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -54,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@@ -43800,10 +41321,11 @@ index 39f185f..26bc8ba 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -64,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
+-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
+allow udev_t udev_tmp_t:dir manage_dir_perms;
@@ -43819,8 +41341,7 @@ index 39f185f..26bc8ba 100644
+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
--manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
--files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
+-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
+allow udev_t udev_var_run_t:dir mounton;
@@ -43848,7 +41369,7 @@ index 39f185f..26bc8ba 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -99,6 +112,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +112,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -43856,7 +41377,7 @@ index 39f185f..26bc8ba 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -107,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -43892,7 +41413,7 @@ index 39f185f..26bc8ba 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
-@@ -145,17 +167,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +167,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -43914,37 +41435,20 @@ index 39f185f..26bc8ba 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -169,24 +194,13 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -168,7 +194,11 @@ sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
-sysnet_etc_filetrans_config(udev_t)
--
--userdom_dontaudit_search_user_home_content(udev_t)
+sysnet_filetrans_named_content(udev_t)
+#sysnet_etc_filetrans_config(udev_t)
-
--ifdef(`distro_debian',`
-- files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
++
+systemd_login_read_pid_files(udev_t)
+systemd_getattr_unit_files(udev_t)
-- optional_policy(`
-- # for /usr/lib/avahi/avahi-daemon-check-dns.sh
-- kernel_read_vm_sysctls(udev_t)
-- corenet_udp_bind_generic_node(udev_t)
-- miscfiles_read_generic_certs(udev_t)
-- avahi_create_pid_dirs(udev_t)
-- avahi_initrc_domtrans(udev_t)
-- avahi_manage_pid_files(udev_t)
-- avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
-- ')
--')
-+userdom_dontaudit_search_user_home_content(udev_t)
+ userdom_dontaudit_search_user_home_content(udev_t)
- ifdef(`distro_gentoo',`
- # during boot, init scripts use /dev/.rcsysinit
-@@ -195,16 +209,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +209,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -43963,7 +41467,7 @@ index 39f185f..26bc8ba 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -242,24 +249,38 @@ optional_policy(`
+@@ -226,19 +249,38 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -43972,12 +41476,10 @@ index 39f185f..26bc8ba 100644
optional_policy(`
dbus_system_bus_client(udev_t)
-- dbus_use_system_bus_fds(udev_t)
-
- optional_policy(`
-- consolekit_dbus_chat(udev_t)
++
++ optional_policy(`
+ systemd_dbus_chat_logind(udev_t)
- ')
++ ')
')
optional_policy(`
@@ -44004,21 +41506,18 @@ index 39f185f..26bc8ba 100644
')
optional_policy(`
-@@ -281,11 +302,11 @@ optional_policy(`
+@@ -264,6 +306,10 @@ optional_policy(`
')
optional_policy(`
-- lvm_domtrans(udev_t)
-+ mount_domtrans(udev_t)
- ')
-
- optional_policy(`
-- mount_domtrans(udev_t)
+ networkmanager_dbus_chat(udev_t)
++')
++
++optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
')
-
- optional_policy(`
-@@ -303,6 +324,15 @@ optional_policy(`
+@@ -278,6 +324,15 @@ optional_policy(`
')
optional_policy(`
@@ -44034,7 +41533,7 @@ index 39f185f..26bc8ba 100644
unconfined_signal(udev_t)
')
-@@ -315,6 +345,7 @@ optional_policy(`
+@@ -290,6 +345,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -44069,7 +41568,7 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..01e03ec 100644
+index db7aabb..01e03ec 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -44147,16 +41646,15 @@ index 5ca20a9..01e03ec 100644
# auditallow $1 self:process execstack;
')
-@@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',`
- ')
-
+@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',`
optional_policy(`
-+ # Communicate via dbusd.
-+ dbus_system_bus_unconfined($1)
- dbus_unconfined($1)
+ # Communicate via dbusd.
+ dbus_system_bus_unconfined($1)
++ dbus_unconfined($1)
')
-@@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
+ optional_policy(`
+@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
##
#
interface(`unconfined_domain',`
@@ -44171,7 +41669,7 @@ index 5ca20a9..01e03ec 100644
auditallow $1 self:process execheap;
')
')
-@@ -149,7 +159,7 @@ interface(`unconfined_domain',`
+@@ -150,7 +159,7 @@ interface(`unconfined_domain',`
##
#
interface(`unconfined_alias_domain',`
@@ -44180,7 +41678,7 @@ index 5ca20a9..01e03ec 100644
')
########################################
-@@ -175,414 +185,5 @@ interface(`unconfined_alias_domain',`
+@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',`
##
#
interface(`unconfined_execmem_alias_program',`
@@ -44597,14 +42095,10 @@ index 5ca20a9..01e03ec 100644
+ refpolicywarn(`$0() has been deprecated.')
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902d..61f19e9 100644
+index 0280b32..61f19e9 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,7 @@
--policy_module(unconfined, 3.5.1)
-+policy_module(unconfined, 3.5.0)
-
- ########################################
+@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0)
#
# Declarations
#
@@ -44680,6 +42174,40 @@ index 5fe902d..61f19e9 100644
-')
-
-optional_policy(`
+- init_dbus_chat_script(unconfined_t)
+-
+- dbus_stub(unconfined_t)
+-
+- optional_policy(`
+- avahi_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- bluetooth_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- consolekit_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- cups_dbus_chat_config(unconfined_t)
+- ')
+-
+- optional_policy(`
+- hal_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- networkmanager_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- oddjob_dbus_chat(unconfined_t)
+- ')
+-')
+-
+-optional_policy(`
- firstboot_run(unconfined_t, unconfined_r)
-')
-
@@ -44749,10 +42277,6 @@ index 5fe902d..61f19e9 100644
-')
-
-optional_policy(`
-- rtkit_scheduled(unconfined_t)
--')
--
--optional_policy(`
- rpm_run(unconfined_t, unconfined_r)
-')
-
@@ -44775,10 +42299,6 @@ index 5fe902d..61f19e9 100644
-')
-
-optional_policy(`
-- unconfined_dbus_chat(unconfined_t)
--')
--
--optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-')
-
@@ -44807,7 +42327,14 @@ index 5fe902d..61f19e9 100644
-unconfined_domain_noaudit(unconfined_execmem_t)
-
-optional_policy(`
+- dbus_stub(unconfined_execmem_t)
+-
+- init_dbus_chat_script(unconfined_execmem_t)
- unconfined_dbus_chat(unconfined_execmem_t)
+-
+- optional_policy(`
+- hal_dbus_chat(unconfined_execmem_t)
+- ')
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
@@ -44847,7 +42374,7 @@ index db75976..cb4a211 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..4ce3586 100644
+index 3c5dba7..4ce3586 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -46006,7 +43533,7 @@ index 9dc60c6..4ce3586 100644
##############################
#
# Local policy
-@@ -907,53 +1190,134 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1190,99 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -46101,27 +43628,26 @@ index 9dc60c6..4ce3586 100644
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ fprintd_dbus_chat($1_t)
')
optional_policy(`
-- cups_dbus_chat($1_t)
+- gnome_role_template($1, $1_r, $1_t)
++ fprintd_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ realmd_dbus_chat($1_t)
')
optional_policy(`
-- gnome_role_template($1, $1_r, $1_t)
- wm_role_template($1, $1_r, $1_t)
- ')
+@@ -951,12 +1291,33 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -46156,7 +43682,7 @@ index 9dc60c6..4ce3586 100644
')
#######################################
-@@ -987,27 +1351,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1351,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -46194,7 +43720,7 @@ index 9dc60c6..4ce3586 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1388,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1388,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -46251,21 +43777,21 @@ index 9dc60c6..4ce3586 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
-+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1450,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1450,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -46276,7 +43802,7 @@ index 9dc60c6..4ce3586 100644
')
')
-@@ -1079,7 +1488,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1488,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -46287,7 +43813,7 @@ index 9dc60c6..4ce3586 100644
')
##############################
-@@ -1095,6 +1506,7 @@ template(`userdom_admin_user_template',`
+@@ -1098,6 +1506,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -46295,7 +43821,7 @@ index 9dc60c6..4ce3586 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1517,8 @@ template(`userdom_admin_user_template',`
+@@ -1108,14 +1517,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -46312,7 +43838,7 @@ index 9dc60c6..4ce3586 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1534,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1534,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -46320,7 +43846,7 @@ index 9dc60c6..4ce3586 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1552,15 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1552,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -46336,7 +43862,7 @@ index 9dc60c6..4ce3586 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1571,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1571,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -46379,7 +43905,7 @@ index 9dc60c6..4ce3586 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1612,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1612,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -46388,7 +43914,7 @@ index 9dc60c6..4ce3586 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1621,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1621,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -46407,7 +43933,7 @@ index 9dc60c6..4ce3586 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1667,7 @@ template(`userdom_admin_user_template',`
+@@ -1243,7 +1667,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -46416,7 +43942,7 @@ index 9dc60c6..4ce3586 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1677,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1677,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -46425,7 +43951,7 @@ index 9dc60c6..4ce3586 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1691,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1691,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -46437,7 +43963,7 @@ index 9dc60c6..4ce3586 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1705,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1705,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -46480,7 +44006,7 @@ index 9dc60c6..4ce3586 100644
')
optional_policy(`
-@@ -1357,14 +1790,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1790,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -46499,7 +44025,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -1405,6 +1841,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1841,51 @@ interface(`userdom_user_tmpfs_file',`
##
## Allow domain to attach to TUN devices created by administrative users.
##
@@ -46551,7 +44077,7 @@ index 9dc60c6..4ce3586 100644
##
##
## Domain allowed access.
-@@ -1509,11 +1990,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1990,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -46583,7 +44109,7 @@ index 9dc60c6..4ce3586 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2056,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2056,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -46598,7 +44124,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -1570,9 +2079,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2079,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -46610,7 +44136,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -1629,6 +2140,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2140,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -46653,7 +44179,7 @@ index 9dc60c6..4ce3586 100644
########################################
##
## Create directories in the home dir root with
-@@ -1704,10 +2251,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1707,10 +2251,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -46668,7 +44194,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -1741,10 +2290,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2290,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -46683,7 +44209,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -1769,7 +2320,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2320,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -46710,7 +44236,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -1779,53 +2348,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2348,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -46793,7 +44319,7 @@ index 9dc60c6..4ce3586 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1845,6 +2431,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2431,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -46819,7 +44345,7 @@ index 9dc60c6..4ce3586 100644
## Mmap user home files.
##
##
-@@ -1875,14 +2480,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2480,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -46857,7 +44383,7 @@ index 9dc60c6..4ce3586 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1893,11 +2520,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2520,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -46875,59 +44401,62 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -1938,7 +2568,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2568,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
-## Delete all user home content files.
+## Delete files in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all files in a user home subdirectory.
##
##
##
-@@ -1948,17 +2596,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1949,19 +2576,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ ##
+ ##
#
- interface(`userdom_delete_all_user_home_content_files',`
+-interface(`userdom_delete_all_user_home_content_files',`
++interface(`userdom_delete_user_home_content_files',`
gen_require(`
- attribute user_home_content_type;
- type user_home_dir_t;
-+ attribute user_home_type;
++ type user_home_t;
')
- userdom_search_user_home_content($1)
-- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_type:file delete_file_perms;
+- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_t:file delete_file_perms;
')
########################################
##
-## Delete files in a user home subdirectory.
-+## Delete sock files in a user home subdirectory.
++## Delete all files in a user home subdirectory.
##
##
##
-@@ -1966,12 +2612,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2594,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
-interface(`userdom_delete_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file delete_file_perms;
++')
++
++########################################
++##
++## Delete sock files in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_delete_user_home_content_sock_files',`
gen_require(`
type user_home_t;
@@ -46974,7 +44503,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -2007,8 +2689,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2689,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -46984,7 +44513,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -2024,20 +2705,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2705,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -47009,7 +44538,7 @@ index 9dc60c6..4ce3586 100644
########################################
##
-@@ -2120,7 +2795,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2795,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -47018,7 +44547,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -2128,19 +2803,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2803,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -47042,7 +44571,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -2148,12 +2821,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2821,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -47058,7 +44587,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -2390,11 +3063,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3063,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -47073,7 +44602,7 @@ index 9dc60c6..4ce3586 100644
files_search_tmp($1)
')
-@@ -2414,7 +3087,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3087,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -47082,7 +44611,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -2538,6 +3211,26 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2541,6 +3211,26 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -47109,7 +44638,7 @@ index 9dc60c6..4ce3586 100644
## temporary symbolic links.
##
##
-@@ -2566,6 +3259,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2569,6 +3259,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
##
##
#
@@ -47137,7 +44666,7 @@ index 9dc60c6..4ce3586 100644
interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
type user_tmp_t;
-@@ -2661,6 +3375,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3375,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -47163,7 +44692,7 @@ index 9dc60c6..4ce3586 100644
########################################
##
## Read user tmpfs files.
-@@ -2677,13 +3410,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3410,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -47179,7 +44708,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -2704,7 +3438,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3438,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -47188,7 +44717,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -2712,14 +3446,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3446,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -47223,7 +44752,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -2814,6 +3564,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3564,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -47248,7 +44777,7 @@ index 9dc60c6..4ce3586 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3600,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3600,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -47291,7 +44820,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -2856,14 +3636,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3636,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -47329,7 +44858,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -2882,8 +3681,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3681,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -47359,7 +44888,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -2955,69 +3773,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3773,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -47460,7 +44989,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -3025,12 +3842,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3842,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -47475,7 +45004,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -3094,7 +3911,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3911,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -47484,7 +45013,7 @@ index 9dc60c6..4ce3586 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,16 +3927,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,16 +3927,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -47506,7 +45035,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -3127,35 +3946,17 @@ interface(`userdom_search_user_home_content',`
+@@ -3130,35 +3946,17 @@ interface(`userdom_search_user_home_content',`
##
##
#
@@ -47545,7 +45074,7 @@ index 9dc60c6..4ce3586 100644
##
##
##
-@@ -3214,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -47572,7 +45101,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -3269,7 +4088,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +4088,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -47657,7 +45186,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -3287,7 +4182,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4182,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -47666,7 +45195,7 @@ index 9dc60c6..4ce3586 100644
')
########################################
-@@ -3306,6 +4201,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4201,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -47674,7 +45203,7 @@ index 9dc60c6..4ce3586 100644
kernel_search_proc($1)
')
-@@ -3382,6 +4278,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4278,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -47717,7 +45246,7 @@ index 9dc60c6..4ce3586 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4334,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4334,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -47742,7 +45271,7 @@ index 9dc60c6..4ce3586 100644
## Create keys for all user domains.
##
##
-@@ -3420,6 +4370,24 @@ interface(`userdom_create_all_users_keys',`
+@@ -3423,6 +4370,24 @@ interface(`userdom_create_all_users_keys',`
########################################
##
@@ -47767,7 +45296,7 @@ index 9dc60c6..4ce3586 100644
## Send a dbus message to all user domains.
##
##
-@@ -3435,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -49433,16 +46962,10 @@ index 9dc60c6..4ce3586 100644
+ ')
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..37730c1 100644
+index e2b538b..37730c1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
-@@ -1,4 +1,4 @@
--policy_module(userdomain, 4.9.1)
-+policy_module(userdomain, 4.8.5)
-
- ########################################
- #
-@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
+@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
##
##
@@ -50115,32 +47638,3 @@ index b96e9b3..ff7340f 100644
QUIET ?= y
genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
-diff --git a/support/fc_sort.c b/support/fc_sort.c
-index e03ef3b..6c43035 100644
---- a/support/fc_sort.c
-+++ b/support/fc_sort.c
-@@ -1,4 +1,4 @@
--/* Copyright 2005,2013 Tresys Technology
-+/* Copyright 2005, Tresys Technology
- *
- * Some parts of this came from matchpathcon.c in libselinux
- */
-@@ -523,7 +523,7 @@ int main(int argc, char *argv[])
- fc_merge_sort(master);
-
- /* Open the output file. */
-- if (!(out_file = fopen(output_name, "w"))) {
-+ if (!(out_file = fopen(argv[2], "w"))) {
- printf("Error: failure opening output file for write.\n");
- return -1;
- }
-diff --git a/support/policyvers.py b/support/policyvers.py
-deleted file mode 100644
-index 0d969a4..0000000
---- a/support/policyvers.py
-+++ /dev/null
-@@ -1,4 +0,0 @@
--#!/usr/bin/python
--import selinux
--if selinux.is_selinux_enabled():
-- print selinux.security_policyvers()
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 061e335..b11cf3b 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1,1085 +1,8 @@
-diff --git a/Changelog b/Changelog
-deleted file mode 100644
-index 8b9356a..0000000
---- a/Changelog
-+++ /dev/null
-@@ -1,1071 +0,0 @@
--* Wed Apr 24 2013 Chris PeBenito - 2.20130424
--Chris PeBenito (18):
-- Rewrite of mcelog module from Guido Trentalancia
-- Remove unnecessary lines in mcelog.te.
-- Slight rearrangement in mcelog.te.
-- Module version bump for mcelog update from Guido Trentalancia.
-- Module version bump for ntp module fixes from Dominick Grift.
-- Module version bump for fc substitutions optimizations from Sven
-- Vermeulen.
-- Module version bump for postfix/mta misc fixes from Sven Vermeulen.
-- Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
-- Turn off all tunables by default, from Guido Trentalancia.
-- Module version bump for tunable default change.
-- Module version bump for saslauthd tcp mysql connections from Mika Flueger.
-- Move kernel request line in quota.
-- Module version bump for quota kernel module request from Mika Pflueger.
-- Module version bump for djbdns ports fixes from Russell Coker.
-- Remove stray + in keystone.te.
-- Whitespace fixes in cron.fc.
-- Module version bump for pulseaudio type_transition conflict fix from Sven
-- Vermeulen.
-- Bump module versions for release.
--
--Dominick Grift (889):
-- Initial BIRD Internet Routing Daemon policy
-- oident daemon fixes
-- Introduce ntp_conf_t
-- Allow ntp_admin() to manage ntp_drift_t content.
-- List etc_t directories
-- Use "Role allowed access." for consistency
-- Use permissions sets for compatibility.
-- Remove getattr permision from ntp_admin()
-- Initial Sensord policy module
-- Various block_suspend capability2 support from Fedora
-- Gitolite3 support from Fedora
-- /var/lib/sqlgrey is greylist milter data from Fedora
-- Terminal related fixes for plymouthd from Fedora Support block_suspend
-- capability2 for plymouth
-- Support minimal polkit in new location
-- Support ldap for user authentication from Fedora
-- Sanlock sends kill signals to non-root processes from Fedora Various
-- other capabilities for sanlock from Fedora
-- Initial support for sqlgrey from Fedora
-- Tor reads network sysctls from Fedora
-- GPG agent reads /dev/random from Fedora
-- Freshclam reads system and network state from Fedora
-- Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora
-- lpstat.cups reads fips_enabled from Fedora
-- Initial system tap compile server policy module
-- Systemtap server admin manages stapserver_var_lib_t content
-- Telepathy Idle reads gschemas.compiled from Fedora
-- Initial slpd policy module
-- Initial lightsquid policy module
-- Initial wdmd policy module
-- Initial mailscanner policy module and some depencies.
-- Support slpd log rotation
-- Initial numad policy module
-- Open log files for append only
-- CGClear reads CGConfig files from Fedora Cosmetic changes to cgroup
-- policy module File contexts of cgroup app executables files in
-- /sbin also apply to /usr/sbin Make cgroup_admin() a bit more
-- compact
-- Initial svnserve policy module
-- Various small changes to ucspitcp
-- Initial fcoe policy module
-- Initial lldpad policy module
-- fcoemon sends to lldpad with a dgram socket
-- Initial quantum policy module
-- Initial dspam policy module
-- Module version bump for Telepathy file context spec fixes from Laurent
-- Bigonville.
-- Initial isns policy module
-- Various changes to tcs policy module
-- Initial ctdb policy module
-- Various changes to the sblim policy module and its dependencies
-- Initial polipo policy module
-- Module version bump for networkmanager fixes
-- Fixes to the polipo policy module
-- Module version bump for smartmon fixes from Laurent Bigonville.
-- Module version bump for accountsd file context spec fix from Laurent
-- Bigonville.
-- Various changes to the raid module
-- Module version bump for rtkit file context spec fix from Laurent
-- Bigonville
-- Initial couchdb policy module
-- Changes to the bind policy module
-- Initial dnssectrigger policy module
-- Initial man2html policy module
-- Initial openhpi policy module
-- Bind sends/receives http server instead of client packets conditionally
-- Two file context regular expression fixes by Eric Paris
-- Type mdadm_t is no longer a unconfined type
-- Initial pkcs policy module
-- Initial cfengine policy module
-- Initial keystone policy module
-- Initial l2tp policy module
-- Initial mongodb policy module
-- cfengine whitespace cleanup
-- Changes to the accountsservice policy module
-- Changes to the acct policy module
-- Changes to the ada policy module
-- changes to the afs policy module
-- Changes to the accountsservice policy module
-- Changes to the aiccu policy module
-- Changes to the aide policy module
-- Syntax error in afs_admin()
-- Changes to the aisexec policy module
-- Changes to the alsa policy module
-- Changes to the amanda policy module
-- Changes to the amavisd policy module and relevant dependencies
-- Changes to the amtu policy module
-- Changes to the anaconda policy module
-- Changes to the abrt policy module and relevant dependencies
-- numad sends/receives msgs from Fedora
-- Amtu executable file in installed in /usr/sbin in Fedora
-- The (usr/)? expression does not work consistently so better not use it
-- at all
-- Changes to the httpd policy module
-- Merge branch 'master' of
-- ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib
-- Fixes to the apache policy module and dependencies
-- Changes to the apcupsd policy module
-- Role attributes for lightsquid application domain
-- Changes to the mailscanner module
-- Changes to the svnserve policy module
-- Changes to the quantum policy module
-- Changes to the dspam module
-- Changes to the ctdb policy module
-- Changes to the couchdb policy module
-- Changes to the openhpid policy module
-- Changes to the keystone policy module
-- Changes to the l2tp policy module
-- Changes to the apm module and relevant dependencies
-- Changes to the arpwatch policy module
-- Changes to the apcupsd policy module
-- Changes to the abrt policy module
-- Changes to the apache policy module
-- Changes to the asterisk policy module and dependencies
-- Changes to the authbind policy module
-- Changes to the automount policy module
-- Change acpid lock file context spec
-- Changes to the avahi policy module and dependencies
-- Changes to the awstats policy module
-- Changes to the bacula policy module
-- Changes to the bcfg2 policy module
-- Changes to the apt policy module
-- Changes to the apache policy module
-- Changes to the backup module
-- Changes to the bind policy module
-- Bird module clean up
-- Fix arpwatch connected_stream_socket_perms
-- Changes to the bitlbee policy module
-- Changes to the blueman policy module
-- Changes to the bluetooth policy module
-- Changes to the brctl policy module
-- Changes to the apache policy module
-- Changes to the bugzilla policy module
-- Changes to the calamaris policy module
-- Implement lightsquid_admin()
-- Changes to the apache policy module and dependencies
-- Initial boinc policy module
-- Initial callweaver policy module
-- Changes to the canna policy module
-- Changes to the ccs policy module
-- Changes to the cdrecord policy module
-- Changes to the certmaster policy module and various role attribute fixes
-- cdrecord needs to read and write callers unix domain stream socket not
-- create it
-- Changes to the certmonger policy module and its dependencies
-- Initial cachefilesd policy module
-- Changes to the certwatch policy module
-- Changes to the chronyd policy module
-- Changes to the cipe policy module
-- Changes to the clamav policy module
-- Various network clean up
-- Add dev_rw_cachefiles() to cachefilesd policy module
-- Changes to the clockspeed policy module
-- Changes to the clogd policy module
-- Changes to the cmirrord policy module
-- Changes to the cobbler policy module
-- Changes to the colord policy module
-- Changes to the comsat policy module
-- Initial collectd policy module
-- Initial condor policy module and relevant dependencies
-- Changes to the consolekit policy module and relevant dependencies
-- Changes to the corosync policy module and relevant dependencies
-- Clean up couchdb network rules
-- Changes to the courier policy module
-- Changes to the cpucontrol policy module
-- Changes to the cpufreqselector policy module
-- Changes to the cron policy module and relevant dependencies
-- Changes to the cups policy module and relevant dependencies
-- Changes to the cvs policy module
-- Remove redundant connect avperms
-- Changes to the cyphesis policy module
-- Remove redundant rules from apache_admin()
-- Changes to the cyrus policy module
-- Changes to the daemontools policy module
-- Changes to the dante policy module
-- Modify dbadm boolean descriptions
-- Changes to the dbus policy module and its dependencies
-- Changes to the dcc policy module
-- Changes to the ddclient policy module
-- Changes to the ddcprobe policy module
-- Changes to the denyhosts policy module
-- Changes to the devicekit policy module and relevant dependencies
-- Changes to the dhcpd policy module
-- Changes tothe dictd policy module
-- Changes to the discc policy module
-- Changes to the djbdns policy module
-- Changes to the dkim policy module
-- Changes to the dmidecode policy module
-- Module bump for Laurent Bigonville trousers init script file context
-- specification fix
-- Module bump for Laurent Bigonville libvirt init script file context
-- specification fix
-- Changes to the dnsmasq policy module and relevant dependencies
-- Changes to the dovecot policy module
-- Changes to the dpkg policy module
-- Changes to the entropyd policy module
-- Changes to the evolution policy module
-- Changes to the exim policy module and relevant dependencies
-- Changes to the cron policy module
-- Changes to the fail2ban policy module
-- fcoemon XML clean up
-- Changes to the fetchmail policy module
-- Changes to the fingerd policy module
-- Initial firewalld policy module
-- Changes to the firstboot policy module
-- Changes to the fprint policy module and relevant dependencies
-- Changes to the ftp module
-- Changes to the games policy module
-- Clean up evolution and cdrecord XML
-- Changes to the gatekeeper policy module
-- Changes to the gift policy module
-- Changes to the git policy module
-- Changes to the gitosis policy module
-- Changes to the glance policy module
-- Initial glusterfs policy module
-- Add gatekeeper newline
-- Deprecate glusterd_admin() use glusterfs_admin() instead
-- Portage module version bump for autofs support by Matthew Thode and
-- clean up
-- cfengine: This location is now labeled with a cfengine private type
-- Changes to the slpd policy module
-- Changes to the gnomeclock policy module and relevant dependencies
-- Changes to the gpg policy module
-- Changes to the gpm policy module
-- Changes to the gpsd policy module and relevant dependencies
-- changes to the guest policy module
-- Changes to the gnomeclock policy module
-- Deprecate various DBUS interfaces and relevant dependencies
-- Changes to the cachefilesd policy module
-- Remove file context specification for kgpg which is a GUI frontend to
-- GPG. Domain transition to gpg_t will happen when kgpg runs gpg.
-- (rhbz#862229)
-- Initial mandb policy module
-- Changes to the hadoop policy module
-- Changes to the hald policy module
-- Changes to the hddtemp policy module
-- Changes to the howl policy module
-- changes to the mandb policy module
-- Changes to the dbus policy module
-- Changes to the rpm policy module
-- Changes to the i18n_input policy module
-- Changes to the icecast policy module
-- Changes to the ifplugd policy module
-- Changes to the imaze policy module
-- Changes to the inetd policy module and relevant dependencies
-- Changes to the innd policy module
-- Changes to the irc policy module
-- Changes to the ircd policy module
-- Changes to the irc policy module
-- Changes to the dbus policy module
-- Changes to the avahi policy module
-- Changes to the bluetooth policy module
-- Changes to the aiccu policy module
-- Changes to the bacula policy module
-- Changes to the boinc policy module
-- Changes to the bugzilla policy module
-- Changes to the ccs policy module
-- Changes to the clamav policy module
-- Changes to the cobbler policy module
-- Changes to the cyphesis policy module
-- Changes to the dante policy module
-- Changes to the dbskk policy module
-- Changes to the ddclient policy module
-- Changes to the denyhosts policy module
-- Changes to the dnssectrigger policy module
-- Changes to the dovecot policy module
-- Changes to the drbd policy module
-- Changes to the evolution policy module
-- Changes to the fail2ban policy module
-- Changes to the firewalld policy module
-- Changes to the firstboot policy module
-- Changes to the games policy module
-- Changes to the gift policy module
-- Changes to the glance policy module
-- Changes to the hald policy module
-- Changes to the dbus policy module
-- Changes to the git policy module
-- Changes to the polipo policy module
-- Changes to the firewalld policy module
-- Changes to the gpg policy module
-- Tab clean up in ircbalance file context file
-- Changes to the irqbalance policy module
-- Tab clean up in iscsi file context file
-- Changes to the iscsi policy module
-- Tab clean up in jabber file context file
-- Changes to the jabberd policy module
-- Changes to the pyicqt policy module
-- Tab clean up in java file context file
-- Changes to the java policy module
-- Changes to the dbus policy module
-- Changes to the gnome policy module
-- Changes to the apache policy module
-- Changes to the accountsd policy module
-- Changes to the alsa policy module
-- Changes to the evolution policy module
-- Changes to the bluetooth policy module
-- Changes to the games policy module
-- Changes to the gift policy module
-- Changes to the gpg policy module
-- Changes to the hadoop policy module
-- Tab clean up in kdump file context file
-- Changes to the kdump policy module
-- Changes to the gpg policy module
-- Changes to the dbus policy module
-- Changes to the evolution policy module
-- Changes to the gpm policy module
-- Version bump for evolution file context fixes by Laurent Bigonville
-- Version bump for nut file context fixes by Laurent Bigonville
-- Changes to the kdumpgui policy module
-- Tab clean up in kerberos file context file
-- Changes to the kerberos policy module and relevant dependencies
-- Changes to the kerneloops policy module
-- Tab clean up in kerberos file context file
-- Changes to the kismet policy module
-- Clean up amavis XML header
-- Initial keyboardd policy module
-- Tab clean up in ksmtuned file context file
-- Changes to the ksmtuned policy module
-- Tab clean up in ktalk file context file
-- Changes to the ktalk policy module
-- Changes to the kudzu policy module
-- Initial iodine policy module
-- Initial dirmngr policy module
-- Changes to the iodine policy module
-- Changes to the kerberos policy module
-- Changes to the kdumpgui policy module
-- Update deprecated interface calls ( gnome_read_config ->
-- gnome_read_generic_home_content )
-- Changes to the mozilla policy module
-- Changes to the thunderbird policy module
-- Changes to the l2tp policy module
-- Tab clean up in ldap file context file
-- Changes to the ldap policy module
-- Tab clean up in likewise file context file
-- Changes to the likewise policy module
-- Tab clean up in lircd file context file
-- Changes to the lircd policy module
-- Changes to the livecd policy module
-- Tab clean up in loadkeys file context file
-- Changes to the loadkeys policy module and relevant dependencies
-- Tab clean up in lockdev file context file
-- Changes to the lockdev policy module
-- Tab clean up in logrotate file context file
-- Changes to the logrotate policy module and relevant dependencies
-- Tab clean up in logwatch file context file
-- Changes to the logrotate policy module
-- Changes to the logwatch policy module
-- Tab clean up in lpd file context file
-- Changes to the lpd policy module
-- Tab clean up in cron policy module
-- Changes to the lpd policy module
-- Changes to the consolekit policy module
-- Tab fix in cron policy module
-- Tab clean up in mailman file context file
-- Changes to the mailman policy module and relevant dependencies
-- Tab clean up in mcelog file context file
-- Changes to the mcelog policy module
-- Tab clean up in mediawiki file context file
-- Mediawiki XML clean up
-- Tab clean up in memcached file context file
-- Changes to the memcached policy module
-- Changes to the apache policy module
-- Tab clean up in milter file context file
-- Changes to the milter policy module and relevant dependencies
-- Changes to the modemmanager policy module
-- Tab clean up in mojomojo file context file
-- Changes to the mojomojo policy module and relevant dependencies
-- Changes to the gpg policy module
-- Changes to the mongodb policy module
-- Changes to the mono policy module
-- Changes to the monop policy module
-- Tab clean up in mozilla file context file
-- Changes to the mozilla policy module and relevant dependencies
-- Changes to the mozilla policy module
-- Changes to the apache policy module
-- Tab clean up in mpd file context file
-- Changes to the mpd policy module
-- Tab clean up in mplayer file context file
-- Changes to the evolution policy module
-- Changes to the mplayer policy module
-- Changes to the irc policy module
-- Tab clean up in mrtg file context file
-- Changes to the mrtg policy module
-- Tab clean up in mta file context file
-- Changes to the mta policy module and relevant dependencies
-- Changes to the mta policy module and relevant dependencies
-- Get rid of mozilla_conf_t as it is unused
-- Changes to the logrotate policy module
-- Changes to the logwatch policy module
-- Changes to the java policy module
-- Changes to the apache module and relevant dependencies
-- Tab clean up in munin file context file
-- Changes to the munin policy module and relevant dependencies
-- Tab clean up in mysql file context file
-- Changes to mysqld policy module
-- Changes to various policy modules
-- Changes to the munin policy module
-- Changes to the dovecot policy module
-- Changes to various policy modules
-- Changes to the mta policy module
-- Changes to the certmonger policy module and relavant dependencies
-- Tab clean up in nagios file context file
-- Changes to the nagios policy module and relevant dependencies
-- Changes to the modutils policy module
-- Tab cleanup in the nessus file context file
-- Changes to the nessus policy module
-- Tab clean up in the network manager file context file
-- Changes to the networkmanager policy module and relevant dependencies
-- Changes to the mozilla policy module
-- Changes to the cobbler policy module
-- Initial rngd policy module
-- Tab clean up in the nis file context file
-- Changes to the nis policy module
-- Tab clean up in the nscd file context file
-- Changes to the nscd policy module
-- Tab clean up in the nsd file context file
-- Changes to the nsd policy module
-- Tab clean up in the nslcd file context file
-- Changes to the nslcd policy module
-- Tab clean up in the ntop file context file
-- Changes to the ntop policy module
-- Tab clean up in the ntp file context file
-- Changes to the ntp policy module
-- Changes to the numad policy module
-- Tab clean up in the nut file context file
-- Changes to the nut policy module
-- Tab clean up in the nx file context file
-- Changes to the nx policy module
-- Changes to the oav policy module
-- Initial obex policy module
-- Tab clean up in the oddjob file context file
-- Tab clean up in gpg policy module
-- Changes to the oddjob policy module
-- Changes to the mozilla policy module
-- Initial pacemaker policy module
-- Tab clean up in the oidentd file context file
-- Changes to the oident policy module
-- Tab clean up in the openca file context file
-- Changes to the openca policy module
-- Tab clean up in the openct file context file
-- Changes to the openct policy module
-- Tab clean up in the openvpn file context file
-- Changes to the openvpn policy module
-- Tab clean up in the pads file context file
-- Changes to the pads policy module
-- Tab clean up in the passenger file context file
-- Changes to the passenger policy module and relevant dependencies
-- Tab clean up in the pcmcia file context file
-- Changes to the pcmcia policy module
-- Tab clean up in the pcscd file context file
-- Changes to the pcscd policy module and relevant dependencies
-- Tab clean up in the pegasus file context file
-- Changes to the pegasus policy module
-- Tab clean up in the perdition file context file
-- Changes to the perdition policy module
-- Tab clean up in the pingd file context file
-- Changes to the pingd policy module
-- Changes to the plymouthd policy module
-- Changes to the mozilla policy module
-- Changes to the plymouth policy module
-- Tab clean up in the podsleuth file context file
-- Changes to the podsleuth policy module
-- Tab clean up in the policykit file context file
-- Changes to the policykit policy module and relevant dependencies
-- Tab clean up in the portage file context file
-- Changes to the portage policy module
-- Tab clean up in the portmap file context file
-- Changes to the portmap policy module
-- Tab clean up in the portreserve file context file
-- Changes to the portreserve policy module
-- Tab clean up in the portslave file context file
-- Changes to the portslave policy module and relevant dependencies
-- Tab clean up in the postfix file context file
-- Changes to the postfix policy module and relevant dependencies
-- Fixes to various policy modules
-- Tab clean up in the postfixpolicyd file context file
-- Changes to the postfixpolicyd policy module
-- Tab clean up in the postgrey file context file
-- Changes to the postgrey policy module
-- Tab clean up in the ppp file context file
-- Changes to the ppp policy module and relevant dependencies
-- Tab clean up in the prelink file context file
-- Changes to the prelink policy module and relevant dependencies
-- Tab clean up in the prelude file context file
-- Changes to the prelude policy module
-- Tab clean up in the privoxy file context file
-- Changes to the privoxy policy module
-- Tab clean up in the procmail file context file
-- Changes to the procmail policy module
-- Tab clean up in the psad file context file
-- Changes to the psad policy module
-- Changes to the ptchown policy module
-- Tab clean up in the publicfile file context file
-- Changes to the publicfile policy module
-- Fix a fatal syntax error in mozilla_plugin_role()
-- Changes to the plymouth policy module
-- Changes to the policykit policy module
-- Module version bump for fixes in shorewall, fail2ban and portage policy
-- modules by Sven Vermeulen
-- Tab clean up in the puppet file context file
-- Changes to ther puppet policy module and relevant dependencies
-- Initial pwauth policy module
-- Tab clean up in the pxe file context file
-- Changes to the pxe policy module
-- Tab clean up in the pyzor file context file
-- Changes to the pyzor policy module
-- Tab clean up in the qemu file context file
-- Changes to the qemu policy module
-- Tab clean up in the virt file context file
-- Changes to the virt policy module and relevant depedencies
-- Changes to the virt policy module
-- Changes to the cron policy module
-- Changes to the qemu policy module
-- Changes to the virt policy module
-- Epylog wants sys_nice and setsched
-- Tab clean up in the qmail file context file
-- Changes to the qmail policy module
-- Tab clean up in the qpid file context file
-- Changes to the qpid policy module
-- Tab clean up in the quota file context file
-- Changes to the quota policy module and relevant dependencies
-- Initial rabbitmq policy module
-- Tab clean up in the radius file context file
-- Changes to the radius policy module
-- Tab clean up in the radvd file context file
-- Changes to the radvd policy module
-- Changes to the raid policy module
-- Tab clean up in the razor file context file
-- Changes to the razor policy module and relevant dependencies
-- Smokeping cgi needs to run ping with a domain transition Remove
-- redundant socket create already provided by
-- sysnet_dns_name_resolve()
-- Changes to the virt policy module
-- Changes to the apache policy module
-- Changes to the gnome policy module
-- Changes to the rdisc policy mpdule
-- Changes to the readahead policy module
-- Changes to the remotelogin policy module
-- Tab clean up in the resmgr file context file
-- Changes to the resmgr policy module
-- Tab clean up in the rgmanager file context file
-- Changes to the rgmanager policy module
-- Initial Realmd policy module and relevant dependencies
-- Fix resmgrd init script file context specification
-- Changes to the cups policy module
-- automount reads overcommit_memory
-- Changes to the networkmanager policy module
-- Freshclam manages amavis spool content
-- Changes to the tftp policy module
-- Changes to the cobbler policy module
-- Tab clean up in the rhcs file context file
-- Changes to the rhcs policy module and relevant dependencies
-- Tab clean up in the rhgb file context file
-- Changes to the rhgb policy module
-- Tab clean up in the rhsmcertd file context file
-- Changes to the rhsmcertd policy module
-- Tab clean up in the ricci file context file
-- Changes to the ricci policy module
-- Tab clean up in the rlogin file context file
-- Changes to the rlogin policy module
-- Tab clean up in the roundup file context file
-- Changes to the roundup policy module
-- Changes to the remotelogin policy module
-- Changes to the apache policy module
-- Changes to the awstats policy module
-- fix puppet_admin() need to require types that it uses
-- Replace wrong type in puppet_admin()
-- Fix a syntax error in ricci_domtrans()
-- Catch all rpcbind content in /var/run
-- Changes to the cups policy module
-- Tab clean up in the rpc file context file
-- Changes to the rpc policy module
-- Tab clean up in the rpcbind file context file
-- Changes to the rpcbind policy module
-- Tab clean up in the rpm file context file
-- Changes to the rpm policy module and depedencies
-- Changes to the rshd policy module
-- Changes to the virt policy module
-- Changes to the rssh policy module
-- Tab clean up in the rsync file context file
-- Fix a typo in apache XML
-- Changes to the rsync policy module
-- Changes to the rtkit policy module
-- Tab clean up in the rwho file context file
-- Changes to the rwho policy module
-- Reads /proc/sys/kernel/random/poolsize
-- Tab clean up in the samba file context file
-- Changes to the samba policy module and relevant dependencies
-- Tab clean up in the sambagui file context file
-- Changes to the sambagui policy module
-- Initial firewallgui policy module
-- Tab clean up in the samhain file context file
-- Changes to the samhain policy module
-- Tab clean up in the sanlock file context file
-- Changes to the sanlock policy module and relevant dependencies
-- Tab clean up in the sasl file context file
-- Changes to the sasl policy module
-- Chnages to the sblim policy module
-- Tab clean up in the screen file context file
-- Changes to the screen policy module
-- Tab clean up in the sectoolm file context file
-- Changes to firewallgui policy module
-- Changes to the sectoolm policy module
-- Tab clean up in the sendmail file context file
-- Changes to the sendmail policy module and relevant dependencies
-- Tab clean up in the setroubleshoot file context file
-- Changes to the setroubleshoot policy module
-- Tab clean up in the shorewall file context file
-- Changes to the shorewall policy module
-- Tab clean up in the shutdown file context file
-- Changes to the shutdown policy module and relevant dependencies
-- Tab clean up in the slocate file context file
-- Changes to the slocate policy module and relevant dependencies
-- These domains transition to shutdown domain now so they no longer need
-- direct access
-- Re-add missing network rule in screen policy module
-- fail2ban server sets scheduler
-- shutdown XML clean up
-- libvirtd sets kernel scheduler
-- mongod reads cpuinfo_max_freq
-- Changes to the slrnpull policy module
-- Tab clean up in the smartmon file context file
-- Changes to the smartmon policy module
-- Tab clean up in the smokeping file context file
-- Changes to the smokeping policy module
-- Tab clean up in the smoltclient file context file
-- Changes to the smoltclient policy module
-- Tab clean up in the snmp file context file
-- Changes to the snmp policy module
-- Tab clean up in the snort file context file
-- Changes to the snort policy module
-- Changes to the sosreport policy module and relevant dependencies
-- Tab clean up in the soundserver file context file
-- Changes to the soundserver policy module
-- Tab clean up in the spamassassin file context file
-- Changes to the spamassassin policy module and relevant dependendies
-- spamassassin_role callers create ~/.spamd with the spamd_home_t user
-- home type instead
-- Re-add sys_admin capability that was lost with porting from Fedora
-- Move mailscanner content to mailscanner module
-- Changes to the speedtouch policy module
-- Tab clean up in the squid file context file
-- Changes to the squid policy module
-- Changes to the sssd policy module
-- Tab clean up in the stunnel file context file
-- Changes to the stunnel policy module
-- Tab clean up in the sxid file context file
-- Changes to the sxid policy module
-- Tab clean up in the sysstat file context file
-- Changes to the sysstat policy module
-- Tab clean up in the tcpd file context file
-- Changes to the tcpd policy module
-- Changes to the tcsd policy module
-- Tab clean up in the telepathy file context file
-- Changes to the telepathy policy module
-- Tab clean up in the telnet file context file
-- Changes to the telnet policy module
-- Tab clean up in the tftp file context file
-- Changes to the tftp policy module
-- Tab clean up in the tgtd file context file
-- Changes to the tgtd policy module
-- Tab clean up in the thunderbird file context file
-- Changes to the thunderbird policy module
-- Catch /var/log/cron directory as well
-- Dovecot module version bump for fixes by Sven Vermeulen
-- Portage module version bump for fixes by Sven Vermeulen
-- Cron module version bump for fixes by Sven Vermeulen
-- Changes to the exim policy module
-- Entropyd reads /proc/meminfo
-- Blueman reads tmp_t directories
-- Do not audit attempts by cups config to read tmp_t directories
-- Do not audit attempts by fail2ban to read tmp_t directories
-- Do not audit attempts by firewalld to read tmp_t directories
-- Gnomeclock reads urandom and realtime clock
-- Kdumpctl needs sys_chroot capability
-- Various kdumpgui fixes from Fedora
-- Do not audit attempts by logwatch to read tmp_t directories
-- Catch all alias files
-- Refine aliases file transition with names
-- Realmd dbus chat policykit and networkmanager from Fedora
-- Do not audit attempts by tuned to read tmp_t directories
-- Changes to the timidity policy module
-- Tab clean up in the tmpreaper file context file
-- Changes to the tmpreaper policy module and relevant dependencies
-- Tab clean up in the tor file context file
-- Changes to the tor policy module
-- Changes to the transproxy policy module
-- Tab clean up in the tripwire file context file
-- Changes to the tripwire policy module
-- Tab clean up in the tuned file context file
-- Changes to the tuned policy module
-- Tab clean up in the tvtime file context file
-- Changes to the tvtime policy module
-- Changes to the tzdata policy module
-- Changes to the ucspitcp policy module
-- Tab clean up in the ulogd file context file
-- Changes to the ulogd policy module
-- Tab clean up in the uml file context file
-- Changes to the uml policy module
-- Make it so that irc clients can also get attributes of cifs, nfs, fuse
-- and other file systems
-- Changes to the updfstab policy module
-- Changes to the uptime policy module
-- Tab clean up in the usbmodules file context file
-- Changes to the usbmodule policy module
-- Changes to the usbmuxd policy module
-- Tab clean up in the userhelper file context file
-- Screen sends child terminated signals to all interactive fd domains
-- Changes to the userhelper policy module and relevant dependencies
-- Changes to the virt policy module
-- Module version bump for fail2ban changes by Sven Vermeulen
-- Changes to the rpm policy module
-- fix smartmon init script file context specification
-- Changes to the usernetctl policy module
-- Tab clean up in the uucp file context file
-- Changes to the uucp policy module
-- Changes to the virt policy module
-- Tab clean up in the uuid file context file
-- Changes to the uuidd policy module
-- Tab clean up in the uwimap file context file
-- Changes to the uwimap policy module
-- Tab clean up in the varnishd file context file
-- Changes to the varnishd policy module
-- Changes to the vbetool policy module
-- Tab clean up in the vdagent file context file
-- Changes to the vdagent policy module
-- Tab clean up in the vhostmd file context file
-- Changes to the vhostmd policy module
-- Changes to the vlock policy module
-- Tab clean up in the vmware file context file
-- Changes to the vmware policy module
-- Tab clean up in the vnstatd file context file
-- Changes to the vnstatd policy module
-- Tab clean up in the vpn file context file
-- Changes to the vpnc policy module
-- Tab clean up in the w3c file context file
-- Changes to the w3c policy module
-- Tab clean up in the watchdog file context file
-- Changes to the watchdog policy module
-- Changes to the wdmd policy module
-- Changes to the webadm policy modules
-- Changes to the webalizer policy module
-- White space fix in apache policy module
-- Changes to the wine policy module
-- Tab clean up in the wireshark file context file
-- Changes to the wireshark policy module
-- Tab clean up in the wm file context file
-- Changes to the wm policy module
-- Changes to the inn policy module
-- Move man cache file type to miscfiles
-- Changes to the inn policy module
-- More accurate dbadm boolean descriptions
-- mysql_admin() has access to ~/.my.cnf files
-- Tab clean up in the xen file context file
-- Changes to the xen policy module and relevant dependencies
-- Tab clean up in the xfs file context file
-- Changes to the xfs policy module
-- Changes to the xguest policy module and relevant dependencies
-- Changes to the xprint policy module
-- Changes to the xscreensaver policy module
-- Tab clean up in the yam file context file
-- Changes to the yam policy module
-- Tab clean up in the zabbix file context file
-- Changes to the zabbix policy module
-- Tab clean up in the zarafa file context file
-- Changes to the zarafa policy module
-- Tab clean up in the zebra file context file
-- Changes to the zebra policy module
-- Changes to the zosremote policy module
-- Changes to the mysql policy module
-- Tab clean up in the pulseaudio file context file
-- Changes to the pulseaudio policy module and relevant dependencies
-- Changes to the pulseaudio policy module
-- One chown too many
-- Changes to the mplayer policy module
-- The prelink cron script now runs in its own domain
-- Initial smstools policy module
-- Initial openvswitch policy module and relevant dependencies
-- Reads pcsd pid files
-- Reads random device
-- winbind manages smbd pid sock files from Fedora
-- Changes to the bind policy module
-- CG rules daemon reads all sysctls
-- Runs consoletype and searches nfs state data from Fedora
-- Support munin unbound plugin from Fedora
-- Zabbix sends signals from Fedora
-- Blueman sets scheduler and sends signals from Fedora
-- pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead
-- Module version bumps for fixes in portage and virt modules by Sven
-- Vermeulen
-- Policy module version bumps for various changes by Sven Vermeulen
-- Changes to the openvpn policy module
-- Module version bumps for various fixes by Sven Vermeulen
-- Changes to the mandb policy module
-- Changes to the tmpreaper policy module
-- Changes to the munin policy module
-- Changes to the rngd policy module
-- Changes to the awstats policy module and relevant dependencies
-- Changes to the apache policy module
-- Changes to various policy modules
-- Changes to the abrt policy module
-- Changes to the passenger policy module and relevant depedencies
-- Changes to the pegagus policy module
-- Changes to the mta policy module
-- Changes to the fetchmail policy module
-- Changes to the bitlbee policy module
-- Changes to the blueman policy module and relevant dependencies
-- Changes to the amavis policy module
-- Changes to the userhelper policy module
-- Changes to the blueman policy module
-- Changes to the squid policy module
-- Changes to the sblim policy module
-- Changes to the kdumpgui policy module
-- Changes to the mailman policy module
-- Changes to the realmd policy module
-- Changes to the raid policy module
-- Changes to the samba policy module
-- Changes to the various policy modules
-- Changes to the snmp policy module
-- Changes to the spamassassin policy module
-- Changes to the sssd policy module
-- Changes to the l2tpd policy module
-- Changes to the shorewall policy module
-- Changes to the xen policy module
-- Changes to the tftp policy modules
-- Changes to the accountsd policy module
-- Changes to the tgtd policy module
-- Changes to the corosync policy module
-- Changes to the kdump policy module
-- Changes to the openvswitch policy module
-- Changes to the mpd policy module
-- Changes to the mozilla policy module
-- Changes to the zarafa policy module
-- Changes to the boinc policy module
-- Changes to the setroubleshoot policy module
-- Changes to the dspam policy module
-- Changes to the rgrmanager policy module and relevant dependencies
-- Changes to the svnserve policy module
-- Changes to the virt policy module
-- Changes to the prelink policy module
-- Changes to the apache policy module
-- Changes to the gnomeclock policy module
-- Changes to various policy modules
-- Changes to the pegagus policy module
-- Changes to the shorewall policy module
-- Changes to the kerberos policy module
-- Changes to the rhcs policy module
-- Changes to the irc policy module
-- Changes to the clamav policy module
-- Changes to the mrtg policy module
-- Changes to the munin policy module
-- Changes to the amavis policy module
-- Changes to the ppp policy module
-- Initial jockey policy module
-- Module version bumps for "several named transition for directories
-- created in /var/run by initscripts" in various modules by Laurent
-- Bigonville
-- Module version bumps for fixes in various modules by Laurent Bigonville
-- Module version bump for changes to the consolekit policy module by
-- Laurent Bigonville
-- Changes to the stunnel policy module
-- Module version bumps for fixes in various modules by Sven Vermeulen
-- Changes to the virt policy module
-- Changes to the apache policy module
-- Changes to the wm policy module
-- Changes to the samba policy module
-- Changes to the certmonger policy module
-- Changes to the mozilla policy module
-- Changes to the corosync policy module
-- Changes to the pacemaker policy module
-- Changes to the tuned policy module
-- Changes to the cups module and relevant dependencies
-- Changes to the rhsmcertd policy module
-- Changes to the lpd policy module
-- Changes to the munin policy module
-- Changes to the ntp policy module
-- Changes to the tor policy module
-- Changes to the firewalld policy module
-- Changes to the dspam policy module
-- Changes to the setroubleshoot policy module
-- Changes to the condor policy module
-- Changes to the kerberos policy module
-- Changes to the passenger policy module
-- Changes to the ppp policy module
-- Changes to the the dkim policy module
-- Changes to the abrt policy module
-- Changes to the lircd policy module
-- Changes to the dkim policy module
-- Changes to the virt policy module
-- Changes to the munin policy module
-- Changes to the dovecot policy module
-- Changes to the cobbler policy module
-- Changes to the userhelper policy module
-- Changes to the logwatch policy module
-- Changes to the wdmd policy module and relevant dependencies
-- Changes to the nscd policy module and relevant dependencies
-- Changes to the dbus policy module
-- Module version bumps for fixes in various policy modules by Laurent
-- Bigonville
-- Changes to the cups policy module
-- Changes to the dbus policy module
-- Changes to the apcupsd policy module
-- Remove redundant net_bind_service capabilities in various modules
-- Changes to the virt policy module
-- Changes to the puppet policy module
-- Module version bumps for fixes in various policy module by Sven
-- Vermeulen
-- Module version bumps for file context fixes in various policy modules by
-- Laurent Bigonville
-- Make httpd_manage_all_user_content() do what it advertises
-- Add more networking rules to mplayer policy module for compatibility
-- Fix fcronsighup file context. Should be crontab_exec_t as per previous
-- spec
-- Module version bumps for changes in various modules by Sven Vermeulen
-- Move asterisk_exec() and modify XML header
-- Consolekit creates /var/run/console directories with a type transition
-- unconditionally
-- Module version bump in consolekit policy module for changes by Sven
-- Vermeulen
-- The imaplogin executable file should be courier_pop_exec_t according to
-- existing file context specification
-- Module version bump for changes to the fail2ban policy module by Sven
-- Vermeulen
-- Modules version bumps for changes in various policy modules by Sven
-- Vermeulen
--
--Laurent Bigonville (28):
-- Add Debian locations for Telepathy connection managers
-- Label telepathy-rakia as telepathy-sofiasip
-- Allow smartd daemon to write in /var/lib/smartmontools directory
-- Add Debian location for smartd daemon initscript
-- Add Debian location for accounts-daemon daemon
-- Add Debian location for rtkit-daemon daemon
-- Add Debian location for tcsd init script
-- Add Debian location for libvirtd init script
-- Add Debian location for evolution executables
-- Add Debian locationis for nut executables and configuration files
-- Add several named transition for directories created in /var/run by
-- initscripts
-- Run packagekit under apt_t context on Debian distribution
-- Add proper label for colord daemon in debian
-- Allow the system dbus to search cgroup directories
-- Allow virtd_t context to read sysctl_crypto_t
-- Allow colord_t context to read sysctl_crypto_t
-- Add proper label for gconfd-2 daemon in Debian
-- Ensure that consolekit can create /var/run/console directory on Debian
-- Properly label nm-dispatcher.action on Debian
-- policykit.fc: Properly label polkit-agent-helper-1 on Debian
-- cups.fc: Properly label cups-pk-helper-mechanism on Debian
-- Allow pcscd the fsetid capability
-- Allow networkmanager_t to read crypto_sysctl_t
-- Allow virsh_t context to read sysctl_crypto_t
-- Allow cupsd_t to read cupsd_log_t
-- gnomeclock.fc: Properly label gsd-datetime-mechanism in Debian
-- ptchown.fc: Properly label pt_chown executable in Debian
-- Label /usr/bin/kvm as qemu_exec_t
--
--Matthew Thode (2):
-- added autofs support and nsswitch support
-- removing refrences to named_var_lib_t as it doesn't exist anymore for
-- bind.if
--
--Mika Pflüger (3):
-- Allow saslauthd_t to talk to mysqld via TCP
-- Quota policy adjustments: * Allow quota_t to load kernel modules
-- Debian locations for dovecot deliver and dovecot auth.
--
--Russell Coker (1):
-- Fix djbdns ports
--
--Sven Vermeulen (75):
-- Update with new substitutions
-- Mark the pid directory as a pid directory
-- Add in transitions for queue types when the queues are created
-- Fix typo in interface postfix_exec_postqueue
-- Allow maildelivery to use dotlock files in the mail spool
-- Allow postfix local to change ownership of mailfiles
-- Use libexec location for postfix binaries
-- Allow initrc_t to create run dirs for contrib modules
-- Update logwatch location in file context
-- Sandbox is an inherent part of the portage inner workings
-- Fix startup issue with fail2ban-client
-- Be able to get output from fail2ban-client
-- Ignore searches when ran from the user home directory
-- Shorewall admins execute shorewall too
-- Shorewall needs sys_admin capability for manipulating network stack
-- Be able to display dovecot errors
-- Remove transition to ldconfig
-- Adding interfaces for handling cron log files
-- Fail2ban client checks state of log files before telling the server
-- Support mysql init script
-- Support initial creation of mysql database files
-- Portage fetch domain needs to access certificates
-- Make samba domtrans optional in virt
-- Fix typo in tunable declaration for fcron_crond
-- Introducing cron_manage_log_files interface
-- Introduce dontaudit interfaces for leaked fd and unix stream sockets
-- Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
-- Support at service
-- Additional postfix admin requirements
-- Reintroduce postfix_var_run_t for pid directory and fowner capability
-- Postfix deferred queue should not mark mails as postfix_spool_maildrop_t
-- Running qemu with SDL support requires more xserver-related privileges
-- Fix typo in clockspeed comment
-- Support openvpn status file
-- Asterisk voicemail messages are generated from tmp
-- Make rtkit calls optional
-- Gentoo installs dovecot certs in /etc/ssl/dovecot
-- Moving sandbox code to sandbox section (v2)
-- Allow sandbox to log violations
-- Use rw_fifo_file_perms
-- Apache should not depend on gpg
-- Named init script creates rundir
-- Add ~/.maildir as a valid maildir destination
-- Support stunnel_read_config for startup
-- Updates on stunnel policy
-- More .maildir fixes
-- Mark make.profile entry as portage_conf_t (v2)
-- Move mta call (coding style)
-- Changes to puppet domain
-- Allow rpc admin to run exportfs
-- Grant sys_admin capability to puppet
-- Puppet module helper scripts are puppet_var_lib_t
-- Support netlink_route_socket creation for puppet
-- Puppet initscript creates /run/puppet
-- Puppet runs statfs against selinuxfs
-- mplayer streams HTTP resources
-- fcron and fcronsighup binaries are moved
-- Asterisk needs to search through logs
-- Denial in mail log on node bind
-- Fix typo in mcelog_admin (missing bracket)
-- Add in contexts for fcron rm.systab and systab.tmp
-- Remove pulseaudio filename_trans conflict
-- Allow asterisk admins to execute asterisk binary directly
-- Support tagfiles for consolekit
-- ConsoleKit needs to read the dbus machine-id
-- File context updates for courier-imap
-- Update on file contexts for OpenLDAP
-- Update on file contexts for wpa_supplicant
-- Allow IRC clients to read certificates
-- Allow reading /proc/self for fail2ban due to FAM support
-- Update file contexts for puppet
-- Support ~/.tmux.conf as tmux configuration file
-- Add setuid/setgid capability to ulogd_t
-- Support tmux control socket
-- Postfix creates defer(red) queue locations
--
diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..b5f4f9a 100644
+index e4f84de..b5f4f9a 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,31 +1,48 @@
+@@ -1,30 +1,48 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -1108,7 +31,6 @@ index 1a93dc5..b5f4f9a 100644
-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
@@ -1646,16 +568,16 @@ index 058d908..cf17e67 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..1dc58bb 100644
+index cc43d25..1dc58bb 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
--policy_module(abrt, 1.4.1)
+-policy_module(abrt, 1.3.4)
+policy_module(abrt, 1.2.0)
########################################
#
-@@ -6,118 +6,134 @@ policy_module(abrt, 1.4.1)
+@@ -6,105 +6,134 @@ policy_module(abrt, 1.3.4)
#
##
@@ -1673,23 +595,18 @@ index eb50f07..1dc58bb 100644
##
-##
--## Determine whether abrt-handle-upload
--## can modify public files used for public file
--## transfer services in /var/spool/abrt-upload/.
+-## Determine whether ABRT can run in
+-## the abrt_handle_event_t domain to
+-## handle ABRT event scripts.
-##
+##
+## Allow abrt-handle-upload to modify public files
+## used for public file transfer services in /var/spool/abrt-upload/.
+##
- ##
- gen_tunable(abrt_upload_watch_anon_write, true)
-
- ##
--##
--## Determine whether ABRT can run in
--## the abrt_handle_event_t domain to
--## handle ABRT event scripts.
--##
++##
++gen_tunable(abrt_upload_watch_anon_write, true)
++
++##
+##
+## Allow ABRT to run in abrt_handle_event_t domain
+## to handle ABRT event scripts
@@ -1801,15 +718,13 @@ index eb50f07..1dc58bb 100644
+abrt_basic_types_template(abrt_watch_log)
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
--type abrt_upload_watch_t, abrt_domain;
--type abrt_upload_watch_exec_t;
-+# Support for abrt-upload-watch
-+abrt_basic_types_template(abrt_upload_watch)
- init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
-
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
-')
++# Support for abrt-upload-watch
++abrt_basic_types_template(abrt_upload_watch)
++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
++
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
@@ -1841,7 +756,7 @@ index eb50f07..1dc58bb 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -1874,7 +789,7 @@ index eb50f07..1dc58bb 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -150,16 +173,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +173,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -1893,7 +808,7 @@ index eb50f07..1dc58bb 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -176,29 +197,43 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +197,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -1927,9 +842,9 @@ index eb50f07..1dc58bb 100644
+logging_read_syslog_pid(abrt_t)
+
+auth_use_nsswitch(abrt_t)
-
-+init_read_utmp(abrt_t)
+
++init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
@@ -1940,7 +855,7 @@ index eb50f07..1dc58bb 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +241,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +241,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -1957,7 +872,7 @@ index eb50f07..1dc58bb 100644
')
optional_policy(`
-@@ -222,6 +253,20 @@ optional_policy(`
+@@ -209,6 +253,20 @@ optional_policy(`
')
optional_policy(`
@@ -1978,7 +893,7 @@ index eb50f07..1dc58bb 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +279,11 @@ optional_policy(`
+@@ -221,6 +279,11 @@ optional_policy(`
')
optional_policy(`
@@ -1990,7 +905,7 @@ index eb50f07..1dc58bb 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +293,7 @@ optional_policy(`
+@@ -230,6 +293,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -1998,7 +913,7 @@ index eb50f07..1dc58bb 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +304,21 @@ optional_policy(`
+@@ -240,9 +304,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -2021,7 +936,7 @@ index eb50f07..1dc58bb 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +329,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +329,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -2036,7 +951,7 @@ index eb50f07..1dc58bb 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -2044,7 +959,7 @@ index eb50f07..1dc58bb 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -2065,7 +980,7 @@ index eb50f07..1dc58bb 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +378,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +378,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -2092,7 +1007,7 @@ index eb50f07..1dc58bb 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -2106,7 +1021,7 @@ index eb50f07..1dc58bb 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +432,11 @@ optional_policy(`
+@@ -330,10 +432,11 @@ optional_policy(`
#######################################
#
@@ -2120,7 +1035,7 @@ index eb50f07..1dc58bb 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -2190,7 +1105,7 @@ index eb50f07..1dc58bb 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,27 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -2202,12 +1117,14 @@ index eb50f07..1dc58bb 100644
#######################################
#
--# Upload watch local policy
+-# Global local policy
+# abrt-upload-watch local policy
#
+-kernel_read_system_state(abrt_domain)
+allow abrt_upload_watch_t self:capability { dac_override chown };
-+
+
+-files_read_etc_files(abrt_domain)
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
@@ -2217,38 +1134,33 @@ index eb50f07..1dc58bb 100644
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
- corecmd_exec_bin(abrt_upload_watch_t)
-
++corecmd_exec_bin(abrt_upload_watch_t)
++
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
-+
+
+-logging_send_syslog_msg(abrt_domain)
+auth_read_passwd(abrt_upload_watch_t)
-+
- tunable_policy(`abrt_upload_watch_anon_write',`
-- miscfiles_manage_public_files(abrt_upload_watch_t)
+
+-miscfiles_read_localization(abrt_domain)
++tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(abrt_upload_watch_t)
- ')
-
- #######################################
- #
--# Global local policy
++')
++
++#######################################
++#
+# Local policy for all abrt domain
- #
-
--kernel_read_system_state(abrt_domain)
++#
++
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
-
- files_read_etc_files(abrt_domain)
--
--logging_send_syslog_msg(abrt_domain)
--
--miscfiles_read_localization(abrt_domain)
++
++files_read_etc_files(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
--- a/accountsd.fc
@@ -2320,14 +1232,10 @@ index bd5ec9a..a5ed692 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 3593510..6e0a894 100644
+index 313b33f..6e0a894 100644
--- a/accountsd.te
+++ b/accountsd.te
-@@ -1,9 +1,13 @@
--policy_module(accountsd, 1.1.0)
-+policy_module(accountsd, 1.0.6)
-
- gen_require(`
+@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
@@ -2363,16 +1271,18 @@ index 3593510..6e0a894 100644
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
-@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
+@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
- logging_list_logs(accountsd_t)
++logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
-@@ -66,9 +73,16 @@ optional_policy(`
+ logging_set_loginuid(accountsd_t)
+
+@@ -65,9 +73,16 @@ optional_policy(`
')
optional_policy(`
@@ -2434,15 +1344,9 @@ index 81280d0..bc4038b 100644
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
-index 8b9ad83..d538827 100644
+index 1a1c91a..d538827 100644
--- a/acct.te
+++ b/acct.te
-@@ -1,4 +1,4 @@
--policy_module(acct, 1.6.0)
-+policy_module(acct, 1.5.1)
-
- ########################################
- #
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
dev_read_sysfs(acct_t)
dev_read_urand(acct_t)
@@ -2470,15 +1374,9 @@ index 8b9ad83..d538827 100644
userdom_dontaudit_use_unpriv_user_fds(acct_t)
diff --git a/ada.te b/ada.te
-index 8d42c97..8ce8f26 100644
+index 8b5ad06..8ce8f26 100644
--- a/ada.te
+++ b/ada.te
-@@ -1,4 +1,4 @@
--policy_module(ada, 1.5.0)
-+policy_module(ada, 1.4.1)
-
- ########################################
- #
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
allow ada_t self:process { execstack execmem };
@@ -2539,15 +1437,9 @@ index 3b41be6..97d99f9 100644
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
-index 90ce637..7726644 100644
+index 6690cdf..7726644 100644
--- a/afs.te
+++ b/afs.te
-@@ -1,4 +1,4 @@
--policy_module(afs, 1.9.0)
-+policy_module(afs, 1.8.2)
-
- ########################################
- #
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
@@ -2721,15 +1613,9 @@ index 3b5dcb9..fbe187f 100644
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
-index 5d2b90e..7564732 100644
+index 72c33c2..7564732 100644
--- a/aiccu.te
+++ b/aiccu.te
-@@ -1,4 +1,4 @@
--policy_module(aiccu, 1.1.0)
-+policy_module(aiccu, 1.0.2)
-
- ########################################
- #
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_sendrecv_generic_if(aiccu_t)
@@ -2766,18 +1652,15 @@ index 5d2b90e..7564732 100644
sysnet_domtrans_ifconfig(aiccu_t)
')
diff --git a/aide.fc b/aide.fc
-index b2f47de..4b99c25 100644
+index df6e4d0..4b99c25 100644
--- a/aide.fc
+++ b/aide.fc
-@@ -1,7 +1,6 @@
--/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
- /usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
-
--/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
-+/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+@@ -3,4 +3,4 @@
+ /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
- /var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+-/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
++/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --git a/aide.if b/aide.if
index 01cbb67..94a4a24 100644
--- a/aide.if
@@ -2798,15 +1681,9 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 03831e6..a8e2f01 100644
+index 4b28ab3..a8e2f01 100644
--- a/aide.te
+++ b/aide.te
-@@ -1,4 +1,4 @@
--policy_module(aide, 1.7.1)
-+policy_module(aide, 1.6.1)
-
- ########################################
- #
@@ -10,6 +10,7 @@ attribute_role aide_roles;
type aide_t;
type aide_exec_t;
@@ -2875,15 +1752,9 @@ index a2997fa..861cebd 100644
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
-index 4e4f063..3b5354f 100644
+index 196f7cf..3b5354f 100644
--- a/aisexec.te
+++ b/aisexec.te
-@@ -1,4 +1,4 @@
--policy_module(aisexec, 1.2.0)
-+policy_module(aisexec, 1.1.1)
-
- ########################################
- #
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
kernel_read_system_state(aisexec_t)
@@ -3088,20 +1959,10 @@ index 0000000..a95a4ad
+')
+
diff --git a/alsa.fc b/alsa.fc
-index 33d9d31..6620b08 100644
+index 5de1e01..6620b08 100644
--- a/alsa.fc
+++ b/alsa.fc
-@@ -1,9 +1,5 @@
- HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
-
--ifdef(`distro_debian',`
--/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
--')
--
- /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
- /etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-@@ -23,4 +19,10 @@ ifdef(`distro_debian',`
+@@ -19,4 +19,10 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@@ -3114,7 +1975,7 @@ index 33d9d31..6620b08 100644
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
-index ca8d8cf..cc78465 100644
+index 708b743..cc78465 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
@@ -3125,7 +1986,7 @@ index ca8d8cf..cc78465 100644
')
########################################
-@@ -210,68 +211,85 @@ interface(`alsa_relabel_home_files',`
+@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',`
########################################
##
@@ -3140,11 +2001,6 @@ index ca8d8cf..cc78465 100644
##
##
-##
--##
--## Class of the object being created.
--##
--##
--##
+#
+interface(`alsa_read_lib',`
+ gen_require(`
@@ -3161,43 +2017,40 @@ index ca8d8cf..cc78465 100644
+##
+##
##
--## The name of the object being created.
+-## Class of the object being created.
+## Domain allowed access.
##
##
- #
--interface(`alsa_home_filetrans_alsa_home',`
+-##
++#
+interface(`alsa_filetrans_home_content',`
- gen_require(`
- type alsa_home_t;
- ')
-
-- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
++ gen_require(`
++ type alsa_home_t;
++ ')
++
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
- ')
-
- ########################################
- ##
--## Read Alsa lib files.
++')
++
++########################################
++##
+## Transition to alsa named content
- ##
- ##
++##
++##
##
--## Domain allowed access.
+-## The name of the object being created.
+## Domain allowed access.
##
##
#
--interface(`alsa_read_lib',`
+-interface(`alsa_home_filetrans_alsa_home',`
+interface(`alsa_filetrans_named_content',`
gen_require(`
-+ type alsa_home_t;
+ type alsa_home_t;
+ type alsa_etc_rw_t;
- type alsa_var_lib_t;
++ type alsa_var_lib_t;
')
-- files_search_var_lib($1)
-- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
@@ -3206,10 +2059,9 @@ index ca8d8cf..cc78465 100644
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
')
--#########################################
-+########################################
+ ########################################
##
--## Write Alsa lib files.
+-## Read Alsa lib files.
+## Execute alsa server in the alsa domain.
##
##
@@ -3219,7 +2071,7 @@ index ca8d8cf..cc78465 100644
##
##
#
--interface(`alsa_write_lib',`
+-interface(`alsa_read_lib',`
+interface(`alsa_systemctl',`
gen_require(`
- type alsa_var_lib_t;
@@ -3228,7 +2080,7 @@ index ca8d8cf..cc78465 100644
')
- files_search_var_lib($1)
-- write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ systemd_exec_systemctl($1)
+ allow $1 alsa_unit_file_t:file read_file_perms;
+ allow $1 alsa_unit_file_t:service manage_service_perms;
@@ -3236,16 +2088,10 @@ index ca8d8cf..cc78465 100644
+ ps_process_pattern($1, alsa_t)
')
diff --git a/alsa.te b/alsa.te
-index 4b153f1..e1c91b5 100644
+index cda6d20..e1c91b5 100644
--- a/alsa.te
+++ b/alsa.te
-@@ -1,4 +1,4 @@
--policy_module(alsa, 1.12.2)
-+policy_module(alsa, 1.11.4)
-
- ########################################
- #
-@@ -15,25 +15,32 @@ role alsa_roles types alsa_t;
+@@ -15,22 +15,32 @@ role alsa_roles types alsa_t;
type alsa_etc_rw_t;
files_config_file(alsa_etc_rw_t)
@@ -3255,9 +2101,6 @@ index 4b153f1..e1c91b5 100644
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
--type alsa_tmpfs_t;
--files_tmpfs_file(alsa_tmpfs_t)
--
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -3283,7 +2126,7 @@ index 4b153f1..e1c91b5 100644
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
-@@ -46,28 +53,31 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+@@ -43,6 +53,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
can_exec(alsa_t, alsa_exec_t)
@@ -3293,11 +2136,7 @@ index 4b153f1..e1c91b5 100644
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
- userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-
--allow alsa_t alsa_tmpfs_t:file manage_file_perms;
--fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
--
+@@ -51,7 +64,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
@@ -3311,17 +2150,15 @@ index 4b153f1..e1c91b5 100644
corecmd_exec_bin(alsa_t)
--dev_getattr_fs(alsa_t)
- dev_read_sound(alsa_t)
+@@ -59,7 +78,6 @@ dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
--dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
-files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
-@@ -80,35 +90,10 @@ init_use_fds(alsa_t)
+@@ -72,8 +90,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@@ -3330,33 +2167,6 @@ index 4b153f1..e1c91b5 100644
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
-
--ifdef(`distro_debian',`
-- term_dontaudit_use_unallocated_ttys(alsa_t)
--
-- # Gnome 3.4 bug
-- dev_associate(alsa_tmpfs_t)
--
-- allow alsa_t self:capability kill;
--
-- manage_lnk_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
-- files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config")
--
-- fs_list_tmpfs(alsa_t)
--
-- optional_policy(`
-- dbus_read_lib_files(alsa_t)
-- ')
--
-- optional_policy(`
-- pulseaudio_run(alsa_t, system_r)
-- pulseaudio_tmpfs_content(alsa_tmpfs_t)
-- ')
--')
--
- optional_policy(`
- hal_use_fds(alsa_t)
- hal_write_log(alsa_t)
diff --git a/amanda.fc b/amanda.fc
index 7f4dfbc..e5c9f45 100644
--- a/amanda.fc
@@ -3378,15 +2188,9 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index 519051c..f367ba0 100644
+index ed45974..f367ba0 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -1,4 +1,4 @@
--policy_module(amanda, 1.15.0)
-+policy_module(amanda, 1.14.2)
-
- #######################################
- #
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
roleattribute system_r amanda_recover_roles;
@@ -3546,15 +2350,9 @@ index 60d4f8c..18ef077 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
-index 91fa72a..a95b541 100644
+index ab55ba7..a95b541 100644
--- a/amavis.te
+++ b/amavis.te
-@@ -1,4 +1,4 @@
--policy_module(amavis, 1.15.0)
-+policy_module(amavis, 1.14.3)
-
- ########################################
- #
@@ -39,7 +39,7 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
@@ -3637,26 +2435,10 @@ index 91fa72a..a95b541 100644
postfix_read_config(amavis_t)
postfix_list_spool(amavis_t)
')
-diff --git a/amtu.fc b/amtu.fc
-index b21a14a..67e5f70 100644
---- a/amtu.fc
-+++ b/amtu.fc
-@@ -1,4 +1,5 @@
- /etc/rc\.d/init\.d/amtu -- gen_context(system_u:object_r:amtu_initrc_exec_t,s0)
-
- /usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
-+
- /usr/sbin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/amtu.te b/amtu.te
-index 16d0d66..486e9ed 100644
+index c960f92..486e9ed 100644
--- a/amtu.te
+++ b/amtu.te
-@@ -1,4 +1,4 @@
--policy_module(amtu, 1.3.0)
-+policy_module(amtu, 1.2.3)
-
- ########################################
- #
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
files_manage_boot_files(amtu_t)
@@ -3742,14 +2524,10 @@ index 14a61b7..21bbf36 100644
+')
+
diff --git a/anaconda.te b/anaconda.te
-index aa44abf..f226596 100644
+index 6f1384c..f226596 100644
--- a/anaconda.te
+++ b/anaconda.te
-@@ -1,9 +1,13 @@
--policy_module(anaconda, 1.7.0)
-+policy_module(anaconda, 1.6.1)
-
- gen_require(`
+@@ -4,6 +4,10 @@ gen_require(`
class passwd all_passwd_perms;
')
@@ -4477,10 +3255,10 @@ index 0000000..cb58319
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..044b13d 100644
+index 550a69e..044b13d 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,214 @@
+@@ -1,161 +1,214 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -4785,7 +3563,7 @@ index 7caefc3..044b13d 100644
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -4795,7 +3573,6 @@ index 7caefc3..044b13d 100644
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -4835,7 +3612,7 @@ index 7caefc3..044b13d 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index f6eb485..fca846b 100644
+index 83e899c..fca846b 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -5000,11 +3777,11 @@ index f6eb485..fca846b 100644
- ')
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
-+
-+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
@@ -5236,10 +4013,12 @@ index f6eb485..fca846b 100644
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and
+-## write httpd unix domain stream sockets.
+## Allow attempts to read and write Apache
+## unix domain stream sockets.
+##
@@ -5255,12 +4034,10 @@ index f6eb485..fca846b 100644
+ ')
+
+ allow $1 httpd_t:unix_stream_socket { getattr read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and
--## write httpd unix domain stream sockets.
++')
++
++########################################
++##
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
##
@@ -5728,11 +4505,31 @@ index f6eb485..fca846b 100644
-########################################
+######################################
++##
++## Allow the specified domain to read
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_read_sys_content_rw_files',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
##
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to read
-+## apache system content rw files.
++## apache system content rw dirs.
##
##
##
@@ -5742,32 +4539,12 @@ index f6eb485..fca846b 100644
+##
#
-interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_files',`
++interface(`apache_read_sys_content_rw_dirs',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
-+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to read
-+## apache system content rw dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_read_sys_content_rw_dirs',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
@@ -5946,18 +4723,16 @@ index f6eb485..fca846b 100644
##
##
##
-@@ -1071,18 +1274,21 @@ interface(`apache_search_sys_scripts',`
+@@ -1070,13 +1273,22 @@ interface(`apache_search_sys_scripts',`
+ ##
#
interface(`apache_manage_all_user_content',`
- gen_require(`
-- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
-- type httpd_user_htaccess_t, httpd_user_script_exec_t;
+- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
+- apache_manage_all_content($1)
++ gen_require(`
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
- ')
-
-- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
-- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
-- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
++ ')
++
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
@@ -5974,7 +4749,7 @@ index f6eb485..fca846b 100644
##
##
##
-@@ -1100,7 +1306,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1306,8 @@ interface(`apache_search_sys_script_state',`
########################################
##
@@ -5984,7 +4759,7 @@ index f6eb485..fca846b 100644
##
##
##
-@@ -1117,10 +1324,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1324,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -6016,7 +4791,7 @@ index f6eb485..fca846b 100644
##
##
##
-@@ -1133,7 +1359,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1359,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -6025,7 +4800,7 @@ index f6eb485..fca846b 100644
')
########################################
-@@ -1142,6 +1368,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1368,9 @@ interface(`apache_dontaudit_write_tmp_files',`
##
##
##
@@ -6035,7 +4810,7 @@ index f6eb485..fca846b 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1171,8 +1400,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1400,30 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -6068,16 +4843,16 @@ index f6eb485..fca846b 100644
##
##
##
-@@ -1189,18 +1440,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1440,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
-- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
-- type httpd_initrc_exec_t, httpd_keytab_t;
+- type httpd_initrc_exec_t, httpd_suexec_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -6097,12 +4872,12 @@ index f6eb485..fca846b 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1210,10 +1462,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1462,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
-- admin_pattern($1, { httpd_keytab_t httpd_config_t })
+- admin_pattern($1, { httpd_config_t httpd_keytab_t })
+ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
@@ -6111,7 +4886,7 @@ index f6eb485..fca846b 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1476,141 @@ interface(`apache_admin',`
+@@ -1218,9 +1476,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -6258,11 +5033,11 @@ index f6eb485..fca846b 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..17c4c9a 100644
+index 1a82e29..17c4c9a 100644
--- a/apache.te
+++ b/apache.te
-@@ -1,300 +1,381 @@
--policy_module(apache, 2.7.2)
+@@ -1,297 +1,381 @@
+-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
+#
@@ -6760,14 +5535,12 @@ index 6649962..17c4c9a 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
--type httpd_keytab_t;
--files_type(httpd_keytab_t)
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
-
++
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -6794,7 +5567,7 @@ index 6649962..17c4c9a 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -6807,7 +5580,7 @@ index 6649962..17c4c9a 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +393,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -6829,7 +5602,7 @@ index 6649962..17c4c9a 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -326,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -6849,7 +5622,7 @@ index 6649962..17c4c9a 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -6901,7 +5674,7 @@ index 6649962..17c4c9a 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +484,37 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +484,37 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -6926,9 +5699,8 @@ index 6649962..17c4c9a 100644
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
--allow httpd_t httpd_keytab_t:file read_file_perms;
+can_exec(httpd_t, httpd_exec_t)
-
++
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
@@ -6945,7 +5717,7 @@ index 6649962..17c4c9a 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -6967,7 +5739,7 @@ index 6649962..17c4c9a 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -7041,10 +5813,10 @@ index 6649962..17c4c9a 100644
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
-+
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
-
++
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
@@ -7207,7 +5979,7 @@ index 6649962..17c4c9a 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -7267,7 +6039,7 @@ index 6649962..17c4c9a 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +797,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +797,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -7358,7 +6130,7 @@ index 6649962..17c4c9a 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +844,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +844,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -7439,7 +6211,7 @@ index 6649962..17c4c9a 100644
')
optional_policy(`
-@@ -749,24 +897,32 @@ optional_policy(`
+@@ -744,24 +897,32 @@ optional_policy(`
')
optional_policy(`
@@ -7478,7 +6250,7 @@ index 6649962..17c4c9a 100644
')
optional_policy(`
-@@ -775,6 +931,10 @@ optional_policy(`
+@@ -770,6 +931,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@@ -7489,28 +6261,19 @@ index 6649962..17c4c9a 100644
')
optional_policy(`
-@@ -786,35 +946,58 @@ optional_policy(`
+@@ -781,34 +946,58 @@ optional_policy(`
')
optional_policy(`
-- kerberos_manage_host_rcache(httpd_t)
-- kerberos_read_keytab(httpd_t)
-- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
-- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
-- kerberos_use(httpd_t)
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans_web(httpd_t)
+ ')
- ')
-
- optional_policy(`
-- ldap_stream_connect(httpd_t)
++')
++
++optional_policy(`
+ gssproxy_stream_connect(httpd_t)
+')
-
-- tunable_policy(`httpd_can_network_connect_ldap',`
-- ldap_tcp_connect(httpd_t)
-- ')
++
+optional_policy(`
+ ipa_search_lib(httpd_t)
+')
@@ -7527,14 +6290,21 @@ index 6649962..17c4c9a 100644
+')
+
+optional_policy(`
-+ kerberos_keytab_template(httpd, httpd_t)
+ kerberos_keytab_template(httpd, httpd_t)
+- kerberos_manage_host_rcache(httpd_t)
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ # needed by FreeIPA
-+ ldap_stream_connect(httpd_t)
+ ldap_stream_connect(httpd_t)
+-
+- tunable_policy(`httpd_can_network_connect_ldap',`
+- ldap_tcp_connect(httpd_t)
+- ')
+ ldap_read_certs(httpd_t)
')
@@ -7561,7 +6331,7 @@ index 6649962..17c4c9a 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1005,18 @@ optional_policy(`
+@@ -816,8 +1005,18 @@ optional_policy(`
')
optional_policy(`
@@ -7580,7 +6350,7 @@ index 6649962..17c4c9a 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1025,7 @@ optional_policy(`
+@@ -826,6 +1025,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -7588,7 +6358,7 @@ index 6649962..17c4c9a 100644
')
optional_policy(`
-@@ -842,20 +1036,40 @@ optional_policy(`
+@@ -836,20 +1036,40 @@ optional_policy(`
')
optional_policy(`
@@ -7635,7 +6405,7 @@ index 6649962..17c4c9a 100644
')
optional_policy(`
-@@ -863,19 +1077,35 @@ optional_policy(`
+@@ -857,19 +1077,35 @@ optional_policy(`
')
optional_policy(`
@@ -7671,7 +6441,7 @@ index 6649962..17c4c9a 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1113,173 @@ optional_policy(`
+@@ -877,65 +1113,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -7867,7 +6637,7 @@ index 6649962..17c4c9a 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1288,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1288,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -8022,7 +6792,7 @@ index 6649962..17c4c9a 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1372,106 @@ optional_policy(`
+@@ -1077,172 +1372,106 @@ optional_policy(`
')
')
@@ -8044,11 +6814,11 @@ index 6649962..17c4c9a 100644
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
--append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -8194,8 +6964,7 @@ index 6649962..17c4c9a 100644
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -8221,7 +6990,8 @@ index 6649962..17c4c9a 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -8259,7 +7029,7 @@ index 6649962..17c4c9a 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1479,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1479,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -8356,7 +7126,7 @@ index 6649962..17c4c9a 100644
########################################
#
-@@ -1321,8 +1554,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1554,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -8373,7 +7143,7 @@ index 6649962..17c4c9a 100644
')
########################################
-@@ -1330,49 +1570,38 @@ optional_policy(`
+@@ -1324,49 +1570,38 @@ optional_policy(`
# User content local policy
#
@@ -8438,7 +7208,7 @@ index 6649962..17c4c9a 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1611,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1611,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -8665,15 +7435,9 @@ index f3c0aba..cbe3d4a 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..a813b6c 100644
+index b236327..a813b6c 100644
--- a/apcupsd.te
+++ b/apcupsd.te
-@@ -1,4 +1,4 @@
--policy_module(apcupsd, 1.9.0)
-+policy_module(apcupsd, 1.8.4)
-
- ########################################
- #
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
@@ -8827,15 +7591,9 @@ index 1a7a97e..1d29dce 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 7fd431b..1d8a844 100644
+index 3590e2f..1d8a844 100644
--- a/apm.te
+++ b/apm.te
-@@ -1,4 +1,4 @@
--policy_module(apm, 1.12.0)
-+policy_module(apm, 1.11.4)
-
- ########################################
- #
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
@@ -8929,54 +7687,11 @@ index 7fd431b..1d8a844 100644
')
optional_policy(`
-diff --git a/apt.fc b/apt.fc
-index 7b20801..1fd6888 100644
---- a/apt.fc
-+++ b/apt.fc
-@@ -1,11 +1,9 @@
--/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
--
- ifndef(`distro_redhat',`
- /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
- /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
- /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
--/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
- /usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
-+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
- /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
- /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
- ')
diff --git a/apt.if b/apt.if
-index cde81d2..970736b 100644
+index e2414c4..970736b 100644
--- a/apt.if
+++ b/apt.if
-@@ -21,25 +21,6 @@ interface(`apt_domtrans',`
-
- ########################################
- ##
--## Execute the apt in the caller domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`apt_exec',`
-- gen_require(`
-- type apt_exec_t;
-- ')
--
-- corecmd_search_bin($1)
-- can_exec($1, apt_exec_t)
--')
--
--########################################
--##
- ## Execute apt programs in the apt domain.
- ##
- ##
-@@ -171,7 +152,7 @@ interface(`apt_read_cache',`
+@@ -152,7 +152,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
@@ -8986,24 +7701,10 @@ index cde81d2..970736b 100644
')
diff --git a/apt.te b/apt.te
-index efa8530..d82403c 100644
+index e2d8d52..d82403c 100644
--- a/apt.te
+++ b/apt.te
-@@ -1,4 +1,4 @@
--policy_module(apt, 1.8.1)
-+policy_module(apt, 1.7.5)
-
- ########################################
- #
-@@ -77,15 +77,12 @@ files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
- allow apt_t apt_var_log_t:file manage_file_perms;
- logging_log_filetrans(apt_t, apt_var_log_t, file)
-
--can_exec(apt_t, apt_exec_t)
--
- kernel_read_system_state(apt_t)
- kernel_read_kernel_sysctls(apt_t)
-
+@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
@@ -9011,14 +7712,7 @@ index efa8530..d82403c 100644
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
-@@ -94,45 +91,37 @@ corenet_tcp_sendrecv_all_ports(apt_t)
- corenet_sendrecv_all_client_packets(apt_t)
- corenet_tcp_connect_all_ports(apt_t)
-
--dev_list_sysfs(apt_t)
- dev_read_urand(apt_t)
-
- domain_getattr_all_domains(apt_t)
+@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
@@ -9044,22 +7738,10 @@ index efa8530..d82403c 100644
sysnet_read_config(apt_t)
-userdom_use_user_terminals(apt_t)
--
--optional_policy(`
-- backup_manage_store_files(apt_t)
--')
+userdom_use_inherited_user_terminals(apt_t)
optional_policy(`
cron_system_entry(apt_t, apt_exec_t)
- ')
-
- optional_policy(`
-- dbus_system_domain(apt_t, apt_exec_t)
-+ dbus_system_domain(apt_t, apt_exec_t)
- ')
-
- optional_policy(`
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0f..9a1a61f 100644
--- a/arpwatch.fc
@@ -9134,15 +7816,9 @@ index 50c9b9c..51c8cc0 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
-index 2d7bf34..fd6911a 100644
+index fa18c76..fd6911a 100644
--- a/arpwatch.te
+++ b/arpwatch.te
-@@ -1,4 +1,4 @@
--policy_module(arpwatch, 1.11.0)
-+policy_module(arpwatch, 1.10.4)
-
- ########################################
- #
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
@@ -9203,10 +7879,36 @@ index 2d7bf34..fd6911a 100644
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
-index 2077053..6ffd87d 100644
+index 7268a04..6ffd87d 100644
--- a/asterisk.if
+++ b/asterisk.if
-@@ -124,16 +124,18 @@ interface(`asterisk_admin',`
+@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',`
+ domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+ ')
+
++######################################
++##
++## Execute asterisk in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`asterisk_exec',`
++ gen_require(`
++ type asterisk_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, asterisk_exec_t)
++')
++
+ #####################################
+ ##
+ ## Connect to asterisk over a unix domain.
+@@ -105,9 +124,13 @@ interface(`asterisk_admin',`
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
@@ -9221,23 +7923,10 @@ index 2077053..6ffd87d 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
- allow $2 system_r;
-
-- asterisk_exec($1)
--
- files_list_tmp($1)
- admin_pattern($1, asterisk_tmp_t)
-
diff --git a/asterisk.te b/asterisk.te
-index 7e41350..4f8a8a5 100644
+index 5439f1c..4f8a8a5 100644
--- a/asterisk.te
+++ b/asterisk.te
-@@ -1,4 +1,4 @@
--policy_module(asterisk, 1.12.1)
-+policy_module(asterisk, 1.11.3)
-
- ########################################
- #
@@ -19,7 +19,7 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
@@ -9247,22 +7936,25 @@ index 7e41350..4f8a8a5 100644
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
-@@ -54,12 +54,12 @@ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
-
- manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
- manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
--logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
+@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+ read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+
+-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
--files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })
+files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
-@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
@@ -9276,7 +7968,7 @@ index 7e41350..4f8a8a5 100644
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
+@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
@@ -9284,7 +7976,7 @@ index 7e41350..4f8a8a5 100644
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t)
+@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
@@ -9292,11 +7984,8 @@ index 7e41350..4f8a8a5 100644
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
-@@ -147,11 +145,8 @@ fs_search_auto_mountpoints(asterisk_t)
-
- auth_use_nsswitch(asterisk_t)
+@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
--logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)
-miscfiles_read_localization(asterisk_t)
@@ -9304,16 +7993,6 @@ index 7e41350..4f8a8a5 100644
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
-diff --git a/authbind.te b/authbind.te
-index dd9d215..a194e01 100644
---- a/authbind.te
-+++ b/authbind.te
-@@ -1,4 +1,4 @@
--policy_module(authbind, 1.3.0)
-+policy_module(authbind, 1.2.1)
-
- ########################################
- #
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 0000000..4579cfe
@@ -9509,7 +8188,7 @@ index 92adb37..0a2ffc6 100644
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
-index f24e369..b0bed70 100644
+index 089430a..b0bed70 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -9576,11 +8255,10 @@ index f24e369..b0bed70 100644
## All of the rules required to
## administrate an automount environment.
##
-@@ -153,20 +194,21 @@ interface(`automount_admin',`
+@@ -153,11 +194,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
-- type automount_keytab_t;
+ type automount_unit_file_t;
')
@@ -9595,15 +8273,7 @@ index f24e369..b0bed70 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_list_etc($1)
-- admin_pattern($1, automount_keytab_t)
--
- files_list_var($1)
- admin_pattern($1, automount_lock_t)
-
-@@ -175,4 +217,8 @@ interface(`automount_admin',`
+@@ -171,4 +217,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
@@ -9613,35 +8283,16 @@ index f24e369..b0bed70 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 27d2f40..11dbe9d 100644
+index a579c3b..11dbe9d 100644
--- a/automount.te
+++ b/automount.te
-@@ -1,4 +1,4 @@
--policy_module(automount, 1.14.1)
-+policy_module(automount, 1.13.3)
-
- ########################################
- #
-@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)
- type automount_initrc_exec_t;
- init_script_file(automount_initrc_exec_t)
-
--type automount_keytab_t;
--files_type(automount_keytab_t)
-+type automount_var_run_t;
-+files_pid_file(automount_var_run_t)
-
- type automount_lock_t;
- files_lock_file(automount_lock_t)
-@@ -22,15 +22,16 @@ type automount_tmp_t;
+@@ -22,12 +22,16 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
--type automount_var_run_t;
--files_pid_file(automount_var_run_t)
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
-
++
########################################
#
# Local policy
@@ -9653,16 +8304,7 @@ index 27d2f40..11dbe9d 100644
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
-@@ -39,8 +40,6 @@ allow automount_t self:rawip_socket create_socket_perms;
-
- can_exec(automount_t, automount_exec_t)
-
--allow automount_t automount_keytab_t:file read_file_perms;
--
- allow automount_t automount_lock_t:file manage_file_perms;
- files_lock_filetrans(automount_t, automount_lock_t, file)
-
-@@ -67,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
+@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -9670,7 +8312,7 @@ index 27d2f40..11dbe9d 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -91,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
+@@ -86,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
@@ -9678,7 +8320,7 @@ index 27d2f40..11dbe9d 100644
files_getattr_default_dirs(automount_t)
files_getattr_home_dir(automount_t)
files_getattr_isid_type_dirs(automount_t)
-@@ -101,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
@@ -9686,7 +8328,7 @@ index 27d2f40..11dbe9d 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -113,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t)
+@@ -108,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t)
fs_mount_all_fs(automount_t)
fs_mount_autofs(automount_t)
fs_read_nfs_files(automount_t)
@@ -9694,7 +8336,7 @@ index 27d2f40..11dbe9d 100644
fs_search_all(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_unmount_all_fs(automount_t)
-@@ -135,22 +134,24 @@ auth_use_nsswitch(automount_t)
+@@ -130,15 +134,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -9717,15 +8359,7 @@ index 27d2f40..11dbe9d 100644
fstools_domtrans(automount_t)
')
- optional_policy(`
-+ kerberos_keytab_template(automount, automount_t)
- kerberos_read_config(automount_t)
-- kerberos_read_keytab(automount_t)
-- kerberos_use(automount_t)
- kerberos_dontaudit_write_config(automount_t)
- ')
-
-@@ -166,3 +167,8 @@ optional_policy(`
+@@ -160,3 +167,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
@@ -9747,142 +8381,49 @@ index e9fe2ca..4c2d076 100644
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
-index 9078c3d..33fe57b 100644
+index aebe7cb..33fe57b 100644
--- a/avahi.if
+++ b/avahi.if
-@@ -21,25 +21,6 @@ interface(`avahi_domtrans',`
-
+@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',`
########################################
##
--## Execute avahi init scripts in the
--## init script domain.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--#
--interface(`avahi_initrc_domtrans',`
-- gen_require(`
-- type avahi_initrc_exec_t;
-- ')
--
-- init_labeled_script_domtrans($1, avahi_initrc_exec_t)
--')
--
--########################################
--##
- ## Send generic signals to avahi.
+ ## Connect to avahi using a unix
+-$$ stream socket.
++## stream socket.
##
##
-@@ -135,63 +116,6 @@ interface(`avahi_stream_connect',`
-
- ########################################
- ##
--## Create avahi pid directories.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`avahi_create_pid_dirs',`
-- gen_require(`
-- type avahi_var_run_t;
-- ')
--
-- files_search_pids($1)
-- allow $1 avahi_var_run_t:dir create_dir_perms;
--')
--
--########################################
--##
--## Set attributes of avahi pid directories.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`avahi_setattr_pid_dirs',`
-- gen_require(`
-- type avahi_var_run_t;
-- ')
--
-- files_search_pids($1)
-- allow $1 avahi_var_run_t:dir setattr_dir_perms;
--')
--
--########################################
--##
--## Create, read, and write avahi pid files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`avahi_manage_pid_files',`
-- gen_require(`
-- type avahi_var_run_t;
-- ')
--
-- files_search_pids($1)
-- manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
--')
--
--########################################
--##
- ## Do not audit attempts to search
- ## avahi pid directories.
- ##
-@@ -211,31 +135,25 @@ interface(`avahi_dontaudit_search_pid',`
+ ##
+@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',`
########################################
##
--## Create specified objects in generic
--## pid directories with the avahi pid file type.
+## Execute avahi server in the avahi domain.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
++##
++##
++##
+## Domain allowed to transition.
- ##
- ##
- #
--interface(`avahi_filetrans_pid',`
++##
++##
++#
+interface(`avahi_systemctl',`
- gen_require(`
-- type avahi_var_run_t;
++ gen_require(`
+ type avahi_t;
+ type avahi_unit_file_t;
- ')
-
-- files_pid_filetrans($1, avahi_var_run_t, $2, $3)
++ ')
++
+ systemd_exec_systemctl($1)
+ allow $1 avahi_unit_file_t:file read_file_perms;
+ allow $1 avahi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, avahi_t)
- ')
-
- ########################################
-@@ -258,13 +176,18 @@ interface(`avahi_filetrans_pid',`
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an avahi environment.
+ ##
+@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',`
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
@@ -9894,16 +8435,14 @@ index 9078c3d..33fe57b 100644
+ allow $1 avahi_t:process signal_perms;
ps_process_pattern($1, avahi_t)
-- avahi_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 avahi_t:process ptrace;
+ ')
+
-+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
- allow $2 system_r;
-@@ -274,4 +197,8 @@ interface(`avahi_admin',`
+@@ -169,4 +197,8 @@ interface(`avahi_admin',`
files_search_var_lib($1)
admin_pattern($1, avahi_var_lib_t)
@@ -9913,15 +8452,9 @@ index 9078c3d..33fe57b 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index b8355b3..f1f2bcf 100644
+index 60e76be..f1f2bcf 100644
--- a/avahi.te
+++ b/avahi.te
-@@ -1,4 +1,4 @@
--policy_module(avahi, 1.14.1)
-+policy_module(avahi, 1.13.2)
-
- ########################################
- #
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
@@ -9980,15 +8513,9 @@ index b8355b3..f1f2bcf 100644
')
diff --git a/awstats.te b/awstats.te
-index c1b16c3..116176d 100644
+index d6ab824..116176d 100644
--- a/awstats.te
+++ b/awstats.te
-@@ -1,4 +1,4 @@
--policy_module(awstats, 1.5.0)
-+policy_module(awstats, 1.4.4)
-
- ########################################
- #
@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
dev_read_urand(awstats_t)
@@ -10023,54 +8550,10 @@ index c1b16c3..116176d 100644
files_search_var_lib(httpd_awstats_script_t)
-
-apache_read_log(httpd_awstats_script_t)
-diff --git a/backup.fc b/backup.fc
-index 349c26f..075621d 100644
---- a/backup.fc
-+++ b/backup.fc
-@@ -1,5 +1,4 @@
- /etc/cron\.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
--/etc/cron\.daily/passwd -- gen_context(system_u:object_r:backup_exec_t,s0)
- /etc/cron\.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
-
- /var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)
-diff --git a/backup.if b/backup.if
-index fe3f740..894810e 100644
---- a/backup.if
-+++ b/backup.if
-@@ -45,23 +45,3 @@ interface(`backup_run',`
- backup_domtrans($1)
- roleattribute $2 backup_roles;
- ')
--
--########################################
--##
--## Create, read, and write backup
--## store files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`backup_manage_store_files',`
-- gen_require(`
-- type backup_store_t;
-- ')
--
-- files_search_var($1)
-- manage_files_pattern($1, backup_store_t, backup_store_t)
--')
diff --git a/backup.te b/backup.te
-index 7811450..c10d39c 100644
+index d6ceef4..c10d39c 100644
--- a/backup.te
+++ b/backup.te
-@@ -1,4 +1,4 @@
--policy_module(backup, 1.6.2)
-+policy_module(backup, 1.5.2)
-
- ########################################
- #
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
@@ -10101,15 +8584,9 @@ index dcd774e..c240ffa 100644
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
-index f16b000..a6d4fb0 100644
+index 3beba2f..a6d4fb0 100644
--- a/bacula.te
+++ b/bacula.te
-@@ -1,4 +1,4 @@
--policy_module(bacula, 1.2.0)
-+policy_module(bacula, 1.1.1)
-
- ########################################
- #
@@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t;
# Local policy
#
@@ -10240,15 +8717,9 @@ index ec95d36..7132e1e 100644
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
-index c3fd7b1..271b976 100644
+index 536ec3c..271b976 100644
--- a/bcfg2.te
+++ b/bcfg2.te
-@@ -1,4 +1,4 @@
--policy_module(bcfg2, 1.1.0)
-+policy_module(bcfg2, 1.0.1)
-
- ########################################
- #
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
type bcfg2_var_lib_t;
files_type(bcfg2_var_lib_t)
@@ -10394,7 +8865,7 @@ index 2b9a3a1..750788c 100644
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
-index 531a8f2..43b445c 100644
+index 866a1e2..43b445c 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -10515,13 +8986,12 @@ index 531a8f2..43b445c 100644
## All of the rules required to
## administrate an bind environment.
##
-@@ -362,13 +445,20 @@ interface(`bind_udp_chat_named',`
+@@ -362,12 +445,20 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_cache_t, named_zone_t, named_initrc_exec_t;
- type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
-- type named_keytab_t;
+ type named_conf_t, named_var_run_t, named_cache_t;
+ type named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_keytab_t;
@@ -10541,18 +9011,15 @@ index 531a8f2..43b445c 100644
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -382,7 +472,9 @@ interface(`bind_admin',`
- admin_pattern($1, named_log_t)
-
+@@ -383,11 +474,15 @@ interface(`bind_admin',`
files_list_etc($1)
-- admin_pattern($1, { named_keytab_t named_conf_t })
-+ admin_pattern($1, named_conf_t)
-+
-+ admin_pattern($1, named_keytab_t)
+ admin_pattern($1, named_conf_t)
++ admin_pattern($1, named_keytab_t)
++
files_list_var($1)
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
-@@ -390,5 +482,7 @@ interface(`bind_admin',`
+
files_list_pids($1)
admin_pattern($1, named_var_run_t)
@@ -10562,15 +9029,9 @@ index 531a8f2..43b445c 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 1241123..93ffa1d 100644
+index 076ffee..93ffa1d 100644
--- a/bind.te
+++ b/bind.te
-@@ -1,4 +1,4 @@
--policy_module(bind, 1.13.1)
-+policy_module(bind, 1.12.8)
-
- ########################################
- #
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
init_system_domain(named_t, named_checkconf_exec_t)
@@ -10580,18 +9041,17 @@ index 1241123..93ffa1d 100644
files_mountpoint(named_conf_t)
# for secondary zone files
-@@ -44,8 +44,8 @@ files_type(named_cache_t)
+@@ -44,6 +44,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
--type named_keytab_t;
--files_type(named_keytab_t)
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
-
++
type named_log_t;
logging_log_file(named_log_t)
-@@ -71,8 +71,9 @@ role ndc_roles types ndc_t;
+
+@@ -68,8 +71,9 @@ role ndc_roles types ndc_t;
# Local policy
#
@@ -10602,12 +9062,9 @@ index 1241123..93ffa1d 100644
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
-@@ -87,11 +88,9 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
- manage_files_pattern(named_t, named_cache_t, named_cache_t)
- manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
--allow named_t named_keytab_t:file read_file_perms;
-+can_exec(named_t, named_exec_t)
+ can_exec(named_t, named_exec_t)
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
@@ -10616,16 +9073,7 @@ index 1241123..93ffa1d 100644
logging_log_filetrans(named_t, named_log_t, file)
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
-@@ -103,8 +102,6 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
- manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
- files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
-
--can_exec(named_t, named_exec_t)
--
- allow named_t named_zone_t:dir list_dir_perms;
- read_files_pattern(named_t, named_zone_t, named_zone_t)
- read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -115,7 +112,6 @@ kernel_read_network_state(named_t)
+@@ -110,7 +112,6 @@ kernel_read_network_state(named_t)
corecmd_search_bin(named_t)
@@ -10633,7 +9081,7 @@ index 1241123..93ffa1d 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -144,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
@@ -10641,7 +9089,7 @@ index 1241123..93ffa1d 100644
domain_use_interactive_fds(named_t)
-@@ -175,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
+@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -10657,18 +9105,15 @@ index 1241123..93ffa1d 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -187,8 +193,8 @@ optional_policy(`
- ')
+@@ -183,6 +194,7 @@ optional_policy(`
optional_policy(`
-- kerberos_read_keytab(named_t)
-- kerberos_use(named_t)
-+ kerberos_keytab_template(named, named_t)
+ kerberos_keytab_template(named, named_t)
+ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
')
optional_policy(`
-@@ -215,7 +221,8 @@ optional_policy(`
+@@ -209,7 +221,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -10678,7 +9123,7 @@ index 1241123..93ffa1d 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -229,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -10690,7 +9135,7 @@ index 1241123..93ffa1d 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -236,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@@ -10700,7 +9145,7 @@ index 1241123..93ffa1d 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
-@@ -257,7 +266,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +266,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -10710,15 +9155,9 @@ index 1241123..93ffa1d 100644
userdom_use_user_terminals(ndc_t)
diff --git a/bird.te b/bird.te
-index 1d60c27..f53b135 100644
+index d4d71ec..f53b135 100644
--- a/bird.te
+++ b/bird.te
-@@ -1,4 +1,4 @@
--policy_module(bird, 1.1.0)
-+policy_module(bird, 1.0.2)
-
- ########################################
- #
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
corenet_tcp_sendrecv_bgp_port(bird_t)
@@ -10747,15 +9186,9 @@ index e73fb79..2badfc0 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48..48a96b7 100644
+index ac8c91e..48a96b7 100644
--- a/bitlbee.te
+++ b/bitlbee.te
-@@ -1,4 +1,4 @@
--policy_module(bitlbee, 1.5.0)
-+policy_module(bitlbee, 1.4.4)
-
- ########################################
- #
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
@@ -10840,16 +9273,10 @@ index 16ec525..1dd4059 100644
########################################
diff --git a/blueman.te b/blueman.te
-index 3a5032e..63a4b1d 100644
+index bc5c984..63a4b1d 100644
--- a/blueman.te
+++ b/blueman.te
-@@ -1,4 +1,4 @@
--policy_module(blueman, 1.1.0)
-+policy_module(blueman, 1.0.4)
-
- ########################################
- #
-@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
+@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
type blueman_t;
type blueman_exec_t;
@@ -11075,15 +9502,9 @@ index c723a0a..aa3283e 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index 851769e..a4110db 100644
+index 6f09d24..a4110db 100644
--- a/bluetooth.te
+++ b/bluetooth.te
-@@ -1,4 +1,4 @@
--policy_module(bluetooth, 3.5.0)
-+policy_module(bluetooth, 3.4.5)
-
- ########################################
- #
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
@@ -11153,7 +9574,7 @@ index 851769e..a4110db 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,8 +143,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@@ -11163,8 +9584,11 @@ index 851769e..a4110db 100644
+
optional_policy(`
dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
-@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
++ dbus_connect_system_bus(bluetooth_t)
+
+ optional_policy(`
+ cups_dbus_chat(bluetooth_t)
+@@ -199,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
@@ -11415,33 +9839,33 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 687d4c4..b326c23 100644
+index 7c92aa1..b326c23 100644
--- a/boinc.te
+++ b/boinc.te
-@@ -1,4 +1,4 @@
--policy_module(boinc, 1.1.1)
+@@ -1,11 +1,20 @@
+-policy_module(boinc, 1.0.3)
+policy_module(boinc, 1.0.0)
########################################
#
-@@ -7,12 +7,14 @@ policy_module(boinc, 1.1.1)
-
- ##
- ##
--## Determine whether boinc can execmem/execstack.
-+## Allow boinc_domain execmem/execstack.
- ##
- ##
- gen_tunable(boinc_execmem, true)
+ # Declarations
+ #
-type boinc_t;
++##
++##
++## Allow boinc_domain execmem/execstack.
++##
++##
++gen_tunable(boinc_execmem, true)
++
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -28,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -11621,7 +10045,7 @@ index 687d4c4..b326c23 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -137,59 +154,69 @@ init_read_utmp(boinc_t)
+@@ -130,55 +154,69 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -11629,19 +10053,16 @@ index 687d4c4..b326c23 100644
-miscfiles_read_localization(boinc_t)
+modutils_dontaudit_exec_insmod(boinc_t)
--tunable_policy(`boinc_execmem',`
-- allow boinc_t self:process { execstack execmem };
+-optional_policy(`
+- mta_send_mail(boinc_t)
-')
+xserver_stream_connect(boinc_t)
optional_policy(`
- mta_send_mail(boinc_t)
+- sysnet_dns_name_resolve(boinc_t)
++ mta_send_mail(boinc_t)
')
--optional_policy(`
-- sysnet_dns_name_resolve(boinc_t)
--')
--
########################################
#
-# Project local policy
@@ -11714,15 +10135,9 @@ index 687d4c4..b326c23 100644
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
-index c5a9113..6294955 100644
+index bcd1e87..6294955 100644
--- a/brctl.te
+++ b/brctl.te
-@@ -1,4 +1,4 @@
--policy_module(brctl, 1.7.0)
-+policy_module(brctl, 1.6.2)
-
- ########################################
- #
@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
domain_use_interactive_fds(brctl_t)
@@ -11797,16 +10212,10 @@ index 1b22262..bf0cefa 100644
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
-index 18623e3..57f094e 100644
+index 41f8251..57f094e 100644
--- a/bugzilla.te
+++ b/bugzilla.te
-@@ -1,4 +1,4 @@
--policy_module(bugzilla, 1.1.0)
-+policy_module(bugzilla, 1.0.4)
-
- ########################################
- #
-@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0)
+@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
apache_content_template(bugzilla)
@@ -12168,11 +10577,11 @@ index 8de2ab9..3b41945 100644
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
-index a3760bc..2d9508e 100644
+index 581c8ef..2d9508e 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,144 @@
--policy_module(cachefilesd, 1.1.0)
+-policy_module(cachefilesd, 1.0.1)
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -12352,15 +10761,9 @@ index cd9c528..ba793b7 100644
')
diff --git a/calamaris.te b/calamaris.te
-index 7e57460..de28437 100644
+index f4f21d3..de28437 100644
--- a/calamaris.te
+++ b/calamaris.te
-@@ -1,4 +1,4 @@
--policy_module(calamaris, 1.8.0)
-+policy_module(calamaris, 1.7.2)
-
- ########################################
- #
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
@@ -12391,15 +10794,9 @@ index 7e57460..de28437 100644
optional_policy(`
diff --git a/callweaver.te b/callweaver.te
-index 0e5be4c..44e5b7d 100644
+index 528051e..44e5b7d 100644
--- a/callweaver.te
+++ b/callweaver.te
-@@ -1,4 +1,4 @@
--policy_module(callweaver, 1.1.0)
-+policy_module(callweaver, 1.0.2)
-
- ########################################
- #
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
auth_use_nsswitch(callweaver_t)
@@ -12425,15 +10822,9 @@ index 400db07..f416e22 100644
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
-index 9fe6162..32b7796 100644
+index 4ec0626..32b7796 100644
--- a/canna.te
+++ b/canna.te
-@@ -1,4 +1,4 @@
--policy_module(canna, 1.12.0)
-+policy_module(canna, 1.11.1)
-
- ########################################
- #
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
@@ -12493,15 +10884,9 @@ index 5ded72d..cb94e5e 100644
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
-index 658134d..476aaa3 100644
+index b85b53b..476aaa3 100644
--- a/ccs.te
+++ b/ccs.te
-@@ -1,4 +1,4 @@
--policy_module(ccs, 1.6.0)
-+policy_module(ccs, 1.5.2)
-
- ########################################
- #
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
@@ -12562,15 +10947,9 @@ index fbc20f6..4de4a00 100644
ps_process_pattern($2, cdrecord_t)
')
diff --git a/cdrecord.te b/cdrecord.te
-index 16883c9..a7555c0 100644
+index 55fb26a..a7555c0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
-@@ -1,4 +1,4 @@
--policy_module(cdrecord, 2.6.0)
-+policy_module(cdrecord, 2.5.2)
-
- ########################################
- #
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
domain_interactive_fd(cdrecord_t)
domain_use_interactive_fds(cdrecord_t)
@@ -12630,15 +11009,9 @@ index 0c53b18..ef29f6e 100644
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
-index 4a87873..2b571c7 100644
+index bf82163..2b571c7 100644
--- a/certmaster.te
+++ b/certmaster.te
-@@ -1,4 +1,4 @@
--policy_module(certmaster, 1.3.0)
-+policy_module(certmaster, 1.2.1)
-
- ########################################
- #
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
dev_read_urand(certmaster_t)
@@ -12695,15 +11068,9 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..3a07ee5 100644
+index 2354e21..3a07ee5 100644
--- a/certmonger.te
+++ b/certmonger.te
-@@ -1,4 +1,4 @@
--policy_module(certmonger, 1.2.0)
-+policy_module(certmonger, 1.1.5)
-
- ########################################
- #
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
@@ -12845,15 +11212,9 @@ index 550b287..3a07ee5 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 171fafb..1a4bd9c 100644
+index 403af41..1a4bd9c 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -1,4 +1,4 @@
--policy_module(certwatch, 1.8.0)
-+policy_module(certwatch, 1.7.2)
-
- ########################################
- #
@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
@@ -13006,15 +11367,9 @@ index a731122..5279d4e 100644
')
+
diff --git a/cfengine.te b/cfengine.te
-index fbe3ad9..168f01f 100644
+index 8af5bbe..168f01f 100644
--- a/cfengine.te
+++ b/cfengine.te
-@@ -1,4 +1,4 @@
--policy_module(cfengine, 1.1.0)
-+policy_module(cfengine, 1.0.2)
-
- ########################################
- #
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
@@ -13069,15 +11424,9 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index 80a88a2..a4c2efb 100644
+index fdee107..a4c2efb 100644
--- a/cgroup.te
+++ b/cgroup.te
-@@ -1,4 +1,4 @@
--policy_module(cgroup, 1.2.0)
-+policy_module(cgroup, 1.1.3)
-
- ########################################
- #
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
@@ -13746,15 +12095,9 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index e5b621c..d0c8001 100644
+index 914ee2d..d0c8001 100644
--- a/chronyd.te
+++ b/chronyd.te
-@@ -1,4 +1,4 @@
--policy_module(chronyd, 1.2.0)
-+policy_module(chronyd, 1.1.4)
-
- ########################################
- #
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
@@ -14068,15 +12411,9 @@ index 0000000..f257547
+')
+
diff --git a/cipe.te b/cipe.te
-index a0aa693..9b86dd1 100644
+index 28c8475..9b86dd1 100644
--- a/cipe.te
+++ b/cipe.te
-@@ -1,4 +1,4 @@
--policy_module(cipe, 1.6.0)
-+policy_module(cipe, 1.5.1)
-
- ########################################
- #
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
@@ -14365,15 +12702,9 @@ index 4cc4a5c..99c5cca 100644
+
')
diff --git a/clamav.te b/clamav.te
-index ce3836a..c8c9a5a 100644
+index 8e1fef9..c8c9a5a 100644
--- a/clamav.te
+++ b/clamav.te
-@@ -1,4 +1,4 @@
--policy_module(clamav, 1.11.0)
-+policy_module(clamav, 1.10.6)
-
- ##
- ##
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
@@ -14514,15 +12845,9 @@ index ce3836a..c8c9a5a 100644
')
diff --git a/clockspeed.te b/clockspeed.te
-index d3e2a67..4b8cddc 100644
+index b59c592..4b8cddc 100644
--- a/clockspeed.te
+++ b/clockspeed.te
-@@ -1,4 +1,4 @@
--policy_module(clockspeed, 1.6.0)
-+policy_module(clockspeed, 1.5.1)
-
- ########################################
- #
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
@@ -14563,15 +12888,9 @@ index d3e2a67..4b8cddc 100644
optional_policy(`
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
-index 4a5b3d1..685edff 100644
+index 29782b8..685edff 100644
--- a/clogd.te
+++ b/clogd.te
-@@ -1,4 +1,4 @@
--policy_module(clogd, 1.1.0)
-+policy_module(clogd, 1.0.1)
-
- ########################################
- #
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
logging_send_syslog_msg(clogd_t)
@@ -15029,15 +13348,9 @@ index cc4e7cb..f348d27 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
-index bbdd396..e4c023c 100644
+index d8e9958..e4c023c 100644
--- a/cmirrord.te
+++ b/cmirrord.te
-@@ -1,4 +1,4 @@
--policy_module(cmirrord, 1.1.0)
-+policy_module(cmirrord, 1.0.1)
-
- ########################################
- #
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
@@ -15152,15 +13465,9 @@ index c223f81..8b567c1 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 5f306dd..3a38b11 100644
+index 2a71346..3a38b11 100644
--- a/cobbler.te
+++ b/cobbler.te
-@@ -1,4 +1,4 @@
--policy_module(cobbler, 1.2.0)
-+policy_module(cobbler, 1.1.4)
-
- ########################################
- #
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -15864,16 +14171,10 @@ index 6471fa8..f8b4a5b 100644
+
+auth_read_passwd(httpd_collectd_script_t)
diff --git a/colord.fc b/colord.fc
-index 71639eb..22e0385 100644
+index 717ea0b..22e0385 100644
--- a/colord.fc
+++ b/colord.fc
-@@ -1,11 +1,10 @@
--/usr/lib/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
--/usr/lib/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
--
- /usr/lib/[^/]*/colord/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
- /usr/lib/[^/]*/colord/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-
+@@ -4,5 +4,7 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
@@ -15935,16 +14236,10 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 9f2dfb2..3547d05 100644
+index 09f18e2..3547d05 100644
--- a/colord.te
+++ b/colord.te
-@@ -1,4 +1,4 @@
--policy_module(colord, 1.1.0)
-+policy_module(colord, 1.0.2)
-
- ########################################
- #
-@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
+@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
@@ -15977,7 +14272,7 @@ index 9f2dfb2..3547d05 100644
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
-@@ -74,52 +81,52 @@ dev_read_video_dev(colord_t)
+@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
@@ -16004,25 +14299,22 @@ index 9f2dfb2..3547d05 100644
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
- storage_read_scsi_generic(colord_t)
- storage_write_scsi_generic(colord_t)
+@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
--init_read_state(colord_t)
--
auth_use_nsswitch(colord_t)
--logging_send_syslog_msg(colord_t)
+init_read_state(colord_t)
++
+ logging_send_syslog_msg(colord_t)
-miscfiles_read_localization(colord_t)
-+logging_send_syslog_msg(colord_t)
++systemd_read_logind_sessions_files(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
-')
-+systemd_read_logind_sessions_files(colord_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
@@ -16035,7 +14327,6 @@ index 9f2dfb2..3547d05 100644
optional_policy(`
cups_read_config(colord_t)
cups_read_rw_config(colord_t)
-- cups_read_state(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
+ cups_read_state(colord_t)
@@ -16048,12 +14339,10 @@ index 9f2dfb2..3547d05 100644
')
optional_policy(`
-@@ -135,5 +142,17 @@ optional_policy(`
-
+@@ -133,3 +143,16 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
-- udev_read_pid_files(colord_t)
-+')
+ ')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
@@ -16066,17 +14355,11 @@ index 9f2dfb2..3547d05 100644
+
+optional_policy(`
+ zoneminder_rw_tmpfs_files(colord_t)
- ')
++')
diff --git a/comsat.te b/comsat.te
-index c63cf85..88c4f19 100644
+index 3f6e4dc..88c4f19 100644
--- a/comsat.te
+++ b/comsat.te
-@@ -1,4 +1,4 @@
--policy_module(comsat, 1.8.0)
-+policy_module(comsat, 1.7.1)
-
- ########################################
- #
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
@@ -16101,18 +14384,16 @@ index c63cf85..88c4f19 100644
mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
-index ad2b696..c4450f7 100644
+index 23dc348..c4450f7 100644
--- a/condor.fc
+++ b/condor.fc
-@@ -1,6 +1,5 @@
--/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
--
+@@ -1,4 +1,5 @@
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
-@@ -10,6 +9,8 @@
+@@ -8,6 +9,8 @@
/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
@@ -16122,10 +14403,10 @@ index ad2b696..c4450f7 100644
/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
diff --git a/condor.if b/condor.if
-index 881d92f..e979b3d 100644
+index 3fe3cb8..e979b3d 100644
--- a/condor.if
+++ b/condor.if
-@@ -1,84 +1,396 @@
+@@ -1,81 +1,396 @@
-## High-Throughput Computing System.
+
+## policy for condor
@@ -16366,15 +14647,10 @@ index 881d92f..e979b3d 100644
#
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
- gen_require(`
-- attribute condor_domain;
-- type condor_initrc_exec_config_t, condor_log_t;
-- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
++ gen_require(`
+ type condor_var_lib_t;
- ')
-
-- allow $1 condor_domain:process { ptrace signal_perms };
++ ')
++
+ files_search_var_lib($1)
+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
@@ -16447,10 +14723,15 @@ index 881d92f..e979b3d 100644
+##
+#
+interface(`condor_read_pid_files',`
-+ gen_require(`
+ gen_require(`
+- attribute condor_domain;
+- type condor_initrc_exec_config_t, condor_log_t;
+- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+- type condor_var_run_t, condor_startd_tmp_t;
+ type condor_var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 condor_domain:process { ptrace signal_perms };
+ files_search_pids($1)
+ allow $1 condor_var_run_t:file read_file_perms;
+')
@@ -16478,11 +14759,7 @@ index 881d92f..e979b3d 100644
+
ps_process_pattern($1, condor_domain)
+')
-
-- init_labeled_script_domtrans($1, condor_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 condor_initrc_exec_t system_r;
-- allow $2 system_r;
++
+#######################################
+##
+## Read and write condor_startd server TCP sockets.
@@ -16498,8 +14775,10 @@ index 881d92f..e979b3d 100644
+ type condor_startd_t;
+ ')
-- files_search_etc($1)
-- admin_pattern($1, condor_conf_t)
+- init_labeled_script_domtrans($1, condor_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 condor_initrc_exec_t system_r;
+- allow $2 system_r;
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
@@ -16564,7 +14843,7 @@ index 881d92f..e979b3d 100644
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
-@@ -88,4 +400,13 @@ interface(`condor_admin',`
+@@ -85,4 +400,13 @@ interface(`condor_admin',`
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
@@ -16579,27 +14858,20 @@ index 881d92f..e979b3d 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index ce9f040..8fb887d 100644
+index 3f2b672..8fb887d 100644
--- a/condor.te
+++ b/condor.te
-@@ -1,4 +1,4 @@
--policy_module(condor, 1.0.1)
-+policy_module(condor, 1.0.0)
-
- ########################################
- #
-@@ -34,8 +34,8 @@ files_tmp_file(condor_startd_tmp_t)
+@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
--type condor_conf_t;
--files_config_file(condor_conf_t)
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
-
++
type condor_log_t;
logging_log_file(condor_log_t)
-@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
+
+@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
type condor_var_run_t;
files_pid_file(condor_var_run_t)
@@ -16609,7 +14881,7 @@ index ce9f040..8fb887d 100644
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
-@@ -60,12 +63,18 @@ condor_domain_template(startd)
+@@ -57,15 +63,21 @@ condor_domain_template(startd)
# Global local policy
#
@@ -16624,14 +14896,19 @@ index ce9f040..8fb887d 100644
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
-
--rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
++
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
- manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
-@@ -86,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
+-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
+-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
++manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
+ logging_log_filetrans(condor_domain, condor_log_t, { dir file })
+
+ manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
+@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
allow condor_domain condor_master_t:process signull;
allow condor_domain condor_master_t:tcp_socket getattr;
@@ -16649,18 +14926,19 @@ index ce9f040..8fb887d 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -109,9 +116,7 @@ dev_read_rand(condor_domain)
+@@ -106,9 +116,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
-logging_send_syslog_msg(condor_domain)
--
--miscfiles_read_localization(condor_domain)
+auth_read_passwd(condor_domain)
- sysnet_dns_name_resolve(condor_domain)
+-miscfiles_read_localization(condor_domain)
++sysnet_dns_name_resolve(condor_domain)
-@@ -130,7 +135,7 @@ optional_policy(`
+ tunable_policy(`condor_tcp_network_connect',`
+ corenet_sendrecv_all_client_packets(condor_domain)
+@@ -125,7 +135,7 @@ optional_policy(`
# Master local policy
#
@@ -16669,7 +14947,7 @@ index ce9f040..8fb887d 100644
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -138,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@@ -16680,7 +14958,7 @@ index ce9f040..8fb887d 100644
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
@@ -16689,7 +14967,7 @@ index ce9f040..8fb887d 100644
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
-@@ -174,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -16698,7 +14976,7 @@ index ce9f040..8fb887d 100644
#####################################
#
# Negotiator local policy
-@@ -183,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -16707,15 +14985,17 @@ index ce9f040..8fb887d 100644
######################################
#
# Procd local policy
-@@ -192,6 +207,7 @@ allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace
+@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
- allow condor_procd_t condor_domain:process sigkill;
+ allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+-allow condor_procd_t condor_startd_t:process sigkill;
++allow condor_procd_t condor_domain:process sigkill;
+
+
domain_read_all_domains_state(condor_procd_t)
- #######################################
-@@ -206,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -16724,7 +15004,7 @@ index ce9f040..8fb887d 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -214,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -16733,7 +15013,7 @@ index ce9f040..8fb887d 100644
#####################################
#
# Startd local policy
-@@ -238,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -16746,7 +15026,7 @@ index ce9f040..8fb887d 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -254,3 +273,7 @@ optional_policy(`
+@@ -249,3 +273,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -17110,15 +15390,9 @@ index 5b830ec..0647a3b 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
-index bd18063..580dff0 100644
+index 5f0c793..580dff0 100644
--- a/consolekit.te
+++ b/consolekit.te
-@@ -1,4 +1,4 @@
--policy_module(consolekit, 1.9.0)
-+policy_module(consolekit, 1.8.4)
-
- ########################################
- #
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
@@ -17148,14 +15422,14 @@ index bd18063..580dff0 100644
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-@@ -54,42 +56,44 @@ dev_read_sysfs(consolekit_t)
+@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
-files_read_usr_files(consolekit_t)
-+# needs to read /var/lib/dbus/machine-id
+ # needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
@@ -17168,11 +15442,9 @@ index bd18063..580dff0 100644
auth_use_nsswitch(consolekit_t)
auth_manage_pam_console_data(consolekit_t)
auth_write_login_records(consolekit_t)
--auth_create_pam_console_data_dirs(consolekit_t)
--auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
-+
-+init_read_utmp(consolekit_t)
++init_read_utmp(consolekit_t)
++
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
@@ -17187,25 +15459,17 @@ index bd18063..580dff0 100644
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(consolekit_t)
+-')
+userdom_home_reader(consolekit_t)
-+
-+optional_policy(`
-+ cron_read_system_job_lib_files(consolekit_t)
- ')
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(consolekit_t)
-+ifdef(`distro_debian',`
-+ auth_create_pam_console_data_dirs(consolekit_t)
-+ auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
++optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
')
- optional_policy(`
-- dbus_read_lib_files(consolekit_t)
- dbus_system_domain(consolekit_t, consolekit_exec_t)
-
- optional_policy(`
-@@ -109,13 +113,6 @@ optional_policy(`
+ ifdef(`distro_debian',`
+@@ -112,13 +113,6 @@ optional_policy(`
')
')
@@ -17352,15 +15616,9 @@ index 694a037..b836c07 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index d5aa1e4..691ca11 100644
+index eeea48d..691ca11 100644
--- a/corosync.te
+++ b/corosync.te
-@@ -1,4 +1,4 @@
--policy_module(corosync, 1.1.0)
-+policy_module(corosync, 1.0.7)
-
- ########################################
- #
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
type corosync_var_run_t;
files_pid_file(corosync_var_run_t)
@@ -17453,50 +15711,33 @@ index c086302..5d94628 100644
+
+/usr/lib/erlang/lib/couch-.*/priv/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
-index 715a826..3f0c0dc 100644
+index 83d6744..3f0c0dc 100644
--- a/couchdb.if
+++ b/couchdb.if
-@@ -2,7 +2,7 @@
+@@ -2,6 +2,44 @@
########################################
##
--## Read couchdb log files.
+## Allow to read couchdb log files.
- ##
- ##
- ##
-@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
- type couchdb_log_t;
- ')
-
-- logging_search_logs($1)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_read_log_files',`
++ gen_require(`
++ type couchdb_log_t;
++ ')
++
+ files_search_var_lib($1)
- read_files_pattern($1, couchdb_log_t, couchdb_log_t)
- ')
-
- ########################################
- ##
--## Read, write, and create couchdb lib files.
++ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++##
+## Allow to read couchdb lib files.
- ##
- ##
- ##
-@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
- ##
- ##
- #
--interface(`couchdb_manage_lib_files',`
-+interface(`couchdb_read_lib_files',`
- gen_require(`
- type couchdb_var_lib_t;
- ')
-@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
-
- ########################################
- ##
--## Read couchdb config files.
-+## All of the rules required to
-+## administrate an couchdb environment.
+##
+##
+##
@@ -17504,6 +15745,25 @@ index 715a826..3f0c0dc 100644
+##
+##
+#
++interface(`couchdb_read_lib_files',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an couchdb environment.
+ ##
+@@ -10,6 +48,151 @@
+ ## Domain allowed access.
+ ##
+ ##
++#
+interface(`couchdb_manage_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
@@ -17535,30 +15795,38 @@ index 715a826..3f0c0dc 100644
+########################################
+##
+## Allow to read couchdb conf files.
- ##
- ##
- ##
-@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
- type couchdb_conf_t;
- ')
-
-- files_search_etc($1)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_read_conf_files',`
++ gen_require(`
++ type couchdb_conf_t;
++ ')
++
+ files_search_var_lib($1)
- read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
- ')
-
- ########################################
- ##
--## Read couchdb pid files.
++ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
++')
++
++########################################
++##
+## Read couchdb PID files.
- ##
- ##
- ##
-@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',`
- ')
-
- files_search_pids($1)
-- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_read_pid_files',`
++ gen_require(`
++ type couchdb_var_run_t;
++ ')
++
++ files_search_pids($1)
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
@@ -17603,20 +15871,17 @@ index 715a826..3f0c0dc 100644
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
- ')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an couchdb environment.
++')
++
++########################################
++##
+## Execute couchdb server in the couchdb domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed to transition.
- ##
- ##
++##
++##
+#
+interface(`couchdb_systemctl',`
+ gen_require(`
@@ -17646,7 +15911,7 @@ index 715a826..3f0c0dc 100644
##
##
## Role allowed access.
-@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',`
+@@ -19,14 +202,19 @@
#
interface(`couchdb_admin',`
gen_require(`
@@ -17667,7 +15932,7 @@ index 715a826..3f0c0dc 100644
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -122,4 +234,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +234,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
@@ -17682,15 +15947,9 @@ index 715a826..3f0c0dc 100644
+ ')
')
diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..509e73c 100644
+index 503adab..509e73c 100644
--- a/couchdb.te
+++ b/couchdb.te
-@@ -1,4 +1,4 @@
--policy_module(couchdb, 1.1.1)
-+policy_module(couchdb, 1.0.2)
-
- ########################################
- #
@@ -27,6 +27,13 @@ files_type(couchdb_var_lib_t)
type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)
@@ -17773,18 +16032,11 @@ index ae1c1b1..509e73c 100644
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
-index 2f017a0..cbecde8 100644
+index 8a4b596..cbecde8 100644
--- a/courier.fc
+++ b/courier.fc
-@@ -4,24 +4,23 @@
- /usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-
- /usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
--/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
- /usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
- /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+@@ -9,17 +9,18 @@
/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
--/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
@@ -17987,15 +16239,9 @@ index 10f820f..acdb179 100644
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
-index ae3bc70..1499c3f 100644
+index 77bb077..1499c3f 100644
--- a/courier.te
+++ b/courier.te
-@@ -1,4 +1,4 @@
--policy_module(courier, 1.14.0)
-+policy_module(courier, 1.13.2)
-
- ########################################
- #
@@ -18,7 +18,7 @@ type courier_etc_t;
files_config_file(courier_etc_t)
@@ -18074,15 +16320,9 @@ index ae3bc70..1499c3f 100644
########################################
#
diff --git a/cpucontrol.te b/cpucontrol.te
-index af72c4e..155a337 100644
+index 2f1aad6..155a337 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
-@@ -1,4 +1,4 @@
--policy_module(cpucontrol, 1.4.0)
-+policy_module(cpucontrol, 1.3.2)
-
- ########################################
- #
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
init_use_fds(cpucontrol_domain)
init_use_script_ptys(cpucontrol_domain)
@@ -18117,15 +16357,9 @@ index af72c4e..155a337 100644
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
-index 6cedb87..7fd7d8f 100644
+index a3bbc21..7fd7d8f 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
-@@ -1,4 +1,4 @@
--policy_module(cpufreqselector, 1.4.0)
-+policy_module(cpufreqselector, 1.3.1)
-
- ########################################
- #
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
# Local policy
#
@@ -18160,79 +16394,47 @@ index 6cedb87..7fd7d8f 100644
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cron.fc b/cron.fc
-index ad0bae9..a665f12 100644
+index 6e76215..a665f12 100644
--- a/cron.fc
+++ b/cron.fc
-@@ -1,66 +1,74 @@
--/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-
--/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
--/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+@@ -3,6 +3,9 @@
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
--/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
--/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++
+ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+@@ -12,9 +15,7 @@
+ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
--/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
-+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
--/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
--/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
-+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
-+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
-+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
--/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+-
+-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
-+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-
--/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
--/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-
--/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-
--/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
--/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+ /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+@@ -27,13 +28,23 @@
+
+ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
-+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-+/var/spool/cron/[^/]* -- <>
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ /var/spool/cron/[^/]* -- <>
--/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
--#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--/var/spool/cron/[^/]* -- <>
+-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+')
-
--/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
@@ -18243,39 +16445,31 @@ index ad0bae9..a665f12 100644
/var/spool/cron/crontabs/.* -- <>
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
--/var/spool/fcron/.* <>
-+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/fcron/.* <>
- /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+@@ -44,18 +55,20 @@
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
ifdef(`distro_debian',`
--/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/atjobs/[^/]* -- <>
--/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
')
ifdef(`distro_gentoo',`
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
')
-ifdef(`distro_suse',`
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
--/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
@@ -19243,11 +17437,11 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 7de3859..439a761 100644
+index 28e1b86..439a761 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
--policy_module(cron, 2.6.3)
+-policy_module(cron, 2.5.10)
+policy_module(cron, 2.2.1)
gen_require(`
@@ -19486,7 +17680,7 @@ index 7de3859..439a761 100644
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,73 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -19557,7 +17751,7 @@ index 7de3859..439a761 100644
+# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
- files_read_all_locks(crond_t)
++files_read_all_locks(crond_t)
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
@@ -19590,7 +17784,7 @@ index 7de3859..439a761 100644
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
-@@ -312,41 +250,46 @@ logging_set_loginuid(crond_t)
+@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -19653,7 +17847,7 @@ index 7de3859..439a761 100644
')
optional_policy(`
-@@ -354,118 +297,149 @@ optional_policy(`
+@@ -353,102 +297,136 @@ optional_policy(`
')
optional_policy(`
@@ -19751,7 +17945,6 @@ index 7de3859..439a761 100644
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
--allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -19822,10 +18015,7 @@ index 7de3859..439a761 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
--allow system_cronjob_t crond_tmp_t:file { read write };
--
- kernel_read_kernel_sysctls(system_cronjob_t)
- kernel_read_network_state(system_cronjob_t)
+@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -19838,7 +18028,7 @@ index 7de3859..439a761 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -485,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -19846,7 +18036,7 @@ index 7de3859..439a761 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -495,17 +470,20 @@ files_getattr_all_files(system_cronjob_t)
+@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -19861,18 +18051,15 @@ index 7de3859..439a761 100644
-mls_file_read_to_clearance(system_cronjob_t)
-
--init_domtrans_script(system_cronjob_t)
--init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
-+init_domtrans_script(system_cronjob_t)
+ init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-
-@@ -516,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -19902,7 +18089,7 @@ index 7de3859..439a761 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -539,27 +523,26 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -19914,30 +18101,25 @@ index 7de3859..439a761 100644
+ apache_manage_lib(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
++')
++
++optional_policy(`
++ bind_read_config(system_cronjob_t)
')
optional_policy(`
-- cyrus_manage_data(system_cronjob_t)
-+ bind_read_config(system_cronjob_t)
- ')
+@@ -546,10 +543,6 @@ optional_policy(`
optional_policy(`
-- dbus_system_bus_client(system_cronjob_t)
+ dbus_system_bus_client(system_cronjob_t)
-
- optional_policy(`
- networkmanager_dbus_chat(system_cronjob_t)
- ')
-+ cyrus_manage_data(system_cronjob_t)
- ')
-
- optional_policy(`
-- devicekit_read_pid_files(system_cronjob_t)
-- devicekit_append_inherited_log_files(system_cronjob_t)
-+ dbus_system_bus_client(system_cronjob_t)
')
optional_policy(`
-@@ -591,6 +574,7 @@ optional_policy(`
+@@ -581,6 +574,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -19945,22 +18127,24 @@ index 7de3859..439a761 100644
')
optional_policy(`
-@@ -598,7 +582,23 @@ optional_policy(`
+@@ -588,15 +582,23 @@ optional_policy(`
')
optional_policy(`
+- postfix_read_config(system_cronjob_t)
+ networkmanager_dbus_chat(system_cronjob_t)
-+')
-+
-+optional_policy(`
- postfix_read_config(system_cronjob_t)
+ ')
+
+ optional_policy(`
++ postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
-+ prelink_delete_cache(system_cronjob_t)
-+ prelink_manage_lib(system_cronjob_t)
-+ prelink_manage_log(system_cronjob_t)
-+ prelink_read_cache(system_cronjob_t)
+ prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+- prelink_relabelfrom_lib(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
+')
+
@@ -19969,7 +18153,7 @@ index 7de3859..439a761 100644
')
optional_policy(`
-@@ -608,6 +608,7 @@ optional_policy(`
+@@ -606,6 +608,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -19977,7 +18161,7 @@ index 7de3859..439a761 100644
')
optional_policy(`
-@@ -615,12 +616,24 @@ optional_policy(`
+@@ -613,12 +616,24 @@ optional_policy(`
')
optional_policy(`
@@ -20004,7 +18188,7 @@ index 7de3859..439a761 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -20038,7 +18222,7 @@ index 7de3859..439a761 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -20128,30 +18312,31 @@ index 7de3859..439a761 100644
+# Unconfined cronjobs local policy
#
--type unconfined_cronjob_t;
--domain_type(unconfined_cronjob_t)
--domain_cron_exemption_target(unconfined_cronjob_t)
--
--dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ optional_policy(`
+- type unconfined_cronjob_t;
+- domain_type(unconfined_cronjob_t)
+- domain_cron_exemption_target(unconfined_cronjob_t)
-
--tunable_policy(`cron_userdomain_transition',`
-- dontaudit crond_t unconfined_cronjob_t:process transition;
-- dontaudit crond_t unconfined_cronjob_t:fd use;
-- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
--',`
-+optional_policy(`
+ # Permit a transition from the crond_t domain to this domain.
+ # The transition is requested explicitly by the modified crond
+ # via setexeccon. There is no way to set up an automatic
+ # transition, since crontabs are configuration files, not executables.
- allow crond_t unconfined_cronjob_t:process transition;
-+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
- allow crond_t unconfined_cronjob_t:fd use;
-- allow crond_t unconfined_cronjob_t:key manage_key_perms;
-+
-+ unconfined_domain(unconfined_cronjob_t)
++ allow crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
++ allow crond_t unconfined_cronjob_t:fd use;
+
+ unconfined_domain(unconfined_cronjob_t)
+')
-+
+
+- tunable_policy(`cron_userdomain_transition',`
+- dontaudit crond_t unconfined_cronjob_t:process transition;
+- dontaudit crond_t unconfined_cronjob_t:fd use;
+- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+- ',`
+- allow crond_t unconfined_cronjob_t:process transition;
+- allow crond_t unconfined_cronjob_t:fd use;
+- allow crond_t unconfined_cronjob_t:key manage_key_perms;
+- ')
+##############################
+#
+# crontab common policy
@@ -20210,10 +18395,9 @@ index 7de3859..439a761 100644
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit crontab_domain crond_t:process signal;
- ')
-
- optional_policy(`
-- unconfined_domain(unconfined_cronjob_t)
++')
++
++optional_policy(`
+ ssh_dontaudit_use_ptys(crontab_domain)
+')
+
@@ -20533,15 +18717,9 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 001b502..7725178 100644
+index 6ce66e7..7725178 100644
--- a/ctdb.te
+++ b/ctdb.te
-@@ -1,4 +1,4 @@
--policy_module(ctdb, 1.1.0)
-+policy_module(ctdb, 1.0.3)
-
- ########################################
- #
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
type ctdbd_var_lib_t;
files_type(ctdbd_var_lib_t)
@@ -20770,7 +18948,7 @@ index 949011e..9437dbe 100644
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
-index 3023be7..c18145d 100644
+index 06da9a0..c18145d 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -20788,39 +18966,37 @@ index 3023be7..c18145d 100644
')
########################################
-@@ -306,22 +309,25 @@ interface(`cups_stream_connect_ptal',`
+@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
########################################
##
--## Read the process state (/proc/pid) of cupsd.
+## Execute cupsd server in the cupsd domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed to transition.
- ##
- ##
- #
--interface(`cups_read_state',`
++##
++##
++#
+interface(`cupsd_systemctl',`
- gen_require(`
- type cupsd_t;
++ gen_require(`
++ type cupsd_t;
+ type cupsd_unit_file_t;
- ')
-
-- allow $1 cupsd_t:dir search_dir_perms;
-- allow $1 cupsd_t:file read_file_perms;
-- allow $1 cupsd_t:lnk_file read_lnk_file_perms;
++ ')
++
+ systemd_exec_systemctl($1)
+ allow $1 cupsd_unit_file_t:file read_file_perms;
+ allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cupsd_t)
- ')
-
- ########################################
-@@ -344,18 +350,23 @@ interface(`cups_read_state',`
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an cups environment.
+ ##
+@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -20849,7 +19025,7 @@ index 3023be7..c18145d 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -368,13 +379,64 @@ interface(`cups_admin',`
+@@ -348,13 +379,64 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
@@ -20920,15 +19096,10 @@ index 3023be7..c18145d 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index c91813c..e694e2f 100644
+index 9f34c2e..e694e2f 100644
--- a/cups.te
+++ b/cups.te
-@@ -1,23 +1,35 @@
--policy_module(cups, 1.16.2)
-+policy_module(cups, 1.15.9)
-
- ########################################
- #
+@@ -5,19 +5,31 @@ policy_module(cups, 1.15.9)
# Declarations
#
@@ -21094,8 +19265,15 @@ index c91813c..e694e2f 100644
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -133,28 +166,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+
+ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
@@ -21122,7 +19300,7 @@ index c91813c..e694e2f 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@@ -21134,7 +19312,7 @@ index c91813c..e694e2f 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -21159,7 +19337,7 @@ index c91813c..e694e2f 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
-@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@@ -21167,7 +19345,7 @@ index c91813c..e694e2f 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -21189,7 +19367,7 @@ index c91813c..e694e2f 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
-@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -21198,7 +19376,7 @@ index c91813c..e694e2f 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -21220,18 +19398,19 @@ index c91813c..e694e2f 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
- userdom_dontaudit_search_user_home_content(cupsd_t)
-+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
-+
++userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+ userdom_dontaudit_search_user_home_content(cupsd_t)
+
+tunable_policy(`cups_execmem',`
+ allow cupsd_t self:process { execmem execstack };
+')
+
-
++
optional_policy(`
apm_domtrans_client(cupsd_t)
-@@ -272,6 +320,8 @@ optional_policy(`
+ ')
+@@ -275,6 +320,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -21240,7 +19419,7 @@ index c91813c..e694e2f 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -282,8 +332,10 @@ optional_policy(`
+@@ -285,8 +332,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -21251,7 +19430,7 @@ index c91813c..e694e2f 100644
')
')
-@@ -296,8 +348,8 @@ optional_policy(`
+@@ -299,8 +348,8 @@ optional_policy(`
')
optional_policy(`
@@ -21261,7 +19440,7 @@ index c91813c..e694e2f 100644
')
optional_policy(`
-@@ -306,7 +358,6 @@ optional_policy(`
+@@ -309,7 +358,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -21269,7 +19448,7 @@ index c91813c..e694e2f 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -334,7 +385,11 @@ optional_policy(`
+@@ -337,7 +385,11 @@ optional_policy(`
')
optional_policy(`
@@ -21282,7 +19461,7 @@ index c91813c..e694e2f 100644
')
########################################
-@@ -342,12 +397,11 @@ optional_policy(`
+@@ -345,12 +397,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -21298,7 +19477,7 @@ index c91813c..e694e2f 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -21319,7 +19498,7 @@ index c91813c..e694e2f 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -21340,7 +19519,7 @@ index c91813c..e694e2f 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -21352,7 +19531,7 @@ index c91813c..e694e2f 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +488,12 @@ optional_policy(`
+@@ -452,9 +488,12 @@ optional_policy(`
')
optional_policy(`
@@ -21366,7 +19545,7 @@ index c91813c..e694e2f 100644
')
optional_policy(`
-@@ -487,10 +529,6 @@ optional_policy(`
+@@ -490,10 +529,6 @@ optional_policy(`
# Lpd local policy
#
@@ -21377,7 +19556,7 @@ index c91813c..e694e2f 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,28 +546,16 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +546,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -21390,24 +19569,18 @@ index c91813c..e694e2f 100644
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
--corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
--
--corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
- corenet_tcp_bind_printer_port(cupsd_lpd_t)
--corenet_tcp_sendrecv_printer_port(cupsd_lpd_t)
--
--corenet_sendrecv_printer_client_packets(cupsd_lpd_t)
- corenet_tcp_connect_printer_port(cupsd_lpd_t)
--
++corenet_tcp_bind_printer_port(cupsd_lpd_t)
++corenet_tcp_connect_printer_port(cupsd_lpd_t)
+ corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
+
-dev_read_urand(cupsd_lpd_t)
-dev_read_rand(cupsd_lpd_t)
-
-fs_getattr_xattr_fs(cupsd_lpd_t)
-+corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
-
+-
files_search_home(cupsd_lpd_t)
-@@ -537,9 +563,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -21417,7 +19590,7 @@ index c91813c..e694e2f 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -550,7 +573,6 @@ optional_policy(`
+@@ -546,7 +573,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -21425,7 +19598,7 @@ index c91813c..e694e2f 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -21547,15 +19720,17 @@ index c91813c..e694e2f 100644
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
--
--optional_policy(`
++userdom_home_manager(cups_pdf_t)
+
+ optional_policy(`
- dbus_system_bus_client(hplip_t)
-
- optional_policy(`
- userdom_dbus_send_all_users(hplip_t)
- ')
--')
--
++ gnome_read_config(cups_pdf_t)
+ ')
+
-optional_policy(`
- lpd_read_config(hplip_t)
- lpd_manage_spool(hplip_t)
@@ -21564,20 +19739,18 @@ index c91813c..e694e2f 100644
-optional_policy(`
- seutil_sigchld_newrole(hplip_t)
-')
-+userdom_home_manager(cups_pdf_t)
-
- optional_policy(`
+-
+-optional_policy(`
- snmp_read_snmp_var_lib_files(hplip_t)
-+ gnome_read_config(cups_pdf_t)
- ')
-
+-')
+-
-optional_policy(`
- udev_read_db(hplip_t)
-')
########################################
#
-@@ -735,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -21585,7 +19758,7 @@ index c91813c..e694e2f 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -21599,7 +19772,7 @@ index c91813c..e694e2f 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -759,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -21608,7 +19781,7 @@ index c91813c..e694e2f 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +665,4 @@ optional_policy(`
+@@ -769,3 +665,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -21625,7 +19798,7 @@ index 75c8be9..9dcffb2 100644
/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
diff --git a/cvs.if b/cvs.if
-index 64775fd..089c8d4 100644
+index 9fa7ffb..089c8d4 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
@@ -21677,10 +19850,12 @@ index 64775fd..089c8d4 100644
## All of the rules required to
## administrate an cvs environment
##
-@@ -60,19 +96,22 @@ interface(`cvs_admin',`
+@@ -59,12 +95,18 @@ interface(`cvs_exec',`
+ interface(`cvs_admin',`
gen_require(`
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
- type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+- type cvs_data_t, cvs_var_run_t;
++ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ type cvs_home_t;
')
@@ -21696,15 +19871,7 @@ index 64775fd..089c8d4 100644
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_etc($1)
-- admin_pattern($1, cvs_keytab_t)
--
- files_list_tmp($1)
- admin_pattern($1, cvs_tmp_t)
-
-@@ -81,4 +120,7 @@ interface(`cvs_admin',`
+@@ -78,4 +120,7 @@ interface(`cvs_admin',`
files_list_pids($1)
admin_pattern($1, cvs_var_run_t)
@@ -21713,16 +19880,10 @@ index 64775fd..089c8d4 100644
+ admin_pattern($1, cvs_home_t)
')
diff --git a/cvs.te b/cvs.te
-index 0f77550..d7cdaaf 100644
+index 53fc3af..d7cdaaf 100644
--- a/cvs.te
+++ b/cvs.te
-@@ -1,4 +1,4 @@
--policy_module(cvs, 1.10.2)
-+policy_module(cvs, 1.9.1)
-
- ########################################
- #
-@@ -11,12 +11,12 @@ policy_module(cvs, 1.10.2)
+@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
## password files.
##
##
@@ -21732,21 +19893,11 @@ index 0f77550..d7cdaaf 100644
type cvs_t;
type cvs_exec_t;
inetd_tcp_service_domain(cvs_t, cvs_exec_t)
--init_daemon_domain(cvs_t, cvs_exec_t)
+init_domain(cvs_t, cvs_exec_t)
application_executable_file(cvs_exec_t)
type cvs_data_t; # customizable
-@@ -25,32 +25,32 @@ files_type(cvs_data_t)
- type cvs_initrc_exec_t;
- init_script_file(cvs_initrc_exec_t)
-
--type cvs_keytab_t;
--files_type(cvs_keytab_t)
--
- type cvs_tmp_t;
- files_tmp_file(cvs_tmp_t)
-
+@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t)
type cvs_var_run_t;
files_pid_file(cvs_var_run_t)
@@ -21763,46 +19914,30 @@ index 0f77550..d7cdaaf 100644
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow cvs_t self:tcp_socket { accept listen };
-+
+
+userdom_search_user_home_dirs(cvs_t)
+allow cvs_t cvs_home_t:file read_file_perms;
-
++
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t)
+ corecmd_exec_bin(cvs_t)
+ corecmd_exec_shell(cvs_t)
--allow cvs_t cvs_keytab_t:file read_file_perms;
--
- manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
- manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
- files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
-@@ -62,17 +62,17 @@ kernel_read_kernel_sysctls(cvs_t)
- kernel_read_system_state(cvs_t)
- kernel_read_network_state(cvs_t)
-
--corenet_all_recvfrom_unlabeled(cvs_t)
-+corecmd_exec_bin(cvs_t)
-+corecmd_exec_shell(cvs_t)
-+
- corenet_all_recvfrom_netlabel(cvs_t)
- corenet_tcp_sendrecv_generic_if(cvs_t)
++corenet_all_recvfrom_netlabel(cvs_t)
++corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
- corenet_tcp_sendrecv_generic_node(cvs_t)
--
--corenet_sendrecv_cvs_server_packets(cvs_t)
++corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
- corenet_tcp_bind_cvs_port(cvs_t)
--corenet_tcp_sendrecv_cvs_port(cvs_t)
--
--corecmd_exec_bin(cvs_t)
--corecmd_exec_shell(cvs_t)
-
++corenet_tcp_bind_cvs_port(cvs_t)
++
dev_read_urand(cvs_t)
-@@ -86,26 +86,23 @@ auth_use_nsswitch(cvs_t)
+ files_read_etc_runtime_files(cvs_t)
+@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
@@ -21824,31 +19959,16 @@ index 0f77550..d7cdaaf 100644
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
-
- optional_policy(`
-+ kerberos_keytab_template(cvs, cvs_t)
- kerberos_read_config(cvs_t)
-- kerberos_read_keytab(cvs_t)
-- kerberos_use(cvs_t)
- kerberos_dontaudit_write_config(cvs_t)
- ')
-
-@@ -120,4 +117,5 @@ optional_policy(`
+@@ -103,4 +117,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
-index 77ffc73..556f1ac 100644
+index 916427f..556f1ac 100644
--- a/cyphesis.te
+++ b/cyphesis.te
-@@ -1,4 +1,4 @@
--policy_module(cyphesis, 1.3.0)
-+policy_module(cyphesis, 1.2.2)
-
- ########################################
- #
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
corecmd_search_bin(cyphesis_t)
corecmd_getattr_bin_files(cyphesis_t)
@@ -21872,7 +19992,7 @@ index 77ffc73..556f1ac 100644
optional_policy(`
diff --git a/cyrus.if b/cyrus.if
-index 83bfda6..a2860e3 100644
+index 6508280..a2860e3 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
@@ -21901,11 +20021,8 @@ index 83bfda6..a2860e3 100644
########################################
##
## Connect to Cyrus using a unix
-@@ -61,20 +80,20 @@ interface(`cyrus_admin',`
- gen_require(`
- type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+@@ -63,9 +82,13 @@ interface(`cyrus_admin',`
type cyrus_var_run_t, cyrus_initrc_exec_t;
-- type cyrus_keytab_t;
')
- allow $1 cyrus_t:process { ptrace signal_perms };
@@ -21919,35 +20036,11 @@ index 83bfda6..a2860e3 100644
init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_list_etc($1)
-- admin_pattern($1, cyrus_keytab_t)
--
- files_list_tmp($1)
- admin_pattern($1, cyrus_tmp_t)
-
diff --git a/cyrus.te b/cyrus.te
-index 4283f2d..bf8db3c 100644
+index 395f97c..bf8db3c 100644
--- a/cyrus.te
+++ b/cyrus.te
-@@ -1,4 +1,4 @@
--policy_module(cyrus, 1.13.1)
-+policy_module(cyrus, 1.12.2)
-
- ########################################
- #
-@@ -12,9 +12,6 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)
- type cyrus_initrc_exec_t;
- init_script_file(cyrus_initrc_exec_t)
-
--type cyrus_keytab_t;
--files_type(cyrus_keytab_t)
--
- type cyrus_tmp_t;
- files_tmp_file(cyrus_tmp_t)
-
-@@ -29,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
+@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
@@ -21956,16 +20049,7 @@ index 4283f2d..bf8db3c 100644
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
-@@ -44,8 +41,6 @@ allow cyrus_t self:unix_dgram_socket sendto;
- allow cyrus_t self:unix_stream_socket { accept connectto listen };
- allow cyrus_t self:tcp_socket { accept listen };
-
--allow cyrus_t cyrus_keytab_t:file read_file_perms;
--
- manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
- manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
- files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
-@@ -63,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t)
+@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
@@ -21973,7 +20057,7 @@ index 4283f2d..bf8db3c 100644
corenet_all_recvfrom_netlabel(cyrus_t)
corenet_tcp_sendrecv_generic_if(cyrus_t)
corenet_tcp_sendrecv_generic_node(cyrus_t)
-@@ -76,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@@ -21983,7 +20067,7 @@ index 4283f2d..bf8db3c 100644
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
-@@ -95,8 +92,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
@@ -21992,7 +20076,7 @@ index 4283f2d..bf8db3c 100644
fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)
-@@ -107,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
+@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
@@ -22000,21 +20084,18 @@ index 4283f2d..bf8db3c 100644
miscfiles_read_generic_certs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
-@@ -121,8 +115,11 @@ optional_policy(`
+@@ -116,6 +115,10 @@ optional_policy(`
')
optional_policy(`
-- kerberos_read_keytab(cyrus_t)
-- kerberos_use(cyrus_t)
+ dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
-+ kerberos_keytab_template(cyrus, cyrus_t)
+ kerberos_keytab_template(cyrus, cyrus_t)
')
- optional_policy(`
-@@ -134,8 +131,8 @@ optional_policy(`
+@@ -128,8 +131,8 @@ optional_policy(`
')
optional_policy(`
@@ -22035,15 +20116,9 @@ index 3b3d9a0..6c8106a 100644
')
+
diff --git a/daemontools.te b/daemontools.te
-index ee1b4aa..2569147 100644
+index 0165962..2569147 100644
--- a/daemontools.te
+++ b/daemontools.te
-@@ -1,4 +1,4 @@
--policy_module(daemontools, 1.3.0)
-+policy_module(daemontools, 1.2.1)
-
- ########################################
- #
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
allow svc_multilog_t svc_start_t:fd use;
allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
@@ -22091,15 +20166,9 @@ index ee1b4aa..2569147 100644
-
-miscfiles_read_localization(svc_start_t)
diff --git a/dante.te b/dante.te
-index 5a5e290..fff0987 100644
+index 98a2d6a..fff0987 100644
--- a/dante.te
+++ b/dante.te
-@@ -1,4 +1,4 @@
--policy_module(dante, 1.9.0)
-+policy_module(dante, 1.8.2)
-
- ########################################
- #
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
domain_use_interactive_fds(dante_t)
@@ -22109,15 +20178,9 @@ index 5a5e290..fff0987 100644
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
-index b60c464..f7c0e61 100644
+index a67870a..f7c0e61 100644
--- a/dbadm.te
+++ b/dbadm.te
-@@ -1,4 +1,4 @@
--policy_module(dbadm, 1.1.0)
-+policy_module(dbadm, 1.0.1)
-
- ########################################
- #
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
role dbadm_r;
@@ -22151,23 +20214,10 @@ index b60c464..f7c0e61 100644
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
-diff --git a/dbskk.fc b/dbskk.fc
-index 6fb8fea..7af2590 100644
---- a/dbskk.fc
-+++ b/dbskk.fc
-@@ -1 +1,2 @@
-+
- /usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/dbskk.te b/dbskk.te
-index f55c420..719583e 100644
+index 188e2e6..719583e 100644
--- a/dbskk.te
+++ b/dbskk.te
-@@ -1,4 +1,4 @@
--policy_module(dbskk, 1.6.0)
-+policy_module(dbskk, 1.5.1)
-
- ########################################
- #
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
kernel_read_network_state(dbskkd_t)
@@ -22231,7 +20281,7 @@ index dda905b..ccd0ba9 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..8cc440f 100644
+index afcf3a2..8cc440f 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -22693,7 +20743,7 @@ index 62d22cb..8cc440f 100644
##
##
##
-@@ -349,20 +362,18 @@ interface(`dbus_read_config',`
+@@ -349,19 +362,18 @@ interface(`dbus_read_config',`
##
##
#
@@ -22707,7 +20757,6 @@ index 62d22cb..8cc440f 100644
- files_search_var_lib($1)
- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-- read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ allow $1 system_dbusd_t:dbus send_msg;
')
@@ -22719,7 +20768,7 @@ index 62d22cb..8cc440f 100644
##
##
##
-@@ -370,26 +381,20 @@ interface(`dbus_read_lib_files',`
+@@ -369,26 +381,20 @@ interface(`dbus_read_lib_files',`
##
##
#
@@ -22752,7 +20801,7 @@ index 62d22cb..8cc440f 100644
##
##
## Type to be used as a domain.
-@@ -397,81 +402,67 @@ interface(`dbus_manage_lib_files',`
+@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -22862,7 +20911,7 @@ index 62d22cb..8cc440f 100644
##
##
##
-@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',`
+@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',`
##
##
#
@@ -22886,7 +20935,7 @@ index 62d22cb..8cc440f 100644
##
##
##
-@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',`
+@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',`
##
##
#
@@ -23013,7 +21062,7 @@ index 62d22cb..8cc440f 100644
##
##
##
-@@ -597,28 +570,49 @@ interface(`dbus_use_system_bus_fds',`
+@@ -596,28 +570,49 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -23072,11 +21121,11 @@ index 62d22cb..8cc440f 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
diff --git a/dbus.te b/dbus.te
-index c9998c8..2ead441 100644
+index 2c2e7e1..2ead441 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
--policy_module(dbus, 1.19.0)
+-policy_module(dbus, 1.18.8)
+policy_module(dbus, 1.17.0)
gen_require(`
@@ -23452,8 +21501,8 @@ index c9998c8..2ead441 100644
# Unconfined access to this module
#
--allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
--allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+-allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
+-allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
@@ -23483,15 +21532,9 @@ index a5c21e0..4639421 100644
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
diff --git a/dcc.te b/dcc.te
-index 353fa4a..cecb0da 100644
+index 15d908f..cecb0da 100644
--- a/dcc.te
+++ b/dcc.te
-@@ -1,4 +1,4 @@
--policy_module(dcc, 1.12.0)
-+policy_module(dcc, 1.11.1)
-
- ########################################
- #
@@ -45,7 +45,7 @@ type dcc_var_t;
files_type(dcc_var_t)
@@ -23661,15 +21704,9 @@ index 5606b40..cd18cf2 100644
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
-index a4caa1b..2efb435 100644
+index 0b4b8b9..2efb435 100644
--- a/ddclient.te
+++ b/ddclient.te
-@@ -1,4 +1,4 @@
--policy_module(ddclient, 1.10.0)
-+policy_module(ddclient, 1.9.2)
-
- ########################################
- #
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
# Declarations
#
@@ -23722,15 +21759,9 @@ index a4caa1b..2efb435 100644
sysnet_exec_ifconfig(ddclient_t)
sysnet_dns_name_resolve(ddclient_t)
diff --git a/ddcprobe.te b/ddcprobe.te
-index 8fa4bb9..2496e02 100644
+index ceb9bf4..2496e02 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
-@@ -1,4 +1,4 @@
--policy_module(ddcprobe, 1.3.0)
-+policy_module(ddcprobe, 1.2.1)
-
- ########################################
- #
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
dev_read_raw_memory(ddcprobe_t)
dev_wx_raw_memory(ddcprobe_t)
@@ -23783,15 +21814,9 @@ index a7326da..c87b5b7 100644
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
-index 583a527..7f0c21f 100644
+index bcb9770..7f0c21f 100644
--- a/denyhosts.te
+++ b/denyhosts.te
-@@ -1,4 +1,4 @@
--policy_module(denyhosts, 1.1.0)
-+policy_module(denyhosts, 1.0.2)
-
- ########################################
- #
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
#
# Local policy
@@ -23839,7 +21864,7 @@ index 583a527..7f0c21f 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.if b/devicekit.if
-index 8ce99ff..3b4f593 100644
+index d294865..3b4f593 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
@@ -23893,122 +21918,56 @@ index 8ce99ff..3b4f593 100644
')
########################################
-@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
+@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',`
########################################
##
-## Send generic signals to devicekit power.
+## Use file descriptors for devicekit_disk.
- ##
- ##
- ##
-@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
- ##
- ##
- #
--interface(`devicekit_signal_power',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`devicekit_use_fds_disk',`
- gen_require(`
-- type devicekit_power_t;
++ gen_require(`
+ type devicekit_disk_t;
- ')
-
-- allow $1 devicekit_power_t:process signal;
++ ')
++
+ allow $1 devicekit_disk_t:fd use;
- ')
-
- ########################################
- ##
--## Send and receive messages from
--## devicekit power over dbus.
++')
++
++########################################
++##
+## Dontaudit Send and receive messages from
+## devicekit disk over dbus.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`devicekit_dbus_chat_power',`
++##
++##
++#
+interface(`devicekit_dontaudit_dbus_chat_disk',`
- gen_require(`
-- type devicekit_power_t;
-+ type devicekit_disk_t;
- class dbus send_msg;
- ')
-
-- allow $1 devicekit_power_t:dbus send_msg;
-- allow devicekit_power_t $1:dbus send_msg;
-+ dontaudit $1 devicekit_disk_t:dbus send_msg;
-+ dontaudit devicekit_disk_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Use and inherit devicekit power
--## file descriptors.
-+## Send signal devicekit power
- ##
- ##
- ##
-@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
- ##
- ##
- #
--interface(`devicekit_use_fds_power',`
-+interface(`devicekit_signal_power',`
- gen_require(`
- type devicekit_power_t;
- ')
-
-- allow $1 devicekit_power_t:fd use;
-+ allow $1 devicekit_power_t:process signal;
- ')
-
- ########################################
- ##
--## Append inherited devicekit log files.
-+## Send and receive messages from
-+## devicekit power over dbus.
- ##
- ##
- ##
-@@ -149,40 +165,56 @@ interface(`devicekit_use_fds_power',`
- ##
- ##
- #
-+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
-+ type devicekit_power_t;
++ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
-+ allow $1 devicekit_power_t:dbus send_msg;
-+ allow devicekit_power_t $1:dbus send_msg;
++ dontaudit $1 devicekit_disk_t:dbus send_msg;
++ dontaudit devicekit_disk_t $1:dbus send_msg;
+')
+
-+#######################################
++########################################
+##
-+## Append inherited devicekit log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
- interface(`devicekit_append_inherited_log_files',`
- gen_require(`
- type devicekit_var_log_t;
- ')
-
-- logging_search_logs($1)
-- allow $1 devicekit_var_log_t:file { getattr_file_perms append };
--
-- devicekit_use_fds_power($1)
-+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
++## Send signal devicekit power
+ ##
+ ##
+ ##
+@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',`
+ allow devicekit_power_t $1:dbus send_msg;
')
-########################################
@@ -24016,26 +21975,44 @@ index 8ce99ff..3b4f593 100644
##
-## Create, read, write, and delete
-## devicekit log files.
-+## Do not audit attempts to write the devicekit
-+## log files.
++## Append inherited devicekit log files.
##
##
-##
-## Domain allowed access.
-##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
##
#
-interface(`devicekit_manage_log_files',`
-+interface(`devicekit_dontaudit_rw_log',`
++interface(`devicekit_append_inherited_log_files',`
gen_require(`
type devicekit_var_log_t;
')
- logging_search_logs($1)
- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
++')
++
++#######################################
++##
++## Do not audit attempts to write the devicekit
++## log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`devicekit_dontaudit_rw_log',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
')
@@ -24046,7 +22023,7 @@ index 8ce99ff..3b4f593 100644
##
##
##
-@@ -190,13 +222,13 @@ interface(`devicekit_manage_log_files',`
+@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',`
##
##
#
@@ -24064,7 +22041,7 @@ index 8ce99ff..3b4f593 100644
')
########################################
-@@ -220,11 +252,30 @@ interface(`devicekit_read_pid_files',`
+@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',`
########################################
##
@@ -24096,7 +22073,7 @@ index 8ce99ff..3b4f593 100644
## Domain allowed access.
##
##
-@@ -235,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
+@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
')
files_search_pids($1)
@@ -24160,7 +22137,7 @@ index 8ce99ff..3b4f593 100644
##
##
##
-@@ -259,21 +347,48 @@ interface(`devicekit_admin',`
+@@ -219,21 +347,48 @@ interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
@@ -24219,16 +22196,10 @@ index 8ce99ff..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index 77a5003..cd1d88d 100644
+index ff933af..cd1d88d 100644
--- a/devicekit.te
+++ b/devicekit.te
-@@ -1,4 +1,4 @@
--policy_module(devicekit, 1.3.1)
-+policy_module(devicekit, 1.2.1)
-
- ########################################
- #
-@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
+@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
type devicekit_t;
type devicekit_exec_t;
@@ -24270,7 +22241,7 @@ index 77a5003..cd1d88d 100644
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,15 +79,15 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@@ -24283,12 +22254,7 @@ index 77a5003..cd1d88d 100644
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
- kernel_read_system_state(devicekit_disk_t)
--kernel_read_vm_sysctls(devicekit_disk_t)
- kernel_request_load_module(devicekit_disk_t)
- kernel_setsched(devicekit_disk_t)
-
-@@ -99,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -24297,7 +22263,7 @@ index 77a5003..cd1d88d 100644
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
-@@ -117,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
@@ -24307,7 +22273,7 @@ index 77a5003..cd1d88d 100644
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
-@@ -135,18 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -24316,10 +22282,9 @@ index 77a5003..cd1d88d 100644
auth_use_nsswitch(devicekit_disk_t)
- logging_send_syslog_msg(devicekit_disk_t)
-
-miscfiles_read_localization(devicekit_disk_t)
--
++logging_send_syslog_msg(devicekit_disk_t)
+
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
@@ -24329,7 +22294,7 @@ index 77a5003..cd1d88d 100644
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -170,6 +170,7 @@ optional_policy(`
+@@ -167,6 +170,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
@@ -24337,7 +22302,7 @@ index 77a5003..cd1d88d 100644
')
optional_policy(`
-@@ -183,25 +184,35 @@ optional_policy(`
+@@ -180,6 +184,11 @@ optional_policy(`
')
optional_policy(`
@@ -24348,10 +22313,8 @@ index 77a5003..cd1d88d 100644
+optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
-- udev_read_pid_files(devicekit_disk_t)
')
-
- optional_policy(`
+@@ -188,12 +197,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -24372,11 +22335,7 @@ index 77a5003..cd1d88d 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
--allow devicekit_power_t self:unix_stream_socket create_socket_perms;
- allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-
- manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -212,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -24387,14 +22346,7 @@ index 77a5003..cd1d88d 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -241,27 +250,22 @@ dev_rw_generic_chr_files(devicekit_power_t)
- dev_rw_netcontrol(devicekit_power_t)
- dev_rw_sysfs(devicekit_power_t)
- dev_read_rand(devicekit_power_t)
--dev_getattr_all_blk_files(devicekit_power_t)
- dev_getattr_all_chr_files(devicekit_power_t)
-
- domain_read_all_domains_state(devicekit_power_t)
+@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -24409,28 +22361,24 @@ index 77a5003..cd1d88d 100644
auth_use_nsswitch(devicekit_power_t)
--init_all_labeled_script_domtrans(devicekit_power_t)
--init_read_utmp(devicekit_power_t)
--
-miscfiles_read_localization(devicekit_power_t)
+seutil_exec_setfiles(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -277,6 +281,12 @@ optional_policy(`
- ')
+@@ -269,9 +282,11 @@ optional_policy(`
optional_policy(`
-+ cron_initrc_domtrans(devicekit_power_t)
+ cron_initrc_domtrans(devicekit_power_t)
+ cron_systemctl(devicekit_power_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -307,8 +317,11 @@ optional_policy(`
+@@ -302,8 +317,11 @@ optional_policy(`
')
optional_policy(`
@@ -24443,15 +22391,7 @@ index 77a5003..cd1d88d 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -337,7 +350,6 @@ optional_policy(`
-
- optional_policy(`
- udev_read_db(devicekit_power_t)
-- udev_manage_pid_files(devicekit_power_t)
- ')
-
- optional_policy(`
-@@ -347,3 +359,9 @@ optional_policy(`
+@@ -341,3 +359,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -24462,24 +22402,16 @@ index 77a5003..cd1d88d 100644
+')
+
diff --git a/dhcp.fc b/dhcp.fc
-index 8182c48..333d214 100644
+index 7956248..333d214 100644
--- a/dhcp.fc
+++ b/dhcp.fc
-@@ -1,8 +1,10 @@
+@@ -1,4 +1,6 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
--/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
-+/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
-
--/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
--/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
-+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
-+/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+ /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
--/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
-+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/dhcp.if b/dhcp.if
index c697edb..31d45bf 100644
--- a/dhcp.if
@@ -24552,15 +22484,9 @@ index c697edb..31d45bf 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..5d61f10 100644
+index c93c3db..5d61f10 100644
--- a/dhcp.te
+++ b/dhcp.te
-@@ -1,4 +1,4 @@
--policy_module(dhcp, 1.11.0)
-+policy_module(dhcp, 1.10.1)
-
- ########################################
- #
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
@@ -24651,15 +22577,9 @@ index 3cc3494..cb0a1f4 100644
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
-index 433d3c5..43b800a 100644
+index fd4a602..43b800a 100644
--- a/dictd.te
+++ b/dictd.te
-@@ -1,4 +1,4 @@
--policy_module(dictd, 1.8.0)
-+policy_module(dictd, 1.7.1)
-
- ########################################
- #
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
@@ -25478,15 +23398,9 @@ index 24d8c74..1790ec5 100644
')
diff --git a/distcc.te b/distcc.te
-index 898b2f4..83fb340 100644
+index b441a4d..83fb340 100644
--- a/distcc.te
+++ b/distcc.te
-@@ -1,4 +1,4 @@
--policy_module(distcc, 1.9.0)
-+policy_module(distcc, 1.8.2)
-
- ########################################
- #
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
@@ -25533,15 +23447,9 @@ index 671d3c0..6d36c95 100644
#####################################
diff --git a/djbdns.te b/djbdns.te
-index 87ca536..df50e4c 100644
+index 463d290..df50e4c 100644
--- a/djbdns.te
+++ b/djbdns.te
-@@ -1,4 +1,4 @@
--policy_module(djbdns, 1.6.0)
-+policy_module(djbdns, 1.5.3)
-
- ########################################
- #
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
files_search_var(djbdns_domain)
@@ -25565,25 +23473,6 @@ index 5818418..674367b 100644
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
-diff --git a/dkim.te b/dkim.te
-index 6a73d60..0d2eb21 100644
---- a/dkim.te
-+++ b/dkim.te
-@@ -1,4 +1,4 @@
--policy_module(dkim, 1.2.0)
-+policy_module(dkim, 1.1.3)
-
- ########################################
- #
-@@ -13,8 +13,6 @@ init_script_file(dkim_milter_initrc_exec_t)
- type dkim_milter_private_key_t;
- files_type(dkim_milter_private_key_t)
-
--init_daemon_run_dir(dkim_milter_data_t, "opendkim")
--
- ########################################
- #
- # Local policy
diff --git a/dmidecode.if b/dmidecode.if
index 41c3f67..653a1ec 100644
--- a/dmidecode.if
@@ -25615,30 +23504,11 @@ index 41c3f67..653a1ec 100644
##
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
-index aa0ef6e..8d4d843 100644
+index c947c2c..8d4d843 100644
--- a/dmidecode.te
+++ b/dmidecode.te
-@@ -1,4 +1,4 @@
--policy_module(dmidecode, 1.5.1)
-+policy_module(dmidecode, 1.4.1)
-
- ########################################
- #
-@@ -20,15 +20,17 @@ role dmidecode_roles types dmidecode_t;
-
- allow dmidecode_t self:capability sys_rawio;
-
--dev_read_raw_memory(dmidecode_t)
- dev_read_sysfs(dmidecode_t)
-+dev_read_raw_memory(dmidecode_t)
-
--domain_use_interactive_fds(dmidecode_t)
-+mls_file_read_all_levels(dmidecode_t)
+@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
- files_list_usr(dmidecode_t)
-
--mls_file_read_all_levels(dmidecode_t)
--
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
@@ -25933,15 +23803,9 @@ index 19aa0b8..b9895ba 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index 37a3b7b..34a4c71 100644
+index ba14bcf..34a4c71 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
-@@ -1,4 +1,4 @@
--policy_module(dnsmasq, 1.10.0)
-+policy_module(dnsmasq, 1.9.3)
-
- ########################################
- #
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
@@ -26204,15 +24068,9 @@ index 0000000..64f1a64
+
+')
diff --git a/dnssectrigger.te b/dnssectrigger.te
-index c7bb4e7..fddd51f 100644
+index ef36d73..fddd51f 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
-@@ -1,4 +1,4 @@
--policy_module(dnssectrigger, 1.1.0)
-+policy_module(dnssectrigger, 1.0.1)
-
- ########################################
- #
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
logging_send_syslog_msg(dnssec_triggerd_t)
@@ -26991,7 +24849,7 @@ index c880070..4448055 100644
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
-index d5badb7..f3e446c 100644
+index dbcac59..f3e446c 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
@@ -27151,7 +25009,7 @@ index d5badb7..f3e446c 100644
##
##
##
-@@ -132,22 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -132,21 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',`
##
##
##
@@ -27167,7 +25025,6 @@ index d5badb7..f3e446c 100644
- type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
- type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
- type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
-- type dovecot_keytab_t;
+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
@@ -27183,12 +25040,9 @@ index d5badb7..f3e446c 100644
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -155,22 +193,27 @@ interface(`dovecot_admin',`
- allow $2 system_r;
-
+@@ -156,20 +195,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
-- admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
-+ admin_pattern($1, dovecot_etc_t)
+ admin_pattern($1, dovecot_etc_t)
- logging_list_logs($1)
- admin_pattern($1, dovecot_var_log_t)
@@ -27219,16 +25073,16 @@ index d5badb7..f3e446c 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e..38bfca8 100644
+index a7bfaf0..38bfca8 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
--policy_module(dovecot, 1.16.1)
+-policy_module(dovecot, 1.15.6)
+policy_module(dovecot, 1.14.0)
########################################
#
-@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
+@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6)
attribute dovecot_domain;
@@ -27253,14 +25107,7 @@ index 0aabc7e..38bfca8 100644
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
-@@ -38,18 +35,16 @@ files_config_file(dovecot_etc_t)
- type dovecot_initrc_exec_t;
- init_script_file(dovecot_initrc_exec_t)
-
--type dovecot_keytab_t;
--files_type(dovecot_keytab_t)
--
- type dovecot_passwd_t;
+@@ -42,11 +39,12 @@ type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_spool_t;
@@ -27274,7 +25121,7 @@ index 0aabc7e..38bfca8 100644
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
-@@ -59,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
+@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
@@ -27300,7 +25147,7 @@ index 0aabc7e..38bfca8 100644
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
-@@ -81,39 +74,46 @@ dev_read_sysfs(dovecot_domain)
+@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
@@ -27335,8 +25182,7 @@ index 0aabc7e..38bfca8 100644
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-
--allow dovecot_t dovecot_keytab_t:file read_file_perms;
++
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
@@ -27361,7 +25207,7 @@ index 0aabc7e..38bfca8 100644
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -125,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
@@ -27418,7 +25264,7 @@ index 0aabc7e..38bfca8 100644
init_getattr_utmp(dovecot_t)
-@@ -171,37 +161,29 @@ auth_use_nsswitch(dovecot_t)
+@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
@@ -27431,12 +25277,6 @@ index 0aabc7e..38bfca8 100644
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
-')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(dovecot_t)
-- fs_manage_cifs_files(dovecot_t)
-- fs_manage_cifs_symlinks(dovecot_t)
--')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
@@ -27446,13 +25286,20 @@ index 0aabc7e..38bfca8 100644
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(dovecot_t)
+- fs_manage_cifs_files(dovecot_t)
+- fs_manage_cifs_symlinks(dovecot_t)
++optional_policy(`
++ mta_manage_home_rw(dovecot_t)
++ mta_manage_spool(dovecot_t)
+ ')
+
optional_policy(`
+ kerberos_keytab_template(dovecot, dovecot_t)
- kerberos_manage_host_rcache(dovecot_t)
-- kerberos_read_keytab(dovecot_t)
- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
-- kerberos_use(dovecot_t)
-+ mta_manage_home_rw(dovecot_t)
-+ mta_manage_spool(dovecot_t)
++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
')
optional_policy(`
@@ -27460,29 +25307,27 @@ index 0aabc7e..38bfca8 100644
- mta_manage_mail_home_rw_content(dovecot_t)
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
-+ kerberos_keytab_template(dovecot, dovecot_t)
-+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
++ gnome_manage_data(dovecot_t)
')
optional_policy(`
- postgresql_stream_connect(dovecot_t)
-+ gnome_manage_data(dovecot_t)
++ postfix_manage_private_sockets(dovecot_t)
++ postfix_search_spool(dovecot_t)
')
optional_policy(`
-@@ -210,6 +192,11 @@ optional_policy(`
+- postfix_manage_private_sockets(dovecot_t)
+- postfix_search_spool(dovecot_t)
++ postgresql_stream_connect(dovecot_t)
')
optional_policy(`
-+ postgresql_stream_connect(dovecot_t)
-+')
-+
-+optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_t)
')
-@@ -227,46 +214,65 @@ optional_policy(`
+@@ -221,46 +214,65 @@ optional_policy(`
########################################
#
@@ -27557,7 +25402,7 @@ index 0aabc7e..38bfca8 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -277,15 +283,30 @@ optional_policy(`
+@@ -271,15 +283,30 @@ optional_policy(`
')
optional_policy(`
@@ -27589,7 +25434,7 @@ index 0aabc7e..38bfca8 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -295,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -27651,92 +25496,13 @@ index 0aabc7e..38bfca8 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -332,5 +362,6 @@ optional_policy(`
+@@ -326,5 +362,6 @@ optional_policy(`
')
optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_deliver_t)
')
-diff --git a/dpkg.fc b/dpkg.fc
-index eec3c48..751c251 100644
---- a/dpkg.fc
-+++ b/dpkg.fc
-@@ -1,5 +1,3 @@
--/etc/cron\.daily/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
--
- /usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
- /usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
- /usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
-diff --git a/dpkg.if b/dpkg.if
-index fdc06d6..9aa68a6 100644
---- a/dpkg.if
-+++ b/dpkg.if
-@@ -21,25 +21,6 @@ interface(`dpkg_domtrans',`
-
- ########################################
- ##
--## Execute the dkpg in the caller domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`dpkg_exec',`
-- gen_require(`
-- type dpkg_exec_t;
-- ')
--
-- corecmd_search_bin($1)
-- can_exec($1, dpkg_exec_t)
--')
--
--########################################
--##
- ## Execute dpkg_script programs in
- ## the dpkg_script domain.
- ##
-diff --git a/dpkg.te b/dpkg.te
-index 50af48c..998d765 100644
---- a/dpkg.te
-+++ b/dpkg.te
-@@ -1,4 +1,4 @@
--policy_module(dpkg, 1.10.1)
-+policy_module(dpkg, 1.10.0)
-
- ########################################
- #
-@@ -137,7 +137,7 @@ storage_raw_read_fixed_disk(dpkg_t)
-
- auth_dontaudit_read_shadow(dpkg_t)
-
--init_all_labeled_script_domtrans(dpkg_t)
-+init_domtrans_script(dpkg_t)
- init_use_script_ptys(dpkg_t)
-
- libs_exec_ld_so(dpkg_t)
-@@ -161,10 +161,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- backup_manage_store_files(dpkg_t)
--')
--
--optional_policy(`
- cron_system_entry(dpkg_t, dpkg_exec_t)
- ')
-
-@@ -276,7 +272,7 @@ term_use_all_terms(dpkg_script_t)
- auth_dontaudit_getattr_shadow(dpkg_script_t)
- files_manage_non_auth_files(dpkg_script_t)
-
--init_all_labeled_script_domtrans(dpkg_script_t)
-+init_domtrans_script(dpkg_script_t)
- init_use_script_fds(dpkg_script_t)
-
- libs_exec_ld_so(dpkg_script_t)
diff --git a/drbd.fc b/drbd.fc
index 671a3fb..c781675 100644
--- a/drbd.fc
@@ -27893,15 +25659,9 @@ index 9a21639..26c5986 100644
')
+
diff --git a/drbd.te b/drbd.te
-index f2516cc..bdd8883 100644
+index 8e5ee54..bdd8883 100644
--- a/drbd.te
+++ b/drbd.te
-@@ -1,4 +1,4 @@
--policy_module(drbd, 1.1.0)
-+policy_module(drbd, 1.0.1)
-
- ########################################
- #
@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
allow drbd_t self:fifo_file rw_fifo_file_perms;
allow drbd_t self:unix_stream_socket create_stream_socket_perms;
@@ -28223,15 +25983,9 @@ index 18f2452..a446210 100644
+
')
diff --git a/dspam.te b/dspam.te
-index ef62363..b619351 100644
+index 266cb8f..b619351 100644
--- a/dspam.te
+++ b/dspam.te
-@@ -1,4 +1,4 @@
--policy_module(dspam, 1.1.0)
-+policy_module(dspam, 1.0.5)
-
- ########################################
- #
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
allow dspam_t self:capability net_admin;
@@ -28305,27 +26059,11 @@ index ef62363..b619351 100644
+optional_policy(`
+ procmail_domtrans(dspam_t)
+')
-diff --git a/entropyd.fc b/entropyd.fc
-index ee38542..c698711 100644
---- a/entropyd.fc
-+++ b/entropyd.fc
-@@ -4,4 +4,4 @@
- /usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
-
- /var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
--/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
-+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/entropyd.te b/entropyd.te
-index b8b8328..dc22b89 100644
+index a0da189..dc22b89 100644
--- a/entropyd.te
+++ b/entropyd.te
-@@ -1,4 +1,4 @@
--policy_module(entropyd, 1.8.0)
-+policy_module(entropyd, 1.7.2)
-
- ########################################
- #
-@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
+@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2)
## the entropy feeds.
##
##
@@ -28365,15 +26103,9 @@ index 597f305..8520653 100644
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
diff --git a/evolution.te b/evolution.te
-index c99e07c..3742ee1 100644
+index 94fb625..3742ee1 100644
--- a/evolution.te
+++ b/evolution.te
-@@ -1,4 +1,4 @@
--policy_module(evolution, 2.4.0)
-+policy_module(evolution, 2.3.7)
-
- ########################################
- #
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
@@ -28415,8 +26147,21 @@ index c99e07c..3742ee1 100644
fs_search_auto_mountpoints(evolution_server_t)
+diff --git a/exim.fc b/exim.fc
+index dc0254b..9df498d 100644
+--- a/exim.fc
++++ b/exim.fc
+@@ -3,6 +3,8 @@
+ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+ /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
++/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
++
+ /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+
+ /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/exim.if b/exim.if
-index 9bbc690..4a8d053 100644
+index 6041113..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
@@ -28541,7 +26286,52 @@ index 9bbc690..4a8d053 100644
##
##
##
-@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
+@@ -225,6 +241,44 @@ interface(`exim_manage_spool_files',`
+
+ ########################################
+ ##
++## Read exim var lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_read_var_lib_files',`
++ gen_require(`
++ type exim_var_lib_t;
++ ')
++
++ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Create, read, and write exim var lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_manage_var_lib_files',`
++ gen_require(`
++ type exim_var_lib_t;
++ ')
++
++ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an exim environment.
+ ##
+@@ -238,22 +292,29 @@ interface(`exim_manage_spool_files',`
## Role allowed access.
##
##
@@ -28549,8 +26339,9 @@ index 9bbc690..4a8d053 100644
#
interface(`exim_admin',`
gen_require(`
-@@ -285,10 +300,14 @@ interface(`exim_admin',`
- type exim_keytab_t;
+ type exim_t, exim_spool_t, exim_log_t;
+ type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
++ type exim_keytab_t;
')
- allow $1 exim_t:process { ptrace signal_perms };
@@ -28566,21 +26357,31 @@ index 9bbc690..4a8d053 100644
domain_system_change_exemption($1)
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
+
++ files_search_etc($1)
++ admin_pattern($1, exim_keytab_t)
++
+ files_search_spool($1)
+ admin_pattern($1, exim_spool_t)
+
diff --git a/exim.te b/exim.te
-index 4086c51..5495c90 100644
+index 19325ce..5495c90 100644
--- a/exim.te
+++ b/exim.te
-@@ -45,9 +45,6 @@ mta_agent_executable(exim_exec_t)
+@@ -1,4 +1,4 @@
+-policy_module(exim, 1.5.4)
++policy_module(exim, 1.6.1)
+
+ ########################################
+ #
+@@ -45,11 +45,14 @@ mta_agent_executable(exim_exec_t)
type exim_initrc_exec_t;
init_script_file(exim_initrc_exec_t)
--type exim_keytab_t;
--files_type(exim_keytab_t)
--
- type exim_var_lib_t;
- files_type(exim_var_lib_t)
-
-@@ -55,7 +52,7 @@ type exim_log_t;
++type exim_var_lib_t;
++files_type(exim_var_lib_t)
++
+ type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
@@ -28589,17 +26390,31 @@ index 4086c51..5495c90 100644
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
-@@ -78,8 +75,6 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
+@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)
+ type exim_var_run_t;
+ files_pid_file(exim_var_run_t)
+
++ifdef(`distro_debian',`
++ init_daemon_run_dir(exim_var_run_t, "exim4")
++')
++
+ ########################################
+ #
+ # Local policy
+@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
allow exim_t self:tcp_socket { accept listen };
--allow exim_t exim_keytab_t:file read_file_perms;
--
- manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
-
++manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
++
append_files_pattern(exim_t, exim_log_t, exim_log_t)
-@@ -105,11 +100,10 @@ can_exec(exim_t, exim_exec_t)
- kernel_read_crypto_sysctls(exim_t)
+ create_files_pattern(exim_t, exim_log_t, exim_log_t)
+ setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+@@ -88,13 +97,13 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
+
+ can_exec(exim_t, exim_exec_t)
+
++kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
@@ -28611,7 +26426,15 @@ index 4086c51..5495c90 100644
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
-@@ -151,10 +145,10 @@ fs_getattr_xattr_fs(exim_t)
+@@ -123,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)
+
+ dev_read_rand(exim_t)
+ dev_read_urand(exim_t)
++dev_read_sysfs(exim_t)
+
+ domain_use_interactive_fds(exim_t)
+
+@@ -135,10 +145,10 @@ fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)
auth_use_nsswitch(exim_t)
@@ -28623,7 +26446,7 @@ index 4086c51..5495c90 100644
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
-@@ -170,9 +164,9 @@ tunable_policy(`exim_can_connect_db',`
+@@ -154,9 +164,9 @@ tunable_policy(`exim_can_connect_db',`
corenet_sendrecv_mssql_client_packets(exim_t)
corenet_tcp_connect_mssql_port(exim_t)
corenet_tcp_sendrecv_mssql_port(exim_t)
@@ -28636,7 +26459,7 @@ index 4086c51..5495c90 100644
')
tunable_policy(`exim_read_user_files',`
-@@ -186,8 +180,8 @@ tunable_policy(`exim_manage_user_files',`
+@@ -170,13 +180,14 @@ tunable_policy(`exim_manage_user_files',`
')
optional_policy(`
@@ -28647,12 +26470,17 @@ index 4086c51..5495c90 100644
')
optional_policy(`
-@@ -205,13 +199,7 @@ optional_policy(`
+ cron_read_pipes(exim_t)
+ cron_rw_system_job_pipes(exim_t)
++ cron_use_system_job_fds(exim_t)
+ ')
+
+ optional_policy(`
+@@ -188,12 +199,7 @@ optional_policy(`
')
optional_policy(`
-- kerberos_read_keytab(exim_t)
-- kerberos_use(exim_t)
+- kerberos_keytab_template(exim, exim_t)
-')
-
-optional_policy(`
@@ -28662,7 +26490,7 @@ index 4086c51..5495c90 100644
')
optional_policy(`
-@@ -236,6 +224,7 @@ optional_policy(`
+@@ -218,6 +224,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -28937,16 +26765,10 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..4acb314 100644
+index 0872e50..4acb314 100644
--- a/fail2ban.te
+++ b/fail2ban.te
-@@ -1,4 +1,4 @@
--policy_module(fail2ban, 1.5.0)
-+policy_module(fail2ban, 1.4.9)
-
- ########################################
- #
-@@ -37,13 +37,11 @@ role fail2ban_client_roles types fail2ban_client_t;
+@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
#
allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
@@ -28955,13 +26777,7 @@ index cf0e567..4acb314 100644
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };
-
--read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
--
- append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
- create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
- setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-@@ -67,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
+@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
@@ -28969,7 +26785,7 @@ index cf0e567..4acb314 100644
corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)
-@@ -82,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t)
+@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
@@ -28977,7 +26793,7 @@ index cf0e567..4acb314 100644
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
-@@ -92,24 +88,38 @@ fs_getattr_all_fs(fail2ban_t)
+@@ -90,24 +88,38 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
@@ -29020,7 +26836,7 @@ index cf0e567..4acb314 100644
iptables_domtrans(fail2ban_t)
')
-@@ -118,6 +128,10 @@ optional_policy(`
+@@ -116,6 +128,10 @@ optional_policy(`
')
optional_policy(`
@@ -29031,7 +26847,7 @@ index cf0e567..4acb314 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -131,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -129,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -29067,15 +26883,9 @@ index cf0e567..4acb314 100644
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
-index ce358fb..28dec44 100644
+index 79b9273..28dec44 100644
--- a/fcoe.te
+++ b/fcoe.te
-@@ -1,4 +1,4 @@
--policy_module(fcoe, 1.1.0)
-+policy_module(fcoe, 1.0.1)
-
- ########################################
- #
@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
# Local policy
#
@@ -29113,7 +26923,7 @@ index ce358fb..28dec44 100644
+ networkmanager_dgram_send(fcoemon_t)
+')
diff --git a/fetchmail.fc b/fetchmail.fc
-index 133b8ee..fef9bff 100644
+index 2486e2a..fef9bff 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
@@ -29126,7 +26936,7 @@ index 133b8ee..fef9bff 100644
/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
--/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916..cab3954 100644
@@ -29153,15 +26963,9 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index 742559a..2e94f0e 100644
+index f0388cb..2e94f0e 100644
--- a/fetchmail.te
+++ b/fetchmail.te
-@@ -1,4 +1,4 @@
--policy_module(fetchmail, 1.13.2)
-+policy_module(fetchmail, 1.12.2)
-
- ########################################
- #
@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
#
# Local policy
@@ -29183,7 +26987,7 @@ index 742559a..2e94f0e 100644
manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
--files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { file dir })
+-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})
+
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
@@ -29229,15 +27033,9 @@ index 742559a..2e94f0e 100644
optional_policy(`
procmail_domtrans(fetchmail_t)
diff --git a/finger.te b/finger.te
-index 35da09d..92245bf 100644
+index af4b6d7..92245bf 100644
--- a/finger.te
+++ b/finger.te
-@@ -1,4 +1,4 @@
--policy_module(finger, 1.10.0)
-+policy_module(finger, 1.9.1)
-
- ########################################
- #
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
@@ -29282,31 +27080,32 @@ index 21d7b84..0e272bd 100644
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
-index c62c567..1893f7f 100644
+index 5cf6ac6..1893f7f 100644
--- a/firewalld.if
+++ b/firewalld.if
-@@ -2,7 +2,7 @@
+@@ -2,6 +2,66 @@
########################################
##
--## Read firewalld configuration files.
+## Read firewalld config
- ##
- ##
- ##
-@@ -10,7 +10,7 @@
- ##
- ##
- #
--interface(`firewalld_read_config_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`firewalld_read_config',`
- gen_require(`
- type firewalld_etc_rw_t;
- ')
-@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',`
-
- ########################################
- ##
++ gen_require(`
++ type firewalld_etc_rw_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
++')
++
++########################################
++##
+## Execute firewalld server in the firewalld domain.
+##
+##
@@ -29351,41 +27150,37 @@ index c62c567..1893f7f 100644
## Send and receive messages from
## firewalld over dbus.
##
-@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
########################################
##
--## Do not audit attempts to read, snd
--## write firewalld temporary files.
+-## All of the rules required to
+-## administrate an firewalld environment.
+## Dontaudit attempts to write
+## firewalld tmp files.
- ##
- ##
- ##
-@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',`
- ##
- ##
- #
--interface(`firewalld_dontaudit_rw_tmp_files',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`firewalld_dontaudit_write_tmp_files',`
- gen_require(`
- type firewalld_tmp_t;
- ')
-
-- dontaudit $1 firewalld_tmp_t:file { read write };
++ gen_require(`
++ type firewalld_tmp_t;
++ ')
++
+ dontaudit $1 firewalld_tmp_t:file write;
- ')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an firewalld environment.
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an firewalld environment
##
##
##
-@@ -79,14 +120,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
+@@ -41,14 +120,18 @@ interface(`firewalld_dbus_chat',`
interface(`firewalld_admin',`
gen_require(`
type firewalld_t, firewalld_initrc_exec_t;
@@ -29407,7 +27202,7 @@ index c62c567..1893f7f 100644
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
-@@ -97,6 +142,9 @@ interface(`firewalld_admin',`
+@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
@@ -29420,42 +27215,32 @@ index c62c567..1893f7f 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3..bacc80c 100644
+index c8014f8..bacc80c 100644
--- a/firewalld.te
+++ b/firewalld.te
-@@ -1,4 +1,4 @@
--policy_module(firewalld, 1.1.1)
-+policy_module(firewalld, 1.0.6)
+@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
+ type firewalld_var_run_t;
+ files_pid_file(firewalld_var_run_t)
- ########################################
- #
-@@ -18,17 +18,22 @@ files_config_file(firewalld_etc_rw_t)
- type firewalld_var_log_t;
- logging_log_file(firewalld_var_log_t)
-
-+type firewalld_var_run_t;
-+files_pid_file(firewalld_var_run_t)
-+
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
- type firewalld_tmp_t;
- files_tmp_file(firewalld_tmp_t)
-
--type firewalld_var_run_t;
--files_pid_file(firewalld_var_run_t)
++type firewalld_tmp_t;
++files_tmp_file(firewalld_tmp_t)
++
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
-
++
########################################
#
# Local policy
#
-
- allow firewalld_t self:capability { dac_override net_admin };
++allow firewalld_t self:capability { dac_override net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
-@@ -37,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
+ allow firewalld_t self:unix_stream_socket { accept listen };
+@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
@@ -29463,28 +27248,29 @@ index 98072a3..bacc80c 100644
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
-@@ -46,10 +52,15 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
+ allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
- manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
- files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
--allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
++manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
++files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
+allow firewalld_t firewalld_tmp_t:file execute;
+
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
+allow firewalld_t firewalld_tmpfs_t:file execute;
-
++
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+can_exec(firewalld_t, firewalld_var_run_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -59,24 +70,20 @@ corecmd_exec_bin(firewalld_t)
- corecmd_exec_shell(firewalld_t)
++kernel_rw_net_sysctls(firewalld_t)
- dev_read_urand(firewalld_t)
--dev_search_sysfs(firewalld_t)
+ corecmd_exec_bin(firewalld_t)
+ corecmd_exec_shell(firewalld_t)
+@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -29510,7 +27296,7 @@ index 98072a3..bacc80c 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +102,10 @@ optional_policy(`
+@@ -85,9 +102,17 @@ optional_policy(`
')
optional_policy(`
@@ -29521,20 +27307,13 @@ index 98072a3..bacc80c 100644
iptables_domtrans(firewalld_t)
')
-@@ -103,5 +114,5 @@ optional_policy(`
- ')
-
optional_policy(`
-- networkmanager_read_state(firewalld_t)
-+ NetworkManager_read_state(firewalld_t)
+ modutils_domtrans_insmod(firewalld_t)
')
-diff --git a/firewallgui.fc b/firewallgui.fc
-index 94ab048..ef1f43d 100644
---- a/firewallgui.fc
-+++ b/firewallgui.fc
-@@ -1 +1 @@
--/usr/share/system-config-firewall/system-config-firewall-mechanism\.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
-+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
++
++optional_policy(`
++ NetworkManager_read_state(firewalld_t)
++')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
@@ -29547,15 +27326,9 @@ index e6866d1..941f4ef 100644
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
')
diff --git a/firewallgui.te b/firewallgui.te
-index 2094546..86b8098 100644
+index c5ceab1..86b8098 100644
--- a/firewallgui.te
+++ b/firewallgui.te
-@@ -1,4 +1,4 @@
--policy_module(firewallgui, 1.1.0)
-+policy_module(firewallgui, 1.0.1)
-
- ########################################
- #
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
dev_read_sysfs(firewallgui_t)
dev_read_urand(firewallgui_t)
@@ -29723,11 +27496,11 @@ index 280f875..f3a67c9 100644
##
##
diff --git a/firstboot.te b/firstboot.te
-index 5010f04..a415012 100644
+index c12c067..a415012 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
--policy_module(firstboot, 1.13.0)
+-policy_module(firstboot, 1.12.3)
+policy_module(firstboot, 1.12.0)
gen_require(`
@@ -29860,15 +27633,9 @@ index 5010f04..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index 92a6479..2cbb61f 100644
+index c81b6e8..2cbb61f 100644
--- a/fprintd.te
+++ b/fprintd.te
-@@ -1,4 +1,4 @@
--policy_module(fprintd, 1.2.0)
-+policy_module(fprintd, 1.1.1)
-
- ########################################
- #
@@ -20,23 +20,28 @@ files_type(fprintd_var_lib_t)
allow fprintd_t self:capability sys_nice;
allow fprintd_t self:process { getsched setsched signal sigkill };
@@ -30245,7 +28012,7 @@ index ddb75c1..44f74e6 100644
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
diff --git a/ftp.if b/ftp.if
-index 4498143..97fb494 100644
+index d062080..97fb494 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,66 @@
@@ -30315,11 +28082,8 @@ index 4498143..97fb494 100644
#######################################
##
## Execute a dyntransition to run anon sftpd.
-@@ -176,11 +237,13 @@ interface(`ftp_admin',`
- type ftpd_etc_t, ftpd_lock_t, sftpd_t;
- type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
+@@ -178,8 +239,11 @@ interface(`ftp_admin',`
type ftpd_initrc_exec_t, ftpdctl_tmp_t;
-- type ftpd_keytab_t;
')
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
@@ -30331,16 +28095,7 @@ index 4498143..97fb494 100644
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -193,7 +256,7 @@ interface(`ftp_admin',`
- admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
-
- files_list_etc($1)
-- admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
-+ admin_pattern($1, ftpd_etc_t)
-
- files_list_var($1)
- admin_pattern($1, ftpd_lock_t)
-@@ -204,5 +267,9 @@ interface(`ftp_admin',`
+@@ -203,5 +267,9 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
@@ -30351,16 +28106,10 @@ index 4498143..97fb494 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index 36838c2..de8e914 100644
+index e50f33c..de8e914 100644
--- a/ftp.te
+++ b/ftp.te
-@@ -1,4 +1,4 @@
--policy_module(ftp, 1.15.1)
-+policy_module(ftp, 1.14.1)
-
- ########################################
- #
-@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
+@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
## be labeled public_content_rw_t.
##
##
@@ -30403,23 +28152,17 @@ index 36838c2..de8e914 100644
##
##
-@@ -124,8 +131,8 @@ files_config_file(ftpd_etc_t)
+@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
--type ftpd_keytab_t;
--files_type(ftpd_keytab_t)
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
-
++
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
-@@ -179,11 +186,12 @@ allow ftpd_t self:key manage_key_perms;
-
- allow ftpd_t ftpd_etc_t:file read_file_perms;
--allow ftpd_t ftpd_keytab_t:file read_file_perms;
--
+@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -30429,7 +28172,7 @@ index 36838c2..de8e914 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -198,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -193,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
@@ -30456,7 +28199,7 @@ index 36838c2..de8e914 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -224,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -30470,7 +28213,7 @@ index 36838c2..de8e914 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -250,7 +258,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -245,7 +258,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -30478,7 +28221,7 @@ index 36838c2..de8e914 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +266,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +266,50 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -30536,7 +28279,7 @@ index 36838c2..de8e914 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,22 +329,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,22 +329,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -30564,19 +28307,16 @@ index 36838c2..de8e914 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
')
-@@ -364,9 +386,8 @@ optional_policy(`
- optional_policy(`
+@@ -360,7 +387,7 @@ optional_policy(`
selinux_validate_context(ftpd_t)
-- kerberos_read_keytab(ftpd_t)
+ kerberos_keytab_template(ftpd, ftpd_t)
- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
-- kerberos_use(ftpd_t)
-+ kerberos_keytab_template(ftpd, ftpd_t)
+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
')
optional_policy(`
-@@ -416,21 +437,20 @@ optional_policy(`
+@@ -410,21 +437,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -30600,7 +28340,7 @@ index 36838c2..de8e914 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -443,23 +463,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +463,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -30641,7 +28381,7 @@ index 36838c2..de8e914 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +512,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -475,21 +512,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -30695,15 +28435,9 @@ index e2a3e0d..50ebd40 100644
+ manage_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/games.te b/games.te
-index e5b15fb..879c59a 100644
+index 572fb12..879c59a 100644
--- a/games.te
+++ b/games.te
-@@ -1,4 +1,4 @@
--policy_module(games, 2.3.0)
-+policy_module(games, 2.2.4)
-
- ########################################
- #
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
logging_send_syslog_msg(games_srv_t)
@@ -30748,15 +28482,9 @@ index e5b15fb..879c59a 100644
')
diff --git a/gatekeeper.te b/gatekeeper.te
-index 2820368..10a1bbe 100644
+index fc3b036..10a1bbe 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
-@@ -1,4 +1,4 @@
--policy_module(gatekeeper, 1.8.0)
-+policy_module(gatekeeper, 1.7.1)
-
- ########################################
- #
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
corecmd_list_bin(gatekeeper_t)
@@ -30781,135 +28509,6 @@ index 2820368..10a1bbe 100644
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-diff --git a/gdomap.fc b/gdomap.fc
-deleted file mode 100644
-index 0735238..0000000
---- a/gdomap.fc
-+++ /dev/null
-@@ -1,7 +0,0 @@
--/etc/default/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0)
--
--/etc/rc\.d/init\.d/gdomap -- gen_context(system_u:object_r:gdomap_initrc_exec_t,s0)
--
--/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
--
--/var/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
-diff --git a/gdomap.if b/gdomap.if
-deleted file mode 100644
-index 7d6b6b7..0000000
---- a/gdomap.if
-+++ /dev/null
-@@ -1,58 +0,0 @@
--## GNUstep distributed object mapper.
--
--########################################
--##
--## Read gdomap configuration files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`gdomap_read_config',`
-- gen_require(`
-- type gdomap_conf_t;
-- ')
--
-- files_search_etc($1)
-- allow $1 gdomap_conf_t:file read_file_perms;
--')
--
--########################################
--##
--## All of the rules required to
--## administrate an gdomap environment.
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Role allowed access.
--##
--##
--##
--#
--interface(`gdomap_admin',`
-- gen_require(`
-- type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
-- type gdomap_var_run_t;
-- ')
--
-- allow $1 gdomap_t:process { ptrace signal_perms };
-- ps_process_pattern($1, gdomap_t)
--
-- init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 gdomap_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_etc($1)
-- admin_pattern($1, gdomap_conf_t)
--
-- files_search_pids($1)
-- admin_pattern($1, gdomap_var_run_t)
--')
-diff --git a/gdomap.te b/gdomap.te
-deleted file mode 100644
-index db7b56c..0000000
---- a/gdomap.te
-+++ /dev/null
-@@ -1,46 +0,0 @@
--policy_module(gdomap, 1.0.1)
--
--########################################
--#
--# Declarations
--#
--
--type gdomap_t;
--type gdomap_exec_t;
--init_daemon_domain(gdomap_t, gdomap_exec_t)
--
--type gdomap_initrc_exec_t;
--init_script_file(gdomap_initrc_exec_t)
--
--type gdomap_conf_t;
--files_config_file(gdomap_conf_t)
--
--type gdomap_var_run_t;
--files_pid_file(gdomap_var_run_t)
--
--########################################
--#
--# Local policy
--#
--
--allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
--allow gdomap_t self:tcp_socket { listen accept };
--
--allow gdomap_t gdomap_var_run_t:file manage_file_perms;
--files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
--
--corenet_sendrecv_gdomap_server_packets(gdomap_t)
--corenet_tcp_bind_generic_node(gdomap_t)
--corenet_tcp_bind_gdomap_port(gdomap_t)
--corenet_tcp_sendrecv_gdomap_port(gdomap_t)
--corenet_udp_bind_generic_node(gdomap_t)
--corenet_udp_bind_gdomap_port(gdomap_t)
--corenet_udp_sendrecv_gdomap_port(gdomap_t)
--
--domain_use_interactive_fds(gdomap_t)
--
--files_search_tmp(gdomap_t)
--
--auth_use_nsswitch(gdomap_t)
--
--logging_send_syslog_msg(gdomap_t)
diff --git a/gear.fc b/gear.fc
new file mode 100644
index 0000000..98c012c
@@ -31598,15 +29197,9 @@ index 0000000..e61eed9
+ pcscd_stream_connect(geoclue_t)
+')
diff --git a/gift.te b/gift.te
-index 8a820fa..af76abb 100644
+index 395238e..af76abb 100644
--- a/gift.te
+++ b/gift.te
-@@ -1,4 +1,4 @@
--policy_module(gift, 2.4.0)
-+policy_module(gift, 2.3.4)
-
- ########################################
- #
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
userdom_dontaudit_read_user_home_content_files(gift_t)
@@ -31698,15 +29291,9 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index dc49c71..6acc1f0 100644
+index 93b0301..6acc1f0 100644
--- a/git.te
+++ b/git.te
-@@ -1,4 +1,4 @@
--policy_module(git, 1.3.2)
-+policy_module(git, 1.2.3)
-
- ########################################
- #
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
##
@@ -31722,13 +29309,7 @@ index dc49c71..6acc1f0 100644
## Determine whether Git system daemon
## can search home directories.
##
-@@ -87,16 +79,15 @@ apache_content_template(git)
- type git_system_t, git_daemon;
- type gitd_exec_t;
- inetd_service_domain(git_system_t, gitd_exec_t)
--init_daemon_domain(git_system_t, gitd_exec_t)
-
- type git_session_t, git_daemon;
+@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
@@ -31741,7 +29322,7 @@ index dc49c71..6acc1f0 100644
userdom_user_home_content(git_user_content_t)
########################################
-@@ -110,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@@ -31750,7 +29331,7 @@ index dc49c71..6acc1f0 100644
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
-@@ -130,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
@@ -31761,25 +29342,19 @@ index dc49c71..6acc1f0 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
-@@ -158,15 +149,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
--corenet_all_recvfrom_unlabeled(git_system_t)
--corenet_all_recvfrom_netlabel(git_system_t)
--corenet_tcp_sendrecv_generic_if(git_system_t)
--corenet_tcp_sendrecv_generic_node(git_system_t)
--corenet_tcp_bind_generic_node(git_system_t)
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
-
--corenet_sendrecv_git_server_packets(git_system_t)
- corenet_tcp_bind_git_port(git_system_t)
--corenet_tcp_sendrecv_git_port(git_system_t)
-
++
++corenet_tcp_bind_git_port(git_system_t)
++
files_search_var_lib(git_system_t)
-@@ -176,6 +162,10 @@ logging_send_syslog_msg(git_system_t)
+ auth_use_nsswitch(git_system_t)
+@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
@@ -31790,7 +29365,7 @@ index dc49c71..6acc1f0 100644
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -259,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -248,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',`
fs_dontaudit_read_nfs_files(httpd_git_script_t)
')
@@ -31802,7 +29377,7 @@ index dc49c71..6acc1f0 100644
########################################
#
# Git global policy
-@@ -266,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -255,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -31817,15 +29392,9 @@ index dc49c71..6acc1f0 100644
-miscfiles_read_localization(git_daemon)
diff --git a/gitosis.te b/gitosis.te
-index 582db0a..d3acb1a 100644
+index 3194b76..d3acb1a 100644
--- a/gitosis.te
+++ b/gitosis.te
-@@ -1,4 +1,4 @@
--policy_module(gitosis, 1.4.0)
-+policy_module(gitosis, 1.3.2)
-
- ########################################
- #
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
dev_read_urand(gitosis_t)
@@ -31906,15 +29475,10 @@ index 9eacb2c..2769682 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index 5cd0909..2d17fe6 100644
+index e0a4f46..2d17fe6 100644
--- a/glance.te
+++ b/glance.te
-@@ -1,14 +1,20 @@
--policy_module(glance, 1.1.0)
-+policy_module(glance, 1.0.2)
-
- ########################################
- #
+@@ -5,10 +5,16 @@ policy_module(glance, 1.0.2)
# Declarations
#
@@ -32532,11 +30096,11 @@ index 05233c8..0000000
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
-index 4e95c7e..0000000
+index fd02acc..0000000
--- a/glusterfs.te
+++ /dev/null
-@@ -1,105 +0,0 @@
--policy_module(glusterfs, 1.1.2)
+@@ -1,102 +0,0 @@
+-policy_module(glusterfs, 1.0.1)
-
-########################################
-#
@@ -32563,7 +30127,7 @@ index 4e95c7e..0000000
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
--files_type(glusterd_var_lib_t)
+-files_type(glusterd_var_lib_t);
-
-########################################
-#
@@ -32593,8 +30157,7 @@ index 4e95c7e..0000000
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
--manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
--files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
@@ -32630,8 +30193,6 @@ index 4e95c7e..0000000
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
--domain_read_all_domains_state(glusterd_t)
--
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
@@ -32716,10 +30277,10 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..ba8cb38 100644
+index d03fd43..ba8cb38 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,125 +1,157 @@
+@@ -1,123 +1,157 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
@@ -32908,15 +30469,15 @@ index ab09d61..ba8cb38 100644
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
-
- optional_policy(`
-- gnome_dbus_chat_gkeyringd($1, $3)
++
++ optional_policy(`
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
- ')
- ')
- ')
++ ')
++ ')
++')
+- gnome_dbus_chat_gkeyringd($1, $3)
+#######################################
+##
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
@@ -32941,11 +30502,11 @@ index ab09d61..ba8cb38 100644
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
-+ ')
+ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-+')
-+
+ ')
+
########################################
##
-## Execute gconf in the caller domain.
@@ -32953,7 +30514,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -127,18 +159,18 @@ template(`gnome_role_template',`
+@@ -125,18 +159,18 @@ template(`gnome_role_template',`
##
##
#
@@ -32977,7 +30538,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -146,119 +178,114 @@ interface(`gnome_exec_gconf',`
+@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -33134,7 +30695,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -266,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -33161,7 +30722,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -282,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -33269,7 +30830,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -340,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -33293,7 +30854,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -356,22 +424,18 @@ interface(`gnome_manage_config',`
+@@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -33321,7 +30882,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -379,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -33383,7 +30944,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -433,17 +481,18 @@ interface(`gnome_home_filetrans',`
+@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -33406,7 +30967,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -451,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -33434,7 +30995,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -475,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -33461,7 +31022,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -498,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -496,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
##
##
#
@@ -33559,7 +31120,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -579,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -577,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
##
@@ -33574,7 +31135,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -593,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -591,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
@@ -33599,7 +31160,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -612,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -610,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -33697,7 +31258,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -659,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -657,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
@@ -33779,7 +31340,7 @@ index ab09d61..ba8cb38 100644
##
##
##
-@@ -706,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -34771,11 +32332,11 @@ index ab09d61..ba8cb38 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 63893eb..ea1115c 100644
+index 20f726b..ea1115c 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,18 +1,36 @@
--policy_module(gnome, 2.3.0)
+-policy_module(gnome, 2.2.5)
+policy_module(gnome, 2.2.0)
##############################
@@ -35091,22 +32652,21 @@ index 63893eb..ea1115c 100644
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
-index f9ba8cd..e4c1b83 100644
+index b687443..e4c1b83 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
-@@ -1,7 +1,9 @@
+@@ -1,5 +1,9 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-
--/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
--/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702..25c7ab8 100644
--- a/gnomeclock.if
@@ -35166,11 +32726,11 @@ index 3f55702..25c7ab8 100644
##
##
diff --git a/gnomeclock.te b/gnomeclock.te
-index 7cd7435..c728009 100644
+index 6d79eb5..c728009 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -1,86 +1,99 @@
--policy_module(gnomeclock, 1.1.0)
+-policy_module(gnomeclock, 1.0.5)
+policy_module(gnomeclock, 1.0.0)
########################################
@@ -35615,11 +33175,11 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 0e97e82..2153214 100644
+index 44cf341..2153214 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
--policy_module(gpg, 2.8.0)
+-policy_module(gpg, 2.7.3)
+policy_module(gpg, 2.6.0)
########################################
@@ -36139,15 +33699,9 @@ index 0e97e82..2153214 100644
+ miscfiles_manage_public_files(gpg_web_t)
')
diff --git a/gpm.te b/gpm.te
-index 69734fd..68b2eb8 100644
+index 3226f52..68b2eb8 100644
--- a/gpm.te
+++ b/gpm.te
-@@ -1,4 +1,4 @@
--policy_module(gpm, 1.9.0)
-+policy_module(gpm, 1.8.2)
-
- ########################################
- #
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
init_script_file(gpm_initrc_exec_t)
@@ -36179,15 +33733,9 @@ index 69734fd..68b2eb8 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index fe3895e..3085534 100644
+index 25f09ae..3085534 100644
--- a/gpsd.te
+++ b/gpsd.te
-@@ -1,4 +1,4 @@
--policy_module(gpsd, 1.2.0)
-+policy_module(gpsd, 1.1.1)
-
- ########################################
- #
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
#
@@ -36511,15 +34059,9 @@ index 0000000..bbd5979
+ kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.te b/guest.te
-index 19cdbe1..93d2d83 100644
+index d928711..93d2d83 100644
--- a/guest.te
+++ b/guest.te
-@@ -1,4 +1,4 @@
--policy_module(guest, 1.3.0)
-+policy_module(guest, 1.2.1)
-
- ########################################
- #
@@ -20,4 +20,4 @@ optional_policy(`
apache_role(guest_r, guest_t)
')
@@ -36527,15 +34069,9 @@ index 19cdbe1..93d2d83 100644
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hadoop.te b/hadoop.te
-index e151378..f44ad99 100644
+index e62bcb7..f44ad99 100644
--- a/hadoop.te
+++ b/hadoop.te
-@@ -1,4 +1,4 @@
--policy_module(hadoop, 1.3.0)
-+policy_module(hadoop, 1.2.5)
-
- ########################################
- #
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
domain_use_interactive_fds(hadoop_t)
@@ -36569,44 +34105,10 @@ index e151378..f44ad99 100644
fs_getattr_xattr_fs(zookeeper_server_t)
-diff --git a/hal.fc b/hal.fc
-index c9f4520..2899bad 100644
---- a/hal.fc
-+++ b/hal.fc
-@@ -1,5 +1,5 @@
--/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
- /etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
-+/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
-
- /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
-
-@@ -9,14 +9,14 @@
- /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
- /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
- /usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
-+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
-
- /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
--/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
-
- /var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
-
--/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
- /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
-+/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
-
- /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
-
diff --git a/hal.te b/hal.te
-index bbccc79..85b6f3e 100644
+index 0801fe1..85b6f3e 100644
--- a/hal.te
+++ b/hal.te
-@@ -1,4 +1,4 @@
--policy_module(hal, 1.15.0)
-+policy_module(hal, 1.14.5)
-
- ########################################
- #
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
# Common local policy
#
@@ -36643,15 +34145,9 @@ index 1728071..77e71ea 100644
domain_system_change_exemption($1)
role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
-index 9e11b98..588c964 100644
+index 18d76bb..588c964 100644
--- a/hddtemp.te
+++ b/hddtemp.te
-@@ -1,4 +1,4 @@
--policy_module(hddtemp, 1.2.0)
-+policy_module(hddtemp, 1.1.1)
-
- ########################################
- #
@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
allow hddtemp_t hddtemp_etc_t:file read_file_perms;
@@ -36676,15 +34172,9 @@ index 9e11b98..588c964 100644
-miscfiles_read_localization(hddtemp_t)
diff --git a/howl.te b/howl.te
-index b9e60ec..4e0f8ba 100644
+index e207823..4e0f8ba 100644
--- a/howl.te
+++ b/howl.te
-@@ -1,4 +1,4 @@
--policy_module(howl, 1.10.0)
-+policy_module(howl, 1.9.1)
-
- ########################################
- #
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
@@ -36703,14 +34193,13 @@ index b9e60ec..4e0f8ba 100644
userdom_dontaudit_search_user_home_dirs(howl_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
-index b46130e..e2ae3b2 100644
---- a/hypervkvp.fc
+new file mode 100644
+index 0000000..e2ae3b2
+--- /dev/null
+++ b/hypervkvp.fc
-@@ -1,3 +1,10 @@
--/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
-
--/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
++
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
@@ -36720,11 +34209,11 @@ index b46130e..e2ae3b2 100644
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
-index 6517fad..b7ca833 100644
---- a/hypervkvp.if
+new file mode 100644
+index 0000000..b7ca833
+--- /dev/null
+++ b/hypervkvp.if
-@@ -1,32 +1,134 @@
--## HyperV key value pair (KVP).
+@@ -0,0 +1,134 @@
+
+## policy for hypervkvp
+
@@ -36785,20 +34274,17 @@ index 6517fad..b7ca833 100644
+ allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an hypervkvp environment.
++
++########################################
++##
+## Create, read, write, and delete
+## hypervkvp lib files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`hypervkvp_manage_lib_files',`
+ gen_require(`
@@ -36838,16 +34324,13 @@ index 6517fad..b7ca833 100644
+## an hypervkvp environment
+##
+##
- ##
--## Role allowed access.
++##
+## Domain allowed access.
- ##
- ##
--##
- #
- interface(`hypervkvp_admin',`
- gen_require(`
-- type hypervkvpd_t, hypervkvpd_initrc_exec_t;
++##
++##
++#
++interface(`hypervkvp_admin',`
++ gen_require(`
+ type hypervkvp_t;
+ type hypervkvp_unit_file_t;
+ ')
@@ -36857,35 +34340,29 @@ index 6517fad..b7ca833 100644
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hypervkvp_t:process ptrace;
- ')
-
-- allow $1 hypervkvpd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, hypervkvpd_t)
++ ')
++
+ hypervkvp_manage_lib_files($1)
-
-- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 hypervkvpd_initrc_exec_t system_r;
-- allow $2 system_r;
++
+ hypervkvp_systemctl($1)
+ admin_pattern($1, hypervkvp_unit_file_t)
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
- ')
++')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..97144bc 100644
---- a/hypervkvp.te
+new file mode 100644
+index 0000000..97144bc
+--- /dev/null
+++ b/hypervkvp.te
-@@ -5,24 +5,75 @@ policy_module(hypervkvp, 1.0.0)
- # Declarations
- #
-
--type hypervkvpd_t;
--type hypervkvpd_exec_t;
--init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+@@ -0,0 +1,79 @@
++policy_module(hypervkvp, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
+attribute hyperv_domain;
-
--type hypervkvpd_initrc_exec_t;
--init_script_file(hypervkvpd_initrc_exec_t)
++
+type hypervkvp_t, hyperv_domain;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
@@ -36905,10 +34382,9 @@ index 4eb7041..97144bc 100644
+
+type hypervvssd_unit_file_t;
+systemd_unit_file(hypervvssd_unit_file_t)
-
- ########################################
- #
--# Local policy
++
++########################################
++#
+# hyperv domain local policy
+#
+
@@ -36924,12 +34400,10 @@ index 4eb7041..97144bc 100644
+dev_read_sysfs(hyperv_domain)
+
+########################################
- #
++#
+# hypervkvp local policy
- #
-
--allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
--allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++#
++
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
@@ -36944,8 +34418,7 @@ index 4eb7041..97144bc 100644
+logging_send_syslog_msg(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
-
--logging_send_syslog_msg(hypervkvpd_t)
++
+userdom_dontaudit_search_admin_dir(hypervkvp_t)
+
+optional_policy(`
@@ -36956,22 +34429,14 @@ index 4eb7041..97144bc 100644
+#
+# hypervvssd local policy
+#
-
--miscfiles_read_localization(hypervkvpd_t)
++
+allow hypervvssd_t self:capability sys_admin;
-
--sysnet_dns_name_resolve(hypervkvpd_t)
++
+logging_send_syslog_msg(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
-index 369a056..a738d7f 100644
+index 3bed8fa..a738d7f 100644
--- a/i18n_input.te
+++ b/i18n_input.te
-@@ -1,4 +1,4 @@
--policy_module(i18n_input, 1.9.0)
-+policy_module(i18n_input, 1.8.1)
-
- ########################################
- #
@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
@@ -37030,15 +34495,9 @@ index 580b533..c267cea 100644
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
-index a9e573a..bd3a837 100644
+index ac6f9d5..bd3a837 100644
--- a/icecast.te
+++ b/icecast.te
-@@ -1,4 +1,4 @@
--policy_module(icecast, 1.2.0)
-+policy_module(icecast, 1.1.1)
-
- ########################################
- #
@@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)
@@ -37066,15 +34525,9 @@ index 8999899..96909ae 100644
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/ifplugd.te b/ifplugd.te
-index b0546b4..c4a9fcb 100644
+index 6910e49..c4a9fcb 100644
--- a/ifplugd.te
+++ b/ifplugd.te
-@@ -1,4 +1,4 @@
--policy_module(ifplugd, 1.1.0)
-+policy_module(ifplugd, 1.0.1)
-
- ########################################
- #
@@ -10,7 +10,7 @@ type ifplugd_exec_t;
init_daemon_domain(ifplugd_t, ifplugd_exec_t)
@@ -37100,15 +34553,9 @@ index b0546b4..c4a9fcb 100644
sysnet_domtrans_ifconfig(ifplugd_t)
diff --git a/imaze.te b/imaze.te
-index 1eb24d8..08a489c 100644
+index 05387d1..08a489c 100644
--- a/imaze.te
+++ b/imaze.te
-@@ -1,4 +1,4 @@
--policy_module(imaze, 1.8.0)
-+policy_module(imaze, 1.7.1)
-
- ########################################
- #
@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
kernel_read_kernel_sysctls(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
@@ -37126,21 +34573,6 @@ index 1eb24d8..08a489c 100644
userdom_use_unpriv_users_fds(imazesrv_t)
userdom_dontaudit_search_user_home_dirs(imazesrv_t)
-diff --git a/inetd.fc b/inetd.fc
-index 0374509..2a5a686 100644
---- a/inetd.fc
-+++ b/inetd.fc
-@@ -5,8 +5,9 @@
- /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
- /usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
-
-+/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
- /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
--/usr/sbin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-+/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-
- /var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
-
diff --git a/inetd.if b/inetd.if
index fbb54e7..05c3777 100644
--- a/inetd.if
@@ -37159,15 +34591,9 @@ index fbb54e7..05c3777 100644
########################################
diff --git a/inetd.te b/inetd.te
-index c6450df..420305b 100644
+index 1a5ed62..420305b 100644
--- a/inetd.te
+++ b/inetd.te
-@@ -1,4 +1,4 @@
--policy_module(inetd, 1.13.0)
-+policy_module(inetd, 1.12.2)
-
- ########################################
- #
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
# Local policy
#
@@ -37317,15 +34743,9 @@ index eb87f23..d3d32c3 100644
init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
-index d39f0cc..5967395 100644
+index 5aab5d0..5967395 100644
--- a/inn.te
+++ b/inn.te
-@@ -1,4 +1,4 @@
--policy_module(inn, 1.11.0)
-+policy_module(inn, 1.10.3)
-
- ########################################
- #
@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
type news_spool_t;
@@ -37436,9 +34856,15 @@ index a0bfbd0..a3b02e6 100644
## administrate an iodined environment
##
diff --git a/iodine.te b/iodine.te
-index d443fee..6cbbf7d 100644
+index 94ec5f8..6cbbf7d 100644
--- a/iodine.te
+++ b/iodine.te
+@@ -1,4 +1,4 @@
+-policy_module(iodine, 1.0.2)
++policy_module(iodine, 1.1.0)
+
+ ########################################
+ #
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)
@@ -37695,15 +35121,9 @@ index ac00fb0..36ef2e5 100644
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index 2636503..abf0b2d 100644
+index ecad9c7..abf0b2d 100644
--- a/irc.te
+++ b/irc.te
-@@ -1,4 +1,4 @@
--policy_module(irc, 2.3.1)
-+policy_module(irc, 2.2.3)
-
- ########################################
- #
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
userdom_user_home_content(irc_home_t)
@@ -37779,11 +35199,10 @@ index 2636503..abf0b2d 100644
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,17 +122,18 @@ auth_use_nsswitch(irc_t)
+@@ -106,15 +122,18 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
--miscfiles_read_generic_certs(irc_t)
-miscfiles_read_localization(irc_t)
userdom_use_user_terminals(irc_t)
@@ -37797,12 +35216,11 @@ index 2636503..abf0b2d 100644
+userdom_use_inherited_user_terminals(irc_t)
tunable_policy(`irc_use_any_tcp_ports',`
-- allow irc_t self:tcp_socket { accept listen };
+ allow irc_t self:tcp_socket create_stream_socket_perms;
corenet_sendrecv_all_server_packets(irc_t)
corenet_tcp_bind_all_unreserved_ports(irc_t)
corenet_sendrecv_all_client_packets(irc_t)
-@@ -124,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -37898,15 +35316,9 @@ index ade9803..3620c9a 100644
files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te
-index efaf4b1..40e440c 100644
+index e9f746e..40e440c 100644
--- a/ircd.te
+++ b/ircd.te
-@@ -1,4 +1,4 @@
--policy_module(ircd, 1.8.0)
-+policy_module(ircd, 1.7.1)
-
- ########################################
- #
@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
corecmd_exec_bin(ircd_t)
@@ -37925,30 +35337,22 @@ index efaf4b1..40e440c 100644
userdom_dontaudit_search_user_home_dirs(ircd_t)
diff --git a/irqbalance.te b/irqbalance.te
-index e1f302d..947efe0 100644
+index c5a8112..947efe0 100644
--- a/irqbalance.te
+++ b/irqbalance.te
-@@ -1,4 +1,4 @@
--policy_module(irqbalance, 1.6.0)
-+policy_module(irqbalance, 1.5.1)
-
- ########################################
- #
-@@ -22,7 +22,13 @@ files_pid_file(irqbalance_var_run_t)
+@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t)
allow irqbalance_t self:capability { setpcap net_admin };
dontaudit irqbalance_t self:capability sys_tty_config;
--allow irqbalance_t self:process { getcap getsched setcap signal_perms };
+
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit irqbalance_t self:capability sys_module;
+')
+
-+allow irqbalance_t self:process { getcap setcap signal_perms };
+ allow irqbalance_t self:process { getcap setcap signal_perms };
allow irqbalance_t self:udp_socket create_socket_perms;
- manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
@@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
dev_read_sysfs(irqbalance_t)
@@ -38107,15 +35511,9 @@ index 1a35420..a7e1562 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index ca020fa..b25cfd0 100644
+index 57304e4..b25cfd0 100644
--- a/iscsi.te
+++ b/iscsi.te
-@@ -1,4 +1,4 @@
--policy_module(iscsi, 1.9.0)
-+policy_module(iscsi, 1.8.2)
-
- ########################################
- #
@@ -9,8 +9,8 @@ type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)
@@ -38265,7 +35663,7 @@ index 59ad3b3..bd02cc8 100644
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
-index 7eb3811..01673a4 100644
+index 16b1666..01673a4 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,29 +1,76 @@
@@ -38459,7 +35857,7 @@ index 7eb3811..01673a4 100644
role_transition $2 jabberd_initrc_exec_t system_r;
allow $2 system_r;
-- files_search_locks($1)
+- files_search_locks($1))
- admin_pattern($1, jabberd_lock_t)
-
- logging_search_logs($1)
@@ -38476,11 +35874,11 @@ index 7eb3811..01673a4 100644
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
-index af67c36..62d511b 100644
+index bb12c90..62d511b 100644
--- a/jabber.te
+++ b/jabber.te
@@ -1,4 +1,4 @@
--policy_module(jabber, 1.10.0)
+-policy_module(jabber, 1.9.1)
+policy_module(jabber, 1.8.0)
########################################
@@ -38696,16 +36094,10 @@ index af67c36..62d511b 100644
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
-index a7ae153..5459aa3 100644
+index b3fcfbb..5459aa3 100644
--- a/java.te
+++ b/java.te
-@@ -1,4 +1,4 @@
--policy_module(java, 2.7.0)
-+policy_module(java, 2.6.3)
-
- ########################################
- #
-@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
+@@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
## its stack executable.
##
##
@@ -39748,11 +37140,11 @@ index 3a00b3a..21efcc4 100644
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index 715fc21..58bd992 100644
+index 70f3007..58bd992 100644
--- a/kdump.te
+++ b/kdump.te
@@ -1,4 +1,4 @@
--policy_module(kdump, 1.3.0)
+-policy_module(kdump, 1.2.3)
+policy_module(kdump, 1.2.0)
#######################################
@@ -39956,11 +37348,11 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index 2990962..12ff296 100644
+index e7f5c81..12ff296 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -1,83 +1,92 @@
--policy_module(kdumpgui, 1.2.0)
+-policy_module(kdumpgui, 1.1.4)
+policy_module(kdumpgui, 1.1.0)
########################################
@@ -40348,7 +37740,7 @@ index 4fe75fd..b029c28 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..b573f79 100644
+index f9de9fc..b573f79 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -40529,62 +37921,98 @@ index f6c00d8..b573f79 100644
##
##
##
-@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',`
+@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
########################################
##
-## Create, read, write, and delete
-## kerberos home files.
-+## Read the kerberos key table.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
-interface(`kerberos_manage_krb5_home_files',`
-+interface(`kerberos_read_keytab',`
- gen_require(`
+- gen_require(`
- type krb5_home_t;
-+ type krb5_keytab_t;
- ')
-
+- ')
+-
- userdom_search_user_home_dirs($1)
- allow $1 krb5_home_t:file manage_file_perms;
-+ files_search_etc($1)
-+ allow $1 krb5_keytab_t:file read_file_perms;
- ')
+-')
+-
+-########################################
+-##
+-## Relabel kerberos home files.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`kerberos_relabel_krb5_home_files',`
+- gen_require(`
+- type krb5_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 krb5_home_t:file relabel_file_perms;
+-')
+-
+-########################################
+-##
+-## Create objects in user home
+-## directories with the krb5 home type.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-##
+-##
+-## Class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+-#
+-interface(`kerberos_home_filetrans_krb5_home',`
+- gen_require(`
+- type krb5_home_t;
+- ')
+-
+- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+-')
+-
+-########################################
+-##
+-## Read kerberos key table files.
++## Read the kerberos key table.
+ ##
+ ##
+ ##
+@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
########################################
##
--## Relabel kerberos home files.
+-## Read and write kerberos key table files.
+## Read/Write the kerberos key table.
##
##
##
-@@ -210,322 +206,329 @@ interface(`kerberos_manage_krb5_home_files',`
- ##
- ##
- #
--interface(`kerberos_relabel_krb5_home_files',`
-+interface(`kerberos_rw_keytab',`
- gen_require(`
-- type krb5_home_t;
-+ type krb5_keytab_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- allow $1 krb5_home_t:file relabel_file_perms;
-+ files_search_etc($1)
-+ allow $1 krb5_keytab_t:file rw_file_perms;
- ')
+@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
########################################
##
--## Create objects in user home
--## directories with the krb5 home type.
+-## Create, read, write, and delete
+-## kerberos key table files.
+## Create keytab file in /etc
##
##
@@ -40592,6 +38020,27 @@ index f6c00d8..b573f79 100644
## Domain allowed access.
##
##
+-#
+-interface(`kerberos_manage_keytab_files',`
+- gen_require(`
+- type krb5_keytab_t;
+- ')
+-
+- files_search_etc($1)
+- allow $1 krb5_keytab_t:file manage_file_perms;
+-')
+-
+-########################################
+-##
+-## Create specified objects in generic
+-## etc directories with the kerberos
+-## keytab file type.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
-##
-##
-## Class of the object being created.
@@ -40600,193 +38049,139 @@ index f6c00d8..b573f79 100644
##
##
## The name of the object being created.
- ##
- ##
- #
--interface(`kerberos_home_filetrans_krb5_home',`
-+interface(`kerberos_etc_filetrans_keytab',`
- gen_require(`
-- type krb5_home_t;
-+ type krb5_keytab_t;
+@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
+ type krb5_keytab_t;
')
-- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
')
########################################
##
--## Read kerberos key table files.
+-## Create a derived type for kerberos
+-## keytab files.
+## Create a derived type for kerberos keytab
##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
- ##
+ ##
##
- ## Domain allowed access.
- ##
+@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',`
##
--##
#
--interface(`kerberos_read_keytab',`
-- gen_require(`
-- type krb5_keytab_t;
-- ')
-+template(`kerberos_keytab_template',`
+ template(`kerberos_keytab_template',`
+ gen_require(`
+ attribute kerberos_keytab_domain;
+ ')
-- files_search_etc($1)
-- allow $1 krb5_keytab_t:file read_file_perms;
+- ########################################
+- #
+- # Declarations
+- #
+ typeattribute $2 kerberos_keytab_domain;
-+
-+ type $1_keytab_t;
-+ files_type($1_keytab_t)
-+
+
+ type $1_keytab_t;
+ files_type($1_keytab_t)
+
+- ########################################
+- #
+- # Policy
+- #
+ allow $2 self:process setfscreate;
+ allow $2 $1_keytab_t:file read_file_perms;
-+
+
+- allow $2 $1_keytab_t:file read_file_perms;
+ seutil_read_file_contexts($2)
+ seutil_read_config($2)
+ selinux_get_enforce_mode($2)
-+
-+ kerberos_read_keytab($2)
-+ kerberos_use($2)
- ')
+
+ kerberos_read_keytab($2)
+ kerberos_use($2)
+@@ -376,7 +277,26 @@ template(`kerberos_keytab_template',`
########################################
##
--## Read and write kerberos key table files.
+-## Read kerberos kdc configuration files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`kerberos_rw_keytab',`
-- gen_require(`
-- type krb5_keytab_t;
-- ')
++#
+interface(`kerberos_keytab_domains',`
+ gen_require(`
+ attribute kerberos_keytab_domain;
+ ')
-
-- files_search_etc($1)
-- allow $1 krb5_keytab_t:file rw_file_perms;
++
+ typeattribute $1 kerberos_keytab_domain;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## kerberos key table files.
++')
++
++########################################
++##
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`kerberos_manage_keytab_files',`
-+interface(`kerberos_read_kdc_config',`
- gen_require(`
-- type krb5_keytab_t;
-+ type krb5kdc_conf_t;
- ')
-
- files_search_etc($1)
-- allow $1 krb5_keytab_t:file manage_file_perms;
-+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
- ')
+@@ -396,8 +316,7 @@ interface(`kerberos_read_kdc_config',`
########################################
##
--## Create specified objects in generic
--## etc directories with the kerberos
--## keytab file type.
+-## Create, read, write, and delete
+-## kerberos host rcache files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
-+##
- #
--interface(`kerberos_etc_filetrans_keytab',`
-+interface(`kerberos_manage_host_rcache',`
- gen_require(`
-- type krb5_keytab_t;
-+ type krb5_host_rcache_t;
+@@ -411,34 +330,99 @@ interface(`kerberos_manage_host_rcache',`
+ type krb5_host_rcache_t;
')
-- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
-+ domain_obj_id_change_exemption($1)
-+
+ domain_obj_id_change_exemption($1)
+
+- tunable_policy(`allow_kerberos',`
+ tunable_policy(`kerberos_enabled',`
-+ allow $1 self:process setfscreate;
-+
-+ selinux_validate_context($1)
-+
-+ seutil_read_file_contexts($1)
-+
+ allow $1 self:process setfscreate;
+
+ selinux_validate_context($1)
+
+ seutil_read_file_contexts($1)
+
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_search_tmp($1)
-+ ')
+ files_search_tmp($1)
+- allow $1 krb5_host_rcache_t:file manage_file_perms;
+ ')
')
########################################
##
--## Create a derived type for kerberos
--## keytab files.
+-## Create objects in generic temporary
+-## directories with the kerberos host
+-## rcache type.
+## All of the rules required to administrate
+## an kerberos environment
##
--##
-+##
+ ##
##
--## The prefix to be used for deriving type names.
+-## Domain allowed to transition.
+## Domain allowed access.
##
##
--##
+-##
+##
##
--## Domain allowed access.
+-## Class of the object being created.
+## The role to be allowed to manage the kerberos domain.
- ##
- ##
++##
++##
+##
- #
--template(`kerberos_keytab_template',`
-- refpolicywarn(`$0($*) has been deprecated.')
-- kerberos_read_keytab($2)
-- kerberos_use($2)
++#
+interface(`kerberos_admin',`
+ gen_require(`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
@@ -40835,120 +38230,36 @@ index f6c00d8..b573f79 100644
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
- ')
-
- ########################################
- ##
--## Read kerberos kdc configuration files.
++')
++
++########################################
++##
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+##
++##
++##
+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`kerberos_read_kdc_config',`
-+interface(`kerberos_tmp_filetrans_host_rcache',`
- gen_require(`
-- type krb5kdc_conf_t;
-+ type krb5_host_rcache_t;
- ')
-
-- files_search_etc($1)
-- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## kerberos host rcache files.
-+## read kerberos homedir content (.k5login)
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`kerberos_manage_host_rcache',`
-+interface(`kerberos_read_home_content',`
- gen_require(`
-- type krb5_host_rcache_t;
-+ type krb5_home_t;
- ')
-
-- domain_obj_id_change_exemption($1)
--
-- tunable_policy(`allow_kerberos',`
-- allow $1 self:process setfscreate;
--
-- selinux_validate_context($1)
--
-- seutil_read_file_contexts($1)
--
-- files_search_tmp($1)
-- allow $1 krb5_host_rcache_t:file manage_file_perms;
-- ')
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, krb5_home_t, krb5_home_t)
- ')
-
- ########################################
- ##
--## Create objects in generic temporary
--## directories with the kerberos host
--## rcache type.
-+## create kerberos content in the in the /root directory
-+## with an correct label.
- ##
- ##
- ##
--## Domain allowed to transition.
--##
--##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
+## Domain allowed access.
##
##
- #
--interface(`kerberos_tmp_filetrans_host_rcache',`
-+interface(`kerberos_filetrans_admin_home_content',`
- gen_require(`
-- type krb5_host_rcache_t;
-+ type krb5_home_t;
+ ##
+@@ -452,12 +436,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+ type krb5_host_rcache_t;
')
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
##
-## Connect to krb524 service.
-+## Transition to kerberos named content
++## read kerberos homedir content (.k5login)
##
##
##
--## Domain allowed access.
-+## Domain allowed access.
+@@ -465,82 +450,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
##
##
#
@@ -40963,27 +38274,43 @@ index f6c00d8..b573f79 100644
-
- corenet_sendrecv_kerberos_master_client_packets($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
-+interface(`kerberos_filetrans_home_content',`
++interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
')
+
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
')
########################################
##
-## All of the rules required to
-## administrate an kerberos environment.
-+## Transition to kerberos named content
++## create kerberos content in the in the /root directory
++## with an correct label.
##
##
##
--## Domain allowed access.
--##
--##
+ ## Domain allowed access.
+ ##
+ ##
-##
--##
++#
++interface(`kerberos_filetrans_admin_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++')
++
++########################################
++##
++## Transition to kerberos named content
++##
++##
+ ##
-## Role allowed access.
+## Domain allowed access.
##
@@ -40991,14 +38318,14 @@ index f6c00d8..b573f79 100644
-##
#
-interface(`kerberos_admin',`
-+interface(`kerberos_filetrans_named_content',`
++interface(`kerberos_filetrans_home_content',`
gen_require(`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
-+ type krb5kdc_principal_t;
++ type krb5_home_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
@@ -41026,10 +38353,27 @@ index f6c00d8..b573f79 100644
-
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
--
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++')
+
- files_list_etc($1)
- admin_pattern($1, krb5_conf_t)
--
++########################################
++##
++## Transition to kerberos named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_named_content',`
++ gen_require(`
++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
++ type krb5kdc_principal_t;
++ ')
+
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
@@ -41056,16 +38400,16 @@ index f6c00d8..b573f79 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 8833d59..31ad037 100644
+index 3465a9a..31ad037 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
--policy_module(kerberos, 1.12.0)
+-policy_module(kerberos, 1.11.7)
+policy_module(kerberos, 1.11.0)
########################################
#
-@@ -6,11 +6,13 @@ policy_module(kerberos, 1.12.0)
+@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7)
#
##
@@ -41457,15 +38801,9 @@ index 714448f..fa0c994 100644
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
diff --git a/kerneloops.te b/kerneloops.te
-index bcdb295..7f1061d 100644
+index 1101985..7f1061d 100644
--- a/kerneloops.te
+++ b/kerneloops.te
-@@ -1,4 +1,4 @@
--policy_module(kerneloops, 1.5.0)
-+policy_module(kerneloops, 1.4.1)
-
- ########################################
- #
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
domain_use_interactive_fds(kerneloops_t)
@@ -41536,15 +38874,9 @@ index 8982b91..6134ef2 100644
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
')
diff --git a/keyboardd.te b/keyboardd.te
-index 628b78b..a60b664 100644
+index adfe3dc..a60b664 100644
--- a/keyboardd.te
+++ b/keyboardd.te
-@@ -1,4 +1,4 @@
--policy_module(keyboardd, 1.1.0)
-+policy_module(keyboardd, 1.0.1)
-
- ########################################
- #
@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
files_manage_etc_runtime_files(keyboardd_t)
@@ -41569,7 +38901,7 @@ index b273d80..6a07210 100644
+
+/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0)
diff --git a/keystone.if b/keystone.if
-index e88fb16..f20248c 100644
+index d3e7fc9..f20248c 100644
--- a/keystone.if
+++ b/keystone.if
@@ -1,42 +1,218 @@
@@ -41793,7 +39125,8 @@ index e88fb16..f20248c 100644
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
- files_search_var_lib($1)
+- files_search_var_lib($1
++ files_search_var_lib($1)
admin_pattern($1, keystone_var_lib_t)
- files_search_tmp($1)
@@ -41807,15 +39140,9 @@ index e88fb16..f20248c 100644
+ ')
')
diff --git a/keystone.te b/keystone.te
-index 9929647..6009a94 100644
+index 3494d9b..6009a94 100644
--- a/keystone.te
+++ b/keystone.te
-@@ -1,4 +1,4 @@
--policy_module(keystone, 1.1.0)
-+policy_module(keystone, 1.0.1)
-
- ########################################
- #
@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
type keystone_var_lib_t;
files_type(keystone_var_lib_t)
@@ -41914,15 +39241,9 @@ index aa2a337..7ff229f 100644
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
-index 8ad0d4d..e60f701 100644
+index ea64ed5..e60f701 100644
--- a/kismet.te
+++ b/kismet.te
-@@ -1,4 +1,4 @@
--policy_module(kismet, 1.7.0)
-+policy_module(kismet, 1.6.1)
-
- ########################################
- #
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
@@ -41970,7 +39291,7 @@ index e736c45..4b1e1e4 100644
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
-index 93a64bc..3ac0b8b 100644
+index c530214..3ac0b8b 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
@@ -42026,15 +39347,15 @@ index 93a64bc..3ac0b8b 100644
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
--
-- allow $1 ksmtuned_t:process { ptrace signal_perms };
+ allow $1 ksmtuned_t:process signal_perms;
- ps_process_pattern($1, ksmtuned_t)
++ ps_process_pattern($1, ksmtuned_t)
+- allow $1 ksmtuned_t:process { ptrace signal_perms };
+- ps_process_pattern(ksmtumed_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ksmtuned_t:process ptrace;
+ ')
-+
+
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
@@ -42046,15 +39367,10 @@ index 93a64bc..3ac0b8b 100644
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
')
diff --git a/ksmtuned.te b/ksmtuned.te
-index 8eef134..fd0a17f 100644
+index c1539b5..fd0a17f 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
-@@ -1,14 +1,31 @@
--policy_module(ksmtuned, 1.1.1)
-+policy_module(ksmtuned, 1.0.1)
-
- ########################################
- #
+@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.0.1)
# Declarations
#
@@ -42196,20 +39512,13 @@ index 19777b8..55d1556 100644
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
-index c5548c5..f932c32 100644
+index 2cf3815..f932c32 100644
--- a/ktalk.te
+++ b/ktalk.te
-@@ -1,4 +1,4 @@
--policy_module(ktalk, 1.9.2)
-+policy_module(ktalk, 1.8.1)
-
- ########################################
- #
-@@ -7,12 +7,15 @@ policy_module(ktalk, 1.9.2)
+@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
type ktalkd_t;
type ktalkd_exec_t;
--init_daemon_domain(ktalkd_t, ktalkd_exec_t)
+init_domain(ktalkd_t, ktalkd_exec_t)
inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
@@ -42222,24 +39531,19 @@ index c5548c5..f932c32 100644
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
-@@ -36,21 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
--corenet_all_recvfrom_unlabeled(ktalkd_t)
- corenet_all_recvfrom_netlabel(ktalkd_t)
++corenet_all_recvfrom_netlabel(ktalkd_t)
+corenet_tcp_sendrecv_generic_if(ktalkd_t)
- corenet_udp_sendrecv_generic_if(ktalkd_t)
++corenet_udp_sendrecv_generic_if(ktalkd_t)
+corenet_tcp_sendrecv_generic_node(ktalkd_t)
- corenet_udp_sendrecv_generic_node(ktalkd_t)
--corenet_udp_bind_generic_node(ktalkd_t)
--
--corenet_sendrecv_ktalkd_server_packets(ktalkd_t)
++corenet_udp_sendrecv_generic_node(ktalkd_t)
+corenet_tcp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_sendrecv_all_ports(ktalkd_t)
- corenet_udp_bind_ktalkd_port(ktalkd_t)
--corenet_udp_sendrecv_ktalkd_port(ktalkd_t)
-
++corenet_udp_bind_ktalkd_port(ktalkd_t)
++
dev_read_urand(ktalkd_t)
fs_getattr_xattr_fs(ktalkd_t)
@@ -42250,7 +39554,7 @@ index c5548c5..f932c32 100644
auth_use_nsswitch(ktalkd_t)
-@@ -58,4 +61,5 @@ init_read_utmp(ktalkd_t)
+@@ -47,4 +61,5 @@ init_read_utmp(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
@@ -42277,15 +39581,9 @@ index 5297064..6ba8108 100644
domain_system_change_exemption($1)
role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
-index 1664036..34aa63b 100644
+index 9725f1a..34aa63b 100644
--- a/kudzu.te
+++ b/kudzu.te
-@@ -1,4 +1,4 @@
--policy_module(kudzu, 1.9.0)
-+policy_module(kudzu, 1.8.2)
-
- ########################################
- #
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
domain_use_interactive_fds(kudzu_t)
@@ -42560,15 +39858,9 @@ index 73e2803..34ca3aa 100644
role_transition $2 l2tpd_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/l2tp.te b/l2tp.te
-index bb06a7f..bbbda10 100644
+index 19f2b97..bbbda10 100644
--- a/l2tp.te
+++ b/l2tp.te
-@@ -1,4 +1,4 @@
--policy_module(l2tp, 1.1.0)
-+policy_module(l2tp, 1.0.5)
-
- ########################################
- #
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
#
@@ -42636,10 +39928,10 @@ index bb06a7f..bbbda10 100644
ppp_signal(l2tpd_t)
ppp_kill(l2tpd_t)
diff --git a/ldap.fc b/ldap.fc
-index b7e5679..6692d91 100644
+index bc25c95..6692d91 100644
--- a/ldap.fc
+++ b/ldap.fc
-@@ -1,29 +1,26 @@
+@@ -1,8 +1,11 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+
@@ -42653,19 +39945,7 @@ index b7e5679..6692d91 100644
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
--/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
- /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-
- /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
- /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
-
--/var/lib/openldap-data(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
--/var/lib/openldap-ldbm(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
--/var/lib/openldap-slurpd(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
--
- /var/lock/subsys/ldap -- gen_context(system_u:object_r:slapd_lock_t,s0)
- /var/lock/subsys/slapd -- gen_context(system_u:object_r:slapd_lock_t,s0)
-
+@@ -17,8 +20,7 @@
/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
@@ -42679,7 +39959,7 @@ index b7e5679..6692d91 100644
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
-index 3602712..4ac8f2d 100644
+index ee0c7cc..4ac8f2d 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,68 @@
@@ -42886,7 +40166,7 @@ index 3602712..4ac8f2d 100644
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
- type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
-- type slapd_db_t, slapd_keytab_t;
+- type slapd_db_t;
+ type slapd_initrc_exec_t;
+ type slapd_unit_file_t;
')
@@ -42905,7 +40185,7 @@ index 3602712..4ac8f2d 100644
allow $2 system_r;
files_list_etc($1)
-- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
+- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
+ admin_pattern($1, slapd_etc_t)
- files_list_locks($1)
@@ -42929,27 +40209,20 @@ index 3602712..4ac8f2d 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index 4c2b111..d0fdb7c 100644
+index d7d9b09..d0fdb7c 100644
--- a/ldap.te
+++ b/ldap.te
-@@ -1,4 +1,4 @@
--policy_module(ldap, 1.11.1)
-+policy_module(ldap, 1.10.2)
-
- ########################################
- #
-@@ -21,8 +21,8 @@ files_config_file(slapd_etc_t)
+@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
--type slapd_keytab_t;
--files_type(slapd_keytab_t)
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
-
++
type slapd_lock_t;
files_lock_file(slapd_lock_t)
-@@ -49,7 +49,7 @@ files_pid_file(slapd_var_run_t)
+
+@@ -46,7 +49,7 @@ files_pid_file(slapd_var_run_t)
allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
@@ -42958,13 +40231,7 @@ index 4c2b111..d0fdb7c 100644
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:tcp_socket { accept listen };
-@@ -63,15 +63,11 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
-
- allow slapd_t slapd_etc_t:file read_file_perms;
-
--allow slapd_t slapd_keytab_t:file read_file_perms;
--
- allow slapd_t slapd_lock_t:file manage_file_perms;
+@@ -64,9 +67,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t, slapd_lock_t, file)
manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
@@ -42975,7 +40242,7 @@ index 4c2b111..d0fdb7c 100644
logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
-@@ -93,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -88,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
@@ -42983,7 +40250,7 @@ index 4c2b111..d0fdb7c 100644
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -115,26 +110,23 @@ fs_getattr_all_fs(slapd_t)
+@@ -110,25 +110,23 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
@@ -43002,13 +40269,11 @@ index 4c2b111..d0fdb7c 100644
userdom_dontaudit_search_user_home_dirs(slapd_t)
optional_policy(`
+ kerberos_keytab_template(slapd, slapd_t)
- kerberos_manage_host_rcache(slapd_t)
-- kerberos_read_keytab(slapd_t)
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
-- kerberos_use(slapd_t)
-+ kerberos_keytab_template(slapd, slapd_t)
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
@@ -43029,15 +40294,9 @@ index 33a28b9..33ffe24 100644
+ ')
')
diff --git a/lightsquid.te b/lightsquid.te
-index 09c4f27..308accb 100644
+index 40a2607..308accb 100644
--- a/lightsquid.te
+++ b/lightsquid.te
-@@ -1,4 +1,4 @@
--policy_module(lightsquid, 1.1.0)
-+policy_module(lightsquid, 1.0.2)
-
- ########################################
- #
@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t)
dev_read_urand(lightsquid_t)
@@ -43193,15 +40452,9 @@ index bd20e8c..3393a01 100644
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
-')
diff --git a/likewise.te b/likewise.te
-index d8c2442..e86ead6 100644
+index 408fbe3..e86ead6 100644
--- a/likewise.te
+++ b/likewise.te
-@@ -1,4 +1,4 @@
--policy_module(likewise, 1.3.0)
-+policy_module(likewise, 1.2.1)
-
- #################################
- #
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
files_type(likewise_var_lib_t)
@@ -43266,15 +40519,9 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 483c87b..1150694 100644
+index 98b5405..1150694 100644
--- a/lircd.te
+++ b/lircd.te
-@@ -1,4 +1,4 @@
--policy_module(lircd, 1.2.0)
-+policy_module(lircd, 1.1.2)
-
- ########################################
- #
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
init_script_file(lircd_initrc_exec_t)
@@ -43342,15 +40589,9 @@ index e354181..c6b2383 100644
########################################
diff --git a/livecd.te b/livecd.te
-index 2f974bf..a920c08 100644
+index 33f64b5..a920c08 100644
--- a/livecd.te
+++ b/livecd.te
-@@ -1,4 +1,4 @@
--policy_module(livecd, 1.3.0)
-+policy_module(livecd, 1.2.1)
-
- ########################################
- #
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
# Local policy
#
@@ -43431,15 +40672,9 @@ index d18c960..fb5b674 100644
domain_system_change_exemption($1)
role_transition $2 lldpad_initrc_exec_t system_r;
diff --git a/lldpad.te b/lldpad.te
-index 2a491d9..07f58a5 100644
+index 648def0..07f58a5 100644
--- a/lldpad.te
+++ b/lldpad.te
-@@ -1,4 +1,4 @@
--policy_module(lldpad, 1.1.0)
-+policy_module(lldpad, 1.0.1)
-
- ########################################
- #
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
# Local policy
#
@@ -43468,15 +40703,9 @@ index 2a491d9..07f58a5 100644
+ networkmanager_dgram_send(lldpad_t)
+')
diff --git a/loadkeys.te b/loadkeys.te
-index d2f4643..bd5406a 100644
+index 6cbb977..bd5406a 100644
--- a/loadkeys.te
+++ b/loadkeys.te
-@@ -1,4 +1,4 @@
--policy_module(loadkeys, 1.9.0)
-+policy_module(loadkeys, 1.8.1)
-
- ########################################
- #
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
@@ -43532,15 +40761,9 @@ index 4313b8b..cd1435c 100644
##
## Role access for lockdev.
diff --git a/lockdev.te b/lockdev.te
-index 61db5a0..30bfb76 100644
+index db87831..30bfb76 100644
--- a/lockdev.te
+++ b/lockdev.te
-@@ -1,4 +1,4 @@
--policy_module(lockdev, 1.5.0)
-+policy_module(lockdev, 1.4.1)
-
- ########################################
- #
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
logging_send_syslog_msg(lockdev_t)
@@ -43620,11 +40843,11 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84..5c1e801 100644
+index 7bab8e5..5c1e801 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,26 @@
--policy_module(logrotate, 1.15.0)
+-policy_module(logrotate, 1.14.5)
+policy_module(logrotate, 1.14.0)
########################################
@@ -43767,9 +40990,8 @@ index be0ab84..5c1e801 100644
-auth_manage_login_records(logrotate_t)
-auth_use_nsswitch(logrotate_t)
-
--init_all_labeled_script_domtrans(logrotate_t)
+# cjp: why is this needed?
-+init_domtrans_script(logrotate_t)
+ init_domtrans_script(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
@@ -43940,30 +41162,20 @@ index be0ab84..5c1e801 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index ab65034..9125f9f 100644
+index 4256a4c..9125f9f 100644
--- a/logwatch.te
+++ b/logwatch.te
-@@ -1,4 +1,4 @@
--policy_module(logwatch, 1.12.2)
-+policy_module(logwatch, 1.11.6)
-
- #################################
- #
-@@ -6,16 +6,16 @@ policy_module(logwatch, 1.12.2)
+@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
+ # Declarations
#
- ##
--##
--## Determine whether logwatch can connect
--## to mail over the network.
--##
++##
+##
+## Allow epylog to send mail
+##
- ##
--gen_tunable(logwatch_can_network_connect_mail, false)
++##
+gen_tunable(logwatch_can_sendmail, false)
-
++
type logwatch_t;
type logwatch_exec_t;
-init_system_domain(logwatch_t, logwatch_exec_t)
@@ -43972,7 +41184,7 @@ index ab65034..9125f9f 100644
type logwatch_cache_t;
files_type(logwatch_cache_t)
-@@ -45,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
@@ -43982,7 +41194,7 @@ index ab65034..9125f9f 100644
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -75,10 +76,11 @@ files_list_var(logwatch_t)
+@@ -67,10 +76,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
@@ -43995,7 +41207,7 @@ index ab65034..9125f9f 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
-@@ -100,32 +102,18 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +102,14 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
@@ -44011,26 +41223,7 @@ index ab65034..9125f9f 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-
--tunable_policy(`logwatch_can_network_connect_mail',`
-- corenet_all_recvfrom_unlabeled(logwatch_t)
-- corenet_all_recvfrom_netlabel(logwatch_t)
-- corenet_tcp_sendrecv_generic_if(logwatch_t)
-- corenet_tcp_sendrecv_generic_node(logwatch_t)
--
-- corenet_sendrecv_smtp_client_packets(logwatch_t)
-- corenet_tcp_connect_smtp_port(logwatch_t)
-- corenet_tcp_sendrecv_smtp_port(logwatch_t)
--
-- corenet_sendrecv_pop_client_packets(logwatch_t)
-- corenet_tcp_connect_pop_port(logwatch_t)
-- corenet_tcp_sendrecv_pop_port(logwatch_t)
--')
--
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(logwatch_t)
- ')
-@@ -160,6 +148,12 @@ optional_policy(`
+@@ -137,6 +148,12 @@ optional_policy(`
')
optional_policy(`
@@ -44043,7 +41236,7 @@ index ab65034..9125f9f 100644
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -168,6 +162,13 @@ optional_policy(`
+@@ -145,6 +162,13 @@ optional_policy(`
samba_read_share_files(logwatch_t)
')
@@ -44057,7 +41250,7 @@ index ab65034..9125f9f 100644
########################################
#
# Mail local policy
-@@ -187,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -44270,15 +41463,9 @@ index 6256371..ce2acb8 100644
can_exec($1, lpr_exec_t)
')
diff --git a/lpd.te b/lpd.te
-index 39d3164..15f3748 100644
+index b9270f7..15f3748 100644
--- a/lpd.te
+++ b/lpd.te
-@@ -1,4 +1,4 @@
--policy_module(lpd, 1.14.0)
-+policy_module(lpd, 1.13.5)
-
- ########################################
- #
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
type print_spool_t;
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
@@ -44430,32 +41617,29 @@ index 39d3164..15f3748 100644
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
diff --git a/lsm.fc b/lsm.fc
-index c455730..d60293d 100644
---- a/lsm.fc
+new file mode 100644
+index 0000000..d60293d
+--- /dev/null
+++ b/lsm.fc
-@@ -1,3 +1,7 @@
--/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+@@ -0,0 +1,7 @@
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-
--/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
++
+/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
+/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
-index d314333..da30c5d 100644
---- a/lsm.if
+new file mode 100644
+index 0000000..da30c5d
+--- /dev/null
+++ b/lsm.if
-@@ -1,25 +1,85 @@
--## Storage array management library.
+@@ -0,0 +1,99 @@
+
+## libStorageMgmt plug-in daemon
-
- ########################################
- ##
--## All of the rules required to administrate
--## an lsmd environment.
++
++########################################
++##
+## Execute TEMPLATE in the lsmd domin.
+##
+##
@@ -44475,13 +41659,12 @@ index d314333..da30c5d 100644
+########################################
+##
+## Read lsmd PID files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
@@ -44523,26 +41706,24 @@ index d314333..da30c5d 100644
+## an lsmd environment
+##
+##
- ##
--## Role allowed access.
++##
+## Domain allowed access.
- ##
- ##
- ##
- #
- interface(`lsmd_admin',`
- gen_require(`
-- type lsmd_t, type lsmd_var_run_t;
++##
++##
++##
++#
++interface(`lsmd_admin',`
++ gen_require(`
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
- ')
-
- allow $1 lsmd_t:process { ptrace signal_perms };
-@@ -27,4 +87,13 @@ interface(`lsmd_admin',`
-
- files_search_pids($1)
- admin_pattern($1, lsmd_var_run_t)
++ ')
++
++ allow $1 lsmd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, lsmd_t)
++
++ files_search_pids($1)
++ admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
@@ -44552,15 +41733,19 @@ index d314333..da30c5d 100644
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
- ')
++')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..7e8fde0 100644
---- a/lsm.te
+new file mode 100644
+index 0000000..7e8fde0
+--- /dev/null
+++ b/lsm.te
-@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
- #
- # Declarations
- #
+@@ -0,0 +1,90 @@
++policy_module(lsm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
+##
+##
+## Determine whether lsmd_plugin can
@@ -44568,13 +41753,14 @@ index 4ec0eea..7e8fde0 100644
+##
+##
+gen_tunable(lsmd_plugin_connect_any, false)
-
- type lsmd_t;
- type lsmd_exec_t;
-@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
- type lsmd_var_run_t;
- files_pid_file(lsmd_var_run_t)
-
++
++type lsmd_t;
++type lsmd_exec_t;
++init_daemon_domain(lsmd_t, lsmd_exec_t)
++
++type lsmd_var_run_t;
++files_pid_file(lsmd_var_run_t)
++
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
@@ -44586,25 +41772,23 @@ index 4ec0eea..7e8fde0 100644
+type lsmd_plugin_tmp_t;
+files_tmp_file(lsmd_plugin_tmp_t)
+
- ########################################
- #
--# Local policy
++########################################
++#
+# lsmd local policy
- #
--
--allow lsmd_t self:capability setgid;
++#
+allow lsmd_t self:capability { setgid };
+allow lsmd_t self:process { fork };
- allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
-
- manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
- manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
- files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
-
++allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
++
+corecmd_exec_bin(lsmd_t)
+
- logging_send_syslog_msg(lsmd_t)
++logging_send_syslog_msg(lsmd_t)
+
+########################################
+#
@@ -44647,13 +41831,10 @@ index 4ec0eea..7e8fde0 100644
+
+sysnet_read_config(lsmd_plugin_t)
diff --git a/mailman.fc b/mailman.fc
-index 995d0a5..bbe6b01 100644
+index 7fa381b..bbe6b01 100644
--- a/mailman.fc
+++ b/mailman.fc
-@@ -1,11 +1,14 @@
--/etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+@@ -3,10 +3,12 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
@@ -44978,14 +42159,10 @@ index 108c0f1..a248501 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index ac81c7f..a057913 100644
+index 8eaf51b..a057913 100644
--- a/mailman.te
+++ b/mailman.te
-@@ -1,9 +1,15 @@
--policy_module(mailman, 1.10.0)
-+policy_module(mailman, 1.9.4)
-
- ########################################
+@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
#
# Declarations
#
@@ -45076,7 +42253,7 @@ index ac81c7f..a057913 100644
+ fs_manage_fusefs_symlinks(mailman_domain)
+')
diff --git a/mailscanner.if b/mailscanner.if
-index 214cb44..bd1d48e 100644
+index 0293f34..bd1d48e 100644
--- a/mailscanner.if
+++ b/mailscanner.if
@@ -2,29 +2,27 @@
@@ -45149,7 +42326,7 @@ index 214cb44..bd1d48e 100644
admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
-- files_search_pids($1)
+- files_search_pids($1
admin_pattern($1, mscan_var_run_t)
-
- files_search_spool($1)
@@ -45157,15 +42334,9 @@ index 214cb44..bd1d48e 100644
+ files_list_pids($1)
')
diff --git a/mailscanner.te b/mailscanner.te
-index 6b6e2e1..cec64d0 100644
+index 725ba32..cec64d0 100644
--- a/mailscanner.te
+++ b/mailscanner.te
-@@ -1,4 +1,4 @@
--policy_module(mailscanner, 1.1.0)
-+policy_module(mailscanner, 1.0.2)
-
- ########################################
- #
@@ -34,6 +34,7 @@ allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
@@ -45373,14 +42544,13 @@ index e08c55d..9e634bd 100644
+
+')
diff --git a/mandb.fc b/mandb.fc
-index 8ae78b5..c127555 100644
+index 2de0f64..c127555 100644
--- a/mandb.fc
+++ b/mandb.fc
@@ -1 +1,12 @@
--/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
+
-+/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
@@ -45629,16 +42799,10 @@ index 327f3f7..4f61561 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index e6136fd..8fc7de0 100644
+index 5a414e0..8fc7de0 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -1,4 +1,4 @@
--policy_module(mandb, 1.1.1)
-+policy_module(mandb, 1.0.3)
-
- ########################################
- #
-@@ -10,48 +10,54 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,54 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -45660,12 +42824,11 @@ index e6136fd..8fc7de0 100644
# Local policy
#
--allow mandb_t self:capability { setuid setgid };
- allow mandb_t self:process { setsched signal };
+-allow mandb_t self:process signal;
++allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
--kernel_read_kernel_sysctls(mandb_t)
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
@@ -45681,9 +42844,6 @@ index e6136fd..8fc7de0 100644
kernel_read_system_state(mandb_t)
corecmd_exec_bin(mandb_t)
--corecmd_exec_shell(mandb_t)
--
--dev_search_sysfs(mandb_t)
domain_use_interactive_fds(mandb_t)
@@ -45694,21 +42854,6 @@ index e6136fd..8fc7de0 100644
+fs_getattr_all_fs(mandb_t)
miscfiles_manage_man_cache(mandb_t)
--miscfiles_read_man_pages(mandb_t)
--miscfiles_read_localization(mandb_t)
--
--ifdef(`distro_debian',`
-- optional_policy(`
-- apt_exec(mandb_t)
-- apt_read_db(mandb_t)
-- ')
--
-- optional_policy(`
-- dpkg_exec(mandb_t)
-- dpkg_read_db(mandb_t)
-- userdom_dontaudit_search_user_home_dirs(mandb_t)
-- ')
--')
+miscfiles_setattr_man_pages(mandb_t)
optional_policy(`
@@ -45716,7 +42861,7 @@ index e6136fd..8fc7de0 100644
')
+
diff --git a/mcelog.if b/mcelog.if
-index f89651e..c73214d 100644
+index 9dbe694..c73214d 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
@@ -45745,16 +42890,18 @@ index f89651e..c73214d 100644
########################################
##
## All of the rules required to
+@@ -56,6 +75,6 @@ interface(`mcelog_admin',`
+ logging_search_logs($1)
+ admin_pattern($1, mcelog_log_t)
+
+- files_search_pids($1
++ files_search_pids($1)
+ admin_pattern($1, mcelog_var_run_t)
+ ')
diff --git a/mcelog.te b/mcelog.te
-index 59b3b3d..2b4e761 100644
+index 13ea191..2b4e761 100644
--- a/mcelog.te
+++ b/mcelog.te
-@@ -1,4 +1,4 @@
--policy_module(mcelog, 1.2.0)
-+policy_module(mcelog, 1.1.3)
-
- ########################################
- #
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
##
gen_tunable(mcelog_server, false)
@@ -46169,15 +43316,9 @@ index 1d4eb19..650014e 100644
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
-index 29b7521..4396320 100644
+index 4926208..4396320 100644
--- a/memcached.te
+++ b/memcached.te
-@@ -1,4 +1,4 @@
--policy_module(memcached, 1.3.1)
-+policy_module(memcached, 1.2.3)
-
- ########################################
- #
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
# Local policy
#
@@ -46187,7 +43328,15 @@ index 29b7521..4396320 100644
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
-@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t)
+@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t)
+ corenet_udp_bind_memcache_port(memcached_t)
+ corenet_udp_sendrecv_all_ports(memcached_t)
+
++dev_read_sysfs(memcached_t)
++
+ term_dontaudit_use_all_ptys(memcached_t)
+ term_dontaudit_use_all_ttys(memcached_t)
+ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
@@ -46375,11 +43524,11 @@ index cba62db..562833a 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 4dc99f4..9c51c34 100644
+index 92508b2..9c51c34 100644
--- a/milter.te
+++ b/milter.te
@@ -1,77 +1,121 @@
--policy_module(milter, 1.5.0)
+-policy_module(milter, 1.4.2)
+policy_module(milter, 1.4.0)
########################################
@@ -46578,340 +43727,6 @@ index 4dc99f4..9c51c34 100644
optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
-diff --git a/minidlna.fc b/minidlna.fc
-deleted file mode 100644
-index 02c1b50..0000000
---- a/minidlna.fc
-+++ /dev/null
-@@ -1,14 +0,0 @@
--/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
--
--/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
--
--/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
--
--/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
--
--/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
--
--/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
--/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
--
--/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
-diff --git a/minidlna.if b/minidlna.if
-deleted file mode 100644
-index 358917a..0000000
---- a/minidlna.if
-+++ /dev/null
-@@ -1,64 +0,0 @@
--## MiniDLNA lightweight DLNA/UPnP media server
--
--########################################
--##
--## All of the rules required to
--## administrate an minidlna environment.
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Role allowed access.
--##
--##
--##
--#
--interface(`minidlna_admin',`
-- gen_require(`
-- type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
-- type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
-- ')
--
-- allow $1 minidlna_t:process { ptrace signal_perms };
-- ps_process_pattern($1, minidlna_t)
--
-- minidlna_initrc_domtrans($1)
-- domain_system_change_exemption($1)
-- role_transition $2 minidlna_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_etc($1)
-- admin_pattern($1, minidlna_conf_t)
--
-- logging_search_logs($1)
-- admin_pattern($1, minidlna_log_t)
--
-- files_search_var_lib($1)
-- admin_pattern($1, minidlna_db_t)
--
-- files_search_pids($1)
-- admin_pattern($1, minidlna_var_run_t)
--')
--
--########################################
--##
--## Execute minidlna init scripts in
--## the initrc domain.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--#
--interface(`minidlna_initrc_domtrans',`
-- gen_require(`
-- type minidlna_initrc_exec_t;
-- ')
--
-- init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
--')
-diff --git a/minidlna.te b/minidlna.te
-deleted file mode 100644
-index 4911ac0..0000000
---- a/minidlna.te
-+++ /dev/null
-@@ -1,102 +0,0 @@
--policy_module(minidlna, 0.1)
--
--#############################################
--#
--# Declarations
--#
--
--##
--##
--## Determine whether minidlna can read generic user content.
--##
--##
--gen_tunable(minidlna_read_generic_user_content, false)
--
--type minidlna_t;
--type minidlna_exec_t;
--init_daemon_domain(minidlna_t, minidlna_exec_t)
--
--type minidlna_conf_t;
--files_config_file(minidlna_conf_t)
--
--type minidlna_db_t;
--files_type(minidlna_db_t)
--
--type minidlna_initrc_exec_t;
--init_script_file(minidlna_initrc_exec_t)
--
--type minidlna_log_t;
--logging_log_file(minidlna_log_t)
--
--type minidlna_var_run_t;
--files_pid_file(minidlna_var_run_t)
--
--###############################################
--#
--# Local policy
--#
--
--allow minidlna_t self:process setsched;
--allow minidlna_t self:tcp_socket create_stream_socket_perms;
--allow minidlna_t self:udp_socket create_socket_perms;
--allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
--allow minidlna_t minidlna_conf_t:file read_file_perms;
--
--allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
--allow minidlna_t minidlna_db_t:file manage_file_perms;
--
--allow minidlna_t minidlna_log_t:file append_file_perms;
--create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
--
--allow minidlna_t minidlna_var_run_t:file manage_file_perms;
--allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
--files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
--
--kernel_read_fs_sysctls(minidlna_t)
--kernel_read_system_state(minidlna_t)
--
--corecmd_exec_bin(minidlna_t)
--corecmd_exec_shell(minidlna_t)
--
--corenet_all_recvfrom_netlabel(minidlna_t)
--corenet_all_recvfrom_unlabeled(minidlna_t)
--
--corenet_sendrecv_ssdp_server_packets(minidlna_t)
--corenet_sendrecv_trivnet1_server_packets(minidlna_t)
--
--corenet_tcp_bind_generic_node(minidlna_t)
--corenet_tcp_bind_trivnet1_port(minidlna_t)
--corenet_tcp_sendrecv_generic_if(minidlna_t)
--corenet_tcp_sendrecv_generic_node(minidlna_t)
--corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
--
--corenet_udp_bind_generic_node(minidlna_t)
--corenet_udp_bind_ssdp_port(minidlna_t)
--corenet_udp_sendrecv_generic_if(minidlna_t)
--corenet_udp_sendrecv_generic_node(minidlna_t)
--corenet_udp_sendrecv_ssdp_port(minidlna_t)
--
--files_search_var_lib(minidlna_t)
--
--auth_use_nsswitch(minidlna_t)
--
--logging_search_logs(minidlna_t)
--
--miscfiles_read_localization(minidlna_t)
--miscfiles_read_public_files(minidlna_t)
--
--tunable_policy(`minidlna_read_generic_user_content',`
-- userdom_list_user_tmp(minidlna_t)
-- userdom_read_user_home_content_files(minidlna_t)
-- userdom_read_user_home_content_symlinks(minidlna_t)
-- userdom_read_user_tmp_files(minidlna_t)
-- userdom_read_user_tmp_symlinks(minidlna_t)
--',`
-- files_dontaudit_list_home(minidlna_t)
-- files_dontaudit_list_tmp(minidlna_t)
--
-- userdom_dontaudit_list_user_home_dirs(minidlna_t)
-- userdom_dontaudit_list_user_tmp(minidlna_t)
-- userdom_dontaudit_read_user_home_content_files(minidlna_t)
-- userdom_dontaudit_read_user_tmp_files(minidlna_t)
--')
-diff --git a/minissdpd.fc b/minissdpd.fc
-deleted file mode 100644
-index 4970404..0000000
---- a/minissdpd.fc
-+++ /dev/null
-@@ -1,8 +0,0 @@
--/etc/default/minissdpd -- gen_context(system_u:object_r:minissdpd_conf_t,s0)
--
--/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
--
--/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
--
--/var/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0)
--/var/run/minissdpd\.sock -s gen_context(system_u:object_r:minissdpd_var_run_t,s0)
-diff --git a/minissdpd.if b/minissdpd.if
-deleted file mode 100644
-index b330161..0000000
---- a/minissdpd.if
-+++ /dev/null
-@@ -1,58 +0,0 @@
--## Daemon used by MiniUPnPc to speed up device discoveries.
--
--########################################
--##
--## Read minissdpd configuration files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`minissdpd_read_config',`
-- gen_require(`
-- type minissdpd_conf_t;
-- ')
--
-- files_search_etc($1)
-- allow $1 minissdpd_conf_t:file read_file_perms;
--')
--
--########################################
--##
--## All of the rules required to
--## administrate an minissdpd environment.
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Role allowed access.
--##
--##
--##
--#
--interface(`minissdpd_admin',`
-- gen_require(`
-- type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
-- type minissdpd_var_run_t
-- ')
--
-- allow $1 minissdpd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, minissdpd_t)
--
-- init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 minissdpd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_etc($1)
-- admin_pattern($1, minissdpd_conf_t)
--
-- files_search_pids($1)
-- admin_pattern($1, minissdpd_var_run_t)
--')
-diff --git a/minissdpd.te b/minissdpd.te
-deleted file mode 100644
-index 34d75a7..0000000
---- a/minissdpd.te
-+++ /dev/null
-@@ -1,51 +0,0 @@
--policy_module(minissdpd, 1.0.0)
--
--########################################
--#
--# Declarations
--#
--
--type minissdpd_t;
--type minissdpd_exec_t;
--init_daemon_domain(minissdpd_t, minissdpd_exec_t)
--
--type minissdpd_initrc_exec_t;
--init_script_file(minissdpd_initrc_exec_t)
--
--type minissdpd_conf_t;
--files_config_file(minissdpd_conf_t)
--
--type minissdpd_var_run_t;
--files_pid_file(minissdpd_var_run_t)
--
--########################################
--#
--# Local policy
--#
--
--allow minissdpd_t self:capability { sys_module net_admin };
--allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
--allow minissdpd_t self:udp_socket create_socket_perms;
--allow minissdpd_t self:unix_dgram_socket create_socket_perms;
--
--allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
--allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
--files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })
--
--kernel_load_module(minissdpd_t)
--kernel_read_network_state(minissdpd_t)
--kernel_request_load_module(minissdpd_t)
--
--corenet_all_recvfrom_unlabeled(minissdpd_t)
--corenet_all_recvfrom_netlabel(minissdpd_t)
--corenet_udp_sendrecv_generic_if(minissdpd_t)
--corenet_udp_sendrecv_generic_node(minissdpd_t)
--corenet_udp_bind_generic_node(minissdpd_t)
--
--corenet_sendrecv_ssdp_server_packets(minissdpd_t)
--corenet_udp_bind_ssdp_port(minissdpd_t)
--corenet_udp_sendrecv_ssdp_port(minissdpd_t)
--
--logging_send_syslog_msg(minissdpd_t)
--
--miscfiles_read_localization(minissdpd_t)
-\ No newline at end of file
diff --git a/mip6d.fc b/mip6d.fc
new file mode 100644
index 0000000..767bbad
@@ -48059,9 +44874,15 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..25f2cfe 100644
+index cb4c13d..25f2cfe 100644
--- a/modemmanager.te
+++ b/modemmanager.te
+@@ -1,4 +1,4 @@
+-policy_module(modemmanager, 1.1.1)
++policy_module(modemmanager, 1.2.1)
+
+ ########################################
+ #
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
typealias modemmanager_t alias ModemManager_t;
typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -48099,6 +44920,12 @@ index d15eb5b..25f2cfe 100644
logging_send_syslog_msg(modemmanager_t)
+@@ -54,4 +59,5 @@ optional_policy(`
+
+ optional_policy(`
+ udev_read_db(modemmanager_t)
++ udev_manage_pid_files(modemmanager_t)
+ ')
diff --git a/mojomojo.if b/mojomojo.if
index 73952f4..b19a6ee 100644
--- a/mojomojo.if
@@ -48112,15 +44939,10 @@ index 73952f4..b19a6ee 100644
interface(`mojomojo_admin',`
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
-index b94102e..3652584 100644
+index 7e534cf..3652584 100644
--- a/mojomojo.te
+++ b/mojomojo.te
-@@ -1,25 +1,45 @@
--policy_module(mojomojo, 1.1.0)
-+policy_module(mojomojo, 1.0.1)
-
- ########################################
- #
+@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1)
# Declarations
#
@@ -48183,15 +45005,9 @@ index 6fcfc31..9e6d170 100644
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
diff --git a/mongodb.te b/mongodb.te
-index 169f236..c27b44b 100644
+index 4de8949..c27b44b 100644
--- a/mongodb.te
+++ b/mongodb.te
-@@ -1,4 +1,4 @@
--policy_module(mongodb, 1.1.0)
-+policy_module(mongodb, 1.0.2)
-
- ########################################
- #
@@ -49,13 +49,12 @@ corenet_all_recvfrom_unlabeled(mongod_t)
corenet_all_recvfrom_netlabel(mongod_t)
corenet_tcp_sendrecv_generic_if(mongod_t)
@@ -48209,15 +45025,9 @@ index 169f236..c27b44b 100644
-miscfiles_read_localization(mongod_t)
diff --git a/mono.te b/mono.te
-index a6a8643..3dc493c 100644
+index d287fe9..3dc493c 100644
--- a/mono.te
+++ b/mono.te
-@@ -1,4 +1,4 @@
--policy_module(mono, 1.9.0)
-+policy_module(mono, 1.8.1)
-
- ########################################
- #
@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
# local policy
#
@@ -48241,15 +45051,9 @@ index 8fdaece..5440757 100644
files_search_pids($1)
diff --git a/monop.te b/monop.te
-index 5f93763..84944d1 100644
+index 4462c0e..84944d1 100644
--- a/monop.te
+++ b/monop.te
-@@ -1,4 +1,4 @@
--policy_module(monop, 1.8.0)
-+policy_module(monop, 1.7.1)
-
- ########################################
- #
@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
@@ -49469,16 +46273,16 @@ index 6194b80..ecab2e6 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..c4db163 100644
+index 6a306ee..c4db163 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
--policy_module(mozilla, 2.8.0)
+-policy_module(mozilla, 2.7.4)
+policy_module(mozilla, 2.6.0)
########################################
#
-@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
+@@ -6,17 +6,56 @@ policy_module(mozilla, 2.7.4)
#
##
@@ -50613,16 +47417,10 @@ index 5fa77c7..2e01c7d 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index fe72523..b8c9bf1 100644
+index 7c8afcc..b8c9bf1 100644
--- a/mpd.te
+++ b/mpd.te
-@@ -1,4 +1,4 @@
--policy_module(mpd, 1.1.1)
-+policy_module(mpd, 1.0.4)
-
- ########################################
- #
-@@ -7,6 +7,13 @@ policy_module(mpd, 1.1.1)
+@@ -7,6 +7,13 @@ policy_module(mpd, 1.0.4)
##
##
@@ -50636,7 +47434,7 @@ index fe72523..b8c9bf1 100644
## Determine whether mpd can traverse
## user home directories.
##
-@@ -62,6 +69,12 @@ files_type(mpd_var_lib_t)
+@@ -62,18 +69,25 @@ files_type(mpd_var_lib_t)
type mpd_user_data_t;
userdom_user_home_content(mpd_user_data_t) # customizable
@@ -50649,7 +47447,13 @@ index fe72523..b8c9bf1 100644
########################################
#
# Local policy
-@@ -74,6 +87,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
+ #
+
+ allow mpd_t self:capability { dac_override kill setgid setuid };
+-allow mpd_t self:process { getsched setsched setrlimit signal signull };
++allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
+ allow mpd_t self:fifo_file rw_fifo_file_perms;
+ allow mpd_t self:unix_stream_socket { accept connectto listen };
allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -50780,16 +47584,10 @@ index 861d5e9..1c3d5a5 100644
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
+')
diff --git a/mplayer.te b/mplayer.te
-index 0f03cd9..f92829c 100644
+index 9aca704..f92829c 100644
--- a/mplayer.te
+++ b/mplayer.te
-@@ -1,4 +1,4 @@
--policy_module(mplayer, 2.5.0)
-+policy_module(mplayer, 2.4.4)
-
- ########################################
- #
-@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
+@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4)
## its stack executable.
##
##
@@ -50835,31 +47633,7 @@ index 0f03cd9..f92829c 100644
allow mencoder_t self:process { execmem execstack };
')
-@@ -130,7 +129,6 @@ tunable_policy(`use_samba_home_dirs',`
- allow mplayer_t self:process { signal_perms getsched };
- allow mplayer_t self:fifo_file rw_fifo_file_perms;
- allow mplayer_t self:sem create_sem_perms;
--allow mplayer_t self:udp_socket create_socket_perms;
-
- allow mplayer_t mplayer_etc_t:dir list_dir_perms;
- allow mplayer_t mplayer_etc_t:file read_file_perms;
-@@ -156,15 +154,6 @@ kernel_read_kernel_sysctls(mplayer_t)
- corecmd_exec_bin(mplayer_t)
- corecmd_exec_shell(mplayer_t)
-
--corenet_all_recvfrom_unlabeled(mplayer_t)
--corenet_all_recvfrom_netlabel(mplayer_t)
--corenet_tcp_sendrecv_generic_if(mplayer_t)
--corenet_tcp_sendrecv_generic_node(mplayer_t)
--
--corenet_tcp_connect_http_port(mplayer_t)
--corenet_tcp_sendrecv_http_port(mplayer_t)
--corenet_sendrecv_http_client_packets(mplayer_t)
--
- dev_read_rand(mplayer_t)
- dev_read_realtime_clock(mplayer_t)
- dev_read_sound_mixer(mplayer_t)
-@@ -183,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
+@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
files_read_non_security_files(mplayer_t)
files_list_home(mplayer_t)
files_read_etc_runtime_files(mplayer_t)
@@ -50867,7 +47641,7 @@ index 0f03cd9..f92829c 100644
fs_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
-@@ -204,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
@@ -50876,7 +47650,7 @@ index 0f03cd9..f92829c 100644
userdom_write_user_tmp_sockets(mplayer_t)
-@@ -221,15 +209,15 @@ ifndef(`enable_mls',`
+@@ -211,15 +209,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mplayer_t)
')
@@ -50896,7 +47670,7 @@ index 0f03cd9..f92829c 100644
allow mplayer_t self:process { execmem execstack };
')
-@@ -245,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mplayer_t)
')
@@ -50936,15 +47710,9 @@ index c595094..2346458 100644
##
##
diff --git a/mrtg.te b/mrtg.te
-index 65a246a..9411154 100644
+index c97c177..9411154 100644
--- a/mrtg.te
+++ b/mrtg.te
-@@ -1,4 +1,4 @@
--policy_module(mrtg, 1.9.0)
-+policy_module(mrtg, 1.8.2)
-
- ########################################
- #
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
@@ -52184,11 +48952,11 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index ff1d68c..bff8488 100644
+index afd2fad..bff8488 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
--policy_module(mta, 2.7.3)
+-policy_module(mta, 2.6.5)
+policy_module(mta, 2.5.0)
########################################
@@ -52214,7 +48982,7 @@ index ff1d68c..bff8488 100644
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -43,180 +43,79 @@ role system_r types system_mail_t;
+@@ -43,178 +43,79 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@@ -52254,7 +49022,6 @@ index ff1d68c..bff8488 100644
-
-can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
-
--kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
-kernel_read_kernel_sysctls(user_mail_domain)
-kernel_read_network_state(user_mail_domain)
@@ -52309,7 +49076,6 @@ index ff1d68c..bff8488 100644
- exim_domtrans(user_mail_domain)
- exim_manage_log(user_mail_domain)
- exim_manage_spool_files(user_mail_domain)
-- exim_read_var_lib_files(user_mail_domain)
-')
-
-optional_policy(`
@@ -52390,11 +49156,11 @@ index ff1d68c..bff8488 100644
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-
--userdom_use_user_terminals(system_mail_t)
++
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-+
+
+-userdom_use_user_terminals(system_mail_t)
+
+logging_append_all_logs(system_mail_t)
+
@@ -52432,7 +49198,7 @@ index ff1d68c..bff8488 100644
')
optional_policy(`
-@@ -225,18 +124,21 @@ optional_policy(`
+@@ -223,18 +124,18 @@ optional_policy(`
')
optional_policy(`
@@ -52451,16 +49217,18 @@ index ff1d68c..bff8488 100644
optional_policy(`
- courier_stream_connect_authdaemon(system_mail_t)
-+ courier_manage_spool_dirs(system_mail_t)
-+ courier_manage_spool_files(system_mail_t)
-+ courier_rw_spool_pipes(system_mail_t)
- ')
-
- optional_policy(`
-@@ -244,9 +146,10 @@ optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
+@@ -245,14 +146,10 @@ optional_policy(`
')
optional_policy(`
+- exim_domtrans(system_mail_t)
+- exim_manage_log(system_mail_t)
+-')
+-
+-optional_policy(`
- fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
- fail2ban_append_log(system_mail_t)
- fail2ban_rw_inherited_tmp_files(system_mail_t)
@@ -52471,7 +49239,7 @@ index ff1d68c..bff8488 100644
')
optional_policy(`
-@@ -258,10 +161,17 @@ optional_policy(`
+@@ -264,10 +161,17 @@ optional_policy(`
')
optional_policy(`
@@ -52489,7 +49257,7 @@ index ff1d68c..bff8488 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -272,6 +182,19 @@ optional_policy(`
+@@ -278,6 +182,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -52509,7 +49277,7 @@ index ff1d68c..bff8488 100644
')
optional_policy(`
-@@ -279,6 +202,10 @@ optional_policy(`
+@@ -285,6 +202,10 @@ optional_policy(`
')
optional_policy(`
@@ -52520,7 +49288,7 @@ index ff1d68c..bff8488 100644
userdom_dontaudit_use_user_ptys(system_mail_t)
optional_policy(`
-@@ -287,42 +214,36 @@ optional_policy(`
+@@ -293,42 +214,36 @@ optional_policy(`
')
optional_policy(`
@@ -52573,7 +49341,7 @@ index ff1d68c..bff8488 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,40 +252,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +252,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -52622,7 +49390,7 @@ index ff1d68c..bff8488 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -372,6 +279,17 @@ optional_policy(`
+@@ -378,6 +279,17 @@ optional_policy(`
')
optional_policy(`
@@ -52640,7 +49408,7 @@ index ff1d68c..bff8488 100644
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
-@@ -381,24 +299,176 @@ optional_policy(`
+@@ -387,24 +299,176 @@ optional_policy(`
########################################
#
@@ -53155,16 +49923,17 @@ index b744fe3..e713bb6 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index b708708..0911867 100644
+index 97370e4..0911867 100644
--- a/munin.te
+++ b/munin.te
-@@ -1,4 +1,4 @@
--policy_module(munin, 1.9.1)
-+policy_module(munin, 1.8.10)
-
- ########################################
- #
-@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
+@@ -37,44 +37,47 @@ munin_plugin_template(disk)
+ munin_plugin_template(mail)
+ munin_plugin_template(selinux)
+ munin_plugin_template(services)
++
++type services_munin_plugin_tmpfs_t;
++files_tmpfs_file(services_munin_plugin_tmpfs_t)
++
munin_plugin_template(system)
munin_plugin_template(unconfined)
@@ -53213,7 +49982,7 @@ index b708708..0911867 100644
optional_policy(`
nscd_use(munin_plugin_domain)
-@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -53222,7 +49991,7 @@ index b708708..0911867 100644
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
@@ -53230,7 +49999,7 @@ index b708708..0911867 100644
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +155,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
@@ -53238,7 +50007,7 @@ index b708708..0911867 100644
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
-@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +166,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
@@ -53246,7 +50015,7 @@ index b708708..0911867 100644
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
-@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -173,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
@@ -53260,7 +50029,7 @@ index b708708..0911867 100644
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
-@@ -217,7 +206,6 @@ optional_policy(`
+@@ -213,7 +206,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -53268,7 +50037,7 @@ index b708708..0911867 100644
')
optional_policy(`
-@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -242,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -53296,7 +50065,7 @@ index b708708..0911867 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -272,6 +262,10 @@ optional_policy(`
+@@ -268,6 +262,10 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
@@ -53307,7 +50076,7 @@ index b708708..0911867 100644
####################################
#
# Mail local policy
-@@ -279,27 +273,38 @@ optional_policy(`
+@@ -275,27 +273,38 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -53350,15 +50119,17 @@ index b708708..0911867 100644
')
optional_policy(`
-@@ -326,7 +331,6 @@ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-
- manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
- manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
--fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })
+@@ -320,6 +329,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow services_munin_plugin_t self:udp_socket create_socket_perms;
+ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
++
corenet_sendrecv_all_client_packets(services_munin_plugin_t)
corenet_tcp_connect_all_ports(services_munin_plugin_t)
-@@ -339,7 +343,7 @@ dev_read_rand(services_munin_plugin_t)
+ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -331,7 +343,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
@@ -53367,7 +50138,7 @@ index b708708..0911867 100644
')
optional_policy(`
-@@ -348,6 +352,10 @@ optional_policy(`
+@@ -340,6 +352,10 @@ optional_policy(`
')
optional_policy(`
@@ -53378,7 +50149,7 @@ index b708708..0911867 100644
lpd_exec_lpr(services_munin_plugin_t)
')
-@@ -361,7 +369,11 @@ optional_policy(`
+@@ -353,7 +369,11 @@ optional_policy(`
')
optional_policy(`
@@ -53391,7 +50162,7 @@ index b708708..0911867 100644
')
optional_policy(`
-@@ -393,6 +405,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +405,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -53399,7 +50170,7 @@ index b708708..0911867 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +434,32 @@ optional_policy(`
+@@ -413,3 +434,32 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -53433,14 +50204,13 @@ index b708708..0911867 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
-index 06f8666..297f831 100644
+index c48dc17..297f831 100644
--- a/mysql.fc
+++ b/mysql.fc
-@@ -1,12 +1,25 @@
+@@ -1,11 +1,25 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
--/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-
-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
@@ -53471,7 +50241,7 @@ index 06f8666..297f831 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-@@ -14,14 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -13,13 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -53486,7 +50256,6 @@ index 06f8666..297f831 100644
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
--/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0)
@@ -54050,16 +50819,16 @@ index 687af38..a77dc09 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 7584bbe..dfca76c 100644
+index 9f6179e..dfca76c 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
--policy_module(mysql, 1.14.1)
+-policy_module(mysql, 1.13.5)
+policy_module(mysql, 1.13.0)
########################################
#
-@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
+@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5)
#
##
@@ -54101,7 +50870,7 @@ index 7584bbe..dfca76c 100644
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
-@@ -62,24 +59,24 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
# Local policy
#
@@ -54131,9 +50900,16 @@ index 7584bbe..dfca76c 100644
allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
- manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
- manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-@@ -95,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+-allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(mysqld_t, mysqld_log_t, file)
++manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
++manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
++manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
++logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
+
+ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+ manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -93,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -54211,7 +50987,7 @@ index 7584bbe..dfca76c 100644
')
optional_policy(`
-@@ -146,6 +153,10 @@ optional_policy(`
+@@ -144,6 +153,10 @@ optional_policy(`
')
optional_policy(`
@@ -54222,7 +50998,7 @@ index 7584bbe..dfca76c 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -155,31 +166,25 @@ optional_policy(`
+@@ -153,29 +166,25 @@ optional_policy(`
#######################################
#
@@ -54247,10 +51023,10 @@ index 7584bbe..dfca76c 100644
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
- list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
--manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
- manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -54261,7 +51037,7 @@ index 7584bbe..dfca76c 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +192,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +192,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -54277,9 +51053,9 @@ index 7584bbe..dfca76c 100644
+files_dontaudit_access_check_root(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-+
-+files_write_root_dirs(mysqld_safe_t)
++files_write_root_dirs(mysqld_safe_t)
++
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
@@ -54297,7 +51073,7 @@ index 7584bbe..dfca76c 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -209,7 +222,7 @@ optional_policy(`
+@@ -205,7 +222,7 @@ optional_policy(`
########################################
#
@@ -54306,7 +51082,7 @@ index 7584bbe..dfca76c 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +231,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +231,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -54324,7 +51100,7 @@ index 7584bbe..dfca76c 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -230,31 +244,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +244,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -55007,15 +51783,9 @@ index 0641e97..cad402c 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 7b3e682..39bcd98 100644
+index 44ad3b7..39bcd98 100644
--- a/nagios.te
+++ b/nagios.te
-@@ -1,4 +1,4 @@
--policy_module(nagios, 1.13.0)
-+policy_module(nagios, 1.12.3)
-
- ########################################
- #
@@ -27,7 +27,7 @@ type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
@@ -55421,15 +52191,9 @@ index db9578f..4309e3d 100644
')
+
diff --git a/ncftool.te b/ncftool.te
-index 71f30ba..c8baed2 100644
+index b13c0b1..c8baed2 100644
--- a/ncftool.te
+++ b/ncftool.te
-@@ -1,4 +1,4 @@
--policy_module(ncftool, 1.2.0)
-+policy_module(ncftool, 1.1.2)
-
- ########################################
- #
@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
allow ncftool_t self:capability net_admin;
@@ -55478,15 +52242,9 @@ index 71f30ba..c8baed2 100644
optional_policy(`
diff --git a/nessus.te b/nessus.te
-index fe1068b..173a2c0 100644
+index 56c0fbd..173a2c0 100644
--- a/nessus.te
+++ b/nessus.te
-@@ -1,4 +1,4 @@
--policy_module(nessus, 1.9.0)
-+policy_module(nessus, 1.8.1)
-
- ########################################
- #
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
corecmd_exec_bin(nessusd_t)
@@ -55513,10 +52271,10 @@ index fe1068b..173a2c0 100644
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
-index 94b9734..dfb99d2 100644
+index a1fb3c3..dfb99d2 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
-@@ -1,44 +1,47 @@
+@@ -1,43 +1,47 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -55548,7 +52306,6 @@ index 94b9734..dfb99d2 100644
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -55589,7 +52346,7 @@ index 94b9734..dfb99d2 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..9b302e8 100644
+index 0e8508c..9b302e8 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -55727,72 +52484,50 @@ index 86dc29d..9b302e8 100644
##
##
##
-@@ -133,29 +158,31 @@ interface(`networkmanager_dbus_chat',`
- allow NetworkManager_t $1:dbus send_msg;
- ')
+@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
--#######################################
-+########################################
+ ########################################
##
--## Read metworkmanager process state files.
+-## Send generic signals to networkmanager.
+## Do not audit attempts to send and
+## receive messages from NetworkManager
+## over dbus.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`networkmanager_read_state',`
++##
++##
++#
+interface(`networkmanager_dontaudit_dbus_chat',`
- gen_require(`
- type NetworkManager_t;
++ gen_require(`
++ type NetworkManager_t;
+ class dbus send_msg;
- ')
-
-- allow $1 NetworkManager_t:dir search_dir_perms;
-- allow $1 NetworkManager_t:file read_file_perms;
-- allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
++ ')
++
+ dontaudit $1 NetworkManager_t:dbus send_msg;
+ dontaudit NetworkManager_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Send generic signals to networkmanager.
++')
++
++########################################
++##
+## Send a generic signal to NetworkManager
##
##
##
-@@ -173,8 +200,7 @@ interface(`networkmanager_signal',`
+@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
########################################
##
--## Create, read, and write
--## networkmanager library files.
+-## Read networkmanager lib files.
+## Read NetworkManager lib files.
##
##
##
-@@ -182,18 +208,38 @@ interface(`networkmanager_signal',`
- ##
- ##
- #
--interface(`networkmanager_manage_lib_files',`
-+interface(`networkmanager_read_lib_files',`
- gen_require(`
- type NetworkManager_var_lib_t;
- ')
+@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ ')
- files_search_var_lib($1)
-- manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
-+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
-+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
-+')
-+
+#######################################
+##
+## Read NetworkManager conf files.
@@ -55810,70 +52545,64 @@ index 86dc29d..9b302e8 100644
+
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
- ')
-
++')
++
########################################
##
--## Read networkmanager lib files.
+-## Append networkmanager log files.
+## Read NetworkManager PID files.
##
##
##
-@@ -201,19 +247,18 @@ interface(`networkmanager_manage_lib_files',`
+@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
##
##
#
--interface(`networkmanager_read_lib_files',`
+-interface(`networkmanager_append_log_files',`
+interface(`networkmanager_read_pid_files',`
gen_require(`
-- type NetworkManager_var_lib_t;
+- type NetworkManager_log_t;
+ type NetworkManager_var_run_t;
')
-- files_search_var_lib($1)
-- list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
-- read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+- logging_search_logs($1)
+- allow $1 NetworkManager_log_t:dir list_dir_perms;
+- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+ files_search_pids($1)
+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
########################################
##
--## Append networkmanager log files.
+-## Read networkmanager pid files.
+## Manage NetworkManager PID files.
##
##
##
-@@ -221,19 +266,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -201,25 +266,97 @@ interface(`networkmanager_append_log_files',`
##
##
#
--interface(`networkmanager_append_log_files',`
+-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
- gen_require(`
-- type NetworkManager_log_t;
++ gen_require(`
+ type NetworkManager_var_run_t;
- ')
-
-- logging_search_logs($1)
-- allow $1 NetworkManager_log_t:dir list_dir_perms;
-- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
++ ')
++
+ files_search_pids($1)
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
- ')
-
- ########################################
- ##
--## Read networkmanager pid files.
++')
++
++########################################
++##
+## Manage NetworkManager PID sock files.
- ##
- ##
- ##
-@@ -241,45 +285,78 @@ interface(`networkmanager_append_log_files',`
- ##
- ##
- #
--interface(`networkmanager_read_pid_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`networkmanager_manage_pid_sock_files',`
gen_require(`
type NetworkManager_var_run_t;
@@ -55884,22 +52613,18 @@ index 86dc29d..9b302e8 100644
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
--####################################
-+########################################
+ ########################################
##
--## Connect to networkmanager over
--## a unix domain stream socket.
+-## All of the rules required to
+-## administrate an networkmanager environment.
+## Create objects in /etc with a private
+## type using a type_transition.
##
##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
+##
+## Private file type.
@@ -55914,31 +52639,25 @@ index 86dc29d..9b302e8 100644
+##
+## The name of the object being created.
+##
- ##
- #
--interface(`networkmanager_stream_connect',`
++##
++#
+interface(`networkmanager_pid_filetrans',`
- gen_require(`
-- type NetworkManager_t, NetworkManager_var_run_t;
++ gen_require(`
+ type NetworkManager_var_run_t;
- ')
-
-- files_search_pids($1)
-- stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
++ ')
++
+ filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an networkmanager environment.
++')
++
++########################################
++##
+## Delete NetworkManager PID files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`networkmanager_delete_pid_files',`
+ gen_require(`
@@ -55962,7 +52681,7 @@ index 86dc29d..9b302e8 100644
##
##
## Role allowed access.
-@@ -287,33 +364,170 @@ interface(`networkmanager_stream_connect',`
+@@ -227,33 +364,170 @@ interface(`networkmanager_read_pid_files',`
##
##
#
@@ -56153,11 +52872,11 @@ index 86dc29d..9b302e8 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..9e9b2dc 100644
+index 0b48a30..9e9b2dc 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
--policy_module(networkmanager, 1.15.2)
+-policy_module(networkmanager, 1.14.7)
+policy_module(networkmanager, 1.14.0)
########################################
@@ -56188,7 +52907,7 @@ index 55f2009..9e9b2dc 100644
# Local policy
#
--allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
+-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
@@ -56519,13 +53238,12 @@ index 55f2009..9e9b2dc 100644
')
optional_policy(`
-@@ -320,14 +380,19 @@ optional_policy(`
+@@ -320,13 +380,19 @@ optional_policy(`
')
optional_policy(`
- udev_exec(NetworkManager_t)
- udev_read_db(NetworkManager_t)
-- udev_read_pid_files(NetworkManager_t)
+ systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t)
@@ -56544,7 +53262,7 @@ index 55f2009..9e9b2dc 100644
')
optional_policy(`
-@@ -357,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -56993,11 +53711,11 @@ index 46e55c3..6e4e061 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3a6b035..6aeb9dd 100644
+index 3e4a31c..6aeb9dd 100644
--- a/nis.te
+++ b/nis.te
@@ -1,12 +1,10 @@
--policy_module(nis, 1.12.0)
+-policy_module(nis, 1.11.1)
+policy_module(nis, 1.11.0)
########################################
@@ -58076,11 +54794,11 @@ index 8f2ab09..bc2c7fe 100644
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index bcd7d0a..2bbc3a6 100644
+index df4c10f..2bbc3a6 100644
--- a/nscd.te
+++ b/nscd.te
@@ -1,36 +1,37 @@
--policy_module(nscd, 1.11.0)
+-policy_module(nscd, 1.10.3)
+policy_module(nscd, 1.10.0)
gen_require(`
@@ -58387,11 +55105,11 @@ index a9c60ff..ad4f14a 100644
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
-index 47bb1d2..b3662dd 100644
+index dde7f42..b3662dd 100644
--- a/nsd.te
+++ b/nsd.te
@@ -1,4 +1,4 @@
--policy_module(nsd, 1.8.0)
+-policy_module(nsd, 1.7.1)
+policy_module(nsd, 1.7.0)
########################################
@@ -58686,11 +55404,11 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index 421bf1a..c37998e 100644
+index a3e56f0..c37998e 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -1,4 +1,4 @@
--policy_module(nslcd, 1.4.1)
+-policy_module(nslcd, 1.3.1)
+policy_module(nslcd, 1.3.0)
########################################
@@ -58712,7 +55430,7 @@ index 421bf1a..c37998e 100644
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -36,16 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
kernel_read_system_state(nslcd_t)
@@ -58726,13 +55444,11 @@ index 421bf1a..c37998e 100644
-corenet_sendrecv_ldap_client_packets(nslcd_t)
corenet_tcp_connect_ldap_port(nslcd_t)
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
--
--dev_read_sysfs(nslcd_t)
+corenet_sendrecv_ldap_client_packets(nslcd_t)
files_read_usr_symlinks(nslcd_t)
files_list_tmp(nslcd_t)
-@@ -54,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
+@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
@@ -59570,15 +56286,9 @@ index 0000000..7d839fe
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
-index 8ec7859..0f7f5e4 100644
+index 52757d8..0f7f5e4 100644
--- a/ntop.te
+++ b/ntop.te
-@@ -1,4 +1,4 @@
--policy_module(ntop, 1.10.0)
-+policy_module(ntop, 1.9.2)
-
- ########################################
- #
@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
@@ -59622,7 +56332,7 @@ index af3c91e..6882a3f 100644
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/ntp.if b/ntp.if
-index e96a309..24f45be 100644
+index b59196f..24f45be 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
@@ -59671,7 +56381,7 @@ index e96a309..24f45be 100644
')
########################################
-@@ -98,23 +117,46 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
@@ -59694,37 +56404,33 @@ index e96a309..24f45be 100644
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+')
+
- ########################################
- ##
--## Read ntp drift files.
++########################################
++##
+## Execute ntpd server in the ntpd domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed to transition.
- ##
- ##
- #
--interface(`ntp_read_drift_files',`
++##
++##
++#
+interface(`ntp_systemctl',`
- gen_require(`
-- type ntp_drift_t;
++ gen_require(`
+ type ntpd_unit_file_t;
+ type ntpd_t;
- ')
-
-- files_search_var_lib($1)
-- read_files_pattern($1, ntp_drift_t, ntp_drift_t)
++ ')
++
+ systemd_exec_systemctl($1)
+ allow $1 ntpd_unit_file_t:file read_file_perms;
+ allow $1 ntpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
- ')
-
++')
++
########################################
-@@ -141,8 +183,27 @@ interface(`ntp_rw_shm',`
+ ##
+ ## Read and write ntpd shared memory.
+@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',`
########################################
##
@@ -59754,7 +56460,7 @@ index e96a309..24f45be 100644
##
##
##
-@@ -151,7 +212,7 @@ interface(`ntp_rw_shm',`
+@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',`
##
##
##
@@ -59763,7 +56469,7 @@ index e96a309..24f45be 100644
##
##
##
-@@ -159,20 +220,22 @@ interface(`ntp_rw_shm',`
+@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -59786,18 +56492,12 @@ index e96a309..24f45be 100644
allow $2 system_r;
- files_list_etc($1)
-- admin_pattern($1, { ntpd_key_t ntp_conf_t })
+- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
+ admin_pattern($1, ntpd_key_t)
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
-@@ -180,11 +243,33 @@ interface(`ntp_admin',`
- files_list_tmp($1)
- admin_pattern($1, ntpd_tmp_t)
-
-- files_list_var_lib($1)
-- admin_pattern($1, ntp_drift_t)
--
+@@ -164,5 +246,30 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
@@ -59830,15 +56530,9 @@ index e96a309..24f45be 100644
+ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
')
diff --git a/ntp.te b/ntp.te
-index f81b113..ae081d4 100644
+index b90e343..ae081d4 100644
--- a/ntp.te
+++ b/ntp.te
-@@ -1,4 +1,4 @@
--policy_module(ntp, 1.11.0)
-+policy_module(ntp, 1.10.3)
-
- ########################################
- #
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
@@ -60031,16 +56725,16 @@ index 0d3c270..709dda1 100644
+ ')
')
diff --git a/numad.te b/numad.te
-index b0a1be4..f050103 100644
+index f5d145d..f050103 100644
--- a/numad.te
+++ b/numad.te
@@ -1,4 +1,4 @@
--policy_module(numad, 1.1.0)
+-policy_module(numad, 1.0.3)
+policy_module(numad, 1.0.0)
########################################
#
-@@ -8,37 +8,44 @@ policy_module(numad, 1.1.0)
+@@ -8,37 +8,44 @@ policy_module(numad, 1.0.3)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
@@ -60223,16 +56917,16 @@ index 57c0161..4534676 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
-index 5b2cb0d..8ee90b0 100644
+index 0c9deb7..8ee90b0 100644
--- a/nut.te
+++ b/nut.te
@@ -1,4 +1,4 @@
--policy_module(nut, 1.3.0)
+-policy_module(nut, 1.2.4)
+policy_module(nut, 1.2.0)
########################################
#
-@@ -7,131 +7,124 @@ policy_module(nut, 1.3.0)
+@@ -7,131 +7,124 @@ policy_module(nut, 1.2.4)
attribute nut_domain;
@@ -60499,15 +57193,9 @@ index 251d681..50ae2a9 100644
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
-index 091f872..d181d03 100644
+index b1832ca..d181d03 100644
--- a/nx.te
+++ b/nx.te
-@@ -1,4 +1,4 @@
--policy_module(nx, 1.7.0)
-+policy_module(nx, 1.6.1)
-
- ########################################
- #
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -60550,15 +57238,9 @@ index 091f872..d181d03 100644
sysnet_read_config(nx_server_t)
diff --git a/oav.te b/oav.te
-index b09c4c4..1a9e754 100644
+index 75fdf58..1a9e754 100644
--- a/oav.te
+++ b/oav.te
-@@ -1,4 +1,4 @@
--policy_module(oav, 1.10.0)
-+policy_module(oav, 1.9.1)
-
- ########################################
- #
@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
domain_use_interactive_fds(scannerdaemon_t)
@@ -60990,11 +57672,11 @@ index c87bd2a..7de054a 100644
+ ')
')
diff --git a/oddjob.te b/oddjob.te
-index e403097..edc3e32 100644
+index 296a1d3..edc3e32 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -1,12 +1,10 @@
--policy_module(oddjob, 1.10.0)
+-policy_module(oddjob, 1.9.2)
+policy_module(oddjob, 1.9.0)
########################################
@@ -61091,37 +57773,18 @@ index e403097..edc3e32 100644
+userdom_home_manager(oddjob_mkhomedir_t)
+userdom_stream_connect(oddjob_mkhomedir_t)
+
-diff --git a/oident.te b/oident.te
-index edfad9d..cd22d87 100644
---- a/oident.te
-+++ b/oident.te
-@@ -1,4 +1,4 @@
--policy_module(oident, 2.3.0)
-+policy_module(oident, 2.2.1)
-
- ########################################
- #
-diff --git a/openca.te b/openca.te
-index 0fc3a58..d808ab0 100644
---- a/openca.te
-+++ b/openca.te
-@@ -1,4 +1,4 @@
--policy_module(openca, 1.3.0)
-+policy_module(openca, 1.2.1)
-
- ########################################
- #
diff --git a/openct.te b/openct.te
-index 3b6920e..428ae48 100644
+index 8467596..428ae48 100644
--- a/openct.te
+++ b/openct.te
-@@ -1,4 +1,4 @@
--policy_module(openct, 1.6.1)
-+policy_module(openct, 1.5.1)
+@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t)
- ########################################
- #
-@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ dontaudit openct_t self:capability sys_tty_config;
+ allow openct_t self:process signal_perms;
++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
@@ -61136,7 +57799,7 @@ index 3b6920e..428ae48 100644
dev_read_sysfs(openct_t)
dev_rw_usbfs(openct_t)
dev_rw_smartcard(openct_t)
-@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
+@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
domain_use_interactive_fds(openct_t)
@@ -61153,15 +57816,9 @@ index 3b6920e..428ae48 100644
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/openhpi.te b/openhpi.te
-index 8de6191..e66751b 100644
+index 7f398c0..e66751b 100644
--- a/openhpi.te
+++ b/openhpi.te
-@@ -1,4 +1,4 @@
--policy_module(openhpi, 1.1.0)
-+policy_module(openhpi, 1.0.1)
-
- ########################################
- #
@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
dev_read_urand(openhpid_t)
@@ -63137,16 +59794,10 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 63957a3..baf76c1 100644
+index 3270ff9..baf76c1 100644
--- a/openvpn.te
+++ b/openvpn.te
-@@ -1,4 +1,4 @@
--policy_module(openvpn, 1.12.2)
-+policy_module(openvpn, 1.11.3)
-
- ########################################
- #
-@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
+@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
#
##
@@ -63160,25 +59811,22 @@ index 63957a3..baf76c1 100644
##
## Determine whether openvpn can
## read generic user home content files.
-@@ -14,12 +21,12 @@ policy_module(openvpn, 1.12.2)
+@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3)
+ ##
gen_tunable(openvpn_enable_homedirs, false)
- ##
--##
--## Determine whether openvpn can
--## connect to the TCP network.
--##
++##
+##
+## Determine whether openvpn can
+## connect to the TCP network.
+##
- ##
--gen_tunable(openvpn_can_network_connect, false)
++##
+gen_tunable(openvpn_can_network_connect, true)
-
++
attribute_role openvpn_roles;
-@@ -34,14 +41,17 @@ files_config_file(openvpn_etc_t)
+ type openvpn_t;
+@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -63191,14 +59839,13 @@ index 63957a3..baf76c1 100644
type openvpn_status_t;
logging_log_file(openvpn_status_t)
--type openvpn_tmp_t;
--files_tmp_file(openvpn_tmp_t)
+type openvpn_var_lib_t;
+files_type(openvpn_var_lib_t)
-
++
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)
-@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
+
+@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
@@ -63207,14 +59854,13 @@ index 63957a3..baf76c1 100644
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
-@@ -73,13 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
--allow openvpn_t openvpn_tmp_t:file manage_file_perms;
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
- files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
-
++files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
++
+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
@@ -63226,7 +59872,7 @@ index 63957a3..baf76c1 100644
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-@@ -97,7 +108,6 @@ kernel_request_load_module(openvpn_t)
+@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -63234,7 +59880,7 @@ index 63957a3..baf76c1 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -117,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
@@ -63251,7 +59897,7 @@ index 63957a3..baf76c1 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -132,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -118,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t)
fs_getattr_all_fs(openvpn_t)
fs_search_auto_mountpoints(openvpn_t)
@@ -63286,22 +59932,20 @@ index 63957a3..baf76c1 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -158,9 +180,11 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+@@ -143,11 +179,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(openvpn_t)
')
- tunable_policy(`openvpn_can_network_connect',`
-- corenet_sendrecv_all_client_packets(openvpn_t)
-- corenet_tcp_connect_all_ports(openvpn_t)
-- corenet_tcp_sendrecv_all_ports(openvpn_t)
++tunable_policy(`openvpn_can_network_connect',`
+ corenet_tcp_connect_all_ports(openvpn_t)
+')
+
+optional_policy(`
+ brctl_domtrans(openvpn_t)
- ')
-
++')
++
optional_policy(`
-@@ -168,6 +192,12 @@ optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
optional_policy(`
@@ -63314,7 +59958,7 @@ index 63957a3..baf76c1 100644
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
-@@ -175,3 +205,27 @@ optional_policy(`
+@@ -155,3 +205,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -63643,11 +60287,11 @@ index 9b15730..eedd136 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..452ad74 100644
+index 508fedf..452ad74 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
--policy_module(openvswitch, 1.1.1)
+-policy_module(openvswitch, 1.0.1)
+policy_module(openvswitch, 1.0.0)
########################################
@@ -63666,7 +60310,13 @@ index 44dbc99..452ad74 100644
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
-@@ -27,20 +24,28 @@ files_tmp_file(openvswitch_tmp_t)
+@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t)
+ type openvswitch_log_t;
+ logging_log_file(openvswitch_log_t)
+
++type openvswitch_tmp_t;
++files_tmp_file(openvswitch_tmp_t)
++
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
@@ -63703,7 +60353,7 @@ index 44dbc99..452ad74 100644
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -48,9 +53,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -63714,7 +60364,14 @@ index 44dbc99..452ad74 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +68,42 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
++
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -64532,15 +61189,10 @@ index 9682d9a..d47f913 100644
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
-index 6e6efb6..993c92c 100644
+index 3dd8ada..993c92c 100644
--- a/pacemaker.te
+++ b/pacemaker.te
-@@ -1,10 +1,17 @@
--policy_module(pacemaker, 1.1.0)
-+policy_module(pacemaker, 1.0.2)
-
- ########################################
- #
+@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
# Declarations
#
@@ -64663,15 +61315,9 @@ index 6e097c9..503c97a 100644
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
diff --git a/pads.te b/pads.te
-index 078adc4..446e5ca 100644
+index 29a7364..446e5ca 100644
--- a/pads.te
+++ b/pads.te
-@@ -1,4 +1,4 @@
--policy_module(pads, 1.1.0)
-+policy_module(pads, 1.0.1)
-
- ########################################
- #
@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
#
@@ -64900,11 +61546,11 @@ index bf59ef7..2d8335f 100644
+')
+
diff --git a/passenger.te b/passenger.te
-index 08ec33b..d688bab 100644
+index 4e114ff..d688bab 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
--policy_module(passanger, 1.1.1)
+-policy_module(passanger, 1.0.3)
+policy_module(passanger, 1.0.0)
########################################
@@ -64951,7 +61597,7 @@ index 08ec33b..d688bab 100644
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
@@ -64964,8 +61610,8 @@ index 08ec33b..d688bab 100644
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
-@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t)
- kernel_read_net_sysctls(passenger_t)
++kernel_read_network_state(passenger_t)
++kernel_read_net_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
-corenet_all_recvfrom_unlabeled(passenger_t)
@@ -64979,7 +61625,7 @@ index 08ec33b..d688bab 100644
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
-@@ -68,8 +74,6 @@ dev_read_urand(passenger_t)
+@@ -66,19 +74,20 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
@@ -64988,7 +61634,13 @@ index 08ec33b..d688bab 100644
auth_use_nsswitch(passenger_t)
logging_send_syslog_msg(passenger_t)
-@@ -83,6 +87,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
+
+ miscfiles_read_localization(passenger_t)
+
++sysnet_exec_ifconfig(passenger_t)
++
+ userdom_dontaudit_use_user_terminals(passenger_t)
+
optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
@@ -64996,7 +61648,7 @@ index 08ec33b..d688bab 100644
')
optional_policy(`
-@@ -94,14 +99,21 @@ optional_policy(`
+@@ -90,14 +99,21 @@ optional_policy(`
')
optional_policy(`
@@ -65025,15 +61677,9 @@ index 08ec33b..d688bab 100644
+ rpm_read_db(passenger_t)
')
diff --git a/pcmcia.te b/pcmcia.te
-index 8176e4a..49baca5 100644
+index 3ad10b5..49baca5 100644
--- a/pcmcia.te
+++ b/pcmcia.te
-@@ -1,4 +1,4 @@
--policy_module(pcmcia, 1.7.0)
-+policy_module(pcmcia, 1.6.1)
-
- ########################################
- #
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
logging_send_syslog_msg(cardmgr_t)
@@ -65553,15 +62199,9 @@ index 43d50f9..7f77d32 100644
########################################
diff --git a/pcscd.te b/pcscd.te
-index 1fb1964..a958595 100644
+index 96db654..a958595 100644
--- a/pcscd.te
+++ b/pcscd.te
-@@ -1,4 +1,4 @@
--policy_module(pcscd, 1.8.0)
-+policy_module(pcscd, 1.7.3)
-
- ########################################
- #
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
#
@@ -65779,11 +62419,11 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 608f454..37539ec 100644
+index 7bcf327..37539ec 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
--policy_module(pegasus, 1.9.0)
+-policy_module(pegasus, 1.8.3)
+policy_module(pegasus, 1.8.0)
########################################
@@ -66292,16 +62932,6 @@ index 608f454..37539ec 100644
virt_domtrans(pegasus_t)
virt_stream_connect(pegasus_t)
virt_manage_config(pegasus_t)
-diff --git a/perdition.te b/perdition.te
-index 9feb1ef..39027de 100644
---- a/perdition.te
-+++ b/perdition.te
-@@ -1,4 +1,4 @@
--policy_module(perdition, 1.8.0)
-+policy_module(perdition, 1.7.1)
-
- ########################################
- #
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 0000000..7b54c39
@@ -66497,15 +63127,9 @@ index 21a6ecb..b99e4cb 100644
domain_system_change_exemption($1)
role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
-index ab01060..1ee68e9 100644
+index 0f77942..1ee68e9 100644
--- a/pingd.te
+++ b/pingd.te
-@@ -1,4 +1,4 @@
--policy_module(pingd, 1.1.0)
-+policy_module(pingd, 1.0.1)
-
- ########################################
- #
@@ -10,7 +10,7 @@ type pingd_exec_t;
init_daemon_domain(pingd_t, pingd_exec_t)
@@ -67051,7 +63675,7 @@ index 0000000..a989aea
+sysnet_read_config(piranha_domain)
diff --git a/pkcs.fc b/pkcs.fc
deleted file mode 100644
-index 9a72226..0000000
+index f9dc0be..0000000
--- a/pkcs.fc
+++ /dev/null
@@ -1,7 +0,0 @@
@@ -67061,7 +63685,7 @@ index 9a72226..0000000
-
-/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
-
--/var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
+-/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
diff --git a/pkcs.if b/pkcs.if
deleted file mode 100644
index 69be2aa..0000000
@@ -67115,11 +63739,11 @@ index 69be2aa..0000000
-')
diff --git a/pkcs.te b/pkcs.te
deleted file mode 100644
-index 8eb3f7b..0000000
+index 977b972..0000000
--- a/pkcs.te
+++ /dev/null
-@@ -1,60 +0,0 @@
--policy_module(pkcs, 1.0.1)
+@@ -1,58 +0,0 @@
+-policy_module(pkcs, 1.0.0)
-
-########################################
-#
@@ -67150,7 +63774,7 @@ index 8eb3f7b..0000000
-# Local policy
-#
-
--allow pkcs_slotd_t self:capability { fsetid kill chown };
+-allow pkcs_slotd_t self:capability kill;
-allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
-allow pkcs_slotd_t self:sem create_sem_perms;
-allow pkcs_slotd_t self:shm create_shm_perms;
@@ -67161,10 +63785,8 @@ index 8eb3f7b..0000000
-manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
-files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
-
--manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
--manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
--files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, { sock_file file dir })
+-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file)
-
-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
@@ -68434,11 +65056,11 @@ index 30e751f..61feb3a 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..b78836f 100644
+index b1f412b..b78836f 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -1,4 +1,4 @@
--policy_module(plymouthd, 1.2.0)
+-policy_module(plymouthd, 1.1.4)
+policy_module(plymouthd, 1.0.1)
########################################
@@ -68560,15 +65182,9 @@ index 3078ce9..b78836f 100644
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
-index 9123f71..b196183 100644
+index a14b3bc..b196183 100644
--- a/podsleuth.te
+++ b/podsleuth.te
-@@ -1,4 +1,4 @@
--policy_module(podsleuth, 1.7.0)
-+policy_module(podsleuth, 1.6.1)
-
- ########################################
- #
@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
#
@@ -68882,16 +65498,16 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index ee91778..55d1871 100644
+index 49694e8..55d1871 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
--policy_module(policykit, 1.3.0)
+-policy_module(policykit, 1.2.8)
+policy_module(policykit, 1.1.0)
########################################
#
-@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
+@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8)
attribute policykit_domain;
@@ -69489,16 +66105,16 @@ index ae27bb7..d00f6ba 100644
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
-index 9764bfe..6646219 100644
+index 316d53a..6646219 100644
--- a/polipo.te
+++ b/polipo.te
@@ -1,4 +1,4 @@
--policy_module(polipo, 1.1.1)
+-policy_module(polipo, 1.0.4)
+policy_module(polipo, 1.0.0)
########################################
#
-@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
+@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4)
##
##
@@ -69565,7 +66181,7 @@ index 9764bfe..6646219 100644
type polipo_cache_t;
files_type(polipo_cache_t)
-@@ -56,116 +63,98 @@ files_type(polipo_cache_t)
+@@ -56,112 +63,98 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
@@ -69672,24 +66288,24 @@ index 9764bfe..6646219 100644
optional_policy(`
- cron_system_entry(polipo_system_t, polipo_exec_t)
+ cron_system_entry(polipo_t, polipo_exec_t)
++')
++
++tunable_policy(`polipo_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(polipo_t)
')
-tunable_policy(`polipo_system_use_cifs',`
- fs_manage_cifs_files(polipo_system_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_system_t)
-+tunable_policy(`polipo_connect_all_unreserved',`
-+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
++tunable_policy(`polipo_use_cifs',`
++ fs_manage_cifs_files(polipo_t)
')
-tunable_policy(`polipo_system_use_nfs',`
- fs_manage_nfs_files(polipo_system_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_system_t)
-+tunable_policy(`polipo_use_cifs',`
-+ fs_manage_cifs_files(polipo_t)
-+')
-+
+tunable_policy(`polipo_use_nfs',`
+ fs_manage_nfs_files(polipo_t)
')
@@ -69708,21 +66324,17 @@ index 9764bfe..6646219 100644
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
-corenet_tcp_bind_generic_node(polipo_daemon)
--
++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
+
-corenet_sendrecv_http_client_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_port(polipo_daemon)
-corenet_tcp_connect_http_port(polipo_daemon)
-+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
-+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
++auth_use_nsswitch(polipo_session_t)
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
-corenet_tcp_bind_http_cache_port(polipo_daemon)
-+auth_use_nsswitch(polipo_session_t)
-
--corenet_sendrecv_tor_client_packets(polipo_daemon)
--corenet_tcp_sendrecv_tor_port(polipo_daemon)
--corenet_tcp_connect_tor_port(polipo_daemon)
+userdom_use_user_terminals(polipo_session_t)
-files_read_usr_files(polipo_daemon)
@@ -69749,15 +66361,9 @@ index 67e8c12..18b89d7 100644
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
diff --git a/portage.te b/portage.te
-index b410c67..b9b5418 100644
+index a95fc4a..b9b5418 100644
--- a/portage.te
+++ b/portage.te
-@@ -1,4 +1,4 @@
--policy_module(portage, 1.14.0)
-+policy_module(portage, 1.13.7)
-
- ########################################
- #
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
files_manage_etc_files(gcc_config_t)
@@ -69794,15 +66400,9 @@ index cd45831..69406ee 100644
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.te b/portmap.te
-index 18b255e..04a202e 100644
+index 738c13b..04a202e 100644
--- a/portmap.te
+++ b/portmap.te
-@@ -1,4 +1,4 @@
--policy_module(portmap, 1.11.0)
-+policy_module(portmap, 1.10.1)
-
- ########################################
- #
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)
@@ -69871,15 +66471,9 @@ index 5ad5291..7f1ae2a 100644
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
-index 00b01e2..49758db 100644
+index a38b57a..49758db 100644
--- a/portreserve.te
+++ b/portreserve.te
-@@ -1,4 +1,4 @@
--policy_module(portreserve, 1.4.0)
-+policy_module(portreserve, 1.3.1)
-
- ########################################
- #
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
corecmd_getattr_bin_files(portreserve_t)
@@ -69900,15 +66494,9 @@ index 00b01e2..49758db 100644
+ sssd_search_lib(portreserve_t)
+')
diff --git a/portslave.te b/portslave.te
-index cbe36c1..a7d7c55 100644
+index e85e33d..a7d7c55 100644
--- a/portslave.te
+++ b/portslave.te
-@@ -1,4 +1,4 @@
--policy_module(portslave, 1.8.0)
-+policy_module(portslave, 1.7.2)
-
- ########################################
- #
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
@@ -70019,7 +66607,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index ded95ec..d8a163f 100644
+index 2e23946..d8a163f 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -70739,7 +67327,7 @@ index ded95ec..d8a163f 100644
##
##
##
-@@ -710,38 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,37 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
@@ -70747,7 +67335,6 @@ index ded95ec..d8a163f 100644
- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
-- type postfix_keytab_t;
+ attribute postfix_spool_type;
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
@@ -70801,7 +67388,7 @@ index ded95ec..d8a163f 100644
allow $2 system_r;
- files_search_etc($1)
-- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
+ admin_pattern($1, postfix_data_t)
- files_search_spool($1)
@@ -70899,16 +67486,16 @@ index ded95ec..d8a163f 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 5cfb83e..f88edc4 100644
+index 191a66f..f88edc4 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
--policy_module(postfix, 1.15.1)
+-policy_module(postfix, 1.14.10)
+policy_module(postfix, 1.14.0)
########################################
#
-@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
+@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10)
#
##
@@ -70942,13 +67529,7 @@ index 5cfb83e..f88edc4 100644
postfix_server_domain_template(cleanup)
-@@ -36,22 +32,22 @@ files_config_file(postfix_etc_t)
- type postfix_exec_t;
- application_executable_file(postfix_exec_t)
-
--type postfix_keytab_t;
--files_type(postfix_keytab_t)
--
+@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t)
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
@@ -70969,7 +67550,7 @@ index 5cfb83e..f88edc4 100644
mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
-@@ -63,6 +59,7 @@ postfix_server_domain_template(pipe)
+@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe)
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
@@ -70977,7 +67558,7 @@ index 5cfb83e..f88edc4 100644
postfix_user_domain_template(postqueue)
mta_mailserver_user_agent(postfix_postqueue_t)
-@@ -83,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t, postfix_spool_type;
@@ -70994,7 +67575,7 @@ index 5cfb83e..f88edc4 100644
type postfix_public_t;
files_type(postfix_public_t)
-@@ -97,6 +94,7 @@ files_type(postfix_public_t)
+@@ -94,6 +94,7 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -71002,7 +67583,7 @@ index 5cfb83e..f88edc4 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -105,164 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -71120,10 +67701,9 @@ index 5cfb83e..f88edc4 100644
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
--allow postfix_master_t postfix_keytab_t:file read_file_perms;
-+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
-
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
++allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
++
+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
@@ -71155,7 +67735,7 @@ index 5cfb83e..f88edc4 100644
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
--
+
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -71172,17 +67752,15 @@ index 5cfb83e..f88edc4 100644
-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
--filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
--filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-
+-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
+-
+-can_exec(postfix_master_t, postfix_exec_t)
+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
--can_exec(postfix_master_t, postfix_exec_t)
--
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+kernel_read_all_sysctls(postfix_master_t)
@@ -71191,7 +67769,7 @@ index 5cfb83e..f88edc4 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -270,65 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -71253,11 +67831,6 @@ index 5cfb83e..f88edc4 100644
-optional_policy(`
- cyrus_stream_connect(postfix_master_t)
--')
--
--optional_policy(`
-- kerberos_read_keytab(postfix_master_t)
-- kerberos_use(postfix_master_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
@@ -71265,6 +67838,10 @@ index 5cfb83e..f88edc4 100644
')
optional_policy(`
+- kerberos_keytab_template(postfix, postfix_t)
+-')
+-
+-optional_policy(`
- mailman_manage_data_files(postfix_master_t)
+ cyrus_stream_connect(postfix_master_t)
')
@@ -71275,7 +67852,7 @@ index 5cfb83e..f88edc4 100644
')
optional_policy(`
-@@ -341,12 +221,14 @@ optional_policy(`
+@@ -333,12 +221,14 @@ optional_policy(`
########################################
#
@@ -71292,7 +67869,7 @@ index 5cfb83e..f88edc4 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -363,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -71339,7 +67916,7 @@ index 5cfb83e..f88edc4 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -401,36 +280,50 @@ optional_policy(`
+@@ -393,36 +280,50 @@ optional_policy(`
########################################
#
@@ -71399,7 +67976,7 @@ index 5cfb83e..f88edc4 100644
')
optional_policy(`
-@@ -442,16 +335,25 @@ optional_policy(`
+@@ -434,16 +335,25 @@ optional_policy(`
')
optional_policy(`
@@ -71425,7 +68002,7 @@ index 5cfb83e..f88edc4 100644
procmail_domtrans(postfix_local_t)
')
-@@ -466,15 +368,17 @@ optional_policy(`
+@@ -458,15 +368,17 @@ optional_policy(`
########################################
#
@@ -71449,7 +68026,7 @@ index 5cfb83e..f88edc4 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -484,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -71469,7 +68046,7 @@ index 5cfb83e..f88edc4 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -500,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -71477,7 +68054,7 @@ index 5cfb83e..f88edc4 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -508,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -71503,7 +68080,7 @@ index 5cfb83e..f88edc4 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -532,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -71529,7 +68106,7 @@ index 5cfb83e..f88edc4 100644
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
-@@ -557,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -549,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
corecmd_exec_bin(postfix_pipe_t)
optional_policy(`
@@ -71540,7 +68117,7 @@ index 5cfb83e..f88edc4 100644
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -584,19 +493,26 @@ optional_policy(`
+@@ -576,19 +493,26 @@ optional_policy(`
########################################
#
@@ -71572,7 +68149,7 @@ index 5cfb83e..f88edc4 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +527,7 @@ optional_policy(`
+@@ -603,10 +527,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -71584,7 +68161,7 @@ index 5cfb83e..f88edc4 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -629,17 +542,24 @@ optional_policy(`
+@@ -621,17 +542,24 @@ optional_policy(`
#######################################
#
@@ -71612,7 +68189,7 @@ index 5cfb83e..f88edc4 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +575,77 @@ optional_policy(`
+@@ -647,67 +575,77 @@ optional_policy(`
########################################
#
@@ -71693,12 +68270,11 @@ index 5cfb83e..f88edc4 100644
rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
--corenet_tcp_bind_generic_node(postfix_smtp_t)
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
+
+files_search_all_mountpoints(postfix_smtp_t)
-
++
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
@@ -71709,7 +68285,7 @@ index 5cfb83e..f88edc4 100644
')
optional_policy(`
-@@ -730,28 +658,32 @@ optional_policy(`
+@@ -720,28 +658,32 @@ optional_policy(`
########################################
#
@@ -71750,7 +68326,7 @@ index 5cfb83e..f88edc4 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +696,7 @@ optional_policy(`
+@@ -754,6 +696,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -71758,7 +68334,7 @@ index 5cfb83e..f88edc4 100644
')
optional_policy(`
-@@ -774,31 +707,99 @@ optional_policy(`
+@@ -764,31 +707,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -71890,15 +68466,9 @@ index 5de8173..985b877 100644
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
-index ea1582a..77d4cd9 100644
+index 70f0533..77d4cd9 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
-@@ -1,4 +1,4 @@
--policy_module(postfixpolicyd, 1.3.0)
-+policy_module(postfixpolicyd, 1.2.1)
-
- ########################################
- #
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
@@ -71957,15 +68527,9 @@ index b9e71b5..a7502cd 100644
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
-index fd58805..04e3809 100644
+index 3b11496..04e3809 100644
--- a/postgrey.te
+++ b/postgrey.te
-@@ -1,4 +1,4 @@
--policy_module(postgrey, 1.9.0)
-+policy_module(postgrey, 1.8.1)
-
- ########################################
- #
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
init_script_file(postgrey_initrc_exec_t)
@@ -72566,16 +69130,16 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index d616ca3..3ed75e7 100644
+index b2b5dba..3ed75e7 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
--policy_module(ppp, 1.14.0)
+-policy_module(ppp, 1.13.5)
+policy_module(ppp, 1.13.0)
########################################
#
-@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
+@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5)
#
##
@@ -73085,16 +69649,16 @@ index 20d4697..e6605c1 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index 8e26216..e04bdd6 100644
+index c0f047a..e04bdd6 100644
--- a/prelink.te
+++ b/prelink.te
@@ -1,4 +1,4 @@
--policy_module(prelink, 1.11.0)
+-policy_module(prelink, 1.10.2)
+policy_module(prelink, 1.10.0)
########################################
#
-@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
+@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2)
attribute prelink_object;
@@ -73459,15 +70023,9 @@ index c83a838..f41a4f7 100644
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
-index 8f44609..f7eb5e0 100644
+index db864df..f7eb5e0 100644
--- a/prelude.te
+++ b/prelude.te
-@@ -1,4 +1,4 @@
--policy_module(prelude, 1.4.0)
-+policy_module(prelude, 1.3.2)
-
- ########################################
- #
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
init_script_file(prelude_initrc_exec_t)
@@ -73585,15 +70143,9 @@ index bdcee30..34f3143 100644
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
-index ec21f80..072d425 100644
+index 85b1c9a..072d425 100644
--- a/privoxy.te
+++ b/privoxy.te
-@@ -1,4 +1,4 @@
--policy_module(privoxy, 1.12.0)
-+policy_module(privoxy, 1.11.1)
-
- ########################################
- #
@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
corenet_tcp_sendrecv_tor_port(privoxy_t)
@@ -73792,11 +70344,11 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index cc426e6..f3e6fbf 100644
+index d447152..f3e6fbf 100644
--- a/procmail.te
+++ b/procmail.te
@@ -1,4 +1,4 @@
--policy_module(procmail, 1.13.1)
+-policy_module(procmail, 1.12.2)
+policy_module(procmail, 1.12.0)
########################################
@@ -73827,7 +70379,7 @@ index cc426e6..f3e6fbf 100644
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@@ -73962,16 +70514,18 @@ index cc426e6..f3e6fbf 100644
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
-@@ -126,11 +145,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ nagios_search_spool(procmail_t)
+ postfix_read_local_state(procmail_t)
+ postfix_read_master_state(procmail_t)
+- postfix_rw_master_pipes(procmail_t)
++ postfix_rw_inherited_master_pipes(procmail_t)
+')
+
+optional_policy(`
- pyzor_domtrans(procmail_t)
- pyzor_signal(procmail_t)
++ nagios_search_spool(procmail_t)
+ ')
+
+ optional_policy(`
+@@ -131,6 +154,9 @@ optional_policy(`
')
optional_policy(`
@@ -74485,15 +71039,9 @@ index d4dcf78..3cce82e 100644
admin_pattern($1, psad_tmp_t)
')
diff --git a/psad.te b/psad.te
-index b5d717b..718c847 100644
+index 5427bb6..718c847 100644
--- a/psad.te
+++ b/psad.te
-@@ -1,4 +1,4 @@
--policy_module(psad, 1.1.0)
-+policy_module(psad, 1.0.1)
-
- ########################################
- #
@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
corecmd_exec_bin(psad_t)
corecmd_exec_shell(psad_t)
@@ -74519,24 +71067,10 @@ index b5d717b..718c847 100644
sysnet_exec_ifconfig(psad_t)
optional_policy(`
-diff --git a/ptchown.fc b/ptchown.fc
-index dd96822..9fc398e 100644
---- a/ptchown.fc
-+++ b/ptchown.fc
-@@ -1,3 +1 @@
- /usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
--
--/usr/lib/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
diff --git a/ptchown.te b/ptchown.te
-index 28d2abc..2da9eca 100644
+index d67905e..2da9eca 100644
--- a/ptchown.te
+++ b/ptchown.te
-@@ -1,4 +1,4 @@
--policy_module(ptchown, 1.2.0)
-+policy_module(ptchown, 1.1.2)
-
- ########################################
- #
@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
allow ptchown_t self:capability { chown fowner fsetid setuid };
allow ptchown_t self:process { getcap setcap };
@@ -74551,16 +71085,6 @@ index 28d2abc..2da9eca 100644
-miscfiles_read_localization(ptchown_t)
+auth_read_passwd(ptchown_t)
-diff --git a/publicfile.te b/publicfile.te
-index 3246bef..d7df1b3 100644
---- a/publicfile.te
-+++ b/publicfile.te
-@@ -1,4 +1,4 @@
--policy_module(publicfile, 1.2.0)
-+policy_module(publicfile, 1.1.1)
-
- ########################################
- #
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 6864479..0e7d875 100644
--- a/pulseaudio.fc
@@ -74585,10 +71109,10 @@ index 6864479..0e7d875 100644
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index 45843b5..99cfa95 100644
+index fa3dc8e..99cfa95 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
-@@ -2,43 +2,44 @@
+@@ -2,47 +2,44 @@
########################################
##
@@ -74619,16 +71143,20 @@ index 45843b5..99cfa95 100644
- pulseaudio_run($2, $1)
+ role $1 types pulseaudio_t;
-+
-+ # Transition from the user domain to the derived domain.
-+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
- allow $2 pulseaudio_t:process { ptrace signal_perms };
- ps_process_pattern($2, pulseaudio_t)
+- ps_process_pattern($2, pulseaudio_t)
++ # Transition from the user domain to the derived domain.
++ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
++ ps_process_pattern($2, pulseaudio_t)
+
+- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse")
+- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth")
+- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie")
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
@@ -74650,7 +71178,7 @@ index 45843b5..99cfa95 100644
')
########################################
-@@ -65,9 +66,8 @@ interface(`pulseaudio_domtrans',`
+@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',`
########################################
##
@@ -74662,7 +71190,7 @@ index 45843b5..99cfa95 100644
##
##
##
-@@ -82,16 +82,16 @@ interface(`pulseaudio_domtrans',`
+@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',`
#
interface(`pulseaudio_run',`
gen_require(`
@@ -74682,7 +71210,7 @@ index 45843b5..99cfa95 100644
##
##
##
-@@ -104,13 +104,12 @@ interface(`pulseaudio_exec',`
+@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',`
type pulseaudio_exec_t;
')
@@ -74697,7 +71225,7 @@ index 45843b5..99cfa95 100644
##
##
##
-@@ -128,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',`
+@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',`
########################################
##
@@ -74706,7 +71234,7 @@ index 45843b5..99cfa95 100644
## processes.
##
##
-@@ -147,8 +146,8 @@ interface(`pulseaudio_signull',`
+@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',`
#####################################
##
@@ -74717,7 +71245,7 @@ index 45843b5..99cfa95 100644
##
##
##
-@@ -158,11 +157,15 @@ interface(`pulseaudio_signull',`
+@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',`
#
interface(`pulseaudio_stream_connect',`
gen_require(`
@@ -74735,7 +71263,7 @@ index 45843b5..99cfa95 100644
')
########################################
-@@ -188,9 +191,9 @@ interface(`pulseaudio_dbus_chat',`
+@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',`
########################################
##
@@ -74747,7 +71275,7 @@ index 45843b5..99cfa95 100644
##
## Domain allowed access.
##
-@@ -201,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
+@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
type pulseaudio_home_t;
')
@@ -74986,16 +71514,16 @@ index 45843b5..99cfa95 100644
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index 6643b49..d261e97 100644
+index e31bbe1..d261e97 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -1,4 +1,4 @@
--policy_module(pulseaudio, 1.6.0)
+-policy_module(pulseaudio, 1.5.4)
+policy_module(pulseaudio, 1.5.0)
########################################
#
-@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
+@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4)
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
@@ -75003,7 +71531,7 @@ index 6643b49..d261e97 100644
-
type pulseaudio_t;
type pulseaudio_exec_t;
--# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+-init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
-role pulseaudio_roles types pulseaudio_t;
@@ -75087,7 +71615,7 @@ index 6643b49..d261e97 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -85,62 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,60 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
@@ -75139,8 +71667,6 @@ index 6643b49..d261e97 100644
logging_send_syslog_msg(pulseaudio_t)
-miscfiles_read_localization(pulseaudio_t)
--
--userdom_read_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_write_user_tmp_sockets(pulseaudio_t)
@@ -75168,7 +71694,7 @@ index 6643b49..d261e97 100644
')
optional_policy(`
-@@ -153,8 +133,9 @@ optional_policy(`
+@@ -151,8 +133,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@@ -75180,7 +71706,7 @@ index 6643b49..d261e97 100644
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
-@@ -174,29 +155,49 @@ optional_policy(`
+@@ -172,29 +155,49 @@ optional_policy(`
')
optional_policy(`
@@ -75232,7 +71758,7 @@ index 6643b49..d261e97 100644
#
# Client local policy
#
-@@ -210,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -208,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
@@ -75241,7 +71767,7 @@ index 6643b49..d261e97 100644
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
-@@ -220,40 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -218,36 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
@@ -75274,10 +71800,6 @@ index 6643b49..d261e97 100644
- fs_manage_cifs_dirs(pulseaudio_client)
- fs_manage_cifs_files(pulseaudio_client)
- fs_read_cifs_symlinks(pulseaudio_client)
--')
--
--optional_policy(`
-- pulseaudio_dbus_chat(pulseaudio_client)
+ fs_getattr_cifs(pulseaudio_client)
+ fs_manage_cifs_dirs(pulseaudio_client)
+ fs_manage_cifs_files(pulseaudio_client)
@@ -75285,19 +71807,19 @@ index 6643b49..d261e97 100644
')
optional_policy(`
-- rtkit_scheduled(pulseaudio_client)
+- pulseaudio_dbus_chat(pulseaudio_client)
+ pulseaudio_dbus_chat(pulseaudio_client)
')
optional_policy(`
-- unconfined_signull(pulseaudio_client)
+- rtkit_scheduled(pulseaudio_client)
+ rtkit_scheduled(pulseaudio_client)
')
diff --git a/puppet.fc b/puppet.fc
-index d68e26d..cad91e2 100644
+index 4ecda09..cad91e2 100644
--- a/puppet.fc
+++ b/puppet.fc
-@@ -1,18 +1,20 @@
+@@ -1,14 +1,20 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
@@ -75306,27 +71828,23 @@ index d68e26d..cad91e2 100644
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
--/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
--/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
--/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+#helper scripts
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
--/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
--/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
--/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
--/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
--/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
--
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
@@ -75673,10 +72191,16 @@ index 7cb8b1f..9422c90 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index 618dcfe..0903e67 100644
+index f2309f4..0903e67 100644
--- a/puppet.te
+++ b/puppet.te
-@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
+@@ -1,4 +1,4 @@
+-policy_module(puppet, 1.3.7)
++policy_module(puppet, 1.4.0)
+
+ ########################################
+ #
+@@ -6,25 +6,32 @@ policy_module(puppet, 1.3.7)
#
##
@@ -76345,15 +72869,9 @@ index 3078e34..215df88 100644
-
-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
-index 06bec9b..6dae5e5 100644
+index 72db707..6dae5e5 100644
--- a/pxe.te
+++ b/pxe.te
-@@ -1,4 +1,4 @@
--policy_module(pxe, 1.5.0)
-+policy_module(pxe, 1.4.1)
-
- ########################################
- #
@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
domain_use_interactive_fds(pxe_t)
@@ -76440,11 +72958,11 @@ index 0ccea82..0000000
-')
diff --git a/pyicqt.te b/pyicqt.te
deleted file mode 100644
-index f2863de..0000000
+index 99bebbd..0000000
--- a/pyicqt.te
+++ /dev/null
@@ -1,92 +0,0 @@
--policy_module(pyicqt, 1.1.0)
+-policy_module(pyicqt, 1.0.1)
-
-########################################
-#
@@ -76692,11 +73210,11 @@ index 593c03d..2c411af 100644
+ admin_pattern($1, pyzor_var_lib_t)
')
diff --git a/pyzor.te b/pyzor.te
-index 2439d13..86daaba 100644
+index 6c456d2..86daaba 100644
--- a/pyzor.te
+++ b/pyzor.te
@@ -1,61 +1,82 @@
--policy_module(pyzor, 2.3.0)
+-policy_module(pyzor, 2.2.1)
+policy_module(pyzor, 2.1.0)
########################################
@@ -76937,15 +73455,14 @@ index 2439d13..86daaba 100644
+ logging_send_syslog_msg(pyzord_t)
+')
diff --git a/qemu.fc b/qemu.fc
-index 86ea53c..64d877e 100644
+index 6b53fa4..64d877e 100644
--- a/qemu.fc
+++ b/qemu.fc
-@@ -1,6 +1,4 @@
+@@ -1,5 +1,4 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
--/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
-
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
@@ -77318,16 +73835,16 @@ index eaf56b8..580f9ee 100644
#
interface(`qemu_entry_type',`
diff --git a/qemu.te b/qemu.te
-index 4f90743..695c857 100644
+index 2e824eb..695c857 100644
--- a/qemu.te
+++ b/qemu.te
@@ -1,4 +1,4 @@
--policy_module(qemu, 1.8.0)
+-policy_module(qemu, 1.7.4)
+policy_module(qemu, 1.7.0)
########################################
#
-@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
+@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4)
#
##
@@ -77736,11 +74253,11 @@ index e4f0000..05e219e 100644
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
-index 8742944..af2850e 100644
+index 1bef513..af2850e 100644
--- a/qmail.te
+++ b/qmail.te
@@ -1,11 +1,11 @@
--policy_module(qmail, 1.6.1)
+-policy_module(qmail, 1.5.1)
+policy_module(qmail, 1.5.0)
########################################
@@ -77762,7 +74279,7 @@ index 8742944..af2850e 100644
type qmail_inject_exec_t;
domain_type(qmail_inject_t)
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
-@@ -32,21 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
mta_mailserver_delivery(qmail_lspawn_t)
qmail_child_domain_template(qmail_queue, qmail_inject_t)
@@ -77777,11 +74294,8 @@ index 8742944..af2850e 100644
qmail_child_domain_template(qmail_send, qmail_start_t)
+
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
--qmail_child_domain_template(qmail_splogger, qmail_start_t)
-
--type qmail_keytab_t;
--files_type(qmail_keytab_t)
-+qmail_child_domain_template(qmail_splogger, qmail_start_t)
++
+ qmail_child_domain_template(qmail_splogger, qmail_start_t)
type qmail_spool_t;
-files_type(qmail_spool_t)
@@ -77789,7 +74303,7 @@ index 8742944..af2850e 100644
type qmail_start_t;
type qmail_start_exec_t;
-@@ -58,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
########################################
#
@@ -77820,7 +74334,7 @@ index 8742944..af2850e 100644
#
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
-@@ -87,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
########################################
#
@@ -77835,7 +74349,7 @@ index 8742944..af2850e 100644
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
-@@ -99,18 +81,18 @@ corecmd_search_bin(qmail_inject_t)
+@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t)
files_search_var(qmail_inject_t)
@@ -77858,7 +74372,7 @@ index 8742944..af2850e 100644
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
-@@ -137,12 +119,17 @@ mta_append_spool(qmail_local_t)
+@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
@@ -77877,7 +74391,7 @@ index 8742944..af2850e 100644
#
allow qmail_lspawn_t self:capability { setuid setgid };
-@@ -156,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
+@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
@@ -77904,7 +74418,7 @@ index 8742944..af2850e 100644
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-@@ -186,28 +175,34 @@ optional_policy(`
+@@ -183,28 +175,34 @@ optional_policy(`
########################################
#
@@ -77946,7 +74460,7 @@ index 8742944..af2850e 100644
#
allow qmail_rspawn_t self:process signal_perms;
-@@ -217,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+@@ -214,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
@@ -77960,7 +74474,7 @@ index 8742944..af2850e 100644
#
allow qmail_send_t self:process signal_perms;
-@@ -237,15 +235,14 @@ optional_policy(`
+@@ -234,7 +235,8 @@ optional_policy(`
########################################
#
@@ -77970,25 +74484,7 @@ index 8742944..af2850e 100644
#
allow qmail_smtpd_t self:process signal_perms;
- allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
- allow qmail_smtpd_t self:tcp_socket create_socket_perms;
-
--allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
--
- allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
-
- dev_read_rand(qmail_smtpd_t)
-@@ -258,8 +255,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- kerberos_read_keytab(qmail_smtpd_t)
-- kerberos_use(qmail_smtpd_t)
-+ kerberos_keytab_template(qmail, qmail_smtpd_t)
- ')
-
- optional_policy(`
-@@ -268,26 +264,26 @@ optional_policy(`
+@@ -262,26 +264,26 @@ optional_policy(`
########################################
#
@@ -78020,7 +74516,7 @@ index 8742944..af2850e 100644
can_exec(qmail_start_t, qmail_start_exec_t)
-@@ -304,7 +300,8 @@ optional_policy(`
+@@ -298,7 +300,8 @@ optional_policy(`
########################################
#
@@ -78031,7 +74527,7 @@ index 8742944..af2850e 100644
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/qpid.if b/qpid.if
-index fe2adf8..f7e9c70 100644
+index cd51b96..f7e9c70 100644
--- a/qpid.if
+++ b/qpid.if
@@ -1,4 +1,4 @@
@@ -78299,7 +74795,7 @@ index fe2adf8..f7e9c70 100644
+ allow $1 qpidd_t:process ptrace;
+ ')
-- files_search_var_lib($1)
+- files_search_var_lib($1(
- admin_pattern($1, qpidd_var_lib_t)
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -78315,15 +74811,9 @@ index fe2adf8..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 83eb09e..f7670b2 100644
+index 76f5b39..f7670b2 100644
--- a/qpid.te
+++ b/qpid.te
-@@ -1,4 +1,4 @@
--policy_module(qpid, 1.1.0)
-+policy_module(qpid, 1.0.1)
-
- ########################################
- #
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
type qpidd_initrc_exec_t;
init_script_file(qpidd_initrc_exec_t)
@@ -78761,11 +75251,11 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..7cc3063 100644
+index 769d1fd..7cc3063 100644
--- a/quantum.te
+++ b/quantum.te
@@ -1,96 +1,180 @@
--policy_module(quantum, 1.1.0)
+-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
########################################
@@ -79294,11 +75784,11 @@ index da64218..3fb8575 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
-index f47c8e8..1aee969 100644
+index 4b2c272..1aee969 100644
--- a/quota.te
+++ b/quota.te
@@ -1,16 +1,14 @@
--policy_module(quota, 1.6.0)
+-policy_module(quota, 1.5.2)
+policy_module(quota, 1.5.0)
########################################
@@ -79465,15 +75955,10 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..f1b94dd 100644
+index 3698b51..f1b94dd 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
-@@ -1,17 +1,18 @@
--policy_module(rabbitmq, 1.0.2)
-+policy_module(rabbitmq, 1.0.0)
-
- ########################################
- #
+@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0)
# Declarations
#
@@ -79504,7 +75989,7 @@ index dc3b0ed..f1b94dd 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
-@@ -27,98 +31,92 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,80 +31,92 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
@@ -79523,63 +76008,55 @@ index dc3b0ed..f1b94dd 100644
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
--
--manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
--manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
--
--can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+allow rabbitmq_t self:capability setuid;
--domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+allow rabbitmq_t self:process { setsched signal signull };
+allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_t self:tcp_socket { accept listen };
--kernel_read_system_state(rabbitmq_beam_t)
--kernel_read_fs_sysctls(rabbitmq_beam_t)
+-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
--corecmd_exec_bin(rabbitmq_beam_t)
--corecmd_exec_shell(rabbitmq_beam_t)
+-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
--corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
--corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
--corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
--corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
--corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+-kernel_read_system_state(rabbitmq_beam_t)
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file)
--corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
--corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
--corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+-corecmd_exec_bin(rabbitmq_beam_t)
+-corecmd_exec_shell(rabbitmq_beam_t)
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
--corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
--corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
--corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
+-corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
+-corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+kernel_read_system_state(rabbitmq_t)
+kernel_read_fs_sysctls(rabbitmq_t)
--corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
--corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
--corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
+-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
+-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+corecmd_exec_bin(rabbitmq_t)
+corecmd_exec_shell(rabbitmq_t)
--dev_read_sysfs(rabbitmq_beam_t)
--dev_read_urand(rabbitmq_beam_t)
+-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+-corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_udp_bind_generic_node(rabbitmq_t)
+corenet_all_recvfrom_unlabeled(rabbitmq_t)
@@ -79602,28 +76079,18 @@ index dc3b0ed..f1b94dd 100644
+corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
+corenet_tcp_connect_http_port(rabbitmq_t)
--fs_getattr_all_fs(rabbitmq_beam_t)
--fs_search_cgroup_dirs(rabbitmq_beam_t)
+-dev_read_sysfs(rabbitmq_beam_t)
+domain_read_all_domains_state(rabbitmq_t)
-files_read_etc_files(rabbitmq_beam_t)
+auth_read_passwd(rabbitmq_t)
+auth_use_pam(rabbitmq_t)
--storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
+-miscfiles_read_localization(rabbitmq_beam_t)
+files_getattr_all_mountpoints(rabbitmq_t)
--miscfiles_read_localization(rabbitmq_beam_t)
--
-sysnet_dns_name_resolve(rabbitmq_beam_t)
-
-- optional_policy(`
-- couchdb_manage_lib_files(rabbitmq_beam_t)
-- couchdb_read_conf_files(rabbitmq_beam_t)
-- couchdb_read_log_files(rabbitmq_beam_t)
-- couchdb_read_pid_files(rabbitmq_beam_t)
-- ')
--
-########################################
-#
-# Epmd local policy
@@ -79671,16 +76138,9 @@ index dc3b0ed..f1b94dd 100644
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
-index d447e85..4125f6d 100644
+index c84b7ae..4125f6d 100644
--- a/radius.fc
+++ b/radius.fc
-@@ -1,5 +1,5 @@
- /etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
--/etc/cron\.((daily)|(weekly)|(monthly))/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-
- /etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
-
@@ -9,7 +9,9 @@
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
@@ -79754,15 +76214,9 @@ index 4460582..60cf556 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fe..eb72458 100644
+index 1e7927f..eb72458 100644
--- a/radius.te
+++ b/radius.te
-@@ -1,4 +1,4 @@
--policy_module(radius, 1.13.0)
-+policy_module(radius, 1.12.1)
-
- ########################################
- #
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
type radiusd_var_run_t;
files_pid_file(radiusd_var_run_t)
@@ -79866,15 +76320,9 @@ index ac7058d..48739ac 100644
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
-index 6d162e4..046f5b8 100644
+index b31f2d7..046f5b8 100644
--- a/radvd.te
+++ b/radvd.te
-@@ -1,4 +1,4 @@
--policy_module(radvd, 1.14.0)
-+policy_module(radvd, 1.13.1)
-
- ########################################
- #
@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
logging_send_syslog_msg(radvd_t)
@@ -80123,15 +76571,9 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index c99753f..36acb6c 100644
+index 2c1730b..36acb6c 100644
--- a/raid.te
+++ b/raid.te
-@@ -1,4 +1,4 @@
--policy_module(raid, 1.13.1)
-+policy_module(raid, 1.12.5)
-
- ########################################
- #
@@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
@@ -80151,7 +76593,7 @@ index c99753f..36acb6c 100644
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
-@@ -25,44 +37,72 @@ dev_associate(mdadm_var_run_t)
+@@ -25,43 +37,72 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -80224,7 +76666,7 @@ index c99753f..36acb6c 100644
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
- fs_getattr_all_fs(mdadm_t)
++fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
@@ -80233,7 +76675,7 @@ index c99753f..36acb6c 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -80257,7 +76699,7 @@ index c99753f..36acb6c 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +137,38 @@ optional_policy(`
+@@ -89,17 +137,38 @@ optional_policy(`
')
optional_policy(`
@@ -80774,11 +77216,11 @@ index 1e4b523..fee3b7c 100644
##
##
diff --git a/razor.te b/razor.te
-index 68455f9..4e15f29 100644
+index 5ddedbc..4e15f29 100644
--- a/razor.te
+++ b/razor.te
@@ -1,139 +1,128 @@
--policy_module(razor, 2.4.0)
+-policy_module(razor, 2.3.2)
+policy_module(razor, 2.3.0)
########################################
@@ -81141,7 +77583,7 @@ index 9196c1d..b775931 100644
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/readahead.fc b/readahead.fc
-index f01b32f..0428aee 100644
+index f307db4..0428aee 100644
--- a/readahead.fc
+++ b/readahead.fc
@@ -1,7 +1,10 @@
@@ -81155,7 +77597,7 @@ index f01b32f..0428aee 100644
+
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
--/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
+-/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/readahead.if b/readahead.if
index 661bb88..06f69c4 100644
@@ -81190,15 +77632,9 @@ index 661bb88..06f69c4 100644
+')
+
diff --git a/readahead.te b/readahead.te
-index c0b02c9..8ee7e70 100644
+index f1512d6..8ee7e70 100644
--- a/readahead.te
+++ b/readahead.te
-@@ -1,4 +1,4 @@
--policy_module(readahead, 1.13.0)
-+policy_module(readahead, 1.12.2)
-
- ########################################
- #
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
@@ -81413,16 +77849,16 @@ index bff31df..3b2a829 100644
+')
+
diff --git a/realmd.te b/realmd.te
-index 5bc878b..3baa71a 100644
+index 9a8f052..3baa71a 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
--policy_module(realmd, 1.1.0)
+-policy_module(realmd, 1.0.2)
+policy_module(realmd, 1.0.0)
########################################
#
-@@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0)
+@@ -7,47 +7,89 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
@@ -81598,38 +78034,33 @@ index 5bc878b..3baa71a 100644
+ unconfined_domain_noaudit(realmd_consolehelper_t)
')
diff --git a/redis.fc b/redis.fc
-index e240ac9..741b785 100644
---- a/redis.fc
+new file mode 100644
+index 0000000..741b785
+--- /dev/null
+++ b/redis.fc
-@@ -1,9 +1,12 @@
- /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-
--/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+@@ -0,0 +1,12 @@
++/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
++
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
-
--/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
++
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-
--/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
++
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
-
--/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
++
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/run/redis\.sock -- gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
-index 16c8ecb..2640ab5 100644
---- a/redis.if
+new file mode 100644
+index 0000000..2640ab5
+--- /dev/null
+++ b/redis.if
-@@ -1,9 +1,224 @@
--## Advanced key-value store.
+@@ -0,0 +1,266 @@
+## Advanced key-value store
-
- ########################################
- ##
--## All of the rules required to
--## administrate an redis environment.
++
++########################################
++##
+## Execute redis server in the redis domin.
+##
+##
@@ -81847,30 +78278,41 @@ index 16c8ecb..2640ab5 100644
+##
+## All of the rules required to administrate
+## an redis environment
- ##
- ##
- ##
-@@ -20,7 +235,7 @@
- interface(`redis_admin',`
- gen_require(`
- type redis_t, redis_initrc_exec_t, redis_var_lib_t;
-- type redis_log_t, redis_var_run_t;
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`redis_admin',`
++ gen_require(`
++ type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+ type redis_log_t, redis_var_run_t, redis_unit_file_t;
- ')
-
- allow $1 redis_t:process { ptrace signal_perms };
-@@ -32,11 +247,20 @@ interface(`redis_admin',`
- allow $2 system_r;
-
- logging_search_logs($1)
-- admin_pattern($!, redis_log_t)
++ ')
++
++ allow $1 redis_t:process { ptrace signal_perms };
++ ps_process_pattern($1, redis_t)
++
++ init_labeled_script_domtrans($1, redis_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 redis_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
+ admin_pattern($1, redis_log_t)
-
- files_search_var_lib($1)
- admin_pattern($1, redis_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, redis_var_run_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, redis_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
@@ -81880,56 +78322,76 @@ index 16c8ecb..2640ab5 100644
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
- ')
++')
diff --git a/redis.te b/redis.te
-index 25cd417..51cd1fe 100644
---- a/redis.te
+new file mode 100644
+index 0000000..51cd1fe
+--- /dev/null
+++ b/redis.te
-@@ -1,4 +1,4 @@
--policy_module(redis, 1.0.1)
+@@ -0,0 +1,64 @@
+policy_module(redis, 1.0.0)
-
- ########################################
- #
-@@ -21,9 +21,12 @@ files_type(redis_var_lib_t)
- type redis_var_run_t;
- files_pid_file(redis_var_run_t)
-
++
++########################################
++#
++# Declarations
++#
++
++type redis_t;
++type redis_exec_t;
++init_daemon_domain(redis_t, redis_exec_t)
++
++type redis_initrc_exec_t;
++init_script_file(redis_initrc_exec_t)
++
++type redis_log_t;
++logging_log_file(redis_log_t)
++
++type redis_var_lib_t;
++files_type(redis_var_lib_t)
++
++type redis_var_run_t;
++files_pid_file(redis_var_run_t)
++
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
- ########################################
- #
--# Local policy
++########################################
++#
+# redis local policy
- #
-
- allow redis_t self:process { setrlimit signal_perms };
-@@ -42,18 +45,13 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
- manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
- manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
- manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++#
++
++allow redis_t self:process { setrlimit signal_perms };
++allow redis_t self:fifo_file rw_fifo_file_perms;
++allow redis_t self:unix_stream_socket create_stream_socket_perms;
++allow redis_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
++manage_files_pattern(redis_t, redis_log_t, redis_log_t)
++manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
++
++manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
++manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
++manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
++
++manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })
-
- kernel_read_system_state(redis_t)
-
--corenet_all_recvfrom_unlabeled(redis_t)
--corenet_all_recvfrom_netlabel(redis_t)
--corenet_tcp_sendrecv_generic_if(redis_t)
--corenet_tcp_sendrecv_generic_node(redis_t)
- corenet_tcp_bind_generic_node(redis_t)
--
--corenet_sendrecv_redis_server_packets(redis_t)
- corenet_tcp_bind_redis_port(redis_t)
--corenet_tcp_sendrecv_redis_port(redis_t)
-
- dev_read_sysfs(redis_t)
- dev_read_urand(redis_t)
-@@ -63,3 +61,4 @@ logging_send_syslog_msg(redis_t)
- miscfiles_read_localization(redis_t)
-
- sysnet_dns_name_resolve(redis_t)
++
++kernel_read_system_state(redis_t)
++
++corenet_tcp_bind_generic_node(redis_t)
++corenet_tcp_bind_redis_port(redis_t)
++
++dev_read_sysfs(redis_t)
++dev_read_urand(redis_t)
++
++logging_send_syslog_msg(redis_t)
++
++miscfiles_read_localization(redis_t)
++
++sysnet_dns_name_resolve(redis_t)
+
diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf0..d8691bd 100644
@@ -82010,11 +78472,11 @@ index a9ce68e..92520aa 100644
+ allow $1 remote_login_t:process signull;
')
diff --git a/remotelogin.te b/remotelogin.te
-index ae30871..bef8238 100644
+index c51a32c..bef8238 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -1,4 +1,4 @@
--policy_module(remotelogin, 1.8.0)
+-policy_module(remotelogin, 1.7.2)
+policy_module(remotelogin, 1.7.0)
########################################
@@ -82131,15 +78593,9 @@ index ae30871..bef8238 100644
')
diff --git a/resmgr.te b/resmgr.te
-index f6eb358..6bef328 100644
+index 6f219b3..6bef328 100644
--- a/resmgr.te
+++ b/resmgr.te
-@@ -1,4 +1,4 @@
--policy_module(resmgr, 1.3.0)
-+policy_module(resmgr, 1.2.2)
-
- ########################################
- #
@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
domain_use_interactive_fds(resmgrd_t)
@@ -82384,16 +78840,16 @@ index 1c2f9aa..a4133dc 100644
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+')
diff --git a/rgmanager.te b/rgmanager.te
-index c8a1e16..1ad9c12 100644
+index b418d1c..1ad9c12 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -1,4 +1,4 @@
--policy_module(rgmanager, 1.3.0)
+-policy_module(rgmanager, 1.2.2)
+policy_module(rgmanager, 1.2.0)
########################################
#
-@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
+@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2)
#
##
@@ -82724,7 +79180,7 @@ index 47de2d6..5ad36aa 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..1337d42 100644
+index 56bc01f..1337d42 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -82768,7 +79224,7 @@ index c8bdea2..1337d42 100644
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
+- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
- optional_policy(`
@@ -83486,15 +79942,9 @@ index c8bdea2..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..a8f6097 100644
+index 2c2de9a..a8f6097 100644
--- a/rhcs.te
+++ b/rhcs.te
-@@ -1,4 +1,4 @@
--policy_module(rhcs, 1.2.1)
-+policy_module(rhcs, 1.1.4)
-
- ########################################
- #
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
##
gen_tunable(fenced_can_ssh, false)
@@ -84862,15 +81312,9 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..7dc8f6e 100644
+index 1cedd70..7dc8f6e 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
-@@ -1,4 +1,4 @@
--policy_module(rhsmcertd, 1.1.1)
-+policy_module(rhsmcertd, 1.0.2)
-
- ########################################
- #
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
type rhsmcertd_lock_t;
files_lock_file(rhsmcertd_lock_t)
@@ -84907,7 +81351,7 @@ index d32e1a2..7dc8f6e 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -51,24 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -51,22 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
@@ -84933,13 +81377,13 @@ index d32e1a2..7dc8f6e 100644
+files_create_boot_flag(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
-+
-+libs_exec_ldconfig(rhsmcertd_t)
-
- init_read_state(rhsmcertd_t)
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
++libs_exec_ldconfig(rhsmcertd_t)
++
++init_read_state(rhsmcertd_t)
++
+logging_send_syslog_msg(rhsmcertd_t)
+
+miscfiles_manage_cert_files(rhsmcertd_t)
@@ -85197,15 +81641,9 @@ index 2ab3ed1..23d579c 100644
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/ricci.te b/ricci.te
-index 0ba2569..a265af9 100644
+index 9702ed2..a265af9 100644
--- a/ricci.te
+++ b/ricci.te
-@@ -1,4 +1,4 @@
--policy_module(ricci, 1.8.0)
-+policy_module(ricci, 1.7.4)
-
- ########################################
- #
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
corecmd_exec_bin(ricci_t)
@@ -85448,34 +81886,10 @@ index 050479d..0e1b364 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index ee27948..15d7ca6 100644
+index d34cdec..15d7ca6 100644
--- a/rlogin.te
+++ b/rlogin.te
-@@ -1,4 +1,4 @@
--policy_module(rlogin, 1.11.3)
-+policy_module(rlogin, 1.10.1)
-
- ########################################
- #
-@@ -9,7 +9,6 @@ type rlogind_t;
- type rlogind_exec_t;
- auth_login_pgm_domain(rlogind_t)
- inetd_service_domain(rlogind_t, rlogind_exec_t)
--init_daemon_domain(rlogind_t, rlogind_exec_t)
-
- type rlogind_devpts_t;
- term_login_pty(rlogind_devpts_t)
-@@ -17,9 +16,6 @@ term_login_pty(rlogind_devpts_t)
- type rlogind_home_t;
- userdom_user_home_content(rlogind_home_t)
-
--type rlogind_keytab_t;
--files_type(rlogind_keytab_t)
--
- type rlogind_tmp_t;
- files_tmp_file(rlogind_tmp_t)
-
-@@ -34,18 +30,17 @@ files_pid_file(rlogind_var_run_t)
+@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
@@ -85486,38 +81900,32 @@ index ee27948..15d7ca6 100644
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
+@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
- allow rlogind_t rlogind_home_t:file read_file_perms;
-
--allow rlogind_t rlogind_keytab_t:file read_file_perms;
--
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -56,14 +51,15 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
-corenet_all_recvfrom_unlabeled(rlogind_t)
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
-+corenet_udp_sendrecv_generic_if(rlogind_t)
- corenet_tcp_sendrecv_generic_node(rlogind_t)
--
--corenet_sendrecv_rlogind_server_packets(rlogind_t)
-+corenet_udp_sendrecv_generic_node(rlogind_t)
-+corenet_tcp_sendrecv_all_ports(rlogind_t)
-+corenet_udp_sendrecv_all_ports(rlogind_t)
+ corenet_udp_sendrecv_generic_if(rlogind_t)
+@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t)
+ corenet_udp_sendrecv_generic_node(rlogind_t)
+ corenet_tcp_sendrecv_all_ports(rlogind_t)
+ corenet_udp_sendrecv_all_ports(rlogind_t)
+corenet_tcp_bind_rlogin_port(rlogind_t)
- corenet_tcp_bind_rlogind_port(rlogind_t)
--corenet_tcp_sendrecv_rlogind_port(rlogind_t)
++corenet_tcp_bind_rlogind_port(rlogind_t)
dev_read_urand(rlogind_t)
-@@ -73,6 +69,7 @@ fs_getattr_all_fs(rlogind_t)
+@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
@@ -85525,7 +81933,7 @@ index ee27948..15d7ca6 100644
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
-@@ -83,31 +80,23 @@ init_rw_utmp(rlogind_t)
+@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
@@ -85557,29 +81965,25 @@ index ee27948..15d7ca6 100644
+rlogin_read_home_content(rlogind_t)
optional_policy(`
-- kerberos_read_keytab(rlogind_t)
+ kerberos_keytab_template(rlogind, rlogind_t)
- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
- kerberos_manage_host_rcache(rlogind_t)
-- kerberos_use(rlogind_t)
-+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
')
optional_policy(`
diff --git a/rngd.fc b/rngd.fc
-index fa19aa8..276eb3a 100644
+index 5dd779e..276eb3a 100644
--- a/rngd.fc
+++ b/rngd.fc
-@@ -1,5 +1,5 @@
+@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
--/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
-
--/var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
-+/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
++
+ /usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
diff --git a/rngd.if b/rngd.if
-index 13f788f..9c83bc9 100644
+index 0e759a2..9c83bc9 100644
--- a/rngd.if
+++ b/rngd.if
@@ -2,6 +2,28 @@
@@ -85611,14 +82015,14 @@ index 13f788f..9c83bc9 100644
## All of the rules required to
## administrate an rng environment.
##
-@@ -17,19 +39,24 @@
+@@ -17,16 +39,24 @@
##
##
#
-interface(`rngd_admin',`
+interface(`rng_admin',`
gen_require(`
-- type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
+- type rngd_t, rngd_initrc_exec_t;
+ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
')
@@ -85634,50 +82038,26 @@ index 13f788f..9c83bc9 100644
domain_system_change_exemption($1)
role_transition $2 rngd_initrc_exec_t system_r;
allow $2 system_r;
-
-- files_search_pids($1)
-- admin_pattern($1, rngd_var_run_t)
++
+ rng_systemctl_rngd($1)
+ admin_pattern($1, rngd_unit_file_t)
+ allow $1 rngd_unit_file_t:service all_service_perms;
')
diff --git a/rngd.te b/rngd.te
-index a7b7717..2519caa 100644
+index 35c1427..2519caa 100644
--- a/rngd.te
+++ b/rngd.te
-@@ -1,4 +1,4 @@
--policy_module(rngd, 1.1.0)
-+policy_module(rngd, 1.0.2)
-
- ########################################
- #
-@@ -12,22 +12,19 @@ init_daemon_domain(rngd_t, rngd_exec_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
type rngd_initrc_exec_t;
init_script_file(rngd_initrc_exec_t)
--type rngd_var_run_t;
--files_pid_file(rngd_var_run_t)
+type rngd_unit_file_t;
+systemd_unit_file(rngd_unit_file_t)
-
++
########################################
#
# Local policy
- #
-
--allow rngd_t self:capability { ipc_lock sys_admin };
-+allow rngd_t self:capability sys_admin;
- allow rngd_t self:process signal;
- allow rngd_t self:fifo_file rw_fifo_file_perms;
- allow rngd_t self:unix_stream_socket { accept listen };
-
--allow rngd_t rngd_var_run_t:file manage_file_perms;
--files_pid_filetrans(rngd_t, rngd_var_run_t, file, "rngd.pid")
--
- kernel_rw_kernel_sysctl(rngd_t)
-
- dev_read_rand(rngd_t)
-@@ -35,8 +32,5 @@ dev_read_urand(rngd_t)
+@@ -29,8 +32,5 @@ dev_read_urand(rngd_t)
dev_rw_tpm(rngd_t)
dev_write_rand(rngd_t)
@@ -85704,15 +82084,9 @@ index 975bb6a..ce4f5ea 100644
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/roundup.te b/roundup.te
-index ccb5991..3b74aae 100644
+index 353960c..3b74aae 100644
--- a/roundup.te
+++ b/roundup.te
-@@ -1,4 +1,4 @@
--policy_module(roundup, 1.8.0)
-+policy_module(roundup, 1.7.1)
-
- ########################################
- #
@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
corecmd_exec_bin(roundup_t)
@@ -85787,7 +82161,7 @@ index a6fb30c..b0c22f7 100644
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 0bf13c2..eec0a35 100644
+index 3bd6446..eec0a35 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -86243,7 +82617,7 @@ index 0bf13c2..eec0a35 100644
- attribute rpc_domain;
- type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
- type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
-- type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+- type nfsd_ro_t, nfsd_rw_t;
+ type var_lib_nfs_t;
')
@@ -86256,7 +82630,7 @@ index 0bf13c2..eec0a35 100644
- allow $2 system_r;
-
- files_list_etc($1)
-- admin_pattern($1, { gssd_keytab_t exports_t })
+- admin_pattern($1, exports_t)
-
- files_list_var_lib($1)
- admin_pattern($1, var_lib_nfs_t)
@@ -86276,16 +82650,16 @@ index 0bf13c2..eec0a35 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index 2da9fca..fbbff71 100644
+index e5212e6..fbbff71 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
--policy_module(rpc, 1.15.1)
+-policy_module(rpc, 1.14.6)
+policy_module(rpc, 1.14.0)
########################################
#
-@@ -6,143 +6,76 @@ policy_module(rpc, 1.15.1)
+@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6)
#
##
@@ -86320,15 +82694,7 @@ index 2da9fca..fbbff71 100644
type exports_t;
files_config_file(exports_t)
-
- rpc_domain_template(gssd)
-
--type gssd_keytab_t;
--files_type(gssd_keytab_t)
--
- type gssd_tmp_t;
- files_tmp_file(gssd_tmp_t)
-
+@@ -36,110 +32,50 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
@@ -86453,7 +82819,7 @@ index 2da9fca..fbbff71 100644
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -163,21 +96,26 @@ fs_getattr_all_fs(rpcd_t)
+@@ -160,13 +96,14 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@@ -86464,29 +82830,26 @@ index 2da9fca..fbbff71 100644
miscfiles_read_generic_certs(rpcd_t)
-seutil_dontaudit_search_config(rpcd_t)
+-
+-userdom_signal_all_users(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
--userdom_signal_all_users(rpcd_t)
-+optional_policy(`
-+ automount_signal(rpcd_t)
-+ automount_dontaudit_write_pipes(rpcd_t)
-+')
-
--ifdef(`distro_debian',`
-- term_dontaudit_use_unallocated_ttys(rpcd_t)
-+optional_policy(`
-+ domain_unconfined_signal(rpcd_t)
- ')
-
optional_policy(`
-- automount_signal(rpcd_t)
-- automount_dontaudit_write_pipes(rpcd_t)
-+ quota_manage_db(rpcd_t)
+ automount_signal(rpcd_t)
+@@ -174,19 +111,27 @@ optional_policy(`
')
optional_policy(`
-@@ -185,15 +123,15 @@ optional_policy(`
++ domain_unconfined_signal(rpcd_t)
++')
++
++optional_policy(`
++ quota_manage_db(rpcd_t)
++')
++
++optional_policy(`
+ nis_read_ypserv_config(rpcd_t)
')
optional_policy(`
@@ -86505,7 +82868,7 @@ index 2da9fca..fbbff71 100644
')
########################################
-@@ -202,41 +140,56 @@ optional_policy(`
+@@ -195,41 +140,56 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -86570,7 +82933,7 @@ index 2da9fca..fbbff71 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -245,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -86578,7 +82941,7 @@ index 2da9fca..fbbff71 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -86593,7 +82956,7 @@ index 2da9fca..fbbff71 100644
')
########################################
-@@ -270,16 +222,15 @@ optional_policy(`
+@@ -263,7 +222,7 @@ optional_policy(`
# GSSD local policy
#
@@ -86602,9 +82965,7 @@ index 2da9fca..fbbff71 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
--allow gssd_t gssd_keytab_t:file read_file_perms;
--
- manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -86612,7 +82973,7 @@ index 2da9fca..fbbff71 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -288,25 +239,30 @@ kernel_signal(gssd_t)
+@@ -279,25 +239,30 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -86646,15 +83007,12 @@ index 2da9fca..fbbff71 100644
')
optional_policy(`
-@@ -314,10 +270,12 @@ optional_policy(`
- ')
+@@ -306,8 +271,11 @@ optional_policy(`
optional_policy(`
+ kerberos_keytab_template(gssd, gssd_t)
- kerberos_manage_host_rcache(gssd_t)
-- kerberos_read_keytab(gssd_t)
- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
-- kerberos_use(gssd_t)
-+ kerberos_keytab_template(gssd, gssd_t)
+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
+')
+
@@ -86818,15 +83176,9 @@ index 3b5e9ee..ff1163f 100644
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
-index 54de77c..56cb0c2 100644
+index c49828c..56cb0c2 100644
--- a/rpcbind.te
+++ b/rpcbind.te
-@@ -1,4 +1,4 @@
--policy_module(rpcbind, 1.6.1)
-+policy_module(rpcbind, 1.5.4)
-
- ########################################
- #
@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
@@ -86835,18 +83187,21 @@ index 54de77c..56cb0c2 100644
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -68,8 +67,8 @@ auth_use_nsswitch(rpcbind_t)
+@@ -62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t)
+
+ domain_use_interactive_fds(rpcbind_t)
- logging_send_syslog_msg(rpcbind_t)
+-files_read_etc_files(rpcbind_t)
+ files_read_etc_runtime_files(rpcbind_t)
+
+-logging_send_syslog_msg(rpcbind_t)
++auth_use_nsswitch(rpcbind_t)
-miscfiles_read_localization(rpcbind_t)
-+sysnet_dns_name_resolve(rpcbind_t)
++logging_send_syslog_msg(rpcbind_t)
+
+ sysnet_dns_name_resolve(rpcbind_t)
--ifdef(`distro_debian',`
-- term_dontaudit_use_unallocated_ttys(rpcbind_t)
-+optional_policy(`
-+ nis_use_ypbind(rpcbind_t)
- ')
diff --git a/rpm.fc b/rpm.fc
index ebe91fc..576ca21 100644
--- a/rpm.fc
@@ -86970,7 +83325,7 @@ index ebe91fc..576ca21 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index ef3b225..e9dbd7e 100644
+index 0628d50..e9dbd7e 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -87552,7 +83907,7 @@ index ef3b225..e9dbd7e 100644
- admin_pattern($1, rpm_var_run_t)
-
- fs_search_tmpfs($1)
-- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
+- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t }
-
- rpm_run($1, $2)
+ allow $1 rpm_script_t:fd use;
@@ -87561,11 +83916,11 @@ index ef3b225..e9dbd7e 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 6fc360e..a461faa 100644
+index 5cbe81c..a461faa 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
--policy_module(rpm, 1.16.0)
+-policy_module(rpm, 1.15.3)
+policy_module(rpm, 1.15.0)
+
+attribute rpm_transition_domain;
@@ -88088,11 +84443,11 @@ index 7ad29c0..2e87d76 100644
domtrans_pattern($1, rshd_exec_t, rshd_t)
')
diff --git a/rshd.te b/rshd.te
-index 864e089..24cf46d 100644
+index f842825..24cf46d 100644
--- a/rshd.te
+++ b/rshd.te
-@@ -1,68 +1,75 @@
--policy_module(rshd, 1.8.1)
+@@ -1,62 +1,75 @@
+-policy_module(rshd, 1.7.1)
+policy_module(rshd, 1.7.0)
########################################
@@ -88104,9 +84459,6 @@ index 864e089..24cf46d 100644
type rshd_exec_t;
-auth_login_pgm_domain(rshd_t)
inetd_tcp_service_domain(rshd_t, rshd_exec_t)
--
--type rshd_keytab_t;
--files_type(rshd_keytab_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
@@ -88122,8 +84474,6 @@ index 864e089..24cf46d 100644
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
--allow rshd_t rshd_keytab_t:file read_file_perms;
--
kernel_read_kernel_sysctls(rshd_t)
-corenet_all_recvfrom_unlabeled(rshd_t)
@@ -88185,24 +84535,16 @@ index 864e089..24cf46d 100644
+userdom_home_reader(rshd_t)
optional_policy(`
+ kerberos_keytab_template(rshd, rshd_t)
- kerberos_manage_host_rcache(rshd_t)
-- kerberos_read_keytab(rshd_t)
- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
-- kerberos_use(rshd_t)
-+ kerberos_keytab_template(rshd, rshd_t)
')
optional_policy(`
diff --git a/rssh.te b/rssh.te
-index 5c5465f..7ee8502 100644
+index d1fd97f..7ee8502 100644
--- a/rssh.te
+++ b/rssh.te
-@@ -1,4 +1,4 @@
--policy_module(rssh, 2.3.0)
-+policy_module(rssh, 2.2.1)
-
- ########################################
- #
@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
kernel_read_system_state(rssh_t)
kernel_read_kernel_sysctls(rssh_t)
@@ -88522,16 +84864,16 @@ index f1140ef..8afe362 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
-index abeb302..7a6ca6c 100644
+index e3e7c96..7a6ca6c 100644
--- a/rsync.te
+++ b/rsync.te
@@ -1,4 +1,4 @@
--policy_module(rsync, 1.13.0)
+-policy_module(rsync, 1.12.2)
+policy_module(rsync, 1.12.0)
########################################
#
-@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
+@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2)
#
##
@@ -89067,7 +85409,7 @@ index 0000000..9a5164c
+ unconfined_domain(rtas_errd_t)
+')
diff --git a/rtkit.if b/rtkit.if
-index e904ec4..051addd 100644
+index bd35afe..051addd 100644
--- a/rtkit.if
+++ b/rtkit.if
@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
@@ -89078,7 +85420,7 @@ index e904ec4..051addd 100644
domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
')
-@@ -42,56 +41,43 @@ interface(`rtkit_daemon_dbus_chat',`
+@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',`
########################################
##
@@ -89102,7 +85444,6 @@ index e904ec4..051addd 100644
- allow rtkit_daemon_t $1:process { getsched setsched };
-
-- kernel_search_proc($1)
- ps_process_pattern(rtkit_daemon_t, $1)
-
- optional_policy(`
@@ -89151,15 +85492,9 @@ index e904ec4..051addd 100644
+ rtkit_daemon_dbus_chat($1)
')
diff --git a/rtkit.te b/rtkit.te
-index 7eea21f..29a8e9e 100644
+index 3f5a8ef..29a8e9e 100644
--- a/rtkit.te
+++ b/rtkit.te
-@@ -1,4 +1,4 @@
--policy_module(rtkit, 1.2.0)
-+policy_module(rtkit, 1.1.2)
-
- ########################################
- #
@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
logging_send_syslog_msg(rtkit_daemon_t)
@@ -89187,15 +85522,9 @@ index 0360ff0..e6cb34f 100644
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rwho.te b/rwho.te
-index 7fb75f4..6746952 100644
+index 9927d29..6746952 100644
--- a/rwho.te
+++ b/rwho.te
-@@ -1,4 +1,4 @@
--policy_module(rwho, 1.7.0)
-+policy_module(rwho, 1.6.1)
-
- ########################################
- #
@@ -16,7 +16,7 @@ type rwho_log_t;
files_type(rwho_log_t)
@@ -89333,7 +85662,7 @@ index b8b66ff..d1fa967 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
-index 50d07fb..a6bab06 100644
+index aee75af..a6bab06 100644
--- a/samba.if
+++ b/samba.if
@@ -1,8 +1,12 @@
@@ -89998,7 +86327,7 @@ index 50d07fb..a6bab06 100644
##
##
##
-@@ -684,42 +840,71 @@ interface(`samba_stream_connect_winbind',`
+@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',`
interface(`samba_admin',`
gen_require(`
type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
@@ -90007,25 +86336,24 @@ index 50d07fb..a6bab06 100644
- type samba_etc_t, samba_share_t, samba_initrc_exec_t;
- type swat_var_run_t, swat_tmp_t, winbind_log_t;
- type winbind_var_run_t, winbind_tmp_t;
-- type smbd_keytab_t;
+ type smbd_t, smbd_tmp_t, samba_secrets_t;
+ type samba_initrc_exec_t, samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t, winbind_log_t;
+ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
+ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
+ type samba_unit_file_t;
-+ ')
-+
+ ')
+
+- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 smbd_t:process ptrace;
+ allow $1 nmbd_t:process ptrace;
+ allow $1 samba_unconfined_script_t:process ptrace;
- ')
-
-- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { nmbd_t smbd_t })
++ ')
++
+ allow $1 nmbd_t:process signal_perms;
+ ps_process_pattern($1, nmbd_t)
+
@@ -90042,11 +86370,11 @@ index 50d07fb..a6bab06 100644
role_transition $2 samba_initrc_exec_t system_r;
allow $2 system_r;
+- files_list_etc($1)
+ admin_pattern($1, nmbd_var_run_t)
+
-+ admin_pattern($1, samba_etc_t)
- files_list_etc($1)
-- admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ admin_pattern($1, samba_etc_t)
++ files_list_etc($1)
+ admin_pattern($1, samba_log_t)
logging_list_logs($1)
@@ -90091,16 +86419,16 @@ index 50d07fb..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..8736764 100644
+index 57c034b..8736764 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
--policy_module(samba, 1.16.3)
+-policy_module(samba, 1.15.7)
+policy_module(samba, 1.15.0)
#################################
#
-@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
+@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7)
#
##
@@ -90255,7 +86583,7 @@ index 2b7c441..8736764 100644
type samba_net_tmp_t;
files_tmp_file(samba_net_tmp_t)
-@@ -136,25 +119,26 @@ files_type(samba_var_t)
+@@ -136,7 +119,7 @@ files_type(samba_var_t)
type smbcontrol_t;
type smbcontrol_exec_t;
application_domain(smbcontrol_t, smbcontrol_exec_t)
@@ -90264,11 +86592,7 @@ index 2b7c441..8736764 100644
type smbd_t;
type smbd_exec_t;
- init_daemon_domain(smbd_t, smbd_exec_t)
-
--type smbd_keytab_t;
--files_type(smbd_keytab_t)
--
+@@ -145,13 +128,17 @@ init_daemon_domain(smbd_t, smbd_exec_t)
type smbd_tmp_t;
files_tmp_file(smbd_tmp_t)
@@ -90288,7 +86612,7 @@ index 2b7c441..8736764 100644
type swat_t;
type swat_exec_t;
-@@ -173,28 +157,29 @@ type winbind_exec_t;
+@@ -170,27 +157,29 @@ type winbind_exec_t;
init_daemon_domain(winbind_t, winbind_exec_t)
type winbind_helper_t;
@@ -90316,7 +86640,7 @@ index 2b7c441..8736764 100644
#
-
allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
- allow samba_net_t self:capability2 block_suspend;
++allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
-allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
@@ -90326,7 +86650,7 @@ index 2b7c441..8736764 100644
allow samba_net_t samba_etc_t:file read_file_perms;
-@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -206,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
@@ -90353,7 +86677,7 @@ index 2b7c441..8736764 100644
dev_read_urand(samba_net_t)
-@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t)
+@@ -229,15 +223,16 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -90374,7 +86698,7 @@ index 2b7c441..8736764 100644
')
optional_policy(`
-@@ -249,46 +240,56 @@ optional_policy(`
+@@ -245,44 +240,56 @@ optional_policy(`
')
optional_policy(`
@@ -90421,8 +86745,7 @@ index 2b7c441..8736764 100644
-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-
--allow smbd_t smbd_keytab_t:file read_file_perms;
++
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
@@ -90444,7 +86767,7 @@ index 2b7c441..8736764 100644
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
-@@ -298,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -292,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -90475,7 +86798,7 @@ index 2b7c441..8736764 100644
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -321,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
@@ -90530,7 +86853,7 @@ index 2b7c441..8736764 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
-@@ -366,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@@ -90597,7 +86920,7 @@ index 2b7c441..8736764 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -419,20 +429,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -90620,7 +86943,7 @@ index 2b7c441..8736764 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -441,6 +441,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -90628,7 +86951,7 @@ index 2b7c441..8736764 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -448,17 +449,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -90646,7 +86969,7 @@ index 2b7c441..8736764 100644
optional_policy(`
ccs_read_config(smbd_t)
')
-@@ -466,6 +456,7 @@ optional_policy(`
+@@ -460,6 +456,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@@ -90654,22 +86977,19 @@ index 2b7c441..8736764 100644
')
optional_policy(`
-@@ -474,8 +465,13 @@ optional_policy(`
+@@ -473,6 +470,11 @@ optional_policy(`
')
optional_policy(`
-- kerberos_read_keytab(smbd_t)
- kerberos_use(smbd_t)
-+ kerberos_keytab_template(smbd, smbd_t)
++ ldap_stream_connect(smbd_t)
++ dirsrv_stream_connect(smbd_t)
+')
+
+optional_policy(`
-+ ldap_stream_connect(smbd_t)
-+ dirsrv_stream_connect(smbd_t)
+ lpd_exec_lpr(smbd_t)
')
- optional_policy(`
-@@ -488,6 +484,10 @@ optional_policy(`
+@@ -482,6 +484,10 @@ optional_policy(`
')
optional_policy(`
@@ -90680,7 +87000,7 @@ index 2b7c441..8736764 100644
rpc_search_nfs_state_data(smbd_t)
')
-@@ -499,9 +499,36 @@ optional_policy(`
+@@ -493,9 +499,36 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -90718,7 +87038,7 @@ index 2b7c441..8736764 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +539,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -90733,7 +87053,7 @@ index 2b7c441..8736764 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -90757,7 +87077,7 @@ index 2b7c441..8736764 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +572,42 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -90806,14 +87126,14 @@ index 2b7c441..8736764 100644
-
userdom_use_unpriv_users_fds(nmbd_t)
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
-
+-
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_list_non_auth_dirs(nmbd_t)
- files_read_non_auth_files(nmbd_t)
-')
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_manage_non_auth_files(nmbd_t)
@@ -90824,7 +87144,7 @@ index 2b7c441..8736764 100644
')
optional_policy(`
-@@ -606,20 +620,26 @@ optional_policy(`
+@@ -600,19 +620,26 @@ optional_policy(`
########################################
#
@@ -90844,19 +87164,19 @@ index 2b7c441..8736764 100644
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-
--manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
++
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
+-samba_rw_var_files(smbcontrol_t)
+manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
samba_search_var(smbcontrol_t)
samba_read_winbind_pid(smbcontrol_t)
-@@ -627,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -90874,7 +87194,7 @@ index 2b7c441..8736764 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +660,23 @@ optional_policy(`
+@@ -637,22 +660,23 @@ optional_policy(`
########################################
#
@@ -90906,7 +87226,7 @@ index 2b7c441..8736764 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -90942,7 +87262,7 @@ index 2b7c441..8736764 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -91034,7 +87354,7 @@ index 2b7c441..8736764 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -91058,7 +87378,7 @@ index 2b7c441..8736764 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +805,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -91101,7 +87421,7 @@ index 2b7c441..8736764 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +835,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -91115,7 +87435,7 @@ index 2b7c441..8736764 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +858,20 @@ optional_policy(`
+@@ -833,17 +858,20 @@ optional_policy(`
# Winbind local policy
#
@@ -91141,7 +87461,7 @@ index 2b7c441..8736764 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -91152,7 +87472,7 @@ index 2b7c441..8736764 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -91182,7 +87502,7 @@ index 2b7c441..8736764 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +915,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -91203,7 +87523,7 @@ index 2b7c441..8736764 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -91214,7 +87534,7 @@ index 2b7c441..8736764 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -91260,7 +87580,7 @@ index 2b7c441..8736764 100644
')
optional_policy(`
-@@ -959,31 +993,29 @@ optional_policy(`
+@@ -952,31 +993,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -91298,7 +87618,7 @@ index 2b7c441..8736764 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1029,38 @@ optional_policy(`
+@@ -990,25 +1029,38 @@ optional_policy(`
########################################
#
@@ -91351,15 +87671,9 @@ index 2b7c441..8736764 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
-index e18b0a2..9c40dbd 100644
+index d9f8784..9c40dbd 100644
--- a/sambagui.te
+++ b/sambagui.te
-@@ -1,4 +1,4 @@
--policy_module(sambagui, 1.2.0)
-+policy_module(sambagui, 1.1.2)
-
- ########################################
- #
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
@@ -91400,15 +87714,9 @@ index f0236d6..78a792a 100644
########################################
diff --git a/samhain.te b/samhain.te
-index c41ce4b..bd9a4c7 100644
+index 931312b..bd9a4c7 100644
--- a/samhain.te
+++ b/samhain.te
-@@ -1,4 +1,4 @@
--policy_module(samhain, 1.2.0)
-+policy_module(samhain, 1.1.1)
-
- ########################################
- #
@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
init_read_utmp(samhain_domain)
@@ -92666,16 +88974,16 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index 0045465..e19c914 100644
+index a34eac4..e19c914 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
--policy_module(sanlock, 1.1.0)
+-policy_module(sanlock, 1.0.2)
+policy_module(sanlock,1.0.0)
########################################
#
-@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
+@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2)
#
##
@@ -92834,7 +89142,7 @@ index 54f41c2..7e58679 100644
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/sasl.if b/sasl.if
-index 8c3c151..3e6a93f 100644
+index b2f388a..3e6a93f 100644
--- a/sasl.if
+++ b/sasl.if
@@ -1,4 +1,4 @@
@@ -92854,12 +89162,11 @@ index 8c3c151..3e6a93f 100644
##
##
##
-@@ -38,21 +38,21 @@ interface(`sasl_connect',`
+@@ -38,11 +38,15 @@ interface(`sasl_connect',`
#
interface(`sasl_admin',`
gen_require(`
- type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
-- type saslauthd_keytab_t;
+ type saslauthd_t, saslauthd_var_run_t;
+ type saslauthd_initrc_exec_t;
')
@@ -92873,26 +89180,17 @@ index 8c3c151..3e6a93f 100644
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_list_etc($1)
-- admin_pattern($1, saslauthd_keytab_t)
--
- files_list_pids($1)
- admin_pattern($1, saslauthd_var_run_t)
- ')
diff --git a/sasl.te b/sasl.te
-index 6c3bc20..1c9e41b 100644
+index a63b875..1c9e41b 100644
--- a/sasl.te
+++ b/sasl.te
@@ -1,4 +1,4 @@
--policy_module(sasl, 1.15.1)
+-policy_module(sasl, 1.14.3)
+policy_module(sasl, 1.14.0)
########################################
#
-@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
+@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3)
#
##
@@ -92909,30 +89207,18 @@ index 6c3bc20..1c9e41b 100644
type saslauthd_t;
type saslauthd_exec_t;
-@@ -20,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
- type saslauthd_initrc_exec_t;
- init_script_file(saslauthd_initrc_exec_t)
-
--type saslauthd_keytab_t;
--files_type(saslauthd_keytab_t)
--
- type saslauthd_var_run_t;
- files_pid_file(saslauthd_var_run_t)
-
-@@ -35,9 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
+@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
dontaudit saslauthd_t self:capability sys_tty_config;
allow saslauthd_t self:process { setsched signal_perms };
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
-allow saslauthd_t self:unix_stream_socket { accept listen };
--
--allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-@@ -48,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
+@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
kernel_rw_afs_state(saslauthd_t)
@@ -92968,7 +89254,7 @@ index 6c3bc20..1c9e41b 100644
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
-@@ -78,34 +65,37 @@ selinux_compute_access_vector(saslauthd_t)
+@@ -73,33 +65,37 @@ selinux_compute_access_vector(saslauthd_t)
auth_use_pam(saslauthd_t)
@@ -93000,12 +89286,10 @@ index 6c3bc20..1c9e41b 100644
')
optional_policy(`
-- kerberos_read_keytab(saslauthd_t)
++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
+ kerberos_keytab_template(saslauthd, saslauthd_t)
- kerberos_manage_host_rcache(saslauthd_t)
- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
-- kerberos_use(saslauthd_t)
-+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
-+ kerberos_keytab_template(saslauthd, saslauthd_t)
')
optional_policy(`
@@ -93225,16 +89509,10 @@ index 98c9e0a..562666e 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 299756b..21c15bb 100644
+index 4a23d84..21c15bb 100644
--- a/sblim.te
+++ b/sblim.te
-@@ -1,4 +1,4 @@
--policy_module(sblim, 1.1.0)
-+policy_module(sblim, 1.0.3)
-
- ########################################
- #
-@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
+@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
attribute sblim_domain;
@@ -93383,13 +89661,12 @@ index 299756b..21c15bb 100644
+ rpm_dontaudit_manage_db(sblim_sfcbd_t)
+')
diff --git a/screen.fc b/screen.fc
-index e7c2cf7..b73334e 100644
+index ac04d27..b73334e 100644
--- a/screen.fc
+++ b/screen.fc
-@@ -1,9 +1,19 @@
+@@ -1,8 +1,19 @@
-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
--HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+#
+# /home
+#
@@ -93414,7 +89691,7 @@ index e7c2cf7..b73334e 100644
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/screen.if b/screen.if
-index be5cce2..4dd623e 100644
+index c21ddcc..4dd623e 100644
--- a/screen.if
+++ b/screen.if
@@ -1,4 +1,4 @@
@@ -93435,7 +89712,7 @@ index be5cce2..4dd623e 100644
')
########################################
-@@ -35,50 +34,48 @@ template(`screen_role_template',`
+@@ -35,49 +34,48 @@ template(`screen_role_template',`
#
type $1_screen_t, screen_domain;
@@ -93479,7 +89756,6 @@ index be5cce2..4dd623e 100644
-
- userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
-- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ manage_files_pattern($3, screen_home_t, screen_home_t)
@@ -93510,7 +89786,7 @@ index be5cce2..4dd623e 100644
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
-@@ -88,3 +85,41 @@ template(`screen_role_template',`
+@@ -87,3 +85,41 @@ template(`screen_role_template',`
fs_nfs_domtrans($1_screen_t, $3)
')
')
@@ -93553,11 +89829,11 @@ index be5cce2..4dd623e 100644
+')
+
diff --git a/screen.te b/screen.te
-index 5466a73..ee69aa7 100644
+index f095081..ee69aa7 100644
--- a/screen.te
+++ b/screen.te
@@ -1,13 +1,11 @@
--policy_module(screen, 2.6.0)
+-policy_module(screen, 2.5.3)
+policy_module(screen, 2.5.0)
########################################
@@ -93584,7 +89860,7 @@ index 5466a73..ee69aa7 100644
type screen_var_run_t;
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
-@@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t)
+@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t)
########################################
#
@@ -93599,13 +89875,12 @@ index 5466a73..ee69aa7 100644
-allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
-allow screen_domain self:tcp_socket { accept listen };
--allow screen_domain self:unix_stream_socket { accept connectto listen };
+-allow screen_domain self:unix_stream_socket connectto;
-
-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
--filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
+allow screen_domain self:tcp_socket create_stream_socket_perms;
+allow screen_domain self:udp_socket create_socket_perms;
+# Internal screen networking
@@ -93634,7 +89909,7 @@ index 5466a73..ee69aa7 100644
kernel_read_kernel_sysctls(screen_domain)
corecmd_list_bin(screen_domain)
-@@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
+@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
corecmd_read_bin_pipes(screen_domain)
corecmd_read_bin_sockets(screen_domain)
@@ -93742,16 +90017,16 @@ index c78a569..9007451 100644
- allow sectoolm_t $2:unix_dgram_socket sendto;
-')
diff --git a/sectoolm.te b/sectoolm.te
-index 4bc8c13..b6a0bbd 100644
+index 8193bf1..b6a0bbd 100644
--- a/sectoolm.te
+++ b/sectoolm.te
@@ -1,4 +1,4 @@
--policy_module(sectoolm, 1.1.0)
+-policy_module(sectoolm, 1.0.1)
+policy_module(sectoolm, 1.0.0)
########################################
#
-@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
+@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1)
type sectoolm_t;
type sectoolm_exec_t;
@@ -93859,7 +90134,7 @@ index d14b6bf..da5d41d 100644
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 35ad2a7..133d993 100644
+index 88e753f..133d993 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
@@ -94046,10 +90321,9 @@ index 35ad2a7..133d993 100644
########################################
##
-## Execute sendmail in the unconfined sendmail domain.
-+## Set the attributes of sendmail pid files.
- ##
- ##
- ##
+-##
+-##
+-##
-## Domain allowed to transition.
-##
-##
@@ -94072,9 +90346,10 @@ index 35ad2a7..133d993 100644
-## sendmail domain, and allow the
-## specified role the unconfined
-## sendmail domain.
--##
--##
--##
++## Set the attributes of sendmail pid files.
+ ##
+ ##
+ ##
-## Domain allowed to transition.
-##
-##
@@ -94108,12 +90383,11 @@ index 35ad2a7..133d993 100644
##
##
##
-@@ -353,20 +304,20 @@ interface(`sendmail_run_unconfined',`
+@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',`
interface(`sendmail_admin',`
gen_require(`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
- type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
-- type sendmail_keytab_t;
+ type sendmail_tmp_t, sendmail_var_run_t;
+ type mail_spool_t;
')
@@ -94131,13 +90405,7 @@ index 35ad2a7..133d993 100644
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
-- files_list_etc($1)
-- admin_pattern($1, sendmail_keytab_t)
--
- logging_list_logs($1)
- admin_pattern($1, sendmail_log_t)
-
-@@ -376,6 +327,6 @@ interface(`sendmail_admin',`
+@@ -372,6 +327,6 @@ interface(`sendmail_admin',`
files_list_pids($1)
admin_pattern($1, sendmail_var_run_t)
@@ -94147,11 +90415,11 @@ index 35ad2a7..133d993 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b4..65aed74 100644
+index 5f35d78..65aed74 100644
--- a/sendmail.te
+++ b/sendmail.te
-@@ -1,21 +1,10 @@
--policy_module(sendmail, 1.12.1)
+@@ -1,18 +1,10 @@
+-policy_module(sendmail, 1.11.5)
+policy_module(sendmail, 1.11.0)
########################################
@@ -94167,13 +90435,10 @@ index 12700b4..65aed74 100644
-type sendmail_initrc_exec_t;
-init_script_file(sendmail_initrc_exec_t)
-
--type sendmail_keytab_t;
--files_type(sendmail_keytab_t)
--
type sendmail_log_t;
logging_log_file(sendmail_log_t)
-@@ -29,29 +18,27 @@ type sendmail_t;
+@@ -26,27 +18,27 @@ type sendmail_t;
mta_sendmail_mailserver(sendmail_t)
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -94199,8 +90464,6 @@ index 12700b4..65aed74 100644
allow sendmail_t self:fifo_file rw_fifo_file_perms;
-allow sendmail_t self:unix_stream_socket { accept listen };
-allow sendmail_t self:tcp_socket { accept listen };
--
--allow sendmail_t sendmail_keytab_t:file read_file_perms;
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
@@ -94215,7 +90478,7 @@ index 12700b4..65aed74 100644
logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
-@@ -63,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+@@ -58,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
kernel_read_network_state(sendmail_t)
kernel_read_kernel_sysctls(sendmail_t)
@@ -94253,7 +90516,7 @@ index 12700b4..65aed74 100644
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
-@@ -98,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -93,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
term_dontaudit_use_generic_ptys(sendmail_t)
@@ -94309,7 +90572,7 @@ index 12700b4..65aed74 100644
')
optional_policy(`
-@@ -134,8 +123,8 @@ optional_policy(`
+@@ -129,8 +123,8 @@ optional_policy(`
')
optional_policy(`
@@ -94320,21 +90583,15 @@ index 12700b4..65aed74 100644
')
optional_policy(`
-@@ -159,8 +148,11 @@ optional_policy(`
+@@ -158,14 +152,27 @@ optional_policy(`
')
optional_policy(`
-- kerberos_read_keytab(sendmail_t)
-- kerberos_use(sendmail_t)
-+ kerberos_keytab_template(sendmail, sendmail_t)
++ inn_write_inherited_news_lib(sendmail_t)
+')
+
+optional_policy(`
-+ inn_write_inherited_news_lib(sendmail_t)
- ')
-
- optional_policy(`
-@@ -168,10 +160,19 @@ optional_policy(`
+ milter_stream_connect_all(sendmail_t)
')
optional_policy(`
@@ -94354,7 +90611,7 @@ index 12700b4..65aed74 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -193,21 +194,13 @@ optional_policy(`
+@@ -187,21 +194,13 @@ optional_policy(`
')
optional_policy(`
@@ -94657,16 +90914,16 @@ index 3a9a70b..903109c 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..0f1e101 100644
+index 49b12ae..0f1e101 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -1,4 +1,4 @@
--policy_module(setroubleshoot, 1.12.1)
+-policy_module(setroubleshoot, 1.11.2)
+policy_module(setroubleshoot, 1.11.0)
########################################
#
-@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
+@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.11.2)
type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t;
@@ -94767,7 +91024,15 @@ index ce67935..0f1e101 100644
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
-@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -101,33 +109,32 @@ selinux_read_policy(setroubleshootd_t)
+ term_dontaudit_use_all_ptys(setroubleshootd_t)
+ term_dontaudit_use_all_ttys(setroubleshootd_t)
+
++mls_dbus_recv_all_levels(setroubleshootd_t)
++
+ auth_use_nsswitch(setroubleshootd_t)
+
+ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
@@ -94800,7 +91065,7 @@ index ce67935..0f1e101 100644
')
optional_policy(`
-@@ -137,10 +142,18 @@ optional_policy(`
+@@ -135,10 +142,18 @@ optional_policy(`
')
optional_policy(`
@@ -94819,7 +91084,7 @@ index ce67935..0f1e101 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
-@@ -150,26 +163,36 @@ optional_policy(`
+@@ -148,26 +163,36 @@ optional_policy(`
########################################
#
@@ -94858,7 +91123,7 @@ index ce67935..0f1e101 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -95319,15 +91584,9 @@ index 1aeef8a..d5ce40a 100644
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
-index 7710b9f..e0ebb61 100644
+index ca03de6..e0ebb61 100644
--- a/shorewall.te
+++ b/shorewall.te
-@@ -1,4 +1,4 @@
--policy_module(shorewall, 1.4.0)
-+policy_module(shorewall, 1.3.5)
-
- ########################################
- #
@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t)
allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
@@ -95547,15 +91806,9 @@ index d1706bf..87ab4a7 100644
##
##
diff --git a/shutdown.te b/shutdown.te
-index e2544e1..8804935 100644
+index 7880d1f..8804935 100644
--- a/shutdown.te
+++ b/shutdown.te
-@@ -1,4 +1,4 @@
--policy_module(shutdown, 1.2.0)
-+policy_module(shutdown, 1.1.2)
-
- ########################################
- #
@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
mls_file_write_to_clearance(shutdown_t)
@@ -95592,56 +91845,20 @@ index e2544e1..8804935 100644
xserver_dontaudit_write_log(shutdown_t)
+ xserver_xdm_append_log(shutdown_t)
')
-diff --git a/slocate.fc b/slocate.fc
-index 5844628..6eede98 100644
---- a/slocate.fc
-+++ b/slocate.fc
-@@ -1,7 +1,3 @@
--/etc/cron\.daily/[sm]locate -- gen_context(system_u:object_r:locate_exec_t,s0)
--
--/usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0)
-+/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0)
-
- /var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
--
--/var/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0)
diff --git a/slocate.te b/slocate.te
-index 7292dc0..f2745d2 100644
+index ba26427..f2745d2 100644
--- a/slocate.te
+++ b/slocate.te
-@@ -1,4 +1,4 @@
--policy_module(slocate, 1.12.2)
-+policy_module(slocate, 1.11.1)
-
- #################################
- #
-@@ -12,9 +12,6 @@ init_system_domain(locate_t, locate_exec_t)
- type locate_var_lib_t;
- files_type(locate_var_lib_t)
-
--type locate_var_run_t;
--files_pid_file(locate_var_run_t)
--
- ########################################
+@@ -18,7 +18,7 @@ files_type(locate_var_lib_t)
#
- # Local policy
-@@ -28,24 +25,22 @@ allow locate_t self:unix_stream_socket create_socket_perms;
- manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
- manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
-
--allow locate_t locate_var_run_t:file manage_file_perms;
--files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock")
--
--can_exec(locate_t, locate_exec_t)
--
- kernel_read_system_state(locate_t)
- kernel_dontaudit_search_network_state(locate_t)
- kernel_dontaudit_search_sysctl(locate_t)
- corecmd_exec_bin(locate_t)
--corecmd_exec_shell(locate_t)
+ allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+-allow locate_t self:process { execmem execheap execstack signal };
++allow locate_t self:process { execmem execheap execstack signal setsched };
+ allow locate_t self:fifo_file rw_fifo_file_perms;
+ allow locate_t self:unix_stream_socket create_socket_perms;
- dev_getattr_all_blk_files(locate_t)
+@@ -35,8 +35,12 @@ dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
files_list_all(locate_t)
@@ -95654,7 +91871,7 @@ index 7292dc0..f2745d2 100644
files_getattr_all_pipes(locate_t)
files_getattr_all_sockets(locate_t)
files_read_etc_runtime_files(locate_t)
-@@ -62,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+@@ -53,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
auth_use_nsswitch(locate_t)
@@ -95662,7 +91879,7 @@ index 7292dc0..f2745d2 100644
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
-@@ -71,3 +65,8 @@ ifdef(`enable_mls',`
+@@ -62,3 +65,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
@@ -95740,15 +91957,9 @@ index ca32e89..98278dd 100644
+
')
diff --git a/slpd.te b/slpd.te
-index 731512a..5efa3fd 100644
+index 66ac42a..5efa3fd 100644
--- a/slpd.te
+++ b/slpd.te
-@@ -1,4 +1,4 @@
--policy_module(slpd, 1.1.0)
-+policy_module(slpd, 1.0.3)
-
- ########################################
- #
@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t)
# Local policy
#
@@ -95783,15 +91994,9 @@ index 731512a..5efa3fd 100644
+
+sysnet_dns_name_resolve(slpd_t)
diff --git a/slrnpull.te b/slrnpull.te
-index 59eb07f..3dfc982 100644
+index 5437237..3dfc982 100644
--- a/slrnpull.te
+++ b/slrnpull.te
-@@ -1,4 +1,4 @@
--policy_module(slrnpull, 1.5.0)
-+policy_module(slrnpull, 1.4.1)
-
- ########################################
- #
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
files_pid_file(slrnpull_var_run_t)
@@ -95818,16 +92023,6 @@ index 59eb07f..3dfc982 100644
userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
userdom_dontaudit_search_user_home_dirs(slrnpull_t)
-diff --git a/smartmon.fc b/smartmon.fc
-index 36e908f..2c29fc5 100644
---- a/smartmon.fc
-+++ b/smartmon.fc
-@@ -1,4 +1,4 @@
--/etc/rc\.d/init\.d/(smartd|smartmontools) -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/((smartd)|(smartmontools)) -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
-
- /usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
-
diff --git a/smartmon.if b/smartmon.if
index e0644b5..ea347cc 100644
--- a/smartmon.if
@@ -95848,15 +92043,9 @@ index e0644b5..ea347cc 100644
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
-index 9cf6582..60d6c41 100644
+index 9ade9c5..60d6c41 100644
--- a/smartmon.te
+++ b/smartmon.te
-@@ -1,4 +1,4 @@
--policy_module(smartmon, 1.12.0)
-+policy_module(smartmon, 1.11.3)
-
- ########################################
- #
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
corecmd_exec_all_executables(fsdaemon_t)
@@ -95943,15 +92132,9 @@ index 1fa51c1..82e111c 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index ec031a0..4689a59 100644
+index a8b1aaf..4689a59 100644
--- a/smokeping.te
+++ b/smokeping.te
-@@ -1,4 +1,4 @@
--policy_module(smokeping, 1.2.0)
-+policy_module(smokeping, 1.1.2)
-
- ########################################
- #
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
#
@@ -95988,23 +92171,10 @@ index ec031a0..4689a59 100644
sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
-diff --git a/smoltclient.fc b/smoltclient.fc
-index 1ff2958..27ddf8d 100644
---- a/smoltclient.fc
-+++ b/smoltclient.fc
-@@ -1 +1 @@
--/usr/share/smolt/client/sendProfile\.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
-+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
diff --git a/smoltclient.te b/smoltclient.te
-index b3f2c6f..d8d4623 100644
+index 9c8f9a5..d8d4623 100644
--- a/smoltclient.te
+++ b/smoltclient.te
-@@ -1,4 +1,4 @@
--policy_module(smoltclient, 1.2.0)
-+policy_module(smoltclient, 1.1.1)
-
- ########################################
- #
@@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t)
corenet_sendrecv_http_client_packets(smoltclient_t)
@@ -96381,18 +92551,6 @@ index 0000000..1fad7b8
+logging_send_syslog_msg(smsd_t)
+
+sysnet_dns_name_resolve(smsd_t)
-diff --git a/smstools.fc b/smstools.fc
-index 4afc690..8e7d825 100644
---- a/smstools.fc
-+++ b/smstools.fc
-@@ -1,6 +1,6 @@
- /etc/smsd\.conf -- gen_context(system_u:object_r:smsd_conf_t,s0)
-
--/etc/rc\.d/init\.d/(smsd|smstools) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/((smsd)|(smstools)) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
-
- /usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
-
diff --git a/smstools.if b/smstools.if
index cbfe369..6594af3 100644
--- a/smstools.if
@@ -96640,12 +92798,11 @@ index 0000000..3591c8e
+ unconfined_domain(snapperd_t)
+')
diff --git a/snmp.fc b/snmp.fc
-index 2f0a2f2..50d80f4 100644
+index c73fa24..50d80f4 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,6 +1,6 @@
--/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
@@ -96782,15 +92939,9 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 9dcaeb8..e0f790d 100644
+index 81864ce..e0f790d 100644
--- a/snmp.te
+++ b/snmp.te
-@@ -1,4 +1,4 @@
--policy_module(snmp, 1.14.0)
-+policy_module(snmp, 1.13.4)
-
- ########################################
- #
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
#
@@ -96886,20 +93037,6 @@ index 9dcaeb8..e0f790d 100644
mta_search_queue(snmpd_t)
')
-diff --git a/snort.fc b/snort.fc
-index 591b9a1..24a8e1b 100644
---- a/snort.fc
-+++ b/snort.fc
-@@ -3,8 +3,8 @@
- /etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-
- /usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
--/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
-
-+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
- /usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
-
- /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/snort.if b/snort.if
index 7d86b34..5f58180 100644
--- a/snort.if
@@ -96933,15 +93070,9 @@ index 7d86b34..5f58180 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
-index 1af72df..6e335a9 100644
+index ccd28bb..6e335a9 100644
--- a/snort.te
+++ b/snort.te
-@@ -1,4 +1,4 @@
--policy_module(snort, 1.11.0)
-+policy_module(snort, 1.10.1)
-
- ########################################
- #
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
@@ -97011,25 +93142,10 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index f2f507d..08a6332 100644
+index 703efa3..08a6332 100644
--- a/sosreport.te
+++ b/sosreport.te
-@@ -1,4 +1,4 @@
--policy_module(sosreport, 1.3.1)
-+policy_module(sosreport, 1.2.2)
-
- ########################################
- #
-@@ -13,15 +13,15 @@ type sosreport_exec_t;
- application_domain(sosreport_t, sosreport_exec_t)
- role sosreport_roles types sosreport_t;
-
--type sosreport_var_run_t;
--files_pid_file(sosreport_var_run_t)
--
- type sosreport_tmp_t;
- files_tmp_file(sosreport_tmp_t)
-
+@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
type sosreport_tmpfs_t;
files_tmpfs_file(sosreport_tmpfs_t)
@@ -97039,14 +93155,14 @@ index f2f507d..08a6332 100644
optional_policy(`
pulseaudio_tmpfs_content(sosreport_tmpfs_t)
')
-@@ -31,12 +31,14 @@ optional_policy(`
+@@ -28,11 +31,14 @@ optional_policy(`
# Local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
-+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown };
- dontaudit sosreport_t self:capability sys_ptrace;
-allow sosreport_t self:process { setsched signull };
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown };
++dontaudit sosreport_t self:capability sys_ptrace;
+allow sosreport_t self:process { setpgid setsched signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
@@ -97056,24 +93172,20 @@ index f2f507d..08a6332 100644
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
-@@ -44,20 +46,32 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
--manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
--fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
--
- manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
- manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
- manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
- manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
- files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
-
-+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
-+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
+
- kernel_read_network_state(sosreport_t)
- kernel_read_all_sysctls(sosreport_t)
+ manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+ fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+
+@@ -48,6 +60,18 @@ kernel_read_all_sysctls(sosreport_t)
kernel_read_software_raid_state(sosreport_t)
kernel_search_debugfs(sosreport_t)
kernel_read_messages(sosreport_t)
@@ -97092,17 +93204,25 @@ index f2f507d..08a6332 100644
corecmd_exec_all_executables(sosreport_t)
-@@ -69,6 +83,9 @@ dev_read_urand(sosreport_t)
+@@ -58,6 +82,10 @@ dev_read_rand(sosreport_t)
+ dev_read_urand(sosreport_t)
dev_read_raw_memory(sosreport_t)
dev_read_sysfs(sosreport_t)
- dev_rw_generic_usb_dev(sosreport_t)
++dev_rw_generic_usb_dev(sosreport_t)
+dev_rw_lvm_control(sosreport_t)
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
domain_getattr_all_domains(sosreport_t)
domain_read_all_domains_state(sosreport_t)
-@@ -83,7 +100,6 @@ files_list_all(sosreport_t)
+@@ -65,12 +93,13 @@ domain_getattr_all_sockets(sosreport_t)
+ domain_getattr_all_pipes(sosreport_t)
+
+ files_getattr_all_sockets(sosreport_t)
++files_getattr_all_files(sosreport_t)
++files_getattr_all_pipes(sosreport_t)
+ files_exec_etc_files(sosreport_t)
+ files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
files_read_non_auth_files(sosreport_t)
@@ -97110,7 +93230,7 @@ index f2f507d..08a6332 100644
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
-@@ -92,30 +108,49 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +108,49 @@ files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
@@ -97122,8 +93242,8 @@ index f2f507d..08a6332 100644
+term_getattr_pty_fs(sosreport_t)
+term_getattr_all_ptys(sosreport_t)
- term_use_generic_ptys(sosreport_t)
-
++term_use_generic_ptys(sosreport_t)
++
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+files_read_non_security_files(sosreport_t)
@@ -97150,7 +93270,7 @@ index f2f507d..08a6332 100644
optional_policy(`
abrt_manage_pid_files(sosreport_t)
abrt_manage_cache(sosreport_t)
- abrt_stream_connect(sosreport_t)
++ abrt_stream_connect(sosreport_t)
+ abrt_signal(sosreport_t)
+')
+
@@ -97163,7 +93283,7 @@ index f2f507d..08a6332 100644
')
optional_policy(`
-@@ -127,6 +162,16 @@ optional_policy(`
+@@ -111,6 +162,16 @@ optional_policy(`
')
optional_policy(`
@@ -97180,7 +93300,7 @@ index f2f507d..08a6332 100644
fstools_domtrans(sosreport_t)
')
-@@ -136,6 +181,10 @@ optional_policy(`
+@@ -120,6 +181,10 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(sosreport_t)
')
@@ -97191,7 +93311,7 @@ index f2f507d..08a6332 100644
')
optional_policy(`
-@@ -147,15 +196,40 @@ optional_policy(`
+@@ -131,15 +196,40 @@ optional_policy(`
')
optional_policy(`
@@ -97255,15 +93375,9 @@ index a5abc5a..b9eff74 100644
domain_system_change_exemption($1)
role_transition $2 soundd_initrc_exec_t system_r;
diff --git a/soundserver.te b/soundserver.te
-index 0919e0c..b6c0d16 100644
+index db1bc6f..b6c0d16 100644
--- a/soundserver.te
+++ b/soundserver.te
-@@ -1,4 +1,4 @@
--policy_module(soundserver, 1.9.0)
-+policy_module(soundserver, 1.8.1)
-
- ########################################
- #
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
kernel_read_proc_symlinks(soundd_t)
@@ -97809,16 +93923,16 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..e8531d9 100644
+index 4faa7e0..e8531d9 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -1,4 +1,4 @@
--policy_module(spamassassin, 2.6.1)
+-policy_module(spamassassin, 2.5.8)
+policy_module(spamassassin, 2.5.0)
########################################
#
-@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
+@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8)
##
##
@@ -98253,29 +94367,29 @@ index cc58e35..e8531d9 100644
')
optional_policy(`
-- mta_send_mail(spamc_t)
-- mta_read_config(spamc_t)
-- mta_read_queue(spamc_t)
++ postfix_domtrans_postdrop(spamc_t)
++ postfix_search_spool(spamc_t)
++ postfix_rw_local_pipes(spamc_t)
++ postfix_rw_inherited_master_pipes(spamc_t)
++')
++
++optional_policy(`
+ mta_send_mail(spamc_t)
+ mta_read_config(spamc_t)
+ mta_read_queue(spamc_t)
- sendmail_rw_pipes(spamc_t)
-- sendmail_stub(spamc_t)
+ sendmail_stub(spamc_t)
-')
-
-optional_policy(`
- postfix_domtrans_postdrop(spamc_t)
- postfix_search_spool(spamc_t)
- postfix_rw_local_pipes(spamc_t)
- postfix_rw_inherited_master_pipes(spamc_t)
- ')
-
-+optional_policy(`
-+ mta_send_mail(spamc_t)
-+ mta_read_config(spamc_t)
-+ mta_read_queue(spamc_t)
-+ sendmail_stub(spamc_t)
+- postfix_domtrans_postdrop(spamc_t)
+- postfix_search_spool(spamc_t)
+- postfix_rw_local_pipes(spamc_t)
+- postfix_rw_master_pipes(spamc_t)
+ sendmail_rw_pipes(spamc_t)
+ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
-+')
-+
+ ')
+
########################################
#
-# Daemon local policy
@@ -98811,15 +94925,9 @@ index 0000000..931fa6c
+dev_read_urand(speech-dispatcher_t)
+
diff --git a/speedtouch.te b/speedtouch.te
-index b38b8b1..388ce0a 100644
+index 9025dbd..388ce0a 100644
--- a/speedtouch.te
+++ b/speedtouch.te
-@@ -1,4 +1,4 @@
--policy_module(speedtouch, 1.5.0)
-+policy_module(speedtouch, 1.4.1)
-
- #######################################
- #
@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
domain_use_interactive_fds(speedmgmt_t)
@@ -98907,15 +95015,9 @@ index 5e1f053..e7820bc 100644
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index 03472ed..d892e00 100644
+index 221c560..d892e00 100644
--- a/squid.te
+++ b/squid.te
-@@ -1,4 +1,4 @@
--policy_module(squid, 1.12.1)
-+policy_module(squid, 1.11.2)
-
- ########################################
- #
@@ -29,7 +29,7 @@ type squid_cache_t;
files_type(squid_cache_t)
@@ -98950,7 +95052,14 @@ index 03472ed..d892e00 100644
########################################
#
# Local policy
-@@ -78,14 +85,16 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+@@ -74,20 +81,20 @@ allow squid_t squid_conf_t:file read_file_perms;
+ allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
+-append_files_pattern(squid_t, squid_log_t, squid_log_t)
+-create_files_pattern(squid_t, squid_log_t, squid_log_t)
+-setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
++manage_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })
@@ -98970,7 +95079,7 @@ index 03472ed..d892e00 100644
files_pid_filetrans(squid_t, squid_var_run_t, file)
can_exec(squid_t, squid_exec_t)
-@@ -94,7 +103,6 @@ kernel_read_kernel_sysctls(squid_t)
+@@ -96,7 +103,6 @@ kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
kernel_read_network_state(squid_t)
@@ -98978,7 +95087,7 @@ index 03472ed..d892e00 100644
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
-@@ -132,6 +140,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
+@@ -134,6 +140,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
corenet_udp_sendrecv_gopher_port(squid_t)
corenet_sendrecv_squid_server_packets(squid_t)
@@ -98986,7 +95095,7 @@ index 03472ed..d892e00 100644
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
corenet_tcp_sendrecv_squid_port(squid_t)
-@@ -154,7 +163,6 @@ dev_read_urand(squid_t)
+@@ -156,7 +163,6 @@ dev_read_urand(squid_t)
domain_use_interactive_fds(squid_t)
files_read_etc_runtime_files(squid_t)
@@ -98994,7 +95103,7 @@ index 03472ed..d892e00 100644
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)
-@@ -176,7 +184,6 @@ libs_exec_lib_files(squid_t)
+@@ -178,7 +184,6 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
@@ -99002,7 +95111,7 @@ index 03472ed..d892e00 100644
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -198,6 +205,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -200,6 +205,8 @@ tunable_policy(`squid_use_tproxy',`
optional_policy(`
apache_content_template(squid)
@@ -99011,7 +95120,7 @@ index 03472ed..d892e00 100644
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -207,18 +216,18 @@ optional_policy(`
+@@ -209,18 +216,18 @@ optional_policy(`
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
@@ -99037,7 +95146,7 @@ index 03472ed..d892e00 100644
')
optional_policy(`
-@@ -236,3 +245,24 @@ optional_policy(`
+@@ -238,3 +245,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -99485,11 +95594,11 @@ index a240455..3dd6f00 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..b400fb6 100644
+index 8b537aa..b400fb6 100644
--- a/sssd.te
+++ b/sssd.te
@@ -1,4 +1,4 @@
--policy_module(sssd, 1.2.0)
+-policy_module(sssd, 1.1.4)
+policy_module(sssd, 1.1.0)
########################################
@@ -99907,15 +96016,9 @@ index 0000000..337d201
+')
+
diff --git a/stunnel.te b/stunnel.te
-index 27a8480..47f1802 100644
+index 9992e62..47f1802 100644
--- a/stunnel.te
+++ b/stunnel.te
-@@ -1,4 +1,4 @@
--policy_module(stunnel, 1.11.0)
-+policy_module(stunnel, 1.10.2)
-
- ########################################
- #
@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t)
corecmd_exec_bin(stunnel_t)
@@ -100098,15 +96201,9 @@ index 2ac91b6..dd2ac36 100644
')
+
diff --git a/svnserve.te b/svnserve.te
-index 49d688d..84cdcac 100644
+index c6aaac7..84cdcac 100644
--- a/svnserve.te
+++ b/svnserve.te
-@@ -1,4 +1,4 @@
--policy_module(svnserve, 1.1.0)
-+policy_module(svnserve, 1.0.2)
-
- ########################################
- #
@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
type svnserve_initrc_exec_t;
init_script_file(svnserve_initrc_exec_t)
@@ -100544,15 +96641,9 @@ index 0000000..6e39c4f
+
+
diff --git a/sxid.te b/sxid.te
-index 01a9d0a..1973f71 100644
+index c9824cb..1973f71 100644
--- a/sxid.te
+++ b/sxid.te
-@@ -1,4 +1,4 @@
--policy_module(sxid, 1.8.0)
-+policy_module(sxid, 1.7.1)
-
- ########################################
- #
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
corecmd_exec_bin(sxid_t)
corecmd_exec_shell(sxid_t)
@@ -100580,15 +96671,9 @@ index 01a9d0a..1973f71 100644
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index b92f677..c81d332 100644
+index c8b80b2..c81d332 100644
--- a/sysstat.te
+++ b/sysstat.te
-@@ -1,4 +1,4 @@
--policy_module(sysstat, 1.8.0)
-+policy_module(sysstat, 1.7.1)
-
- ########################################
- #
@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
allow sysstat_t self:fifo_file rw_fifo_file_perms;
@@ -100706,11 +96791,11 @@ index c755e2d..0000000
-')
diff --git a/systemtap.te b/systemtap.te
deleted file mode 100644
-index ffde368..0000000
+index 6c06a84..0000000
--- a/systemtap.te
+++ /dev/null
@@ -1,101 +0,0 @@
--policy_module(systemtap, 1.1.0)
+-policy_module(systemtap, 1.0.2)
-
-########################################
-#
@@ -100812,15 +96897,9 @@ index ffde368..0000000
- rpm_exec(stapserver_t)
-')
diff --git a/tcpd.te b/tcpd.te
-index 2d6d2c2..1e1a075 100644
+index f388db3..1e1a075 100644
--- a/tcpd.te
+++ b/tcpd.te
-@@ -1,4 +1,4 @@
--policy_module(tcpd, 1.5.0)
-+policy_module(tcpd, 1.4.1)
-
- ########################################
- #
@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
@@ -100846,17 +96925,6 @@ index 2d6d2c2..1e1a075 100644
sysnet_read_config(tcpd_t)
inetd_domtrans_child(tcpd_t)
-diff --git a/tcsd.fc b/tcsd.fc
-index c2c2636..a38b954 100644
---- a/tcsd.fc
-+++ b/tcsd.fc
-@@ -1,4 +1,5 @@
--/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/trousers -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
-
- /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
-
diff --git a/tcsd.if b/tcsd.if
index b42ec1d..91b8f71 100644
--- a/tcsd.if
@@ -100875,16 +96943,10 @@ index b42ec1d..91b8f71 100644
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/tcsd.te b/tcsd.te
-index b26d44a..14da480 100644
+index ac8213a..14da480 100644
--- a/tcsd.te
+++ b/tcsd.te
-@@ -1,4 +1,4 @@
--policy_module(tcsd, 1.1.1)
-+policy_module(tcsd, 1.0.3)
-
- ########################################
- #
-@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
+@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
dev_read_urand(tcsd_t)
dev_rw_tpm(tcsd_t)
@@ -100892,20 +96954,19 @@ index b26d44a..14da480 100644
-
auth_use_nsswitch(tcsd_t)
- init_read_utmp(tcsd_t)
+-logging_send_syslog_msg(tcsd_t)
++init_read_utmp(tcsd_t)
- logging_send_syslog_msg(tcsd_t)
--
-miscfiles_read_localization(tcsd_t)
++logging_send_syslog_msg(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
-index 6c7f8f8..03fc880 100644
+index c7de0cf..03fc880 100644
--- a/telepathy.fc
+++ b/telepathy.fc
-@@ -1,35 +1,23 @@
+@@ -1,34 +1,23 @@
-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
--HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
@@ -101374,11 +97435,11 @@ index 42946bc..9f70e4c 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index 9afcbc9..5a41683 100644
+index e9c0964..5a41683 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -1,29 +1,28 @@
--policy_module(telepathy, 1.4.2)
+-policy_module(telepathy, 1.3.5)
+policy_module(telepathy, 1.3.0)
########################################
@@ -101417,7 +97478,7 @@ index 9afcbc9..5a41683 100644
telepathy_domain_template(gabble)
-@@ -67,179 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t)
#######################################
#
@@ -101488,14 +97549,14 @@ index 9afcbc9..5a41683 100644
- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
corenet_tcp_connect_generic_port(telepathy_gabble_t)
- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(telepathy_gabble_t)
-- fs_manage_nfs_files(telepathy_gabble_t)
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
')
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_gabble_t)
+- fs_manage_nfs_files(telepathy_gabble_t)
+-')
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_gabble_t)
- fs_manage_cifs_files(telepathy_gabble_t)
@@ -101610,19 +97671,16 @@ index 9afcbc9..5a41683 100644
+userdom_search_user_home_dirs(telepathy_mission_control_t)
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
--manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
--filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-
--manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
--# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
-+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
--manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
--manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+optional_policy(`
+ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
+ gnome_manage_home_config(telepathy_mission_control_t)
@@ -101648,7 +97706,7 @@ index 9afcbc9..5a41683 100644
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
-@@ -248,59 +215,51 @@ optional_policy(`
+@@ -245,59 +215,51 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
@@ -101723,7 +97781,7 @@ index 9afcbc9..5a41683 100644
init_read_state(telepathy_msn_t)
-@@ -310,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
@@ -101748,7 +97806,7 @@ index 9afcbc9..5a41683 100644
')
optional_policy(`
-@@ -332,43 +292,33 @@ optional_policy(`
+@@ -329,43 +292,33 @@ optional_policy(`
')
')
@@ -101797,7 +97855,7 @@ index 9afcbc9..5a41683 100644
')
optional_policy(`
-@@ -381,73 +331,53 @@ optional_policy(`
+@@ -378,73 +331,53 @@ optional_policy(`
#######################################
#
@@ -101881,7 +97939,7 @@ index 9afcbc9..5a41683 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -455,31 +385,49 @@ optional_policy(`
+@@ -452,31 +385,49 @@ optional_policy(`
#######################################
#
@@ -101939,45 +97997,21 @@ index 9afcbc9..5a41683 100644
')
+
diff --git a/telnet.te b/telnet.te
-index d7c8633..1bdef51 100644
+index 9f89916..1bdef51 100644
--- a/telnet.te
+++ b/telnet.te
-@@ -1,4 +1,4 @@
--policy_module(telnet, 1.11.3)
-+policy_module(telnet, 1.10.2)
-
- ########################################
- #
-@@ -8,14 +8,10 @@ policy_module(telnet, 1.11.3)
- type telnetd_t;
- type telnetd_exec_t;
- inetd_service_domain(telnetd_t, telnetd_exec_t)
--init_daemon_domain(telnetd_t, telnetd_exec_t)
-
- type telnetd_devpts_t;
- term_login_pty(telnetd_devpts_t)
-
--type telnetd_keytab_t;
--files_type(telnetd_keytab_t)
--
- type telnetd_tmp_t;
- files_tmp_file(telnetd_tmp_t)
-
-@@ -30,16 +26,17 @@ files_pid_file(telnetd_var_run_t)
+@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
--allow telnetd_t self:tcp_socket { accept listen };
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
--term_create_pty(telnetd_t, telnetd_devpts_t)
-
--allow telnetd_t telnetd_keytab_t:file read_file_perms;
-+term_create_pty(telnetd_t, telnetd_devpts_t)
++
+ term_create_pty(telnetd_t, telnetd_devpts_t)
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
@@ -101985,26 +98019,23 @@ index d7c8633..1bdef51 100644
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -48,14 +45,14 @@ kernel_read_kernel_sysctls(telnetd_t)
+@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
-corenet_all_recvfrom_unlabeled(telnetd_t)
corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_generic_if(telnetd_t)
-+corenet_udp_sendrecv_generic_if(telnetd_t)
- corenet_tcp_sendrecv_generic_node(telnetd_t)
--
--corenet_sendrecv_telnetd_server_packets(telnetd_t)
-+corenet_udp_sendrecv_generic_node(telnetd_t)
-+corenet_tcp_sendrecv_all_ports(telnetd_t)
-+corenet_udp_sendrecv_all_ports(telnetd_t)
- corenet_tcp_bind_telnetd_port(telnetd_t)
--corenet_tcp_sendrecv_telnetd_port(telnetd_t)
+ corenet_udp_sendrecv_generic_if(telnetd_t)
+@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t)
+ corenet_udp_sendrecv_generic_node(telnetd_t)
+ corenet_tcp_sendrecv_all_ports(telnetd_t)
+ corenet_udp_sendrecv_all_ports(telnetd_t)
++corenet_tcp_bind_telnetd_port(telnetd_t)
corecmd_search_bin(telnetd_t)
-@@ -63,7 +60,6 @@ dev_read_urand(telnetd_t)
+@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t)
domain_interactive_fd(telnetd_t)
@@ -102012,7 +98043,7 @@ index d7c8633..1bdef51 100644
files_read_etc_runtime_files(telnetd_t)
files_search_home(telnetd_t)
-@@ -76,12 +72,12 @@ init_rw_utmp(telnetd_t)
+@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
@@ -102027,25 +98058,21 @@ index d7c8633..1bdef51 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -92,10 +88,9 @@ tunable_policy(`use_samba_home_dirs',`
- ')
+@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
-- kerberos_read_keytab(telnetd_t)
+ kerberos_keytab_template(telnetd, telnetd_t)
- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
-+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
kerberos_manage_host_rcache(telnetd_t)
-- kerberos_use(telnetd_t)
')
- optional_policy(`
diff --git a/tftp.fc b/tftp.fc
-index 3dd87da..621f343 100644
+index 93a5bf4..621f343 100644
--- a/tftp.fc
+++ b/tftp.fc
@@ -1,9 +1,9 @@
--/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+-/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
@@ -102295,16 +98322,16 @@ index 9957e30..cf0b925 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index cfaa2a1..a3b440c 100644
+index f455e70..a3b440c 100644
--- a/tftp.te
+++ b/tftp.te
@@ -1,4 +1,4 @@
--policy_module(tftp, 1.13.0)
+-policy_module(tftp, 1.12.4)
+policy_module(tftp, 1.12.0)
########################################
#
-@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0)
+@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4)
#
##
@@ -102497,15 +98524,9 @@ index 5406b6e..dc5b46e 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
-index d010963..704a0e2 100644
+index c93c973..704a0e2 100644
--- a/tgtd.te
+++ b/tgtd.te
-@@ -1,4 +1,4 @@
--policy_module(tgtd, 1.3.1)
-+policy_module(tgtd, 1.2.3)
-
- ########################################
- #
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
# Local policy
#
@@ -102515,7 +98536,7 @@ index d010963..704a0e2 100644
allow tgtd_t self:capability2 block_suspend;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
-@@ -56,32 +56,30 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
+@@ -56,29 +56,30 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
kernel_read_system_state(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
@@ -102529,11 +98550,8 @@ index d010963..704a0e2 100644
corenet_sendrecv_iscsi_server_packets(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
--corenet_tcp_sendrecv_iscsi_port(tgtd_t)
--
--corenet_sendrecv_iscsi_client_packets(tgtd_t)
- corenet_tcp_connect_isns_port(tgtd_t)
-+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
++corenet_tcp_connect_isns_port(tgtd_t)
+ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
dev_read_sysfs(tgtd_t)
@@ -103091,15 +99109,9 @@ index 0000000..dd6ba2c
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te
-index 5e867da..fc265b8 100644
+index 4257ede..fc265b8 100644
--- a/thunderbird.te
+++ b/thunderbird.te
-@@ -1,4 +1,4 @@
--policy_module(thunderbird, 2.4.0)
-+policy_module(thunderbird, 2.3.4)
-
- ########################################
- #
@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
corecmd_exec_shell(thunderbird_t)
@@ -103152,15 +99164,9 @@ index 5e867da..fc265b8 100644
ifndef(`enable_mls',`
fs_search_removable(thunderbird_t)
diff --git a/timidity.te b/timidity.te
-index 97cd155..a1ef2d2 100644
+index 67ca5c5..a1ef2d2 100644
--- a/timidity.te
+++ b/timidity.te
-@@ -1,4 +1,4 @@
--policy_module(timidity, 1.10.0)
-+policy_module(timidity, 1.9.1)
-
- ########################################
- #
@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
kernel_read_kernel_sysctls(timidity_t)
kernel_read_system_state(timidity_t)
@@ -103178,29 +99184,11 @@ index 97cd155..a1ef2d2 100644
files_search_tmp(timidity_t)
fs_search_auto_mountpoints(timidity_t)
-diff --git a/tmpreaper.fc b/tmpreaper.fc
-index d19a6cf..ed08c94 100644
---- a/tmpreaper.fc
-+++ b/tmpreaper.fc
-@@ -1,5 +1,5 @@
--/etc/rc\.d/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
--/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-+/etc/rc\.d/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-+/etc/rc\.d/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-
- /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
- /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f..9ae28c6 100644
+index a4a949c..9ae28c6 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
-@@ -1,4 +1,4 @@
--policy_module(tmpreaper, 1.7.1)
-+policy_module(tmpreaper, 1.6.3)
-
- ########################################
- #
-@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.7.1)
+@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
type tmpreaper_t;
type tmpreaper_exec_t;
init_system_domain(tmpreaper_t, tmpreaper_exec_t)
@@ -103208,11 +99196,7 @@ index 585a77f..9ae28c6 100644
########################################
#
-@@ -15,48 +16,45 @@ init_system_domain(tmpreaper_t, tmpreaper_exec_t)
- #
-
- allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
--allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
+@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
@@ -103220,9 +99204,6 @@ index 585a77f..9ae28c6 100644
dev_read_urand(tmpreaper_t)
--corecmd_exec_bin(tmpreaper_t)
--corecmd_exec_shell(tmpreaper_t)
--
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
+fs_setattr_tmpfs_dirs(tmpreaper_t)
@@ -103245,19 +99226,13 @@ index 585a77f..9ae28c6 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
- auth_use_nsswitch(tmpreaper_t)
+@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t)
--init_use_inherited_script_ptys(tmpreaper_t)
--
logging_send_syslog_msg(tmpreaper_t)
-miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
--ifdef(`distro_debian',`
-- term_dontaudit_use_unallocated_ttys(tmpreaper_t)
--')
--
ifdef(`distro_redhat',`
- userdom_list_all_user_home_content(tmpreaper_t)
+ userdom_list_user_home_content(tmpreaper_t)
@@ -103270,7 +99245,7 @@ index 585a77f..9ae28c6 100644
')
optional_policy(`
-@@ -64,6 +62,7 @@ optional_policy(`
+@@ -54,6 +62,7 @@ optional_policy(`
')
optional_policy(`
@@ -103278,7 +99253,7 @@ index 585a77f..9ae28c6 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -79,11 +78,19 @@ optional_policy(`
+@@ -69,7 +78,19 @@ optional_policy(`
')
optional_policy(`
@@ -103288,10 +99263,9 @@ index 585a77f..9ae28c6 100644
+
+optional_policy(`
+ mandb_delete_cache(tmpreaper_t)
- ')
-
- optional_policy(`
-- plymouthd_exec_plymouth(tmpreaper_t)
++')
++
++optional_policy(`
+ sandbox_list(tmpreaper_t)
+ sandbox_delete_dirs(tmpreaper_t)
+ sandbox_delete_files(tmpreaper_t)
@@ -103794,14 +99768,11 @@ index 0000000..5a263b2
+ tomcat_search_lib(tomcat_domain)
+')
diff --git a/tor.fc b/tor.fc
-index dce42ec..ac02092 100644
+index 6b9d449..ac02092 100644
--- a/tor.fc
+++ b/tor.fc
-@@ -3,8 +3,11 @@
- /etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
+@@ -6,6 +6,8 @@
- /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
-+
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
@@ -103879,16 +99850,10 @@ index 61c2e07..5e1df41 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 5ceacde..ea77295 100644
+index 964a395..ea77295 100644
--- a/tor.te
+++ b/tor.te
-@@ -1,4 +1,4 @@
--policy_module(tor, 1.9.0)
-+policy_module(tor, 1.8.4)
-
- ########################################
- #
-@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
+@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
##
gen_tunable(tor_bind_all_unreserved_ports, false)
@@ -103955,15 +99920,9 @@ index 5ceacde..ea77295 100644
seutil_sigchld_newrole(tor_t)
')
diff --git a/transproxy.te b/transproxy.te
-index 34973ee..494a46d 100644
+index 20d1a28..494a46d 100644
--- a/transproxy.te
+++ b/transproxy.te
-@@ -1,4 +1,4 @@
--policy_module(transproxy, 1.8.0)
-+policy_module(transproxy, 1.7.1)
-
- ########################################
- #
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
kernel_list_proc(transproxy_t)
kernel_read_proc_symlinks(transproxy_t)
@@ -103989,15 +99948,9 @@ index 34973ee..494a46d 100644
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
diff --git a/tripwire.te b/tripwire.te
-index 03aa6b7..2c989b4 100644
+index 2e1110d..2c989b4 100644
--- a/tripwire.te
+++ b/tripwire.te
-@@ -1,4 +1,4 @@
--policy_module(tripwire, 1.3.0)
-+policy_module(tripwire, 1.2.1)
-
- ########################################
- #
@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
logging_send_syslog_msg(tripwire_t)
@@ -104037,18 +99990,6 @@ index 03aa6b7..2c989b4 100644
-
-userdom_use_user_terminals(siggen_t)
+userdom_use_inherited_user_terminals(siggen_t)
-diff --git a/tuned.fc b/tuned.fc
-index 956587a..23ba272 100644
---- a/tuned.fc
-+++ b/tuned.fc
-@@ -1,6 +1,6 @@
- /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
-
--/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)
-+/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
- /etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
-
- /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
diff --git a/tuned.if b/tuned.if
index e29db63..061fb98 100644
--- a/tuned.if
@@ -104069,15 +100010,9 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 393a330..3f42127 100644
+index 7116181..3f42127 100644
--- a/tuned.te
+++ b/tuned.te
-@@ -1,4 +1,4 @@
--policy_module(tuned, 1.2.0)
-+policy_module(tuned, 1.1.4)
-
- ########################################
- #
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
type tuned_log_t;
logging_log_file(tuned_log_t)
@@ -104240,15 +100175,9 @@ index 1bb0f7c..372be2f 100644
##
## Role access for tvtime
diff --git a/tvtime.te b/tvtime.te
-index afd2d6c..20099b0 100644
+index 3292fcc..20099b0 100644
--- a/tvtime.te
+++ b/tvtime.te
-@@ -1,4 +1,4 @@
--policy_module(tvtime, 2.3.0)
-+policy_module(tvtime, 2.2.1)
-
- ########################################
- #
@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
@@ -104292,15 +100221,9 @@ index afd2d6c..20099b0 100644
optional_policy(`
xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
diff --git a/tzdata.te b/tzdata.te
-index 221c43b..9f86987 100644
+index aa6ae96..9f86987 100644
--- a/tzdata.te
+++ b/tzdata.te
-@@ -1,4 +1,4 @@
--policy_module(tzdata, 1.5.0)
-+policy_module(tzdata, 1.4.1)
-
- ########################################
- #
@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t)
locallogin_dontaudit_use_fds(tzdata_t)
@@ -104315,15 +100238,9 @@ index 221c43b..9f86987 100644
optional_policy(`
postfix_search_spool(tzdata_t)
diff --git a/ucspitcp.te b/ucspitcp.te
-index 7745b72..0fbc46e 100644
+index 5e365c2..0fbc46e 100644
--- a/ucspitcp.te
+++ b/ucspitcp.te
-@@ -1,4 +1,4 @@
--policy_module(ucspitcp, 1.4.0)
-+policy_module(ucspitcp, 1.3.1)
-
- ########################################
- #
@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
corenet_tcp_bind_generic_node(rblsmtpd_t)
corenet_udp_bind_generic_port(rblsmtpd_t)
@@ -104358,22 +100275,14 @@ index 9b95c3e..a892845 100644
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
-index de35e5f..022c367 100644
+index c6acbbe..022c367 100644
--- a/ulogd.te
+++ b/ulogd.te
-@@ -1,4 +1,4 @@
--policy_module(ulogd, 1.3.0)
-+policy_module(ulogd, 1.2.1)
-
- ########################################
- #
-@@ -26,11 +26,13 @@ logging_log_file(ulogd_var_log_t)
- # Local policy
+@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t)
#
--allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
+ allow ulogd_t self:capability { net_admin sys_nice };
-allow ulogd_t self:process setsched;
-+allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:process { setsched };
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -104410,15 +100319,9 @@ index ab5c1d0..d13105e 100644
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
diff --git a/uml.te b/uml.te
-index b68bd49..423afe4 100644
+index dc03cc5..423afe4 100644
--- a/uml.te
+++ b/uml.te
-@@ -1,4 +1,4 @@
--policy_module(uml, 2.3.0)
-+policy_module(uml, 2.2.1)
-
- ########################################
- #
@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
corecmd_exec_bin(uml_t)
@@ -104463,15 +100366,9 @@ index b68bd49..423afe4 100644
userdom_dontaudit_search_user_home_dirs(uml_switch_t)
diff --git a/updfstab.te b/updfstab.te
-index 5ceb912..acbf304 100644
+index 2d871b8..acbf304 100644
--- a/updfstab.te
+++ b/updfstab.te
-@@ -1,4 +1,4 @@
--policy_module(updfstab, 1.6.0)
-+policy_module(updfstab, 1.5.1)
-
- ########################################
- #
@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
logging_search_logs(updfstab_t)
logging_send_syslog_msg(updfstab_t)
@@ -104507,15 +100404,9 @@ index 01a3234..19f4724 100644
')
diff --git a/uptime.te b/uptime.te
-index 58397dc..8e5b35c 100644
+index 09741f6..8e5b35c 100644
--- a/uptime.te
+++ b/uptime.te
-@@ -1,4 +1,4 @@
--policy_module(uptime, 1.5.0)
-+policy_module(uptime, 1.4.1)
-
- ########################################
- #
@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t;
init_script_file(uptimed_initrc_exec_t)
@@ -104535,15 +100426,9 @@ index 58397dc..8e5b35c 100644
userdom_dontaudit_search_user_home_dirs(uptimed_t)
diff --git a/usbmodules.te b/usbmodules.te
-index 279e511..3aa7952 100644
+index cb9b5bb..3aa7952 100644
--- a/usbmodules.te
+++ b/usbmodules.te
-@@ -1,4 +1,4 @@
--policy_module(usbmodules, 1.3.0)
-+policy_module(usbmodules, 1.2.1)
-
- ########################################
- #
@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t)
dev_list_usbfs(usbmodules_t)
dev_rw_usbfs(usbmodules_t)
@@ -104653,15 +100538,9 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 34a8917..6a13ab8 100644
+index 8840be6..6a13ab8 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
-@@ -1,4 +1,4 @@
--policy_module(usbmuxd, 1.2.0)
-+policy_module(usbmuxd, 1.1.1)
-
- ########################################
- #
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
type usbmuxd_t;
@@ -104742,7 +100621,7 @@ index c416a83..cd83b89 100644
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index 98b51fd..cd80e83 100644
+index cf118fd..cd80e83 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
@@ -104805,46 +100684,52 @@ index 98b51fd..cd80e83 100644
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
+ allow $1_userhelper_t self:unix_stream_socket connectto;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
-+
+
+- allow $1_consolehelper_t $3:unix_stream_socket connectto;
+ #Transition to the derived domain.
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
-- allow $1_consolehelper_t $3:unix_stream_socket connectto;
+- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
-- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
-+ can_exec($1_userhelper_t, userhelper_exec_t)
-
- allow $3 $1_consolehelper_t:process { ptrace signal_perms };
- ps_process_pattern($3, $1_consolehelper_t)
-+ dontaudit $3 $1_userhelper_t:process signal;
++ can_exec($1_userhelper_t, userhelper_exec_t)
- auth_use_pam($1_consolehelper_t)
++ dontaudit $3 $1_userhelper_t:process signal;
+
+- optional_policy(`
+- dbus_connect_all_session_bus($1_consolehelper_t)
+ kernel_read_all_sysctls($1_userhelper_t)
+ kernel_getattr_debugfs($1_userhelper_t)
+ kernel_read_system_state($1_userhelper_t)
-- optional_policy(`
-- dbus_connect_all_session_bus($1_consolehelper_t)
+- optional_policy(`
+- userhelper_dbus_chat_all_consolehelper($3)
+- ')
+- ')
+ # Execute shells
+ corecmd_exec_shell($1_userhelper_t)
+ # By default, revert to the calling domain when a program is executed
+ corecmd_bin_domtrans($1_userhelper_t, $3)
-- optional_policy(`
-- userhelper_dbus_chat_all_consolehelper($3)
-- ')
-- ')
+- ########################################
+- #
+- # Userhelper local policy
+- #
+ # Inherit descriptors from the current session.
+ domain_use_interactive_fds($1_userhelper_t)
+ # for when the user types "exec userhelper" at the command line
+ domain_sigchld_interactive_fds($1_userhelper_t)
-+
+
+- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+ dev_read_urand($1_userhelper_t)
+ # Read /dev directories and any symbolic links.
+ dev_list_all_dev_nodes($1_userhelper_t)
-+
+
+- dontaudit $3 $1_userhelper_t:process signal;
+ files_list_var_lib($1_userhelper_t)
+ # Read the /etc/security/default_type file
+ files_read_etc_files($1_userhelper_t)
@@ -104853,7 +100738,8 @@ index 98b51fd..cd80e83 100644
+ files_read_var_symlinks($1_userhelper_t)
+ # for some PAM modules and for cwd
+ files_search_home($1_userhelper_t)
-+
+
+- corecmd_bin_domtrans($1_userhelper_t, $3)
+ fs_search_auto_mountpoints($1_userhelper_t)
+ fs_read_nfs_files($1_userhelper_t)
+ fs_read_nfs_symlinks($1_userhelper_t)
@@ -104875,33 +100761,24 @@ index 98b51fd..cd80e83 100644
+ term_use_all_ttys($1_userhelper_t)
+ term_use_all_ptys($1_userhelper_t)
-- ########################################
-- #
-- # Userhelper local policy
-- #
-+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
-+ auth_use_nsswitch($1_userhelper_t)
+ auth_use_nsswitch($1_userhelper_t)
-- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+ logging_send_syslog_msg($1_userhelper_t)
-
-- dontaudit $3 $1_userhelper_t:process signal;
++
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+ # Write to utmp.
+ init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
-
-- corecmd_bin_domtrans($1_userhelper_t, $3)
-
-- auth_domtrans_chk_passwd($1_userhelper_t)
-- auth_use_nsswitch($1_userhelper_t)
++
++
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
-
++
+ # Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
@@ -104982,14 +100859,14 @@ index 98b51fd..cd80e83 100644
##
##
##
-@@ -206,14 +263,82 @@ interface(`userhelper_exec',`
+@@ -206,6 +263,93 @@ interface(`userhelper_exec',`
type userhelper_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, userhelper_exec_t)
')
-
++
+#######################################
+##
+## The role template for the consolehelper module.
@@ -105060,33 +100937,29 @@ index 98b51fd..cd80e83 100644
+ ')
+')
+
- ########################################
- ##
--## Execute the consolehelper program
--## in the caller domain.
++########################################
++##
+## Execute the consolehelper program in the caller domain.
- ##
- ##
- ##
-@@ -221,11 +346,10 @@ interface(`userhelper_exec',`
- ##
- ##
- #
--interface(`userhelper_exec_consolehelper',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userhelper_exec_console',`
- gen_require(`
- type consolehelper_exec_t;
- ')
-
-- corecmd_search_bin($1)
- can_exec($1, consolehelper_exec_t)
- ')
++ gen_require(`
++ type consolehelper_exec_t;
++ ')
++
++ can_exec($1, consolehelper_exec_t)
++')
diff --git a/userhelper.te b/userhelper.te
-index 42cfce0..cc18d6f 100644
+index 274ed9c..cc18d6f 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -1,15 +1,12 @@
--policy_module(userhelper, 1.8.1)
+-policy_module(userhelper, 1.7.3)
+policy_module(userhelper, 1.7.0)
########################################
@@ -105306,16 +101179,10 @@ index 7deec55..c542887 100644
')
diff --git a/usernetctl.te b/usernetctl.te
-index f973af8..465c661 100644
+index dd3f01e..465c661 100644
--- a/usernetctl.te
+++ b/usernetctl.te
-@@ -1,4 +1,4 @@
--policy_module(usernetctl, 1.7.0)
-+policy_module(usernetctl, 1.6.1)
-
- ########################################
- #
-@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.7.0)
+@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1)
#
attribute_role usernetctl_roles;
@@ -105406,15 +101273,9 @@ index af9acc0..cdaf82e 100644
admin_pattern($1, uucpd_log_t)
diff --git a/uucp.te b/uucp.te
-index 849f607..c09534e 100644
+index 380902c..c09534e 100644
--- a/uucp.te
+++ b/uucp.te
-@@ -1,4 +1,4 @@
--policy_module(uucp, 1.13.0)
-+policy_module(uucp, 1.12.1)
-
- ########################################
- #
@@ -31,7 +31,7 @@ type uucpd_ro_t;
files_type(uucpd_ro_t)
@@ -105513,15 +101374,9 @@ index 6e48653..6abf74a 100644
uuidd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/uuidd.te b/uuidd.te
-index f8e52fc..2b332c5 100644
+index e670f55..2b332c5 100644
--- a/uuidd.te
+++ b/uuidd.te
-@@ -1,4 +1,4 @@
--policy_module(uuidd, 1.1.0)
-+policy_module(uuidd, 1.0.1)
-
- ########################################
- #
@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
domain_use_interactive_fds(uuidd_t)
@@ -105529,25 +101384,10 @@ index f8e52fc..2b332c5 100644
-files_read_etc_files(uuidd_t)
-miscfiles_read_localization(uuidd_t)
-diff --git a/uwimap.fc b/uwimap.fc
-index e85c4ae..3c504c6 100644
---- a/uwimap.fc
-+++ b/uwimap.fc
-@@ -1,3 +1,3 @@
--/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
-+/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
-
- /var/run/imapd\.pid -- gen_context(system_u:object_r:imapd_var_run_t,s0)
diff --git a/uwimap.te b/uwimap.te
-index acdc78a..d120c52 100644
+index b81e5c8..d120c52 100644
--- a/uwimap.te
+++ b/uwimap.te
-@@ -1,4 +1,4 @@
--policy_module(uwimap, 1.10.0)
-+policy_module(uwimap, 1.9.3)
-
- ########################################
- #
@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t)
kernel_read_proc_symlinks(imapd_t)
@@ -105662,15 +101502,9 @@ index 9d4d8cb..1189323 100644
tunable_policy(`varnishd_connect_any',`
corenet_sendrecv_all_client_packets(varnishd_t)
diff --git a/vbetool.te b/vbetool.te
-index 2a61f75..b33d259 100644
+index 14e1eec..b33d259 100644
--- a/vbetool.te
+++ b/vbetool.te
-@@ -1,4 +1,4 @@
--policy_module(vbetool, 1.7.0)
-+policy_module(vbetool, 1.6.1)
-
- ########################################
- #
@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t;
#
@@ -105785,15 +101619,9 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 87da8a2..9ed83d0 100644
+index 77be35a..9ed83d0 100644
--- a/vdagent.te
+++ b/vdagent.te
-@@ -1,4 +1,4 @@
--policy_module(vdagent, 1.1.1)
-+policy_module(vdagent, 1.0.2)
-
- ########################################
- #
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
dontaudit vdagent_t self:capability sys_admin;
@@ -105802,31 +101630,29 @@ index 87da8a2..9ed83d0 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
-@@ -39,23 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,20 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+kernel_request_load_module(vdagent_t)
+
dev_rw_input_dev(vdagent_t)
--dev_rw_mtrr(vdagent_t)
dev_read_sysfs(vdagent_t)
dev_dontaudit_write_mtrr(vdagent_t)
-files_read_etc_files(vdagent_t)
-+init_read_state(vdagent_t)
+-
+ init_read_state(vdagent_t)
--term_use_virtio_console(vdagent_t)
+-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
--init_read_state(vdagent_t)
+-miscfiles_read_localization(vdagent_t)
+term_use_virtio_console(vdagent_t)
++
++logging_send_syslog_msg(vdagent_t)
- logging_send_syslog_msg(vdagent_t)
-
--miscfiles_read_localization(vdagent_t)
--
userdom_read_all_users_state(vdagent_t)
+xserver_read_xdm_state(vdagent_t)
@@ -105854,15 +101680,9 @@ index 22edd58..c3a5364 100644
domain_system_change_exemption($1)
role_transition $2 vhostmd_initrc_exec_t system_r;
diff --git a/vhostmd.te b/vhostmd.te
-index 3d11c6a..b96e329 100644
+index 0be8535..b96e329 100644
--- a/vhostmd.te
+++ b/vhostmd.te
-@@ -1,4 +1,4 @@
--policy_module(vhostmd, 1.1.0)
-+policy_module(vhostmd, 1.0.1)
-
- ########################################
- #
@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
dev_read_sysfs(vhostmd_t)
@@ -105887,10 +101707,10 @@ index 3d11c6a..b96e329 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index a4f20bc..9ccc90c 100644
+index c30da4c..9ccc90c 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,51 +1,97 @@
+@@ -1,52 +1,97 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -105921,7 +101741,8 @@ index a4f20bc..9ccc90c 100644
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
--/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
@@ -105958,24 +101779,32 @@ index a4f20bc..9ccc90c 100644
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+
+
+-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-
+-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-
+-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
-+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+ /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+ /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-
--/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-
--/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
+# support for AEOLUS project
+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -105984,15 +101813,7 @@ index a4f20bc..9ccc90c 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-
--/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
--/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
--/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
+# add support vios-proxy-*
+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -106027,7 +101848,7 @@ index a4f20bc..9ccc90c 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..c7a2d97 100644
+index 9dec06c..c7a2d97 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -107801,7 +103622,7 @@ index facdee8..c7a2d97 100644
- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
- type virt_var_run_t, virt_tmp_t, virt_log_t;
- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
-- type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+- type virt_etc_t, svirt_cache_t;
+ attribute virt_domain;
+ attribute virt_system_domain;
+ attribute svirt_file_type;
@@ -107834,7 +103655,7 @@ index facdee8..c7a2d97 100644
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-
- files_search_etc($1)
-- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
-
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
@@ -107879,11 +103700,11 @@ index facdee8..c7a2d97 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..92d1a81 100644
+index 1f22fba..92d1a81 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,149 +1,223 @@
--policy_module(virt, 1.7.4)
+@@ -1,147 +1,224 @@
+-policy_module(virt, 1.6.10)
+policy_module(virt, 1.5.0)
########################################
@@ -108169,16 +103990,15 @@ index f03dcf5..92d1a81 100644
+type virtd_initrc_exec_t, virt_file_type;
init_script_file(virtd_initrc_exec_t)
--type virtd_keytab_t;
--files_type(virtd_keytab_t)
+type qemu_var_run_t, virt_file_type;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
+mls_trusted_object(qemu_var_run_t)
-
++
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
-@@ -153,299 +227,132 @@ ifdef(`enable_mls',`
+ ')
+@@ -150,295 +227,132 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -108240,7 +104060,6 @@ index f03dcf5..92d1a81 100644
-allow virt_domain self:process { signal getsched signull };
-allow virt_domain self:fifo_file rw_fifo_file_perms;
--allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
-allow virt_domain self:shm create_shm_perms;
-allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -108387,7 +104206,6 @@ index f03dcf5..92d1a81 100644
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(virt_domain)
- dev_read_sysfs(virt_domain)
-- fs_getattr_dos_fs(virt_domain)
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
@@ -108502,7 +104320,7 @@ index f03dcf5..92d1a81 100644
+')
+
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
--allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
+-allow virtd_t self:unix_stream_socket { accept connectto listen };
-allow virtd_t self:tcp_socket { accept listen };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
+allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -108530,7 +104348,11 @@ index f03dcf5..92d1a81 100644
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
--allow virtd_t virtd_keytab_t:file read_file_perms;
+-allow virtd_t svirt_var_run_t:file relabel_file_perms;
+-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use;
@@ -108539,12 +104361,7 @@ index f03dcf5..92d1a81 100644
+
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
-
--allow virtd_t svirt_var_run_t:file relabel_file_perms;
--manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
--manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
--manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
--filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
++
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
@@ -108554,7 +104371,7 @@ index f03dcf5..92d1a81 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -108601,7 +104418,7 @@ index f03dcf5..92d1a81 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -108623,7 +104440,7 @@ index f03dcf5..92d1a81 100644
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -520,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -108631,7 +104448,7 @@ index f03dcf5..92d1a81 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +418,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +418,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -108659,7 +104476,7 @@ index f03dcf5..92d1a81 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +438,27 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +438,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -108692,7 +104509,7 @@ index f03dcf5..92d1a81 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +489,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +489,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -108712,7 +104529,7 @@ index f03dcf5..92d1a81 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +511,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +511,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -108749,7 +104566,7 @@ index f03dcf5..92d1a81 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +539,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +539,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -108758,7 +104575,7 @@ index f03dcf5..92d1a81 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +564,12 @@ optional_policy(`
+@@ -658,20 +564,12 @@ optional_policy(`
')
optional_policy(`
@@ -108779,7 +104596,7 @@ index f03dcf5..92d1a81 100644
')
optional_policy(`
-@@ -691,20 +582,25 @@ optional_policy(`
+@@ -684,14 +582,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -108802,14 +104619,7 @@ index f03dcf5..92d1a81 100644
iptables_manage_config(virtd_t)
')
- optional_policy(`
-- kerberos_read_keytab(virtd_t)
-- kerberos_use(virtd_t)
-+ kerberos_keytab_template(virtd, virtd_t)
- ')
-
- optional_policy(`
-@@ -712,11 +608,13 @@ optional_policy(`
+@@ -704,11 +608,13 @@ optional_policy(`
')
optional_policy(`
@@ -108823,7 +104633,7 @@ index f03dcf5..92d1a81 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +625,18 @@ optional_policy(`
+@@ -719,10 +625,18 @@ optional_policy(`
')
optional_policy(`
@@ -108842,11 +104652,8 @@ index f03dcf5..92d1a81 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -743,47 +649,279 @@ optional_policy(`
- optional_policy(`
- udev_domtrans(virtd_t)
+@@ -737,44 +651,277 @@ optional_policy(`
udev_read_db(virtd_t)
-- udev_read_pid_files(virtd_t)
')
-########################################
@@ -108992,7 +104799,7 @@ index f03dcf5..92d1a81 100644
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+miscfiles_read_generic_certs(virt_domain)
-
++
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
@@ -109102,7 +104909,7 @@ index f03dcf5..92d1a81 100644
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-+
+
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
@@ -109146,7 +104953,7 @@ index f03dcf5..92d1a81 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +932,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +932,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -109173,7 +104980,7 @@ index f03dcf5..92d1a81 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -109190,10 +104997,10 @@ index f03dcf5..92d1a81 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -109207,7 +105014,7 @@ index f03dcf5..92d1a81 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +989,20 @@ optional_policy(`
+@@ -847,14 +989,20 @@ optional_policy(`
')
optional_policy(`
@@ -109229,7 +105036,7 @@ index f03dcf5..92d1a81 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1027,65 @@ optional_policy(`
+@@ -879,49 +1027,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -109313,7 +105120,7 @@ index f03dcf5..92d1a81 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1097,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1097,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -109333,7 +105140,7 @@ index f03dcf5..92d1a81 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -109357,7 +105164,7 @@ index f03dcf5..92d1a81 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -109769,10 +105576,10 @@ index f03dcf5..92d1a81 100644
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++
++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
-+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
+
+dev_read_sysfs(svirt_qemu_net_t)
@@ -109815,7 +105622,7 @@ index f03dcf5..92d1a81 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -109830,7 +105637,7 @@ index f03dcf5..92d1a81 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1484,8 @@ optional_policy(`
+@@ -1183,9 +1484,8 @@ optional_policy(`
########################################
#
@@ -109841,7 +105648,7 @@ index f03dcf5..92d1a81 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -110064,15 +105871,9 @@ index f03dcf5..92d1a81 100644
+
+allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
diff --git a/vlock.te b/vlock.te
-index 6b72968..b5285e7 100644
+index 9ead775..b5285e7 100644
--- a/vlock.te
+++ b/vlock.te
-@@ -1,4 +1,4 @@
--policy_module(vlock, 1.2.0)
-+policy_module(vlock, 1.1.1)
-
- ########################################
- #
@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
init_dontaudit_rw_utmp(vlock_t)
@@ -110342,15 +106143,9 @@ index 20a1fb2..470ea95 100644
allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
diff --git a/vmware.te b/vmware.te
-index 4ad1894..d7ec42b 100644
+index 3a56513..d7ec42b 100644
--- a/vmware.te
+++ b/vmware.te
-@@ -1,4 +1,4 @@
--policy_module(vmware, 2.7.0)
-+policy_module(vmware, 2.6.1)
-
- ########################################
- #
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
# Host local policy
#
@@ -110468,15 +106263,9 @@ index 137ac44..b644854 100644
domain_system_change_exemption($1)
role_transition $2 vnstatd_initrc_exec_t system_r;
diff --git a/vnstatd.te b/vnstatd.te
-index e2220ae..ff18188 100644
+index febc3e5..ff18188 100644
--- a/vnstatd.te
+++ b/vnstatd.te
-@@ -1,4 +1,4 @@
--policy_module(vnstatd, 1.1.0)
-+policy_module(vnstatd, 1.0.1)
-
- ########################################
- #
@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
@@ -110625,16 +106414,16 @@ index 7a7f342..afedcba 100644
##
##
diff --git a/vpn.te b/vpn.te
-index 95b26d1..38a4bf3 100644
+index 9329eae..38a4bf3 100644
--- a/vpn.te
+++ b/vpn.te
@@ -1,4 +1,4 @@
--policy_module(vpn, 1.16.0)
+-policy_module(vpn, 1.15.1)
+policy_module(vpn, 1.15.0)
########################################
#
-@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
+@@ -6,6 +6,7 @@ policy_module(vpn, 1.15.1)
#
attribute_role vpnc_roles;
@@ -110745,27 +106534,11 @@ index 95b26d1..38a4bf3 100644
- seutil_use_newrole_fds(vpnc_t)
+ networkmanager_manage_pid_files(vpnc_t)
')
-diff --git a/w3c.fc b/w3c.fc
-index 463c799..4834796 100644
---- a/w3c.fc
-+++ b/w3c.fc
-@@ -1,4 +1,4 @@
--/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
-+/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
-
- /usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
- /usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --git a/w3c.te b/w3c.te
-index b14d6a9..d3cf4a8 100644
+index bcb76b6..d3cf4a8 100644
--- a/w3c.te
+++ b/w3c.te
-@@ -1,4 +1,4 @@
--policy_module(w3c, 1.1.0)
-+policy_module(w3c, 1.0.1)
-
- ########################################
- #
-@@ -7,10 +7,17 @@ policy_module(w3c, 1.1.0)
+@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1)
apache_content_template(w3c_validator)
@@ -110801,15 +106574,9 @@ index eecd0e0..8df2e8c 100644
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/watchdog.te b/watchdog.te
-index 3548317..026b259 100644
+index 29f79e8..026b259 100644
--- a/watchdog.te
+++ b/watchdog.te
-@@ -1,4 +1,4 @@
--policy_module(watchdog, 1.8.0)
-+policy_module(watchdog, 1.7.1)
-
- #################################
- #
@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
type watchdog_initrc_exec_t;
init_script_file(watchdog_initrc_exec_t)
@@ -111064,15 +106831,9 @@ index 1e3aec0..d17ff39 100644
+
')
diff --git a/wdmd.te b/wdmd.te
-index 4815a93..144c0e7 100644
+index ebbdaf6..144c0e7 100644
--- a/wdmd.te
+++ b/wdmd.te
-@@ -1,4 +1,4 @@
--policy_module(wdmd, 1.1.0)
-+policy_module(wdmd, 1.0.3)
-
- ########################################
- #
@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
dev_read_watchdog(wdmd_t)
dev_write_watchdog(wdmd_t)
@@ -111095,15 +106856,9 @@ index 4815a93..144c0e7 100644
+ rhcs_rw_cluster_tmpfs(wdmd_t)
')
diff --git a/webadm.te b/webadm.te
-index 2a6cae7..d26f598 100644
+index 708254f..d26f598 100644
--- a/webadm.te
+++ b/webadm.te
-@@ -1,4 +1,4 @@
--policy_module(webadm, 1.2.0)
-+policy_module(webadm, 1.1.1)
-
- ########################################
- #
@@ -25,6 +25,9 @@ role webadm_r;
userdom_base_user_template(webadm)
@@ -111139,15 +106894,9 @@ index 2a6cae7..d26f598 100644
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
diff --git a/webalizer.te b/webalizer.te
-index ae919b9..3c09628 100644
+index cdca8c7..3c09628 100644
--- a/webalizer.te
+++ b/webalizer.te
-@@ -1,4 +1,4 @@
--policy_module(webalizer, 1.13.0)
-+policy_module(webalizer, 1.12.1)
-
- ########################################
- #
@@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
@@ -111362,16 +107111,10 @@ index fd2b6cc..938c4a7 100644
+')
+
diff --git a/wine.te b/wine.te
-index 491b87b..e5944be 100644
+index b51923c..e5944be 100644
--- a/wine.te
+++ b/wine.te
-@@ -1,4 +1,4 @@
--policy_module(wine, 1.11.0)
-+policy_module(wine, 1.10.1)
-
- ########################################
- #
-@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
+@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1)
##
gen_tunable(wine_mmap_zero_ignore, false)
@@ -111470,15 +107213,9 @@ index 491b87b..e5944be 100644
')
+
diff --git a/wireshark.te b/wireshark.te
-index ff6ef38..a2d910f 100644
+index cf5cab6..a2d910f 100644
--- a/wireshark.te
+++ b/wireshark.te
-@@ -1,4 +1,4 @@
--policy_module(wireshark, 2.4.0)
-+policy_module(wireshark, 2.3.1)
-
- ########################################
- #
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
# Local Policy
#
@@ -111541,7 +107278,7 @@ index 304ae09..c1d10a1 100644
-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/wm.if b/wm.if
-index 95f888d..36b2f81 100644
+index 25b702d..36b2f81 100644
--- a/wm.if
+++ b/wm.if
@@ -1,4 +1,4 @@
@@ -111550,7 +107287,7 @@ index 95f888d..36b2f81 100644
#######################################
##
-@@ -29,69 +29,59 @@
+@@ -29,54 +29,46 @@
#
template(`wm_role_template',`
gen_require(`
@@ -111611,9 +107348,6 @@ index 95f888d..36b2f81 100644
- auth_use_nsswitch($1_wm_t)
-
-- xserver_role($2, $1_wm_t)
-- xserver_manage_core_devices($1_wm_t)
--
- optional_policy(`
- dbus_spec_session_bus_client($1, $1_wm_t)
- dbus_system_bus_client($1_wm_t)
@@ -111624,16 +107358,9 @@ index 95f888d..36b2f81 100644
- ')
-
optional_policy(`
-- gnome_stream_connect_gkeyringd($1, $1_wm_t)
-+ pulseaudio_run($1_wm_t, $2)
- ')
-
- optional_policy(`
-- pulseaudio_run($1_wm_t, $2)
-+ xserver_role($2, $1_wm_t)
-+ xserver_manage_core_devices($1_wm_t)
+ pulseaudio_run($1_wm_t, $2)
')
- ')
+@@ -89,7 +81,7 @@ template(`wm_role_template',`
########################################
##
@@ -111642,7 +107369,7 @@ index 95f888d..36b2f81 100644
##
##
##
-@@ -104,33 +94,5 @@ interface(`wm_exec',`
+@@ -102,33 +94,5 @@ interface(`wm_exec',`
type wm_exec_t;
')
@@ -111677,11 +107404,11 @@ index 95f888d..36b2f81 100644
- allow $1_wm_t $2:dbus send_msg;
-')
diff --git a/wm.te b/wm.te
-index 638d10f..20ce90b 100644
+index 7c7f7fa..20ce90b 100644
--- a/wm.te
+++ b/wm.te
-@@ -1,74 +1,88 @@
--policy_module(wm, 1.3.3)
+@@ -1,36 +1,88 @@
+-policy_module(wm, 1.2.5)
+policy_module(wm, 1.2.0)
+
+attribute wm_domain;
@@ -111694,44 +107421,39 @@ index 638d10f..20ce90b 100644
-attribute wm_domain;
-
type wm_exec_t;
- corecmd_executable_file(wm_exec_t)
-
+-
-########################################
-#
-# Common wm domain local policy
-#
--
++corecmd_executable_file(wm_exec_t)
+
allow wm_domain self:fifo_file rw_fifo_file_perms;
- allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
- allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+-allow wm_domain self:process getsched;
++allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
++allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;
-kernel_read_system_state(wm_domain)
-
--corecmd_getattr_all_executables(wm_domain)
--
--dev_read_sound(wm_domain)
--dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
--dev_rw_wireless(wm_domain)
+dev_read_sound(wm_domain)
- dev_write_sound(wm_domain)
--
--files_read_usr_files(wm_domain)
++dev_write_sound(wm_domain)
+dev_rw_wireless(wm_domain)
+dev_read_sysfs(wm_domain)
-
- fs_getattr_all_fs(wm_domain)
-
++
++fs_getattr_all_fs(wm_domain)
++
+corecmd_dontaudit_access_all_executables(wm_domain)
+corecmd_getattr_all_executables(wm_domain)
-+
+
+-files_read_usr_files(wm_domain)
+application_signull(wm_domain)
+
+init_read_state(wm_domain)
-+
+
miscfiles_read_fonts(wm_domain)
-miscfiles_read_localization(wm_domain)
@@ -111741,28 +107463,16 @@ index 638d10f..20ce90b 100644
+systemd_read_logind_sessions_files(wm_domain)
+systemd_write_inhibit_pipes(wm_domain)
+systemd_login_read_pid_files(wm_domain)
-
--userdom_manage_user_home_content_dirs(wm_domain)
--userdom_manage_user_home_content_files(wm_domain)
--userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
++
+userdom_read_user_home_content_files(wm_domain)
-
--optional_policy(`
-- accountsd_dbus_chat(wm_domain)
--')
--
--optional_policy(`
-- bluetooth_dbus_chat(wm_domain)
--')
++
+udev_read_pid_files(wm_domain)
-
- optional_policy(`
-- devicekit_dbus_chat_power(wm_domain)
++
++optional_policy(`
+ gnome_stream_connect_gkeyringd(wm_domain)
- ')
-
- optional_policy(`
-- networkmanager_dbus_chat(wm_domain)
++')
++
++optional_policy(`
+ dbus_system_bus_client(wm_domain)
+ dbus_session_bus_client(wm_domain)
+ optional_policy(`
@@ -111788,22 +107498,22 @@ index 638d10f..20ce90b 100644
+ optional_policy(`
+ systemd_dbus_chat_logind(wm_domain)
+ ')
- ')
-
- optional_policy(`
-- policykit_dbus_chat(wm_domain)
++')
++
++optional_policy(`
+ pulseaudio_stream_connect(wm_domain)
- ')
-
- optional_policy(`
-- pulseaudio_stream_connect(wm_domain)
++')
++
++optional_policy(`
+ userhelper_exec_console(wm_domain)
- ')
++')
- optional_policy(`
-- userhelper_exec_consolehelper(wm_domain)
+-userdom_manage_user_home_content_dirs(wm_domain)
+-userdom_manage_user_home_content_files(wm_domain)
+-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
++optional_policy(`
+ xserver_manage_core_devices(wm_domain)
- ')
++')
diff --git a/xen.fc b/xen.fc
index 42d83b0..651d1cb 100644
--- a/xen.fc
@@ -112135,11 +107845,11 @@ index f93558c..16e29c1 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index 6f736a9..3fe3e35 100644
+index ed40676..3fe3e35 100644
--- a/xen.te
+++ b/xen.te
@@ -1,42 +1,34 @@
--policy_module(xen, 1.13.0)
+-policy_module(xen, 1.12.5)
+policy_module(xen, 1.12.0)
########################################
@@ -112831,15 +108541,9 @@ index 6f736a9..3fe3e35 100644
- fs_manage_xenfs_files(xm_ssh_t)
-')
diff --git a/xfs.te b/xfs.te
-index 0928c5d..7668014 100644
+index 0cea2cd..7668014 100644
--- a/xfs.te
+++ b/xfs.te
-@@ -1,4 +1,4 @@
--policy_module(xfs, 1.7.0)
-+policy_module(xfs, 1.6.1)
-
- ########################################
- #
@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
@@ -112865,16 +108569,16 @@ index 0928c5d..7668014 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index a64aad3..0f1f514 100644
+index 2882821..0f1f514 100644
--- a/xguest.te
+++ b/xguest.te
@@ -1,4 +1,4 @@
--policy_module(xguest, 1.2.0)
+-policy_module(xguest, 1.1.2)
+policy_module(xguest, 1.1.0)
########################################
#
-@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
+@@ -6,46 +6,47 @@ policy_module(xguest, 1.1.2)
#
##
@@ -113161,15 +108865,9 @@ index 3c44d84..ce5e69d 100644
sysnet_read_config(xprint_t)
diff --git a/xscreensaver.te b/xscreensaver.te
-index 04096a0..485e77d 100644
+index c9c9650..485e77d 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
-@@ -1,4 +1,4 @@
--policy_module(xscreensaver, 1.2.0)
-+policy_module(xscreensaver, 1.1.1)
-
- ########################################
- #
@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(xscreensaver_t)
@@ -113191,15 +108889,9 @@ index 04096a0..485e77d 100644
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/yam.te b/yam.te
-index 2695db2..910aeec 100644
+index d837e88..910aeec 100644
--- a/yam.te
+++ b/yam.te
-@@ -1,4 +1,4 @@
--policy_module(yam, 1.5.0)
-+policy_module(yam, 1.4.1)
-
- ########################################
- #
@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
logging_send_syslog_msg(yam_t)
@@ -113216,12 +108908,12 @@ index 2695db2..910aeec 100644
userdom_search_user_home_dirs(yam_t)
diff --git a/zabbix.fc b/zabbix.fc
-index c3b5a81..14dc7c6 100644
+index ce10cb1..14dc7c6 100644
--- a/zabbix.fc
+++ b/zabbix.fc
@@ -1,15 +1,23 @@
-+/etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
@@ -113408,16 +109100,10 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..bf87704 100644
+index 46e4cd3..bf87704 100644
--- a/zabbix.te
+++ b/zabbix.te
-@@ -1,4 +1,4 @@
--policy_module(zabbix, 1.6.0)
-+policy_module(zabbix, 1.5.3)
-
- ########################################
- #
-@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
+@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
#
##
@@ -113904,11 +109590,11 @@ index 36e32df..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
')
diff --git a/zarafa.te b/zarafa.te
-index 3fded1c..ffeb7f4 100644
+index a4479b1..ffeb7f4 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -1,13 +1,18 @@
--policy_module(zarafa, 1.2.0)
+-policy_module(zarafa, 1.1.4)
+policy_module(zarafa, 1.1.0)
########################################
@@ -114305,16 +109991,16 @@ index 3416401..676925c 100644
+ allow $1 zebra_unit_file_t:service all_service_perms;
')
diff --git a/zebra.te b/zebra.te
-index 2e80d04..e2b8723 100644
+index b0803c2..e2b8723 100644
--- a/zebra.te
+++ b/zebra.te
@@ -1,4 +1,4 @@
--policy_module(zebra, 1.13.0)
+-policy_module(zebra, 1.12.1)
+policy_module(zebra, 1.12.0)
########################################
#
-@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
+@@ -6,23 +6,26 @@ policy_module(zebra, 1.12.1)
#
##
@@ -115068,15 +110754,9 @@ index b14698c..16e1581 100644
interface(`zosremote_run',`
gen_require(`
diff --git a/zosremote.te b/zosremote.te
-index bc6a5db..983b6c8 100644
+index 9ba9f81..983b6c8 100644
--- a/zosremote.te
+++ b/zosremote.te
-@@ -1,4 +1,4 @@
--policy_module(zosremote, 1.2.0)
-+policy_module(zosremote, 1.1.1)
-
- ########################################
- #
@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
auth_use_nsswitch(zos_remote_t)