Add latest changes from selinux-policy.git

2014-01-10 14:55:21 +01:00 · 2014-01-10 14:55:21 +01:00 · 0a96c38442
parent 01969cfc26
commit 0a96c38442
2 changed files with 447 additions and 402 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5400,7 +5400,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..fd1a0d0 100644
+index b191055..51daa72 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5609,7 +5609,7 @@ index b191055..fd1a0d0 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +225,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
@ -5628,6 +5628,7 @@ index b191055..fd1a0d0 100644
 network_port(oa_system, tcp,8022,s0, udp,8022,s0)
 -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
 network_port(ocsp, tcp,9080,s0)
+network_port(openflow, tcp,6633,s0, tcp,6653,s0)
 network_port(openhpid, tcp,4743,s0, udp,4743,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 +network_port(osapi_compute, tcp, 8774, s0)
@ -5648,7 +5649,7 @@ index b191055..fd1a0d0 100644
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +262,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
@ -5701,7 +5702,7 @@ index b191055..fd1a0d0 100644
 network_port(ssh, tcp,22,s0)
 network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +312,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
 network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
@ -5712,7 +5713,7 @@ index b191055..fd1a0d0 100644
 network_port(transproxy, tcp,8081,s0)
 network_port(trisoap, tcp,10200,s0, udp,10200,s0)
 network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +325,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
@ -5725,7 +5726,7 @@ index b191055..fd1a0d0 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +342,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5752,7 +5753,7 @@ index b191055..fd1a0d0 100644
 
 ########################################
 #
-@@ -333,6 +391,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5761,7 +5762,7 @@ index b191055..fd1a0d0 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +405,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -9407,7 +9408,7 @@ index b876c48..27f60c6 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..35cd90c 100644
+index f962f76..5c44da2 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -10081,7 +10082,31 @@ index f962f76..35cd90c 100644
 ##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
-@@ -1765,6 +2171,26 @@ interface(`files_dontaudit_rw_root_dir',`
+@@ -1725,6 +2131,23 @@ interface(`files_list_root',`
+ 	allow $1 root_t:dir list_dir_perms;
+ 	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+########################################
+## <summary>
+##	Do not audit attempts to write to / dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_write_root_dirs',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir write;
+')
+ 
+ ########################################
+ ## <summary>
+@@ -1765,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',`
 
 ########################################
 ## <summary>
@ -10108,7 +10133,7 @@ index f962f76..35cd90c 100644
 ##	Create an object in the root directory, with a private
 ##	type using a type transition.
 ## </summary>
-@@ -1892,25 +2318,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1892,25 +2335,25 @@ interface(`files_delete_root_dir_entry',`
 
 ########################################
 ## <summary>
@ -10140,7 +10165,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1923,7 +2349,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2366,7 @@ interface(`files_relabel_rootfs',`
 		type root_t;
 	')
 
@ -10149,7 +10174,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -1946,6 +2372,24 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2389,24 @@ interface(`files_unmount_rootfs',`
 
 ########################################
 ## <summary>
@ -10174,7 +10199,7 @@ index f962f76..35cd90c 100644
 ##	Get attributes of the /boot directory.
 ## </summary>
 ## <param name="domain">
-@@ -2181,6 +2625,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',`
 	relabelfrom_files_pattern($1, boot_t, boot_t)
 ')
 
@ -10199,7 +10224,7 @@ index f962f76..35cd90c 100644
 ######################################
 ## <summary>
 ##	Read symbolic links in the /boot directory.
-@@ -2645,6 +3107,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3124,24 @@ interface(`files_rw_etc_dirs',`
 	allow $1 etc_t:dir rw_dir_perms;
 ')
 
@ -10224,7 +10249,7 @@ index f962f76..35cd90c 100644
 ##########################################
 ## <summary>
 ## 	Manage generic directories in /etc
-@@ -2716,6 +3196,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3213,7 @@ interface(`files_read_etc_files',`
 	allow $1 etc_t:dir list_dir_perms;
 	read_files_pattern($1, etc_t, etc_t)
 	read_lnk_files_pattern($1, etc_t, etc_t)
@ -10232,7 +10257,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -2724,7 +3205,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3222,7 @@ interface(`files_read_etc_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -10241,7 +10266,7 @@ index f962f76..35cd90c 100644
 ##	</summary>
 ## </param>
 #
-@@ -2780,6 +3261,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3278,25 @@ interface(`files_manage_etc_files',`
 
 ########################################
 ## <summary>
@ -10267,7 +10292,7 @@ index f962f76..35cd90c 100644
 ##	Delete system configuration files in /etc.
 ## </summary>
 ## <param name="domain">
-@@ -2798,6 +3298,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3315,24 @@ interface(`files_delete_etc_files',`
 
 ########################################
 ## <summary>
@ -10292,7 +10317,7 @@ index f962f76..35cd90c 100644
 ##	Execute generic files in /etc.
 ## </summary>
 ## <param name="domain">
-@@ -2963,24 +3481,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3498,6 @@ interface(`files_delete_boot_flag',`
 
 ########################################
 ## <summary>
@ -10317,7 +10342,7 @@ index f962f76..35cd90c 100644
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
 ## </summary>
-@@ -3021,9 +3521,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3538,7 @@ interface(`files_read_etc_runtime_files',`
 
 ########################################
 ## <summary>
@ -10328,7 +10353,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3031,18 +3529,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3546,17 @@ interface(`files_read_etc_runtime_files',`
 ##	</summary>
 ## </param>
 #
@ -10350,7 +10375,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3060,6 +3557,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3574,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
 
 ########################################
 ## <summary>
@ -10377,7 +10402,7 @@ index f962f76..35cd90c 100644
 ##	Read and write files in /etc that are dynamically
 ##	created on boot, such as mtab.
 ## </summary>
-@@ -3077,6 +3594,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',`
 
 	allow $1 etc_t:dir list_dir_perms;
 	rw_files_pattern($1, etc_t, etc_runtime_t)
@ -10385,7 +10410,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -3098,6 +3616,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',`
 	')
 
 	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@ -10393,58 +10418,11 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -3150,45 +3669,64 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3150,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search directories on new filesystems
 +##	Setattr of directories on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-interface(`files_dontaudit_search_isid_type_dirs',`
-+interface(`files_setattr_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
-	dontaudit $1 file_t:dir search_dir_perms;
-+	allow $1 file_t:dir setattr;
- ')
- 
- ########################################
- ## <summary>
-##	List the contents of directories on new filesystems
-+##	Do not audit attempts to search directories on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-interface(`files_list_isid_type_dirs',`
-+interface(`files_dontaudit_search_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
-	allow $1 file_t:dir list_dir_perms;
-+	dontaudit $1 file_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Read and write directories on new filesystems
-+##	List the contents of directories on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
@ -10453,21 +10431,20 @@ index f962f76..35cd90c 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_isid_type_dirs',`
+interface(`files_setattr_isid_type_dirs',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:dir list_dir_perms;
+	allow $1 file_t:dir setattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write directories on new filesystems
+ ##	Do not audit attempts to search directories on new filesystems
 ##	that have not yet been labeled.
 ## </summary>
- ## <param name="domain">
-@@ -3223,6 +3761,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3223,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
 
 	delete_dirs_pattern($1, file_t, file_t)
 ')
@ -10530,7 +10507,7 @@ index f962f76..35cd90c 100644
 
 ########################################
 ## <summary>
-@@ -3473,6 +4067,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3473,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',`
 
 ########################################
 ## <summary>
@ -10556,7 +10533,7 @@ index f962f76..35cd90c 100644
 ##	Create, read, write, and delete block device nodes
 ##	on new filesystems that have not yet been labeled.
 ## </summary>
-@@ -3814,20 +4427,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
 
 ######################################
 ## <summary>
@ -10600,7 +10577,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -4217,6 +4848,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4865,172 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
@ -10773,7 +10750,7 @@ index f962f76..35cd90c 100644
 ########################################
 ## <summary>
 ##	Allow the specified type to associate
-@@ -4239,6 +5036,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5053,26 @@ interface(`files_associate_tmp',`
 
 ########################################
 ## <summary>
@ -10800,7 +10777,7 @@ index f962f76..35cd90c 100644
 ##	Get the	attributes of the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
-@@ -4252,17 +5069,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5086,37 @@ interface(`files_getattr_tmp_dirs',`
 		type tmp_t;
 	')
 
@ -10839,7 +10816,7 @@ index f962f76..35cd90c 100644
 ##	</summary>
 ## </param>
 #
-@@ -4289,6 +5126,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5143,7 @@ interface(`files_search_tmp',`
 		type tmp_t;
 	')
 
@ -10847,7 +10824,7 @@ index f962f76..35cd90c 100644
 	allow $1 tmp_t:dir search_dir_perms;
 ')
 
-@@ -4325,6 +5163,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5180,7 @@ interface(`files_list_tmp',`
 		type tmp_t;
 	')
 
@ -10855,7 +10832,7 @@ index f962f76..35cd90c 100644
 	allow $1 tmp_t:dir list_dir_perms;
 ')
 
-@@ -4334,7 +5173,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5190,7 @@ interface(`files_list_tmp',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -10864,7 +10841,7 @@ index f962f76..35cd90c 100644
 ##	</summary>
 ## </param>
 #
-@@ -4346,6 +5185,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5202,25 @@ interface(`files_dontaudit_list_tmp',`
 	dontaudit $1 tmp_t:dir list_dir_perms;
 ')
 
@ -10890,7 +10867,7 @@ index f962f76..35cd90c 100644
 ########################################
 ## <summary>
 ##	Remove entries from the tmp directory.
-@@ -4361,6 +5219,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5236,7 @@ interface(`files_delete_tmp_dir_entry',`
 		type tmp_t;
 	')
 
@ -10898,7 +10875,7 @@ index f962f76..35cd90c 100644
 	allow $1 tmp_t:dir del_entry_dir_perms;
 ')
 
-@@ -4402,6 +5261,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5278,32 @@ interface(`files_manage_generic_tmp_dirs',`
 
 ########################################
 ## <summary>
@ -10931,7 +10908,7 @@ index f962f76..35cd90c 100644
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
-@@ -4456,7 +5341,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,7 +5358,7 @@ interface(`files_rw_generic_tmp_sockets',`
 
 ########################################
 ## <summary>
@ -10940,7 +10917,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4464,17 +5349,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,17 +5366,17 @@ interface(`files_rw_generic_tmp_sockets',`
 ##	</summary>
 ## </param>
 #
@ -10962,7 +10939,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4482,34 +5367,124 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,44 +5384,134 @@ interface(`files_setattr_all_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
@ -11000,14 +10977,17 @@ index f962f76..35cd90c 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:dir { search_dir_perms setattr };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
 +##	Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@ -11094,10 +11074,20 @@ index f962f76..35cd90c 100644
 +
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
- 
- ########################################
-@@ -4519,7 +5494,7 @@ interface(`files_relabel_all_tmp_dirs',`
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -11106,16 +11096,7 @@ index f962f76..35cd90c 100644
 ##	</summary>
 ## </param>
 #
-@@ -4579,7 +5554,7 @@ interface(`files_relabel_all_tmp_files',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-##	Domain not to audit.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -4611,6 +5586,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5603,44 @@ interface(`files_read_all_tmp_files',`
 
 ########################################
 ## <summary>
@ -11160,7 +11141,7 @@ index f962f76..35cd90c 100644
 ##	Create an object in the tmp directories, with a private
 ##	type using a type transition.
 ## </summary>
-@@ -4664,6 +5677,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5694,16 @@ interface(`files_purge_tmp',`
 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -11177,7 +11158,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -5241,6 +6264,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6281,24 @@ interface(`files_list_var',`
 
 ########################################
 ## <summary>
@ -11202,7 +11183,7 @@ index f962f76..35cd90c 100644
 ##	Create, read, write, and delete directories
 ##	in the /var directory.
 ## </summary>
-@@ -5527,6 +6568,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6585,25 @@ interface(`files_rw_var_lib_dirs',`
 
 ########################################
 ## <summary>
@ -11228,7 +11209,7 @@ index f962f76..35cd90c 100644
 ##	Create objects in the /var/lib directory
 ## </summary>
 ## <param name="domain">
-@@ -5596,6 +6656,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6673,25 @@ interface(`files_read_var_lib_symlinks',`
 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
 ')
 
@ -11254,7 +11235,7 @@ index f962f76..35cd90c 100644
 # cjp: the next two interfaces really need to be fixed
 # in some way.  They really neeed their own types.
 
-@@ -5641,7 +6720,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6737,7 @@ interface(`files_manage_mounttab',`
 
 ########################################
 ## <summary>
@ -11263,7 +11244,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5649,12 +6728,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6745,13 @@ interface(`files_manage_mounttab',`
 ##	</summary>
 ## </param>
 #
@ -11279,7 +11260,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -5672,6 +6752,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6769,7 @@ interface(`files_search_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -11287,7 +11268,7 @@ index f962f76..35cd90c 100644
 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 	search_dirs_pattern($1, var_t, var_lock_t)
 ')
-@@ -5698,7 +6779,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6796,26 @@ interface(`files_dontaudit_search_locks',`
 
 ########################################
 ## <summary>
@ -11315,7 +11296,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5706,13 +6806,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6823,12 @@ interface(`files_dontaudit_search_locks',`
 ##	</summary>
 ## </param>
 #
@ -11332,7 +11313,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -5731,7 +6830,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6847,7 @@ interface(`files_rw_lock_dirs',`
 		type var_t, var_lock_t;
 	')
 
@ -11341,7 +11322,7 @@ index f962f76..35cd90c 100644
 	rw_dirs_pattern($1, var_t, var_lock_t)
 ')
 
-@@ -5764,7 +6863,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6880,6 @@ interface(`files_create_lock_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -11349,7 +11330,7 @@ index f962f76..35cd90c 100644
 #
 interface(`files_relabel_all_lock_dirs',`
 	gen_require(`
-@@ -5779,7 +6877,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6894,7 @@ interface(`files_relabel_all_lock_dirs',`
 
 ########################################
 ## <summary>
@ -11358,7 +11339,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5787,13 +6885,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6902,33 @@ interface(`files_relabel_all_lock_dirs',`
 ##	</summary>
 ## </param>
 #
@ -11393,7 +11374,7 @@ index f962f76..35cd90c 100644
 	allow $1 var_lock_t:dir list_dir_perms;
 	getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
-@@ -5809,13 +6927,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6944,12 @@ interface(`files_getattr_generic_locks',`
 ## </param>
 #
 interface(`files_delete_generic_locks',`
@ -11411,7 +11392,7 @@ index f962f76..35cd90c 100644
 ')
 
 ########################################
-@@ -5834,9 +6951,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +6968,7 @@ interface(`files_manage_generic_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -11422,7 +11403,7 @@ index f962f76..35cd90c 100644
 	manage_files_pattern($1, var_lock_t, var_lock_t)
 ')
 
-@@ -5878,8 +6993,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7010,7 @@ interface(`files_read_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -11432,7 +11413,7 @@ index f962f76..35cd90c 100644
 	allow $1 lockfile:dir list_dir_perms;
 	read_files_pattern($1, lockfile, lockfile)
 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7015,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7032,7 @@ interface(`files_manage_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -11442,7 +11423,7 @@ index f962f76..35cd90c 100644
 	manage_dirs_pattern($1, lockfile, lockfile)
 	manage_files_pattern($1, lockfile, lockfile)
 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7052,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7069,7 @@ interface(`files_lock_filetrans',`
 		type var_t, var_lock_t;
 	')
 
@ -11452,7 +11433,7 @@ index f962f76..35cd90c 100644
 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
 ')
 
-@@ -5979,7 +7091,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7108,7 @@ interface(`files_setattr_pid_dirs',`
 		type var_run_t;
 	')
 
@ -11461,7 +11442,7 @@ index f962f76..35cd90c 100644
 	allow $1 var_run_t:dir setattr;
 ')
 
-@@ -5999,10 +7111,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7128,48 @@ interface(`files_search_pids',`
 		type var_t, var_run_t;
 	')
 
@ -11510,7 +11491,7 @@ index f962f76..35cd90c 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -6025,28 +7175,47 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,27 +7192,46 @@ interface(`files_dontaudit_search_pids',`
 
 ########################################
 ## <summary>
@ -11541,7 +11522,6 @@ index f962f76..35cd90c 100644
 ########################################
 ## <summary>
 -##	Read generic process ID files.
-## </summary>
 +##	List the contents of the runtime process
 +##	ID directories (/var/run).
 +## </summary>
@ -11563,11 +11543,10 @@ index f962f76..35cd90c 100644
 +########################################
 +## <summary>
 +##	Read generic process ID files.
-+## </summary>
+ ## </summary>
 ## <param name="domain">
 ##	<summary>
- ##	Domain allowed access.
-@@ -6058,7 +7227,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')
 
@ -11576,7 +11555,7 @@ index f962f76..35cd90c 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	read_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6078,7 +7247,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7264,7 @@ interface(`files_write_generic_pid_pipes',`
 		type var_run_t;
 	')
 
@ -11585,7 +11564,7 @@ index f962f76..35cd90c 100644
 	allow $1 var_run_t:fifo_file write;
 ')
 
-@@ -6140,7 +7309,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7326,6 @@ interface(`files_pid_filetrans',`
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@ -11593,7 +11572,7 @@ index f962f76..35cd90c 100644
 	filetrans_pattern($1, var_run_t, $2, $3, $4)
 ')
 
-@@ -6169,6 +7337,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7354,24 @@ interface(`files_pid_filetrans_lock_dir',`
 
 ########################################
 ## <summary>
@ -11618,7 +11597,7 @@ index f962f76..35cd90c 100644
 ##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
-@@ -6182,7 +7368,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7385,7 @@ interface(`files_rw_generic_pids',`
 		type var_t, var_run_t;
 	')
 
@ -11627,7 +11606,7 @@ index f962f76..35cd90c 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	rw_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6249,55 +7435,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7452,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
@ -11690,7 +11669,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6305,42 +7479,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7496,35 @@ interface(`files_delete_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -11740,7 +11719,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6348,18 +7515,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7532,18 @@ interface(`files_manage_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -11764,7 +11743,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6367,37 +7534,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7551,40 @@ interface(`files_mounton_all_poly_members',`
 ##	</summary>
 ## </param>
 #
@ -11816,7 +11795,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6405,18 +7575,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7592,17 @@ interface(`files_dontaudit_search_spool',`
 ##	</summary>
 ## </param>
 #
@ -11839,7 +11818,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6424,18 +7593,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7610,18 @@ interface(`files_list_spool',`
 ##	</summary>
 ## </param>
 #
@ -11863,7 +11842,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6443,19 +7612,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7629,18 @@ interface(`files_manage_generic_spool_dirs',`
 ##	</summary>
 ## </param>
 #
@ -11888,7 +11867,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6463,55 +7631,130 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7648,130 @@ interface(`files_read_generic_spool',`
 ##	</summary>
 ## </param>
 #
@ -12038,7 +12017,7 @@ index f962f76..35cd90c 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6519,64 +7762,767 @@ interface(`files_spool_filetrans',`
+@@ -6519,64 +7779,767 @@ interface(`files_spool_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -21729,7 +21708,7 @@ index cc877c7..07f129b 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..830bb6f 100644
+index 8274418..abeb351 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -21851,7 +21830,7 @@ index 8274418..830bb6f 100644
 +/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/mdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/slim\.log	--	gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
@ -29783,7 +29762,7 @@ index 17eda24..7acba2b 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..32fad12 100644
+index 662e79b..05d25b0 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,23 @@
@ -29825,7 +29804,8 @@ index 662e79b..32fad12 100644
 /var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
 +/var/lock/subsys/strongswan		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
 
- /var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+-/var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+/var/log/pluto\.log.*		--	gen_context(system_u:object_r:ipsec_log_t,s0)
 
 /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
@ -31424,7 +31404,7 @@ index 446fa99..050a2ac 100644
 -	nscd_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..2faaaf2 100644
+index b50c5fe..e55a556 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
@@ -2,10 +2,13 @@
@ -31468,7 +31448,7 @@ index b50c5fe..2faaaf2 100644
 
 /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,13 +54,13 @@ ifdef(`distro_suse', `
+@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@ -31483,8 +31463,10 @@ index b50c5fe..2faaaf2 100644
 +/var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 
 ifndef(`distro_gentoo',`
- /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',`
+-/var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+/var/log/audit\.log.*	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ ')
+ 
 ifdef(`distro_redhat',`
 /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
 /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
@ -32362,7 +32344,7 @@ index 59b04c1..7b0ef85 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b91740..b250b3e 100644
+index 6b91740..633e449 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@ -32474,12 +32456,13 @@ index 6b91740..b250b3e 100644
 
 #
 # /var
-@@ -98,5 +168,8 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',`
 /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
 /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 +/var/lock/dmraid(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 +/var/run/lvm(/.*)?     gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/multipathd(/.*)?   gen_context(system_u:object_r:lvm_var_run_t,s0)
 /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
 /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch