##
-@@ -86,23 +109,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false)
+
+ # Mark process types as domains
+ attribute domain;
++attribute named_filetrans_domain;
+
+ # Transitions only allowed from domains to other domains
+ neverallow domain ~domain:process { transition dyntransition };
+@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -8488,7 +8532,7 @@ index cf04cb5..d02fa9e 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +166,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -8507,7 +8551,7 @@ index cf04cb5..d02fa9e 100644
')
optional_policy(`
-@@ -133,6 +188,8 @@ optional_policy(`
+@@ -133,6 +189,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -8516,7 +8560,7 @@ index cf04cb5..d02fa9e 100644
')
########################################
-@@ -147,12 +204,18 @@ optional_policy(`
+@@ -147,12 +205,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -8536,165 +8580,168 @@ index cf04cb5..d02fa9e 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,292 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +230,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
-+corenet_filetrans_all_named_dev(unconfined_domain_type)
++corenet_filetrans_all_named_dev(named_filetrans_domain)
+
-+dev_filetrans_all_named_dev(unconfined_domain_type)
++dev_filetrans_all_named_dev(named_filetrans_domain))
+
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
-+files_filetrans_named_content(unconfined_domain_type)
-+files_filetrans_system_conf_named_files(unconfined_domain_type)
++files_filetrans_named_content(named_filetrans_domain)
++files_filetrans_system_conf_named_files(named_filetrans_domain)
+files_config_all_files(unconfined_domain_type)
+dev_config_null_dev_service(unconfined_domain_type)
+
+optional_policy(`
-+ locallogin_filetrans_home_content(unconfined_domain_type)
++ locallogin_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ mandb_filetrans_named_home_content(unconfined_domain_type)
++ mandb_filetrans_named_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ seutil_filetrans_named_content(unconfined_domain_type)
++ seutil_filetrans_named_content(named_filetrans_domain)
+')
+
-+storage_filetrans_all_named_dev(unconfined_domain_type)
++storage_filetrans_all_named_dev(named_filetrans_domain)
+
-+term_filetrans_all_named_dev(unconfined_domain_type)
++term_filetrans_all_named_dev(named_filetrans_domain)
+
+optional_policy(`
++ init_disable_services(unconfined_domain_type)
++ init_enable_services(unconfined_domain_type)
++ init_reload_services(unconfined_domain_type)
+ init_status(unconfined_domain_type)
+ init_reboot(unconfined_domain_type)
+ init_halt(unconfined_domain_type)
+ init_undefined(unconfined_domain_type)
-+ init_filetrans_named_content(unconfined_domain_type)
++ init_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ auth_filetrans_named_content(unconfined_domain_type)
-+ auth_filetrans_admin_home_content(unconfined_domain_type)
++ auth_filetrans_named_content(named_filetrans_domain)
++ auth_filetrans_admin_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ libs_filetrans_named_content(unconfined_domain_type)
++ libs_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ logging_filetrans_named_content(unconfined_domain_type)
++ logging_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ miscfiles_filetrans_named_content(unconfined_domain_type)
++ miscfiles_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ abrt_filetrans_named_content(unconfined_domain_type)
++ abrt_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ alsa_filetrans_named_content(unconfined_domain_type)
++ alsa_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ apache_filetrans_named_content(unconfined_domain_type)
++ apache_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ apcupsd_filetrans_named_content(unconfined_domain_type)
++ apcupsd_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ bootloader_filetrans_config(unconfined_domain_type)
++ bootloader_filetrans_config(named_filetrans_domain)
+')
+
+optional_policy(`
-+ clock_filetrans_named_content(unconfined_domain_type)
++ clock_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ cups_filetrans_named_content(unconfined_domain_type)
++ cups_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ devicekit_filetrans_named_content(unconfined_domain_type)
++ devicekit_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ dnsmasq_filetrans_named_content(unconfined_domain_type)
++ dnsmasq_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ gnome_filetrans_admin_home_content(unconfined_domain_type)
++ gnome_filetrans_admin_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ iscsi_filetrans_named_content(unconfined_domain_type)
++ iscsi_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ kerberos_filetrans_named_content(unconfined_domain_type)
++ kerberos_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ mta_filetrans_named_content(unconfined_domain_type)
++ mta_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ mplayer_filetrans_home_content(unconfined_domain_type)
++ mplayer_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ modules_filetrans_named_content(unconfined_domain_type)
++ modules_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ mysql_filetrans_named_content(unconfined_domain_type)
++ mysql_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ networkmanager_filetrans_named_content(unconfined_domain_type)
++ networkmanager_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ ntp_filetrans_named_content(unconfined_domain_type)
++ ntp_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ nx_filetrans_named_content(unconfined_domain_type)
++ nx_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ postgresql_filetrans_named_content(unconfined_domain_type)
++ postgresql_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ postfix_filetrans_named_content(unconfined_domain_type)
++ postfix_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ prelink_filetrans_named_content(unconfined_domain_type)
++ prelink_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
++ pulseaudio_filetrans_admin_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ quota_filetrans_named_content(unconfined_domain_type)
++ quota_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ rpcbind_filetrans_named_content(unconfined_domain_type)
++ rpcbind_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ sysnet_filetrans_named_content(unconfined_domain_type)
++ sysnet_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
@@ -8702,24 +8749,24 @@ index cf04cb5..d02fa9e 100644
+ systemd_login_reboot(unconfined_domain_type)
+ systemd_login_halt(unconfined_domain_type)
+ systemd_login_undefined(unconfined_domain_type)
-+ systemd_filetrans_named_hostname(unconfined_domain_type)
++ systemd_filetrans_named_hostname(named_filetrans_domain)
+')
+
+optional_policy(`
-+ tftp_filetrans_named_content(unconfined_domain_type)
++ tftp_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
-+ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
++ userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file })
+')
+
+optional_policy(`
-+ ssh_filetrans_admin_home_content(unconfined_domain_type)
-+ ssh_filetrans_keys(unconfined_domain_type)
++ ssh_filetrans_admin_home_content(named_filetrans_domain)
++ ssh_filetrans_keys(unconfined_domain_type)
+')
+
+optional_policy(`
-+ virt_filetrans_named_content(unconfined_domain_type)
++ virt_filetrans_named_content(named_filetrans_domain)
+')
+
+selinux_getattr_fs(domain)
@@ -16685,7 +16732,7 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..1a2de40 100644
+index 5da7870..28cfc6a 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
@@ -16757,7 +16804,7 @@ index 5da7870..1a2de40 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +79,102 @@ optional_policy(`
+@@ -23,11 +79,106 @@ optional_policy(`
')
optional_policy(`
@@ -16858,10 +16905,14 @@ index 5da7870..1a2de40 100644
+ polipo_role(staff_r, staff_t)
+ polipo_named_filetrans_cache_home_dirs(staff_t)
+ polipo_named_filetrans_config_home_files(staff_t)
++')
++
++optional_policy(`
++ openvpn_exec(staff_t)
')
optional_policy(`
-@@ -35,15 +182,31 @@ optional_policy(`
+@@ -35,15 +186,31 @@ optional_policy(`
')
optional_policy(`
@@ -16895,7 +16946,7 @@ index 5da7870..1a2de40 100644
')
optional_policy(`
-@@ -52,10 +215,55 @@ optional_policy(`
+@@ -52,10 +219,55 @@ optional_policy(`
')
optional_policy(`
@@ -16951,7 +17002,7 @@ index 5da7870..1a2de40 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +273,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +277,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -16962,7 +17013,7 @@ index 5da7870..1a2de40 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +282,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +286,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -16973,7 +17024,7 @@ index 5da7870..1a2de40 100644
')
optional_policy(`
-@@ -101,10 +301,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +305,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -16984,7 +17035,7 @@ index 5da7870..1a2de40 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +321,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +325,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -16995,7 +17046,7 @@ index 5da7870..1a2de40 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +333,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +337,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17006,7 +17057,7 @@ index 5da7870..1a2de40 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +364,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +368,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -17058,10 +17109,10 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..e7c0869 100644
+index 88d0028..0459d20 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,82 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -17117,6 +17168,9 @@ index 88d0028..e7c0869 100644
+application_exec(sysadm_t)
+
+init_filetrans_named_content(sysadm_t)
++init_disable_services(sysadm_t)
++init_enable_services(sysadm_t)
++init_reload_services(sysadm_t)
init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
@@ -17155,7 +17209,7 @@ index 88d0028..e7c0869 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +98,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -17170,7 +17224,7 @@ index 88d0028..e7c0869 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +108,9 @@ optional_policy(`
+@@ -71,9 +111,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -17181,7 +17235,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -87,6 +124,7 @@ optional_policy(`
+@@ -87,6 +127,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -17189,7 +17243,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -110,11 +148,17 @@ optional_policy(`
+@@ -110,11 +151,17 @@ optional_policy(`
')
optional_policy(`
@@ -17207,7 +17261,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -122,11 +166,19 @@ optional_policy(`
+@@ -122,11 +169,19 @@ optional_policy(`
')
optional_policy(`
@@ -17229,7 +17283,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -140,6 +192,10 @@ optional_policy(`
+@@ -140,6 +195,10 @@ optional_policy(`
')
optional_policy(`
@@ -17240,7 +17294,7 @@ index 88d0028..e7c0869 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +212,11 @@ optional_policy(`
+@@ -156,11 +215,11 @@ optional_policy(`
')
optional_policy(`
@@ -17254,7 +17308,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -179,6 +235,13 @@ optional_policy(`
+@@ -179,6 +238,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -17268,7 +17322,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -186,15 +249,20 @@ optional_policy(`
+@@ -186,15 +252,20 @@ optional_policy(`
')
optional_policy(`
@@ -17292,7 +17346,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -214,22 +282,20 @@ optional_policy(`
+@@ -214,22 +285,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -17321,7 +17375,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -241,14 +307,27 @@ optional_policy(`
+@@ -241,14 +310,27 @@ optional_policy(`
')
optional_policy(`
@@ -17349,7 +17403,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -256,10 +335,20 @@ optional_policy(`
+@@ -256,10 +338,20 @@ optional_policy(`
')
optional_policy(`
@@ -17370,7 +17424,7 @@ index 88d0028..e7c0869 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +359,36 @@ optional_policy(`
+@@ -270,31 +362,36 @@ optional_policy(`
')
optional_policy(`
@@ -17414,7 +17468,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -319,12 +413,18 @@ optional_policy(`
+@@ -319,12 +416,18 @@ optional_policy(`
')
optional_policy(`
@@ -17434,7 +17488,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -349,7 +449,18 @@ optional_policy(`
+@@ -349,7 +452,18 @@ optional_policy(`
')
optional_policy(`
@@ -17454,7 +17508,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -360,19 +471,15 @@ optional_policy(`
+@@ -360,19 +474,15 @@ optional_policy(`
')
optional_policy(`
@@ -17476,7 +17530,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -384,10 +491,6 @@ optional_policy(`
+@@ -384,10 +494,6 @@ optional_policy(`
')
optional_policy(`
@@ -17487,7 +17541,7 @@ index 88d0028..e7c0869 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +498,9 @@ optional_policy(`
+@@ -395,6 +501,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -17497,7 +17551,7 @@ index 88d0028..e7c0869 100644
')
optional_policy(`
-@@ -402,31 +508,34 @@ optional_policy(`
+@@ -402,31 +511,34 @@ optional_policy(`
')
optional_policy(`
@@ -17538,7 +17592,7 @@ index 88d0028..e7c0869 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +548,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +551,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17549,7 +17603,7 @@ index 88d0028..e7c0869 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +568,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +571,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18308,10 +18362,10 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..c8f13da
+index 0000000..9de7a1f
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,329 @@
+@@ -0,0 +1,330 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -18390,6 +18444,7 @@ index 0000000..c8f13da
+systemd_config_all_services(unconfined_t)
+
+unconfined_domain_noaudit(unconfined_t)
++domain_named_filetrans(unconfined_t)
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+
@@ -22453,7 +22508,7 @@ index 6bf0ecc..266289c 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..fcf58c6 100644
+index 2696452..7e081fb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -22798,7 +22853,7 @@ index 2696452..fcf58c6 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +408,106 @@ optional_policy(`
+@@ -299,64 +408,107 @@ optional_policy(`
# XDM Local policy
#
@@ -22890,6 +22945,7 @@ index 2696452..fcf58c6 100644
manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
++manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
@@ -22915,7 +22971,7 @@ index 2696452..fcf58c6 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -22945,7 +23001,7 @@ index 2696452..fcf58c6 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -22998,7 +23054,7 @@ index 2696452..fcf58c6 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +598,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +599,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23027,7 +23083,7 @@ index 2696452..fcf58c6 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +629,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23074,7 +23130,7 @@ index 2696452..fcf58c6 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +673,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +674,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23225,7 +23281,7 @@ index 2696452..fcf58c6 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +824,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +825,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -23252,7 +23308,7 @@ index 2696452..fcf58c6 100644
')
optional_policy(`
-@@ -514,12 +851,72 @@ optional_policy(`
+@@ -514,12 +852,72 @@ optional_policy(`
')
optional_policy(`
@@ -23325,7 +23381,7 @@ index 2696452..fcf58c6 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +934,78 @@ optional_policy(`
+@@ -537,28 +935,78 @@ optional_policy(`
')
optional_policy(`
@@ -23413,7 +23469,7 @@ index 2696452..fcf58c6 100644
')
optional_policy(`
-@@ -570,6 +1017,14 @@ optional_policy(`
+@@ -570,6 +1018,14 @@ optional_policy(`
')
optional_policy(`
@@ -23428,7 +23484,7 @@ index 2696452..fcf58c6 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23441,7 +23497,7 @@ index 2696452..fcf58c6 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23457,7 +23513,7 @@ index 2696452..fcf58c6 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -23468,7 +23524,7 @@ index 2696452..fcf58c6 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23490,7 +23546,7 @@ index 2696452..fcf58c6 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -23504,7 +23560,7 @@ index 2696452..fcf58c6 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23536,7 +23592,7 @@ index 2696452..fcf58c6 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23554,7 +23610,7 @@ index 2696452..fcf58c6 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1198,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1199,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -23578,7 +23634,7 @@ index 2696452..fcf58c6 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -23587,7 +23643,7 @@ index 2696452..fcf58c6 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1261,44 @@ optional_policy(`
+@@ -775,16 +1262,44 @@ optional_policy(`
')
optional_policy(`
@@ -23633,7 +23689,7 @@ index 2696452..fcf58c6 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1307,10 @@ optional_policy(`
+@@ -793,6 +1308,10 @@ optional_policy(`
')
optional_policy(`
@@ -23644,7 +23700,7 @@ index 2696452..fcf58c6 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -23658,7 +23714,7 @@ index 2696452..fcf58c6 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -23667,7 +23723,7 @@ index 2696452..fcf58c6 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1350,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1351,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23702,7 +23758,7 @@ index 2696452..fcf58c6 100644
')
optional_policy(`
-@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23711,7 +23767,7 @@ index 2696452..fcf58c6 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -23743,7 +23799,7 @@ index 2696452..fcf58c6 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -25995,7 +26051,7 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..d0780a9 100644
+index 24e7804..c4155c7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -26880,7 +26936,7 @@ index 24e7804..d0780a9 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,360 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -27131,6 +27187,60 @@ index 24e7804..d0780a9 100644
+
+########################################
+##
++## Tell init to enable the services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_enable_services',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system enable;
++')
++
++########################################
++##
++## Tell init to disable the services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_disable_services',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system disable;
++')
++
++########################################
++##
++## Tell init to reload the services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_reload_services',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system reload;
++')
++
++########################################
++##
+## Tell init to halt the system.
+##
+##
@@ -27188,7 +27298,7 @@ index 24e7804..d0780a9 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..8cda2bb 100644
+index dd3be8d..6ad72c0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27619,7 +27729,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -216,6 +456,27 @@ optional_policy(`
+@@ -216,7 +456,29 @@ optional_policy(`
')
optional_policy(`
@@ -27645,9 +27755,11 @@ index dd3be8d..8cda2bb 100644
+
+optional_policy(`
unconfined_domain(init_t)
++ domain_named_filetrans(init_t)
')
-@@ -225,8 +486,9 @@ optional_policy(`
+ ########################################
+@@ -225,8 +487,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -27659,7 +27771,7 @@ index dd3be8d..8cda2bb 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +520,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -27676,7 +27788,7 @@ index dd3be8d..8cda2bb 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +545,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -27719,7 +27831,7 @@ index dd3be8d..8cda2bb 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +582,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -27731,7 +27843,7 @@ index dd3be8d..8cda2bb 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +594,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -27742,7 +27854,7 @@ index dd3be8d..8cda2bb 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +605,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -27752,7 +27864,7 @@ index dd3be8d..8cda2bb 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +614,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -27760,7 +27872,7 @@ index dd3be8d..8cda2bb 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +621,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -27768,7 +27880,7 @@ index dd3be8d..8cda2bb 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +629,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -27786,7 +27898,7 @@ index dd3be8d..8cda2bb 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +647,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -27800,7 +27912,7 @@ index dd3be8d..8cda2bb 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +662,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -27814,7 +27926,7 @@ index dd3be8d..8cda2bb 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +675,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -27822,7 +27934,7 @@ index dd3be8d..8cda2bb 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +687,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -27830,7 +27942,7 @@ index dd3be8d..8cda2bb 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +706,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -27854,7 +27966,7 @@ index dd3be8d..8cda2bb 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +739,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -27862,7 +27974,7 @@ index dd3be8d..8cda2bb 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +773,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -27873,7 +27985,7 @@ index dd3be8d..8cda2bb 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +796,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +797,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -27882,7 +27994,7 @@ index dd3be8d..8cda2bb 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +811,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +812,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -27890,7 +28002,7 @@ index dd3be8d..8cda2bb 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +832,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +833,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -27898,7 +28010,7 @@ index dd3be8d..8cda2bb 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +842,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +843,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -27943,7 +28055,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -558,14 +887,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +888,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -27975,7 +28087,7 @@ index dd3be8d..8cda2bb 100644
')
')
-@@ -576,6 +922,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +923,39 @@ ifdef(`distro_suse',`
')
')
@@ -28015,7 +28127,7 @@ index dd3be8d..8cda2bb 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +967,8 @@ optional_policy(`
+@@ -588,6 +968,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28024,7 +28136,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -609,6 +990,7 @@ optional_policy(`
+@@ -609,6 +991,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28032,7 +28144,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -625,6 +1007,17 @@ optional_policy(`
+@@ -625,6 +1008,17 @@ optional_policy(`
')
optional_policy(`
@@ -28050,7 +28162,7 @@ index dd3be8d..8cda2bb 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1034,13 @@ optional_policy(`
+@@ -641,9 +1035,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28064,7 +28176,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -656,15 +1053,11 @@ optional_policy(`
+@@ -656,15 +1054,11 @@ optional_policy(`
')
optional_policy(`
@@ -28082,7 +28194,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -685,6 +1078,15 @@ optional_policy(`
+@@ -685,6 +1079,15 @@ optional_policy(`
')
optional_policy(`
@@ -28098,7 +28210,7 @@ index dd3be8d..8cda2bb 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1127,7 @@ optional_policy(`
+@@ -725,6 +1128,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28106,7 +28218,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -742,7 +1145,14 @@ optional_policy(`
+@@ -742,7 +1146,14 @@ optional_policy(`
')
optional_policy(`
@@ -28121,7 +28233,7 @@ index dd3be8d..8cda2bb 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1175,10 @@ optional_policy(`
+@@ -765,6 +1176,10 @@ optional_policy(`
')
optional_policy(`
@@ -28132,7 +28244,7 @@ index dd3be8d..8cda2bb 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1188,20 @@ optional_policy(`
+@@ -774,10 +1189,20 @@ optional_policy(`
')
optional_policy(`
@@ -28153,7 +28265,7 @@ index dd3be8d..8cda2bb 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1210,10 @@ optional_policy(`
+@@ -786,6 +1211,10 @@ optional_policy(`
')
optional_policy(`
@@ -28164,7 +28276,7 @@ index dd3be8d..8cda2bb 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1235,6 @@ optional_policy(`
+@@ -807,8 +1236,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28173,7 +28285,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -817,6 +1243,10 @@ optional_policy(`
+@@ -817,6 +1244,10 @@ optional_policy(`
')
optional_policy(`
@@ -28184,7 +28296,7 @@ index dd3be8d..8cda2bb 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1256,12 @@ optional_policy(`
+@@ -826,10 +1257,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28197,7 +28309,7 @@ index dd3be8d..8cda2bb 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1288,27 @@ optional_policy(`
+@@ -856,12 +1289,28 @@ optional_policy(`
')
optional_policy(`
@@ -28220,13 +28332,14 @@ index dd3be8d..8cda2bb 100644
optional_policy(`
unconfined_domain(initrc_t)
++ domain_named_filetrans(initrc_t)
+ domain_role_change_exemption(initrc_t)
+
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1318,18 @@ optional_policy(`
+@@ -871,6 +1320,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28245,7 +28358,7 @@ index dd3be8d..8cda2bb 100644
')
optional_policy(`
-@@ -886,6 +1345,10 @@ optional_policy(`
+@@ -886,6 +1347,10 @@ optional_policy(`
')
optional_policy(`
@@ -28256,7 +28369,7 @@ index dd3be8d..8cda2bb 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1359,196 @@ optional_policy(`
+@@ -896,3 +1361,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28690,7 +28803,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..9a068f6 100644
+index 9e54bf9..a0ba260 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28703,24 +28816,37 @@ index 9e54bf9..9a068f6 100644
type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)
-@@ -73,13 +76,15 @@ role system_r types setkey_t;
+@@ -72,14 +75,18 @@ role system_r types setkey_t;
+ # ipsec Local policy
#
- allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid };
+dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
++allow ipsec_t self:packet_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
+allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-@@ -128,20 +133,21 @@ corecmd_exec_shell(ipsec_t)
+@@ -113,7 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+ allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
+
+ kernel_read_kernel_sysctls(ipsec_t)
+-kernel_read_net_sysctls(ipsec_t)
++kernel_rw_net_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
+ kernel_read_proc_symlinks(ipsec_t)
+ # allow pluto to access /proc/net/ipsec_eroute;
+@@ -128,20 +135,22 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
# Pluto needs network access
@@ -28742,6 +28868,7 @@ index 9e54bf9..9a068f6 100644
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_ipsecnat_port(ipsec_t)
++corenet_udp_bind_dhcpc_port(ipsec_t)
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
+corenet_tcp_connect_http_port(ipsec_t)
@@ -28749,7 +28876,7 @@ index 9e54bf9..9a068f6 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -157,6 +163,8 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,6 +166,8 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -28758,7 +28885,7 @@ index 9e54bf9..9a068f6 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -165,11 +173,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t)
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
@@ -28773,7 +28900,7 @@ index 9e54bf9..9a068f6 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,10 +197,10 @@ optional_policy(`
+@@ -187,10 +200,10 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@@ -28788,7 +28915,7 @@ index 9e54bf9..9a068f6 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -210,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -28796,7 +28923,7 @@ index 9e54bf9..9a068f6 100644
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-@@ -246,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -28813,7 +28940,7 @@ index 9e54bf9..9a068f6 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -28822,7 +28949,7 @@ index 9e54bf9..9a068f6 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -278,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -28834,7 +28961,7 @@ index 9e54bf9..9a068f6 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -28858,7 +28985,7 @@ index 9e54bf9..9a068f6 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +349,10 @@ optional_policy(`
+@@ -322,6 +352,10 @@ optional_policy(`
')
optional_policy(`
@@ -28869,7 +28996,16 @@ index 9e54bf9..9a068f6 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
+@@ -335,7 +369,7 @@ optional_policy(`
+ #
+
+ allow racoon_t self:capability { net_admin net_bind_service };
+-allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
++allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
+ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
+ allow racoon_t self:netlink_selinux_socket { bind create read };
+ allow racoon_t self:udp_socket create_socket_perms;
+@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -28889,7 +29025,7 @@ index 9e54bf9..9a068f6 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -28902,7 +29038,7 @@ index 9e54bf9..9a068f6 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -29619,7 +29755,7 @@ index 808ba93..9d8f729 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..1982e9c 100644
+index 23a645e..f0cbd38 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -29694,17 +29830,19 @@ index 23a645e..1982e9c 100644
ifdef(`hide_broken_symptoms',`
ifdef(`distro_gentoo',`
# leaked fds from portage
-@@ -114,6 +126,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',`
')
')
+ dev_dontaudit_rw_lvm_control(ldconfig_t)
++ dev_dontaudit_read_all_chr_files(ldconfig_t)
++ dev_dontaudit_read_all_blk_files(ldconfig_t)
+ term_dontaudit_use_unallocated_ttys(ldconfig_t)
+
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
')
-@@ -131,6 +146,14 @@ optional_policy(`
+@@ -131,6 +148,14 @@ optional_policy(`
')
optional_policy(`
@@ -29719,7 +29857,7 @@ index 23a645e..1982e9c 100644
puppet_rw_tmp(ldconfig_t)
')
-@@ -141,6 +164,3 @@ optional_policy(`
+@@ -141,6 +166,3 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
@@ -30496,7 +30634,7 @@ index 4e94884..55d2481 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..7094526 100644
+index 39ea221..692b00d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -30591,13 +30729,12 @@ index 39ea221..7094526 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +204,16 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
-miscfiles_read_localization(auditd_t)
+auth_use_nsswitch(auditd_t)
-+
mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -30608,11 +30745,13 @@ index 39ea221..7094526 100644
sysnet_dns_name_resolve(auditd_t)
-userdom_use_user_terminals(auditd_t)
++systemd_start_systemd_services(auditd_t)
++
+userdom_use_inherited_user_terminals(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,19 +258,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -30643,7 +30782,7 @@ index 39ea221..7094526 100644
')
########################################
-@@ -268,7 +299,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t)
@@ -30651,7 +30790,7 @@ index 39ea221..7094526 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +310,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -30671,7 +30810,7 @@ index 39ea221..7094526 100644
sysnet_dns_name_resolve(audisp_remote_t)
-@@ -326,7 +364,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@@ -30679,7 +30818,7 @@ index 39ea221..7094526 100644
mls_file_read_all_levels(klogd_t)
-@@ -354,12 +391,12 @@ optional_policy(`
+@@ -354,12 +392,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -30695,7 +30834,7 @@ index 39ea221..7094526 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,6 +406,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -30703,7 +30842,7 @@ index 39ea221..7094526 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -377,6 +415,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -30711,7 +30850,7 @@ index 39ea221..7094526 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,22 +425,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -30746,7 +30885,7 @@ index 39ea221..7094526 100644
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,9 +475,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -30774,7 +30913,7 @@ index 39ea221..7094526 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -442,14 +507,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -30794,7 +30933,7 @@ index 39ea221..7094526 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +531,10 @@ init_use_fds(syslogd_t)
+@@ -461,11 +532,10 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -30808,7 +30947,7 @@ index 39ea221..7094526 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +571,36 @@ optional_policy(`
+@@ -502,15 +572,36 @@ optional_policy(`
')
optional_policy(`
@@ -30845,7 +30984,7 @@ index 39ea221..7094526 100644
')
optional_policy(`
-@@ -521,3 +611,26 @@ optional_policy(`
+@@ -521,3 +612,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -35097,10 +35236,10 @@ index 0000000..2cd29ba
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..6862d53
+index 0000000..8a61b65
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1231 @@
+@@ -0,0 +1,1286 @@
+## SELinux policy for systemd components
+
+######################################
@@ -35906,6 +36045,61 @@ index 0000000..6862d53
+ init_config_all_script_files($1)
+')
+
++########################################
++##
++## Allow the specified domain to start systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_start_systemd_services',`
++ gen_require(`
++ attribute systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service start;
++')
++
++#######################################
++##
++## Allow the specified domain to reload all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_reload_systemd_services',`
++ gen_require(`
++ attribute systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service reload;
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## all systemd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_config_systemd_services',`
++ gen_require(`
++ attribute systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service all_service_perms;
++ init_config_all_script_files($1)
++')
+
+########################################
+##
@@ -36334,10 +36528,10 @@ index 0000000..6862d53
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b43a6c1
+index 0000000..13712f9
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,654 @@
+@@ -0,0 +1,661 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -36720,6 +36914,7 @@ index 0000000..b43a6c1
+')
+
+optional_policy(`
++ lpd_manage_spool(systemd_tmpfiles_t)
+ lpd_relabel_spool(systemd_tmpfiles_t)
+')
+
@@ -36747,6 +36942,7 @@ index 0000000..b43a6c1
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
@@ -36757,6 +36953,10 @@ index 0000000..b43a6c1
+init_rw_stream_sockets(systemd_notify_t)
+
+optional_policy(`
++ rhcs_read_log_cluster(systemd_notify_t)
++')
++
++optional_policy(`
+ readahead_manage_pid_files(systemd_notify_t)
+')
+
@@ -36972,6 +37172,8 @@ index 0000000..b43a6c1
+
+init_stream_connect(systemd_sysctl_t)
+
++logging_send_syslog_msg(systemd_sysctl_t)
++
+########################################
+#
+# Common rules for systemd domains
@@ -36991,7 +37193,6 @@ index 0000000..b43a6c1
+optional_policy(`
+ policykit_dbus_chat(systemd_domain)
+')
-+
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..49fd32e 100644
--- a/policy/modules/system/udev.fc
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5d30ac99..9800f7ee 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 4b28ab3..6e8746f 100644
+index 4b28ab3..f781a7a 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1479,16 +1479,21 @@ index 4b28ab3..6e8746f 100644
role aide_roles types aide_t;
type aide_log_t;
-@@ -23,7 +24,7 @@ files_type(aide_db_t)
+@@ -23,22 +24,30 @@ files_type(aide_db_t)
# Local policy
#
-allow aide_t self:capability { dac_override fowner };
-+allow aide_t self:capability { dac_override fowner ipc_lock };
++allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
++files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
-@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file)
+-create_files_pattern(aide_t, aide_log_t, aide_log_t)
+-append_files_pattern(aide_t, aide_log_t, aide_log_t)
+-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
++manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+ logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
@@ -4528,7 +4533,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..ffff859 100644
+index 1a82e29..a68bd53 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5216,7 +5221,7 @@ index 1a82e29..ffff859 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5298,6 +5303,7 @@ index 1a82e29..ffff859 100644
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
++files_read_mnt_symlinks(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
@@ -5445,7 +5451,7 @@ index 1a82e29..ffff859 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5505,7 +5511,7 @@ index 1a82e29..ffff859 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5590,7 +5596,7 @@ index 1a82e29..ffff859 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5671,7 +5677,7 @@ index 1a82e29..ffff859 100644
')
optional_policy(`
-@@ -743,14 +863,6 @@ optional_policy(`
+@@ -743,14 +864,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5686,7 +5692,7 @@ index 1a82e29..ffff859 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +877,23 @@ optional_policy(`
+@@ -765,6 +878,23 @@ optional_policy(`
')
optional_policy(`
@@ -5710,7 +5716,7 @@ index 1a82e29..ffff859 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +910,42 @@ optional_policy(`
+@@ -781,34 +911,42 @@ optional_policy(`
')
optional_policy(`
@@ -5764,7 +5770,7 @@ index 1a82e29..ffff859 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +953,18 @@ optional_policy(`
+@@ -816,8 +954,18 @@ optional_policy(`
')
optional_policy(`
@@ -5783,7 +5789,7 @@ index 1a82e29..ffff859 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +973,7 @@ optional_policy(`
+@@ -826,6 +974,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5791,7 +5797,7 @@ index 1a82e29..ffff859 100644
')
optional_policy(`
-@@ -836,20 +984,39 @@ optional_policy(`
+@@ -836,20 +985,39 @@ optional_policy(`
')
optional_policy(`
@@ -5837,7 +5843,7 @@ index 1a82e29..ffff859 100644
')
optional_policy(`
-@@ -857,19 +1024,35 @@ optional_policy(`
+@@ -857,19 +1025,35 @@ optional_policy(`
')
optional_policy(`
@@ -5873,7 +5879,7 @@ index 1a82e29..ffff859 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1060,170 @@ optional_policy(`
+@@ -877,65 +1061,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6066,7 +6072,7 @@ index 1a82e29..ffff859 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1232,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6221,7 +6227,7 @@ index 1a82e29..ffff859 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1316,104 @@ optional_policy(`
+@@ -1077,172 +1317,104 @@ optional_policy(`
')
')
@@ -6457,7 +6463,7 @@ index 1a82e29..ffff859 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1421,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6554,7 +6560,7 @@ index 1a82e29..ffff859 100644
########################################
#
-@@ -1315,8 +1496,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6571,7 +6577,7 @@ index 1a82e29..ffff859 100644
')
########################################
-@@ -1324,49 +1512,36 @@ optional_policy(`
+@@ -1324,49 +1513,36 @@ optional_policy(`
# User content local policy
#
@@ -6635,7 +6641,7 @@ index 1a82e29..ffff859 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1551,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -8988,7 +8994,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..f177ca5 100644
+index 7c92aa1..6b6cd51 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,13 @@
@@ -9180,13 +9186,14 @@ index 7c92aa1..f177ca5 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +141,65 @@ init_read_utmp(boinc_t)
+@@ -130,55 +141,67 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
--
++xserver_stream_connect(boinc_t)
+
optional_policy(`
mta_send_mail(boinc_t)
')
@@ -12297,7 +12304,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..ace40ae 100644
+index 6471fa8..b2709d1 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -12357,7 +12364,16 @@ index 6471fa8..ace40ae 100644
logging_send_syslog_msg(collectd_t)
-@@ -80,11 +90,17 @@ optional_policy(`
+@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+ ')
+
+ optional_policy(`
++ netutils_domtrans_ping(collectd_t)
++')
++
++optional_policy(`
+ virt_read_config(collectd_t)
+ ')
########################################
#
@@ -24110,7 +24126,7 @@ index d062080..97fb494 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..d9dca45 100644
+index e50f33c..6edd471 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -24140,7 +24156,7 @@ index e50f33c..d9dca45 100644
+
+##
+##
-+## Allow samba to export ntfs/fusefs volumes.
++## Allow ftpd to use ntfs/fusefs volumes.
+##
+##
+gen_tunable(ftpd_use_fusefs, false)
@@ -25003,10 +25019,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..6ceb963
+index 0000000..cbe51a9
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,160 @@
+@@ -0,0 +1,164 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -25065,7 +25081,8 @@ index 0000000..6ceb963
+#
+
+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid };
-+allow glusterd_t self:process { getcap setcap setrlimit signal };
++allow glusterd_t self:capability2 block_suspend;
++allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
@@ -25096,6 +25113,9 @@ index 0000000..6ceb963
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
++kernel_read_network_state(glusterd_t)
++kernel_read_net_sysctls(glusterd_t)
++kernel_request_load_module(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
@@ -31543,7 +31563,7 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..8ff6f51 100644
+index e7f5c81..1a8d69e 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -1,4 +1,4 @@
@@ -31601,7 +31621,7 @@ index e7f5c81..8ff6f51 100644
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
-files_read_usr_files(kdumpgui_t)
-+fs_read_dos_files(kdumpgui_t)
++fs_manage_dos_files(kdumpgui_t)
fs_getattr_all_fs(kdumpgui_t)
fs_list_hugetlbfs(kdumpgui_t)
-fs_read_dos_files(kdumpgui_t)
@@ -33762,7 +33782,7 @@ index bc25c95..6692d91 100644
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
-index ee0c7cc..446c507 100644
+index ee0c7cc..c54e3d2 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,68 @@
@@ -33804,10 +33824,9 @@ index ee0c7cc..446c507 100644
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
-
- ########################################
- ##
--## List ldap database directories.
++
++########################################
++##
+## Execute slapd server in the slapd domain.
+##
+##
@@ -33828,9 +33847,10 @@ index ee0c7cc..446c507 100644
+
+ ps_process_pattern($1, slapd_t)
+')
-+
-+########################################
-+##
+
+ ########################################
+ ##
+-## List ldap database directories.
+## Read the contents of the OpenLDAP
+## database directories.
##
@@ -33870,41 +33890,82 @@ index ee0c7cc..446c507 100644
##
##
##
-@@ -55,8 +133,7 @@ interface(`ldap_use',`
+@@ -41,22 +119,27 @@ interface(`ldap_read_config',`
+
+ ########################################
+ ##
+-## Use LDAP over TCP connection. (Deprecated)
++## Read the OpenLDAP cert files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`ldap_use',`
+- refpolicywarn(`$0($*) has been deprecated.')
++interface(`ldap_read_certs',`
++ gen_require(`
++ type slapd_cert_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, slapd_cert_t, slapd_cert_t)
+ ')
########################################
##
-## Connect to slapd over an unix
-## stream socket.
-+## Connect to slapd over an unix stream socket.
++## Use LDAP over TCP connection. (Deprecated)
##
##
##
-@@ -75,29 +152,8 @@ interface(`ldap_stream_connect',`
+@@ -64,18 +147,13 @@ interface(`ldap_use',`
+ ##
+ ##
+ #
+-interface(`ldap_stream_connect',`
+- gen_require(`
+- type slapd_t, slapd_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
++interface(`ldap_use',`
++ refpolicywarn(`$0($*) has been deprecated.')
+ ')
########################################
##
-## Connect to ldap over the network.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Connect to slapd over an unix stream socket.
+ ##
+ ##
+ ##
+@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',`
+ ##
+ ##
+ #
-interface(`ldap_tcp_connect',`
-- gen_require(`
++interface(`ldap_stream_connect',`
+ gen_require(`
- type slapd_t;
-- ')
--
++ type slapd_t, slapd_var_run_t;
+ ')
+
- corenet_sendrecv_ldap_client_packets($1)
- corenet_tcp_connect_ldap_port($1)
- corenet_tcp_recvfrom_labeled($1, slapd_t)
- corenet_tcp_sendrecv_ldap_port($1)
--')
--
--########################################
--##
++ files_search_pids($1)
++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+ ')
+
+ ########################################
+ ##
-## All of the rules required to
-## administrate an ldap environment.
+## All of the rules required to administrate
@@ -33912,7 +33973,7 @@ index ee0c7cc..446c507 100644
##
##
##
-@@ -106,7 +162,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',`
##
##
##
@@ -33921,7 +33982,7 @@ index ee0c7cc..446c507 100644
##
##
##
-@@ -115,28 +171,28 @@ interface(`ldap_admin',`
+@@ -115,28 +191,28 @@ interface(`ldap_admin',`
gen_require(`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
@@ -33959,7 +34020,7 @@ index ee0c7cc..446c507 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
-@@ -144,4 +200,8 @@ interface(`ldap_admin',`
+@@ -144,4 +220,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
@@ -38048,7 +38109,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..f54f1e8 100644
+index 6194b80..97e35b2 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -38364,7 +38425,7 @@ index 6194b80..f54f1e8 100644
')
########################################
-@@ -303,102 +195,98 @@ interface(`mozilla_domtrans',`
+@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',`
type mozilla_t, mozilla_exec_t;
')
@@ -38398,6 +38459,7 @@ index 6194b80..f54f1e8 100644
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ allow mozilla_plugin_t $1:process signull;
+ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
++ dontaudit mozilla_plugin_t $1:process signal;
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:fd use;
+
@@ -38514,7 +38576,7 @@ index 6194b80..f54f1e8 100644
')
########################################
-@@ -424,8 +312,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
@@ -38524,7 +38586,7 @@ index 6194b80..f54f1e8 100644
##
##
##
-@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -38662,7 +38724,7 @@ index 6194b80..f54f1e8 100644
##
##
##
-@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -38687,7 +38749,7 @@ index 6194b80..f54f1e8 100644
##
##
##
-@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -39842,7 +39904,7 @@ index 5fa77c7..2e01c7d 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7c8afcc..97f2b6f 100644
+index 7c8afcc..2f41af9 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
@@ -39905,6 +39967,15 @@ index 7c8afcc..97f2b6f 100644
tunable_policy(`mpd_enable_homedirs',`
userdom_search_user_home_dirs(mpd_t)
+@@ -191,7 +202,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- pulseaudio_domtrans(mpd_t)
++ pulseaudio_exec(mpd_t)
+ ')
+
+ optional_policy(`
@@ -199,6 +210,16 @@ optional_policy(`
')
@@ -51088,20 +51159,54 @@ index 0000000..c1eed44
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
diff --git a/openvpn.fc b/openvpn.fc
-index 300213f..6f0d2e4 100644
+index 300213f..4cdfe09 100644
--- a/openvpn.fc
+++ b/openvpn.fc
-@@ -1,4 +1,5 @@
+@@ -1,10 +1,13 @@
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+
+ /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
++/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0)
++
+ /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
+ /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
+
diff --git a/openvpn.if b/openvpn.if
-index 6837e9a..af8f9d0 100644
+index 6837e9a..21e6dae 100644
--- a/openvpn.if
+++ b/openvpn.if
-@@ -147,9 +147,13 @@ interface(`openvpn_admin',`
+@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
+ ########################################
+ ##
+ ## Execute openvpn clients in the
++## caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openvpn_exec',`
++ gen_require(`
++ type openvpn_exec_t;
++ ')
++
++ can_exec($1, openvpn_exec_t)
++')
++
++########################################
++##
++## Execute openvpn clients in the
+ ## openvpn domain, and allow the
+ ## specified role the openvpn domain.
+ ##
+@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
type openvpn_status_t;
')
@@ -51117,7 +51222,7 @@ index 6837e9a..af8f9d0 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..8e252e4 100644
+index 3270ff9..8a6fbc2 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -51134,7 +51239,7 @@ index 3270ff9..8e252e4 100644
##
## Determine whether openvpn can
## read generic user home content files.
-@@ -26,6 +33,9 @@ files_config_file(openvpn_etc_t)
+@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -51144,7 +51249,16 @@ index 3270ff9..8e252e4 100644
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
-@@ -43,7 +53,7 @@ files_pid_file(openvpn_var_run_t)
+ type openvpn_status_t;
+ logging_log_file(openvpn_status_t)
+
++type openvpn_var_lib_t;
++files_type(openvpn_var_lib_t)
++
+ type openvpn_var_log_t;
+ logging_log_file(openvpn_var_log_t)
+
+@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
@@ -51153,17 +51267,20 @@ index 3270ff9..8e252e4 100644
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,6 +72,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
++
++manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
++files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-@@ -83,7 +96,6 @@ kernel_request_load_module(openvpn_t)
+@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -51171,7 +51288,7 @@ index 3270ff9..8e252e4 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -105,11 +117,12 @@ corenet_tcp_bind_http_port(openvpn_t)
+@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_sendrecv_http_port(openvpn_t)
@@ -51185,7 +51302,7 @@ index 3270ff9..8e252e4 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -121,18 +134,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
@@ -51213,7 +51330,7 @@ index 3270ff9..8e252e4 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -155,3 +174,27 @@ optional_policy(`
+@@ -155,3 +180,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -65786,7 +65903,7 @@ index 951db7f..7736755 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..f60c494 100644
+index 2c1730b..1e9ad6b 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -65838,7 +65955,7 @@ index 2c1730b..f60c494 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,19 +63,25 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +63,26 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -65849,6 +65966,7 @@ index 2c1730b..f60c494 100644
+dev_read_kvm(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
++dev_read_generic_usb_dev(mdadm_t)
+domain_read_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
@@ -65866,7 +65984,7 @@ index 2c1730b..f60c494 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +90,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -65887,7 +66005,7 @@ index 2c1730b..f60c494 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +121,17 @@ optional_policy(`
+@@ -97,9 +122,17 @@ optional_policy(`
')
optional_policy(`
@@ -67559,10 +67677,10 @@ index b418d1c..1ad9c12 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..347ddf7 100644
+index 47de2d6..98a4280 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,80 @@
+@@ -1,31 +1,85 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -67633,6 +67751,7 @@ index 47de2d6..347ddf7 100644
+
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
@@ -67644,12 +67763,15 @@ index 47de2d6..347ddf7 100644
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
++/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+
+/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0)
@@ -67666,6 +67788,7 @@ index 47de2d6..347ddf7 100644
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
index 56bc01f..4699b1b 100644
--- a/rhcs.if
@@ -68373,7 +68496,7 @@ index 56bc01f..4699b1b 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..1e8d8dc 100644
+index 2c2de9a..a4a6d82 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -68796,12 +68919,15 @@ index 2c2de9a..1e8d8dc 100644
#######################################
#
# foghorn local policy
-@@ -223,14 +505,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -221,16 +503,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+ corenet_tcp_connect_agentx_port(foghorn_t)
+ corenet_tcp_sendrecv_agentx_port(foghorn_t)
++corenet_tcp_connect_snmp_port(foghorn_t)
++
dev_read_urand(foghorn_t)
-files_read_usr_files(foghorn_t)
-+
+logging_send_syslog_msg(foghorn_t)
optional_policy(`
@@ -68810,7 +68936,6 @@ index 2c2de9a..1e8d8dc 100644
optional_policy(`
- snmp_read_snmp_var_lib_files(foghorn_t)
-+ #snmp_manage_var_lib_dirs(foghorn_t)
+ snmp_manage_var_lib_files(foghorn_t)
snmp_stream_connect(foghorn_t)
')
@@ -68824,7 +68949,7 @@ index 2c2de9a..1e8d8dc 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +561,36 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +561,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -68858,12 +68983,15 @@ index 2c2de9a..1e8d8dc 100644
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
+
++corenet_tcp_connect_fmpro_internal_port(haproxy_t)
++corenet_tcp_connect_rtp_media_port(haproxy_t)
++
+sysnet_dns_name_resolve(haproxy_t)
+
######################################
#
# qdiskd local policy
-@@ -321,6 +633,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +636,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -72020,7 +72148,7 @@ index 0628d50..84f2fd7 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..90177fd 100644
+index 5cbe81c..5b28e97 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -72401,11 +72529,11 @@ index 5cbe81c..90177fd 100644
logging_send_syslog_msg(rpm_script_t)
-miscfiles_read_localization(rpm_script_t)
-+miscfiles_filetrans_named_content(rpm_script_t)
-
+-
-modutils_run_depmod(rpm_script_t, rpm_roles)
-modutils_run_insmod(rpm_script_t, rpm_roles)
--
++miscfiles_filetrans_named_content(rpm_script_t)
+
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
-seutil_run_setfiles(rpm_script_t, rpm_roles)
-seutil_run_semanage(rpm_script_t, rpm_roles)
@@ -72419,7 +72547,7 @@ index 5cbe81c..90177fd 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,40 +379,58 @@ ifdef(`distro_redhat',`
+@@ -363,41 +379,61 @@ ifdef(`distro_redhat',`
')
')
@@ -72486,9 +72614,12 @@ index 5cbe81c..90177fd 100644
optional_policy(`
+ unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
++ domain_named_filetrans(rpm_script_t)
++
optional_policy(`
-@@ -409,6 +443,6 @@ optional_policy(`
+ java_domtrans_unconfined(rpm_script_t)
+@@ -409,6 +445,6 @@ optional_policy(`
')
optional_policy(`
@@ -77085,7 +77216,7 @@ index 98c9e0a..df51942 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 4a23d84..49c7362 100644
+index 4a23d84..d90604c 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
@@ -77115,7 +77246,7 @@ index 4a23d84..49c7362 100644
corenet_tcp_sendrecv_generic_if(sblim_domain)
corenet_tcp_sendrecv_generic_node(sblim_domain)
-@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
dev_read_sysfs(sblim_domain)
@@ -77124,7 +77255,8 @@ index 4a23d84..49c7362 100644
-files_read_etc_files(sblim_domain)
-
-miscfiles_read_localization(sblim_domain)
--
++auth_read_passwd(sblim_domain)
+
########################################
#
# Gatherd local policy
@@ -77137,7 +77269,7 @@ index 4a23d84..49c7362 100644
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
-@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
init_read_utmp(sblim_gatherd_t)
@@ -77146,7 +77278,7 @@ index 4a23d84..49c7362 100644
sysnet_dns_name_resolve(sblim_gatherd_t)
term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +92,9 @@ optional_policy(`
+@@ -103,8 +94,9 @@ optional_policy(`
')
optional_policy(`
@@ -77157,8 +77289,12 @@ index 4a23d84..49c7362 100644
')
optional_policy(`
-@@ -119,4 +109,6 @@ optional_policy(`
+@@ -117,6 +109,10 @@ optional_policy(`
+ # Reposd local policy
+ #
++corenet_tcp_bind_generic_node(sblim_reposd_t)
++
corenet_sendrecv_repository_server_packets(sblim_reposd_t)
corenet_tcp_bind_repository_port(sblim_reposd_t)
-corenet_tcp_bind_generic_node(sblim_domain)
@@ -82364,7 +82500,7 @@ index a240455..54c5c1f 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 8b537aa..eaa7a83 100644
+index 8b537aa..e9632c3 100644
--- a/sssd.te
+++ b/sssd.te
@@ -1,4 +1,4 @@
@@ -82453,7 +82589,7 @@ index 8b537aa..eaa7a83 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
-@@ -112,18 +105,30 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -82483,6 +82619,7 @@ index 8b537aa..eaa7a83 100644
+
+optional_policy(`
+ ldap_stream_connect(sssd_t)
++ ldap_read_certs(sssd_t)
+')
+
+userdom_home_reader(sssd_t)
@@ -85747,7 +85884,7 @@ index 67ca5c5..a1ef2d2 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..e56b59e 100644
+index a4a949c..9ae28c6 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
@@ -85815,13 +85952,12 @@ index a4a949c..e56b59e 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +78,20 @@ optional_policy(`
+@@ -69,7 +78,19 @@ optional_policy(`
')
optional_policy(`
- lpd_manage_spool(tmpreaper_t)
-+ lpd_list_spool(tmpreaper_t)
-+ lpd_read_spool(tmpreaper_t)
++ lpd_manage_spool(tmpreaper_t)
+')
+
+optional_policy(`
@@ -89995,7 +90131,7 @@ index 9dec06c..378880d 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..a8d17af 100644
+index 1f22fba..6b715d6 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,97 @@
@@ -91362,7 +91498,7 @@ index 1f22fba..a8d17af 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1041,40 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -91405,13 +91541,12 @@ index 1f22fba..a8d17af 100644
-
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
+allow svirt_lxc_domain self:key manage_key_perms;
-+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit };
++allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1082,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -91438,7 +91573,7 @@ index 1f22fba..a8d17af 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1100,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91458,7 +91593,7 @@ index 1f22fba..a8d17af 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1119,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -91485,7 +91620,7 @@ index 1f22fba..a8d17af 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1144,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -91531,11 +91666,12 @@ index 1f22fba..a8d17af 100644
+virt_lxc_domain_template(svirt_lxc_net)
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
++allow svirt_lxc_net_t self:process { execstack execmem };
+allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
+allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy-rawhide-roleattribute.patch b/policy-rawhide-roleattribute.patch
deleted file mode 100644
index ee99cdb9..00000000
--- a/policy-rawhide-roleattribute.patch
+++ /dev/null
@@ -1,1128 +0,0 @@
-commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b
-Author: Miroslav Grepl
-Date: Thu Jun 7 02:18:29 2012 +0200
-
- roleattribute patch
-
-diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index 4a50807..5e914db 100644
---- a/policy/modules/admin/bootloader.if
-+++ b/policy/modules/admin/bootloader.if
-@@ -56,11 +56,21 @@ interface(`bootloader_exec',`
- #
- interface(`bootloader_run',`
- gen_require(`
-- attribute_role bootloader_roles;
-+ type bootloader_t;
-+ #attribute_role bootloader_roles;
- ')
-
-+ #bootloader_domtrans($1)
-+ #roleattribute $2 bootloader_roles;
-+
- bootloader_domtrans($1)
-- roleattribute $2 bootloader_roles;
-+
-+ role $2 types bootloader_t;
-+
-+ ifdef(`distro_redhat',`
-+ # for mke2fs
-+ mount_run(bootloader_t, $2)
-+ ')
- ')
-
- ########################################
-diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index 81a08e4..e717a21 100644
---- a/policy/modules/admin/bootloader.te
-+++ b/policy/modules/admin/bootloader.te
-@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
- # Declarations
- #
-
--attribute_role bootloader_roles;
--roleattribute system_r bootloader_roles;
-+#attribute_role bootloader_roles;
-+#roleattribute system_r bootloader_roles;
-
- #
- # boot_runtime_t is the type for /boot/kernel.h,
-@@ -19,7 +19,8 @@ files_type(boot_runtime_t)
- type bootloader_t;
- type bootloader_exec_t;
- application_domain(bootloader_t, bootloader_exec_t)
--role bootloader_roles types bootloader_t;
-+#role bootloader_roles types bootloader_t;
-+role system_r types bootloader_t;
-
- #
- # bootloader_etc_t is the configuration file,
-@@ -174,7 +175,8 @@ ifdef(`distro_redhat',`
- files_manage_isid_type_chr_files(bootloader_t)
-
- # for mke2fs
-- mount_run(bootloader_t, bootloader_roles)
-+ #mount_run(bootloader_t, bootloader_roles)
-+ mount_domtrans(bootloader_t)
-
- optional_policy(`
- unconfined_domain(bootloader_t)
-diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 4d387af..764260e 100644
---- a/policy/modules/admin/usermanage.if
-+++ b/policy/modules/admin/usermanage.if
-@@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
- #
- interface(`usermanage_run_chfn',`
- gen_require(`
-- attribute_role chfn_roles;
-+ #attribute_role chfn_roles;
-+ type chfn_t;
- ')
-
-+ #usermanage_domtrans_chfn($1)
-+ #roleattribute $2 chfn_roles;
-+
- usermanage_domtrans_chfn($1)
-- roleattribute $2 chfn_roles;
-+ role $2 types chfn_t;
-+
- ')
-
- ########################################
-@@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',`
- #
- interface(`usermanage_run_groupadd',`
- gen_require(`
-- attribute_role groupadd_roles;
-+ type groupadd_t;
-+ #attribute_role groupadd_roles;
- ')
-
-+ #usermanage_domtrans_groupadd($1)
-+ #roleattribute $2 groupadd_roles;
- usermanage_domtrans_groupadd($1)
-- roleattribute $2 groupadd_roles;
-+ role $2 types groupadd_t;
-+
-+ optional_policy(`
-+ nscd_run(groupadd_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',`
- #
- interface(`usermanage_run_passwd',`
- gen_require(`
-- attribute_role passwd_roles;
-+ type type passwd_t;
-+ #attribute_role passwd_roles;
- ')
-
-+ #usermanage_domtrans_passwd($1)
-+ #roleattribute $2 passwd_roles;
-+
- usermanage_domtrans_passwd($1)
-- roleattribute $2 passwd_roles;
-+ role $2 types passwd_t;
-+ auth_run_chk_passwd(passwd_t, $2)
-+
- ')
-
- ########################################
-@@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',`
- #
- interface(`usermanage_run_admin_passwd',`
- gen_require(`
-- attribute_role sysadm_passwd_roles;
-+ type sysadm_passwd_t;
-+ #attribute_role sysadm_passwd_roles;
- ')
-
-+ #usermanage_domtrans_admin_passwd($1)
-+ #roleattribute $2 sysadm_passwd_roles;
-+
- usermanage_domtrans_admin_passwd($1)
-- roleattribute $2 sysadm_passwd_roles;
-+ role $2 types sysadm_passwd_t;
-+
-+ optional_policy(`
-+ nscd_run(sysadm_passwd_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',`
- #
- interface(`usermanage_run_useradd',`
- gen_require(`
-- attribute_role useradd_roles;
-+ #attribute_role useradd_roles;
-+ type sysadm_passwd_t;
- ')
-
-- usermanage_domtrans_useradd($1)
-- roleattribute $2 useradd_roles;
-+ #usermanage_domtrans_useradd($1)
-+ #roleattribute $2 useradd_roles;
-+
-+ usermanage_domtrans_admin_passwd($1)
-+ role $2 types sysadm_passwd_t;
-+
-+ optional_policy(`
-+ nscd_run(sysadm_passwd_t, $2)
-+ ')
-+
- ')
-
- ########################################
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 446b743..a077b28 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
- # Declarations
- #
-
--attribute_role chfn_roles;
--role system_r types chfn_t;
-+#attribute_role chfn_roles;
-+#role system_r types chfn_t;
-
--attribute_role groupadd_roles;
-+#attribute_role groupadd_roles;
-
--attribute_role passwd_roles;
--roleattribute system_r passwd_roles;
-+#attribute_role passwd_roles;
-+#roleattribute system_r passwd_roles;
-
--attribute_role sysadm_passwd_roles;
--roleattribute system_r sysadm_passwd_roles;
-+#attribute_role sysadm_passwd_roles;
-+#roleattribute system_r sysadm_passwd_roles;
-
--attribute_role useradd_roles;
-+#attribute_role useradd_roles;
-
- type admin_passwd_exec_t;
- files_type(admin_passwd_exec_t)
-@@ -25,7 +25,8 @@ type chfn_t;
- type chfn_exec_t;
- domain_obj_id_change_exemption(chfn_t)
- application_domain(chfn_t, chfn_exec_t)
--role chfn_roles types chfn_t;
-+#role chfn_roles types chfn_t;
-+role system_r types chfn_t;
-
- type crack_t;
- type crack_exec_t;
-@@ -42,18 +43,21 @@ type groupadd_t;
- type groupadd_exec_t;
- domain_obj_id_change_exemption(groupadd_t)
- init_system_domain(groupadd_t, groupadd_exec_t)
--role groupadd_roles types groupadd_t;
-+#role groupadd_roles types groupadd_t;
-+
-
- type passwd_t;
- type passwd_exec_t;
- domain_obj_id_change_exemption(passwd_t)
- application_domain(passwd_t, passwd_exec_t)
--role passwd_roles types passwd_t;
-+#role passwd_roles types passwd_t;
-+role system_r types passwd_t;
-
- type sysadm_passwd_t;
- domain_obj_id_change_exemption(sysadm_passwd_t)
- application_domain(sysadm_passwd_t, admin_passwd_exec_t)
--role sysadm_passwd_roles types sysadm_passwd_t;
-+#role sysadm_passwd_roles types sysadm_passwd_t;
-+role system_r types sysadm_passwd_t;
-
- type sysadm_passwd_tmp_t;
- files_tmp_file(sysadm_passwd_tmp_t)
-@@ -62,7 +66,8 @@ type useradd_t;
- type useradd_exec_t;
- domain_obj_id_change_exemption(useradd_t)
- init_system_domain(useradd_t, useradd_exec_t)
--role useradd_roles types useradd_t;
-+#role useradd_roles types useradd_t;
-+role system_r types useradd_t;
-
- ########################################
- #
-@@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t)
- dev_read_urand(chfn_t)
- dev_dontaudit_getattr_all(chfn_t)
-
--#auth_manage_passwd(chfn_t)
--#auth_use_pam(chfn_t)
--auth_run_chk_passwd(chfn_t, chfn_roles)
--auth_dontaudit_read_shadow(chfn_t)
--auth_use_nsswitch(chfn_t)
-+auth_manage_passwd(chfn_t)
-+auth_use_pam(chfn_t)
-+#auth_run_chk_passwd(chfn_t, chfn_roles)
-+#auth_dontaudit_read_shadow(chfn_t)
-+#auth_use_nsswitch(chfn_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(chfn_t)
-@@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t)
-
- miscfiles_read_localization(groupadd_t)
-
--auth_run_chk_passwd(groupadd_t, groupadd_roles)
-+#auth_run_chk_passwd(groupadd_t, groupadd_roles)
-+auth_domtrans_chk_passwd(groupadd_t)
- auth_rw_lastlog(groupadd_t)
- auth_use_nsswitch(groupadd_t)
- auth_manage_passwd(groupadd_t)
-@@ -273,7 +279,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_run(groupadd_t, groupadd_roles)
-+# nscd_run(groupadd_t, groupadd_roles)
-+ nscd_domtrans(groupadd_t)
- ')
-
- optional_policy(`
-@@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t)
- term_use_all_inherited_terms(passwd_t)
- term_getattr_all_ptys(passwd_t)
-
--#auth_manage_passwd(passwd_t)
--#auth_manage_shadow(passwd_t)
--#auth_relabel_shadow(passwd_t)
--#auth_etc_filetrans_shadow(passwd_t)
--#auth_use_pam(passwd_t)
--
--auth_run_chk_passwd(passwd_t, passwd_roles)
- auth_manage_passwd(passwd_t)
- auth_manage_shadow(passwd_t)
- auth_relabel_shadow(passwd_t)
- auth_etc_filetrans_shadow(passwd_t)
--auth_use_nsswitch(passwd_t)
-+auth_use_pam(passwd_t)
-+
-+#auth_run_chk_passwd(passwd_t, passwd_roles)
-+#auth_manage_passwd(passwd_t)
-+#auth_manage_shadow(passwd_t)
-+#auth_relabel_shadow(passwd_t)
-+#auth_etc_filetrans_shadow(passwd_t)
-+#auth_use_nsswitch(passwd_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(passwd_t)
-@@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t)
- userdom_stream_connect(passwd_t)
-
- optional_policy(`
-- nscd_run(passwd_t, passwd_roles)
-+ #nscd_run(passwd_t, passwd_roles)
-+ nscd_domtrans(passwd_t)
- ')
-
- ########################################
-@@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
- userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
-
- optional_policy(`
-- nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
-+ nscd_domtrans(sysadm_passwd_t)
-+ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
- ')
-
- ########################################
-@@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t)
- term_use_all_inherited_terms(useradd_t)
- term_getattr_all_ptys(useradd_t)
-
--auth_run_chk_passwd(useradd_t, useradd_roles)
-+#auth_run_chk_passwd(useradd_t, useradd_roles)
-+auth_domtrans_chk_passwd(useradd_t)
- auth_rw_lastlog(useradd_t)
- auth_rw_faillog(useradd_t)
- auth_use_nsswitch(useradd_t)
-@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t)
- seutil_read_config(useradd_t)
- seutil_read_file_contexts(useradd_t)
- seutil_read_default_contexts(useradd_t)
--#seutil_domtrans_semanage(useradd_t)
--#seutil_domtrans_setfiles(useradd_t)
--#seutil_domtrans_loadpolicy(useradd_t)
--#seutil_manage_bin_policy(useradd_t)
--#seutil_manage_module_store(useradd_t)
--#seutil_get_semanage_trans_lock(useradd_t)
--#seutil_get_semanage_read_lock(useradd_t)
--seutil_run_semanage(useradd_t, useradd_roles)
--seutil_run_setfiles(useradd_t, useradd_roles)
-+seutil_domtrans_semanage(useradd_t)
-+seutil_domtrans_setfiles(useradd_t)
-+seutil_domtrans_loadpolicy(useradd_t)
-+seutil_manage_bin_policy(useradd_t)
-+seutil_manage_module_store(useradd_t)
-+seutil_get_semanage_trans_lock(useradd_t)
-+seutil_get_semanage_read_lock(useradd_t)
-+#seutil_run_semanage(useradd_t, useradd_roles)
-+#seutil_run_setfiles(useradd_t, useradd_roles)
-
- userdom_use_unpriv_users_fds(useradd_t)
- # Add/remove user home directories
-@@ -576,7 +586,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_run(useradd_t, useradd_roles)
-+ nscd_domtrans(useradd_t)
-+# nscd_run(useradd_t, useradd_roles)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index 174cfdb..7071460 100644
---- a/policy/modules/system/iptables.if
-+++ b/policy/modules/system/iptables.if
-@@ -38,11 +38,22 @@ interface(`iptables_domtrans',`
- #
- interface(`iptables_run',`
- gen_require(`
-- attribute_role iptables_roles;
-+ #attribute_role iptables_roles;
-+ type iptables_t;
- ')
-
-+ #iptables_domtrans($1)
-+ #roleattribute $2 iptables_roles;
-+
- iptables_domtrans($1)
-- roleattribute $2 iptables_roles;
-+ role $2 types iptables_t;
-+
-+ sysnet_run_ifconfig(iptables_t, $2)
-+
-+ optional_policy(`
-+ modutils_run_insmod(iptables_t, $2)
-+ ')
-+
- ')
-
- ########################################
-diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index cc8d773..36e02fa 100644
---- a/policy/modules/system/iptables.te
-+++ b/policy/modules/system/iptables.te
-@@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0)
- # Declarations
- #
-
--attribute_role iptables_roles;
--roleattribute system_r iptables_roles;
-+#attribute_role iptables_roles;
-+#roleattribute system_r iptables_roles;
-
- type iptables_t;
- type iptables_exec_t;
- init_system_domain(iptables_t, iptables_exec_t)
--role iptables_roles types iptables_t;
-+#role iptables_roles types iptables_t;
-+role system_r types iptables_t;
-
- type iptables_initrc_exec_t;
- init_script_file(iptables_initrc_exec_t)
-@@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t)
-
- miscfiles_read_localization(iptables_t)
-
--sysnet_run_ifconfig(iptables_t, iptables_roles)
-+#sysnet_run_ifconfig(iptables_t, iptables_roles)
-+sysnet_domtrans_ifconfig(iptables_t)
- sysnet_dns_name_resolve(iptables_t)
-
- userdom_use_inherited_user_terminals(iptables_t)
-@@ -119,7 +121,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- modutils_run_insmod(iptables_t, iptables_roles)
-+ modutils_domtrans_insmod(iptables_t)
-+ #modutils_run_insmod(iptables_t, iptables_roles)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 786f87a..2debedc 100644
---- a/policy/modules/system/modutils.if
-+++ b/policy/modules/system/modutils.if
-@@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',`
- #
- interface(`modutils_run_update_mods',`
- gen_require(`
-- attribute_role update_modules_roles;
-+ #attribute_role update_modules_roles;
-+ type update_modules_t;
- ')
-
-+ #modutils_domtrans_update_mods($1)
-+ #roleattribute $2 update_modules_roles;
-+
- modutils_domtrans_update_mods($1)
-- roleattribute $2 update_modules_roles;
-+ role $2 types update_modules_t;
-+
-+ modutils_run_insmod(update_modules_t, $2)
-+
- ')
-
- ########################################
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index b83608d..86a7107 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1)
- # Declarations
- #
-
--attribute_role update_modules_roles;
-+#attribute_role update_modules_roles;
-
- type depmod_t;
- type depmod_exec_t;
-@@ -30,8 +30,9 @@ files_type(modules_dep_t)
- type update_modules_t;
- type update_modules_exec_t;
- init_system_domain(update_modules_t, update_modules_exec_t)
--roleattribute system_r update_modules_roles;
--role update_modules_roles types update_modules_t;
-+#roleattribute system_r update_modules_roles;
-+#role update_modules_roles types update_modules_t;
-+role system_r types update_modules_t;
-
- type update_modules_tmp_t;
- files_tmp_file(update_modules_tmp_t)
-@@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
-
- miscfiles_read_localization(update_modules_t)
-
--modutils_run_insmod(update_modules_t, update_modules_roles)
-+#modutils_run_insmod(update_modules_t, update_modules_roles)
-
- userdom_use_inherited_user_terminals(update_modules_t)
- userdom_dontaudit_search_user_home_dirs(update_modules_t)
-diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 52e78b8..4881d86 100644
---- a/policy/modules/system/mount.if
-+++ b/policy/modules/system/mount.if
-@@ -44,11 +44,36 @@ interface(`mount_domtrans',`
- #
- interface(`mount_run',`
- gen_require(`
-- attribute_role mount_roles;
-+ #attribute_role mount_roles;
-+ type mount_t;
- ')
-
-+ #mount_domtrans($1)
-+ #roleattribute $2 mount_roles;
-+
- mount_domtrans($1)
-- roleattribute $2 mount_roles;
-+ role $2 types mount_t;
-+
-+ optional_policy(`
-+ fstools_run(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ lvm_run(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ modutils_run_insmod(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ rpc_run_rpcd(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ samba_run_smbmount(mount_t, $2)
-+ ')
-+
- ')
-
- ########################################
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index cc76452..14320fe 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2)
- ##
- gen_tunable(allow_mount_anyfile, false)
-
--attribute_role mount_roles;
--roleattribute system_r mount_roles;
-+#attribute_role mount_roles;
-+#roleattribute system_r mount_roles;
-
- type mount_t;
- type mount_exec_t;
- init_system_domain(mount_t, mount_exec_t)
--role mount_roles types mount_t;
-+#role mount_roles types mount_t;
-+role system_r types mount_t;
-
- type fusermount_exec_t;
- domain_entry_file(mount_t, fusermount_exec_t)
-@@ -286,25 +287,28 @@ optional_policy(`
-
- # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
- optional_policy(`
-- lvm_run(mount_t, mount_roles)
-+# lvm_run(mount_t, mount_roles)
-+ lvm_domtrans(mount_t)
- ')
-
- optional_policy(`
-- modutils_run_insmod(mount_t, mount_roles)
-+ #modutils_run_insmod(mount_t, mount_roles)
-+ modutils_domtrans_insmod(mount_t)
- modutils_read_module_deps(mount_t)
- ')
-
- optional_policy(`
-- fstools_run(mount_t, mount_roles)
-+ fstools_domtrans(mount_t)
-+ #fstools_run(mount_t, mount_roles)
- ')
-
- optional_policy(`
- rhcs_stream_connect_gfs_controld(mount_t)
- ')
-
--optional_policy(`
-- rpc_run_rpcd(mount_t, mount_roles)
--')
-+#optional_policy(`
-+# rpc_run_rpcd(mount_t, mount_roles)
-+#')
-
- # for kernel package installation
- optional_policy(`
-@@ -314,7 +318,8 @@ optional_policy(`
-
- optional_policy(`
- samba_read_config(mount_t)
-- samba_run_smbmount(mount_t, mount_roles)
-+ samba_domtrans_smbmount(mount_t)
-+ #samba_run_smbmount(mount_t, mount_roles)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index a853819..cebf588 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
- #
- interface(`seutil_run_newrole',`
- gen_require(`
-- attribute_role newrole_roles;
-+ type newrole_t;
-+ #attribute_role newrole_roles;
- ')
-
-+ #seutil_domtrans_newrole($1)
-+ #roleattribute $2 newrole_roles;
-+
- seutil_domtrans_newrole($1)
-- roleattribute $2 newrole_roles;
-+ role $2 types newrole_t;
-+
-+ auth_run_upd_passwd(newrole_t, $2)
-+
-+ optional_policy(`
-+ namespace_init_run(newrole_t, $2)
-+ ')
-+
- ')
-
- ########################################
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 2aee0c0..4c24e3e 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy;
- attribute setfiles_domain;
- attribute seutil_semanage_domain;
-
--attribute_role newrole_roles;
-+#attribute_role newrole_roles;
-
- attribute_role run_init_roles;
- role system_r types run_init_t;
-@@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t)
- domain_role_change_exemption(newrole_t)
- domain_obj_id_change_exemption(newrole_t)
- domain_interactive_fd(newrole_t)
--role newrole_roles types newrole_t;
-+#role newrole_roles types newrole_t;
-+role system_r types newrole_t;
-
- #
- # policy_config_t is the type of /etc/security/selinux/*
-@@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t)
- term_getattr_unallocated_ttys(newrole_t)
- term_dontaudit_use_unallocated_ttys(newrole_t)
-
--auth_use_nsswitch(newrole_t)
--auth_run_chk_passwd(newrole_t, newrole_roles)
--auth_run_upd_passwd(newrole_t, newrole_roles)
--auth_rw_faillog(newrole_t)
-+#auth_use_nsswitch(newrole_t)
-+#auth_run_chk_passwd(newrole_t, newrole_roles)
-+#auth_run_upd_passwd(newrole_t, newrole_roles)
-+#auth_rw_faillog(newrole_t)
-+auth_use_pam(newrole_t)
-
- # Write to utmp.
- init_rw_utmp(newrole_t)
-@@ -322,9 +324,9 @@ optional_policy(`
- dbus_system_bus_client(newrole_t)
- ')
-
--optional_policy(`
-- namespace_init_run(newrole_t, newrole_roles)
--')
-+#optional_policy(`
-+# namespace_init_run(newrole_t, newrole_roles)
-+#')
-
-
- optional_policy(`
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 7b08f77..949fdcc 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
- #
- interface(`sysnet_run_dhcpc',`
- gen_require(`
-- attribute_role dhcpc_roles;
-+ type dhcpc_t;
-+ #attribute_role dhcpc_roles;
- ')
-
-+ #sysnet_domtrans_dhcpc($1)
-+ #roleattribute $2 dhcpc_roles;
-+
- sysnet_domtrans_dhcpc($1)
-- roleattribute $2 dhcpc_roles;
-+ role $2 types dhcpc_t;
-+
-+ modutils_run_insmod(dhcpc_t, $2)
-+
-+ sysnet_run_ifconfig(dhcpc_t, $2)
-+
-+ optional_policy(`
-+ hostname_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ netutils_run(dhcpc_t, $2)
-+ netutils_run_ping(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ nis_run_ypbind(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ nscd_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ ntp_run(dhcpc_t, $2)
-+ ')
-+
-+ seutil_run_setfiles(dhcpc_t, $2)
-+
- ')
-
- ########################################
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 2d2b6ef..1bfcd4f 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2)
- ##
- gen_tunable(dhcpc_exec_iptables, false)
-
--attribute_role dhcpc_roles;
--roleattribute system_r dhcpc_roles;
-+#attribute_role dhcpc_roles;
-+#roleattribute system_r dhcpc_roles;
-
- # this is shared between dhcpc and dhcpd:
- type dhcp_etc_t;
-@@ -27,7 +27,8 @@ files_type(dhcp_state_t)
- type dhcpc_t;
- type dhcpc_exec_t;
- init_daemon_domain(dhcpc_t, dhcpc_exec_t)
--role dhcpc_roles types dhcpc_t;
-+#role dhcpc_roles types dhcpc_t;
-+role system_r types dhcpc_t;
-
- type dhcpc_helper_exec_t;
- init_script_file(dhcpc_helper_exec_t)
-@@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t)
- miscfiles_read_generic_certs(dhcpc_t)
- miscfiles_read_localization(dhcpc_t)
-
--modutils_run_insmod(dhcpc_t, dhcpc_roles)
-+#modutils_run_insmod(dhcpc_t, dhcpc_roles)
-+modutils_domtrans_insmod(dhcpc_t)
-+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-
--sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-
- userdom_use_user_terminals(dhcpc_t)
- userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--optional_policy(`
-- consoletype_run(dhcpc_t, dhcpc_roles)
--')
-+#optional_policy(`
-+# consoletype_run(dhcpc_t, dhcpc_roles)
-+#')
-
- optional_policy(`
- chronyd_initrc_domtrans(dhcpc_t)
-@@ -203,7 +205,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- hostname_run(dhcpc_t, dhcpc_roles)
-+ hostname_domtrans(dhcpc_t)
-+# hostname_run(dhcpc_t, dhcpc_roles)
- ')
-
- optional_policy(`
-commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1
-Author: Miroslav Grepl