* Mon Apr 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-30

- Allow alsa_t signal_perms, we probaly should search for any app that c - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets - Fix deny_ptrace boolean, certain ptrace leaked into the system - Allow winbind to manage kerberos_rcache_host - Allow spamd to create spamd_var_lib_t directories - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage - Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_di - Fix vmware_role() interface - Fix cobbler_manage_lib_files() interface - Allow nagios check disk plugins to execute bin_t - Allow quantum to transition to openvswitch_t - Allow postdrop to stream connect to postfix-master - Allow quantum to stream connect to openvswitch - Add xserver_dontaudit_xdm_rw_stream_sockets() interface - Allow daemon to send dgrams to initrc_t - Allow kdm to start the power service to initiate a reboot or poweroff
2013-04-15 12:26:13 +02:00 · 2013-04-15 12:26:13 +02:00 · 1d348dfc25
commit 1d348dfc25
parent fa447f104a
3 changed files with 414 additions and 210 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -22234,7 +22234,7 @@ index d1f64a0..3be3d00 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..0ef3955 100644
+index 6bf0ecc..2706448 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -23084,7 +23084,33 @@ index 6bf0ecc..0ef3955 100644
 	gen_require(`
 		type xserver_t;
 	')
-@@ -1226,6 +1595,26 @@ interface(`xserver_stream_connect',`
+@@ -1210,6 +1579,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
 ########################################
 ## <summary>
 +##	Do not audit attempts to read and write xdm
 +##	unix domain stream sockets.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
 +    gen_require(`
 +        type xdm_t;
 +    ')
 +
 +    dontaudit $1 xdm_t:unix_stream_socket { read write };
 +')
 +
 +########################################
 +## <summary>
 ##	Connect to the X server over a unix domain
 ##	stream socket.
 ## </summary>
@@ -1226,6 +1614,26 @@ interface(`xserver_stream_connect',`
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -23111,7 +23137,7 @@ index 6bf0ecc..0ef3955 100644
 ')
 ########################################
-@@ -1251,7 +1640,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1659,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -23120,7 +23146,7 @@ index 6bf0ecc..0ef3955 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1261,13 +1650,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1669,23 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -23145,7 +23171,7 @@ index 6bf0ecc..0ef3955 100644
 ')
 ########################################
-@@ -1284,10 +1683,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1702,604 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -23753,7 +23779,7 @@ index 6bf0ecc..0ef3955 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..48c4924 100644
+index 2696452..d6f03e7 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@ -24318,7 +24344,7 @@ index 2696452..48c4924 100644
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +620,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +620,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -24361,10 +24387,11 @@ index 2696452..48c4924 100644
 -sysnet_read_config(xdm_t)
 +systemd_write_inhibit_pipes(xdm_t)
 +systemd_dbus_chat_localed(xdm_t)
 +systemd_start_power_services(xdm_t)
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +664,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +665,43 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -24414,7 +24441,7 @@ index 2696452..48c4924 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,11 +714,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +715,26 @@ tunable_policy(`xdm_sysadm_login',`
 ')
 optional_policy(`
@ -24441,7 +24468,7 @@ index 2696452..48c4924 100644
 ')
 optional_policy(`
-@@ -514,12 +741,72 @@ optional_policy(`
+@@ -514,12 +742,72 @@ optional_policy(`
 ')
 optional_policy(`
@ -24514,7 +24541,7 @@ index 2696452..48c4924 100644
 	hostname_exec(xdm_t)
 ')
-@@ -537,28 +824,78 @@ optional_policy(`
+@@ -537,28 +825,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -24602,7 +24629,7 @@ index 2696452..48c4924 100644
 ')
 optional_policy(`
-@@ -570,6 +907,14 @@ optional_policy(`
+@@ -570,6 +908,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -24617,7 +24644,7 @@ index 2696452..48c4924 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,8 +939,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +940,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -24630,7 +24657,7 @@ index 2696452..48c4924 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +956,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +957,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -24646,7 +24673,7 @@ index 2696452..48c4924 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +972,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +973,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -24657,7 +24684,7 @@ index 2696452..48c4924 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +987,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +988,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -24679,7 +24706,7 @@ index 2696452..48c4924 100644
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1007,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1008,12 @@ kernel_read_modprobe_sysctls(xserver_t)
 # Xorg wants to check if kernel is tainted
 kernel_read_kernel_sysctls(xserver_t)
 kernel_write_proc_files(xserver_t)
@ -24693,7 +24720,7 @@ index 2696452..48c4924 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1033,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1034,27 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -24724,7 +24751,7 @@ index 2696452..48c4924 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -694,7 +1064,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1065,16 @@ fs_getattr_xattr_fs(xserver_t)
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -24742,7 +24769,7 @@ index 2696452..48c4924 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -708,20 +1087,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1088,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -24766,7 +24793,7 @@ index 2696452..48c4924 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1106,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1107,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
@ -24775,7 +24802,7 @@ index 2696452..48c4924 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1150,44 @@ optional_policy(`
+@@ -775,16 +1151,44 @@ optional_policy(`
 ')
 optional_policy(`
@ -24821,7 +24848,7 @@ index 2696452..48c4924 100644
 	unconfined_domtrans(xserver_t)
 ')
-@@ -793,6 +1196,10 @@ optional_policy(`
+@@ -793,6 +1197,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -24832,7 +24859,7 @@ index 2696452..48c4924 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -808,10 +1215,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1216,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -24846,7 +24873,7 @@ index 2696452..48c4924 100644
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1226,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1227,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 # Run xkbcomp.
@ -24855,7 +24882,7 @@ index 2696452..48c4924 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -832,26 +1239,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1240,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -24890,7 +24917,7 @@ index 2696452..48c4924 100644
 ')
 optional_policy(`
-@@ -902,7 +1304,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1305,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -24899,7 +24926,7 @@ index 2696452..48c4924 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1358,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1359,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -24931,7 +24958,7 @@ index 2696452..48c4924 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1404,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1405,40 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
@ -28170,7 +28197,7 @@ index 24e7804..1894886 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..84ffb31 100644
+index dd3be8d..969bda2 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -28277,7 +28304,7 @@ index dd3be8d..84ffb31 100644
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
-@@ -110,12 +145,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
 # Re-exec itself
 can_exec(init_t, init_exec_t)
@ -28291,6 +28318,7 @@ index dd3be8d..84ffb31 100644
 +manage_files_pattern(init_t, initrc_state_t, initrc_state_t)
 +can_exec(init_t, initrc_state_t)
 +
 +allow daemon initrc_t:unix_dgram_socket sendto;
 +allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
 +allow initrc_t init_t:fifo_file rw_fifo_file_perms;
@ -28316,7 +28344,7 @@ index dd3be8d..84ffb31 100644
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +180,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -28335,7 +28363,7 @@ index dd3be8d..84ffb31 100644
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,14 +198,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -28356,7 +28384,7 @@ index dd3be8d..84ffb31 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +221,48 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +222,48 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 mcs_process_set_categories(init_t)
@ -28408,7 +28436,7 @@ index dd3be8d..84ffb31 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +271,178 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +272,178 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -28595,7 +28623,7 @@ index dd3be8d..84ffb31 100644
 ')
 optional_policy(`
-@@ -216,6 +450,27 @@ optional_policy(`
+@@ -216,6 +451,27 @@ optional_policy(`
 ')
 optional_policy(`
@ -28623,7 +28651,7 @@ index dd3be8d..84ffb31 100644
 	unconfined_domain(init_t)
 ')
-@@ -225,8 +480,9 @@ optional_policy(`
+@@ -225,8 +481,9 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -28635,7 +28663,7 @@ index dd3be8d..84ffb31 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +514,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -28652,7 +28680,7 @@ index dd3be8d..84ffb31 100644
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +539,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -28695,7 +28723,7 @@ index dd3be8d..84ffb31 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +576,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -28707,7 +28735,7 @@ index dd3be8d..84ffb31 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +588,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -28718,7 +28746,7 @@ index dd3be8d..84ffb31 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -321,8 +598,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +599,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -28728,7 +28756,7 @@ index dd3be8d..84ffb31 100644
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -331,7 +607,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +608,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -28736,7 +28764,7 @@ index dd3be8d..84ffb31 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -339,6 +614,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -28744,7 +28772,7 @@ index dd3be8d..84ffb31 100644
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -346,14 +622,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +623,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -28762,7 +28790,7 @@ index dd3be8d..84ffb31 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -363,8 +640,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +641,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -28776,7 +28804,7 @@ index dd3be8d..84ffb31 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -374,10 +655,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +656,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -28790,7 +28818,7 @@ index dd3be8d..84ffb31 100644
 mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
-@@ -386,6 +668,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +669,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -28798,7 +28826,7 @@ index dd3be8d..84ffb31 100644
 selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +680,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +681,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 auth_rw_login_records(initrc_t)
@ -28806,7 +28834,7 @@ index dd3be8d..84ffb31 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -415,20 +699,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +700,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
@ -28830,7 +28858,7 @@ index dd3be8d..84ffb31 100644
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +732,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +733,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -28838,7 +28866,7 @@ index dd3be8d..84ffb31 100644
 	term_create_console_dev(initrc_t)
 	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +766,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +767,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 	optional_policy(`
@ -28849,7 +28877,7 @@ index dd3be8d..84ffb31 100644
 		alsa_read_lib(initrc_t)
 	')
-@@ -505,7 +790,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +791,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -28858,7 +28886,7 @@ index dd3be8d..84ffb31 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -520,6 +805,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +806,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -28866,7 +28894,7 @@ index dd3be8d..84ffb31 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +826,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +827,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -28874,7 +28902,7 @@ index dd3be8d..84ffb31 100644
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +836,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +837,44 @@ ifdef(`distro_redhat',`
 	')
 	optional_policy(`
@ -28919,7 +28947,7 @@ index dd3be8d..84ffb31 100644
 	')
 	optional_policy(`
-@@ -558,14 +881,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +882,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -28951,7 +28979,7 @@ index dd3be8d..84ffb31 100644
 	')
 ')
-@@ -576,6 +916,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +917,39 @@ ifdef(`distro_suse',`
 	')
 ')
@ -28991,7 +29019,7 @@ index dd3be8d..84ffb31 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +961,8 @@ optional_policy(`
+@@ -588,6 +962,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -29000,7 +29028,7 @@ index dd3be8d..84ffb31 100644
 ')
 optional_policy(`
-@@ -609,6 +984,7 @@ optional_policy(`
+@@ -609,6 +985,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -29008,7 +29036,7 @@ index dd3be8d..84ffb31 100644
 ')
 optional_policy(`
-@@ -625,6 +1001,17 @@ optional_policy(`
+@@ -625,6 +1002,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -29026,7 +29054,7 @@ index dd3be8d..84ffb31 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -641,9 +1028,13 @@ optional_policy(`
+@@ -641,9 +1029,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -29040,7 +29068,7 @@ index dd3be8d..84ffb31 100644
 	')
 	optional_policy(`
-@@ -656,15 +1047,11 @@ optional_policy(`
+@@ -656,15 +1048,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -29058,7 +29086,7 @@ index dd3be8d..84ffb31 100644
 ')
 optional_policy(`
-@@ -685,6 +1072,15 @@ optional_policy(`
+@@ -685,6 +1073,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -29074,7 +29102,7 @@ index dd3be8d..84ffb31 100644
 	inn_exec_config(initrc_t)
 ')
-@@ -725,6 +1121,7 @@ optional_policy(`
+@@ -725,6 +1122,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 	lpd_read_config(initrc_t)
@ -29082,7 +29110,7 @@ index dd3be8d..84ffb31 100644
 ')
 optional_policy(`
-@@ -742,7 +1139,14 @@ optional_policy(`
+@@ -742,7 +1140,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -29097,7 +29125,7 @@ index dd3be8d..84ffb31 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -765,6 +1169,10 @@ optional_policy(`
+@@ -765,6 +1170,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29108,7 +29136,7 @@ index dd3be8d..84ffb31 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -774,10 +1182,20 @@ optional_policy(`
+@@ -774,10 +1183,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -29129,7 +29157,7 @@ index dd3be8d..84ffb31 100644
 	quota_manage_flags(initrc_t)
 ')
-@@ -786,6 +1204,10 @@ optional_policy(`
+@@ -786,6 +1205,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29140,7 +29168,7 @@ index dd3be8d..84ffb31 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -807,8 +1229,6 @@ optional_policy(`
+@@ -807,8 +1230,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -29149,7 +29177,7 @@ index dd3be8d..84ffb31 100644
 ')
 optional_policy(`
-@@ -817,6 +1237,10 @@ optional_policy(`
+@@ -817,6 +1238,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29160,7 +29188,7 @@ index dd3be8d..84ffb31 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -826,10 +1250,12 @@ optional_policy(`
+@@ -826,10 +1251,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
@ -29173,7 +29201,7 @@ index dd3be8d..84ffb31 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1282,27 @@ optional_policy(`
+@@ -856,12 +1283,27 @@ optional_policy(`
 ')
 optional_policy(`
@ -29202,7 +29230,7 @@ index dd3be8d..84ffb31 100644
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1312,18 @@ optional_policy(`
+@@ -871,6 +1313,18 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -29221,7 +29249,7 @@ index dd3be8d..84ffb31 100644
 ')
 optional_policy(`
-@@ -886,6 +1339,10 @@ optional_policy(`
+@@ -886,6 +1340,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -29232,7 +29260,7 @@ index dd3be8d..84ffb31 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1353,196 @@ optional_policy(`
+@@ -896,3 +1354,196 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -29989,7 +30017,7 @@ index 5dfa44b..aa4d8fc 100644
 optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..dbd708d 100644
+index 73bb3c0..aadfba0 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -30063,16 +30091,18 @@ index 73bb3c0..dbd708d 100644
 /usr/lib/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/win32/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -141,6 +151,8 @@ ifdef(`distro_redhat',`
+@@ -141,19 +151,21 @@ ifdef(`distro_redhat',`
 /usr/lib/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/fglrx/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libjs\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libjavascriptcoregtk[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libzvbi\.so(\.[^/]*)* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/sse2/libx264\.so(\.[^/]*)* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libnvidia\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib.*/libnvidia\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -148,12 +160,11 @@ ifdef(`distro_redhat',`
+ /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30088,7 +30118,7 @@ index 73bb3c0..dbd708d 100644
 /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -182,11 +193,13 @@ ifdef(`distro_redhat',`
+@@ -182,11 +194,13 @@ ifdef(`distro_redhat',`
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30102,7 +30132,7 @@ index 73bb3c0..dbd708d 100644
 /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -241,13 +254,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
+@@ -241,13 +255,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30118,7 +30148,7 @@ index 73bb3c0..dbd708d 100644
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +280,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -269,20 +281,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30149,7 +30179,7 @@ index 73bb3c0..dbd708d 100644
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +309,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +310,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 #
 /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
@ -30201,8 +30231,6 @@ index 73bb3c0..dbd708d 100644
 +/usr/lib/googleearth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/chrome/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/nspluginwrapper/np.*\.so	-- gen_context(system_u:object_r:lib_t,s0)
 +
@ -30307,7 +30335,6 @@ index 73bb3c0..dbd708d 100644
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -1817,7 +1817,7 @@ index 708b743..c2edd9a 100644
 +	ps_process_pattern($1, alsa_t)
 +')
 diff --git a/alsa.te b/alsa.te
-index cda6d20..f19402e 100644
+index cda6d20..32d74d1 100644
 --- a/alsa.te
 +++ b/alsa.te
@@ -24,6 +24,9 @@ files_type(alsa_var_lib_t)
@ -1830,7 +1830,15 @@ index cda6d20..f19402e 100644
 ########################################
 #
 # Local policy
-@@ -59,7 +62,6 @@ dev_read_sound(alsa_t)
+@@ -31,6 +34,7 @@ userdom_user_home_content(alsa_home_t)
 allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
 dontaudit alsa_t self:capability sys_admin;
 +allow alsa_t self:process signal_perms;
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket { accept listen };
@@ -59,7 +63,6 @@ dev_read_sound(alsa_t)
 dev_read_sysfs(alsa_t)
 dev_write_sound(alsa_t)
@ -1838,7 +1846,7 @@ index cda6d20..f19402e 100644
 files_search_var_lib(alsa_t)
 term_dontaudit_use_console(alsa_t)
-@@ -72,8 +74,6 @@ init_use_fds(alsa_t)
+@@ -72,8 +75,6 @@ init_use_fds(alsa_t)
 logging_send_syslog_msg(alsa_t)
@ -4398,7 +4406,7 @@ index 83e899c..c0ece1b 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..dfaef83 100644
+index 1a82e29..25bd127 100644
 --- a/apache.te
 +++ b/apache.te
@@ -1,297 +1,353 @@
@ -5627,7 +5635,7 @@ index 1a82e29..dfaef83 100644
 ')
 optional_policy(`
-@@ -836,20 +952,34 @@ optional_policy(`
+@@ -836,20 +952,38 @@ optional_policy(`
 ')
 optional_policy(`
@ -5660,15 +5668,19 @@ index 1a82e29..dfaef83 100644
 -	')
 +optional_policy(`
 +	puppet_read_lib(httpd_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	puppet_read_lib_files(httpd_t)
 +	pwauth_domtrans(httpd_t)
 ')
 optional_policy(`
-@@ -857,6 +987,16 @@ optional_policy(`
+-	puppet_read_lib_files(httpd_t)
 +	rpm_dontaudit_read_db(httpd_t)
 ')
 optional_policy(`
@@ -857,6 +991,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -5685,7 +5697,7 @@ index 1a82e29..dfaef83 100644
 	seutil_sigchld_newrole(httpd_t)
 ')
-@@ -865,6 +1005,7 @@ optional_policy(`
+@@ -865,6 +1009,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -5693,7 +5705,7 @@ index 1a82e29..dfaef83 100644
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -877,65 +1018,166 @@ optional_policy(`
+@@ -877,65 +1022,166 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -5759,11 +5771,10 @@ index 1a82e29..dfaef83 100644
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 +	userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
+')
- 
+
- ########################################
+########################################
- #
+#
 -# Suexec local policy
 +# Apache PHP script local policy
 +#
 +
@ -5822,10 +5833,11 @@ index 1a82e29..dfaef83 100644
 +	tunable_policy(`httpd_can_network_connect_db',`
 +		postgresql_tcp_connect(httpd_php_t)
 +	')
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+#
+ #
 -# Suexec local policy
 +# Apache suexec local policy
 #
@ -5882,7 +5894,7 @@ index 1a82e29..dfaef83 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
-@@ -944,123 +1186,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1190,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
@ -6037,7 +6049,7 @@ index 1a82e29..dfaef83 100644
 	mysql_read_config(httpd_suexec_t)
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1270,104 @@ optional_policy(`
+@@ -1077,172 +1274,104 @@ optional_policy(`
 	')
 ')
@ -6065,13 +6077,13 @@ index 1a82e29..dfaef83 100644
 -
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
+allow httpd_sys_script_t self:process getsched;
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
+-
 -corecmd_exec_all_executables(httpd_script_domains)
 +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@ -6208,7 +6220,8 @@ index 1a82e29..dfaef83 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 -
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@ -6234,8 +6247,7 @@ index 1a82e29..dfaef83 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+-
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@ -6273,7 +6285,7 @@ index 1a82e29..dfaef83 100644
 ')
 tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1375,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1379,70 @@ tunable_policy(`httpd_read_user_content',`
 ')
 tunable_policy(`httpd_use_cifs',`
@ -6367,7 +6379,7 @@ index 1a82e29..dfaef83 100644
 ########################################
 #
-@@ -1315,8 +1446,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1450,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 optional_policy(`
@ -6384,7 +6396,7 @@ index 1a82e29..dfaef83 100644
 ')
 ########################################
-@@ -1324,49 +1462,36 @@ optional_policy(`
+@@ -1324,49 +1466,36 @@ optional_policy(`
 # User content local policy
 #
@ -6448,7 +6460,7 @@ index 1a82e29..dfaef83 100644
 kernel_read_system_state(httpd_passwd_t)
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1501,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1505,99 @@ dev_read_urand(httpd_passwd_t)
 domain_use_interactive_fds(httpd_passwd_t)
@ -8727,7 +8739,7 @@ index 02fefaa..fbcef10 100644
 +	')
 ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..4d8b6ae 100644
+index 7c92aa1..0a48a05 100644
 --- a/boinc.te
 +++ b/boinc.te
@@ -1,11 +1,13 @@
@ -8916,7 +8928,7 @@ index 7c92aa1..4d8b6ae 100644
 term_getattr_all_ptys(boinc_t)
 term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +138,61 @@ init_read_utmp(boinc_t)
+@@ -130,55 +138,65 @@ init_read_utmp(boinc_t)
 logging_send_syslog_msg(boinc_t)
@ -8944,7 +8956,11 @@ index 7c92aa1..4d8b6ae 100644
 +allow boinc_t boinc_project_t:process sigkill;
 +allow boinc_t boinc_project_t:process noatsecure;
 +
-+allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
 +tunable_policy(`deny_ptrace',`',`
 +	allow boinc_project_t self:process ptrace;
 +')
 +
 +allow boinc_project_t self:process { execstack };
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
@ -9561,6 +9577,21 @@ index b85b53b..476aaa3 100644
 ')
 optional_policy(`
 diff --git a/cdrecord.if b/cdrecord.if
 index fbc20f6..4de4a00 100644
 --- a/cdrecord.if
 +++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
 	allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
 -	allow $2 cdrecord_t:process { ptrace signal_perms };
 +	allow $2 cdrecord_t:process signal_perms;
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 cdrecord_t:process ptrace;
 +	')
 	ps_process_pattern($2, cdrecord_t)
 ')
 diff --git a/cdrecord.te b/cdrecord.te
 index 55fb26a..a7555c0 100644
 --- a/cdrecord.te
@ -10224,10 +10255,10 @@ index 0000000..efebae7
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..a54bf63
+index 0000000..6300c78
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,204 @@
+@@ -0,0 +1,205 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@ -10259,6 +10290,7 @@ index 0000000..a54bf63
 +# chrome_sandbox local policy
 +#
 +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
 +dontaudit chrome_sandbox_t self:capability sys_nice;
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:process setsched;
 +allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
@ -11474,7 +11506,7 @@ index d8e9958..0046a69 100644
 	corosync_stream_connect(cmirrord_t)
 ')
 diff --git a/cobbler.if b/cobbler.if
-index c223f81..1f3d0b7 100644
+index c223f81..b2efe4b 100644
 --- a/cobbler.if
 +++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
@ -11506,6 +11538,14 @@ index c223f81..1f3d0b7 100644
 ########################################
 ## <summary>
 ##	Read cobbler configuration files.
@@ -132,6 +154,7 @@ interface(`cobbler_manage_lib_files',`
 	files_search_var_lib($1)
 	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 +    manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 ')
 ########################################
 diff --git a/cobbler.te b/cobbler.te
 index 2a71346..7b64dc9 100644
 --- a/cobbler.te
@ -23632,10 +23672,22 @@ index 395238e..af76abb 100644
 +userdom_use_inherited_user_terminals(giftd_t)
 +userdom_home_manager(gitd_t)
 diff --git a/git.if b/git.if
-index 1e29af1..a1c464e 100644
+index 1e29af1..c67e44e 100644
 --- a/git.if
 +++ b/git.if
-@@ -79,3 +79,21 @@ interface(`git_read_generic_sys_content_files',`
+@@ -37,7 +37,10 @@ template(`git_role',`
 	allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 	userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
 -	allow $2 git_session_t:process { ptrace signal_perms };
 +	allow $2 git_session_t:process signal_perms;
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 git_session_t:process ptrace;
 +	')
 	ps_process_pattern($2, git_session_t)
 	tunable_policy(`git_session_users',`
@@ -79,3 +82,21 @@ interface(`git_read_generic_sys_content_files',`
 		fs_read_nfs_files($1)
 	')
 ')
@ -28311,7 +28363,7 @@ index 48e7739..c3285c2 100644
 /etc/irssi\.conf	--	gen_context(system_u:object_r:irc_conf_t,s0)
 diff --git a/irc.if b/irc.if
-index ac00fb0..53e4fc7 100644
+index ac00fb0..36ef2e5 100644
 --- a/irc.if
 +++ b/irc.if
@@ -20,6 +20,7 @@ interface(`irc_role',`
@ -28322,20 +28374,30 @@ index ac00fb0..53e4fc7 100644
 	')
 	########################################
-@@ -39,10 +40,34 @@ interface(`irc_role',`
+@@ -37,12 +38,42 @@ interface(`irc_role',`
- 	ps_process_pattern($2, irc_t)
+ 	domtrans_pattern($2, irc_exec_t, irc_t)
 	allow $2 irc_t:process { ptrace signal_perms };
 	ps_process_pattern($2, irc_t)
 -	allow $2 irc_t:process { ptrace signal_perms };
 -
 -	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 -	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
 -	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 -	userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
 -	userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
 -	userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
 +	allow $2 irc_t:process signal_perms;
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 irc_t:process ptrace;
 +	')
 +
 +	domtrans_pattern($2, irssi_exec_t, irssi_t)
 +
-+    allow $2 irssi_t:process signal_perms;
+	allow $2 irssi_t:process signal_perms;
-+    ps_process_pattern($2, irssi_t)
+	ps_process_pattern($2, irssi_t)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 irssi_t:process ptrace;
 +	')
 +
 +	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
 +	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
@ -32832,19 +32894,24 @@ index e354181..c6b2383 100644
 ########################################
 diff --git a/livecd.te b/livecd.te
-index 33f64b5..06b1661 100644
+index 33f64b5..dcffc00 100644
 --- a/livecd.te
 +++ b/livecd.te
-@@ -21,7 +21,7 @@ files_tmp_file(livecd_tmp_t)
+@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
 # Local policy
 #
 -dontaudit livecd_t self:capability2 mac_admin;
 +allow livecd_t self:capability2 mac_admin;
- domain_ptrace_all_domains(livecd_t)
+-domain_ptrace_all_domains(livecd_t)
 +tunable_policy(`deny_ptrace',`',`
 +	domain_ptrace_all_domains(livecd_t)
 +')
-@@ -35,12 +35,13 @@ sysnet_etc_filetrans_config(livecd_t)
+ manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
 manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t)
 optional_policy(`
 	hal_dbus_chat(livecd_t)
 ')
@ -37051,7 +37118,7 @@ index 6194b80..116d9d2 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..8faac8d 100644
+index 6a306ee..c2bf3d9 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -1,4 +1,4 @@
@ -37149,7 +37216,7 @@ index 6a306ee..8faac8d 100644
 ########################################
 #
 # Local policy
-@@ -75,23 +79,25 @@ optional_policy(`
+@@ -75,27 +79,30 @@ optional_policy(`
 allow mozilla_t self:capability { sys_nice setgid setuid };
 allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
 allow mozilla_t self:fifo_file rw_fifo_file_perms;
@ -37187,7 +37254,13 @@ index 6a306ee..8faac8d 100644
 manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
 manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-@@ -103,76 +109,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
 +# mozilla will manage user_tmp_t, so it will transition to it.
 +#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
@@ -103,76 +110,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@ -37295,7 +37368,7 @@ index 6a306ee..8faac8d 100644
 term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +180,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +181,73 @@ auth_use_nsswitch(mozilla_t)
 logging_send_syslog_msg(mozilla_t)
 miscfiles_read_fonts(mozilla_t)
@ -37406,7 +37479,7 @@ index 6a306ee..8faac8d 100644
 ')
 optional_policy(`
-@@ -244,19 +260,12 @@ optional_policy(`
+@@ -244,19 +261,12 @@ optional_policy(`
 optional_policy(`
 	cups_read_rw_config(mozilla_t)
@ -37428,7 +37501,7 @@ index 6a306ee..8faac8d 100644
 	optional_policy(`
 		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +274,32 @@ optional_policy(`
+@@ -265,33 +275,32 @@ optional_policy(`
 optional_policy(`
 	gnome_stream_connect_gconf(mozilla_t)
@ -37476,7 +37549,7 @@ index 6a306ee..8faac8d 100644
 ')
 optional_policy(`
-@@ -300,221 +308,173 @@ optional_policy(`
+@@ -300,221 +309,173 @@ optional_policy(`
 ########################################
 #
@ -37792,7 +37865,7 @@ index 6a306ee..8faac8d 100644
 ')
 optional_policy(`
-@@ -523,36 +483,47 @@ optional_policy(`
+@@ -523,36 +484,47 @@ optional_policy(`
 ')
 optional_policy(`
@ -37853,7 +37926,7 @@ index 6a306ee..8faac8d 100644
 ')
 optional_policy(`
-@@ -560,7 +531,7 @@ optional_policy(`
+@@ -560,7 +532,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -37862,7 +37935,7 @@ index 6a306ee..8faac8d 100644
 ')
 optional_policy(`
-@@ -568,108 +539,108 @@ optional_policy(`
+@@ -568,108 +540,109 @@ optional_policy(`
 ')
 optional_policy(`
@ -37877,6 +37950,7 @@ index 6a306ee..8faac8d 100644
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +	xserver_append_xdm_home_files(mozilla_plugin_t)
 +	xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
 +	xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t)
 +	xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
 ')
@ -42056,7 +42130,7 @@ index 0641e97..d7d9a79 100644
 +	admin_pattern($1, nrpe_etc_t)
 ')
 diff --git a/nagios.te b/nagios.te
-index 44ad3b7..f675581 100644
+index 44ad3b7..5ba0194 100644
 --- a/nagios.te
 +++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@ -42182,15 +42256,17 @@ index 44ad3b7..f675581 100644
 logging_send_syslog_msg(nagios_mail_plugin_t)
 sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +340,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
 kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
 +corecmd_exec_bin(nagios_checkdisk_plugin_t)
 +
 +files_getattr_all_dirs(nagios_checkdisk_plugin_t)
 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
 files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +355,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
 # Services local policy
 #
@ -42204,7 +42280,7 @@ index 44ad3b7..f675581 100644
 corecmd_exec_bin(nagios_services_plugin_t)
-@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +411,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
 manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
 files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@ -42212,7 +42288,7 @@ index 44ad3b7..f675581 100644
 kernel_read_kernel_sysctls(nagios_system_plugin_t)
 corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +421,10 @@ dev_read_sysfs(nagios_system_plugin_t)
 domain_read_all_domains_state(nagios_system_plugin_t)
@ -42225,7 +42301,7 @@ index 44ad3b7..f675581 100644
 optional_policy(`
 	init_read_utmp(nagios_system_plugin_t)
 ')
-@@ -442,6 +441,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,6 +443,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
 init_domtrans_script(nagios_eventhandler_plugin_t)
@ -42240,7 +42316,7 @@ index 44ad3b7..f675581 100644
 ########################################
 #
 # Unconfined plugin policy
-@@ -450,3 +457,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
+@@ -450,3 +459,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
 optional_policy(`
 	unconfined_domain(nagios_unconfined_plugin_t)
 ')
@ -47857,10 +47933,10 @@ index 0000000..f2d6119
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..bf9505f
+index 0000000..8a1731a
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,651 @@
+@@ -0,0 +1,654 @@
 +
 +## <summary> policy for openshift </summary>
 +
@ -48254,7 +48330,7 @@ index 0000000..bf9505f
 +#
 +interface(`openshift_admin',`
 +	gen_require(`
-+		type openshift_t;
+		attribute openshift_domain;
 +		type openshift_initrc_exec_t;
 +		type openshift_cache_t;
 +		type openshift_log_t;
@ -48262,8 +48338,11 @@ index 0000000..bf9505f
 +		type openshift_var_run_t;
 +	')
 +
-+	allow $1 openshift_t:process { ptrace signal_perms };
+	allow $1 openshift_domain:process signal_perms;
-+	ps_process_pattern($1, openshift_t)
+	tunable_policy(`deny_ptrace',`',`
 +		allow $1 openshift_domain:process ptrace;
 +	')
 +	ps_process_pattern($1, openshift_domain)
 +
 +	openshift_initrc_domtrans($1)
 +	domain_system_change_exemption($1)
@ -48514,10 +48593,10 @@ index 0000000..bf9505f
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..989a48d
+index 0000000..461f551
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,535 @@
+@@ -0,0 +1,541 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@ -48644,7 +48723,11 @@ index 0000000..989a48d
 +#
 +# Policy for all openshift domains
 +#
-+allow openshift_domain self:process all_process_perms;
+allow openshift_domain self:process ~ptrace;
 +tunable_policy(`deny_ptrace',`',`
 +	allow openshift_domain self:process ptrace;
 +')
 +
 +allow openshift_domain self:msg all_msg_perms;
 +allow openshift_domain self:msgq create_msgq_perms;
 +allow openshift_domain self:shm create_shm_perms;
@ -48861,7 +48944,9 @@ index 0000000..989a48d
 +dontaudit openshift_domain openshift_user_domain:process signull;
 +dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
 +
-+allow openshift_user_domain openshift_domain:process ptrace;
+tunable_policy(`deny_ptrace',`',`
 +	allow openshift_user_domain openshift_domain:process ptrace;
 +')
 +
 +mta_signal_user_agent(openshift_user_domain)
 +
@ -49191,7 +49276,7 @@ index 45d7cc5..baf8d21 100644
 -/var/run/openvswitch(/.*)?	gen_context(system_u:object_r:openvswitch_var_run_t,s0)
 +/etc/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_rw_t,s0)
 diff --git a/openvswitch.if b/openvswitch.if
-index 9b15730..6563dba 100644
+index 9b15730..eedd136 100644
 --- a/openvswitch.if
 +++ b/openvswitch.if
@@ -1,13 +1,14 @@
@ -49255,9 +49340,10 @@ index 9b15730..6563dba 100644
 +	logging_search_logs($1)
 +	append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
 +')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Read openvswitch pid files.
 +##	Manage openvswitch log files
 +## </summary>
 +## <param name="domain">
@ -49333,10 +49419,9 @@ index 9b15730..6563dba 100644
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
 +')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Read openvswitch pid files.
 +##	Manage openvswitch lib directories.
 +## </summary>
 +## <param name="domain">
@ -49360,22 +49445,41 @@ index 9b15730..6563dba 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -40,44 +176,66 @@ interface(`openvswitch_read_pid_files',`
+@@ -40,44 +176,86 @@ interface(`openvswitch_read_pid_files',`
 ########################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an openvswitch environment.
-+##	Execute openvswitch server in the openvswitch domain.
+##	Allow stream connect to openvswitch.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+ ##	Domain allowed access.
 +##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 -## <param name="role">
 +#
 +
 +interface(`openvswitch_stream_connect',`
 +    gen_require(`
 +            type openvswitch_t, openvswitch_var_run_t;
 +                ')
 +
 +    files_search_pids($1)
 +    stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Execute openvswitch server in the openvswitch domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
 +interface(`openvswitch_systemctl',`
 +	gen_require(`
 +		type openvswitch_t;
@ -54844,7 +54948,7 @@ index 2e23946..589bbf2 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..7ceaec2 100644
+index 191a66f..7bb7d5b 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -1,4 +1,4 @@
@ -55444,7 +55548,7 @@ index 191a66f..7ceaec2 100644
 #
 allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +495,25 @@ optional_policy(`
+@@ -576,19 +495,26 @@ optional_policy(`
 ########################################
 #
@ -55459,6 +55563,7 @@ index 191a66f..7ceaec2 100644
 +
 +# Might be a leak, but I need a postfix expert to explain
 +allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 +allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 +rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
@ -55475,7 +55580,7 @@ index 191a66f..7ceaec2 100644
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +528,7 @@ optional_policy(`
+@@ -603,10 +529,7 @@ optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
@ -55487,7 +55592,7 @@ index 191a66f..7ceaec2 100644
 optional_policy(`
 	fstools_read_pipes(postfix_postdrop_t)
 ')
-@@ -621,17 +543,23 @@ optional_policy(`
+@@ -621,17 +544,23 @@ optional_policy(`
 #######################################
 #
@ -55514,7 +55619,7 @@ index 191a66f..7ceaec2 100644
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +575,77 @@ optional_policy(`
+@@ -647,67 +576,77 @@ optional_policy(`
 ########################################
 #
@ -55610,7 +55715,7 @@ index 191a66f..7ceaec2 100644
 ')
 optional_policy(`
-@@ -720,24 +658,27 @@ optional_policy(`
+@@ -720,24 +659,27 @@ optional_policy(`
 ########################################
 #
@ -55644,7 +55749,7 @@ index 191a66f..7ceaec2 100644
 fs_getattr_all_dirs(postfix_smtpd_t)
 fs_getattr_all_fs(postfix_smtpd_t)
-@@ -754,6 +695,7 @@ optional_policy(`
+@@ -754,6 +696,7 @@ optional_policy(`
 optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
@ -55652,7 +55757,7 @@ index 191a66f..7ceaec2 100644
 ')
 optional_policy(`
-@@ -764,31 +706,100 @@ optional_policy(`
+@@ -764,31 +707,100 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
@ -61929,7 +62034,7 @@ index afc0068..7616aa4 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..7e6e161 100644
+index 769d1fd..5bbd65f 100644
 --- a/quantum.te
 +++ b/quantum.te
@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
@ -61966,12 +62071,17 @@ index 769d1fd..7e6e161 100644
 sysnet_domtrans_ifconfig(quantum_t)
 optional_policy(`
-@@ -94,3 +96,7 @@ optional_policy(`
+@@ -94,3 +96,12 @@ optional_policy(`
 	postgresql_tcp_connect(quantum_t)
 ')
 +
 +optional_policy(`
 +    openvswitch_domtrans(quantum_t)
 +    openvswitch_stream_connect(quantum_t)
 +')
 +
 +optional_policy(`
 +	sudo_exec(quantum_t)
 +')
 diff --git a/quota.fc b/quota.fc
@ -65118,7 +65228,7 @@ index 56bc01f..895e16e 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..c839537 100644
+index 2c2de9a..38a33d7 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@ -65515,7 +65625,7 @@ index 2c2de9a..c839537 100644
 #######################################
 #
 # foghorn local policy
-@@ -223,14 +493,15 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,14 +493,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
 dev_read_urand(foghorn_t)
@ -65529,11 +65639,12 @@ index 2c2de9a..c839537 100644
 optional_policy(`
 -	snmp_read_snmp_var_lib_files(foghorn_t)
-+    snmp_manage_var_lib_dirs(foghorn_t)
+    #snmp_manage_var_lib_dirs(foghorn_t)
 +    snmp_manage_var_lib_files(foghorn_t)
 	snmp_stream_connect(foghorn_t)
 ')
-@@ -257,6 +528,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +529,8 @@ storage_getattr_removable_dev(gfs_controld_t)
 init_rw_script_tmp_files(gfs_controld_t)
@ -65542,7 +65653,7 @@ index 2c2de9a..c839537 100644
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +548,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +549,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 dev_list_sysfs(groupd_t)
@ -65555,7 +65666,7 @@ index 2c2de9a..c839537 100644
 ######################################
 #
 # qdiskd local policy
-@@ -321,6 +594,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +595,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 auth_use_nsswitch(qdiskd_t)
@ -68129,7 +68240,7 @@ index ebe91fc..1609333 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..c73d362 100644
+index 0628d50..84f2fd7 100644
 --- a/rpm.if
 +++ b/rpm.if
@@ -1,8 +1,8 @@
@ -68493,16 +68604,37 @@ index 0628d50..c73d362 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -504,7 +565,7 @@ interface(`rpm_manage_db',`
+@@ -503,8 +564,28 @@ interface(`rpm_manage_db',`
 ########################################
 ## <summary>
 +##	Do not audit attempts to create, read,the RPM package database.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`rpm_dontaudit_read_db',`
 +	gen_require(`
 +		type rpm_var_lib_t;
 +	')
 +
 +	dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
 +	dontaudit $1 rpm_var_lib_t:file read_file_perms;
 +	dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	Do not audit attempts to create, read,
 -##	write, and delete rpm lib content.
 +##	write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -517,7 +578,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +598,7 @@ interface(`rpm_dontaudit_manage_db',`
 		type rpm_var_lib_t;
 	')
@ -68511,7 +68643,7 @@ index 0628d50..c73d362 100644
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
-@@ -543,8 +604,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +624,7 @@ interface(`rpm_read_pid_files',`
 #####################################
 ## <summary>
@ -68521,7 +68653,7 @@ index 0628d50..c73d362 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -563,8 +623,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +643,7 @@ interface(`rpm_manage_pid_files',`
 ######################################
 ## <summary>
@ -68531,7 +68663,7 @@ index 0628d50..c73d362 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -573,94 +632,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +652,72 @@ interface(`rpm_manage_pid_files',`
 ## </param>
 #
 interface(`rpm_pid_filetrans',`
@ -68632,12 +68764,12 @@ index 0628d50..c73d362 100644
 -	allow $2 system_r;
 -
 -	admin_pattern($1, rpm_file_t)
 -
 -	files_list_var($1)
 -	admin_pattern($1, rpm_cache_t)
 +	typeattribute $1 rpm_transition_domain;
 +	allow $1 rpm_script_t:process transition;
 -	files_list_var($1)
 -	admin_pattern($1, rpm_cache_t)
 -
 -	files_list_tmp($1)
 -	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
 -
@ -70849,7 +70981,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 57c034b..b2eac61 100644
+index 57c034b..b4a043c 100644
 --- a/samba.te
 +++ b/samba.te
@@ -1,4 +1,4 @@
@ -71929,7 +72061,7 @@ index 57c034b..b2eac61 100644
 optional_policy(`
 	ctdbd_stream_connect(winbind_t)
-@@ -936,6 +937,10 @@ optional_policy(`
+@@ -936,7 +937,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -71938,9 +72070,11 @@ index 57c034b..b2eac61 100644
 +
 +optional_policy(`
 	kerberos_use(winbind_t)
 +	kerberos_filetrans_named_content(winbind_t)
 ')
-@@ -952,31 +957,29 @@ optional_policy(`
+ optional_policy(`
@@ -952,31 +958,29 @@ optional_policy(`
 # Winbind helper local policy
 #
@ -71978,7 +72112,7 @@ index 57c034b..b2eac61 100644
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -990,25 +993,38 @@ optional_policy(`
+@@ -990,25 +994,38 @@ optional_policy(`
 ########################################
 #
@ -77350,7 +77484,7 @@ index 1499b0b..3052bd2 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..1485a62 100644
+index 4faa7e0..4babad1 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
@@ -1,4 +1,4 @@
@ -77863,14 +77997,16 @@ index 4faa7e0..1485a62 100644
 logging_log_filetrans(spamd_t, spamd_log_t, file)
 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,6 +403,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +403,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
 -allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 +# var/lib files for spamd
- allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@ -87915,6 +88051,23 @@ index 9ead775..b5285e7 100644
 userdom_dontaudit_search_user_home_dirs(vlock_t)
 -userdom_use_user_terminals(vlock_t)
 +userdom_use_inherited_user_terminals(vlock_t)
 diff --git a/vmware.if b/vmware.if
 index 20a1fb2..470ea95 100644
 --- a/vmware.if
 +++ b/vmware.if
@@ -26,7 +26,11 @@ interface(`vmware_role',`
 	domtrans_pattern($2, vmware_exec_t, vmware_t)
 	ps_process_pattern($2, vmware_t)
 -	allow $2 vmware_t:process { ptrace signal_perms };
 +	allow $2 vmware_t:process signal_perms;
 +
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 vmware_t:process ptrace;
 +	')
 	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 diff --git a/vmware.te b/vmware.te
 index 3a56513..5721057 100644
 --- a/vmware.te
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 29%{?dist}
+Release: 30%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -526,7 +526,31 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
-* Thu Apr 11 2013 Miroslav Grepl <mgrpel@redhat.com> 3.12.1-29
+* Mon Apr 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-30
 - Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms...
 - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
 - Fix deny_ptrace boolean, certain ptrace leaked into the system
 - Allow winbind to manage kerberos_rcache_host
 - Allow spamd to create spamd_var_lib_t directories
 - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs
 - Add mising nslcd_dontaudit_write_sock_file() interface
 - one more fix
 - Fix pki_read_tomcat_lib_files() interface
 - Allow certmonger to read pki-tomcat lib files
 - Allow certwatch to execute bin_t
 - Allow snmp to manage /var/lib/net-snmp files
 - Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs
 - Fix vmware_role() interface
 - Fix cobbler_manage_lib_files() interface
 - Allow nagios check disk plugins to execute bin_t
 - Allow quantum to transition to openvswitch_t
 - Allow postdrop to stream connect to postfix-master
 - Allow quantum to stream connect to openvswitch
 - Add xserver_dontaudit_xdm_rw_stream_sockets() interface
 - Allow daemon to send dgrams to initrc_t
 - Allow kdm to start the power service to initiate a reboot or poweroff
 * Thu Apr 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-29
 - Add mising nslcd_dontaudit_write_sock_file() interface
 - one more fix
 - Fix pki_read_tomcat_lib_files() interface