* Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-72

- docker needs to be able to look at everything in /dev - Allow all processes to send themselves signals - Allow sysadm_t to create netlink_tcpdiag socket - sysadm_t should be allowed to communicate with networkmanager - These are required for bluejeans to work on a unconfined.pp disabled machine - docker needs setfcap - Allow svirt domains to manage chr files and blk files for mknod commands - Allow fail2ban to read audit logs - Allow cachefilesd_t to send itself signals - Allow smokeping cgi script to send syslog messages - Allow svirt sandbox domains to relabel content - Since apache content can be placed anywhere, we should just allow apache to search through any directory - These are required for bluejeans to work on a unconfined.pp disabled machine
2014-08-12 13:41:36 +02:00 · 2014-08-12 13:41:36 +02:00 · 3399c51143
commit 3399c51143
parent 0bd1c473cc
3 changed files with 378 additions and 324 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -6011,7 +6011,7 @@ index b31c054..5e37a40 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..d86836b 100644
+index 76f285e..a3c0103 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -6272,7 +6272,33 @@ index 76f285e..d86836b 100644
 ##	Create, delete, read, and write block device files.
 ## </summary>
 ## <param name="domain">
-@@ -1003,6 +1130,26 @@ interface(`dev_getattr_all_blk_files',`
+@@ -983,6 +1110,25 @@ interface(`dev_tmpfs_filetrans_dev',`
 ########################################
 ## <summary>
 +##	Allow getattr on all device nodes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_getattr_all',`
 +	gen_require(`
 +		attribute device_node;
 +		type device_t;
 +	')
 +
 +	allow $1 { device_t device_node }:dir_file_class_set getattr;
 +')
 +
 +########################################
 +## <summary>
 ##	Getattr on all block file device nodes.
 ## </summary>
 ## <param name="domain">
@@ -1003,6 +1149,26 @@ interface(`dev_getattr_all_blk_files',`
 ########################################
 ## <summary>
@ -6299,7 +6325,7 @@ index 76f285e..d86836b 100644
 ##	Dontaudit getattr on all block file device nodes.
 ## </summary>
 ## <param name="domain">
-@@ -1034,6 +1181,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+@@ -1034,6 +1200,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
 interface(`dev_getattr_all_chr_files',`
 	gen_require(`
 		attribute device_node;
@ -6307,7 +6333,7 @@ index 76f285e..d86836b 100644
 	')
 	getattr_chr_files_pattern($1, device_t, device_node)
-@@ -1206,6 +1354,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1206,6 +1373,42 @@ interface(`dev_create_all_chr_files',`
 ########################################
 ## <summary>
@ -6350,7 +6376,7 @@ index 76f285e..d86836b 100644
 ##	Delete all block device files.
 ## </summary>
 ## <param name="domain">
-@@ -1560,25 +1744,6 @@ interface(`dev_relabel_autofs_dev',`
+@@ -1560,25 +1763,6 @@ interface(`dev_relabel_autofs_dev',`
 ########################################
 ## <summary>
@ -6376,7 +6402,7 @@ index 76f285e..d86836b 100644
 ##	Read and write the PCMCIA card manager device.
 ## </summary>
 ## <param name="domain">
-@@ -1682,6 +1847,26 @@ interface(`dev_filetrans_cardmgr',`
+@@ -1682,6 +1866,26 @@ interface(`dev_filetrans_cardmgr',`
 ########################################
 ## <summary>
@ -6403,7 +6429,7 @@ index 76f285e..d86836b 100644
 ##	Get the attributes of the CPU
 ##	microcode and id interfaces.
 ## </summary>
-@@ -1791,6 +1976,24 @@ interface(`dev_rw_crypto',`
+@@ -1791,6 +1995,24 @@ interface(`dev_rw_crypto',`
 	rw_chr_files_pattern($1, device_t, crypt_device_t)
 ')
@ -6428,7 +6454,7 @@ index 76f285e..d86836b 100644
 #######################################
 ## <summary>
 ##	Set the attributes of the dlm control devices.
-@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',`
+@@ -1883,6 +2105,25 @@ interface(`dev_rw_dri',`
 ########################################
 ## <summary>
@ -6454,7 +6480,7 @@ index 76f285e..d86836b 100644
 ##	Dontaudit read and write on the dri devices.
 ## </summary>
 ## <param name="domain">
-@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',`
+@@ -2017,7 +2258,7 @@ interface(`dev_rw_input_dev',`
 ########################################
 ## <summary>
@ -6463,7 +6489,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',`
+@@ -2025,17 +2266,73 @@ interface(`dev_rw_input_dev',`
 ##	</summary>
 ## </param>
 #
@ -6484,63 +6510,51 @@ index 76f285e..d86836b 100644
 ## <summary>
 -##	Set the attributes of the framebuffer device node.
 +##	Read ipmi devices.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',`
 ##	</summary>
 ## </param>
 #
 -interface(`dev_setattr_framebuffer_dev',`
 +interface(`dev_read_ipmi_dev',`
 	gen_require(`
 -		type device_t, framebuf_device_t;
 +		type device_t, ipmi_device_t;
 	')
 -	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
 +	read_chr_files_pattern($1, device_t, ipmi_device_t)
 ')
 ########################################
 ## <summary>
 -##	Dot not audit attempts to set the attributes
 -##	of the framebuffer device node.
 +##	Read and write ipmi devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
-interface(`dev_dontaudit_setattr_framebuffer_dev',`
+interface(`dev_read_ipmi_dev',`
-+interface(`dev_rw_ipmi_dev',`
+	gen_require(`
 	gen_require(`
 -		type framebuf_device_t;
 +		type device_t, ipmi_device_t;
- 	')
+	')
- 
+
-	dontaudit $1 framebuf_device_t:chr_file setattr;
+	read_chr_files_pattern($1, device_t, ipmi_device_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read and write ipmi devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_rw_ipmi_dev',`
 +	gen_require(`
 +		type device_t, ipmi_device_t;
 +	')
 +
 +	rw_chr_files_pattern($1, device_t, ipmi_device_t)
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Read the framebuffer.
 +##	Get the attributes of the framebuffer device node.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',`
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`dev_read_framebuffer',`
 +interface(`dev_getattr_framebuffer_dev',`
- 	gen_require(`
+	gen_require(`
 -		type framebuf_device_t;
 +		type device_t, framebuf_device_t;
 +	')
 +
@ -6550,57 +6564,10 @@ index 76f285e..d86836b 100644
 +########################################
 +## <summary>
 +##	Set the attributes of the framebuffer device node.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
-+##	Domain allowed access.
+@@ -2402,7 +2699,97 @@ interface(`dev_filetrans_lirc',`
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_setattr_framebuffer_dev',`
 +	gen_require(`
 +		type device_t, framebuf_device_t;
 +	')
 +
 +	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Dot not audit attempts to set the attributes
 +##	of the framebuffer device node.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_dontaudit_setattr_framebuffer_dev',`
 +	gen_require(`
 +		type framebuf_device_t;
 +	')
 +
 +	dontaudit $1 framebuf_device_t:chr_file setattr;
 +')
 +
 +########################################
 +## <summary>
 +##	Read the framebuffer.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_read_framebuffer',`
 +	gen_require(`
 +		type framebuf_device_t;
 	')
 	read_chr_files_pattern($1, device_t, framebuf_device_t)
@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',`
 ########################################
 ## <summary>
@ -6699,7 +6666,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3112,7 @@ interface(`dev_write_misc',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -6708,7 +6675,7 @@ index 76f285e..d86836b 100644
 ##	</summary>
 ## </param>
 #
-@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3290,20 @@ interface(`dev_getattr_mtrr_dev',`
 ########################################
 ## <summary>
@ -6733,7 +6700,7 @@ index 76f285e..d86836b 100644
 ##	</p>
 ## </desc>
 ## <param name="domain">
-@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3312,34 @@ interface(`dev_getattr_mtrr_dev',`
 ##	</summary>
 ## </param>
 #
@ -6789,7 +6756,7 @@ index 76f285e..d86836b 100644
 ##	range registers (MTRR).
 ## </summary>
 ## <param name="domain">
-@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3348,13 @@ interface(`dev_write_mtrr',`
 ##	</summary>
 ## </param>
 #
@ -6806,7 +6773,7 @@ index 76f285e..d86836b 100644
 ')
 ########################################
-@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3522,42 @@ interface(`dev_create_null_dev',`
 ########################################
 ## <summary>
@ -6849,7 +6816,7 @@ index 76f285e..d86836b 100644
 ##	Do not audit attempts to get the attributes
 ##	of the BIOS non-volatile RAM device.
 ## </summary>
-@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3577,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
 ########################################
 ## <summary>
@ -6874,7 +6841,7 @@ index 76f285e..d86836b 100644
 ##	Read and write BIOS non-volatile RAM.
 ## </summary>
 ## <param name="domain">
-@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3686,25 @@ interface(`dev_rw_printer',`
 ########################################
 ## <summary>
@ -6901,7 +6868,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3712,13 @@ interface(`dev_rw_printer',`
 ##	</summary>
 ## </param>
 #
@ -6918,7 +6885,7 @@ index 76f285e..d86836b 100644
 ')
 ########################################
-@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +3850,7 @@ interface(`dev_dontaudit_read_rand',`
 ########################################
 ## <summary>
@ -6927,7 +6894,7 @@ index 76f285e..d86836b 100644
 ##	number generator devices (e.g., /dev/random)
 ## </summary>
 ## <param name="domain">
-@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +3864,7 @@ interface(`dev_dontaudit_append_rand',`
 		type random_device_t;
 	')
@ -6936,7 +6903,7 @@ index 76f285e..d86836b 100644
 ')
 ########################################
-@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4306,7 @@ interface(`dev_getattr_sysfs_dirs',`
 ########################################
 ## <summary>
@ -6945,7 +6912,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,53 +4314,53 @@ interface(`dev_getattr_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -7010,7 +6977,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',`
+@@ -3917,37 +4368,35 @@ interface(`dev_list_sysfs',`
 ##	</summary>
 ## </param>
 #
@ -7055,7 +7022,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,41 +4404,160 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -7082,17 +7049,23 @@ index 76f285e..d86836b 100644
 -##	hardware installed on the system.
 -##	</p>
 -## </desc>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+-## <infoflow type="read" weight="10"/>
 #
 -interface(`dev_read_sysfs',`
 +interface(`dev_dontaudit_search_sysfs',`
-+	gen_require(`
+ 	gen_require(`
-+		type sysfs_t;
+ 		type sysfs_t;
-+	')
+ 	')
-+
+ 
 -	read_files_pattern($1, sysfs_t, sysfs_t)
 -	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 -
 +	dontaudit $1 sysfs_t:dir search_dir_perms;
 +')
 +
@ -7209,10 +7182,25 @@ index 76f285e..d86836b 100644
 +##	hardware installed on the system.
 +##	</p>
 +## </desc>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
- ##	Domain allowed access.
+##	Domain allowed access.
-@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',`
+##	</summary>
 +## </param>
 +## <infoflow type="read" weight="10"/>
 +#
 +interface(`dev_read_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
 +	')
 +
 +	read_files_pattern($1, sysfs_t, sysfs_t)
 +	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 +
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
@@ -4016,6 +4584,62 @@ interface(`dev_rw_sysfs',`
 ########################################
 ## <summary>
@ -7275,7 +7263,7 @@ index 76f285e..d86836b 100644
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">
-@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4737,25 @@ interface(`dev_write_urand',`
 ########################################
 ## <summary>
@ -7301,7 +7289,7 @@ index 76f285e..d86836b 100644
 ##	Getattr generic the USB devices.
 ## </summary>
 ## <param name="domain">
-@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',`
+@@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',`
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
@ -7313,7 +7301,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +5062,17 @@ interface(`dev_rw_usbfs',`
 ##	</summary>
 ## </param>
 #
@ -7336,7 +7324,7 @@ index 76f285e..d86836b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5080,12 @@ interface(`dev_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
@ -7352,7 +7340,7 @@ index 76f285e..d86836b 100644
 ')
 ########################################
-@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5182,134 @@ interface(`dev_write_video_dev',`
 ########################################
 ## <summary>
@ -7487,7 +7475,7 @@ index 76f285e..d86836b 100644
 ##	Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">
-@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5328,24 @@ interface(`dev_rw_vhost',`
 ########################################
 ## <summary>
@ -7512,7 +7500,7 @@ index 76f285e..d86836b 100644
 ##	Read and write VMWare devices.
 ## </summary>
 ## <param name="domain">
-@@ -4762,6 +5532,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5551,44 @@ interface(`dev_rw_xserver_misc',`
 ########################################
 ## <summary>
@ -7557,7 +7545,7 @@ index 76f285e..d86836b 100644
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
-@@ -4851,3 +5659,946 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5678,946 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
@ -8831,7 +8819,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..32d58ca 100644
+index cf04cb5..8fd98fc 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -8898,7 +8886,7 @@ index cf04cb5..32d58ca 100644
 # create child processes in the domain
 -allow domain self:process { fork sigchld };
-+allow domain self:process { getcap fork getsched sigchld };
+allow domain self:process { getcap fork getsched signal_perms };
 # Use trusted objects in /dev
 +dev_read_cpu_online(domain)
@ -21411,10 +21399,10 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..4786c5e 100644
+index 2522ca6..3651c0c 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1)
+@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
 # Declarations
 #
@ -21428,11 +21416,12 @@ index 2522ca6..4786c5e 100644
 role sysadm_r;
 userdom_admin_user_template(sysadm)
 +allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 -ifndef(`enable_mls',`
 -	userdom_security_admin_template(sysadm_t, sysadm_r)
 -')
-
+ 
 ########################################
 #
 # Local policy
@ -21512,7 +21501,7 @@ index 2522ca6..4786c5e 100644
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-@@ -55,13 +102,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +104,7 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(sysadm_t)
 ')
@ -21527,7 +21516,7 @@ index 2522ca6..4786c5e 100644
 	domain_ptrace_all_domains(sysadm_t)
 ')
-@@ -71,9 +112,9 @@ optional_policy(`
+@@ -71,9 +114,9 @@ optional_policy(`
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
@ -21538,7 +21527,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -87,6 +128,7 @@ optional_policy(`
+@@ -87,6 +130,7 @@ optional_policy(`
 optional_policy(`
 	asterisk_stream_connect(sysadm_t)
@ -21546,7 +21535,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -110,11 +152,17 @@ optional_policy(`
+@@ -110,11 +154,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -21564,7 +21553,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -122,11 +170,27 @@ optional_policy(`
+@@ -122,11 +172,27 @@ optional_policy(`
 ')
 optional_policy(`
@ -21594,7 +21583,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -140,6 +204,10 @@ optional_policy(`
+@@ -140,6 +206,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -21605,7 +21594,7 @@ index 2522ca6..4786c5e 100644
 	dmesg_exec(sysadm_t)
 ')
-@@ -156,6 +224,10 @@ optional_policy(`
+@@ -156,6 +226,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -21616,7 +21605,7 @@ index 2522ca6..4786c5e 100644
 	fstools_run(sysadm_t, sysadm_r)
 ')
-@@ -175,6 +247,13 @@ optional_policy(`
+@@ -175,6 +249,13 @@ optional_policy(`
 	ipsec_stream_connect(sysadm_t)
 	# for lsof
 	ipsec_getattr_key_sockets(sysadm_t)
@ -21630,7 +21619,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -182,15 +261,20 @@ optional_policy(`
+@@ -182,15 +263,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -21654,7 +21643,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -210,22 +294,20 @@ optional_policy(`
+@@ -210,22 +296,20 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -21683,7 +21672,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -237,14 +319,27 @@ optional_policy(`
+@@ -237,14 +321,28 @@ optional_policy(`
 ')
 optional_policy(`
@ -21698,6 +21687,7 @@ index 2522ca6..4786c5e 100644
 optional_policy(`
 +	networkmanager_filetrans_named_content(sysadm_t)
 +	networkmanager_stream_connect(sysadm_t)
 +')
 +
 +optional_policy(`
@ -21711,7 +21701,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -252,10 +347,20 @@ optional_policy(`
+@@ -252,10 +350,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -21732,7 +21722,7 @@ index 2522ca6..4786c5e 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +371,41 @@ optional_policy(`
+@@ -266,35 +374,41 @@ optional_policy(`
 ')
 optional_policy(`
@ -21781,7 +21771,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -308,6 +419,7 @@ optional_policy(`
+@@ -308,6 +422,7 @@ optional_policy(`
 optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
@ -21789,7 +21779,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -315,12 +427,20 @@ optional_policy(`
+@@ -315,12 +430,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -21811,7 +21801,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -345,7 +465,18 @@ optional_policy(`
+@@ -345,7 +468,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -21831,7 +21821,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -356,19 +487,11 @@ optional_policy(`
+@@ -356,19 +490,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -21852,7 +21842,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -380,10 +503,6 @@ optional_policy(`
+@@ -380,10 +506,6 @@ optional_policy(`
 ')
 optional_policy(`
@ -21863,7 +21853,7 @@ index 2522ca6..4786c5e 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +510,9 @@ optional_policy(`
+@@ -391,6 +513,9 @@ optional_policy(`
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -21873,7 +21863,7 @@ index 2522ca6..4786c5e 100644
 ')
 optional_policy(`
-@@ -398,31 +520,34 @@ optional_policy(`
+@@ -398,31 +523,34 @@ optional_policy(`
 ')
 optional_policy(`
@ -21914,7 +21904,7 @@ index 2522ca6..4786c5e 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
-@@ -435,10 +560,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +563,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -21925,7 +21915,7 @@ index 2522ca6..4786c5e 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 		optional_policy(`
-@@ -459,15 +580,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +583,79 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -27130,7 +27120,7 @@ index 6bf0ecc..44be5f2 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..0777a7f 100644
+index 8b40377..635442b 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -27471,13 +27461,13 @@ index 8b40377..0777a7f 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
 ')
 optional_policy(`
 +	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 +')
 +
 +optional_policy(`
 +	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
 ')
 optional_policy(`
 +	ssh_use_ptys(xauth_t)
 	ssh_sigchld(xauth_t)
 	ssh_read_pipes(xauth_t)
@ -27961,17 +27951,17 @@ index 8b40377..0777a7f 100644
 +    optional_policy(`
 +        accountsd_dbus_chat(xdm_t)
 +    ')
- 
+
- 	optional_policy(`
+	optional_policy(`
 -		accountsd_dbus_chat(xdm_t)
 +		bluetooth_dbus_chat(xdm_t)
 +	')
 +
 +	 optional_policy(`
 +		cpufreqselector_dbus_chat(xdm_t)
 +	')
-+
+ 
-+	optional_policy(`
+ 	optional_policy(`
 -		accountsd_dbus_chat(xdm_t)
 +		devicekit_dbus_chat_disk(xdm_t)
 +		devicekit_dbus_chat_power(xdm_t)
 +	')
@ -28279,7 +28269,7 @@ index 8b40377..0777a7f 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1267,44 @@ optional_policy(`
+@@ -785,17 +1267,50 @@ optional_policy(`
 ')
 optional_policy(`
@ -28315,6 +28305,12 @@ index 8b40377..0777a7f 100644
 +	tcpd_wrapped_domain(xserver_t, xserver_exec_t)
 +')
 +
 +optional_policy(`
 +	mozilla_plugin_read_state(xserver_t)
 +	mozilla_plugin_rw_tmp_files(xserver_t)
 +	mozilla_plugin_rw_tmpfs_files(xserver_t)
 +')
 +
 +optional_policy(`
 	udev_read_db(xserver_t)
 ')
@ -28326,7 +28322,7 @@ index 8b40377..0777a7f 100644
 ')
 optional_policy(`
-@@ -803,6 +1312,10 @@ optional_policy(`
+@@ -803,6 +1318,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -28337,7 +28333,7 @@ index 8b40377..0777a7f 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1331,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1337,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -28362,7 +28358,7 @@ index 8b40377..0777a7f 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1354,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -28397,7 +28393,7 @@ index 8b40377..0777a7f 100644
 ')
 optional_policy(`
-@@ -912,7 +1419,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -28406,7 +28402,7 @@ index 8b40377..0777a7f 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1473,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -28438,7 +28434,7 @@ index 8b40377..0777a7f 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1519,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1525,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5077,7 +5077,7 @@ index f6eb485..9eba5f5 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..e755e58 100644
+index 6649962..a78899a 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@ -5780,7 +5780,7 @@ index 6649962..e755e58 100644
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -5864,6 +5864,7 @@ index 6649962..e755e58 100644
 +files_exec_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 +files_read_mnt_symlinks(httpd_t)
 +files_search_all(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
@ -6018,7 +6019,7 @@ index 6649962..e755e58 100644
 ')
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
@ -6078,7 +6079,7 @@ index 6649962..e755e58 100644
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +796,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -6169,7 +6170,7 @@ index 6649962..e755e58 100644
 ')
 tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +842,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +843,48 @@ tunable_policy(`httpd_setrlimit',`
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6250,7 +6251,7 @@ index 6649962..e755e58 100644
 ')
 optional_policy(`
-@@ -749,24 +895,32 @@ optional_policy(`
+@@ -749,24 +896,32 @@ optional_policy(`
 ')
 optional_policy(`
@ -6289,7 +6290,7 @@ index 6649962..e755e58 100644
 ')
 optional_policy(`
-@@ -775,6 +929,10 @@ optional_policy(`
+@@ -775,6 +930,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
@ -6300,7 +6301,7 @@ index 6649962..e755e58 100644
 ')
 optional_policy(`
-@@ -786,35 +944,60 @@ optional_policy(`
+@@ -786,35 +945,60 @@ optional_policy(`
 ')
 optional_policy(`
@ -6374,7 +6375,7 @@ index 6649962..e755e58 100644
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1005,18 @@ optional_policy(`
+@@ -822,8 +1006,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -6393,7 +6394,7 @@ index 6649962..e755e58 100644
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1025,7 @@ optional_policy(`
+@@ -832,6 +1026,7 @@ optional_policy(`
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -6401,7 +6402,7 @@ index 6649962..e755e58 100644
 ')
 optional_policy(`
-@@ -842,20 +1036,40 @@ optional_policy(`
+@@ -842,20 +1037,40 @@ optional_policy(`
 ')
 optional_policy(`
@ -6448,7 +6449,7 @@ index 6649962..e755e58 100644
 ')
 optional_policy(`
-@@ -863,19 +1077,35 @@ optional_policy(`
+@@ -863,19 +1078,35 @@ optional_policy(`
 ')
 optional_policy(`
@ -6484,7 +6485,7 @@ index 6649962..e755e58 100644
 	udev_read_db(httpd_t)
 ')
-@@ -883,65 +1113,189 @@ optional_policy(`
+@@ -883,65 +1114,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -6696,7 +6697,7 @@ index 6649962..e755e58 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
-@@ -950,123 +1304,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1305,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
@ -6851,7 +6852,7 @@ index 6649962..e755e58 100644
 	mysql_read_config(httpd_suexec_t)
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1388,106 @@ optional_policy(`
+@@ -1083,172 +1389,106 @@ optional_policy(`
 	')
 ')
@ -7088,7 +7089,7 @@ index 6649962..e755e58 100644
 ')
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1495,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1496,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 tunable_policy(`httpd_use_cifs',`
@ -7185,7 +7186,7 @@ index 6649962..e755e58 100644
 ########################################
 #
-@@ -1321,8 +1570,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1571,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 optional_policy(`
@ -7202,7 +7203,7 @@ index 6649962..e755e58 100644
 ')
 ########################################
-@@ -1330,49 +1586,38 @@ optional_policy(`
+@@ -1330,49 +1587,38 @@ optional_policy(`
 # User content local policy
 #
@ -7267,7 +7268,7 @@ index 6649962..e755e58 100644
 kernel_read_system_state(httpd_passwd_t)
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1627,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1628,101 @@ dev_read_urand(httpd_passwd_t)
 domain_use_interactive_fds(httpd_passwd_t)
@ -10718,10 +10719,10 @@ index 8de2ab9..3b41945 100644
 +	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
 ')
 diff --git a/cachefilesd.te b/cachefilesd.te
-index a3760bc..a570048 100644
+index a3760bc..660e5d3 100644
 --- a/cachefilesd.te
 +++ b/cachefilesd.te
-@@ -1,52 +1,124 @@
+@@ -1,52 +1,125 @@
 policy_module(cachefilesd, 1.1.0)
 -########################################
@ -10794,6 +10795,7 @@ index a3760bc..a570048 100644
 +# rules.
 +#
 allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
 +allow cachefilesd_t self:process signal_perms;
 +# Allow manipulation of pid file
 +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
@ -24557,10 +24559,10 @@ index 0000000..76eb32e
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..96c47ea
+index 0000000..dfb6b04
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,278 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@ -24620,7 +24622,7 @@ index 0000000..96c47ea
 +#
 +# docker local policy
 +#
-+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service };
+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service setfcap };
 +allow docker_t self:process { getattr signal_perms };
 +allow docker_t self:fifo_file rw_fifo_file_perms;
 +allow docker_t self:unix_stream_socket create_stream_socket_perms;
@ -24754,7 +24756,7 @@ index 0000000..96c47ea
 +kernel_request_load_module(docker_t)
 +kernel_mounton_messages(docker_t)
 +
-+dev_getattr_all_blk_files(docker_t)
+dev_getattr_all(docker_t)
 +dev_getattr_sysfs_fs(docker_t)
 +dev_read_urand(docker_t)
 +dev_read_lvm_control(docker_t)
@ -24782,6 +24784,7 @@ index 0000000..96c47ea
 +fs_relabelfrom_xattr_fs(docker_t)
 +fs_relabelfrom_tmpfs(docker_t)
 +fs_read_tmpfs_symlinks(docker_t)
 +fs_list_hugetlbfs(docker_t)
 +
 +term_use_generic_ptys(docker_t)
 +term_use_ptmx(docker_t)
@ -24799,6 +24802,10 @@ index 0000000..96c47ea
 +userdom_read_all_users_state(docker_t)
 +
 +optional_policy(`
 +	gpm_getattr_gpmctl(docker_t)
 +')
 +
 +optional_policy(`
 +	dbus_system_bus_client(docker_t)
 +	init_dbus_chat(docker_t)
 +
@ -26745,7 +26752,7 @@ index 50d0084..94e1936 100644
 	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..2b435ed 100644
+index cf0e567..a743483 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@ -26773,9 +26780,11 @@ index cf0e567..2b435ed 100644
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
-@@ -93,23 +91,35 @@ auth_use_nsswitch(fail2ban_t)
+@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 logging_read_all_logs(fail2ban_t)
 +logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 +logging_dontaudit_search_audit_logs(fail2ban_t)
@ -26813,7 +26822,7 @@ index cf0e567..2b435ed 100644
 	iptables_domtrans(fail2ban_t)
 ')
-@@ -118,6 +128,10 @@ optional_policy(`
+@@ -118,6 +129,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -26824,7 +26833,7 @@ index cf0e567..2b435ed 100644
 	shorewall_domtrans(fail2ban_t)
 ')
-@@ -131,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@ -26851,7 +26860,7 @@ index cf0e567..2b435ed 100644
 logging_search_all_logs(fail2ban_client_t)
 -
 -miscfiles_read_localization(fail2ban_client_t)
-+logging_dontaudit_search_audit_logs(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
 userdom_use_user_terminals(fail2ban_client_t)
@ -45713,7 +45722,7 @@ index 6ffaba2..549fb8c 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..7490fe3 100644
+index 6194b80..f741e56 100644
 --- a/mozilla.if
 +++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -45778,10 +45787,7 @@ index 6194b80..7490fe3 100644
 -	allow $2 mozilla_t:shm rw_shm_perms;
 -
 -	stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
-+	allow $2 mozilla_t:shm { associate getattr };
+-
 +	allow $2 mozilla_t:shm { unix_read unix_write };
 +	allow $2 mozilla_t:unix_stream_socket connectto;
 -	allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
 -	allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
 -	allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
@ -45789,6 +45795,11 @@ index 6194b80..7490fe3 100644
 -	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
 -	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
 -	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
 +	allow $2 mozilla_t:shm { associate getattr };
 +	allow $2 mozilla_t:shm { unix_read unix_write };
 +	allow $2 mozilla_t:unix_stream_socket connectto;
 -	filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
 +	# X access, Home files
 +	manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
 +	manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
@ -45797,15 +45808,13 @@ index 6194b80..7490fe3 100644
 +	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
 +	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
-	filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+-	allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 -	allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
 -	allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 +	#should be remove then with adding of roleattribute
 +	mozilla_run_plugin(mozilla_t, $1)
 +	mozilla_dbus_chat($2)
 -	allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 -	allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
 -	allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 -
 -	allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
 -	allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 -	allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@ -45845,14 +45854,14 @@ index 6194b80..7490fe3 100644
 -	mozilla_run_plugin($2, $1)
 -	mozilla_run_plugin_config($2, $1)
-+	mozilla_filetrans_home_content($2)
+-
 -	allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
 -	ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
 -
 -	allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
 -	allow $2 mozilla_plugin_t:fd use;
-
+	mozilla_filetrans_home_content($2)
 -	stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
 -
 -	allow mozilla_plugin_t $2:process signull;
@ -46226,7 +46235,7 @@ index 6194b80..7490fe3 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -433,76 +356,144 @@ interface(`mozilla_dbus_chat',`
+@@ -433,57 +356,162 @@ interface(`mozilla_dbus_chat',`
 ##	</summary>
 ## </param>
 #
@ -46241,33 +46250,23 @@ index 6194b80..7490fe3 100644
 -	allow $1 mozilla_plugin_t:dbus send_msg;
 -	allow mozilla_plugin_t $1:dbus send_msg;
 +	allow $1 mozilla_t:tcp_socket rw_socket_perms;
- ')
+')
- 
+
 -########################################
 +#######################################
- ## <summary>
+## <summary>
 -##	Read and write mozilla TCP sockets.
 +##  Read mozilla_plugin tmpfs files
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 +##  <summary>
 +##  Domain allowed access
 +##  </summary>
- ## </param>
+## </param>
- #
+#
 -interface(`mozilla_rw_tcp_sockets',`
 -	gen_require(`
 -		type mozilla_t;
 -	')
 +interface(`mozilla_plugin_read_tmpfs_files',`
 +    gen_require(`
 +        type mozilla_plugin_tmpfs_t;
 +    ')
- 
+
 -	allow $1 mozilla_t:tcp_socket rw_socket_perms;
 +    allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
 +')
 +
@ -46291,8 +46290,7 @@ index 6194b80..7490fe3 100644
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+-##	Read and write mozilla TCP sockets.
 -##	mozilla plugin rw files.
 +##	Delete mozilla_plugin tmpfs files
 ## </summary>
 ## <param name="domain">
@ -46302,15 +46300,14 @@ index 6194b80..7490fe3 100644
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_manage_plugin_rw_files',`
+-interface(`mozilla_rw_tcp_sockets',`
 +interface(`mozilla_plugin_delete_tmpfs_files',`
 	gen_require(`
-		type mozilla_plugin_rw_t;
+-		type mozilla_t;
 +		type mozilla_plugin_tmpfs_t;
 	')
-	libs_search_lib($1)
+-	allow $1 mozilla_t:tcp_socket rw_socket_perms;
 -	manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +	allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
 +')
 +
@ -46352,7 +46349,8 @@ index 6194b80..7490fe3 100644
 ########################################
 ## <summary>
-##	Read mozilla_plugin tmpfs files.
+-##	Create, read, write, and delete
 -##	mozilla plugin rw files.
 +##	Dontaudit read/write to a mozilla_plugin leaks
 ## </summary>
 ## <param name="domain">
@ -46362,15 +46360,15 @@ index 6194b80..7490fe3 100644
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_plugin_read_tmpfs_files',`
+-interface(`mozilla_manage_plugin_rw_files',`
 +interface(`mozilla_plugin_dontaudit_leaks',`
 	gen_require(`
-		type mozilla_plugin_tmpfs_t;
+-		type mozilla_plugin_rw_t;
 +		type mozilla_plugin_t;
 	')
-	fs_search_tmpfs($1)
+-	libs_search_lib($1)
-	allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+-	manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 +')
 +
@ -46389,22 +46387,40 @@ index 6194b80..7490fe3 100644
 +        type mozilla_plugin_tmp_t;
 +    ')
 +
 +    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
 +')
 +
 +#######################################
 +## <summary>
 +##  Allow read/write to a mozilla_plugin tmp files.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##	Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`mozilla_plugin_rw_tmp_files',`
 +    gen_require(`
 +        type mozilla_plugin_tmp_t;
 +    ')
 +
 +    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
 ')
 ########################################
 ## <summary>
-##	Delete mozilla_plugin tmpfs files.
+-##	Read mozilla_plugin tmpfs files.
 +##	Create, read, write, and delete
 +##	mozilla_plugin rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -510,19 +501,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -491,18 +519,18 @@ interface(`mozilla_manage_plugin_rw_files',`
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_plugin_delete_tmpfs_files',`
+-interface(`mozilla_plugin_read_tmpfs_files',`
 +interface(`mozilla_plugin_manage_rw_files',`
 	gen_require(`
 -		type mozilla_plugin_tmpfs_t;
@ -46412,28 +46428,53 @@ index 6194b80..7490fe3 100644
 	')
 -	fs_search_tmpfs($1)
-	allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+-	allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
 +	allow $1 mozilla_plugin_rw_t:file manage_file_perms;
 +	allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
 ')
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+-##	Delete mozilla_plugin tmpfs files.
 -##	generic mozilla plugin home content.
 +##	read mozilla_plugin rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -510,19 +538,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
 -interface(`mozilla_plugin_delete_tmpfs_files',`
 +interface(`mozilla_plugin_read_rw_files',`
 	gen_require(`
 -		type mozilla_plugin_tmpfs_t;
 +		type mozilla_plugin_rw_t;
 	')
 -	fs_search_tmpfs($1)
 -	allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
 +	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 ')
 ########################################
 ## <summary>
 -##	Create, read, write, and delete
 -##	generic mozilla plugin home content.
 +##	Create mozilla content in the user home directory
 +##	with an correct label.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -530,45 +557,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
 -interface(`mozilla_manage_generic_plugin_home_content',`
-+interface(`mozilla_plugin_read_rw_files',`
+interface(`mozilla_filetrans_home_content',`
 +
 	gen_require(`
 -		type mozilla_plugin_home_t;
-+		type mozilla_plugin_rw_t;
+		type mozilla_home_t;
 	')
 -	userdom_search_user_home_dirs($1)
@ -46442,42 +46483,6 @@ index 6194b80..7490fe3 100644
 -	allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
 -	allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
 -	allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
 +	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 ')
 ########################################
 ## <summary>
 -##	Create objects in user home
 -##	directories with the generic mozilla
 -##	plugin home type.
 +##	Create mozilla content in the user home directory
 +##	with an correct label.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <param name="object_class">
 -##	<summary>
 -##	Class of the object being created.
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
 -##	<summary>
 -##	The name of the object being created.
 -##	</summary>
 -## </param>
 #
 -interface(`mozilla_home_filetrans_plugin_home',`
 +interface(`mozilla_filetrans_home_content',`
 +
 	gen_require(`
 -		type mozilla_plugin_home_t;
 +		type mozilla_home_t;
 	')
 -	userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
@ -46506,6 +46511,41 @@ index 6194b80..7490fe3 100644
 +		gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
 +	')
 ')
 ########################################
 ## <summary>
 -##	Create objects in user home
 -##	directories with the generic mozilla
 -##	plugin home type.
 +##	Allow the domain to read mozilla_plugin state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <param name="object_class">
 -##	<summary>
 -##	Class of the object being created.
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
 -##	<summary>
 -##	The name of the object being created.
 -##	</summary>
 -## </param>
 #
 -interface(`mozilla_home_filetrans_plugin_home',`
 +interface(`mozilla_plugin_read_state',`
 	gen_require(`
 -		type mozilla_plugin_home_t;
 +		type mozilla_plugin_t;
 	')
 -	userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
 +	kernel_search_proc($1)
 +	ps_process_pattern($1, mozilla_plugin_t)
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
 index 11ac8e4..372b342 100644
@ -91569,7 +91609,7 @@ index 1fa51c1..82e111c 100644
 	smokeping_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 diff --git a/smokeping.te b/smokeping.te
-index ec031a0..26b6da1 100644
+index ec031a0..61a9f8c 100644
 --- a/smokeping.te
 +++ b/smokeping.te
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
@ -91597,7 +91637,7 @@ index ec031a0..26b6da1 100644
 mta_send_mail(smokeping_t)
 netutils_domtrans_ping(smokeping_t)
-@@ -60,17 +58,20 @@ netutils_domtrans_ping(smokeping_t)
+@@ -60,17 +58,22 @@ netutils_domtrans_ping(smokeping_t)
 optional_policy(`
 	apache_content_template(smokeping_cgi)
@ -91605,20 +91645,22 @@ index ec031a0..26b6da1 100644
 +
 +	manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 +	manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 +
 +	getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
 -	manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 -	manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 +	getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
 -	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
 +	files_read_etc_files(smokeping_cgi_script_t)
 +	files_search_tmp(smokeping_cgi_script_t)
 +	files_search_var_lib(smokeping_cgi_script_t)
 -	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
 +	auth_read_passwd(smokeping_cgi_script_t)
 -	files_read_etc_files(httpd_smokeping_cgi_script_t)
 -	files_search_tmp(httpd_smokeping_cgi_script_t)
 -	files_search_var_lib(httpd_smokeping_cgi_script_t)
-+	auth_read_passwd(smokeping_cgi_script_t)
+	logging_send_syslog_msg(smokeping_cgi_script_t)
 -	sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
 +	sysnet_dns_name_resolve(smokeping_cgi_script_t)
@ -103067,7 +103109,7 @@ index facdee8..d179539 100644
 +	typeattribute $1 sandbox_caps_domain;
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..f5766e6 100644
+index f03dcf5..eef3cb7 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,227 @@
@ -104549,7 +104591,7 @@ index f03dcf5..f5766e6 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1153,316 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1153,317 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@ -104625,8 +104667,8 @@ index f03dcf5..f5766e6 100644
 +manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
 +
 +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
 +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
@ -104845,6 +104887,7 @@ index f03dcf5..f5766e6 100644
 -kernel_read_network_state(svirt_lxc_net_t)
 -kernel_read_irq_sysctls(svirt_lxc_net_t)
 +allow svirt_lxc_net_t self:process { execstack execmem };
 +manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +
 +tunable_policy(`virt_sandbox_use_sys_admin',`
 +	allow svirt_lxc_net_t self:capability sys_admin;
@ -105004,7 +105047,7 @@ index f03dcf5..f5766e6 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1475,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1476,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@ -105019,7 +105062,7 @@ index f03dcf5..f5766e6 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,9 +1493,8 @@ optional_policy(`
+@@ -1192,9 +1494,8 @@ optional_policy(`
 ########################################
 #
@ -105030,7 +105073,7 @@ index f03dcf5..f5766e6 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1507,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1508,218 @@ kernel_read_network_state(virt_bridgehelper_t)
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 71%{?dist}
+Release: 72%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,21 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-72
 - docker needs to be able to look at everything in /dev
 - Allow all processes to send themselves signals
 - Allow sysadm_t to create netlink_tcpdiag socket
 - sysadm_t should be allowed to communicate with networkmanager
 - These are required for bluejeans to work on a unconfined.pp disabled machine
 - docker needs setfcap
 - Allow svirt domains to manage chr files and blk files for mknod commands
 - Allow fail2ban to read audit logs
 - Allow cachefilesd_t to send itself signals
 - Allow smokeping cgi script to send syslog messages
 - Allow svirt sandbox domains to relabel content
 - Since apache content can be placed anywhere, we should just allow apache to search through any directory
 - These are required for bluejeans to work on a unconfined.pp disabled machin
 * Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-71
 - shell_exec_t should not be in cockip.fc