+ ##
+@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -8340,7 +8316,7 @@ index 76f285e..0aef35e 100644
## Getattr generic the USB devices.
##
##
-@@ -4123,7 +5023,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -8349,445 +8325,274 @@ index 76f285e..0aef35e 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4330,28 +5230,180 @@ interface(`dev_search_usbfs',`
+@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',`
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
- ########################################
- ##
--## Allow caller to get a list of usb hardware.
-+## Allow caller to get a list of usb hardware.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_list_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+##
-+## Set the attributes of usbfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_usbfs_files',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ setattr_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+##
-+## Read USB hardware information using
-+## the usbfs filesystem interface.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ read_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to modify usb hardware configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ rw_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+')
-+
+-########################################
+######################################
-+##
-+## Read and write userio device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_userio_dev',`
-+ gen_require(`
-+ type device_t, userio_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
-+')
-+
-+########################################
-+##
-+## Get the attributes of video4linux devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_video_dev',`
-+ gen_require(`
-+ type device_t, v4l_device_t;
-+ ')
-+
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of video4linux device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_video_dev',`
-+ gen_require(`
-+ type v4l_device_t;
-+ ')
-+
-+ dontaudit $1 v4l_device_t:chr_file getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of video4linux device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_video_dev',`
-+ gen_require(`
-+ type device_t, v4l_device_t;
-+ ')
-+
-+ setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of video4linux device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_list_usbfs',`
-+interface(`dev_dontaudit_setattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type v4l_device_t;
- ')
-
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- getattr_files_pattern($1, usbfs_t, usbfs_t)
--
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ dontaudit $1 v4l_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of usbfs filesystem.
-+## Read the video4linux devices.
- ##
- ##
- ##
-@@ -4359,19 +5411,17 @@ interface(`dev_list_usbfs',`
- ##
- ##
- #
--interface(`dev_setattr_usbfs_files',`
-+interface(`dev_read_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- setattr_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ read_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Read USB hardware information using
--## the usbfs filesystem interface.
-+## Write the video4linux devices.
- ##
- ##
- ##
-@@ -4379,19 +5429,17 @@ interface(`dev_setattr_usbfs_files',`
- ##
- ##
- #
--interface(`dev_read_usbfs',`
-+interface(`dev_write_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- read_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ write_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Allow caller to modify usb hardware configuration files.
-+## Get the attributes of vfio devices.
- ##
- ##
- ##
-@@ -4399,37 +5447,36 @@ interface(`dev_read_usbfs',`
- ##
- ##
- #
--interface(`dev_rw_usbfs',`
-+interface(`dev_getattr_vfio_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vfio_device_t;
- ')
-
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-- rw_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
##
-## Get the attributes of video4linux devices.
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
++## Read and write userio device.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',`
##
##
#
-interface(`dev_getattr_video_dev',`
-+interface(`dev_dontaudit_getattr_vfio_dev',`
++interface(`dev_rw_userio_dev',`
gen_require(`
- type device_t, v4l_device_t;
-+ type vfio_device_t;
++ type device_t, userio_device_t;
')
- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ dontaudit $1 vfio_device_t:chr_file getattr;
++ rw_chr_files_pattern($1, device_t, userio_device_t)
')
-######################################
+########################################
##
-## Read and write userio device.
-+## Set the attributes of vfio device nodes.
++## Get the attributes of video4linux devices.
##
##
##
-@@ -4437,18 +5484,18 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',`
##
##
#
-interface(`dev_rw_userio_dev',`
-+interface(`dev_setattr_vfio_dev',`
++interface(`dev_getattr_video_dev',`
gen_require(`
- type device_t, userio_device_t;
-+ type device_t, vfio_device_t;
++ type device_t, v4l_device_t;
')
- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
########################################
- ##
--## Do not audit attempts to get the attributes
--## of video4linux device nodes.
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
-@@ -4456,17 +5503,17 @@ interface(`dev_rw_userio_dev',`
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_video_dev',`
-+interface(`dev_dontaudit_setattr_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file getattr;
-+ dontaudit $1 vfio_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of video4linux device nodes.
-+## Read the vfio devices.
- ##
- ##
- ##
-@@ -4474,36 +5521,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_setattr_video_dev',`
-+interface(`dev_read_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to set the attributes
--## of video4linux device nodes.
-+## Write the vfio devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_setattr_video_dev',`
-+interface(`dev_write_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file setattr;
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Read the video4linux devices.
-+## Read and write the VFIO devices.
- ##
- ##
- ##
-@@ -4511,17 +5557,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
- ##
- ##
- #
--interface(`dev_read_video_dev',`
-+interface(`dev_rw_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Write the video4linux devices.
-+## Allow read/write the vhost net device
- ##
- ##
- ##
-@@ -4529,17 +5575,17 @@ interface(`dev_read_video_dev',`
- ##
- ##
- #
--interface(`dev_write_video_dev',`
-+interface(`dev_rw_vhost',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vhost_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
+@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',`
########################################
##
-## Allow read/write the vhost net device
-+## Allow read/write inheretid the vhost net device
++## Get the attributes of vfio devices.
##
##
##
-@@ -4547,12 +5593,12 @@ interface(`dev_write_video_dev',`
+@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',`
##
##
#
-interface(`dev_rw_vhost',`
-+interface(`dev_rw_inherited_vhost',`
++interface(`dev_getattr_vfio_dev',`
gen_require(`
- type device_t, vhost_device_t;
+- type device_t, vhost_device_t;
++ type device_t, vfio_device_t;
')
- rw_chr_files_pattern($1, device_t, vhost_device_t)
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
')
########################################
-@@ -4630,6 +5676,24 @@ interface(`dev_write_watchdog',`
+ ##
+-## Read and write VMWare devices.
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_rw_vmware',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type vfio_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vmware_device_t)
++ dontaudit $1 vfio_device_t:chr_file getattr;
+ ')
+
+ ########################################
+ ##
+-## Read, write, and mmap VMWare devices.
++## Set the attributes of vfio device nodes.
+ ##
+ ##
+ ##
+@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',`
+ ##
+ ##
+ #
+-interface(`dev_rwx_vmware',`
++interface(`dev_setattr_vfio_dev',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- dev_rw_vmware($1)
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_setattr_vfio_dev',`
++ gen_require(`
++ type vfio_device_t;
++ ')
++
++ dontaudit $1 vfio_device_t:chr_file setattr;
++')
++
++########################################
++##
++## Read the vfio devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Write the vfio devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Read and write the VFIO devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Allow read/write the vhost net device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_vhost',`
++ gen_require(`
++ type device_t, vhost_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
++')
++
++########################################
++##
++## Allow read/write inheretid the vhost net device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_inherited_vhost',`
++ gen_require(`
++ type device_t, vhost_device_t;
++ ')
++
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Read and write VMWare devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_vmware',`
++ gen_require(`
++ type device_t, vmware_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, vmware_device_t)
++')
++
++########################################
++##
++## Read, write, and mmap VMWare devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rwx_vmware',`
++ gen_require(`
++ type device_t, vmware_device_t;
++ ')
++
++ dev_rw_vmware($1)
+ allow $1 vmware_device_t:chr_file execute;
+ ')
+
+@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',`
########################################
##
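Review bot: The summary of `dev_rw_inherited_vhost` (the `++## Allow read/write inheretid the vhost net device` line) misspells "inherited" and does not say what separates it from `dev_rw_vhost`, which is the whole point of the interface: the body grants only `rw_inherited_chr_file_perms` on `vhost_device_t` and, unlike `dev_rw_vhost`, no `rw_chr_files_pattern` through `device_t`, so the caller presumably can use a descriptor it was handed but cannot open /dev/vhost-net itself (confirm against the definition of `rw_inherited_chr_file_perms`). Suggested wording: `## Read and write an already open (inherited) vhost net device file descriptor. The caller is not granted access to open the device itself; use dev_rw_vhost for that.` The same hunk carries `dev_rwx_vmware`, which adds `chr_file execute` on a device node on top of `dev_rw_vmware`; that is pre-existing, but its summary should say why execute on a device node is needed, since that is unusual for a character device.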
@@ -8812,7 +8617,7 @@ index 76f285e..0aef35e 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5826,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -8857,7 +8662,7 @@ index 76f285e..0aef35e 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5953,1020 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5996,1020 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -10364,7 +10169,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..b5fe8e5 100644
+index cf04cb5..0715228 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10497,8 +10302,11 @@ index cf04cb5..b5fe8e5 100644
')
########################################
-@@ -147,12 +217,18 @@ optional_policy(`
+@@ -145,14 +215,21 @@ optional_policy(`
+ # be used on an attribute.
+
# Use/sendto/connectto sockets created by any domain.
++allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+allow unconfined_domain_type domain:system all_system_perms;
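Review bot: The new `++allow unconfined_domain_type self:cap_userns all_cap_userns_perms;` rule is placed directly under the comment `# Use/sendto/connectto sockets created by any domain.`, which now mis-describes the first rule in that group; a reader scanning for the capability grants will not find it there. It should get its own comment and sit above the socket comment, e.g. `# Unconfined domains get every capability inside user namespaces they create (cap_userns).` followed by the rule. Because this hands the full `cap_userns` set to everything carrying `unconfined_domain_type`, the comment is also the natural place to record that the grant is intentional rather than a stop-gap for a denial. The enclosing `unconfined_domain_type` rule block starts and continues outside the hunk.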
@@ -10517,7 +10325,7 @@ index cf04cb5..b5fe8e5 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +236,379 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +237,379 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -18093,7 +17901,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..440c63f 100644
+index 8416beb..20099cd 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18592,7 +18400,7 @@ index 8416beb..440c63f 100644
##
##
##
-@@ -1878,96 +2122,759 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -18698,6 +18506,7 @@ index 8416beb..440c63f 100644
-#
-interface(`fs_exec_fusefs_files',`
- gen_require(`
+- type fusefs_t;
+##
+##
+## Execute a file on a FUSE filesystem
@@ -18731,88 +18540,110 @@ index 8416beb..440c63f 100644
+interface(`fs_ecryptfs_domtrans',`
+ gen_require(`
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- exec_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 ecryptfs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, ecryptfs_t, $2)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+-## on a FUSEFS filesystem.
+## Mount a FUSE filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_manage_fusefs_files',`
+interface(`fs_mount_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- manage_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to create,
+-## read, write, and delete files
+-## on a FUSEFS filesystem.
+## Unmount a FUSE filesystem.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
+interface(`fs_unmount_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
+ allow $1 fusefs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Mounton a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_mounton_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:dir mounton;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Search directories
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_search_fusefs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem getattr;
+ allow $1 fusefs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List hugetlbfs.
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+##
@@ -18834,24 +18665,28 @@ index 8416beb..440c63f 100644
+##
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_manage_fusefs_dirs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ allow $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Manage hugetlbfs dirs.
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -18873,129 +18708,157 @@ index 8416beb..440c63f 100644
+########################################
+##
+## Read, a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_read_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
-+ read_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Execute files on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_exec_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ exec_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Make general progams in FUSEFS an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_fusefs_entry_type',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ domain_entry_file($1, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Make general progams in FUSEFS an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_fusefs_entrypoint',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:file entrypoint;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_fusefs_files',`
-+ gen_require(`
- type fusefs_t;
')
-- exec_files_pattern($1, fusefs_t, fusefs_t)
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ read_files_pattern($1, fusefs_t, fusefs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
++## Execute files on a FUSEFS filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`fs_rw_hugetlbfs_files',`
++interface(`fs_exec_fusefs_files',`
+ gen_require(`
+- type hugetlbfs_t;
++ type fusefs_t;
+ ')
+
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ exec_files_pattern($1, fusefs_t, fusefs_t)
+ ')
+
+ ########################################
+ ##
+-## Allow the type to associate to hugetlbfs filesystems.
++## Make general progams in FUSEFS an entrypoint for
++## the specified domain.
+ ##
+-##
++##
+ ##
+-## The type of the object to be associated.
++## The domain for which fusefs_t is an entrypoint.
+ ##
+ ##
+ #
+-interface(`fs_associate_hugetlbfs',`
++interface(`fs_fusefs_entry_type',`
+ gen_require(`
+- type hugetlbfs_t;
++ type fusefs_t;
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
++ domain_entry_file($1, fusefs_t)
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
++## Make general progams in FUSEFS an entrypoint for
++## the specified domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## The domain for which fusefs_t is an entrypoint.
+ ##
+ ##
+ #
+-interface(`fs_search_inotifyfs',`
++interface(`fs_fusefs_entrypoint',`
+ gen_require(`
+- type inotifyfs_t;
++ type fusefs_t;
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
++ allow $1 fusefs_t:file entrypoint;
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`fs_list_inotifyfs',`
++interface(`fs_manage_fusefs_files',`
+ gen_require(`
+- type inotifyfs_t;
++ type fusefs_t;
+ ')
+
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ manage_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',`
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_dontaudit_manage_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+ dontaudit $1 fusefs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
@@ -19011,10 +18874,12 @@ index 8416beb..440c63f 100644
+## Manage symbolic links on a FUSEFS filesystem.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`fs_manage_fusefs_symlinks',`
+ gen_require(`
@@ -19049,78 +18914,101 @@ index 8416beb..440c63f 100644
+##
+##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Domain allowed to transition.
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The name of the object being created.
+## The type of the new process.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_hugetlbfs_filetrans',`
+interface(`fs_fusefs_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $2 hugetlbfs_t:filesystem associate;
+- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+ allow $1 fusefs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, fusefs_t, $2)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount an iso9660 filesystem, which
+-## is usually used on CDs.
+## Get the attributes of a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_mount_iso9660_fs',`
+interface(`fs_getattr_fusefs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem mount;
+ allow $1 fusefs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Remount an iso9660 filesystem, which
+-## is usually used on CDs. This allows
+-## some mount options to be changed.
+## Get the attributes of an hugetlbfs
+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_remount_iso9660_fs',`
+interface(`fs_getattr_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem remount;
+ allow $1 hugetlbfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unmount an iso9660 filesystem, which
+-## is usually used on CDs.
+## List hugetlbfs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2253,38 +2606,611 @@ interface(`fs_remount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_iso9660_fs',`
+interface(`fs_list_hugetlbfs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem unmount;
+ allow $1 hugetlbfs_t:dir list_dir_perms;
+')
+
@@ -19379,244 +19267,197 @@ index 8416beb..440c63f 100644
+ ')
+
+ allow $1 iso9660_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files
--## on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Get the attributes of an iso9660
+## filesystem, which is usually used on CDs.
- ##
- ##
- ##
-@@ -1976,37 +2883,38 @@ interface(`fs_exec_fusefs_files',`
- ##
- ##
- #
--interface(`fs_manage_fusefs_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
+interface(`fs_getattr_iso9660_fs',`
- gen_require(`
-- type fusefs_t;
++ gen_require(`
+ type iso9660_t;
- ')
-
-- manage_files_pattern($1, fusefs_t, fusefs_t)
++ ')
++
+ allow $1 iso9660_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to create,
--## read, write, and delete files
--## on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##
++##
++#
+interface(`fs_getattr_iso9660_files',`
- gen_require(`
-- type fusefs_t;
++ gen_require(`
+ type iso9660_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ ')
++
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
- ##
- ##
- ##
-@@ -2014,19 +2922,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_read_iso9660_files',`
- gen_require(`
-- type fusefs_t;
++ gen_require(`
+ type iso9660_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ ')
++
+ allow $1 iso9660_t:dir list_dir_perms;
+ read_files_pattern($1, iso9660_t, iso9660_t)
+ read_lnk_files_pattern($1, iso9660_t, iso9660_t)
- ')
-
++')
+
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
++
++########################################
++##
+## Mount kdbus filesystems.
- ##
- ##
- ##
-@@ -2034,17 +2943,17 @@ interface(`fs_read_fusefs_symlinks',`
- ##
- ##
- #
--interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_mount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
-+ allow $1 kdbusfs_t:filesystem mount;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
-+## Remount kdbus filesystems.
- ##
- ##
- ##
-@@ -2052,17 +2961,17 @@ interface(`fs_getattr_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_list_hugetlbfs',`
-+interface(`fs_remount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 hugetlbfs_t:dir list_dir_perms;
-+ allow $1 kdbusfs_t:filesystem remount;
- ')
-
- ########################################
- ##
--## Manage hugetlbfs dirs.
-+## Unmount kdbus filesystems.
- ##
- ##
- ##
-@@ -2070,17 +2979,17 @@ interface(`fs_list_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_unmount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
- ')
-
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ allow $1 kdbusfs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read and write hugetlbfs files.
-+## Get attributes of kdbus filesystems.
- ##
- ##
- ##
-@@ -2088,35 +2997,38 @@ interface(`fs_manage_hugetlbfs_dirs',`
- ##
- ##
- #
--interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_getattr_kdbus',`
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
- ')
-
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ allow $1 kdbusfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Allow the type to associate to hugetlbfs filesystems.
-+## Search kdbusfs directories.
- ##
--##
++##
+##
- ##
--## The type of the object to be associated.
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
++##
++##
++#
++interface(`fs_mount_kdbus', `
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ allow $1 kdbusfs_t:filesystem mount;
++')
++
++########################################
++##
++## Remount kdbus filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_remount_kdbus', `
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ allow $1 kdbusfs_t:filesystem remount;
++')
++
++########################################
++##
++## Unmount kdbus filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_kdbus', `
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ allow $1 kdbusfs_t:filesystem unmount;
++')
++
++########################################
++##
++## Get attributes of kdbus filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_kdbus',`
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ allow $1 kdbusfs_t:filesystem getattr;
++')
++
++########################################
++##
++## Search kdbusfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_search_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type kdbusfs_t;
+
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
++ ')
++
+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++')
++
++########################################
++##
+## Relabel kdbusfs directories.
- ##
- ##
- ##
-@@ -2124,17 +3036,18 @@ interface(`fs_associate_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_relabel_kdbus_dirs',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type cgroup_t;
+
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## List kdbusfs directories.
- ##
- ##
- ##
-@@ -2142,71 +3055,78 @@ interface(`fs_search_inotifyfs',`
- ##
- ##
- #
--interface(`fs_list_inotifyfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_list_kdbus_dirs',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- allow $1 inotifyfs_t:dir list_dir_perms;
++ ')
++
+ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
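Review bot: `fs_relabel_kdbus_dirs` declares `type cgroup_t;` in its `gen_require` but its only rule is `relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)`, so `kdbusfs_t` is never required and `cgroup_t` is required for nothing; the require line should read `type kdbusfs_t;` (a module calling this interface would otherwise reference an undeclared type). The outer commit only moves this interface, so the defect is carried over unchanged. Nearby, `fs_search_kdbus_dirs` and `fs_relabel_kdbus_dirs` both have a stray blank line inside `gen_require` before the closing `')`, and `fs_getattr_iso9660_files` is described as `## Read files on an iso9660 filesystem` although it grants only `list_dir_perms` on directories and `file getattr`, so its summary should be `## Get the attributes of files on an iso9660 filesystem, which is usually used on CDs.`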
@@ -19639,149 +19480,106 @@ index 8416beb..440c63f 100644
+
+ dontaudit $1 kdbusfs_t:dir search_dir_perms;
+ dev_dontaudit_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Dontaudit List inotifyfs filesystem.
++')
++
++########################################
++##
+## Delete kdbusfs directories.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_inotifyfs',`
++##
++##
++#
+interface(`fs_delete_kdbus_dirs', `
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
++ ')
++
+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
++')
++
++########################################
++##
+## Manage kdbusfs directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`fs_hugetlbfs_filetrans',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_manage_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
-- ')
++ gen_require(`
+ type kdbusfs_t;
-
-- allow $2 hugetlbfs_t:filesystem associate;
-- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++
+ ')
+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Mount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Read kdbusfs files.
- ##
- ##
- ##
-@@ -2214,19 +3134,21 @@ interface(`fs_hugetlbfs_filetrans',`
- ##
- ##
- #
--interface(`fs_mount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_read_kdbus_files',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type cgroup_t;
+
- ')
-
-- allow $1 iso9660_t:filesystem mount;
++ ')
++
+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Remount an iso9660 filesystem, which
--## is usually used on CDs. This allows
--## some mount options to be changed.
++')
++
++########################################
++##
+## Write kdbusfs files.
- ##
- ##
- ##
-@@ -2234,18 +3156,19 @@ interface(`fs_mount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_remount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_write_kdbus_files', `
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem remount;
++ ')
++
+ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Unmount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Read and write kdbusfs files.
- ##
- ##
- ##
-@@ -2253,38 +3176,41 @@ interface(`fs_remount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_unmount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_rw_kdbus_files',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type kdbusfs_t;
+
- ')
-
-- allow $1 iso9660_t:filesystem unmount;
++ ')
++
+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
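Review bot: `fs_read_kdbus_files` requires `type cgroup_t;` while its body only references `kdbusfs_t` (`read_files_pattern($1, kdbusfs_t, kdbusfs_t)`), so the require block names a type the interface never uses and omits the one it does; the line should read `type kdbusfs_t;`. The same mismatch appears in `fs_relabel_kdbus_dirs` just above this hunk and in the newly added `fs_unmount_tracefs` at the end of the file, which requires `cgroup_t` while granting `tracefs_t:filesystem unmount`. In the base module this presumably still builds because every type is already in scope, but any module that has only `cgroup_t` declared would fail, and the stray requirement misleads anyone auditing which interfaces reach kdbusfs_t or tracefs_t. The dontaudit block at the top of the hunk starts outside it, and `fs_rw_kdbus_files` continues past its end.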
@@ -19897,272 +19695,119 @@ index 8416beb..440c63f 100644
## Search directories on a NFS filesystem.
##
##
-@@ -2439,152 +3384,228 @@ interface(`fs_list_nfs',`
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_list_nfs',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ dontaudit $1 nfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Mounton a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mounton_nfs',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ allow $1 nfs_t:dir mounton;
-+')
-+
-+########################################
-+##
-+## Read files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_read_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ fs_search_auto_mountpoints($1)
-+ allow $1 nfs_t:dir list_dir_perms;
-+ read_files_pattern($1, nfs_t, nfs_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read
-+## files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_read_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ dontaudit $1 nfs_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Read files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_nfs',`
-+interface(`fs_write_nfs_files',`
- gen_require(`
+@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
-- dontaudit $1 nfs_t:dir list_dir_perms;
+ fs_search_auto_mountpoints($1)
-+ allow $1 nfs_t:dir list_dir_perms;
-+ write_files_pattern($1, nfs_t, nfs_t)
+ allow $1 nfs_t:dir list_dir_perms;
+ read_files_pattern($1, nfs_t, nfs_t)
')
-
- ########################################
- ##
--## Mounton a NFS filesystem.
-+## Execute files on a NFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_mounton_nfs',`
-+interface(`fs_exec_nfs_files',`
- gen_require(`
+@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
-- allow $1 nfs_t:dir mounton;
-+ allow $1 nfs_t:dir list_dir_perms;
-+ exec_files_pattern($1, nfs_t, nfs_t)
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t)
')
+@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',`
########################################
##
--## Read files on a NFS filesystem.
+## Make general progams in nfs an entrypoint for
+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## The domain for which nfs_t is an entrypoint.
- ##
- ##
--##
- #
--interface(`fs_read_nfs_files',`
++##
++##
++#
+interface(`fs_nfs_entry_type',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- read_files_pattern($1, nfs_t, nfs_t)
++ gen_require(`
++ type nfs_t;
++ ')
++
+ domain_entry_file($1, nfs_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read
--## files on a NFS filesystem.
++')
++
++########################################
++##
+## Make general progams in NFS an entrypoint for
+## the specified domain.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## The domain for which nfs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_dontaudit_read_nfs_files',`
++##
++##
++#
+interface(`fs_nfs_entrypoint',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file read_file_perms;
++ gen_require(`
++ type nfs_t;
++ ')
++
+ allow $1 nfs_t:file entrypoint;
- ')
-
- ########################################
- ##
--## Read files on a NFS filesystem.
-+## Append files
-+## on a NFS filesystem.
++')
++
++########################################
++##
+ ## Append files
+ ## on a NFS filesystem.
##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_write_nfs_files',`
-+interface(`fs_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- write_files_pattern($1, nfs_t, nfs_t)
-+ append_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ##
--## Execute files on a NFS filesystem.
-+## Do not audit attempts to append files
-+## on a NFS filesystem.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- ##
- #
--interface(`fs_exec_nfs_files',`
-+interface(`fs_dontaudit_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- exec_files_pattern($1, nfs_t, nfs_t)
-+ dontaudit $1 nfs_t:file append_file_perms;
- ')
-
- ########################################
- ##
--## Append files
--## on a NFS filesystem.
-+## Read inherited files on a NFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_append_nfs_files',`
-+interface(`fs_read_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- append_files_pattern($1, nfs_t, nfs_t)
-+ allow $1 nfs_t:file read_inherited_file_perms;
- ')
+@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',`
########################################
##
-## dontaudit Append files
--## on a NFS filesystem.
-+## Read/write inherited files on a NFS filesystem.
++## Do not audit attempts to append files
+ ## on a NFS filesystem.
##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_dontaudit_append_nfs_files',`
-+interface(`fs_rw_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file append_file_perms;
-+ allow $1 nfs_t:file rw_inherited_file_perms;
- ')
+@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
+ ##
++## Read inherited files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/write inherited files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a NFS filesystem.
+ ##
@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
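Review bot: `fs_nfs_entry_type` and `fs_nfs_entrypoint` carry a word-for-word identical description ("Make general progams in nfs an entrypoint for the specified domain"), which gives a policy author no way to choose between the `domain_entry_file($1, nfs_t)` form and the bare `allow $1 nfs_t:file entrypoint;`, and both misspell "programs". Suggest `## Make every file labeled nfs_t an entrypoint for the specified domain (domain_entry_file form).` for the first and `## Grant the specified domain only the entrypoint permission on nfs_t files.` for the second, each with a caveat that nfs_t covers whole NFS mounts, so the grant is not limited to any particular binary. `fs_dontaudit_rw_nfs_files` at the tail of the hunk continues outside it.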
@@ -20314,11 +19959,95 @@ index 8416beb..440c63f 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3263,7 +4364,25 @@ interface(`fs_getattr_nfsd_files',`
- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
--########################################
+@@ -3182,18 +4283,108 @@ interface(`fs_remount_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_nfsd_fs',`
+- gen_require(`
+- type nfsd_fs_t;
+- ')
++interface(`fs_unmount_nfsd_fs',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ allow $1 nfsd_fs_t:filesystem unmount;
++')
++
++########################################
++##
++## Get the attributes of a NFS server
++## pseudo filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_nfsd_fs',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ allow $1 nfsd_fs_t:filesystem getattr;
++')
++
++########################################
++##
++## Search NFS server directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_search_nfsd_fs',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ allow $1 nfsd_fs_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List NFS server directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_nfsd_fs',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ allow $1 nfsd_fs_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Getattr files on an nfsd filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_nfsd_files',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
+#######################################
+##
+## read files on an nfsd filesystem
@@ -20333,93 +20062,128 @@ index 8416beb..440c63f 100644
+ gen_require(`
+ type nfsd_fs_t;
+ ')
-+
+
+- allow $1 nfsd_fs_t:filesystem unmount;
+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
+ ')
+
+-########################################
+#######################################
##
- ## Read and write NFS server files.
+-## Get the attributes of a NFS server
+-## pseudo filesystem.
++## Read and write NFS server files.
##
-@@ -3283,6 +4402,78 @@ interface(`fs_rw_nfsd_fs',`
+ ##
+ ##
+@@ -3201,17 +4392,17 @@ interface(`fs_unmount_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_getattr_nfsd_fs',`
++interface(`fs_rw_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+- allow $1 nfsd_fs_t:filesystem getattr;
++ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
########################################
##
+-## Search NFS server directories.
+## Getattr files on an nsfs filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -3219,35 +4410,35 @@ interface(`fs_getattr_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_search_nfsd_fs',`
+interface(`fs_getattr_nsfs_files',`
-+ gen_require(`
+ gen_require(`
+- type nfsd_fs_t;
+ type nsfs_t;
-+ ')
-+
+ ')
+
+- allow $1 nfsd_fs_t:dir search_dir_perms;
+ getattr_files_pattern($1, nsfs_t, nsfs_t)
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## List NFS server directories.
+## Read nsfs inodes (e.g. /proc/pid/ns/uts)
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`fs_list_nfsd_fs',`
+interface(`fs_read_nsfs_files',`
-+ gen_require(`
+ gen_require(`
+- type nfsd_fs_t;
+- ')
+ type nsfs_t;
+ ')
-+
+
+- allow $1 nfsd_fs_t:dir list_dir_perms;
+ allow $1 nsfs_t:file read_file_perms;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## Getattr files on an nfsd filesystem
+## Read and write nsfs inodes (e.g. /proc/pid/ns/uts)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_nsfs_files',`
-+ gen_require(`
-+ type nsfs_t;
-+ ')
-+
-+ rw_files_pattern($1, nsfs_t, nsfs_t)
-+')
-+
-+########################################
-+##
-+## Manage NFS server files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_nfsd_fs',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
-+########################################
-+##
- ## Allow the type to associate to ramfs filesystems.
##
- ##
+ ##
+ ##
+@@ -3255,17 +4446,17 @@ interface(`fs_list_nfsd_fs',`
+ ##
+ ##
+ #
+-interface(`fs_getattr_nfsd_files',`
++interface(`fs_rw_nsfs_files',`
+ gen_require(`
+- type nfsd_fs_t;
++ type nsfs_t;
+ ')
+
+- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ rw_files_pattern($1, nsfs_t, nsfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write NFS server files.
++## Manage NFS server files.
+ ##
+ ##
+ ##
+@@ -3273,12 +4464,12 @@ interface(`fs_getattr_nfsd_files',`
+ ##
+ ##
+ #
+-interface(`fs_rw_nfsd_fs',`
++interface(`fs_manage_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
+ ########################################
@@ -3392,7 +4583,7 @@ interface(`fs_search_ramfs',`
########################################
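Review bot: The separator lines above the new `read files on an nfsd filesystem`, `Getattr files on an nsfs filesystem`, `Read nsfs inodes` and `Read and write nsfs inodes` headers are 39 characters (`#######################################`), one shorter than the 40-character `########################################` used by every other interface in this file, including the ones directly around them. Padding them to 40 keeps the headers uniform and lets a reader scan the file by separator. The `fs_read_nsfs_files` description could also state what the permission unlocks in practice, e.g. `## Read nsfs inodes (e.g. /proc/pid/ns/uts); opening these handles is what namespace entry needs.`, so reviewers see why granting it is not a plain file read. Lines before `interface(\`fs_rw_nfsd_fs\'` belong to a block that starts outside the hunk.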
@@ -20497,186 +20261,116 @@ index 8416beb..440c63f 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3866,12 +5093,49 @@ interface(`fs_relabelfrom_tmpfs',`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:filesystem relabelfrom;
-+ allow $1 tmpfs_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+##
-+## Get the attributes of tmpfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_tmpfs_dirs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of tmpfs directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:dir getattr;
- ')
+@@ -3908,7 +5135,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
--## Get the attributes of tmpfs directories.
+-## Mount on tmpfs directories.
+## Set the attributes of tmpfs directories.
##
##
##
-@@ -3879,36 +5143,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3916,17 +5143,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
--interface(`fs_getattr_tmpfs_dirs',`
+-interface(`fs_mounton_tmpfs',`
+interface(`fs_setattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:dir getattr;
+- allow $1 tmpfs_t:dir mounton;
+ allow $1 tmpfs_t:dir setattr;
')
########################################
##
--## Do not audit attempts to get the attributes
--## of tmpfs directories.
+-## Set the attributes of tmpfs directories.
+## Search tmpfs directories.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -3934,17 +5161,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
--interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+-interface(`fs_setattr_tmpfs_dirs',`
+interface(`fs_search_tmpfs',`
gen_require(`
type tmpfs_t;
')
-- dontaudit $1 tmpfs_t:dir getattr;
+- allow $1 tmpfs_t:dir setattr;
+ allow $1 tmpfs_t:dir search_dir_perms;
')
########################################
##
--## Mount on tmpfs directories.
+-## Search tmpfs directories.
+## List the contents of generic tmpfs directories.
##
##
##
-@@ -3916,35 +5179,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3952,17 +5179,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
--interface(`fs_mounton_tmpfs',`
+-interface(`fs_search_tmpfs',`
+interface(`fs_list_tmpfs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:dir mounton;
+- allow $1 tmpfs_t:dir search_dir_perms;
+ allow $1 tmpfs_t:dir list_dir_perms;
')
########################################
##
--## Set the attributes of tmpfs directories.
+-## List the contents of generic tmpfs directories.
+## Do not audit attempts to list the
+## contents of generic tmpfs directories.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_setattr_tmpfs_dirs',`
++##
++##
++#
+interface(`fs_dontaudit_list_tmpfs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir setattr;
++ gen_require(`
++ type tmpfs_t;
++ ')
++
+ dontaudit $1 tmpfs_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Search tmpfs directories.
++')
++
++########################################
++##
+## Relabel directory on tmpfs filesystems.
##
##
##
-@@ -3952,17 +5216,17 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3970,31 +5216,48 @@ interface(`fs_search_tmpfs',`
##
##
#
--interface(`fs_search_tmpfs',`
+-interface(`fs_list_tmpfs',`
+interface(`fs_relabel_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## List the contents of generic tmpfs directories.
-+## Relabel fifo_file on tmpfs filesystems.
- ##
- ##
- ##
-@@ -3970,31 +5234,30 @@ interface(`fs_search_tmpfs',`
- ##
- ##
- #
--interface(`fs_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_fifo_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
- allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
')
########################################
##
-## Do not audit attempts to list the
-## contents of generic tmpfs directories.
-+## Relabel files on tmpfs filesystems.
++## Relabel fifo_file on tmpfs filesystems.
##
##
##
@@ -20686,29 +20380,139 @@ index 8416beb..440c63f 100644
##
#
-interface(`fs_dontaudit_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_files',`
++interface(`fs_relabel_tmpfs_fifo_files',`
gen_require(`
type tmpfs_t;
')
- dontaudit $1 tmpfs_t:dir list_dir_perms;
++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Relabel files on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
')
########################################
-@@ -4105,7 +5368,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4066,33 +5329,161 @@ interface(`fs_tmpfs_filetrans',`
type tmpfs_t;
')
-- dontaudit $1 tmpfs_t:file rw_file_perms;
+- allow $2 tmpfs_t:filesystem associate;
+- filetrans_pattern($1, tmpfs_t, $2, $3, $4)
++ allow $2 tmpfs_t:filesystem associate;
++ filetrans_pattern($1, tmpfs_t, $2, $3, $4)
++')
++
++########################################
++##
++## Do not audit attempts to getattr
++## generic tmpfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_getattr_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## generic tmpfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_rw_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
+ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -4165,6 +5428,24 @@ interface(`fs_rw_tmpfs_files',`
-
- ########################################
- ##
++')
++
++########################################
++##
++## Create, read, write, and delete
++## auto moutpoints.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_auto_mountpoints',`
++ gen_require(`
++ type autofs_t;
++ ')
++
++ allow $1 autofs_t:dir manage_dir_perms;
++')
++
++########################################
++##
++## Read generic tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ read_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Read and write generic tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ rw_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
+## Read and write generic tmpfs files.
+##
+##
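Review bot: `fs_manage_auto_mountpoints` (`type autofs_t`) is inserted between `fs_dontaudit_rw_tmpfs_files` and `fs_read_tmpfs_files`, so an autofs interface now sits in the middle of the tmpfs section rather than with the other `fs_*_auto_mountpoints` interfaces; its description also misspells "mountpoints" (`## auto moutpoints.`). Separately, `fs_dontaudit_rw_tmpfs_files` is documented as "read or write generic tmpfs files" but suppresses only `rw_inherited_file_perms`, which by its name presumably excludes `open`; if that is intended, the description should say "inherited" so callers do not expect open denials to be silenced. The header at the end of the hunk ("Read and write generic tmpfs files") belongs to a block that continues outside it.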
@@ -20727,150 +20531,297 @@ index 8416beb..440c63f 100644
+
+########################################
+##
- ## Read tmpfs link files.
- ##
- ##
-@@ -4202,7 +5483,7 @@ interface(`fs_rw_tmpfs_chr_files',`
++## Read tmpfs link files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_tmpfs_symlinks',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
########################################
##
--## dontaudit Read and write character nodes on tmpfs filesystems.
+-## Do not audit attempts to getattr
+-## generic tmpfs files.
++## Read and write character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_getattr_tmpfs_files',`
++interface(`fs_rw_tmpfs_chr_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:file getattr;
++ allow $1 tmpfs_t:dir list_dir_perms;
++ rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read or write
+-## generic tmpfs files.
+## Do not audit attempts to read and write character nodes on tmpfs filesystems.
##
##
##
-@@ -4221,6 +5502,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4100,72 +5491,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_rw_tmpfs_files',`
++interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:file rw_file_perms;
++ dontaudit $1 tmpfs_t:dir list_dir_perms;
++ dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
+ ')
########################################
##
+-## Create, read, write, and delete
+-## auto moutpoints.
+## Do not audit attempts to create character nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_create_tmpfs_chr_dev',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:chr_file create;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read files on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_read_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:blk_file read;
-+')
-+
-+########################################
-+##
- ## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4278,6 +5613,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`fs_manage_auto_mountpoints',`
++interface(`fs_dontaudit_create_tmpfs_chr_dev',`
+ gen_require(`
+- type autofs_t;
++ type tmpfs_t;
+ ')
+
+- allow $1 autofs_t:dir manage_dir_perms;
++ dontaudit $1 tmpfs_t:chr_file create;
+ ')
########################################
##
-+## Relabel sock nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_sock_file',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
+-## Read generic tmpfs files.
++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`fs_read_tmpfs_files',`
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- read_files_pattern($1, tmpfs_t, tmpfs_t)
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and write generic tmpfs files.
++## Do not audit attempts to read files on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`fs_rw_tmpfs_files',`
++interface(`fs_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- rw_files_pattern($1, tmpfs_t, tmpfs_t)
++ dontaudit $1 tmpfs_t:blk_file read;
+ ')
+
+ ########################################
+ ##
+-## Read tmpfs link files.
++## Relabel character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4173,17 +5564,18 @@ interface(`fs_rw_tmpfs_files',`
+ ##
+ ##
+ #
+-interface(`fs_read_tmpfs_symlinks',`
++interface(`fs_relabel_tmpfs_chr_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+ allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Delete generic files in tmpfs directory.
-+##
-+##
-+##
++ relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write character nodes on tmpfs filesystems.
++## Read and write block nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4191,37 +5583,37 @@ interface(`fs_read_tmpfs_symlinks',`
+ ##
+ ##
+ #
+-interface(`fs_rw_tmpfs_chr_files',`
++interface(`fs_rw_tmpfs_blk_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+- rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
++ rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## dontaudit Read and write character nodes on tmpfs filesystems.
++## Relabel block nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_use_tmpfs_chr_dev',`
++interface(`fs_relabel_tmpfs_blk_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:dir list_dir_perms;
+- dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
++ allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Relabel character nodes on tmpfs filesystems.
++## Relabel sock nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4229,18 +5621,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ ##
+ ##
+ #
+-interface(`fs_relabel_tmpfs_chr_file',`
++interface(`fs_relabel_tmpfs_sock_file',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir list_dir_perms;
+- relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write block nodes on tmpfs filesystems.
++## Delete generic files in tmpfs directory.
+ ##
+ ##
+ ##
+@@ -4248,18 +5640,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+ ##
+ ##
+ #
+-interface(`fs_rw_tmpfs_blk_files',`
+interface(`fs_delete_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir list_dir_perms;
+- rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+ allow $1 tmpfs_t:dir del_entry_dir_perms;
+ allow $1 tmpfs_t:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write, create and delete generic
- ## files on tmpfs filesystems.
- ##
-@@ -4297,6 +5670,25 @@ interface(`fs_manage_tmpfs_files',`
+ ')
########################################
##
-+## Execute files on a tmpfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_exec_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ exec_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
- ## Read and write, create and delete symbolic
- ## links on tmpfs filesystems.
+-## Relabel block nodes on tmpfs filesystems.
++## Read and write, create and delete generic
++## files on tmpfs filesystems.
##
+ ##
+ ##
+@@ -4267,32 +5660,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+ ##
+ ##
+ #
+-interface(`fs_relabel_tmpfs_blk_file',`
++interface(`fs_manage_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir list_dir_perms;
+- relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
++ manage_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write, create and delete generic
+-## files on tmpfs filesystems.
++## Execute files on a tmpfs filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`fs_manage_tmpfs_files',`
++interface(`fs_exec_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- manage_files_pattern($1, tmpfs_t, tmpfs_t)
++ exec_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
@@ -4407,6 +5799,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
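Review bot: `fs_dontaudit_read_tmpfs_files` is documented as "Do not audit attempts to read files on tmpfs filesystems" but its only rule is `dontaudit $1 tmpfs_t:blk_file read;`, which silences block-device reads, not regular file reads, and overlaps with `fs_dontaudit_read_tmpfs_blk_dev` directly above, which already covers `read_blk_file_perms`. Either the rule should become `dontaudit $1 tmpfs_t:file read_file_perms;` to match the name, or the interface should be dropped in favour of the blk_dev one. The description of `fs_dontaudit_read_tmpfs_blk_dev` reads "Do not audit attempts to dontaudit read block nodes" and should be `## Do not audit attempts to read block nodes on tmpfs filesystems.`. `fs_delete_tmpfs_files` grants `tmpfs_t:file_class_set delete_file_perms`, i.e. deletion across every object class, which is wider than the "generic files" its description promises, so the description should name the scope. `fs_exec_tmpfs_files` closes inside the hunk; the trailing `fs_search_xenfs` lines are context only.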
@@ -20968,7 +20919,7 @@ index 8416beb..440c63f 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6364,82 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6364,173 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -21051,6 +21002,97 @@ index 8416beb..440c63f 100644
+ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
+')
+
++########################################
++##
++## Read and write tracefs_t files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_tracefs_files',`
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ rw_files_pattern($1, tracefs_t, tracefs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete dirs
++## labeled as tracefs_t.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_tracefs_dirs',`
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ manage_dirs_pattern($1, tracefs_t, tracefs_t)
++')
++
++########################################
++##
++## Mount tracefs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mount_tracefs', `
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ allow $1 tracefs_t:filesystem mount;
++')
++
++########################################
++##
++## Remount tracefs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_remount_tracefs', `
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ allow $1 tracefs_t:filesystem remount;
++')
++
++########################################
++##
++## Unmount tracefs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_tracefs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 tracefs_t:filesystem unmount;
++')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d1738..59c1cb8 100644
--- a/policy/modules/kernel/filesystem.te
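Review bot: `fs_unmount_tracefs` declares `type cgroup_t;` in its gen_require while its only rule is on `tracefs_t`, so a module that calls just this interface will likely fail to build (tracefs_t undeclared in the require block) and needlessly pulls cgroup_t into the caller; the line should read `type tracefs_t;` as in the four sibling interfaces above it. The three mount interfaces are also spelled `interface(`fs_mount_tracefs', `` with a space after the comma, unlike every other interface in the hunk; `interface(`fs_mount_tracefs',`` keeps the file's convention.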
@@ -27069,10 +27111,10 @@ index 0000000..15b42ae
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..bca9f3c
+index 0000000..270e9a8
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,349 @@
+@@ -0,0 +1,350 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -27381,6 +27423,7 @@ index 0000000..bca9f3c
+
+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
++ oddjob_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
@@ -28285,7 +28328,7 @@ index 76d9f66..7528851 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..0ac21a6 100644
+index fe0c682..d55811f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -28459,15 +28502,18 @@ index fe0c682..0ac21a6 100644
auth_rw_login_records($1_t)
auth_rw_faillog($1_t)
-@@ -234,6 +264,7 @@ template(`ssh_server_template', `
+@@ -233,7 +263,10 @@ template(`ssh_server_template', `
+ # for sshd subsystems, such as sftp-server.
corecmd_getattr_bin_files($1_t)
++ dev_rw_crypto($1_t)
++
domain_interactive_fd($1_t)
+ domain_dyntrans_type($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -241,35 +272,33 @@ template(`ssh_server_template', `
+@@ -241,35 +274,33 @@ template(`ssh_server_template', `
logging_search_logs($1_t)
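Review bot: `dev_rw_crypto($1_t)` grants read/write on the crypto device to every domain instantiated from ssh_server_template, and nothing in the hunk records which consumer needs it; the template already annotates its non-obvious grants (`# for sshd subsystems, such as sftp-server.`), so a matching one-line comment above the new line naming the component that opens the device would keep later audits of sshd_t honest. The template body continues outside the hunk.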
@@ -28514,7 +28560,7 @@ index fe0c682..0ac21a6 100644
')
########################################
-@@ -292,14 +321,15 @@ template(`ssh_server_template', `
+@@ -292,14 +323,15 @@ template(`ssh_server_template', `
## User domain for the role
##
##
@@ -28531,7 +28577,7 @@ index fe0c682..0ac21a6 100644
')
##############################
-@@ -328,103 +358,56 @@ template(`ssh_role_template',`
+@@ -328,103 +360,56 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -28631,12 +28677,12 @@ index fe0c682..0ac21a6 100644
- # transition back to normal privs upon exec
- fs_cifs_domtrans($1_ssh_agent_t, $3)
- ')
-+ userdom_home_manager($1_ssh_agent_t)
-
+-
- optional_policy(`
- nis_use_ypbind($1_ssh_agent_t)
- ')
--
++ userdom_home_manager($1_ssh_agent_t)
+
- optional_policy(`
- xserver_use_xdm_fds($1_ssh_agent_t)
- xserver_rw_xdm_pipes($1_ssh_agent_t)
@@ -28645,7 +28691,7 @@ index fe0c682..0ac21a6 100644
')
########################################
-@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +481,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -28674,7 +28720,7 @@ index fe0c682..0ac21a6 100644
########################################
##
## Read and write a ssh server unnamed pipe.
-@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +517,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -28683,7 +28729,7 @@ index fe0c682..0ac21a6 100644
')
########################################
-@@ -605,6 +607,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +609,24 @@ interface(`ssh_domtrans',`
########################################
##
@@ -28708,7 +28754,7 @@ index fe0c682..0ac21a6 100644
## Execute the ssh client in the caller domain.
##
##
-@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +659,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -28717,7 +28763,7 @@ index fe0c682..0ac21a6 100644
files_search_pids($1)
')
-@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +684,42 @@ interface(`ssh_agent_exec',`
########################################
##
@@ -28760,7 +28806,7 @@ index fe0c682..0ac21a6 100644
## Read ssh home directory content
##
##
-@@ -701,6 +757,68 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +759,68 @@ interface(`ssh_domtrans_keygen',`
########################################
##
@@ -28829,7 +28875,7 @@ index fe0c682..0ac21a6 100644
## Read ssh server keys
##
##
-@@ -714,7 +832,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +834,26 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -28857,7 +28903,7 @@ index fe0c682..0ac21a6 100644
')
######################################
-@@ -754,3 +891,151 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +893,151 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -37274,7 +37320,7 @@ index 79a45f6..9926eaf 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..4616101 100644
+index 17eda24..5bee7df 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37385,20 +37431,21 @@ index 17eda24..4616101 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -98,7 +146,11 @@ ifdef(`enable_mls',`
+@@ -98,7 +146,12 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
+allow init_t self:capability2 ~{ mac_admin mac_override };
++allow init_t self:cap_userns all_cap_userns_perms;
+allow init_t self:tcp_socket { listen accept };
+allow init_t self:packet_socket create_socket_perms;
+allow init_t self:key manage_key_perms;
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -108,14 +160,43 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +161,45 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
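Review bot: `allow init_t self:cap_userns all_cap_userns_perms;` hands init_t every first-32 capability inside user namespaces, including `sys_module`, `audit_control` and `audit_write`, which the `capability` rule two lines above deliberately withholds; the namespaced rule should carry the same exclusions, `allow init_t self:cap_userns ~{ audit_control audit_write sys_module };`, otherwise the exclusion can be sidestepped from a child user namespace. The `capability2` exclusions (mac_admin, mac_override) correspond to the cap2_userns class, which this hunk does not touch, so they are unaffected. The init_t rule block continues outside the hunk.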
@@ -37440,6 +37487,8 @@ index 17eda24..4616101 100644
+files_pid_filetrans(init_t, init_var_run_t, { dir file })
+allow init_t init_var_run_t:dir mounton;
+allow init_t init_var_run_t:sock_file relabelto;
++allow init_t init_var_run_t:blk_file getattr;
++allow init_t init_var_run_t:chr_file getattr;
+
+allow init_t machineid_t:file manage_file_perms;
+files_pid_filetrans(init_t, machineid_t, file, "machine-id")
@@ -37448,7 +37497,7 @@ index 17eda24..4616101 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +206,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +209,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -37473,7 +37522,7 @@ index 17eda24..4616101 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +230,24 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +233,24 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -37499,7 +37548,7 @@ index 17eda24..4616101 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,29 +256,68 @@ fs_list_inotifyfs(init_t)
+@@ -155,29 +259,68 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -37573,7 +37622,7 @@ index 17eda24..4616101 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +326,264 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +329,264 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37847,7 +37896,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -216,7 +591,30 @@ optional_policy(`
+@@ -216,7 +594,30 @@ optional_policy(`
')
optional_policy(`
@@ -37879,7 +37928,7 @@ index 17eda24..4616101 100644
')
########################################
-@@ -225,9 +623,9 @@ optional_policy(`
+@@ -225,9 +626,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -37891,7 +37940,7 @@ index 17eda24..4616101 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +656,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +659,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -37908,7 +37957,7 @@ index 17eda24..4616101 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +681,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +684,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -37951,7 +38000,7 @@ index 17eda24..4616101 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +718,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +721,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -37963,7 +38012,7 @@ index 17eda24..4616101 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +730,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +733,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -37974,7 +38023,7 @@ index 17eda24..4616101 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +741,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +744,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -37984,7 +38033,7 @@ index 17eda24..4616101 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +750,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +753,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -37992,7 +38041,7 @@ index 17eda24..4616101 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +757,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +760,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -38000,7 +38049,7 @@ index 17eda24..4616101 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +765,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +768,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -38018,7 +38067,7 @@ index 17eda24..4616101 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +783,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +786,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -38032,7 +38081,7 @@ index 17eda24..4616101 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +798,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +801,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -38046,7 +38095,7 @@ index 17eda24..4616101 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +811,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +814,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -38057,7 +38106,7 @@ index 17eda24..4616101 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +824,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +827,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -38065,7 +38114,7 @@ index 17eda24..4616101 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +843,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +846,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -38089,7 +38138,7 @@ index 17eda24..4616101 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +876,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +879,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -38097,7 +38146,7 @@ index 17eda24..4616101 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +910,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +913,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -38108,7 +38157,7 @@ index 17eda24..4616101 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +934,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +937,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -38117,7 +38166,7 @@ index 17eda24..4616101 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +949,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +952,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -38125,7 +38174,7 @@ index 17eda24..4616101 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +970,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +973,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -38133,7 +38182,7 @@ index 17eda24..4616101 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +980,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +983,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -38178,7 +38227,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -559,14 +1025,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1028,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -38210,7 +38259,7 @@ index 17eda24..4616101 100644
')
')
-@@ -577,6 +1060,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1063,39 @@ ifdef(`distro_suse',`
')
')
@@ -38250,7 +38299,7 @@ index 17eda24..4616101 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1105,8 @@ optional_policy(`
+@@ -589,6 +1108,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -38259,7 +38308,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -610,6 +1128,7 @@ optional_policy(`
+@@ -610,6 +1131,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -38267,7 +38316,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -626,6 +1145,17 @@ optional_policy(`
+@@ -626,6 +1148,17 @@ optional_policy(`
')
optional_policy(`
@@ -38285,7 +38334,7 @@ index 17eda24..4616101 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1172,13 @@ optional_policy(`
+@@ -642,9 +1175,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38299,7 +38348,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -657,15 +1191,11 @@ optional_policy(`
+@@ -657,15 +1194,11 @@ optional_policy(`
')
optional_policy(`
@@ -38317,7 +38366,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -686,6 +1216,15 @@ optional_policy(`
+@@ -686,6 +1219,15 @@ optional_policy(`
')
optional_policy(`
@@ -38333,7 +38382,7 @@ index 17eda24..4616101 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1265,7 @@ optional_policy(`
+@@ -726,6 +1268,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38341,7 +38390,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -743,7 +1283,13 @@ optional_policy(`
+@@ -743,7 +1286,13 @@ optional_policy(`
')
optional_policy(`
@@ -38356,7 +38405,7 @@ index 17eda24..4616101 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1312,10 @@ optional_policy(`
+@@ -766,6 +1315,10 @@ optional_policy(`
')
optional_policy(`
@@ -38367,7 +38416,7 @@ index 17eda24..4616101 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1325,20 @@ optional_policy(`
+@@ -775,10 +1328,20 @@ optional_policy(`
')
optional_policy(`
@@ -38388,7 +38437,7 @@ index 17eda24..4616101 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1347,10 @@ optional_policy(`
+@@ -787,6 +1350,10 @@ optional_policy(`
')
optional_policy(`
@@ -38399,7 +38448,7 @@ index 17eda24..4616101 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1372,6 @@ optional_policy(`
+@@ -808,8 +1375,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38408,7 +38457,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -818,6 +1380,10 @@ optional_policy(`
+@@ -818,6 +1383,10 @@ optional_policy(`
')
optional_policy(`
@@ -38419,7 +38468,7 @@ index 17eda24..4616101 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1393,12 @@ optional_policy(`
+@@ -827,10 +1396,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38432,7 +38481,7 @@ index 17eda24..4616101 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1425,62 @@ optional_policy(`
+@@ -857,21 +1428,62 @@ optional_policy(`
')
optional_policy(`
@@ -38496,7 +38545,7 @@ index 17eda24..4616101 100644
')
optional_policy(`
-@@ -887,6 +1496,10 @@ optional_policy(`
+@@ -887,6 +1499,10 @@ optional_policy(`
')
optional_policy(`
@@ -38507,7 +38556,7 @@ index 17eda24..4616101 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1510,218 @@ optional_policy(`
+@@ -897,3 +1513,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -39504,7 +39553,7 @@ index c42fbc3..bf211db 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..e336bc1 100644
+index be8ed1e..fa11d0f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@@ -39529,10 +39578,11 @@ index be8ed1e..e336bc1 100644
########################################
#
# Iptables local policy
-@@ -35,25 +38,32 @@ dontaudit iptables_t self:capability sys_tty_config;
+@@ -35,25 +38,33 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
++allow iptables_t self:netlink_generic_socket create_socket_perms;
+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
@@ -39565,7 +39615,7 @@ index be8ed1e..e336bc1 100644
kernel_use_fds(iptables_t)
# needed by ipvsadm
-@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,19 +75,23 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -39591,7 +39641,7 @@ index be8ed1e..e336bc1 100644
auth_use_nsswitch(iptables_t)
-@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +100,14 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -39609,7 +39659,7 @@ index be8ed1e..e336bc1 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +116,9 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -39619,7 +39669,7 @@ index be8ed1e..e336bc1 100644
')
optional_policy(`
-@@ -110,6 +126,13 @@ optional_policy(`
+@@ -110,6 +127,13 @@ optional_policy(`
')
optional_policy(`
@@ -39633,7 +39683,7 @@ index be8ed1e..e336bc1 100644
modutils_run_insmod(iptables_t, iptables_roles)
')
-@@ -124,6 +147,16 @@ optional_policy(`
+@@ -124,6 +148,16 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -39650,7 +39700,7 @@ index be8ed1e..e336bc1 100644
')
optional_policy(`
-@@ -135,9 +168,9 @@ optional_policy(`
+@@ -135,9 +169,9 @@ optional_policy(`
')
optional_policy(`
@@ -39697,7 +39747,7 @@ index 0000000..c814795
+fs_manage_kdbus_dirs(systemd_logind_t)
+fs_manage_kdbus_files(systemd_logind_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..8cf7041 100644
+index 73bb3c0..549c41b 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -39798,7 +39848,7 @@ index 73bb3c0..8cf7041 100644
-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/systemd/libsystemd-shared-231\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -48855,10 +48905,10 @@ index 0000000..16cd1ac
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..a111f4d
+index 0000000..8654fdf
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,960 @@
+@@ -0,0 +1,965 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49226,6 +49276,8 @@ index 0000000..a111f4d
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+
++allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;
++
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
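Review bot: `allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;` lets init_t create and fully drive route sockets labelled with networkd's domain type; if the motivating denial was init_t touching a socket inherited from or handed over by networkd, which is the usual reason for a rule on another domain's socket, `rw_netlink_socket_perms` (or only the permissions actually denied) is the least-privilege form — confirm against the AVC that prompted it. As a matter of placement, this rule's subject is init_t yet it sits in the systemd_networkd section of systemd.te; rules governing init_t belong in init.te or behind an interface, or anyone auditing init_t's policy will not see it.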
@@ -49693,6 +49745,7 @@ index 0000000..a111f4d
+#
+# systemd_coredump domains
+#
++allow systemd_coredump_t self:cap_userns sys_ptrace;
+
+manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
+fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
@@ -49812,6 +49865,8 @@ index 0000000..a111f4d
+# systemd_modules_load domain
+#
+
++allow systemd_modules_load_t self:capability sys_module;
++
+kernel_dgram_send(systemd_modules_load_t)
+
+dev_read_sysfs(systemd_modules_load_t)
@@ -51234,7 +51289,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..236692c 100644
+index 9dc60c6..420907f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -52240,7 +52295,7 @@ index 9dc60c6..236692c 100644
userdom_change_password_template($1)
-@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', `
+@@ -761,82 +1012,113 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -52376,6 +52431,7 @@ index 9dc60c6..236692c 100644
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
+ oddjob_run_mkhomedir($1_t, $1_r)
++ oddjob_run($1_t, $1_r)
')
+ optional_policy(`
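Review bot: `oddjob_run($1_t, $1_r)` is added unconditionally inside userdom_login_user_template, so every login user domain built from it, not only unconfined_t, presumably gains a domain transition into the oddjob domain together with its role, a broader target than the `oddjob_run_mkhomedir` line that was already there. A one-line comment above it naming the helper that needs the transition would document why the wider grant is required (the same line is added for unconfined_t in the hunk ending at L3542, where it carries far less weight). The template body continues outside the hunk.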
@@ -52389,7 +52445,7 @@ index 9dc60c6..236692c 100644
')
')
-@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1150,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -52402,7 +52458,7 @@ index 9dc60c6..236692c 100644
##############################
#
# Local policy
-@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1195,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -52554,7 +52610,7 @@ index 9dc60c6..236692c 100644
')
#######################################
-@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1359,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -52592,7 +52648,7 @@ index 9dc60c6..236692c 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1396,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -52666,7 +52722,7 @@ index 9dc60c6..236692c 100644
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1461,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -52677,7 +52733,7 @@ index 9dc60c6..236692c 100644
')
')
-@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1499,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -52688,7 +52744,7 @@ index 9dc60c6..236692c 100644
')
##############################
-@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1517,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -52696,7 +52752,7 @@ index 9dc60c6..236692c 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1528,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -52713,7 +52769,7 @@ index 9dc60c6..236692c 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1545,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -52722,7 +52778,7 @@ index 9dc60c6..236692c 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1564,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -52738,7 +52794,7 @@ index 9dc60c6..236692c 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1583,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52783,7 +52839,7 @@ index 9dc60c6..236692c 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1626,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -52792,7 +52848,7 @@ index 9dc60c6..236692c 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1635,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -52815,7 +52871,7 @@ index 9dc60c6..236692c 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1685,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -52824,7 +52880,7 @@ index 9dc60c6..236692c 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1695,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52833,7 +52889,7 @@ index 9dc60c6..236692c 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1709,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52845,7 +52901,7 @@ index 9dc60c6..236692c 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1723,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -52888,7 +52944,7 @@ index 9dc60c6..236692c 100644
')
optional_policy(`
-@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1808,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -52907,7 +52963,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1851,52 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -52961,7 +53017,7 @@ index 9dc60c6..236692c 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2003,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52993,7 +53049,7 @@ index 9dc60c6..236692c 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2069,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -53008,7 +53064,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2092,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -53020,7 +53076,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2137,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -53045,7 +53101,7 @@ index 9dc60c6..236692c 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2173,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -53105,7 +53161,7 @@ index 9dc60c6..236692c 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2299,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -53120,7 +53176,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2338,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -53135,7 +53191,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2368,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -53144,7 +53200,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2376,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -53168,7 +53224,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2394,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -53239,7 +53295,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2450,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -53267,7 +53323,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,18 +2470,71 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -53347,7 +53403,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1891,13 +2542,113 @@ interface(`userdom_read_user_home_content_files',`
##
##
#
@@ -53464,7 +53520,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2689,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -53473,7 +53529,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2697,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -53486,7 +53542,7 @@ index 9dc60c6..236692c 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2708,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -53495,7 +53551,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2716,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -53564,7 +53620,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2811,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -53574,7 +53630,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2827,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -53599,7 +53655,7 @@ index 9dc60c6..236692c 100644
########################################
##
-@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2917,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -53608,7 +53664,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2925,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -53632,7 +53688,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2943,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -53648,7 +53704,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3183,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -53706,7 +53762,7 @@ index 9dc60c6..236692c 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3245,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -53715,7 +53771,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3286,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -53741,7 +53797,7 @@ index 9dc60c6..236692c 100644
########################################
##
-@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3388,27 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -53770,7 +53826,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,6 +3436,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
##
##
#
@@ -53798,7 +53854,7 @@ index 9dc60c6..236692c 100644
interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
type user_tmp_t;
-@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3552,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -53820,7 +53876,7 @@ index 9dc60c6..236692c 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3578,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -53842,7 +53898,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3593,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -53865,7 +53921,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3608,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -53926,7 +53982,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3752,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -53951,7 +54007,7 @@ index 9dc60c6..236692c 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3788,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -53994,7 +54050,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3824,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -54032,7 +54088,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3869,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -54062,7 +54118,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3961,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -54105,7 +54161,7 @@ index 9dc60c6..236692c 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4020,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -54130,7 +54186,7 @@ index 9dc60c6..236692c 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4038,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -54142,7 +54198,7 @@ index 9dc60c6..236692c 100644
## memory segments.
##
##
-@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4049,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -54163,7 +54219,7 @@ index 9dc60c6..236692c 100644
## memory segments.
##
##
-@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4068,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
##
##
#
@@ -54178,7 +54234,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4118,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -54187,7 +54243,7 @@ index 9dc60c6..236692c 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4134,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -54221,7 +54277,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4222,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -54248,7 +54304,7 @@ index 9dc60c6..236692c 100644
')
########################################
-@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4295,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -54264,7 +54320,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4309,56 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -54336,7 +54392,7 @@ index 9dc60c6..236692c 100644
##
##
##
-@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',`
+@@ -3337,17 +4366,91 @@ interface(`userdom_getattr_all_users',`
##
##
#
@@ -54431,7 +54487,7 @@ index 9dc60c6..236692c 100644
## descriptors from any user domains.
##
##
-@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4485,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -54474,7 +54530,7 @@ index 9dc60c6..236692c 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4541,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -54535,7 +54591,7 @@ index 9dc60c6..236692c 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4628,1781 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 7869f931..40b3d801 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -19101,7 +19101,7 @@ index 1303b30..f13c532 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 7de3859..1444c2f 100644
+index 7de3859..e8010ba 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@@ -19454,7 +19454,7 @@ index 7de3859..1444c2f 100644
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
-@@ -312,41 +264,46 @@ logging_set_loginuid(crond_t)
+@@ -312,41 +264,49 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -19476,9 +19476,11 @@ index 7de3859..1444c2f 100644
- allow crond_t cronjob_t:process transition;
- allow crond_t cronjob_t:fd use;
- allow crond_t cronjob_t:key manage_key_perms;
--')
-+mta_send_mail(crond_t)
-+mta_system_content(cron_spool_t)
++optional_policy(`
++ mta_send_mail(crond_t)
++ mta_filetrans_admin_home_content(crond_t)
++ mta_system_content(cron_spool_t)
+ ')
ifdef(`distro_debian',`
+ # pam_limits is used
@@ -19517,7 +19519,7 @@ index 7de3859..1444c2f 100644
')
optional_policy(`
-@@ -354,103 +311,141 @@ optional_policy(`
+@@ -354,103 +314,141 @@ optional_policy(`
')
optional_policy(`
@@ -19690,7 +19692,7 @@ index 7de3859..1444c2f 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -19703,7 +19705,7 @@ index 7de3859..1444c2f 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -19711,7 +19713,7 @@ index 7de3859..1444c2f 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t)
+@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -19736,7 +19738,7 @@ index 7de3859..1444c2f 100644
auth_use_nsswitch(system_cronjob_t)
-@@ -516,20 +517,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -19766,7 +19768,7 @@ index 7de3859..1444c2f 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +546,18 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -19785,7 +19787,7 @@ index 7de3859..1444c2f 100644
')
optional_policy(`
-@@ -551,10 +566,6 @@ optional_policy(`
+@@ -551,10 +569,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -19796,7 +19798,7 @@ index 7de3859..1444c2f 100644
')
optional_policy(`
-@@ -567,6 +578,10 @@ optional_policy(`
+@@ -567,6 +581,10 @@ optional_policy(`
')
optional_policy(`
@@ -19807,15 +19809,16 @@ index 7de3859..1444c2f 100644
ftp_read_log(system_cronjob_t)
')
-@@ -591,6 +606,7 @@ optional_policy(`
+@@ -591,6 +609,8 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
++ mta_filetrans_admin_home_content(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
-@@ -598,7 +614,23 @@ optional_policy(`
+@@ -598,7 +618,23 @@ optional_policy(`
')
optional_policy(`
@@ -19839,7 +19842,7 @@ index 7de3859..1444c2f 100644
')
optional_policy(`
-@@ -607,7 +639,12 @@ optional_policy(`
+@@ -607,7 +643,12 @@ optional_policy(`
')
optional_policy(`
@@ -19852,7 +19855,7 @@ index 7de3859..1444c2f 100644
')
optional_policy(`
-@@ -615,12 +652,27 @@ optional_policy(`
+@@ -615,12 +656,27 @@ optional_policy(`
')
optional_policy(`
@@ -19882,7 +19885,7 @@ index 7de3859..1444c2f 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +680,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -19916,7 +19919,7 @@ index 7de3859..1444c2f 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +713,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -20794,7 +20797,7 @@ index 3023be7..4f0fe46 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
-index c91813c..65e9a4d 100644
+index c91813c..8aececf 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21196,8 +21199,11 @@ index c91813c..65e9a4d 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -370,20 +434,19 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
+ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
++manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
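Review bot: The new `manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)` is not matched by the file transition directly below it, which still reads `files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })`, so a socket that cupsd_config_t creates directly under the pid directory would keep the generic pid label and the new rule would not cover it. If the socket is created in the pid directory root, extend the transition to `files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file sock_file })`; if it is created inside an already-labelled subdirectory, a short comment saying so next to the new line would save the next reader the same question. The enclosing cups.te block continues outside the hunk.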
@@ -21217,7 +21223,7 @@ index c91813c..65e9a4d 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +455,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -21238,7 +21244,7 @@ index c91813c..65e9a4d 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +472,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -21250,7 +21256,7 @@ index c91813c..65e9a4d 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +498,12 @@ optional_policy(`
+@@ -449,9 +499,12 @@ optional_policy(`
')
optional_policy(`
@@ -21264,7 +21270,7 @@ index c91813c..65e9a4d 100644
')
optional_policy(`
-@@ -467,6 +519,10 @@ optional_policy(`
+@@ -467,6 +520,10 @@ optional_policy(`
')
optional_policy(`
@@ -21275,7 +21281,7 @@ index c91813c..65e9a4d 100644
rpm_read_db(cupsd_config_t)
')
-@@ -487,10 +543,6 @@ optional_policy(`
+@@ -487,10 +544,6 @@ optional_policy(`
# Lpd local policy
#
@@ -21286,7 +21292,7 @@ index c91813c..65e9a4d 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +561,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -21304,7 +21310,7 @@ index c91813c..65e9a4d 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +590,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -21314,7 +21320,7 @@ index c91813c..65e9a4d 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -550,7 +599,6 @@ optional_policy(`
+@@ -550,7 +600,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -21322,7 +21328,7 @@ index c91813c..65e9a4d 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +615,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -21474,7 +21480,7 @@ index c91813c..65e9a4d 100644
########################################
#
-@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +659,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -21482,7 +21488,7 @@ index c91813c..65e9a4d 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +668,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -21496,7 +21502,7 @@ index c91813c..65e9a4d 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +680,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -21505,7 +21511,7 @@ index c91813c..65e9a4d 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +691,4 @@ optional_policy(`
+@@ -773,3 +692,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -25181,10 +25187,10 @@ index 0000000..b3784d8
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..aa290b1
+index 0000000..89f1271
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,203 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -25278,6 +25284,9 @@ index 0000000..aa290b1
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
++read_files_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
++list_dirs_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
++
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
@@ -28854,7 +28863,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3..73c5573 100644
+index 98072a3..9670e41 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -28898,7 +28907,7 @@ index 98072a3..73c5573 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -63,20 +77,21 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +77,23 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -28924,10 +28933,12 @@ index 98072a3..73c5573 100644
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
+sysnet_manage_config(firewalld_t)
++sysnet_relabelfrom_net_conf(firewalld_t)
++sysnet_relabelto_net_conf(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +110,10 @@ optional_policy(`
+@@ -95,6 +112,10 @@ optional_policy(`
')
optional_policy(`
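Review bot: `sysnet_relabelfrom_net_conf(firewalld_t)` and `sysnet_relabelto_net_conf(firewalld_t)` let firewalld_t change the label of network configuration files in both directions, which goes beyond the `sysnet_manage_config(firewalld_t)` and `sysnet_manage_config_dirs(firewalld_t)` already granted on the lines above, and the hunk gives no indication of which file or operation needs a relabel rather than a plain write. A comment above the pair naming the trigger, e.g. `# relabel needed when firewalld rewrites <placeholder: file> via rename/restorecon`, would make the grant auditable, and if only one direction is exercised the other call can be dropped. The enclosing firewalld.te block continues outside the hunk.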
@@ -29256,11 +29267,14 @@ index 5010f04..3b73741 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index 92a6479..addf8a6 100644
+index 92a6479..59a65a4 100644
--- a/fprintd.te
+++ b/fprintd.te
-@@ -20,23 +20,26 @@ files_type(fprintd_var_lib_t)
+@@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t)
+ #
+
allow fprintd_t self:capability sys_nice;
++allow fprintd_t self:capability2 wake_alarm;
allow fprintd_t self:process { getsched setsched signal sigkill };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -29289,7 +29303,7 @@ index 92a6479..addf8a6 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +57,17 @@ optional_policy(`
+@@ -54,8 +58,17 @@ optional_policy(`
')
')
@@ -37486,10 +37500,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..d750c5c 100644
+index 4eb7041..572b64b 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,150 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,152 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -37577,6 +37591,8 @@ index 4eb7041..d750c5c 100644
+files_dontaudit_search_home(hypervkvp_t)
+
+fs_getattr_all_fs(hypervkvp_t)
++fs_read_hugetlbfs_files(hypervkvp_t)
++fs_list_hugetlbfs(hypervkvp_t)
+
+auth_use_nsswitch(hypervkvp_t)
+
@@ -38616,10 +38632,10 @@ index 0000000..1a30961
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..e3b22a3
+index 0000000..81f38fe
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,202 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -38713,6 +38729,7 @@ index 0000000..e3b22a3
+logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
+
+kernel_read_system_state(ipa_helper_t)
++kernel_read_network_state(ipa_helper_t)
+
+corenet_tcp_connect_ldap_port(ipa_helper_t)
+corenet_tcp_connect_smbd_port(ipa_helper_t)
@@ -38823,14 +38840,16 @@ index 0000000..e3b22a3
+')
diff --git a/ipmievd.fc b/ipmievd.fc
new file mode 100644
-index 0000000..caf1fe5
+index 0000000..afe4e83
--- /dev/null
+++ b/ipmievd.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
+
+/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
++/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
++
+/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0)
diff --git a/ipmievd.if b/ipmievd.if
new file mode 100644
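Review bot: `/usr/libexec/openipmi-helper` is given the same `ipmievd_exec_t` entrypoint type as `/usr/sbin/ipmievd`, so the helper will run in ipmievd_t with every rule written for the daemon, including the device-node management added in the ipmievd.te hunk further down this page. If the helper only needs a subset of that access, a dedicated exec type and domain is the least-privilege shape; otherwise a comment next to the new entry such as `# openipmi-helper performs the same IPMI setup as the daemon and intentionally shares its domain` would document that the sharing is deliberate.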
@@ -38960,10 +38979,10 @@ index 0000000..e86db54
+')
diff --git a/ipmievd.te b/ipmievd.te
new file mode 100644
-index 0000000..f8428ca
+index 0000000..32d7f6c
--- /dev/null
+++ b/ipmievd.te
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,33 @@
+policy_module(ipmievd, 1.0.0)
+
+########################################
@@ -38992,7 +39011,8 @@ index 0000000..f8428ca
+manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
+files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
+
-+dev_rw_ipmi_dev(ipmievd_t)
++dev_manage_ipmi_dev(ipmievd_t)
++dev_filetrans_ipmi(ipmievd_t)
+
+logging_send_syslog_msg(ipmievd_t)
+
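Review bot: Replacing `dev_rw_ipmi_dev(ipmievd_t)` with `dev_manage_ipmi_dev(ipmievd_t)` and `dev_filetrans_ipmi(ipmievd_t)` moves the daemon from reading and writing the IPMI device node to (presumably, given the manage_* naming) creating and removing it as well, and nothing in the hunk says why the daemon rather than udev needs to do that. A one-line comment above the two calls naming the code path that creates the node, e.g. `# ipmievd creates the device node itself when it is missing — <placeholder: reference to upstream behaviour>`, would make the widening reviewable later; if the node is always present at start-up, the previous `dev_rw_ipmi_dev` was the tighter rule.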
@@ -41394,7 +41414,7 @@ index 3a00b3a..92f125f 100644
+')
+
diff --git a/kdump.te b/kdump.te
-index 715fc21..3cac629 100644
+index 715fc21..9852a07 100644
--- a/kdump.te
+++ b/kdump.te
@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
@@ -41435,10 +41455,10 @@ index 715fc21..3cac629 100644
+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
++
++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-allow kdump_t kdump_etc_t:file read_file_perms;
-+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-+
+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
@@ -41501,7 +41521,7 @@ index 715fc21..3cac629 100644
kernel_read_system_state(kdumpctl_t)
-@@ -71,46 +107,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +107,60 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
@@ -41538,6 +41558,10 @@ index 715fc21..3cac629 100644
-miscfiles_read_localization(kdumpctl_t)
+optional_policy(`
++ networkmanager_dbus_chat(kdumpctl_t)
++')
++
++optional_policy(`
+ gpg_exec(kdumpctl_t)
+')
@@ -45925,7 +45949,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84..9059174 100644
+index be0ab84..6f39336 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@@ -46058,12 +46082,13 @@ index be0ab84..9059174 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +134,55 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
+application_exec_all(logrotate_t)
+
++auth_domtrans_chk_passwd(logrotate_t)
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
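Review bot: `auth_domtrans_chk_passwd(logrotate_t)` gives a log-rotation domain a transition into the password-checking helper domain, a notable step up from the adjacent `auth_manage_login_records` and `auth_use_nsswitch` lines, and nothing in the hunk says which rotated service or postrotate script requires it. A comment on the new line naming the trigger, `# needed by <placeholder: service> postrotate, which authenticates via PAM`, would let a later reviewer confirm it is still required; if the need is confined to one script, running that script in its own domain would keep the credential-check access out of logrotate_t. The enclosing logrotate.te block continues outside the hunk.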
@@ -46120,7 +46145,7 @@ index be0ab84..9059174 100644
')
optional_policy(`
-@@ -135,16 +197,17 @@ optional_policy(`
+@@ -135,16 +198,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -46140,7 +46165,7 @@ index be0ab84..9059174 100644
')
optional_policy(`
-@@ -170,6 +233,11 @@ optional_policy(`
+@@ -170,6 +234,11 @@ optional_policy(`
')
optional_policy(`
@@ -46152,7 +46177,7 @@ index be0ab84..9059174 100644
fail2ban_stream_connect(logrotate_t)
')
-@@ -178,7 +246,7 @@ optional_policy(`
+@@ -178,7 +247,7 @@ optional_policy(`
')
optional_policy(`
@@ -46161,7 +46186,7 @@ index be0ab84..9059174 100644
')
optional_policy(`
-@@ -198,17 +266,18 @@ optional_policy(`
+@@ -198,17 +267,18 @@ optional_policy(`
')
optional_policy(`
@@ -46183,7 +46208,7 @@ index be0ab84..9059174 100644
')
optional_policy(`
-@@ -216,6 +285,14 @@ optional_policy(`
+@@ -216,6 +286,14 @@ optional_policy(`
')
optional_policy(`
@@ -46198,7 +46223,7 @@ index be0ab84..9059174 100644
samba_exec_log(logrotate_t)
')
-@@ -228,26 +305,50 @@ optional_policy(`
+@@ -228,26 +306,50 @@ optional_policy(`
')
optional_policy(`
@@ -49894,10 +49919,10 @@ index 0000000..f5b98e6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..0dcf221
+index 0000000..c3fda0f
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,286 @@
+@@ -0,0 +1,288 @@
+policy_module(mock,1.0.0)
+
+##
@@ -50050,6 +50075,8 @@ index 0000000..0dcf221
+lvm_read_metadata(mock_t)
+lvm_getattr_exec_files(mock_t)
+
++miscfiles_dontaudit_write_generic_cert_files(mock_t)
++
+userdom_use_user_ptys(mock_t)
+userdom_use_user_ttys(mock_t)
+
@@ -50264,7 +50291,7 @@ index b1ac8b5..24782b3 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..7f3c31d 100644
+index d15eb5b..2055876 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -50306,14 +50333,18 @@ index d15eb5b..7f3c31d 100644
logging_send_syslog_msg(modemmanager_t)
-@@ -56,3 +63,7 @@ optional_policy(`
- udev_read_db(modemmanager_t)
- udev_manage_pid_files(modemmanager_t)
- ')
+@@ -50,6 +57,11 @@ optional_policy(`
+ optional_policy(`
+ policykit_dbus_chat(modemmanager_t)
+ ')
+
-+optional_policy(`
-+ systemd_dbus_chat_logind(modemmanager_t)
-+')
++ optional_policy(`
++ systemd_dbus_chat_logind(modemmanager_t)
++ systemd_write_inhibit_pipes(modemmanager_t)
++ ')
+ ')
+
+ optional_policy(`
diff --git a/mojomojo.fc b/mojomojo.fc
index 7b827ca..5ee8a0f 100644
--- a/mojomojo.fc
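Review bot: The `systemd_dbus_chat_logind`/`systemd_write_inhibit_pipes` block is now nested inside an enclosing `optional_policy(` whose condition begins before this hunk, so it cannot be seen here which module guards it. If that is the dbus block (plausible, since logind chat goes over the system bus and the sibling `policykit_dbus_chat` sits in the same nest) the placement is right, but a one-line comment such as `# logind chat and inhibitor-lock pipes require the system bus` would make the dependency explicit for the next rebase, which is exactly the kind of move this diff is making. Note that `systemd_write_inhibit_pipes` lets ModemManager hold logind inhibitor locks; that is expected for suspend/shutdown coordination but worth stating alongside the rule.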
@@ -63065,10 +63096,10 @@ index 57c0161..c554eb6 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
-index 5b2cb0d..7655e0b 100644
+index 5b2cb0d..1ac5cf5 100644
--- a/nut.te
+++ b/nut.te
-@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0)
+@@ -7,154 +7,153 @@ policy_module(nut, 1.3.0)
attribute nut_domain;
@@ -63182,9 +63213,9 @@ index 5b2cb0d..7655e0b 100644
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
-+
-+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
++
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@@ -63229,6 +63260,11 @@ index 5b2cb0d..7655e0b 100644
shutdown_domtrans(nut_upsmon_t)
')
++optional_policy(`
++ dbus_system_bus_client(nut_upsmon_t)
++ systemd_dbus_chat_logind(nut_upsmon_t)
++')
++
########################################
#
-# Upsdrvctl local policy
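Review bot: `systemd_dbus_chat_logind(nut_upsmon_t)` grants bidirectional D-Bus send_msg with logind for every method it exposes, not only the shutdown/inhibit calls the changelog (BZ 1361802) describes; SELinux cannot narrow this per method, so the effective limit is logind's own polkit policy. A comment above the new optional block, `# upsmon asks logind to schedule a shutdown when the UPS battery is low; dbus chat cannot be narrowed per method`, records why the broad grant exists. It is also worth confirming whether `shutdown_domtrans(nut_upsmon_t)` just above is still needed once the logind path is used, so the domain does not keep two independent shutdown routes.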
@@ -63586,10 +63622,10 @@ index cd29ea8..d01d2c8 100644
')
')
diff --git a/oddjob.fc b/oddjob.fc
-index dd1d9ef..fbbe3ff 100644
+index dd1d9ef..c48733a 100644
--- a/oddjob.fc
+++ b/oddjob.fc
-@@ -1,10 +1,10 @@
+@@ -1,10 +1,12 @@
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
@@ -63600,13 +63636,15 @@ index dd1d9ef..fbbe3ff 100644
-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/bin/oddjob_request -- gen_context(system_u:object_r:oddjob_exec_t,s0)
++
+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
-index c87bd2a..4c17c99 100644
+index c87bd2a..284e4de 100644
--- a/oddjob.if
+++ b/oddjob.if
@@ -1,4 +1,8 @@
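Review bot: Labeling `/usr/bin/oddjob_request` as `oddjob_exec_t` gives the client CLI the daemon's entrypoint type, so every domain allowed `oddjob_domtrans` (and the changelog says user roles get `oddjob_run`) will execute this tool in the `oddjob_t` daemon domain with all of oddjobd's permissions rather than in the caller's domain. If, as its name suggests, oddjob_request only sends a request to the daemon over the bus, the tighter labeling is to run it in the caller's domain (a generic bin label plus the caller's existing D-Bus chat to oddjob_t) or, if it truly needs its own rules, a dedicated exec type and domain instead of sharing the daemon's. At minimum a comment next to the entry should state why the client must run as the daemon.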
@@ -63718,7 +63756,7 @@ index c87bd2a..4c17c99 100644
##
##
##
-@@ -105,46 +141,71 @@ interface(`oddjob_domtrans_mkhomedir',`
+@@ -105,46 +141,96 @@ interface(`oddjob_domtrans_mkhomedir',`
#
interface(`oddjob_run_mkhomedir',`
gen_require(`
@@ -63732,25 +63770,48 @@ index c87bd2a..4c17c99 100644
')
-#####################################
-+#######################################
++########################################
##
-## Do not audit attempts to read and write
-## oddjob fifo files.
-+## Execute oddjob in the oddjob domain.
++## Execute the oddjob program in the oddjob domain.
##
##
--##
+ ##
-## Domain to not audit.
--##
++## Domain allowed to transition.
+ ##
+ ##
++##
++##
++## Role allowed access.
++##
++##
++##
+ #
+-interface(`oddjob_dontaudit_rw_fifo_files',`
++interface(`oddjob_run',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
++ oddjob_domtrans($1)
++ role $2 types oddjob_t;
+ ')
+
+-######################################
++#######################################
+ ##
+-## Send child terminated signals to oddjob.
++## Execute oddjob in the oddjob domain.
++##
++##
+##
+## Domain allowed to transition.
+##
- ##
- #
--interface(`oddjob_dontaudit_rw_fifo_files',`
-- gen_require(`
-- type oddjob_t;
-- ')
++##
++#
+interface(`oddjob_systemctl',`
+ gen_require(`
+ type oddjob_unit_file_t;
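Review bot: The summary on the new `oddjob_systemctl` interface, `## Execute oddjob in the oddjob domain.`, is a copy of `oddjob_run`'s wording and does not describe what the interface grants; its body (which continues past the end of this hunk) gives `init_reload_services`, read on `oddjob_unit_file_t` and `manage_service_perms` on the service, i.e. control of the oddjob unit through systemctl. Change the line to `## Allow the caller to start, stop and reload the oddjob service via systemctl.` so the generated interface documentation matches the rules. The `oddjob_run` doc block itself is accurate; its "Role allowed access." parameter is the right place to warn that the role will be able to hold the daemon domain `oddjob_t`.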
@@ -63761,15 +63822,12 @@ index c87bd2a..4c17c99 100644
+ init_reload_services($1)
+ allow $1 oddjob_unit_file_t:file read_file_perms;
+ allow $1 oddjob_unit_file_t:service manage_service_perms;
-
-- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
++
+ ps_process_pattern($1, oddjob_t)
- ')
-
--######################################
++')
++
+########################################
- ##
--## Send child terminated signals to oddjob.
++##
+## Create a domain which can be started by init,
+## with a range transition.
##
@@ -79207,7 +79265,7 @@ index 7cb8b1f..bef7217 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index 618dcfe..8e08251 100644
+index 618dcfe..9f36ed5 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -79269,7 +79327,7 @@ index 618dcfe..8e08251 100644
type puppetmaster_t;
type puppetmaster_exec_t;
-@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,174 @@ files_tmp_file(puppetmaster_tmp_t)
########################################
#
@@ -79504,6 +79562,10 @@ index 618dcfe..8e08251 100644
optional_policy(`
- files_rw_var_files(puppet_t)
++ networkmanager_dbus_chat(puppetagent_t)
++')
++
++optional_policy(`
+ firewalld_dbus_chat(puppetagent_t)
+')
@@ -79514,28 +79576,28 @@ index 618dcfe..8e08251 100644
+ portage_domtrans(puppetagent_t)
+ portage_domtrans_fetch(puppetagent_t)
+ portage_domtrans_gcc_config(puppetagent_t)
- ')
-
- optional_policy(`
-- unconfined_domain(puppet_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppetagent_t)
+
+ rpm_domtrans(puppetagent_t)
+ rpm_manage_db(puppetagent_t)
+ rpm_manage_log(puppetagent_t)
++')
++
++optional_policy(`
++ shorewall_domtrans(puppetagent_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain(puppet_t)
++ unconfined_domain_noaudit(puppetagent_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
-+ shorewall_domtrans(puppetagent_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain_noaudit(puppetagent_t)
-+')
-+
-+optional_policy(`
+ shorewall_domtrans(puppet_t)
')
@@ -79556,7 +79618,7 @@ index 618dcfe..8e08251 100644
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +240,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
@@ -79564,7 +79626,7 @@ index 618dcfe..8e08251 100644
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
-@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +249,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
@@ -79580,7 +79642,7 @@ index 618dcfe..8e08251 100644
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +259,48 @@ optional_policy(`
+@@ -246,38 +263,48 @@ optional_policy(`
hostname_exec(puppetca_t)
')
@@ -79645,7 +79707,7 @@ index 618dcfe..8e08251 100644
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +312,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +316,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -79676,7 +79738,7 @@ index 618dcfe..8e08251 100644
selinux_validate_context(puppetmaster_t)
-@@ -314,26 +338,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +342,31 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
@@ -79713,7 +79775,7 @@ index 618dcfe..8e08251 100644
')
optional_policy(`
-@@ -342,3 +371,9 @@ optional_policy(`
+@@ -342,3 +375,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -83706,10 +83768,10 @@ index 951db7f..00e699d 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
-index c99753f..c7b77bc 100644
+index c99753f..357db0b 100644
--- a/raid.te
+++ b/raid.te
-@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t;
+@@ -15,54 +15,103 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
@@ -83798,6 +83860,7 @@ index c99753f..c7b77bc 100644
+dev_read_kvm(mdadm_t)
+dev_read_mei(mdadm_t)
+dev_read_nvram(mdadm_t)
++dev_read_nvme(mdadm_t)
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
+dev_read_urand(mdadm_t)
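Review bot: `dev_read_nvme(mdadm_t)` grants only read on NVMe block devices, whereas the neighbouring storage rules (`storage_manage_fixed_disk(mdadm_t)` in the following hunk's context) give mdadm full access to ordinary disks. If NVMe namespaces can be array members, mdadm must write superblocks to them and this will surface as a new write denial; confirm the reported case only needed scanning, and if so pin that intent with `# read-only: mdadm only scans NVMe devices for metadata` so the next denial is not silently widened.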
@@ -83821,7 +83884,7 @@ index c99753f..c7b77bc 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +120,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -83848,7 +83911,7 @@ index c99753f..c7b77bc 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -90,17 +148,38 @@ optional_policy(`
+@@ -90,17 +149,38 @@ optional_policy(`
')
optional_policy(`
@@ -84067,10 +84130,10 @@ index 0000000..d57006d
+')
diff --git a/rasdaemon.te b/rasdaemon.te
new file mode 100644
-index 0000000..6731d5c
+index 0000000..dcdca44
--- /dev/null
+++ b/rasdaemon.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,51 @@
+policy_module(rasdaemon, 1.0.0)
+
+########################################
@@ -84107,6 +84170,11 @@ index 0000000..6731d5c
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
++fs_rw_tracefs_files(rasdaemon_t)
++fs_manage_tracefs_dirs(rasdaemon_t)
++fs_mount_tracefs(rasdaemon_t)
++fs_unmount_tracefs(rasdaemon_t)
++
+modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
+
+auth_use_nsswitch(rasdaemon_t)
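Review bot: `fs_mount_tracefs`/`fs_unmount_tracefs` let rasdaemon mount and unmount tracefs, but a mount also needs `sys_admin` in rasdaemon_t's `self:capability` rule, which lies outside this hunk — confirm it is present or the mount will still be denied and the new rules do nothing. `fs_rw_tracefs_files` is broader than it looks: if `tracefs_t` labels the whole mount, write access covers the probe-definition and tracer-control files as well as the event-enable files a RAS collector needs, which is a kernel-facing capability SELinux cannot split per file. Document the known over-grant with a comment such as `# tracefs_t covers the whole mount; rasdaemon only needs the RAS event enable files and the trace pipe`.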
@@ -86176,10 +86244,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..bc62d96 100644
+index 47de2d6..aa2272c 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,96 @@
+@@ -1,31 +1,101 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -86253,12 +86321,16 @@ index 47de2d6..bc62d96 100644
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/corosync-qnetd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/corosync-qdevice.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/bin/corosync-qnetd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
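Review bot: The two new unit-file entries `/usr/lib/systemd/system/corosync-qnetd.*` and `corosync-qdevice.*` are already matched by the existing `/usr/lib/systemd/system/corosync.*` pattern on the line above them, so they add only a duplicate rule to maintain; drop them, or leave a comment if they are kept deliberately for readability. Separately, as far as I know corosync-qnetd is a network-listening arbiter that is normally deployed on a host outside the cluster, and labeling it `cluster_exec_t` gives that host the full shared `cluster_t` domain (corosync, pacemaker, pcsd) for a single TCP service; the changelog shows a dedicated domain was tried and reverted, so a comment explaining why the shared domain was chosen would help the next reviewer.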
@@ -86268,6 +86340,7 @@ index 47de2d6..bc62d96 100644
+/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/share/corosync/corosync-qdevice -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -97572,10 +97645,10 @@ index 0000000..7a058a8
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
-index 0000000..8666aec
+index 0000000..f6e5b0f
--- /dev/null
+++ b/sbd.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,52 @@
+policy_module(sbd, 1.0.0)
+
+########################################
@@ -97601,6 +97674,7 @@ index 0000000..8666aec
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
++allow sbd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
+manage_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
@@ -97608,6 +97682,8 @@ index 0000000..8666aec
+files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file })
+
+kernel_read_system_state(sbd_t)
++kernel_dgram_send(sbd_t)
++kernel_rw_kernel_sysctl(sbd_t)
+
+dev_read_rand(sbd_t)
+dev_write_watchdog(sbd_t)
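Review bot: `kernel_rw_kernel_sysctl(sbd_t)` grants write to every entry under the generic kernel sysctl type, while the changelog only says sbd needs "r/w kernel sysctls" without naming one. If sbd writes a single entry (for instance to arm panic/reboot behaviour before fencing), state it in a comment — `# sbd sets kernel.<entry> at startup` — and check whether that entry has a narrower dedicated type/interface; otherwise a future unrelated sysctl write from this domain cannot be told apart from legitimate use. `kernel_dgram_send` presumably covers early-boot syslog when the kernel domain still holds the log socket; a one-line comment there would save the same question later.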
@@ -97618,6 +97694,8 @@ index 0000000..8666aec
+
+miscfiles_read_localization(sbd_t)
+
++logging_send_syslog_msg(sbd_t)
++
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(sbd_t)
+ rhcs_stream_connect_cluster(sbd_t)
@@ -104403,7 +104481,7 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..864ea2f 100644
+index 2d8db1f..a28dfe7 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t)
@@ -104425,7 +104503,7 @@ index 2d8db1f..864ea2f 100644
#
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
++allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
allow sssd_t self:capability2 block_suspend;
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
allow sssd_t self:fifo_file rw_fifo_file_perms;
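Review bot: The `ipc_lock` capability added to sssd_t's `self:capability` set carries no comment explaining what is being locked, and the changelog only records that it was added. ipc_lock permits mlock/mlockall and locking shared memory; if the purpose is keeping Kerberos or other credential material out of swap, a brief note such as `# ipc_lock: mlock() buffers holding credentials` documents the reason and lets later reviewers confirm the capability is still required when the set is next widened.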
@@ -104449,7 +104527,7 @@ index 2d8db1f..864ea2f 100644
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -62,17 +69,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +69,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
@@ -104468,10 +104546,11 @@ index 2d8db1f..864ea2f 100644
+corenet_tcp_connect_kerberos_password_port(sssd_t)
+corenet_tcp_connect_smbd_port(sssd_t)
+corenet_tcp_connect_http_port(sssd_t)
++corenet_tcp_connect_http_cache_port(sssd_t)
corecmd_exec_bin(sssd_t)
-@@ -83,28 +86,36 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +87,36 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
@@ -104512,7 +104591,7 @@ index 2d8db1f..864ea2f 100644
init_read_utmp(sssd_t)
-@@ -112,18 +123,64 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +124,64 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -113203,7 +113282,7 @@ index facdee8..816d860 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..cd95400 100644
+index f03dcf5..25d26d4 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,402 @@
@@ -114215,7 +114294,7 @@ index f03dcf5..cd95400 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +707,332 @@ optional_policy(`
+@@ -746,44 +707,335 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -114279,6 +114358,8 @@ index f03dcf5..cd95400 100644
+
+manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
+
++append_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t)
++
+
+# Allow virtlogd to look at /proc/$PID/status
+# to authenticate the connecting libvirtd
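Review bot: `append_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t)` gives virtlogd append access to every file carrying the guest-image label, not just whichever guest log file triggered the denial; from the changelog line alone the motivating file cannot be seen. If the cause is a console/serial log placed under an images directory and therefore inheriting `svirt_image_t`, the narrower fix is to make that log land as `virt_log_t` (which virtlogd already manages two lines above) rather than letting the logger write into disk images. At minimum add a comment stating which file prompted the rule, e.g. `# guest console logs stored beside images inherit svirt_image_t`, so the grant can be revisited.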
@@ -114387,9 +114468,10 @@ index f03dcf5..cd95400 100644
+dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
+dev_rw_infiniband_dev(virt_domain)
++dev_rw_dri(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
-+
+
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
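Review bot: `dev_rw_dri(virt_domain)` unconditionally gives every guest domain carrying the `virt_domain` attribute read/write on the host's DRI device nodes, which the changelog motivates with OpenCL GPU compute (BZ 1337333) — a feature only some deployments use, while every other guest gains a host-kernel GPU-driver attack surface by default. This module already gates optional guest access behind booleans (`tunable_policy(`virt_use_nfs'` appears further down in this file), so the same shape — a new boolean in the existing virt_use_* family wrapping `dev_rw_dri(virt_domain)` — would keep the default policy tight and let GPU-passthrough hosts opt in. If it stays unconditional, a comment should at least record that the exposure is deliberate.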
@@ -114445,7 +114527,7 @@ index f03dcf5..cd95400 100644
+ sssd_dontaudit_read_lib(virt_domain)
+ sssd_dontaudit_read_public_files(virt_domain)
+')
-
++
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
@@ -114570,7 +114652,7 @@ index f03dcf5..cd95400 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1043,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1046,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -114597,7 +114679,7 @@ index f03dcf5..cd95400 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1063,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1066,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -114631,7 +114713,7 @@ index f03dcf5..cd95400 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1100,20 @@ optional_policy(`
+@@ -856,14 +1103,20 @@ optional_policy(`
')
optional_policy(`
@@ -114653,7 +114735,7 @@ index f03dcf5..cd95400 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1138,66 @@ optional_policy(`
+@@ -888,49 +1141,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -114738,7 +114820,7 @@ index f03dcf5..cd95400 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1209,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1212,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -114758,7 +114840,7 @@ index f03dcf5..cd95400 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1230,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1233,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -114782,7 +114864,7 @@ index f03dcf5..cd95400 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1255,355 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1258,355 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -115279,7 +115361,7 @@ index f03dcf5..cd95400 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1619,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -115294,7 +115376,7 @@ index f03dcf5..cd95400 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1634,7 @@ optional_policy(`
+@@ -1192,7 +1637,7 @@ optional_policy(`
########################################
#
@@ -115303,7 +115385,7 @@ index f03dcf5..cd95400 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1643,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1646,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 313bdb55..a7a4b7ab 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 207%{?dist}
+Release: 208%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -648,6 +648,52 @@ exit 0
%endif
%changelog
+* Fri Aug 12 2016 Lukas Vrabec 3.13.1-208
+- Allow cups_config_t domain also mange sock_files. BZ(1361299)
+- Add wake_alarm capability to fprintd domain BZ(1362430)
+- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)
+- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)
+- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)
+- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)
+- Dontaudit mock to write to generic certs.
+- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
+- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
+- Merge pull request #144 from rhatdan/modemmanager
+- Allow modemmanager to write to systemd inhibit pipes
+- Label corosync-qnetd and corosync-qdevice as corosync_t domain
+- Allow ipa_helper to read network state
+- Label oddjob_reqiest as oddjob_exec_t
+- Add interface oddjob_run()
+- Allow modemmanager chat with systemd_logind via dbus
+- Allow NetworkManager chat with puppetagent via dbus
+- Allow NetworkManager chat with kdumpctl via dbus
+- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
+- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
+- Allow rasdaemon to use tracefs filesystem
+- Fix typo bug in dirsrv policy
+- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
+- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
+- Allow dirsrv to read dirsrv_share_t content
+- Allow virtlogd_t to append svirt_image_t files.
+- Allow hypervkvp domain to read hugetlbfs dir/files.
+- Allow mdadm daemon to read nvme_device_t blk files
+- Allow systemd_resolved to connect on system bus. BZ(1366334)
+- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)
+- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)
+- label tcp/udp port 853 as dns_port_t. BZ(1365609)
+- Merge pull request #145 from rhatdan/init
+- systemd is doing a gettattr on blk and chr devices in /run
+- Allow selinuxusers and unconfineduser to run oddjob_request
+- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.
+- Fix typo in device interfaces
+- Add interfaces for managing ipmi devices
+- Add interfaces to allow mounting/umounting tracefs filesystem
+- Add interfaces to allow rw tracefs filesystem
+- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
+- Merge pull request #138 from rhatdan/userns
+- Allow iptables to creating netlink generic sockets.
+- Fix filecontext for systemd shared lib.
+
* Thu Aug 04 2016 Lukas Vrabec 3.13.1-207
- Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t