--## Enabling secure mode disallows programs, such as
-+## disallow programs, such as
- ## newrole, from transitioning to administrative
- ## user domains.
- ##
-diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab618..b82865c43 100644
---- a/policy/global_tunables
-+++ b/policy/global_tunables
-@@ -6,52 +6,59 @@
-
- ##
- ##
-@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false)
-
- ##
- ##
--## Allow email client to various content.
--## nfs, samba, removable devices, and user temp
--## files
--##
--##
--gen_tunable(mail_read_content,false)
--
--##
--##
- ## Allow any files/directories to be exported read/write via NFS.
- ##
- ##
-@@ -105,9 +103,39 @@ gen_tunable(use_samba_home_dirs,false)
-
- ##
- ##
-+## Support ecryptfs home directories
-+##
-+##
-+gen_tunable(use_ecryptfs_home_dirs,false)
-+
-+##
-+##
-+## Support fusefs home directories
-+##
-+##
-+gen_tunable(use_fusefs_home_dirs,false)
-+
-+##
-+##
- ## Allow users to run TCP servers (bind to ports and accept connection from
- ## the same domain and outside users) disabling this forces FTP passive mode
- ## and may change other protocols.
- ##
- ##
--gen_tunable(user_tcp_server,false)
-+gen_tunable(selinuxuser_tcp_server,false)
-+
-+##
-+##
-+## Allow users to run UDP servers (bind to ports and accept connection from
-+## the same domain and outside users) disabling this may break avahi
-+## discovering services on the network and other udp related services.
-+##
-+##
-+gen_tunable(selinuxuser_udp_server,false)
-+
-+##
-+##
-+## Allow the mount commands to mount any directory or file.
-+##
-+##
-+gen_tunable(mount_anyfile, false)
-diff --git a/policy/mcs b/policy/mcs
-index 216b3d125..064ec83b6 100644
---- a/policy/mcs
-+++ b/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+default_range dir_file_class_set target low;
-+
- #
- # Define sensitivities
- #
-@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
- # - /proc/pid operations are not constrained.
-
- mlsconstrain file { read ioctl lock execute execute_no_trans }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-- (( t1 != mcs_constrained_type ) and (t2 == domain)));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain file { write setattr append unlink link rename }
-- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-- (( t1 != mcs_constrained_type ) and (t2 == domain)));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain dir { search read ioctl lock }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-- (( t1 != mcs_constrained_type ) and (t2 == domain)));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-- (( t1 != mcs_constrained_type ) and (t2 == domain)));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain fifo_file { open }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-- (( t1 != mcs_constrained_type ) and ( t2 == domain )));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-- (( t1 != mcs_constrained_type ) and (t2 == domain)));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
-- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-- (( t1 != mcs_constrained_type ) and (t2 == domain)));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-+
-+mlsconstrain key { create link read search setattr view write }
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-+
-+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or
-+ ( t1 != mcs_constrained_type ));
-
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-+
-+mlsconstrain { file lnk_file fifo_file } { create relabelto }
-+ (( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain process { transition dyntransition }
-- (( h1 dom h2 ) or ( t1 == mcssetcats ));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain process { ptrace }
-- (( h1 dom h2) or ( t1 == mcsptraceall ));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain process { sigkill sigstop }
-- (( h1 dom h2 ) or ( t1 == mcskillall ));
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
- mlsconstrain process { signal }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
- mlsconstrain { db_tuple } { insert relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
-
-+mlsconstrain context contains
-+ (( h1 dom h2 ) and ( l1 domby l2));
-+
- # Access control for any database objects based on MCS rules.
- mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
- ( h1 dom h2 );
-@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
- mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
- ( h1 dom h2 );
-
-+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
-+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-+
-+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
-+# because the subject in this particular case is the remote domain which is
-+# writing data out the network node which is acting as the object
-+mlsconstrain { node } { recvfrom sendto }
-+ (( l1 dom l2 ) or (t1 != mcs_constrained_type));
-+
-+mlsconstrain { packet peer } { recv }
-+ (( l1 dom l2 ) or
-+ ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type)));
-+
-+# the netif ingress/egress ops, the ingress permission is a "write" operation
-+# because the subject in this particular case is the remote domain which is
-+# writing data out the network interface which is acting as the object
-+mlsconstrain { netif } { egress ingress }
-+ (( l1 dom l2 ) or (t1 != mcs_constrained_type));
-+
- ') dnl end enable_mcs
-diff --git a/policy/mls b/policy/mls
-index f11e5e2b7..c67dbb976 100644
---- a/policy/mls
-+++ b/policy/mls
-@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
-
- # new file labels must be dominated by the relabeling subjects clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or
-+ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
-+ ( t1 == mlsfilewrite ));
-
- # the file "read" ops (note the check is dominance of the low level)
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
-@@ -156,15 +158,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
- # these access vectors have no MLS restrictions
- # filesystem { transition associate }
-
--
--
--
- #
- # MLS policy for the socket classes
- #
-
- # new socket labels must be dominated by the relabeling subjects clearance
--mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
-+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
- ( h1 dom h2 );
-
- # the socket "read+write" ops
-@@ -180,7 +179,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
-
-
- # the socket "read" ops (note the check is dominance of the low level)
--mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
-+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
- (( l1 dom l2 ) or
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-@@ -191,11 +190,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
- ( t1 == mlsnetread ));
-
- # the socket "write" ops
--mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
- (( l1 eq l2 ) or
- (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-- ( t1 == mlsnetwrite ));
-+ ( t1 == mlsnetwrite ) or
-+ ( t2 == mlstrustedobject ));
-
- # used by netlabel to restrict normal domains to same level connections
- mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
-@@ -252,6 +252,11 @@ mlsconstrain msg receive
- (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsipcread ));
-
-+mlsconstrain key { create link read search setattr view write }
-+ (( l1 eq l2 ) or
-+ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-+ ( t1 == mlsprocwrite ));
-+
- # the ipc "write" ops (implicit single level)
- mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
- (( l1 eq l2 ) or
-@@ -361,9 +366,6 @@ mlsconstrain { peer packet } { recv }
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
--
--
--
- #
- # MLS policy for the process class
- #
-@@ -763,13 +765,14 @@ mlsconstrain context contains
- #
-
- # make sure these database classes are "single level"
--mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
-+mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto }
- ( l2 eq h2 );
-+
- mlsconstrain { db_tuple } { insert relabelto }
- ( l2 eq h2 );
-
- # new database labels must be dominated by the relabeling subjects clearance
--mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
-+mlsconstrain { db_database db_schema db_table db_column } { relabelto }
- ( h1 dom h2 );
-
- # the database "read" ops (note the check is dominance of the low level)
-@@ -833,7 +836,7 @@ mlsconstrain { db_tuple } { use select }
- ( t1 == mlsdbread ) or
- ( t2 == mlstrustedobject ));
-
--# the "single level" file "write" ops
-+# the "single level" database "write" ops
- mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
- (( l1 eq l2 ) or
- (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 2626ebf95..5745bb240 100644
---- a/policy/modules/admin/bootloader.fc
-+++ b/policy/modules/admin/bootloader.fc
-@@ -1,11 +1,16 @@
-+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-+/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
-+/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
-+/etc/zipl\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
-
--/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
--/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
--
--/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+
-+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
--/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
--/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
--/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
-diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index cc8df9d7d..90467f3af 100644
---- a/policy/modules/admin/bootloader.if
-+++ b/policy/modules/admin/bootloader.if
-@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
- domtrans_pattern($1, bootloader_exec_t, bootloader_t)
- ')
-
-+######################################
-+##
-+## Execute bootloader in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bootloader_exec',`
-+ gen_require(`
-+ type bootloader_exec_t;
-+ ')
-+
-+ can_exec($1, bootloader_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute bootloader interactively and do
-@@ -38,16 +56,18 @@ interface(`bootloader_domtrans',`
- #
- interface(`bootloader_run',`
- gen_require(`
-+ type bootloader_t;
- attribute_role bootloader_roles;
- ')
-
- bootloader_domtrans($1)
- roleattribute $2 bootloader_roles;
-+
- ')
-
- ########################################
- ##
--## Execute bootloader in the caller domain.
-+## Read the bootloader configuration file.
- ##
- ##
- ##
-@@ -55,36 +75,37 @@ interface(`bootloader_run',`
- ##
- ##
- #
--interface(`bootloader_exec',`
-+interface(`bootloader_read_config',`
- gen_require(`
-- type bootloader_exec_t;
-+ type bootloader_etc_t;
- ')
-
-- corecmd_search_bin($1)
-- can_exec($1, bootloader_exec_t)
-+ allow $1 bootloader_etc_t:file read_file_perms;
- ')
-
- ########################################
- ##
--## Read the bootloader configuration file.
-+## Read and write the bootloader
-+## configuration file.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`bootloader_read_config',`
-+interface(`bootloader_rw_config',`
- gen_require(`
- type bootloader_etc_t;
- ')
-
-- allow $1 bootloader_etc_t:file read_file_perms;
-+ allow $1 bootloader_etc_t:file rw_file_perms;
- ')
-
- ########################################
- ##
--## Read and write the bootloader
-+## Manage the bootloader
- ## configuration file.
- ##
- ##
-@@ -94,12 +115,12 @@ interface(`bootloader_read_config',`
- ##
- ##
- #
--interface(`bootloader_rw_config',`
-+interface(`bootloader_manage_config',`
- gen_require(`
- type bootloader_etc_t;
- ')
-
-- allow $1 bootloader_etc_t:file rw_file_perms;
-+ manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
- ')
-
- ########################################
-@@ -119,7 +140,7 @@ interface(`bootloader_rw_tmp_files',`
- ')
-
- files_search_tmp($1)
-- allow $1 bootloader_tmp_t:file rw_file_perms;
-+ allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -141,3 +162,24 @@ interface(`bootloader_create_runtime_file',`
- allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
- files_boot_filetrans($1, boot_runtime_t, file)
- ')
-+
-+########################################
-+##
-+## Type transition files created in /etc
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bootloader_filetrans_config',`
-+ gen_require(`
-+ type bootloader_etc_t;
-+ ')
-+
-+ files_etc_filetrans($1,bootloader_etc_t,file, "grub")
-+ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
-+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
-+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
-+')
-diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index 0fd5c5f2e..7ee6ec7a3 100644
---- a/policy/modules/admin/bootloader.te
-+++ b/policy/modules/admin/bootloader.te
-@@ -20,13 +20,20 @@ type bootloader_t;
- type bootloader_exec_t;
- application_domain(bootloader_t, bootloader_exec_t)
- role bootloader_roles types bootloader_t;
-+role system_r types bootloader_t;
-+
-+type bootloader_var_run_t;
-+files_pid_file(bootloader_var_run_t)
-+
-+type bootloader_var_lib_t;
-+files_type(bootloader_var_lib_t)
-
- #
- # bootloader_etc_t is the configuration file,
- # grub.conf, lilo.conf, etc.
- #
- type bootloader_etc_t alias etc_bootloader_t;
--files_type(bootloader_etc_t)
-+files_config_file(bootloader_etc_t)
-
- #
- # The temp file is used for initrd creation;
-@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t)
- # bootloader local policy
- #
-
--allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
-+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
- allow bootloader_t self:process { signal_perms execmem };
- allow bootloader_t self:fifo_file rw_fifo_file_perms;
-
-@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
- # for tune2fs (cjp: ?)
- files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
-
-+manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
-+manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
-+files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
-+
-+manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })
-+
- kernel_getattr_core_if(bootloader_t)
- kernel_read_network_state(bootloader_t)
- kernel_read_system_state(bootloader_t)
-@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t)
-
- fs_getattr_xattr_fs(bootloader_t)
- fs_getattr_tmpfs(bootloader_t)
-+fs_list_hugetlbfs(bootloader_t)
-+fs_list_tmpfs(bootloader_t)
- fs_read_tmpfs_symlinks(bootloader_t)
- #Needed for ia64
- fs_manage_dos_files(bootloader_t)
-@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t)
- mls_file_write_all_levels(bootloader_t)
-
- term_getattr_all_ttys(bootloader_t)
-+term_getattr_all_ptys(bootloader_t)
- term_dontaudit_manage_pty_dirs(bootloader_t)
-+term_dontaudit_getattr_generic_ptys(bootloader_t)
-+term_use_unallocated_ttys(bootloader_t)
-
- corecmd_exec_all_executables(bootloader_t)
-
-@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t)
- files_create_boot_dirs(bootloader_t)
- files_manage_boot_files(bootloader_t)
- files_manage_boot_symlinks(bootloader_t)
-+files_manage_kernel_modules(bootloader_t)
- files_read_etc_files(bootloader_t)
- files_exec_etc_files(bootloader_t)
- files_read_usr_src_files(bootloader_t)
- files_read_usr_files(bootloader_t)
- files_read_var_files(bootloader_t)
- files_read_kernel_modules(bootloader_t)
-+files_read_kernel_symbol_table(bootloader_t)
- # for nscd
- files_dontaudit_search_pids(bootloader_t)
- # for blkid.tab
-@@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t)
- files_etc_filetrans_etc_runtime(bootloader_t, file)
- files_dontaudit_search_home(bootloader_t)
-
-+
-+init_read_state(bootloader_t)
- init_getattr_initctl(bootloader_t)
- init_use_script_ptys(bootloader_t)
- init_use_script_fds(bootloader_t)
-@@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t)
-
- libs_read_lib_files(bootloader_t)
- libs_exec_lib_files(bootloader_t)
-+libs_exec_ld_so(bootloader_t)
-
--logging_send_syslog_msg(bootloader_t)
--logging_rw_generic_logs(bootloader_t)
-+auth_use_nsswitch(bootloader_t)
-
--miscfiles_read_localization(bootloader_t)
-+logging_send_syslog_msg(bootloader_t)
-+logging_manage_generic_logs(bootloader_t)
-
- modutils_domtrans_insmod(bootloader_t)
-
- seutil_read_bin_policy(bootloader_t)
- seutil_read_loadpolicy(bootloader_t)
--seutil_dontaudit_search_config(bootloader_t)
-
--userdom_use_user_terminals(bootloader_t)
-+userdom_getattr_user_tmp_files(bootloader_t)
-+userdom_use_inherited_user_terminals(bootloader_t)
- userdom_dontaudit_search_user_home_dirs(bootloader_t)
-
- ifdef(`distro_debian',`
-@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ devicekit_dontaudit_read_pid_files(bootloader_t)
-+')
-+
-+optional_policy(`
- fstools_exec(bootloader_t)
- ')
-
-@@ -183,6 +213,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gpm_getattr_gpmctl(bootloader_t)
-+')
-+
-+optional_policy(`
-+ fsadm_manage_pid(bootloader_t)
-+')
-+
-+optional_policy(`
- kudzu_domtrans(bootloader_t)
- ')
-
-@@ -195,17 +233,18 @@ optional_policy(`
-
- optional_policy(`
- modutils_exec_insmod(bootloader_t)
-- modutils_read_module_deps(bootloader_t)
-- modutils_read_module_config(bootloader_t)
-- modutils_exec_insmod(bootloader_t)
- modutils_exec_depmod(bootloader_t)
- modutils_exec_update_mods(bootloader_t)
-+ modutils_domtrans_insmod_uncond(bootloader_t)
-+ modutils_list_module_config(bootloader_t)
-+ modutils_read_module_deps(bootloader_t)
-+ modutils_read_module_config(bootloader_t)
- ')
-
- optional_policy(`
-- nscd_use(bootloader_t)
-+ rpm_rw_pipes(bootloader_t)
- ')
-
- optional_policy(`
-- rpm_rw_pipes(bootloader_t)
-+ udev_read_pid_files(bootloader_t)
- ')
-diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
-index b7f053bf6..5d4fc3188 100644
---- a/policy/modules/admin/consoletype.fc
-+++ b/policy/modules/admin/consoletype.fc
-@@ -1,2 +1,4 @@
-
- /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
-+
-+/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
-diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
-index 0f57d3bc0..655d07f01 100644
---- a/policy/modules/admin/consoletype.if
-+++ b/policy/modules/admin/consoletype.if
-@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, consoletype_exec_t, consoletype_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit consoletype_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index cd5e005ce..247259ac4 100644
---- a/policy/modules/admin/consoletype.te
-+++ b/policy/modules/admin/consoletype.te
-@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0)
-
- type consoletype_t;
- type consoletype_exec_t;
--init_domain(consoletype_t, consoletype_exec_t)
--init_system_domain(consoletype_t, consoletype_exec_t)
-+application_domain(consoletype_t, consoletype_exec_t)
-+role system_r types consoletype_t;
-
- ########################################
- #
-@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t)
- mls_file_read_all_levels(consoletype_t)
- mls_file_write_all_levels(consoletype_t)
-
--term_use_all_terms(consoletype_t)
-+term_use_all_inherited_terms(consoletype_t)
-+term_use_ptmx(consoletype_t)
-
- init_use_fds(consoletype_t)
- init_use_script_ptys(consoletype_t)
- init_use_script_fds(consoletype_t)
- init_rw_script_pipes(consoletype_t)
-+init_rw_inherited_script_tmp_files(consoletype_t)
-
--userdom_use_user_terminals(consoletype_t)
-+userdom_use_inherited_user_terminals(consoletype_t)
-
- ifdef(`distro_redhat',`
- fs_rw_tmpfs_chr_files(consoletype_t)
-@@ -79,16 +81,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-- files_read_etc_files(consoletype_t)
-- firstboot_use_fds(consoletype_t)
-- firstboot_rw_pipes(consoletype_t)
-+ devicekit_dontaudit_read_pid_files(consoletype_t)
-+ devicekit_dontaudit_rw_log(consoletype_t)
- ')
-
- optional_policy(`
-- hal_dontaudit_use_fds(consoletype_t)
-- hal_dontaudit_rw_pipes(consoletype_t)
-- hal_dontaudit_rw_dgram_sockets(consoletype_t)
-- hal_dontaudit_write_log(consoletype_t)
-+ files_read_etc_files(consoletype_t)
-+ firstboot_use_fds(consoletype_t)
-+ firstboot_rw_pipes(consoletype_t)
- ')
-
- optional_policy(`
-@@ -114,6 +114,7 @@ optional_policy(`
-
- optional_policy(`
- userdom_use_unpriv_users_fds(consoletype_t)
-+ userdom_dontaudit_rw_dgram_socket(consoletype_t)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index d6cc2d970..0685b190d 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,2 +1,4 @@
-
- /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+
-+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d815..bb4a6f0d7 100644
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -9,6 +9,10 @@ type dmesg_t;
- type dmesg_exec_t;
- init_system_domain(dmesg_t, dmesg_exec_t)
-
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)
-+')
-+
- ########################################
- #
- # Local policy
-@@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config;
-
- allow dmesg_t self:process signal_perms;
-
-+kernel_read_system_state(dmesg_t)
- kernel_read_kernel_sysctls(dmesg_t)
- kernel_read_ring_buffer(dmesg_t)
- kernel_clear_ring_buffer(dmesg_t)
- kernel_change_ring_buffer_level(dmesg_t)
- kernel_list_proc(dmesg_t)
- kernel_read_proc_symlinks(dmesg_t)
-+kernel_dontaudit_write_kernel_sysctl(dmesg_t)
-
- dev_read_sysfs(dmesg_t)
-+dev_read_kmsg(dmesg_t)
-+dev_read_raw_memory(dmesg_t)
-
- fs_search_auto_mountpoints(dmesg_t)
-
-@@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t)
- logging_send_syslog_msg(dmesg_t)
- logging_write_generic_logs(dmesg_t)
-
--miscfiles_read_localization(dmesg_t)
-+miscfiles_read_hwdata(dmesg_t)
-
- userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
--userdom_use_user_terminals(dmesg_t)
-+userdom_use_inherited_user_terminals(dmesg_t)
-+
-+optional_policy(`
-+ abrt_rw_inherited_cache(dmesg_t)
-+')
-
- optional_policy(`
- seutil_sigchld_newrole(dmesg_t)
-diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f4b..1a09bead7 100644
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,15 +1,22 @@
- /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
--/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-+/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
- /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-
- /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-+/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-+/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
-+/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
--/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
-+/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
-+
-+/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-+/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
- /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
-+/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
- /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
-diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
-index c6ca761c9..0c86bfd54 100644
---- a/policy/modules/admin/netutils.if
-+++ b/policy/modules/admin/netutils.if
-@@ -42,6 +42,7 @@ interface(`netutils_run',`
- ')
-
- netutils_domtrans($1)
-+ allow $1 netutils_t:process { signal sigkill };
- role $2 types netutils_t;
- ')
-
-@@ -161,6 +162,7 @@ interface(`netutils_run_ping',`
-
- netutils_domtrans_ping($1)
- role $2 types ping_t;
-+ allow $1 ping_t:process { signal sigkill };
- ')
-
- ########################################
-@@ -183,13 +185,14 @@ interface(`netutils_run_ping',`
- interface(`netutils_run_ping_cond',`
- gen_require(`
- type ping_t;
-- bool user_ping;
-+ bool selinuxuser_ping;
- ')
-
- role $2 types ping_t;
-
-- if ( user_ping ) {
-+ if ( selinuxuser_ping ) {
- netutils_domtrans_ping($1)
-+ allow $1 ping_t:process { signal sigkill };
- }
- ')
-
-@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',`
- ')
-
- netutils_domtrans_traceroute($1)
-+ allow $1 traceroute_t:process { signal sigkill };
- role $2 types traceroute_t;
- ')
-
-@@ -277,13 +281,14 @@ interface(`netutils_run_traceroute',`
- interface(`netutils_run_traceroute_cond',`
- gen_require(`
- type traceroute_t;
-- bool user_ping;
-+ bool selinuxuser_ping;
- ')
-
- role $2 types traceroute_t;
-
-- if( user_ping ) {
-+ if( selinuxuser_ping ) {
- netutils_domtrans_traceroute($1)
-+ allow $1 traceroute_t:process { signal sigkill };
- }
- ')
-
-diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c3592a..2a3a90bf4 100644
---- a/policy/modules/admin/netutils.te
-+++ b/policy/modules/admin/netutils.te
-@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
-
- ##
- ##
--## Control users use of ping and traceroute
-+## Allow confined users the ability to execute the ping and traceroute commands.
- ##
- ##
--gen_tunable(user_ping, false)
-+gen_tunable(selinuxuser_ping, false)
-
- type netutils_t;
- type netutils_exec_t;
-@@ -33,25 +33,28 @@ init_system_domain(traceroute_t, traceroute_exec_t)
- #
-
- # Perform network administration operations and have raw access to the network.
--allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
--dontaudit netutils_t self:capability { dac_override sys_tty_config };
-+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
-+dontaudit netutils_t self:capability { sys_tty_config };
- allow netutils_t self:process { setcap signal_perms };
- allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
- allow netutils_t self:netlink_socket create_socket_perms;
-+# For tcpdump.
-+allow netutils_t self:netlink_netfilter_socket create_socket_perms;
- allow netutils_t self:packet_socket create_socket_perms;
- allow netutils_t self:udp_socket create_socket_perms;
- allow netutils_t self:tcp_socket create_stream_socket_perms;
- allow netutils_t self:socket create_socket_perms;
-+allow netutils_t self:netlink_socket create_socket_perms;
-
- manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
- manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
- files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
-
- kernel_search_proc(netutils_t)
--kernel_read_network_state(netutils_t)
- kernel_read_all_sysctls(netutils_t)
-+kernel_read_network_state(netutils_t)
-+kernel_request_load_module(netutils_t)
-
--corenet_all_recvfrom_unlabeled(netutils_t)
- corenet_all_recvfrom_netlabel(netutils_t)
- corenet_tcp_sendrecv_generic_if(netutils_t)
- corenet_raw_sendrecv_generic_if(netutils_t)
-@@ -66,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
- corenet_udp_bind_generic_node(netutils_t)
-
- dev_read_sysfs(netutils_t)
-+dev_read_usbmon_dev(netutils_t)
-+dev_write_usbmon_dev(netutils_t)
-+dev_rw_generic_usb_dev(netutils_t)
-
- fs_getattr_xattr_fs(netutils_t)
-
-@@ -80,15 +86,19 @@ init_use_script_ptys(netutils_t)
-
- auth_use_nsswitch(netutils_t)
-
--logging_send_syslog_msg(netutils_t)
-+libs_use_ld_so(netutils_t)
-
--miscfiles_read_localization(netutils_t)
-+logging_send_syslog_msg(netutils_t)
-
- term_dontaudit_use_console(netutils_t)
--userdom_use_user_terminals(netutils_t)
-+userdom_use_inherited_user_terminals(netutils_t)
- userdom_use_all_users_fds(netutils_t)
-
- optional_policy(`
-+ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(netutils_t)
- ')
-
-@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw };
- allow ping_t self:process { getcap setcap };
- dontaudit ping_t self:capability sys_tty_config;
- allow ping_t self:tcp_socket create_socket_perms;
--allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
--allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
-+allow ping_t self:rawip_socket create_socket_perms;
-+allow ping_t self:packet_socket create_socket_perms;
- allow ping_t self:netlink_route_socket create_netlink_socket_perms;
-
--corenet_all_recvfrom_unlabeled(ping_t)
- corenet_all_recvfrom_netlabel(ping_t)
- corenet_tcp_sendrecv_generic_if(ping_t)
- corenet_raw_sendrecv_generic_if(ping_t)
-@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t)
- corenet_tcp_sendrecv_all_ports(ping_t)
-
- fs_dontaudit_getattr_xattr_fs(ping_t)
-+fs_dontaudit_rw_anon_inodefs_files(ping_t)
-+
-+dev_read_urand(ping_t)
-
- domain_use_interactive_fds(ping_t)
-
-@@ -131,14 +143,14 @@ files_read_etc_files(ping_t)
- files_dontaudit_search_var(ping_t)
-
- kernel_read_system_state(ping_t)
-+kernel_read_network_state(ping_t)
-+kernel_request_load_module(ping_t)
-
- auth_use_nsswitch(ping_t)
-
--logging_send_syslog_msg(ping_t)
--
--miscfiles_read_localization(ping_t)
-+init_rw_inherited_script_tmp_files(ping_t)
-
--userdom_use_user_terminals(ping_t)
-+logging_send_syslog_msg(ping_t)
-
- ifdef(`hide_broken_symptoms',`
- init_dontaudit_use_fds(ping_t)
-@@ -146,14 +158,29 @@ ifdef(`hide_broken_symptoms',`
- optional_policy(`
- nagios_dontaudit_rw_log(ping_t)
- nagios_dontaudit_rw_pipes(ping_t)
-+ nagios_dontaudit_write_pipes_nrpe(ping_t)
- ')
- ')
-
-+term_use_all_inherited_terms(ping_t)
-+
-+tunable_policy(`selinuxuser_ping',`
-+ term_use_all_ttys(ping_t)
-+ term_use_all_ptys(ping_t)
-+',`
-+ term_dontaudit_use_all_ttys(ping_t)
-+ term_dontaudit_use_all_ptys(ping_t)
-+')
-+
- optional_policy(`
- munin_append_log(ping_t)
- ')
-
- optional_policy(`
-+ nagios_rw_inerited_tmp_files(ping_t)
-+')
-+
-+optional_policy(`
- pcmcia_use_cardmgr_fds(ping_t)
- ')
-
-@@ -161,6 +188,15 @@ optional_policy(`
- hotplug_use_fds(ping_t)
- ')
-
-+optional_policy(`
-+ openshift_rw_inherited_content(ping_t)
-+ openshift_dontaudit_rw_inherited_fifo_files(ping_t)
-+')
-+
-+optional_policy(`
-+ zabbix_read_tmp(ping_t)
-+')
-+
- ########################################
- #
- # Traceroute local policy
-@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
- kernel_read_system_state(traceroute_t)
- kernel_read_network_state(traceroute_t)
-
--corenet_all_recvfrom_unlabeled(traceroute_t)
- corenet_all_recvfrom_netlabel(traceroute_t)
- corenet_tcp_sendrecv_generic_if(traceroute_t)
- corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
- domain_use_interactive_fds(traceroute_t)
-
- files_read_etc_files(traceroute_t)
-+files_read_usr_files(traceroute_t)
- files_dontaudit_search_var(traceroute_t)
-
- init_use_fds(traceroute_t)
-@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t)
-
- logging_send_syslog_msg(traceroute_t)
-
--miscfiles_read_localization(traceroute_t)
--
--userdom_use_user_terminals(traceroute_t)
-
- #rules needed for nmap
- dev_read_rand(traceroute_t)
- dev_read_urand(traceroute_t)
--files_read_usr_files(traceroute_t)
-+
-+term_use_all_inherited_terms(traceroute_t)
-+
-+tunable_policy(`selinuxuser_ping',`
-+ term_use_all_ttys(traceroute_t)
-+ term_use_all_ptys(traceroute_t)
-+',`
-+ term_dontaudit_use_all_ttys(traceroute_t)
-+ term_dontaudit_use_all_ptys(traceroute_t)
-+')
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 688abc2ae..3d89250a6 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -3,3 +3,4 @@
-
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5cafe..f483a97a6 100644
---- a/policy/modules/admin/su.if
-+++ b/policy/modules/admin/su.if
-@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', `
-
- allow $2 $1_su_t:process signal;
-
-- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
- dontaudit $1_su_t self:capability sys_tty_config;
- allow $1_su_t self:key { search write };
- allow $1_su_t self:process { setexec setsched setrlimit };
- allow $1_su_t self:fifo_file rw_fifo_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
- allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
-+ allow $1_su_t self:netlink_selinux_socket create_socket_perms;
-
- # Transition from the user domain to this domain.
- domtrans_pattern($2, su_exec_t, $1_su_t)
-@@ -58,6 +59,7 @@ template(`su_restricted_domain_template', `
- allow $2 $1_su_t:fifo_file rw_file_perms;
- allow $2 $1_su_t:process sigchld;
-
-+ kernel_getattr_core_if($1_su_t)
- kernel_read_system_state($1_su_t)
- kernel_read_kernel_sysctls($1_su_t)
- kernel_search_key($1_su_t)
-@@ -86,10 +88,10 @@ template(`su_restricted_domain_template', `
- # Write to utmp.
- init_rw_utmp($1_su_t)
- init_search_script_keys($1_su_t)
-+ init_getattr_initctl($1_su_t)
-
- logging_send_syslog_msg($1_su_t)
-
-- miscfiles_read_localization($1_su_t)
-
- ifdef(`distro_redhat',`
- # RHEL5 and possibly newer releases incl. Fedora
-@@ -119,11 +121,6 @@ template(`su_restricted_domain_template', `
- userdom_spec_domtrans_unpriv_users($1_su_t)
- ')
-
-- ifdef(`hide_broken_symptoms',`
-- # dontaudit leaked sockets from parent
-- dontaudit $1_su_t $2:socket_class_set { read write };
-- ')
--
- optional_policy(`
- cron_read_pipes($1_su_t)
- ')
-@@ -172,14 +169,6 @@ template(`su_role_template',`
- role $2 types $1_su_t;
-
- allow $3 $1_su_t:process signal;
--
-- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-- dontaudit $1_su_t self:capability sys_tty_config;
-- allow $1_su_t self:process { setexec setsched setrlimit };
-- allow $1_su_t self:fifo_file rw_fifo_file_perms;
-- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-- allow $1_su_t self:key { search write };
--
- allow $1_su_t $3:key search;
-
- # Transition from the user domain to this domain.
-@@ -194,125 +183,16 @@ template(`su_role_template',`
- allow $3 $1_su_t:process sigchld;
-
- kernel_read_system_state($1_su_t)
-- kernel_read_kernel_sysctls($1_su_t)
-- kernel_search_key($1_su_t)
-- kernel_link_key($1_su_t)
--
-- # for SSP
-- dev_read_urand($1_su_t)
--
-- fs_search_auto_mountpoints($1_su_t)
--
-- # needed for pam_rootok
-- selinux_compute_access_vector($1_su_t)
--
-- auth_domtrans_chk_passwd($1_su_t)
-- auth_dontaudit_read_shadow($1_su_t)
-- auth_use_nsswitch($1_su_t)
-- auth_rw_faillog($1_su_t)
--
-- corecmd_search_bin($1_su_t)
-+ kernel_dontaudit_getattr_core_if($1_su_t)
-
-- domain_use_interactive_fds($1_su_t)
-+ auth_use_pam($1_su_t)
-
-- files_read_etc_files($1_su_t)
-- files_read_etc_runtime_files($1_su_t)
-- files_search_var_lib($1_su_t)
-- files_dontaudit_getattr_tmp_dirs($1_su_t)
--
-- init_dontaudit_use_fds($1_su_t)
-- # Write to utmp.
-- init_rw_utmp($1_su_t)
-+ init_dontaudit_getattr_initctl($1_su_t)
-
- mls_file_write_all_levels($1_su_t)
-
- logging_send_syslog_msg($1_su_t)
-
-- miscfiles_read_localization($1_su_t)
--
-- userdom_use_user_terminals($1_su_t)
-- userdom_search_user_home_dirs($1_su_t)
--
-- ifdef(`distro_redhat',`
-- # RHEL5 and possibly newer releases incl. Fedora
-- auth_domtrans_upd_passwd($1_su_t)
--
-- optional_policy(`
-- locallogin_search_keys($1_su_t)
-- ')
-- ')
--
-- ifdef(`distro_rhel4',`
-- domain_role_change_exemption($1_su_t)
-- domain_subj_id_change_exemption($1_su_t)
-- domain_obj_id_change_exemption($1_su_t)
--
-- selinux_get_fs_mount($1_su_t)
-- selinux_validate_context($1_su_t)
-- selinux_compute_create_context($1_su_t)
-- selinux_compute_relabel_context($1_su_t)
-- selinux_compute_user_contexts($1_su_t)
--
-- # Relabel ttys and ptys.
-- term_relabel_all_ttys($1_su_t)
-- term_relabel_all_ptys($1_su_t)
-- # Close and re-open ttys and ptys to get the fd into the correct domain.
-- term_use_all_ttys($1_su_t)
-- term_use_all_ptys($1_su_t)
--
-- seutil_read_config($1_su_t)
-- seutil_read_default_contexts($1_su_t)
--
-- if(secure_mode) {
-- # Only allow transitions to unprivileged user domains.
-- userdom_spec_domtrans_unpriv_users($1_su_t)
-- } else {
-- # Allow transitions to all user domains
-- userdom_spec_domtrans_all_users($1_su_t)
-- }
--
-- optional_policy(`
-- unconfined_domtrans($1_su_t)
-- unconfined_signal($1_su_t)
-- ')
-- ')
--
-- ifdef(`hide_broken_symptoms',`
-- # dontaudit leaked sockets from parent
-- dontaudit $1_su_t $3:socket_class_set { read write };
-- ')
--
-- tunable_policy(`allow_polyinstantiation',`
-- fs_mount_xattr_fs($1_su_t)
-- fs_unmount_xattr_fs($1_su_t)
-- ')
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_search_nfs($1_su_t)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_search_cifs($1_su_t)
-- ')
--
-- optional_policy(`
-- cron_read_pipes($1_su_t)
-- ')
--
-- optional_policy(`
-- kerberos_use($1_su_t)
-- ')
--
-- optional_policy(`
-- # used when the password has expired
-- usermanage_read_crack_db($1_su_t)
-- ')
--
-- # Modify .Xauthority file (via xauth program).
-- optional_policy(`
-- xserver_user_home_dir_filetrans_user_xauth($1_su_t)
-- xserver_domtrans_xauth($1_su_t)
-- ')
- ')
-
- #######################################
-diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
-index 85bb77e05..fdd7b656c 100644
---- a/policy/modules/admin/su.te
-+++ b/policy/modules/admin/su.te
-@@ -9,3 +9,82 @@ attribute su_domain_type;
-
- type su_exec_t;
- corecmd_executable_file(su_exec_t)
-+
-+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
-+dontaudit su_domain_type self:capability sys_tty_config;
-+allow su_domain_type self:process { setexec setsched setrlimit };
-+allow su_domain_type self:fifo_file rw_fifo_file_perms;
-+allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-+allow su_domain_type self:key { search write };
-+
-+kernel_read_kernel_sysctls(su_domain_type)
-+kernel_search_key(su_domain_type)
-+kernel_link_key(su_domain_type)
-+
-+# for SSP
-+dev_read_urand(su_domain_type)
-+dev_dontaudit_getattr_all(su_domain_type)
-+
-+fs_search_auto_mountpoints(su_domain_type)
-+
-+# needed for pam_rootok
-+selinux_compute_access_vector(su_domain_type)
-+
-+corecmd_search_bin(su_domain_type)
-+
-+domain_use_interactive_fds(su_domain_type)
-+
-+files_read_etc_files(su_domain_type)
-+files_read_etc_runtime_files(su_domain_type)
-+files_search_var_lib(su_domain_type)
-+files_dontaudit_getattr_tmp_dirs(su_domain_type)
-+
-+init_dontaudit_use_fds(su_domain_type)
-+# Write to utmp.
-+init_rw_utmp(su_domain_type)
-+init_read_state(su_domain_type)
-+
-+userdom_use_user_terminals(su_domain_type)
-+userdom_search_user_home_dirs(su_domain_type)
-+userdom_search_admin_dir(su_domain_type)
-+
-+ifdef(`distro_redhat',`
-+ # RHEL5 and possibly newer releases incl. Fedora
-+ auth_domtrans_upd_passwd(su_domain_type)
-+
-+ optional_policy(`
-+ locallogin_search_keys(su_domain_type)
-+ ')
-+')
-+
-+tunable_policy(`polyinstantiation_enabled',`
-+ fs_mount_xattr_fs(su_domain_type)
-+ fs_unmount_xattr_fs(su_domain_type)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_search_nfs(su_domain_type)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(su_domain_type)
-+')
-+
-+optional_policy(`
-+ cron_read_pipes(su_domain_type)
-+')
-+
-+optional_policy(`
-+ kerberos_use(su_domain_type)
-+')
-+
-+optional_policy(`
-+ # used when the password has expired
-+ usermanage_read_crack_db(su_domain_type)
-+')
-+
-+# Modify .Xauthority file (via xauth program).
-+optional_policy(`
-+ xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
-+ xserver_domtrans_xauth(su_domain_type)
-+')
-diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
-index 7bddc02a4..2b59ed0a0 100644
---- a/policy/modules/admin/sudo.fc
-+++ b/policy/modules/admin/sudo.fc
-@@ -1,2 +1,4 @@
-
- /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
-+
-+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
-diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 096019932..2e75ec7de 100644
---- a/policy/modules/admin/sudo.if
-+++ b/policy/modules/admin/sudo.if
-@@ -32,6 +32,7 @@ template(`sudo_role_template',`
-
- gen_require(`
- type sudo_exec_t;
-+ type sudo_db_t;
- attribute sudodomain;
- ')
-
-@@ -45,27 +46,13 @@ template(`sudo_role_template',`
- domain_interactive_fd($1_sudo_t)
- domain_role_change_exemption($1_sudo_t)
- role $2 types $1_sudo_t;
-+ userdom_home_manager($1_sudo_t)
-
-- ##############################
-- #
-- # Local Policy
-- #
-+ type $1_sudo_tmp_t;
-+ files_tmp_file($1_sudo_tmp_t)
-
-- # Use capabilities.
-- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
-- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-- allow $1_sudo_t self:process { setexec setrlimit };
-- allow $1_sudo_t self:fd use;
-- allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
-- allow $1_sudo_t self:shm create_shm_perms;
-- allow $1_sudo_t self:sem create_sem_perms;
-- allow $1_sudo_t self:msgq create_msgq_perms;
-- allow $1_sudo_t self:msg { send receive };
-- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
-- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_sudo_t self:unix_dgram_socket sendto;
-- allow $1_sudo_t self:unix_stream_socket connectto;
-- allow $1_sudo_t self:key manage_key_perms;
-+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
-+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
-
- allow $1_sudo_t $3:key search;
-
-@@ -75,88 +62,30 @@ template(`sudo_role_template',`
- # By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_sudo_t, $3)
- corecmd_bin_domtrans($1_sudo_t, $3)
-+ userdom_domtrans_user_home($1_sudo_t, $3)
-+ userdom_domtrans_user_tmp($1_sudo_t, $3)
-+ domain_entry_file($3, sudo_exec_t)
-+ domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
-+
- allow $3 $1_sudo_t:fd use;
- allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_sudo_t:process signal_perms;
-
-- kernel_read_kernel_sysctls($1_sudo_t)
- kernel_read_system_state($1_sudo_t)
-- kernel_link_key($1_sudo_t)
--
-- corecmd_read_bin_symlinks($1_sudo_t)
-- corecmd_exec_all_executables($1_sudo_t)
--
-- dev_getattr_fs($1_sudo_t)
-- dev_read_urand($1_sudo_t)
-- dev_rw_generic_usb_dev($1_sudo_t)
-- dev_read_sysfs($1_sudo_t)
--
-- domain_use_interactive_fds($1_sudo_t)
-- domain_sigchld_interactive_fds($1_sudo_t)
-- domain_getattr_all_entry_files($1_sudo_t)
--
-- files_read_etc_files($1_sudo_t)
-- files_read_var_files($1_sudo_t)
-- files_read_usr_symlinks($1_sudo_t)
-- files_getattr_usr_files($1_sudo_t)
-- # for some PAM modules and for cwd
-- files_dontaudit_search_home($1_sudo_t)
-- files_list_tmp($1_sudo_t)
--
-- fs_search_auto_mountpoints($1_sudo_t)
-- fs_getattr_xattr_fs($1_sudo_t)
--
-- selinux_validate_context($1_sudo_t)
-- selinux_compute_relabel_context($1_sudo_t)
--
-- term_getattr_pty_fs($1_sudo_t)
-- term_relabel_all_ttys($1_sudo_t)
-- term_relabel_all_ptys($1_sudo_t)
-+ seutil_libselinux_linked($1_sudo_t)
-
- auth_run_chk_passwd($1_sudo_t, $2)
-- # sudo stores a token in the pam_pid directory
-- auth_manage_pam_pid($1_sudo_t)
- auth_use_nsswitch($1_sudo_t)
-
-- init_rw_utmp($1_sudo_t)
--
-- logging_send_audit_msgs($1_sudo_t)
- logging_send_syslog_msg($1_sudo_t)
-
-- miscfiles_read_localization($1_sudo_t)
--
-- seutil_search_default_contexts($1_sudo_t)
-- seutil_libselinux_linked($1_sudo_t)
--
-- userdom_spec_domtrans_all_users($1_sudo_t)
-- userdom_create_all_users_keys($1_sudo_t)
-- userdom_manage_user_home_content_files($1_sudo_t)
-- userdom_manage_user_home_content_symlinks($1_sudo_t)
-- userdom_manage_user_tmp_files($1_sudo_t)
-- userdom_manage_user_tmp_symlinks($1_sudo_t)
-- userdom_use_user_terminals($1_sudo_t)
-- # for some PAM modules and for cwd
-- userdom_dontaudit_search_user_home_content($1_sudo_t)
-- userdom_dontaudit_search_user_home_dirs($1_sudo_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit $1_sudo_t $3:socket_class_set { read write };
-- ')
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files($1_sudo_t)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files($1_sudo_t)
-- ')
--
- optional_policy(`
-- dbus_system_bus_client($1_sudo_t)
-+ mta_role($2, $1_sudo_t)
- ')
-
- optional_policy(`
-- fprintd_dbus_chat($1_sudo_t)
-+ kerberos_manage_host_rcache($1_sudo_t)
-+ kerberos_read_config($1_sudo_t)
- ')
-
- ')
-@@ -178,3 +107,41 @@ interface(`sudo_sigchld',`
-
- allow $1 sudodomain:process sigchld;
- ')
-+
-+#######################################
-+##
-+## Allow execute sudo in called domain.
-+## This interfaces is added for nova-stack policy.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sudo_exec',`
-+ gen_require(`
-+ type sudo_exec_t;
-+ ')
-+
-+ can_exec($1, sudo_exec_t)
-+')
-+
-+######################################
-+##
-+## Allow to manage sudo database in called domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sudo_manage_db',`
-+ gen_require(`
-+ type sudo_db_t;
-+ ')
-+
-+ manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
-+ manage_files_pattern($1, sudo_db_t, sudo_db_t)
-+')
-diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57ab..174f89336 100644
---- a/policy/modules/admin/sudo.te
-+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,111 @@ attribute sudodomain;
-
- type sudo_exec_t;
- application_executable_file(sudo_exec_t)
-+
-+type sudo_db_t;
-+files_type(sudo_db_t)
-+mls_trusted_object(sudo_db_t)
-+
-+manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
-+manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
-+
-+##############################
-+#
-+# Local Policy
-+#
-+
-+# Use capabilities.
-+allow sudodomain self:capability { chown fowner setuid setgid dac_read_search dac_override sys_nice sys_resource };
-+dontaudit sudodomain self:capability net_admin;
-+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow sudodomain self:process { setexec setrlimit };
-+allow sudodomain self:fd use;
-+allow sudodomain self:fifo_file rw_fifo_file_perms;
-+allow sudodomain self:shm create_shm_perms;
-+allow sudodomain self:sem create_sem_perms;
-+allow sudodomain self:msgq create_msgq_perms;
-+allow sudodomain self:msg { send receive };
-+allow sudodomain self:unix_dgram_socket create_socket_perms;
-+allow sudodomain self:unix_stream_socket create_stream_socket_perms;
-+allow sudodomain self:unix_dgram_socket sendto;
-+allow sudodomain self:unix_stream_socket connectto;
-+allow sudodomain self:key manage_key_perms;
-+allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+kernel_getattr_core_if(sudodomain)
-+kernel_link_key(sudodomain)
-+kernel_read_kernel_sysctls(sudodomain)
-+
-+corecmd_read_bin_symlinks(sudodomain)
-+corecmd_exec_all_executables(sudodomain)
-+
-+dev_getattr_fs(sudodomain)
-+dev_read_urand(sudodomain)
-+dev_rw_generic_usb_dev(sudodomain)
-+dev_read_sysfs(sudodomain)
-+dev_dontaudit_getattr_all(sudodomain)
-+
-+domain_use_interactive_fds(sudodomain)
-+domain_sigchld_interactive_fds(sudodomain)
-+domain_getattr_all_entry_files(sudodomain)
-+
-+files_read_etc_files(sudodomain)
-+files_read_var_files(sudodomain)
-+files_read_usr_files(sudodomain)
-+# for some PAM modules and for cwd
-+files_dontaudit_search_home(sudodomain)
-+files_list_tmp(sudodomain)
-+
-+fs_search_auto_mountpoints(sudodomain)
-+fs_getattr_all_fs(sudodomain)
-+
-+selinux_validate_context(sudodomain)
-+selinux_compute_relabel_context(sudodomain)
-+
-+term_getattr_pty_fs(sudodomain)
-+term_relabel_all_ttys(sudodomain)
-+term_relabel_all_ptys(sudodomain)
-+
-+#auth_run_chk_passwd(sudodomain)
-+# sudo stores a token in the pam_pid directory
-+auth_manage_pam_pid(sudodomain)
-+auth_manage_faillog(sudodomain)
-+
-+application_signal(sudodomain)
-+
-+init_rw_utmp(sudodomain)
-+
-+logging_send_audit_msgs(sudodomain)
-+logging_set_audit_parameters(sudodomain)
-+
-+seutil_read_default_contexts(sudodomain)
-+
-+userdom_spec_domtrans_all_users(sudodomain)
-+userdom_manage_user_home_content_files(sudodomain)
-+userdom_manage_user_home_content_symlinks(sudodomain)
-+userdom_manage_user_tmp_files(sudodomain)
-+userdom_manage_user_tmp_symlinks(sudodomain)
-+userdom_use_user_terminals(sudodomain)
-+userdom_signal_all_users(sudodomain)
-+userdom_exec_user_home_content_files(sudodomain)
-+# for some PAM modules and for cwd
-+userdom_search_user_home_content(sudodomain)
-+userdom_search_admin_dir(sudodomain)
-+userdom_manage_all_users_keys(sudodomain)
-+
-+tunable_policy(`authlogin_yubikey',`
-+ auth_manage_home_content(sudodomain)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(sudodomain)
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind(sudodomain)
-+ init_getpgid(sudodomain)
-+ ')
-+')
-+
-+optional_policy(`
-+ fprintd_dbus_chat(sudodomain)
-+')
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index f82f0ce0a..7b8915d47 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
- /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
-@@ -27,6 +28,7 @@ ifdef(`distro_gentoo',`
- /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-
- /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
-
-diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 99e3903ea..fa68362ea 100644
---- a/policy/modules/admin/usermanage.if
-+++ b/policy/modules/admin/usermanage.if
-@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, chfn_exec_t, chfn_t)
--
-- ifdef(`hide_broken_symptoms',`
-- dontaudit chfn_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -42,6 +38,7 @@ interface(`usermanage_domtrans_chfn',`
- interface(`usermanage_run_chfn',`
- gen_require(`
- attribute_role chfn_roles;
-+ type chfn_t;
- ')
-
- usermanage_domtrans_chfn($1)
-@@ -65,10 +62,25 @@ interface(`usermanage_domtrans_groupadd',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, groupadd_exec_t, groupadd_t)
-+')
-
-- ifdef(`hide_broken_symptoms',`
-- dontaudit groupadd_t $1:socket_class_set { read write };
-+########################################
-+##
-+## Check access to the groupadd executable.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`usermanage_access_check_groupadd',`
-+ gen_require(`
-+ type groupadd_exec_t;
- ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 groupadd_exec_t:file { getattr_file_perms execute };
- ')
-
- ########################################
-@@ -90,6 +102,7 @@ interface(`usermanage_domtrans_groupadd',`
- #
- interface(`usermanage_run_groupadd',`
- gen_require(`
-+ type groupadd_t;
- attribute_role groupadd_roles;
- ')
-
-@@ -114,10 +127,6 @@ interface(`usermanage_domtrans_passwd',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, passwd_exec_t, passwd_t)
--
-- ifdef(`hide_broken_symptoms',`
-- dontaudit passwd_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -174,6 +183,7 @@ interface(`usermanage_check_exec_passwd',`
- #
- interface(`usermanage_run_passwd',`
- gen_require(`
-+ type passwd_t;
- attribute_role passwd_roles;
- ')
-
-@@ -183,6 +193,25 @@ interface(`usermanage_run_passwd',`
-
- ########################################
- ##
-+## Check access to the passwd executable
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`usermanage_access_check_passwd',`
-+ gen_require(`
-+ type passwd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 passwd_exec_t:file { getattr_file_perms execute };
-+')
-+
-+########################################
-+##
- ## Execute password admin functions in
- ## the admin passwd domain.
- ##
-@@ -221,6 +250,7 @@ interface(`usermanage_domtrans_admin_passwd',`
- #
- interface(`usermanage_run_admin_passwd',`
- gen_require(`
-+ type sysadm_passwd_t;
- attribute_role sysadm_passwd_roles;
- ')
-
-@@ -263,10 +293,6 @@ interface(`usermanage_domtrans_useradd',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, useradd_exec_t, useradd_t)
--
-- ifdef(`hide_broken_symptoms',`
-- dontaudit useradd_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -307,6 +333,7 @@ interface(`usermanage_check_exec_useradd',`
- interface(`usermanage_run_useradd',`
- gen_require(`
- attribute_role useradd_roles;
-+ type useradd_t;
- ')
-
- usermanage_domtrans_useradd($1)
-@@ -315,6 +342,25 @@ interface(`usermanage_run_useradd',`
-
- ########################################
- ##
-+## Check access to the useradd executable.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`usermanage_access_check_useradd',`
-+ gen_require(`
-+ type useradd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 useradd_exec_t:file { getattr_file_perms execute };
-+')
-+
-+########################################
-+##
- ## Read the crack database.
- ##
- ##
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..d3c0b2d97 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -26,6 +26,7 @@ type chfn_exec_t;
- domain_obj_id_change_exemption(chfn_t)
- application_domain(chfn_t, chfn_exec_t)
- role chfn_roles types chfn_t;
-+role system_r types chfn_t;
-
- type crack_t;
- type crack_exec_t;
-@@ -44,9 +45,11 @@ domain_obj_id_change_exemption(groupadd_t)
- init_system_domain(groupadd_t, groupadd_exec_t)
- role groupadd_roles types groupadd_t;
-
-+
- type passwd_t;
- type passwd_exec_t;
- domain_obj_id_change_exemption(passwd_t)
-+domain_system_change_exemption(passwd_t)
- application_domain(passwd_t, passwd_exec_t)
- role passwd_roles types passwd_t;
-
-@@ -61,15 +64,19 @@ files_tmp_file(sysadm_passwd_tmp_t)
- type useradd_t;
- type useradd_exec_t;
- domain_obj_id_change_exemption(useradd_t)
-+domain_system_change_exemption(useradd_t)
- init_system_domain(useradd_t, useradd_exec_t)
- role useradd_roles types useradd_t;
-
-+type useradd_var_run_t;
-+files_pid_file(useradd_var_run_t)
-+
- ########################################
- #
- # Chfn local policy
- #
-
--allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-+allow chfn_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
- allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
- allow chfn_t self:process { setrlimit setfscreate };
- allow chfn_t self:fd use;
-@@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto;
-
- kernel_read_system_state(chfn_t)
- kernel_read_kernel_sysctls(chfn_t)
-+kernel_dontaudit_getattr_core_if(chfn_t)
-
- selinux_get_fs_mount(chfn_t)
- selinux_validate_context(chfn_t)
-@@ -94,25 +102,29 @@ selinux_compute_create_context(chfn_t)
- selinux_compute_relabel_context(chfn_t)
- selinux_compute_user_contexts(chfn_t)
-
--term_use_all_ttys(chfn_t)
--term_use_all_ptys(chfn_t)
-+term_use_all_inherited_ttys(chfn_t)
-+term_use_all_inherited_ptys(chfn_t)
-+term_getattr_all_ptys(chfn_t)
-
- fs_getattr_xattr_fs(chfn_t)
- fs_search_auto_mountpoints(chfn_t)
-
- # for SSP
- dev_read_urand(chfn_t)
-+dev_dontaudit_getattr_all(chfn_t)
-
-+auth_manage_passwd(chfn_t)
-+auth_use_pam(chfn_t)
- auth_run_chk_passwd(chfn_t, chfn_roles)
--auth_dontaudit_read_shadow(chfn_t)
--auth_use_nsswitch(chfn_t)
-+#auth_dontaudit_read_shadow(chfn_t)
-+#auth_use_nsswitch(chfn_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(chfn_t)
-+corecmd_exec_bin(chfn_t)
-
- domain_use_interactive_fds(chfn_t)
-
--files_manage_etc_files(chfn_t)
- files_read_etc_runtime_files(chfn_t)
- files_dontaudit_search_var(chfn_t)
- files_dontaudit_search_home(chfn_t)
-@@ -120,13 +132,15 @@ files_dontaudit_search_home(chfn_t)
- # /usr/bin/passwd asks for w access to utmp, but it will operate
- # correctly without it. Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(chfn_t)
--
--miscfiles_read_localization(chfn_t)
-+init_dontaudit_getattr_initctl(chfn_t)
-
- logging_send_syslog_msg(chfn_t)
-
- seutil_read_file_contexts(chfn_t)
-
-+userdom_manage_user_tmp_files(chfn_t)
-+userdom_tmp_filetrans_user_tmp(chfn_t, { file })
-+
- userdom_use_unpriv_users_fds(chfn_t)
- # user generally runs this from their home directory, so do not audit a search
- # on user home dir
-@@ -136,6 +150,16 @@ optional_policy(`
- nscd_run(chfn_t, chfn_roles)
- ')
-
-+optional_policy(`
-+ rssh_exec(chfn_t)
-+')
-+
-+optional_policy(`
-+ # allow to exec tmux
-+ screen_exec(chfn_t)
-+')
-+
-+
- ########################################
- #
- # Crack local policy
-@@ -186,7 +210,7 @@ optional_policy(`
- # Groupadd local policy
- #
-
--allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
-+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };
- dontaudit groupadd_t self:capability { fsetid sys_tty_config };
- allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
- allow groupadd_t self:process { setrlimit setfscreate };
-@@ -212,17 +236,18 @@ selinux_compute_create_context(groupadd_t)
- selinux_compute_relabel_context(groupadd_t)
- selinux_compute_user_contexts(groupadd_t)
-
--term_use_all_ttys(groupadd_t)
--term_use_all_ptys(groupadd_t)
-+term_use_all_inherited_terms(groupadd_t)
-+term_getattr_all_ptys(groupadd_t)
-
- init_use_fds(groupadd_t)
- init_read_utmp(groupadd_t)
- init_dontaudit_write_utmp(groupadd_t)
-+init_dbus_chat(groupadd_t)
-
- domain_use_interactive_fds(groupadd_t)
-
--files_manage_etc_files(groupadd_t)
- files_relabel_etc_files(groupadd_t)
-+files_read_etc_files(groupadd_t)
- files_read_etc_runtime_files(groupadd_t)
- files_read_usr_symlinks(groupadd_t)
-
-@@ -232,14 +257,14 @@ corecmd_exec_bin(groupadd_t)
- logging_send_audit_msgs(groupadd_t)
- logging_send_syslog_msg(groupadd_t)
-
--miscfiles_read_localization(groupadd_t)
-
- auth_run_chk_passwd(groupadd_t, groupadd_roles)
- auth_rw_lastlog(groupadd_t)
- auth_use_nsswitch(groupadd_t)
-+auth_manage_passwd(groupadd_t)
-+auth_manage_shadow(groupadd_t)
- # these may be unnecessary due to the above
- # domtrans_chk_passwd() call.
--auth_manage_shadow(groupadd_t)
- auth_relabel_shadow(groupadd_t)
- auth_etc_filetrans_shadow(groupadd_t)
-
-@@ -251,6 +276,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
- userdom_dontaudit_search_user_home_dirs(groupadd_t)
-
- optional_policy(`
-+ dbus_system_bus_client(groupadd_t)
-+')
-+
-+optional_policy(`
- dpkg_use_fds(groupadd_t)
- dpkg_rw_pipes(groupadd_t)
- ')
-@@ -273,7 +302,7 @@ optional_policy(`
- # Passwd local policy
- #
-
--allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
-+allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
- dontaudit passwd_t self:capability sys_tty_config;
- allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow passwd_t self:process { setrlimit setfscreate };
-@@ -288,6 +317,7 @@ allow passwd_t self:shm create_shm_perms;
- allow passwd_t self:sem create_sem_perms;
- allow passwd_t self:msgq create_msgq_perms;
- allow passwd_t self:msg { send receive };
-+allow passwd_t self:netlink_selinux_socket create_socket_perms;
-
- allow passwd_t crack_db_t:dir list_dir_perms;
- read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -296,6 +326,7 @@ kernel_read_kernel_sysctls(passwd_t)
-
- # for SSP
- dev_read_urand(passwd_t)
-+dev_dontaudit_getattr_all(passwd_t)
-
- fs_getattr_xattr_fs(passwd_t)
- fs_search_auto_mountpoints(passwd_t)
-@@ -310,26 +341,34 @@ selinux_compute_create_context(passwd_t)
- selinux_compute_relabel_context(passwd_t)
- selinux_compute_user_contexts(passwd_t)
-
--term_use_all_ttys(passwd_t)
--term_use_all_ptys(passwd_t)
-+term_use_all_inherited_terms(passwd_t)
-+term_getattr_all_ptys(passwd_t)
-
- auth_run_chk_passwd(passwd_t, passwd_roles)
-+auth_manage_passwd(passwd_t)
-+auth_map_passwd(passwd_t)
- auth_manage_shadow(passwd_t)
-+auth_map_shadow(passwd_t)
- auth_relabel_shadow(passwd_t)
- auth_etc_filetrans_shadow(passwd_t)
--auth_use_nsswitch(passwd_t)
-+auth_use_pam(passwd_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(passwd_t)
-+corecmd_exec_bin(passwd_t)
-+
-+corenet_tcp_connect_kerberos_password_port(passwd_t)
-
- domain_use_interactive_fds(passwd_t)
-
- files_read_etc_runtime_files(passwd_t)
--files_manage_etc_files(passwd_t)
-+files_read_usr_files(passwd_t)
- files_search_var(passwd_t)
- files_dontaudit_search_pids(passwd_t)
- files_relabel_etc_files(passwd_t)
-
-+term_search_ptys(passwd_t)
-+
- # /usr/bin/passwd asks for w access to utmp, but it will operate
- # correctly without it. Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(passwd_t)
-@@ -338,12 +377,11 @@ init_use_fds(passwd_t)
- logging_send_audit_msgs(passwd_t)
- logging_send_syslog_msg(passwd_t)
-
--miscfiles_read_localization(passwd_t)
-
- seutil_read_config(passwd_t)
- seutil_read_file_contexts(passwd_t)
-
--userdom_use_user_terminals(passwd_t)
-+userdom_use_inherited_user_terminals(passwd_t)
- userdom_use_unpriv_users_fds(passwd_t)
- # make sure that getcon succeeds
- userdom_getattr_all_users(passwd_t)
-@@ -352,6 +390,20 @@ userdom_read_user_tmp_files(passwd_t)
- # user generally runs this from their home directory, so do not audit a search
- # on user home dir
- userdom_dontaudit_search_user_home_content(passwd_t)
-+userdom_stream_connect(passwd_t)
-+userdom_rw_stream(passwd_t)
-+
-+# needed by gnome-keyring
-+userdom_manage_user_tmp_files(passwd_t)
-+userdom_manage_user_tmp_sockets(passwd_t)
-+userdom_manage_user_tmp_dirs(passwd_t)
-+
-+optional_policy(`
-+ gnome_exec_keyringd(passwd_t)
-+ gnome_manage_cache_home_dir(passwd_t)
-+ gnome_manage_generic_cache_sockets(passwd_t)
-+ gnome_stream_connect_gkeyringd(passwd_t)
-+')
-
- optional_policy(`
- nscd_run(passwd_t, passwd_roles)
-@@ -362,7 +414,7 @@ optional_policy(`
- # Password admin local policy
- #
-
--allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-+allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
- allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow sysadm_passwd_t self:process { setrlimit setfscreate };
- allow sysadm_passwd_t self:fd use;
-@@ -401,9 +453,10 @@ dev_read_urand(sysadm_passwd_t)
- fs_getattr_xattr_fs(sysadm_passwd_t)
- fs_search_auto_mountpoints(sysadm_passwd_t)
-
--term_use_all_ttys(sysadm_passwd_t)
--term_use_all_ptys(sysadm_passwd_t)
-+term_use_all_inherited_terms(sysadm_passwd_t)
-+term_getattr_all_ptys(sysadm_passwd_t)
-
-+auth_manage_passwd(sysadm_passwd_t)
- auth_manage_shadow(sysadm_passwd_t)
- auth_relabel_shadow(sysadm_passwd_t)
- auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -416,7 +469,6 @@ files_read_usr_files(sysadm_passwd_t)
-
- domain_use_interactive_fds(sysadm_passwd_t)
-
--files_manage_etc_files(sysadm_passwd_t)
- files_relabel_etc_files(sysadm_passwd_t)
- files_read_etc_runtime_files(sysadm_passwd_t)
- # for nscd lookups
-@@ -426,12 +478,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
- # correctly without it. Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(sysadm_passwd_t)
-
--miscfiles_read_localization(sysadm_passwd_t)
-
- logging_send_syslog_msg(sysadm_passwd_t)
-
--seutil_dontaudit_search_config(sysadm_passwd_t)
--
- userdom_use_unpriv_users_fds(sysadm_passwd_t)
- # user generally runs this from their home directory, so do not audit a search
- # on user home dir
-@@ -446,8 +495,10 @@ optional_policy(`
- # Useradd local policy
- #
-
--allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
--dontaudit useradd_t self:capability sys_tty_config;
-+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
-+
-+dontaudit useradd_t self:capability { net_admin sys_tty_config };
-+dontaudit useradd_t self:cap_userns { sys_ptrace };
- allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow useradd_t self:process setfscreate;
- allow useradd_t self:fd use;
-@@ -461,6 +512,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
- allow useradd_t self:unix_dgram_socket sendto;
- allow useradd_t self:unix_stream_socket connectto;
-
-+manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-+manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-+files_pid_filetrans(useradd_t, useradd_var_run_t, dir)
-+
- # for getting the number of groups
- kernel_read_kernel_sysctls(useradd_t)
-
-@@ -468,29 +523,28 @@ corecmd_exec_shell(useradd_t)
- # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
- corecmd_exec_bin(useradd_t)
-
-+kernel_getattr_core_if(useradd_t)
-+dev_dontaudit_getattr_all(useradd_t)
-+
- domain_use_interactive_fds(useradd_t)
- domain_read_all_domains_state(useradd_t)
-+domain_dontaudit_read_all_domains_state(useradd_t)
-
--files_manage_etc_files(useradd_t)
- files_search_var_lib(useradd_t)
- files_relabel_etc_files(useradd_t)
- files_read_etc_runtime_files(useradd_t)
-+files_manage_etc_files(useradd_t)
-+files_create_var_lib_dirs(useradd_t)
-+files_rw_var_lib_dirs(useradd_t)
-
- fs_search_auto_mountpoints(useradd_t)
- fs_getattr_xattr_fs(useradd_t)
-
- mls_file_upgrade(useradd_t)
-+mls_process_read_to_clearance(useradd_t)
-
--# Allow access to context for shadow file
--selinux_get_fs_mount(useradd_t)
--selinux_validate_context(useradd_t)
--selinux_compute_access_vector(useradd_t)
--selinux_compute_create_context(useradd_t)
--selinux_compute_relabel_context(useradd_t)
--selinux_compute_user_contexts(useradd_t)
--
--term_use_all_ttys(useradd_t)
--term_use_all_ptys(useradd_t)
-+term_use_all_inherited_terms(useradd_t)
-+term_getattr_all_ptys(useradd_t)
-
- auth_run_chk_passwd(useradd_t, useradd_roles)
- auth_rw_lastlog(useradd_t)
-@@ -498,45 +552,50 @@ auth_rw_faillog(useradd_t)
- auth_use_nsswitch(useradd_t)
- # these may be unnecessary due to the above
- # domtrans_chk_passwd() call.
-+auth_manage_passwd(useradd_t)
- auth_manage_shadow(useradd_t)
- auth_relabel_shadow(useradd_t)
- auth_etc_filetrans_shadow(useradd_t)
-
- init_use_fds(useradd_t)
- init_rw_utmp(useradd_t)
-+init_dbus_chat(useradd_t)
-
- logging_send_audit_msgs(useradd_t)
- logging_send_syslog_msg(useradd_t)
-
--miscfiles_read_localization(useradd_t)
-+
-+seutil_semanage_policy(useradd_t)
-+seutil_manage_file_contexts(useradd_t)
-+seutil_manage_config(useradd_t)
-+seutil_manage_login_config(useradd_t)
-+seutil_manage_default_contexts(useradd_t)
-
- seutil_read_config(useradd_t)
- seutil_read_file_contexts(useradd_t)
- seutil_read_default_contexts(useradd_t)
-+seutil_get_semanage_trans_lock(useradd_t)
-+seutil_get_semanage_read_lock(useradd_t)
- seutil_run_semanage(useradd_t, useradd_roles)
- seutil_run_setfiles(useradd_t, useradd_roles)
-+seutil_run_loadpolicy(useradd_t, useradd_roles)
-
- userdom_use_unpriv_users_fds(useradd_t)
- # Add/remove user home directories
--userdom_manage_user_home_dirs(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
--userdom_manage_user_home_content_dirs(useradd_t)
--userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
--userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
-+userdom_manage_home_role(system_r, useradd_t)
-+userdom_delete_all_user_home_content(useradd_t)
-
- optional_policy(`
- mta_manage_spool(useradd_t)
- ')
-
--ifdef(`distro_redhat',`
-- optional_policy(`
-- unconfined_domain(useradd_t)
-- ')
-+optional_policy(`
-+ apache_manage_all_user_content(useradd_t)
- ')
-
- optional_policy(`
-- apache_manage_all_user_content(useradd_t)
-+ dbus_system_bus_client(useradd_t)
- ')
-
- optional_policy(`
-@@ -545,14 +604,27 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ kerberos_manage_kdc_var_lib(useradd_t)
-+')
-+
-+optional_policy(`
- nscd_run(useradd_t, useradd_roles)
- ')
-
- optional_policy(`
-+ openshift_manage_content(useradd_t)
-+')
-+
-+optional_policy(`
- puppet_rw_tmp(useradd_t)
- ')
-
- optional_policy(`
-+ rpc_list_nfs_state_data(useradd_t)
-+ rpc_read_nfs_state_data(useradd_t)
-+')
-+
-+optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(useradd_t)
- ')
-@@ -562,3 +634,12 @@ optional_policy(`
- rpm_use_fds(useradd_t)
- rpm_rw_pipes(useradd_t)
- ')
-+
-+optional_policy(`
-+ smsd_manage_lib_files(useradd_t)
-+ smsd_manage_lib_dirs(useradd_t)
-+')
-+
-+optional_policy(`
-+ stapserver_manage_lib(useradd_t)
-+')
-diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85d3..e4f6fc227 100644
---- a/policy/modules/apps/seunshare.if
-+++ b/policy/modules/apps/seunshare.if
-@@ -43,18 +43,18 @@ interface(`seunshare_run',`
- role $2 types seunshare_t;
-
- allow $1 seunshare_t:process signal_perms;
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
-- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
-- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
-- ')
- ')
-
- ########################################
- ##
--## Role access for seunshare
-+## The role template for the seunshare module.
- ##
-+##
-+##
-+## The prefix of the user role (e.g., user
-+## is the prefix for user_r).
-+##
-+##
- ##
- ##
- ## Role allowed access.
-@@ -66,15 +66,47 @@ interface(`seunshare_run',`
- ##
- ##
- #
--interface(`seunshare_role',`
-+interface(`seunshare_role_template',`
- gen_require(`
-- type seunshare_t;
-+ attribute seunshare_domain;
-+ type seunshare_exec_t;
- ')
-
-- role $2 types seunshare_t;
-+ type $1_seunshare_t, seunshare_domain;
-+ application_domain($1_seunshare_t, seunshare_exec_t)
-+ role $2 types $1_seunshare_t;
-
-- seunshare_domtrans($1)
-+ kernel_read_system_state($1_seunshare_t)
-+
-+ domain_dyntrans_type($1_seunshare_t)
-+
-+ auth_use_nsswitch($1_seunshare_t)
-+
-+ logging_send_syslog_msg($1_seunshare_t)
-+
-+ mls_process_set_level($1_seunshare_t)
-+
-+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
-+ allow $1_seunshare_t $3:unix_stream_socket getattr;
-+
-+ # part of sandboxX.pp
-+ optional_policy(`
-+ sandbox_x_transition($1_seunshare_t, $2)
-+ ')
-+
-+ # part of sandbox.pp
-+ optional_policy(`
-+ sandbox_transition($1_seunshare_t, $2)
-+ ')
-+
-+ ps_process_pattern($3, $1_seunshare_t)
-+ dontaudit $1_seunshare_t $3:file read;
-+ allow $3 $1_seunshare_t:process signal_perms;
-+ allow $3 $1_seunshare_t:fd use;
-+
-+ allow $1_seunshare_t $3:process transition;
-+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
-
-- ps_process_pattern($2, seunshare_t)
-- allow $2 seunshare_t:process signal;
-+ corecmd_bin_domtrans($1_seunshare_t, $1_t)
-+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
- ')
-diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 759016583..1b9a61d18 100644
---- a/policy/modules/apps/seunshare.te
-+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
- # Declarations
- #
-
--type seunshare_t;
-+attribute seunshare_domain;
- type seunshare_exec_t;
--application_domain(seunshare_t, seunshare_exec_t)
--role system_r types seunshare_t;
-
- ########################################
- #
- # seunshare local policy
- #
-+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search setpcap sys_admin sys_nice };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
-
--allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
--allow seunshare_t self:process { setexec signal getcap setcap };
-+allow seunshare_domain self:fifo_file rw_file_perms;
-+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
-
--allow seunshare_t self:fifo_file rw_file_perms;
--allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
-+corecmd_exec_shell(seunshare_domain)
-+corecmd_exec_bin(seunshare_domain)
-+corecmd_getattr_all_executables(seunshare_domain)
-
--corecmd_exec_shell(seunshare_t)
--corecmd_exec_bin(seunshare_t)
-+dev_read_urand(seunshare_domain)
-+dev_dontaudit_rw_dri(seunshare_domain)
-
--files_read_etc_files(seunshare_t)
--files_mounton_all_poly_members(seunshare_t)
-+files_search_all(seunshare_domain)
-+files_read_etc_files(seunshare_domain)
-+files_mounton_all_poly_members(seunshare_domain)
-+files_mounton_rootfs(seunshare_domain)
-+files_manage_generic_tmp_dirs(seunshare_domain)
-+files_relabelfrom_tmp_dirs(seunshare_domain)
-
--auth_use_nsswitch(seunshare_t)
--
--logging_send_syslog_msg(seunshare_t)
--
--miscfiles_read_localization(seunshare_t)
--
--userdom_use_user_terminals(seunshare_t)
-+fs_manage_cgroup_dirs(seunshare_domain)
-+fs_manage_cgroup_files(seunshare_domain)
-+fs_unmount_all_fs(seunshare_domain)
-
-+userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain)
-+userdom_use_inherited_user_terminals(seunshare_domain)
-+userdom_list_user_home_content(seunshare_domain)
- ifdef(`hide_broken_symptoms', `
-- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
-+ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
-+ fs_dontaudit_list_inotifyfs(seunshare_domain)
-
- optional_policy(`
-- mozilla_dontaudit_manage_user_home_files(seunshare_t)
-+ gnome_dontaudit_rw_inherited_config(seunshare_domain)
- ')
-+
-+ optional_policy(`
-+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
-+ mozilla_plugin_dontaudit_leaks(seunshare_domain)
-+ ')
-+')
-+optional_policy(`
-+ rsync_exec(seunshare_domain)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_mounton_nfs(seunshare_domain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_mounton_cifs(seunshare_domain)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_mounton_fusefs(seunshare_domain)
- ')
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8dad..6fd767031 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -1,9 +1,10 @@
- #
- # /bin
- #
--/bin -d gen_context(system_u:object_r:bin_t,s0)
-+/bin gen_context(system_u:object_r:bin_t,s0)
- /bin/.* gen_context(system_u:object_r:bin_t,s0)
- /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -46,6 +47,7 @@ ifdef(`distro_redhat',`
- /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
- /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
-
-+/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0)
- /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
-
- /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -67,18 +69,33 @@ ifdef(`distro_redhat',`
- /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
-
- /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/etc/kde/kdm(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/sddm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/sddm/wayland-session -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/sddm/Xsetup -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/sddm/Xstop -- gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-
- /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0)
-
- ifdef(`distro_redhat',`
- /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
- ')
-
- /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-@@ -99,13 +116,12 @@ ifdef(`distro_redhat',`
-
- /etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/init\.d/vboxdrv.* gen_context(system_u:object_r:bin_t,s0)
-
--/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
-
- /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
- /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
--/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
- /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0)
- /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0)
-
-@@ -116,6 +132,9 @@ ifdef(`distro_redhat',`
-
- /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+
-+/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
- /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
- /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-@@ -128,6 +147,8 @@ ifdef(`distro_debian',`
- /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
- ')
-
-+/etc/dhcp/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
- #
- # /lib
- #
-@@ -135,10 +156,12 @@ ifdef(`distro_debian',`
- /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
- /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
--/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)
- /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
- /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
- /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- ifdef(`distro_gentoo',`
- /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -149,10 +172,12 @@ ifdef(`distro_gentoo',`
- /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
- ')
-
-+/usr/lib/erlang/erts.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
- #
- # /sbin
- #
--/sbin -d gen_context(system_u:object_r:bin_t,s0)
-+/sbin gen_context(system_u:object_r:bin_t,s0)
- /sbin/.* gen_context(system_u:object_r:bin_t,s0)
- /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +193,7 @@ ifdef(`distro_gentoo',`
- /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-@@ -179,34 +205,50 @@ ifdef(`distro_gentoo',`
- /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
- ')
-
-+/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
- #
- # /usr
- #
-+/usr/bin -d gen_context(system_u:object_r:bin_t,s0)
- /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
--/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
--/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
-
- /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
--/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -218,19 +260,32 @@ ifdef(`distro_gentoo',`
- /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +300,41 @@ ifdef(`distro_gentoo',`
- /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-
- /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--
- /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
--/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-
- /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-
--/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +350,14 @@ ifdef(`distro_gentoo',`
- /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/gitolite3/commands(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +372,22 @@ ifdef(`distro_gentoo',`
- /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
--/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall6?/configpath -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall6?/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-
- ifdef(`distro_debian',`
- /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +405,27 @@ ifdef(`distro_redhat', `
- /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
- /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
--/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
-+#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +433,7 @@ ifdef(`distro_redhat', `
- /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +475,36 @@ ifdef(`distro_suse', `
- #
- # /var
- #
--/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)
-+/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
-
- /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
- /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
-
-+/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
-+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
-+
- ifdef(`distro_suse',`
- /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
- ')
-+
-+/var/usrlocal/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
-+#
-+# /usr/lib
-+#
-+
-+/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
-diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a68..464be5733 100644
---- a/policy/modules/kernel/corecommands.if
-+++ b/policy/modules/kernel/corecommands.if
-@@ -8,6 +8,22 @@
- ## run init.
- ##
-
-+#####################################
-+##
-+## corecmd stub bin_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`corecmd_stub_bin',`
-+ gen_require(`
-+ type bin_t;
-+ ')
-+')
-+
- ########################################
- ##
- ## Make the specified type usable for files
-@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',`
- interface(`corecmd_bin_entry_type',`
- gen_require(`
- type bin_t;
-+ type usr_t;
- ')
-
- domain_entry_file($1, bin_t)
-+ domain_entry_file($1, usr_t)
- ')
-
- ########################################
-@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- search_dirs_pattern($1, bin_t, bin_t)
- ')
-
-@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- list_dirs_pattern($1, bin_t, bin_t)
- ')
-
-@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- read_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
-
- ########################################
- ##
-+## Do not audit attempts to access check bin files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corecmd_dontaudit_access_check_bin',`
-+ gen_require(`
-+ type bin_t;
-+ ')
-+
-+ dontaudit $1 bin_t:file audit_access;
-+')
-+
-+########################################
-+##
- ## Read symbolic links in bin directories.
- ##
- ##
-@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks(bin_t)
- read_fifo_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- read_sock_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',`
- read_lnk_files_pattern($1, bin_t, bin_t)
- list_dirs_pattern($1, bin_t, bin_t)
- can_exec($1, bin_t)
-+
-+ ifdef(`enable_mls',`',`
-+ files_exec_all_base_ro_files($1)
-+ ')
- ')
-
- ########################################
-@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- manage_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -398,7 +444,8 @@ interface(`corecmd_mmap_bin_files',`
- type bin_t;
- ')
-
-- mmap_files_pattern($1, bin_t, bin_t)
-+ corecmd_read_bin_symlinks($1)
-+ mmap_exec_files_pattern($1, bin_t, bin_t)
- ')
-
- ########################################
-@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',`
- interface(`corecmd_bin_spec_domtrans',`
- gen_require(`
- type bin_t;
-+ type usr_t;
- ')
-
- read_lnk_files_pattern($1, bin_t, bin_t)
- domain_transition_pattern($1, bin_t, $2)
-+
-+ read_lnk_files_pattern($1, usr_t, usr_t)
-+ domain_transition_pattern($1, usr_t, $2)
- ')
-
- ########################################
-@@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',`
- interface(`corecmd_bin_domtrans',`
- gen_require(`
- type bin_t;
-+ type usr_t;
- ')
-
- corecmd_bin_spec_domtrans($1, $2)
- type_transition $1 bin_t:process $2;
-+ type_transition $1 usr_t:process $2;
- ')
-
- ########################################
-@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',`
- interface(`corecmd_exec_chroot',`
- gen_require(`
- type chroot_exec_t;
-+ type bin_t;
- ')
-
- read_lnk_files_pattern($1, bin_t, bin_t)
-@@ -954,28 +1008,25 @@ interface(`corecmd_exec_chroot',`
-
- ########################################
- ##
--## Get the attributes of all executable files.
-+## Do not audit attempts to access check executable files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`corecmd_getattr_all_executables',`
-+interface(`corecmd_dontaudit_access_all_executables',`
- gen_require(`
- attribute exec_type;
-- type bin_t;
- ')
-
-- allow $1 bin_t:dir list_dir_perms;
-- getattr_files_pattern($1, bin_t, exec_type)
-+ dontaudit $1 exec_type:file audit_access;
- ')
-
- ########################################
- ##
--## Read all executable files.
-+## Get the attributes of all executable files.
- ##
- ##
- ##
-@@ -984,12 +1035,14 @@ interface(`corecmd_getattr_all_executables',`
- ##
- ##
- #
--interface(`corecmd_read_all_executables',`
-+interface(`corecmd_getattr_all_executables',`
- gen_require(`
- attribute exec_type;
-+ type bin_t;
- ')
-
-- read_files_pattern($1, exec_type, exec_type)
-+ allow $1 bin_t:dir list_dir_perms;
-+ getattr_files_pattern($1, bin_t, exec_type)
- ')
-
- ########################################
-@@ -1049,6 +1102,7 @@ interface(`corecmd_manage_all_executables',`
- type bin_t;
- ')
-
-+ manage_dirs_pattern($1, bin_t, exec_type)
- manage_files_pattern($1, bin_t, exec_type)
- manage_lnk_files_pattern($1, bin_t, bin_t)
- ')
-@@ -1089,5 +1143,76 @@ interface(`corecmd_mmap_all_executables',`
- type bin_t;
- ')
-
-- mmap_files_pattern($1, bin_t, exec_type)
-+ mmap_exec_files_pattern($1, bin_t, exec_type)
-+')
-+
-+########################################
-+##
-+## Read all executable files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`corecmd_read_all_executables',`
-+ gen_require(`
-+ attribute exec_type;
-+ ')
-+
-+ read_files_pattern($1, exec_type, exec_type)
-+')
-+
-+########################################
-+##
-+## Read all executable files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`corecmd_entrypoint_all_executables',`
-+ gen_require(`
-+ attribute exec_type;
-+ ')
-+
-+ allow $1 exec_type:file entrypoint;
-+')
-+
-+########################################
-+##
-+## Create objects in the /bin directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`corecmd_bin_filetrans',`
-+ gen_require(`
-+ type bin_t;
-+ ')
-+
-+ filetrans_pattern($1, bin_t, $2, $3, $4)
- ')
-diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 20c76cff9..cc63dcc9c 100644
---- a/policy/modules/kernel/corecommands.te
-+++ b/policy/modules/kernel/corecommands.te
-@@ -13,7 +13,8 @@ attribute exec_type;
- #
- # bin_t is the type of files in the system bin/sbin directories.
- #
--type bin_t alias { ls_exec_t sbin_t };
-+type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
-+files_ro_base_file(bin_t)
- corecmd_executable_file(bin_t)
- dev_associate(bin_t) #For /dev/MAKEDEV
-
-@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV
- # shell_exec_t is the type of user shells such as /bin/bash.
- #
- type shell_exec_t;
-+files_ro_base_file(shell_exec_t)
- corecmd_executable_file(shell_exec_t)
-
- type chroot_exec_t;
-diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
-index f9b25c12f..9af1f7a61 100644
---- a/policy/modules/kernel/corenetwork.fc
-+++ b/policy/modules/kernel/corenetwork.fc
-@@ -8,3 +8,6 @@
-
- /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
- /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
-+
-+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
-+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
-diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bdcc..379aac1bb 100644
---- a/policy/modules/kernel/corenetwork.if.in
-+++ b/policy/modules/kernel/corenetwork.if.in
-@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
- ')
-
- typeattribute $1 reserved_port_type;
-+ corenet_port($1)
- ')
-
- ########################################
-@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
- ')
-
- typeattribute $1 rpc_port_type;
-+ corenet_port($1)
- ')
-
- ########################################
-@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on generic nodes.
- ##
- ##
-@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
-
- ########################################
- ##
-+## Bind DCCP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:dccp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic nodes.
- ##
- ##
-@@ -855,6 +893,44 @@ interface(`corenet_udp_bind_generic_node',`
-
- ########################################
- ##
-+## Dontaudit attempts to bind TCP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`corenet_dontaudit_tcp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ dontaudit $1 node_t:tcp_socket node_bind;
-+')
-+
-+########################################
-+##
-+## Dontaudit attempts to bind UDP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`corenet_dontaudit_udp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ dontaudit $1 node_t:udp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind raw sockets to genric nodes.
- ##
- ##
-@@ -928,6 +1004,24 @@ interface(`corenet_inout_generic_node',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on all nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_all_nodes',`
-+ gen_require(`
-+ attribute node_type;
-+ ')
-+
-+ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on all nodes.
- ##
- ##
-@@ -1102,6 +1196,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
-
- ########################################
- ##
-+## Bind DCCP sockets to all nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_nodes',`
-+ gen_require(`
-+ attribute node_type;
-+ ')
-+
-+ allow $1 node_type:dccp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to all nodes.
- ##
- ##
-@@ -1157,6 +1269,24 @@ interface(`corenet_raw_bind_all_nodes',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on generic ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on generic ports.
- ##
- ##
-@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',`
- #
- interface(`corenet_tcp_sendrecv_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to send and
-+## receive DCCP network traffic on
-+## generic ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:tcp_socket { send_msg recv_msg };
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
- ')
-
- ########################################
-@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
- #
- interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
- ')
-
- ########################################
-@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
- #
- interface(`corenet_udp_send_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:udp_socket send_msg;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
- ')
-
- ########################################
-@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',`
- #
- interface(`corenet_udp_receive_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:udp_socket recv_msg;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
- ')
-
- ########################################
-@@ -1244,6 +1394,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
-
- ########################################
- ##
-+## Bind DCCP sockets to generic ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ attribute defined_port_type;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
-+ dontaudit $1 defined_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic ports.
- ##
- ##
-@@ -1254,16 +1424,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
- #
- interface(`corenet_tcp_bind_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- attribute defined_port_type;
- ')
-
-- allow $1 port_t:tcp_socket name_bind;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
- dontaudit $1 defined_port_type:tcp_socket name_bind;
- ')
-
- ########################################
- ##
-+## Do not audit attempts to bind DCCP
-+## sockets to generic ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Do not audit bind TCP sockets to generic ports.
- ##
- ##
-@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',`
- #
- interface(`corenet_dontaudit_tcp_bind_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- dontaudit $1 port_t:tcp_socket name_bind;
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
- ')
-
- ########################################
-@@ -1292,16 +1481,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
- #
- interface(`corenet_udp_bind_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- attribute defined_port_type;
- ')
-
-- allow $1 port_t:udp_socket name_bind;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
- dontaudit $1 defined_port_type:udp_socket name_bind;
- ')
-
- ########################################
- ##
-+## Connect DCCP sockets to generic ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t,ephemeral_port_t;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to generic ports.
- ##
- ##
-@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',`
- #
- interface(`corenet_tcp_connect_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
-+')
-+
-+########################################
-+##
-+## Send and receive DCCP network traffic on all ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_all_ports',`
-+ gen_require(`
-+ attribute port_type;
- ')
-
-- allow $1 port_t:tcp_socket name_connect;
-+ allow $1 port_type:dccp_socket { send_msg recv_msg };
- ')
-
- ########################################
-@@ -1439,6 +1664,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
-
- ########################################
- ##
-+## Bind DCCP sockets to all ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ allow $1 port_type:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to all ports.
- ##
- ##
-@@ -1458,6 +1702,24 @@ interface(`corenet_tcp_bind_all_ports',`
-
- ########################################
- ##
-+## Do not audit attepts to bind DCCP sockets to any ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ dontaudit $1 port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Do not audit attepts to bind TCP sockets to any ports.
- ##
- ##
-@@ -1513,6 +1775,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
-
- ########################################
- ##
-+## Connect DCCP sockets to all ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ allow $1 port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to all ports.
- ##
- ##
-@@ -1559,6 +1839,25 @@ interface(`corenet_tcp_connect_all_ports',`
-
- ########################################
- ##
-+## Do not audit attempts to connect DCCP sockets
-+## to all ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_connect_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ dontaudit $1 port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to connect TCP sockets
- ## to all ports.
- ##
-@@ -1578,6 +1877,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on generic reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_reserved_port',`
-+ gen_require(`
-+ type reserved_port_t;
-+ ')
-+
-+ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on generic reserved ports.
- ##
- ##
-@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',`
-
- ########################################
- ##
--## Bind TCP sockets to generic reserved ports.
-+## Bind DCCP sockets to generic reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_reserved_port',`
-+ gen_require(`
-+ type reserved_port_t;
-+ ')
-+
-+ allow $1 reserved_port_t:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
-+## Bind TCP sockets to generic reserved ports.
- ##
- ##
- ##
-@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',`
-
- ########################################
- ##
-+## Connect DCCP sockets to generic reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_reserved_port',`
-+ gen_require(`
-+ type reserved_port_t;
-+ ')
-+
-+ allow $1 reserved_port_t:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to generic reserved ports.
- ##
- ##
-@@ -1703,6 +2057,24 @@ interface(`corenet_tcp_connect_reserved_port',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on all reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on all reserved ports.
- ##
- ##
-@@ -1772,6 +2144,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
-
- ########################################
- ##
-+## Bind DCCP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ allow $1 reserved_port_type:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to all reserved ports.
- ##
- ##
-@@ -1791,6 +2182,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
-
- ########################################
- ##
-+## Do not audit attempts to bind DCCP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ dontaudit $1 reserved_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to bind TCP sockets to all reserved ports.
- ##
- ##
-@@ -1846,6 +2255,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
-
- ########################################
- ##
-+## Bind DCCP sockets to all ports > 1024.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_unreserved_ports',`
-+ gen_require(`
-+ attribute unreserved_port_type;
-+ ')
-+
-+ allow $1 unreserved_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to all ports > 1024.
- ##
- ##
-@@ -1864,6 +2291,24 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
-
- ########################################
- ##
-+## Bind TCP sockets to all ports > 1024.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_tcp_bind_unreserved_ports',`
-+ gen_require(`
-+ attribute unreserved_port_type;
-+ ')
-+
-+ allow $1 unreserved_port_type:tcp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Bind UDP sockets to all ports > 1024.
- ##
- ##
-@@ -1882,6 +2327,60 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
-
- ########################################
- ##
-+## Bind TCP sockets to all ports > 32768.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_tcp_bind_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:tcp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Bind UDP sockets to all ports > 32768.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_udp_bind_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:udp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Connect DCCP sockets to reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ allow $1 reserved_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to reserved ports.
- ##
- ##
-@@ -1900,6 +2399,42 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
-
- ########################################
- ##
-+## Connect DCCP sockets to all ports > 1024.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_all_unreserved_ports',`
-+ gen_require(`
-+ attribute unreserved_port_type;
-+ ')
-+
-+ allow $1 unreserved_port_type:dccp_socket name_connect;
-+')
-+
-+#######################################
-+##
-+## Connect TCP sockets to ports > 1024.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_tcp_connect_unreserved_ports',`
-+ gen_require(`
-+ type unreserved_port_t;
-+ ')
-+
-+ allow $1 unreserved_port_t:tcp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to all ports > 1024.
- ##
- ##
-@@ -1918,6 +2453,43 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
-
- ########################################
- ##
-+## Connect TCP sockets to all ports > 32768.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_tcp_connect_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:tcp_socket name_connect;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to connect DCCP sockets
-+## all reserved ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ dontaudit $1 reserved_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to connect TCP sockets
- ## all reserved ports.
- ##
-@@ -1937,6 +2509,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
-
- ########################################
- ##
-+## Connect DCCP sockets to rpc ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
-+ allow $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to rpc ports.
- ##
- ##
-@@ -1955,6 +2545,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
-
- ########################################
- ##
-+## Do not audit attempts to connect DCCP sockets
-+## all rpc ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
-+ dontaudit $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to connect TCP sockets
- ## all rpc ports.
- ##
-@@ -1993,6 +2602,42 @@ interface(`corenet_rw_tun_tap_dev',`
-
- ########################################
- ##
-+## Relabel to and from the TUN/TAP virtual network device.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_relabel_tun_tap_dev',`
-+ gen_require(`
-+ type tun_tap_device_t;
-+ ')
-+
-+ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write inherited TUN/TAP virtual network device.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_rw_inherited_tun_tap_dev',`
-+ gen_require(`
-+ type tun_tap_device_t;
-+ ')
-+
-+ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or write the TUN/TAP
- ## virtual network device.
- ##
-@@ -2020,31 +2665,50 @@ interface(`corenet_dontaudit_rw_tun_tap_dev',`
- ##
- ##
- #
--interface(`corenet_getattr_ppp_dev',`
-+interface(`corenet_getattr_ppp_dev',`
-+ gen_require(`
-+ type ppp_device_t;
-+ ')
-+
-+ allow $1 ppp_device_t:chr_file getattr;
-+')
-+
-+########################################
-+##
-+## Read and write the point-to-point device.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_rw_ppp_dev',`
- gen_require(`
- type ppp_device_t;
- ')
-
-- allow $1 ppp_device_t:chr_file getattr;
-+ dev_list_all_dev_nodes($1)
-+ allow $1 ppp_device_t:chr_file rw_chr_file_perms;
- ')
-
- ########################################
- ##
--## Read and write the point-to-point device.
-+## Bind DCCP sockets to all RPC ports.
- ##
- ##
- ##
--## The domain allowed access.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`corenet_rw_ppp_dev',`
-+interface(`corenet_dccp_bind_all_rpc_ports',`
- gen_require(`
-- type ppp_device_t;
-+ attribute rpc_port_type;
- ')
-
-- dev_list_all_dev_nodes($1)
-- allow $1 ppp_device_t:chr_file rw_chr_file_perms;
-+ allow $1 rpc_port_type:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
- ')
-
- ########################################
-@@ -2068,6 +2732,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
-
- ########################################
- ##
-+## Do not audit attempts to bind DCCP sockets to all RPC ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
-+ dontaudit $1 rpc_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to bind TCP sockets to all RPC ports.
- ##
- ##
-@@ -2194,6 +2876,25 @@ interface(`corenet_tcp_recv_netlabel',`
-
- ########################################
- ##
-+## Receive DCCP packets from a NetLabel connection.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_recvfrom_netlabel',`
-+ gen_require(`
-+ type netlabel_peer_t;
-+ ')
-+
-+ allow $1 netlabel_peer_t:peer recv;
-+ allow $1 netlabel_peer_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Receive TCP packets from a NetLabel connection.
- ##
- ##
-@@ -2213,7 +2914,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
-
- ########################################
- ##
--## Receive TCP packets from an unlabled connection.
-+## Receive DCCP packets from an unlabled connection.
- ##
- ##
- ##
-@@ -2221,10 +2922,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
- ##
- ##
- #
--interface(`corenet_tcp_recvfrom_unlabeled',`
-- kernel_tcp_recvfrom_unlabeled($1)
-+interface(`corenet_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+
-+ kernel_dccp_recvfrom_unlabeled($1)
- kernel_recvfrom_unlabeled_peer($1)
-
-+ typeattribute $1 corenet_unlabeled_type;
- # XXX - at some point the oubound/send access check will be removed
- # but for right now we need to keep this in place so as not to break
- # older systems
-@@ -2249,6 +2955,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
-
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from a NetLabel
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_recvfrom_netlabel',`
-+ gen_require(`
-+ type netlabel_peer_t;
-+ ')
-+
-+ dontaudit $1 netlabel_peer_t:peer recv;
-+ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from a NetLabel
- ## connection.
- ##
-@@ -2269,6 +2995,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
-
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from an unlabeled
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',`
-+ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
-+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
-+
-+ # XXX - at some point the oubound/send access check will be removed
-+ # but for right now we need to keep this in place so as not to break
-+ # older systems
-+ kernel_dontaudit_sendrecv_unlabeled_association($1)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from an unlabeled
- ## connection.
- ##
-@@ -2533,15 +3280,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
- ##
- #
- interface(`corenet_all_recvfrom_unlabeled',`
-- kernel_tcp_recvfrom_unlabeled($1)
-- kernel_udp_recvfrom_unlabeled($1)
-- kernel_raw_recvfrom_unlabeled($1)
-- kernel_recvfrom_unlabeled_peer($1)
--
-- # XXX - at some point the oubound/send access check will be removed
-- # but for right now we need to keep this in place so as not to break
-- # older systems
-- kernel_sendrecv_unlabeled_association($1)
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+ typeattribute $1 corenet_unlabeled_type;
- ')
-
- ########################################
-@@ -2567,11 +3309,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
- #
- interface(`corenet_all_recvfrom_netlabel',`
- gen_require(`
-- type netlabel_peer_t;
-+ attribute netlabel_peer_type;
- ')
-
-- allow $1 netlabel_peer_t:peer recv;
-- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
-+ typeattribute $1 netlabel_peer_type;
-+')
-+
-+########################################
-+##
-+## Enable unlabeled net packets
-+##
-+##
-+##
-+## Allow unlabeled_packet_t to be used by all domains that use the network
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`corenet_enable_unlabeled_packets',`
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+
-+ kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
- ')
-
- ########################################
-@@ -2585,6 +3350,7 @@ interface(`corenet_all_recvfrom_netlabel',`
- ##
- #
- interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
-+ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
- kernel_dontaudit_tcp_recvfrom_unlabeled($1)
- kernel_dontaudit_udp_recvfrom_unlabeled($1)
- kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3379,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
- ')
-
- dontaudit $1 netlabel_peer_t:peer recv;
-- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
-+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
-+')
-+
-+########################################
-+##
-+## Rules for receiving labeled DCCP packets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Peer domain.
-+##
-+##
-+#
-+interface(`corenet_dccp_recvfrom_labeled',`
-+ allow { $1 $2 } self:association sendto;
-+ allow $1 $2:{ association dccp_socket } recvfrom;
-+ allow $2 $1:{ association dccp_socket } recvfrom;
-+
-+ allow $1 $2:peer recv;
-+ allow $2 $1:peer recv;
-+
-+ # allow receiving packets from MLS-only peers using NetLabel
-+ corenet_dccp_recvfrom_netlabel($1)
-+ corenet_dccp_recvfrom_netlabel($2)
- ')
-
- ########################################
-@@ -2727,6 +3521,7 @@ interface(`corenet_raw_recvfrom_labeled',`
- ##
- #
- interface(`corenet_all_recvfrom_labeled',`
-+ corenet_dccp_recvfrom_labeled($1, $2)
- corenet_tcp_recvfrom_labeled($1, $2)
- corenet_udp_recvfrom_labeled($1, $2)
- corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3929,188 @@ interface(`corenet_unconfined',`
-
- typeattribute $1 corenet_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Dontaudit bind tcp sockets to defined ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_tcp_bind_all_defined_ports',`
-+ gen_require(`
-+ attribute defined_port_type;
-+ ')
-+ dontaudit $1 defined_port_type:tcp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Create all network named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_filetrans_all_named_dev',`
-+
-+ gen_require(`
-+ type tun_tap_device_t;
-+ type ppp_device_t;
-+ ')
-+
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
-+ dev_filetrans($1, ppp_device_t, chr_file, "ppp")
-+')
-+
-+########################################
-+##
-+## Define type to be an infiniband pkey type
-+##
-+##
-+##
-+## Define type to be an infiniband pkey type
-+##
-+##
-+## This is for supporting third party modules and its
-+## use is not allowed in upstream reference policy.
-+##
-+##
-+##
-+##
-+## Type to be used for infiniband pkeys.
-+##
-+##
-+#
-+interface(`corenet_ib_pkey',`
-+ gen_require(`
-+ attribute ibpkey_type;
-+ ')
-+
-+ typeattribute $1 ibpkey_type;
-+')
-+
-+########################################
-+##
-+## Access unlabeled infiniband pkeys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_ib_access_unlabeled_pkeys',`
-+ kernel_ib_access_unlabeled_pkeys($1)
-+')
-+
-+########################################
-+##
-+## Access all labeled infiniband pkeys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_ib_access_all_pkeys',`
-+ gen_require(`
-+ attribute ibpkey_type;
-+ ')
-+
-+ allow $1 ibpkey_type:infiniband_pkey access;
-+')
-+
-+########################################
-+##
-+## Define type to be an infiniband endport
-+##
-+##
-+##
-+## Define type to be an infiniband endport
-+##
-+##
-+## This is for supporting third party modules and its
-+## use is not allowed in upstream reference policy.
-+##
-+##
-+##
-+##
-+## Type to be used for infiniband endports.
-+##
-+##
-+#
-+interface(`corenet_ib_endport',`
-+ gen_require(`
-+ attribute ibendport_type;
-+ ')
-+
-+ typeattribute $1 ibendport_type;
-+')
-+
-+########################################
-+##
-+## Manage subnets on all labeled Infiniband endports
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_ib_manage_subnet_all_endports',`
-+ gen_require(`
-+ attribute ibendport_type;
-+ ')
-+
-+ allow $1 ibendport_type:infiniband_endport manage_subnet;
-+')
-+
-+########################################
-+##
-+## Manage subnet on all unlabeled Infiniband endports
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
-+ kernel_ib_manage_subnet_unlabeled_endports($1)
-+')
-diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
-index 8e0f9cd14..2fe34db47 100644
---- a/policy/modules/kernel/corenetwork.if.m4
-+++ b/policy/modules/kernel/corenetwork.if.m4
-@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',`
-
- ########################################
- ##
-+## Do not audit attempts to sbind to $1 port.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`corenet_dontaudit_udp_bind_$1_port',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ dontaudit dollarsone $1_$2:udp_socket name_bind;
-+ $4
-+')
-+
-+########################################
-+##
- ## Make a TCP connection to the $1 port.
- ##
- ##
-@@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',`
-
- allow dollarsone $1_$2:tcp_socket name_connect;
- ')
-+########################################
-+##
-+## Do not audit attempts to make a TCP connection to $1 port.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_tcp_connect_$1_port',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ dontaudit dollarsone $1_$2:tcp_socket name_connect;
-+')
- '') dnl end create_port_interfaces
-
- define(`create_packet_interfaces',``
-@@ -776,6 +813,48 @@ interface(`corenet_relabelto_$1_packets',`
- ')
- '') dnl end create_port_interfaces
-
-+define(`create_ibpkey_interfaces',``
-+########################################
-+##
-+## Access the infiniband fabric on the $1 ibpkey.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`corenet_ib_access_$1_pkey',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ allow dollarsone $1_$2:infiniband_pkey access;
-+')
-+'') dnl end create_ibpkey_interfaces
-+
-+define(`create_ibendport_interfaces',``
-+########################################
-+##
-+## Manage the subnet on $1 ibendport.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`corenet_ib_manage_subnet_$1_endport',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ allow dollarsone $1_$2:infiniband_endport manage_subnet;
-+')
-+'') dnl end create_ibendport_interfaces
-+
- #
- # create_netif_*_interfaces(linux_interfacename)
- #
-@@ -851,3 +930,25 @@ define(`network_packet',`
- create_packet_interfaces($1_client)
- create_packet_interfaces($1_server)
- ')
-+
-+# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
-+# (these wrap create_port_interfaces to handle attributes and types)
-+define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
-+
-+#
-+# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
-+#
-+define(`ib_pkey',`
-+create_ibpkey_type_interfaces($*)
-+')
-+
-+# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
-+# (these wrap create_port_interfaces to handle attributes and types)
-+define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
-+
-+#
-+# ib_endport(name,device_name, portnum mls_sensitivity)
-+#
-+define(`ib_endport',`
-+create_ibendport_type_interfaces($*)
-+')
-diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055f9..12aecdf4e 100644
---- a/policy/modules/kernel/corenetwork.te.in
-+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
- # Declarations
- #
-
-+attribute netlabel_peer_type;
- attribute client_packet_type;
- # This is an optimization for { port_type -port_t }
- attribute defined_port_type;
-@@ -14,12 +15,16 @@ attribute node_type;
- attribute packet_type;
- attribute port_type;
- attribute reserved_port_type;
-+attribute ephemeral_port_type;
- attribute rpc_port_type;
- attribute server_packet_type;
-+attribute ibpkey_type;
-+attribute ibendport_type;
- # This is an optimization for { port_type -reserved_port_type }
- attribute unreserved_port_type;
-
- attribute corenet_unconfined_type;
-+attribute corenet_unlabeled_type;
-
- type ppp_device_t;
- dev_node(ppp_device_t)
-@@ -29,6 +34,7 @@ dev_node(ppp_device_t)
- #
- type tun_tap_device_t;
- dev_node(tun_tap_device_t)
-+mls_trusted_object(tun_tap_device_t)
-
- ########################################
- #
-@@ -38,6 +44,18 @@ dev_node(tun_tap_device_t)
- #
- # client_packet_t is the default type of IPv4 and IPv6 client packets.
- #
-+type intranet_packet_t;
-+corenet_packet(intranet_packet_t)
-+
-+#
-+# client_packet_t is the default type of IPv4 and IPv6 client packets.
-+#
-+type internet_packet_t;
-+corenet_packet(internet_packet_t)
-+
-+#
-+# client_packet_t is the default type of IPv4 and IPv6 client packets.
-+#
- type client_packet_t, packet_type, client_packet_type;
-
- #
-@@ -46,6 +64,7 @@ type client_packet_t, packet_type, client_packet_type;
- #
- type netlabel_peer_t;
- sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
-+mcs_constrained(netlabel_peer_t)
-
- #
- # port_t is the default type of INET port numbers.
-@@ -59,6 +78,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
- type unreserved_port_t, port_type, unreserved_port_type;
-
- #
-+# ephemeral_port_t is the default type of ephemeral port numbers.
-+# cat /proc/sys/net/ipv4/ip_local_port_range
-+#
-+type ephemeral_port_t, port_type, ephemeral_port_type;
-+
-+#
- # reserved_port_t is the type of INET port numbers below 1024.
- #
- type reserved_port_t, port_type, reserved_port_type;
-@@ -76,63 +101,83 @@ type server_packet_t, packet_type, server_packet_type;
- network_port(afs_bos, udp,7007,s0)
- network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
- network_port(afs_ka, udp,7004,s0)
--network_port(afs_pt, udp,7002,s0)
-+network_port(afs_pt, tcp,7002,s0, udp,7002,s0)
- network_port(afs_vl, udp,7003,s0)
- network_port(afs3_callback, tcp,7001,s0, udp,7001,s0)
- network_port(agentx, udp,705,s0, tcp,705,s0)
- network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
- network_port(amavisd_recv, tcp,10024,s0)
- network_port(amavisd_send, tcp,10025,s0)
--network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
--network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
-+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)
-+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
-+network_port(apc, tcp,3052,s0, udp,3052,s0)
- network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
- network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
--network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
- network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
- network_port(audit, tcp,60,s0)
- network_port(auth, tcp,113,s0)
-+network_port(bacula, tcp,9103,s0, udp,9103,s0)
-+network_port(bctp, tcp,8999,s0, udp,8999,s0)
- network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
- network_port(boinc, tcp,31416,s0)
- network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
-+network_port(brlp, tcp,4101,s0)
- network_port(biff) # no defined portcon
- network_port(certmaster, tcp,51235,s0)
-+network_port(collectd, udp,25826,s0)
- network_port(chronyd, udp,323,s0)
- network_port(clamd, tcp,3310,s0)
- network_port(clockspeed, udp,4041,s0)
- network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
- network_port(cma, tcp,1050,s0, udp,1050,s0)
- network_port(cobbler, tcp,25151,s0)
--network_port(commplex_link, tcp,5001,s0, udp,5001,s0)
-+network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0)
- network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
- network_port(comsat, udp,512,s0)
- network_port(condor, tcp,9618,s0, udp,9618,s0)
--network_port(couchdb, tcp,5984,s0, udp,5984,s0)
--network_port(cslistener, tcp,9000,s0, udp,9000,s0)
--network_port(ctdb, tcp,4379,s0, udp,4397,s0)
-+network_port(conman, tcp,7890,s0, udp,7890,s0)
-+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
-+network_port(conntrackd, udp,3780,s0)
-+network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
-+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
- network_port(cvs, tcp,2401,s0, udp,2401,s0)
- network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-+network_port(cyrus_imapd, tcp,2005,s0)
- network_port(daap, tcp,3689,s0, udp,3689,s0)
- network_port(dbskkd, tcp,1178,s0)
- network_port(dcc, udp,6276,s0, udp,6277,s0)
- network_port(dccm, tcp,5679,s0, udp,5679,s0)
-+network_port(dey_keyneg, tcp,8750,s0, udp,8750,s0)
-+network_port(dey_sapi, tcp,4330,s0)
- network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
- network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
- network_port(dict, tcp,2628,s0)
- network_port(distccd, tcp,3632,s0)
--network_port(dns, tcp,53,s0, udp,53,s0)
-+network_port(dogtag, tcp,7390,s0)
-+network_port(dns, udp,53,s0, tcp,53,s0, tcp,853,s0, udp,853,s0)
-+network_port(dnssec, tcp,8955,s0)
-+network_port(echo, tcp,7,s0, udp,7,s0)
- network_port(efs, tcp,520,s0)
- network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0)
- network_port(epmap, tcp,135,s0, udp,135,s0)
- network_port(epmd, tcp,4369,s0, udp,4369,s0)
-+network_port(fac_restore, tcp,5582,s0, udp,5582,s0)
- network_port(fingerd, tcp,79,s0)
--network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
-+network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
-+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
-+network_port(freeipmi, tcp,9225,s0, udp,9225,s0)
-+network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
- network_port(ftp_data, tcp,20,s0)
- network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-+network_port(gear, tcp,43273,s0, udp,43273,s0)
-+network_port(geneve, tcp,6080,s0)
- network_port(gdomap, tcp,538,s0, udp,538,s0)
- network_port(gds_db, tcp,3050,s0, udp,3050,s0)
- network_port(giftd, tcp,1213,s0)
- network_port(git, tcp,9418,s0, udp,9418,s0)
-+network_port(glance, tcp,9292,s0, udp,9292,s0)
- network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
-+network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
- network_port(gopher, tcp,70,s0, udp,70,s0)
- network_port(gpsd, tcp,2947,s0)
- network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +185,61 @@ network_port(hadoop_namenode, tcp,8020,s0)
- network_port(hddtemp, tcp,7634,s0)
- network_port(howl, tcp,5335,s0, udp,5353,s0)
- network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
--network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
--network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
-+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-+network_port(ibm_dt_2, tcp,1792,s0, udp,1792,s0)
-+network_port(intermapper, tcp,8181,s0)
- network_port(i18n_input, tcp,9010,s0)
- network_port(imaze, tcp,5323,s0, udp,5323,s0)
--network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0)
- network_port(innd, tcp,119,s0)
- network_port(interwise, tcp,7778,s0, udp,7778,s0)
- network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
- network_port(ipmi, udp,623,s0, udp,664,s0)
- network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
- network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
--network_port(ircd, tcp,6667,s0)
-+network_port(ircd, tcp,6667,s0, tcp,6697,s0)
- network_port(isakmp, udp,500,s0)
- network_port(iscsi, tcp,3260,s0)
--network_port(isns, tcp,3205,s0, udp,3205,s0)
-+network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0)
- network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
--network_port(jabber_interserver, tcp,5269,s0)
--network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
--network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
--network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
--network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
--network_port(kismet, tcp,2501,s0)
-+network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)
-+network_port(jabber_router, tcp,5347,s0)
-+network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
-+network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
-+network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
-+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
-+network_port(kerberos_admin, tcp,749,s0)
-+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
-+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
-+network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
-+network_port(lltng, tcp, 5345, s0)
-+network_port(llmnr, tcp, 5355, s0, udp, 5355,s0)
-+network_port(rabbitmq, tcp,25672,s0)
-+network_port(rkt, tcp,18112,s0)
-+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
-+network_port(rtsclient, tcp,2501,s0)
- network_port(kprop, tcp,754,s0)
- network_port(ktalkd, udp,517,s0, udp,518,s0)
--network_port(l2tp, tcp,1701,s0, udp,1701,s0)
--network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
-+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0)
- network_port(lirc, tcp,8765,s0)
--network_port(lmtp, tcp,24,s0, udp,24,s0)
-+network_port(luci, tcp,8084,s0)
-+network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0)
- network_port(lrrd) # no defined portcon
-+network_port(lsm_plugin, tcp,18700,s0)
-+network_port(l2tp, tcp,1701,s0, udp,1701,s0)
- network_port(mail, tcp,2000,s0, tcp,3905,s0)
-+network_port(mailbox, tcp,2004,s0)
- network_port(matahari, tcp,49000,s0, udp,49000,s0)
- network_port(memcache, tcp,11211,s0, udp,11211,s0)
--network_port(milter) # no defined portcon
-+network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon
- network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-+network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
- network_port(monopd, tcp,1234,s0)
- network_port(mountd, tcp,20048,s0, udp,20048,s0)
- network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
- network_port(mpd, tcp,6600,s0)
--network_port(msgsrvr, tcp,8787,s0, udp,8787,s0)
- network_port(msnp, tcp,1863,s0, udp,1863,s0)
- network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
- network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +247,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
- network_port(mxi, tcp,8005,s0, udp,8005,s0)
- network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
- network_port(mysqlmanagerd, tcp,2273,s0)
-+network_port(mythtv, tcp,6543-6544,s0)
- network_port(nessus, tcp,1241,s0)
- network_port(netport, tcp,3129,s0, udp,3129,s0)
- network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
--network_port(nfs, tcp,2049,s0, udp,2049,s0)
--network_port(nfsrdma, tcp,20049,s0, udp,20049,s0)
-+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
- network_port(nmbd, udp,137,s0, udp,138,s0)
-+network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0)
- network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
- network_port(ntp, udp,123,s0)
-+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
- network_port(oa_system, tcp,8022,s0, udp,8022,s0)
--network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
- network_port(ocsp, tcp,9080,s0)
-+network_port(openflow, tcp,6633,s0, tcp,6653,s0)
- network_port(openhpid, tcp,4743,s0, udp,4743,s0)
- network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-+network_port(openvswitch, tcp,6634,s0)
-+network_port(openqa, tcp,9526,s0)
-+network_port(openqa_websockets, tcp,9527,s0)
-+network_port(osapi_compute, tcp, 8774, s0)
-+network_port(ovsdb, tcp, 6640, s0)
- network_port(pdps, tcp,1314,s0, udp,1314,s0)
- network_port(pegasus_http, tcp,5988,s0)
- network_port(pegasus_https, tcp,5989,s0)
- network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
- network_port(pingd, tcp,9125,s0)
-+network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
-+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
-+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
-+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
-+network_port(pki_ra, tcp,12888-12889,s0)
-+network_port(pki_tps, tcp,7888-7889,s0)
- network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
--network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
-+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0)
- network_port(portmap, udp,111,s0, tcp,111,s0)
- network_port(postfix_policyd, tcp,10031,s0)
--network_port(postgresql, tcp,5432,s0)
-+network_port(postgresql, tcp,5432,s0, tcp,9898,s0)
- network_port(postgrey, tcp,60000,s0)
- network_port(pptp, tcp,1723,s0, udp,1723,s0)
- network_port(prelude, tcp,4690,s0, udp,4690,s0)
- network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
-+network_port(preupgrade, tcp, 8099, s0)
- network_port(printer, tcp,515,s0)
-+network_port(prosody, tcp,5280-5281,s0)
- network_port(ptal, tcp,5703,s0)
--network_port(pulseaudio, tcp,4713,s0)
-+network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
- network_port(puppet, tcp, 8140, s0)
- network_port(pxe, udp,4011,s0)
- network_port(pyzor, udp,24441,s0)
--network_port(radacct, udp,1646,s0, udp,1813,s0)
--network_port(radius, udp,1645,s0, udp,1812,s0)
-+network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
-+network_port(nsd_control, tcp,8952,s0)
-+network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
-+network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0)
- network_port(radsec, tcp,2083,s0)
- network_port(razor, tcp,2703,s0)
--network_port(redis, tcp,6379,s0)
-+network_port(time, tcp,37,s0, udp,37,s0)
-+network_port(redis, tcp,6379,s0, tcp,26379,s0, tcp,16379,s0)
- network_port(repository, tcp, 6363, s0)
- network_port(ricci, tcp,11111,s0, udp,11111,s0)
- network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
- network_port(rlogind, tcp,513,s0)
--network_port(rndc, tcp,953,s0, udp,953,s0)
-+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0)
- network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
- network_port(rsh, tcp,514,s0)
- network_port(rsync, tcp,873,s0, udp,873,s0)
--network_port(rtsp, tcp,554,s0, udp,554,s0)
-+network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0)
-+network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0)
- network_port(rwho, udp,513,s0)
-+network_port(salt, tcp,4505,s0, tcp,4506,s0)
- network_port(sap, tcp,9875,s0, udp,9875,s0)
-+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
- network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
-+network_port(sge, tcp,6444,s0, tcp,6445,s0)
-+network_port(shellinaboxd, tcp,4200,s0)
- network_port(sieve, tcp,4190,s0)
- network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
- network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
- network_port(smbd, tcp,137-139,s0, tcp,445,s0)
- network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
--network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
-+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
- network_port(socks) # no defined portcon
- network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
--network_port(spamd, tcp,783,s0)
-+network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
- network_port(speech, tcp,8036,s0)
--network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
--network_port(ssdp, tcp,1900,s0, udp,1900,s0)
-+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-+network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
- network_port(ssh, tcp,22,s0)
- network_port(stunnel) # no defined portcon
- network_port(svn, tcp,3690,s0, udp,3690,s0)
- network_port(svrloc, tcp,427,s0, udp,427,s0)
- network_port(swat, tcp,901,s0)
-+network_port(swift, tcp,6200-6203,s0)
- network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
--network_port(syslogd, udp,514,s0)
--network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
-+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0, tcp,20514,s0, udp,20514,s0)
-+network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0)
- network_port(tcs, tcp, 30003, s0)
- network_port(telnetd, tcp,23,s0)
- network_port(tftp, udp,69,s0)
--network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
-+network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0)
- network_port(traceroute, udp,64000-64010,s0)
-+network_port(tram, tcp, 4567, s0)
- network_port(transproxy, tcp,8081,s0)
- network_port(trisoap, tcp,10200,s0, udp,10200,s0)
- network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
- network_port(ups, tcp,3493,s0)
- network_port(utcpserver) # no defined portcon
- network_port(uucpd, tcp,540,s0)
-+network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)
- network_port(varnishd, tcp,6081-6082,s0)
- network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
- network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
- network_port(virt_migration, tcp,49152-49216,s0)
--network_port(vnc, tcp,5900,s0)
-+network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
- network_port(wccp, udp,2048,s0)
- network_port(websm, tcp,9090,s0, udp,9090,s0)
--network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)
-+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
- network_port(winshadow, tcp,3161,s0, udp,3261,s0)
- network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
- network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
- network_port(xdmcp, udp,177,s0, tcp,177,s0)
- network_port(xen, tcp,8002,s0)
-+network_port(xinuexpansion3, tcp,2023,s0, udp,2023,s0)
-+network_port(xinuexpansion4, tcp,2024,s0, udp,2024,s0)
- network_port(xfs, tcp,7100,s0)
-+network_port(xodbc_connect, tcp,6632,s0)
- network_port(xserver, tcp,6000-6020,s0)
- network_port(zarafa, tcp,236,s0, tcp,237,s0)
- network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +378,23 @@ network_port(zabbix_agent, tcp,10050,s0)
- network_port(zookeeper_client, tcp,2181,s0)
- network_port(zookeeper_election, tcp,3888,s0)
- network_port(zookeeper_leader, tcp,2888,s0)
--network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
-+network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0)
- network_port(zented, tcp,1229,s0, udp,1229,s0)
- network_port(zope, tcp,8021,s0)
-
- # Defaults for reserved ports. Earlier portcon entries take precedence;
- # these entries just cover any remaining reserved ports not otherwise declared.
-
--portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
--portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
- portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
- portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
- portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
- portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
-+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-
- ########################################
- #
-@@ -333,6 +427,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
-
- build_option(`enable_mls',`
- network_interface(lo, lo, s0 - mls_systemhigh)
-+allow netlabel_peer_t lo_netif_t:netif ingress;
-+allow netlabel_peer_type lo_netif_t:netif egress;
- ',`
- typealias netif_t alias { lo_netif_t netif_lo_t };
- ')
-@@ -345,9 +441,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
- allow corenet_unconfined_type node_type:node *;
- allow corenet_unconfined_type netif_type:netif *;
- allow corenet_unconfined_type packet_type:packet *;
-+allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
- allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
- allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
-
- # Bind to any network address.
--allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
--allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-+allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
-+allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
-+
-+# Infiniband
-+corenet_ib_access_all_pkeys(corenet_unconfined_type)
-+corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
-+corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
-+corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)
-+
-+#
-+# Rules coverning the use of unlabeled types
-+#
-+kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type)
-+
-+allow netlabel_peer_type netlabel_peer_t:peer recv;
-+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
-+allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
-+allow netlabel_peer_t node_t:node recvfrom;
-+
-+typealias neutron_port_t alias quantum_port_t;
-+typealias neutron_server_packet_t alias quantum_server_packet_t;
-+typealias neutron_client_packet_t alias quantum_client_packet_t;
-diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
-index 3f6e16889..abd046c56 100644
---- a/policy/modules/kernel/corenetwork.te.m4
-+++ b/policy/modules/kernel/corenetwork.te.m4
-@@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl
- ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
- ')
-
-+define(`add_ephemeral_attribute',`dnl
-+ifelse(eval(range_start($3) >= 50000 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
-+',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
-+')
-+
- # bindresvport in glibc starts searching for reserved ports at 512
- define(`add_rpc_attribute',`dnl
- ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
-@@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type;
- type $1_server_packet_t, packet_type, server_packet_type;
- ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
- ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
-+ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl
- ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
- ')
-
-@@ -111,3 +117,29 @@ define(`network_packet',`
- type $1_client_packet_t, packet_type, client_packet_type;
- type $1_server_packet_t, packet_type, server_packet_type;
- ')
-+
-+define(`declare_ibpkeycons',`dnl
-+ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
-+ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
-+')
-+
-+#
-+# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
-+#
-+define(`ib_pkey',`
-+type $1_ibpkey_t, ibpkey_type;
-+ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
-+')
-+
-+define(`declare_ibendportcons',`dnl
-+ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
-+ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
-+')
-+
-+#
-+# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
-+#
-+define(`ib_endport',`
-+type $1_ibendport_t, ibendport_type;
-+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
-+')
-diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c05491..4e585f24c 100644
---- a/policy/modules/kernel/devices.fc
-+++ b/policy/modules/kernel/devices.fc
-@@ -15,15 +15,19 @@
- /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
-+/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
- /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
--/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0)
- /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
- /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
--/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
-+/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/drm_dp_aux.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
-+/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -42,8 +46,15 @@
- /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
- /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
-+/dev/gpiochip[0-9]+ -c gen_context(system_u:object_r:gpio_device_t,s0)
- /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
- /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
-+/dev/infiniband/issm[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
-+/dev/infiniband/umad[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
-+/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
-+/dev/infiniband/issm[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
-+/dev/infiniband/umad[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
- /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
- /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
- /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
-@@ -61,8 +72,10 @@
- /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
- /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
- /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
--/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
-+/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/mei[0-9]* -c gen_context(system_u:object_r:mei_device_t,s0)
- /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/memory_bandwidth -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
-@@ -72,7 +85,9 @@
- /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
-+/dev/monwriter -c gen_context(system_u:object_r:monitor_device_t,s0)
- /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/mpt[0-9]*ctl -c gen_context(system_u:object_r:mptctl_device_t,s0)
- /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
- /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
- /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
-@@ -80,7 +95,10 @@
- /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
- /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
- /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0)
-+/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0)
- /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
-+/dev/ndctl[0-9] -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
- /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
-@@ -90,9 +108,11 @@
- /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
- /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
-+/dev/prandom -c gen_context(system_u:object_r:random_device_t,s0)
- /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-+/dev/kfd -c gen_context(system_u:object_r:hsa_device_t,s0)
- /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/random -c gen_context(system_u:object_r:random_device_t,s0)
- /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -106,6 +126,7 @@
- /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
- /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
- /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +139,15 @@
- ifdef(`distro_suse', `
- /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
- ')
-+/dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0)
-+/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0)
-+/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
-+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
-+/dev/clp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
-+/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
-+/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
- /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
- /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +159,14 @@ ifdef(`distro_suse', `
- /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
-+/dev/cdc-wdm[0-9] -c gen_context(system_u:object_r:modem_device_t,s0)
- /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
- /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-
- /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
-
-+/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-
-@@ -169,18 +201,27 @@ ifdef(`distro_suse', `
-
- /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
-
-+/dev/ss[0-9]+ -c gen_context(system_u:object_r:gpfs_device_t,s0)
-+
- /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
-
-+/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0)
-+
- /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
- /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-
-+/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hypervvssd_device_t,s0)
-+/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hypervkvp_device_t,s0)
-+
- /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
- /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
- /dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
- /dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
-+/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0)
-+/dev/xen/xenbus -c gen_context(system_u:object_r:xen_device_t,s0)
-
- ifdef(`distro_debian',`
- # this is a static /dev dir "backup mount"
-@@ -198,12 +239,27 @@ ifdef(`distro_debian',`
- /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
- /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-
--/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
--
- ifdef(`distro_redhat',`
- # originally from named.fc
- /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
- /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
- /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
- /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-+/var/named/chroot_sdb/dev -d gen_context(system_u:object_r:device_t,s0)
-+/var/named/chroot_sdb/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
-+/var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
-+/var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-+/
-+/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0)
- ')
-+
-+#
-+# /sys
-+#
-+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
-+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-+
-+/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
-+/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
-+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
-+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285ea6..e689c2c5b 100644
---- a/policy/modules/kernel/devices.if
-+++ b/policy/modules/kernel/devices.if
-@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
- type device_t;
- ')
-
-- relabelfrom_dirs_pattern($1, device_t, device_node)
-- relabelfrom_files_pattern($1, device_t, device_node)
-- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
-- relabelfrom_fifo_files_pattern($1, device_t, device_node)
-- relabelfrom_sock_files_pattern($1, device_t, device_node)
-- relabel_blk_files_pattern($1, device_t, { device_t device_node })
-- relabel_chr_files_pattern($1, device_t, { device_t device_node })
-+ relabel_dirs_pattern($1, device_t, device_node)
-+ relabel_files_pattern($1, device_t, device_node)
-+ relabel_lnk_files_pattern($1, device_t, device_node)
-+ relabel_fifo_files_pattern($1, device_t, device_node)
-+ relabel_sock_files_pattern($1, device_t, device_node)
-+ relabel_blk_files_pattern($1, device_t, device_node)
-+ relabel_chr_files_pattern($1, device_t, device_node)
-+')
-+
-+########################################
-+##
-+## Allow full relabeling (to and from) of all device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dev_relabel_all_dev_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ relabel_files_pattern($1, device_t, device_t)
- ')
-
- ########################################
-@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
-
- ########################################
- ##
-+## Dontaudit attempts to list all device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_all_access_check',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ dontaudit $1 device_node:file_class_set audit_access;
-+')
-+
-+########################################
-+##
- ## Add entries to directories in /dev.
- ##
- ##
-@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',`
- read_files_pattern($1, device_t, device_t)
- ')
-
-+#######################################
-+##
-+## Read generic files in /dev.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_generic_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ dontaudit $1 device_t:file { read getattr };
-+')
-+
- ########################################
- ##
- ## Read and write generic files in /dev.
-@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',`
-
- ########################################
- ##
-+## Rename generic block device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rename_generic_blk_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ rename_blk_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
-+## write generic sock files in /dev.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_write_generic_sock_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ write_sock_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
- ## Dontaudit getattr on generic block devices.
- ##
- ##
-@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
-
- ########################################
- ##
-+## Rename generic character device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rename_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ rename_chr_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
- ## Dontaudit setattr for generic character device files.
- ##
- ##
-@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',`
- ##
- ##
- ##
--## Domain to dontaudit access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
-
- ########################################
- ##
--## Read symbolic links in device directories.
-+## Create symbolic links in device directories.
- ##
- ##
- ##
-@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
- ##
- ##
- #
--interface(`dev_read_generic_symlinks',`
-+interface(`dev_create_generic_symlinks',`
- gen_require(`
- type device_t;
- ')
-
-- allow $1 device_t:lnk_file read_lnk_file_perms;
-+ create_lnk_files_pattern($1, device_t, device_t)
- ')
-
- ########################################
- ##
--## Create symbolic links in device directories.
-+## Delete symbolic links in device directories.
- ##
- ##
- ##
-@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',`
- ##
- ##
- #
--interface(`dev_create_generic_symlinks',`
-+interface(`dev_delete_generic_symlinks',`
- gen_require(`
- type device_t;
- ')
-
-- create_lnk_files_pattern($1, device_t, device_t)
-+ delete_lnk_files_pattern($1, device_t, device_t)
- ')
-
- ########################################
- ##
--## Delete symbolic links in device directories.
-+## Read symbolic links in device directories.
- ##
- ##
- ##
-@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',`
- ##
- ##
- #
--interface(`dev_delete_generic_symlinks',`
-+interface(`dev_read_generic_symlinks',`
- gen_require(`
- type device_t;
- ')
-
-- delete_lnk_files_pattern($1, device_t, device_t)
-+ allow $1 device_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -877,6 +986,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
-
- ########################################
- ##
-+## Read block device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_generic_blk_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ read_blk_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
- ## Create, delete, read, and write block device files.
- ##
- ##
-@@ -983,6 +1110,25 @@ interface(`dev_tmpfs_filetrans_dev',`
-
- ########################################
- ##
-+## Allow getattr on all device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_all',`
-+ gen_require(`
-+ attribute device_node;
-+ type device_t;
-+ ')
-+
-+ allow $1 { device_t device_node }:dir_file_class_set getattr;
-+')
-+
-+########################################
-+##
- ## Getattr on all block file device nodes.
- ##
- ##
-@@ -1003,6 +1149,26 @@ interface(`dev_getattr_all_blk_files',`
-
- ########################################
- ##
-+## Read on all block file device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dev_read_all_blk_files',`
-+ gen_require(`
-+ attribute device_node;
-+ type device_t;
-+ ')
-+
-+ read_blk_files_pattern($1, device_t, device_node)
-+')
-+
-+########################################
-+##
- ## Dontaudit getattr on all block file device nodes.
- ##
- ##
-@@ -1034,6 +1200,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
- interface(`dev_getattr_all_chr_files',`
- gen_require(`
- attribute device_node;
-+ type device_t;
- ')
-
- getattr_chr_files_pattern($1, device_t, device_node)
-@@ -1206,6 +1373,42 @@ interface(`dev_create_all_chr_files',`
-
- ########################################
- ##
-+## rw all inherited character device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_all_inherited_chr_files',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## rw all inherited blk device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_all_inherited_blk_files',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
-+')
-+
-+########################################
-+##
- ## Delete all block device files.
- ##
- ##
-@@ -1560,25 +1763,6 @@ interface(`dev_relabel_autofs_dev',`
-
- ########################################
- ##
--## Read and write cachefiles character
--## device nodes.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`dev_rw_cachefiles',`
-- gen_require(`
-- type device_t, cachefiles_device_t;
-- ')
--
-- rw_chr_files_pattern($1, device_t, cachefiles_device_t)
--')
--
--########################################
--##
- ## Read and write the PCMCIA card manager device.
- ##
- ##
-@@ -1682,6 +1866,26 @@ interface(`dev_filetrans_cardmgr',`
-
- ########################################
- ##
-+## Automatic type transition to the type
-+## for xserver misc device nodes when
-+## created in /dev.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_filetrans_xserver_misc',`
-+ gen_require(`
-+ type device_t, xserver_misc_device_t;
-+ ')
-+
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
-+')
-+
-+########################################
-+##
- ## Get the attributes of the CPU
- ## microcode and id interfaces.
- ##
-@@ -1791,6 +1995,24 @@ interface(`dev_rw_crypto',`
- rw_chr_files_pattern($1, device_t, crypt_device_t)
- ')
-
-+########################################
-+##
-+## Read and write the the ecrypt filesystem device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_ecryptfs',`
-+ gen_require(`
-+ type device_t, ecryptfs_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
-+')
-+
- #######################################
- ##
- ## Set the attributes of the dlm control devices.
-@@ -1865,7 +2087,7 @@ interface(`dev_setattr_dri_dev',`
-
- ########################################
- ##
--## Read and write the dri devices.
-+## Mmap the dri devices.
- ##
- ##
- ##
-@@ -1873,35 +2095,36 @@ interface(`dev_setattr_dri_dev',`
- ##
- ##
- #
--interface(`dev_rw_dri',`
-+interface(`dev_map_dri',`
- gen_require(`
- type device_t, dri_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, dri_device_t)
-+ allow $1 dri_device_t:chr_file map;
- ')
-
- ########################################
- ##
--## Dontaudit read and write on the dri devices.
-+## Read and write the dri devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_rw_dri',`
-+interface(`dev_rw_dri',`
- gen_require(`
-- type dri_device_t;
-+ type device_t, dri_device_t;
- ')
-
-- dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
-+ rw_chr_files_pattern($1, device_t, dri_device_t)
-+ allow $1 dri_device_t:chr_file map;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete the dri devices.
-+## Read and write the dri devices.
- ##
- ##
- ##
-@@ -1909,26 +2132,63 @@ interface(`dev_dontaudit_rw_dri',`
- ##
- ##
- #
--interface(`dev_manage_dri_dev',`
-+interface(`dev_rw_inherited_dri',`
- gen_require(`
- type device_t, dri_device_t;
- ')
-
-- manage_chr_files_pattern($1, device_t, dri_device_t)
-+ allow $1 device_t:dir search_dir_perms;
-+ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Automatic type transition to the type
--## for DRI device nodes when created in /dev.
-+## Dontaudit read and write on the dri devices.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
--##
-+#
-+interface(`dev_dontaudit_rw_dri',`
-+ gen_require(`
-+ type dri_device_t;
-+ ')
-+
-+ dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete the dri devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_manage_dri_dev',`
-+ gen_require(`
-+ type device_t, dri_device_t;
-+ ')
-+
-+ manage_chr_files_pattern($1, device_t, dri_device_t)
-+')
-+
-+########################################
-+##
-+## Automatic type transition to the type
-+## for DRI device nodes when created in /dev.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
- ## The name of the object being created.
- ##
- ##
-@@ -2017,6 +2277,181 @@ interface(`dev_rw_input_dev',`
-
- ########################################
- ##
-+## Read input event devices (/dev/input).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_inherited_input_dev',`
-+ gen_require(`
-+ type device_t, event_device_t;
-+ ')
-+
-+ allow $1 device_t:dir search_dir_perms;
-+ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Read ipmi devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_ipmi_dev',`
-+ gen_require(`
-+ type device_t, ipmi_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, ipmi_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write ipmi devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_ipmi_dev',`
-+ gen_require(`
-+ type device_t, ipmi_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, ipmi_device_t)
-+')
-+
-+########################################
-+##
-+## Manage ipmi devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_manage_ipmi_dev',`
-+ gen_require(`
-+ type device_t, ipmi_device_t;
-+ ')
-+
-+ manage_chr_files_pattern($1, device_t, ipmi_device_t)
-+')
-+
-+########################################
-+##
-+## Automatic type transition to the type
-+## for PCMCIA card manager device nodes when
-+## created in /dev.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`dev_filetrans_ipmi',`
-+ gen_require(`
-+ type device_t, ipmi_device_t;
-+ ')
-+
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)
-+')
-+
-+########################################
-+##
-+## Read infiniband devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_infiniband_dev',`
-+ gen_require(`
-+ type device_t, infiniband_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, infiniband_device_t)
-+ read_blk_files_pattern($1, device_t, infiniband_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write ipmi devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_infiniband_dev',`
-+ gen_require(`
-+ type device_t, infiniband_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, infiniband_device_t)
-+ rw_blk_files_pattern($1, device_t, infiniband_device_t)
-+ allow $1 infiniband_device_t:chr_file map;
-+')
-+
-+########################################
-+##
-+## Read infiniband mgmt devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_infiniband_mgmt_dev',`
-+ gen_require(`
-+ type device_t, infiniband_mgmt_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
-+ read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write ipmi devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_infiniband_mgmt_dev',`
-+ gen_require(`
-+ type device_t, infiniband_mgmt_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
-+ rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
-+')
-+
-+########################################
-+##
- ## Get the attributes of the framebuffer device node.
- ##
- ##
-@@ -2126,6 +2561,24 @@ interface(`dev_write_framebuffer',`
-
- ########################################
- ##
-+## Mmap the framebuffer.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_map_framebuffer',`
-+ gen_require(`
-+ type framebuf_device_t;
-+ ')
-+
-+ allow $1 framebuf_device_t:file map;
-+')
-+
-+########################################
-+##
- ## Read and write the framebuffer.
- ##
- ##
-@@ -2402,7 +2855,7 @@ interface(`dev_filetrans_lirc',`
-
- ########################################
- ##
--## Get the attributes of the lvm comtrol device.
-+## Get the attributes of the loop comtrol device.
- ##
- ##
- ##
-@@ -2410,17 +2863,17 @@ interface(`dev_filetrans_lirc',`
- ##
- ##
- #
--interface(`dev_getattr_lvm_control',`
-+interface(`dev_getattr_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, lvm_control_t)
-+ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Read the lvm comtrol device.
-+## Read the loop comtrol device.
- ##
- ##
- ##
-@@ -2428,17 +2881,17 @@ interface(`dev_getattr_lvm_control',`
- ##
- ##
- #
--interface(`dev_read_lvm_control',`
-+interface(`dev_read_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, lvm_control_t)
-+ read_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Read and write the lvm control device.
-+## Read and write the loop control device.
- ##
- ##
- ##
-@@ -2446,17 +2899,17 @@ interface(`dev_read_lvm_control',`
- ##
- ##
- #
--interface(`dev_rw_lvm_control',`
-+interface(`dev_rw_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, lvm_control_t)
-+ rw_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write lvm control device.
-+## Do not audit attempts to read and write loop control device.
- ##
- ##
- ##
-@@ -2464,17 +2917,17 @@ interface(`dev_rw_lvm_control',`
- ##
- ##
- #
--interface(`dev_dontaudit_rw_lvm_control',`
-+interface(`dev_dontaudit_rw_loop_control',`
- gen_require(`
-- type lvm_control_t;
-+ type loop_control_device_t;
- ')
-
-- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
-+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
- ')
-
- ########################################
- ##
--## Delete the lvm control device.
-+## Delete the loop control device.
- ##
- ##
- ##
-@@ -2482,35 +2935,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
- ##
- ##
- #
--interface(`dev_delete_lvm_control_dev',`
-+interface(`dev_delete_loop_control_dev',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- delete_chr_files_pattern($1, device_t, lvm_control_t)
-+ delete_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## dontaudit getattr raw memory devices (e.g. /dev/mem).
-+## Get the attributes of the loop comtrol device.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_memory_dev',`
-+interface(`dev_getattr_lvm_control',`
- gen_require(`
-- type memory_device_t;
-+ type device_t, lvm_control_t;
- ')
-
-- dontaudit $1 memory_device_t:chr_file getattr;
-+ getattr_chr_files_pattern($1, device_t, lvm_control_t)
- ')
-
- ########################################
- ##
--## Read raw memory devices (e.g. /dev/mem).
-+## Read the lvm comtrol device.
- ##
- ##
- ##
-@@ -2518,62 +2971,189 @@ interface(`dev_dontaudit_getattr_memory_dev',`
- ##
- ##
- #
--interface(`dev_read_raw_memory',`
-+interface(`dev_read_lvm_control',`
- gen_require(`
-- type device_t, memory_device_t;
-- attribute memory_raw_read;
-+ type device_t, lvm_control_t;
- ')
-
-- read_chr_files_pattern($1, device_t, memory_device_t)
--
-- allow $1 self:capability sys_rawio;
-- typeattribute $1 memory_raw_read;
-+ read_chr_files_pattern($1, device_t, lvm_control_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read raw memory devices
--## (e.g. /dev/mem).
-+## Read and write the lvm control device.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_read_raw_memory',`
-+interface(`dev_rw_lvm_control',`
- gen_require(`
-- type memory_device_t;
-+ type device_t, lvm_control_t;
- ')
-
-- dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
-+ rw_chr_files_pattern($1, device_t, lvm_control_t)
- ')
-
- ########################################
- ##
--## Write raw memory devices (e.g. /dev/mem).
-+## Do not audit attempts to read and write lvm control device.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_write_raw_memory',`
-+interface(`dev_dontaudit_rw_lvm_control',`
- gen_require(`
-- type device_t, memory_device_t;
-- attribute memory_raw_write;
-+ type lvm_control_t;
- ')
-
-- write_chr_files_pattern($1, device_t, memory_device_t)
--
-- allow $1 self:capability sys_rawio;
-- typeattribute $1 memory_raw_write;
-+ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
- ')
-
- ########################################
- ##
--## Read and execute raw memory devices (e.g. /dev/mem).
-+## Delete the lvm control device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_delete_lvm_control_dev',`
-+ gen_require(`
-+ type device_t, lvm_control_t;
-+ ')
-+
-+ delete_chr_files_pattern($1, device_t, lvm_control_t)
-+')
-+
-+########################################
-+##
-+## dontaudit getattr raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_memory_dev',`
-+ gen_require(`
-+ type memory_device_t;
-+ ')
-+
-+ dontaudit $1 memory_device_t:chr_file getattr;
-+')
-+
-+########################################
-+##
-+## Read raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_raw_memory',`
-+ gen_require(`
-+ type device_t, memory_device_t;
-+ attribute memory_raw_read;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, memory_device_t)
-+ allow $1 memory_device_t:chr_file map;
-+
-+ allow $1 self:capability sys_rawio;
-+ typeattribute $1 memory_raw_read;
-+')
-+
-+########################################
-+##
-+## Allow to be reader of raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_raw_memory_reader',`
-+ gen_require(`
-+ attribute memory_raw_read;
-+ ')
-+
-+ typeattribute $1 memory_raw_read;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read raw memory devices
-+## (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_raw_memory',`
-+ gen_require(`
-+ type memory_device_t;
-+ ')
-+
-+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Write raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_raw_memory',`
-+ gen_require(`
-+ type device_t, memory_device_t;
-+ attribute memory_raw_write;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, memory_device_t)
-+
-+ allow $1 self:capability sys_rawio;
-+ typeattribute $1 memory_raw_write;
-+')
-+
-+########################################
-+##
-+## Allow to be writer of raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_raw_memory_writer',`
-+ gen_require(`
-+ attribute memory_raw_write;
-+ ')
-+
-+ typeattribute $1 memory_raw_write;
-+')
-+
-+########################################
-+##
-+## Read and execute raw memory devices (e.g. /dev/mem).
- ##
- ##
- ##
-@@ -2587,7 +3167,7 @@ interface(`dev_rx_raw_memory',`
- ')
-
- dev_read_raw_memory($1)
-- allow $1 memory_device_t:chr_file execute;
-+ allow $1 memory_device_t:chr_file { map execute };
- ')
-
- ########################################
-@@ -2606,7 +3186,7 @@ interface(`dev_wx_raw_memory',`
- ')
-
- dev_write_raw_memory($1)
-- allow $1 memory_device_t:chr_file execute;
-+ allow $1 memory_device_t:chr_file { map execute };
- ')
-
- ########################################
-@@ -2725,7 +3305,7 @@ interface(`dev_write_misc',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2811,6 +3391,78 @@ interface(`dev_rw_modem',`
-
- ########################################
- ##
-+## Get the attributes of the monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_monitor_dev',`
-+ gen_require(`
-+ type device_t, monitor_device_t;
-+ ')
-+
-+ getattr_chr_files_pattern($1, device_t, monitor_device_t)
-+')
-+
-+########################################
-+##
-+## Set the attributes of the monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_monitor_dev',`
-+ gen_require(`
-+ type device_t, monitor_device_t;
-+ ')
-+
-+ setattr_chr_files_pattern($1, device_t, monitor_device_t)
-+')
-+
-+########################################
-+##
-+## Read the monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_monitor_dev',`
-+ gen_require(`
-+ type device_t, monitor_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, monitor_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write to monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_monitor_dev',`
-+ gen_require(`
-+ type device_t, monitor_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, monitor_device_t)
-+')
-+
-+########################################
-+##
- ## Get the attributes of the mouse devices.
- ##
- ##
-@@ -2903,20 +3555,20 @@ interface(`dev_getattr_mtrr_dev',`
-
- ########################################
- ##
--## Read the memory type range
-+## Write the memory type range
- ## registers (MTRR). (Deprecated)
- ##
- ##
- ##
--## Read the memory type range
-+## Write the memory type range
- ## registers (MTRR). This interface has
- ## been deprecated, dev_rw_mtrr() should be
- ## used instead.
- ##
- ##
- ## The MTRR device ioctls can be used for
--## reading and writing; thus, read access to the
--## device cannot be separated from write access.
-+## reading and writing; thus, write access to the
-+## device cannot be separated from read access.
- ##
- ##
- ##
-@@ -2925,43 +3577,34 @@ interface(`dev_getattr_mtrr_dev',`
- ##
- ##
- #
--interface(`dev_read_mtrr',`
-+interface(`dev_write_mtrr',`
- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
- dev_rw_mtrr($1)
- ')
-
- ########################################
- ##
--## Write the memory type range
--## registers (MTRR). (Deprecated)
-+## Do not audit attempts to write the memory type
-+## range registers (MTRR).
- ##
--##
--##
--## Write the memory type range
--## registers (MTRR). This interface has
--## been deprecated, dev_rw_mtrr() should be
--## used instead.
--##
--##
--## The MTRR device ioctls can be used for
--## reading and writing; thus, write access to the
--## device cannot be separated from read access.
--##
--##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_write_mtrr',`
-- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
-- dev_rw_mtrr($1)
-+interface(`dev_dontaudit_write_mtrr',`
-+ gen_require(`
-+ type mtrr_device_t;
-+ ')
-+
-+ dontaudit $1 mtrr_device_t:file write_file_perms;
-+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write the memory type
-+## Do not audit attempts to read the memory type
- ## range registers (MTRR).
- ##
- ##
-@@ -2970,13 +3613,32 @@ interface(`dev_write_mtrr',`
- ##
- ##
- #
--interface(`dev_dontaudit_write_mtrr',`
-+interface(`dev_dontaudit_read_mtrr',`
- gen_require(`
- type mtrr_device_t;
- ')
-
-- dontaudit $1 mtrr_device_t:file write;
-- dontaudit $1 mtrr_device_t:chr_file write;
-+ dontaudit $1 mtrr_device_t:file { open read };
-+ dontaudit $1 mtrr_device_t:chr_file { open read };
-+')
-+
-+########################################
-+##
-+## Read the memory type range registers (MTRR).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_mtrr',`
-+ gen_require(`
-+ type device_t, mtrr_device_t;
-+ ')
-+
-+ read_files_pattern($1, device_t, mtrr_device_t)
-+ read_chr_files_pattern($1, device_t, mtrr_device_t)
- ')
-
- ########################################
-@@ -3144,44 +3806,43 @@ interface(`dev_create_null_dev',`
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of the BIOS non-volatile RAM device.
-+## Get the status of a null device service.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_nvram_dev',`
-+interface(`dev_service_status_null_dev',`
- gen_require(`
-- type nvram_device_t;
-+ type null_device_t;
- ')
-
-- dontaudit $1 nvram_device_t:chr_file getattr;
-+ allow $1 null_device_t:service status;
- ')
-
- ########################################
- ##
--## Read and write BIOS non-volatile RAM.
-+## Configure null_device as a unit files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`dev_rw_nvram',`
-+interface(`dev_config_null_dev_service',`
- gen_require(`
-- type nvram_device_t;
-+ type null_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, nvram_device_t)
-+ allow $1 null_device_t:service manage_service_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of the printer device nodes.
-+## Read Non-Volatile Memory Host Controller Interface.
- ##
- ##
- ##
-@@ -3189,9 +3850,102 @@ interface(`dev_rw_nvram',`
- ##
- ##
- #
--interface(`dev_getattr_printer_dev',`
-+interface(`dev_read_nvme',`
- gen_require(`
-- type device_t, printer_device_t;
-+ type nvme_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, nvme_device_t)
-+ read_blk_files_pattern($1, device_t, nvme_device_t)
-+')
-+
-+########################################
-+##
-+## Read/Write Non-Volatile Memory Host Controller Interface.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_nvme',`
-+ gen_require(`
-+ type nvme_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, nvme_device_t)
-+ rw_blk_files_pattern($1, device_t, nvme_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the BIOS non-volatile RAM device.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_nvram_dev',`
-+ gen_require(`
-+ type nvram_device_t;
-+ ')
-+
-+ dontaudit $1 nvram_device_t:chr_file getattr;
-+')
-+
-+########################################
-+##
-+## Read BIOS non-volatile RAM.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_nvram',`
-+ gen_require(`
-+ type nvram_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, nvram_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write BIOS non-volatile RAM.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_nvram',`
-+ gen_require(`
-+ type nvram_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, nvram_device_t)
-+')
-+
-+########################################
-+##
-+## Get the attributes of the printer device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_printer_dev',`
-+ gen_require(`
-+ type device_t, printer_device_t;
- ')
-
- getattr_chr_files_pattern($1, device_t, printer_device_t)
-@@ -3254,7 +4008,25 @@ interface(`dev_rw_printer',`
-
- ########################################
- ##
--## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-+## Relabel the printer device node.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_printer',`
-+ gen_require(`
-+ type printer_device_t;
-+ ')
-+
-+ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write the printer device.
- ##
- ##
- ##
-@@ -3262,12 +4034,13 @@ interface(`dev_rw_printer',`
- ##
- ##
- #
--interface(`dev_read_printk',`
-+interface(`dev_manage_printer',`
- gen_require(`
-- type device_t, printk_device_t;
-+ type device_t, printer_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, printk_device_t)
-+ manage_chr_files_pattern($1, device_t, printer_device_t)
-+ dev_filetrans_printer_named_dev($1)
- ')
-
- ########################################
-@@ -3399,7 +4172,7 @@ interface(`dev_dontaudit_read_rand',`
-
- ########################################
- ##
--## Do not audit attempts to append to random
-+## Do not audit attempts to append to the random
- ## number generator devices (e.g., /dev/random)
- ##
- ##
-@@ -3413,7 +4186,7 @@ interface(`dev_dontaudit_append_rand',`
- type random_device_t;
- ')
-
-- dontaudit $1 random_device_t:chr_file append_chr_file_perms;
-+ dontaudit $1 random_device_t:chr_file { append };
- ')
-
- ########################################
-@@ -3633,6 +4406,7 @@ interface(`dev_read_sound',`
- ')
-
- read_chr_files_pattern($1, device_t, sound_device_t)
-+ allow $1 sound_device_t:chr_file map;
- ')
-
- ########################################
-@@ -3669,6 +4443,7 @@ interface(`dev_read_sound_mixer',`
- ')
-
- read_chr_files_pattern($1, device_t, sound_device_t)
-+ allow $1 sound_device_t:chr_file map;
- ')
-
- ########################################
-@@ -3855,7 +4630,7 @@ interface(`dev_getattr_sysfs_dirs',`
-
- ########################################
- ##
--## Search the sysfs directories.
-+## Set the attributes of sysfs directories.
- ##
- ##
- ##
-@@ -3863,91 +4638,89 @@ interface(`dev_getattr_sysfs_dirs',`
- ##
- ##
- #
--interface(`dev_search_sysfs',`
-+interface(`dev_setattr_sysfs_dirs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- search_dirs_pattern($1, sysfs_t, sysfs_t)
-+ allow $1 sysfs_t:dir setattr_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search sysfs.
-+## Get attributes of sysfs filesystems.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_search_sysfs',`
-+interface(`dev_getattr_sysfs_fs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- dontaudit $1 sysfs_t:dir search_dir_perms;
-+ allow $1 sysfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## List the contents of the sysfs directories.
-+## Mount a filesystem on /sys
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allow access.
- ##
- ##
- #
--interface(`dev_list_sysfs',`
-+interface(`dev_mounton_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- list_dirs_pattern($1, sysfs_t, sysfs_t)
-+ allow $1 sysfs_t:dir mounton;
- ')
-
- ########################################
- ##
--## Write in a sysfs directories.
-+## Dontaudit attempts to mount a filesystem on /sys
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--# cjp: added for cpuspeed
--interface(`dev_write_sysfs_dirs',`
-+interface(`dev_dontaudit_mounton_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- allow $1 sysfs_t:dir write;
-+ dontaudit $1 sysfs_t:dir mounton;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write in a sysfs directory.
-+## Mount sysfs filesystems.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_write_sysfs_dirs',`
-+interface(`dev_mount_sysfs_fs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- dontaudit $1 sysfs_t:dir write;
-+ allow $1 sysfs_t:filesystem mount;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete sysfs
--## directories.
-+## Unmount sysfs filesystems.
- ##
- ##
- ##
-@@ -3955,68 +4728,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
- ##
- ##
- #
--interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_unmount_sysfs_fs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ allow $1 sysfs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read hardware state information.
-+## Search the sysfs directories.
- ##
--##
--##
--## Allow the specified domain to read the contents of
--## the sysfs filesystem. This filesystem contains
--## information, parameters, and other settings on the
--## hardware installed on the system.
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`dev_read_sysfs',`
-+interface(`dev_search_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- read_files_pattern($1, sysfs_t, sysfs_t)
-- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
-- list_dirs_pattern($1, sysfs_t, sysfs_t)
-+ search_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
-
- ########################################
- ##
--## Allow caller to modify hardware state information.
-+## Do not audit attempts to search sysfs.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_rw_sysfs',`
-+interface(`dev_dontaudit_search_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
-- rw_files_pattern($1, sysfs_t, sysfs_t)
-- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
--
-- list_dirs_pattern($1, sysfs_t, sysfs_t)
-+ dontaudit $1 sysfs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read and write the TPM device.
-+## List the contents of the sysfs directories.
- ##
- ##
- ##
-@@ -4024,114 +4782,97 @@ interface(`dev_rw_sysfs',`
- ##
- ##
- #
--interface(`dev_rw_tpm',`
-+interface(`dev_list_sysfs',`
- gen_require(`
-- type device_t, tpm_device_t;
-+ type sysfs_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, tpm_device_t)
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+ list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
-
- ########################################
- ##
--## Read from pseudo random number generator devices (e.g., /dev/urandom).
-+## Write in a sysfs directories.
- ##
--##
--##
--## Allow the specified domain to read from pseudo random number
--## generator devices (e.g., /dev/urandom). Typically this is
--## used in situations when a cryptographically secure random
--## number is not necessarily needed. One example is the Stack
--## Smashing Protector (SSP, formerly known as ProPolice) support
--## that may be compiled into programs.
--##
--##
--## Related interface:
--##
--##
--## - dev_read_rand()
--##
--##
--## Related tunable:
--##
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`dev_read_urand',`
-+# cjp: added for cpuspeed
-+interface(`dev_write_sysfs_dirs',`
- gen_require(`
-- type device_t, urandom_device_t;
-+ type sysfs_t;
- ')
-
-- read_chr_files_pattern($1, device_t, urandom_device_t)
-+ allow $1 sysfs_t:dir write;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read from pseudo
--## random devices (e.g., /dev/urandom)
-+## Access check for a sysfs directories.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_read_urand',`
-+interface(`dev_access_check_sysfs',`
- gen_require(`
-- type urandom_device_t;
-+ type sysfs_t;
- ')
-
-- dontaudit $1 urandom_device_t:chr_file { getattr read };
-+ allow $1 sysfs_t:dir audit_access;
- ')
-
- ########################################
- ##
--## Write to the pseudo random device (e.g., /dev/urandom). This
--## sets the random number generator seed.
-+## Do not audit attempts to write in a sysfs directory.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_write_urand',`
-+interface(`dev_dontaudit_write_sysfs_dirs',`
- gen_require(`
-- type device_t, urandom_device_t;
-+ type sysfs_t;
- ')
-
-- write_chr_files_pattern($1, device_t, urandom_device_t)
-+ dontaudit $1 sysfs_t:dir write;
- ')
-
- ########################################
- ##
--## Getattr generic the USB devices.
-+## Read cpu online hardware state information.
- ##
-+##
-+##
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`dev_getattr_generic_usb_dev',`
-+interface(`dev_read_cpu_online',`
- gen_require(`
-- type usb_device_t;
-+ type cpu_online_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, usb_device_t)
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
- ')
-
- ########################################
- ##
--## Setattr generic the USB devices.
-+## Relabel cpu online hardware state information.
- ##
- ##
- ##
-@@ -4139,35 +4880,50 @@ interface(`dev_getattr_generic_usb_dev',`
- ##
- ##
- #
--interface(`dev_setattr_generic_usb_dev',`
-+interface(`dev_relabel_cpu_online',`
- gen_require(`
-- type usb_device_t;
-+ type cpu_online_t;
-+ type sysfs_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, usb_device_t)
-+ dev_search_sysfs($1)
-+ allow $1 cpu_online_t:file relabel_file_perms;
- ')
-
-+
- ########################################
- ##
--## Read generic the USB devices.
-+## Read hardware state information.
- ##
-+##
-+##
-+## Allow the specified domain to read the contents of
-+## the sysfs filesystem. This filesystem contains
-+## information, parameters, and other settings on the
-+## hardware installed on the system.
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`dev_read_generic_usb_dev',`
-+interface(`dev_read_sysfs',`
- gen_require(`
-- type usb_device_t;
-+ type sysfs_t;
- ')
-
-- read_chr_files_pattern($1, device_t, usb_device_t)
-+ read_files_pattern($1, sysfs_t, sysfs_t)
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+ list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
-
- ########################################
- ##
--## Read and write generic the USB devices.
-+## Allow caller to modify hardware state information.
- ##
- ##
- ##
-@@ -4175,17 +4931,20 @@ interface(`dev_read_generic_usb_dev',`
- ##
- ##
- #
--interface(`dev_rw_generic_usb_dev',`
-+interface(`dev_rw_sysfs',`
- gen_require(`
-- type device_t, usb_device_t;
-+ type sysfs_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, usb_device_t)
--')
-+ rw_files_pattern($1, sysfs_t, sysfs_t)
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+
-+ list_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-
- ########################################
- ##
--## Relabel generic the USB devices.
-+## Relabel hardware state directories.
- ##
- ##
- ##
-@@ -4193,17 +4952,226 @@ interface(`dev_rw_generic_usb_dev',`
- ##
- ##
- #
--interface(`dev_relabel_generic_usb_dev',`
-+interface(`dev_relabel_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
-+## Relabel hardware state files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_all_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to modify hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_manage_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to modify hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_manage_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ manage_files_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
-+## Read and write the TPM device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_tpm',`
-+ gen_require(`
-+ type device_t, tpm_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, tpm_device_t)
-+')
-+
-+########################################
-+##
-+## Read from pseudo random number generator devices (e.g., /dev/urandom).
-+##
-+##
-+##
-+## Allow the specified domain to read from pseudo random number
-+## generator devices (e.g., /dev/urandom). Typically this is
-+## used in situations when a cryptographically secure random
-+## number is not necessarily needed. One example is the Stack
-+## Smashing Protector (SSP, formerly known as ProPolice) support
-+## that may be compiled into programs.
-+##
-+##
-+## Related interface:
-+##
-+##
-+## - dev_read_rand()
-+##
-+##
-+## Related tunable:
-+##
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dev_read_urand',`
-+ gen_require(`
-+ type device_t, urandom_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, urandom_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read from pseudo
-+## random devices (e.g., /dev/urandom)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_urand',`
-+ gen_require(`
-+ type urandom_device_t;
-+ ')
-+
-+ dontaudit $1 urandom_device_t:chr_file { getattr read };
-+')
-+
-+########################################
-+##
-+## Write to the pseudo random device (e.g., /dev/urandom). This
-+## sets the random number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_urand',`
-+ gen_require(`
-+ type device_t, urandom_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, urandom_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to pseudo
-+## random devices (e.g., /dev/urandom)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_write_urand',`
-+ gen_require(`
-+ type urandom_device_t;
-+ ')
-+
-+ dontaudit $1 urandom_device_t:chr_file write;
-+')
-+
-+########################################
-+##
-+## Getattr generic the USB devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_generic_usb_dev',`
-+ gen_require(`
-+ type usb_device_t,device_t;
-+ ')
-+
-+ getattr_chr_files_pattern($1, device_t, usb_device_t)
-+')
-+
-+########################################
-+##
-+## Setattr generic the USB devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_generic_usb_dev',`
- gen_require(`
- type usb_device_t;
- ')
-
-- relabel_chr_files_pattern($1, device_t, usb_device_t)
-+ setattr_chr_files_pattern($1, device_t, usb_device_t)
- ')
-
- ########################################
- ##
--## Read USB monitor devices.
-+## Read generic the USB devices.
- ##
- ##
- ##
-@@ -4211,17 +5179,17 @@ interface(`dev_relabel_generic_usb_dev',`
- ##
- ##
- #
--interface(`dev_read_usbmon_dev',`
-+interface(`dev_read_generic_usb_dev',`
- gen_require(`
-- type device_t, usbmon_device_t;
-+ type usb_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, usbmon_device_t)
-+ read_chr_files_pattern($1, device_t, usb_device_t)
- ')
-
- ########################################
- ##
--## Write USB monitor devices.
-+## Read and write generic the USB devices.
- ##
- ##
- ##
-@@ -4229,17 +5197,17 @@ interface(`dev_read_usbmon_dev',`
- ##
- ##
- #
--interface(`dev_write_usbmon_dev',`
-+interface(`dev_rw_generic_usb_dev',`
- gen_require(`
-- type device_t, usbmon_device_t;
-+ type device_t, usb_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, usbmon_device_t)
-+ rw_chr_files_pattern($1, device_t, usb_device_t)
- ')
-
- ########################################
- ##
--## Mount a usbfs filesystem.
-+## Relabel generic the USB devices.
- ##
- ##
- ##
-@@ -4247,35 +5215,536 @@ interface(`dev_write_usbmon_dev',`
- ##
- ##
- #
--interface(`dev_mount_usbfs',`
-+interface(`dev_relabel_generic_usb_dev',`
-+ gen_require(`
-+ type usb_device_t;
-+ ')
-+
-+ relabel_chr_files_pattern($1, device_t, usb_device_t)
-+')
-+
-+########################################
-+##
-+## Read USB monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_usbmon_dev',`
-+ gen_require(`
-+ type device_t, usbmon_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, usbmon_device_t)
-+')
-+
-+########################################
-+##
-+## Mmap USB monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_map_usbmon_dev',`
-+ gen_require(`
-+ type usbmon_device_t;
-+ ')
-+
-+ allow $1 usbmon_device_t:chr_file map;
-+')
-+
-+########################################
-+##
-+## Write USB monitor devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_usbmon_dev',`
-+ gen_require(`
-+ type device_t, usbmon_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, usbmon_device_t)
-+')
-+
-+########################################
-+##
-+## Mount a usbfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_mount_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ allow $1 usbfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Associate a file to a usbfs filesystem.
-+##
-+##
-+##
-+## The type of the file to be associated to usbfs.
-+##
-+##
-+#
-+interface(`dev_associate_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ allow $1 usbfs_t:filesystem associate;
-+')
-+
-+########################################
-+##
-+## Get the attributes of a directory in the usb filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_usbfs_dirs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ allow $1 usbfs_t:dir getattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of a directory in the usb filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_usbfs_dirs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ dontaudit $1 usbfs_t:dir getattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Search the directory containing USB hardware information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_search_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ search_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to get a list of usb hardware.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_list_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+##
-+## Set the attributes of usbfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_usbfs_files',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ setattr_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+##
-+## Read USB hardware information using
-+## the usbfs filesystem interface.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ read_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to modify usb hardware configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_usbfs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ rw_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+######################################
-+##
-+## Read and write userio device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_userio_dev',`
-+ gen_require(`
-+ type device_t, userio_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
-+')
-+
-+########################################
-+##
-+## Get the attributes of video4linux devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_video_dev',`
-+ gen_require(`
-+ type device_t, v4l_device_t;
-+ ')
-+
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of video4linux device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_video_dev',`
-+ gen_require(`
-+ type v4l_device_t;
-+ ')
-+
-+ dontaudit $1 v4l_device_t:chr_file getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of video4linux device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_video_dev',`
-+ gen_require(`
-+ type device_t, v4l_device_t;
-+ ')
-+
-+ setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of video4linux device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_setattr_video_dev',`
-+ gen_require(`
-+ type v4l_device_t;
-+ ')
-+
-+ dontaudit $1 v4l_device_t:chr_file setattr;
-+')
-+
-+########################################
-+##
-+## Read the video4linux devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_video_dev',`
-+ gen_require(`
-+ type device_t, v4l_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Mmap the video4linux devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_map_video_dev',`
-+ gen_require(`
-+ type device_t, v4l_device_t;
-+ ')
-+
-+ allow $1 v4l_device_t:chr_file map;
-+
-+')
-+
-+########################################
-+##
-+## Write the video4linux devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_video_dev',`
-+ gen_require(`
-+ type device_t, v4l_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Get the attributes of vfio devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_vfio_dev',`
-+ gen_require(`
-+ type device_t, vfio_device_t;
-+ ')
-+
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_vfio_dev',`
-+ gen_require(`
-+ type vfio_device_t;
-+ ')
-+
-+ dontaudit $1 vfio_device_t:chr_file getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of vfio device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_vfio_dev',`
-+ gen_require(`
-+ type device_t, vfio_device_t;
-+ ')
-+
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_setattr_vfio_dev',`
-+ gen_require(`
-+ type vfio_device_t;
-+ ')
-+
-+ dontaudit $1 vfio_device_t:chr_file setattr;
-+')
-+
-+########################################
-+##
-+## Read the vfio devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_vfio_dev',`
-+ gen_require(`
-+ type device_t, vfio_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
-+## Write the vfio devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_vfio_dev',`
-+ gen_require(`
-+ type device_t, vfio_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write the VFIO devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_vfio_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vfio_device_t;
- ')
-
-- allow $1 usbfs_t:filesystem mount;
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Associate a file to a usbfs filesystem.
-+## Allow read/write the vhost net device
- ##
--##
-+##
- ##
--## The type of the file to be associated to usbfs.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_associate_usbfs',`
-+interface(`dev_rw_vhost',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vhost_device_t;
- ')
-
-- allow $1 usbfs_t:filesystem associate;
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of a directory in the usb filesystem.
-+## Allow read/write inheretid the vhost net device
- ##
- ##
- ##
-@@ -4283,36 +5752,35 @@ interface(`dev_associate_usbfs',`
- ##
- ##
- #
--interface(`dev_getattr_usbfs_dirs',`
-+interface(`dev_rw_inherited_vhost',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vhost_device_t;
- ')
-
-- allow $1 usbfs_t:dir getattr_dir_perms;
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of a directory in the usb filesystem.
-+## Read and write VMWare devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_usbfs_dirs',`
-+interface(`dev_rw_vmware',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vmware_device_t;
- ')
-
-- dontaudit $1 usbfs_t:dir getattr_dir_perms;
-+ rw_chr_files_pattern($1, device_t, vmware_device_t)
- ')
-
- ########################################
- ##
--## Search the directory containing USB hardware information.
-+## Read, write, and mmap VMWare devices.
- ##
- ##
- ##
-@@ -4320,17 +5788,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
- ##
- ##
- #
--interface(`dev_search_usbfs',`
-+interface(`dev_rwx_vmware',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vmware_device_t;
- ')
-
-- search_dirs_pattern($1, usbfs_t, usbfs_t)
-+ dev_rw_vmware($1)
-+ allow $1 vmware_device_t:chr_file { map execute };
- ')
-
- ########################################
- ##
--## Allow caller to get a list of usb hardware.
-+## Read from watchdog devices.
- ##
- ##
- ##
-@@ -4338,20 +5807,17 @@ interface(`dev_search_usbfs',`
- ##
- ##
- #
--interface(`dev_list_usbfs',`
-+interface(`dev_read_watchdog',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, watchdog_device_t;
- ')
-
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- getattr_files_pattern($1, usbfs_t, usbfs_t)
--
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ read_chr_files_pattern($1, device_t, watchdog_device_t)
- ')
-
- ########################################
- ##
--## Set the attributes of usbfs filesystem.
-+## Write to watchdog devices.
- ##
- ##
- ##
-@@ -4359,19 +5825,17 @@ interface(`dev_list_usbfs',`
- ##
- ##
- #
--interface(`dev_setattr_usbfs_files',`
-+interface(`dev_write_watchdog',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, watchdog_device_t;
- ')
-
-- setattr_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ write_chr_files_pattern($1, device_t, watchdog_device_t)
- ')
-
- ########################################
- ##
--## Read USB hardware information using
--## the usbfs filesystem interface.
-+## RW to watchdog devices.
- ##
- ##
- ##
-@@ -4379,19 +5843,17 @@ interface(`dev_setattr_usbfs_files',`
- ##
- ##
- #
--interface(`dev_read_usbfs',`
-+interface(`dev_rw_watchdog',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, watchdog_device_t;
- ')
-
-- read_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ rw_chr_files_pattern($1, device_t, watchdog_device_t)
- ')
-
- ########################################
- ##
--## Allow caller to modify usb hardware configuration files.
-+## Read and write the the wireless device.
- ##
- ##
- ##
-@@ -4399,19 +5861,17 @@ interface(`dev_read_usbfs',`
- ##
- ##
- #
--interface(`dev_rw_usbfs',`
-+interface(`dev_rw_wireless',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, wireless_device_t;
- ')
-
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-- rw_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ rw_chr_files_pattern($1, device_t, wireless_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of video4linux devices.
-+## Read and write Xen devices.
- ##
- ##
- ##
-@@ -4419,17 +5879,18 @@ interface(`dev_rw_usbfs',`
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_rw_xen',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, xen_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, xen_device_t)
-+ allow $1 xen_device_t:chr_file map;
- ')
-
--######################################
-+########################################
- ##
--## Read and write userio device.
-+## Create, read, write, and delete Xen devices.
- ##
- ##
- ##
-@@ -4437,36 +5898,41 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_manage_xen',`
- gen_require(`
-- type device_t, userio_device_t;
-+ type device_t, xen_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ manage_chr_files_pattern($1, device_t, xen_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of video4linux device nodes.
-+## Automatic type transition to the type
-+## for xen device nodes when created in /dev.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_video_dev',`
-+interface(`dev_filetrans_xen',`
- gen_require(`
-- type v4l_device_t;
-+ type device_t, xen_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file getattr;
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
- ')
-
- ########################################
- ##
--## Set the attributes of video4linux device nodes.
-+## Get the attributes of X server miscellaneous devices.
- ##
- ##
- ##
-@@ -4474,36 +5940,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_setattr_video_dev',`
-+interface(`dev_getattr_xserver_misc_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, xserver_misc_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to set the attributes
--## of video4linux device nodes.
-+## Set the attributes of X server miscellaneous devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_setattr_video_dev',`
-+interface(`dev_setattr_xserver_misc_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type device_t, xserver_misc_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file setattr;
-+ setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
- ')
-
- ########################################
- ##
--## Read the video4linux devices.
-+## Read and write X server miscellaneous devices.
- ##
- ##
- ##
-@@ -4511,35 +5976,36 @@ interface(`dev_dontaudit_setattr_video_dev',`
- ##
- ##
- #
--interface(`dev_read_video_dev',`
-+interface(`dev_rw_xserver_misc',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, xserver_misc_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
-+ allow $1 xserver_misc_device_t:chr_file map;
- ')
-
- ########################################
- ##
--## Write the video4linux devices.
-+## Dontaudit attempts to Read and write X server miscellaneous devices.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_write_video_dev',`
-+interface(`dev_dontaudit_leaked_xserver_misc',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type xserver_misc_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, v4l_device_t)
-+ dontaudit $1 xserver_misc_device_t:chr_file { read write };
- ')
-
- ########################################
- ##
--## Allow read/write the vhost net device
-+## Read and write X server miscellaneous devices.
- ##
- ##
- ##
-@@ -4547,17 +6013,19 @@ interface(`dev_write_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_vhost',`
-+interface(`dev_manage_xserver_misc',`
- gen_require(`
-- type device_t, vhost_device_t;
-+ type device_t, xserver_misc_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vhost_device_t)
-+ manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
-+
-+ dev_filetrans_xserver_named_dev($1)
- ')
-
- ########################################
- ##
--## Read and write VMWare devices.
-+## Read and write to the zero device (/dev/zero).
- ##
- ##
- ##
-@@ -4565,17 +6033,17 @@ interface(`dev_rw_vhost',`
- ##
- ##
- #
--interface(`dev_rw_vmware',`
-+interface(`dev_rw_zero',`
- gen_require(`
-- type device_t, vmware_device_t;
-+ type device_t, zero_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vmware_device_t)
-+ rw_chr_files_pattern($1, device_t, zero_device_t)
- ')
-
- ########################################
- ##
--## Read, write, and mmap VMWare devices.
-+## Read, write, and execute the zero device (/dev/zero).
- ##
- ##
- ##
-@@ -4583,18 +6051,18 @@ interface(`dev_rw_vmware',`
- ##
- ##
- #
--interface(`dev_rwx_vmware',`
-+interface(`dev_rwx_zero',`
- gen_require(`
-- type device_t, vmware_device_t;
-+ type zero_device_t;
- ')
-
-- dev_rw_vmware($1)
-- allow $1 vmware_device_t:chr_file execute;
-+ dev_rw_zero($1)
-+ allow $1 zero_device_t:chr_file { map execute };
- ')
-
- ########################################
- ##
--## Read from watchdog devices.
-+## Execmod the zero device (/dev/zero).
- ##
- ##
- ##
-@@ -4602,17 +6070,18 @@ interface(`dev_rwx_vmware',`
- ##
- ##
- #
--interface(`dev_read_watchdog',`
-+interface(`dev_execmod_zero',`
- gen_require(`
-- type device_t, watchdog_device_t;
-+ type zero_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, watchdog_device_t)
-+ dev_rw_zero($1)
-+ allow $1 zero_device_t:chr_file execmod;
- ')
-
- ########################################
- ##
--## Write to watchdog devices.
-+## Create the zero device (/dev/zero).
- ##
- ##
- ##
-@@ -4620,17 +6089,17 @@ interface(`dev_read_watchdog',`
- ##
- ##
- #
--interface(`dev_write_watchdog',`
-+interface(`dev_create_zero_dev',`
- gen_require(`
-- type device_t, watchdog_device_t;
-+ type device_t, zero_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, watchdog_device_t)
-+ create_chr_files_pattern($1, device_t, zero_device_t)
- ')
-
- ########################################
- ##
--## Read and write the the wireless device.
-+## Unconfined access to devices.
- ##
- ##
- ##
-@@ -4638,35 +6107,36 @@ interface(`dev_write_watchdog',`
- ##
- ##
- #
--interface(`dev_rw_wireless',`
-+interface(`dev_unconfined',`
- gen_require(`
-- type device_t, wireless_device_t;
-+ attribute devices_unconfined_type;
- ')
-
-- rw_chr_files_pattern($1, device_t, wireless_device_t)
-+ typeattribute $1 devices_unconfined_type;
- ')
-
- ########################################
- ##
--## Read and write Xen devices.
-+## Dontaudit getattr on all device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_rw_xen',`
-+interface(`dev_dontaudit_getattr_all',`
- gen_require(`
-- type device_t, xen_device_t;
-+ attribute device_node;
-+ type device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, xen_device_t)
-+ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete Xen devices.
-+## Get the attributes of the mei devices.
- ##
- ##
- ##
-@@ -4674,41 +6144,35 @@ interface(`dev_rw_xen',`
- ##
- ##
- #
--interface(`dev_manage_xen',`
-+interface(`dev_getattr_mei',`
- gen_require(`
-- type device_t, xen_device_t;
-+ type device_t, mei_device_t;
- ')
-
-- manage_chr_files_pattern($1, device_t, xen_device_t)
-+ getattr_chr_files_pattern($1, device_t, mei_device_t)
- ')
-
- ########################################
- ##
--## Automatic type transition to the type
--## for xen device nodes when created in /dev.
-+## Read the mei devices.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`dev_filetrans_xen',`
-+interface(`dev_read_mei',`
- gen_require(`
-- type device_t, xen_device_t;
-+ type device_t, mei_device_t;
- ')
-
-- filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
-+ read_chr_files_pattern($1, device_t, mei_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of X server miscellaneous devices.
-+## Read and write to mei devices.
- ##
- ##
- ##
-@@ -4716,17 +6180,17 @@ interface(`dev_filetrans_xen',`
- ##
- ##
- #
--interface(`dev_getattr_xserver_misc_dev',`
-+interface(`dev_rw_mei',`
- gen_require(`
-- type device_t, xserver_misc_device_t;
-+ type device_t, mei_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
-+ rw_chr_files_pattern($1, device_t, mei_device_t)
- ')
-
- ########################################
- ##
--## Set the attributes of X server miscellaneous devices.
-+## Read and write uhid devices.
- ##
- ##
- ##
-@@ -4734,17 +6198,18 @@ interface(`dev_getattr_xserver_misc_dev',`
- ##
- ##
- #
--interface(`dev_setattr_xserver_misc_dev',`
-+interface(`dev_rw_uhid_dev',`
- gen_require(`
-- type device_t, xserver_misc_device_t;
-+ type device_t, uhid_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
-+ rw_chr_files_pattern($1, device_t, uhid_device_t)
- ')
-
-+
- ########################################
- ##
--## Read and write X server miscellaneous devices.
-+## Allow read/write the hypervkvp device
- ##
- ##
- ##
-@@ -4752,17 +6217,17 @@ interface(`dev_setattr_xserver_misc_dev',`
- ##
- ##
- #
--interface(`dev_rw_xserver_misc',`
-+interface(`dev_rw_hypervkvp',`
- gen_require(`
-- type device_t, xserver_misc_device_t;
-+ type device_t, hypervkvp_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
-+ rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
- ')
-
- ########################################
- ##
--## Read and write to the zero device (/dev/zero).
-+## Allow read/write the hypervkvp device
- ##
- ##
- ##
-@@ -4770,17 +6235,17 @@ interface(`dev_rw_xserver_misc',`
- ##
- ##
- #
--interface(`dev_rw_zero',`
-+interface(`dev_read_gpfs',`
- gen_require(`
-- type device_t, zero_device_t;
-+ type device_t, gpfs_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, zero_device_t)
-+ read_chr_files_pattern($1, device_t, gpfs_device_t)
- ')
-
- ########################################
- ##
--## Read, write, and execute the zero device (/dev/zero).
-+## Allow read/write the gpiochip device
- ##
- ##
- ##
-@@ -4788,18 +6253,17 @@ interface(`dev_rw_zero',`
- ##
- ##
- #
--interface(`dev_rwx_zero',`
-+interface(`dev_read_gpio',`
- gen_require(`
-- type zero_device_t;
-+ type device_t, gpio_device_t;
- ')
-
-- dev_rw_zero($1)
-- allow $1 zero_device_t:chr_file execute;
-+ read_chr_files_pattern($1, device_t, gpio_device_t)
- ')
-
- ########################################
- ##
--## Execmod the zero device (/dev/zero).
-+## Allow read/write the hypervvssd device
- ##
- ##
- ##
-@@ -4807,47 +6271,912 @@ interface(`dev_rwx_zero',`
- ##
- ##
- #
--interface(`dev_execmod_zero',`
-+interface(`dev_rw_hypervvssd',`
- gen_require(`
-- type zero_device_t;
-+ type device_t, hypervvssd_device_t;
- ')
-
-- dev_rw_zero($1)
-- allow $1 zero_device_t:chr_file execmod;
-+ rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
- ')
-
- ########################################
- ##
--## Create the zero device (/dev/zero).
-+## Create all named devices with the correct label
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_create_zero_dev',`
-+interface(`dev_filetrans_printer_named_dev',`
-+
- gen_require(`
-- type device_t, zero_device_t;
-- ')
-+ type printer_device_t;
-
-- create_chr_files_pattern($1, device_t, zero_device_t)
-+ ')
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
- ')
-
- ########################################
- ##
--## Unconfined access to devices.
-+## Create all named devices with the correct label
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_unconfined',`
-- gen_require(`
-- attribute devices_unconfined_type;
-- ')
--
-- typeattribute $1 devices_unconfined_type;
-+interface(`dev_filetrans_all_named_dev',`
-+
-+gen_require(`
-+ type device_t;
-+ type usb_device_t;
-+ type uhid_device_t;
-+ type sound_device_t;
-+ type apm_bios_t;
-+ type mouse_device_t;
-+ type autofs_device_t;
-+ type lvm_control_t;
-+ type crash_device_t;
-+ type dlm_control_device_t;
-+ type clock_device_t;
-+ type v4l_device_t;
-+ type vsock_device_t;
-+ type vmci_device_t;
-+ type vfio_device_t;
-+ type event_device_t;
-+ type xen_device_t;
-+ type framebuf_device_t;
-+ type null_device_t;
-+ type random_device_t;
-+ type dri_device_t;
-+ type hsa_device_t;
-+ type ipmi_device_t;
-+ type memory_device_t;
-+ type kmsg_device_t;
-+ type qemu_device_t;
-+ type ksm_device_t;
-+ type kvm_device_t;
-+ type lirc_device_t;
-+ type cpu_device_t;
-+ type scanner_device_t;
-+ type modem_device_t;
-+ type monitor_device_t;
-+ type vhost_device_t;
-+ type netcontrol_device_t;
-+ type nvram_device_t;
-+ type power_device_t;
-+ type wireless_device_t;
-+ type tpm_device_t;
-+ type userio_device_t;
-+ type urandom_device_t;
-+ type usbmon_device_t;
-+ type vmware_device_t;
-+ type watchdog_device_t;
-+ type crypt_device_t;
-+ type zero_device_t;
-+ type smartcard_device_t;
-+ type mtrr_device_t;
-+ type ecryptfs_device_t;
-+ type mptctl_device_t;
-+ type hypervkvp_device_t;
-+ type hypervvssd_device_t;
-+ type gpfs_device_t;
-+ type gpio_device_t;
-+')
-+
-+ dev_filetrans_printer_named_dev($1)
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
-+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
-+ filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
-+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
-+ filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
-+ filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
-+ filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock")
-+ filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event21")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
-+ filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
-+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
-+ filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt5ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl")
-+ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl")
-+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
-+ filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
-+ filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
-+ filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
-+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
-+ filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
-+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
-+ filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
-+ filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
-+ filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
-+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
-+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
-+ filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
-+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
-+ filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
-+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
-+ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
-+ filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
-+ filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
-+ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
-+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
-+ filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
-+ filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
-+ filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
-+ filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")
-+ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0")
-+ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1")
-+ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2")
-+ dev_filetrans_xserver_named_dev($1)
-+')
-+
-+########################################
-+##
-+## Create all named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_filetrans_xserver_named_dev',`
-+
-+ gen_require(`
-+ type xserver_misc_device_t;
-+ ')
-+
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
- ')
-diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a8715a..849b00191 100644
---- a/policy/modules/kernel/devices.te
-+++ b/policy/modules/kernel/devices.te
-@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
- #
- type device_t;
- fs_associate_tmpfs(device_t)
--files_type(device_t)
-+files_base_file(device_t)
- files_mountpoint(device_t)
- files_associate_tmp(device_t)
- fs_type(device_t)
- fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
-+dev_node(device_t)
-
- #
- # Type for /dev/agpgart
-@@ -43,9 +44,6 @@ type cardmgr_dev_t;
- dev_node(cardmgr_dev_t)
- files_tmp_file(cardmgr_dev_t)
-
--type cachefiles_device_t;
--dev_node(cachefiles_device_t)
--
- #
- # clock_device_t is the type of
- # /dev/rtc.
-@@ -65,6 +63,9 @@ dev_node(cpu_device_t)
- type crash_device_t;
- dev_node(crash_device_t)
-
-+type ecryptfs_device_t;
-+dev_node(ecryptfs_device_t)
-+
- # for the IBM zSeries z90crypt hardware ssl accelorator
- type crypt_device_t;
- dev_node(crypt_device_t)
-@@ -78,6 +79,9 @@ dev_node(dlm_control_device_t)
- type dri_device_t;
- dev_node(dri_device_t)
-
-+type hsa_device_t;
-+dev_node(hsa_device_t)
-+
- type event_device_t;
- dev_node(event_device_t)
-
-@@ -88,12 +92,45 @@ type framebuf_device_t;
- dev_node(framebuf_device_t)
-
- #
-+# Type for hyperv devices
-+#
-+type hypervkvp_device_t;
-+dev_node(hypervkvp_device_t)
-+
-+type hypervvssd_device_t;
-+dev_node(hypervvssd_device_t)
-+
-+#
-+# Type for /dev/ss0
-+#
-+type gpfs_device_t;
-+dev_node(gpfs_device_t)
-+
-+#
-+# Type for /dev/gpiochip*
-+#
-+type gpio_device_t;
-+dev_node(gpio_device_t)
-+
-+#
- # Type for /dev/ipmi/0
- #
- type ipmi_device_t;
- dev_node(ipmi_device_t)
-
- #
-+# Type for /dev/infiniband
-+#
-+type infiniband_device_t;
-+dev_node(infiniband_device_t)
-+
-+#
-+# Type for /dev/infiniband mgmt devices
-+#
-+type infiniband_mgmt_device_t;
-+dev_node(infiniband_mgmt_device_t)
-+
-+#
- # Type for /dev/kmsg
- #
- type kmsg_device_t;
-@@ -111,6 +148,7 @@ dev_node(ksm_device_t)
- #
- type kvm_device_t;
- dev_node(kvm_device_t)
-+mls_trusted_object(kvm_device_t)
-
- #
- # Type for /dev/lirc
-@@ -118,6 +156,9 @@ dev_node(kvm_device_t)
- type lirc_device_t;
- dev_node(lirc_device_t)
-
-+#
-+# Type for /dev/mapper/control
-+#
- type loop_control_device_t;
- dev_node(loop_control_device_t)
-
-@@ -150,16 +191,29 @@ type modem_device_t;
- dev_node(modem_device_t)
-
- #
-+# A general type for monitor devices.
-+#
-+type monitor_device_t;
-+dev_node(monitor_device_t)
-+
-+#
- # A more general type for mouse devices.
- #
- type mouse_device_t;
- dev_node(mouse_device_t)
-
- #
-+# Type for /dev/mptctl used to check RAID status.
-+#
-+type mptctl_device_t;
-+dev_node(mptctl_device_t)
-+
-+#
- # Type for /dev/cpu/mtrr and /proc/mtrr
- #
- type mtrr_device_t;
- dev_node(mtrr_device_t)
-+files_mountpoint(mtrr_device_t)
- genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
-
- #
-@@ -183,6 +237,12 @@ type nvram_device_t;
- dev_node(nvram_device_t)
-
- #
-+# Type for controller device nodes
-+#
-+type nvme_device_t;
-+dev_node(nvme_device_t)
-+
-+#
- # Type for /dev/pmu
- #
- type power_device_t;
-@@ -227,6 +287,10 @@ files_mountpoint(sysfs_t)
- fs_type(sysfs_t)
- genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
-
-+type cpu_online_t;
-+files_type(cpu_online_t)
-+dev_associate_sysfs(cpu_online_t)
-+
- #
- # Type for /dev/tpm
- #
-@@ -266,14 +330,30 @@ dev_node(usbmon_device_t)
- type userio_device_t;
- dev_node(userio_device_t)
-
-+#
-+# uhid_device_t is the type for /dev/uhid
-+#
-+type uhid_device_t;
-+dev_node(uhid_device_t)
-+
-+type vfio_device_t;
-+dev_node(vfio_device_t)
-+
- type v4l_device_t;
- dev_node(v4l_device_t)
-
-+type vsock_device_t;
-+dev_node(vsock_device_t)
-+
-+type vmci_device_t;
-+dev_node(vmci_device_t)
-+
- #
- # vhost_device_t is the type for /dev/vhost-net
- #
- type vhost_device_t;
- dev_node(vhost_device_t)
-+mls_trusted_object(vhost_device_t)
-
- # Type for vmware devices.
- type vmware_device_t;
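Review bot: `vfio_device_t`, `vsock_device_t` and `vmci_device_t` are declared without the `# Type for /dev/...` header that uhid_device_t and the surrounding types carry, and `mls_trusted_object(vhost_device_t)` is added with no rationale. Add the three headers (e.g. `# Type for /dev/vfio/*`, `# Type for /dev/vsock`, `# Type for /dev/vmci`, confirming the paths against devices.fc) and a one-line reason for the MLS exemption on vhost, such as `# /dev/vhost-net is used by guests at every level; exempt it from MLS constraints`.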
-@@ -319,5 +399,8 @@ files_associate_tmp(device_node)
- #
-
- allow devices_unconfined_type self:capability sys_rawio;
--allow devices_unconfined_type device_node:{ blk_file chr_file } *;
--allow devices_unconfined_type mtrr_device_t:file *;
-+allow devices_unconfined_type device_node:{ blk_file lnk_file } *;
-+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
-+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
-+dev_getattr_all(devices_unconfined_type)
-+
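Review bot: The rewrite of the `devices_unconfined_type` rules narrows chr_file/file access to `~{ execmod entrypoint }` but gives no hint why, so the next editor may well "simplify" it back to `*`. Put the reason on the rule: `# never execmod/entrypoint: a device node must not become a domain entry point, even for unconfined device users`. The new `lnk_file *` on device_node is broader than the old rule set and also deserves a word, and the trailing empty line added at the end of the hunk should be dropped.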
-diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d156..5fd375329 100644
---- a/policy/modules/kernel/domain.if
-+++ b/policy/modules/kernel/domain.if
-@@ -76,33 +76,8 @@ interface(`domain_type',`
- # start with basic domain
- domain_base_type($1)
-
-- ifdef(`distro_redhat',`
-- optional_policy(`
-- unconfined_use_fds($1)
-- ')
-- ')
--
-- # send init a sigchld and signull
-- optional_policy(`
-- init_sigchld($1)
-- init_signull($1)
-- ')
--
-- # these seem questionable:
--
-- optional_policy(`
-- rpm_use_fds($1)
-- rpm_read_pipes($1)
-- ')
--
-- optional_policy(`
-- selinux_dontaudit_getattr_fs($1)
-- selinux_dontaudit_read_fs($1)
-- ')
--
-- optional_policy(`
-- seutil_dontaudit_read_config($1)
-- ')
-+ # Only way to get corenet_unlabeled packets disabled to work
-+ corenet_all_recvfrom_unlabeled($1)
- ')
-
- ########################################
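Review bot: The comment over `corenet_all_recvfrom_unlabeled($1)` ("Only way to get corenet_unlabeled packets disabled to work") does not tell a reader what is being granted: every type passed through `domain_type` may now receive unlabeled network packets. Reword it so the grant and the reason are both explicit, e.g. `# Every domain may receive unlabeled packets; granting it here (not per domain) is what lets the corenet unlabeled-packet boolean switch it off consistently` — I am inferring the boolean from the wording, so adjust if that is not the mechanism. The `domain_type` interface begins outside this hunk; the init/rpm/seutil rules removed here reappear applied to `domain` in domain.te later in the patch, so the removal is a move, not a loss.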
-@@ -128,11 +103,15 @@ interface(`domain_entry_file',`
- ')
-
- allow $1 $2:file entrypoint;
-- allow $1 $2:file { mmap_file_perms ioctl lock };
-+ allow $1 $2:file { mmap_exec_file_perms ioctl lock };
-
- typeattribute $2 entry_type;
-
- corecmd_executable_file($2)
-+
-+ #optional_policy(`
-+ # unconfined_exec_typebounds($2)
-+ #')
- ')
-
- ########################################
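Review bot: The commented-out `optional_policy(` ... `unconfined_exec_typebounds($2)` block added to `domain_entry_file` is dead code with no explanation of why it is disabled. Either drop it or replace it with a one-line note stating the blocker, e.g. `# TODO: unconfined_exec_typebounds($2) — disabled until typebounds on entry types is validated`. The switch to `mmap_exec_file_perms` is fine; the interface itself starts outside this hunk.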
-@@ -513,6 +492,26 @@ interface(`domain_signull_all_domains',`
-
- ########################################
- ##
-+## Do not audit attempts to send
-+## signulls to all domains.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`domain_dontaudit_signull_all_domains',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ dontaudit $1 domain:process signull;
-+')
-+
-+########################################
-+##
- ## Send a stop signal to all domains.
- ##
- ##
-@@ -571,6 +570,25 @@ interface(`domain_kill_all_domains',`
-
- ########################################
- ##
-+## Destroy all domains semaphores
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`domain_destroy_all_semaphores',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow $1 domain:sem destroy;
-+')
-+
-+########################################
-+##
- ## Search the process state directory (/proc/pid) of all domains.
- ##
- ##
-@@ -590,6 +608,42 @@ interface(`domain_search_all_domains_state',`
-
- ########################################
- ##
-+## Dontaudit search of process kernel keyrings
-+##
-+##
-+##
-+## Domain to dontaudit.
-+##
-+##
-+#
-+interface(`domain_dontaudit_search_all_domains_keyrings',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ dontaudit $1 domain:key search;
-+')
-+
-+########################################
-+##
-+## Dontaudit link of process kernel keyrings
-+##
-+##
-+##
-+## Domain to dontaudit.
-+##
-+##
-+#
-+interface(`domain_dontaudit_link_all_domains_keyrings',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ dontaudit $1 domain:key link;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to search the process
- ## state directory (/proc/pid) of all domains.
- ##
-@@ -631,7 +685,7 @@ interface(`domain_read_all_domains_state',`
-
- ########################################
- ##
--## Get the attributes of all domains of all domains.
-+## Get the attributes of all domains.
- ##
- ##
- ##
-@@ -655,7 +709,7 @@ interface(`domain_getattr_all_domains',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1356,6 +1410,24 @@ interface(`domain_manage_all_entry_files',`
-
- ########################################
- ##
-+## Relabel from domain types on files if a user managed to mislable
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`domain_relabelfrom',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow $1 domain:dir_file_class_set relabelfrom_file_perms;
-+')
-+
-+########################################
-+##
- ## Relabel to and from all entry point
- ## file types.
- ##
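Review bot: The summary of the new `domain_relabelfrom` has a typo ("mislable") and does not say that the objects in question are files carrying a process (domain) type. Suggest `## Relabel files away from domain (process) types, to recover from objects a user managed to mislabel with a domain type.` Since the rule grants relabelfrom on every `domain` type for the whole `dir_file_class_set`, the name might also say so (`domain_relabelfrom_all_domains` would match the neighbouring interfaces), but that is a naming choice rather than a defect.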
-@@ -1390,7 +1462,7 @@ interface(`domain_mmap_all_entry_files',`
- attribute entry_type;
- ')
-
-- allow $1 entry_type:file mmap_file_perms;
-+ allow $1 entry_type:file mmap_exec_file_perms;
- ')
-
- ########################################
-@@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',`
- ##
- ## Ability to mmap a low area of the address
- ## space conditionally, as configured by
--## /proc/sys/kernel/mmap_min_addr.
-+## /proc/sys/vm/mmap_min_addr.
- ## Preventing such mappings helps protect against
- ## exploiting null deref bugs in the kernel.
- ##
-@@ -1448,7 +1520,7 @@ interface(`domain_mmap_low',`
- ##
- ## Ability to mmap a low area of the address
- ## space unconditionally, as configured
--## by /proc/sys/kernel/mmap_min_addr.
-+## by /proc/sys/vm/mmap_min_addr.
- ## Preventing such mappings helps protect against
- ## exploiting null deref bugs in the kernel.
- ##
-@@ -1508,6 +1580,40 @@ interface(`domain_unconfined_signal',`
-
- ########################################
- ##
-+## Named Filetrans Domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`domain_named_filetrans',`
-+ gen_require(`
-+ attribute named_filetrans_domain;
-+ ')
-+
-+ typeattribute $1 named_filetrans_domain;
-+')
-+
-+#####################################
-+##
-+## named_filetrans_domain stub attribute interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`domain_stub_named_filetrans_domain',`
-+ gen_require(`
-+ attribute named_filetrans_domain;
-+ ')
-+')
-+
-+########################################
-+##
- ## Unconfined access to domains.
- ##
- ##
-@@ -1530,4 +1636,102 @@ interface(`domain_unconfined',`
- typeattribute $1 can_change_object_identity;
- typeattribute $1 set_curr_context;
- typeattribute $1 process_uncond_exempt;
-+
-+ mcs_process_set_categories($1)
-+
-+ userdom_filetrans_home_content($1)
-+ domain_named_filetrans($1)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## all leaked sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`domain_dontaudit_leaks',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ dontaudit $1 domain:socket_class_set { read write };
-+')
-+
-+########################################
-+##
-+## Allow caller to transition to any domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`domain_transition_all',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow $1 domain:process transition;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to access check /proc
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`domain_dontaudit_access_check',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ dontaudit $1 domain:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
-+## Allow set resource limits to all domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`domain_setrlimit_all_domains',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow $1 domain:process setrlimit;
-+')
-+
-+########################################
-+##
-+## Allow set resource limits to all domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`domain_rlimitinh_all_domains',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow $1 domain:process rlimitinh;
- ')
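Review bot: The summary of `domain_rlimitinh_all_domains` is a copy of the one above it ("Allow set resource limits to all domains"), but the permission it grants is `rlimitinh`, not `setrlimit`. Suggest `## Allow resource limits to be inherited across transitions to all domains.` Separately, `domain_transition_all` grants `process transition` to every domain and its summary should warn that this effectively bypasses domain confinement for the caller, e.g. `## Allow caller to transition to any domain (unconfined-level access; use only for init-like domains).` The `domain_unconfined` interface at the top of the hunk starts outside it.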
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb509..5831355b0 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
- #
- # Declarations
- #
-+##
-+##
-+## Allow all domains to use other domains file descriptors
-+##
-+##
-+#
-+gen_tunable(domain_fd_use, true)
-+
-+##
-+##
-+## Allow all domains to execute in fips_mode
-+##
-+##
-+#
-+gen_tunable(fips_mode, true)
-+
-+##
-+##
-+## Allow all domains to have the kernel load modules
-+##
-+##
-+#
-+gen_tunable(domain_kernel_load_modules, false)
-
- ##
- ##
- ## Control the ability to mmap a low area of the address space,
--## as configured by /proc/sys/kernel/mmap_min_addr.
-+## as configured by /proc/sys/vm/mmap_min_addr.
- ##
- ##
- gen_tunable(mmap_low_allowed, false)
-
-+##
-+##
-+## Allow all domains write to kmsg_device,
-+## while kernel is executed with systemd.log_target=kmsg parameter.
-+##
-+##
-+gen_tunable(domain_can_write_kmsg, false)
-+
- # Mark process types as domains
- attribute domain;
-+attribute named_filetrans_domain;
-
- # Transitions only allowed from domains to other domains
- neverallow domain ~domain:process { transition dyntransition };
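Review bot: The new `fips_mode` tunable defaults to true but its description ("Allow all domains to execute in fips_mode") does not say what it grants; further down this patch it gives every domain `manage_fifo_file_perms` on self, `kernel_read_kernel_sysctls` and `prelink_exec`. Describe the grant so an administrator can judge it: `## Allow all domains the extra fifo, kernel-sysctl and prelink access needed when the system runs in FIPS mode.` The same applies to `domain_fd_use`, which also defaults to true and lets every domain use file descriptors inherited from any other domain; say that it weakens fd isolation between domains.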
-@@ -86,23 +118,59 @@ neverallow ~{ domain unlabeled_t } *:process *;
- allow domain self:dir list_dir_perms;
- allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
- allow domain self:file rw_file_perms;
-+allow domain self:fifo_file rw_fifo_file_perms;
-+allow domain self:sem create_sem_perms;
-+allow domain self:shm create_shm_perms;
-+
- kernel_read_proc_symlinks(domain)
-+kernel_read_crypto_sysctls(domain)
-+kernel_read_vm_overcommit_sysctls(domain)
-+
- # Every domain gets the key ring, so we should default
- # to no one allowed to look at it; afs kernel support creates
- # a keyring
- kernel_dontaudit_search_key(domain)
- kernel_dontaudit_link_key(domain)
-+kernel_dontaudit_search_debugfs(domain)
-
- # create child processes in the domain
--allow domain self:process { fork sigchld };
-+allow domain self:process { getcap fork getsched signal_perms };
-
- # Use trusted objects in /dev
-+dev_read_cpu_online(domain)
- dev_rw_null(domain)
- dev_rw_zero(domain)
- term_use_controlling_term(domain)
-
-+# Allow all domains to read /dev/urandom. It is needed by all apps/services
-+# linked to libgcrypt. There is no harm to allow it by default.
-+dev_read_urand(domain)
-+
- # list the root directory
- files_list_root(domain)
-+# allow all domains to search through base_file_type directory, since users
-+# sometimes place labels within these directories. (samba_share_t) for example.
-+files_search_base_file_types(domain)
-+
-+files_read_inherited_tmp_files(domain)
-+files_append_inherited_tmp_files(domain)
-+files_read_all_base_ro_files(domain)
-+files_dontaduit_getattr_kernel_symbol_table(domain)
-+
-+# All executables should be able to search the directory they are in
-+corecmd_search_bin(domain)
-+
-+optional_policy(`
-+ userdom_search_admin_dir(domain)
-+')
-+
-+tunable_policy(`domain_can_write_kmsg',`
-+ dev_write_kmsg(domain)
-+')
-+
-+tunable_policy(`domain_kernel_load_modules',`
-+ kernel_request_load_module(domain)
-+')
-
- ifdef(`hide_broken_symptoms',`
- # This check is in the general socket
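Review bot: `tunable_policy(`domain_kernel_load_modules'` wraps `kernel_request_load_module(domain)`, which lets any domain trigger kernel module autoloading; since autoload reaches otherwise-unloaded kernel code, the tunable's description earlier in the file should state that risk rather than just "have the kernel load modules". Also, `files_dontaduit_getattr_kernel_symbol_table(domain)` is misspelled ("dontaduit") — if the interface in files.if is spelled the same way it will build, but the name should be fixed in both places before it spreads. The dev_read_urand comment is fine, though "no harm" should be qualified by the MLS caveat that urandom is shared across levels.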
-@@ -121,8 +189,19 @@ tunable_policy(`global_ssp',`
- ')
-
- optional_policy(`
-+ afs_rw_cache(domain)
-+')
-+
-+optional_policy(`
- libs_use_ld_so(domain)
- libs_use_shared_libs(domain)
-+ libs_read_lib_files(domain)
-+')
-+
-+optional_policy(`
-+ miscfiles_read_localization(domain)
-+ miscfiles_read_man_pages(domain)
-+ miscfiles_read_fonts(domain)
- ')
-
- optional_policy(`
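Review bot: `afs_rw_cache(domain)` gives every domain read/write access to the AFS cache unconditionally, with no comment, whereas the other AFS concession in this patch (`afs_rw_udp_sockets(domain)`) is kept under `hide_broken_symptoms`. Either move this under the same guard or explain why every domain legitimately needs it, e.g. `# the afs kernel module hands its cache fds to arbitrary processes; allow rw rather than spraying denials`. The miscfiles_read_* and libs_read_lib_files additions are uncontroversial.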
-@@ -133,6 +212,9 @@ optional_policy(`
- optional_policy(`
- xserver_dontaudit_use_xdm_fds(domain)
- xserver_dontaudit_rw_xdm_pipes(domain)
-+ xserver_dontaudit_append_xdm_home_files(domain)
-+ xserver_dontaudit_write_log(domain)
-+ xserver_dontaudit_xdm_rw_stream_sockets(domain)
- ')
-
- ########################################
-@@ -145,14 +227,21 @@ optional_policy(`
- # be used on an attribute.
-
- # Use/sendto/connectto sockets created by any domain.
-+allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
- allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
-
-+allow unconfined_domain_type domain:system all_system_perms;
- # Use descriptors and pipes created by any domain.
- allow unconfined_domain_type domain:fd use;
- allow unconfined_domain_type domain:fifo_file rw_file_perms;
-
-+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
-+
- # Act upon any other process.
--allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
-+tunable_policy(`deny_ptrace',`',`
-+ allow unconfined_domain_type domain:process ptrace;
-+')
-
- # Create/access any System V IPC objects.
- allow unconfined_domain_type domain:{ sem msgq shm } *;
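Review bot: `allow unconfined_domain_type self:cap_userns all_cap_userns_perms;` is placed directly under the comment "Use/sendto/connectto sockets created by any domain", which no longer describes it, and `domain:system all_system_perms` is likewise uncommented. Give each its own line, e.g. `# full capability set inside user namespaces` and `# all system-class operations (module loading, syslog control, ...) on any domain`. Gating `ptrace` on `deny_ptrace` is a good change and could also carry a one-line note that the boolean removes ptrace even from unconfined domains.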
-@@ -160,11 +249,393 @@ allow unconfined_domain_type domain:msg { send receive };
-
- # For /proc/pid
- allow unconfined_domain_type domain:dir list_dir_perms;
--allow unconfined_domain_type domain:file rw_file_perms;
-+allow unconfined_domain_type domain:file manage_file_perms;
- allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
-
- # act on all domains keys
- allow unconfined_domain_type domain:key *;
-
-+corenet_filetrans_all_named_dev(named_filetrans_domain)
-+
-+dev_filetrans_all_named_dev(named_filetrans_domain)
-+
- # receive from all domains over labeled networking
- domain_all_recvfrom_all_domains(unconfined_domain_type)
-+
-+files_filetrans_named_content(named_filetrans_domain)
-+files_filetrans_system_conf_named_files(named_filetrans_domain)
-+files_config_all_files(unconfined_domain_type)
-+dev_config_null_dev_service(unconfined_domain_type)
-+
-+optional_policy(`
-+ kdump_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ fstools_filetrans_named_content_fsadm(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ container_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ ipa_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ locallogin_filetrans_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mandb_filetrans_named_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ snapper_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ seutil_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ wine_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+storage_filetrans_all_named_dev(named_filetrans_domain)
-+
-+term_filetrans_all_named_dev(named_filetrans_domain)
-+
-+optional_policy(`
-+ init_disable_services(unconfined_domain_type)
-+ init_enable_services(unconfined_domain_type)
-+ init_reload_services(unconfined_domain_type)
-+ init_status(unconfined_domain_type)
-+ init_reboot(unconfined_domain_type)
-+ init_halt(unconfined_domain_type)
-+ init_undefined(unconfined_domain_type)
-+ init_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+# Allow manage transient unit files
-+optional_policy(`
-+ init_start_transient_unit(unconfined_domain_type)
-+ init_stop_transient_unit(unconfined_domain_type)
-+ init_status_transient_unit(unconfined_domain_type)
-+ init_reload_transient_unit(unconfined_domain_type)
-+ init_enable_transient_unit(unconfined_domain_type)
-+ init_disable_transient_unit(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ auth_filetrans_named_content(named_filetrans_domain)
-+ auth_filetrans_admin_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ libs_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ logging_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ miscfiles_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ abrt_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ alsa_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ apache_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ apcupsd_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ bootloader_filetrans_config(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ clock_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ cups_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ cvs_filetrans_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ dbus_filetrans_named_content_system(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ devicekit_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ dnsmasq_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_admin_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ iscsi_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ iptables_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mplayer_filetrans_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ modules_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mysql_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ networkmanager_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ ntp_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ nx_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ plymouthd_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ postgresql_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ postfix_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ prelink_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ pulseaudio_filetrans_admin_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ quota_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ rpcbind_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ rsync_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ sysnet_filetrans_named_content(named_filetrans_domain)
-+ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
-+ sysnet_filetrans_named_content(unconfined_domain_type)
-+ sysnet_filetrans_named_content_ifconfig(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ systemd_login_status(unconfined_domain_type)
-+ systemd_login_reboot(unconfined_domain_type)
-+ systemd_login_halt(unconfined_domain_type)
-+ systemd_login_undefined(unconfined_domain_type)
-+ systemd_filetrans_named_content(named_filetrans_domain)
-+ systemd_filetrans_named_hostname(named_filetrans_domain)
-+ systemd_filetrans_home_content(named_filetrans_domain)
-+ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
-+')
-+
-+optional_policy(`
-+ sssd_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ tftp_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file })
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(named_filetrans_domain)
-+ ssh_filetrans_keys(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+selinux_getattr_fs(domain)
-+selinux_search_fs(domain)
-+selinux_dontaudit_read_fs(domain)
-+
-+optional_policy(`
-+ seutil_dontaudit_read_config(domain)
-+')
-+
-+optional_policy(`
-+ init_sigchld(domain)
-+ init_signull(domain)
-+ init_read_machineid(domain)
-+')
-+
-+ifdef(`distro_redhat',`
-+ files_search_mnt(domain)
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+ abrt_domtrans_helper(domain)
-+ abrt_read_pid_files(domain)
-+ abrt_read_state(domain)
-+ abrt_signull(domain)
-+ abrt_append_cache(domain)
-+ abrt_rw_fifo_file(domain)
-+')
-+
-+optional_policy(`
-+ sosreport_append_tmp_files(domain)
-+')
-+
-+tunable_policy(`domain_fd_use',`
-+ # Allow all domains to use fds past to them
-+ allow domain domain:fd use;
-+')
-+
-+optional_policy(`
-+ cron_dontaudit_write_system_job_tmp_files(domain)
-+ cron_rw_pipes(domain)
-+ cron_rw_system_job_pipes(domain)
-+')
-+
-+optional_policy(`
-+ devicekit_dbus_chat_power(domain)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit domain self:capability { net_admin };
-+ dontaudit domain self:udp_socket listen;
-+ allow domain domain:key { link search };
-+ dontaudit domain domain:socket_class_set { read write };
-+ dontaudit domain self:capability sys_module;
-+')
-+
-+optional_policy(`
-+ ipsec_match_default_spd(domain)
-+')
-+
-+optional_policy(`
-+ ifdef(`hide_broken_symptoms',`
-+ afs_rw_udp_sockets(domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ rolekit_dbus_chat(domain)
-+')
-+
-+optional_policy(`
-+ ssh_rw_pipes(domain)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(domain)
-+ unconfined_sigchld(domain)
-+')
-+
-+# broken kernel
-+dontaudit can_change_object_identity can_change_object_identity:key link;
-+dontaudit domain self:file create;
-+
-+ifdef(`distro_redhat',`
-+ optional_policy(`
-+ unconfined_use_fds(domain)
-+ ')
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+ puppet_rw_tmp(domain)
-+')
-+
-+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
-+
-+optional_policy(`
-+ rkhunter_append_lib_files(domain)
-+')
-+
-+optional_policy(`
-+ rpm_rw_script_inherited_pipes(domain)
-+ rpm_use_fds(domain)
-+ rpm_read_pipes(domain)
-+ rpm_search_log(domain)
-+ rpm_append_tmp_files(domain)
-+ rpm_dontaudit_leaks(domain)
-+ rpm_read_script_tmp_files(domain)
-+ rpm_inherited_fifo(domain)
-+ rpm_named_filetrans(named_filetrans_domain)
-+')
-+
-+tunable_policy(`fips_mode',`
-+ allow domain self:fifo_file manage_fifo_file_perms;
-+ kernel_read_kernel_sysctls(domain)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`fips_mode',`
-+ prelink_exec(domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ container_spc_stream_connect(domain)
-+')
-+
-+optional_policy(`
-+ unconfined_server_stream_connect(domain)
-+')
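Review bot: `allow domain domain:key { link search };` inside the `ifdef(`hide_broken_symptoms'` block is an allow rule among dontaudits, so building with that macro defined lets every domain search and link every other domain's keyrings — the opposite of the intent stated above ("we should default to no one allowed to look at it") and of the `domain_dontaudit_*_all_domains_keyrings` interfaces this patch adds. Change it to `dontaudit domain domain:key { link search };`, or move it out of the block with a rationale if the access is really required. Smaller issues in the same hunk: the "these seem questionable:" comment now appears twice, and the `distro_redhat`/`unconfined_use_fds(domain)` block is a near-duplicate of what the `domain_fd_use` tunable already grants.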
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48ad..2e591a538 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
- /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-
- ifdef(`distro_suse',`
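Review bot: The new catch-all `/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)` labels every regular file directly under / as etc_runtime_t, so any file dropped into the root directory inherits a type that the runtime writers of etc_runtime_t can modify, and it makes the specific /fsckoptions, /halt and /poweroff entries above it redundant. If the goal is only to cover the known root-level flag files (/.autorelabel and friends), list them explicitly; if the catch-all is intended, add a comment saying so and why. The `ifdef(`distro_redhat'` block begins outside this hunk.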
-@@ -27,7 +28,7 @@ ifdef(`distro_suse',`
- #
- # /boot
- #
--/boot -d gen_context(system_u:object_r:boot_t,s0)
-+/boot gen_context(system_u:object_r:boot_t,s0)
- /boot/.* gen_context(system_u:object_r:boot_t,s0)
- /boot/\.journal <>
- /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
-@@ -38,27 +39,36 @@ ifdef(`distro_suse',`
- #
- # /emul
- #
--/emul -d gen_context(system_u:object_r:usr_t,s0)
-+/emul gen_context(system_u:object_r:usr_t,s0)
- /emul/.* gen_context(system_u:object_r:usr_t,s0)
-
- #
- # /etc
- #
--/etc -d gen_context(system_u:object_r:etc_t,s0)
-+/etc gen_context(system_u:object_r:etc_t,s0)
- /etc/.* gen_context(system_u:object_r:etc_t,s0)
- /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
--/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+
-+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
-+
-+/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
-+/ostree/deploy/rhel-atomic-host/deploy(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
-
- /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-
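Review bot: `/etc/securetty -- etc_runtime_t` moves an administrator-maintained login-policy file (which ttys root may log in from) into the type used for files generated at runtime such as mtab and hwconf, so every domain allowed to write etc_runtime_t can now edit it. Unless a runtime generator really rewrites securetty, keep it etc_t; if one does, add a comment naming it above the entry. The consolidation of the mtab entries into `/etc/mtab.*` and the new system_conf_t entries look fine.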
-@@ -70,7 +80,10 @@ ifdef(`distro_suse',`
-
- /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+
-+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+
-
- ifdef(`distro_gentoo', `
- /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +91,6 @@ ifdef(`distro_gentoo', `
- /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-
--ifdef(`distro_redhat',`
--/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
--')
--
- ifdef(`distro_suse',`
- /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +113,7 @@ HOME_ROOT/lost\+found/.* <>
- /initrd -d gen_context(system_u:object_r:root_t,s0)
-
- #
--# /lib(64)?
-+# /lib
- #
- /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
-@@ -125,10 +134,13 @@ ifdef(`distro_debian',`
- #
- # Mount points; do not relabel subdirectories, since
- # we don't want to change any removable media by default.
--/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
-+/media(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0)
- /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
- /media/[^/]*/.* <>
- /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
-+/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
-+/var/run/media/.* <>
-+/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)
-
- #
- # /misc
-@@ -138,7 +150,7 @@ ifdef(`distro_debian',`
- #
- # /mnt
- #
--/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
-+/mnt(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0)
- /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
- /mnt/[^/]*/.* <>
-
-@@ -150,17 +162,22 @@ ifdef(`distro_debian',`
- #
- # /opt
- #
--/opt -d gen_context(system_u:object_r:usr_t,s0)
-+/opt gen_context(system_u:object_r:usr_t,s0)
- /opt/.* gen_context(system_u:object_r:usr_t,s0)
-
--/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-+/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-
- #
- # /proc
- #
--/proc -d <>
- /proc/.* <>
-
-+ifdef(`distro_redhat',`
-+/rhev -d gen_context(system_u:object_r:mnt_t,s0)
-+/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
-+/rhev/[^/]*/.* gen_context(system_u:object_r:mnt_t,s0)
-+')
-+
- #
- # /run
- #
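Review bot: In the `/rhev` block, `/rhev -d` is already matched by `/rhev(/[^/]*)? -d` on the next line, so the first entry is redundant. More importantly, `/rhev/[^/]*/.* gen_context(...mnt_t...)` relabels the contents of mounted storage, while the /media and /mnt sections above deliberately use `<<none>>` (rendered as `<>` here) so removable media is never relabeled; if rhev mounts are meant to be an exception, say so in a comment, otherwise use `<<none>>` for consistency.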
-@@ -169,6 +186,7 @@ ifdef(`distro_debian',`
- /run/.*\.*pid <>
- /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
-
-+/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0)
- #
- # /selinux
- #
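Review bot: The new `/sandbox(/.*)?` entry is inserted with no blank line between it and the `# /selinux` section header, unlike every other section in this file; add the separator. Labeling the whole tree tmp_t also deserves a one-line comment naming the sandbox tool that expects it, since tmp_t is widely writable.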
-@@ -178,13 +196,14 @@ ifdef(`distro_debian',`
- #
- # /srv
- #
--/srv -d gen_context(system_u:object_r:var_t,s0)
-+/srv gen_context(system_u:object_r:var_t,s0)
- /srv/.* gen_context(system_u:object_r:var_t,s0)
-
- #
- # /tmp
- #
--/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.* <>
- /tmp/\.journal <>
-
-@@ -194,9 +213,11 @@ ifdef(`distro_debian',`
- #
- # /usr
- #
--/usr -d gen_context(system_u:object_r:usr_t,s0)
-+/usr gen_context(system_u:object_r:usr_t,s0)
- /usr/.* gen_context(system_u:object_r:usr_t,s0)
- /usr/\.journal <>
-+/export(/.*)? gen_context(system_u:object_r:usr_t,s0)
-+/ostree(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
- /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
-@@ -204,15 +225,9 @@ ifdef(`distro_debian',`
-
- /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
--/usr/local/\.journal <>
--
--/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
--
--/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
--/usr/local/lost\+found/.* <>
--
- /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /usr/lost\+found/.* <>
-+/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
- /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-
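Review bot: Dropping `/usr/local/etc(/.*)? etc_t` means /usr/local/etc now falls back to usr_t via `/usr/.*`, so locally installed configuration is no longer distinguishable from program data; the removal of the /usr/local lost+found entries has the same effect for that directory. If this is intentional (e.g. the distribution no longer ships /usr/local/etc), a short comment in the /usr section would save the next reader the question. The new `/usr/lib/modules` entry is correct for merged-/usr layouts.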
-@@ -220,8 +235,6 @@ ifdef(`distro_debian',`
- /usr/tmp/.* <>
-
- ifndef(`distro_redhat',`
--/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
--
- /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
- /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
- ')
-@@ -229,19 +242,33 @@ ifndef(`distro_redhat',`
- #
- # /var
- #
--/var -d gen_context(system_u:object_r:var_t,s0)
-+/var gen_context(system_u:object_r:var_t,s0)
- /var/.* gen_context(system_u:object_r:var_t,s0)
- /var/\.journal <>
-
--/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
-+/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0)
-
- /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
-+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+
- /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-
- /var/lib/nfs/rpc_pipefs(/.*)? <>
-
--/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
-+/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+
-+/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+
-+/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0)
-+/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0)
-+
-+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
-+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
-+/var/lock/.* <>
-
- /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /var/log/lost\+found/.* <>
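Review bot: `/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0)` relabels everything under /var/db, whereas the rule it replaces matched only `\.db` files and labeled them etc_t; any domain that read those databases through an etc_t interface loses that access unless it is also granted a system_db_t interface, which this hunk does not show. The stickshift/openshift `.limits.d` and `*-proxy.d` entries label application-owned directories under /var/lib as etc_t, so whoever may write etc_t can alter those proxy and limit definitions; if that coupling is intended, say so next to the entries, e.g. `# openshift proxy/limits dirs are treated as system configuration (etc_t)`.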
-@@ -256,12 +283,14 @@ ifndef(`distro_redhat',`
- /var/run -l gen_context(system_u:object_r:var_run_t,s0)
- /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
- /var/run/.*\.*pid <>
-+/var/run/lock/.* <>
-
- /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
- /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
- /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
-+/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /var/tmp/.* <>
- /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /var/tmp/lost\+found/.* <>
-@@ -271,3 +300,7 @@ ifdef(`distro_debian',`
- /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- ')
-+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
-+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76ad..b36aea185 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -19,6 +19,136 @@
- ## Comains the file initial SID.
- ##
-
-+#####################################
-+##
-+## files stub etc_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_etc',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+')
-+
-+#####################################
-+##
-+## files stub var_lock_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_var_lock',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+')
-+
-+#####################################
-+##
-+## files stub var_log_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_var_log',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+')
-+
-+#####################################
-+##
-+## files stub var_lib_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_var_lib',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+')
-+
-+#####################################
-+##
-+## files stub var_run_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_var_run',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+')
-+
-+#####################################
-+##
-+## files stub var_run_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_var_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+')
-+
-+#####################################
-+##
-+## files stub var_run_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_var',`
-+ gen_require(`
-+ type var_t;
-+ ')
-+')
-+
-+
-+#####################################
-+##
-+## files stub tmp_t interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_stub_tmp',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+')
-+
-+
- ########################################
- ##
- ## Make the specified type usable for files
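Review bot: The header comments of `files_stub_var_spool` and `files_stub_var` both say `files stub var_run_t interface`, copied from the var_run stub, while their bodies require `var_spool_t` and `var_t`. Change them to `## files stub var_spool_t interface. No access allowed.` and `## files stub var_t interface. No access allowed.`. Every stub also documents a `Domain allowed access` parameter although none of the bodies references `$1`; either drop that parameter text or note that the argument is accepted only so call sites look uniform.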
-@@ -55,6 +185,7 @@
- ## files_pid_file()
- ## files_security_file()
- ## files_security_mountpoint()
-+## files_spool_file()
- ## files_tmp_file()
- ## files_tmpfs_file()
- ## logging_log_file()
-@@ -125,44 +256,59 @@ interface(`files_security_file',`
- typeattribute $1 file_type, security_file_type, non_auth_file_type;
- ')
-
-+
- ########################################
- ##
- ## Make the specified type usable for
--## lock files.
-+## filesystem mount points.
- ##
- ##
- ##
--## Type to be used for lock files.
-+## Type to be used for mount points.
- ##
- ##
- #
--interface(`files_lock_file',`
-+interface(`files_mountpoint',`
- gen_require(`
-- attribute lockfile;
-+ attribute mountpoint;
- ')
-
- files_type($1)
-- typeattribute $1 lockfile;
-+ typeattribute $1 mountpoint;
- ')
-
- ########################################
- ##
--## Make the specified type usable for
--## filesystem mount points.
-+## Create a private type object in mountpoint dir
-+## with an automatic type transition
- ##
--##
-+##
- ##
--## Type to be used for mount points.
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
- ##
- ##
- #
--interface(`files_mountpoint',`
-+interface(`files_mountpoint_filetrans',`
- gen_require(`
- attribute mountpoint;
- ')
-
-- files_type($1)
-- typeattribute $1 mountpoint;
-+ filetrans_pattern($1, mountpoint, $2, $3, $4)
- ')
-
- ########################################
-@@ -188,6 +334,26 @@ interface(`files_security_mountpoint',`
- ########################################
- ##
- ## Make the specified type usable for
-+## lock files.
-+##
-+##
-+##
-+## Type to be used for lock files.
-+##
-+##
-+#
-+interface(`files_lock_file',`
-+ gen_require(`
-+ attribute lockfile;
-+ ')
-+
-+ files_type($1)
-+ typeattribute $1 lockfile;
-+')
-+
-+########################################
-+##
-+## Make the specified type usable for
- ## runtime process ID files.
- ##
- ##
-@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',`
- attribute non_security_file_type;
- ')
-
-- allow $1 non_security_file_type:dir mounton;
-+ allow $1 non_security_file_type:dir { write setattr mounton };
- allow $1 non_security_file_type:file mounton;
- ')
-
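Review bot: `allow $1 non_security_file_type:dir { write setattr mounton };` turns `files_mounton_non_security` into a write-and-setattr grant over nearly every directory type on the system, which neither the interface name nor its existing callers advertise. Callers that really need to create or chmod a mount point can use `files_write_non_security_dirs()` (visible just below) or the new `files_setattr_non_security_dirs()` next to it, keeping this line at `allow $1 non_security_file_type:dir mounton;`. The interface's opening lines are outside the hunk.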
-@@ -545,6 +711,24 @@ interface(`files_write_non_security_dirs',`
-
- ########################################
- ##
-+## Allow attempts to setattr any directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_non_security_dirs',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ allow $1 non_security_file_type:dir { read setattr };
-+')
-+
-+########################################
-+##
- ## Allow attempts to manage non-security directories
- ##
- ##
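Review bot: `files_setattr_non_security_dirs` grants `{ read setattr }` while its header promises only setattr; `read` on a directory is list access over every non-security directory type. Either reduce the line to `allow $1 non_security_file_type:dir setattr;` or name the extra permission in the description, e.g. `## Allow attempts to read and setattr any non-security directory`.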
-@@ -582,6 +766,42 @@ interface(`files_getattr_all_files',`
-
- ########################################
- ##
-+## Get the attributes of all chr files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_all_chr_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ getattr_chr_files_pattern($1, file_type, file_type)
-+')
-+
-+########################################
-+##
-+## Get the attributes of all blk files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_all_blk_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ getattr_blk_files_pattern($1, file_type, file_type)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes
- ## of all files.
- ##
-@@ -620,6 +840,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
-
- ########################################
- ##
-+## Do not audit attempts to search
-+## non security dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_non_security_dirs',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of non security files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_setattr_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:file setattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of non security directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_setattr_non_security_dirs',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:dir setattr;
-+')
-+
-+########################################
-+##
- ## Read all files.
- ##
- ##
-@@ -683,129 +960,261 @@ interface(`files_read_non_security_files',`
- attribute non_security_file_type;
- ')
-
-+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
- read_files_pattern($1, non_security_file_type, non_security_file_type)
- read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
- ')
-
- ########################################
- ##
--## Read all directories on the filesystem, except
--## the listed exceptions.
-+## Map all non-security files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The types to be excluded. Each type or attribute
--## must be negated by the caller.
--##
--##
-+##
- #
--interface(`files_read_all_dirs_except',`
-+interface(`files_map_non_security_files',`
- gen_require(`
-- attribute file_type;
-+ attribute non_security_file_type;
- ')
-
-- allow $1 { file_type $2 }:dir list_dir_perms;
-+ allow $1 non_security_file_type:file map;
- ')
-
- ########################################
- ##
--## Read all files on the filesystem, except
--## the listed exceptions.
-+## Read/Write all inherited non-security files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The types to be excluded. Each type or attribute
--## must be negated by the caller.
--##
--##
-+##
- #
--interface(`files_read_all_files_except',`
-+interface(`files_rw_inherited_non_security_files',`
- gen_require(`
-- attribute file_type;
-+ attribute non_security_file_type;
- ')
-
-- read_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ allow $1 non_security_file_type:file { read write };
- ')
-
- ########################################
- ##
--## Read all symbolic links on the filesystem, except
--## the listed exceptions.
-+## Manage all non-security files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The types to be excluded. Each type or attribute
--## must be negated by the caller.
--##
--##
-+##
- #
--interface(`files_read_all_symlinks_except',`
-+interface(`files_manage_non_security_files',`
- gen_require(`
-- attribute file_type;
-+ attribute non_security_file_type;
- ')
-
-- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
-+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
- ')
-
- ########################################
- ##
--## Get the attributes of all symbolic links.
-+## Relabel all non-security files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_getattr_all_symlinks',`
-+interface(`files_relabel_non_security_files',`
- gen_require(`
-- attribute file_type;
-+ attribute non_security_file_type;
- ')
-
-- getattr_lnk_files_pattern($1, file_type, file_type)
-+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
-+ allow $1 { non_security_file_type }:dir list_dir_perms;
-+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+
-+ # satisfy the assertions:
-+ seutil_relabelto_bin_policy($1)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all symbolic links.
-+## Search all base file dirs.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_symlinks',`
-+interface(`files_search_base_file_types',`
- gen_require(`
-- attribute file_type;
-+ attribute base_file_type;
- ')
-
-- dontaudit $1 file_type:lnk_file getattr;
-+ allow $1 base_file_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read all symbolic links.
-+## Relabel all base file types.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_base_file_types',`
-+ gen_require(`
-+ attribute base_file_type;
-+ ')
-+
-+ allow $1 base_file_type:dir list_dir_perms;
-+ relabel_dirs_pattern($1, base_file_type , base_file_type )
-+ relabel_files_pattern($1, base_file_type , base_file_type )
-+ relabel_lnk_files_pattern($1, base_file_type , base_file_type )
-+ relabel_fifo_files_pattern($1, base_file_type , base_file_type )
-+ relabel_sock_files_pattern($1, base_file_type , base_file_type )
-+ relabel_blk_files_pattern($1, base_file_type , base_file_type )
-+ relabel_chr_files_pattern($1, base_file_type , base_file_type )
-+')
-+
-+########################################
-+##
-+## Read all directories on the filesystem, except
-+## the listed exceptions.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The types to be excluded. Each type or attribute
-+## must be negated by the caller.
-+##
-+##
-+#
-+interface(`files_read_all_dirs_except',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 { file_type $2 }:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read all files on the filesystem, except
-+## the listed exceptions.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The types to be excluded. Each type or attribute
-+## must be negated by the caller.
-+##
-+##
-+#
-+interface(`files_read_all_files_except',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ read_files_pattern($1, { file_type $2 }, { file_type $2 })
-+')
-+
-+########################################
-+##
-+## Read all symbolic links on the filesystem, except
-+## the listed exceptions.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The types to be excluded. Each type or attribute
-+## must be negated by the caller.
-+##
-+##
-+#
-+interface(`files_read_all_symlinks_except',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
-+')
-+
-+########################################
-+##
-+## Get the attributes of all symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_all_symlinks',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ getattr_lnk_files_pattern($1, file_type, file_type)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of all symbolic links.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_all_symlinks',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:lnk_file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read all symbolic links.
-+##
-+##
-+##
-+## Domain to not audit.
- ##
- ##
- #
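Review bot: In `files_relabel_non_security_files`, `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` is issued twice (the first body line and again in the braced list); dropping the first copy is a one-line cleanup. The same interface now also grants `relabel_blk_files_pattern` and `relabel_chr_files_pattern`, i.e. relabelto of device nodes to any non-security file type, and `files_relabel_all_files` further down removes the comment that explained why only relabelfrom was granted for device nodes. If relabelto on device nodes is now required, keep that reasoning in the file with a comment such as `# relabelto on blk/chr files is deliberate: <reason>`; otherwise use the relabelfrom patterns as `files_relabel_non_auth_files` still does.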
-@@ -953,6 +1362,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
-
- ########################################
- ##
-+## Do not audit attempts to read/write
-+## of non security named pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_pipes',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
- ## Get the attributes of all named sockets.
- ##
- ##
-@@ -991,6 +1419,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
-
- ########################################
- ##
-+## Do not audit attempts to read
-+## of all named sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_all_sockets',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:sock_file read;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read
-+## of all security file types.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_all_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes
- ## of non security named sockets.
- ##
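Review bot: The description of `files_dontaudit_read_all_non_security_files` reads `of all security file types`, the opposite of what the body (`non_security_file_type`) covers; change it to `## of all non-security files.`. The sibling `files_dontaudit_read_all_sockets` in the same hunk is described accurately.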
-@@ -1073,13 +1539,12 @@ interface(`files_relabel_all_files',`
- relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
-- # this is only relabelfrom since there should be no
-- # device nodes with file types.
-- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
-+ auth_relabelto_shadow($1)
- ')
-
- ########################################
-@@ -1140,6 +1605,8 @@ interface(`files_manage_all_files',`
- # satisfy the assertions:
- seutil_create_bin_policy($1)
- files_manage_kernel_modules($1)
-+ auth_reader_shadow($1)
-+ auth_writer_shadow($1)
- ')
-
- ########################################
-@@ -1182,24 +1649,6 @@ interface(`files_list_all',`
-
- ########################################
- ##
--## Create all files as is.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`files_create_all_files_as',`
-- gen_require(`
-- attribute file_type;
-- ')
--
-- allow $1 file_type:kernel_service create_files_as;
--')
--
--########################################
--##
- ## Do not audit attempts to search the
- ## contents of any directories on extended
- ## attribute filesystems.
-@@ -1444,8 +1893,8 @@ interface(`files_relabel_non_auth_files',`
- relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
- relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
-
-- # satisfy the assertions:
-- seutil_relabelto_bin_policy($1)
-+ # satisfy the assertions:
-+ seutil_relabelto_bin_policy($1)
- ')
-
- #############################################
-@@ -1601,6 +2050,24 @@ interface(`files_setattr_all_mountpoints',`
-
- ########################################
- ##
-+## Set the attributes of all mount points.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ allow $1 mountpoint:dir relabelto;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to set the attributes on all mount points.
- ##
- ##
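Review bot: `files_relabelto_all_mountpoints` is documented as `Set the attributes of all mount points.`, copied from `files_setattr_all_mountpoints` above it, while the body grants `relabelto`. The header should read `## Relabel to all mount point directory types.` so a reader grepping for relabel grants finds it.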
-@@ -1691,6 +2158,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
-
- ########################################
- ##
-+## Write all mount points.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ allow $1 mountpoint:dir write;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write to mount points.
- ##
- ##
-@@ -1703,81 +2188,210 @@ interface(`files_dontaudit_write_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- ')
-+ dontaudit $1 self:capability { dac_read_search };
-
- dontaudit $1 mountpoint:dir write;
- ')
-
- ########################################
- ##
--## List the contents of the root directory.
-+## Do not audit attempts to unmount all mount points.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_root',`
-+interface(`files_dontaudit_unmount_all_mountpoints',`
- gen_require(`
-- type root_t;
-+ attribute mountpoint;
- ')
-
-- allow $1 root_t:dir list_dir_perms;
-- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
-+ dontaudit $1 mountpoint:filesystem unmount;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to / dirs.
-+## Read all mountpoint symbolic links.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_root_dirs',`
-+interface(`files_read_all_mountpoint_symlinks',`
- gen_require(`
-- type root_t;
-+ attribute mountpoint;
- ')
-
-- dontaudit $1 root_t:dir write;
-+ allow $1 mountpoint:lnk_file read_lnk_file_perms;
- ')
-
--###################
-+
-+########################################
- ##
--## Do not audit attempts to write
--## files in the root directory.
-+## Make all mountpoint as entrypoint.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_root_dir',`
-+interface(`files_entrypoint_all_mountpoint',`
- gen_require(`
-- type root_t;
-+ attribute mountpoint;
- ')
-
-- dontaudit $1 root_t:dir rw_dir_perms;
-+ allow $1 mountpoint:file entrypoint;
- ')
-
- ########################################
- ##
--## Create an object in the root directory, with a private
--## type using a type transition.
-+## Remove all file type directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
-+#
-+interface(`files_rmdir_all_dirs',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:dir rmdir;
-+')
-+
-+########################################
-+##
-+## Write all file type directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_dirs',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:dir write;
-+')
-+
-+########################################
-+##
-+## List the contents of the root directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_root',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir list_dir_perms;
-+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
-+')
-+########################################
-+##
-+## Do not audit attempts to write to / dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_write_root_dirs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to / dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_write_root_dirs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:dir write;
-+')
-+
-+###################
-+##
-+## Do not audit attempts to write
-+## files in the root directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_root_dir',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to check the
-+## access on root directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_access_check_root',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:dir_file_class_set audit_access;
-+')
-+
-+
-+########################################
-+##
-+## Create an object in the root directory, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
- ##
- ##
- ## The object class of the object being created.
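Review bot: `dontaudit $1 self:capability { dac_read_search };` is added to `files_dontaudit_write_all_mountpoints`, an interface named and documented as a mount-point directory rule, so every existing caller silently stops logging DAC-override probes. Move it to the callers that need it, or document the coupling with `# dac_read_search: callers hit this when probing mount points they cannot traverse (confirm)`. Also, `files_write_root_dirs` is an `allow` but its header (`Do not audit attempts to write to / dirs.`, `Domain to not audit.`) was copied from `files_dontaudit_write_root_dirs`; it should read `## Write to the root directory.` and `## Domain allowed access.`.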
-@@ -1892,25 +2506,25 @@ interface(`files_delete_root_dir_entry',`
-
- ########################################
- ##
--## Associate to root file system.
-+## Set attributes of the root directory.
- ##
--##
-+##
- ##
--## Type of the file to associate.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_associate_rootfs',`
-+interface(`files_setattr_root_dirs',`
- gen_require(`
- type root_t;
- ')
-
-- allow $1 root_t:filesystem associate;
-+ allow $1 root_t:dir setattr_dir_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from rootfs file system.
-+## Relabel a rootfs filesystem.
- ##
- ##
- ##
-@@ -1923,7 +2537,7 @@ interface(`files_relabel_rootfs',`
- type root_t;
- ')
-
-- allow $1 root_t:filesystem { relabelto relabelfrom };
-+ allow $1 root_t:filesystem relabel_file_perms;
- ')
-
- ########################################
-@@ -1946,6 +2560,42 @@ interface(`files_unmount_rootfs',`
-
- ########################################
- ##
-+## Mount a filesystem on the root file system
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_rootfs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir { search_dir_perms mounton };
-+')
-+
-+########################################
-+##
-+## Mount a filesystem on the root file system
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_dontaudit_mounton_rootfs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Get attributes of the /boot directory.
- ##
- ##
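Review bot: `files_dontaudit_mounton_rootfs` carries the header `Mount a filesystem on the root file system` and `Domain allowed access.`, copied from `files_mounton_rootfs` above it, although its body is a dontaudit; change them to `## Do not audit attempts to mount on the root directory.` and `## Domain to not audit.`. `files_mounton_rootfs` itself grants `{ search_dir_perms mounton }`, and the search part is not mentioned in its description either.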
-@@ -2181,6 +2831,24 @@ interface(`files_relabelfrom_boot_files',`
- relabelfrom_files_pattern($1, boot_t, boot_t)
- ')
-
-+########################################
-+##
-+## Relabel to files in the /boot directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_boot_files',`
-+ gen_require(`
-+ type boot_t;
-+ ')
-+
-+ relabelto_files_pattern($1, boot_t, boot_t)
-+')
-+
- ######################################
- ##
- ## Read symbolic links in the /boot directory.
-@@ -2557,6 +3225,24 @@ interface(`files_read_default_pipes',`
-
- ########################################
- ##
-+## Mounton directories on filesystem /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_etc',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ allow $1 etc_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Search the contents of /etc directories.
- ##
- ##
-@@ -2645,6 +3331,24 @@ interface(`files_rw_etc_dirs',`
- allow $1 etc_t:dir rw_dir_perms;
- ')
-
-+#######################################
-+##
-+## Dontaudit remove dir /etc directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_remove_etc_dir',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ dontaudit $1 etc_t:dir rmdir;
-+')
-+
- ##########################################
- ##
- ## Manage generic directories in /etc
-@@ -2716,6 +3420,7 @@ interface(`files_read_etc_files',`
- allow $1 etc_t:dir list_dir_perms;
- read_files_pattern($1, etc_t, etc_t)
- read_lnk_files_pattern($1, etc_t, etc_t)
-+ files_read_etc_runtime_files($1)
- ')
-
- ########################################
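Review bot: `files_read_etc_runtime_files($1)` inside `files_read_etc_files` widens every existing caller of the generic /etc read interface to etc_runtime_t without any caller opting in. If that is the intended policy-wide change, state it in the interface header, e.g. `## Also grants read access to etc_runtime_t files such as mtab`; otherwise leave the call to the callers that need it. `files_read_etc_files` starts outside the hunk.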
-@@ -2724,7 +3429,7 @@ interface(`files_read_etc_files',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2780,6 +3485,25 @@ interface(`files_manage_etc_files',`
-
- ########################################
- ##
-+## Do not audit attempts to check the
-+## access on etc files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_access_check_etc',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ dontaudit $1 etc_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
- ## Delete system configuration files in /etc.
- ##
- ##
-@@ -2798,6 +3522,24 @@ interface(`files_delete_etc_files',`
-
- ########################################
- ##
-+## Remove entries from the etc directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_etc_dir_entry',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ allow $1 etc_t:dir del_entry_dir_perms;
-+')
-+
-+########################################
-+##
- ## Execute generic files in /etc.
- ##
- ##
-@@ -2963,24 +3705,6 @@ interface(`files_delete_boot_flag',`
-
- ########################################
- ##
--## Do not audit attempts to set the attributes of the etc_runtime files
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`files_dontaudit_setattr_etc_runtime_files',`
-- gen_require(`
-- type etc_runtime_t;
-- ')
--
-- dontaudit $1 etc_runtime_t:file setattr;
--')
--
--########################################
--##
- ## Read files in /etc that are dynamically
- ## created on boot, such as mtab.
- ##
-@@ -3021,9 +3745,7 @@ interface(`files_read_etc_runtime_files',`
-
- ########################################
- ##
--## Do not audit attempts to read files
--## in /etc that are dynamically
--## created on boot, such as mtab.
-+## Do not audit attempts to set the attributes of the etc_runtime files
- ##
- ##
- ##
-@@ -3031,18 +3753,17 @@ interface(`files_read_etc_runtime_files',`
- ##
- ##
- #
--interface(`files_dontaudit_read_etc_runtime_files',`
-+interface(`files_dontaudit_setattr_etc_runtime_files',`
- gen_require(`
- type etc_runtime_t;
- ')
-
-- dontaudit $1 etc_runtime_t:file { getattr read };
-+ dontaudit $1 etc_runtime_t:file setattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write
--## etc runtime files.
-+## Do not audit attempts to write etc_runtime files
- ##
- ##
- ##
-@@ -3060,6 +3781,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
-
- ########################################
- ##
-+## Do not audit attempts to read files
-+## in /etc that are dynamically
-+## created on boot, such as mtab.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_etc_runtime_files',`
-+ gen_require(`
-+ type etc_runtime_t;
-+ ')
-+
-+ dontaudit $1 etc_runtime_t:file { getattr read };
-+')
-+
-+########################################
-+##
- ## Read and write files in /etc that are dynamically
- ## created on boot, such as mtab.
- ##
-@@ -3077,6 +3818,7 @@ interface(`files_rw_etc_runtime_files',`
-
- allow $1 etc_t:dir list_dir_perms;
- rw_files_pattern($1, etc_t, etc_runtime_t)
-+ read_lnk_files_pattern($1, etc_t, etc_t)
- ')
-
- ########################################
-@@ -3098,6 +3840,7 @@ interface(`files_manage_etc_runtime_files',`
- ')
-
- manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
-+ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
- ')
-
- ########################################
-@@ -3142,10 +3885,48 @@ interface(`files_etc_filetrans_etc_runtime',`
- #
- interface(`files_getattr_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Getattr all file opbjects on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_isid_type',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir_file_class_set getattr;
-+')
-+
-+########################################
-+##
-+## Setattr of directories on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_isid_type_dirs',`
-+ gen_require(`
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:dir getattr;
-+ allow $1 unlabeled_t:dir setattr;
- ')
-
- ########################################
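Review bot: Typo in the header of `files_getattr_isid_type`: `opbjects` should be `objects`; the same word appears in `files_relabelfrom_isid_type`, and `Moundon` in `files_mounton_isid`, both in the following hunk, which runs past the end of this chunk. The switch from `file_t` to `unlabeled_t` in this and the next four hunks changes which type the isid interfaces require, so unless `file_t` is aliased to `unlabeled_t` elsewhere in the policy (not visible here), every remaining declaration of `file_t` in the module's .te needs the same update. Note also that `files_getattr_isid_type` grants getattr on `dir_file_class_set`, i.e. every file-like class of unlabeled_t, which is broader than the dir-only sibling above it.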
-@@ -3161,10 +3942,10 @@ interface(`files_getattr_isid_type_dirs',`
- #
- interface(`files_dontaudit_search_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- dontaudit $1 file_t:dir search_dir_perms;
-+ dontaudit $1 unlabeled_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -3180,10 +3961,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
- #
- interface(`files_list_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:dir list_dir_perms;
-+ allow $1 unlabeled_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -3199,10 +3980,10 @@ interface(`files_list_isid_type_dirs',`
- #
- interface(`files_rw_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:dir rw_dir_perms;
-+ allow $1 unlabeled_t:dir rw_dir_perms;
- ')
-
- ########################################
-@@ -3218,10 +3999,66 @@ interface(`files_rw_isid_type_dirs',`
- #
- interface(`files_delete_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
-+ ')
-+
-+ delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
-+')
-+########################################
-+##
-+## Execute files on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_exec_isid_files',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ can_exec($1, unlabeled_t)
-+')
-+
-+########################################
-+##
-+## Moundon directories on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_isid',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir mounton;
-+')
-+
-+########################################
-+##
-+## Relabelfrom all file opbjects on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_isid_type',`
-+ gen_require(`
-+ type unlabeled_t;
- ')
-
-- delete_dirs_pattern($1, file_t, file_t)
-+ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
- ')
-
- ########################################
-@@ -3237,10 +4074,10 @@ interface(`files_delete_isid_type_dirs',`
- #
- interface(`files_manage_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:dir manage_dir_perms;
-+ allow $1 unlabeled_t:dir manage_dir_perms;
- ')
-
- ########################################
-@@ -3256,10 +4093,29 @@ interface(`files_manage_isid_type_dirs',`
- #
- interface(`files_mounton_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir { search_dir_perms mounton };
-+')
-+
-+########################################
-+##
-+## Mount a filesystem on a new chr_file
-+## that has not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_isid_type_chr_file',`
-+ gen_require(`
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:dir { search_dir_perms mounton };
-+ allow $1 unlabeled_t:chr_file mounton;
- ')
-
- ########################################
-@@ -3275,10 +4131,10 @@ interface(`files_mounton_isid_type_dirs',`
- #
- interface(`files_read_isid_type_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:file read_file_perms;
-+ allow $1 unlabeled_t:file read_file_perms;
- ')
-
- ########################################
-@@ -3294,10 +4150,10 @@ interface(`files_read_isid_type_files',`
- #
- interface(`files_delete_isid_type_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- delete_files_pattern($1, file_t, file_t)
-+ delete_files_pattern($1, unlabeled_t, unlabeled_t)
- ')
-
- ########################################
-@@ -3313,10 +4169,10 @@ interface(`files_delete_isid_type_files',`
- #
- interface(`files_delete_isid_type_symlinks',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- delete_lnk_files_pattern($1, file_t, file_t)
-+ delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
- ')
-
- ########################################
-@@ -3332,10 +4188,10 @@ interface(`files_delete_isid_type_symlinks',`
- #
- interface(`files_delete_isid_type_fifo_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- delete_fifo_files_pattern($1, file_t, file_t)
-+ delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
- ')
-
- ########################################
-@@ -3351,10 +4207,10 @@ interface(`files_delete_isid_type_fifo_files',`
- #
- interface(`files_delete_isid_type_sock_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- delete_sock_files_pattern($1, file_t, file_t)
-+ delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
- ')
-
- ########################################
-@@ -3370,10 +4226,10 @@ interface(`files_delete_isid_type_sock_files',`
- #
- interface(`files_delete_isid_type_blk_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- delete_blk_files_pattern($1, file_t, file_t)
-+ delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
- ')
-
- ########################################
-@@ -3389,10 +4245,10 @@ interface(`files_delete_isid_type_blk_files',`
- #
- interface(`files_dontaudit_write_isid_chr_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- dontaudit $1 file_t:chr_file write;
-+ dontaudit $1 unlabeled_t:chr_file write;
- ')
-
- ########################################
-@@ -3408,10 +4264,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
- #
- interface(`files_delete_isid_type_chr_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- delete_chr_files_pattern($1, file_t, file_t)
-+ delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
- ')
-
- ########################################
-@@ -3427,10 +4283,10 @@ interface(`files_delete_isid_type_chr_files',`
- #
- interface(`files_manage_isid_type_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:file manage_file_perms;
-+ allow $1 unlabeled_t:file manage_file_perms;
- ')
-
- ########################################
-@@ -3446,10 +4302,10 @@ interface(`files_manage_isid_type_files',`
- #
- interface(`files_manage_isid_type_symlinks',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:lnk_file manage_lnk_file_perms;
-+ allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
- ')
-
- ########################################
-@@ -3465,10 +4321,29 @@ interface(`files_manage_isid_type_symlinks',`
- #
- interface(`files_rw_isid_type_blk_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:blk_file rw_blk_file_perms;
-+')
-+
-+########################################
-+##
-+## rw any files inherited from another process
-+## on new filesystems that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_isid_type_files',`
-+ gen_require(`
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:blk_file rw_blk_file_perms;
-+ allow $1 unlabeled_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -3484,10 +4359,10 @@ interface(`files_rw_isid_type_blk_files',`
- #
- interface(`files_manage_isid_type_blk_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:blk_file manage_blk_file_perms;
-+ allow $1 unlabeled_t:blk_file manage_blk_file_perms;
- ')
-
- ########################################
-@@ -3503,10 +4378,29 @@ interface(`files_manage_isid_type_blk_files',`
- #
- interface(`files_manage_isid_type_chr_files',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit Moundon directories on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_dontaudit_mounton_isid',`
-+ gen_require(`
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:chr_file manage_chr_file_perms;
-+ dontaudit $1 unlabeled_t:dir mounton;
- ')
-
- ########################################
-@@ -3552,6 +4446,27 @@ interface(`files_dontaudit_getattr_home_dir',`
-
- ########################################
- ##
-+## Do not audit attempts to check the
-+## access on home root directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_access_check_home_dir',`
-+ gen_require(`
-+ type home_root_t;
-+ ')
-+
-+ dontaudit $1 home_root_t:dir_file_class_set audit_access;
-+')
-+
-+
-+
-+########################################
-+##
- ## Search home directories root (/home).
- ##
- ##
-@@ -3814,20 +4729,38 @@ interface(`files_list_mnt',`
-
- ######################################
- ##
--## Do not audit attempts to list the contents of /mnt.
-+## dontaudit List the contents of /mnt.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_list_mnt',`
-+ gen_require(`
-+ type mnt_t;
-+ ')
-+
-+ dontaudit $1 mnt_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to check the
-+## write access on mnt files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_dontaudit_list_mnt',`
-+interface(`files_dontaudit_access_check_mnt',`
- gen_require(`
- type mnt_t;
- ')
--
-- dontaudit $1 mnt_t:dir list_dir_perms;
-+ dontaudit $1 mnt_t:dir_file_class_set audit_access;
- ')
-
- ########################################
-@@ -3921,6 +4854,45 @@ interface(`files_read_mnt_symlinks',`
- read_lnk_files_pattern($1, mnt_t, mnt_t)
- ')
-
-+
-+########################################
-+##
-+## Load kernel module files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_load_kernel_modules',`
-+ gen_require(`
-+ type modules_object_t;
-+ ')
-+
-+ files_read_kernel_modules($1)
-+ allow $1 modules_object_t:system module_load;
-+')
-+
-+########################################
-+##
-+## Mmap kernel module files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_map_kernel_modules',`
-+ gen_require(`
-+ type modules_object_t;
-+ ')
-+
-+ allow $1 modules_object_t:file map;
-+
-+')
-+
- ########################################
- ##
- ## Create, read, write, and delete symbolic links in /mnt.
-@@ -4012,6 +4984,7 @@ interface(`files_read_kernel_modules',`
- allow $1 modules_object_t:dir list_dir_perms;
- read_files_pattern($1, modules_object_t, modules_object_t)
- read_lnk_files_pattern($1, modules_object_t, modules_object_t)
-+
- ')
-
- ########################################
-@@ -4217,174 +5190,292 @@ interface(`files_read_world_readable_sockets',`
- allow $1 readable_t:sock_file read_sock_file_perms;
- ')
-
--########################################
-+#######################################
- ##
--## Allow the specified type to associate
--## to a filesystem with the type of the
--## temporary directory (/tmp).
-+## Read manageable system configuration files in /etc
- ##
--##
--##
--## Type of the file to associate.
--##
-+##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`files_associate_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
-+interface(`files_read_system_conf_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-
-- allow $1 tmp_t:filesystem associate;
-+ allow $1 etc_t:dir list_dir_perms;
-+ read_files_pattern($1, etc_t, system_conf_t)
-+ read_lnk_files_pattern($1, etc_t, system_conf_t)
- ')
-
--########################################
-+######################################
- ##
--## Get the attributes of the tmp directory (/tmp).
-+## Manage manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`files_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
-+interface(`files_manage_system_conf_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-
-- allow $1 tmp_t:dir getattr;
-+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
-+ files_filetrans_system_conf_named_files($1)
- ')
-
--########################################
-+#####################################
- ##
--## Do not audit attempts to get the
--## attributes of the tmp directory (/tmp).
-+## File name transition for system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`files_dontaudit_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
-+interface(`files_filetrans_system_conf_named_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t, usr_t;
-+ ')
-
-- dontaudit $1 tmp_t:dir getattr;
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
-+ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
-+ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
- ')
-
--########################################
-+######################################
- ##
--## Search the tmp directory (/tmp).
-+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
-+interface(`files_relabelto_system_conf_files',`
-+ gen_require(`
-+ type usr_t;
-+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
-+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
-+######################################
- ##
--## Do not audit attempts to search the tmp directory (/tmp).
-+## Relabel manageable system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_system_conf_files',`
-+ gen_require(`
-+ type usr_t;
-+ ')
-+
-+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
-+###################################
-+##
-+## Create files in /etc with the type used for
-+## the manageable system config files.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`files_etc_filetrans_system_conf',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
-+######################################
-+##
-+## Manage manageable system db files in /var/lib.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_system_db_files',`
-+ gen_require(`
-+ type var_lib_t, system_db_t;
-+ ')
-+
-+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
-+ files_filetrans_system_db_named_files($1)
-+')
-+
-+######################################
-+##
-+## Map manageable system db files in /var/lib.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_map_system_db_files',`
-+ gen_require(`
-+ type system_db_t;
-+ ')
-+ allow $1 system_db_t:file map;
-+')
-+
-+#####################################
-+##
-+## File name transition for system db files in /var/lib.
- ##
- ##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_filetrans_system_db_named_files',`
-+ gen_require(`
-+ type var_lib_t, system_db_t;
-+ ')
-+
-+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
-+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
-+')
-+
-+########################################
-+##
-+## Allow the specified type to associate
-+## to a filesystem with the type of the
-+## temporary directory (/tmp).
-+##
-+##
- ##
--## Domain to not audit.
-+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_dontaudit_search_tmp',`
-+interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- dontaudit $1 tmp_t:dir search_dir_perms;
-+ allow $1 tmp_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Read the tmp directory (/tmp).
-+## Allow the specified type to associate
-+## to a filesystem with the type of the
-+## / file system
- ##
--##
-+##
- ##
--## Domain allowed access.
-+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_list_tmp',`
-+interface(`files_associate_rootfs',`
- gen_require(`
-- type tmp_t;
-+ type root_t;
- ')
-
-- allow $1 tmp_t:dir list_dir_perms;
-+ allow $1 root_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Do not audit listing of the tmp directory (/tmp).
-+## Get the attributes of the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_list_tmp',`
-+interface(`files_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- dontaudit $1 tmp_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Remove entries from the tmp directory.
-+## Do not audit attempts to check the
-+## access on tmp files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
-+interface(`files_dontaudit_access_check_tmp',`
- gen_require(`
-- type tmp_t;
-+ type etc_t;
- ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
-+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Read files in the tmp directory (/tmp).
-+## Do not audit attempts to get the
-+## attributes of the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_tmp_files',`
-+interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- read_files_pattern($1, tmp_t, tmp_t)
-+ dontaudit $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Manage temporary directories in /tmp.
-+## Search the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4392,35 +5483,37 @@ interface(`files_read_generic_tmp_files',`
- ##
- ##
- #
--interface(`files_manage_generic_tmp_dirs',`
-+interface(`files_search_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- manage_dirs_pattern($1, tmp_t, tmp_t)
-+ fs_search_tmpfs($1)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Manage temporary files and directories in /tmp.
-+## Do not audit attempts to search the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_tmp_files',`
-+interface(`files_dontaudit_search_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- manage_files_pattern($1, tmp_t, tmp_t)
-+ dontaudit $1 tmp_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read symbolic links in the tmp directory (/tmp).
-+## Read the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4428,35 +5521,55 @@ interface(`files_manage_generic_tmp_files',`
- ##
- ##
- #
--interface(`files_read_generic_tmp_symlinks',`
-+interface(`files_list_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
- read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Read and write generic named sockets in the tmp directory (/tmp).
-+## Do not audit listing of the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_generic_tmp_sockets',`
-+interface(`files_dontaudit_list_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
-+ dontaudit $1 tmp_t:dir list_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Allow read and write to the tmp directory (/tmp).
-+##
-+##
-+##
-+## Domain not to audit.
-+##
-+##
-+#
-+interface(`files_rw_generic_tmp_dir',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 tmp_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of all tmp directories.
-+## Remove entries from the tmp directory.
- ##
- ##
- ##
-@@ -4464,17 +5577,18 @@ interface(`files_rw_generic_tmp_sockets',`
- ##
- ##
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir { search_dir_perms setattr };
-+ files_search_tmp($1)
-+ allow $1 tmp_t:dir del_entry_dir_perms;
- ')
-
- ########################################
- ##
--## List all tmp directories.
-+## Read files in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4482,59 +5596,61 @@ interface(`files_setattr_all_tmp_dirs',`
- ##
- ##
- #
--interface(`files_list_all_tmp',`
-+interface(`files_read_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-+ read_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Relabel to and from all temporary
--## directory types.
-+## Manage temporary directories in /tmp.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_manage_generic_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ manage_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp files.
-+## Allow shared library text relocations in tmp files.
- ##
-+##
-+##
-+## Allow shared library text relocations in tmp files.
-+##
-+##
-+## This is added to support java policy.
-+##
-+##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-+interface(`files_execmod_tmp',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- dontaudit $1 tmpfile:file getattr;
-+ allow $1 tmpfile:file execmod;
- ')
-
- ########################################
- ##
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Manage temporary files and directories in /tmp.
- ##
- ##
- ##
-@@ -4542,58 +5658,53 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##
- ##
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_manage_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:file getattr;
-+ manage_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Relabel to and from all temporary
--## file types.
-+## Read symbolic links in the tmp directory (/tmp).
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_read_generic_tmp_symlinks',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Read and write generic named sockets in the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_rw_generic_tmp_sockets',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Read all tmp files.
-+## Relabel a dir from the type used in /tmp.
- ##
- ##
- ##
-@@ -4601,51 +5712,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
- ##
- ##
- #
--interface(`files_read_all_tmp_files',`
-+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- read_files_pattern($1, tmpfile, tmpfile)
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
-+## Relabel a file from the type used in /tmp.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_tmp_filetrans',`
-+interface(`files_relabelfrom_tmp_files',`
- gen_require(`
- type tmp_t;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
-+## Set the attributes of all tmp directories.
- ##
- ##
- ##
-@@ -4653,22 +5748,17 @@ interface(`files_tmp_filetrans',`
- ##
- ##
- #
--interface(`files_purge_tmp',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
-- delete_files_pattern($1, tmpfile, tmpfile)
-- delete_lnk_files_pattern($1, tmpfile, tmpfile)
-- delete_fifo_files_pattern($1, tmpfile, tmpfile)
-- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ##
--## Set the attributes of the /usr directory.
-+## Allow caller to read inherited tmp files.
- ##
- ##
- ##
-@@ -4676,17 +5766,17 @@ interface(`files_purge_tmp',`
- ##
- ##
- #
--interface(`files_setattr_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir setattr;
-+ allow $1 tmpfile:file { append open read_inherited_file_perms };
- ')
-
- ########################################
- ##
--## Search the content of /usr.
-+## Allow caller to append inherited tmp files.
- ##
- ##
- ##
-@@ -4694,18 +5784,17 @@ interface(`files_setattr_usr_dirs',`
- ##
- ##
- #
--interface(`files_search_usr',`
-+interface(`files_append_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir search_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## List the contents of generic
--## directories in /usr.
-+## Allow caller to read and write inherited tmp files.
- ##
- ##
- ##
-@@ -4713,54 +5802,58 @@ interface(`files_search_usr',`
- ##
- ##
- #
--interface(`files_list_usr',`
-+interface(`files_rw_inherited_tmp_file',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit write of /usr dirs
-+## List all tmp directories.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_list_all_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Add and remove entries from /usr directories.
-+## Relabel to and from all temporary
-+## directory types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_rw_usr_dirs',`
-+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Do not audit attempts to add and remove
--## entries from /usr directories.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
- ##
- ##
- ##
-@@ -4768,17 +5861,18 @@ interface(`files_rw_usr_dirs',`
- ##
- ##
- #
--interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir rw_dir_perms;
-+ dontaudit $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## Delete generic directories in /usr in the caller domain.
-+## Allow attempts to get the attributes
-+## of all tmp files.
- ##
- ##
- ##
-@@ -4786,111 +5880,96 @@ interface(`files_dontaudit_rw_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_dirs',`
-+interface(`files_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## Delete generic files in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## file types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_delete_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_getattr_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- getattr_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:sock_file getattr;
- ')
-
- ########################################
- ##
--## Read generic files in /usr.
-+## Read all tmp files.
- ##
--##
--##
--## Allow the specified domain to read generic
--## files in /usr. These files are various program
--## files that do not have more specific SELinux types.
--## Some examples of these files are:
--##
--##
--## - /usr/include/*
--## - /usr/share/doc/*
--## - /usr/share/info/*
--##
--##
--## Generally, it is safe for many domains to have
--## this access.
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_read_usr_files',`
-+interface(`files_read_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- read_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ read_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Execute generic programs in /usr in the caller domain.
-+## Do not audit attempts to read or write
-+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_exec_usr_files',`
-+interface(`files_dontaudit_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- exec_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## dontaudit write of /usr files
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
- ##
- ##
- ##
-@@ -4898,35 +5977,51 @@ interface(`files_exec_usr_files',`
- ##
- ##
- #
--interface(`files_dontaudit_write_usr_files',`
-+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:file write;
-+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /usr directory.
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_usr_files',`
-+interface(`files_tmp_filetrans',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- manage_files_pattern($1, usr_t, usr_t)
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Relabel a file to the type used in /usr.
-+## Delete the contents of /tmp.
- ##
- ##
- ##
-@@ -4934,17 +6029,32 @@ interface(`files_manage_usr_files',`
- ##
- ##
- #
--interface(`files_relabelto_usr_files',`
-+interface(`files_purge_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- relabelto_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
-+ delete_files_pattern($1, tmpfile, tmpfile)
-+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
-+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
-+ delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
- ')
-
- ########################################
- ##
--## Relabel a file from the type used in /usr.
-+## Set the attributes of the /usr directory.
- ##
- ##
- ##
-@@ -4952,17 +6062,17 @@ interface(`files_relabelto_usr_files',`
- ##
- ##
- #
--interface(`files_relabelfrom_usr_files',`
-+interface(`files_setattr_usr_dirs',`
- gen_require(`
- type usr_t;
- ')
-
-- relabelfrom_files_pattern($1, usr_t, usr_t)
-+ allow $1 usr_t:dir setattr;
- ')
-
- ########################################
- ##
--## Read symbolic links in /usr.
-+## Search the content of /usr.
- ##
- ##
- ##
-@@ -4970,50 +6080,36 @@ interface(`files_relabelfrom_usr_files',`
- ##
- ##
- #
--interface(`files_read_usr_symlinks',`
-+interface(`files_search_usr',`
- gen_require(`
- type usr_t;
- ')
-
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 usr_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create objects in the /usr directory
-+## List the contents of generic
-+## directories in /usr.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_usr_filetrans',`
-+interface(`files_list_usr',`
- gen_require(`
- type usr_t;
- ')
-
-- filetrans_pattern($1, usr_t, $2, $3, $4)
-+ allow $1 usr_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search /usr/src.
-+## Do not audit write of /usr dirs
- ##
- ##
- ##
-@@ -5021,17 +6117,17 @@ interface(`files_usr_filetrans',`
- ##
- ##
- #
--interface(`files_dontaudit_search_src',`
-+interface(`files_dontaudit_write_usr_dirs',`
- gen_require(`
-- type src_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 src_t:dir search_dir_perms;
-+ dontaudit $1 usr_t:dir write;
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr/src.
-+## Add and remove entries from /usr directories.
- ##
- ##
- ##
-@@ -5039,41 +6135,36 @@ interface(`files_dontaudit_search_src',`
- ##
- ##
- #
--interface(`files_getattr_usr_src_files',`
-+interface(`files_rw_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- getattr_files_pattern($1, src_t, src_t)
--
-- # /usr/src/linux symlink:
-- read_lnk_files_pattern($1, usr_t, src_t)
-+ allow $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Read files in /usr/src.
-+## Do not audit attempts to add and remove
-+## entries from /usr directories.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_usr_src_files',`
-+interface(`files_dontaudit_rw_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- allow $1 usr_t:dir search_dir_perms;
-- read_files_pattern($1, { usr_t src_t }, src_t)
-- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-- allow $1 src_t:dir list_dir_perms;
-+ dontaudit $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Execute programs in /usr/src in the caller domain.
-+## Delete generic directories in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5081,19 +6172,17 @@ interface(`files_read_usr_src_files',`
- ##
- ##
- #
--interface(`files_exec_usr_src_files',`
-+interface(`files_delete_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- list_dirs_pattern($1, usr_t, src_t)
-- exec_files_pattern($1, src_t, src_t)
-- read_lnk_files_pattern($1, src_t, src_t)
-+ delete_dirs_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Install a system.map into the /boot directory.
-+## Delete generic files in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5101,18 +6190,17 @@ interface(`files_exec_usr_src_files',`
- ##
- ##
- #
--interface(`files_create_kernel_symbol_table',`
-+interface(`files_delete_usr_files',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-- allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+ delete_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Read system.map in the /boot directory.
-+## Map files in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5120,18 +6208,17 @@ interface(`files_create_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_read_kernel_symbol_table',`
-+interface(`files_mmap_usr_files',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- read_files_pattern($1, boot_t, system_map_t)
-+ allow $1 usr_t:file map;
- ')
-
- ########################################
- ##
--## Delete a system.map in the /boot directory.
-+## Get the attributes of files in /usr.
- ##
- ##
- ##
-@@ -5139,54 +6226,55 @@ interface(`files_read_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_delete_kernel_symbol_table',`
-+interface(`files_getattr_usr_files',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- delete_files_pattern($1, boot_t, system_map_t)
-+ getattr_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Search the contents of /var.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`files_search_var',`
-- gen_require(`
-- type var_t;
-- ')
--
-- allow $1 var_t:dir search_dir_perms;
--')
--
--########################################
--##
--## Do not audit attempts to write to /var.
-+## Read generic files in /usr.
- ##
-+##
-+##
-+## Allow the specified domain to read generic
-+## files in /usr. These files are various program
-+## files that do not have more specific SELinux types.
-+## Some examples of these files are:
-+##
-+##
-+## - /usr/include/*
-+## - /usr/share/doc/*
-+## - /usr/share/info/*
-+##
-+##
-+## Generally, it is safe for many domains to have
-+## this access.
-+##
-+##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_write_var_dirs',`
-+interface(`files_read_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir write;
-+ allow $1 usr_t:dir list_dir_perms;
-+ read_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Allow attempts to write to /var.dirs
-+## Execute generic programs in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5194,18 +6282,19 @@ interface(`files_dontaudit_write_var_dirs',`
- ##
- ##
- #
--interface(`files_write_var_dirs',`
-+interface(`files_exec_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir write;
-+ allow $1 usr_t:dir list_dir_perms;
-+ exec_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## the contents of /var.
-+## dontaudit write of /usr files
- ##
- ##
- ##
-@@ -5213,17 +6302,17 @@ interface(`files_write_var_dirs',`
- ##
- ##
- #
--interface(`files_dontaudit_search_var',`
-+interface(`files_dontaudit_write_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir search_dir_perms;
-+ dontaudit $1 usr_t:file write;
- ')
-
- ########################################
- ##
--## List the contents of /var.
-+## Create, read, write, and delete files in the /usr directory.
- ##
- ##
- ##
-@@ -5231,18 +6320,17 @@ interface(`files_dontaudit_search_var',`
- ##
- ##
- #
--interface(`files_list_var',`
-+interface(`files_manage_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir list_dir_perms;
-+ manage_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete directories
--## in the /var directory.
-+## Relabel a file to the type used in /usr.
- ##
- ##
- ##
-@@ -5250,17 +6338,17 @@ interface(`files_list_var',`
- ##
- ##
- #
--interface(`files_manage_var_dirs',`
-+interface(`files_relabelto_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir manage_dir_perms;
-+ relabelto_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Read files in the /var directory.
-+## Relabel a file from the type used in /usr.
- ##
- ##
- ##
-@@ -5268,17 +6356,17 @@ interface(`files_manage_var_dirs',`
- ##
- ##
- #
--interface(`files_read_var_files',`
-+interface(`files_relabelfrom_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- read_files_pattern($1, var_t, var_t)
-+ relabelfrom_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Append files in the /var directory.
-+## Read symbolic links in /usr.
- ##
- ##
- ##
-@@ -5286,36 +6374,50 @@ interface(`files_read_var_files',`
- ##
- ##
- #
--interface(`files_append_var_files',`
-+interface(`files_read_usr_symlinks',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- append_files_pattern($1, var_t, var_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Read and write files in the /var directory.
-+## Create objects in the /usr directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_rw_var_files',`
-+interface(`files_usr_filetrans',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- rw_files_pattern($1, var_t, var_t)
-+ filetrans_pattern($1, usr_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write
--## files in the /var directory.
-+## Do not audit attempts to search /usr/src.
- ##
- ##
- ##
-@@ -5323,17 +6425,17 @@ interface(`files_rw_var_files',`
- ##
- ##
- #
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_dontaudit_search_src',`
- gen_require(`
-- type var_t;
-+ type src_t;
- ')
-
-- dontaudit $1 var_t:file rw_file_perms;
-+ dontaudit $1 src_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /var directory.
-+## Get the attributes of files in /usr/src.
- ##
- ##
- ##
-@@ -5341,17 +6443,20 @@ interface(`files_dontaudit_rw_var_files',`
- ##
- ##
- #
--interface(`files_manage_var_files',`
-+interface(`files_getattr_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- manage_files_pattern($1, var_t, var_t)
-+ getattr_files_pattern($1, src_t, src_t)
-+
-+ # /usr/src/linux symlink:
-+ read_lnk_files_pattern($1, usr_t, src_t)
- ')
-
- ########################################
- ##
--## Read symbolic links in the /var directory.
-+## Read files in /usr/src.
- ##
- ##
- ##
-@@ -5359,18 +6464,20 @@ interface(`files_manage_var_files',`
- ##
- ##
- #
--interface(`files_read_var_symlinks',`
-+interface(`files_read_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- read_lnk_files_pattern($1, var_t, var_t)
-+ allow $1 usr_t:dir search_dir_perms;
-+ read_files_pattern($1, { usr_t src_t }, src_t)
-+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+ allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete symbolic
--## links in the /var directory.
-+## Execute programs in /usr/src in the caller domain.
- ##
- ##
- ##
-@@ -5378,50 +6485,75 @@ interface(`files_read_var_symlinks',`
- ##
- ##
- #
--interface(`files_manage_var_symlinks',`
-+interface(`files_exec_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- manage_lnk_files_pattern($1, var_t, var_t)
-+ list_dirs_pattern($1, usr_t, src_t)
-+ exec_files_pattern($1, src_t, src_t)
-+ read_lnk_files_pattern($1, src_t, src_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var directory
-+## Install a system.map into the /boot directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
-+#
-+interface(`files_create_kernel_symbol_table',`
-+ gen_require(`
-+ type boot_t, system_map_t;
-+ ')
-+
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+')
-+
-+########################################
-+##
-+## Dontaudit getattr attempts on the system.map file
-+##
-+##
- ##
--## The object class.
-+## Domain to not audit.
- ##
- ##
--##
-+#
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
-+ gen_require(`
-+ type system_map_t;
-+ ')
-+
-+ dontaudit $1 system_map_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Read system.map in the /boot directory.
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_var_filetrans',`
-+interface(`files_read_kernel_symbol_table',`
- gen_require(`
-- type var_t;
-+ type boot_t, system_map_t;
- ')
-
-- filetrans_pattern($1, var_t, $2, $3, $4)
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
- ')
-
- ########################################
- ##
--## Get the attributes of the /var/lib directory.
-+## Delete a system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5429,69 +6561,54 @@ interface(`files_var_filetrans',`
- ##
- ##
- #
--interface(`files_getattr_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- getattr_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
- ')
-
- ########################################
- ##
--## Search the /var/lib directory.
-+## Search the contents of /var.
- ##
--##
--##
--## Search the /var/lib directory. This is
--## necessary to access files or directories under
--## /var/lib that have a private type. For example, a
--## domain accessing a private library file in the
--## /var/lib directory:
--##
--##
--## allow mydomain_t mylibfile_t:file read_file_perms;
--## files_search_var_lib(mydomain_t)
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_search_var_lib',`
-+interface(`files_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 var_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## contents of /var/lib.
-+## Do not audit attempts to write to /var.
- ##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_lib_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 var_t:dir write;
- ')
-
- ########################################
- ##
--## List the contents of the /var/lib directory.
-+## Allow attempts to write to /var.dirs
- ##
- ##
- ##
-@@ -5499,88 +6616,73 @@ interface(`files_dontaudit_search_var_lib',`
- ##
- ##
- #
--interface(`files_list_var_lib',`
-+interface(`files_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 var_t:dir write;
- ')
-
--###########################################
-+########################################
- ##
--## Read-write /var/lib directories
-+## Do not audit attempts to search
-+## the contents of /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_var_lib_dirs',`
-+interface(`files_dontaudit_search_var',`
- gen_require(`
-- type var_lib_t;
-+ type var_t;
- ')
-
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create objects in the /var/lib directory
-+## List the contents of /var.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_lib_filetrans',`
-+interface(`files_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
-+ allow $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Read generic files in /var/lib.
-+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Read generic symbolic links in /var/lib
-+## Create, read, write, and delete directories
-+## in the /var directory.
- ##
- ##
- ##
-@@ -5588,21 +6690,17 @@ interface(`files_read_var_lib_files',`
- ##
- ##
- #
--interface(`files_read_var_lib_symlinks',`
-+interface(`files_manage_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir manage_dir_perms;
- ')
-
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
--
- ########################################
- ##
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
-+## Read files in the /var directory.
- ##
- ##
- ##
-@@ -5610,19 +6708,17 @@ interface(`files_read_var_lib_symlinks',`
- ##
- ##
- #
--interface(`files_manage_urandom_seed',`
-+interface(`files_read_var_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ read_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
-+## Append files in the /var directory.
- ##
- ##
- ##
-@@ -5630,18 +6726,17 @@ interface(`files_manage_urandom_seed',`
- ##
- ##
- #
--interface(`files_manage_mounttab',`
-+interface(`files_append_var_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ append_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## Read and write files in the /var directory.
- ##
- ##
- ##
-@@ -5649,56 +6744,54 @@ interface(`files_manage_mounttab',`
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Search the locks directory (/var/lock).
-+## Do not audit attempts to read and write
-+## files in the /var directory.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_search_locks',`
-+interface(`files_dontaudit_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## locks directory (/var/lock).
-+## Create, read, write, and delete files in the /var directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_locks',`
-+interface(`files_manage_var_files',`
- gen_require(`
-- type var_lock_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## List generic lock directories.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5706,19 +6799,18 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Add and remove entries in the /var/lock
--## directories.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5726,60 +6818,68 @@ interface(`files_list_locks',`
- ##
- ##
- #
--interface(`files_rw_lock_dirs',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- rw_dirs_pattern($1, var_t, var_lock_t)
-+ manage_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create lock directories
-+## Create objects in the /var directory
- ##
- ##
--##
--## Domain allowed access
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
- ##
- ##
- #
--interface(`files_create_lock_dirs',`
-+interface(`files_var_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
-+
- ########################################
- ##
--## Relabel to and from all lock directory types.
-+## Relabel dirs in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_lock_dirs',`
-+interface(`files_relabel_var_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- relabel_dirs_pattern($1, lockfile, lockfile)
-+ allow $1 var_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Get the attributes of the /var/lib directory.
- ##
- ##
- ##
-@@ -5787,84 +6887,87 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_getattr_var_lib_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Search the /var/lib directory.
- ##
-+##
-+##
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+##
-+##
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_search_var_lib',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ search_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## lock files.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
-+##
- #
--interface(`files_manage_generic_locks',`
-+interface(`files_dontaudit_search_var_lib',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Delete all lock files.
-+## List the contents of the /var/lib directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_locks',`
-+interface(`files_list_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
-+ list_dirs_pattern($1, var_t, var_lib_t)
- ')
-
--########################################
-+###########################################
- ##
--## Read all lock files.
-+## Read-write /var/lib directories
- ##
- ##
- ##
-@@ -5872,22 +6975,17 @@ interface(`files_delete_all_locks',`
- ##
- ##
- #
--interface(`files_read_all_locks',`
-+interface(`files_rw_var_lib_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ##
--## manage all lock files.
-+## Create directories in /var/lib
- ##
- ##
- ##
-@@ -5895,37 +6993,32 @@ interface(`files_read_all_locks',`
- ##
- ##
- #
--interface(`files_manage_all_locks',`
-+interface(`files_create_var_lib_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
- ')
-
-+
- ########################################
- ##
--## Create an object in the locks directory, with a private
--## type using a type transition.
-+## Create objects in the /var/lib directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+##
- ##
--## The type of the object to be created.
-+## The type of the object to be created
- ##
- ##
--##
-+##
- ##
--## The object class of the object being created.
-+## The object class.
- ##
- ##
- ##
-@@ -5934,20 +7027,1283 @@ interface(`files_manage_all_locks',`
- ##
- ##
- #
--interface(`files_lock_filetrans',`
-+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
-+## Read generic files in /var/lib.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_var_lib_files',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read generic symbolic links in /var/lib
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_var_lib_symlinks',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+')
-+
-+########################################
-+##
-+## manage generic symbolic links
-+## in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
-+########################################
-+##
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_urandom_seed',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Relabel to dirs in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+ allow $1 var_lib_t:dir relabelto;
-+')
-+
-+
-+########################################
-+##
-+## Relabel dirs in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+ allow $1 var_lib_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_mounttab',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
-+## List generic lock directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Search the locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the
-+## locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_lock_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/lock directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ allow $1 var_lock_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Add and remove entries in the /var/lock
-+## directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ rw_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create lock directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_create_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ create_dirs_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_dirs',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_files',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Get the attributes of generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 var_lock_t:dir list_dir_perms;
-+ getattr_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ delete_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Read all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## manage all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
-+ manage_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Create an object in the locks directory, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_lock_filetrans',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Search the contents of runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+######################################
-+##
-+## Add and remove entries from pid directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create generic pid directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_pids',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow search the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Read generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Write named generic process ID pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_generic_pid_pipes',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Create an object in the process ID directory, with a private type.
-+##
-+##
-+##
-+## Create an object in the process ID directory (e.g., /var/run)
-+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_pid_file()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its PID file with a private PID file type in the
-+## /var/run directory:
-+##
-+##
-+## type mypidfile_t;
-+## files_pid_file(mypidfile_t)
-+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+#
-+interface(`files_pid_filetrans',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Create a generic lock directory within the run directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_pid_filetrans_lock_dir',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ files_pid_filetrans($1, var_lock_t, dir, $2)
-+')
-+
-+########################################
-+##
-+## rw generic pid files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ rw_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes of
-+## daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_write_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to ioctl daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_ioctl_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file ioctl;
-+')
-+
-+########################################
-+##
-+## Relable all pid directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Delete all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Create all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Create all pid named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all pid named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## manage all pidfile directories
-+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
-+
-+########################################
-+##
-+## Read all process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_read_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Relable all pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_pid_files',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Execute generic programs in /var/run in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Write all sockets
-+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:sock_file write_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## manage all pidfiles
-+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ manage_files_pattern($1,pidfile,pidfile)
-+')
-+
-+########################################
-+##
-+## Mount filesystems on all polyinstantiation
-+## member directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_all_poly_members',`
-+ gen_require(`
-+ attribute polymember;
-+ ')
-+
-+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
-+## Delete all process IDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
-+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Make the specified type a file
-+## used for spool files.
-+##
-+##
-+##
-+## Make the specified type usable for spool files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a spool file may result in problems with
-+## purging spool files.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_spool_filetrans()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its spool file in the system spool file
-+## directories (/var/spool):
-+##
-+##
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##
-+##
-+##
-+##
-+## Type of the file to be used as a
-+## spool file.
-+##
-+##
-+##
-+#
-+interface(`files_spool_file',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ files_type($1)
-+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+##
-+## Create all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Relabel to and from all spool
-+## directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_relabel_all_spool_dirs',`
-+ gen_require(`
-+ attribute spoolfile;
-+ type var_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+##
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
- ##
- ##
- ##
-@@ -5955,18 +8311,18 @@ interface(`files_lock_filetrans',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_dontaudit_search_spool',`
- gen_require(`
-- type var_run_t;
-+ type var_spool_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of the /var/run directory.
-+## List the contents of generic spool
-+## (/var/spool) directories.
- ##
- ##
- ##
-@@ -5974,19 +8330,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_list_spool',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
- ##
- ##
- ##
-@@ -5994,39 +8349,38 @@ interface(`files_setattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_search_pids',`
-+interface(`files_manage_generic_spool_dirs',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## the /var/run directory.
-+## Read generic spool files.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
-+interface(`files_read_generic_spool',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
-+## Create, read, write, and delete generic
-+## spool files.
- ##
- ##
- ##
-@@ -6034,38 +8388,55 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
-+interface(`files_manage_generic_spool',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Read generic process ID files.
-+## Create objects in the spool directory
-+## with a private type with a type transition.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_read_generic_pids',`
-+interface(`files_spool_filetrans',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
- ##
- ##
- ##
-@@ -6073,43 +8444,75 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
-+interface(`files_polyinstantiate_all',`
- gen_require(`
-- type var_run_t;
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
-+## Unconfined access to files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_unconfined',`
-+ gen_require(`
-+ attribute files_unconfined_type;
-+ ')
-+
-+ typeattribute $1 files_unconfined_type;
-+')
-+
-+########################################
-+##
-+## Create a core files in /
- ##
- ##
- ##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+## Create a core file in /,
- ##
- ##
- ##
-@@ -6117,14 +8520,82 @@ interface(`files_write_generic_pid_pipes',`
- ## Domain allowed access.
- ##
- ##
--##
-+##
-+#
-+interface(`files_manage_root_files',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ manage_files_pattern($1, root_t, root_t)
-+')
-+
-+########################################
-+##
-+## Create a default directory
-+##
-+##
-+##
-+## Create a default_t direcrory
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_create_default_dir',`
-+ gen_require(`
-+ type default_t;
-+ ')
-+
-+ allow $1 default_t:dir create;
-+')
-+
-+########################################
-+##
-+## Create, default_t objects with an automatic
-+## type transition.
-+##
-+##
- ##
--## The type of the object to be created.
-+## Domain allowed access.
- ##
- ##
- ##
- ##
--## The object class of the object being created.
-+## The class of the object being created.
-+##
-+##
-+#
-+interface(`files_root_filetrans_default',`
-+ gen_require(`
-+ type root_t, default_t;
-+ ')
-+
-+ filetrans_pattern($1, root_t, default_t, $2)
-+')
-+
-+########################################
-+##
-+## Create, lib_t objects with an automatic
-+## type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type of the directory to be transitioned from
-+##
-+##
-+##
-+##
-+## The class of the object being created.
- ##
- ##
- ##
-@@ -6132,65 +8603,92 @@ interface(`files_write_generic_pid_pipes',`
- ## The name of the object being created.
- ##
- ##
--##
- #
--interface(`files_pid_filetrans',`
-+interface(`files_filetrans_lib',`
-+ gen_require(`
-+ type lib_t, lib_t;
-+ ')
-+
-+ filetrans_pattern($1, $2, lib_t, $3, $4)
-+')
-+
-+########################################
-+##
-+## manage generic symbolic links
-+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_pids_symlinks',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to getattr
-+## all tmpfs files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_tmpfs_files',`
- gen_require(`
-- type var_t, var_run_t;
-+ attribute tmpfsfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_run_t, $2, $3, $4)
-+ allow $1 tmpfsfile:file getattr;
- ')
-
- ########################################
- ##
--## Create a generic lock directory within the run directories
-+## Allow delete all tmpfs files.
- ##
- ##
--##
--## Domain allowed access
--##
--##
--##
- ##
--## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_pid_filetrans_lock_dir',`
-+interface(`files_delete_tmpfs_files',`
- gen_require(`
-- type var_lock_t;
-+ attribute tmpfsfile;
- ')
-
-- files_pid_filetrans($1, var_lock_t, dir, $2)
-+ allow $1 tmpfsfile:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Read and write generic process ID files.
-+## Allow read write all tmpfs files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_generic_pids',`
-+interface(`files_rw_tmpfs_files',`
- gen_require(`
-- type var_t, var_run_t;
-+ attribute tmpfsfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- rw_files_pattern($1, var_run_t, var_run_t)
-+ allow $1 tmpfsfile:file { read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of
--## daemon runtime data files.
-+## Do not audit attempts to read security files
- ##
- ##
- ##
-@@ -6198,19 +8696,17 @@ interface(`files_rw_generic_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_pids',`
-+interface(`files_dontaudit_read_security_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
-+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file getattr;
-+ dontaudit $1 security_file_type:file read_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to daemon runtime data files.
-+## Do not audit attempts to search security files
- ##
- ##
- ##
-@@ -6218,18 +8714,17 @@ interface(`files_dontaudit_getattr_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_write_all_pids',`
-+interface(`files_dontaudit_search_security_files',`
- gen_require(`
-- attribute pidfile;
-+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file write;
-+ dontaudit $1 security_file_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to ioctl daemon runtime data files.
-+## Do not audit attempts to read security dirs
- ##
- ##
- ##
-@@ -6237,41 +8732,43 @@ interface(`files_dontaudit_write_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_ioctl_all_pids',`
-+interface(`files_dontaudit_list_security_dirs',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
-+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file ioctl;
-+ dontaudit $1 security_file_type:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Read all process ID files.
-+## rw any files inherited from another process
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+##
-+##
-+## Object type.
-+##
-+##
- #
--interface(`files_read_all_pids',`
-+interface(`files_rw_all_inherited_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
-+ attribute file_type;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
-+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
-+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
-+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
-+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process IDs.
-+## Allow any file point to be the entrypoint of this domain
- ##
- ##
- ##
-@@ -6280,67 +8777,56 @@ interface(`files_read_all_pids',`
- ##
- ##
- #
--interface(`files_delete_all_pids',`
-+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
-+ attribute file_type;
-+ type unlabeled_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+ allow $1 {file_type -unlabeled_t} :file entrypoint;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
-+## Do not audit attempts to rw inherited file perms
-+## of non security files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_all_pid_dirs',`
-+interface(`files_dontaudit_all_non_security_leaks',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
-+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
-+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
-+## Do not audit attempts to read or write
-+## all leaked files.
- ##
- ##
- ##
--## Domain alloed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
-+interface(`files_dontaudit_leaks',`
- gen_require(`
-- attribute pidfile;
-+ attribute file_type;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
-+ dontaudit $1 file_type:file rw_inherited_file_perms;
-+ dontaudit $1 file_type:lnk_file { read };
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
-+## Allow domain to create_file_ass all types
- ##
- ##
- ##
-@@ -6348,37 +8834,37 @@ interface(`files_manage_all_pids',`
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_create_as_is_all_files',`
- gen_require(`
-- attribute polymember;
-+ attribute file_type;
-+ class kernel_service create_files_as;
- ')
-
-- allow $1 polymember:dir mounton;
-+ allow $1 file_type:kernel_service create_files_as;
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
-+## Do not audit attempts to check the
-+## access on all files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_search_spool',`
-+interface(`files_dontaudit_all_access_check',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute file_type;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
-+ dontaudit $1 file_type:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
-+## Do not audit attempts to write to all files
- ##
- ##
- ##
-@@ -6386,132 +8872,227 @@ interface(`files_search_spool',`
- ##
- ##
- #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_dontaudit_write_all_files',`
- gen_require(`
-- type var_spool_t;
-+ attribute file_type;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
-+ dontaudit $1 file_type:dir_file_class_set write;
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
-+## Allow domain to delete to all files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_spool',`
-+interface(`files_delete_all_non_security_files',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute non_security_file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-+ allow $1 non_security_file_type:dir del_entry_dir_perms;
-+ allow $1 non_security_file_type:file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
-+## Allow domain to delete to all dirs
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
-+interface(`files_delete_all_non_security_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
- ')
-
- ########################################
- ##
--## Read generic spool files.
-+## Transition named content in the var_run_t directory
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_read_generic_spool',`
-+interface(`files_filetrans_named_content',`
- gen_require(`
-- type var_t, var_spool_t;
-+ type etc_t;
-+ type mnt_t;
-+ type usr_t;
-+ type tmp_t;
-+ type var_t;
-+ type var_run_t;
-+ type var_lock_t;
-+ type tmp_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
-+ files_pid_filetrans($1, mnt_t, dir, "media")
-+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
-+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
-+ files_root_filetrans($1, mnt_t, dir, "afs")
-+ files_root_filetrans($1, mnt_t, dir, "misc")
-+ files_root_filetrans($1, mnt_t, dir, "net")
-+ files_root_filetrans($1, usr_t, dir, "export")
-+ files_root_filetrans($1, usr_t, dir, "opt")
-+ files_root_filetrans($1, usr_t, dir, "ostree")
-+ files_root_filetrans($1, usr_t, dir, "emul")
-+ files_root_filetrans($1, var_t, dir, "srv")
-+ files_root_filetrans($1, var_run_t, dir, "run")
-+ files_root_filetrans($1, var_run_t, lnk_file, "run")
-+ files_root_filetrans($1, var_lock_t, lnk_file, "lock")
-+ files_root_filetrans($1, tmp_t, dir, "sandbox")
-+ files_root_filetrans($1, tmp_t, dir, "tmp")
-+ files_root_filetrans($1, var_t, dir, "nsr")
-+ files_etc_filetrans($1, etc_t, file, "system-auth-ac")
-+ files_etc_filetrans($1, etc_t, file, "postlogin-ac")
-+ files_etc_filetrans($1, etc_t, file, "password-auth-ac")
-+ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
-+ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
-+ files_etc_filetrans($1, etc_t, file, "hwdb.bin")
-+ files_etc_filetrans_etc_runtime($1, file, ".updated")
-+ files_etc_filetrans_etc_runtime($1, file, "runtime")
-+ files_etc_filetrans_etc_runtime($1, dir, "blkid")
-+ files_etc_filetrans_etc_runtime($1, dir, "cmtab")
-+ files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
-+ files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
-+ files_etc_filetrans_etc_runtime($1, file, "nologin")
-+ files_etc_filetrans_etc_runtime($1, file, "securetty")
-+ files_etc_filetrans_etc_runtime($1, file, "ifstate")
-+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
-+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
-+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
-+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
-+ files_var_filetrans($1, tmp_t, dir, "tmp")
-+ files_var_filetrans($1, var_run_t, dir, "run")
-+ files_var_filetrans($1, etc_runtime_t, file, ".updated")
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
-+## Make the specified type a
-+## base file.
- ##
--##
-+##
-+##
-+## Identify file type as base file type. Tools will use this attribute,
-+## to help users diagnose problems.
-+##
-+##
-+##
- ##
--## Domain allowed access.
-+## Type to be used as a base files.
- ##
- ##
-+##
- #
--interface(`files_manage_generic_spool',`
-+interface(`files_base_file',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute base_file_type;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
-+ files_type($1)
-+ typeattribute $1 base_file_type;
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
-+## Make the specified type a
-+## base read only file.
- ##
--##
-+##
-+##
-+## Make the specified type readable for all domains.
-+##
-+##
-+##
- ##
--## Domain allowed access.
-+## Type to be used as a base read only files.
- ##
- ##
--##
-+##
-+#
-+interface(`files_ro_base_file',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+ files_base_file($1)
-+ typeattribute $1 base_ro_file_type;
-+')
-+
-+########################################
-+##
-+## Read all ro base files.
-+##
-+##
- ##
--## Type to which the created node will be transitioned.
-+## Domain allowed access.
- ##
- ##
--##
-+##
-+#
-+interface(`files_read_all_base_ro_files',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+
-+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+')
-+
-+########################################
-+##
-+## Execute all base ro files.
-+##
-+##
- ##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
-+## Domain allowed access.
- ##
- ##
--##
-+##
-+#
-+interface(`files_exec_all_base_ro_files',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+
-+ can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## any file.
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_spool_filetrans',`
-+interface(`files_config_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ allow $1 file_type:service all_service_perms;
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
-+## Get the status of etc_t files
- ##
- ##
- ##
-@@ -6519,53 +9100,17 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
-+interface(`files_status_etc',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
-+ type etc_t;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
-+ allow $1 etc_t:service status;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
-+## Dontaudit Mount a modules_object_t
- ##
- ##
- ##
-@@ -6573,10 +9118,10 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
-+interface(`files_dontaudit_mounton_modules_object',`
- gen_require(`
-- attribute files_unconfined_type;
-+ type modules_object_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
-+ allow $1 modules_object_t:dir mounton;
- ')
-diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abdd7..3221f8018 100644
---- a/policy/modules/kernel/files.te
-+++ b/policy/modules/kernel/files.te
-@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
- # Declarations
- #
-
-+attribute base_file_type;
-+attribute base_ro_file_type;
- attribute file_type;
- attribute files_unconfined_type;
- attribute lockfile;
- attribute mountpoint;
- attribute pidfile;
-+attribute spoolfile;
- attribute configfile;
-+attribute etcfile;
-
- # For labeling types that are to be polyinstantiated
- attribute polydir;
-@@ -48,47 +52,53 @@ attribute usercanread;
- #
- type boot_t;
- files_mountpoint(boot_t)
-+files_ro_base_file(boot_t)
-
- # default_t is the default type for files that do not
- # match any specification in the file_contexts configuration
- # other than the generic /.* specification.
- type default_t;
- files_mountpoint(default_t)
-+files_base_file(default_t)
-
- #
- # etc_t is the type of the system etc directories.
- #
- type etc_t, configfile;
--files_type(etc_t)
-+files_ro_base_file(etc_t)
-+
- # compatibility aliases for removed types:
- typealias etc_t alias automount_etc_t;
- typealias etc_t alias snmpd_etc_t;
-
-+# system_conf_t is a new type of various
-+# files in /etc/ that can be managed and
-+# created by several domains.
-+#
-+type system_conf_t, configfile;
-+files_ro_base_file(system_conf_t)
-+# compatibility aliases for removed type:
-+typealias system_conf_t alias iptables_conf_t;
-+
-+# system_db_t is a new type of various
-+# db files.
-+type system_db_t;
-+files_ro_base_file(system_db_t)
-+
- #
- # etc_runtime_t is the type of various
- # files in /etc that are automatically
- # generated during initialization.
- #
--type etc_runtime_t;
--files_type(etc_runtime_t)
--#Temporarily in policy until FC5 dissappears
--typealias etc_runtime_t alias firstboot_rw_t;
--
--#
--# file_t is the default type of a file that has not yet been
--# assigned an extended attribute (EA) value (when using a filesystem
--# that supports EAs).
--#
--type file_t;
--files_mountpoint(file_t)
--kernel_rootfs_mountpoint(file_t)
--sid file gen_context(system_u:object_r:file_t,s0)
-+type etc_runtime_t, configfile;
-+files_ro_base_file(etc_runtime_t)
-
- #
- # home_root_t is the type for the directory where user home directories
- # are created
- #
- type home_root_t;
-+files_base_file(home_root_t)
- files_mountpoint(home_root_t)
- files_poly_parent(home_root_t)
-
-@@ -96,12 +106,13 @@ files_poly_parent(home_root_t)
- # lost_found_t is the type for the lost+found directories.
- #
- type lost_found_t;
--files_type(lost_found_t)
-+files_base_file(lost_found_t)
-
- #
- # mnt_t is the type for mount points such as /mnt/cdrom
- #
- type mnt_t;
-+files_base_file(mnt_t)
- files_mountpoint(mnt_t)
-
- #
-@@ -123,6 +134,7 @@ files_type(readable_t)
- # root_t is the type for rootfs and the root directory.
- #
- type root_t;
-+files_base_file(root_t)
- files_mountpoint(root_t)
- files_poly_parent(root_t)
- kernel_rootfs_mountpoint(root_t)
-@@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
- #
- type src_t;
- files_mountpoint(src_t)
-+files_ro_base_file(src_t)
-
- #
- # system_map_t is for the system.map files in /boot
- #
- type system_map_t;
- files_type(system_map_t)
-+kernel_proc_type(system_map_t)
- genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
-
- #
- # tmp_t is the type of the temporary directories
- #
- type tmp_t;
-+files_base_file(tmp_t)
- files_tmp_file(tmp_t)
- files_mountpoint(tmp_t)
- files_poly(tmp_t)
- files_poly_parent(tmp_t)
-+typealias tmp_t alias firstboot_tmp_t;
-
- #
- # usr_t is the type for /usr.
- #
- type usr_t;
-+files_ro_base_file(usr_t)
- files_mountpoint(usr_t)
-
- #
- # var_t is the type of /var
- #
- type var_t;
-+files_base_file(var_t)
- files_mountpoint(var_t)
-
- #
- # var_lib_t is the type of /var/lib
- #
- type var_lib_t;
-+files_base_file(var_lib_t)
- files_mountpoint(var_lib_t)
-+files_poly(var_lib_t)
-
- #
- # var_lock_t is tye type of /var/lock
- #
- type var_lock_t;
-+files_base_file(var_lock_t)
- files_lock_file(var_lock_t)
- files_mountpoint(var_lock_t)
-
-@@ -180,6 +201,7 @@ files_mountpoint(var_lock_t)
- # used for pid and other runtime files.
- #
- type var_run_t;
-+files_base_file(var_run_t)
- files_pid_file(var_run_t)
- files_mountpoint(var_run_t)
-
-@@ -187,7 +209,9 @@ files_mountpoint(var_run_t)
- # var_spool_t is the type of /var/spool
- #
- type var_spool_t;
-+files_base_file(var_spool_t)
- files_tmp_file(var_spool_t)
-+files_spool_file(var_spool_t)
-
- ########################################
- #
-@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile)
- #
-
- # Create/access any file in a labeled filesystem;
--allow files_unconfined_type file_type:{ file chr_file } ~execmod;
-+allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint };
- allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-+allow files_unconfined_type file_type:service *;
-
- # Mount/unmount any filesystem with the context= option.
--allow files_unconfined_type file_type:filesystem *;
-+allow files_unconfined_type file_type:filesystem all_filesystem_perms;
-
--tunable_policy(`allow_execmod',`
-+tunable_policy(`selinuxuser_execmod',`
- allow files_unconfined_type file_type:file execmod;
- ')
-diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index d7c11a0b3..f521a50f8 100644
---- a/policy/modules/kernel/filesystem.fc
-+++ b/policy/modules/kernel/filesystem.fc
-@@ -1,23 +1,28 @@
--/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
--/cgroup/.* <>
-+# ecryptfs does not support xattr
-+HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
-+HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
-
- /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
- /dev/hugepages(/.*)? <>
--/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
--/dev/shm/.* <>
-
--/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
--/lib/udev/devices/hugepages/.* <>
--/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
--/lib/udev/devices/shm/.* <>
-+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
-+/dev/shm/.* <>
-
-+/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0)
-+
-+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
-+/usr/lib/udev/devices/hugepages/.* <>
-+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-+/usr/lib/udev/devices/shm/.* <>
-+/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
-+/var/run/user/[^/]*/gvfs/.* <>
-+
-+# for systemd systems:
- /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
- /sys/fs/cgroup/.* <>
-
- /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
- /sys/fs/pstore/.* <>
-
--ifdef(`distro_debian',`
- /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
- /var/run/shm/.* <>
--')
-diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb43..a7af809a0 100644
---- a/policy/modules/kernel/filesystem.if
-+++ b/policy/modules/kernel/filesystem.if
-@@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
-
- ########################################
- ##
-+## Allow the type to associate to cgroup filesystems.
-+##
-+##
-+##
-+## The type of the object to be associated.
-+##
-+##
-+#
-+interface(`fs_associate_cgroupfs',`
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ allow $1 cgroup_t:filesystem associate;
-+')
-+
-+########################################
-+##
- ## Remount cgroup filesystems.
- ##
- ##
-@@ -631,6 +649,27 @@ interface(`fs_getattr_cgroup',`
-
- ########################################
- ##
-+## Get attributes of cgroup files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_cgroup_files',`
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ getattr_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
- ## Search cgroup directories.
- ##
- ##
-@@ -646,11 +685,31 @@ interface(`fs_search_cgroup_dirs',`
- ')
-
- search_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
- ########################################
- ##
-+## Relabel cgroup directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_cgroup_dirs',`
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+##
- ## list cgroup directories.
- ##
- ##
-@@ -659,15 +718,35 @@ interface(`fs_search_cgroup_dirs',`
- ##
- ##
- #
--interface(`fs_list_cgroup_dirs', `
-+interface(`fs_list_cgroup_dirs',`
- gen_require(`
- type cgroup_t;
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-+#######################################
-+##
-+## Do not audit attempts to search cgroup directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_search_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ dontaudit $1 cgroup_t:dir search_dir_perms;
-+ dev_dontaudit_search_sysfs($1)
-+')
-+
- ########################################
- ##
- ## Delete cgroup directories.
-@@ -684,6 +763,7 @@ interface(`fs_delete_cgroup_dirs', `
- ')
-
- delete_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -704,6 +784,7 @@ interface(`fs_manage_cgroup_dirs',`
- ')
-
- manage_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -724,6 +805,8 @@ interface(`fs_read_cgroup_files',`
- ')
-
- read_files_pattern($1, cgroup_t, cgroup_t)
-+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -743,6 +826,7 @@ interface(`fs_write_cgroup_files', `
- ')
-
- write_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -762,7 +846,9 @@ interface(`fs_rw_cgroup_files',`
-
- ')
-
-+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
- rw_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -788,6 +874,25 @@ interface(`fs_dontaudit_rw_cgroup_files',`
-
- ########################################
- ##
-+## Relabel cgroup files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_cgroup_files',`
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ relabel_files_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+##
- ## Manage cgroup files.
- ##
- ##
-@@ -803,6 +908,8 @@ interface(`fs_manage_cgroup_files',`
- ')
-
- manage_files_pattern($1, cgroup_t, cgroup_t)
-+ manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -826,6 +933,25 @@ interface(`fs_mounton_cgroup', `
-
- ########################################
- ##
-+## Read and write ceph files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_cephfs_files',`
-+ gen_require(`
-+ type cephfs_t;
-+
-+ ')
-+
-+ rw_files_pattern($1, cephfs_t, cephfs_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read
- ## dirs on a CIFS or SMB filesystem.
- ##
-@@ -920,6 +1046,24 @@ interface(`fs_getattr_cifs',`
-
- ########################################
- ##
-+## Set the attributes of cifs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_setattr_cifs_dirs',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:dir setattr;
-+')
-+
-+########################################
-+##
- ## Search directories on a CIFS or SMB filesystem.
- ##
- ##
-@@ -1107,6 +1251,24 @@ interface(`fs_read_noxattr_fs_files',`
-
- ########################################
- ##
-+## Read/Write all inherited noxattrfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_noxattr_fs_files',`
-+ gen_require(`
-+ attribute noxattrfs;
-+ ')
-+
-+ allow $1 noxattrfs:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read all
- ## noxattrfs files.
- ##
-@@ -1245,7 +1407,7 @@ interface(`fs_append_cifs_files',`
-
- ########################################
- ##
--## dontaudit Append files
-+## Do not audit attempts to append files
- ## on a CIFS filesystem.
- ##
- ##
-@@ -1265,6 +1427,42 @@ interface(`fs_dontaudit_append_cifs_files',`
-
- ########################################
- ##
-+## Read inherited files on a CIFS or SMB filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_inherited_cifs_files',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/Write inherited files on a CIFS or SMB filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_cifs_files',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or
- ## write files on a CIFS or SMB filesystem.
- ##
-@@ -1279,7 +1477,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
- type cifs_t;
- ')
-
-- dontaudit $1 cifs_t:file rw_file_perms;
-+ dontaudit $1 cifs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -1363,6 +1561,27 @@ interface(`fs_exec_cifs_files',`
-
- ########################################
- ##
-+## Mmap files on a CIFS or SMB
-+## network filesystem, in the caller
-+## domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_map_cifs_files',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file map;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete directories
- ## on a CIFS or SMB network filesystem.
- ##
-@@ -1542,48 +1761,48 @@ interface(`fs_cifs_domtrans',`
- domain_auto_transition_pattern($1, cifs_t, $2)
- ')
-
--#######################################
-+########################################
- ##
--## Create, read, write, and delete dirs
--## on a configfs filesystem.
-+## Make general progams in cifs an entrypoint for
-+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## The domain for which cifs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_manage_configfs_dirs',`
-+interface(`fs_cifs_entry_type',`
- gen_require(`
-- type configfs_t;
-+ type cifs_t;
- ')
-
-- manage_dirs_pattern($1, configfs_t, configfs_t)
-+ domain_entry_file($1, cifs_t)
- ')
-
--#######################################
-+########################################
- ##
--## Create, read, write, and delete files
--## on a configfs filesystem.
-+## Make general progams in CIFS an entrypoint for
-+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## The domain for which cifs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_manage_configfs_files',`
-+interface(`fs_cifs_entrypoint',`
- gen_require(`
-- type configfs_t;
-+ type cifs_t;
- ')
-
-- manage_files_pattern($1, configfs_t, configfs_t)
-+ allow $1 cifs_t:file entrypoint;
- ')
-
--########################################
-+#######################################
- ##
--## Mount a DOS filesystem, such as
--## FAT32 or NTFS.
-+## dontaudit write dirs
-+## on a configfs filesystem.
- ##
- ##
- ##
-@@ -1591,19 +1810,18 @@ interface(`fs_manage_configfs_files',`
- ##
- ##
- #
--interface(`fs_mount_dos_fs',`
-+interface(`fs_dontaudit_write_configfs_dirs',`
- gen_require(`
-- type dosfs_t;
-+ type configfs_t;
- ')
-
-- allow $1 dosfs_t:filesystem mount;
-+ dontaudit $1 configfs_t:dir write;
- ')
-
--########################################
-+#######################################
- ##
--## Remount a DOS filesystem, such as
--## FAT32 or NTFS. This allows
--## some mount options to be changed.
-+## Read dirs
-+## on a configfs filesystem.
- ##
- ##
- ##
-@@ -1611,18 +1829,18 @@ interface(`fs_mount_dos_fs',`
- ##
- ##
- #
--interface(`fs_remount_dos_fs',`
-+interface(`fs_read_configfs_dirs',`
- gen_require(`
-- type dosfs_t;
-+ type configfs_t;
- ')
-
-- allow $1 dosfs_t:filesystem remount;
-+ list_dirs_pattern($1, configfs_t, configfs_t)
- ')
-
--########################################
-+#######################################
- ##
--## Unmount a DOS filesystem, such as
--## FAT32 or NTFS.
-+## Create, read, write, and delete dirs
-+## on a configfs filesystem.
- ##
- ##
- ##
-@@ -1630,38 +1848,37 @@ interface(`fs_remount_dos_fs',`
- ##
- ##
- #
--interface(`fs_unmount_dos_fs',`
-+interface(`fs_manage_configfs_dirs',`
- gen_require(`
-- type dosfs_t;
-+ type configfs_t;
- ')
-
-- allow $1 dosfs_t:filesystem unmount;
-+ manage_dirs_pattern($1, configfs_t, configfs_t)
- ')
-
--########################################
-+#######################################
- ##
--## Get the attributes of a DOS
--## filesystem, such as FAT32 or NTFS.
-+## Read files
-+## on a configfs filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_getattr_dos_fs',`
-+interface(`fs_read_configfs_files',`
- gen_require(`
-- type dosfs_t;
-+ type configfs_t;
- ')
-
-- allow $1 dosfs_t:filesystem getattr;
-+ read_files_pattern($1, configfs_t, configfs_t)
- ')
-
--########################################
-+#######################################
- ##
--## Allow changing of the label of a
--## DOS filesystem using the context= mount option.
-+## Create, read, write, and delete files
-+## on a configfs filesystem.
- ##
- ##
- ##
-@@ -1669,17 +1886,18 @@ interface(`fs_getattr_dos_fs',`
- ##
- ##
- #
--interface(`fs_relabelfrom_dos_fs',`
-+interface(`fs_manage_configfs_files',`
- gen_require(`
-- type dosfs_t;
-+ type configfs_t;
- ')
-
-- allow $1 dosfs_t:filesystem relabelfrom;
-+ manage_files_pattern($1, configfs_t, configfs_t)
- ')
-
--########################################
-+#######################################
- ##
--## Search dosfs filesystem.
-+## Create, read, write, and delete files
-+## on a configfs filesystem.
- ##
- ##
- ##
-@@ -1687,17 +1905,17 @@ interface(`fs_relabelfrom_dos_fs',`
- ##
- ##
- #
--interface(`fs_search_dos',`
-+interface(`fs_manage_configfs_lnk_files',`
- gen_require(`
-- type dosfs_t;
-+ type configfs_t;
- ')
-
-- allow $1 dosfs_t:dir search_dir_perms;
-+ manage_lnk_files_pattern($1, configfs_t, configfs_t)
- ')
-
- ########################################
- ##
--## List dirs DOS filesystem.
-+## Unmount a configfs filesystem
- ##
- ##
- ##
-@@ -1705,18 +1923,151 @@ interface(`fs_search_dos',`
- ##
- ##
- #
--interface(`fs_list_dos',`
-+interface(`fs_unmount_configfs',`
- gen_require(`
-- type dosfs_t;
-+ type configfs_t;
- ')
-
-- list_dirs_pattern($1, dosfs_t, dosfs_t)
-+ allow $1 configfs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete dirs
--## on a DOS filesystem.
-+## Mount a DOS filesystem, such as
-+## FAT32 or NTFS.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mount_dos_fs',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ allow $1 dosfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Remount a DOS filesystem, such as
-+## FAT32 or NTFS. This allows
-+## some mount options to be changed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_remount_dos_fs',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ allow $1 dosfs_t:filesystem remount;
-+')
-+
-+########################################
-+##
-+## Unmount a DOS filesystem, such as
-+## FAT32 or NTFS.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_dos_fs',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ allow $1 dosfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
-+## Get the attributes of a DOS
-+## filesystem, such as FAT32 or NTFS.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_getattr_dos_fs',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ allow $1 dosfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
-+## Allow changing of the label of a
-+## DOS filesystem using the context= mount option.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabelfrom_dos_fs',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ allow $1 dosfs_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+##
-+## Search dosfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_search_dos',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ allow $1 dosfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List dirs DOS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_list_dos',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ list_dirs_pattern($1, dosfs_t, dosfs_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete dirs
-+## on a DOS filesystem.
- ##
- ##
- ##
-@@ -1734,6 +2085,24 @@ interface(`fs_manage_dos_dirs',`
-
- ########################################
- ##
-+## Mmap files on a DOS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_map_dos_files',`
-+ gen_require(`
-+ type dosfs_t;
-+ ')
-+
-+ allow $1 dosfs_t:file map;
-+')
-+
-+########################################
-+##
- ## Read files on a DOS filesystem.
- ##
- ##
-@@ -1793,161 +2162,986 @@ interface(`fs_read_eventpollfs',`
- refpolicywarn(`$0($*) has been deprecated.')
- ')
-
-+
-+#######################################
-+##
-+## Search directories
-+## on a ecrypt filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_search_ecryptfs',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ allow $1 ecryptfs_t:dir search_dir_perms;
-+')
-+
- ########################################
- ##
--## Mount a FUSE filesystem.
-+## Create, read, write, and delete directories
-+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_mount_fusefs',`
-+interface(`fs_manage_ecryptfs_dirs',`
- gen_require(`
-- type fusefs_t;
-+ type ecryptfs_t;
- ')
-
-- allow $1 fusefs_t:filesystem mount;
-+ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
-+ allow $1 ecryptfs_t:dir manage_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_read_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
- ')
-
- ########################################
- ##
--## Unmount a FUSE filesystem.
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_unmount_fusefs',`
-+interface(`fs_manage_ecryptfs_files',`
- gen_require(`
-- type fusefs_t;
-+ type ecryptfs_t;
- ')
-
-- allow $1 fusefs_t:filesystem unmount;
-+ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
- ')
-
- ########################################
- ##
--## Mounton a FUSEFS filesystem.
-+## Do not audit attempts to create,
-+## read, write, and delete files
-+## on a FUSEFS filesystem.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_mounton_fusefs',`
-+interface(`fs_dontaudit_manage_ecryptfs_files',`
- gen_require(`
-- type fusefs_t;
-+ type ecryptfs_t;
- ')
-
-- allow $1 fusefs_t:dir mounton;
-+ dontaudit $1 ecryptfs_t:file manage_file_perms;
- ')
-
- ########################################
- ##
--## Search directories
--## on a FUSEFS filesystem.
-+## Read symbolic links on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_search_fusefs',`
-+interface(`fs_read_ecryptfs_symlinks',`
- gen_require(`
-- type fusefs_t;
-+ type ecryptfs_t;
- ')
-
-- allow $1 fusefs_t:dir search_dir_perms;
-+ allow $1 ecryptfs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+#######################################
-+##
-+## Dontaudit append files on ecrypt filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_dontaudit_append_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+ dontaudit $1 ecryptfs_t:file append;
- ')
-
- ########################################
- ##
--## Do not audit attempts to list the contents
--## of directories on a FUSEFS filesystem.
-+## Manage symbolic links on a FUSEFS filesystem.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_fusefs',`
-+interface(`fs_manage_ecryptfs_symlinks',`
- gen_require(`
-- type fusefs_t;
-+ type ecryptfs_t;
- ')
-
-- dontaudit $1 fusefs_t:dir list_dir_perms;
-+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete directories
--## on a FUSEFS filesystem.
-+## Execute a file on a FUSE filesystem
-+## in the specified domain.
- ##
-+##
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain. This is not suggested.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+## This interface was added to handle
-+## home directories on FUSE filesystems,
-+## in particular used by the ssh-agent policy.
-+##
-+##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
- ##
- ##
--##
- #
--interface(`fs_manage_fusefs_dirs',`
-+interface(`fs_ecryptfs_domtrans',`
- gen_require(`
-- type fusefs_t;
-+ type ecryptfs_t;
- ')
-
-- allow $1 fusefs_t:dir manage_dir_perms;
-+ allow $1 ecryptfs_t:dir search_dir_perms;
-+ domain_auto_transition_pattern($1, ecryptfs_t, $2)
- ')
-
- ########################################
- ##
--## Do not audit attempts to create, read,
--## write, and delete directories
--## on a FUSEFS filesystem.
-+## Mount a FUSE filesystem.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_dirs',`
-+interface(`fs_mount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:dir manage_dir_perms;
-+ allow $1 fusefs_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Unmount a FUSE filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
-+## Mounton a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mounton_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir mounton;
-+')
-+
-+########################################
-+##
-+## Search directories
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_search_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to list the contents
-+## of directories on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_list_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ dontaudit $1 fusefs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete directories
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_fusefs_dirs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to create, read,
-+## write, and delete directories
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_manage_fusefs_dirs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ dontaudit $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read, a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_read_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ read_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Execute files on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_exec_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ exec_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## mmap files on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_mmap_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:file map;
-+')
-+
-+########################################
-+##
-+## Make general progams in FUSEFS an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_fusefs_entry_type',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ domain_entry_file($1, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Make general progams in FUSEFS an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_fusefs_entrypoint',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:file entrypoint;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ manage_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to create,
-+## read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_manage_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ dontaudit $1 fusefs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain. This is not suggested.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+## This interface was added to handle
-+## home directories on FUSE filesystems,
-+## in particular used by the ssh-agent policy.
-+##
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`fs_fusefs_domtrans',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir search_dir_perms;
-+ domain_auto_transition_pattern($1, fusefs_t, $2)
-+')
-+
-+########################################
-+##
-+## Get the attributes of a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_getattr_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
-+## Get the attributes of an hugetlbfs
-+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_hugetlbfs',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $1 hugetlbfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
-+## List hugetlbfs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_list_hugetlbfs',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $1 hugetlbfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Manage hugetlbfs dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_hugetlbfs_dirs',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
-+## Read hugetlbfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_hugetlbfs_files',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
-+## Read and write hugetlbfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_hugetlbfs_files',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $1 hugetlbfs_t:file map;
-+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
-+## Manage hugetlbfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_hugetlbfs_files',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
-+## Execute hugetlbfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_exec_hugetlbfs_files',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $1 hugetlbfs_t:dir list_dir_perms;
-+ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
-+## Allow the type to associate to hugetlbfs filesystems.
-+##
-+##
-+##
-+## The type of the object to be associated.
-+##
-+##
-+#
-+interface(`fs_associate_hugetlbfs',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $1 hugetlbfs_t:filesystem associate;
-+')
-+
-+########################################
-+##
-+## List oracleasmfs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_list_oracleasmfs',`
-+ gen_require(`
-+ type oracleasmfs_t;
-+ ')
-+
-+ allow $1 oracleasmfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Get the attributes of an oracleasmfs
-+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_oracleasmfs_fs',`
-+ gen_require(`
-+ type oracleasmfs_t;
-+ ')
-+
-+ allow $1 oracleasmfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
-+## Get the attributes of an oracleasmfs
-+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_oracleasmfs',`
-+ gen_require(`
-+ type oracleasmfs_t;
-+ ')
-+
-+ allow $1 oracleasmfs_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Get the attributes of an oracleasmfs
-+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_setattr_oracleasmfs',`
-+ gen_require(`
-+ type oracleasmfs_t;
-+ ')
-+
-+ allow $1 oracleasmfs_t:file setattr;
-+')
-+
-+########################################
-+##
-+## Get the attributes of an oracleasmfs
-+## filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_setattr_oracleasmfs_dirs',`
-+ gen_require(`
-+ type oracleasmfs_t;
-+ ')
-+
-+ allow $1 oracleasmfs_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Read and write the oracleasm device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_oracleasm',`
-+ gen_require(`
-+ type oracleasmfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t)
-+ manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t)
-+ dev_filetrans($1, oracleasmfs_t, dir, "oracleasm")
-+')
-+
-+########################################
-+##
-+## Search inotifyfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_search_inotifyfs',`
-+ gen_require(`
-+ type inotifyfs_t;
-+ ')
-+
-+ allow $1 inotifyfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List inotifyfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_list_inotifyfs',`
-+ gen_require(`
-+ type inotifyfs_t;
-+ ')
-+
-+ allow $1 inotifyfs_t:dir list_dir_perms;
-+ fs_read_anon_inodefs_files($1)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to list inotifyfs filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_list_inotifyfs',`
-+ gen_require(`
-+ type inotifyfs_t;
-+ ')
-+
-+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create an object in a hugetlbfs filesystem, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`fs_hugetlbfs_filetrans',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $2 hugetlbfs_t:filesystem associate;
-+ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Mount an iso9660 filesystem, which
-+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mount_iso9660_fs',`
-+ gen_require(`
-+ type iso9660_t;
-+ ')
-+
-+ allow $1 iso9660_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Remount an iso9660 filesystem, which
-+## is usually used on CDs. This allows
-+## some mount options to be changed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_remount_iso9660_fs',`
-+ gen_require(`
-+ type iso9660_t;
-+ ')
-+
-+ allow $1 iso9660_t:filesystem remount;
- ')
-
- ########################################
- ##
--## Read, a FUSEFS filesystem.
-+## Unmount an iso9660 filesystem, which
-+## is usually used on CDs.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_read_fusefs_files',`
-+interface(`fs_unmount_iso9660_fs',`
- gen_require(`
-- type fusefs_t;
-+ type iso9660_t;
- ')
-
-- read_files_pattern($1, fusefs_t, fusefs_t)
-+ allow $1 iso9660_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Execute files on a FUSEFS filesystem.
-+## Get the attributes of an iso9660
-+## filesystem, which is usually used on CDs.
- ##
- ##
- ##
-@@ -1956,57 +3150,59 @@ interface(`fs_read_fusefs_files',`
- ##
- ##
- #
--interface(`fs_exec_fusefs_files',`
-+interface(`fs_getattr_iso9660_fs',`
- gen_require(`
-- type fusefs_t;
-+ type iso9660_t;
- ')
-
-- exec_files_pattern($1, fusefs_t, fusefs_t)
-+ allow $1 iso9660_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files
--## on a FUSEFS filesystem.
-+## Read files on an iso9660 filesystem, which
-+## is usually used on CDs.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_manage_fusefs_files',`
-+interface(`fs_getattr_iso9660_files',`
- gen_require(`
-- type fusefs_t;
-+ type iso9660_t;
- ')
-
-- manage_files_pattern($1, fusefs_t, fusefs_t)
-+ allow $1 iso9660_t:dir list_dir_perms;
-+ allow $1 iso9660_t:file getattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to create,
--## read, write, and delete files
--## on a FUSEFS filesystem.
-+## Read files on an iso9660 filesystem, which
-+## is usually used on CDs.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_read_iso9660_files',`
- gen_require(`
-- type fusefs_t;
-+ type iso9660_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
-+ allow $1 iso9660_t:dir list_dir_perms;
-+ read_files_pattern($1, iso9660_t, iso9660_t)
-+ read_lnk_files_pattern($1, iso9660_t, iso9660_t)
- ')
-
-+
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
-+## Mount kdbus filesystems.
- ##
- ##
- ##
-@@ -2014,19 +3210,17 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
-+interface(`fs_mount_kdbus', `
- gen_require(`
-- type fusefs_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+ allow $1 kdbusfs_t:filesystem mount;
- ')
-
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
-+## Remount kdbus filesystems.
- ##
- ##
- ##
-@@ -2034,17 +3228,17 @@ interface(`fs_read_fusefs_symlinks',`
- ##
- ##
- #
--interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_remount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
-+ allow $1 kdbusfs_t:filesystem remount;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
-+## Unmount kdbus filesystems.
- ##
- ##
- ##
-@@ -2052,17 +3246,17 @@ interface(`fs_getattr_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_list_hugetlbfs',`
-+interface(`fs_unmount_kdbus', `
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 hugetlbfs_t:dir list_dir_perms;
-+ allow $1 kdbusfs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Manage hugetlbfs dirs.
-+## Get attributes of kdbus filesystems.
- ##
- ##
- ##
-@@ -2070,17 +3264,17 @@ interface(`fs_list_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_getattr_kdbus',`
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
- ')
-
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ allow $1 kdbusfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Read and write hugetlbfs files.
-+## Search kdbusfs directories.
- ##
- ##
- ##
-@@ -2088,35 +3282,39 @@ interface(`fs_manage_hugetlbfs_dirs',`
- ##
- ##
- #
--interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_search_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
-+
- ')
-
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Allow the type to associate to hugetlbfs filesystems.
-+## Relabel kdbusfs directories.
- ##
--##
-+##
- ##
--## The type of the object to be associated.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
-+interface(`fs_relabel_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
-+ type kdbusfs_t;
-+
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
-+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
-+## List kdbusfs directories.
- ##
- ##
- ##
-@@ -2124,89 +3322,78 @@ interface(`fs_associate_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
-+interface(`fs_list_kdbus_dirs',`
- gen_require(`
-- type inotifyfs_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
-+ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
--########################################
-+#######################################
- ##
--## List inotifyfs filesystem.
-+## Do not audit attempts to search kdbusfs directories.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain to not audit.
-+##
- ##
- #
--interface(`fs_list_inotifyfs',`
-- gen_require(`
-- type inotifyfs_t;
-- ')
-+interface(`fs_dontaudit_search_kdbus_dirs', `
-+ gen_require(`
-+ type kdbusfs_t;
-+ ')
-
-- allow $1 inotifyfs_t:dir list_dir_perms;
-+ dontaudit $1 kdbusfs_t:dir search_dir_perms;
-+ dev_dontaudit_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Dontaudit List inotifyfs filesystem.
-+## Delete kdbusfs directories.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_delete_kdbus_dirs', `
- gen_require(`
-- type inotifyfs_t;
-+ type kdbusfs_t;
- ')
-
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
-+## Manage kdbusfs directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`fs_hugetlbfs_filetrans',`
-+interface(`fs_manage_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
-- ')
-+ type kdbusfs_t;
-
-- allow $2 hugetlbfs_t:filesystem associate;
-- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+ ')
-+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Mount an iso9660 filesystem, which
--## is usually used on CDs.
-+## Read kdbusfs files.
- ##
- ##
- ##
-@@ -2214,19 +3401,21 @@ interface(`fs_hugetlbfs_filetrans',`
- ##
- ##
- #
--interface(`fs_mount_iso9660_fs',`
-+interface(`fs_read_kdbus_files',`
- gen_require(`
-- type iso9660_t;
-+ type kdbusfs_t;
-+
- ')
-
-- allow $1 iso9660_t:filesystem mount;
-+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Remount an iso9660 filesystem, which
--## is usually used on CDs. This allows
--## some mount options to be changed.
-+## Write kdbusfs files.
- ##
- ##
- ##
-@@ -2234,18 +3423,19 @@ interface(`fs_mount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_remount_iso9660_fs',`
-+interface(`fs_write_kdbus_files', `
- gen_require(`
-- type iso9660_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem remount;
-+ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Unmount an iso9660 filesystem, which
--## is usually used on CDs.
-+## Read and write kdbusfs files.
- ##
- ##
- ##
-@@ -2253,38 +3443,41 @@ interface(`fs_remount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_unmount_iso9660_fs',`
-+interface(`fs_rw_kdbus_files',`
- gen_require(`
-- type iso9660_t;
-+ type kdbusfs_t;
-+
- ')
-
-- allow $1 iso9660_t:filesystem unmount;
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Get the attributes of an iso9660
--## filesystem, which is usually used on CDs.
-+## Do not audit attempts to open,
-+## get attributes, read and write
-+## cgroup files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`fs_getattr_iso9660_fs',`
-+interface(`fs_dontaudit_rw_kdbus_files',`
- gen_require(`
-- type iso9660_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem getattr;
-+ dontaudit $1 kdbusfs_t:file rw_file_perms;
- ')
-
- ########################################
- ##
--## Read files on an iso9660 filesystem, which
--## is usually used on CDs.
-+## Manage kdbusfs files.
- ##
- ##
- ##
-@@ -2292,19 +3485,21 @@ interface(`fs_getattr_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_getattr_iso9660_files',`
-+interface(`fs_manage_kdbus_files',`
- gen_require(`
-- type iso9660_t;
-+ type kdbusfs_t;
-+
- ')
-
-- allow $1 iso9660_t:dir list_dir_perms;
-- allow $1 iso9660_t:file getattr;
-+ manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Read files on an iso9660 filesystem, which
--## is usually used on CDs.
-+## Mount on kdbusfs directories.
- ##
- ##
- ##
-@@ -2312,16 +3507,15 @@ interface(`fs_getattr_iso9660_files',`
- ##
- ##
- #
--interface(`fs_read_iso9660_files',`
-+interface(`fs_mounton_kdbus', `
- gen_require(`
-- type iso9660_t;
-+ type kdbusfs_t;
- ')
-
-- allow $1 iso9660_t:dir list_dir_perms;
-- read_files_pattern($1, iso9660_t, iso9660_t)
-- read_lnk_files_pattern($1, iso9660_t, iso9660_t)
-+ allow $1 kdbusfs_t:dir mounton;
- ')
-
-+
- ########################################
- ##
- ## Mount a NFS filesystem.
-@@ -2398,6 +3592,24 @@ interface(`fs_getattr_nfs',`
-
- ########################################
- ##
-+## Set the attributes of nfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_setattr_nfs_dirs',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ allow $1 nfs_t:dir setattr;
-+')
-+
-+########################################
-+##
- ## Search directories on a NFS filesystem.
- ##
- ##
-@@ -2485,6 +3697,7 @@ interface(`fs_read_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir list_dir_perms;
- read_files_pattern($1, nfs_t, nfs_t)
- ')
-@@ -2523,6 +3736,7 @@ interface(`fs_write_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir list_dir_perms;
- write_files_pattern($1, nfs_t, nfs_t)
- ')
-@@ -2549,6 +3763,44 @@ interface(`fs_exec_nfs_files',`
-
- ########################################
- ##
-+## Make general progams in nfs an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which nfs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_nfs_entry_type',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ domain_entry_file($1, nfs_t)
-+')
-+
-+########################################
-+##
-+## Make general progams in NFS an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which nfs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_nfs_entrypoint',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ allow $1 nfs_t:file entrypoint;
-+')
-+
-+########################################
-+##
- ## Append files
- ## on a NFS filesystem.
- ##
-@@ -2559,32 +3811,68 @@ interface(`fs_exec_nfs_files',`
- ##
- ##
- #
--interface(`fs_append_nfs_files',`
-+interface(`fs_append_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ append_files_pattern($1, nfs_t, nfs_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to append files
-+## on a NFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`fs_dontaudit_append_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ dontaudit $1 nfs_t:file append_file_perms;
-+')
-+
-+########################################
-+##
-+## Read inherited files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- append_files_pattern($1, nfs_t, nfs_t)
-+ allow $1 nfs_t:file read_inherited_file_perms;
- ')
-
- ########################################
- ##
--## dontaudit Append files
--## on a NFS filesystem.
-+## Read/write inherited files on a NFS filesystem.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_dontaudit_append_nfs_files',`
-+interface(`fs_rw_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file append_file_perms;
-+ allow $1 nfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -2603,7 +3891,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file rw_file_perms;
-+ dontaudit $1 nfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -2627,7 +3915,7 @@ interface(`fs_read_nfs_symlinks',`
-
- ########################################
- ##
--## Dontaudit read symbolic links on a NFS filesystem.
-+## Do not audit attempts to read symbolic links on a NFS filesystem.
- ##
- ##
- ##
-@@ -2719,6 +4007,65 @@ interface(`fs_search_rpc',`
-
- ########################################
- ##
-+## Do not audit attempts to list removable storage directories.
-+##
-+##
-+##
-+## Do not audit attempts to list removable storage directories
-+##
-+##
-+## This interface has been deprecated, and will
-+## be removed in the future.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_list_pstorefs',`
-+ refpolicywarn(`$0($*) has been deprecated.')
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to list removable storage directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_list_pstore',`
-+ gen_require(`
-+ type pstore_t;
-+ ')
-+
-+ allow $1 pstore_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Relabel directory on removable storage.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_pstore_dirs',`
-+ gen_require(`
-+ type pstore_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, pstore_t, pstore_t)
-+')
-+
-+########################################
-+##
- ## Search removable storage directories.
- ##
- ##
-@@ -2741,7 +4088,7 @@ interface(`fs_search_removable',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2771,13 +4118,33 @@ interface(`fs_read_removable_files',`
- read_files_pattern($1, removable_t, removable_t)
- ')
-
-+
-+########################################
-+##
-+## mmap files on a removable files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_mmap_removable_files',`
-+ gen_require(`
-+ type removable_t;
-+ ')
-+
-+ allow $1 removable_t:file map;
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to read removable storage files.
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2970,6 +4337,7 @@ interface(`fs_manage_nfs_dirs',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir manage_dir_perms;
- ')
-
-@@ -3010,11 +4378,31 @@ interface(`fs_manage_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- manage_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ##
-+## mmap files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_mmap_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ allow $1 nfs_t:file map;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to create,
- ## read, write, and delete files
- ## on a NFS filesystem.
-@@ -3050,6 +4438,7 @@ interface(`fs_manage_nfs_symlinks',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- manage_lnk_files_pattern($1, nfs_t, nfs_t)
- ')
-
-@@ -3137,6 +4526,24 @@ interface(`fs_nfs_domtrans',`
-
- ########################################
- ##
-+## Mount on nfsd_fs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mounton_nfsd_fs', `
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ allow $1 nfsd_fs_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Mount a NFS server pseudo filesystem.
- ##
- ##
-@@ -3239,15 +4646,198 @@ interface(`fs_search_nfsd_fs',`
- #
- interface(`fs_list_nfsd_fs',`
- gen_require(`
-- type nfsd_fs_t;
-+ type nfsd_fs_t;
-+ ')
-+
-+ allow $1 nfsd_fs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Getattr files on an nfsd filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
-+#######################################
-+##
-+## read files on an nfsd filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
-+#######################################
-+##
-+## Read and write NFS server files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_nfsd_fs',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
-+########################################
-+##
-+## Getattr files on an nsfs filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_dontaudit_getattr_nsfs_files',`
-+ gen_require(`
-+ type nsfs_t;
-+ ')
-+
-+ dontaudit $1 nsfs_t:file getattr;
-+')
-+
-+
-+########################################
-+##
-+## Getattr files on an nsfs filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_nsfs_files',`
-+ gen_require(`
-+ type nsfs_t;
-+ ')
-+
-+ getattr_files_pattern($1, nsfs_t, nsfs_t)
-+')
-+
-+#######################################
-+##
-+## Read nsfs inodes (e.g. /proc/pid/ns/uts)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_nsfs_files',`
-+ gen_require(`
-+ type nsfs_t;
-+ ')
-+
-+ allow $1 nsfs_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Read and write nsfs inodes (e.g. /proc/pid/ns/uts)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_nsfs_files',`
-+ gen_require(`
-+ type nsfs_t;
-+ ')
-+
-+ rw_files_pattern($1, nsfs_t, nsfs_t)
-+')
-+
-+
-+########################################
-+##
-+## Mount a nsfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mount_nsfs',`
-+ gen_require(`
-+ type nsfs_t;
-+ ')
-+
-+ allow $1 nsfs_t:filesystem mount;
-+')
-+
-+
-+########################################
-+##
-+## Remount a tmpfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_remount_nsfs',`
-+ gen_require(`
-+ type nsfs_t;
-+ ')
-+
-+ allow $1 nsfs_t:filesystem remount;
-+')
-+
-+########################################
-+##
-+## Unmount a tmpfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_nsfs',`
-+ gen_require(`
-+ type nsfs_t;
- ')
-
-- allow $1 nfsd_fs_t:dir list_dir_perms;
-+ allow $1 nsfs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Getattr files on an nfsd filesystem
-+## Manage NFS server files.
- ##
- ##
- ##
-@@ -3255,35 +4845,35 @@ interface(`fs_list_nfsd_fs',`
- ##
- ##
- #
--interface(`fs_getattr_nfsd_files',`
-+interface(`fs_manage_nfsd_fs',`
- gen_require(`
- type nfsd_fs_t;
- ')
-
-- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
- ########################################
- ##
--## Read and write NFS server files.
-+## Allow the type to associate to ramfs filesystems.
- ##
--##
-+##
- ##
--## Domain allowed access.
-+## The type of the object to be associated.
- ##
- ##
- #
--interface(`fs_rw_nfsd_fs',`
-+interface(`fs_associate_ramfs',`
- gen_require(`
-- type nfsd_fs_t;
-+ type ramfs_t;
- ')
-
-- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+ allow $1 ramfs_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Allow the type to associate to ramfs filesystems.
-+## Allow the type to associate to proc filesystems.
- ##
- ##
- ##
-@@ -3291,12 +4881,12 @@ interface(`fs_rw_nfsd_fs',`
- ##
- ##
- #
--interface(`fs_associate_ramfs',`
-+interface(`fs_associate_proc',`
- gen_require(`
-- type ramfs_t;
-+ type proc_t;
- ')
-
-- allow $1 ramfs_t:filesystem associate;
-+ allow $1 proc_t:filesystem associate;
- ')
-
- ########################################
-@@ -3392,7 +4982,7 @@ interface(`fs_search_ramfs',`
-
- ########################################
- ##
--## Dontaudit Search directories on a ramfs
-+## Do not audit attempts to search directories on a ramfs
- ##
- ##
- ##
-@@ -3429,7 +5019,7 @@ interface(`fs_manage_ramfs_dirs',`
-
- ########################################
- ##
--## Dontaudit read on a ramfs files.
-+## Do not audit attempts to read on a ramfs files.
- ##
- ##
- ##
-@@ -3447,7 +5037,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
-
- ########################################
- ##
--## Dontaudit read on a ramfs fifo_files.
-+## Do not audit attempts to read on a ramfs fifo_files.
- ##
- ##
- ##
-@@ -3779,6 +5369,24 @@ interface(`fs_mount_tmpfs',`
-
- ########################################
- ##
-+## Dontaudit remount a tmpfs filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_remount_tmpfs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:filesystem remount;
-+')
-+
-+########################################
-+##
- ## Remount a tmpfs filesystem.
- ##
- ##
-@@ -3815,6 +5423,24 @@ interface(`fs_unmount_tmpfs',`
-
- ########################################
- ##
-+## Mount on tmpfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mounton_tmpfs', `
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Get the attributes of a tmpfs
- ## filesystem.
- ##
-@@ -3908,7 +5534,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
-
- ########################################
- ##
--## Mount on tmpfs directories.
-+## Set the attributes of tmpfs directories.
- ##
- ##
- ##
-@@ -3916,17 +5542,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
- ##
- ##
- #
--interface(`fs_mounton_tmpfs',`
-+interface(`fs_setattr_tmpfs_dirs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir mounton;
-+ allow $1 tmpfs_t:dir setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of tmpfs directories.
-+## Search tmpfs directories.
- ##
- ##
- ##
-@@ -3934,17 +5560,17 @@ interface(`fs_mounton_tmpfs',`
- ##
- ##
- #
--interface(`fs_setattr_tmpfs_dirs',`
-+interface(`fs_search_tmpfs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir setattr;
-+ allow $1 tmpfs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Search tmpfs directories.
-+## List the contents of generic tmpfs directories.
- ##
- ##
- ##
-@@ -3952,17 +5578,36 @@ interface(`fs_setattr_tmpfs_dirs',`
- ##
- ##
- #
--interface(`fs_search_tmpfs',`
-+interface(`fs_list_tmpfs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir search_dir_perms;
-+ allow $1 tmpfs_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## List the contents of generic tmpfs directories.
-+## Do not audit attempts to list the
-+## contents of generic tmpfs directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_list_tmpfs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Relabel directory on tmpfs filesystems.
- ##
- ##
- ##
-@@ -3970,31 +5615,48 @@ interface(`fs_search_tmpfs',`
- ##
- ##
- #
--interface(`fs_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_dirs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to list the
--## contents of generic tmpfs directories.
-+## Relabel fifo_file on tmpfs filesystems.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_fifo_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- dontaudit $1 tmpfs_t:dir list_dir_perms;
-+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Relabel files on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
-@@ -4057,23 +5719,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
- ##
- ##
- ##
--## The name of the object being created.
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`fs_tmpfs_filetrans',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $2 tmpfs_t:filesystem associate;
-+ filetrans_pattern($1, tmpfs_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to getattr
-+## generic tmpfs files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_getattr_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## generic tmpfs files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_rw_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## auto moutpoints.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_auto_mountpoints',`
-+ gen_require(`
-+ type autofs_t;
-+ ')
-+
-+ allow $1 autofs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read generic tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ read_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Read and write generic tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Read and write generic tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:file { read write };
-+')
-+
-+########################################
-+##
-+## Read tmpfs link files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_tmpfs_symlinks',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Read and write character nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_tmpfs_filetrans',`
-+interface(`fs_rw_tmpfs_chr_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $2 tmpfs_t:filesystem associate;
-- filetrans_pattern($1, tmpfs_t, $2, $3, $4)
-+ allow $1 tmpfs_t:dir list_dir_perms;
-+ rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to getattr
--## generic tmpfs files.
-+## Do not audit attempts to read and write character nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4081,18 +5890,18 @@ interface(`fs_tmpfs_filetrans',`
- ##
- ##
- #
--interface(`fs_dontaudit_getattr_tmpfs_files',`
-+interface(`fs_dontaudit_use_tmpfs_chr_dev',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- dontaudit $1 tmpfs_t:file getattr;
-+ dontaudit $1 tmpfs_t:dir list_dir_perms;
-+ dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read or write
--## generic tmpfs files.
-+## Do not audit attempts to create character nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4100,54 +5909,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
- ##
- ##
- #
--interface(`fs_dontaudit_rw_tmpfs_files',`
-+interface(`fs_dontaudit_create_tmpfs_chr_dev',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- dontaudit $1 tmpfs_t:file rw_file_perms;
-+ dontaudit $1 tmpfs_t:chr_file create;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## auto moutpoints.
-+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_manage_auto_mountpoints',`
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
- gen_require(`
-- type autofs_t;
-+ type tmpfs_t;
- ')
-
-- allow $1 autofs_t:dir manage_dir_perms;
-+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
- ')
-
- ########################################
- ##
--## Read generic tmpfs files.
-+## Do not audit attempts to read files on tmpfs filesystems.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`fs_read_tmpfs_files',`
-+interface(`fs_dontaudit_read_tmpfs_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- read_files_pattern($1, tmpfs_t, tmpfs_t)
-+ dontaudit $1 tmpfs_t:blk_file read;
- ')
-
- ########################################
- ##
--## Read and write generic tmpfs files.
-+## Relabel character nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4155,17 +5963,18 @@ interface(`fs_read_tmpfs_files',`
- ##
- ##
- #
--interface(`fs_rw_tmpfs_files',`
-+interface(`fs_relabel_tmpfs_chr_file',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- rw_files_pattern($1, tmpfs_t, tmpfs_t)
-+ allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Read tmpfs link files.
-+## Read and write block nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4173,17 +5982,18 @@ interface(`fs_rw_tmpfs_files',`
- ##
- ##
- #
--interface(`fs_read_tmpfs_symlinks',`
-+interface(`fs_rw_tmpfs_blk_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
-+ allow $1 tmpfs_t:dir list_dir_perms;
-+ rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Read and write character nodes on tmpfs filesystems.
-+## Relabel block nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4191,37 +6001,36 @@ interface(`fs_read_tmpfs_symlinks',`
- ##
- ##
- #
--interface(`fs_rw_tmpfs_chr_files',`
-+interface(`fs_getattr_tmpfs_blk_file',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir list_dir_perms;
-- rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
-+ allow $1 tmpfs_t:blk_file getattr;
- ')
-
- ########################################
- ##
--## dontaudit Read and write character nodes on tmpfs filesystems.
-+## Relabel block nodes on tmpfs filesystems.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_use_tmpfs_chr_dev',`
-+interface(`fs_relabel_tmpfs_blk_file',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- dontaudit $1 tmpfs_t:dir list_dir_perms;
-- dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
-+ allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Relabel character nodes on tmpfs filesystems.
-+## Relabel sock nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4229,18 +6038,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
- ##
- ##
- #
--interface(`fs_relabel_tmpfs_chr_file',`
-+interface(`fs_relabel_tmpfs_sock_file',`
- gen_require(`
- type tmpfs_t;
- ')
-
- allow $1 tmpfs_t:dir list_dir_perms;
-- relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
-+ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Read and write block nodes on tmpfs filesystems.
-+## Delete generic files in tmpfs directory.
- ##
- ##
- ##
-@@ -4248,18 +6057,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
- ##
- ##
- #
--interface(`fs_rw_tmpfs_blk_files',`
-+interface(`fs_delete_tmpfs_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir list_dir_perms;
-- rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
-+ allow $1 tmpfs_t:dir del_entry_dir_perms;
-+ allow $1 tmpfs_t:file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## Relabel block nodes on tmpfs filesystems.
-+## Read and write, create and delete generic
-+## files on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4267,32 +6077,31 @@ interface(`fs_rw_tmpfs_blk_files',`
- ##
- ##
- #
--interface(`fs_relabel_tmpfs_blk_file',`
-+interface(`fs_manage_tmpfs_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir list_dir_perms;
-- relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
-+ manage_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Read and write, create and delete generic
--## files on tmpfs filesystems.
-+## Execute files on a tmpfs filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_manage_tmpfs_files',`
-+interface(`fs_exec_tmpfs_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- manage_files_pattern($1, tmpfs_t, tmpfs_t)
-+ exec_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
-@@ -4407,6 +6216,25 @@ interface(`fs_search_xenfs',`
- allow $1 xenfs_t:dir search_dir_perms;
- ')
-
-+
-+########################################
-+##
-+## Read files on a XENFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_xenfs_files',`
-+ gen_require(`
-+ type xenfs_t;
-+ ')
-+
-+ allow $1 xenfs_t:file read_file_perms;
-+')
-+
- ########################################
- ##
- ## Create, read, write, and delete directories
-@@ -4503,6 +6331,8 @@ interface(`fs_mount_all_fs',`
- ')
-
- allow $1 filesystem_type:filesystem mount;
-+# Mount checks write access on the dir
-+ allow $1 filesystem_type:dir write;
- ')
-
- ########################################
-@@ -4549,7 +6379,7 @@ interface(`fs_unmount_all_fs',`
- ##
- ##
- ## Allow the specified domain to
--## et the attributes of all filesystems.
-+## get the attributes of all filesystems.
- ## Example attributes:
- ##
- ##
-@@ -4596,6 +6426,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
-
- ########################################
- ##
-+## Do not audit attempts to check the
-+## access on all filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_all_access_check',`
-+ gen_require(`
-+ attribute filesystem_type;
-+ ')
-+
-+ dontaudit $1 filesystem_type:dir_file_class_set audit_access;
-+')
-+
-+
-+########################################
-+##
- ## Get the quotas of all filesystems.
- ##
- ##
-@@ -4671,6 +6521,25 @@ interface(`fs_getattr_all_dirs',`
-
- ########################################
- ##
-+## Dontaudit Get the attributes of all directories
-+## with a filesystem type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_dontaudit_getattr_all_dirs',`
-+ gen_require(`
-+ attribute filesystem_type;
-+ ')
-+
-+ dontaudit $1 filesystem_type:dir getattr;
-+')
-+
-+########################################
-+##
- ## Search all directories with a filesystem type.
- ##
- ##
-@@ -4912,3 +6781,176 @@ interface(`fs_unconfined',`
-
- typeattribute $1 filesystem_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## all leaked filesystems files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_leaks',`
-+ gen_require(`
-+ attribute filesystem_type;
-+ ')
-+
-+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
-+ dontaudit $1 filesystem_type:lnk_file { read };
-+')
-+
-+
-+########################################
-+##
-+## Transition named content in tmpfs_t directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_tmpfs_filetrans_named_content',`
-+ gen_require(`
-+ type cgroup_t;
-+ type devlog_t;
-+ ')
-+
-+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
-+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
-+ fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log")
-+')
-+
-+#######################################
-+##
-+## Read files in efivarfs
-+## - contains Linux Kernel configuration options for UEFI systems
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_read_efivarfs_files',`
-+ gen_require(`
-+ type efivarfs_t;
-+ ')
-+
-+ read_files_pattern($1, efivarfs_t, efivarfs_t)
-+')
-+
-+########################################
-+##
-+## Read and write sockets of ONLOAD file system pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_onload_sockets',`
-+ gen_require(`
-+ type onload_fs_t;
-+ ')
-+
-+ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
-+ allow $1 onload_fs_t:sock_file ioctl;
-+')
-+
-+########################################
-+##
-+## Read and write tracefs_t files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_tracefs_files',`
-+ gen_require(`
-+ type tracefs_t;
-+ ')
-+
-+ rw_files_pattern($1, tracefs_t, tracefs_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete dirs
-+## labeled as tracefs_t.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_tracefs_dirs',`
-+ gen_require(`
-+ type tracefs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, tracefs_t, tracefs_t)
-+')
-+
-+########################################
-+##
-+## Mount tracefs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mount_tracefs', `
-+ gen_require(`
-+ type tracefs_t;
-+ ')
-+
-+ allow $1 tracefs_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Remount tracefs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_remount_tracefs', `
-+ gen_require(`
-+ type tracefs_t;
-+ ')
-+
-+ allow $1 tracefs_t:filesystem remount;
-+')
-+
-+########################################
-+##
-+## Unmount tracefs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_tracefs', `
-+ gen_require(`
-+ type tracefs_t;
-+ ')
-+
-+ allow $1 tracefs_t:filesystem unmount;
-+')
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d173844..b10afaff0 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -26,14 +26,20 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr shiftfs gen_context(system_u:object_r:fs_t,s0);
-
- # Use the allocating task SID to label inodes in the following filesystem
- # types, and label the filesystem itself with the specified context.
-@@ -43,6 +49,7 @@ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
- fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);
-
- ##############################
- #
-@@ -53,6 +60,7 @@ type anon_inodefs_t;
- fs_type(anon_inodefs_t)
- files_mountpoint(anon_inodefs_t)
- genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
-+mls_trusted_object(anon_inodefs_t)
-
- type bdev_t;
- fs_type(bdev_t)
-@@ -63,16 +71,28 @@ fs_type(binfmt_misc_fs_t)
- files_mountpoint(binfmt_misc_fs_t)
- genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
-
-+type oracleasmfs_t;
-+fs_type(oracleasmfs_t)
-+dev_node(oracleasmfs_t)
-+files_mountpoint(oracleasmfs_t)
-+genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
-+
- type capifs_t;
- fs_type(capifs_t)
- files_mountpoint(capifs_t)
- genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-
--type cgroup_t;
-+type cephfs_t;
-+fs_type(cephfs_t)
-+files_mountpoint(cephfs_t)
-+genfscon ceph / gen_context(system_u:object_r:cephfs_t,s0)
-+
-+type cgroup_t alias cgroupfs_t;
- fs_type(cgroup_t)
- files_mountpoint(cgroup_t)
- dev_associate_sysfs(cgroup_t)
- genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
-
- type configfs_t;
- fs_type(configfs_t)
-@@ -88,6 +108,11 @@ fs_noxattr_type(ecryptfs_t)
- files_mountpoint(ecryptfs_t)
- genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
-
-+type efivarfs_t;
-+fs_noxattr_type(efivarfs_t)
-+files_mountpoint(efivarfs_t)
-+genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
-+
- type futexfs_t;
- fs_type(futexfs_t)
- genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +121,7 @@ type hugetlbfs_t;
- fs_type(hugetlbfs_t)
- files_mountpoint(hugetlbfs_t)
- fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-+dev_associate(hugetlbfs_t)
-
- type ibmasmfs_t;
- fs_type(ibmasmfs_t)
-@@ -111,6 +137,12 @@ type inotifyfs_t;
- fs_type(inotifyfs_t)
- genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-
-+type kdbusfs_t;
-+fs_type(kdbusfs_t)
-+files_mountpoint(kdbusfs_t)
-+dev_associate_sysfs(kdbusfs_t)
-+genfscon kdbusfs / gen_context(system_u:object_r:kdbusfs_t,s0)
-+
- type mvfs_t;
- fs_noxattr_type(mvfs_t)
- allow mvfs_t self:filesystem associate;
-@@ -118,13 +150,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
-
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-
-+type nsfs_t;
-+fs_type(nsfs_t)
-+genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
-+
-+type onload_fs_t;
-+fs_type(onload_fs_t)
-+files_mountpoint(onload_fs_t)
-+genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0)
-+
- type oprofilefs_t;
- fs_type(oprofilefs_t)
- genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
-
--type pstore_t;
-+type pstore_t alias pstorefs_t;
- fs_type(pstore_t)
- files_mountpoint(pstore_t)
- dev_associate_sysfs(pstore_t)
-@@ -150,17 +192,16 @@ fs_type(spufs_t)
- genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
- files_mountpoint(spufs_t)
-
--type squash_t;
--fs_type(squash_t)
--genfscon squash / gen_context(system_u:object_r:squash_t,s0)
--files_mountpoint(squash_t)
--
- type sysv_t;
- fs_noxattr_type(sysv_t)
- files_mountpoint(sysv_t)
- genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
- genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
-
-+type tracefs_t;
-+fs_type(tracefs_t)
-+genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
-+
- type vmblock_t;
- fs_noxattr_type(vmblock_t)
- files_mountpoint(vmblock_t)
-@@ -172,6 +213,8 @@ type vxfs_t;
- fs_noxattr_type(vxfs_t)
- files_mountpoint(vxfs_t)
- genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
-+genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0)
-+genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0)
-
- #
- # tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +225,8 @@ fs_type(tmpfs_t)
- files_type(tmpfs_t)
- files_mountpoint(tmpfs_t)
- files_poly_parent(tmpfs_t)
-+dev_associate(tmpfs_t)
-+mls_trusted_object(tmpfs_t)
-
- # Use a transition SID based on the allocating task SID and the
- # filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +306,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
- type removable_t;
- allow removable_t noxattrfs:filesystem associate;
- fs_noxattr_type(removable_t)
-+files_type(removable_t)
-+dev_node(removable_t)
- files_mountpoint(removable_t)
-
- #
-@@ -280,6 +327,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
-+genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
-
- ########################################
- #
-@@ -301,9 +349,10 @@ fs_associate_noxattr(noxattrfs)
- # Unconfined access to this module
- #
-
--allow filesystem_unconfined_type filesystem_type:filesystem *;
-+allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
-
- # Create/access other files. fs_type is to pick up various
- # pseudo filesystem types that are applied to both the filesystem
- # and its files.
--allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
-+allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
-+allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
-diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf74..9710b3336 100644
---- a/policy/modules/kernel/kernel.fc
-+++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,5 @@
--# This module currently does not have any file contexts.
-+
-+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
-+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
-+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
-+/sys/kernel/debug/.* <>
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d886b..355a67b18 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
-
- ########################################
- ##
-+## Dontaudit attempts to set the priority of kernel threads.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_setsched',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ dontaudit $1 kernel_t:process setsched;
-+')
-+
-+########################################
-+##
- ## Send a SIGCHLD signal to kernel threads.
- ##
- ##
-@@ -180,6 +198,24 @@ interface(`kernel_signal',`
-
- ########################################
- ##
-+## Send signull to kernel threads.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_signull',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:process signull;
-+')
-+
-+########################################
-+##
- ## Allows the kernel to share state information with
- ## the caller.
- ##
-@@ -268,7 +304,7 @@ interface(`kernel_stream_connect',`
- type kernel_t;
- ')
-
-- allow $1 kernel_t:unix_stream_socket connectto;
-+ allow $1 kernel_t:unix_stream_socket { getattr connectto };
- ')
-
- ########################################
-@@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
- type kernel_t;
- ')
-
-- allow $1 kernel_t:unix_dgram_socket { read write ioctl };
-+ allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
- ')
-
- ########################################
-@@ -441,6 +477,41 @@ interface(`kernel_dontaudit_link_key',`
-
- ########################################
- ##
-+## Allow view the kernel key ring.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_view_key',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:key view;
-+')
-+
-+########################################
-+##
-+## dontaudit view the kernel key ring.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_view_key',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ dontaudit $1 kernel_t:key view;
-+')
-+########################################
-+##
- ## Allows caller to read the ring buffer.
- ##
- ##
-@@ -762,8 +833,8 @@ interface(`kernel_manage_debugfs',`
- ')
-
- manage_files_pattern($1, debugfs_t, debugfs_t)
-+ manage_dirs_pattern($1,debugfs_t, debugfs_t)
- read_lnk_files_pattern($1, debugfs_t, debugfs_t)
-- list_dirs_pattern($1, debugfs_t, debugfs_t)
- ')
-
- ########################################
-@@ -786,6 +857,24 @@ interface(`kernel_mount_kvmfs',`
-
- ########################################
- ##
-+## Mount the proc filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mount_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:filesystem mount;
-+')
-+
-+########################################
-+##
- ## Unmount the proc filesystem.
- ##
- ##
-@@ -804,6 +893,24 @@ interface(`kernel_unmount_proc',`
-
- ########################################
- ##
-+## Mounton a proc filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mounton_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Get the attributes of the proc filesystem.
- ##
- ##
-@@ -841,6 +948,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',`
-
- ########################################
- ##
-+## Do not audit attempts to set the
-+## attributes of files in /proc.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_setattr_proc_files',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ dontaudit $1 proc_t:file setattr;
-+')
-+
-+########################################
-+##
- ## Search directories in /proc.
- ##
- ##
-@@ -991,13 +1117,10 @@ interface(`kernel_read_proc_symlinks',`
- #
- interface(`kernel_read_system_state',`
- gen_require(`
-- type proc_t;
-+ attribute kernel_system_state_reader;
- ')
-
-- read_files_pattern($1, proc_t, proc_t)
-- read_lnk_files_pattern($1, proc_t, proc_t)
--
-- list_dirs_pattern($1, proc_t, proc_t)
-+ typeattribute $1 kernel_system_state_reader;
- ')
-
- ########################################
-@@ -1025,6 +1148,44 @@ interface(`kernel_write_proc_files',`
-
- ########################################
- ##
-+## Do not audit attempts to write the
-+## file in /proc.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_write_proc_files',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ dontaudit $1 proc_t:file write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to check the
-+## access on generic proc entries.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_access_check_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ dontaudit $1 proc_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts by caller to
- ## read system state information in proc.
- ##
-@@ -1208,6 +1369,24 @@ interface(`kernel_read_messages',`
-
- ########################################
- ##
-+## Allow caller to mounton the kernel messages file
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mounton_messages',`
-+ gen_require(`
-+ type proc_kmsg_t;
-+ ')
-+
-+ allow $1 proc_kmsg_t:file mounton;
-+')
-+
-+########################################
-+##
- ## Allow caller to get the attributes of kernel message
- ## interface (/proc/kmsg).
- ##
-@@ -1458,6 +1637,25 @@ interface(`kernel_list_all_proc',`
-
- ########################################
- ##
-+## Allow attempts to mounton all proc directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mounton_all_proc',`
-+ gen_require(`
-+ attribute proc_type;
-+ ')
-+
-+ allow $1 proc_type:dir mounton;
-+ allow $1 proc_type:file mounton;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to list all proc directories.
- ##
- ##
-@@ -1477,6 +1675,28 @@ interface(`kernel_dontaudit_list_all_proc',`
-
- ########################################
- ##
-+## Allow attempts to read all proc types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_all_proc',`
-+ gen_require(`
-+ attribute proc_type;
-+ attribute can_dump_kernel;
-+ attribute can_receive_kernel_messages;
-+ ')
-+
-+ read_files_pattern($1, proc_type, proc_type)
-+ typeattribute $1 can_dump_kernel;
-+ typeattribute $1 can_receive_kernel_messages;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts by caller to search
- ## the base directory of sysctls.
- ##
-@@ -1672,7 +1892,7 @@ interface(`kernel_read_net_sysctls',`
- ')
-
- read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
--
-+ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
- ')
-
-@@ -1693,7 +1913,7 @@ interface(`kernel_rw_net_sysctls',`
- ')
-
- rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
--
-+ read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
- ')
-
-@@ -1715,7 +1935,6 @@ interface(`kernel_read_unix_sysctls',`
- ')
-
- read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
--
- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
- ')
-
-@@ -1750,16 +1969,9 @@ interface(`kernel_rw_unix_sysctls',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`kernel_read_hotplug_sysctls',`
-- gen_require(`
-- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-- ')
--
-- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
--
-- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
-+ refpolicywarn(`$0($*) has been deprecated.')
- ')
-
- ########################################
-@@ -1771,16 +1983,9 @@ interface(`kernel_read_hotplug_sysctls',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`kernel_rw_hotplug_sysctls',`
-- gen_require(`
-- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-- ')
--
-- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
--
-- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
-+ refpolicywarn(`$0($*) has been deprecated.')
- ')
-
- ########################################
-@@ -1792,16 +1997,9 @@ interface(`kernel_rw_hotplug_sysctls',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`kernel_read_modprobe_sysctls',`
-- gen_require(`
-- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-- ')
--
-- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
--
-- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
-+ refpolicywarn(`$0($*) has been deprecated.')
- ')
-
- ########################################
-@@ -1813,16 +2011,9 @@ interface(`kernel_read_modprobe_sysctls',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`kernel_rw_modprobe_sysctls',`
-- gen_require(`
-- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-- ')
--
-- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
--
-- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
-+ refpolicywarn(`$0($*) has been deprecated.')
- ')
-
- ########################################
-@@ -2048,9 +2239,10 @@ interface(`kernel_read_rpc_sysctls',`
- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
- ')
-
-+
- ########################################
- ##
--## Read and write RPC sysctls.
-+## Read RPC sysctls.
- ##
- ##
- ##
-@@ -2059,38 +2251,38 @@ interface(`kernel_read_rpc_sysctls',`
- ##
- ##
- #
--interface(`kernel_rw_rpc_sysctls',`
-+interface(`kernel_rw_rpc_sysctls_dirs',`
- gen_require(`
- type proc_t, proc_net_t, sysctl_rpc_t;
- ')
-
-- rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
--
-- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
-+ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to list all sysctl directories.
-+## Read and write RPC sysctls.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`kernel_dontaudit_list_all_sysctls',`
-+interface(`kernel_rw_rpc_sysctls',`
- gen_require(`
-- attribute sysctl_type;
-+ type proc_t, proc_net_t, sysctl_rpc_t;
- ')
-
-- dontaudit $1 sysctl_type:dir list_dir_perms;
-- dontaudit $1 sysctl_type:file getattr;
-+ rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
-+
-+ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
- ')
-
- ########################################
- ##
--## Allow caller to read all sysctls.
-+## Read and write RPC sysctls.
- ##
- ##
- ##
-@@ -2099,40 +2291,126 @@ interface(`kernel_dontaudit_list_all_sysctls',`
- ##
- ##
- #
--interface(`kernel_read_all_sysctls',`
-+interface(`kernel_create_rpc_sysctls',`
- gen_require(`
-- attribute sysctl_type;
-- type proc_t, proc_net_t;
-+ type proc_t, proc_net_t, sysctl_rpc_t;
- ')
-
-- # proc_net_t for /proc/net/rpc sysctls
-- read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
-+ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
-
-- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
- ')
-
- ########################################
- ##
--## Read and write all sysctls.
-+## Do not audit attempts to list all sysctl directories.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`kernel_rw_all_sysctls',`
-+interface(`kernel_dontaudit_list_all_sysctls',`
- gen_require(`
- attribute sysctl_type;
-- type proc_t, proc_net_t;
- ')
-
-- # proc_net_t for /proc/net/rpc sysctls
-- rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
-+ dontaudit $1 sysctl_type:dir list_dir_perms;
-+ dontaudit $1 sysctl_type:file read_file_perms;
-+')
-
-- allow $1 sysctl_type:dir list_dir_perms;
-- # why is setattr needed?
-+########################################
-+##
-+## Allow attempts to mounton all sysctl directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mounton_all_sysctls',`
-+ gen_require(`
-+ attribute sysctl_type;
-+ ')
-+
-+ allow $1 sysctl_type:dir mounton;
-+')
-+
-+########################################
-+##
-+## Allow attempts to mounton all filesystems used by ProtectKernelTunables systemd feature.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mounton_systemd_ProtectKernelTunables',`
-+ gen_require(`
-+ type sysctl_t;
-+ type sysctl_irq_t;
-+ type proc_t;
-+ type mtrr_device_t;
-+ type debugfs_t;
-+ type cgroup_t;
-+ ')
-+
-+ allow $1 sysctl_t:dir mounton;
-+ allow $1 sysctl_irq_t:dir mounton;
-+ allow $1 proc_t:dir mounton;
-+ allow $1 mtrr_device_t:dir mounton;
-+ allow $1 debugfs_t:dir mounton;
-+ allow $1 cgroup_t:dir mounton;
-+
-+')
-+
-+########################################
-+##
-+## Allow caller to read all sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_all_sysctls',`
-+ gen_require(`
-+ attribute sysctl_type;
-+ type proc_t, proc_net_t;
-+ ')
-+
-+ # proc_net_t for /proc/net/rpc sysctls
-+ read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
-+
-+ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
-+')
-+
-+########################################
-+##
-+## Read and write all sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_rw_all_sysctls',`
-+ gen_require(`
-+ attribute sysctl_type;
-+ type proc_t, proc_net_t;
-+ ')
-+
-+ # proc_net_t for /proc/net/rpc sysctls
-+ rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
-+
-+ allow $1 sysctl_type:dir list_dir_perms;
-+ # why is setattr needed?
- allow $1 sysctl_type:file setattr;
- ')
-
-@@ -2282,6 +2560,25 @@ interface(`kernel_list_unlabeled',`
-
- ########################################
- ##
-+## Delete unlabeled files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_delete_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir delete_dir_perms;
-+ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
- ## Read the process state (/proc/pid) of all unlabeled_t.
- ##
- ##
-@@ -2306,7 +2603,7 @@ interface(`kernel_read_unlabeled_state',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2488,6 +2785,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
-
- ########################################
- ##
-+## Read and write unlabeled sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_unlabeled_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:socket rw_socket_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts by caller to get attributes for
- ## unlabeled character devices.
- ##
-@@ -2525,6 +2840,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
-
- ########################################
- ##
-+## Allow caller to relabel unlabeled filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_relabelfrom_unlabeled_fs',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+##
- ## Allow caller to relabel unlabeled files.
- ##
- ##
-@@ -2667,6 +3000,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
-
- ########################################
- ##
-+## Receive DCCP packets from an unlabeled connection.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Receive TCP packets from an unlabeled connection.
- ##
- ##
-@@ -2694,6 +3045,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
-
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from an unlabeled
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ dontaudit $1 unlabeled_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from an unlabeled
- ## connection.
- ##
-@@ -2803,6 +3173,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
-
- allow $1 unlabeled_t:rawip_socket recvfrom;
- ')
-+########################################
-+##
-+## Read/Write Raw IP packets from an unlabeled connection.
-+##
-+##
-+##
-+## Receive Raw IP packets from an unlabeled connection.
-+##
-+##
-+## The corenetwork interface corenet_raw_recv_unlabeled() should
-+## be used instead of this one.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_unlabeled_rawip_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
-+')
-+
-
- ########################################
- ##
-@@ -2958,6 +3355,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
-
- ########################################
- ##
-+## Relabel to unlabeled context .
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_relabelto_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir_file_class_set relabelto;
-+')
-+
-+########################################
-+##
- ## Unconfined access to kernel module resources.
- ##
- ##
-@@ -2972,5 +3387,685 @@ interface(`kernel_unconfined',`
- ')
-
- typeattribute $1 kern_unconfined;
-- kernel_load_module($1)
-+ kernel_load_module($1)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to getattr on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_stream_read',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket { read getattr };
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to write on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_stream_write',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket { write getattr };
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to read/write on
-+## the kernel with a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_stream_socket_perms',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
-+ allow $1 kernel_t:fd use;
-+')
-+
-+########################################
-+##
-+## Make the specified type usable for regular entries in proc
-+##
-+##
-+##
-+## Type to be used for /proc entries.
-+##
-+##
-+#
-+interface(`kernel_proc_type',`
-+ gen_require(`
-+ attribute proc_type;
-+ ')
-+
-+ typeattribute $1 proc_type;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts by caller to get attributes on all sysctls.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_getattr_all_sysctls',`
-+ gen_require(`
-+ attribute sysctl_type;
-+ ')
-+
-+ dontaudit $1 sysctl_type:file getattr;
- ')
-+
-+########################################
-+##
-+## Read the process state (/proc/pid) of the kernel.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_state',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:dir search_dir_perms;
-+ allow $1 kernel_t:file read_file_perms;
-+ allow $1 kernel_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_read_state',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ dontaudit $1 kernel_t:dir search_dir_perms;
-+ dontaudit $1 kernel_t:file read_file_perms;
-+ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow searching of numa state directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_search_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ search_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the numa
-+## state directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`kernel_dontaudit_search_numa_state',`
-+ gen_require(`
-+ type proc_numa_t;
-+ ')
-+
-+ dontaudit $1 proc_numa_t:dir search;
-+')
-+
-+########################################
-+##
-+## Allow caller to read the numa state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read the numa state symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_numa_state_symlinks',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to write numa state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_write_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to search virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_search_vm_overcommit_sysctl',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_vm_overcommit_sysctls',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+')
-+
-+########################################
-+##
-+## Read and write virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_rw_vm_overcommit_sysctls',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the security
-+## state directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`kernel_dontaudit_search_security_state',`
-+ gen_require(`
-+ type proc_security_t;
-+ ')
-+
-+ dontaudit $1 proc_security_t:dir search;
-+')
-+
-+########################################
-+##
-+## Allow searching of security state directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_search_security_state',`
-+ gen_require(`
-+ type proc_security_t;
-+ ')
-+
-+ search_dirs_pattern($1, proc_t, proc_security_t)
-+')
-+
-+########################################
-+##
-+## Read the security state information.
-+##
-+##
-+##
-+## Allow the specified domain to read the security
-+## state information.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+#
-+interface(`kernel_read_security_state',`
-+ gen_require(`
-+ type proc_t, proc_security_t;
-+ attribute sysctl_type;
-+ ')
-+
-+ read_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
-+ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_security_t)
-+ allow $1 sysctl_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Write the security state information.
-+##
-+##
-+##
-+## Allow the specified domain to write the security
-+## state information.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+#
-+interface(`kernel_write_security_state',`
-+ gen_require(`
-+ type proc_t, proc_security_t;
-+ ')
-+
-+ write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read the security state symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_security_state_symlinks',`
-+ gen_require(`
-+ type proc_t, proc_security_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_security_t)
-+')
-+
-+########################################
-+##
-+## Access unlabeled infiniband pkeys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_ib_access_unlabeled_pkeys',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:infiniband_pkey access;
-+')
-+
-+########################################
-+##
-+## Manage subnet on unlabeled Infiniband endports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_ib_manage_subnet_unlabeled_endports',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
-+')
-+
-+########################################
-+##
-+## Allow caller to read the security state symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_security_state',`
-+ gen_require(`
-+ type proc_t, proc_security_t;
-+ ')
-+
-+ rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_security_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the usermodehelper
-+## state directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`kernel_dontaudit_search_usermodehelper_state',`
-+ gen_require(`
-+ type usermodehelper_t;
-+ ')
-+
-+ dontaudit $1 usermodehelper_t:dir search;
-+')
-+
-+########################################
-+##
-+## Allow searching of usermodehelper state directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_search_usermodehelper_state',`
-+ gen_require(`
-+ type usermodehelper_t;
-+ ')
-+
-+ search_dirs_pattern($1, proc_t, usermodehelper_t)
-+')
-+
-+########################################
-+##
-+## Read the usermodehelper state information.
-+##
-+##
-+##
-+## Allow the specified domain to read the usermodehelpering
-+## state information. This includes several pieces
-+## of usermodehelpering information, such as usermodehelper interface
-+## names, usermodehelperfilter (iptables) statistics, protocol
-+## information, routes, and remote procedure call (RPC)
-+## information.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+#
-+interface(`kernel_read_usermodehelper_state',`
-+ gen_require(`
-+ type proc_t, usermodehelper_t;
-+ ')
-+
-+ read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
-+ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
-+
-+ list_dirs_pattern($1, proc_t, usermodehelper_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read the usermodehelper state symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_usermodehelper_state_symlinks',`
-+ gen_require(`
-+ type proc_t, usermodehelper_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
-+
-+ list_dirs_pattern($1, proc_t, usermodehelper_t)
-+')
-+
-+########################################
-+##
-+## Read and write usermodehelper state
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_rw_usermodehelper_state',`
-+ gen_require(`
-+ type proc_t, usermodehelper_t;
-+ ')
-+
-+ dev_search_sysfs($1)
-+ rw_files_pattern($1, proc_t, usermodehelper_t)
-+ list_dirs_pattern($1, proc_t, usermodehelper_t)
-+')
-+
-+########################################
-+##
-+## Dontaudit write usermodehelper state
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`kernel_dontaudit_write_usermodehelper_state',`
-+ gen_require(`
-+ type usermodehelper_t;
-+ ')
-+
-+ dontaudit $1 usermodehelper_t:file write;
-+')
-+
-+########################################
-+##
-+## Relabel to usermodehelper context .
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_relabelto_usermodehelper',`
-+ gen_require(`
-+ type usermodehelper_t;
-+ ')
-+
-+ allow $1 usermodehelper_t:file relabelto;
-+')
-+
-+########################################
-+##
-+## Read netlink audit socket
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_netlink_audit_socket',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
-+')
-+
-+########################################
-+##
-+## Execute an unlabeled file in the specified domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`kernel_unlabeled_domtrans',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
-+ domain_transition_pattern($1, unlabeled_t, $2)
-+ type_transition $1 unlabeled_t:process $2;
-+')
-+
-+########################################
-+##
-+## Make general progams without labeles an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which unlabeled_t is an entrypoint.
-+##
-+##
-+#
-+interface(`kernel_unlabeled_entry_type',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ domain_entry_file($1, unlabeled_t)
-+')
-+
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c5e..4818adb52 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -25,6 +25,9 @@ attribute kern_unconfined;
- # regular entries in proc
- attribute proc_type;
-
-+# attribute for domains which read proc_t
-+attribute kernel_system_state_reader;
-+
- # sysctls
- attribute sysctl_type;
-
-@@ -48,6 +51,7 @@ ifdef(`enable_mls',`
- type kernel_t, can_load_kernmodule;
- domain_base_type(kernel_t)
- mls_rangetrans_source(kernel_t)
-+mls_trusted_object(kernel_t)
- role system_r types kernel_t;
- sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
-
-@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
- type debugfs_t;
- files_mountpoint(debugfs_t)
- fs_type(debugfs_t)
-+dev_associate_sysfs(debugfs_t)
-+
- allow debugfs_t self:filesystem associate;
- genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-
-@@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
- type proc_mdstat_t, proc_type;
- genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
-
-+type proc_numa_t, proc_type;
-+genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0)
-+mls_trusted_object(proc_numa_t)
-+
- type proc_net_t, proc_type;
- genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
-
-+type proc_security_t, proc_type;
-+genfscon proc /sys/fs/protected_hardlinks gen_context(system_u:object_r:proc_security_t,s0)
-+genfscon proc /sys/fs/protected_symlinks gen_context(system_u:object_r:proc_security_t,s0)
-+genfscon proc /sys/fs/suid_dumpable gen_context(system_u:object_r:proc_security_t,s0)
-+genfscon proc /sys/kernel/dmesg_restrict gen_context(system_u:object_r:proc_security_t,s0)
-+genfscon proc /sys/kernel/kptr_restrict gen_context(system_u:object_r:proc_security_t,s0)
-+genfscon proc /sys/kernel/modules_disabled gen_context(system_u:object_r:proc_security_t,s0)
-+genfscon proc /sys/kernel/randomize_va_space gen_context(system_u:object_r:proc_security_t,s0)
-+
-+type usermodehelper_t, proc_type, sysctl_type;
-+typealias usermodehelper_t alias sysctl_hotplug_t;
-+typealias usermodehelper_t alias sysctl_modprobe_t;
-+dev_associate_sysfs(usermodehelper_t)
-+genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0)
-+genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0)
-+genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0)
-+genfscon proc /sys/kernel/poweroff_cmd gen_context(system_u:object_r:usermodehelper_t,s0)
-+genfscon proc /sys/kernel/usermodehelper gen_context(system_u:object_r:usermodehelper_t,s0)
-+
- type proc_xen_t, proc_type;
- files_mountpoint(proc_xen_t)
- genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
-
- # /proc/irq directory and files
- type sysctl_irq_t, sysctl_type;
-+fs_associate_proc(sysctl_irq_t)
- genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
-
- # /proc/net/rpc directory and files
- type sysctl_rpc_t, sysctl_type;
-+fs_associate_proc(sysctl_rpc_t)
- genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
-
- # /proc/sys/crypto directory and files
-@@ -133,14 +164,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
- type sysctl_kernel_t, sysctl_type;
- genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
-
--# /proc/sys/kernel/modprobe file
--type sysctl_modprobe_t, sysctl_type;
--genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
--
--# /proc/sys/kernel/hotplug file
--type sysctl_hotplug_t, sysctl_type;
--genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
--
- # /proc/sys/net directory and files
- type sysctl_net_t, sysctl_type;
- genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -151,8 +174,13 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
-
- # /proc/sys/vm directory and files
- type sysctl_vm_t, sysctl_type;
-+fs_associate(sysctl_vm_t)
- genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
-
-+# /proc/sys/vm/overcommit_memory
-+type sysctl_vm_overcommit_t, sysctl_type;
-+genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
-+
- # /proc/sys/dev directory and files
- type sysctl_dev_t, sysctl_type;
- genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +193,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
- type unlabeled_t;
- fs_associate(unlabeled_t)
- sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-+allow unlabeled_t self:filesystem associate;
-+
-+# Need the following because we are type alias of file_t.
-+files_type(unlabeled_t)
-+kernel_rootfs_mountpoint(unlabeled_t)
-+sid file gen_context(system_u:object_r:unlabeled_t,s0)
-+typealias unlabeled_t alias file_t;
-+neverallow * unlabeled_t:file entrypoint;
-
- # These initial sids are no longer used, and can be removed:
- sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +225,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
- # kernel local policy
- #
-
-+allow kernel_t self:capability2 mac_admin;
- allow kernel_t self:capability ~sys_module;
- allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +270,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
- corenet_in_generic_if(unlabeled_t)
- corenet_in_generic_node(unlabeled_t)
-
--corenet_all_recvfrom_unlabeled(kernel_t)
- corenet_all_recvfrom_netlabel(kernel_t)
- # Kernel-generated traffic e.g., ICMP replies:
- corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +280,26 @@ corenet_tcp_sendrecv_all_if(kernel_t)
- corenet_tcp_sendrecv_all_nodes(kernel_t)
- corenet_raw_send_generic_node(kernel_t)
- corenet_send_all_packets(kernel_t)
-+corenet_filetrans_all_named_dev(kernel_t)
-+
-+corenet_ib_access_all_pkeys(kernel_t)
-+corenet_ib_access_unlabeled_pkeys(kernel_t)
-+corenet_ib_manage_subnet_all_endports(kernel_t)
-+corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
-
- dev_read_sysfs(kernel_t)
- dev_search_usbfs(kernel_t)
- # devtmpfs handling:
- dev_create_generic_dirs(kernel_t)
- dev_delete_generic_dirs(kernel_t)
--dev_create_generic_blk_files(kernel_t)
--dev_delete_generic_blk_files(kernel_t)
--dev_create_generic_chr_files(kernel_t)
--dev_delete_generic_chr_files(kernel_t)
-+dev_create_all_blk_files(kernel_t)
-+dev_delete_all_blk_files(kernel_t)
-+dev_create_all_chr_files(kernel_t)
-+dev_delete_all_chr_files(kernel_t)
- dev_mounton(kernel_t)
-+dev_filetrans_all_named_dev(kernel_t)
-+storage_filetrans_all_named_dev(kernel_t)
-+term_filetrans_all_named_dev(kernel_t)
-
- # Mount root file system. Used when loading a policy
- # from initrd, then mounting the root filesystem
-@@ -263,7 +308,8 @@ fs_unmount_all_fs(kernel_t)
-
- selinux_load_policy(kernel_t)
-
--term_use_console(kernel_t)
-+term_use_all_terms(kernel_t)
-+term_use_ptmx(kernel_t)
-
- corecmd_exec_shell(kernel_t)
- corecmd_list_bin(kernel_t)
-@@ -277,13 +323,23 @@ files_list_root(kernel_t)
- files_list_etc(kernel_t)
- files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
-+files_manage_mounttab(kernel_t)
-+files_manage_generic_spool_dirs(kernel_t)
-
- mcs_process_set_categories(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_socket_write_all_levels(kernel_t)
-
- mls_process_read_up(kernel_t)
- mls_process_write_down(kernel_t)
-+mls_file_downgrade(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_share_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
-+mls_process_set_level(kernel_t)
-
- ifdef(`distro_redhat',`
- # Bugzilla 222337
-@@ -291,11 +347,29 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ abrt_filetrans_named_content(kernel_t)
-+ abrt_dump_oops_domtrans(kernel_t)
-+')
-+
-+optional_policy(`
-+ apache_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
- hotplug_search_config(kernel_t)
- ')
-
- optional_policy(`
- init_sigchld(kernel_t)
-+ init_dyntrans(kernel_t)
- ')
-
- optional_policy(`
-@@ -305,6 +379,19 @@ optional_policy(`
-
- optional_policy(`
- logging_send_syslog_msg(kernel_t)
-+ logging_manage_generic_logs(kernel_t)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
- ')
-
- optional_policy(`
-@@ -312,6 +399,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ plymouthd_create_log(kernel_t)
-+ plymouthd_filetrans_named_content(kernel_t)
-+')
-+
-+optional_policy(`
- # nfs kernel server needs kernel UDP access. It is less risky and painful
- # to just give it everything.
- allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +424,6 @@ optional_policy(`
-
- sysnet_read_config(kernel_t)
-
-- rpc_manage_nfs_ro_content(kernel_t)
-- rpc_manage_nfs_rw_content(kernel_t)
-- rpc_tcp_rw_nfs_sockets(kernel_t)
- rpc_udp_rw_nfs_sockets(kernel_t)
-
- tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +432,7 @@ optional_policy(`
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
-
-- files_list_non_auth_dirs(kernel_t)
-- files_read_non_auth_files(kernel_t)
-- files_read_non_auth_symlinks(kernel_t)
-+ files_read_non_security_files(kernel_t)
- ')
-
- tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +441,7 @@ optional_policy(`
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
-
-- files_manage_non_auth_files(kernel_t)
-+ files_manage_non_security_files(kernel_t)
- ')
- ')
-
-@@ -364,9 +451,22 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_coredump_domtrans(kernel_t)
-+')
-+
-+optional_policy(`
- unconfined_domain_noaudit(kernel_t)
- ')
-
-+optional_policy(`
-+ virt_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ xserver_xdm_manage_spool(kernel_t)
-+ xserver_filetrans_home_content(kernel_t)
-+')
-+
- ########################################
- #
- # Unlabeled process local policy
-@@ -388,6 +488,8 @@ optional_policy(`
- if( ! secure_mode_insmod ) {
- allow can_load_kernmodule self:capability sys_module;
-
-+ files_load_kernel_modules(can_load_kernmodule)
-+
- # load_module() calls stop_machine() which
- # calls sched_setscheduler()
- allow can_load_kernmodule self:capability sys_nice;
-@@ -399,14 +501,38 @@ if( ! secure_mode_insmod ) {
- # Rules for unconfined acccess to this module
- #
-
--allow kern_unconfined proc_type:{ dir file lnk_file } *;
-+allow kern_unconfined proc_type:{ file } ~entrypoint;
-+allow kern_unconfined proc_type:{ dir lnk_file } *;
-
--allow kern_unconfined sysctl_type:{ dir file } *;
-+allow kern_unconfined sysctl_type:{ file } ~entrypoint;
-+allow kern_unconfined sysctl_type:{ dir lnk_file } *;
-
- allow kern_unconfined kernel_t:system *;
-
--allow kern_unconfined unlabeled_t:dir_file_class_set *;
-+allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
-+allow kern_unconfined unlabeled_t:file ~entrypoint;
- allow kern_unconfined unlabeled_t:filesystem *;
- allow kern_unconfined unlabeled_t:association *;
- allow kern_unconfined unlabeled_t:packet *;
--allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
-+
-+gen_require(`
-+ bool secure_mode_insmod;
-+')
-+
-+if( ! secure_mode_insmod ) {
-+ allow can_load_kernmodule self:capability sys_module;
-+ # load_module() calls stop_machine() which
-+ # calls sched_setscheduler()
-+ allow can_load_kernmodule self:capability sys_nice;
-+ kernel_setsched(can_load_kernmodule)
-+}
-+
-+#######################################
-+#
-+# Kernel system state reader policy
-+#
-+
-+read_files_pattern(kernel_system_state_reader, proc_t, proc_t)
-+read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
-+list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
-diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
-index b08a6e849..43d504b88 100644
---- a/policy/modules/kernel/mcs.if
-+++ b/policy/modules/kernel/mcs.if
-@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
- ##
- #
- interface(`mcs_file_read_all',`
-- gen_require(`
-- attribute mcsreadall;
-- ')
--
-- typeattribute $1 mcsreadall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
-
- ########################################
-@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
- ##
- #
- interface(`mcs_file_write_all',`
-- gen_require(`
-- attribute mcswriteall;
-- ')
--
-- typeattribute $1 mcswriteall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
-
- ########################################
-@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
- ##
- #
- interface(`mcs_killall',`
-- gen_require(`
-- attribute mcskillall;
-- ')
--
-- typeattribute $1 mcskillall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
-
- ########################################
-@@ -104,11 +92,7 @@ interface(`mcs_killall',`
- ##
- #
- interface(`mcs_ptrace_all',`
-- gen_require(`
-- attribute mcsptraceall;
-- ')
--
-- typeattribute $1 mcsptraceall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
-
- ########################################
-@@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',`
-
- typeattribute $1 mcssetcats;
- ')
-+
-+########################################
-+##
-+## Make specified domain MCS trusted
-+## for writing to sockets at any level.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`mcs_socket_write_all_levels',`
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
-+')
-diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
-index 2da98c257..31bed0a7c 100644
---- a/policy/modules/kernel/mcs.te
-+++ b/policy/modules/kernel/mcs.te
-@@ -11,3 +11,4 @@ attribute mcssetcats;
- attribute mcswriteall;
- attribute mcsreadall;
- attribute mcs_constrained_type;
-+attribute mcsnetwrite;
-diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
-index d178478da..42bf05bcd 100644
---- a/policy/modules/kernel/mls.if
-+++ b/policy/modules/kernel/mls.if
-@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
- ########################################
- ##
- ## Make specified domain MLS trusted
-+## for relabelto to files up to its clearance.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`mls_file_relabel_to_clearance',`
-+ gen_require(`
-+ attribute mlsfilerelabeltoclr;
-+ ')
-+
-+ typeattribute $1 mlsfilerelabeltoclr;
-+')
-+
-+########################################
-+##
-+## Make specified domain MLS trusted
- ## for writing to files at all levels. (Deprecated)
- ##
- ##
-diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
-index 8c7bd90d2..66ee5b9a1 100644
---- a/policy/modules/kernel/mls.te
-+++ b/policy/modules/kernel/mls.te
-@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
- attribute mlsfilewriteinrange;
- attribute mlsfileupgrade;
- attribute mlsfiledowngrade;
-+attribute mlsfilerelabeltoclr;
-
- attribute mlsnetread;
- attribute mlsnetreadtoclr;
-diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
-index 7be4ddf74..4d4c577ad 100644
---- a/policy/modules/kernel/selinux.fc
-+++ b/policy/modules/kernel/selinux.fc
-@@ -1 +1 @@
--# This module currently does not have any file contexts.
-+/selinux -l gen_context(system_u:object_r:security_t,s0)
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 6d0811da3..708f07490 100644
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
-
- # because of this statement, any module which
- # calls this interface must be in the base module:
-- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
-+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
- ')
-
- ########################################
-@@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',`
- type security_t;
- ')
-
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
-@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:filesystem getattr;
-
- # read /proc/filesystems to see if selinuxfs is supported
-@@ -109,6 +113,9 @@ interface(`selinux_mount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem mount;
- ')
-
-@@ -128,6 +135,9 @@ interface(`selinux_remount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem remount;
- ')
-
-@@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem unmount;
- ')
-
-@@ -164,6 +177,7 @@ interface(`selinux_getattr_fs',`
- type security_t;
- ')
-
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem getattr;
- ')
-
-@@ -221,7 +235,12 @@ interface(`selinux_search_fs',`
- ')
-
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir search_dir_perms;
-+
-+ optional_policy(`
-+ seutil_search_config($1)
-+ ')
- ')
-
- ########################################
-@@ -244,6 +263,28 @@ interface(`selinux_dontaudit_search_fs',`
-
- ########################################
- ##
-+## Mount on selinuxfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`selinux_mounton_fs',`
-+ gen_require(`
-+ type security_t;
-+ ')
-+
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
-+ allow $1 security_t:dir mounton;
-+')
-+
-+
-+########################################
-+##
- ## Do not audit attempts to read
- ## generic selinuxfs entries
- ##
-@@ -258,6 +299,7 @@ interface(`selinux_dontaudit_read_fs',`
- type security_t;
- ')
-
-+ selinux_dontaudit_getattr_fs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file read_file_perms;
- ')
-@@ -280,8 +322,10 @@ interface(`selinux_get_enforce_mode',`
- ')
-
- dev_search_sysfs($1)
-+ selinux_get_fs_mount($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -310,22 +354,12 @@ interface(`selinux_set_enforce_mode',`
- gen_require(`
- type security_t;
- attribute can_setenforce;
-- bool secure_mode_policyload;
- ')
-
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- typeattribute $1 can_setenforce;
--
-- if(!secure_mode_policyload) {
-- allow $1 security_t:security setenforce;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security setenforce;
-- ')
-- }
- ')
-
- ########################################
-@@ -342,22 +376,13 @@ interface(`selinux_load_policy',`
- gen_require(`
- type security_t;
- attribute can_load_policy;
-- bool secure_mode_policyload;
- ')
-
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- typeattribute $1 can_load_policy;
--
-- if(!secure_mode_policyload) {
-- allow $1 security_t:security load_policy;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security load_policy;
-- ')
-- }
- ')
-
- ########################################
-@@ -378,6 +403,7 @@ interface(`selinux_read_policy',`
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:security read_policy;
- ')
-
-@@ -438,19 +464,15 @@ interface(`selinux_set_boolean',`
- interface(`selinux_set_generic_booleans',`
- gen_require(`
- type security_t;
-+ attribute can_setbool;
- ')
-
-+ typeattribute $1 can_setbool;
- dev_search_sysfs($1)
--
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
-
-- allow $1 security_t:security setbool;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security setbool;
-- ')
- ')
-
- ########################################
-@@ -479,25 +501,16 @@ interface(`selinux_set_all_booleans',`
- gen_require(`
- type security_t, secure_mode_policyload_t;
- attribute boolean_type;
-- bool secure_mode_policyload;
-+ attribute can_setbool;
- ')
-
-+ typeattribute $1 can_setbool;
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
--
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
-- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
-- allow $1 secure_mode_policyload_t:file read_file_perms;
--
-- allow $1 security_t:security setbool;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security setbool;
-- ')
--
-- if(!secure_mode_policyload) {
-- allow $1 secure_mode_policyload_t:file write_file_perms;
-- }
-+ allow $1 boolean_type:dir list_dir_perms;
-+ allow $1 boolean_type:file rw_file_perms;
- ')
-
- ########################################
-@@ -528,7 +541,9 @@ interface(`selinux_set_parameters',`
- attribute can_setsecparam;
- ')
-
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security setsecparam;
-@@ -552,7 +567,9 @@ interface(`selinux_validate_context',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security check_context;
-@@ -595,7 +612,9 @@ interface(`selinux_compute_access_vector',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_av;
-@@ -617,7 +636,9 @@ interface(`selinux_compute_create_context',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_create;
-@@ -639,7 +660,9 @@ interface(`selinux_compute_member',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_member;
-@@ -669,7 +692,9 @@ interface(`selinux_compute_relabel_context',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_relabel;
-@@ -677,6 +702,29 @@ interface(`selinux_compute_relabel_context',`
-
- ########################################
- ##
-+## Allows caller to setcheckreqprot
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`selinux_setcheckreqprot',`
-+ gen_require(`
-+ type security_t;
-+ ')
-+
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
-+ allow $1 security_t:dir list_dir_perms;
-+ allow $1 security_t:file rw_file_perms;
-+ allow $1 security_t:security setcheckreqprot;
-+')
-+
-+########################################
-+##
- ## Allows caller to compute possible contexts for a user.
- ##
- ##
-@@ -690,7 +738,9 @@ interface(`selinux_compute_user_contexts',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
- dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_user;
-@@ -712,4 +762,28 @@ interface(`selinux_unconfined',`
- ')
-
- typeattribute $1 selinux_unconfined_type;
-+ selinux_set_all_booleans($1)
-+ selinux_load_policy($1)
-+ selinux_set_parameters($1)
-+ selinux_set_enforce_mode($1)
-+')
-+
-+########################################
-+##
-+## Generate a file context for a boolean type
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`selinux_genbool',`
-+ gen_require(`
-+ attribute boolean_type;
-+ ')
-+
-+ type $1, boolean_type;
-+ fs_type($1)
-+ mls_trusted_object($1)
- ')
-diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index e0a973ba1..7d3e431ee 100644
---- a/policy/modules/kernel/selinux.te
-+++ b/policy/modules/kernel/selinux.te
-@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
- attribute boolean_type;
- attribute can_load_policy;
- attribute can_setenforce;
-+attribute can_setbool;
- attribute can_setsecparam;
- attribute selinux_unconfined_type;
-
-@@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
- genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
- genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
-
--neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
--neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
--neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
-+neverallow ~{ can_load_policy } security_t:security load_policy;
-+neverallow ~{ can_setenforce } security_t:security setenforce;
-+neverallow ~{ can_setsecparam } security_t:security setsecparam;
-
- ########################################
- #
-@@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
- allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
-
- # Access the security API.
--allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
-+allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
-@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',`
- ')
-
- if(!secure_mode_policyload) {
-- allow selinux_unconfined_type security_t:security { load_policy setenforce };
-- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
-+ allow can_setenforce security_t:security setenforce;
-+ dev_getattr_sysfs_fs(can_setenforce)
-+ dev_search_sysfs(can_setenforce)
-+ allow can_setenforce security_t:dir list_dir_perms;
-+ allow can_setenforce security_t:file rw_file_perms;
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
-- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
-+ auditallow can_setenforce security_t:security setenforce;
-+ ')
-+
-+ allow can_load_policy security_t:security load_policy;
-+
-+ ifdef(`distro_rhel4',`
-+ # needed for systems without audit support
-+ auditallow can_load_policy security_t:security load_policy;
-+ ')
-+
-+ allow can_setbool boolean_type:security setbool;
-+
-+ ifdef(`distro_rhel4',`
-+ # needed for systems without audit support
-+ auditallow can_setbool boolean_type:security setbool;
- ')
- }
-diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f182702..6910c8869 100644
---- a/policy/modules/kernel/storage.fc
-+++ b/policy/modules/kernel/storage.fc
-@@ -7,6 +7,7 @@
- /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
- /dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
-+/dev/bcache[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
- /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -28,7 +29,8 @@
- /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
--/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
-+/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +53,8 @@ ifdef(`distro_redhat', `
- /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
--/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
-+/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
- /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
-
- /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
-+
-+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
-diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 64c4cd01c..52070af0b 100644
---- a/policy/modules/kernel/storage.if
-+++ b/policy/modules/kernel/storage.if
-@@ -22,6 +22,30 @@ interface(`storage_getattr_fixed_disk_dev',`
-
- ########################################
- ##
-+## Allow the caller to read/write inherited fixed disk
-+## device nodes.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
-+interface(`storage_rw_inherited_fixed_disk_dev',`
-+ gen_require(`
-+ type fixed_disk_device_t;
-+ attribute fixed_disk_raw_read;
-+ attribute fixed_disk_raw_write;
-+ ')
-+
-+ allow $1 fixed_disk_device_t:chr_file { read write };
-+ allow $1 fixed_disk_device_t:blk_file { read write };
-+ typeattribute $1 fixed_disk_raw_read;
-+ typeattribute $1 fixed_disk_raw_write;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts made by the caller to get
- ## the attributes of fixed disk device nodes.
- ##
-@@ -101,6 +125,8 @@ interface(`storage_raw_read_fixed_disk',`
- dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
- allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
-+ #577012
-+ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
- typeattribute $1 fixed_disk_raw_read;
- ')
-
-@@ -186,6 +212,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
- interface(`storage_raw_rw_fixed_disk',`
- storage_raw_read_fixed_disk($1)
- storage_raw_write_fixed_disk($1)
-+ dev_rw_generic_blk_files($1)
- ')
-
- ########################################
-@@ -205,6 +232,7 @@ interface(`storage_create_fixed_disk_dev',`
-
- allow $1 self:capability mknod;
- allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
-+ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
- dev_add_entry_generic_dirs($1)
- ')
-
-@@ -274,6 +302,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
- dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
- ')
-
-+#######################################
-+##
-+## Create block devices in /dev with the fixed disk type
-+## via an automatic type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`storage_dev_filetrans_named_fixed_disk',`
-+ gen_require(`
-+ type fixed_disk_device_t;
-+ ')
-+
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
-+')
-+
- ########################################
- ##
- ## Create block devices in on a tmpfs filesystem with the
-@@ -295,6 +365,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
-
- ########################################
- ##
-+## Create block devices in on a tmp filesystem with the
-+## fixed disk type via an automatic type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`storage_tmp_filetrans_fixed_disk',`
-+ gen_require(`
-+ type fixed_disk_device_t;
-+ ')
-+
-+ files_tmp_filetrans($1, fixed_disk_device_t, blk_file)
-+')
-+
-+########################################
-+##
- ## Relabel fixed disk device nodes.
- ##
- ##
-@@ -478,6 +567,35 @@ interface(`storage_write_scsi_generic',`
- typeattribute $1 scsi_generic_write;
- ')
-
-+
-+########################################
-+##
-+## Allow the caller to directly read and write, in a
-+## generic fashion, from any SCSI device.
-+## This is extremly dangerous as it can bypass the
-+## SELinux protections for filesystem objects, and
-+## should only be used by trusted domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`storage_rw_inherited_scsi_generic',`
-+ gen_require(`
-+ attribute scsi_generic_read;
-+ attribute scsi_generic_write;
-+ type scsi_generic_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms;
-+ allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;
-+ typeattribute $1 scsi_generic_write;
-+ typeattribute $1 scsi_generic_read;
-+')
-+
- ########################################
- ##
- ## Set attributes of the device nodes
-@@ -716,6 +834,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
- dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
- ')
-
-+#######################################
-+##
-+## Alow read and write inherited removable devices.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`storage_rw_inherited_removable_device',`
-+ gen_require(`
-+ type removable_device_t;
-+ ')
-+
-+ dontaudit $1 removable_device_t:blk_file { read write };
-+')
-+
- ########################################
- ##
- ## Allow the caller to directly read
-@@ -813,3 +949,452 @@ interface(`storage_unconfined',`
-
- typeattribute $1 storage_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Create all named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`storage_filetrans_all_named_dev',`
-+
-+ gen_require(`
-+ type tape_device_t;
-+ type fixed_disk_device_t;
-+ type removable_device_t;
-+ type scsi_generic_device_t;
-+ type fuse_device_t;
-+ ')
-+
-+ dev_filetrans($1, tape_device_t, chr_file, "ht00")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht01")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht02")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht03")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht04")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht05")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht06")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht07")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht08")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht09")
-+ dev_filetrans($1, tape_device_t, chr_file, "st00")
-+ dev_filetrans($1, tape_device_t, chr_file, "st01")
-+ dev_filetrans($1, tape_device_t, chr_file, "st02")
-+ dev_filetrans($1, tape_device_t, chr_file, "st03")
-+ dev_filetrans($1, tape_device_t, chr_file, "st04")
-+ dev_filetrans($1, tape_device_t, chr_file, "st05")
-+ dev_filetrans($1, tape_device_t, chr_file, "st06")
-+ dev_filetrans($1, tape_device_t, chr_file, "st07")
-+ dev_filetrans($1, tape_device_t, chr_file, "st08")
-+ dev_filetrans($1, tape_device_t, chr_file, "st09")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft0")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft1")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft2")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft3")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst00")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst01")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst02")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst03")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst04")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst05")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst06")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst07")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst08")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst09")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt0")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt1")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt2")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt3")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt4")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt5")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt6")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt7")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt8")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt9")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic9")
-+ dev_filetrans($1, removable_device_t, blk_file, "aztcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "bpcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu0")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu1")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu2")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu3")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu4")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu5")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu6")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu7")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu8")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu9")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm200")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm201")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm202")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm203")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm204")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm205")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm206")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm207")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm208")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm209")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")
-+ dev_filetrans($1, removable_device_t, blk_file, "gscd")
-+ dev_filetrans($1, removable_device_t, blk_file, "hitcd")
-+ dev_filetrans($1, tape_device_t, blk_file, "ht0")
-+ dev_filetrans($1, tape_device_t, blk_file, "ht1")
-+ dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
-+ dev_filetrans($1, removable_device_t, blk_file, "mcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "mcdx")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
-+ dev_filetrans($1, removable_device_t, blk_file, "optcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf0")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf1")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf2")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf3")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg0")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg1")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg2")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg3")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd0")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd1")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd2")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd3")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg0")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg1")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg2")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "root")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr0")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr1")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr2")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr3")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr4")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr5")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr6")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr7")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr8")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr9")
-+ dev_filetrans($1, removable_device_t, blk_file, "sjcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "sonycd")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape0")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape1")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape2")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape3")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape4")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape5")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape6")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape7")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape8")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape9")
-+ dev_filetrans($1, fuse_device_t, chr_file, "fuse")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
-+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
-+
-+')
-diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
-index 156c33310..02f5a3c91 100644
---- a/policy/modules/kernel/storage.te
-+++ b/policy/modules/kernel/storage.te
-@@ -57,3 +57,9 @@ dev_node(tape_device_t)
-
- allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
- allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
-+
-+# Since block devices are some times used before being labeled correctly
-+ifdef(`hide_broken_symptoms',`
-+ dev_read_generic_blk_files(fixed_disk_raw_read)
-+ dev_manage_generic_blk_files(fixed_disk_raw_write)
-+')
-diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 0ea25b653..37069ae93 100644
---- a/policy/modules/kernel/terminal.fc
-+++ b/policy/modules/kernel/terminal.fc
-@@ -14,12 +14,13 @@
- /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
--/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
- /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
-+/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
- /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
--/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
-+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
-+/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)
- /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
-
- /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
- # used by init scripts to initally populate udev /dev
- /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
- ')
-+
-+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-+
-+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index cbb729b66..ce0291ec6 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -124,7 +124,7 @@ interface(`term_user_tty',`
- type_change $1 ttynode:chr_file $2;
- ')
-
-- tunable_policy(`console_login',`
-+ tunable_policy(`login_console_enabled',`
- # When user logs in from /dev/console, relabel it
- # to user tty type as well.
- type_change $1 console_device_t:chr_file $2;
-@@ -133,6 +133,25 @@ interface(`term_user_tty',`
-
- ########################################
- ##
-+## Create the /dev/pts directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_create_pty_dir',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:dir create_dir_perms;
-+ dev_filetrans($1, devpts_t, dir, "devpts")
-+')
-+
-+########################################
-+##
- ## Create a pty in the /dev/pts directory.
- ##
- ##
-@@ -208,6 +227,27 @@ interface(`term_use_all_terms',`
-
- ########################################
- ##
-+## Read and write the inherited console, all inherited
-+## ttys and ptys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_terms',`
-+ gen_require(`
-+ attribute ttynode, ptynode;
-+ type console_device_t, devpts_t, tty_device_t;
-+ ')
-+
-+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
- ## Write to the console.
- ##
- ##
-@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`term_use_console',`
- gen_require(`
-@@ -299,9 +338,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- gen_require(`
- type console_device_t;
-+ type tty_device_t;
- ')
-
-- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+ init_dontaudit_use_fds($1)
-+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
-+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',`
-
- ########################################
- ##
-+## Mount a pty filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_mount_pty_fs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Unmount a pty filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_unmount_pty_fs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Relabel from and to pty filesystem.
- ##
- ##
-@@ -481,6 +559,24 @@ interface(`term_list_ptys',`
-
- ########################################
- ##
-+## Relabel the /dev/pts directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_relabel_ptys_dirs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read the
- ## /dev/pts directory.
- ##
-@@ -519,6 +615,23 @@ interface(`term_dontaudit_manage_pty_dirs',`
-
- ########################################
- ##
-+## Get the attributes of generic pty devices.
-+##
-+##
-+##
-+## Domain to allow
-+##
-+##
-+#
-+interface(`term_getattr_generic_ptys',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:chr_file getattr;
-+')
-+########################################
-+##
- ## Do not audit attempts to get the attributes
- ## of generic pty devices.
- ##
-@@ -620,7 +733,7 @@ interface(`term_use_generic_ptys',`
-
- ########################################
- ##
--## Dot not audit attempts to read and
-+## Do not audit attempts to read and
- ## write the generic pty type. This is
- ## generally only used in the targeted policy.
- ##
-@@ -635,6 +748,7 @@ interface(`term_dontaudit_use_generic_ptys',`
- type devpts_t;
- ')
-
-+ init_dontaudit_use_fds($1)
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
- ')
-
-@@ -879,6 +993,26 @@ interface(`term_use_all_ptys',`
-
- ########################################
- ##
-+## Read and write all inherited ptys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_ptys',`
-+ gen_require(`
-+ attribute ptynode;
-+ type devpts_t;
-+ ')
-+
-+ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or write any ptys.
- ##
- ##
-@@ -892,7 +1026,7 @@ interface(`term_dontaudit_use_all_ptys',`
- attribute ptynode;
- ')
-
-- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
-+ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
- ')
-
- ########################################
-@@ -912,7 +1046,7 @@ interface(`term_relabel_all_ptys',`
- ')
-
- dev_list_all_dev_nodes($1)
-- relabel_chr_files_pattern($1, devpts_t, ptynode)
-+ relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
- ')
-
- ########################################
-@@ -940,7 +1074,7 @@ interface(`term_getattr_all_user_ptys',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1067,6 +1201,28 @@ interface(`term_getattr_unallocated_ttys',`
-
- ########################################
- ##
-+## Allow open access for all unallocated
-+## tty device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_open_unallocated_ttys',`
-+ gen_require(`
-+ type tty_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 tty_device_t:chr_file open;
-+')
-+
-+
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes
- ## of all unallocated tty device nodes.
- ##
-@@ -1165,6 +1321,25 @@ interface(`term_relabel_unallocated_ttys',`
-
- ########################################
- ##
-+## Mounton unallocated tty device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_mounton_unallocated_ttys',`
-+ gen_require(`
-+ type tty_device_t;
-+ ')
-+
-+ allow $1 tty_device_t:chr_file mounton;
-+')
-+
-+########################################
-+##
- ## Relabel from all user tty types to
- ## the unallocated tty type.
- ##
-@@ -1259,7 +1434,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
- type tty_device_t;
- ')
-
-- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
-+ init_dontaudit_use_fds($1)
-+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write USB tty character
-+## device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_use_usb_ttys',`
-+ gen_require(`
-+ type usbtty_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
-+')
-+
-+#######################################
-+##
-+## Setattr on USB tty character
-+## device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_setattr_usb_ttys',`
-+ gen_require(`
-+ type usbtty_device_t;
-+ ')
-+
-+ allow $1 usbtty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -1275,11 +1490,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
- #
- interface(`term_getattr_all_ttys',`
- gen_require(`
-+ type tty_device_t;
- attribute ttynode;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file getattr;
-+ allow $1 tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -1296,10 +1513,12 @@ interface(`term_getattr_all_ttys',`
- interface(`term_dontaudit_getattr_all_ttys',`
- gen_require(`
- attribute ttynode;
-+ type tty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- dontaudit $1 ttynode:chr_file getattr;
-+ dontaudit $1 tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -1377,7 +1596,27 @@ interface(`term_use_all_ttys',`
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 ttynode:chr_file rw_chr_file_perms;
-+ allow $1 ttynode:chr_file rw_term_perms;
-+')
-+
-+########################################
-+##
-+## Read and write all inherited ttys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_ttys',`
-+ gen_require(`
-+ attribute ttynode;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 ttynode:chr_file rw_inherited_term_perms;
- ')
-
- ########################################
-@@ -1396,7 +1635,7 @@ interface(`term_dontaudit_use_all_ttys',`
- attribute ttynode;
- ')
-
-- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
-+ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -1504,7 +1743,7 @@ interface(`term_use_all_user_ttys',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1513,21 +1752,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
- term_dontaudit_use_all_ttys($1)
- ')
-
-+####################################
-+##
-+## Getattr on the virtio console.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_getattr_virtio_console',`
-+ gen_require(`
-+ type virtio_device_t;
-+ ')
-+
-+ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
-+')
-+
- #####################################
- ##
--## Read from and write virtio console.
-+## Read from and write to the virtio console.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
- interface(`term_use_virtio_console',`
-- gen_require(`
-- type virtio_device_t;
-- ')
--
-- dev_list_all_dev_nodes($1)
-- allow $1 virtio_device_t:chr_file rw_term_perms;
-+ gen_require(`
-+ type virtio_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Create all named term devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_filetrans_all_named_dev',`
-+
-+ gen_require(`
-+ type tty_device_t;
-+ type bsdpty_device_t;
-+ type console_device_t;
-+ type ptmx_t;
-+ type devtty_t;
-+ type virtio_device_t;
-+ type devpts_t;
-+ type usbtty_device_t;
-+ ')
-+
-+ dev_filetrans($1, devtty_t, chr_file, "tty")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty0")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty1")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty2")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty3")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty4")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty5")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty6")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty7")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty8")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty9")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty10")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty11")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty12")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty13")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty14")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty15")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty16")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty17")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty18")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty19")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty20")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty21")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty22")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty23")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty24")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty25")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty26")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty27")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty28")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty29")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty30")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty31")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty32")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty33")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty34")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty35")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty36")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty37")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty38")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty39")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty40")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty41")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty42")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty43")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty44")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty45")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty46")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty47")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty48")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty49")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty50")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty51")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty52")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty53")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty54")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty55")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty56")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty57")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty58")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty59")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty60")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty61")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty62")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty63")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty64")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty65")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty66")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty67")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty68")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty69")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty70")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty71")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty72")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty73")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty74")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty75")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty76")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty77")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty78")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty79")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty80")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty81")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty82")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty83")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty84")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty85")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty86")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty87")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty88")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty89")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty90")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty91")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty92")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty93")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty94")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty95")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty96")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty97")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty98")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty99")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty0")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty1")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty2")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty3")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty4")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty5")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty6")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty7")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty8")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty9")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty10")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty11")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty12")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty13")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty14")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty15")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty16")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty17")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty18")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty19")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty20")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty21")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty22")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty23")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty24")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty25")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty26")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty27")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty28")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty29")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty30")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty31")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty32")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty33")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty34")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty35")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty36")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty37")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty38")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty39")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty40")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty41")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty42")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty43")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty44")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty45")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty46")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty47")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty48")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty49")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty50")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty51")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty52")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty53")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty54")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty55")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty56")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty57")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty58")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty59")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty60")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty61")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty62")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty63")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty64")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty65")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty66")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty67")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty68")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty69")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty70")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty71")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty72")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty73")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty74")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty75")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty76")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty77")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty78")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty79")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty80")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty81")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty82")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty83")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty84")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty85")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty86")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty87")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty88")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty89")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty90")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty91")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty92")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty93")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty94")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty95")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty96")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty97")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty98")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty99")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb0")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb1")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb2")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb3")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb4")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb5")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb6")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb7")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb8")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb9")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi0")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi1")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi2")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi3")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi4")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi5")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi6")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi7")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi8")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi9")
-+ dev_filetrans($1, console_device_t, chr_file, "console")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu0")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu1")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu2")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu3")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu4")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu5")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu6")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu7")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu8")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu9")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsa")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsb")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsc")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsd")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcse")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc0")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc1")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc2")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc3")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc4")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc5")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc6")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc7")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc8")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc9")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn0")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn1")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn2")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn3")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn4")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn5")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn6")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn7")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn8")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn9")
-+ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
-+ dev_filetrans($1, ptmx_t, chr_file, "ptmx")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr0")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr1")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr2")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr3")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr4")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr5")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr6")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr7")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr8")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
-+ dev_filetrans($1, devpts_t, dir, "pts")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc0")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc1")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc2")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc3")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc4")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc5")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc6")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
- ')
-diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index 66e116a3f..a0a5d90fe 100644
---- a/policy/modules/kernel/terminal.te
-+++ b/policy/modules/kernel/terminal.te
-@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
- fs_associate_tmpfs(devpts_t)
- fs_type(devpts_t)
- fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
-+dev_associate(devpts_t)
-
- #
- # devtty_t is the type of /dev/tty.
-@@ -57,5 +58,8 @@ dev_node(tty_device_t)
- type usbtty_device_t, serial_device;
- dev_node(usbtty_device_t)
-
-+#
-+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
-+#
- type virtio_device_t, serial_device;
- dev_node(virtio_device_t)
-diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
-new file mode 100644
-index 000000000..f310b9d55
---- /dev/null
-+++ b/policy/modules/kernel/unlabelednet.fc
-@@ -0,0 +1 @@
-+# No unlabelednet file contexts.
-diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
-new file mode 100644
-index 000000000..0ce04703a
---- /dev/null
-+++ b/policy/modules/kernel/unlabelednet.if
-@@ -0,0 +1 @@
-+## Policy for allowing confined domains to use unlabeled_t packets
-diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
-new file mode 100644
-index 000000000..48caabc7e
---- /dev/null
-+++ b/policy/modules/kernel/unlabelednet.te
-@@ -0,0 +1,12 @@
-+policy_module(unlabelednet, 1.0.0)
-+
-+corenet_enable_unlabeled_packets()
-+
-+gen_require(`
-+ type unlabeled_t;
-+ attribute domain;
-+')
-+
-+# temporary hack until labeling on packets is supported
-+allow domain unlabeled_t:packet { send recv };
-+
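Review bot: The final rule of this new module, `allow domain unlabeled_t:packet { send recv };`, grants every domain in the policy send/recv on unlabeled packets unconditionally, with only a comment calling it a temporary hack. Because it hangs off the `domain` attribute rather than a tunable or a narrower attribute, it cannot be switched off on hosts that actually use SECMARK/labeled networking, where refusing unlabeled_t packets to confined daemons is the whole point of the labels. I would gate it, e.g. `gen_tunable(unlabelednet_allow_all, true)` in this file and `tunable_policy(`unlabelednet_allow_all',` allow domain unlabeled_t:packet { send recv }; `)`, and reword the comment to name which configurations still need it, since "until labeling on packets is supported" appears stale given that packet labeling exists in current kernels. This chunk only shows the copy of the patch being removed by the outer change; the point applies wherever the module now lives.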
-diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
-index 834a065de..404a5c677 100644
---- a/policy/modules/roles/auditadm.te
-+++ b/policy/modules/roles/auditadm.te
-@@ -7,14 +7,14 @@ policy_module(auditadm, 2.2.0)
-
- role auditadm_r;
- role system_r;
--userdom_unpriv_user_template(auditadm)
-+userdom_confined_admin_template(auditadm)
-
- ########################################
- #
- # Local policy
- #
-
--allow auditadm_t self:capability { dac_read_search dac_override };
-+allow auditadm_t self:capability { dac_read_search };
-
- kernel_read_ring_buffer(auditadm_t)
-
-@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
-
- domain_kill_all_domains(auditadm_t)
-
-+mls_file_read_all_levels(auditadm_t)
-+
-+selinux_read_policy(auditadm_t)
-+
- logging_send_syslog_msg(auditadm_t)
- logging_read_generic_logs(auditadm_t)
- logging_manage_audit_log(auditadm_t)
- logging_manage_audit_config(auditadm_t)
- logging_run_auditctl(auditadm_t, auditadm_r)
- logging_run_auditd(auditadm_t, auditadm_r)
-+logging_stream_connect_syslog(auditadm_t)
-
- seutil_run_runinit(auditadm_t, auditadm_r)
- seutil_read_bin_policy(auditadm_t)
-
-+userdom_dontaudit_search_admin_dir(auditadm_t)
-+
- optional_policy(`
- consoletype_exec(auditadm_t)
- ')
-diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
-index 3a45a3ef0..f31d79957 100644
---- a/policy/modules/roles/logadm.te
-+++ b/policy/modules/roles/logadm.te
-@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
-
- role logadm_r;
-
--userdom_base_user_template(logadm)
-+userdom_confined_admin_template(logadm)
-
- ########################################
- #
- # logadmin local policy
- #
-
--allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
--
-+allow logadm_t self:capability { dac_read_search kill sys_nice };
- logging_admin(logadm_t, logadm_r)
-diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da111206f..a5ac38465 100644
---- a/policy/modules/roles/secadm.te
-+++ b/policy/modules/roles/secadm.te
-@@ -7,19 +7,25 @@ policy_module(secadm, 2.4.0)
-
- role secadm_r;
-
--userdom_unpriv_user_template(secadm)
--userdom_security_admin_template(secadm_t, secadm_r)
-+userdom_confined_admin_template(secadm)
-+userdom_security_admin(secadm_t, secadm_r)
-+userdom_inherit_append_admin_home_files(secadm_t)
-+userdom_read_admin_home_files(secadm_t)
-+userdom_manage_tmp_role(secadm_r, secadm_t)
-
- ########################################
- #
- # Local policy
- #
-
--allow secadm_t self:capability { dac_read_search dac_override };
-+allow secadm_t self:capability { dac_read_search };
-+
-+kernel_read_system_state(secadm_t)
-
- corecmd_exec_shell(secadm_t)
-
- dev_relabel_all_dev_nodes(secadm_t)
-+dev_read_urand(secadm_t)
-
- domain_obj_id_change_exemption(secadm_t)
-
-@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
- mls_file_downgrade(secadm_t)
-
- auth_role(secadm_r, secadm_t)
--files_relabel_non_auth_files(secadm_t)
--auth_relabel_shadow(secadm_t)
-+files_relabel_all_files(secadm_t)
-
- init_exec(secadm_t)
-
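Review bot: `files_relabel_all_files(secadm_t)` on the new line widens secadm's relabel rights well beyond the two lines it replaces: `files_relabel_non_auth_files` deliberately excluded the auth-related file types and `auth_relabel_shadow` added back shadow alone, whereas the new interface covers every type carrying `file_type`, including whatever the non-auth attribute was excluding and any type added to `file_type` in future. Relabel is the primitive that moves a file into or out of a protected type, so this is effectively the power to reclassify any file on the system; that may be the intended semantics for this role, but it is not stated. I would either keep the previous pair of lines or add a comment above the new one such as `# secadm may relabel every file_type, including auth-related files; this is intentional`. The secadm_t local policy continues outside this hunk, so I cannot see whether a constraint elsewhere narrows it.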
-diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
-index 234a940f9..a92415a9d 100644
---- a/policy/modules/roles/staff.if
-+++ b/policy/modules/roles/staff.if
-@@ -1,4 +1,20 @@
--## Administrator's unprivileged user role
-+## Administrator's unprivileged user
-+
-+#####################################
-+##
-+## staff stub userdomain interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`staff_stub',`
-+ gen_require(`
-+ type staff_t;
-+ ')
-+')
-
- ########################################
- ##
-diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fca2..6773aa784 100644
---- a/policy/modules/roles/staff.te
-+++ b/policy/modules/roles/staff.te
-@@ -8,11 +8,75 @@ policy_module(staff, 2.4.0)
- role staff_r;
-
- userdom_unpriv_user_template(staff)
-+fs_exec_noxattr(staff_t)
-+
-+##
-+##
-+## allow staff user to create and transition to svirt domains.
-+##
-+##
-+gen_tunable(staff_use_svirt, false)
-
- ########################################
- #
- # Local policy
- #
-+corenet_ib_access_unlabeled_pkeys(staff_t)
-+
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
-+kernel_read_fs_sysctls(staff_t)
-+kernel_read_numa_state(staff_t)
-+kernel_write_numa_state(staff_t)
-+
-+fs_read_hugetlbfs_files(staff_t)
-+files_dontaudit_read_all_symlinks(staff_t)
-+fs_read_tmpfs_files(staff_t)
-+
-+dev_read_cpuid(staff_t)
-+dev_read_kmsg(staff_t)
-+dev_map_video_dev(staff_t)
-+
-+domain_read_all_domains_state(staff_t)
-+domain_getcap_all_domains(staff_t)
-+domain_getsched_all_domains(staff_t)
-+domain_getattr_all_domains(staff_t)
-+domain_obj_id_change_exemption(staff_t)
-+
-+files_read_kernel_modules(staff_t)
-+
-+seutil_read_module_store(staff_t)
-+seutil_run_newrole(staff_t, staff_r)
-+seutil_dbus_chat_semanage(staff_t)
-+seutil_read_login_config(staff_t)
-+
-+storage_read_scsi_generic(staff_t)
-+storage_write_scsi_generic(staff_t)
-+
-+term_use_unallocated_ttys(staff_t)
-+
-+auth_domtrans_pam_console(staff_t)
-+
-+init_dbus_chat(staff_t)
-+init_dbus_chat_script(staff_t)
-+init_status(staff_t)
-+
-+miscfiles_read_hwdata(staff_t)
-+miscfiles_map_generic_certs(staff_t)
-+
-+ifndef(`enable_mls',`
-+ selinux_read_policy(staff_t)
-+')
-+
-+optional_policy(`
-+ abrt_read_cache(staff_t)
-+')
-+
-+optional_policy(`
-+ accountsd_read_lib_files(staff_t)
-+')
-
- optional_policy(`
- apache_role(staff_r, staff_t)
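Review bot: `storage_write_scsi_generic(staff_t)` in the storage lines of this hunk gives the unprivileged staff domain write access to the SCSI generic device nodes, and it is unconditional rather than behind a boolean. Write on /dev/sg* lets a process issue raw SCSI commands, including writes, to any attached disk that DAC lets it open (typically root/disk members, but the policy should not rely on that), which sidesteps the fixed-disk confinement the rest of the policy keeps for staff; `fs_exec_noxattr(staff_t)` directly under the template call is similar in spirit, letting staff execute binaries from filesystems that carry no labels. Both are the kind of grant this file otherwise puts behind a tunable (compare `staff_use_svirt` declared in the same hunk), so I would declare `gen_tunable(staff_write_scsi_generic, false)` and wrap the call in `tunable_policy(`staff_write_scsi_generic',` ... `)`, and do the same for the noxattr exec. If they must stay unconditional, a comment stating why staff needs raw SCSI write is the minimum. The staff_t policy continues in later hunks of this file.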
-@@ -23,11 +87,132 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ blueman_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ kdumpgui_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ bluetooth_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ chrome_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ colord_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
- dbadm_role_change(staff_r)
- ')
-
- optional_policy(`
-- git_role(staff_r, staff_t)
-+ container_stream_connect(staff_t)
-+ container_runtime_exec(staff_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_stream_connect(staff_t)
-+ dirsrv_manage_log(staff_t)
-+ dirsrv_manage_var_lib(staff_t)
-+ dirsrv_manage_var_run(staff_t)
-+ dirsrv_manage_config(staff_t)
-+')
-+
-+optional_policy(`
-+ dnsmasq_read_pid_files(staff_t)
-+')
-+
-+optional_policy(`
-+ dmesg_exec(staff_t)
-+')
-+
-+optional_policy(`
-+ firewalld_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ firewallgui_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ freqset_run(staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+ fwupd_dbus_chat(staff_t)
-+ fwupd_read_cache_files(staff_t)
-+')
-+
-+optional_policy(`
-+ irc_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ journalctl_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ kerneloops_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ logadm_role_change(staff_r)
-+')
-+
-+optional_policy(`
-+ lpd_list_spool(staff_t)
-+')
-+
-+optional_policy(`
-+ mandb_map_cache_files(staff_t)
-+')
-+
-+optional_policy(`
-+ mock_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ mozilla_run_plugin(staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+ modutils_read_module_config(staff_t)
-+ modutils_read_module_deps(staff_t)
-+')
-+
-+optional_policy(`
-+ netutils_run_ping(staff_t, staff_r)
-+ netutils_run_traceroute(staff_t, staff_r)
-+ netutils_signal_ping(staff_t)
-+ netutils_kill_ping(staff_t)
-+')
-+
-+optional_policy(`
-+ oident_manage_user_content(staff_t)
-+ oident_relabel_user_content(staff_t)
-+')
-+
-+optional_policy(`
-+ mta_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ mysql_exec(staff_t)
-+')
-+
-+optional_policy(`
-+ polipo_role(staff_r, staff_t)
-+ polipo_named_filetrans_cache_home_dirs(staff_t)
-+ polipo_named_filetrans_config_home_files(staff_t)
-+')
-+
-+optional_policy(`
-+ openvpn_exec(staff_t)
- ')
-
- optional_policy(`
-@@ -35,20 +220,74 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rtkit_scheduled(staff_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ rwho_read_spool_files(staff_t)
-+')
-+
-+optional_policy(`
- secadm_role_change(staff_r)
- ')
-
- optional_policy(`
-- ssh_role_template(staff, staff_r, staff_t)
-+ sandbox_transition(staff_t, staff_r)
- ')
-
- optional_policy(`
-- sudo_role_template(staff, staff_r, staff_t)
-+ sandbox_x_transition(staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+ screen_role_template(staff, staff_r, staff_t)
- ')
-
- optional_policy(`
- sysadm_role_change(staff_r)
- userdom_dontaudit_use_user_terminals(staff_t)
-+ userdom_dontaudit_read_admin_home_files(staff_t)
-+')
-+
-+optional_policy(`
-+ systemd_read_unit_files(staff_t)
-+ systemd_exec_systemctl(staff_t)
-+')
-+
-+optional_policy(`
-+ setroubleshoot_stream_connect(staff_t)
-+ setroubleshoot_dbus_chat(staff_t)
-+ setroubleshoot_dbus_chat_fixit(staff_t)
-+')
-+
-+optional_policy(`
-+ ssh_role_template(staff, staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ sudo_role_template(staff, staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ userhelper_console_role_template(staff, staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ unconfined_role_change(staff_r)
-+')
-+
-+optional_policy(`
-+ usbmuxd_stream_connect(staff_t)
-+')
-+
-+optional_policy(`
-+ virt_getattr_exec(staff_t)
-+ virt_search_images(staff_t)
-+ virt_stream_connect(staff_t)
- ')
-
- optional_policy(`
-@@ -56,7 +295,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-- xserver_role(staff_r, staff_t)
-+ vmtools_run_helper(staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+ vnstatd_read_lib_files(staff_t)
-+')
-+
-+optional_policy(`
-+ webadm_role_change(staff_r)
-+')
-+
-+optional_policy(`
-+ xserver_read_log(staff_t)
-+ xserver_run(staff_t, staff_r)
- ')
-
- ifndef(`distro_redhat',`
-@@ -65,10 +317,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- bluetooth_role(staff_r, staff_t)
-- ')
--
-- optional_policy(`
- cdrecord_role(staff_r, staff_t)
- ')
-
-@@ -78,10 +326,6 @@ ifndef(`distro_redhat',`
-
- optional_policy(`
- dbus_role_template(staff, staff_r, staff_t)
--
-- optional_policy(`
-- gnome_role_template(staff, staff_r, staff_t)
-- ')
- ')
-
- optional_policy(`
-@@ -101,10 +345,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- irc_role(staff_r, staff_t)
-- ')
--
-- optional_policy(`
- java_role(staff_r, staff_t)
- ')
-
-@@ -125,10 +365,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- mta_role(staff_r, staff_t)
-- ')
--
-- optional_policy(`
- pyzor_role(staff_r, staff_t)
- ')
-
-@@ -141,10 +377,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- screen_role_template(staff, staff_r, staff_t)
-- ')
--
-- optional_policy(`
- spamassassin_role(staff_r, staff_t)
- ')
-
-@@ -176,3 +408,24 @@ ifndef(`distro_redhat',`
- wireshark_role(staff_r, staff_t)
- ')
- ')
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ userdom_execmod_user_home_files(staff_t)
-+')
-+
-+optional_policy(`
-+ virt_transition_svirt(staff_t, staff_r)
-+ virt_filetrans_home_content(staff_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`staff_use_svirt',`
-+ allow staff_t self:fifo_file relabelfrom;
-+ dev_rw_kvm(staff_t)
-+ virt_manage_images(staff_t)
-+ virt_stream_connect_svirt(staff_t)
-+ virt_systemctl(staff_t)
-+ virt_rw_stream_sockets_svirt(staff_t)
-+ virt_exec(staff_t)
-+ ')
-+')
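Review bot: `virt_transition_svirt(staff_t, staff_r)` and `virt_filetrans_home_content(staff_t)` sit in an unconditional optional_policy block, while the `staff_use_svirt` tunable declared earlier in this file is described as "allow staff user to create and transition to svirt domains". As written the transition is always permitted and the boolean only controls the kvm, image and socket access around it, so a staff user on a host with the boolean off can still enter the svirt domain, which is not what the description promises. Either move the two calls inside the `tunable_policy(`staff_use_svirt',` block below, or change the tunable description to say it governs image and kvm access only. The rest of the staff_t policy is in earlier hunks of this file.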
-diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
-index ff9243078..36740eab3 100644
---- a/policy/modules/roles/sysadm.if
-+++ b/policy/modules/roles/sysadm.if
-@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',`
- allow sysadm_t $1:process sigchld;
- ')
-
-+#######################################
-+##
-+## sysadm stub interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sysadm_stub',`
-+ gen_require(`
-+ type sysadm_t;
-+ role sysadm_r;
-+ ')
-+')
-+
- ########################################
- ##
- ## Execute a generic bin program in the sysadm domain.
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6c0..b1c6b714d 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1)
- # Declarations
- #
-
--##
--##
--## Allow sysadm to debug or ptrace all processes.
--##
--##
--gen_tunable(allow_ptrace, false)
--
- role sysadm_r;
-
- userdom_admin_user_template(sysadm)
-+allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-
--ifndef(`enable_mls',`
-- userdom_security_admin_template(sysadm_t, sysadm_r)
--')
-
- ########################################
- #
- # Local policy
- #
-+kernel_read_fs_sysctls(sysadm_t)
-+kernel_read_all_proc(sysadm_t)
-
- corecmd_exec_shell(sysadm_t)
-
-+dev_filetrans_all_named_dev(sysadm_t)
-+
-+domain_dontaudit_read_all_domains_state(sysadm_t)
-+
-+files_read_kernel_modules(sysadm_t)
-+files_filetrans_named_content(sysadm_t)
-+files_status_etc(sysadm_t)
-+
-+fs_mount_fusefs(sysadm_t)
-+
-+storage_filetrans_all_named_dev(sysadm_t)
-+
-+term_filetrans_all_named_dev(sysadm_t)
-+
- mls_process_read_up(sysadm_t)
-+mls_file_read_all_levels(sysadm_t)
-+mls_file_write_all_levels(sysadm_t)
-+mls_file_read_to_clearance(sysadm_t)
-+mls_process_write_to_clearance(sysadm_t)
-+
-+storage_setattr_fixed_disk_dev(sysadm_t)
-
- ubac_process_exempt(sysadm_t)
- ubac_file_exempt(sysadm_t)
- ubac_fd_exempt(sysadm_t)
-
-+application_exec(sysadm_t)
-+
-+init_filetrans_named_content(sysadm_t)
-+init_disable_services(sysadm_t)
-+init_enable_services(sysadm_t)
-+init_reload_services(sysadm_t)
- init_exec(sysadm_t)
-+init_exec_script_files(sysadm_t)
-+init_dbus_chat(sysadm_t)
-+init_script_role_transition(sysadm_r)
-+init_status(sysadm_t)
-+init_reboot(sysadm_t)
-+init_halt(sysadm_t)
-+init_undefined(sysadm_t)
-+
-+logging_filetrans_named_content(sysadm_t)
-+logging_map_audit_config(sysadm_t)
-+logging_map_audit_log(sysadm_t)
-+
-+miscfiles_filetrans_named_content(sysadm_t)
-+miscfiles_read_hwdata(sysadm_t)
-+
-+sysnet_filetrans_named_content(sysadm_t)
-
- # Add/remove user home directories
-+userdom_manage_user_tmp_chr_files(sysadm_t)
- userdom_manage_user_home_dirs(sysadm_t)
- userdom_home_filetrans_user_home_dir(sysadm_t)
-+userdom_manage_tmp_role(sysadm_r, sysadm_t)
-+userdom_exec_admin_home_files(sysadm_t)
-+
-+corenet_ib_access_unlabeled_pkeys(sysadm_t)
-+corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
-+
-+optional_policy(`
-+ abrt_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ alsa_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ container_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_domtrans(sysadm_t)
-+ dirsrv_stream_connect(sysadm_t)
-+ dirsrv_manage_log(sysadm_t)
-+ dirsrv_manage_var_lib(sysadm_t)
-+ dirsrv_manage_var_run(sysadm_t)
-+ dirsrv_manage_config(sysadm_t)
-+ dirsrv_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(sysadm_t)
-+ ssh_filetrans_keys(sysadm_t)
-+')
-
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
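Review bot: `mls_file_read_all_levels(sysadm_t)` and `mls_file_write_all_levels(sysadm_t)`, together with `mls_process_write_to_clearance(sysadm_t)` in the middle of this hunk, make sysadm_t an MLS-trusted subject for file access in both directions, which on an MLS build collapses the sysadm/secadm/auditadm separation the role modules are otherwise building; the same hunk removes the `ifndef(`enable_mls'` guard that used to confine the security_admin template to non-MLS builds. Read-up plus write-down at all levels is the definition of an MLS override, so these lines should either live under `ifndef(`enable_mls',`` like the rules they replace, or carry a comment naming the deployment model that trusts sysadm this far, e.g. `# sysadm is an MLS-trusted subject in this policy; secadm/auditadm are not the sole override roles`. The sysadm_t local policy continues in later hunks of this file.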
-@@ -55,13 +123,7 @@ ifdef(`distro_gentoo',`
- init_exec_rc(sysadm_t)
- ')
-
--ifndef(`enable_mls',`
-- logging_manage_audit_log(sysadm_t)
-- logging_manage_audit_config(sysadm_t)
-- logging_run_auditctl(sysadm_t, sysadm_r)
--')
--
--tunable_policy(`allow_ptrace',`
-+tunable_policy(`deny_ptrace',`',`
- domain_ptrace_all_domains(sysadm_t)
- ')
-
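Review bot: `tunable_policy(`deny_ptrace',`',`` with `domain_ptrace_all_domains(sysadm_t)` in the else branch inverts the previous default: the old `allow_ptrace` boolean, removed earlier in this file with a default of false, had to be switched on, whereas now sysadm_t may ptrace every domain unless `deny_ptrace` is explicitly set, and that tunable is declared outside this hunk so its default is not visible here. ptrace across domain boundaries lets sysadm read the memory of, and inject code into, any confined daemon including ones holding keys or credentials, so a default of "allowed" quietly removes the separation the confined-admin split is meant to provide. If the flip is intended, the empty first branch should carry a comment making the inverted logic obvious, e.g. `# ptrace of all domains is on unless deny_ptrace is set; this inverts the refpolicy default`, and the deny_ptrace declaration should be checked to confirm it really defaults to false.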
-@@ -71,9 +133,9 @@ optional_policy(`
-
- optional_policy(`
- apache_run_helper(sysadm_t, sysadm_r)
-+ apache_filetrans_named_content(sysadm_t)
- #apache_run_all_scripts(sysadm_t, sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
-- apache_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-@@ -87,6 +149,7 @@ optional_policy(`
-
- optional_policy(`
- asterisk_stream_connect(sysadm_t)
-+ asterisk_exec(sysadm_t)
- ')
-
- optional_policy(`
-@@ -110,11 +173,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ certmonger_dbus_chat(sysadm_t)
-+')
-+
-+optional_policy(`
- certwatch_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
- clock_run(sysadm_t, sysadm_r)
-+ clock_manage_adjtime(sysadm_t)
-+ clock_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-@@ -122,11 +191,27 @@ optional_policy(`
- ')
-
- optional_policy(`
-- consoletype_run(sysadm_t, sysadm_r)
-+ cron_admin_role(sysadm_r, sysadm_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(sysadm_t)
- ')
-
- optional_policy(`
-- cvs_exec(sysadm_t)
-+ daemonstools_run_start(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
-+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
-+
-+ dontaudit sysadm_dbusd_t self:capability net_admin;
-+
-+ optional_policy(`
-+ systemd_dbus_chat_timedated(sysadm_t)
-+ systemd_dbus_chat_hostnamed(sysadm_t)
-+ systemd_dbus_chat_localed(sysadm_t)
-+ ')
- ')
-
- optional_policy(`
-@@ -140,6 +225,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ devicekit_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
- dmesg_exec(sysadm_t)
- ')
-
-@@ -156,6 +245,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ firewalld_dbus_chat(sysadm_t)
-+')
-+
-+optional_policy(`
- fstools_run(sysadm_t, sysadm_r)
- ')
-
-@@ -164,6 +257,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ hwloc_admin(sysadm_t)
-+ hwloc_run_dhwd(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
- hadoop_role(sysadm_r, sysadm_t)
- ')
-
-@@ -172,13 +270,31 @@ optional_policy(`
- # at things (e.g., ipsec auto --status)
- # probably should create an ipsec_admin role for this kind of thing
- ipsec_exec_mgmt(sysadm_t)
-+ ipsec_read_pid(sysadm_t)
- ipsec_stream_connect(sysadm_t)
- # for lsof
- ipsec_getattr_key_sockets(sysadm_t)
-+ ipsec_run_setkey(sysadm_t, sysadm_r)
-+ ipsec_run_racoon(sysadm_t, sysadm_r)
-+ ipsec_stream_connect_racoon(sysadm_t)
-+
-+ optional_policy(`
-+ ipsec_mgmt_dbus_chat(sysadm_t)
-+ ')
- ')
-
- optional_policy(`
- iptables_run(sysadm_t, sysadm_r)
-+ iptables_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ irc_role(sysadm_r, sysadm_t)
-+')
-+
-+optional_policy(`
-+ kerberos_exec_kadmind(sysadm_t)
-+ kerberos_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-@@ -190,11 +306,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-- lockdev_role(sysadm_r, sysadm_t)
-+ logrotate_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- logrotate_run(sysadm_t, sysadm_r)
-+ corenet_tcp_bind_ldap_port(sysadm_t)
-+ ldap_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -210,22 +327,21 @@ optional_policy(`
- modutils_run_depmod(sysadm_t, sysadm_r)
- modutils_run_insmod(sysadm_t, sysadm_r)
- modutils_run_update_mods(sysadm_t, sysadm_r)
-+ modutils_read_module_deps(sysadm_t)
-+ modules_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
- mount_run(sysadm_t, sysadm_r)
--')
--
--optional_policy(`
-- mozilla_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
-- mplayer_role(sysadm_r, sysadm_t)
-+ mount_run_showmount(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
- mta_role(sysadm_r, sysadm_t)
-+ # this is defined in userdom_common_user_template
-+ #mta_filetrans_home_content(sysadm_t)
-+ mta_filetrans_admin_home_content(sysadm_t)
-+ mta_rw_aliases(sysadm_t)
- ')
-
- optional_policy(`
-@@ -237,14 +353,32 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ncftool_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
- netutils_run(sysadm_t, sysadm_r)
- netutils_run_ping(sysadm_t, sysadm_r)
- netutils_run_traceroute(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-+ networkmanager_filetrans_named_content(sysadm_t)
-+ networkmanager_stream_connect(sysadm_t)
-+')
-+
-+optional_policy(`
- ntp_stub()
- corenet_udp_bind_ntp_port(sysadm_t)
-+ ntp_admin(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
-+ nx_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ oddjob_dbus_chat(sysadm_t)
- ')
-
- optional_policy(`
-@@ -252,10 +386,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ openvpn_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
- pcmcia_run_cardctl(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-+ polipo_role(sysadm_r, sysadm_t)
-+ polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
-+ polipo_named_filetrans_admin_config_home_files(sysadm_t)
-+')
-+
-+optional_policy(`
- portage_run(sysadm_t, sysadm_r)
- portage_run_fetch(sysadm_t, sysadm_r)
- portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +410,47 @@ optional_policy(`
- ')
-
- optional_policy(`
-- pyzor_role(sysadm_r, sysadm_t)
-+ postfix_admin(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- quota_run(sysadm_t, sysadm_r)
-+ postgresql_admin(sysadm_t, sysadm_r)
-+ postgresql_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- raid_run_mdadm(sysadm_r, sysadm_t)
-+ journalctl_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-- razor_role(sysadm_r, sysadm_t)
-+ prelink_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- rpc_domtrans_nfsd(sysadm_t)
-+ puppet_run_puppetca(sysadm_t, sysadm_r)
-+ puppet_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- rpm_run(sysadm_t, sysadm_r)
-+ quota_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-- rssh_role(sysadm_r, sysadm_t)
-+ raid_domtrans_mdadm(sysadm_t)
-+')
-+
-+optional_policy(`
-+ rpc_domtrans_nfsd(sysadm_t)
-+')
-+
-+optional_policy(`
-+ rpm_run(sysadm_t, sysadm_r)
-+ rpm_dbus_chat(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
- rsync_exec(sysadm_t)
-+ rsync_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-@@ -308,6 +464,7 @@ optional_policy(`
-
- optional_policy(`
- screen_role_template(sysadm, sysadm_r, sysadm_t)
-+ allow sysadm_screen_t self:capability { dac_read_search };
- ')
-
- optional_policy(`
-@@ -315,12 +472,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ setroubleshoot_stream_connect(sysadm_t)
-+ setroubleshoot_dbus_chat(sysadm_t)
-+ setroubleshoot_dbus_chat_fixit(sysadm_t)
-+')
-+
-+optional_policy(`
- seutil_run_setfiles(sysadm_t, sysadm_r)
- seutil_run_runinit(sysadm_t, sysadm_r)
-+ seutil_dbus_chat_semanage(sysadm_t)
-+ seutil_read_login_config(sysadm_t)
- ')
-
- optional_policy(`
-- spamassassin_role(sysadm_r, sysadm_t)
-+ shutdown_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -345,30 +510,38 @@ optional_policy(`
- ')
-
- optional_policy(`
-- thunderbird_role(sysadm_r, sysadm_t)
-+ systemd_passwd_agent_run(sysadm_t, sysadm_r)
-+ systemd_config_all_services(sysadm_t)
-+ systemd_manage_all_unit_files(sysadm_t)
-+ systemd_manage_all_unit_lnk_files(sysadm_t)
-+ systemd_login_status(sysadm_t)
-+ systemd_login_reboot(sysadm_t)
-+ systemd_login_halt(sysadm_t)
-+ systemd_login_undefined(sysadm_t)
-+ systemd_tmpfiles_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- tripwire_run_siggen(sysadm_t, sysadm_r)
-- tripwire_run_tripwire(sysadm_t, sysadm_r)
-- tripwire_run_twadmin(sysadm_t, sysadm_r)
-- tripwire_run_twprint(sysadm_t, sysadm_r)
-+ systemd_exec_sysctl(sysadm_t)
- ')
-
- optional_policy(`
-- tvtime_role(sysadm_r, sysadm_t)
-+ tftp_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-- tzdata_domtrans(sysadm_t)
-+ tripwire_run_siggen(sysadm_t, sysadm_r)
-+ tripwire_run_tripwire(sysadm_t, sysadm_r)
-+ tripwire_run_twadmin(sysadm_t, sysadm_r)
-+ tripwire_run_twprint(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- uml_role(sysadm_r, sysadm_t)
-+ tzdata_domtrans(sysadm_t)
- ')
-
- optional_policy(`
-- unconfined_domtrans(sysadm_t)
-+ udev_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -380,10 +553,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- usermanage_run_admin_passwd(sysadm_t, sysadm_r)
- usermanage_run_groupadd(sysadm_t, sysadm_r)
- usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +560,9 @@ optional_policy(`
-
- optional_policy(`
- virt_stream_connect(sysadm_t)
-+ virt_filetrans_home_content(sysadm_t)
-+ virt_manage_pid_dirs(sysadm_t)
-+ virt_transition_svirt_sandbox(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -398,31 +570,34 @@ optional_policy(`
- ')
-
- optional_policy(`
-- vpn_run(sysadm_t, sysadm_r)
-+ vlock_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- webalizer_run(sysadm_t, sysadm_r)
-+ vpn_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- wireshark_role(sysadm_r, sysadm_t)
-+ webalizer_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- vlock_run(sysadm_t, sysadm_r)
-+ xserver_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-- xserver_role(sysadm_r, sysadm_t)
-+ yam_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- yam_run(sysadm_t, sysadm_r)
-+ zebra_stream_connect(sysadm_t)
- ')
-
- ifndef(`distro_redhat',`
- optional_policy(`
-+ apache_role(sysadm_r, sysadm_t)
-+ ')
-+ optional_policy(`
- auth_role(sysadm_r, sysadm_t)
- ')
-
-@@ -435,10 +610,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- cron_admin_role(sysadm_r, sysadm_t)
-- ')
--
-- optional_policy(`
- dbus_role_template(sysadm, sysadm_r, sysadm_t)
-
- optional_policy(`
-@@ -459,15 +630,79 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- gpg_role(sysadm_r, sysadm_t)
-+ gnome_role_template(sysadm, sysadm_r, sysadm_t)
-+ gnome_filetrans_admin_home_content(sysadm_t)
- ')
-
- optional_policy(`
-- irc_role(sysadm_r, sysadm_t)
-+ gpg_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
- java_role(sysadm_r, sysadm_t)
- ')
--')
-
-+ optional_policy(`
-+ lockdev_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ mock_admin(sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ mozilla_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ mplayer_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ pyzor_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ razor_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ rssh_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ spamassassin_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ thunderbird_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ tvtime_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ uml_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ vmtools_run_helper(sysadm_t, sysadm_r)
-+ ')
-+
-+ optional_policy(`
-+ vmware_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ wireshark_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ xserver_role(sysadm_r, sysadm_t)
-+ ')
-+')
-diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc
-new file mode 100644
-index 000000000..ae3b6db92
---- /dev/null
-+++ b/policy/modules/roles/sysadm_secadm.fc
-@@ -0,0 +1 @@
-+# No context
-diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if
-new file mode 100644
-index 000000000..bd83148e1
---- /dev/null
-+++ b/policy/modules/roles/sysadm_secadm.if
-@@ -0,0 +1 @@
-+## No Interfaces
-diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
-new file mode 100644
-index 000000000..63bc79792
---- /dev/null
-+++ b/policy/modules/roles/sysadm_secadm.te
-@@ -0,0 +1,25 @@
-+policy_module(sysadm_secadm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+gen_require(`
-+ type sysadm_t;
-+ role sysadm_r;
-+')
-+
-+userdom_security_admin_template(sysadm_t, sysadm_r)
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+mls_file_write_all_levels(sysadm_t)
-+
-+logging_manage_audit_log(sysadm_t)
-+logging_manage_audit_config(sysadm_t)
-+logging_run_auditctl(sysadm_t, sysadm_r)
-+logging_stream_connect_syslog(sysadm_t)
-diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
-new file mode 100644
-index 000000000..d9efb902a
---- /dev/null
-+++ b/policy/modules/roles/unconfineduser.fc
-@@ -0,0 +1,8 @@
-+# Add programs here which should not be confined by SELinux
-+# e.g.:
-+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-+#/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+
-+#/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
-new file mode 100644
-index 000000000..ecc53819c
---- /dev/null
-+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,764 @@
-+## Unconfined user role
-+
-+########################################
-+##
-+## Change from the unconfineduser role.
-+##
-+##
-+##
-+## Change from the unconfineduser role to
-+## the specified role.
-+##
-+##
-+## This is an interface to support third party modules
-+## and its use is not allowed in upstream reference
-+## policy.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`unconfined_role_change_to',`
-+ gen_require(`
-+ role unconfined_r;
-+ ')
-+
-+ allow unconfined_r $1;
-+')
-+
-+########################################
-+##
-+## Transition to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_domtrans',`
-+ gen_require(`
-+ type unconfined_t, unconfined_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
-+')
-+
-+########################################
-+##
-+## Execute specified programs in the unconfined domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+##
-+##
-+## The role to allow the unconfined domain.
-+##
-+##
-+#
-+interface(`unconfined_run',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ unconfined_domtrans($1)
-+ role $2 types unconfined_t;
-+')
-+
-+########################################
-+##
-+## Transition to the unconfined domain by executing a shell.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_shell_domtrans',`
-+ gen_require(`
-+ attribute unconfined_login_domain;
-+ ')
-+ typeattribute $1 unconfined_login_domain;
-+')
-+
-+########################################
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain.
-+##
-+##
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain.
-+##
-+##
-+## This is a interface to support third party modules
-+## and its use is not allowed in upstream reference
-+## policy.
-+##
-+##
-+##
-+##
-+## Domain to execute in.
-+##
-+##
-+##
-+##
-+## Domain entry point file.
-+##
-+##
-+#
-+interface(`unconfined_domtrans_to',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ domtrans_pattern(unconfined_t,$2,$1)
-+')
-+
-+########################################
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain. Allow the specified domain the
-+## unconfined role and use of unconfined user terminals.
-+##
-+##
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain. Allow the specified domain the
-+## unconfined role and use of unconfined user terminals.
-+##
-+##
-+## This is a interface to support third party modules
-+## and its use is not allowed in upstream reference
-+## policy.
-+##
-+##
-+##
-+##
-+## Domain to execute in.
-+##
-+##
-+##
-+##
-+## Domain entry point file.
-+##
-+##
-+#
-+interface(`unconfined_run_to',`
-+ gen_require(`
-+ type unconfined_t;
-+ role unconfined_r;
-+ ')
-+
-+ domtrans_pattern(unconfined_t,$2,$1)
-+ role unconfined_r types $1;
-+ userdom_use_user_terminals($1)
-+')
-+
-+######################################
-+##
-+## Stub unconfined role.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_stub_role',`
-+ gen_require(`
-+ role unconfined_r;
-+ ')
-+')
-+
-+########################################
-+##
-+## Inherit file descriptors from the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_use_fds',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:fd use;
-+')
-+
-+########################################
-+##
-+## Send a SIGCHLD signal to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_sigchld',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process sigchld;
-+')
-+
-+########################################
-+##
-+## Send a SIGNULL signal to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_signull',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send generic signals to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_signal',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process signal;
-+')
-+
-+########################################
-+##
-+## Read unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_read_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_read_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:fifo_file read;
-+')
-+
-+########################################
-+##
-+## Read and write unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_rw_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unconfined domain stream.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_stream',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Connect to the unconfined domain using
-+## a unix domain stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_stream_connect',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain tcp sockets.
-+##
-+##
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain tcp sockets.
-+##
-+##
-+## This interface was added due to a broken
-+## symptom in ldconfig.
-+##
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_tcp_sockets',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:tcp_socket { read write };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain packet sockets.
-+##
-+##
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain packet sockets.
-+##
-+##
-+## This interface was added due to a broken
-+## symptom.
-+##
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_packet_sockets',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:packet_socket { read write };
-+')
-+
-+########################################
-+##
-+## Create keys for the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_create_keys',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:key create;
-+')
-+
-+########################################
-+##
-+## Dontaudit write process information for unconfined process.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_write_state',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:file write;
-+')
-+
-+########################################
-+##
-+## Dontaudit read process information for unconfined process.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_read_state',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:dir list_dir_perms;
-+ dontaudit $1 unconfined_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Write keys for the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_write_keys',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:key write;
-+')
-+
-+########################################
-+##
-+## Send messages to the unconfined domain over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dbus_send',`
-+ gen_require(`
-+ type unconfined_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 unconfined_t:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Create communication channel with unconfined domain over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dbus_acquire_svc',`
-+ gen_require(`
-+ type unconfined_t;
-+ class dbus acquire_svc;
-+ ')
-+
-+ allow $1 unconfined_t:dbus acquire_svc;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## unconfined_t over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dbus_chat',`
-+ gen_require(`
-+ type unconfined_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 unconfined_t:dbus send_msg;
-+ allow unconfined_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Connect to the the unconfined DBUS
-+## for service (acquire_svc).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dbus_connect',`
-+ gen_require(`
-+ type unconfined_t;
-+ class dbus acquire_svc;
-+ ')
-+
-+ allow $1 unconfined_t:dbus acquire_svc;
-+')
-+
-+########################################
-+##
-+## Allow ptrace of unconfined domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_ptrace',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process ptrace;
-+')
-+
-+########################################
-+##
-+## Read and write to unconfined shared memory.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`unconfined_rw_shm',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
-+## Allow apps to set rlimits on unconfined user
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_set_rlimitnh',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process rlimitinh;
-+')
-+
-+########################################
-+##
-+## Allow apps to setsched on unconfined user
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_setsched',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process setsched;
-+')
-+
-+########################################
-+##
-+## Get the process group of unconfined.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_getpgid',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process getpgid;
-+')
-+
-+########################################
-+##
-+## Change to the unconfined role.
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`unconfined_role_change',`
-+ gen_require(`
-+ role unconfined_r;
-+ ')
-+
-+ allow $1 unconfined_r;
-+')
-+
-+########################################
-+##
-+## Allow domain to attach to TUN devices created by unconfined_t users.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_attach_tun_iface',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:tun_socket relabelfrom;
-+ allow $1 self:tun_socket relabelto;
-+')
-+
-+########################################
-+##
-+## Allow domain to transition to unconfined_t user
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_transition',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ domtrans_pattern($1,$2,unconfined_t)
-+ allow unconfined_t $2:file entrypoint;
-+ allow $1 unconfined_t:process signal_perms;
-+')
-+
-+########################################
-+##
-+## unconfined_t domain typebounds calling domain.
-+##
-+##
-+##
-+## Domain to be typebound.
-+##
-+##
-+#
-+interface(`unconfined_typebounds',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ typebounds unconfined_t $1;
-+')
-+
-+########################################
-+##
-+## unconfined_exec_t domain typebounds file_type.
-+##
-+##
-+##
-+## File type to be typebound.
-+##
-+##
-+#
-+interface(`unconfined_exec_typebounds',`
-+ gen_require(`
-+ type unconfined_exec_t;
-+ ')
-+
-+ typebounds unconfined_exec_t $1;
-+')
-+
-diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
-new file mode 100644
-index 000000000..93d7f8839
---- /dev/null
-+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,367 @@
-+policy_module(unconfineduser, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+attribute unconfined_login_domain;
-+
-+##
-+##
-+## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-+##
-+##
-+gen_tunable(unconfined_chrome_sandbox_transition, false)
-+
-+##
-+##
-+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-+##
-+##
-+gen_tunable(unconfined_mozilla_plugin_transition, false)
-+
-+##
-+##
-+## Allow a user to login as an unconfined domain
-+##
-+##
-+gen_tunable(unconfined_login, true)
-+
-+# usage in this module of types created by these
-+# calls is not correct, however we dont currently
-+# have another method to add access to these types
-+userdom_base_user_template(unconfined)
-+userdom_manage_home_role(unconfined_r, unconfined_t)
-+userdom_manage_tmp_role(unconfined_r, unconfined_t)
-+userdom_unpriv_type(unconfined_t)
-+userdom_login_userdomain(unconfined_t)
-+userdom_home_filetrans_user_home_dir(unconfined_t)
-+
-+type unconfined_exec_t;
-+application_domain(unconfined_t, unconfined_exec_t)
-+role unconfined_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+
-+domain_user_exemption_target(unconfined_t)
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
-+init_script_role_transition(unconfined_r)
-+role system_r types unconfined_t;
-+typealias unconfined_t alias unconfined_crontab_t;
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+dontaudit unconfined_t self:dir write;
-+dontaudit unconfined_t self:file setattr;
-+
-+allow unconfined_t self:system syslog_read;
-+dontaudit unconfined_t self:capability sys_module;
-+
-+allow unconfined_t file_type:system module_load;
-+
-+allow unconfined_t self:cap_userns all_cap_userns_perms;
-+
-+kernel_rw_unlabeled_socket(unconfined_t)
-+kernel_rw_unlabeled_rawip_socket(unconfined_t)
-+
-+files_create_boot_flag(unconfined_t)
-+files_create_default_dir(unconfined_t)
-+files_root_filetrans_default(unconfined_t, dir)
-+
-+init_domtrans_script(unconfined_t)
-+init_telinit(unconfined_t)
-+
-+logging_send_syslog_msg(unconfined_t)
-+
-+systemd_config_all_services(unconfined_t)
-+
-+unconfined_domain_noaudit(unconfined_t)
-+domain_named_filetrans(unconfined_t)
-+domain_transition_all(unconfined_t)
-+
-+usermanage_run_passwd(unconfined_t, unconfined_r)
-+
-+tunable_policy(`deny_execmem',`',`
-+ allow unconfined_t self:process execmem;
-+')
-+
-+tunable_policy(`selinuxuser_execstack',`
-+ allow unconfined_t self:process execstack;
-+')
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ userdom_execmod_user_home_files(unconfined_t)
-+')
-+
-+tunable_policy(`unconfined_login',`
-+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
-+ allow unconfined_t unconfined_login_domain:fd use;
-+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
-+ allow unconfined_t unconfined_login_domain:process sigchld;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ optional_policy(`
-+ abrt_dbus_chat(unconfined_t)
-+ abrt_run_helper(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ avahi_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ blueman_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ certmonger_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat(unconfined_t)
-+ devicekit_dbus_chat_disk(unconfined_t)
-+ devicekit_dbus_chat_power(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ rtkit_scheduled(unconfined_t)
-+ ')
-+
-+ # Might remove later if this proves to be problematic, but would like to gather AVCs
-+ optional_policy(`
-+ thumb_role(unconfined_r, unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ setroubleshoot_dbus_chat(unconfined_t)
-+ setroubleshoot_dbus_chat_fixit(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ sandbox_transition(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ sandbox_x_transition(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ vmtools_run_helper(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ xserver_rw_session(unconfined_t, user_tmpfs_t)
-+ xserver_dbus_chat_xdm(unconfined_t)
-+ ')
-+')
-+
-+ifdef(`distro_gentoo',`
-+ seutil_run_runinit(unconfined_t, unconfined_r)
-+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ accountsd_dbus_chat(unconfined_t)
-+')
-+
-+optional_policy(`
-+ cron_unconfined_role(unconfined_r, unconfined_t)
-+')
-+
-+optional_policy(`
-+ chrome_role_notrans(unconfined_r, unconfined_t)
-+
-+ tunable_policy(`unconfined_chrome_sandbox_transition',`
-+ chrome_domtrans_sandbox(unconfined_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ container_runtime_entrypoint(unconfined_t)
-+')
-+
-+optional_policy(`
-+ oddjob_mkhomedir_entrypoint(unconfined_t)
-+')
-+
-+optional_policy(`
-+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
-+ role system_r types unconfined_dbusd_t;
-+
-+ optional_policy(`
-+ unconfined_domain_noaudit(unconfined_dbusd_t)
-+
-+ optional_policy(`
-+ xserver_rw_shm(unconfined_dbusd_t)
-+ ')
-+ ')
-+
-+ init_dbus_chat(unconfined_t)
-+ init_dbus_chat_script(unconfined_t)
-+
-+ dbus_stub(unconfined_t)
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ cups_dbus_chat_config(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ fprintd_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ systemd_dbus_chat_timedated(unconfined_t)
-+ gnome_dbus_chat_gconfdefault(unconfined_t)
-+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ gnome_filetrans_cert_home_content(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ ipsec_mgmt_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ kerneloops_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ oddjob_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ vpn_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ firewalld_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ firewallgui_dbus_chat(unconfined_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ firstboot_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ fsadm_manage_pid(unconfined_t)
-+')
-+
-+optional_policy(`
-+ gpsd_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ anaconda_run_install(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ java_run_unconfined(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ livecd_run(unconfined_t, unconfined_r)
-+')
-+
-+#optional_policy(`
-+# mock_role(unconfined_r, unconfined_t)
-+#')
-+
-+optional_policy(`
-+ mozilla_role_plugin(unconfined_r)
-+
-+ tunable_policy(`unconfined_mozilla_plugin_transition', `
-+ mozilla_domtrans_plugin(unconfined_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ ipa_run_helper(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ chronyd_run_chronyc(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
-+ oddjob_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ # Allow SELinux aware applications to request rpm_script execution
-+ rpm_transition_script(unconfined_t, unconfined_r)
-+ rpm_dbus_chat(unconfined_t)
-+')
-+
-+optional_policy(`
-+ optional_policy(`
-+ samba_run_unconfined_net(unconfined_t, unconfined_r)
-+ ')
-+
-+ samba_role_notrans(unconfined_r)
-+ samba_run_smbcontrol(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
-+ sysnet_dbus_chat_dhcpc(unconfined_t)
-+ sysnet_role_transition_dhcpc(unconfined_r)
-+')
-+
-+optional_policy(`
-+ openshift_run(unconfined_usertype, unconfined_r)
-+')
-+
-+optional_policy(`
-+ virt_transition_svirt(unconfined_t, unconfined_r)
-+ virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
-+ virt_sandbox_entrypoint(unconfined_t)
-+')
-+
-+optional_policy(`
-+ xserver_run(unconfined_t, unconfined_r)
-+ xserver_manage_home_fonts(unconfined_t)
-+ xserver_xsession_entry_type(unconfined_t)
-+')
-+
-+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
-diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
-index 383559646..fbca2be81 100644
---- a/policy/modules/roles/unprivuser.if
-+++ b/policy/modules/roles/unprivuser.if
-@@ -1,4 +1,4 @@
--## Generic unprivileged user role
-+## Generic unprivileged user
-
- ########################################
- ##
-diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81c5..74de33345 100644
---- a/policy/modules/roles/unprivuser.te
-+++ b/policy/modules/roles/unprivuser.te
-@@ -1,5 +1,12 @@
- policy_module(unprivuser, 2.4.0)
-
-+##
-+##
-+## Allow unprivileged user to create and transition to svirt domains.
-+##
-+##
-+gen_tunable(unprivuser_use_svirt, false)
-+
- # this module should be named user, but that is
- # a compile error since user is a keyword.
-
-@@ -12,12 +19,107 @@ role user_r;
-
- userdom_unpriv_user_template(user)
-
-+kernel_read_numa_state(user_t)
-+kernel_write_numa_state(user_t)
-+
-+fs_exec_noxattr(user_t)
-+fs_read_hugetlbfs_files(user_t)
-+
-+storage_read_scsi_generic(user_t)
-+storage_write_scsi_generic(user_t)
-+
-+seutil_read_module_store(user_t)
-+
-+init_dbus_chat(user_t)
-+init_status(user_t)
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ userdom_execmod_user_home_files(user_t)
-+')
-+
-+optional_policy(`
-+ abrt_read_cache(user_t)
-+')
-+
- optional_policy(`
- apache_role(user_r, user_t)
- ')
-
- optional_policy(`
-- git_role(user_r, user_t)
-+ blueman_dbus_chat(user_t)
-+')
-+
-+optional_policy(`
-+ bluetooth_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ colord_dbus_chat(user_t)
-+')
-+
-+optional_policy(`
-+ chrome_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_stream_connect(user_t)
-+')
-+
-+optional_policy(`
-+ journalctl_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ irc_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ oident_manage_user_content(user_t)
-+ oident_relabel_user_content(user_t)
-+')
-+
-+optional_policy(`
-+ mozilla_run_plugin(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ mta_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ netutils_run_ping_cond(user_t, user_r)
-+ netutils_run_traceroute_cond(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ polipo_role(user_r, user_t)
-+ polipo_named_filetrans_cache_home_dirs(user_t)
-+ polipo_named_filetrans_config_home_files(user_t)
-+')
-+
-+optional_policy(`
-+ rpm_dontaudit_dbus_chat(user_t)
-+')
-+
-+optional_policy(`
-+ rtkit_scheduled(user_t)
-+')
-+
-+optional_policy(`
-+ systemd_read_unit_files(user_t)
-+ systemd_exec_systemctl(user_t)
-+')
-+
-+optional_policy(`
-+ sandbox_transition(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ sandbox_x_transition(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ ssh_role_template(user, user_r, user_t)
- ')
-
- optional_policy(`
-@@ -25,11 +127,19 @@ optional_policy(`
- ')
-
- optional_policy(`
-- vlock_run(user_t, user_r)
-+ setroubleshoot_dontaudit_stream_connect(user_t)
- ')
-
-+#optional_policy(`
-+# telepathy_dbus_session_role(user_r, user_t)
-+#')
-+
- optional_policy(`
-- xserver_role(user_r, user_t)
-+ usbmuxd_stream_connect(user_t)
-+')
-+
-+optional_policy(`
-+ vlock_run(user_t, user_r)
- ')
-
- ifndef(`distro_redhat',`
-@@ -102,10 +212,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- mta_role(user_r, user_t)
-- ')
--
-- optional_policy(`
- postgresql_role(user_r, user_t)
- ')
-
-@@ -128,7 +234,6 @@ ifndef(`distro_redhat',`
- optional_policy(`
- ssh_role_template(user, user_r, user_t)
- ')
--
- optional_policy(`
- su_role_template(user, user_r, user_t)
- ')
-@@ -160,4 +265,24 @@ ifndef(`distro_redhat',`
- optional_policy(`
- wireshark_role(user_r, user_t)
- ')
-+
-+ optional_policy(`
-+ xserver_run(user_t, user_r)
-+ ')
-+')
-+
-+optional_policy(`
-+ vmtools_run_helper(user_t, user_r)
-+')
-+
-+
-+optional_policy(`
-+ virt_transition_svirt(user_t, user_r)
-+ virt_filetrans_home_content(user_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`unprivuser_use_svirt',`
-+ virt_manage_images(user_t)
-+ ')
- ')
-diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index a26f84f40..225d6961d 100644
---- a/policy/modules/services/postgresql.fc
-+++ b/policy/modules/services/postgresql.fc
-@@ -10,11 +10,17 @@
- #
- /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
- /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/postgresql-check-db-dir -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+
-+/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-
- /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
- /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
- /usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-+/usr/lib/systemd/system/postgresql.* -- gen_context(system_u:object_r:postgresql_unit_file_t,s0)
-+
- ifdef(`distro_debian', `
- /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
- ')
-@@ -28,9 +34,10 @@ ifdef(`distro_redhat', `
- #
- /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
-
--/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
-+/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
- /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
--/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
-+/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
-+/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
-
- /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
- /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +52,4 @@ ifdef(`distro_redhat', `
-
- /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
-
--/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-+#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 9d2f31168..2d782e051 100644
---- a/policy/modules/services/postgresql.if
-+++ b/policy/modules/services/postgresql.if
-@@ -10,90 +10,46 @@
- ##
- ##
- ##
--##
-+##
- ## The type of the user domain.
- ##
- ##
- #
- interface(`postgresql_role',`
- gen_require(`
-- class db_database all_db_database_perms;
-- class db_schema all_db_schema_perms;
-- class db_table all_db_table_perms;
-- class db_sequence all_db_sequence_perms;
-- class db_view all_db_view_perms;
-- class db_procedure all_db_procedure_perms;
-- class db_language all_db_language_perms;
-- class db_column all_db_column_perms;
-- class db_tuple all_db_tuple_perms;
-- class db_blob all_db_blob_perms;
--
-- attribute sepgsql_client_type, sepgsql_database_type;
-- attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
--
-- type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
-- type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t;
-- type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
-- type user_sepgsql_schema_t, user_sepgsql_seq_t;
-- type user_sepgsql_sysobj_t, user_sepgsql_table_t;
-- type user_sepgsql_view_t;
-- type sepgsql_temp_object_t;
-+ attribute sepgsql_client_type;
-+ type sepgsql_trusted_proc_t;
-+ type sepgsql_ranged_proc_t;
- ')
-
-- ########################################
-- #
-- # Declarations
-- #
--
- typeattribute $2 sepgsql_client_type;
- role $1 types sepgsql_trusted_proc_t;
- role $1 types sepgsql_ranged_proc_t;
-+')
-
-- ##############################
-- #
-- # Client local policy
-- #
--
-- tunable_policy(`sepgsql_enable_users_ddl',`
-- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
-- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
-- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-+########################################
-+##
-+## Execute the postgresql program in the postgresql domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The role to allow the postgresql domain.
-+##
-+##
-+##
-+#
-+interface(`postgresql_run',`
-+ gen_require(`
-+ type postgresql_t;
- ')
-
-- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
-- type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
-- type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
--
-- allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock };
-- allow $2 user_sepgsql_table_t:db_column { getattr select update insert };
-- allow $2 user_sepgsql_table_t:db_tuple { select update insert delete };
-- type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
--
-- allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
-- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
--
-- allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
-- type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
--
-- allow $2 user_sepgsql_view_t:db_view { getattr expand };
-- type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
--
-- allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
-- type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
--
-- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
-- type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
--
-- allow $2 sepgsql_ranged_proc_t:process transition;
-- type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
-- allow sepgsql_ranged_proc_t $2:process dyntransition;
--
-- allow $2 sepgsql_trusted_proc_t:process transition;
-- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-+ postgresql_domtrans($1)
-+ role $2 types postgresql_t;
- ')
-
- ########################################
-@@ -312,7 +268,7 @@ interface(`postgresql_search_db',`
- type postgresql_db_t;
- ')
-
-- allow $1 postgresql_db_t:dir search;
-+ allow $1 postgresql_db_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -324,14 +280,16 @@ interface(`postgresql_search_db',`
- ## Domain allowed access.
- ##
- ##
-+#
- interface(`postgresql_manage_db',`
- gen_require(`
- type postgresql_db_t;
- ')
-
-- allow $1 postgresql_db_t:dir rw_dir_perms;
-- allow $1 postgresql_db_t:file rw_file_perms;
-- allow $1 postgresql_db_t:lnk_file { getattr read };
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
-+ manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
-+ manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
- ')
-
- ########################################
-@@ -354,6 +312,24 @@ interface(`postgresql_domtrans',`
-
- ######################################
- ##
-+## Execute Postgresql in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postgresql_exec',`
-+ gen_require(`
-+ type postgresql_exec_t;
-+ ')
-+
-+ can_exec($1, postgresql_exec_t)
-+')
-+
-+######################################
-+##
- ## Allow domain to signal postgresql
- ##
- ##
-@@ -421,7 +397,6 @@ interface(`postgresql_tcp_connect',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`postgresql_stream_connect',`
- gen_require(`
-@@ -432,6 +407,7 @@ interface(`postgresql_stream_connect',`
-
- files_search_pids($1)
- files_search_tmp($1)
-+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
- ')
-
- ########################################
-@@ -447,83 +423,10 @@ interface(`postgresql_stream_connect',`
- #
- interface(`postgresql_unpriv_client',`
- gen_require(`
-- class db_database all_db_database_perms;
-- class db_schema all_db_schema_perms;
-- class db_table all_db_table_perms;
-- class db_sequence all_db_sequence_perms;
-- class db_view all_db_view_perms;
-- class db_procedure all_db_procedure_perms;
-- class db_language all_db_language_perms;
-- class db_column all_db_column_perms;
-- class db_tuple all_db_tuple_perms;
-- class db_blob all_db_blob_perms;
--
- attribute sepgsql_client_type;
-- attribute sepgsql_database_type, sepgsql_schema_type;
-- attribute sepgsql_sysobj_table_type;
--
-- type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t;
-- type sepgsql_temp_object_t;
-- type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
-- type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
-- type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
-- type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
-- type unpriv_sepgsql_view_t;
- ')
-
-- ########################################
-- #
-- # Declarations
-- #
--
- typeattribute $1 sepgsql_client_type;
--
-- ########################################
-- #
-- # Client local policy
-- #
--
-- type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
-- allow $1 sepgsql_ranged_proc_t:process transition;
-- allow sepgsql_ranged_proc_t $1:process dyntransition;
--
-- type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-- allow $1 sepgsql_trusted_proc_t:process transition;
--
-- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
-- type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
--
-- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
-- type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
--
-- allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
-- type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
-- type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
--
-- allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock };
-- allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert };
-- allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete };
-- type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
--
-- allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
-- type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
--
-- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
-- type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
--
-- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
-- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
--
--
-- tunable_policy(`sepgsql_enable_users_ddl',`
-- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
-- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
-- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
-- allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
-- allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
-- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-- ')
- ')
-
- ########################################
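Review bot: After this hunk `postgresql_unpriv_client` is reduced to `typeattribute $1 sepgsql_client_type;`, which is the same attribute `postgresql_role` now assigns, so an "unprivileged" client receives the full attribute-level client policy this patch adds to postgresql.te (the `Client local policy` hunk), including the DDL rules whenever `postgresql_selinux_users_ddl` is on — and that boolean now defaults to true. The `unpriv_sepgsql_*` types this interface used to target are no longer referenced here; unless another part of the patch still uses them, they are orphaned declarations. If collapsing the unpriv/regular distinction is intended, the interface summary above the hunk should say so, e.g. `## Equivalent to the regular client interface; kept for compatibility.`; otherwise the reduced rule set needs its own attribute rather than `sepgsql_client_type`.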
-@@ -547,6 +450,29 @@ interface(`postgresql_unconfined',`
-
- ########################################
- ##
-+## Transition to postgresql named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postgresql_filetrans_named_content',`
-+ gen_require(`
-+ type postgresql_db_t;
-+ type postgresql_log_t;
-+ ')
-+
-+ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
-+ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
-+ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
-+ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
-+ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate an postgresql environment
- ##
- ##
-@@ -563,35 +489,41 @@ interface(`postgresql_unconfined',`
- #
- interface(`postgresql_admin',`
- gen_require(`
-- attribute sepgsql_admin_type;
-- attribute sepgsql_client_type;
--
-- type postgresql_t, postgresql_var_run_t;
-- type postgresql_tmp_t, postgresql_db_t;
-- type postgresql_etc_t, postgresql_log_t;
-- type postgresql_initrc_exec_t;
-+ attribute sepgsql_admin_type, sepgsql_client_type;
-+ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
-+ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
-+ type postgresql_etc_t;
- ')
-
- typeattribute $1 sepgsql_admin_type;
-
-- allow $1 postgresql_t:process { ptrace signal_perms };
-+ allow $1 postgresql_t:process signal_perms;
- ps_process_pattern($1, postgresql_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 postgresql_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgresql_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_pids($1)
- admin_pattern($1, postgresql_var_run_t)
-
-+ files_list_var_lib($1)
- admin_pattern($1, postgresql_db_t)
-
-+ files_list_etc($1)
- admin_pattern($1, postgresql_etc_t)
-
-+ logging_list_logs($1)
- admin_pattern($1, postgresql_log_t)
-
-+ files_list_tmp($1)
- admin_pattern($1, postgresql_tmp_t)
-
- postgresql_tcp_connect($1)
- postgresql_stream_connect($1)
-+ postgresql_filetrans_named_content($1)
- ')
-diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 03061349c..bb764b3d0 100644
---- a/policy/modules/services/postgresql.te
-+++ b/policy/modules/services/postgresql.te
-@@ -19,25 +19,32 @@ gen_require(`
- #
-
- ##
--##
--## Allow unprived users to execute DDL statement
--##
-+##
-+## Allow postgresql to use ssh and rsync for point-in-time recovery
-+##
-+##
-+gen_tunable(postgresql_can_rsync, false)
-+
-+##
-+##
-+## Allow unprivileged users to execute DDL statement
-+##
- ##
--gen_tunable(sepgsql_enable_users_ddl, false)
-+gen_tunable(postgresql_selinux_users_ddl, true)
-
- ##
- ##
- ## Allow transmit client label to foreign database
- ##
- ##
--gen_tunable(sepgsql_transmit_client_label, false)
-+gen_tunable(postgresql_selinux_transmit_client_label, false)
-
- ##
- ##
- ## Allow database admins to execute DML statement
- ##
- ##
--gen_tunable(sepgsql_unconfined_dbadm, false)
-+gen_tunable(postgresql_selinux_unconfined_dbadm, true)
-
- type postgresql_t;
- type postgresql_exec_t;
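Review bot: The defaults of `postgresql_selinux_users_ddl` and `postgresql_selinux_unconfined_dbadm` flip from `false` to `true` while their description text is unchanged, so nobody reading the tunable documentation learns that unprivileged DDL and unconfined DML for database admins are now on out of the box. Put the rationale next to each `gen_tunable`, e.g. `# default on: <reason — TODO fill in>`, or keep the upstream defaults. Renaming the booleans from `sepgsql_*` to `postgresql_selinux_*` also means existing `setsebool -P` settings and local modules that reference `sepgsql_enable_users_ddl` silently stop applying, unless aliases are provided somewhere not visible in this hunk.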
-@@ -52,6 +59,9 @@ files_config_file(postgresql_etc_t)
- type postgresql_initrc_exec_t;
- init_script_file(postgresql_initrc_exec_t)
-
-+type postgresql_unit_file_t;
-+systemd_unit_file(postgresql_unit_file_t)
-+
- type postgresql_lock_t;
- files_lock_file(postgresql_lock_t)
-
-@@ -224,7 +234,7 @@ postgresql_view_object(user_sepgsql_view_t)
- #
- # postgresql Local policy
- #
--allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
-+allow postgresql_t self:capability { kill dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
- dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
- allow postgresql_t self:process signal_perms;
- allow postgresql_t self:fifo_file rw_fifo_file_perms;
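Review bot: The rewritten capability line still grants `sys_tty_config` and `sys_admin`, yet the unchanged next line `dontaudit postgresql_t self:capability { sys_tty_config sys_admin };` is kept; a dontaudit on a permission that is already allowed has no effect, so one of the two rules is stale. Dropping `dac_override` is a good reduction; if `sys_admin` and `sys_tty_config` are only there to silence probing denials, remove them from the allow rule and keep the dontaudit, otherwise delete the dontaudit. The local-policy section continues outside the hunk.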
-@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
- allow postgresql_t self:unix_dgram_socket create_socket_perms;
- allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow postgresql_t self:netlink_selinux_socket create_socket_perms;
--tunable_policy(`sepgsql_transmit_client_label',`
-+
-+tunable_policy(`postgresql_selinux_transmit_client_label',`
- allow postgresql_t self:process { setsockcreate };
- ')
-
-@@ -270,18 +281,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
- manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
- manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
- manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
--files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
-+postgresql_filetrans_named_content(postgresql_t)
-
- allow postgresql_t postgresql_etc_t:dir list_dir_perms;
- read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
- read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
-
--allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
-+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
- can_exec(postgresql_t, postgresql_exec_t )
-
- allow postgresql_t postgresql_lock_t:file manage_file_perms;
- files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
-
-+manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
- manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
- logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
-
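Review bot: Replacing `files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })` with `postgresql_filetrans_named_content(postgresql_t)` narrows the transition to the three directory names the new interface lists (`postgresql`, `postgres`, `pgsql`); a file, socket or fifo that postgresql_t creates directly under /var/lib will now inherit the parent's label instead of becoming postgresql_db_t. If that narrowing is deliberate, a comment would keep the broad rule from being re-added later, e.g. `# only the named top-level dirs transition; content created inside them inherits postgresql_db_t`. The added `manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)` matches the `{ file dir }` filetrans on the next line, which is consistent.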
-@@ -291,6 +303,7 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
- manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
- manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
- files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-+allow postgresql_t postgresql_tmp_t:file map;
- fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
-
- manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-@@ -299,12 +312,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
- files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
-
- kernel_read_kernel_sysctls(postgresql_t)
-+kernel_read_network_state(postgresql_t)
- kernel_read_system_state(postgresql_t)
- kernel_list_proc(postgresql_t)
- kernel_read_all_sysctls(postgresql_t)
- kernel_read_proc_symlinks(postgresql_t)
-
--corenet_all_recvfrom_unlabeled(postgresql_t)
- corenet_all_recvfrom_netlabel(postgresql_t)
- corenet_tcp_sendrecv_generic_if(postgresql_t)
- corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -342,8 +355,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
- domain_use_interactive_fds(postgresql_t)
-
- files_dontaudit_search_home(postgresql_t)
--files_manage_etc_files(postgresql_t)
--files_search_etc(postgresql_t)
-+files_read_etc_files(postgresql_t)
- files_read_etc_runtime_files(postgresql_t)
- files_read_usr_files(postgresql_t)
-
-@@ -354,20 +366,28 @@ init_read_utmp(postgresql_t)
- logging_send_syslog_msg(postgresql_t)
- logging_send_audit_msgs(postgresql_t)
-
--miscfiles_read_localization(postgresql_t)
--
- seutil_libselinux_linked(postgresql_t)
- seutil_read_default_contexts(postgresql_t)
-
-+sysnet_use_ldap(postgresql_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
- userdom_dontaudit_search_user_home_dirs(postgresql_t)
- userdom_dontaudit_use_user_terminals(postgresql_t)
-
- optional_policy(`
-+ ccs_read_config(postgresql_t)
-+')
-+
-+optional_policy(`
- mta_getattr_spool(postgresql_t)
- ')
-
--tunable_policy(`allow_execmem',`
-+optional_policy(`
-+ rhcs_manage_cluster_pid_files(postgresql_t)
-+')
-+
-+tunable_policy(`deny_execmem',`',`
- allow postgresql_t self:process execmem;
- ')
-
-@@ -485,10 +505,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
- # It is always allowed to operate temporary objects for any database client.
- allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
-
--# Note that permission of creation/deletion are eventually controlled by
--# create or drop permission of individual objects within shared schemas.
--# So, it just allows to create/drop user specific types.
--tunable_policy(`sepgsql_enable_users_ddl',`
-+##############################
-+#
-+# Client local policy
-+#
-+allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
-+type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t;
-+type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
-+
-+allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock };
-+allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert };
-+allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete };
-+type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t;
-+
-+allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { use select };
-+type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
-+
-+allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
-+type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
-+
-+allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand };
-+type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t;
-+
-+allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute };
-+type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
-+
-+allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
-+type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t;
-+
-+allow sepgsql_client_type sepgsql_ranged_proc_t:process transition;
-+type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
-+allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition;
-+
-+allow sepgsql_client_type sepgsql_trusted_proc_t:process transition;
-+type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-+
-+tunable_policy(`postgresql_selinux_users_ddl',`
-+ allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr };
-+ allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr };
-+ allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr };
-+ allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete };
-+ allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-+ allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr };
-+ allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-+ # Note that permission of creation/deletion are eventually controlled by
-+ # create or drop permission of individual objects within shared schemas.
-+ # So, it just allows to create/drop user specific types.
- allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
- ')
-
-@@ -536,7 +598,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
-
- kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
-
--tunable_policy(`sepgsql_unconfined_dbadm',`
-+tunable_policy(`postgresql_selinux_unconfined_dbadm',`
- allow sepgsql_admin_type sepgsql_database_type:db_database *;
-
- allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +651,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
- allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
-
- kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
-+
-+optional_policy(`
-+ tunable_policy(`postgresql_can_rsync',`
-+ rsync_exec(postgresql_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`postgresql_can_rsync',`
-+ ssh_exec(postgresql_t)
-+ ssh_read_user_home_files(postgresql_t)
-+ corenet_tcp_connect_ssh_port(postgresql_t)
-+ ')
-+')
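Review bot: `ssh_read_user_home_files(postgresql_t)` under `postgresql_can_rsync` grants read access to `ssh_home_t`, which this same patch turns into a single type shared by every user's `~/.ssh` (the ssh.if hunk dropping `$1_ssh_home_t`) as well as `/var/lib/pgsql/\.ssh`; with the boolean on, the database daemon can read every account's key material, not only the postgres account's. If only the postgres home is needed, a dedicated type or a narrower interface is preferable; at minimum the boolean's description in the tunables hunk should state the scope, e.g. `## This also lets postgresql read every user's ~/.ssh content.`. `corenet_tcp_connect_ssh_port` is a base interface and does not need to sit inside the ssh `optional_policy` block, though it is harmless there.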
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 76d9f66ec..7528851ad 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -1,16 +1,42 @@
- HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0)
-+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
-
--/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
--/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/one/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/openshift/gear/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+
-+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
-+
-+/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
-
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-
- /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-+/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0)
-+/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0)
-
-+/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-+/usr/libexec/openssh/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
-
- /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
-+/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-
- /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
-+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
-+
-+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
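Review bot: `/var/lib/[^/]+/\.ssh(/.*)?` already matches the `amanda`, `gitolite`, `gitolite3`, `nocpulse`, `one` and `pgsql` entries that follow it with the same label, so those six lines are dead; only the `openshift/[^/]+`, `openshift/gear/[^/]+` and `stickshift/[^/]+` entries, whose paths have an extra component, add coverage. Drop the redundant lines, or keep one comment such as `# /var/lib/<service>/.ssh is covered by the generic pattern above` if you want the service names documented. `/usr/sbin/gsisshd` is also out of the alphabetical order the rest of the `/usr/sbin` block follows.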
-diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c68272..f0a61f830 100644
---- a/policy/modules/services/ssh.if
-+++ b/policy/modules/services/ssh.if
-@@ -32,10 +32,11 @@
- ##
- #
- template(`ssh_basic_client_template',`
--
- gen_require(`
- attribute ssh_server;
- type ssh_exec_t, sshd_key_t, sshd_tmp_t;
-+ type ssh_keysign_exec_t, ssh_keysign_t;
-+ type ssh_home_t;
- ')
-
- ##############################
-@@ -47,16 +48,12 @@ template(`ssh_basic_client_template',`
- application_domain($1_ssh_t, ssh_exec_t)
- role $3 types $1_ssh_t;
-
-- type $1_ssh_home_t;
-- files_type($1_ssh_home_t)
-- typealias $1_ssh_home_t alias $1_home_ssh_t;
--
- ##############################
- #
- # Client local policy
- #
-
-- allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
-+ allow $1_ssh_t self:capability { setuid setgid dac_read_search };
- allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_ssh_t self:fd use;
- allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
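Review bot: Removing `type $1_ssh_home_t` and its `$1_home_ssh_t` alias drops per-prefix type names (for example the `user_`/`staff_` instantiations) that existing local modules or custom file contexts may still reference; unless another part of the patch adds them back, those modules will fail to load. Adding `typealias ssh_home_t alias { $1_ssh_home_t $1_home_ssh_t };` here keeps the old names resolvable while the shared `ssh_home_t` type becomes the real one. The template continues outside the hunk.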
-@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
- # or "regular" (not special like sshd_extern_t) servers
- allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
-
-+ # derived domain can execute ssh-keysign
-+ domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-+ role $3 types ssh_keysign_t;
-+
- # allow ps to show ssh
- ps_process_pattern($2, $1_ssh_t)
-
- # user can manage the keys and config
-- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-+ manage_files_pattern($2, ssh_home_t, ssh_home_t)
-+ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
-+ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
-
- # ssh client can manage the keys and config
-- manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
-- read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
-+ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
-+ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
-
- # ssh servers can read the user keys and config
-- allow ssh_server $1_ssh_home_t:dir list_dir_perms;
-- read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
-- read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
-+ allow ssh_server ssh_home_t:dir list_dir_perms;
-+ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-
- kernel_read_kernel_sysctls($1_ssh_t)
- kernel_read_system_state($1_ssh_t)
-
-- corenet_all_recvfrom_unlabeled($1_ssh_t)
- corenet_all_recvfrom_netlabel($1_ssh_t)
- corenet_tcp_sendrecv_generic_if($1_ssh_t)
- corenet_tcp_sendrecv_generic_node($1_ssh_t)
- corenet_tcp_sendrecv_all_ports($1_ssh_t)
- corenet_tcp_connect_ssh_port($1_ssh_t)
- corenet_sendrecv_ssh_client_packets($1_ssh_t)
-+ corenet_tcp_bind_generic_node($1_ssh_t)
-+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
-
- dev_read_urand($1_ssh_t)
-
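Review bot: `allow ssh_server ssh_home_t:dir list_dir_perms;` and the two `read_*_pattern(ssh_server, ssh_home_t, ssh_home_t)` calls no longer mention `$1`, so they are module-global rules that get expanded once per template instantiation; they belong in ssh.te next to the `ssh_home_t` declaration rather than inside `ssh_basic_client_template`. The `$2`-based manage rules can stay since `$2` still varies per call. `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` is added without a comment; say what needs a listening port in the client, e.g. `# presumably local port forwarding (-L/-D) — confirm`.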
-@@ -139,7 +141,6 @@ template(`ssh_basic_client_template',`
- logging_send_syslog_msg($1_ssh_t)
- logging_read_generic_logs($1_ssh_t)
-
-- miscfiles_read_localization($1_ssh_t)
-
- seutil_read_config($1_ssh_t)
-
-@@ -148,6 +149,29 @@ template(`ssh_basic_client_template',`
- ')
- ')
-
-+######################################
-+##
-+## The template to define a domain to which sshd dyntransition.
-+##
-+##
-+##
-+## The prefix of the dyntransition domain
-+##
-+##
-+#
-+template(`ssh_dyntransition_domain_template',`
-+ gen_require(`
-+ attribute ssh_dyntransition_domain;
-+ ')
-+
-+ type $1, ssh_dyntransition_domain;
-+ domain_type($1)
-+ role system_r types $1;
-+
-+ optional_policy(`
-+ ssh_dyntransition_to($1)
-+ ')
-+')
- #######################################
- ##
- ## The template to define a ssh server.
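Review bot: The parameter description says `The prefix of the dyntransition domain`, but the body uses `$1` as the complete type name (`type $1, ssh_dyntransition_domain;`, `domain_type($1)`), so a caller who follows the doc and passes a prefix ends up with a domain literally named by that prefix; change the doc to `## The type of the dyntransition domain.` or the body to `$1_t`. Wrapping `ssh_dyntransition_to($1)` in `optional_policy` is unusual for an interface from the same module — if it is conditional on something, a comment should say on what. The closing `')` also runs straight into the next `#######` header without the blank line the rest of the file uses.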
-@@ -168,7 +192,11 @@ template(`ssh_basic_client_template',`
- ##
- ##
- #
--template(`ssh_server_template', `
-+template(`ssh_server_template',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+
- type $1_t, ssh_server;
- auth_login_pgm_domain($1_t)
-
-@@ -181,20 +209,23 @@ template(`ssh_server_template', `
- type $1_var_run_t;
- files_pid_file($1_var_run_t)
-
-- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search fowner fsetid net_admin setgid setuid sys_tty_config };
- allow $1_t self:fifo_file rw_fifo_file_perms;
-- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
-+ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
- # ssh agent connections:
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t self:shm create_shm_perms;
-
-- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
-+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
- term_create_pty($1_t, $1_devpts_t)
-
-- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
-+ #manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-+ #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
-+ userdom_manage_tmp_role(system_r, sshd_t)
-
- allow $1_t $1_var_run_t:file manage_file_perms;
- files_pid_filetrans($1_t, $1_var_run_t, file)
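Review bot: The two `allow $1_t self:process { ... }` lines grant the identical set (`getcap signal getsched setsched setrlimit setexec`) in a different order, so one is a leftover and should be removed; the old line's `setkeycreate` is dropped in the process without comment — confirm that is intended. `userdom_manage_tmp_role(system_r, sshd_t)` hardcodes `sshd_t` inside a template parameterized by `$1_t` (which is why the previous hunk had to add `gen_require` for `sshd_t`); any other instantiation of `ssh_server_template` gets nothing from it, so it should read `userdom_manage_tmp_role(system_r, $1_t)` or move to sshd's own policy. The capability set now also includes `sys_admin` with no comment, while `net_admin` is explained further down (`tunnel feature and -w`); give `sys_admin` the same treatment, and delete the two commented-out tmpfs lines instead of leaving them in.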
-@@ -206,6 +237,7 @@ template(`ssh_server_template', `
-
- kernel_read_kernel_sysctls($1_t)
- kernel_read_network_state($1_t)
-+ kernel_request_load_module($1_t)
-
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
-@@ -220,10 +252,13 @@ template(`ssh_server_template', `
- corenet_tcp_bind_generic_node($1_t)
- corenet_udp_bind_generic_node($1_t)
- corenet_tcp_bind_ssh_port($1_t)
-- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_ssh_server_packets($1_t)
-+ # -R qualifier
-+ corenet_sendrecv_ssh_server_packets($1_t)
-+ # tunnel feature and -w (net_admin capability also)
-+ corenet_rw_tun_tap_dev($1_t)
-
-- fs_dontaudit_getattr_all_fs($1_t)
-+ fs_getattr_all_fs($1_t)
-
- auth_rw_login_records($1_t)
- auth_rw_faillog($1_t)
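Review bot: `corenet_sendrecv_ssh_server_packets($1_t)` now appears twice in a row, the second under the comment `# -R qualifier`; a repeated allow is a no-op, so the comment most likely describes an interface that was meant to be added instead (remote forwarding with `-R` needs the server to bind additional listening ports, which this rule does not grant) — verify what was intended and keep a single call. The swap of `fs_dontaudit_getattr_all_fs` for `fs_getattr_all_fs` turns a silenced denial into a grant; a one-line comment on why sshd needs to stat every filesystem would help the next reviewer.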
-@@ -233,7 +268,10 @@ template(`ssh_server_template', `
- # for sshd subsystems, such as sftp-server.
- corecmd_getattr_bin_files($1_t)
-
-+ dev_rw_crypto($1_t)
-+
- domain_interactive_fd($1_t)
-+ domain_dyntrans_type($1_t)
-
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
-@@ -241,35 +279,33 @@ template(`ssh_server_template', `
-
- logging_search_logs($1_t)
-
-- miscfiles_read_localization($1_t)
--
-- userdom_create_all_users_keys($1_t)
- userdom_dontaudit_relabelfrom_user_ptys($1_t)
-- userdom_search_user_home_dirs($1_t)
-+ userdom_read_user_home_content_files($1_t)
-
- # Allow checking users mail at login
- optional_policy(`
- mta_getattr_spool($1_t)
- ')
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files($1_t)
-- fs_read_nfs_symlinks($1_t)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files($1_t)
-- ')
-+ userdom_home_manager($1_t)
-
- optional_policy(`
- kerberos_use($1_t)
-- kerberos_manage_host_rcache($1_t)
-+ #kerberos_manage_host_rcache($1_t)
- ')
-
- optional_policy(`
- files_read_var_lib_symlinks($1_t)
- nx_spec_domtrans_server($1_t)
- ')
-+
-+ optional_policy(`
-+ rlogin_read_home_content($1_t)
-+ ')
-+
-+ optional_policy(`
-+ shutdown_getattr_exec_files($1_t)
-+ ')
- ')
-
- ########################################
-@@ -292,14 +328,15 @@ template(`ssh_server_template', `
- ## User domain for the role
- ##
- ##
-+##
- #
- template(`ssh_role_template',`
- gen_require(`
- attribute ssh_server, ssh_agent_type;
--
- type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
- type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
- type ssh_agent_tmp_t;
-+ type cache_home_t;
- ')
-
- ##############################
-@@ -328,103 +365,56 @@ template(`ssh_role_template',`
-
- # allow ps to show ssh
- ps_process_pattern($3, ssh_t)
-- allow $3 ssh_t:process signal;
-+ allow $3 ssh_t:process signal_perms;
-
- # for rsync
- allow ssh_t $3:unix_stream_socket rw_socket_perms;
- allow ssh_t $3:unix_stream_socket connectto;
-+ allow ssh_t $3:key manage_key_perms;
-+ allow $3 ssh_t:key { write search read view };
-
- # user can manage the keys and config
- manage_files_pattern($3, ssh_home_t, ssh_home_t)
- manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
- manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
- userdom_search_user_home_dirs($1_t)
-+ userdom_manage_tmp_role($2, ssh_t)
-
- ##############################
- #
- # SSH agent local policy
- #
-
-- allow $1_ssh_agent_t self:process setrlimit;
-- allow $1_ssh_agent_t self:capability setgid;
--
- allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
-
- allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-- manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
-- manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
-- files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
--
- # for ssh-add
- stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
-+ stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
-
- # Allow the user shell to signal the ssh program.
-- allow $3 $1_ssh_agent_t:process signal;
-+ allow $3 $1_ssh_agent_t:process signal_perms;
-
- # allow ps to show ssh
- ps_process_pattern($3, $1_ssh_agent_t)
-
- domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
-
-- kernel_read_kernel_sysctls($1_ssh_agent_t)
--
-- dev_read_urand($1_ssh_agent_t)
-- dev_read_rand($1_ssh_agent_t)
--
-- fs_search_auto_mountpoints($1_ssh_agent_t)
-+ kernel_read_system_state($1_ssh_agent_t)
-
- # transition back to normal privs upon exec
- corecmd_shell_domtrans($1_ssh_agent_t, $3)
- corecmd_bin_domtrans($1_ssh_agent_t, $3)
-
-- domain_use_interactive_fds($1_ssh_agent_t)
--
-- files_read_etc_files($1_ssh_agent_t)
-- files_read_etc_runtime_files($1_ssh_agent_t)
-- files_search_home($1_ssh_agent_t)
--
-- libs_read_lib_files($1_ssh_agent_t)
-+ auth_use_nsswitch($1_ssh_agent_t)
-
- logging_send_syslog_msg($1_ssh_agent_t)
-
-- miscfiles_read_localization($1_ssh_agent_t)
-- miscfiles_read_generic_certs($1_ssh_agent_t)
--
-- seutil_dontaudit_read_config($1_ssh_agent_t)
--
-- # Write to the user domain tty.
-- userdom_use_user_terminals($1_ssh_agent_t)
--
-- # for the transition back to normal privs upon exec
-- userdom_search_user_home_content($1_ssh_agent_t)
- userdom_user_home_domtrans($1_ssh_agent_t, $3)
-- allow $3 $1_ssh_agent_t:fd use;
-- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-- allow $3 $1_ssh_agent_t:process sigchld;
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files($1_ssh_agent_t)
--
-- # transition back to normal privs upon exec
-- fs_nfs_domtrans($1_ssh_agent_t, $3)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files($1_ssh_agent_t)
--
-- # transition back to normal privs upon exec
-- fs_cifs_domtrans($1_ssh_agent_t, $3)
-- ')
--
-- optional_policy(`
-- nis_use_ypbind($1_ssh_agent_t)
-- ')
-+ userdom_home_manager($1_ssh_agent_t)
-
-- optional_policy(`
-- xserver_use_xdm_fds($1_ssh_agent_t)
-- xserver_rw_xdm_pipes($1_ssh_agent_t)
-- ')
-+ ssh_exec_keygen($3)
- ')
-
- ########################################
-@@ -496,8 +486,27 @@ interface(`ssh_read_pipes',`
- type sshd_t;
- ')
-
-- allow $1 sshd_t:fifo_file { getattr read };
-+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
-+')
-+
-+######################################
-+##
-+## Read and write ssh server unix dgram sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_rw_dgram_sockets',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+
-+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
- ')
-+
- ########################################
- ##
- ## Read and write a ssh server unnamed pipe.
-@@ -513,7 +522,7 @@ interface(`ssh_rw_pipes',`
- type sshd_t;
- ')
-
-- allow $1 sshd_t:fifo_file { write read getattr ioctl };
-+ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -605,6 +614,24 @@ interface(`ssh_domtrans',`
-
- ########################################
- ##
-+## Execute sshd server in the sshd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_initrc_domtrans',`
-+ gen_require(`
-+ type sshd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
-+')
-+
-+########################################
-+##
- ## Execute the ssh client in the caller domain.
- ##
- ##
-@@ -637,7 +664,7 @@ interface(`ssh_setattr_key_files',`
- type sshd_key_t;
- ')
-
-- allow $1 sshd_key_t:file setattr;
-+ allow $1 sshd_key_t:file setattr_file_perms;
- files_search_pids($1)
- ')
-
-@@ -662,6 +689,42 @@ interface(`ssh_agent_exec',`
-
- ########################################
- ##
-+## Getattr ssh home directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_getattr_user_home_dir',`
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ allow $1 ssh_home_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Dontaudit search ssh home directory
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ssh_dontaudit_search_user_home_dir',`
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ dontaudit $1 ssh_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Read ssh home directory content
- ##
- ##
-@@ -701,6 +764,68 @@ interface(`ssh_domtrans_keygen',`
-
- ########################################
- ##
-+## Execute the ssh key generator in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ssh_exec_keygen',`
-+ gen_require(`
-+ type ssh_keygen_exec_t;
-+ ')
-+
-+ can_exec($1, ssh_keygen_exec_t)
-+')
-+
-+#######################################
-+##
-+## Execute ssh-keygen in the iptables domain, and
-+## allow the specified role the ssh-keygen domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`ssh_run_keygen',`
-+ gen_require(`
-+ type ssh_keygen_t;
-+ ')
-+
-+ role $2 types ssh_keygen_t;
-+ ssh_domtrans_keygen($1)
-+')
-+
-+########################################
-+##
-+## Getattr ssh server keys
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ssh_getattr_server_keys',`
-+ gen_require(`
-+ type sshd_key_t;
-+ ')
-+
-+ allow $1 sshd_key_t:file getattr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read ssh server keys
- ##
- ##
-@@ -714,7 +839,26 @@ interface(`ssh_dontaudit_read_server_keys',`
- type sshd_key_t;
- ')
-
-- dontaudit $1 sshd_key_t:file { getattr read };
-+ dontaudit $1 sshd_key_t:file read_file_perms;
-+')
-+
-+######################################
-+##
-+## Append ssh home directory content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_append_home_files',`
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ append_files_pattern($1, ssh_home_t, ssh_home_t)
-+ userdom_search_user_home_dirs($1)
- ')
-
- ######################################
-@@ -754,3 +898,151 @@ interface(`ssh_delete_tmp',`
- files_search_tmp($1)
- delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
- ')
-+
-+#####################################
-+##
-+## Allow domain dyntransition to chroot_user_t domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_dyntransition_to',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+
-+ allow sshd_t $1:process dyntransition;
-+ allow $1 sshd_t:process sigchld;
-+ allow sshd_t $1:process { getattr sigkill sigstop signull signal };
-+')
-+
-+########################################
-+##
-+## Create .ssh directory in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_filetrans_admin_home_content',`
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
-+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
-+')
-+
-+########################################
-+##
-+## Create .ssh directory in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_filetrans_home_content',`
-+
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
-+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
-+ files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")
-+')
-+
-+########################################
-+##
-+## Create .ssh directory in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_filetrans_keys',`
-+
-+ gen_require(`
-+ type sshd_key_t;
-+ ')
-+
-+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key")
-+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key")
-+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key")
-+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub")
-+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub")
-+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub")
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and
-+## write the sshd pty type.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ssh_dontaudit_use_ptys',`
-+ gen_require(`
-+ type sshd_devpts_t;
-+ ')
-+
-+ dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
-+')
-+
-+########################################
-+##
-+## Read and write inherited sshd pty type.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ssh_use_ptys',`
-+ gen_require(`
-+ type sshd_devpts_t;
-+ ')
-+
-+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute sshd server in the sshd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ssh_systemctl',`
-+ gen_require(`
-+ type sshd_t;
-+ type sshd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 sshd_unit_file_t:file manage_file_perms;
-+ allow $1 sshd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, sshd_t)
-+')
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7b0..296d9c7dd 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
- #
-
- ##
--##
--## allow host key based authentication
--##
-+##
-+## allow host key based authentication
-+##
-+##
-+gen_tunable(ssh_keysign, false)
-+
-+##
-+##
-+## Allow ssh logins as sysadm_r:sysadm_t
-+##
- ##
--gen_tunable(allow_ssh_keysign, false)
-+gen_tunable(ssh_sysadm_login, false)
-
- ##
- ##
--## Allow ssh logins as sysadm_r:sysadm_t
-+## Allow ssh with chroot env to read and write files
-+## in the user home directories
- ##
- ##
--gen_tunable(ssh_sysadm_login, false)
-+gen_tunable(ssh_chroot_rw_homedirs, false)
-
-+attribute ssh_dyntransition_domain;
- attribute ssh_server;
- attribute ssh_agent_type;
-
-+ssh_dyntransition_domain_template(chroot_user_t)
-+ssh_dyntransition_domain_template(sshd_sandbox_t)
-+ssh_dyntransition_domain_template(sshd_net_t)
-+
- type ssh_keygen_t;
- type ssh_keygen_exec_t;
- init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
--role system_r types ssh_keygen_t;
-+
-+type ssh_keygen_tmp_t;
-+files_tmp_file(ssh_keygen_tmp_t)
-+
-+type sshd_keygen_t;
-+type sshd_keygen_exec_t;
-+init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
-+
-+type sshd_keygen_unit_file_t;
-+systemd_unit_file(sshd_keygen_unit_file_t)
-
- type sshd_exec_t;
- corecmd_executable_file(sshd_exec_t)
-
- ssh_server_template(sshd)
- init_daemon_domain(sshd_t, sshd_exec_t)
-+mls_trusted_object(sshd_t)
-+mls_process_write_all_levels(sshd_t)
-+mls_dbus_send_all_levels(sshd_t)
-+
-+type sshd_initrc_exec_t;
-+init_script_file(sshd_initrc_exec_t)
-+
-+type sshd_unit_file_t;
-+systemd_unit_file(sshd_unit_file_t)
-
- type sshd_key_t;
- files_type(sshd_key_t)
-
--type sshd_tmp_t;
--files_tmp_file(sshd_tmp_t)
--files_poly_parent(sshd_tmp_t)
--
--ifdef(`enable_mcs',`
-- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
--')
-+type sshd_keytab_t;
-+files_type(sshd_keytab_t)
-
- type ssh_t;
- type ssh_exec_t;
-@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
- type ssh_tmpfs_t;
- typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
- typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
--userdom_user_tmpfs_file(ssh_tmpfs_t)
-+userdom_user_tmp_file(ssh_tmpfs_t)
-
- type ssh_home_t;
- typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
- typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
- userdom_user_home_content(ssh_home_t)
-+files_poly_parent(ssh_home_t)
-
--type sshd_keytab_t;
--files_type(sshd_keytab_t)
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-+')
-
- ##############################
- #
- # SSH client local policy
- #
-
--allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
-+allow ssh_t self:capability { setuid setgid dac_read_search };
- allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow ssh_t self:fd use;
- allow ssh_t self:fifo_file rw_fifo_file_perms;
-+allow ssh_t self:key manage_key_perms;
- allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
- allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow ssh_t self:shm create_shm_perms;
-@@ -93,50 +122,55 @@ allow ssh_t self:sem create_sem_perms;
- allow ssh_t self:msgq create_msgq_perms;
- allow ssh_t self:msg { send receive };
- allow ssh_t self:tcp_socket create_stream_socket_perms;
-+can_exec(ssh_t, ssh_exec_t)
-
- # Read the ssh key file.
- allow ssh_t sshd_key_t:file read_file_perms;
-
--# Access the ssh temporary files.
--allow ssh_t sshd_tmp_t:dir manage_dir_perms;
--allow ssh_t sshd_tmp_t:file manage_file_perms;
--files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
--
- manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
- manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
- manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
- manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
--fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
- manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
--userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
-+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
-+userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file)
-+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
-+userdom_read_all_users_keys(ssh_t)
-+userdom_stream_connect(ssh_t)
-+userdom_search_admin_dir(sshd_t)
-
- # Allow the ssh program to communicate with ssh-agent.
- stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-
- allow ssh_t sshd_t:unix_stream_socket connectto;
-+allow ssh_t sshd_t:peer recv;
-
- # ssh client can manage the keys and config
- manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
- read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
-
- # ssh servers can read the user keys and config
--allow ssh_server ssh_home_t:dir list_dir_perms;
--read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
--read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-
- kernel_read_kernel_sysctls(ssh_t)
- kernel_read_system_state(ssh_t)
-
--corenet_all_recvfrom_unlabeled(ssh_t)
- corenet_all_recvfrom_netlabel(ssh_t)
- corenet_tcp_sendrecv_generic_if(ssh_t)
- corenet_tcp_sendrecv_generic_node(ssh_t)
- corenet_tcp_sendrecv_all_ports(ssh_t)
- corenet_tcp_connect_ssh_port(ssh_t)
-+corenet_tcp_connect_all_unreserved_ports(ssh_t)
- corenet_sendrecv_ssh_client_packets(ssh_t)
-+corenet_tcp_bind_generic_node(ssh_t)
-+#corenet_tcp_bind_all_unreserved_ports(ssh_t)
-+corenet_rw_tun_tap_dev(ssh_t)
-
-+dev_read_rand(ssh_t)
- dev_read_urand(ssh_t)
-
- fs_getattr_all_fs(ssh_t)
-@@ -157,40 +191,46 @@ files_read_var_files(ssh_t)
- logging_send_syslog_msg(ssh_t)
- logging_read_generic_logs(ssh_t)
-
-+term_use_ptmx(ssh_t)
-+
- auth_use_nsswitch(ssh_t)
-
--miscfiles_read_localization(ssh_t)
-+miscfiles_read_generic_certs(ssh_t)
-
- seutil_read_config(ssh_t)
-
- userdom_dontaudit_list_user_home_dirs(ssh_t)
- userdom_search_user_home_dirs(ssh_t)
-+userdom_search_admin_dir(ssh_t)
- # Write to the user domain tty.
--userdom_use_user_terminals(ssh_t)
--# needs to read krb tgt
-+userdom_use_inherited_user_terminals(ssh_t)
-+# needs to read krb/write tgt
- userdom_read_user_tmp_files(ssh_t)
--
--tunable_policy(`allow_ssh_keysign',`
-- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-- allow ssh_keysign_t ssh_t:fd use;
-- allow ssh_keysign_t ssh_t:process sigchld;
-- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
-+userdom_write_user_tmp_files(ssh_t)
-+userdom_read_user_home_content_symlinks(ssh_t)
-+userdom_rw_inherited_user_home_content_files(ssh_t)
-+userdom_read_home_certs(ssh_t)
-+userdom_home_manager(ssh_t)
-+
-+tunable_policy(`ssh_keysign',`
-+ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(ssh_t)
-- fs_manage_nfs_files(ssh_t)
-+# for port forwarding
-+tunable_policy(`selinuxuser_tcp_server',`
-+ corenet_tcp_bind_ssh_port(ssh_t)
-+ corenet_tcp_bind_generic_node(ssh_t)
-+ corenet_tcp_bind_all_unreserved_ports(ssh_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(ssh_t)
-- fs_manage_cifs_files(ssh_t)
-+ifdef(`enable_mcs',`
-+ optional_policy(`
-+ condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh)
-+ ')
- ')
-
--# for port forwarding
--tunable_policy(`user_tcp_server',`
-- corenet_tcp_bind_ssh_port(ssh_t)
-- corenet_tcp_bind_generic_node(ssh_t)
-+optional_policy(`
-+ gnome_stream_connect_gkeyringd(ssh_t)
- ')
-
- optional_policy(`
-@@ -198,6 +238,7 @@ optional_policy(`
- xserver_domtrans_xauth(ssh_t)
- ')
-
-+
- ##############################
- #
- # ssh_keysign_t local policy
-@@ -209,6 +250,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
- allow ssh_keysign_t sshd_key_t:file { getattr read };
-
- dev_read_urand(ssh_keysign_t)
-+dev_read_rand(ssh_keysign_t)
-
- files_read_etc_files(ssh_keysign_t)
-
-@@ -226,39 +268,58 @@ optional_policy(`
- # so a tunnel can point to another ssh tunnel
- allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
- allow sshd_t self:key { search link write };
-+allow sshd_t self:process setcurrent;
-
- allow sshd_t sshd_keytab_t:file read_file_perms;
-
--manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
--manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
--manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
--files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
--
- kernel_search_key(sshd_t)
- kernel_link_key(sshd_t)
-+kernel_read_net_sysctls(sshd_t)
-+
-+files_search_all(sshd_t)
-+
-+fs_search_cgroup_dirs(sshd_t)
-+fs_rw_cgroup_files(sshd_t)
-
- term_use_all_ptys(sshd_t)
- term_setattr_all_ptys(sshd_t)
-+term_setattr_all_ttys(sshd_t)
- term_relabelto_all_ptys(sshd_t)
-+term_use_ptmx(sshd_t)
-
- # for X forwarding
- corenet_tcp_bind_xserver_port(sshd_t)
-+corenet_tcp_bind_vnc_port(sshd_t)
- corenet_sendrecv_xserver_server_packets(sshd_t)
-
--ifdef(`distro_debian',`
-- allow sshd_t self:process { getcap setcap };
--')
-+auth_exec_login_program(sshd_t)
-+auth_signal_chk_passwd(sshd_t)
-+
-+userdom_read_user_home_content_files(sshd_t)
-+userdom_read_user_home_content_symlinks(sshd_t)
-+#userdom_manage_tmp_role(system_r, sshd_t)
-+userdom_spec_domtrans_unpriv_users(sshd_t)
-+userdom_signal_unpriv_users(sshd_t)
-+userdom_dyntransition_unpriv_users(sshd_t)
-
- tunable_policy(`ssh_sysadm_login',`
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
-- userdom_spec_domtrans_all_users(sshd_t)
- userdom_signal_all_users(sshd_t)
--',`
-- userdom_spec_domtrans_unpriv_users(sshd_t)
-- userdom_signal_unpriv_users(sshd_t)
-+ userdom_spec_domtrans_all_users(sshd_t)
-+ userdom_dyntransition_admin_users(sshd_t)
-+')
-+
-+optional_policy(`
-+ amanda_search_var_lib(sshd_t)
-+')
-+
-+optional_policy(`
-+ condor_rw_lib_files(sshd_t)
-+ condor_rw_tcp_sockets_startd(sshd_t)
-+ condor_rw_tcp_sockets_schedd(sshd_t)
- ')
-
- optional_policy(`
-@@ -266,6 +327,19 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ftp_dyntrans_sftpd(sshd_t)
-+ ftp_dyntrans_anon_sftpd(sshd_t)
-+')
-+
-+optional_policy(`
-+ gitosis_manage_lib_files(sshd_t)
-+')
-+
-+optional_policy(`
-+ gnome_exec_keyringd(sshd_t)
-+')
-+
-+optional_policy(`
- inetd_tcp_service_domain(sshd_t, sshd_exec_t)
- ')
-
-@@ -275,10 +349,26 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ lvm_domtrans(sshd_t)
-+')
-+
-+optional_policy(`
-+ munin_read_var_lib_files(sshd_t)
-+')
-+
-+optional_policy(`
-+ nx_read_home_files(sshd_t)
-+')
-+
-+optional_policy(`
- oddjob_domtrans_mkhomedir(sshd_t)
- ')
-
- optional_policy(`
-+ rpc_rw_gssd_keys(sshd_t)
-+')
-+
-+optional_policy(`
- rpm_use_script_fds(sshd_t)
- ')
-
-@@ -289,13 +379,94 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rsync_read_data(sshd_t)
-+')
-+
-+optional_policy(`
-+ systemd_exec_systemctl(sshd_t)
-+')
-+
-+optional_policy(`
-+ usermanage_domtrans_passwd(sshd_t)
-+ usermanage_read_crack_db(sshd_t)
-+')
-+
-+optional_policy(`
-+ openshift_dyntransition(sshd_t)
-+ openshift_transition(sshd_t)
-+ openshift_manage_tmp_files(sshd_t)
-+ openshift_manage_tmp_sockets(sshd_t)
-+ openshift_mounton_tmp(sshd_t)
-+ openshift_read_lib_files(sshd_t)
-+')
-+
-+optional_policy(`
-+ postgresql_search_db(sshd_t)
-+')
-+
-+optional_policy(`
- unconfined_shell_domtrans(sshd_t)
- ')
-
- optional_policy(`
-+ kernel_write_proc_files(sshd_t)
-+ virt_transition_svirt_sandbox(sshd_t, system_r)
-+ virt_stream_connect_sandbox(sshd_t)
-+ virt_stream_connect(sshd_t)
-+')
-+
-+optional_policy(`
- xserver_domtrans_xauth(sshd_t)
-+ xserver_xdm_signull(sshd_t)
- ')
-
-+ifdef(`TODO',`
-+ tunable_policy(`ssh_sysadm_login',`
-+ # Relabel and access ptys created by sshd
-+ # ioctl is necessary for logout() processing for utmp entry and for w to
-+ # display the tty.
-+ # some versions of sshd on the new SE Linux require setattr
-+ allow sshd_t ptyfile:chr_file relabelto;
-+
-+ optional_policy(`
-+ domain_trans(sshd_t, xauth_exec_t, userdomain)
-+ ')
-+ ',`
-+ optional_policy(`
-+ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
-+ ')
-+ # Relabel and access ptys created by sshd
-+ # ioctl is necessary for logout() processing for utmp entry and for w to
-+ # display the tty.
-+ # some versions of sshd on the new SE Linux require setattr
-+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
-+ ')
-+') dnl endif TODO
-+
-+########################################
-+#
-+# sshd-keygen local policy
-+#
-+
-+allow sshd_keygen_t self:capability { chown fsetid };
-+allow sshd_keygen_t self:fifo_file rw_fifo_file_perms;
-+allow sshd_keygen_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow sshd_keygen_t sshd_key_t:file manage_file_perms;
-+
-+kernel_read_system_state(sshd_keygen_t)
-+
-+corecmd_exec_bin(sshd_keygen_t)
-+
-+auth_use_nsswitch(sshd_keygen_t)
-+
-+files_rw_etc_dirs(sshd_keygen_t)
-+
-+#run restorecon
-+seutil_domtrans_setfiles(sshd_keygen_t)
-+
-+ssh_domtrans_keygen(sshd_keygen_t)
-+
- ########################################
- #
- # ssh_keygen local policy
-@@ -304,19 +475,33 @@ optional_policy(`
- # ssh_keygen_t is the type of the ssh-keygen program when run at install time
- # and by sysadm_t
-
-+allow ssh_keygen_t self:capability { dac_read_search };
- dontaudit ssh_keygen_t self:capability sys_tty_config;
- allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
--
- allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
- allow ssh_keygen_t sshd_key_t:file manage_file_perms;
- files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-
-+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-+
-+manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
-+manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
-+files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
-+
-+kernel_read_system_state(ssh_keygen_t)
- kernel_read_kernel_sysctls(ssh_keygen_t)
-
-+corecmd_exec_shell(ssh_keygen_t)
-+corecmd_exec_bin(ssh_keygen_t)
-+
- fs_search_auto_mountpoints(ssh_keygen_t)
-
- dev_read_sysfs(ssh_keygen_t)
-+dev_read_rand(ssh_keygen_t)
- dev_read_urand(ssh_keygen_t)
-
- term_dontaudit_use_console(ssh_keygen_t)
-@@ -332,7 +517,9 @@ auth_use_nsswitch(ssh_keygen_t)
-
- logging_send_syslog_msg(ssh_keygen_t)
-
-+userdom_home_manager(ssh_keygen_t)
- userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+userdom_use_user_terminals(ssh_keygen_t)
-
- optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +528,150 @@ optional_policy(`
- optional_policy(`
- udev_read_db(ssh_keygen_t)
- ')
-+
-+####################################
-+#
-+# ssh_dyntransition domain local policy
-+#
-+
-+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
-+allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms;
-+
-+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
-+allow ssh_dyntransition_domain sshd_t:fd use;
-+
-+optional_policy(`
-+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
-+ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
-+')
-+
-+#####################################
-+#
-+# ssh_sandbox local policy
-+#
-+
-+allow sshd_t sshd_sandbox_t:process signal;
-+
-+init_ioctl_stream_sockets(sshd_sandbox_t)
-+
-+logging_send_audit_msgs(sshd_sandbox_t)
-+
-+#####################################
-+#
-+# sshd [net] child local policy
-+#
-+
-+allow sshd_t sshd_net_t:process signal;
-+
-+allow sshd_net_t self:process setrlimit;
-+
-+dev_rw_crypto(sshd_net_t)
-+
-+init_ioctl_stream_sockets(sshd_net_t)
-+init_rw_tcp_sockets(sshd_net_t)
-+
-+logging_send_audit_msgs(sshd_net_t)
-+
-+
-+######################################
-+#
-+# chroot_user_t local policy
-+#
-+allow chroot_user_t self:fifo_file rw_fifo_file_perms;
-+allow chroot_user_t self:unix_dgram_socket create_socket_perms;
-+
-+corecmd_exec_shell(chroot_user_t)
-+
-+domain_subj_id_change_exemption(chroot_user_t)
-+domain_role_change_exemption(chroot_user_t)
-+
-+term_search_ptys(chroot_user_t)
-+term_use_ptmx(chroot_user_t)
-+
-+fs_getattr_all_fs(chroot_user_t)
-+
-+userdom_read_user_home_content_files(chroot_user_t)
-+userdom_read_inherited_user_home_content_files(chroot_user_t)
-+userdom_read_user_home_content_symlinks(chroot_user_t)
-+userdom_exec_user_home_content_files(chroot_user_t)
-+userdom_use_inherited_user_ptys(chroot_user_t)
-+
-+tunable_policy(`ssh_chroot_rw_homedirs',`
-+ files_list_home(chroot_user_t)
-+ userdom_manage_user_home_content_files(chroot_user_t)
-+ userdom_manage_user_home_content_symlinks(chroot_user_t)
-+ userdom_manage_user_home_content_pipes(chroot_user_t)
-+ userdom_manage_user_home_content_sockets(chroot_user_t)
-+ userdom_manage_user_home_content_dirs(chroot_user_t)
-+')
-+
-+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(chroot_user_t)
-+ fs_manage_nfs_files(chroot_user_t)
-+ fs_manage_nfs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(chroot_user_t)
-+ fs_manage_cifs_files(chroot_user_t)
-+ fs_manage_cifs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(chroot_user_t)
-+ fs_manage_fusefs_files(chroot_user_t)
-+ fs_manage_fusefs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(chroot_user_t)
-+ fs_read_cifs_symlinks(chroot_user_t)
-+')
-+
-+userdom_home_manager(chroot_user_t)
-+
-+optional_policy(`
-+ ssh_rw_dgram_sockets(chroot_user_t)
-+')
-+
-+optional_policy(`
-+ unconfined_shell_domtrans(chroot_user_t)
-+')
-+
-+######################################
-+#
-+# ssh_agent_type common policy local policy
-+#
-+allow ssh_agent_type self:process setrlimit;
-+allow ssh_agent_type self:capability setgid;
-+
-+manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
-+manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
-+files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file })
-+
-+kernel_read_kernel_sysctls(ssh_agent_type)
-+
-+dev_read_urand(ssh_agent_type)
-+dev_read_rand(ssh_agent_type)
-+
-+fs_search_auto_mountpoints(ssh_agent_type)
-+
-+domain_use_interactive_fds(ssh_agent_type)
-+
-+files_read_etc_files(ssh_agent_type)
-+files_read_etc_runtime_files(ssh_agent_type)
-+
-+libs_read_lib_files(ssh_agent_type)
-+
-+miscfiles_read_generic_certs(ssh_agent_type)
-+
-+# Write to the user domain tty.
-+userdom_use_inherited_user_terminals(ssh_agent_type)
-+
-+# for the transition back to normal privs upon exec
-+userdom_search_user_home_content(ssh_agent_type)
-+
-+optional_policy(`
-+ xserver_use_xdm_fds(ssh_agent_type)
-+ xserver_rw_xdm_pipes(ssh_agent_type)
-+')
-diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418c6..a47fd0b4d 100644
---- a/policy/modules/services/xserver.fc
-+++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,39 @@
- # HOME_DIR
- #
- HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
-+HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
- HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-+HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-+HOME_DIR/\.local/share/xorg(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
- HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
- HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
- HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
- HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
- HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
- HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+
-+/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
-+/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
-+/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-+/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+/root/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
-+/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
-+/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+/root/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-
- #
- # /dev
-@@ -22,13 +48,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
- /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
-
-+/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0)
-+/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
-+/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+
- /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
-
--/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-
-+/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +80,37 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
- # /tmp
- #
-
--/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
--/tmp/\.ICE-unix/.* -s <>
--/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
--/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
--/tmp/\.X11-unix/.* -s <>
-+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-
- #
- # /usr
- #
-
-+/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+
-+/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
-+/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
- /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+
-+/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+
-+/usr/libexec/gsd-backlight-helper -- gen_context(system_u:object_r:xserver_exec_t,s0)
-
- /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-@@ -91,19 +136,34 @@ ifndef(`distro_debian',`
- /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-
- /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
--/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/lightdm-data(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
-+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-+
-+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-
--/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
--/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
- /var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
--/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
- /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
- /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-+
-+/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
-
- /var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -111,7 +171,18 @@ ifndef(`distro_debian',`
- /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+
-+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
-+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
-+/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-
- ifdef(`distro_suse',`
- /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
- ')
-+
-+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+
-diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc2d..a6b6087eb 100644
---- a/policy/modules/services/xserver.if
-+++ b/policy/modules/services/xserver.if
-@@ -18,100 +18,36 @@
- #
- interface(`xserver_restricted_role',`
- gen_require(`
-- type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
-- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-- type iceauth_t, iceauth_exec_t, iceauth_home_t;
-- type xauth_t, xauth_exec_t, xauth_home_t;
-+ type xauth_t, iceauth_t;
-+ attribute dridomain, x_userdomain;
- ')
-
-- role $1 types { xserver_t xauth_t iceauth_t };
--
-- # Xserver read/write client shm
-- allow xserver_t $2:fd use;
-- allow xserver_t $2:shm rw_shm_perms;
--
-- allow xserver_t $2:process signal;
--
-- allow xserver_t $2:shm rw_shm_perms;
--
-- allow $2 user_fonts_t:dir list_dir_perms;
-- allow $2 user_fonts_t:file read_file_perms;
--
-- allow $2 user_fonts_config_t:dir list_dir_perms;
-- allow $2 user_fonts_config_t:file read_file_perms;
--
-- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
--
-- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-- files_search_tmp($2)
--
-- # Communicate via System V shared memory.
-- allow $2 xserver_t:shm r_shm_perms;
-- allow $2 xserver_tmpfs_t:file read_file_perms;
--
-- # allow ps to show iceauth
-- ps_process_pattern($2, iceauth_t)
--
-- domtrans_pattern($2, iceauth_exec_t, iceauth_t)
--
-- allow $2 iceauth_home_t:file read_file_perms;
--
-- domtrans_pattern($2, xauth_exec_t, xauth_t)
--
-- allow $2 xauth_t:process signal;
--
-- # allow ps to show xauth
-- ps_process_pattern($2, xauth_t)
-- allow $2 xserver_t:process signal;
--
-- allow $2 xauth_home_t:file read_file_perms;
--
-- # for when /tmp/.X11-unix is created by the system
-- allow $2 xdm_t:fd use;
-- allow $2 xdm_t:fifo_file { getattr read write ioctl };
-- allow $2 xdm_tmp_t:dir search;
-- allow $2 xdm_tmp_t:sock_file { read write };
-- dontaudit $2 xdm_t:tcp_socket { read write };
--
-- # Client read xserver shm
-- allow $2 xserver_t:fd use;
-- allow $2 xserver_tmpfs_t:file read_file_perms;
--
-- # Read /tmp/.X0-lock
-- allow $2 xserver_tmp_t:file { getattr read };
--
-- dev_rw_xserver_misc($2)
-- dev_rw_power_management($2)
-- dev_read_input($2)
-- dev_read_misc($2)
-- dev_write_misc($2)
-- # open office is looking for the following
-- dev_getattr_agp_dev($2)
-- dev_dontaudit_rw_dri($2)
-- # GNOME checks for usb and other devices:
-- dev_rw_usbfs($2)
--
-- miscfiles_read_fonts($2)
-+ role $1 types { xauth_t iceauth_t };
-+ typeattribute $2 x_userdomain, dridomain;
-
-- xserver_common_x_domain_template(user, $2)
-- xserver_domtrans($2)
-- xserver_unconfined($2)
-- xserver_xsession_entry_type($2)
-- xserver_dontaudit_write_log($2)
-+ xserver_common_x_domain_template(user,$2)
- xserver_stream_connect_xdm($2)
-- # certain apps want to read xdm.pid file
-- xserver_read_xdm_pid($2)
-- # gnome-session creates socket under /tmp/.ICE-unix/
-- xserver_create_xdm_tmp_sockets($2)
-- # Needed for escd, remove if we get escd policy
-- xserver_manage_xdm_tmp_files($2)
-+ xserver_xdm_append_log($2)
-
-- # Client write xserver shm
-- tunable_policy(`allow_write_xshm',`
-- allow $2 xserver_t:shm rw_shm_perms;
-- allow $2 xserver_tmpfs_t:file rw_file_perms;
-+ xserver_dri_domain($2)
-+')
-+
-+########################################
-+##
-+## Domain wants to use direct io devices
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_dri_domain',`
-+ gen_require(`
-+ attribute dridomain;
- ')
-+
-+ typeattribute $1 dridomain;
- ')
-
- ########################################
-@@ -143,13 +79,15 @@ interface(`xserver_role',`
- allow $2 xserver_tmpfs_t:file rw_file_perms;
-
- allow $2 iceauth_home_t:file manage_file_perms;
-- allow $2 iceauth_home_t:file { relabelfrom relabelto };
-+ allow $2 iceauth_home_t:file relabel_file_perms;
-
- allow $2 xauth_home_t:file manage_file_perms;
-- allow $2 xauth_home_t:file { relabelfrom relabelto };
-+ allow $2 xauth_home_t:file relabel_file_perms;
-
-+ mls_xwin_read_to_clearance($2)
- manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
- manage_files_pattern($2, user_fonts_t, user_fonts_t)
-+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
- relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
- relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-
-@@ -162,7 +100,6 @@ interface(`xserver_role',`
- manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
--
- ')
-
- #######################################
-@@ -197,7 +134,7 @@ interface(`xserver_ro_session',`
- allow $1 xserver_t:process signal;
-
- # Read /tmp/.X0-lock
-- allow $1 xserver_tmp_t:file { getattr read };
-+ allow $1 xserver_tmp_t:file read_file_perms;
-
- # Client read xserver shm
- allow $1 xserver_t:fd use;
-@@ -227,7 +164,7 @@ interface(`xserver_rw_session',`
- type xserver_t, xserver_tmpfs_t;
- ')
-
-- xserver_ro_session($1,$2)
-+ xserver_ro_session($1, $2)
- allow $1 xserver_t:shm rw_shm_perms;
- allow $1 xserver_tmpfs_t:file rw_file_perms;
- ')
-@@ -255,7 +192,7 @@ interface(`xserver_non_drawing_client',`
-
- allow $1 self:x_gc { create setattr };
-
-- allow $1 xdm_var_run_t:dir search;
-+ allow $1 xdm_var_run_t:dir search_dir_perms;
- allow $1 xserver_t:unix_stream_socket connectto;
-
- allow $1 xextension_t:x_extension { query use };
-@@ -282,7 +219,7 @@ interface(`xserver_non_drawing_client',`
- interface(`xserver_user_client',`
- refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
- gen_require(`
-- type xdm_t, xdm_tmp_t;
-+ type xdm_t;
- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
- ')
-
-@@ -291,14 +228,14 @@ interface(`xserver_user_client',`
- allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
-
- # Read .Xauthority file
-- allow $1 xauth_home_t:file { getattr read };
-- allow $1 iceauth_home_t:file { getattr read };
-+ allow $1 xauth_home_t:file read_file_perms;
-+ allow $1 iceauth_home_t:file read_file_perms;
-
- # for when /tmp/.X11-unix is created by the system
- allow $1 xdm_t:fd use;
-- allow $1 xdm_t:fifo_file { getattr read write ioctl };
-- allow $1 xdm_tmp_t:dir search;
-- allow $1 xdm_tmp_t:sock_file { read write };
-+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+ userdom_search_user_tmp_dirs($1)
-+ userdom_rw_user_tmp_sock_files($1)
- dontaudit $1 xdm_t:tcp_socket { read write };
-
- # Allow connections to X server.
-@@ -316,7 +253,7 @@ interface(`xserver_user_client',`
- xserver_read_xdm_tmp_files($1)
-
- # Client write xserver shm
-- tunable_policy(`allow_write_xshm',`
-+ tunable_policy(`xserver_clients_write_xshm',`
- allow $1 xserver_t:shm rw_shm_perms;
- allow $1 xserver_tmpfs_t:file rw_file_perms;
- ')
-@@ -342,19 +279,23 @@ interface(`xserver_user_client',`
- #
- template(`xserver_common_x_domain_template',`
- gen_require(`
-- type root_xdrawable_t;
-+ type root_xdrawable_t, xdm_t, xserver_t;
- type xproperty_t, $1_xproperty_t;
- type xevent_t, client_xevent_t;
- type input_xevent_t, $1_input_xevent_t;
-
-- attribute x_domain;
-+ attribute x_domain, input_xevent_type;
- attribute xdrawable_type, xcolormap_type;
-- attribute input_xevent_type;
-
- class x_drawable all_x_drawable_perms;
- class x_property all_x_property_perms;
- class x_event all_x_event_perms;
- class x_synthetic_event all_x_synthetic_event_perms;
-+ class x_client destroy;
-+ class x_server manage;
-+ class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor };
-+ class x_pointer { get_property set_property manage };
-+ class x_keyboard { read manage freeze };
- ')
-
- ##############################
-@@ -383,9 +324,18 @@ template(`xserver_common_x_domain_template',`
- allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
- # can receive default events
- allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
-- allow $2 xevent_t:{ x_event x_synthetic_event } receive;
-+ allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
- # dont audit send failures
- dontaudit $2 input_xevent_type:x_event send;
-+
-+ allow $2 xdm_t:x_drawable { hide read add_child manage };
-+ allow $2 xdm_t:x_client destroy;
-+
-+ allow $2 root_xdrawable_t:x_drawable write;
-+ allow $2 xserver_t:x_server manage;
-+ allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
-+ allow $2 xserver_t:x_pointer { get_property set_property manage };
-+ allow $2 xserver_t:x_keyboard { read manage freeze };
- ')
-
- #######################################
-@@ -444,8 +394,9 @@ template(`xserver_object_types_template',`
- #
- template(`xserver_user_x_domain_template',`
- gen_require(`
-- type xdm_t, xdm_tmp_t;
-- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
-+ type xdm_t, xserver_tmpfs_t;
-+ type xdm_home_t;
-+ type xauth_home_t, iceauth_home_t, xserver_t;
- ')
-
- allow $2 self:shm create_shm_perms;
-@@ -456,11 +407,13 @@ template(`xserver_user_x_domain_template',`
- allow $2 xauth_home_t:file read_file_perms;
- allow $2 iceauth_home_t:file read_file_perms;
-
-+ xserver_filetrans_home_content($2)
-+
- # for when /tmp/.X11-unix is created by the system
- allow $2 xdm_t:fd use;
-- allow $2 xdm_t:fifo_file { getattr read write ioctl };
-- allow $2 xdm_tmp_t:dir search_dir_perms;
-- allow $2 xdm_tmp_t:sock_file { read write };
-+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+ userdom_search_user_tmp_dirs($2)
-+ userdom_rw_user_tmp_sock_files($2)
- dontaudit $2 xdm_t:tcp_socket { read write };
-
- # Allow connections to X server.
-@@ -472,20 +425,26 @@ template(`xserver_user_x_domain_template',`
- # for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
-
-- xserver_ro_session($2,$3)
-+ xserver_ro_session($2, $3)
- xserver_use_user_fonts($2)
-
-- xserver_read_xdm_tmp_files($2)
-+ userdom_read_user_tmp_files($2)
-+ xserver_read_xdm_pid($2)
-+ xserver_xdm_append_log($2)
-
- # X object manager
- xserver_object_types_template($1)
-- xserver_common_x_domain_template($1,$2)
-+ xserver_common_x_domain_template($1, $2)
-
- # Client write xserver shm
-- tunable_policy(`allow_write_xshm',`
-+ tunable_policy(`xserver_clients_write_xshm',`
- allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
- ')
-+
-+ tunable_policy(`selinuxuser_direct_dri_enabled',`
-+ dev_rw_dri($2)
-+ ')
- ')
-
- ########################################
-@@ -517,6 +476,7 @@ interface(`xserver_use_user_fonts',`
- # Read per user fonts
- allow $1 user_fonts_t:dir list_dir_perms;
- allow $1 user_fonts_t:file read_file_perms;
-+ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
-
- # Manipulate the global font cache
- manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +507,42 @@ interface(`xserver_domtrans_xauth',`
- domtrans_pattern($1, xauth_exec_t, xauth_t)
- ')
-
-+######################################
-+##
-+## Allow exec of Xauthority program..
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`xserver_exec_xauth',`
-+ gen_require(`
-+ type xauth_t, xauth_exec_t;
-+ ')
-+
-+ can_exec($1, xauth_exec_t)
-+')
-+
-+########################################
-+##
-+## Dontaudit exec of Xauthority program.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_exec_xauth',`
-+ gen_require(`
-+ type xauth_exec_t;
-+ ')
-+
-+ dontaudit $1 xauth_exec_t:file execute;
-+')
-+
- ########################################
- ##
- ## Create a Xauthority file in the user home directory.
-@@ -567,6 +563,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
-
- ########################################
- ##
-+## Create a Xauthority file in the admin home directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_admin_home_dir_filetrans_xauth',`
-+ gen_require(`
-+ type xauth_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
-+')
-+
-+########################################
-+##
- ## Read all users fonts, user font configurations,
- ## and manage all users font caches.
- ##
-@@ -598,6 +612,25 @@ interface(`xserver_read_user_xauth',`
-
- allow $1 xauth_home_t:file read_file_perms;
- userdom_search_user_home_dirs($1)
-+ xserver_read_xdm_pid($1)
-+')
-+
-+########################################
-+##
-+## Manage all users .Xauthority.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_user_xauth',`
-+ gen_require(`
-+ type xauth_home_t;
-+ ')
-+
-+ allow $1 xauth_home_t:file manage_file_perms;
- ')
-
- ########################################
-@@ -615,7 +648,7 @@ interface(`xserver_setattr_console_pipes',`
- type xconsole_device_t;
- ')
-
-- allow $1 xconsole_device_t:fifo_file setattr;
-+ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
- ')
-
- ########################################
-@@ -638,6 +671,25 @@ interface(`xserver_rw_console',`
-
- ########################################
- ##
-+## Read XDM state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_state_xdm',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, xdm_t)
-+')
-+
-+########################################
-+##
- ## Use file descriptors for xdm.
- ##
- ##
-@@ -651,7 +703,7 @@ interface(`xserver_use_xdm_fds',`
- type xdm_t;
- ')
-
-- allow $1 xdm_t:fd use;
-+ allow $1 xdm_t:fd use;
- ')
-
- ########################################
-@@ -670,7 +722,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
- type xdm_t;
- ')
-
-- dontaudit $1 xdm_t:fd use;
-+ dontaudit $1 xdm_t:fd use;
- ')
-
- ########################################
-@@ -688,7 +740,7 @@ interface(`xserver_rw_xdm_pipes',`
- type xdm_t;
- ')
-
-- allow $1 xdm_t:fifo_file { getattr read write };
-+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -703,12 +755,11 @@ interface(`xserver_rw_xdm_pipes',`
- ##
- #
- interface(`xserver_dontaudit_rw_xdm_pipes',`
--
- gen_require(`
- type xdm_t;
- ')
-
-- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
- ')
-
- ########################################
-@@ -765,16 +816,19 @@ interface(`xserver_manage_xdm_spool_files',`
- #
- interface(`xserver_stream_connect_xdm',`
- gen_require(`
-- type xdm_t, xdm_tmp_t;
-+ type xdm_t, xdm_var_run_t;
- ')
-
- files_search_tmp($1)
-- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
-+ userdom_stream_connect($1)
- ')
-
- ########################################
- ##
--## Read xdm-writable configuration files.
-+## Allow domain to append XDM unix domain
-+## stream socket.
- ##
- ##
- ##
-@@ -782,18 +836,18 @@ interface(`xserver_stream_connect_xdm',`
- ##
- ##
- #
--interface(`xserver_read_xdm_rw_config',`
-+
-+interface(`xserver_append_xdm_stream_socket',`
- gen_require(`
-- type xdm_rw_etc_t;
-+ type xdm_t;
- ')
-
-- files_search_etc($1)
-- allow $1 xdm_rw_etc_t:file read_file_perms;
-+ allow $1 xdm_t:unix_stream_socket append;
- ')
-
- ########################################
- ##
--## Set the attributes of XDM temporary directories.
-+## Read XDM files in user home directories.
- ##
- ##
- ##
-@@ -801,18 +855,18 @@ interface(`xserver_read_xdm_rw_config',`
- ##
- ##
- #
--interface(`xserver_setattr_xdm_tmp_dirs',`
-+interface(`xserver_read_xdm_home_files',`
- gen_require(`
-- type xdm_tmp_t;
-+ type xdm_home_t;
- ')
-
-- allow $1 xdm_tmp_t:dir setattr;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 xdm_home_t:file read_file_perms;
- ')
-
- ########################################
- ##
--## Create a named socket in a XDM
--## temporary directory.
-+## Read xserver configuration files.
- ##
- ##
- ##
-@@ -820,19 +874,19 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
- ##
- ##
- #
--interface(`xserver_create_xdm_tmp_sockets',`
-+interface(`xserver_read_config',`
- gen_require(`
-- type xdm_tmp_t;
-+ type xserver_etc_t;
- ')
-
-- files_search_tmp($1)
-- allow $1 xdm_tmp_t:dir list_dir_perms;
-- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+ files_search_etc($1)
-+ read_files_pattern($1, xserver_etc_t, xserver_etc_t)
-+ read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
- ')
-
- ########################################
- ##
--## Read XDM pid files.
-+## Manage xserver configuration files.
- ##
- ##
- ##
-@@ -840,18 +894,19 @@ interface(`xserver_create_xdm_tmp_sockets',`
- ##
- ##
- #
--interface(`xserver_read_xdm_pid',`
-+interface(`xserver_manage_config',`
- gen_require(`
-- type xdm_var_run_t;
-+ type xserver_etc_t;
- ')
-
-- files_search_pids($1)
-- allow $1 xdm_var_run_t:file read_file_perms;
-+ files_search_etc($1)
-+ manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
-+ manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
- ')
-
- ########################################
- ##
--## Read XDM var lib files.
-+## Read xdm-writable configuration files.
- ##
- ##
- ##
-@@ -859,110 +914,79 @@ interface(`xserver_read_xdm_pid',`
- ##
- ##
- #
--interface(`xserver_read_xdm_lib_files',`
-+interface(`xserver_read_xdm_rw_config',`
- gen_require(`
-- type xdm_var_lib_t;
-+ type xdm_rw_etc_t;
- ')
-
-- allow $1 xdm_var_lib_t:file read_file_perms;
-+ files_search_etc($1)
-+ allow $1 xdm_rw_etc_t:file read_file_perms;
- ')
-
- ########################################
- ##
--## Make an X session script an entrypoint for the specified domain.
-+## Search XDM temporary directories.
- ##
- ##
- ##
--## The domain for which the shell is an entrypoint.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_xsession_entry_type',`
-- gen_require(`
-- type xsession_exec_t;
-- ')
--
-- domain_entry_file($1, xsession_exec_t)
-+interface(`xserver_search_xdm_tmp_dirs',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
-+ userdom_search_user_tmp_dirs($1)
- ')
-
- ########################################
- ##
--## Execute an X session in the target domain. This
--## is an explicit transition, requiring the
--## caller to use setexeccon().
-+## Set the attributes of XDM temporary directories.
- ##
--##
--##
--## Execute an Xsession in the target domain. This
--## is an explicit transition, requiring the
--## caller to use setexeccon().
--##
--##
--## No interprocess communication (signals, pipes,
--## etc.) is provided by this interface since
--## the domains are not owned by this module.
--##
--##
- ##
- ##
--## Domain allowed to transition.
--##
--##
--##
--##
--## The type of the shell process.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_xsession_spec_domtrans',`
-- gen_require(`
-- type xsession_exec_t;
-- ')
--
-- domain_trans($1, xsession_exec_t, $2)
-+interface(`xserver_setattr_xdm_tmp_dirs',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
-+ userdom_dontaudit_setattr_user_tmp($1)
- ')
-
- ########################################
- ##
--## Get the attributes of X server logs.
-+## Dont audit attempts to set the attributes of XDM temporary directories.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`xserver_getattr_log',`
-- gen_require(`
-- type xserver_log_t;
-- ')
--
-- logging_search_logs($1)
-- allow $1 xserver_log_t:file getattr;
-+interface(`xserver_dontaudit_xdm_tmp_dirs',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
-+ userdom_dontaudit_setattr_user_tmp($1)
- ')
-
- ########################################
- ##
--## Do not audit attempts to write the X server
--## log files.
-+## Create a named socket in a XDM
-+## temporary directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_dontaudit_write_log',`
-- gen_require(`
-- type xserver_log_t;
-- ')
--
-- dontaudit $1 xserver_log_t:file { append write };
-+interface(`xserver_create_xdm_tmp_sockets',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
-+ userdom_create_user_tmp_sockets($1)
- ')
-
- ########################################
- ##
--## Delete X server log files.
-+## Read XDM pid files.
- ##
- ##
- ##
-@@ -970,20 +994,18 @@ interface(`xserver_dontaudit_write_log',`
- ##
- ##
- #
--interface(`xserver_delete_log',`
-+interface(`xserver_read_xdm_pid',`
- gen_require(`
-- type xserver_log_t;
-+ type xdm_var_run_t;
- ')
-
-- logging_search_logs($1)
-- allow $1 xserver_log_t:dir list_dir_perms;
-- delete_files_pattern($1, xserver_log_t, xserver_log_t)
-- delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
-+ files_search_pids($1)
-+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
- ')
-
- ########################################
- ##
--## Read X keyboard extension libraries.
-+## Mmap XDM pid files.
- ##
- ##
- ##
-@@ -991,39 +1013,562 @@ interface(`xserver_delete_log',`
- ##
- ##
- #
--interface(`xserver_read_xkb_libs',`
-+interface(`xserver_map_xdm_pid',`
- gen_require(`
-- type xkb_var_lib_t;
-+ type xdm_var_run_t;
- ')
-
-- files_search_var_lib($1)
-- allow $1 xkb_var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
-- read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
-+ allow $1 xdm_var_run_t:file map;
- ')
-
--########################################
-+######################################
- ##
--## Read xdm temporary files.
-+## Dontaudit Read XDM pid files.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain to not audit.
-+##
- ##
- #
--interface(`xserver_read_xdm_tmp_files',`
-- gen_require(`
-- type xdm_tmp_t;
-- ')
-+interface(`xserver_dontaudit_read_xdm_pid',`
-+ gen_require(`
-+ type xdm_var_run_t;
-+ ')
-
-- files_search_tmp($1)
-- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+ dontaudit $1 xdm_var_run_t:dir search_dir_perms;
-+ dontaudit $1 xdm_var_run_t:file read_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read xdm temporary files.
-+## Read XDM var lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_xdm_lib_files',`
-+ gen_require(`
-+ type xdm_var_lib_t;
-+ ')
-+
-+ read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
-+ read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read inherited XDM var lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_inherited_xdm_lib_files',`
-+ gen_require(`
-+ type xdm_var_lib_t;
-+ ')
-+
-+ allow $1 xdm_var_lib_t:file { read_inherited_file_perms map };
-+')
-+
-+########################################
-+##
-+## Make an X session script an entrypoint for the specified domain.
-+##
-+##
-+##
-+## The domain for which the shell is an entrypoint.
-+##
-+##
-+#
-+interface(`xserver_xsession_entry_type',`
-+ gen_require(`
-+ type xsession_exec_t;
-+ ')
-+
-+ domain_entry_file($1, xsession_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute an X session in the target domain. This
-+## is an explicit transition, requiring the
-+## caller to use setexeccon().
-+##
-+##
-+##
-+## Execute an Xsession in the target domain. This
-+## is an explicit transition, requiring the
-+## caller to use setexeccon().
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the shell process.
-+##
-+##
-+#
-+interface(`xserver_xsession_spec_domtrans',`
-+ gen_require(`
-+ type xsession_exec_t;
-+ ')
-+
-+ domain_trans($1, xsession_exec_t, $2)
-+')
-+
-+########################################
-+##
-+## Get the attributes of X server logs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_getattr_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 xserver_log_t:file getattr_file_perms;
-+')
-+
-+#######################################
-+##
-+## Allow domain to read X server logs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 xserver_log_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write the X server
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_write_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete X server log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_delete_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 xserver_log_t:dir list_dir_perms;
-+ delete_files_pattern($1, xserver_log_t, xserver_log_t)
-+ delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
-+')
-+
-+########################################
-+##
-+## Read X keyboard extension libraries.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_xkb_libs',`
-+ gen_require(`
-+ type xkb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 xkb_var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
-+ read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage X keyboard extension libraries.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_xkb_libs',`
-+ gen_require(`
-+ type xkb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 xkb_var_lib_t:dir list_dir_perms;
-+ manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
-+')
-+
-+########################################
-+##
-+## dontaudit access checks X keyboard extension libraries.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_xkb_libs_access',`
-+ gen_require(`
-+ type xkb_var_lib_t;
-+ ')
-+
-+ dontaudit $1 xkb_var_lib_t:dir audit_access;
-+ dontaudit $1 xkb_var_lib_t:file audit_access;
-+')
-+
-+########################################
-+##
-+## Read xdm config files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_read_xdm_etc_files',`
-+ gen_require(`
-+ type xdm_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+##
-+## Manage xdm config files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_manage_xdm_etc_files',`
-+ gen_require(`
-+ type xdm_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+##
-+## Read xdm temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_xdm_tmp_files',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
-+ userdom_read_user_tmpfs_files($1)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read xdm temporary files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_read_xdm_tmp_files',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
-+ userdom_dontaudit_read_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Read write xdm temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_rw_xdm_tmp_files',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
-+ userdom_rw_user_tmpfs_files($1)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete xdm temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_xdm_tmp_files',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
-+ userdom_manage_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete xdm temporary dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_relabel_xdm_tmp_dirs',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
-+ userdom_relabel_user_tmp_dirs($1)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete xdm temporary dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_xdm_tmp_dirs',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
-+ userdom_manage_user_tmp_dirs($1)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes of
-+## xdm temporary named sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.')
-+ userdom_dontaudit_user_getattr_tmp_sockets($1)
-+')
-+
-+########################################
-+##
-+## Execute the X server in the X server domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`xserver_domtrans',`
-+ gen_require(`
-+ type xserver_t, xserver_exec_t;
-+ ')
-+
-+ allow $1 xserver_t:process siginh;
-+ domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+ allow xserver_t $1:process getpgid;
-+')
-+
-+########################################
-+##
-+## Allow execute the X server.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`xserver_exec',`
-+ gen_require(`
-+ type xserver_exec_t;
-+ ')
-+
-+ can_exec($1, xserver_exec_t)
-+')
-+
-+########################################
-+##
-+## Signal X servers
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_signal',`
-+ gen_require(`
-+ type xserver_t;
-+ ')
-+
-+ allow $1 xserver_t:process signal;
-+')
-+
-+########################################
-+##
-+## Send a null signal to xdm processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_signull',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ allow $1 xdm_t:process signull;
-+')
-+
-+########################################
-+##
-+## Kill X servers
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_kill',`
-+ gen_require(`
-+ type xserver_t;
-+ ')
-+
-+ allow $1 xserver_t:process sigkill;
-+')
-+
-+########################################
-+##
-+## Read and write X server Sys V Shared
-+## memory segments.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_rw_shm',`
-+ gen_require(`
-+ type xserver_t;
-+ ')
-+
-+ allow $1 xserver_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write to
-+## X server sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_rw_tcp_sockets',`
-+ gen_require(`
-+ type xserver_t;
-+ ')
-+
-+ dontaudit $1 xserver_t:tcp_socket { read write };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write X server
-+## unix domain stream sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_rw_stream_sockets',`
-+ gen_require(`
-+ type xserver_t;
-+ ')
-+
-+ dontaudit $1 xserver_t:unix_stream_socket { read write };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write xdm
-+## unix domain stream sockets.
- ##
- ##
- ##
-@@ -1031,18 +1576,245 @@ interface(`xserver_read_xdm_tmp_files',`
- ##
- ##
- #
--interface(`xserver_dontaudit_read_xdm_tmp_files',`
-+interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
-+')
-+
-+########################################
-+##
-+## Connect to the X server over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_stream_connect',`
-+ gen_require(`
-+ type xserver_t, xserver_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ allow xserver_t $1:shm rw_shm_perms;
-+')
-+
-+######################################
-+##
-+## Dontaudit attempts to connect to xserver
-+## over a unix stream socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_stream_connect',`
-+ gen_require(`
-+ type xserver_t, xserver_tmp_t;
-+ ')
-+
-+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+')
-+
-+########################################
-+##
-+## Read X server temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_tmp_files',`
-+ gen_require(`
-+ type xserver_tmp_t;
-+ ')
-+
-+ allow $1 xserver_tmp_t:file read_file_perms;
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Interface to provide X object permissions on a given X server to
-+## an X client domain. Gives the domain permission to read the
-+## virtual core keyboard and virtual core pointer devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_core_devices',`
-+ gen_require(`
-+ type xserver_t, root_xdrawable_t, xevent_t;
-+ class x_device all_x_device_perms;
-+ class x_pointer all_x_pointer_perms;
-+ class x_keyboard all_x_keyboard_perms;
-+ class x_screen all_x_screen_perms;
-+ class x_drawable { manage };
-+ attribute x_domain;
-+ class x_drawable all_x_drawable_perms;
-+ class x_resource all_x_resource_perms;
-+ class x_synthetic_event all_x_synthetic_event_perms;
-+ class x_cursor all_x_cursor_perms;
-+ ')
-+
-+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
-+ allow $1 xserver_t:{ x_screen } setattr;
-+
-+ allow $1 x_domain:x_cursor all_x_cursor_perms;
-+ allow $1 x_domain:x_drawable all_x_drawable_perms;
-+ allow $1 x_domain:x_resource all_x_resource_perms;
-+ allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
-+ allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
-+')
-+
-+########################################
-+##
-+## Interface to provide X object permissions on a given X server to
-+## an X client domain. Gives the domain complete control over the
-+## display.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_unconfined',`
-+ gen_require(`
-+ attribute x_domain, xserver_unconfined_type;
-+ ')
-+
-+ typeattribute $1 x_domain;
-+ typeattribute $1 xserver_unconfined_type;
-+')
-+
-+########################################
-+##
-+## Dontaudit append to .xsession-errors file
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_dontaudit_append_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t;
-+ ')
-+
-+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_rw_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_dontaudit_rw_cifs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## append to .xsession-errors file
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_append_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t, xserver_tmp_t;
-+ ')
-+
-+ allow $1 xdm_home_t:file append_file_perms;
-+ allow $1 xserver_tmp_t:file append_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_append_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_append_cifs_files($1)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Allow search the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_search_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+######################################
-+##
-+## Allow read the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_read_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_manage_spool',`
- gen_require(`
-- type xdm_tmp_t;
-+ type xdm_spool_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:dir search_dir_perms;
-- dontaudit $1 xdm_tmp_t:file read_file_perms;
-+ files_search_spool($1)
-+ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
- ')
-
- ########################################
- ##
--## Read write xdm temporary files.
-+## Send and receive messages from
-+## xdm over dbus.
- ##
- ##
- ##
-@@ -1050,18 +1822,20 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',`
- ##
- ##
- #
--interface(`xserver_rw_xdm_tmp_files',`
-+interface(`xserver_dbus_chat_xdm',`
- gen_require(`
-- type xdm_tmp_t;
-+ type xdm_t;
-+ class dbus send_msg;
- ')
-
-- allow $1 xdm_tmp_t:dir search_dir_perms;
-- allow $1 xdm_tmp_t:file rw_file_perms;
-+ allow $1 xdm_t:dbus send_msg;
-+ allow xdm_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete xdm temporary files.
-+## Send and receive messages from
-+## xdm over dbus.
- ##
- ##
- ##
-@@ -1069,55 +1843,57 @@ interface(`xserver_rw_xdm_tmp_files',`
- ##
- ##
- #
--interface(`xserver_manage_xdm_tmp_files',`
-+interface(`xserver_dbus_chat',`
- gen_require(`
-- type xdm_tmp_t;
-+ type xserver_t;
-+ class dbus send_msg;
- ')
-
-- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+ allow $1 xserver_t:dbus send_msg;
-+ allow xserver_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of
--## xdm temporary named sockets.
-+## Read xserver files created in /var/run
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
-+interface(`xserver_read_pid',`
- gen_require(`
-- type xdm_tmp_t;
-+ type xserver_var_run_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ files_search_pids($1)
-+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
- ')
-
- ########################################
- ##
--## Execute the X server in the X server domain.
-+## Execute xserver files created in /var/run
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_domtrans',`
-+interface(`xserver_exec_pid',`
- gen_require(`
-- type xserver_t, xserver_exec_t;
-+ type xserver_var_run_t;
- ')
-
-- allow $1 xserver_t:process siginh;
-- domtrans_pattern($1, xserver_exec_t, xserver_t)
-+ files_search_pids($1)
-+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
- ')
-
- ########################################
- ##
--## Signal X servers
-+## Write xserver files created in /var/run
- ##
- ##
- ##
-@@ -1125,17 +1901,73 @@ interface(`xserver_domtrans',`
- ##
- ##
- #
--interface(`xserver_signal',`
-+interface(`xserver_write_pid',`
- gen_require(`
-- type xserver_t;
-+ type xserver_var_run_t;
- ')
-
-- allow $1 xserver_t:process signal;
-+ files_search_pids($1)
-+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
- ')
-
- ########################################
- ##
--## Kill X servers
-+## Allow append the xdm
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_xdm_append_log',`
-+ gen_require(`
-+ type xdm_log_t;
-+ attribute xdmhomewriter;
-+ ')
-+
-+ typeattribute $1 xdmhomewriter;
-+ allow $1 xdm_log_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow ioctl the xdm log files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_xdm_ioctl_log',`
-+ gen_require(`
-+ type xdm_log_t;
-+ ')
-+
-+ allow $1 xdm_log_t:file ioctl;
-+')
-+
-+########################################
-+##
-+## Allow append the xdm
-+## tmp files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_append_xdm_tmp_files',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
-+ userdom_append_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Read a user Iceauthority domain.
- ##
- ##
- ##
-@@ -1143,18 +1975,18 @@ interface(`xserver_signal',`
- ##
- ##
- #
--interface(`xserver_kill',`
-+interface(`xserver_read_user_iceauth',`
- gen_require(`
-- type xserver_t;
-+ type iceauth_home_t;
- ')
-
-- allow $1 xserver_t:process sigkill;
-+ # Read .Iceauthority file
-+ allow $1 iceauth_home_t:file read_file_perms;
- ')
-
- ########################################
- ##
--## Read and write X server Sys V Shared
--## memory segments.
-+## Read/write inherited user homedir fonts.
- ##
- ##
- ##
-@@ -1162,132 +1994,362 @@ interface(`xserver_kill',`
- ##
- ##
- #
--interface(`xserver_rw_shm',`
-+interface(`xserver_rw_inherited_user_fonts',`
- gen_require(`
-- type xserver_t;
-+ type user_fonts_t, user_fonts_config_t;
- ')
-
-- allow $1 xserver_t:shm rw_shm_perms;
-+ allow $1 user_fonts_t:file rw_inherited_file_perms;
-+ allow $1 user_fonts_t:file read_lnk_file_perms;
-+
-+ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write to
--## X server sockets.
-+## Search XDM var lib dirs.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`xserver_dontaudit_rw_tcp_sockets',`
-+interface(`xserver_search_xdm_lib',`
- gen_require(`
-- type xserver_t;
-+ type xdm_var_lib_t;
- ')
-
-- dontaudit $1 xserver_t:tcp_socket { read write };
-+ allow $1 xdm_var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write X server
--## unix domain stream sockets.
-+## Make an X executable an entrypoint for the specified domain.
- ##
- ##
- ##
--## Domain to not audit.
-+## The domain for which the shell is an entrypoint.
- ##
- ##
- #
--interface(`xserver_dontaudit_rw_stream_sockets',`
-+interface(`xserver_entry_type',`
-+ gen_require(`
-+ type xserver_exec_t;
-+ ')
-+
-+ domain_entry_file($1, xserver_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute xsever in the xserver domain, and
-+## allow the specified role the xserver domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the xserver domain.
-+##
-+##
-+##
-+#
-+interface(`xserver_run',`
- gen_require(`
- type xserver_t;
- ')
-
-- dontaudit $1 xserver_t:unix_stream_socket { read write };
-+ xserver_domtrans($1)
-+ role $2 types xserver_t;
- ')
-
- ########################################
- ##
--## Connect to the X server over a unix domain
--## stream socket.
-+## Execute xsever in the xserver domain, and
-+## allow the specified role the xserver domain.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The role to be allowed the xserver domain.
-+##
-+##
-+##
- #
--interface(`xserver_stream_connect',`
-+interface(`xserver_run_xauth',`
- gen_require(`
-- type xserver_t, xserver_tmp_t;
-+ type xauth_t;
- ')
-
-- files_search_tmp($1)
-- stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ xserver_domtrans_xauth($1)
-+ role $2 types xauth_t;
- ')
-
- ########################################
- ##
--## Read X server temporary files.
-+## Read user homedir fonts.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`xserver_read_tmp_files',`
-+interface(`xserver_read_home_fonts',`
- gen_require(`
-- type xserver_tmp_t;
-+ type user_fonts_t, user_fonts_config_t;
- ')
-
-- allow $1 xserver_tmp_t:file read_file_perms;
-- files_search_tmp($1)
-+ list_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ read_files_pattern($1, user_fonts_t, user_fonts_t)
-+ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
-+
-+ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
- ')
-
- ########################################
- ##
--## Interface to provide X object permissions on a given X server to
--## an X client domain. Gives the domain permission to read the
--## virtual core keyboard and virtual core pointer devices.
-+## Manage user fonts dir.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`xserver_manage_core_devices',`
-+interface(`xserver_manage_user_fonts_dir',`
- gen_require(`
-- type xserver_t;
-- class x_device all_x_device_perms;
-- class x_pointer all_x_pointer_perms;
-- class x_keyboard all_x_keyboard_perms;
-+ type user_fonts_t;
- ')
-
-- allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
-+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
- ')
-
- ########################################
- ##
--## Interface to provide X object permissions on a given X server to
--## an X client domain. Gives the domain complete control over the
--## display.
-+## Manage user homedir fonts.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`xserver_unconfined',`
-+interface(`xserver_manage_home_fonts',`
- gen_require(`
-- attribute x_domain;
-- attribute xserver_unconfined_type;
-+ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
- ')
-
-- typeattribute $1 x_domain;
-- typeattribute $1 xserver_unconfined_type;
-+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ manage_files_pattern($1, user_fonts_t, user_fonts_t)
-+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
-+
-+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
-+
-+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
-+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+')
-+
-+#######################################
-+##
-+## Transition to xserver .fontconfig named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_fonts_cache_home_content',`
-+ gen_require(`
-+ type user_fonts_cache_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+')
-+
-+########################################
-+##
-+## Transition to xserver named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_home_content',`
-+ gen_require(`
-+ type xdm_home_t, xauth_home_t, iceauth_home_t;
-+ type user_home_t, user_fonts_t, user_fonts_cache_t;
-+ type user_fonts_config_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
-+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
-+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
-+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+ optional_policy(`
-+ gnome_data_filetrans($1, user_fonts_t, dir, "fonts")
-+ ')
-+ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
-+ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
-+')
-+
-+########################################
-+##
-+## Create xserver content in admin home
-+## directory with a named file transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_admin_home_content',`
-+ gen_require(`
-+ type xdm_home_t, xauth_home_t, iceauth_home_t;
-+ type user_home_t, user_fonts_t, user_fonts_cache_t;
-+ type user_fonts_config_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
-+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
-+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+
-+ optional_policy(`
-+ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
-+ ')
-+')
-+
-+########################################
-+##
-+## Create objects in a xdm temporary directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`xserver_xdm_tmp_filetrans',`
-+ refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
-+ userdom_user_tmp_filetrans($1,$2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Dontaudit search ssh home directory
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_search_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ dontaudit $1 xserver_log_t:dir search_dir_perms;
- ')
-+
-+########################################
-+##
-+## Manage keys for xdm.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_rw_xdm_keys',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ allow $1 xdm_t:key { read write setattr };
-+')
-+
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b403774f..1d0aeba01 100644
---- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
-@@ -26,28 +26,66 @@ gen_require(`
- #
-
- ##
--##
--## Allows clients to write to the X server shared
--## memory segments.
--##
-+##
-+## Allows clients to write to the X server shared
-+## memory segments.
-+##
-+##
-+gen_tunable(xserver_clients_write_xshm, false)
-+
-+##
-+##
-+## Allows XServer to execute writable memory
-+##
- ##
--gen_tunable(allow_write_xshm, false)
-+gen_tunable(xserver_execmem, false)
-
- ##
- ##
--## Allow xdm logins as sysadm
-+## Allow the graphical login program to execute bootloader
- ##
- ##
-+gen_tunable(xdm_exec_bootloader, false)
-+
-+##
-+##
-+## Allow the graphical login program to login directly as sysadm_r:sysadm_t
-+##
-+##
- gen_tunable(xdm_sysadm_login, false)
-
- ##
--##
--## Support X userspace object manager
--##
-+##
-+## Allow the graphical login program to create files in HOME dirs as xdm_home_t.
-+##
-+##
-+gen_tunable(xdm_write_home, false)
-+
-+##
-+##
-+## Allows xdm_t to bind on vnc_port_t(5910)
-+##
-+##
-+gen_tunable(xdm_bind_vnc_tcp_port, false)
-+
-+##
-+##
-+## Support X userspace object manager
-+##
- ##
- gen_tunable(xserver_object_manager, false)
-
-+##
-+##
-+## Allow regular users direct dri device access
-+##
-+##
-+gen_tunable(selinuxuser_direct_dri_enabled, false)
-+
-+attribute xdmhomewriter;
-+attribute x_userdomain;
- attribute x_domain;
-+attribute dridomain;
-
- # X Events
- attribute xevent_type;
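Review bot: The new `xserver_execmem` tunable near the top of the hunk is documented only as "Allows XServer to execute writable memory", with no warning that enabling it removes the W^X guarantee for xserver_t, a domain the comments further down in this file describe as holding sys_rawio and other capabilities. Suggest expanding the description to `## Allow the X server to map writable memory executable (execmem). This disables W^X for xserver_t; enable only for drivers that require it.` The rename of `allow_write_xshm` to `xserver_clients_write_xshm` also drops the old boolean name; unless a boolean substitution table outside this file maps the old name, existing local settings stop applying silently, so a comment naming where that mapping lives would help.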
-@@ -107,44 +145,54 @@ xserver_object_types_template(remote)
- xserver_common_x_domain_template(remote, remote_t)
-
- type user_fonts_t;
--typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
-+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t };
- typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
-+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
-+typealias user_fonts_t alias xfs_tmp_t;
- userdom_user_home_content(user_fonts_t)
-+files_tmp_file(user_fonts_t)
-
- type user_fonts_cache_t;
- typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
- typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
-+typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
- userdom_user_home_content(user_fonts_cache_t)
-
- type user_fonts_config_t;
- typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
- typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
-+typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
- userdom_user_home_content(user_fonts_config_t)
-
- type iceauth_t;
- type iceauth_exec_t;
- typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
-+typealias iceauth_t alias { xguest_iceauth_t };
- typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
- userdom_user_application_domain(iceauth_t, iceauth_exec_t)
-
- type iceauth_home_t;
- typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
- typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-+typealias iceauth_home_t alias { xguest_iceauth_home_t };
- userdom_user_home_content(iceauth_home_t)
-
- type xauth_t;
- type xauth_exec_t;
- typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
- typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
-+typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
- userdom_user_application_domain(xauth_t, xauth_exec_t)
-
- type xauth_home_t;
- typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
- typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
-+typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
- userdom_user_home_content(xauth_home_t)
-
- type xauth_tmp_t;
- typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
-+typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
- typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
- userdom_user_tmp_file(xauth_tmp_t)
-
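Review bot: `typealias user_fonts_t alias xfs_tmp_t;` together with `files_tmp_file(user_fonts_t)` folds the X font server's temporary-file type into a type that is also declared user home content, so every domain allowed to manage user font files can now manage the font server's /tmp files and vice versa, even though a system daemon and per-user data sit at different trust boundaries. If xfs really stages fonts in /tmp, a dedicated type with an explicit rule keeps the separation; at minimum the merge needs a why-comment, e.g. `# xfs_tmp_t merged into user_fonts_t: the font server stages user fonts in /tmp — TODO confirm still needed`. The `xguest_*`/`unconfined_*` aliases added in the same hunk follow the existing staff/sysadm pattern and are fine.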
-@@ -155,19 +203,28 @@ dev_associate(xconsole_device_t)
- fs_associate_tmpfs(xconsole_device_t)
- files_associate_tmp(xconsole_device_t)
-
--type xdm_t;
-+type xdm_unconfined_exec_t;
-+application_executable_file(xdm_unconfined_exec_t)
-+
-+type xdm_t alias xdm_dbusd_t;
- type xdm_exec_t;
- auth_login_pgm_domain(xdm_t)
- init_domain(xdm_t, xdm_exec_t)
--init_daemon_domain(xdm_t, xdm_exec_t)
-+init_system_domain(xdm_t, xdm_exec_t)
- xserver_object_types_template(xdm)
- xserver_common_x_domain_template(xdm, xdm_t)
-
- type xdm_lock_t;
- files_lock_file(xdm_lock_t)
-
-+type xdm_etc_t;
-+files_config_file(xdm_etc_t)
-+
- type xdm_rw_etc_t;
--files_type(xdm_rw_etc_t)
-+files_config_file(xdm_rw_etc_t)
-+
-+type xdm_spool_t;
-+files_spool_file(xdm_spool_t)
-
- type xdm_var_lib_t;
- files_type(xdm_var_lib_t)
-@@ -175,13 +232,21 @@ files_type(xdm_var_lib_t)
- type xdm_var_run_t;
- files_pid_file(xdm_var_run_t)
-
--type xdm_tmp_t;
--files_tmp_file(xdm_tmp_t)
--typealias xdm_tmp_t alias ice_tmp_t;
-+type xserver_var_lib_t;
-+files_type(xserver_var_lib_t)
-+
-+type xserver_var_run_t;
-+files_pid_file(xserver_var_run_t)
-
- type xdm_tmpfs_t;
- files_tmpfs_file(xdm_tmpfs_t)
-
-+type xdm_home_t;
-+userdom_user_home_content(xdm_home_t)
-+
-+type xdm_log_t;
-+logging_log_file(xdm_log_t)
-+
- # type for /var/lib/xkb
- type xkb_var_lib_t;
- files_type(xkb_var_lib_t)
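Review bot: The declaration of `xdm_tmp_t` (and its `ice_tmp_t` alias) is removed here, yet `xserver_rw_xdm_tmp_files(xauth_t)` remains in the xauth section later in this file and the interface name suggests it still operates on that type. If `xdm_tmp_t` now lives elsewhere (for example as an alias in the userdomain module), a comment at the removal point should name the new home, e.g. `# xdm_tmp_t/ice_tmp_t are now declared in userdomain.te`, so the reference does not look dangling. I cannot see the interface body or the other module from this diff, so this is a request to confirm rather than a confirmed break.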
-@@ -194,15 +259,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
- init_system_domain(xserver_t, xserver_exec_t)
- ubac_constrained(xserver_t)
-
--type xserver_tmp_t;
--typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
--typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
--userdom_user_tmp_file(xserver_tmp_t)
-+type xserver_etc_t;
-+files_config_file(xserver_etc_t)
-
- type xserver_tmpfs_t;
--typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
--typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
--userdom_user_tmpfs_file(xserver_tmpfs_t)
-+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
-+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
-+userdom_user_tmp_file(xserver_tmpfs_t)
-
- type xsession_exec_t;
- corecmd_executable_file(xsession_exec_t)
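Review bot: `userdom_user_tmp_file(xserver_tmpfs_t)` reclassifies the X server's tmpfs objects, which per the `xserver_clients_write_xshm` tunable description in this file back the shared-memory segments, as generic user tmp content; any domain given attribute-wide tmp access such as `userdom_manage_all_user_tmp_content` (xdm_t receives it further down) then reaches the segments regardless of the tunable, undercutting the opt-in it was meant to provide. The previous `userdom_user_tmpfs_file` classification was narrower; if a specific caller needs the change, name it: `# xserver_tmpfs_t classed as user tmp content: needed for <caller> — TODO confirm`. Separately, the `xserver_tmp_t` declaration is removed in this hunk while `stream_connect_pattern(... xserver_tmp_t ...)` and the sock_file rules later in this file still use it, so its new definition site should be noted.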
-@@ -226,21 +289,35 @@ optional_policy(`
- #
-
- allow iceauth_t iceauth_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
-
- allow xdm_t iceauth_home_t:file read_file_perms;
-
-+dev_read_rand(iceauth_t)
-+
- fs_search_auto_mountpoints(iceauth_t)
-
--userdom_use_user_terminals(iceauth_t)
-+userdom_use_inherited_user_terminals(iceauth_t)
- userdom_read_user_tmp_files(iceauth_t)
-+userdom_read_all_users_state(iceauth_t)
-+userdom_home_manager(iceauth_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files(iceauth_t)
--')
-+xserver_filetrans_home_content(iceauth_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(iceauth_t)
-+ifdef(`hide_broken_symptoms',`
-+ dev_dontaudit_read_urand(iceauth_t)
-+ dev_dontaudit_rw_dri(iceauth_t)
-+ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
-+ fs_dontaudit_list_inotifyfs(iceauth_t)
-+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
-+ term_dontaudit_use_unallocated_ttys(iceauth_t)
-+
-+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
-+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
-+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
-+
-+ optional_policy(`
-+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
-+ ')
- ')
-
- ########################################
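Review bot: `userdom_home_manager(iceauth_t)` replaces the tunable-gated `fs_manage_nfs_files`/`fs_manage_cifs_files` rules with an unconditional grant whose exact scope is not visible here but, by name, covers managing user home content broadly, while iceauth only needs its own `iceauth_home_t` file (the `manage_file_perms` rule at the top of the hunk). If the interface merely bundles the NFS/CIFS/FUSE/ecryptfs home cases behind their tunables, a comment should say so; if it grants more, the two `tunable_policy` blocks were the least-privilege option and should be kept. Proposed comment: `# userdom_home_manager: iceauth must write ~/.ICEauthority on nfs/cifs/fuse/ecryptfs homes (gated inside the interface by use_*_home_dirs) — TODO confirm scope`.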
-@@ -248,48 +325,91 @@ tunable_policy(`use_samba_home_dirs',`
- # Xauth local policy
- #
-
-+allow xauth_t self:capability { dac_read_search };
- allow xauth_t self:process signal;
-+allow xauth_t self:shm create_shm_perms;
- allow xauth_t self:unix_stream_socket create_stream_socket_perms;
-+allow xauth_t self:unix_dgram_socket create_socket_perms;
-+
-+allow xauth_t xdm_t:process sigchld;
-+allow xauth_t xserver_t:unix_stream_socket connectto;
-+
-+corenet_tcp_connect_xserver_port(xauth_t)
-
- allow xauth_t xauth_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
-+
-+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
-+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
-
- manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
- manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
- files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-
--allow xdm_t xauth_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
-+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-
-+kernel_read_network_state(xauth_t)
-+kernel_read_system_state(xauth_t)
- kernel_request_load_module(xauth_t)
-
-+dev_read_rand(xauth_t)
-+dev_read_urand(xauth_t)
-+
- domain_use_interactive_fds(xauth_t)
-+domain_dontaudit_leaks(xauth_t)
-
- files_read_etc_files(xauth_t)
-+files_read_usr_files(xauth_t)
- files_search_pids(xauth_t)
-+files_dontaudit_getattr_all_dirs(xauth_t)
-+files_dontaudit_leaks(xauth_t)
-+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
-
--fs_getattr_xattr_fs(xauth_t)
-+fs_dontaudit_leaks(xauth_t)
-+fs_getattr_all_fs(xauth_t)
- fs_search_auto_mountpoints(xauth_t)
-
--# cjp: why?
--term_use_ptmx(xauth_t)
-+# Probably a leak
-+term_dontaudit_use_ptmx(xauth_t)
-+term_dontaudit_use_console(xauth_t)
-
- auth_use_nsswitch(xauth_t)
-
--userdom_use_user_terminals(xauth_t)
-+userdom_use_inherited_user_terminals(xauth_t)
- userdom_read_user_tmp_files(xauth_t)
-+userdom_read_all_users_state(xauth_t)
-+userdom_search_user_home_dirs(xauth_t)
-+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
-+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
-+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
-+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
-+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")
-+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth")
-+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth")
-
- xserver_rw_xdm_tmp_files(xauth_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files(xauth_t)
-+ifdef(`hide_broken_symptoms',`
-+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
-+ fs_dontaudit_list_inotifyfs(xauth_t)
-+ userdom_manage_user_home_content_files(xauth_t)
-+ userdom_manage_user_tmp_files(xauth_t)
-+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
-+ miscfiles_read_fonts(xauth_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(xauth_t)
-+userdom_home_manager(xauth_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ term_dontaudit_use_unallocated_ttys(xauth_t)
-+ dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
- ')
-
- optional_policy(`
-+ ssh_use_ptys(xauth_t)
- ssh_sigchld(xauth_t)
- ssh_read_pipes(xauth_t)
- ssh_dontaudit_rw_tcp_sockets(xauth_t)
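Review bot: The `ifdef(`hide_broken_symptoms',...)` block in the middle of the hunk grants `userdom_manage_user_home_content_files(xauth_t)`, `userdom_manage_user_tmp_files(xauth_t)` and `miscfiles_read_fonts(xauth_t)`, which are allow rules rather than dontaudit rules; a build flag meant to silence noise therefore silently widens xauth_t to create, write and delete any user home content and user tmp file, and the new `allow xauth_t self:capability { dac_read_search };` at the top of the hunk adds DAC bypass on top. The iceauth section of this file uses the dontaudit forms for the same situation; mirror that here: `userdom_dontaudit_read_user_home_content_files(xauth_t)`, `userdom_dontaudit_write_user_home_content_files(xauth_t)`, `userdom_dontaudit_write_user_tmp_files(xauth_t)`. The unconditional `userdom_home_manager(xauth_t)` just below should be reviewed for the same reason, since it makes the hide_broken_symptoms grants largely redundant anyway.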
-@@ -300,64 +420,110 @@ optional_policy(`
- # XDM Local policy
- #
-
--allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
--allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search dac_override fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
-+allow xdm_t self:capability2 { block_suspend };
-+allow xdm_t self:cap_userns { kill };
-+dontaudit xdm_t self:capability sys_admin;
-+dontaudit xdm_t self:capability2 wake_alarm;
-+tunable_policy(`deny_ptrace',`',`
-+ allow xdm_t self:process ptrace;
-+')
-+
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition };
- allow xdm_t self:fifo_file rw_fifo_file_perms;
- allow xdm_t self:shm create_shm_perms;
- allow xdm_t self:sem create_sem_perms;
- allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
--allow xdm_t self:unix_dgram_socket create_socket_perms;
-+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
- allow xdm_t self:tcp_socket create_stream_socket_perms;
- allow xdm_t self:udp_socket create_socket_perms;
-+allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow xdm_t self:netlink_selinux_socket create_socket_perms;
- allow xdm_t self:socket create_socket_perms;
- allow xdm_t self:appletalk_socket create_socket_perms;
- allow xdm_t self:key { search link write };
-+allow xdm_t self:dbus { send_msg acquire_svc };
-+
-+allow xdm_t xauth_home_t:file manage_file_perms;
-+
-+allow xdm_t xserver_unconfined_type:process { signull };
-+
-+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
-+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-+manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+xserver_filetrans_home_content(xdm_t)
-+xserver_filetrans_admin_home_content(xdm_t)
-+
-+#Handle mislabeled files in homedir
-+userdom_delete_user_home_content_files(xdm_t)
-+userdom_signull_unpriv_users(xdm_t)
-+userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
-
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
-+can_exec(xdm_t, xsession_exec_t)
-
- allow xdm_t xdm_lock_t:file manage_file_perms;
- files_lock_filetrans(xdm_t, xdm_lock_t, file)
-
-+read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
-+read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
- # wdm has its own config dir /etc/X11/wdm
- # this is ugly, daemons should not create files under /etc!
- manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
-
--manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
--manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
--manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
--files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+userdom_manage_all_user_tmp_content(xdm_t)
-+userdom_exec_user_tmp_files(xdm_t)
-
- manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
--fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+
-+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
-+
-+files_search_spool(xdm_t)
-+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
-+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
-+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
-
- manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
- manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
--files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
-+exec_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
-+# Read machine-id
-+files_read_var_lib_files(xdm_t)
-
- manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
- manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-+exec_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-+manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
- manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
--files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
-+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
-
--allow xdm_t xserver_t:process signal;
-+allow xdm_t xserver_t:process { getattr signal signull };
- allow xdm_t xserver_t:unix_stream_socket connectto;
-+allow xdm_t xserver_t:unix_dgram_socket sendto;
-
- allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
--allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
-+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
-
- # transition to the xdm xserver
- domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
-+
-+ps_process_pattern(xserver_t, xdm_t)
- allow xserver_t xdm_t:process signal;
- allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
-
- allow xdm_t xserver_t:shm rw_shm_perms;
-+read_files_pattern(xdm_t, xserver_t, xserver_t)
-
- # connect to xdm xserver over stream socket
- stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
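Review bot: `userdom_manage_all_user_tmp_content(xdm_t)` combined with `userdom_exec_user_tmp_files(xdm_t)` lets the display manager, which this hunk also grants `sys_ptrace`, `net_admin`, `dac_override` and a self ptrace rule under `deny_ptrace`, execute files that unprivileged users can create in their own tmp directories; if xdm ever runs a path under a user-controlled tmp dir, a local user supplies the code. The replaced rules used a dedicated `xdm_tmp_t` with no exec permission, so the exec grant is new and should be dropped or justified with a comment naming the helper that needs it, e.g. `# xdm execs <helper> staged in user tmp — TODO confirm; otherwise remove userdom_exec_user_tmp_files`. The `net_admin` and `sys_ptrace` additions are likewise undocumented and each deserves a one-line why-comment for the next audit.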
-@@ -366,20 +532,32 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
- delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
- delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-
-+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
-+
- manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
- manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-+manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
- manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
--logging_log_filetrans(xdm_t, xserver_log_t, file)
-+files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")
-
- kernel_read_system_state(xdm_t)
-+kernel_read_device_sysctls(xdm_t)
- kernel_read_kernel_sysctls(xdm_t)
- kernel_read_net_sysctls(xdm_t)
- kernel_read_network_state(xdm_t)
-+kernel_request_load_module(xdm_t)
-+kernel_stream_connect(xdm_t)
-+kernel_view_key(xdm_t)
-+kernel_read_usermodehelper_state(xdm_t)
-
- corecmd_exec_shell(xdm_t)
- corecmd_exec_bin(xdm_t)
-+corecmd_dontaudit_access_all_executables(xdm_t)
-
--corenet_all_recvfrom_unlabeled(xdm_t)
- corenet_all_recvfrom_netlabel(xdm_t)
- corenet_tcp_sendrecv_generic_if(xdm_t)
- corenet_udp_sendrecv_generic_if(xdm_t)
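Review bot: `logging_log_filetrans(xdm_t, xserver_log_t, file)` is replaced by `files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")`, so files xdm_t creates directly under /var/log no longer receive `xserver_log_t` and fall back to the parent directory's type, while the kept `manage_files_pattern(xdm_t, xserver_log_t, ...)` only helps for already-labelled files; if both layouts are in use, keep both transitions rather than swapping one for the other. Also, `kernel_request_load_module(xdm_t)` lets a pre-login service trigger kernel module autoloading, which widens the reachable kernel attack surface and should carry a comment naming the trigger that requires it, e.g. `# request_load_module: socket family autoload for <protocol> — TODO confirm`.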
-@@ -389,38 +567,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
- corenet_udp_sendrecv_all_ports(xdm_t)
- corenet_tcp_bind_generic_node(xdm_t)
- corenet_udp_bind_generic_node(xdm_t)
-+corenet_udp_bind_ipp_port(xdm_t)
-+corenet_udp_bind_xdmcp_port(xdm_t)
- corenet_tcp_connect_all_ports(xdm_t)
- corenet_sendrecv_all_client_packets(xdm_t)
- # xdm tries to bind to biff_port_t
- corenet_dontaudit_tcp_bind_all_ports(xdm_t)
-
-+dev_rwx_zero(xdm_t)
- dev_read_rand(xdm_t)
--dev_read_sysfs(xdm_t)
-+dev_rw_sysfs(xdm_t)
- dev_getattr_framebuffer_dev(xdm_t)
- dev_setattr_framebuffer_dev(xdm_t)
- dev_getattr_mouse_dev(xdm_t)
- dev_setattr_mouse_dev(xdm_t)
- dev_rw_apm_bios(xdm_t)
-+dev_rw_input_dev(xdm_t)
- dev_setattr_apm_bios_dev(xdm_t)
- dev_rw_dri(xdm_t)
- dev_rw_agp(xdm_t)
-+dev_rw_wireless(xdm_t)
- dev_getattr_xserver_misc_dev(xdm_t)
- dev_setattr_xserver_misc_dev(xdm_t)
-+dev_rw_xserver_misc(xdm_t)
- dev_getattr_misc_dev(xdm_t)
- dev_setattr_misc_dev(xdm_t)
- dev_dontaudit_rw_misc(xdm_t)
--dev_getattr_video_dev(xdm_t)
-+dev_read_video_dev(xdm_t)
-+dev_write_video_dev(xdm_t)
- dev_setattr_video_dev(xdm_t)
- dev_getattr_scanner_dev(xdm_t)
- dev_setattr_scanner_dev(xdm_t)
--dev_getattr_sound_dev(xdm_t)
--dev_setattr_sound_dev(xdm_t)
-+dev_read_sound(xdm_t)
-+dev_write_sound(xdm_t)
- dev_getattr_power_mgmt_dev(xdm_t)
- dev_setattr_power_mgmt_dev(xdm_t)
-+dev_getattr_null_dev(xdm_t)
-+dev_setattr_null_dev(xdm_t)
-+dev_read_nvme(xdm_t)
-+dev_getattr_loop_control(xdm_t)
-
- domain_use_interactive_fds(xdm_t)
- # Do not audit denied probes of /proc.
- domain_dontaudit_read_all_domains_state(xdm_t)
-+domain_dontaudit_signal_all_domains(xdm_t)
-+domain_dontaudit_getattr_all_entry_files(xdm_t)
-
- files_read_etc_files(xdm_t)
- files_read_var_files(xdm_t)
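Review bot: `dev_read_sysfs(xdm_t)` is widened to `dev_rw_sysfs(xdm_t)`, giving the display manager write access to every sysfs attribute rather than the specific ones it presumably needs; together with the new `dev_rwx_zero(xdm_t)`, which permits executable mappings of /dev/zero and is effectively anonymous executable memory, plus `dev_rw_input_dev` and `dev_rw_wireless`, the hunk removes several device-level boundaries without saying why. Prefer a narrower sysfs type where one exists and add a why-comment to each widening, e.g. `# rw sysfs: greeter adjusts backlight under /sys/class/backlight — TODO confirm and narrow` and `# dev_rwx_zero: <component> maps /dev/zero executable — TODO confirm`.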
-@@ -431,9 +622,30 @@ files_list_mnt(xdm_t)
- files_read_usr_files(xdm_t)
- # Poweroff wants to create the /poweroff file when run from xdm
- files_create_boot_flag(xdm_t)
-+files_dontaudit_getattr_boot_dirs(xdm_t)
-+files_dontaudit_write_usr_files(xdm_t)
-+files_dontaudit_access_check_etc(xdm_t)
-+files_dontaudit_getattr_all_dirs(xdm_t)
-+files_dontaudit_getattr_all_symlinks(xdm_t)
-+files_dontaudit_getattr_all_tmp_sockets(xdm_t)
-+files_dontaudit_all_access_check(xdm_t)
-+files_dontaudit_list_non_security(xdm_t)
-
- fs_getattr_all_fs(xdm_t)
- fs_search_auto_mountpoints(xdm_t)
-+fs_search_all(xdm_t)
-+fs_rw_anon_inodefs_files(xdm_t)
-+fs_mount_tmpfs(xdm_t)
-+fs_mounton_fusefs(xdm_t)
-+fs_list_inotifyfs(xdm_t)
-+fs_dontaudit_list_noxattr_fs(xdm_t)
-+fs_dontaudit_read_noxattr_fs_files(xdm_t)
-+fs_manage_cgroup_dirs(xdm_t)
-+fs_manage_cgroup_files(xdm_t)
-+mount_read_pid_files(xdm_t)
-+
-+mls_socket_write_to_clearance(xdm_t)
-+mls_trusted_object(xdm_t)
-
- storage_dontaudit_read_fixed_disk(xdm_t)
- storage_dontaudit_write_fixed_disk(xdm_t)
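Review bot: `mls_trusted_object(xdm_t)` and `mls_socket_write_to_clearance(xdm_t)` exempt the display manager from MLS constraints, and `fs_manage_cgroup_dirs(xdm_t)`/`fs_manage_cgroup_files(xdm_t)` let it rewrite any cgroup control file rather than only its own session cgroups; none of these carry a justification. On an MLS system the trusted-object exemption is exactly the rule an auditor must trace back, so a comment such as `# MLS: xdm pipes/sockets are shared with sessions at every level — TODO confirm` belongs next to it, and the cgroup grants would be better scoped through a systemd/logind-specific interface if session setup is the only need. `fs_mount_tmpfs(xdm_t)` and `fs_mounton_fusefs(xdm_t)` also merit a one-line why-comment each.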
-@@ -442,28 +654,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
- storage_dontaudit_raw_write_removable_device(xdm_t)
- storage_dontaudit_setattr_removable_dev(xdm_t)
- storage_dontaudit_rw_scsi_generic(xdm_t)
-+storage_dontaudit_rw_fuse(xdm_t)
-
- term_setattr_console(xdm_t)
--term_use_unallocated_ttys(xdm_t)
- term_setattr_unallocated_ttys(xdm_t)
-+term_use_all_terms(xdm_t)
-+term_relabel_all_ttys(xdm_t)
-+term_relabel_unallocated_ttys(xdm_t)
-+term_getattr_virtio_console(xdm_t)
-
- auth_domtrans_pam_console(xdm_t)
--auth_manage_pam_pid(xdm_t)
-+#auth_manage_pam_pid(xdm_t)
- auth_manage_pam_console_data(xdm_t)
-+auth_signal_pam(xdm_t)
- auth_rw_faillog(xdm_t)
- auth_write_login_records(xdm_t)
-
- # Run telinit->init to shutdown.
- init_telinit(xdm_t)
-+init_dbus_chat(xdm_t)
-+init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
-+init_status(xdm_t)
-+
-+application_exec(xdm_t)
-
- libs_exec_lib_files(xdm_t)
-+libs_exec_ldconfig(xdm_t)
-+libs_dontaudit_setattr_lib_files(xdm_t)
-+libs_dontaudit_setattr_lib_dirs(xdm_t)
-
- logging_read_generic_logs(xdm_t)
-
--miscfiles_read_localization(xdm_t)
-+miscfiles_search_man_pages(xdm_t)
- miscfiles_read_fonts(xdm_t)
--
--sysnet_read_config(xdm_t)
-+miscfiles_manage_fonts_cache(xdm_t)
-+miscfiles_manage_localization(xdm_t)
-+miscfiles_read_hwdata(xdm_t)
-+
-+systemd_write_inhibit_pipes(xdm_t)
-+systemd_dbus_chat_localed(xdm_t)
-+systemd_dbus_chat_hostnamed(xdm_t)
-+systemd_start_power_services(xdm_t)
-+systemd_status_power_services(xdm_t)
-+systemd_hwdb_mmap_config(xdm_t)
-+systemd_hwdb_read_config(xdm_t)
-
- userdom_dontaudit_use_unpriv_user_fds(xdm_t)
- userdom_create_all_users_keys(xdm_t)
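Review bot: `term_use_all_terms(xdm_t)` plus `term_relabel_all_ttys(xdm_t)` let the display manager read, write and relabel every terminal type, including other users' ptys, replacing the narrower `term_use_unallocated_ttys(xdm_t)` removed in the same hunk; relabel in particular is an escalation path wherever another rule trusts a tty type. If the need is only the VT the X server takes over, `term_use_unallocated_ttys` with the already-present `term_relabel_unallocated_ttys(xdm_t)` should suffice; otherwise add a why-comment. The commented-out `#auth_manage_pam_pid(xdm_t)` should either be deleted or kept with a stated reason, since dead policy lines tend to be re-enabled without review.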
-@@ -472,24 +706,171 @@ userdom_read_user_home_content_files(xdm_t)
- # Search /proc for any user domain processes.
- userdom_read_all_users_state(xdm_t)
- userdom_signal_all_users(xdm_t)
-+userdom_stream_connect(xdm_t)
-+userdom_manage_user_tmp_dirs(xdm_t)
-+userdom_manage_user_tmp_files(xdm_t)
-+userdom_manage_user_tmp_sockets(xdm_t)
-+userdom_manage_tmp_role(system_r, xdm_t)
-+
-+#userdom_home_manager(xdm_t)
-+tunable_policy(`xdm_write_home',`
-+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
-+ userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
-+',`
-+ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(xdm_t)
-+ fs_manage_nfs_dirs(xdm_t)
-+ fs_manage_nfs_files(xdm_t)
-+ fs_manage_nfs_symlinks(xdm_t)
-+ fs_append_nfs_files(xdm_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(xdm_t)
-+ fs_manage_cifs_files(xdm_t)
-+ fs_manage_cifs_symlinks(xdm_t)
-+ fs_append_cifs_files(xdm_t)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(xdm_t)
-+ fs_manage_fusefs_files(xdm_t)
-+ fs_manage_fusefs_symlinks(xdm_t)
-+')
-+
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_manage_ecryptfs_dirs(xdm_t)
-+ fs_manage_ecryptfs_files(xdm_t)
-+')
-+
-+### filename transitions ###
-+userdom_filetrans_generic_home_content(xdm_t)
-+
-+optional_policy(`
-+ dbus_stream_connect_session_bus(xdm_t)
-+')
-+
-+optional_policy(`
-+ cups_stream_connect(xdm_t)
-+')
-+
-+optional_policy(`
-+ colord_read_lib_files(xdm_t)
-+')
-+
-+optional_policy(`
-+ dbus_read_lib_files(xdm_t)
-+')
-+
-+optional_policy(`
-+ gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates")
-+')
-+
-+optional_policy(`
-+ apache_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ auth_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ geoclue_dbus_chat(xdm_t)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ gpg_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ irc_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ mozilla_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ pulseaudio_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ remotelogin_signull(xdm_t)
-+')
-+
-+optional_policy(`
-+ spamassassin_filetrans_home_content(xdm_t)
-+ spamassassin_filetrans_admin_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(xdm_t)
-+ ssh_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ telepathy_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ thumb_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ tvtime_filetrans_home_content(xdm_t)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_home_content(xdm_t)
-+')
-+
-+### end of filename transitions ###
-+
-+application_signal(xdm_t)
-
- xserver_rw_session(xdm_t, xdm_tmpfs_t)
- xserver_unconfined(xdm_t)
-+xserver_domtrans_xauth(xdm_t)
-+
-+ifndef(`distro_redhat',`
-+ allow xdm_t self:process { execheap execmem };
-+')
-+
-+ifdef(`distro_rhel4',`
-+ allow xdm_t self:process { execheap execmem };
-+')
-
- tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(xdm_t)
-- fs_manage_nfs_files(xdm_t)
-- fs_manage_nfs_symlinks(xdm_t)
- fs_exec_nfs_files(xdm_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(xdm_t)
-- fs_manage_cifs_files(xdm_t)
-- fs_manage_cifs_symlinks(xdm_t)
- fs_exec_cifs_files(xdm_t)
- ')
-
-+optional_policy(`
-+ tunable_policy(`xdm_exec_bootloader',`
-+ bootloader_exec(xdm_t)
-+ files_read_boot_files(xdm_t)
-+ files_read_boot_symlinks(xdm_t)
-+ ')
-+')
-+
- tunable_policy(`xdm_sysadm_login',`
- userdom_xsession_spec_domtrans_all_users(xdm_t)
- # FIXME:
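Review bot: The `ifndef(`distro_redhat',` ... execheap execmem ... ')` block is now at top level, whereas the old context later in this file shows the same grant nested inside the `unconfined_domain(xdm_t)` optional block; every non-Red Hat build now gives the display manager executable heap and anonymous executable memory unconditionally, with no tunable and no comment, and the `distro_rhel4` branch repeats the grant for a long end-of-life release. Consider gating it the way this file already gates `xserver_execmem`, e.g. `tunable_policy(`xdm_execmem',` allow xdm_t self:process { execheap execmem }; ')` with its own tunable description, or at least add a why-comment. The `xdm_write_home` else-branch `userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })` also deserves a note that it is the default labelling fallback when the tunable is off.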
-@@ -502,12 +883,31 @@ tunable_policy(`xdm_sysadm_login',`
- # allow xserver_t xdm_tmpfs_t:file rw_file_perms;
- ')
-
-+tunable_policy(`xdm_bind_vnc_tcp_port',`
-+ corenet_tcp_bind_vnc_port(xdm_t)
-+')
-+
-+optional_policy(`
-+ accountsd_read_lib_files(xdm_t)
-+ accountsd_dbus_chat(xdm_t)
-+')
-+
-+optional_policy(`
-+ acct_dontaudit_list_data(xdm_t)
-+')
-+
-+optional_policy(`
-+ boinc_dontaudit_getattr_lib(xdm_t)
-+')
-+
- optional_policy(`
- alsa_domtrans(xdm_t)
-+ alsa_read_rw_config(xdm_t)
- ')
-
- optional_policy(`
- consolekit_dbus_chat(xdm_t)
-+ consolekit_read_log(xdm_t)
- ')
-
- optional_policy(`
-@@ -518,8 +918,40 @@ optional_policy(`
- dbus_system_bus_client(xdm_t)
- dbus_connect_system_bus(xdm_t)
-
-+ dbus_session_bus_client(xdm_t)
-+ dbus_connect_session_bus(xdm_t)
-+
-+ optional_policy(`
-+ accountsd_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ cpufreqselector_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat_disk(xdm_t)
-+ devicekit_dbus_chat_power(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat(xdm_t)
-+ ')
-+
- optional_policy(`
-- accountsd_dbus_chat(xdm_t)
-+ gnomeclock_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ modemmanager_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(xdm_t)
- ')
- ')
-
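Review bot: `dbus_session_bus_client(xdm_t)` and `dbus_connect_session_bus(xdm_t)` put a root-privileged login manager on D-Bus session buses, where any service a logged-in user runs can address it; the system-bus client rules above them were already present, so this is a new trust relationship and nothing says which session service gdm needs. If the intent is only the greeter's own gdm-owned session bus, state it: `# xdm_t joins the greeter's own session bus, never a user's — TODO confirm`. Otherwise scope the access through the specific `*_dbus_chat` interfaces already listed below rather than a blanket session-bus client grant.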
-@@ -530,6 +962,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_stream_connect_gkeyringd(xdm_t)
-+ gnome_exec_gstreamer_home_files(xdm_t)
-+ gnome_exec_keyringd(xdm_t)
-+ gnome_delete_gkeyringd_tmp_content(xdm_t)
-+ gnome_manage_config(xdm_t)
-+ gnome_manage_gconf_home_files(xdm_t)
-+ gnome_read_config(xdm_t)
-+ gnome_read_usr_config(xdm_t)
-+ gnome_read_gconf_config(xdm_t)
-+ gnome_transition_gkeyringd(xdm_t)
-+ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
-+')
-+
-+optional_policy(`
- hostname_exec(xdm_t)
- ')
-
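Review bot: `gnome_exec_gstreamer_home_files(xdm_t)` allows the display manager to execute gstreamer files located in user-writable home directories, so a local user can stage code that a root-privileged domain runs; `gnome_manage_config(xdm_t)` and `gnome_manage_gconf_home_files(xdm_t)` likewise give it write access to per-user GNOME configuration. The greeter plausibly needs gstreamer content only from its own `xdm_home_t` (declared earlier in this file and targeted by the `gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")` line here); if so, drop the home-files exec, or gate it with a comment naming the concrete need, e.g. `# greeter login sound uses the gstreamer registry under ~gdm, not user homes — TODO confirm`.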
-@@ -547,28 +993,78 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ policykit_dbus_chat(xdm_t)
-+ policykit_domtrans_auth(xdm_t)
-+ policykit_read_lib(xdm_t)
-+ policykit_read_reload(xdm_t)
-+ policykit_signal_auth(xdm_t)
-+')
-+
-+optional_policy(`
-+ pcscd_stream_connect(xdm_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_search_spool(xdm_t)
-+ plymouthd_exec_plymouth(xdm_t)
-+ plymouthd_stream_connect(xdm_t)
-+ plymouthd_read_log(xdm_t)
-+')
-+
-+optional_policy(`
-+ pulseaudio_exec(xdm_t)
-+ pulseaudio_dbus_chat(xdm_t)
-+ pulseaudio_stream_connect(xdm_t)
-+ pulseaudio_read_state(xserver_t)
-+')
-+
-+optional_policy(`
- resmgr_stream_connect(xdm_t)
- ')
-
- optional_policy(`
-+ rhev_stream_connect_agentd(xdm_t)
-+ rhev_read_pid_files_agentd(xdm_t)
-+')
-+
-+# On crash gdm execs gdb to dump stack
-+optional_policy(`
-+ rpm_exec(xdm_t)
-+ rpm_read_db(xdm_t)
-+ rpm_dontaudit_manage_db(xdm_t)
-+ rpm_dontaudit_dbus_chat(xdm_t)
-+')
-+
-+optional_policy(`
-+ rtkit_scheduled(xdm_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(xdm_t)
- ')
-
- optional_policy(`
-- udev_read_db(xdm_t)
-+ ssh_signull(xdm_t)
- ')
-
- optional_policy(`
-- unconfined_domain(xdm_t)
-- unconfined_domtrans(xdm_t)
-+ shutdown_domtrans(xdm_t)
-+')
-
-- ifndef(`distro_redhat',`
-- allow xdm_t self:process { execheap execmem };
-- ')
-+optional_policy(`
-+ telepathy_exec(xdm_t)
-+')
-
-- ifdef(`distro_rhel4',`
-- allow xdm_t self:process { execheap execmem };
-- ')
-+optional_policy(`
-+ udev_read_db(xdm_t)
-+')
-+
-+optional_policy(`
-+ unconfined_signal(xdm_t)
-+')
-+
-+optional_policy(`
-+ usbmuxd_stream_connect(xdm_t)
- ')
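Review bot: The comment `# On crash gdm execs gdb to dump stack` sits directly above a block that grants `rpm_exec(xdm_t)`, `rpm_read_db(xdm_t)` and rpm dontaudits, none of which concern gdb, so either the comment is misplaced or the rules it described were dropped; letting the display manager execute the package manager is in any case a wide grant that now has no explanation. Move the comment to the rules it describes or replace it with the real reason, e.g. `# gdm queries the rpm database for debuginfo when a session component crashes — TODO confirm`.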
-
- optional_policy(`
-@@ -580,6 +1076,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ vdagent_stream_connect(xdm_t)
-+')
-+
-+optional_policy(`
-+ wm_exec(xdm_t)
-+')
-+
-+optional_policy(`
- xfs_stream_connect(xdm_t)
- ')
-
-@@ -594,7 +1098,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
- type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
-
- allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
--allow xserver_t input_xevent_t:x_event send;
-+allow xserver_t xevent_type:x_event send;
-
- # setuid/setgid for the wrapper program to change UID
- # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1108,11 @@ allow xserver_t input_xevent_t:x_event send;
- # execheap needed until the X module loader is fixed.
- # NVIDIA Needs execstack
-
--allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+allow xserver_t self:capability { sys_ptrace dac_read_search fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+
- dontaudit xserver_t self:capability chown;
-+#allow xserver_t self:capability2 compromise_kernel;
-+
- allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow xserver_t self:fd use;
- allow xserver_t self:fifo_file rw_fifo_file_perms;
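Review bot: `sys_ptrace` is added to xserver_t's capability set (replacing `dac_override`) while the explanatory comment above, which covers setuid/setgid and sys_rawio, says nothing about ptrace, and the new `#allow xserver_t self:capability2 compromise_kernel;` is a commented-out rule left in the policy body. Add a why-comment for sys_ptrace naming the operation that needs it (cross-uid /proc reads would be the usual trigger — confirm), e.g. `# sys_ptrace: reading /proc/<pid> of client processes for <feature> — TODO confirm`, and delete the commented-out line, since dead permissive rules tend to be re-enabled without review.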
-@@ -618,8 +1125,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
- allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow xserver_t self:tcp_socket create_stream_socket_perms;
- allow xserver_t self:udp_socket create_socket_perms;
-+allow xserver_t self:netlink_selinux_socket create_socket_perms;
- allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-+
-+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
-+
-+allow xserver_t xauth_home_t:file read_file_perms;
-+
- manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
- manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
- manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,36 +1141,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
-
- filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
-
-+allow xserver_t xserver_etc_t:dir list_dir_perms;
-+read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
-+read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
-+
- manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
- manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
- manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
- manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
- manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
- fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+allow xserver_t xserver_tmpfs_t:file map;
-
- manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
- manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
- files_search_var_lib(xserver_t)
-
--domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
--allow xserver_t xauth_home_t:file read_file_perms;
-+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
-+manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
-+files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
-+
-+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
-+manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
-+manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
-+files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
-
- # Create files in /var/log with the xserver_log_t type.
- manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
- logging_log_filetrans(xserver_t, xserver_log_t, file)
-+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
-+
-+manage_dirs_pattern(xserver_t, xdm_home_t, xdm_home_t)
-+manage_files_pattern(xserver_t, xdm_home_t, xdm_home_t)
-+manage_lnk_files_pattern(xserver_t, xdm_home_t, xdm_home_t)
-+gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg")
-
- kernel_read_system_state(xserver_t)
- kernel_read_device_sysctls(xserver_t)
--kernel_read_modprobe_sysctls(xserver_t)
-+kernel_read_usermodehelper_state(xserver_t)
- # Xorg wants to check if kernel is tainted
- kernel_read_kernel_sysctls(xserver_t)
- kernel_write_proc_files(xserver_t)
-+kernel_request_load_module(xserver_t)
-
- # Run helper programs in xserver_t.
- corecmd_exec_bin(xserver_t)
- corecmd_exec_shell(xserver_t)
-
--corenet_all_recvfrom_unlabeled(xserver_t)
- corenet_all_recvfrom_netlabel(xserver_t)
- corenet_tcp_sendrecv_generic_if(xserver_t)
- corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1208,29 @@ dev_rw_apm_bios(xserver_t)
- dev_rw_agp(xserver_t)
- dev_rw_framebuffer(xserver_t)
- dev_manage_dri_dev(xserver_t)
--dev_filetrans_dri(xserver_t)
-+dev_map_dri(xserver_t)
- dev_create_generic_dirs(xserver_t)
- dev_setattr_generic_dirs(xserver_t)
- # raw memory access is needed if not using the frame buffer
- dev_read_raw_memory(xserver_t)
- dev_wx_raw_memory(xserver_t)
-+dev_read_urand(xserver_t)
- # for other device nodes such as the NVidia binary-only driver
--dev_rw_xserver_misc(xserver_t)
-+dev_manage_xserver_misc(xserver_t)
-+dev_filetrans_xserver_misc(xserver_t)
-+
- # read events - the synaptics touchpad driver reads raw events
- dev_rw_input_dev(xserver_t)
-+dev_write_raw_memory(xserver_t)
- dev_rwx_zero(xserver_t)
-
--domain_dontaudit_search_all_domains_state(xserver_t)
-+domain_dontaudit_read_all_domains_state(xserver_t)
-+domain_signal_all_domains(xserver_t)
-
- files_read_etc_files(xserver_t)
- files_read_etc_runtime_files(xserver_t)
- files_read_usr_files(xserver_t)
-+files_rw_tmpfs_files(xserver_t)
-
- # brought on by rhgb
- files_search_mnt(xserver_t)
-@@ -705,6 +1242,14 @@ fs_search_nfs(xserver_t)
- fs_search_auto_mountpoints(xserver_t)
- fs_search_ramfs(xserver_t)
-
-+mls_file_read_to_clearance(xserver_t)
-+mls_file_write_all_levels(xserver_t)
-+mls_file_upgrade(xserver_t)
-+mls_process_write_to_clearance(xserver_t)
-+mls_socket_read_to_clearance(xserver_t)
-+mls_sysvipc_read_to_clearance(xserver_t)
-+mls_sysvipc_write_to_clearance(xserver_t)
-+mls_trusted_object(xserver_t)
- mls_xwin_read_to_clearance(xserver_t)
-
- selinux_validate_context(xserver_t)
-@@ -718,28 +1263,25 @@ init_getpgid(xserver_t)
- term_setattr_unallocated_ttys(xserver_t)
- term_use_unallocated_ttys(xserver_t)
-
--getty_use_fds(xserver_t)
--
- locallogin_use_fds(xserver_t)
-
- logging_send_syslog_msg(xserver_t)
- logging_send_audit_msgs(xserver_t)
-
--miscfiles_read_localization(xserver_t)
- miscfiles_read_fonts(xserver_t)
--
--modutils_domtrans_insmod(xserver_t)
-+miscfiles_read_hwdata(xserver_t)
-
- # read x_contexts
- seutil_read_default_contexts(xserver_t)
-+seutil_read_config(xserver_t)
-+seutil_read_file_contexts(xserver_t)
-
- userdom_search_user_home_dirs(xserver_t)
- userdom_use_user_ttys(xserver_t)
- userdom_setattr_user_ttys(xserver_t)
- userdom_read_user_tmp_files(xserver_t)
- userdom_rw_user_tmpfs_files(xserver_t)
--
--xserver_use_user_fonts(xserver_t)
-+userdom_map_tmp_files(xserver_t)
-
- ifndef(`distro_redhat',`
- allow xserver_t self:process { execmem execheap execstack };
-@@ -785,17 +1327,54 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consolekit_read_state(xserver_t)
-+')
-+
-+optional_policy(`
-+ devicekit_signal_power(xserver_t)
-+')
-+
-+optional_policy(`
-+ getty_use_fds(xserver_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(xserver_t)
-+')
-+
-+optional_policy(`
- rhgb_getpgid(xserver_t)
- rhgb_signal(xserver_t)
- ')
-
- optional_policy(`
-+ setrans_translate_context(xserver_t)
-+')
-+
-+optional_policy(`
-+ sandbox_rw_xserver_tmpfs_files(xserver_t)
-+')
-+
-+optional_policy(`
-+ tcpd_wrapped_domain(xserver_t, xserver_exec_t)
-+')
-+
-+optional_policy(`
-+ mozilla_plugin_read_state(xserver_t)
-+ mozilla_plugin_rw_tmp_files(xserver_t)
-+ mozilla_plugin_rw_tmpfs_files(xserver_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(xserver_t)
-+')
-+
-+optional_policy(`
- udev_read_db(xserver_t)
- ')
-
- optional_policy(`
-- unconfined_domain_noaudit(xserver_t)
-- unconfined_domtrans(xserver_t)
-+ unconfined_domain(xserver_t)
- ')
-
- optional_policy(`
-@@ -803,6 +1382,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ wine_rw_shm(xserver_t)
-+')
-+
-+optional_policy(`
- xfs_stream_connect(xserver_t)
- ')
-
-@@ -818,18 +1401,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
-
- # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
- # handle of a file inside the dir!!!
--allow xserver_t xdm_var_lib_t:file { getattr read };
--dontaudit xserver_t xdm_var_lib_t:dir search;
-+allow xserver_t xdm_var_lib_t:file read_file_perms;
-+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
-
--allow xserver_t xdm_var_run_t:file read_file_perms;
-+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
-
- # Label pid and temporary files with derived types.
--manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
--manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
--manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-+userdom_manage_user_tmp_files(xserver_t)
-+userdom_manage_user_tmp_sockets(xserver_t)
-
- # Run xkbcomp.
--allow xserver_t xkb_var_lib_t:lnk_file read;
-+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
- can_exec(xserver_t, xkb_var_lib_t)
-
- # VNC v4 module in X server
-@@ -842,26 +1424,21 @@ init_use_fds(xserver_t)
- # to read ROLE_home_t - examine this in more detail
- # (xauth?)
- userdom_read_user_home_content_files(xserver_t)
-+userdom_read_all_users_state(xserver_t)
-+userdom_home_manager(xserver_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(xserver_t)
-- fs_manage_nfs_files(xserver_t)
-- fs_manage_nfs_symlinks(xserver_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(xserver_t)
-- fs_manage_cifs_files(xserver_t)
-- fs_manage_cifs_symlinks(xserver_t)
--')
-+xserver_use_user_fonts(xserver_t)
-
- optional_policy(`
- dbus_system_bus_client(xserver_t)
-- hal_dbus_chat(xserver_t)
-+
-+ optional_policy(`
-+ hal_dbus_chat(xserver_t)
-+ ')
- ')
-
- optional_policy(`
-- resmgr_stream_connect(xdm_t)
-+ mono_rw_shm(xserver_t)
- ')
-
- optional_policy(`
-@@ -912,7 +1489,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
- allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
- # operations allowed on my windows
- allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
--allow x_domain self:x_drawable { blend };
-+allow x_domain self:x_drawable blend;
- # operations allowed on all windows
- allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-
-@@ -966,11 +1543,31 @@ allow x_domain self:x_resource { read write };
- # can mess with the screensaver
- allow x_domain xserver_t:x_screen { getattr saver_getattr };
-
-+# Device rules
-+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
-+allow x_domain xserver_t:x_screen getattr;
-+
- ########################################
- #
- # Rules for unconfined access to this module
- #
-
-+allow xserver_unconfined_type xserver_t:x_server *;
-+allow xserver_unconfined_type xdrawable_type:x_drawable *;
-+allow xserver_unconfined_type xserver_t:x_screen *;
-+allow xserver_unconfined_type x_domain:x_gc *;
-+allow xserver_unconfined_type xcolormap_type:x_colormap *;
-+allow xserver_unconfined_type xproperty_type:x_property *;
-+allow xserver_unconfined_type xselection_type:x_selection *;
-+allow xserver_unconfined_type x_domain:x_cursor *;
-+allow xserver_unconfined_type x_domain:x_client *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-+allow xserver_unconfined_type xextension_type:x_extension *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-+
- tunable_policy(`! xserver_object_manager',`
- # should be xserver_unconfined(x_domain),
- # but typeattribute doesnt work in conditionals
-@@ -992,18 +1589,150 @@ tunable_policy(`! xserver_object_manager',`
- allow x_domain xevent_type:{ x_event x_synthetic_event } *;
- ')
-
--allow xserver_unconfined_type xserver_t:x_server *;
--allow xserver_unconfined_type xdrawable_type:x_drawable *;
--allow xserver_unconfined_type xserver_t:x_screen *;
--allow xserver_unconfined_type x_domain:x_gc *;
--allow xserver_unconfined_type xcolormap_type:x_colormap *;
--allow xserver_unconfined_type xproperty_type:x_property *;
--allow xserver_unconfined_type xselection_type:x_selection *;
--allow xserver_unconfined_type x_domain:x_cursor *;
--allow xserver_unconfined_type x_domain:x_client *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
--allow xserver_unconfined_type xextension_type:x_extension *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
--allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-+tunable_policy(`xserver_execmem',`
-+ allow xserver_t self:process { execheap execmem execstack };
-+')
-+
-+# Hack to handle the problem of using the nvidia blobs
-+tunable_policy(`deny_execmem',`',`
-+ allow xdm_t self:process execmem;
-+')
-+
-+tunable_policy(`selinuxuser_execstack',`
-+ allow xdm_t self:process { execstack execmem };
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_append_nfs_files(xdmhomewriter)
-+')
-+
-+optional_policy(`
-+ unconfined_rw_shm(xserver_t)
-+
-+ # xserver signals unconfined user on startx
-+ unconfined_signal(xserver_t)
-+ unconfined_getpgid(xserver_t)
-+')
-+
-+allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;
-+can_exec(xdm_t, xdm_unconfined_exec_t)
-+
-+optional_policy(`
-+ type xdm_unconfined_t;
-+ domain_type(xdm_unconfined_t)
-+ domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t)
-+ role system_r types xdm_unconfined_t;
-+
-+ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
-+ unconfined_domain(xdm_unconfined_t)
-+')
-+
-+# X Userdomain
-+# Xserver read/write client shm
-+allow xserver_t x_userdomain:fd use;
-+allow xserver_t x_userdomain:shm rw_shm_perms;
-+
-+allow xserver_t x_userdomain:process { getpgid signal };
-+
-+allow xserver_t x_userdomain:shm rw_shm_perms;
-+
-+allow x_userdomain xserver_t:unix_dgram_socket sendto;
-+
-+allow x_userdomain user_fonts_t:dir list_dir_perms;
-+allow x_userdomain user_fonts_t:file read_file_perms;
-+allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms;
-+
-+allow x_userdomain user_fonts_config_t:dir list_dir_perms;
-+allow x_userdomain user_fonts_config_t:file read_file_perms;
-+
-+manage_dirs_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
-+manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
-+
-+stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
-+files_search_tmp(x_userdomain)
-+
-+# Communicate via System V shared memory.
-+allow x_userdomain xserver_t:shm r_shm_perms;
-+allow x_userdomain xserver_tmpfs_t:file read_file_perms;
-+
-+# allow ps to show iceauth
-+ps_process_pattern(x_userdomain, iceauth_t)
-+
-+domtrans_pattern(x_userdomain, iceauth_exec_t, iceauth_t)
-+
-+allow x_userdomain iceauth_home_t:file read_file_perms;
-+
-+domtrans_pattern(x_userdomain, xauth_exec_t, xauth_t)
-+
-+allow x_userdomain xauth_t:process signal;
-+
-+# allow ps to show xauth
-+ps_process_pattern(x_userdomain, xauth_t)
-+allow x_userdomain xserver_t:process signal;
-+
-+allow x_userdomain xauth_home_t:file read_file_perms;
-+
-+# for when /tmp/.X11-unix is created by the system
-+allow x_userdomain xdm_t:fd use;
-+allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+userdom_search_user_tmp_dirs(x_userdomain)
-+userdom_rw_user_tmp_sock_files(x_userdomain)
-+dontaudit x_userdomain xdm_t:tcp_socket { read write };
-+
-+allow x_userdomain xdm_t:dbus send_msg;
-+allow xdm_t x_userdomain:dbus send_msg;
-+
-+# Client read xserver shm
-+allow x_userdomain xserver_t:fd use;
-+allow x_userdomain xserver_tmpfs_t:file read_file_perms;
-+
-+# Read /tmp/.X0-lock
-+allow x_userdomain xserver_tmp_t:file read_inherited_file_perms;
-+
-+dev_rw_xserver_misc(x_userdomain)
-+dev_rw_power_management(x_userdomain)
-+dev_read_input(x_userdomain)
-+dev_read_misc(x_userdomain)
-+dev_write_misc(x_userdomain)
-+# open office is looking for the following
-+dev_getattr_agp_dev(x_userdomain)
-+
-+# GNOME checks for usb and other devices:
-+dev_rw_usbfs(x_userdomain)
-+
-+miscfiles_read_fonts(x_userdomain)
-+miscfiles_setattr_fonts_cache_dirs(x_userdomain)
-+miscfiles_read_hwdata(x_userdomain)
-+
-+#xserver_common_x_domain_template(user, x_userdomain)
-+#xserver_domtrans(x_userdomain)
-+#xserver_unconfined(x_userdomain)
-+#xserver_xsession_entry_type(x_userdomain)
-+xserver_dontaudit_write_log(x_userdomain)
-+#xserver_stream_connect_xdm(x_userdomain)
-+# certain apps want to read xdm.pid file
-+xserver_read_xdm_pid(x_userdomain)
-+# gnome-session creates socket under /tmp/.ICE-unix/
-+xserver_create_xdm_tmp_sockets(x_userdomain)
-+# Needed for escd, remove if we get escd policy
-+xserver_manage_xdm_tmp_files(x_userdomain)
-+xserver_read_xdm_etc_files(x_userdomain)
-+#xserver_xdm_append_log(x_userdomain)
-+
-+term_use_virtio_console(x_userdomain)
-+# Client write xserver shm
-+tunable_policy(`xserver_clients_write_xshm',`
-+ allow x_userdomain xserver_t:shm rw_shm_perms;
-+ allow x_userdomain xserver_tmpfs_t:file rw_file_perms;
-+')
-+
-+optional_policy(`
-+ gnome_read_gconf_config(x_userdomain)
-+')
-+
-+tunable_policy(`selinuxuser_direct_dri_enabled',`
-+ dev_rw_dri(dridomain)
-+',`
-+ dev_dontaudit_rw_dri(dridomain)
-+')
-diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e64..be02b9618 100644
---- a/policy/modules/system/application.if
-+++ b/policy/modules/system/application.if
-@@ -43,6 +43,27 @@ interface(`application_executable_file',`
- corecmd_executable_file($1)
- ')
-
-+#######################################
-+##
-+## Make the specified type usable for files
-+## that are exectuables, such as binary programs.
-+## This does not include shared libraries.
-+##
-+##
-+##
-+## Type to be used for files.
-+##
-+##
-+#
-+interface(`application_executable_ioctl',`
-+ gen_require(`
-+ attribute application_exec_type;
-+ ')
-+
-+ allow $1 application_exec_type:file ioctl;
-+
-+')
-+
- ########################################
- ##
- ## Execute application executables in the caller domain.
-@@ -76,13 +97,30 @@ interface(`application_exec_all',`
- corecmd_dontaudit_exec_all_executables($1)
- corecmd_exec_bin($1)
- corecmd_exec_shell($1)
-- corecmd_exec_chroot($1)
-
- application_exec($1)
- ')
-
- ########################################
- ##
-+## Dontaudit execute all executable files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`application_dontaudit_exec',`
-+ gen_require(`
-+ attribute application_exec_type;
-+ ')
-+
-+ dontaudit $1 application_exec_type:file execute;
-+')
-+
-+########################################
-+##
- ## Create a domain for applications.
- ##
- ##
-@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',`
-
- ########################################
- ##
-+## Send kill signals to all application domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`application_sigkill',`
-+ gen_require(`
-+ attribute application_domain_type;
-+ ')
-+
-+ allow $1 application_domain_type:process sigkill;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to send kill signals
- ## to all application domains.
- ##
-@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',`
-
- dontaudit $1 application_domain_type:process sigkill;
- ')
-+
-+#######################################
-+##
-+## Getattr all application sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`application_getattr_socket',`
-+ gen_require(`
-+ attribute application_domain_type;
-+ ')
-+
-+ allow $1 application_domain_type:socket_class_set getattr;
-+')
-diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab72d..af71c62f7 100644
---- a/policy/modules/system/application.te
-+++ b/policy/modules/system/application.te
-@@ -6,15 +6,40 @@ attribute application_domain_type;
- # Executables to be run by user
- attribute application_exec_type;
-
-+domain_use_interactive_fds(application_domain_type)
-+
-+userdom_inherit_append_user_home_content_files(application_domain_type)
-+userdom_inherit_append_admin_home_files(application_domain_type)
-+userdom_inherit_append_user_tmp_files(application_domain_type)
-+userdom_rw_inherited_user_tmp_files(application_domain_type)
-+userdom_rw_inherited_user_pipes(application_domain_type)
-+logging_inherit_append_all_logs(application_domain_type)
-+
-+files_dontaudit_search_non_security_dirs(application_domain_type)
-+
-+auth_login_pgm_sigchld(application_domain_type)
-+
-+optional_policy(`
-+ afs_rw_udp_sockets(application_domain_type)
-+')
-+
- optional_policy(`
-+ cfengine_append_inherited_log(application_domain_type)
-+')
-+
-+optional_policy(`
-+ cron_rw_inherited_user_spool_files(application_domain_type)
- cron_sigchld(application_domain_type)
- ')
-
- optional_policy(`
-- ssh_sigchld(application_domain_type)
- ssh_rw_stream_sockets(application_domain_type)
- ')
-
- optional_policy(`
-+ screen_sigchld(application_domain_type)
-+')
-+
-+optional_policy(`
- sudo_sigchld(application_domain_type)
- ')
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 247958765..890e1e293 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,14 +1,28 @@
-+HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
-+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
-+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-
- /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-
--/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
--/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
- /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
--/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
-
- /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
--/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-+/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
- /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
- /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +30,25 @@ ifdef(`distro_suse', `
- /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
-
-+/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+
- /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
-
--/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
--/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
-+/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
-+/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_gentoo', `
- /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
-+/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
-+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+
-+/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+
-+/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-
- /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-
-@@ -30,21 +56,25 @@ ifdef(`distro_gentoo', `
-
- /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-
- /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
- /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
--/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
--/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
-+/var/log/faillog.* -- gen_context(system_u:object_r:faillog_t,s0)
-+/var/log/lastlog.* -- gen_context(system_u:object_r:lastlog_t,s0)
- /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
--/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
-+/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0)
- /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
-
-+/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+
- /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
- /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
- /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
- /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
- /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
- /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b669..2ce58d86d 100644
---- a/policy/modules/system/authlogin.if
-+++ b/policy/modules/system/authlogin.if
-@@ -23,11 +23,17 @@ interface(`auth_role',`
- role $1 types chkpwd_t;
-
- # Transition from the user domain to this domain.
-- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
-+ auth_domtrans_chkpwd($2)
-
- ps_process_pattern($2, chkpwd_t)
-
- dontaudit $2 shadow_t:file read_file_perms;
-+
-+ logging_send_syslog_msg($2)
-+ logging_send_audit_msgs($2)
-+
-+ usermanage_read_crack_db($2)
-+
- ')
-
- ########################################
-@@ -53,13 +59,18 @@ interface(`auth_use_pam',`
- auth_read_login_records($1)
- auth_append_login_records($1)
- auth_rw_lastlog($1)
-- auth_rw_faillog($1)
-+ auth_create_lastlog($1)
-+ auth_manage_faillog($1)
- auth_exec_pam($1)
- auth_use_nsswitch($1)
-
-+ init_rw_stream_sockets($1)
-+
- logging_send_audit_msgs($1)
- logging_send_syslog_msg($1)
-
-+ userdom_search_user_tmp_dirs($1)
-+
- optional_policy(`
- dbus_system_bus_client($1)
-
-@@ -78,8 +89,19 @@ interface(`auth_use_pam',`
- ')
-
- optional_policy(`
-+ locallogin_getattr_home_content($1)
-+ ')
-+
-+ optional_policy(`
- nis_authenticate($1)
- ')
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind($1)
-+ systemd_use_fds_logind($1)
-+ systemd_write_inherited_logind_sessions_pipes($1)
-+ systemd_read_logind_sessions_files($1)
-+ ')
- ')
-
- ########################################
-@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
- interface(`auth_login_pgm_domain',`
- gen_require(`
- type var_auth_t, auth_cache_t;
-+ attribute polydomain;
-+ attribute login_pgm;
- ')
-
- domain_type($1)
-+ typeattribute $1 polydomain;
-+ typeattribute $1 login_pgm;
-+
- domain_subj_id_change_exemption($1)
- domain_role_change_exemption($1)
- domain_obj_id_change_exemption($1)
- role system_r types $1;
-
-- # Needed for pam_selinux_permit to cleanup properly
-- domain_read_all_domains_state($1)
-- domain_kill_all_domains($1)
--
-- # pam_keyring
-- allow $1 self:capability ipc_lock;
-- allow $1 self:process setkeycreate;
-- allow $1 self:key manage_key_perms;
--
-- files_list_var_lib($1)
-- manage_files_pattern($1, var_auth_t, var_auth_t)
--
-- manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-- manage_files_pattern($1, auth_cache_t, auth_cache_t)
-- manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
-- files_var_filetrans($1, auth_cache_t, dir)
--
-- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
-- kernel_rw_afs_state($1)
--
-- # for fingerprint readers
-- dev_rw_input_dev($1)
-- dev_rw_generic_usb_dev($1)
--
-- files_read_etc_files($1)
--
-- fs_list_auto_mountpoints($1)
--
- selinux_get_fs_mount($1)
-- selinux_validate_context($1)
-- selinux_compute_access_vector($1)
-- selinux_compute_create_context($1)
-- selinux_compute_relabel_context($1)
-- selinux_compute_user_contexts($1)
-
- mls_file_read_all_levels($1)
- mls_file_write_all_levels($1)
- mls_file_upgrade($1)
- mls_file_downgrade($1)
- mls_process_set_level($1)
-+ mls_process_write_to_clearance($1)
- mls_fd_share_all_levels($1)
-
- auth_use_pam($1)
-+')
-
-- init_rw_utmp($1)
--
-- logging_set_loginuid($1)
-- logging_set_tty_audit($1)
-+########################################
-+##
-+## Read authlogin state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authlogin_read_state',`
-+ gen_require(`
-+ attribute polydomain;
-+ ')
-
-- seutil_read_config($1)
-- seutil_read_default_contexts($1)
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, polydomain)
-+')
-
-- tunable_policy(`allow_polyinstantiation',`
-- files_polyinstantiate_all($1)
-+########################################
-+##
-+## Read and write a authlogin unnamed pipe.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authlogin_rw_pipes',`
-+ gen_require(`
-+ attribute polydomain;
- ')
-+
-+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
-
- ########################################
- ##
-+## Execute a login_program in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`auth_exec_login_program',`
-+ gen_require(`
-+ type login_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, login_exec_t)
-+')
-+
-+########################################
-+##
- ## Execute a login_program in the target domain,
- ## with a range transition.
- ##
-@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
-
- ########################################
- ##
-+## Create authentication cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_create_cache',`
-+ gen_require(`
-+ type auth_cache_t;
-+ ')
-+
-+ create_files_pattern($1, auth_cache_t, auth_cache_t)
-+')
-+
-+########################################
-+##
- ## Manage authentication cache
- ##
- ##
-@@ -337,6 +394,7 @@ interface(`auth_manage_cache',`
-
- manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
- manage_files_pattern($1, auth_cache_t, auth_cache_t)
-+ allow $1 auth_cache_t:file map;
- ')
-
- #######################################
-@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
- optional_policy(`
- samba_stream_connect_winbind($1)
- ')
-+
-+ auth_domtrans_upd_passwd($1)
- ')
-
- ########################################
-@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
-
- ########################################
- ##
-+## Execute chkpwd in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`auth_exec_chkpwd',`
-+ gen_require(`
-+ type chkpwd_exec_t;
-+ ')
-+
-+ allow $1 chkpwd_exec_t:file execute;
-+')
-+
-+########################################
-+##
- ## Execute chkpwd programs in the chkpwd domain.
- ##
- ##
-@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
-
- auth_domtrans_chk_passwd($1)
- role $2 types chkpwd_t;
-+ auth_run_upd_passwd($1, $2)
-+')
-+
-+########################################
-+##
-+## Send generic signals to chkpwd processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_signal_chk_passwd',`
-+ gen_require(`
-+ type chkpwd_t;
-+ ')
-+
-+ allow $1 chkpwd_t:process signal;
- ')
-
- ########################################
-@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
-
- domtrans_pattern($1, updpwd_exec_t, updpwd_t)
- auth_dontaudit_read_shadow($1)
--
- ')
-
- ########################################
-@@ -534,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',`
-
- ########################################
- ##
-+## Mmap the shadow passwords file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_map_shadow',`
-+ gen_require(`
-+ type shadow_t;
-+ ')
-+
-+ allow $1 shadow_t:file map;
-+')
-+
-+########################################
-+##
- ## Read the shadow passwords file (/etc/shadow)
- ##
- ##
-@@ -664,6 +778,11 @@ interface(`auth_manage_shadow',`
-
- allow $1 shadow_t:file manage_file_perms;
- typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
-+ files_var_filetrans($1, shadow_t, file, "shadow")
-+ files_var_filetrans($1, shadow_t, file, "shadow-")
-+ files_etc_filetrans($1, shadow_t, file, "gshadow")
-+ files_etc_filetrans($1, shadow_t, file, "nshadow")
-+ files_etc_filetrans($1, shadow_t, file, "opasswd")
- ')
-
- #######################################
-@@ -763,7 +882,50 @@ interface(`auth_rw_faillog',`
- ')
-
- logging_search_logs($1)
-- allow $1 faillog_t:file rw_file_perms;
-+ rw_files_pattern($1, faillog_t, faillog_t)
-+')
-+
-+########################################
-+##
-+## Relabel the login failure log.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_relabel_faillog',`
-+ gen_require(`
-+ type faillog_t;
-+ ')
-+
-+ allow $1 faillog_t:dir relabel_dir_perms;
-+ allow $1 faillog_t:file relabel_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage the login failure log.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_manage_faillog',`
-+ gen_require(`
-+ type faillog_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ files_search_pids($1)
-+ allow $1 faillog_t:dir manage_dir_perms;
-+ allow $1 faillog_t:file manage_file_perms;
-+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
-+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
-+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
- ')
-
- #######################################
-@@ -824,9 +986,29 @@ interface(`auth_rw_lastlog',`
- allow $1 lastlog_t:file { rw_file_perms lock setattr };
- ')
-
-+#######################################
-+##
-+## Manage create logins log.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_create_lastlog',`
-+ gen_require(`
-+ type lastlog_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 lastlog_t:file create;
-+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
-+')
-+
- ########################################
- ##
--## Execute pam programs in the pam domain.
-+## Execute pam timestamp programs in the pam timestamp domain.
- ##
- ##
- ##
-@@ -834,12 +1016,27 @@ interface(`auth_rw_lastlog',`
- ##
- ##
- #
--interface(`auth_domtrans_pam',`
-+interface(`auth_domtrans_pam_timestamp',`
- gen_require(`
-- type pam_t, pam_exec_t;
-+ type pam_timestamp_t, pam_timestamp_exec_t;
- ')
-
-- domtrans_pattern($1, pam_exec_t, pam_t)
-+ domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t)
-+')
-+
-+########################################
-+##
-+## Execute pam timestamp programs in the pam timestamp domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`auth_domtrans_pam',`
-+ auth_domtrans_pam_timestamp($1)
-+ refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.')
- ')
-
- ########################################
-@@ -854,15 +1051,15 @@ interface(`auth_domtrans_pam',`
- #
- interface(`auth_signal_pam',`
- gen_require(`
-- type pam_t;
-+ type pam_timestamp_t;
- ')
-
-- allow $1 pam_t:process signal;
-+ allow $1 pam_timestamp_t:process signal;
- ')
-
- ########################################
- ##
--## Execute pam programs in the PAM domain.
-+## Execute pam_timestamp programs in the PAM timestamp domain.
- ##
- ##
- ##
-@@ -875,13 +1072,33 @@ interface(`auth_signal_pam',`
- ##
- ##
- #
--interface(`auth_run_pam',`
-+interface(`auth_run_pam_timestamp',`
- gen_require(`
-- type pam_t;
-+ type pam_timestamp_t;
- ')
-
-- auth_domtrans_pam($1)
-- role $2 types pam_t;
-+ auth_domtrans_pam_timestamp($1)
-+ role $2 types pam_timestamp_t;
-+')
-+
-+########################################
-+##
-+## Execute pam_timestamp programs in the PAM timestamp domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The role to allow the PAM domain.
-+##
-+##
-+#
-+interface(`auth_run_pam',`
-+ auth_run_pam_timestamp($1, $2)
-+ refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.')
- ')
-
- ########################################
-@@ -959,9 +1176,30 @@ interface(`auth_manage_var_auth',`
- ')
-
- files_search_var($1)
-- allow $1 var_auth_t:dir manage_dir_perms;
-- allow $1 var_auth_t:file rw_file_perms;
-- allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
-+
-+ manage_dirs_pattern($1, var_auth_t, var_auth_t)
-+ manage_files_pattern($1, var_auth_t, var_auth_t)
-+ manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
-+')
-+
-+########################################
-+##
-+## Relabel all var auth files. Used by various other applications
-+## and pam applets etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_relabel_var_auth_dirs',`
-+ gen_require(`
-+ type var_auth_t;
-+ ')
-+
-+ files_search_var($1)
-+ relabel_dirs_pattern($1, var_auth_t, var_auth_t)
- ')
-
- ########################################
-@@ -1040,6 +1278,10 @@ interface(`auth_manage_pam_pid',`
- files_search_pids($1)
- allow $1 pam_var_run_t:dir manage_dir_perms;
- allow $1 pam_var_run_t:file manage_file_perms;
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
- ')
-
- ########################################
-@@ -1176,6 +1418,7 @@ interface(`auth_manage_pam_console_data',`
- files_search_pids($1)
- manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
- manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
-+ files_pid_filetrans($1, pam_var_console_t, dir, "console")
- ')
-
- #######################################
-@@ -1576,6 +1819,25 @@ interface(`auth_setattr_login_records',`
-
- ########################################
- ##
-+## Relabel login record files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_relabel_login_records',`
-+ gen_require(`
-+ type wtmp_t;
-+ ')
-+
-+ allow $1 wtmp_t:file relabel_file_perms;
-+')
-+
-+
-+########################################
-+##
- ## Read login records files (/var/log/wtmp).
- ##
- ##
-@@ -1726,24 +1988,63 @@ interface(`auth_manage_login_records',`
-
- logging_rw_generic_log_dirs($1)
- allow $1 wtmp_t:file manage_file_perms;
-+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
- ')
-
- ########################################
- ##
--## Relabel login record files.
-+## Read access to the authlogin module.
- ##
-+##
-+##
-+## Read access to the authlogin module.
-+##
-+##
-+## Currently, this only allows assertions for
-+## the shadow passwords file (/etc/shadow) to
-+## be passed. No access is granted yet.
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`auth_relabel_login_records',`
-+interface(`auth_reader_shadow',`
- gen_require(`
-- type wtmp_t;
-+ attribute can_read_shadow_passwords;
- ')
-
-- allow $1 wtmp_t:file relabel_file_perms;
-+ typeattribute $1 can_read_shadow_passwords;
-+')
-+
-+########################################
-+##
-+## Write access to the authlogin module.
-+##
-+##
-+##
-+## Write access to the authlogin module.
-+##
-+##
-+## Currently, this only allows assertions for
-+## the shadow passwords file (/etc/shadow) to
-+## be passed. No access is granted yet.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_writer_shadow',`
-+ gen_require(`
-+ attribute can_write_shadow_passwords;
-+ ')
-+
-+ typeattribute $1 can_write_shadow_passwords;
- ')
-
- ########################################
-@@ -1767,11 +2068,13 @@ interface(`auth_relabel_login_records',`
- ##
- #
- interface(`auth_use_nsswitch',`
-- gen_require(`
-- attribute nsswitch_domain;
-- ')
-+ gen_require(`
-+ attribute nsswitch_domain;
-+ ')
-
- typeattribute $1 nsswitch_domain;
-+
-+ corenet_all_recvfrom_netlabel($1)
- ')
-
- ########################################
-@@ -1805,3 +2108,298 @@ interface(`auth_unconfined',`
- typeattribute $1 can_write_shadow_passwords;
- typeattribute $1 can_relabelto_shadow_passwords;
- ')
-+
-+########################################
-+##
-+## Transition to authlogin named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_filetrans_named_content',`
-+ gen_require(`
-+ type shadow_t;
-+ type passwd_file_t;
-+ type faillog_t;
-+ type lastlog_t;
-+ type wtmp_t;
-+ type pam_var_console_t;
-+ type pam_var_run_t;
-+ type auth_cache_t;
-+ ')
-+
-+ files_etc_filetrans($1, passwd_file_t, file, "group")
-+ files_etc_filetrans($1, passwd_file_t, file, "group-")
-+ #files_etc_filetrans($1, passwd_file_t, file, "group+")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
-+ #files_etc_filetrans($1, passwd_file_t, file, "passwd+")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
-+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct")
-+ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
-+ files_etc_filetrans($1, shadow_t, file, "shadow")
-+ files_etc_filetrans($1, shadow_t, file, "shadow-")
-+ files_etc_filetrans($1, shadow_t, file, "gshadow")
-+ files_etc_filetrans($1, shadow_t, file, "opasswd")
-+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
-+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
-+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
-+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
-+ files_pid_filetrans($1, faillog_t, file, "faillog")
-+ files_pid_filetrans($1, faillog_t, dir, "faillock")
-+ files_pid_filetrans($1, pam_var_console_t, dir, "console")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
-+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
-+ files_var_filetrans($1, auth_cache_t, dir, "coolkey")
-+')
-+
-+########################################
-+##
-+## Get the attributes of the passwd passwords file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_getattr_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 passwd_file_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the passwd passwords file.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`auth_dontaudit_getattr_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ dontaudit $1 passwd_file_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Read the passwd passwords file (/etc/passwd)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_read_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ allow $1 passwd_file_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Mmap the passwd passwords file (/etc/passwd)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_map_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ allow $1 passwd_file_t:file map;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read the passwd
-+## password file (/etc/passwd).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`auth_dontaudit_read_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ dontaudit $1 passwd_file_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete the passwd
-+## password file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_manage_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ files_rw_etc_dirs($1)
-+ allow $1 passwd_file_t:file manage_file_perms;
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
-+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
-+ files_etc_filetrans($1, passwd_file_t, file, "group")
-+ files_etc_filetrans($1, passwd_file_t, file, "group-")
-+ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
-+')
-+
-+########################################
-+##
-+## Create auth directory in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_filetrans_admin_home_content',`
-+ gen_require(`
-+ type auth_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
-+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
-+ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
-+')
-+
-+
-+########################################
-+##
-+## Read the authorization data in the user home directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_read_home_content',`
-+
-+ gen_require(`
-+ type auth_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, auth_home_t, auth_home_t)
-+')
-+
-+########################################
-+##
-+## Read the authorization data in the user home directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_manage_home_content',`
-+
-+ gen_require(`
-+ type auth_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, auth_home_t, auth_home_t)
-+ manage_dirs_pattern($1, auth_home_t, auth_home_t)
-+')
-+
-+########################################
-+##
-+## Create auth directory in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_filetrans_home_content',`
-+
-+ gen_require(`
-+ type auth_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
-+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
-+ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
-+')
-+
-+########################################
-+##
-+## Send a SIGCHLD signal to login programs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_login_pgm_sigchld',`
-+ gen_require(`
-+ attribute login_pgm;
-+ ')
-+
-+ allow $1 login_pgm:process sigchld;
-+')
-+
-+########################################
-+##
-+## Manage the keyrings of all login programs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_login_manage_key',`
-+ gen_require(`
-+ attribute login_pgm;
-+ ')
-+
-+ allow $1 login_pgm:key manage_key_perms;
-+')
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791dcc..03feb4c8d 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
- # Declarations
- #
-
-+##
-+##
-+## Allow users to login using a radius server
-+##
-+##
-+gen_tunable(authlogin_radius, false)
-+
-+##
-+##
-+## Allow users to login using a yubikey OTP server or challenge response mode
-+##
-+##
-+gen_tunable(authlogin_yubikey, false)
-
- ##
- ##
-@@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
- attribute can_read_shadow_passwords;
- attribute can_write_shadow_passwords;
- attribute can_relabelto_shadow_passwords;
-+attribute polydomain;
- attribute nsswitch_domain;
-+attribute login_pgm;
-
- type auth_cache_t;
- logging_log_file(auth_cache_t)
-
-+type auth_home_t;
-+userdom_user_home_content(auth_home_t)
-+
- type chkpwd_t, can_read_shadow_passwords;
- type chkpwd_exec_t;
- typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
--typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
-+typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
- application_domain(chkpwd_t, chkpwd_exec_t)
- role system_r types chkpwd_t;
-
- type faillog_t;
- logging_log_file(faillog_t)
-+mls_trusted_object(faillog_t)
-
- type lastlog_t;
- logging_log_file(lastlog_t)
-@@ -42,15 +61,15 @@ type pam_console_exec_t;
- init_system_domain(pam_console_t, pam_console_exec_t)
- role system_r types pam_console_t;
-
--type pam_t;
--domain_type(pam_t)
--role system_r types pam_t;
-+type pam_timestamp_t alias pam_t;
-+domain_type(pam_timestamp_t)
-+role system_r types pam_timestamp_t;
-
--type pam_exec_t;
--domain_entry_file(pam_t, pam_exec_t)
-+type pam_timestamp_exec_t alias pam_exec_t;
-+domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t)
-
--type pam_tmp_t;
--files_tmp_file(pam_tmp_t)
-+type pam_timestamp_tmp_t;
-+files_tmp_file(pam_timestamp_tmp_t)
-
- type pam_var_console_t;
- files_pid_file(pam_var_console_t)
-@@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
- neverallow ~can_write_shadow_passwords shadow_t:file { create write };
- neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
-
-+type passwd_file_t;
-+files_type(passwd_file_t)
-+
- type updpwd_t;
- type updpwd_exec_t;
- domain_type(updpwd_t)
-@@ -90,11 +112,11 @@ logging_log_file(wtmp_t)
- # Check password local policy
- #
-
--allow chkpwd_t self:capability { dac_override setuid };
-+allow chkpwd_t self:capability { dac_read_search setuid };
- dontaudit chkpwd_t self:capability sys_tty_config;
- allow chkpwd_t self:process { getattr signal };
-
--allow chkpwd_t shadow_t:file read_file_perms;
-+allow chkpwd_t shadow_t:file { read_file_perms map };
- files_list_etc(chkpwd_t)
-
- kernel_read_crypto_sysctls(chkpwd_t)
-@@ -109,6 +131,9 @@ dev_read_urand(chkpwd_t)
- files_read_etc_files(chkpwd_t)
- # for nscd
- files_dontaudit_search_var(chkpwd_t)
-+files_read_usr_symlinks(chkpwd_t)
-+files_list_tmp(chkpwd_t)
-+files_map_system_db_files(chkpwd_t)
-
- fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-
-@@ -122,12 +147,11 @@ auth_use_nsswitch(chkpwd_t)
- logging_send_audit_msgs(chkpwd_t)
- logging_send_syslog_msg(chkpwd_t)
-
--miscfiles_read_localization(chkpwd_t)
-
- seutil_read_config(chkpwd_t)
- seutil_dontaudit_use_newrole_fds(chkpwd_t)
-
--userdom_use_user_terminals(chkpwd_t)
-+userdom_dontaudit_use_user_ttys(chkpwd_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -141,6 +165,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dbus_system_bus_client(chkpwd_t)
-+')
-+
-+optional_policy(`
- kerberos_use(chkpwd_t)
- ')
-
-@@ -153,53 +181,52 @@ optional_policy(`
- # PAM local policy
- #
-
--allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--dontaudit pam_t self:capability sys_tty_config;
-+allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+dontaudit pam_timestamp_t self:capability sys_tty_config;
-
--allow pam_t self:fd use;
--allow pam_t self:fifo_file rw_file_perms;
--allow pam_t self:unix_dgram_socket create_socket_perms;
--allow pam_t self:unix_stream_socket rw_stream_socket_perms;
--allow pam_t self:unix_dgram_socket sendto;
--allow pam_t self:unix_stream_socket connectto;
--allow pam_t self:shm create_shm_perms;
--allow pam_t self:sem create_sem_perms;
--allow pam_t self:msgq create_msgq_perms;
--allow pam_t self:msg { send receive };
-+allow pam_timestamp_t self:fd use;
-+allow pam_timestamp_t self:fifo_file rw_file_perms;
-+allow pam_timestamp_t self:unix_dgram_socket create_socket_perms;
-+allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms;
-+allow pam_timestamp_t self:unix_dgram_socket sendto;
-+allow pam_timestamp_t self:unix_stream_socket connectto;
-+allow pam_timestamp_t self:shm create_shm_perms;
-+allow pam_timestamp_t self:sem create_sem_perms;
-+allow pam_timestamp_t self:msgq create_msgq_perms;
-+allow pam_timestamp_t self:msg { send receive };
-
--delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
--read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
--files_list_pids(pam_t)
-+delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
-+read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
-+files_list_pids(pam_timestamp_t)
-
--allow pam_t pam_tmp_t:dir manage_dir_perms;
--allow pam_t pam_tmp_t:file manage_file_perms;
--files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
-+allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms;
-+allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms;
-+files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir })
-
--auth_use_nsswitch(pam_t)
-+auth_use_nsswitch(pam_timestamp_t)
-
--kernel_read_system_state(pam_t)
-+kernel_read_system_state(pam_timestamp_t)
-
--files_read_etc_files(pam_t)
-+files_read_etc_files(pam_timestamp_t)
-
--fs_search_auto_mountpoints(pam_t)
-+fs_search_auto_mountpoints(pam_timestamp_t)
-
--miscfiles_read_localization(pam_t)
-
--term_use_all_ttys(pam_t)
--term_use_all_ptys(pam_t)
-+term_use_all_ttys(pam_timestamp_t)
-+term_use_all_ptys(pam_timestamp_t)
-
--init_dontaudit_rw_utmp(pam_t)
-+init_dontaudit_rw_utmp(pam_timestamp_t)
-
--logging_send_syslog_msg(pam_t)
-+logging_send_syslog_msg(pam_timestamp_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-- unconfined_domain(pam_t)
-+ unconfined_domain(pam_timestamp_t)
- ')
- ')
-
- optional_policy(`
-- locallogin_use_fds(pam_t)
-+ locallogin_use_fds(pam_timestamp_t)
- ')
-
- ########################################
-@@ -289,7 +316,6 @@ init_use_script_ptys(pam_console_t)
-
- logging_send_syslog_msg(pam_console_t)
-
--miscfiles_read_localization(pam_console_t)
- miscfiles_read_generic_certs(pam_console_t)
-
- seutil_read_file_contexts(pam_console_t)
-@@ -330,7 +356,7 @@ optional_policy(`
- # updpwd local policy
- #
-
--allow updpwd_t self:capability { chown dac_override };
-+allow updpwd_t self:capability { chown dac_read_search };
- allow updpwd_t self:process setfscreate;
- allow updpwd_t self:fifo_file rw_fifo_file_perms;
- allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -341,6 +367,11 @@ kernel_read_system_state(updpwd_t)
- dev_read_urand(updpwd_t)
-
- files_manage_etc_files(updpwd_t)
-+auth_manage_passwd(updpwd_t)
-+
-+mls_file_read_all_levels(updpwd_t)
-+mls_file_write_all_levels(updpwd_t)
-+mls_file_downgrade(updpwd_t)
-
- term_dontaudit_use_console(updpwd_t)
- term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -350,9 +381,7 @@ auth_use_nsswitch(updpwd_t)
-
- logging_send_syslog_msg(updpwd_t)
-
--miscfiles_read_localization(updpwd_t)
--
--userdom_use_user_terminals(updpwd_t)
-+userdom_use_inherited_user_terminals(updpwd_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -380,13 +409,15 @@ term_dontaudit_use_all_ttys(utempter_t)
- term_dontaudit_use_all_ptys(utempter_t)
- term_dontaudit_use_ptmx(utempter_t)
-
-+auth_use_nsswitch(utempter_t)
-+
- init_rw_utmp(utempter_t)
-
- domain_use_interactive_fds(utempter_t)
-
- logging_search_logs(utempter_t)
-
--userdom_use_user_terminals(utempter_t)
-+userdom_use_inherited_user_terminals(utempter_t)
- # Allow utemper to write to /tmp/.xses-*
- userdom_write_user_tmp_files(utempter_t)
-
-@@ -397,19 +428,29 @@ ifdef(`distro_ubuntu',`
- ')
-
- optional_policy(`
-- nscd_use(utempter_t)
-+ xserver_use_xdm_fds(utempter_t)
-+ xserver_rw_xdm_pipes(utempter_t)
-+')
-+
-+tunable_policy(`polyinstantiation_enabled',`
-+ files_polyinstantiate_all(polydomain)
- ')
-
- optional_policy(`
-- xserver_use_xdm_fds(utempter_t)
-- xserver_rw_xdm_pipes(utempter_t)
-+ tunable_policy(`polyinstantiation_enabled',`
-+ namespace_init_domtrans(polydomain)
-+ ')
- ')
-
--#######################################
-+######################################
- #
- # nsswitch_domain local policy
- #
-
-+allow nsswitch_domain self:key manage_key_perms;
-+
-+auth_read_passwd(nsswitch_domain)
-+
- files_list_var_lib(nsswitch_domain)
-
- # read /etc/nsswitch.conf
-@@ -417,15 +458,42 @@ files_read_etc_files(nsswitch_domain)
-
- sysnet_dns_name_resolve(nsswitch_domain)
-
-+systemd_hostnamed_read_config(nsswitch_domain)
-+
-+
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ allow nsswitch_domain self:tcp_socket create_socket_perms;
-+')
-+
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
-+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
-+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
-+ corenet_tcp_connect_ldap_port(nsswitch_domain)
-+ corenet_sendrecv_ldap_client_packets(nsswitch_domain)
-+')
-+
- tunable_policy(`authlogin_nsswitch_use_ldap',`
-- files_list_var_lib(nsswitch_domain)
-+ # Support for LDAPS
-+ dev_read_rand(nsswitch_domain)
-+ # LDAP Configuration using encrypted requires
-+ dev_read_urand(nsswitch_domain)
-+ sysnet_read_config(nsswitch_domain)
-+')
-
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
- miscfiles_read_generic_certs(nsswitch_domain)
-- sysnet_use_ldap(nsswitch_domain)
- ')
-
- optional_policy(`
- tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ dirsrv_stream_connect(nsswitch_domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ ldap_read_certs(nsswitch_domain)
- ldap_stream_connect(nsswitch_domain)
- ')
- ')
-@@ -438,6 +506,7 @@ optional_policy(`
- likewise_stream_connect_lsassd(nsswitch_domain)
- ')
-
-+# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
- optional_policy(`
- kerberos_use(nsswitch_domain)
- ')
-@@ -456,10 +525,164 @@ optional_policy(`
-
- optional_policy(`
- sssd_stream_connect(nsswitch_domain)
-+ sssd_read_public_files(nsswitch_domain)
-+ sssd_read_lib_files(nsswitch_domain)
-+')
-+
-+#1134389
-+userdom_manage_all_users_keys(nsswitch_domain)
-+optional_policy(`
-+ sssd_manage_keys(nsswitch_domain)
-+')
-+
-+optional_policy(`
-+ rolekit_manage_keys(nsswitch_domain)
- ')
-
- optional_policy(`
- samba_stream_connect_winbind(nsswitch_domain)
-+ samba_stream_connect_nmbd(nsswitch_domain)
- samba_read_var_files(nsswitch_domain)
- samba_dontaudit_write_var_files(nsswitch_domain)
- ')
-+
-+optional_policy(`
-+ virt_read_lib_files(nsswitch_domain)
-+')
-+
-+#######################################
-+#
-+# Login Program local policy
-+#
-+
-+domain_read_all_domains_state(login_pgm)
-+corecmd_getattr_all_executables(login_pgm)
-+domain_kill_all_domains(login_pgm)
-+
-+allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
-+allow login_pgm self:capability ipc_lock;
-+dontaudit login_pgm self:capability net_admin;
-+allow login_pgm self:process setkeycreate;
-+allow login_pgm self:key manage_key_perms;
-+userdom_manage_all_users_keys(login_pgm)
-+allow login_pgm nsswitch_domain:key manage_key_perms;
-+
-+files_list_var_lib(login_pgm)
-+manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t)
-+manage_files_pattern(login_pgm, var_auth_t, var_auth_t)
-+manage_sock_files_pattern(login_pgm, var_auth_t, var_auth_t)
-+
-+manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey")
-+allow login_pgm auth_cache_t:file map;
-+
-+manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
-+manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
-+auth_filetrans_admin_home_content(login_pgm)
-+auth_filetrans_home_content(login_pgm)
-+
-+# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
-+kernel_search_network_sysctl(login_pgm)
-+kernel_rw_afs_state(login_pgm)
-+
-+tunable_policy(`authlogin_radius',`
-+ corenet_udp_bind_all_unreserved_ports(login_pgm)
-+')
-+
-+tunable_policy(`authlogin_yubikey',`
-+ corenet_tcp_connect_http_port(login_pgm)
-+')
-+
-+corenet_tcp_connect_pki_ca_port(login_pgm)
-+
-+# for fingerprint readers
-+dev_rw_input_dev(login_pgm)
-+dev_rw_generic_usb_dev(login_pgm)
-+
-+files_read_config_files(login_pgm)
-+
-+fs_list_auto_mountpoints(login_pgm)
-+fs_manage_cgroup_dirs(login_pgm)
-+fs_manage_cgroup_files(login_pgm)
-+fs_read_ecryptfs_symlinks(login_pgm)
-+fs_read_ecryptfs_files(login_pgm)
-+
-+#fs_manage_kdbus_files(login_pgm)
-+#fs_manage_kdbus_dirs(login_pgm)
-+
-+selinux_validate_context(login_pgm)
-+selinux_compute_access_vector(login_pgm)
-+selinux_compute_create_context(login_pgm)
-+selinux_compute_relabel_context(login_pgm)
-+selinux_compute_user_contexts(login_pgm)
-+
-+auth_manage_faillog(login_pgm)
-+auth_manage_pam_pid(login_pgm)
-+
-+init_rw_utmp(login_pgm)
-+
-+logging_set_loginuid(login_pgm)
-+logging_set_tty_audit(login_pgm)
-+
-+miscfiles_dontaudit_write_generic_cert_files(login_pgm)
-+miscfiles_filetrans_named_content(login_pgm)
-+
-+seutil_read_config(login_pgm)
-+seutil_read_login_config(login_pgm)
-+seutil_read_default_contexts(login_pgm)
-+systemd_login_read_pid_files(login_pgm)
-+
-+userdom_set_rlimitnh(login_pgm)
-+userdom_read_user_home_content_symlinks(login_pgm)
-+userdom_delete_user_tmp_files(login_pgm)
-+userdom_search_admin_dir(login_pgm)
-+userdom_stream_connect(login_pgm)
-+userdom_manage_user_tmp_dirs(login_pgm)
-+userdom_manage_user_tmp_files(login_pgm)
-+
-+optional_policy(`
-+ afs_read_config(login_pgm)
-+ afs_rw_udp_sockets(login_pgm)
-+')
-+
-+optional_policy(`
-+ kerberos_read_config(login_pgm)
-+')
-+
-+optional_policy(`
-+ oddjob_dbus_chat(login_pgm)
-+ oddjob_domtrans_mkhomedir(login_pgm)
-+')
-+
-+optional_policy(`
-+ openct_stream_connect(login_pgm)
-+ openct_signull(login_pgm)
-+ openct_read_pid_files(login_pgm)
-+')
-+
-+optional_policy(`
-+ corecmd_exec_bin(login_pgm)
-+ storage_getattr_fixed_disk_dev(login_pgm)
-+ mount_domtrans(login_pgm)
-+ mount_domtrans_ecryptmount(login_pgm)
-+')
-+
-+optional_policy(`
-+ fprintd_dbus_chat(login_pgm)
-+')
-+
-+optional_policy(`
-+ realmd_dbus_chat(login_pgm)
-+')
-+
-+optional_policy(`
-+ # allow execute tmux
-+ screen_exec(login_pgm)
-+')
-+
-+optional_policy(`
-+ ssh_agent_exec(login_pgm)
-+ ssh_read_user_home_files(login_pgm)
-+')
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index c5e05ca70..c9ddbeeca 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -3,3 +3,5 @@
-
- /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
-+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+
-diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
-index d475c2deb..55305d5f3 100644
---- a/policy/modules/system/clock.if
-+++ b/policy/modules/system/clock.if
-@@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',`
- allow $1 adjtime_t:file rw_file_perms;
- files_list_etc($1)
- ')
-+
-+########################################
-+##
-+## Manage clock drift adjustments.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`clock_manage_adjtime',`
-+ gen_require(`
-+ type adjtime_t;
-+ ')
-+
-+ allow $1 adjtime_t:file manage_file_perms;
-+ files_list_etc($1)
-+')
-+
-+########################################
-+##
-+## Transition to systemd clock content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`clock_filetrans_named_content',`
-+ gen_require(`
-+ type adjtime_t;
-+ ')
-+
-+ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
-+')
-diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index edece47dc..d71651f31 100644
---- a/policy/modules/system/clock.te
-+++ b/policy/modules/system/clock.te
-@@ -18,9 +18,9 @@ role system_r types hwclock_t;
- # Local policy
- #
-
--# Give hwclock the capabilities it requires. dac_override is a surprise,
-+# Give hwclock the capabilities it requires. is a surprise,
- # but hwclock does require it.
--allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-+allow hwclock_t self:capability { dac_read_search sys_rawio sys_time sys_tty_config };
- dontaudit hwclock_t self:capability sys_tty_config;
- allow hwclock_t self:process signal_perms;
- allow hwclock_t self:fifo_file rw_fifo_file_perms;
-@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
-
- term_dontaudit_use_console(hwclock_t)
- term_use_unallocated_ttys(hwclock_t)
--term_use_all_ttys(hwclock_t)
--term_use_all_ptys(hwclock_t)
-+term_use_all_inherited_ttys(hwclock_t)
-+term_use_all_inherited_ptys(hwclock_t)
-
- domain_use_interactive_fds(hwclock_t)
-
-+auth_use_nsswitch(hwclock_t)
-+
- init_use_fds(hwclock_t)
- init_use_script_ptys(hwclock_t)
-
- logging_send_audit_msgs(hwclock_t)
- logging_send_syslog_msg(hwclock_t)
-
--miscfiles_read_localization(hwclock_t)
-
- optional_policy(`
- apm_append_log(hwclock_t)
-@@ -65,10 +66,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_use(hwclock_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(hwclock_t)
- ')
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 948ce2a32..8cab8aef2 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,4 +1,3 @@
--/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -23,7 +22,6 @@
- /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
--/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -36,14 +34,55 @@
- /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
- /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-+/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+
-+/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
- /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
-+
-+/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0)
-diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
-index 016a770b9..3fce820a5 100644
---- a/policy/modules/system/fstools.if
-+++ b/policy/modules/system/fstools.if
-@@ -154,3 +154,42 @@ interface(`fstools_getattr_swap_files',`
-
- allow $1 swapfile_t:file getattr;
- ')
-+
-+########################################
-+##
-+## Create, read, write, and delete the FSADM pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fsadm_manage_pid',`
-+ gen_require(`
-+ type fsadm_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
-+ manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
-+ fstools_filetrans_named_content_fsadm($1)
-+')
-+
-+########################################
-+##
-+## Transition to systemd content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fstools_filetrans_named_content_fsadm',`
-+ gen_require(`
-+ type fsadm_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
-+')
-diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d300a..cf67cf714 100644
---- a/policy/modules/system/fstools.te
-+++ b/policy/modules/system/fstools.te
-@@ -13,9 +13,15 @@ role system_r types fsadm_t;
- type fsadm_log_t;
- logging_log_file(fsadm_log_t)
-
-+type fsadm_var_run_t;
-+files_pid_file(fsadm_var_run_t)
-+
- type fsadm_tmp_t;
- files_tmp_file(fsadm_tmp_t)
-
-+type fsadm_tmpfs_t;
-+files_tmpfs_file(fsadm_tmpfs_t)
-+
- type swapfile_t; # customizable
- files_type(swapfile_t)
-
-@@ -25,7 +31,8 @@ files_type(swapfile_t)
- #
-
- # ipc_lock is for losetup
--allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
-+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_read_search };
-+dontaudit fsadm_t self:capability net_admin;
- allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
- allow fsadm_t self:fd use;
- allow fsadm_t self:fifo_file rw_fifo_file_perms;
-@@ -41,10 +48,21 @@ allow fsadm_t self:msg { send receive };
-
- can_exec(fsadm_t, fsadm_exec_t)
-
--allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
--allow fsadm_t fsadm_tmp_t:file manage_file_perms;
-+manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
-+manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
-+files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
-+
-+manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
-+manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
- files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
-
-+manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
-+manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
-+fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir })
-+
-+files_create_boot_flag(fsadm_t)
-+files_setattr_root_dirs(fsadm_t)
-+
- # log files
- allow fsadm_t fsadm_log_t:dir setattr;
- manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
-@@ -53,6 +71,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
- # Enable swapping to files
- allow fsadm_t swapfile_t:file { rw_file_perms swapon };
-
-+kernel_get_sysvipc_info(fsadm_t)
- kernel_read_system_state(fsadm_t)
- kernel_read_kernel_sysctls(fsadm_t)
- kernel_request_load_module(fsadm_t)
-@@ -101,6 +120,8 @@ files_read_usr_files(fsadm_t)
- files_read_etc_files(fsadm_t)
- files_manage_lost_found(fsadm_t)
- files_manage_isid_type_dirs(fsadm_t)
-+# /etc/mtab is a link
-+files_read_etc_runtime_files(fsadm_t)
- # Write to /etc/mtab.
- files_manage_etc_runtime_files(fsadm_t)
- files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -112,7 +133,6 @@ files_read_isid_type_files(fsadm_t)
- fs_search_auto_mountpoints(fsadm_t)
- fs_getattr_xattr_fs(fsadm_t)
- fs_rw_ramfs_pipes(fsadm_t)
--fs_rw_tmpfs_files(fsadm_t)
- # remount file system to apply changes
- fs_remount_xattr_fs(fsadm_t)
- # for /dev/shm
-@@ -120,6 +140,9 @@ fs_list_auto_mountpoints(fsadm_t)
- fs_search_tmpfs(fsadm_t)
- fs_getattr_tmpfs_dirs(fsadm_t)
- fs_read_tmpfs_symlinks(fsadm_t)
-+fs_manage_nfs_files(fsadm_t)
-+fs_manage_cifs_files(fsadm_t)
-+fs_rw_hugetlbfs_files(fsadm_t)
- # Recreate /mnt/cdrom.
- files_manage_mnt_dirs(fsadm_t)
- # for tune2fs
-@@ -133,21 +156,28 @@ storage_raw_write_fixed_disk(fsadm_t)
- storage_raw_read_removable_device(fsadm_t)
- storage_raw_write_removable_device(fsadm_t)
- storage_read_scsi_generic(fsadm_t)
-+storage_rw_fuse(fsadm_t)
- storage_swapon_fixed_disk(fsadm_t)
-
- term_use_console(fsadm_t)
-
-+auth_read_passwd(fsadm_t)
-+
-+init_read_state(fsadm_t)
- init_use_fds(fsadm_t)
- init_use_script_ptys(fsadm_t)
- init_dontaudit_getattr_initctl(fsadm_t)
-+init_stream_connect(fsadm_t)
-
- logging_send_syslog_msg(fsadm_t)
--
--miscfiles_read_localization(fsadm_t)
-+logging_send_audit_msgs(fsadm_t)
-+logging_stream_connect_syslog(fsadm_t)
-
- seutil_read_config(fsadm_t)
-
--userdom_use_user_terminals(fsadm_t)
-+term_use_all_inherited_terms(fsadm_t)
-+
-+userdom_rw_inherited_user_tmp_pipes(fsadm_t)
-
- ifdef(`distro_redhat',`
- optional_policy(`
-@@ -166,6 +196,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ devicekit_dontaudit_read_pid_files(fsadm_t)
-+ devicekit_dontaudit_rw_log(fsadm_t)
-+')
-+
-+optional_policy(`
- hal_dontaudit_write_log(fsadm_t)
- ')
-
-@@ -179,6 +214,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mount_read_pid_files(fsadm_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(fsadm_t)
- ')
-
-@@ -192,6 +231,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ virt_read_blk_images(fsadm_t)
-+')
-+
-+optional_policy(`
- xen_append_log(fsadm_t)
- xen_rw_image_files(fsadm_t)
- ')
-diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index e1a1848a2..130688b95 100644
---- a/policy/modules/system/getty.fc
-+++ b/policy/modules/system/getty.fc
-@@ -3,10 +3,15 @@
-
- /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
-
--/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
--/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
-+/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0)
-+
-+/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
-+
-+/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
-+/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
-
- /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
-+/var/run/agetty\.reload.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
-
- /var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
- /var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
-diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
-index e4376aa98..2c98c5647 100644
---- a/policy/modules/system/getty.if
-+++ b/policy/modules/system/getty.if
-@@ -96,3 +96,45 @@ interface(`getty_rw_config',`
- files_search_etc($1)
- allow $1 getty_etc_t:file rw_file_perms;
- ')
-+
-+########################################
-+##
-+## Execute getty server in the getty domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`getty_systemctl',`
-+ gen_require(`
-+ type getty_unit_file_t;
-+ type getty_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 getty_unit_file_t:file read_file_perms;
-+ allow $1 getty_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, getty_t)
-+')
-+
-+########################################
-+##
-+## Start getty unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`getty_start_services',`
-+ gen_require(`
-+ type getty_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 getty_unit_file_t:service start;
-+')
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea19..743d661ec 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
- type getty_var_run_t;
- files_pid_file(getty_var_run_t)
-
-+type getty_unit_file_t;
-+systemd_unit_file(getty_unit_file_t)
-+
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mcs_systemhigh)
-+')
-+
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(getty_t, getty_exec_t, mls_systemhigh)
-+')
-+
- ########################################
- #
- # Getty local policy
- #
-
- # Use capabilities.
--allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
-+allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
- dontaudit getty_t self:capability sys_tty_config;
- allow getty_t self:process { getpgid setpgid getsession signal_perms };
- allow getty_t self:fifo_file rw_fifo_file_perms;
-@@ -56,6 +67,7 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
- files_pid_filetrans(getty_t, getty_var_run_t, file)
-
- kernel_read_system_state(getty_t)
-+kernel_read_network_state(getty_t)
-
- # these two needed for receiving faxes
- corecmd_exec_bin(getty_t)
-@@ -83,8 +95,11 @@ term_use_unallocated_ttys(getty_t)
- term_setattr_all_ttys(getty_t)
- term_setattr_unallocated_ttys(getty_t)
- term_setattr_console(getty_t)
-+term_use_console(getty_t)
-+term_use_usb_ttys(getty_t)
-
- auth_rw_login_records(getty_t)
-+auth_use_nsswitch(getty_t)
-
- init_rw_utmp(getty_t)
- init_use_script_ptys(getty_t)
-@@ -94,7 +109,6 @@ locallogin_domtrans(getty_t)
-
- logging_send_syslog_msg(getty_t)
-
--miscfiles_read_localization(getty_t)
-
- ifdef(`distro_gentoo',`
- # Gentoo default /etc/issue makes agetty
-@@ -113,7 +127,7 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`console_login',`
-+tunable_policy(`login_console_enabled',`
- # Support logging in from /dev/console
- term_use_console(getty_t)
- ',`
-@@ -121,11 +135,19 @@ tunable_policy(`console_login',`
- ')
-
- optional_policy(`
-+ hostname_exec(getty_t)
-+')
-+
-+optional_policy(`
-+ lockdev_manage_files(getty_t)
-+')
-+
-+optional_policy(`
- mta_send_mail(getty_t)
- ')
-
- optional_policy(`
-- nscd_use(getty_t)
-+ plymouthd_exec_plymouth(getty_t)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 9dfecf77c..6d00f5c13 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,2 +1,4 @@
-
- /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+
-+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
-index 187f04f83..cf0af0991 100644
---- a/policy/modules/system/hostname.if
-+++ b/policy/modules/system/hostname.if
-@@ -53,7 +53,6 @@ interface(`hostname_run',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`hostname_exec',`
- gen_require(`
-diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index 24a78897a..619b32ebe 100644
---- a/policy/modules/system/hostname.te
-+++ b/policy/modules/system/hostname.te
-@@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
-
- kernel_list_proc(hostname_t)
- kernel_read_proc_symlinks(hostname_t)
-+kernel_read_network_state(hostname_t)
-
- dev_read_sysfs(hostname_t)
- # Early devtmpfs, before udev relabel
- dev_dontaudit_rw_generic_chr_files(hostname_t)
-
-+domain_dontaudit_leaks(hostname_t)
- domain_use_interactive_fds(hostname_t)
-
- files_read_etc_files(hostname_t)
-+files_dontaudit_leaks(hostname_t)
- files_dontaudit_search_var(hostname_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(hostname_t)
-
- fs_getattr_xattr_fs(hostname_t)
- fs_search_auto_mountpoints(hostname_t)
-+fs_dontaudit_leaks(hostname_t)
- fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
-
- term_dontaudit_use_console(hostname_t)
--term_use_all_ttys(hostname_t)
--term_use_all_ptys(hostname_t)
-+term_use_all_inherited_terms(hostname_t)
-
- init_use_fds(hostname_t)
- init_use_script_fds(hostname_t)
- init_use_script_ptys(hostname_t)
-+init_rw_inherited_script_tmp_files(hostname_t)
-
- logging_send_syslog_msg(hostname_t)
-
--miscfiles_read_localization(hostname_t)
-
- sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
- sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
-@@ -57,10 +60,22 @@ sysnet_read_config(hostname_t)
- sysnet_dns_name_resolve(hostname_t)
-
- optional_policy(`
-+ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(hostname_t)
-+')
-+
-+optional_policy(`
-+ mock_dontaudit_write_lib_chr_files(hostname_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(hostname_t)
- ')
-
- optional_policy(`
-+ rhcs_manage_cluster_tmp_files(hostname_t)
-+')
-+
-+optional_policy(`
- xen_append_log(hostname_t)
- xen_dontaudit_use_fds(hostname_t)
- ')
-diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
-index caf736b3b..91c4c6f23 100644
---- a/policy/modules/system/hotplug.fc
-+++ b/policy/modules/system/hotplug.fc
-@@ -7,5 +7,8 @@
- /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
- /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
-
-+/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
-+/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
-+
- /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
- /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
-diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
-index 40eb10c60..2a0a32c2d 100644
---- a/policy/modules/system/hotplug.if
-+++ b/policy/modules/system/hotplug.if
-@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',`
- #
- interface(`hotplug_exec',`
- gen_require(`
-- type hotplug_t;
-+ type hotplug_exec_t;
- ')
-
- corecmd_search_bin($1)
-diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index b2097e743..8d66956d0 100644
---- a/policy/modules/system/hotplug.te
-+++ b/policy/modules/system/hotplug.te
-@@ -23,9 +23,9 @@ files_pid_file(hotplug_var_run_t)
- #
-
- allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
--dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
-+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
- # for access("/etc/bashrc", X_OK) on Red Hat
--dontaudit hotplug_t self:capability { dac_override dac_read_search };
-+dontaudit hotplug_t self:capability { dac_read_search };
- allow hotplug_t self:process { setpgid getsession getattr signal_perms };
- allow hotplug_t self:fifo_file rw_file_perms;
- allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t)
-
- files_read_kernel_modules(hotplug_t)
-
--corenet_all_recvfrom_unlabeled(hotplug_t)
- corenet_all_recvfrom_netlabel(hotplug_t)
- corenet_tcp_sendrecv_generic_if(hotplug_t)
- corenet_udp_sendrecv_generic_if(hotplug_t)
-@@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t)
- # kernel threads inherit from shared descriptor table used by init
- init_dontaudit_rw_initctl(hotplug_t)
-
-+auth_use_nsswitch(hotplug_t)
-+
- logging_send_syslog_msg(hotplug_t)
- logging_search_logs(hotplug_t)
-
-@@ -103,9 +104,6 @@ logging_search_logs(hotplug_t)
- libs_read_lib_files(hotplug_t)
-
- miscfiles_read_hwdata(hotplug_t)
--miscfiles_read_localization(hotplug_t)
--
--seutil_dontaudit_search_config(hotplug_t)
-
- sysnet_read_config(hotplug_t)
-
-@@ -164,14 +162,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nis_use_ypbind(hotplug_t)
--')
--
--optional_policy(`
-- nscd_use(hotplug_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(hotplug_t)
- ')
-
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index bc0ffc84e..37b8ea5ec 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -1,6 +1,9 @@
- #
- # /etc
- #
-+/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
-+
- /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
-@@ -29,6 +32,11 @@ ifdef(`distro_gentoo', `
- #
- # /sbin
- #
-+/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
-+
-+#
-+# /sbin
-+#
- /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-@@ -42,20 +50,36 @@ ifdef(`distro_gentoo', `
- #
- /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
-+/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
-+/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-+
-+/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
-+/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
-+
- /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
- /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
-+
-+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
- #
- # /var
- #
-+/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
- /var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
-+/var/run/systemd/initctl/fifo -p gen_context(system_u:object_r:initctl_t,s0)
- /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-+/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
-+/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,s0)
-
- ifdef(`distro_debian',`
- /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -74,3 +98,4 @@ ifdef(`distro_suse', `
- /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
- ')
-+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f62e..0244681f0 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1,5 +1,21 @@
- ## System initialization programs (init and init scripts).
-
-+######################################
-+##
-+## initrc stub interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`init_stub_initrc',`
-+ gen_require(`
-+ type initrc_t;
-+ ')
-+')
-+
- ########################################
- ##
- ## Create a file type used for init scripts.
-@@ -106,7 +122,11 @@ interface(`init_domain',`
- role system_r types $1;
-
- domtrans_pattern(init_t, $2, $1)
-+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
-+ allow $1 init_t:unix_dgram_socket sendto;
-
-+ allow init_t $1:process2 { nnp_transition nosuid_transition };
-+
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
-@@ -115,6 +135,25 @@ interface(`init_domain',`
- ')
- ')
- ')
-+########################################
-+##
-+## Allow SELinux Domain trasition from sytemd
-+## into confined domain with NoNewPrivileges
-+## Systemd Security feature.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_nnp_daemon_domain',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow init_t $1:process2 { nnp_transition nosuid_transition };
-+')
-
- ########################################
- ##
-@@ -192,50 +231,43 @@ interface(`init_ranged_domain',`
- interface(`init_daemon_domain',`
- gen_require(`
- attribute direct_run_init, direct_init, direct_init_entry;
-- type initrc_t;
-+ type init_t;
- role system_r;
- attribute daemon;
-+ attribute initrc_transition_domain;
-+ attribute initrc_domain;
- ')
-
- typeattribute $1 daemon;
-+ typeattribute $2 direct_init_entry;
-
- domain_type($1)
- domain_entry_file($1, $2)
-
-- role system_r types $1;
--
-- domtrans_pattern(initrc_t, $2, $1)
--
-- # daemons started from init will
-- # inherit fds from init for the console
-- init_dontaudit_use_fds($1)
-- term_dontaudit_use_console($1)
--
-- # init script ptys are the stdin/out/err
-- # when using run_init
-- init_use_script_ptys($1)
-+ type_transition initrc_domain $2:process $1;
-
- ifdef(`direct_sysadm_daemon',`
-- domtrans_pattern(direct_run_init, $2, $1)
-- allow direct_run_init $1:process { noatsecure siginh rlimitinh };
--
-+ type_transition direct_run_init $2:process $1;
- typeattribute $1 direct_init;
-- typeattribute $2 direct_init_entry;
--
-- userdom_dontaudit_use_user_terminals($1)
- ')
-+')
-
-- ifdef(`hide_broken_symptoms',`
-- # RHEL4 systems seem to have a stray
-- # fds open from the initrd
-- ifdef(`distro_rhel4',`
-- kernel_dontaudit_use_fds($1)
-- ')
-- ')
-+#######################################
-+##
-+## Create initrc domain.
-+##
-+##
-+##
-+## Type to be used as a initrc daemon domain.
-+##
-+##
-+#
-+interface(`init_initrc_domain',`
-+ gen_require(`
-+ attribute initrc_domain;
-+ ')
-
-- optional_policy(`
-- nscd_use($1)
-- ')
-+ typeattribute $1 initrc_domain;
- ')
-
- ########################################
-@@ -283,17 +315,20 @@ interface(`init_daemon_domain',`
- interface(`init_ranged_daemon_domain',`
- gen_require(`
- type initrc_t;
-+ type init_t;
- ')
-
-- init_daemon_domain($1, $2)
-+# init_daemon_domain($1, $2)
-
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
-+ range_transition init_t $2:process $3;
- ')
-
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
- mls_rangetrans_target($1)
-+ range_transition init_t $2:process $3;
- ')
- ')
-
-@@ -336,23 +371,19 @@ interface(`init_ranged_daemon_domain',`
- #
- interface(`init_system_domain',`
- gen_require(`
-- type initrc_t;
-+ type init_t;
- role system_r;
-+ attribute initrc_transition_domain;
-+ attribute systemprocess, systemprocess_entry;
-+ attribute initrc_domain;
- ')
-
-+ typeattribute $1 systemprocess;
- application_domain($1, $2)
--
- role system_r types $1;
-+ typeattribute $2 systemprocess_entry;
-
-- domtrans_pattern(initrc_t, $2, $1)
--
-- ifdef(`hide_broken_symptoms',`
-- # RHEL4 systems seem to have a stray
-- # fds open from the initrd
-- ifdef(`distro_rhel4',`
-- kernel_dontaudit_use_fds($1)
-- ')
-- ')
-+ type_transition initrc_domain $2:process $1;
- ')
-
- ########################################
-@@ -401,20 +432,41 @@ interface(`init_system_domain',`
- interface(`init_ranged_system_domain',`
- gen_require(`
- type initrc_t;
-+ type init_t;
- ')
-
- init_system_domain($1, $2)
-
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
-+ range_transition init_t $2:process $3;
- ')
-
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
-+ range_transition init_t $2:process $3;
- mls_rangetrans_target($1)
- ')
- ')
-
-+######################################
-+##
-+## Allow domain dyntransition to init_t domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`init_dyntrans',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dyntrans_pattern($1, init_t)
-+')
-+
- ########################################
- ##
- ## Mark the file type as a daemon run dir, allowing initrc_t
-@@ -458,6 +510,26 @@ interface(`init_domtrans',`
- ')
-
- domtrans_pattern($1, init_exec_t, init_t)
-+ allow $1 init_exec_t:file map;
-+')
-+
-+
-+########################################
-+##
-+## Allow any file point to be the entrypoint of this domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_entrypoint_exec',`
-+ gen_require(`
-+ type init_exec_t;
-+ ')
-+
-+ allow $1 init_exec_t:file entrypoint;
- ')
-
- ########################################
-@@ -469,7 +541,6 @@ interface(`init_domtrans',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`init_exec',`
- gen_require(`
-@@ -478,6 +549,48 @@ interface(`init_exec',`
-
- corecmd_search_bin($1)
- can_exec($1, init_exec_t)
-+
-+ optional_policy(`
-+ systemd_exec_systemctl($1)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Check access to the init/systemd executable.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_access_check',`
-+ gen_require(`
-+ type init_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 init_exec_t:file { getattr_file_perms execute };
-+')
-+
-+#######################################
-+##
-+## Dontaudit getattr on the init program.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`init_dontaudit_getattr_exec',`
-+ gen_require(`
-+ type init_exec_t;
-+ ')
-+
-+ dontaudit $1 init_exec_t:file getattr;
- ')
-
- ########################################
-@@ -566,6 +679,58 @@ interface(`init_sigchld',`
-
- ########################################
- ##
-+## Send generic signals to init.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_signal',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:process signal;
-+')
-+
-+########################################
-+##
-+## Create objects in the init_var_lib_t directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`init_var_lib_filetrans',`
-+ gen_require(`
-+ type init_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
- ## Connect to init with a unix socket.
- ##
- ##
-@@ -576,12 +741,87 @@ interface(`init_sigchld',`
- #
- interface(`init_stream_connect',`
- gen_require(`
-+ type init_t, init_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
-+ allow $1 init_t:unix_stream_socket getattr;
-+')
-+
-+########################################
-+##
-+## Connect to init with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_stream_connectto',`
-+ gen_require(`
- type init_t;
- ')
-
-+ files_search_pids($1)
- allow $1 init_t:unix_stream_socket connectto;
- ')
-
-+#######################################
-+##
-+## Dontaudit Connect to init with a unix socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_stream_connect',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dontaudit $1 init_t:unix_stream_socket connectto;
-+')
-+
-+######################################
-+##
-+## Dontaudit getattr to init with a unix socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_getattr_stream_socket',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dontaudit $1 init_t:unix_stream_socket getattr;
-+')
-+
-+######################################
-+##
-+## Dontaudit read and write to init with a unix socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_rw_stream_socket',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
-+')
-+
- ########################################
- ##
- ## Inherit and use file descriptors from init.
-@@ -743,22 +983,24 @@ interface(`init_write_initctl',`
- interface(`init_telinit',`
- gen_require(`
- type initctl_t;
-+ type init_t;
- ')
-
-+ corecmd_exec_bin($1)
-+
- dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file rw_fifo_file_perms;
-
- init_exec($1)
-
-- tunable_policy(`init_upstart',`
-- gen_require(`
-- type init_t;
-- ')
--
-- # upstart uses a datagram socket instead of initctl pipe
-- allow $1 self:unix_dgram_socket create_socket_perms;
-- allow $1 init_t:unix_dgram_socket sendto;
-- ')
-+ ps_process_pattern($1, init_t)
-+ allow $1 init_t:process signal;
-+ dontaudit $1 self:capability net_admin;
-+ # upstart uses a datagram socket instead of initctl pipe
-+ allow $1 self:unix_dgram_socket create_socket_perms;
-+ allow $1 init_t:unix_dgram_socket sendto;
-+ #576913
-+ allow $1 init_t:unix_stream_socket connectto;
- ')
-
- ########################################
-@@ -787,7 +1029,7 @@ interface(`init_rw_initctl',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -830,11 +1072,12 @@ interface(`init_script_file_entry_type',`
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
-@@ -845,11 +1088,11 @@ interface(`init_spec_domtrans_script',`
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
-@@ -865,23 +1108,45 @@ interface(`init_spec_domtrans_script',`
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
-+ attribute initrc_transition_domain;
- ')
-+ typeattribute $1 initrc_transition_domain;
-
- files_list_etc($1)
-- domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ##
-+## Execute a file in a bin directory
-+## in the initrc_t domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_bin_domtrans_spec',`
-+ gen_require(`
-+ type initrc_t;
-+ ')
-+
-+ corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+##
- ## Execute a init script in a specified domain.
- ##
- ##
-@@ -933,9 +1198,14 @@ interface(`init_script_file_domtrans',`
- interface(`init_labeled_script_domtrans',`
- gen_require(`
- type initrc_t;
-+ attribute initrc_transition_domain;
- ')
-
-+ typeattribute $1 initrc_transition_domain;
-+ # service script searches all filesystems via mountpoint
-+ fs_search_all($1)
- domtrans_pattern($1, $2, initrc_t)
-+ allow $1 $2:file ioctl;
- files_search_etc($1)
- ')
-
-@@ -992,7 +1262,7 @@ interface(`init_run_daemon',`
-
- ########################################
- ##
--## Read the process state (/proc/pid) of init.
-+## Allow execute all init daemon executables type without transition.
- ##
- ##
- ##
-@@ -1000,38 +1270,37 @@ interface(`init_run_daemon',`
- ##
- ##
- #
--interface(`init_read_state',`
-+interface(`init_exec_notrans_direct_init_entry',`
- gen_require(`
-- type init_t;
-+ attribute direct_init_entry;
- ')
-
-- allow $1 init_t:dir search_dir_perms;
-- allow $1 init_t:file read_file_perms;
-- allow $1 init_t:lnk_file read_lnk_file_perms;
-+ allow $1 direct_init_entry:file execute_no_trans;
- ')
-
- ########################################
- ##
--## Ptrace init
-+## Read the process state (/proc/pid) of init.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`init_ptrace',`
-+interface(`init_read_state',`
- gen_require(`
- type init_t;
- ')
-
-- allow $1 init_t:process ptrace;
-+ allow $1 init_t:dir search_dir_perms;
-+ allow $1 init_t:file read_file_perms;
-+ allow $1 init_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
--## Write an init script unnamed pipe.
-+## Dontaudit read the process state (/proc/pid) of init.
- ##
- ##
- ##
-@@ -1039,17 +1308,19 @@ interface(`init_ptrace',`
- ##
- ##
- #
--interface(`init_write_script_pipes',`
-+interface(`init_dontaudit_read_state',`
- gen_require(`
-- type initrc_t;
-+ type init_t;
- ')
-
-- allow $1 initrc_t:fifo_file write;
-+ dontaudit $1 init_t:dir search_dir_perms;
-+ dontaudit $1 init_t:file read_file_perms;
-+ dontaudit $1 init_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
--## Get the attribute of init script entrypoint files.
-+## Read the process keyring of init.
- ##
- ##
- ##
-@@ -1057,18 +1328,17 @@ interface(`init_write_script_pipes',`
- ##
- ##
- #
--interface(`init_getattr_script_files',`
-+interface(`init_read_key',`
- gen_require(`
-- type initrc_exec_t;
-+ type init_t;
- ')
-
-- files_list_etc($1)
-- allow $1 initrc_exec_t:file getattr;
-+ allow $1 init_t:key read;
- ')
-
- ########################################
- ##
--## Read init scripts.
-+## Write the process keyring of init.
- ##
- ##
- ##
-@@ -1076,18 +1346,94 @@ interface(`init_getattr_script_files',`
- ##
- ##
- #
--interface(`init_read_script_files',`
-+interface(`init_write_key',`
- gen_require(`
-- type initrc_exec_t;
-+ type init_t;
- ')
-
-- files_search_etc($1)
-- allow $1 initrc_exec_t:file read_file_perms;
-+ allow $1 init_t:key read;
- ')
-
- ########################################
- ##
--## Execute init scripts in the caller domain.
-+## Ptrace init
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`init_ptrace',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 init_t:process ptrace;
-+ ')
-+')
-+
-+########################################
-+##
-+## Write an init script unnamed pipe.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_write_script_pipes',`
-+ gen_require(`
-+ type initrc_t;
-+ ')
-+
-+ allow $1 initrc_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Get the attribute of init script entrypoint files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_getattr_script_files',`
-+ gen_require(`
-+ type initrc_exec_t;
-+ ')
-+
-+ files_list_etc($1)
-+ allow $1 initrc_exec_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Read init scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_read_script_files',`
-+ gen_require(`
-+ type initrc_exec_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 initrc_exec_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute init scripts in the caller domain.
- ##
- ##
- ##
-@@ -1125,6 +1471,63 @@ interface(`init_getattr_all_script_files',`
-
- ########################################
- ##
-+## Allow the specified domain to modify the systemd configuration of
-+## all init scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_config_all_script_files',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ allow $1 init_script_file_type:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## transient scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_config_transient_files',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## transient scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_manage_config_transient_files',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:service manage_service_perms;
-+')
-+
-+########################################
-+##
- ## Read all init script files.
- ##
- ##
-@@ -1144,6 +1547,24 @@ interface(`init_read_all_script_files',`
-
- #######################################
- ##
-+## Dontaudit getattr all init script files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_getattr_all_script_files',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ dontaudit $1 init_script_file_type:file getattr;
-+')
-+
-+#######################################
-+##
- ## Dontaudit read all init script files.
- ##
- ##
-@@ -1195,12 +1616,7 @@ interface(`init_read_script_state',`
- ')
-
- kernel_search_proc($1)
-- read_files_pattern($1, initrc_t, initrc_t)
-- read_lnk_files_pattern($1, initrc_t, initrc_t)
-- list_dirs_pattern($1, initrc_t, initrc_t)
--
-- # should move this to separate interface
-- allow $1 initrc_t:process getattr;
-+ ps_process_pattern($1, initrc_t)
- ')
-
- ########################################
-@@ -1314,6 +1730,24 @@ interface(`init_signal_script',`
-
- ########################################
- ##
-+## Send kill signals to init scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_sigkill_script',`
-+ gen_require(`
-+ type initrc_t;
-+ ')
-+
-+ allow $1 initrc_t:process sigkill;
-+')
-+
-+########################################
-+##
- ## Send null signals to init scripts.
- ##
- ##
-@@ -1440,6 +1874,27 @@ interface(`init_dbus_send_script',`
- ########################################
- ##
- ## Send and receive messages from
-+## init over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_dbus_chat',`
-+ gen_require(`
-+ type init_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 init_t:dbus send_msg;
-+ allow init_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
- ## init scripts over dbus.
- ##
- ##
-@@ -1547,6 +2002,25 @@ interface(`init_getattr_script_status_files',`
-
- ########################################
- ##
-+## Manage init script
-+## status files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_manage_script_status_files',`
-+ gen_require(`
-+ type initrc_state_t;
-+ ')
-+
-+ manage_files_pattern($1, initrc_state_t, initrc_state_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read init script
- ## status files.
- ##
-@@ -1605,6 +2079,42 @@ interface(`init_rw_script_tmp_files',`
-
- ########################################
- ##
-+## Do not audit attempts to read initrc_tmp_t files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_write_initrc_tmp',`
-+ gen_require(`
-+ type initrc_tmp_t;
-+ ')
-+
-+ dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write init script inherited temporary data.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_rw_inherited_script_tmp_files',`
-+ gen_require(`
-+ type initrc_tmp_t;
-+ ')
-+
-+ allow $1 initrc_tmp_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Create files in a init script
- ## temporary data directory.
- ##
-@@ -1677,6 +2187,43 @@ interface(`init_read_utmp',`
-
- ########################################
- ##
-+## Read utmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_read_machineid',`
-+ gen_require(`
-+ type machineid_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 machineid_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read utmp.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_read_utmp',`
-+ gen_require(`
-+ type initrc_var_run_t;
-+ ')
-+
-+ dontaudit $1 initrc_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write utmp.
- ##
- ##
-@@ -1765,7 +2312,7 @@ interface(`init_dontaudit_rw_utmp',`
- type initrc_var_run_t;
- ')
-
-- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
-+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
- ')
-
- ########################################
-@@ -1806,30 +2353,157 @@ interface(`init_pid_filetrans_utmp',`
- files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
- ')
-
--########################################
-+######################################
- ##
--## Allow the specified domain to connect to daemon with a tcp socket
-+## Allow search directory in the /run/systemd directory.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`init_tcp_recvfrom_all_daemons',`
-- gen_require(`
-- attribute daemon;
-- ')
-+interface(`init_search_pid_dirs',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-
-- corenet_tcp_recvfrom_labeled($1, daemon)
-+ allow $1 init_var_run_t:dir search_dir_perms;
- ')
-
--########################################
-+######################################
- ##
--## Allow the specified domain to connect to daemon with a udp socket
-+## Allow listing of the /run/systemd directory.
- ##
- ##
--##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_list_pid_dirs',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:dir list_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create a directory in the /run/systemd directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_create_pid_dirs',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:dir list_dir_perms;
-+ create_dirs_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+#######################################
-+##
-+## Create objects in /run/systemd directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`init_pid_filetrans',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
-+')
-+
-+#######################################
-+##
-+## Create objects in /run/systemd directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`init_named_pid_filetrans',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to connect to daemon with a tcp socket
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_tcp_recvfrom_all_daemons',`
-+ gen_require(`
-+ attribute daemon;
-+ ')
-+
-+ corenet_tcp_recvfrom_labeled($1, daemon)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to connect to daemon with a udp socket
-+##
-+##
-+##
- ## Domain allowed access.
- ##
- ##
-@@ -1840,3 +2514,584 @@ interface(`init_udp_recvfrom_all_daemons',`
- ')
- corenet_udp_recvfrom_labeled($1, daemon)
- ')
-+
-+########################################
-+##
-+## Transition to system_r when execute an init script
-+##
-+##
-+##
-+## Execute a init script in a specified role
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Role to transition from.
-+##
-+##
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
-+
-+########################################
-+##
-+## dontaudit read and write an leaked init scrip file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_script_leaks',`
-+ gen_require(`
-+ type initrc_t;
-+ ')
-+
-+ dontaudit $1 initrc_t:socket_class_set { read write };
-+ dontaudit $1 initrc_t:shm rw_shm_perms;
-+ init_dontaudit_use_script_ptys($1)
-+ init_dontaudit_use_script_fds($1)
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to ioctl an
-+## init with a unix domain stream sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_ioctl_stream_sockets',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_stream_socket ioctl;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read/write to
-+## init with a unix domain stream sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_rw_stream_sockets',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to write to
-+## init sock file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_write_pid_socket',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:sock_file write;
-+')
-+
-+########################################
-+##
-+## Send a message to init over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_dgram_send',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
-+## Send a message to init over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_stream_send',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_stream_socket sendto;
-+')
-+
-+########################################
-+##
-+## Create a file type used for init socket files.
-+##
-+##
-+##
-+## This defines a type that init can create sock_file within for
-+## impersonation purposes
-+##
-+##
-+##
-+##
-+## Type to be used for a sock file.
-+##
-+##
-+##
-+#
-+interface(`init_sock_file',`
-+ gen_require(`
-+ attribute init_sock_file_type;
-+ ')
-+
-+ typeattribute $1 init_sock_file_type;
-+
-+')
-+
-+########################################
-+##
-+## Read init unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_read_pipes',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+########################################
-+##
-+## Read/Write init unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_rw_pipes',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+#######################################
-+##
-+## Read and write init TCP sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_rw_tcp_sockets',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:tcp_socket { read write getattr };
-+')
-+
-+########################################
-+##
-+## Get the system status information from init
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_status',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system status;
-+ allow $1 init_t:service status;
-+')
-+
-+########################################
-+##
-+## Stop system from init
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_stop',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system stop;
-+')
-+
-+########################################
-+##
-+## Start system from init
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_start',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system start;
-+')
-+
-+########################################
-+##
-+## Tell init to reboot the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_reboot',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system reboot;
-+ systemd_config_power_services($1)
-+')
-+
-+########################################
-+##
-+## Tell init to enable the services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_enable_services',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system enable;
-+')
-+
-+########################################
-+##
-+## Tell init to disable the services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_disable_services',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system disable;
-+')
-+
-+########################################
-+##
-+## Tell init to reload the services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_reload_services',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system reload;
-+')
-+
-+########################################
-+##
-+## Tell init to halt the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_halt',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system halt;
-+ systemd_config_power_services($1)
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_undefined',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system undefined;
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_start_transient_unit',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:service start;
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_enable_transient_unit',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:service enable;
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_disable_transient_unit',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:service disable;
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_stop_transient_unit',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:service stop;
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_reload_transient_unit',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:service reload;
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_status_transient_unit',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:service status;
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_manage_transient_unit',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:service manage_service_perms;
-+')
-+
-+########################################
-+##
-+## Transition to init named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_filetrans_named_content',`
-+ gen_require(`
-+ type init_var_run_t;
-+ type initrc_var_run_t;
-+ type machineid_t;
-+ type initctl_t;
-+ type systemd_unit_file_t;
-+ ')
-+
-+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
-+ files_pid_filetrans($1, init_var_run_t, file, "random-seed")
-+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
-+ files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
-+ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
-+ init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
-+')
-+
-+########################################
-+##
-+## Read systemd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_read_var_lib_files',`
-+ gen_require(`
-+ type init_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, init_var_lib_t, init_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Search systemd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_search_var_lib_dirs',`
-+ gen_require(`
-+ type init_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 init_var_lib_t:dir search_dir_perms;
-+')
-+
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..c60c4d8e0 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -11,10 +11,31 @@ gen_require(`
-
- ##
- ##
--## Enable support for upstart as the init program.
-+## Allow all daemons to use tcp wrappers.
- ##
- ##
--gen_tunable(init_upstart, false)
-+gen_tunable(daemons_use_tcp_wrapper, false)
-+
-+##
-+##
-+## Allow all daemons the ability to read/write terminals
-+##
-+##
-+gen_tunable(daemons_use_tty, false)
-+
-+##
-+##
-+## Allow all daemons to write corefiles to /
-+##
-+##
-+gen_tunable(daemons_dump_core, false)
-+
-+##
-+##
-+## Enable cluster mode for daemons.
-+##
-+##
-+gen_tunable(daemons_enable_cluster_mode, false)
-
- # used for direct running of init scripts
- # by admin domains
-@@ -25,9 +46,17 @@ attribute direct_init_entry;
- attribute init_script_domain_type;
- attribute init_script_file_type;
- attribute init_run_all_scripts_domain;
-+attribute initrc_transition_domain;
-+# Attribute used for systemd so domains can allow systemd to create sock_files
-+attribute init_sock_file_type;
-
- # Mark process types as daemons
- attribute daemon;
-+attribute systemprocess;
-+attribute systemprocess_entry;
-+
-+# Mark process types as initrc domain
-+attribute initrc_domain;
-
- # Mark file type as a daemon run directory
- attribute daemonrundir;
-@@ -35,12 +64,21 @@ attribute daemonrundir;
- #
- # init_t is the domain of the init process.
- #
--type init_t;
-+type init_t, initrc_transition_domain;
- type init_exec_t;
- domain_type(init_t)
- domain_entry_file(init_t, init_exec_t)
-+domain_role_change_exemption(init_t)
-+domain_subj_id_change_exemption(init_t)
- kernel_domtrans_to(init_t, init_exec_t)
- role system_r types init_t;
-+init_initrc_domain(init_t)
-+
-+#
-+# init_tmp_t is the type for content in /tmp directory
-+#
-+type init_tmp_t;
-+files_tmp_file(init_tmp_t)
-
- #
- # init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +87,15 @@ type init_var_run_t;
- files_pid_file(init_var_run_t)
-
- #
-+# init_var_lib_t is the type for /var/lib/systemd
-+#
-+type init_var_lib_t;
-+files_type(init_var_lib_t)
-+
-+type machineid_t;
-+files_config_file(machineid_t)
-+
-+#
- # initctl_t is the type of the named pipe created
- # by init during initialization. This pipe is used
- # to communicate with init.
-@@ -57,7 +104,7 @@ type initctl_t;
- files_type(initctl_t)
- mls_trusted_object(initctl_t)
-
--type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
-+type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain;
- type initrc_exec_t, init_script_file_type;
- domain_type(initrc_t)
- domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +113,7 @@ role system_r types initrc_t;
- # of the below init_upstart tunable
- # but this has a typeattribute in it
- corecmd_shell_entry_type(initrc_t)
-+corecmd_bin_entry_type(initrc_t)
-
- type initrc_devpts_t;
- term_pty(initrc_devpts_t)
-@@ -98,7 +146,12 @@ ifdef(`enable_mls',`
- #
-
- # Use capabilities. old rule:
--allow init_t self:capability ~sys_module;
-+allow init_t self:capability ~{ audit_control audit_write sys_module };
-+allow init_t self:capability2 ~{ mac_admin mac_override };
-+allow init_t self:cap_userns all_cap_userns_perms;
-+allow init_t self:tcp_socket { listen accept };
-+allow init_t self:packet_socket create_socket_perms;
-+allow init_t self:key manage_key_perms;
- # is ~sys_module really needed? observed:
- # sys_boot
- # sys_tty_config
-@@ -108,14 +161,49 @@ allow init_t self:capability ~sys_module;
-
- allow init_t self:fifo_file rw_fifo_file_perms;
-
-+allow init_t self:service manage_service_perms;
-+
- # Re-exec itself
- can_exec(init_t, init_exec_t)
--
--allow init_t initrc_t:unix_stream_socket connectto;
--
--# For /var/run/shutdown.pid.
--allow init_t init_var_run_t:file manage_file_perms;
--files_pid_filetrans(init_t, init_var_run_t, file)
-+# executing content in /run/initramfs
-+manage_files_pattern(init_t, initrc_state_t, initrc_state_t)
-+can_exec(init_t, initrc_state_t)
-+
-+allow daemon initrc_t:unix_dgram_socket sendto;
-+allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
-+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
-+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
-+
-+manage_files_pattern(init_t, init_tmp_t, init_tmp_t)
-+manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
-+manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
-+files_tmp_filetrans(init_t, init_tmp_t, { file })
-+
-+manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+files_var_lib_filetrans(init_t, init_var_lib_t, { dir file })
-+allow init_t init_var_lib_t:dir mounton;
-+
-+manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_blk_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_chr_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+files_pid_filetrans(init_t, init_var_run_t, { dir file blk_file chr_file fifo_file})
-+allow init_t init_var_run_t:dir mounton;
-+allow init_t init_var_run_t:sock_file relabelto;
-+allow init_t init_var_run_t:blk_file { getattr relabelto };
-+allow init_t init_var_run_t:chr_file { getattr relabelto };
-+allow init_t init_var_run_t:fifo_file { getattr relabelto };
-+
-+allow init_t machineid_t:file manage_file_perms;
-+files_pid_filetrans(init_t, machineid_t, file, "machine-id")
-+files_etc_filetrans(init_t, machineid_t, file, "machine-id")
-+allow init_t machineid_t:file mounton;
-
- allow init_t initctl_t:fifo_file manage_fifo_file_perms;
- dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +213,29 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
-
- kernel_read_system_state(init_t)
- kernel_share_state(init_t)
-+kernel_stream_connect(init_t)
-+kernel_rw_stream_socket_perms(init_t)
-+kernel_rw_unix_dgram_sockets(init_t)
-+kernel_mounton_systemd_ProtectKernelTunables(init_t)
-
- corecmd_exec_chroot(init_t)
- corecmd_exec_bin(init_t)
-
--dev_read_sysfs(init_t)
-+corenet_all_recvfrom_netlabel(init_t)
-+corenet_tcp_bind_all_ports(init_t)
-+corenet_udp_bind_all_ports(init_t)
-+
-+dev_create_all_chr_files(init_t)
-+dev_list_sysfs(init_t)
-+dev_manage_sysfs(init_t)
-+dev_read_urand(init_t)
-+dev_read_raw_memory(init_t)
- # Early devtmpfs
- dev_rw_generic_chr_files(init_t)
-+dev_filetrans_all_named_dev(init_t)
-+dev_write_watchdog(init_t)
-+dev_rw_inherited_input_dev(init_t)
-+dev_rw_dri(init_t)
-
- domain_getpgid_all_domains(init_t)
- domain_kill_all_domains(init_t)
-@@ -139,45 +243,105 @@ domain_signal_all_domains(init_t)
- domain_signull_all_domains(init_t)
- domain_sigstop_all_domains(init_t)
- domain_sigchld_all_domains(init_t)
--
--files_read_etc_files(init_t)
-+domain_read_all_domains_state(init_t)
-+domain_getattr_all_domains(init_t)
-+domain_setrlimit_all_domains(init_t)
-+domain_rlimitinh_all_domains(init_t)
-+
-+files_read_config_files(init_t)
-+files_read_all_pids(init_t)
-+files_read_system_conf_files(init_t)
- files_rw_generic_pids(init_t)
- files_dontaudit_search_isid_type_dirs(init_t)
-+files_read_isid_type_files(init_t)
-+files_read_etc_runtime_files(init_t)
-+files_manage_all_locks(init_t)
- files_manage_etc_runtime_files(init_t)
-+files_manage_etc_symlinks(init_t)
- files_etc_filetrans_etc_runtime(init_t, file)
- # Run /etc/X11/prefdm:
- files_exec_etc_files(init_t)
-+files_read_usr_files(init_t)
-+files_write_root_dirs(init_t)
- # file descriptors inherited from the rootfs:
- files_dontaudit_rw_root_files(init_t)
- files_dontaudit_rw_root_chr_files(init_t)
-+files_dontaudit_mounton_modules_object(init_t)
-+files_manage_mnt_dirs(init_t)
-+files_manage_mnt_files(init_t)
-
- fs_list_inotifyfs(init_t)
- # cjp: this may be related to /dev/log
- fs_write_ramfs_sockets(init_t)
-
-+fs_read_efivarfs_files(init_t)
-+fs_read_nfsd_files(init_t)
-+
-+fstools_getattr_swap_files(init_t)
-+
- mcs_process_set_categories(init_t)
--mcs_killall(init_t)
-
- mls_file_read_all_levels(init_t)
- mls_file_write_all_levels(init_t)
--mls_process_write_down(init_t)
-+mls_file_downgrade(init_t)
-+mls_file_upgrade(init_t)
- mls_fd_use_all_levels(init_t)
-+mls_fd_share_all_levels(init_t)
-+mls_process_set_level(init_t)
-+mls_process_write_down(init_t)
-+mls_socket_read_all_levels(init_t)
-+mls_socket_write_all_levels(init_t)
-+mls_rangetrans_source(init_t)
-
- selinux_set_all_booleans(init_t)
--
--term_use_all_terms(init_t)
-+selinux_load_policy(init_t)
-+selinux_mounton_fs(init_t)
-+allow init_t security_t:security load_policy;
-+
-+selinux_compute_access_vector(init_t)
-+selinux_compute_create_context(init_t)
-+selinux_compute_user_contexts(init_t)
-+selinux_validate_context(init_t)
-+selinux_unmount_fs(init_t)
-+
-+term_create_pty_dir(init_t)
-+term_use_unallocated_ttys(init_t)
-+term_use_console(init_t)
-+term_use_all_inherited_terms(init_t)
-+term_use_generic_ptys(init_t)
-
- # Run init scripts.
- init_domtrans_script(init_t)
-+init_exec_notrans_direct_init_entry(init_t)
-
- libs_rw_ld_so_cache(init_t)
-
-+logging_create_devlog_dev(init_t)
- logging_send_syslog_msg(init_t)
-+logging_send_audit_msgs(init_t)
- logging_rw_generic_logs(init_t)
-+logging_relabel_devlog_dev(init_t)
-+logging_manage_audit_config(init_t)
-+logging_create_syslog_netlink_audit_socket(init_t)
-
- seutil_read_config(init_t)
-+seutil_read_default_contexts(init_t)
-+seutil_read_module_store(init_t)
-+
-+miscfiles_manage_localization(init_t)
-+miscfiles_filetrans_named_content(init_t)
-+
-+udev_manage_rules_files(init_t)
-+
-+userdom_use_user_ttys(init_t)
-+userdom_manage_tmp_dirs(init_t)
-+userdom_manage_tmp_sockets(init_t)
-
--miscfiles_read_localization(init_t)
-+userdom_transition_login_userdomain(init_t)
-+userdom_noatsecure_login_userdomain(init_t)
-+userdom_sigchld_login_userdomain(init_t)
-+
-+allow init_t self:process setsched;
-
- ifdef(`distro_gentoo',`
- allow init_t self:process { getcap setcap };
-@@ -186,29 +350,304 @@ ifdef(`distro_gentoo',`
- ')
-
- ifdef(`distro_redhat',`
-+ fs_manage_tmpfs_files(init_t)
-+ fs_manage_tmpfs_symlinks(init_t)
-+ fs_manage_tmpfs_sockets(init_t)
-+ fs_manage_tmpfs_chr_files(init_t)
-+ fs_exec_tmpfs_files(init_t)
- fs_read_tmpfs_symlinks(init_t)
-- fs_rw_tmpfs_chr_files(init_t)
- fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
-+ fs_tmpfs_filetrans_named_content(init_t)
-+
-+ logging_stream_connect_syslog(init_t)
-+ logging_relabel_syslog_pid_socket(init_t)
- ')
-
--tunable_policy(`init_upstart',`
-- corecmd_shell_domtrans(init_t, initrc_t)
--',`
-- # Run the shell in the sysadm role for single-user mode.
-- # causes problems with upstart
-- sysadm_shell_domtrans(init_t)
-+corecmd_shell_domtrans(init_t, initrc_t)
-+
-+storage_raw_rw_fixed_disk(init_t)
-+
-+sysnet_read_dhcpc_state(init_t)
-+
-+optional_policy(`
-+ chronyd_read_keys(init_t)
-+')
-+
-+optional_policy(`
-+ fprintd_exec(init_t)
-+ fprintd_mounton_var_lib(init_t)
-+')
-+
-+optional_policy(`
-+ apache_delete_tmp(init_t)
-+ apache_noatsecure(init_t)
-+')
-+
-+optional_policy(`
-+ journalctl_exec(init_t)
-+')
-+
-+optional_policy(`
-+ kdump_read_crash(init_t)
-+ kdump_read_config(init_t)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(init_t)
-+ gnome_manage_data(init_t)
-+ gnome_manage_config(init_t)
-+')
-+
-+optional_policy(`
-+ gssproxy_noatsecure(init_t)
-+')
-+
-+optional_policy(`
-+ rpc_gssd_noatsecure(init_t)
-+')
-+
-+optional_policy(`
-+ anaconda_domtrans_install(init_t)
-+')
-+
-+optional_policy(`
-+ ipa_delete_tmp(init_t)
-+')
-+
-+optional_policy(`
-+ rpm_read_db(init_t)
-+')
-+
-+optional_policy(`
-+ iscsi_read_lib_files(init_t)
-+ iscsi_manage_lock(init_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(init_t)
-+ modutils_list_module_config(init_t)
-+')
-+
-+optional_policy(`
-+ postfix_exec(init_t)
-+ postfix_list_spool(init_t)
-+ mta_read_config(init_t)
-+ mta_manage_aliases(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
-+ raid_relabel_mdadm_var_run_content(init_t)
- ')
-
- optional_policy(`
-+ systemd_allow_mount_dir(init_t)
-+')
-+
-+allow init_t self:system all_system_perms;
-+allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
-+allow init_t self:process { getcap setcap };
-+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
-+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow init_t self:netlink_selinux_socket create_socket_perms;
-+allow init_t self:unix_dgram_socket lock;
-+# Until systemd is fixed
-+allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
-+allow init_t self:udp_socket create_socket_perms;
-+allow init_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+allow init_t initrc_t:unix_dgram_socket create_socket_perms;
-+
-+kernel_list_unlabeled(init_t)
-+kernel_read_network_state(init_t)
-+kernel_rw_all_sysctls(init_t)
-+kernel_rw_security_state(init_t)
-+kernel_rw_usermodehelper_state(init_t)
-+kernel_read_software_raid_state(init_t)
-+kernel_unmount_debugfs(init_t)
-+kernel_setsched(init_t)
-+
-+dev_write_kmsg(init_t)
-+dev_write_urand(init_t)
-+dev_rw_lvm_control(init_t)
-+dev_rw_autofs(init_t)
-+dev_manage_generic_symlinks(init_t)
-+dev_manage_generic_dirs(init_t)
-+dev_manage_generic_files(init_t)
-+dev_read_generic_chr_files(init_t)
-+dev_relabel_generic_dev_dirs(init_t)
-+dev_relabel_all_dev_nodes(init_t)
-+dev_relabel_all_dev_files(init_t)
-+dev_manage_sysfs_dirs(init_t)
-+dev_relabel_sysfs_dirs(init_t)
-+dev_rw_wireless(init_t)
-+
-+files_search_all(init_t)
-+files_mounton_all_mountpoints(init_t)
-+files_mounton_etc(init_t)
-+files_unmount_all_file_type_fs(init_t)
-+files_manage_all_pid_dirs(init_t)
-+files_manage_etc_dirs(init_t)
-+files_manage_generic_tmp_dirs(init_t)
-+files_relabel_all_pid_dirs(init_t)
-+files_relabel_all_pid_files(init_t)
-+files_create_all_pid_sockets(init_t)
-+files_delete_all_pids(init_t)
-+files_exec_generic_pid_files(init_t)
-+files_create_all_pid_pipes(init_t)
-+files_create_all_spool_sockets(init_t)
-+files_delete_all_spool_sockets(init_t)
-+files_manage_urandom_seed(init_t)
-+files_list_locks(init_t)
-+files_list_spool(init_t)
-+files_list_var(init_t)
-+files_list_boot(init_t)
-+files_list_home(init_t)
-+files_create_lock_dirs(init_t)
-+files_relabel_all_lock_dirs(init_t)
-+files_relabel_var_dirs(init_t)
-+files_relabel_var_lib_dirs(init_t)
-+files_read_kernel_modules(init_t)
-+files_map_kernel_modules(init_t)
-+files_dontaudit_mounton_isid(init_t)
-+fs_getattr_all_fs(init_t)
-+fs_manage_cgroup_dirs(init_t)
-+fs_manage_cgroup_files(init_t)
-+fs_manage_hugetlbfs_dirs(init_t)
-+fs_manage_tmpfs_dirs(init_t)
-+fs_relabel_tmpfs_blk_file(init_t)
-+fs_relabel_tmpfs_chr_file(init_t)
-+fs_relabel_pstore_dirs(init_t)
-+fs_relabel_tmpfs_dirs(init_t)
-+fs_relabel_tmpfs_files(init_t)
-+fs_relabel_tmpfs_fifo_files(init_t)
-+fs_mount_all_fs(init_t)
-+fs_unmount_all_fs(init_t)
-+fs_remount_all_fs(init_t)
-+fs_list_all(init_t)
-+fs_list_auto_mountpoints(init_t)
-+fs_register_binary_executable_type(init_t)
-+fs_relabel_tmpfs_sock_file(init_t)
-+fs_rw_tmpfs_files(init_t)
-+fs_relabel_cgroup_dirs(init_t)
-+fs_search_cgroup_dirs(init_t)
-+# for network namespaces
-+fs_read_nsfs_files(init_t)
-+
-+storage_getattr_removable_dev(init_t)
-+
-+term_relabel_ptys_dirs(init_t)
-+
-+auth_relabel_login_records(init_t)
-+auth_relabel_pam_console_data_dirs(init_t)
-+
-+clock_read_adjtime(init_t)
-+
-+init_read_script_state(init_t)
-+
-+modutils_read_module_config(init_t)
-+
-+seutil_read_file_contexts(init_t)
-+
-+systemd_exec_systemctl(init_t)
-+systemd_manage_home_content(init_t)
-+systemd_manage_unit_dirs(init_t)
-+systemd_manage_random_seed(init_t)
-+systemd_manage_all_unit_files(init_t)
-+systemd_logger_stream_connect(init_t)
-+systemd_login_manage_pid_files(init_t)
-+systemd_config_all_services(init_t)
-+systemd_relabelto_fifo_file_passwd_run(init_t)
-+systemd_relabel_unit_dirs(init_t)
-+systemd_relabel_unit_files(init_t)
-+systemd_manage_unit_dirs(initrc_t)
-+systemd_manage_unit_symlinks(initrc_t)
-+systemd_config_all_services(initrc_t)
-+systemd_read_unit_files(initrc_t)
-+systemd_login_status(init_t)
-+systemd_map_networkd_exec_files(init_t)
-+systemd_map_resolved_exec_files(init_t)
-+
-+create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-+
-+auth_use_nsswitch(init_t)
-+auth_rw_login_records(init_t)
-+auth_domtrans_chk_passwd(init_t)
-+
-+ifdef(`distro_redhat',`
-+ # it comes from setupr scripts used in systemd unit files
-+ # has been covered by initrc_t
-+ optional_policy(`
-+ bind_manage_config_dirs(init_t)
-+ bind_manage_config(init_t)
-+ bind_write_config(init_t)
-+ bind_setattr_zone_dirs(init_t)
-+ ')
-+
-+ optional_policy(`
-+ ipsec_read_config(init_t)
-+ ipsec_manage_pid(init_t)
-+ ipsec_stream_connect(init_t)
-+ ')
-+
-+ optional_policy(`
-+ rpc_manage_nfs_state_data(init_t)
-+ ')
-+
-+ optional_policy(`
-+ sysnet_relabelfrom_dhcpc_state(init_t)
-+ sysnet_setattr_dhcp_state(init_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ lvm_rw_pipes(init_t)
-+ lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
-+ lldpad_relabel_tmpfs(init_t)
-+')
-+
-+optional_policy(`
-+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
-+ dbus_connect_system_bus(init_t)
- dbus_system_bus_client(init_t)
-+ dbus_delete_pid_files(init_t)
-+
-+ optional_policy(`
-+ devicekit_dbus_chat_power(init_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
-+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
-+ # the directory. But we do not want to allow this.
-+ # The master process of dovecot will manage this file.
-+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
-+ mount_rw_pid_files(init_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_stream_connect(init_t)
-+ networkmanager_stream_connect(initrc_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
-+ plymouthd_stream_connect(init_t)
-+ plymouthd_exec_plymouth(init_t)
-+ plymouthd_filetrans_named_content(init_t)
-+')
-+
-+optional_policy(`
-+ ssh_getattr_server_keys(init_t)
- ')
-
- optional_policy(`
-@@ -216,7 +655,36 @@ optional_policy(`
- ')
-
- optional_policy(`
-- unconfined_domain(init_t)
-+ rpcbind_filetrans_named_content(init_t)
-+ rpcbind_relabel_sock_file(init_t)
-+')
-+
-+optional_policy(`
-+ systemd_filetrans_named_content(init_t)
-+')
-+
-+optional_policy(`
-+ sysnet_filetrans_cloud_net_conf(init_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(init_t)
-+ udev_relabelto_db(init_t)
-+ udev_create_kobject_uevent_socket(init_t)
-+ udev_relabel_pid_sockfile(init_t)
-+')
-+
-+optional_policy(`
-+ xserver_relabel_xdm_tmp_dirs(init_t)
-+ xserver_manage_xdm_tmp_dirs(init_t)
-+ xserver_read_xdm_lib_files(init_t)
-+')
-+
-+optional_policy(`
-+ domain_named_filetrans(init_t)
-+ unconfined_server_domtrans(init_t)
-+ unconfined_server_noatsecure(init_t)
-+ unconfined_server_create_tcp_sockets(init_t)
- ')
-
- ########################################
-@@ -225,9 +693,9 @@ optional_policy(`
- #
-
- allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
--allow initrc_t self:capability ~{ sys_admin sys_module };
-+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
- allow initrc_t self:capability2 block_suspend;
--dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
-+dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
- allow initrc_t self:passwd rootok;
- allow initrc_t self:key manage_key_perms;
-
-@@ -258,12 +726,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
-
- allow initrc_t initrc_var_run_t:file manage_file_perms;
- files_pid_filetrans(initrc_t, initrc_var_run_t, file)
-+files_manage_generic_pids_symlinks(initrc_t)
-+files_create_var_run_dirs(initrc_t)
-+files_relabelfrom_isid_type(initrc_t)
-
- can_exec(initrc_t, initrc_tmp_t)
- manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
- manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
- manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
- files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
-+allow initrc_t initrc_tmp_t:dir relabelfrom;
-
- manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
- manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +751,36 @@ kernel_change_ring_buffer_level(initrc_t)
- kernel_clear_ring_buffer(initrc_t)
- kernel_get_sysvipc_info(initrc_t)
- kernel_read_all_sysctls(initrc_t)
-+kernel_request_load_module(initrc_t)
- kernel_rw_all_sysctls(initrc_t)
- # for lsof which is used by alsa shutdown:
- kernel_dontaudit_getattr_message_if(initrc_t)
-+kernel_stream_connect(initrc_t)
-+files_read_kernel_modules(initrc_t)
-+files_read_config_files(initrc_t)
-+files_read_var_lib_symlinks(initrc_t)
-+files_setattr_pid_dirs(initrc_t)
-
- files_create_lock_dirs(initrc_t)
- files_pid_filetrans_lock_dir(initrc_t, "lock")
- files_read_kernel_symbol_table(initrc_t)
--files_setattr_lock_dirs(initrc_t)
-+files_exec_etc_files(initrc_t)
-+files_manage_etc_symlinks(initrc_t)
-+files_manage_system_conf_files(initrc_t)
-+
-+fs_manage_tmpfs_dirs(initrc_t)
-+fs_manage_tmpfs_symlinks(initrc_t)
-+fs_delete_tmpfs_files(initrc_t)
-+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
-+fs_read_nfsd_files(initrc_t)
-
- corecmd_exec_all_executables(initrc_t)
-
--corenet_all_recvfrom_unlabeled(initrc_t)
- corenet_all_recvfrom_netlabel(initrc_t)
--corenet_tcp_sendrecv_all_if(initrc_t)
--corenet_udp_sendrecv_all_if(initrc_t)
--corenet_tcp_sendrecv_all_nodes(initrc_t)
--corenet_udp_sendrecv_all_nodes(initrc_t)
-+corenet_tcp_sendrecv_generic_if(initrc_t)
-+corenet_udp_sendrecv_generic_if(initrc_t)
-+corenet_tcp_sendrecv_generic_node(initrc_t)
-+corenet_udp_sendrecv_generic_node(initrc_t)
- corenet_tcp_sendrecv_all_ports(initrc_t)
- corenet_udp_sendrecv_all_ports(initrc_t)
- corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +788,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
-
- dev_read_rand(initrc_t)
- dev_read_urand(initrc_t)
-+dev_dontaudit_read_kmsg(initrc_t)
- dev_write_kmsg(initrc_t)
- dev_write_rand(initrc_t)
- dev_write_urand(initrc_t)
-+dev_write_watchdog(initrc_t)
- dev_rw_sysfs(initrc_t)
- dev_list_usbfs(initrc_t)
- dev_read_framebuffer(initrc_t)
-@@ -313,8 +800,10 @@ dev_write_framebuffer(initrc_t)
- dev_read_realtime_clock(initrc_t)
- dev_read_sound_mixer(initrc_t)
- dev_write_sound_mixer(initrc_t)
-+dev_setattr_generic_dirs(initrc_t)
- dev_setattr_all_chr_files(initrc_t)
- dev_rw_lvm_control(initrc_t)
-+dev_rw_generic_chr_files(initrc_t)
- dev_delete_lvm_control_dev(initrc_t)
- dev_manage_generic_symlinks(initrc_t)
- dev_manage_generic_files(initrc_t)
-@@ -322,8 +811,7 @@ dev_manage_generic_files(initrc_t)
- dev_delete_generic_symlinks(initrc_t)
- dev_getattr_all_blk_files(initrc_t)
- dev_getattr_all_chr_files(initrc_t)
--# Early devtmpfs
--dev_rw_generic_chr_files(initrc_t)
-+dev_rw_xserver_misc(initrc_t)
-
- domain_kill_all_domains(initrc_t)
- domain_signal_all_domains(initrc_t)
-@@ -332,7 +820,6 @@ domain_sigstop_all_domains(initrc_t)
- domain_sigchld_all_domains(initrc_t)
- domain_read_all_domains_state(initrc_t)
- domain_getattr_all_domains(initrc_t)
--domain_dontaudit_ptrace_all_domains(initrc_t)
- domain_getsession_all_domains(initrc_t)
- domain_use_interactive_fds(initrc_t)
- # for lsof which is used by alsa shutdown:
-@@ -340,6 +827,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
- domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
- domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
- domain_dontaudit_getattr_all_pipes(initrc_t)
-+domain_obj_id_change_exemption(initrc_t)
-
- files_getattr_all_dirs(initrc_t)
- files_getattr_all_files(initrc_t)
-@@ -347,14 +835,15 @@ files_getattr_all_symlinks(initrc_t)
- files_getattr_all_pipes(initrc_t)
- files_getattr_all_sockets(initrc_t)
- files_purge_tmp(initrc_t)
--files_delete_all_locks(initrc_t)
-+files_manage_all_locks(initrc_t)
-+files_manage_boot_files(initrc_t)
- files_read_all_pids(initrc_t)
-+files_delete_root_files(initrc_t)
- files_delete_all_pids(initrc_t)
- files_delete_all_pid_dirs(initrc_t)
- files_read_etc_files(initrc_t)
- files_manage_etc_runtime_files(initrc_t)
- files_etc_filetrans_etc_runtime(initrc_t, file)
--files_exec_etc_files(initrc_t)
- files_read_usr_files(initrc_t)
- files_manage_urandom_seed(initrc_t)
- files_manage_generic_spool(initrc_t)
-@@ -364,8 +853,12 @@ files_list_isid_type_dirs(initrc_t)
- files_mounton_isid_type_dirs(initrc_t)
- files_list_default(initrc_t)
- files_mounton_default(initrc_t)
-+files_manage_mnt_dirs(initrc_t)
-+files_manage_mnt_files(initrc_t)
-
--fs_write_cgroup_files(initrc_t)
-+fs_delete_cgroup_dirs(initrc_t)
-+fs_list_cgroup_dirs(initrc_t)
-+fs_rw_cgroup_files(initrc_t)
- fs_list_inotifyfs(initrc_t)
- fs_register_binary_executable_type(initrc_t)
- # rhgb-console writes to ramfs
-@@ -375,10 +868,11 @@ fs_mount_all_fs(initrc_t)
- fs_unmount_all_fs(initrc_t)
- fs_remount_all_fs(initrc_t)
- fs_getattr_all_fs(initrc_t)
-+fs_search_all(initrc_t)
-+fs_getattr_nfsd_files(initrc_t)
-+fs_dontaudit_create_tmpfs_chr_dev(initrc_t)
-
- # initrc_t needs to do a pidof which requires ptrace
--mcs_ptrace_all(initrc_t)
--mcs_killall(initrc_t)
- mcs_process_set_categories(initrc_t)
-
- mls_file_read_all_levels(initrc_t)
-@@ -387,8 +881,10 @@ mls_process_read_up(initrc_t)
- mls_process_write_down(initrc_t)
- mls_rangetrans_source(initrc_t)
- mls_fd_share_all_levels(initrc_t)
-+mls_socket_write_to_clearance(initrc_t)
-
- selinux_get_enforce_mode(initrc_t)
-+selinux_setcheckreqprot(initrc_t)
-
- storage_getattr_fixed_disk_dev(initrc_t)
- storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +894,7 @@ term_use_all_terms(initrc_t)
- term_reset_tty_labels(initrc_t)
-
- auth_rw_login_records(initrc_t)
-+auth_manage_faillog(initrc_t)
- auth_setattr_login_records(initrc_t)
- auth_rw_lastlog(initrc_t)
- auth_read_pam_pid(initrc_t)
-@@ -416,20 +913,18 @@ logging_read_all_logs(initrc_t)
- logging_append_all_logs(initrc_t)
- logging_read_audit_config(initrc_t)
-
--miscfiles_read_localization(initrc_t)
- # slapd needs to read cert files from its initscript
--miscfiles_read_generic_certs(initrc_t)
-+miscfiles_manage_generic_cert_files(initrc_t)
-
--modutils_read_module_config(initrc_t)
--modutils_domtrans_insmod(initrc_t)
-
- seutil_read_config(initrc_t)
-
-+userdom_read_admin_home_files(initrc_t)
- userdom_read_user_home_content_files(initrc_t)
- # Allow access to the sysadm TTYs. Note that this will give access to the
- # TTYs to any process in the initrc_t domain. Therefore, daemons and such
- # started from init should be placed in their own domain.
--userdom_use_user_terminals(initrc_t)
-+userdom_use_inherited_user_terminals(initrc_t)
-
- ifdef(`distro_debian',`
- dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +946,6 @@ ifdef(`distro_gentoo',`
- allow initrc_t self:process setfscreate;
- dev_create_null_dev(initrc_t)
- dev_create_zero_dev(initrc_t)
-- dev_create_generic_dirs(initrc_t)
- term_create_console_dev(initrc_t)
-
- # unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +980,10 @@ ifdef(`distro_gentoo',`
- sysnet_setattr_config(initrc_t)
-
- optional_policy(`
-+ abrt_manage_pid_files(initrc_t)
-+ ')
-+
-+ optional_policy(`
- alsa_read_lib(initrc_t)
- ')
-
-@@ -506,7 +1004,7 @@ ifdef(`distro_redhat',`
-
- # Red Hat systems seem to have a stray
- # fd open from the initrd
-- kernel_dontaudit_use_fds(initrc_t)
-+ kernel_use_fds(initrc_t)
- files_dontaudit_read_root_files(initrc_t)
-
- # These seem to be from the initrd
-@@ -521,6 +1019,7 @@ ifdef(`distro_redhat',`
- files_create_boot_dirs(initrc_t)
- files_create_boot_flag(initrc_t)
- files_rw_boot_symlinks(initrc_t)
-+
- # wants to read /.fonts directory
- files_read_default_files(initrc_t)
- files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1040,7 @@ ifdef(`distro_redhat',`
- miscfiles_rw_localization(initrc_t)
- miscfiles_setattr_localization(initrc_t)
- miscfiles_relabel_localization(initrc_t)
-+ miscfiles_filetrans_named_content(initrc_t)
-
- miscfiles_read_fonts(initrc_t)
- miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1050,44 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ abrt_manage_pid_files(initrc_t)
-+ ')
-+
-+ optional_policy(`
- bind_manage_config_dirs(initrc_t)
-+ bind_manage_config(initrc_t)
- bind_write_config(initrc_t)
-+ bind_setattr_zone_dirs(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ cyrus_write_data(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_append_inherited_log_files(initrc_t)
-+ devicekit_dbus_chat_power(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ dirsrvadmin_read_config(initrc_t)
-+ dirsrv_manage_var_run(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ gnome_manage_gconf_config(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ ldap_read_db_files(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ ntp_filetrans_named_content(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ pulseaudio_stream_connect(initrc_t)
- ')
-
- optional_policy(`
-@@ -559,14 +1095,31 @@ ifdef(`distro_redhat',`
- rpc_write_exports(initrc_t)
- rpc_manage_nfs_state_data(initrc_t)
- ')
-+ optional_policy(`
-+ rpcbind_stream_connect(initrc_t)
-+ ')
-
- optional_policy(`
- sysnet_rw_dhcp_config(initrc_t)
- sysnet_manage_config(initrc_t)
-+ sysnet_manage_dhcpc_state(initrc_t)
-+ sysnet_relabelfrom_dhcpc_state(initrc_t)
-+ sysnet_relabelfrom_net_conf(initrc_t)
-+ sysnet_relabelto_net_conf(initrc_t)
-+ #sysnet_filetrans_named_content(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ tgtd_stream_connect(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ wdmd_manage_pid_files(initrc_t)
- ')
-
- optional_policy(`
- xserver_delete_log(initrc_t)
-+ xserver_manage_user_fonts_dir(initrc_t)
- ')
- ')
-
-@@ -577,6 +1130,39 @@ ifdef(`distro_suse',`
- ')
- ')
-
-+domain_dontaudit_use_interactive_fds(daemon)
-+
-+userdom_dontaudit_list_admin_dir(daemon)
-+userdom_dontaudit_search_user_tmp(daemon)
-+
-+tunable_policy(`daemons_use_tcp_wrapper',`
-+ corenet_tcp_connect_auth_port(daemon)
-+')
-+
-+tunable_policy(`daemons_use_tty',`
-+ term_use_unallocated_ttys(daemon)
-+ term_use_generic_ptys(daemon)
-+ term_use_all_ttys(daemon)
-+ term_use_all_ptys(daemon)
-+',`
-+ term_dontaudit_use_unallocated_ttys(daemon)
-+ term_dontaudit_use_generic_ptys(daemon)
-+ term_dontaudit_use_all_ttys(daemon)
-+ term_dontaudit_use_all_ptys(daemon)
-+ ')
-+
-+# system-config-services causes avc messages that should be dontaudited
-+tunable_policy(`daemons_dump_core',`
-+ files_manage_root_files(daemon)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(daemon)
-+ unconfined_dontaudit_rw_stream(daemon)
-+ userdom_dontaudit_read_user_tmp_files(daemon)
-+ userdom_dontaudit_write_user_tmp_files(daemon)
-+')
-+
- optional_policy(`
- amavis_search_lib(initrc_t)
- amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1175,8 @@ optional_policy(`
- optional_policy(`
- apache_read_config(initrc_t)
- apache_list_modules(initrc_t)
-+ # webmin seems to cause this.
-+ apache_search_sys_content(daemon)
- ')
-
- optional_policy(`
-@@ -610,6 +1198,7 @@ optional_policy(`
-
- optional_policy(`
- cgroup_stream_connect_cgred(initrc_t)
-+ domain_setpriority_all_domains(initrc_t)
- ')
-
- optional_policy(`
-@@ -626,6 +1215,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ chronyd_append_keys(initrc_t)
-+ chronyd_read_keys(initrc_t)
-+')
-+
-+optional_policy(`
-+ cron_read_pipes(initrc_t)
-+ # managing /etc/cron.d/mailman content
-+ cron_manage_system_spool(initrc_t)
-+')
-+
-+optional_policy(`
- dev_getattr_printer_dev(initrc_t)
-
- cups_read_log(initrc_t)
-@@ -642,9 +1242,13 @@ optional_policy(`
- dbus_connect_system_bus(initrc_t)
- dbus_system_bus_client(initrc_t)
- dbus_read_config(initrc_t)
-+ dbus_manage_lib_files(initrc_t)
-+
-+ init_dbus_chat(initrc_t)
-
- optional_policy(`
- consolekit_dbus_chat(initrc_t)
-+ consolekit_manage_log(initrc_t)
- ')
-
- optional_policy(`
-@@ -657,15 +1261,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-- # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
-- # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
-- # the directory. But we do not want to allow this.
-- # The master process of dovecot will manage this file.
-- dovecot_dontaudit_unlink_lib_files(initrc_t)
-+ ftp_read_config(initrc_t)
- ')
-
- optional_policy(`
-- ftp_read_config(initrc_t)
-+ glance_manage_pid_files(initrc_t)
- ')
-
- optional_policy(`
-@@ -686,6 +1286,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ firewalld_dbus_chat(initrc_t)
-+')
-+
-+optional_policy(`
-+ modutils_read_module_config(initrc_t)
-+ modutils_domtrans_insmod(initrc_t)
-+')
-+
-+optional_policy(`
- inn_exec_config(initrc_t)
- ')
-
-@@ -726,6 +1335,7 @@ optional_policy(`
- lpd_list_spool(initrc_t)
-
- lpd_read_config(initrc_t)
-+ lpd_manage_spool(init_t)
- ')
-
- optional_policy(`
-@@ -743,7 +1353,13 @@ optional_policy(`
- ')
-
- optional_policy(`
-- mta_read_config(initrc_t)
-+ milter_delete_dkim_pid_files(initrc_t)
-+ milter_setattr_all_dirs(initrc_t)
-+')
-+
-+optional_policy(`
-+ mta_manage_aliases(initrc_t)
-+ mta_manage_config(initrc_t)
- mta_dontaudit_read_spool_symlinks(initrc_t)
- ')
-
-@@ -766,6 +1382,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ plymouthd_stream_connect(initrc_t)
-+')
-+
-+optional_policy(`
- postgresql_manage_db(initrc_t)
- postgresql_read_config(initrc_t)
- ')
-@@ -775,10 +1395,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ psad_setattr_fifo_file(initrc_t)
-+ psad_setattr_log(initrc_t)
-+ psad_write_log(initrc_t)
-+')
-+
-+optional_policy(`
- puppet_rw_tmp(initrc_t)
- ')
-
- optional_policy(`
-+ qpidd_manage_var_run(initrc_t)
-+')
-+
-+optional_policy(`
- quota_manage_flags(initrc_t)
- ')
-
-@@ -787,6 +1417,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ricci_manage_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
- fs_write_ramfs_sockets(initrc_t)
- fs_search_ramfs(initrc_t)
-
-@@ -808,8 +1442,6 @@ optional_policy(`
- # bash tries ioctl for some reason
- files_dontaudit_ioctl_all_pids(initrc_t)
-
-- # why is this needed:
-- rpm_manage_db(initrc_t)
- ')
-
- optional_policy(`
-@@ -818,6 +1450,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sendmail_setattr_pid_files(initrc_t)
-+')
-+
-+optional_policy(`
- # shorewall-init script run /var/lib/shorewall/firewall
- shorewall_lib_domtrans(initrc_t)
- ')
-@@ -827,10 +1463,12 @@ optional_policy(`
- squid_manage_logs(initrc_t)
- ')
-
-+ifdef(`enabled_mls',`
- optional_policy(`
- # allow init scripts to su
- su_restricted_domain_template(initrc, initrc_t, system_r)
- ')
-+')
-
- optional_policy(`
- ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1495,63 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ virt_read_config(init_t)
-+ virt_stream_connect(init_t)
-+ virt_noatsecure(init_t)
-+ virt_rlimitinh(init_t)
-+ virt_transition_svirt_sandbox(init_t, system_r)
-+ virt_manage_sandbox_files(init_t)
-+')
-+
-+optional_policy(`
-+ virt_manage_pid_dirs(initrc_t)
-+ virt_manage_cache(initrc_t)
-+ virt_manage_lib_files(initrc_t)
- virt_stream_connect(initrc_t)
-- virt_manage_virt_cache(initrc_t)
-+ virt_transition_svirt_sandbox(initrc_t, system_r)
-+')
-+
-+# Cron jobs used to start and stop services
-+optional_policy(`
-+ cron_rw_pipes(daemon)
-+ cron_rw_inherited_user_spool_files(daemon)
-+')
-+
-+optional_policy(`
-+ cfengine_append_inherited_log(daemon)
- ')
-
- optional_policy(`
- unconfined_domain(initrc_t)
-+ domain_named_filetrans(initrc_t)
-+ domain_role_change_exemption(initrc_t)
-+
-+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
-
- ifdef(`distro_redhat',`
- # system-config-services causes avc messages that should be dontaudited
- unconfined_dontaudit_rw_pipes(daemon)
- ')
-
-+ optional_policy(`
-+ authconfig_domtrans(initrc_t)
-+ ')
-+
- optional_policy(`
- mono_domtrans(initrc_t)
- ')
-+
-+ # Allow SELinux aware applications to request rpm_script_t execution
-+ rpm_transition_script(initrc_t, system_r)
-+
-+ optional_policy(`
-+ rtkit_scheduled(initrc_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ rpm_read_db(initrc_t)
-+ rpm_delete_db(initrc_t)
- ')
-
- optional_policy(`
-@@ -887,6 +1567,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sanlock_manage_pid_files(initrc_t)
-+')
-+
-+optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
-@@ -897,3 +1581,218 @@ optional_policy(`
- optional_policy(`
- zebra_read_config(initrc_t)
- ')
-+
-+userdom_inherit_append_user_home_content_files(daemon)
-+userdom_inherit_append_user_tmp_files(daemon)
-+userdom_dontaudit_rw_stream(daemon)
-+
-+logging_inherit_append_all_logs(daemon)
-+
-+optional_policy(`
-+ # sudo service restart causes this
-+ unconfined_signull(daemon)
-+')
-+
-+
-+optional_policy(`
-+ xserver_dontaudit_append_xdm_home_files(daemon)
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_rw_nfs_files(daemon)
-+ ')
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_dontaudit_rw_cifs_files(daemon)
-+ ')
-+')
-+
-+init_rw_script_stream_sockets(daemon)
-+
-+optional_policy(`
-+ abrt_stream_connect(daemon)
-+')
-+
-+optional_policy(`
-+ fail2ban_read_lib_files(daemon)
-+')
-+
-+optional_policy(`
-+ firstboot_dontaudit_leaks(daemon)
-+')
-+
-+init_rw_stream_sockets(daemon)
-+init_dontaudit_script_leaks(daemon)
-+
-+allow init_t var_run_t:dir relabelto;
-+
-+init_stream_connect(initrc_t)
-+
-+allow initrc_t daemon:process siginh;
-+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow daemon initrc_transition_domain:fd use;
-+allow daemon init_var_run_t:dir search_dir_perms;
-+allow systemprocess init_var_run_t:dir search_dir_perms;
-+
-+allow init_t daemon:unix_stream_socket create_stream_socket_perms;
-+allow init_t daemon:unix_dgram_socket create_socket_perms;
-+allow init_t daemon:tcp_socket create_stream_socket_perms;
-+allow init_t daemon:udp_socket create_socket_perms;
-+allow daemon init_t:unix_dgram_socket sendto;
-+# need write to /var/run/systemd/notify
-+init_write_pid_socket(daemon)
-+allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
-+
-+# daemons started from init will
-+# inherit fds from init for the console
-+init_dontaudit_use_fds(daemon)
-+term_dontaudit_use_console(daemon)
-+# init script ptys are the stdin/out/err
-+# when using run_init
-+init_use_script_ptys(daemon)
-+
-+allow init_t daemon:process siginh;
-+
-+ifdef(`hide_broken_symptoms',`
-+ # RHEL4 systems seem to have a stray
-+ # fds open from the initrd
-+ ifdef(`distro_rhel4',`
-+ kernel_dontaudit_use_fds(daemon)
-+ ')
-+
-+ dontaudit daemon init_t:dir search_dir_perms;
-+')
-+
-+optional_policy(`
-+ nscd_socket_use(daemon)
-+')
-+
-+optional_policy(`
-+ puppet_rw_tmp(daemon)
-+')
-+
-+allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
-+
-+allow initrc_t systemprocess:process siginh;
-+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow systemprocess initrc_transition_domain:fd use;
-+
-+dontaudit systemprocess init_t:unix_stream_socket getattr;
-+
-+allow init_t daemon:unix_stream_socket create_stream_socket_perms;
-+allow init_t daemon:unix_dgram_socket create_socket_perms;
-+allow daemon init_t:unix_stream_socket ioctl;
-+allow daemon init_t:unix_dgram_socket sendto;
-+# need write to /var/run/systemd/notify
-+init_write_pid_socket(daemon)
-+init_rw_inherited_script_tmp_files(daemon)
-+
-+# Handle upstart/systemd direct transition to a executable
-+allow init_t systemprocess:process { dyntransition siginh };
-+allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
-+allow init_t systemprocess:unix_dgram_socket create_socket_perms;
-+allow systemprocess init_t:unix_dgram_socket sendto;
-+allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
-+
-+files_dontaudit_rw_inherited_locks(systemprocess)
-+files_dontaudit_tmp_file_leaks(systemprocess)
-+init_rw_inherited_script_tmp_files(systemprocess)
-+
-+logging_dontaudit_rw_inherited_generic_logs(systemprocess)
-+
-+userdom_dontaudit_search_user_home_dirs(systemprocess)
-+userdom_dontaudit_rw_stream(systemprocess)
-+userdom_dontaudit_write_user_tmp_files(systemprocess)
-+
-+tunable_policy(`daemons_use_tty',`
-+ term_use_all_ttys(systemprocess)
-+ term_use_all_ptys(systemprocess)
-+',`
-+ term_dontaudit_use_all_ttys(systemprocess)
-+ term_dontaudit_use_all_ptys(systemprocess)
-+')
-+
-+# these apps are often redirect output to random log files
-+logging_inherit_append_all_logs(systemprocess)
-+
-+optional_policy(`
-+ abrt_stream_connect(systemprocess)
-+')
-+
-+optional_policy(`
-+ cfengine_append_inherited_log(systemprocess)
-+')
-+
-+optional_policy(`
-+ cron_rw_pipes(systemprocess)
-+')
-+
-+optional_policy(`
-+ puppet_rw_tmp(systemprocess)
-+')
-+
-+optional_policy(`
-+ xserver_dontaudit_append_xdm_home_files(systemprocess)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(systemprocess)
-+ unconfined_dontaudit_rw_stream(systemprocess)
-+ userdom_dontaudit_read_user_tmp_files(systemprocess)
-+')
-+
-+init_rw_script_stream_sockets(systemprocess)
-+
-+role system_r types systemprocess;
-+role system_r types daemon;
-+
-+#ifdef(`enable_mls',`
-+# mls_rangetrans_target(systemprocess)
-+#')
-+
-+allow initrc_domain daemon:process transition;
-+allow daemon initrc_domain:fd use;
-+allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow daemon initrc_domain:process sigchld;
-+allow initrc_domain direct_init_entry:file { getattr open read execute };
-+
-+allow systemprocess initrc_domain:fd use;
-+allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow systemprocess initrc_domain:process sigchld;
-+allow initrc_domain systemprocess_entry:file { getattr open read execute };
-+allow initrc_domain systemprocess:process transition;
-+
-+optional_policy(`
-+ systemd_getattr_unit_dirs(daemon)
-+ systemd_getattr_unit_dirs(systemprocess)
-+')
-+
-+optional_policy(`
-+ rgmanager_search_lib(initrc_domain)
-+')
-+
-+ifdef(`direct_sysadm_daemon',`
-+ allow daemon direct_run_init:fd use;
-+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
-+ allow daemon direct_run_init:process sigchld;
-+ allow direct_run_init direct_init_entry:file { getattr open read execute };
-+')
-+
-+optional_policy(`
-+ tunable_policy(`daemons_enable_cluster_mode',`
-+ rhcs_manage_cluster_pid_files(daemon)
-+ rhcs_manage_cluster_lib_files(daemon)
-+ rhcs_rw_inherited_cluster_tmp_files(daemon)
-+ rhcs_stream_connect_cluster_to(daemon,daemon)
-+',`
-+ rhcs_read_cluster_lib_files(daemon)
-+ rhcs_read_cluster_pid_files(daemon)
-+ ')
-+
-+ ')
-+
-+optional_policy(`
-+ tunable_policy(`daemons_enable_cluster_mode',`
-+ #resource agents placed config files in /etc/cluster
-+ ccs_manage_config(daemon)
-+',`
-+ ccs_read_config(daemon)
-+ ')
-+ ')
-diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79be8..d32012ffe 100644
---- a/policy/modules/system/ipsec.fc
-+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,26 @@
- /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
-
--/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-+/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
-+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
-+/usr/lib/systemd/system/strongswan-swanctl.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
-+/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
-+
-+/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
- /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
-+/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-+/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
- /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-
- /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
- /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
-
-+/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
-+/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
-+
- /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
-+/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
-
- /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-
-@@ -26,16 +38,28 @@
- /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
- /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
- /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-+/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-
- /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
- /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
- /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-+/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-
- /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
-+/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
-
--/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
-+/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0)
-
- /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
-
-+/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
-+/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
-+/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
- /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
- /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
-+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
-diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d35e..537aa4274 100644
---- a/policy/modules/system/ipsec.if
-+++ b/policy/modules/system/ipsec.if
-@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',`
- domtrans_pattern($1, ipsec_exec_t, ipsec_t)
- ')
-
-+#######################################
-+##
-+## Allow read/write ipsec pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_rw_inherited_pipes',`
-+ gen_require(`
-+ type ipsec_t;
-+ ')
-+
-+ allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
- ########################################
- ##
- ## Connect to IPSEC using a unix domain stream socket.
-@@ -55,6 +73,64 @@ interface(`ipsec_domtrans_mgmt',`
- domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
- ')
-
-+#######################################
-+##
-+## Allow to create OBJECT in /etc with ipsec_key_file_t.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_filetrans_key_file',`
-+ gen_require(`
-+ type ipsec_key_file_t;
-+ ')
-+
-+ files_etc_filetrans($1, ipsec_key_file_t, file)
-+')
-+
-+#######################################
-+##
-+## Allow to manage ipsec key files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_manage_key_file',`
-+ gen_require(`
-+ type ipsec_key_file_t;
-+ ')
-+
-+ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
-+ files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
-+')
-+
-+########################################
-+##
-+## Read the ipsec_mgmt_var_run_t files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_mgmt_read_pid',`
-+ gen_require(`
-+ type ipsec_var_run_t;
-+ type ipsec_mgmt_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
-+')
-+
-+
- ########################################
- ##
- ## Connect to racoon using a unix domain stream socket.
-@@ -120,7 +196,6 @@ interface(`ipsec_exec_mgmt',`
- ##
- ##
- #
--#
- interface(`ipsec_signal_mgmt',`
- gen_require(`
- type ipsec_mgmt_t;
-@@ -139,7 +214,6 @@ interface(`ipsec_signal_mgmt',`
- ##
- ##
- #
--#
- interface(`ipsec_signull_mgmt',`
- gen_require(`
- type ipsec_mgmt_t;
-@@ -158,7 +232,6 @@ interface(`ipsec_signull_mgmt',`
- ##
- ##
- #
--#
- interface(`ipsec_kill_mgmt',`
- gen_require(`
- type ipsec_mgmt_t;
-@@ -167,6 +240,60 @@ interface(`ipsec_kill_mgmt',`
- allow $1 ipsec_mgmt_t:process sigkill;
- ')
-
-+########################################
-+##
-+## Send ipsec a general signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_signal',`
-+ gen_require(`
-+ type ipsec_t;
-+ ')
-+
-+ allow $1 ipsec_t:process signal;
-+')
-+
-+########################################
-+##
-+## Send ipsec a null signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_signull',`
-+ gen_require(`
-+ type ipsec_t;
-+ ')
-+
-+ allow $1 ipsec_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send ipsec a kill signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_kill',`
-+ gen_require(`
-+ type ipsec_t;
-+ ')
-+
-+ allow $1 ipsec_t:process sigkill;
-+')
-+
- ######################################
- ##
- ## Send and receive messages from
-@@ -225,6 +352,7 @@ interface(`ipsec_match_default_spd',`
-
- allow $1 ipsec_spd_t:association polmatch;
- allow $1 self:association sendto;
-+ allow $1 self:peer recv;
- ')
-
- ########################################
-@@ -267,6 +395,26 @@ interface(`ipsec_write_pid',`
-
- ########################################
- ##
-+## Allow read the IPSEC pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ipsec_read_pid',`
-+ gen_require(`
-+ type ipsec_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
-+ read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete the IPSEC pid files.
- ##
- ##
-@@ -369,3 +517,27 @@ interface(`ipsec_run_setkey',`
- ipsec_domtrans_setkey($1)
- role $2 types setkey_t;
- ')
-+
-+#######################################
-+##
-+## Execute strongswan in the ipsec_mgmt domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ipsec_mgmt_systemctl',`
-+ gen_require(`
-+ type ipsec_mgmt_unit_file_t;
-+ type ipsec_mgmt_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
-+ allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, ipsec_mgmt_t)
-+')
-diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd0417..45c4b21dc 100644
---- a/policy/modules/system/ipsec.te
-+++ b/policy/modules/system/ipsec.te
-@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
- corecmd_shell_entry_type(ipsec_mgmt_t)
- role system_r types ipsec_mgmt_t;
-
-+type ipsec_mgmt_unit_file_t;
-+systemd_unit_file(ipsec_mgmt_unit_file_t)
-+
- type ipsec_mgmt_lock_t;
- files_lock_file(ipsec_mgmt_lock_t)
-
-@@ -67,29 +70,44 @@ type setkey_exec_t;
- init_system_domain(setkey_t, setkey_exec_t)
- role system_r types setkey_t;
-
-+# The NetworkManager helper communicates the password via PTY
-+type ipsec_mgmt_devpts_t;
-+term_pty(ipsec_mgmt_devpts_t)
-+files_type(ipsec_mgmt_devpts_t)
-+
- ########################################
- #
- # ipsec Local policy
- #
-
--allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
--dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
--allow ipsec_t self:process { getcap setcap getsched signal setsched };
-+allow ipsec_t self:capability { net_admin dac_read_search setpcap sys_nice net_raw setuid setgid };
-+dontaudit ipsec_t self:capability sys_tty_config;
-+allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
- allow ipsec_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_t self:udp_socket create_socket_perms;
-+allow ipsec_t self:packet_socket create_socket_perms;
- allow ipsec_t self:key_socket create_socket_perms;
- allow ipsec_t self:fifo_file read_fifo_file_perms;
- allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
-+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-+allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
-+allow ipsec_t self:tun_socket create_socket_perms;
-
- allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-
- allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
--read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
- read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
-+manage_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
-+filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")
-
- allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
--manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
- read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
-+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
-+allow ipsec_t ipsec_key_file_t:file map;
-+
-+manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)
-+logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log")
-
- manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
- manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -101,6 +119,7 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
- files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
-
- can_exec(ipsec_t, ipsec_mgmt_exec_t)
-+can_exec(ipsec_t, ipsec_exec_t)
-
- # pluto runs an updown script (by calling popen()!) as this is by default
- # a shell script, we need to find a way to make things work without
-@@ -110,10 +129,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
- allow ipsec_mgmt_t ipsec_t:fd use;
- allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
- allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
--allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
-+allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull };
-
- kernel_read_kernel_sysctls(ipsec_t)
--kernel_read_net_sysctls(ipsec_t)
-+kernel_rw_net_sysctls(ipsec_t)
- kernel_list_proc(ipsec_t)
- kernel_read_proc_symlinks(ipsec_t)
- # allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +147,24 @@ corecmd_exec_shell(ipsec_t)
- corecmd_exec_bin(ipsec_t)
-
- # Pluto needs network access
--corenet_all_recvfrom_unlabeled(ipsec_t)
--corenet_tcp_sendrecv_all_if(ipsec_t)
--corenet_raw_sendrecv_all_if(ipsec_t)
--corenet_tcp_sendrecv_all_nodes(ipsec_t)
--corenet_raw_sendrecv_all_nodes(ipsec_t)
-+corenet_tcp_sendrecv_generic_if(ipsec_t)
-+corenet_raw_sendrecv_generic_if(ipsec_t)
-+corenet_tcp_sendrecv_generic_node(ipsec_t)
-+corenet_raw_sendrecv_generic_node(ipsec_t)
- corenet_tcp_sendrecv_all_ports(ipsec_t)
--corenet_tcp_bind_all_nodes(ipsec_t)
--corenet_udp_bind_all_nodes(ipsec_t)
-+corenet_tcp_bind_generic_node(ipsec_t)
-+corenet_udp_bind_generic_node(ipsec_t)
- corenet_tcp_bind_reserved_port(ipsec_t)
- corenet_tcp_bind_isakmp_port(ipsec_t)
- corenet_udp_bind_isakmp_port(ipsec_t)
- corenet_udp_bind_ipsecnat_port(ipsec_t)
-+corenet_udp_bind_dhcpc_port(ipsec_t)
- corenet_sendrecv_generic_server_packets(ipsec_t)
- corenet_sendrecv_isakmp_server_packets(ipsec_t)
-+corenet_tcp_connect_http_port(ipsec_t)
-+corenet_tcp_connect_ldap_port(ipsec_t)
-+
-+corenet_rw_tun_tap_dev(ipsec_t)
-
- dev_read_sysfs(ipsec_t)
- dev_read_rand(ipsec_t)
-@@ -157,22 +180,34 @@ files_dontaudit_search_home(ipsec_t)
- fs_getattr_all_fs(ipsec_t)
- fs_search_auto_mountpoints(ipsec_t)
-
-+selinux_compute_access_vector(ipsec_t)
-+
- term_use_console(ipsec_t)
- term_dontaudit_use_all_ttys(ipsec_t)
-
-+auth_use_pam(ipsec_t)
- auth_use_nsswitch(ipsec_t)
-+auth_read_home_content(ipsec_t)
-
- init_use_fds(ipsec_t)
- init_use_script_ptys(ipsec_t)
-
-+logging_send_audit_msgs(ipsec_t)
- logging_send_syslog_msg(ipsec_t)
-
--miscfiles_read_localization(ipsec_t)
-+miscfiles_map_generic_certs(ipsec_t)
-
- sysnet_domtrans_ifconfig(ipsec_t)
-+sysnet_manage_config(ipsec_t)
-+sysnet_etc_filetrans_config(ipsec_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
- userdom_dontaudit_search_user_home_dirs(ipsec_t)
-+userdom_read_home_certs(ipsec_t)
-+
-+optional_policy(`
-+ iptables_domtrans(ipsec_t)
-+')
-
- optional_policy(`
- seutil_sigchld_newrole(ipsec_t)
-@@ -182,19 +217,30 @@ optional_policy(`
- udev_read_db(ipsec_t)
- ')
-
-+optional_policy(`
-+ dbus_system_bus_client(ipsec_t)
-+ dbus_connect_system_bus(ipsec_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(ipsec_t)
-+ ')
-+')
-+
- ########################################
- #
- # ipsec_mgmt Local policy
- #
-
--allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
--dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
--allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
--allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-+allow ipsec_mgmt_t self:capability { dac_read_search net_admin setpcap sys_nice sys_ptrace };
-+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
-+allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_mgmt_t self:udp_socket create_socket_perms;
- allow ipsec_mgmt_t self:key_socket create_socket_perms;
- allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
-+allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
-+allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
-
- allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
- files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +254,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
-
- allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
- files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-+filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
-
- manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
-+manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
- manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
-
- allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
--files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
-+files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file })
-
- # _realsetup needs to be able to cat /var/run/pluto.pid,
- # run ps on that pid, and delete the file
-@@ -246,6 +294,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
- kernel_getattr_core_if(ipsec_mgmt_t)
- kernel_getattr_message_if(ipsec_mgmt_t)
-
-+domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
-+domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
-+
-+dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
-+dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
-+
-+dev_read_sysfs(ipsec_mgmt_t)
-+
-+files_dontaudit_getattr_all_files(ipsec_mgmt_t)
-+files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
- files_read_kernel_symbol_table(ipsec_mgmt_t)
- files_getattr_kernel_modules(ipsec_mgmt_t)
-
-@@ -255,6 +313,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
- corecmd_exec_bin(ipsec_mgmt_t)
- corecmd_exec_shell(ipsec_mgmt_t)
-
-+corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
-+
- dev_read_rand(ipsec_mgmt_t)
- dev_read_urand(ipsec_mgmt_t)
-
-@@ -269,6 +329,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
- files_read_etc_files(ipsec_mgmt_t)
- files_exec_etc_files(ipsec_mgmt_t)
- files_read_etc_runtime_files(ipsec_mgmt_t)
-+files_list_kernel_modules(ipsec_mgmt_t)
- files_read_usr_files(ipsec_mgmt_t)
- files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
- files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +339,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
- fs_list_tmpfs(ipsec_mgmt_t)
-
- term_use_console(ipsec_mgmt_t)
--term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
-+term_use_all_inherited_terms(ipsec_mgmt_t)
-
- auth_dontaudit_read_login_records(ipsec_mgmt_t)
-+auth_use_nsswitch(ipsec_mgmt_t)
-
- init_read_utmp(ipsec_mgmt_t)
- init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +350,28 @@ init_exec_script_files(ipsec_mgmt_t)
- init_use_fds(ipsec_mgmt_t)
- init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
-
--logging_send_syslog_msg(ipsec_mgmt_t)
--
--miscfiles_read_localization(ipsec_mgmt_t)
-+ipsec_mgmt_systemctl(ipsec_mgmt_t)
-
--seutil_dontaudit_search_config(ipsec_mgmt_t)
-+logging_read_all_logs(ipsec_mgmt_t)
-+logging_send_syslog_msg(ipsec_mgmt_t)
-
- sysnet_manage_config(ipsec_mgmt_t)
- sysnet_domtrans_ifconfig(ipsec_mgmt_t)
- sysnet_etc_filetrans_config(ipsec_mgmt_t)
-
--userdom_use_user_terminals(ipsec_mgmt_t)
-+systemd_exec_systemctl(ipsec_mgmt_t)
-+
-+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
-+
-+allow ipsec_mgmt_t ipsec_mgmt_devpts_t:chr_file rw_term_perms;
-+term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t)
-+
-+optional_policy(`
-+ bind_domtrans(ipsec_mgmt_t)
-+ bind_read_dnssec_keys(ipsec_mgmt_t)
-+ bind_read_config(ipsec_mgmt_t)
-+ bind_read_state(ipsec_mgmt_t)
-+')
-
- optional_policy(`
- consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +395,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ l2tpd_read_pid_files(ipsec_mgmt_t)
-+')
-+
-+optional_policy(`
- modutils_domtrans_insmod(ipsec_mgmt_t)
- ')
-
-@@ -335,7 +412,7 @@ optional_policy(`
- #
-
- allow racoon_t self:capability { net_admin net_bind_service };
--allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
-+allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
- allow racoon_t self:unix_dgram_socket { connect create ioctl write };
- allow racoon_t self:netlink_selinux_socket { bind create read };
- allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +447,12 @@ kernel_request_load_module(racoon_t)
- corecmd_exec_shell(racoon_t)
- corecmd_exec_bin(racoon_t)
-
--corenet_all_recvfrom_unlabeled(racoon_t)
--corenet_tcp_sendrecv_all_if(racoon_t)
--corenet_udp_sendrecv_all_if(racoon_t)
--corenet_tcp_sendrecv_all_nodes(racoon_t)
--corenet_udp_sendrecv_all_nodes(racoon_t)
--corenet_tcp_bind_all_nodes(racoon_t)
--corenet_udp_bind_all_nodes(racoon_t)
-+corenet_tcp_sendrecv_generic_if(racoon_t)
-+corenet_udp_sendrecv_generic_if(racoon_t)
-+corenet_tcp_sendrecv_generic_node(racoon_t)
-+corenet_udp_sendrecv_generic_node(racoon_t)
-+corenet_tcp_bind_generic_node(racoon_t)
-+corenet_udp_bind_generic_node(racoon_t)
- corenet_udp_bind_isakmp_port(racoon_t)
- corenet_udp_bind_ipsecnat_port(racoon_t)
-
-@@ -401,10 +477,10 @@ locallogin_use_fds(racoon_t)
- logging_send_syslog_msg(racoon_t)
- logging_send_audit_msgs(racoon_t)
-
--miscfiles_read_localization(racoon_t)
--
- sysnet_exec_ifconfig(racoon_t)
-
-+auth_use_pam(racoon_t)
-+
- auth_can_read_shadow_passwords(racoon_t)
- tunable_policy(`racoon_read_shadow',`
- auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +514,8 @@ corenet_setcontext_all_spds(setkey_t)
-
- locallogin_use_fds(setkey_t)
-
--miscfiles_read_localization(setkey_t)
-
- seutil_read_config(setkey_t)
-
--userdom_use_user_terminals(setkey_t)
--
-+userdom_use_inherited_user_terminals(setkey_t)
-+userdom_read_user_tmp_files(setkey_t)
-diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e1e..1ca98b865 100644
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,49 @@
- /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
--/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
--/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nftables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-
--/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
-+/usr/libexec/iptables/iptables.init -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+
-+/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+
-+/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
--/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+
-+/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0)
-+
-+/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0)
-+/var/lock/subsys/ip6tables -- gen_context(system_u:object_r:iptables_lock_t,s0)
-+
-+/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index c42fbc329..bf211dbee 100644
---- a/policy/modules/system/iptables.if
-+++ b/policy/modules/system/iptables.if
-@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, iptables_exec_t, iptables_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit iptables_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -86,6 +82,30 @@ interface(`iptables_initrc_domtrans',`
- init_labeled_script_domtrans($1, iptables_initrc_exec_t)
- ')
-
-+########################################
-+##
-+## Execute iptables server in the iptables domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`iptables_systemctl',`
-+ gen_require(`
-+ type iptables_unit_file_t;
-+ type iptables_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 iptables_unit_file_t:file read_file_perms;
-+ allow $1 iptables_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, iptables_t)
-+')
-+
- #####################################
- ##
- ## Set the attributes of iptables config files.
-@@ -163,3 +183,21 @@ interface(`iptables_manage_config',`
- files_search_etc($1)
- manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
- ')
-+
-+########################################
-+##
-+## Transition to iptables named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`iptables_filetrans_named_content',`
-+ gen_require(`
-+ type iptables_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
-+')
-diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e6c..5a5a54d66 100644
---- a/policy/modules/system/iptables.te
-+++ b/policy/modules/system/iptables.te
-@@ -16,44 +16,62 @@ role iptables_roles types iptables_t;
- type iptables_initrc_exec_t;
- init_script_file(iptables_initrc_exec_t)
-
--type iptables_conf_t;
--files_config_file(iptables_conf_t)
--
- type iptables_tmp_t;
- files_tmp_file(iptables_tmp_t)
-
- type iptables_var_run_t;
- files_pid_file(iptables_var_run_t)
-
-+type iptables_var_lib_t;
-+files_pid_file(iptables_var_lib_t)
-+
-+type iptables_lock_t;
-+files_lock_file(iptables_lock_t)
-+
-+type iptables_unit_file_t;
-+systemd_unit_file(iptables_unit_file_t)
-+
- ########################################
- #
- # Iptables local policy
- #
-
--allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
-+allow iptables_t self:capability { dac_read_search net_admin net_raw };
-+allow iptables_t self:cap_userns { dac_read_search net_admin net_raw };
- dontaudit iptables_t self:capability sys_tty_config;
- allow iptables_t self:fifo_file rw_fifo_file_perms;
- allow iptables_t self:process { sigchld sigkill sigstop signull signal };
- allow iptables_t self:netlink_socket create_socket_perms;
-+allow iptables_t self:netlink_generic_socket create_socket_perms;
-+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
- allow iptables_t self:rawip_socket create_socket_perms;
-
--manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
--files_etc_filetrans(iptables_t, iptables_conf_t, file)
-+files_manage_system_conf_files(iptables_t)
-+files_etc_filetrans_system_conf(iptables_t)
-
- manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
- files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
-+manage_dirs_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
-+manage_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
-+manage_lnk_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t)
-+files_var_lib_filetrans(iptables_t, iptables_var_lib_t, { file dir lnk_file })
-+
- can_exec(iptables_t, iptables_exec_t)
-
-+manage_files_pattern(iptables_t, iptables_lock_t, iptables_lock_t)
-+files_lock_filetrans(iptables_t, iptables_lock_t, file)
-+
- allow iptables_t iptables_tmp_t:dir manage_dir_perms;
- allow iptables_t iptables_tmp_t:file manage_file_perms;
- files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
-
-+kernel_getattr_proc(iptables_t)
- kernel_request_load_module(iptables_t)
- kernel_read_system_state(iptables_t)
- kernel_read_network_state(iptables_t)
- kernel_read_kernel_sysctls(iptables_t)
--kernel_read_modprobe_sysctls(iptables_t)
-+kernel_read_usermodehelper_state(iptables_t)
- kernel_use_fds(iptables_t)
-
- # needed by ipvsadm
-@@ -64,19 +82,24 @@ corenet_relabelto_all_packets(iptables_t)
- corenet_dontaudit_rw_tun_tap_dev(iptables_t)
-
- dev_read_sysfs(iptables_t)
-+dev_read_urand(iptables_t)
-+dev_read_rand(iptables_t)
-
- fs_getattr_xattr_fs(iptables_t)
- fs_search_auto_mountpoints(iptables_t)
- fs_list_inotifyfs(iptables_t)
-+fs_read_nsfs_files(iptables_t)
-
- mls_file_read_all_levels(iptables_t)
-
- term_dontaudit_use_console(iptables_t)
-+term_use_all_inherited_terms(iptables_t)
-
- domain_use_interactive_fds(iptables_t)
-
--files_read_etc_files(iptables_t)
--files_read_etc_runtime_files(iptables_t)
-+files_rw_etc_runtime_files(iptables_t)
-+files_rw_inherited_tmp_file(iptables_t)
-+files_read_kernel_modules(iptables_t)
-
- auth_use_nsswitch(iptables_t)
-
-@@ -85,15 +108,14 @@ init_use_script_ptys(iptables_t)
- # to allow rules to be saved on reboot:
- init_rw_script_tmp_files(iptables_t)
- init_rw_script_stream_sockets(iptables_t)
-+init_dontaudit_script_leaks(iptables_t)
-
- logging_send_syslog_msg(iptables_t)
-
--miscfiles_read_localization(iptables_t)
--
- sysnet_run_ifconfig(iptables_t, iptables_roles)
- sysnet_dns_name_resolve(iptables_t)
-
--userdom_use_user_terminals(iptables_t)
-+userdom_use_inherited_user_terminals(iptables_t)
- userdom_use_all_users_fds(iptables_t)
-
- ifdef(`hide_broken_symptoms',`
-@@ -101,7 +123,14 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-+ container_read_state(iptables_t)
-+')
-+
-+optional_policy(`
- fail2ban_append_log(iptables_t)
-+ fail2ban_read_log(iptables_t)
-+ fail2ban_dontaudit_leaks(iptables_t)
-+ fail2ban_rw_inherited_tmp_files(iptables_t)
- ')
-
- optional_policy(`
-@@ -110,7 +139,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ firewalld_read_config(iptables_t)
-+ firewalld_read_pid_files(iptables_t)
-+ firewalld_dontaudit_write_tmp_files(iptables_t)
-+ firewalld_dontaudit_leaks(iptables_t)
-+')
-+
-+optional_policy(`
- modutils_run_insmod(iptables_t, iptables_roles)
-+ modutils_list_module_config(iptables_t)
-+ modutils_read_module_config(iptables_t)
- ')
-
- optional_policy(`
-@@ -119,11 +157,25 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ plymouthd_exec_plymouth(iptables_t)
-+')
-+
-+optional_policy(`
- ppp_dontaudit_use_fds(iptables_t)
- ')
-
- optional_policy(`
- psad_rw_tmp_files(iptables_t)
-+ psad_write_log(iptables_t)
-+')
-+
-+optional_policy(`
-+ ctdbd_read_lib_files(iptables_t)
-+')
-+
-+optional_policy(`
-+ neutron_rw_inherited_pipes(iptables_t)
-+ neutron_sigchld(iptables_t)
- ')
-
- optional_policy(`
-@@ -132,12 +184,13 @@ optional_policy(`
-
- optional_policy(`
- seutil_sigchld_newrole(iptables_t)
-+ seutil_run_setfiles(iptables_t, iptables_roles)
- ')
-
- optional_policy(`
-+ shorewall_read_config(iptables_t)
- shorewall_read_tmp_files(iptables_t)
- shorewall_rw_lib_files(iptables_t)
-- shorewall_read_config(iptables_t)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/kdbus.fc b/policy/modules/system/kdbus.fc
-new file mode 100644
-index 000000000..1bb8bf6d7
---- /dev/null
-+++ b/policy/modules/system/kdbus.fc
-@@ -0,0 +1 @@
-+# empty
-diff --git a/policy/modules/system/kdbus.if b/policy/modules/system/kdbus.if
-new file mode 100644
-index 000000000..6a1c9ed87
---- /dev/null
-+++ b/policy/modules/system/kdbus.if
-@@ -0,0 +1,2 @@
-+## Policy for kdbusfs.
-+
-diff --git a/policy/modules/system/kdbus.te b/policy/modules/system/kdbus.te
-new file mode 100644
-index 000000000..c8147952a
---- /dev/null
-+++ b/policy/modules/system/kdbus.te
-@@ -0,0 +1,14 @@
-+policy_module(kdbus,1.0.0)
-+
-+require {
-+ attribute login_pgm;
-+ type systemd_logind_t;
-+ }
-+
-+allow login_pgm self:capability ipc_owner;
-+
-+fs_manage_kdbus_files(login_pgm)
-+fs_manage_kdbus_dirs(login_pgm)
-+
-+fs_manage_kdbus_dirs(systemd_logind_t)
-+fs_manage_kdbus_files(systemd_logind_t)
-diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c00c..4ddc8145a 100644
---- a/policy/modules/system/libraries.fc
-+++ b/policy/modules/system/libraries.fc
-@@ -1,3 +1,4 @@
-+
- #
- # /emul
- #
-@@ -28,14 +29,17 @@ ifdef(`distro_redhat',`
- # /etc
- #
- /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
-+/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
- /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
-+/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
-
- /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
-
- #
- # /lib(64)?
- #
--/lib -d gen_context(system_u:object_r:lib_t,s0)
-+/lib gen_context(system_u:object_r:lib_t,s0)
-+/lib64 gen_context(system_u:object_r:lib_t,s0)
- /lib/.* gen_context(system_u:object_r:lib_t,s0)
- /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
-@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',`
- #
- # /opt
- #
--/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
-+/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0)
- /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
- /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -98,11 +101,18 @@ ifdef(`distro_redhat',`
- #
- # /sbin
- #
--/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
-+/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
-+/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
-
- #
- # /usr
- #
-+/usr/lib -d gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/.* gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-+/usr/lib/gvfs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
- /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -111,12 +121,12 @@ ifdef(`distro_redhat',`
- /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
-
- /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-
--/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-+/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
- /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-+/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-@@ -125,13 +135,16 @@ ifdef(`distro_redhat',`
- /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libGLdispatch.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -141,19 +154,23 @@ ifdef(`distro_redhat',`
- /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libjavascriptcoregtk[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib.*/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
--/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+
-+/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -182,11 +199,13 @@ ifdef(`distro_redhat',`
- # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
- # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
- HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -241,13 +260,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
-
- # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
- /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- # Jai, Sun Microsystems (Jpackage SPRM)
- /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +286,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
-
- # Java, Sun Microsystems (JPackage SRPM)
- /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -299,17 +315,159 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
- #
- /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
-
--/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
--
--/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
- /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
-
-+/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/var/named/chroot/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+
-+/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+
- ifdef(`distro_suse',`
- /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
- ')
-
--/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
-+/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
-+
-+/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
-+
-+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+
-+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+ifdef(`fixed',`
-+/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+# Flash plugin, Macromedia
-+/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+')
-+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/var/lib/VBoxGuestAdditions.*/lib/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:lib_t,s0)
-+
-+/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
-+/usr/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
-diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93eb..16ed55e55 100644
---- a/policy/modules/system/libraries.if
-+++ b/policy/modules/system/libraries.if
-@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
-
- ########################################
- ##
-+## Make ldconfig_exec_t entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which bin_t is an entrypoint.
-+##
-+##
-+#
-+interface(`libs_ldconfig_exec_entry_type',`
-+ gen_require(`
-+ type ldconfig_exec_t;
-+ ')
-+
-+ domain_entry_file($1, ldconfig_exec_t)
-+')
-+
-+########################################
-+##
- ## Use the dynamic link/loader for automatic loading
- ## of shared libraries.
- ##
-@@ -84,9 +103,9 @@ interface(`libs_use_ld_so',`
- allow $1 lib_t:dir list_dir_perms;
-
- read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
-- mmap_files_pattern($1, lib_t, ld_so_t)
-+ mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t })
-
-- allow $1 ld_so_cache_t:file read_file_perms;
-+ allow $1 ld_so_cache_t:file { map read_file_perms };
- ')
-
- ########################################
-@@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',`
- type lib_t, ld_so_t;
- ')
-
-+ read_lnk_files_pattern($1, lib_t, lib_t)
- manage_files_pattern($1, lib_t, ld_so_t)
- ')
-
-@@ -205,68 +225,87 @@ interface(`libs_search_lib',`
- type lib_t;
- ')
-
-+ read_lnk_files_pattern($1, lib_t, lib_t)
- allow $1 lib_t:dir search_dir_perms;
- ')
--
- ########################################
- ##
--## Do not audit attempts to write to library directories.
-+## dontaudit attempts to setattr on library files
- ##
--##
--##
--## Do not audit attempts to write to library directories.
--## Typically this is used to quiet attempts to recompile
--## python byte code.
--##
--##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
- #
--interface(`libs_dontaudit_write_lib_dirs',`
-+interface(`libs_dontaudit_setattr_lib_files',`
- gen_require(`
- type lib_t;
- ')
-
-- dontaudit $1 lib_t:dir write;
-+ dontaudit $1 lib_t:file setattr;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete library directories.
-+## dontaudit attempts to setattr on library dirs
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`libs_manage_lib_dirs',`
-+interface(`libs_dontaudit_setattr_lib_dirs',`
- gen_require(`
- type lib_t;
- ')
-
-- allow $1 lib_t:dir manage_dir_perms;
-+ dontaudit $1 lib_t:dir setattr;
- ')
-
- ########################################
- ##
--## dontaudit attempts to setattr on library files
-+## Do not audit attempts to write to library directories.
- ##
-+##
-+##
-+## Do not audit attempts to write to library directories.
-+## Typically this is used to quiet attempts to recompile
-+## python byte code.
-+##
-+##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
- #
--interface(`libs_dontaudit_setattr_lib_files',`
-+interface(`libs_dontaudit_write_lib_dirs',`
- gen_require(`
- type lib_t;
- ')
-
-- dontaudit $1 lib_t:file setattr;
-+ dontaudit $1 lib_t:dir write;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete library directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`libs_manage_lib_dirs',`
-+ gen_require(`
-+ type lib_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, lib_t, lib_t)
-+ allow $1 lib_t:dir manage_dir_perms;
- ')
-
- ########################################
-@@ -345,6 +384,7 @@ interface(`libs_manage_lib_files',`
- type lib_t;
- ')
-
-+ read_lnk_files_pattern($1, lib_t, lib_t)
- manage_files_pattern($1, lib_t, lib_t)
- ')
-
-@@ -421,7 +461,8 @@ interface(`libs_manage_shared_libs',`
- type lib_t, textrel_shlib_t;
- ')
-
-- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-+ read_lnk_files_pattern($1, lib_t, lib_t)
-+ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
- ')
-
- ########################################
-@@ -440,9 +481,10 @@ interface(`libs_use_shared_libs',`
- ')
-
- files_search_usr($1)
-- allow $1 lib_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
-+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
-+ mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
-+# allow $1 lib_t:file execmod;
- allow $1 textrel_shlib_t:file execmod;
- ')
-
-@@ -483,7 +525,7 @@ interface(`libs_relabel_shared_libs',`
- type lib_t, textrel_shlib_t;
- ')
-
-- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-+ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
- ')
-
- ########################################
-@@ -534,3 +576,28 @@ interface(`lib_filetrans_shared_lib',`
- interface(`files_lib_filetrans_shared_lib',`
- refpolicywarn(`$0($*) has been deprecated.')
- ')
-+
-+########################################
-+##
-+## Transition to lib named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`libs_filetrans_named_content',`
-+ gen_require(`
-+ type lib_t;
-+ type ld_so_cache_t;
-+ type ldconfig_cache_t;
-+ ')
-+
-+ files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")
-+ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
-+')
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 54f8fa5c8..7a660a06c 100644
---- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
- # lib_t is the type of files in the system lib directories.
- #
- type lib_t alias shlib_t;
--files_type(lib_t)
-+files_ro_base_file(lib_t)
-
- #
- # textrel_shlib_t is the type of shared objects in the system lib
- # directories, which require text relocation.
- #
- type textrel_shlib_t alias texrel_shlib_t;
--files_type(textrel_shlib_t)
-+files_ro_base_file(textrel_shlib_t)
-
- ifdef(`distro_gentoo',`
- # openrc unfortunately mounts a tmpfs
-@@ -57,11 +57,14 @@ optional_policy(`
- # ldconfig local policy
- #
-
--allow ldconfig_t self:capability { dac_override sys_chroot };
-+allow ldconfig_t self:capability { dac_read_search sys_chroot };
-
-+manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
- manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
-+files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
-+allow ldconfig_t ldconfig_cache_t:file map;
-
--allow ldconfig_t ld_so_cache_t:file manage_file_perms;
-+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
- files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
-
- manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -72,14 +75,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
- manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t)
-
- kernel_read_system_state(ldconfig_t)
-+kernel_read_network_state(ldconfig_t)
-
- fs_getattr_xattr_fs(ldconfig_t)
-
-+files_list_var_lib(ldconfig_t)
-+files_dontaudit_leaks(ldconfig_t)
-+files_manage_var_lib_symlinks(ldconfig_t)
-+
- corecmd_search_bin(ldconfig_t)
-
- domain_use_interactive_fds(ldconfig_t)
-
--files_search_var_lib(ldconfig_t)
-+files_search_home(ldconfig_t)
- files_read_etc_files(ldconfig_t)
- files_read_usr_files(ldconfig_t)
- files_search_tmp(ldconfig_t)
-@@ -90,11 +98,11 @@ files_delete_etc_files(ldconfig_t)
- init_use_script_ptys(ldconfig_t)
- init_read_script_tmp_files(ldconfig_t)
-
--miscfiles_read_localization(ldconfig_t)
-
- logging_send_syslog_msg(ldconfig_t)
-
--userdom_use_user_terminals(ldconfig_t)
-+term_use_console(ldconfig_t)
-+userdom_use_inherited_user_terminals(ldconfig_t)
- userdom_use_all_users_fds(ldconfig_t)
-
- ifdef(`distro_ubuntu',`
-@@ -103,6 +111,13 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
-+userdom_dontaudit_list_admin_dir(ldconfig_t)
-+userdom_list_user_home_dirs(ldconfig_t)
-+userdom_manage_user_home_content_files(ldconfig_t)
-+userdom_manage_user_tmp_files(ldconfig_t)
-+userdom_manage_user_tmp_symlinks(ldconfig_t)
-+userdom_rw_inherited_user_tmp_pipes(ldconfig_t)
-+
- ifdef(`hide_broken_symptoms',`
- ifdef(`distro_gentoo',`
- # leaked fds from portage
-@@ -114,6 +129,11 @@ ifdef(`hide_broken_symptoms',`
- ')
- ')
-
-+ dev_dontaudit_rw_lvm_control(ldconfig_t)
-+ dev_dontaudit_read_all_chr_files(ldconfig_t)
-+ dev_dontaudit_read_all_blk_files(ldconfig_t)
-+ term_dontaudit_use_unallocated_ttys(ldconfig_t)
-+
- optional_policy(`
- unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
- ')
-@@ -131,6 +151,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ glusterd_dontaudit_read_lib_dirs(ldconfig_t)
-+')
-+
-+optional_policy(`
-+ gnome_append_generic_cache_files(ldconfig_t)
-+')
-+
-+optional_policy(`
-+ kdump_manage_kdumpctl_tmp_files(ldconfig_t)
-+')
-+
-+optional_policy(`
- puppet_rw_tmp(ldconfig_t)
- ')
-
-@@ -141,6 +173,3 @@ optional_policy(`
- rpm_manage_script_tmp_files(ldconfig_t)
- ')
-
--optional_policy(`
-- unconfined_domain(ldconfig_t)
--')
-diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index be6a81b80..a5303e920 100644
---- a/policy/modules/system/locallogin.fc
-+++ b/policy/modules/system/locallogin.fc
-@@ -1,3 +1,8 @@
-+HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
-+/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
-
- /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
- /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+
-+/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
-index 0e3c2a977..ea9bd57dc 100644
---- a/policy/modules/system/locallogin.if
-+++ b/policy/modules/system/locallogin.if
-@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',`
-
- domtrans_pattern($1, sulogin_exec_t, sulogin_t)
- ')
-+
-+#######################################
-+##
-+## Allow domain to gettatr local login home content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`locallogin_getattr_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ getattr_files_pattern($1, local_login_home_t, local_login_home_t)
-+')
-+
-+########################################
-+##
-+## create local login content in the in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`locallogin_filetrans_admin_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+')
-+
-+########################################
-+##
-+## Transition to local login named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`locallogin_filetrans_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+')
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa9908..31ffd73ab 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
- type local_login_lock_t;
- files_lock_file(local_login_lock_t)
-
--type local_login_tmp_t;
--files_tmp_file(local_login_tmp_t)
--files_poly_parent(local_login_tmp_t)
-+type local_login_home_t;
-+userdom_user_home_content(local_login_home_t)
-
- type sulogin_t;
- type sulogin_exec_t;
-@@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t)
- init_system_domain(sulogin_t, sulogin_exec_t)
- role system_r types sulogin_t;
-
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh)
-+')
-+
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh)
-+')
-+
- ########################################
- #
- # Local login local policy
- #
-
--allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
--allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--allow local_login_t self:process { setrlimit setexec };
-+allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
-+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
- allow local_login_t self:fd use;
- allow local_login_t self:fifo_file rw_fifo_file_perms;
- allow local_login_t self:sock_file read_sock_file_perms;
-@@ -51,9 +57,7 @@ allow local_login_t self:key { search write link };
- allow local_login_t local_login_lock_t:file manage_file_perms;
- files_lock_filetrans(local_login_t, local_login_lock_t, file)
-
--allow local_login_t local_login_tmp_t:dir manage_dir_perms;
--allow local_login_t local_login_tmp_t:file manage_file_perms;
--files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
-+allow local_login_t local_login_home_t:file read_file_perms;
-
- kernel_read_system_state(local_login_t)
- kernel_read_kernel_sysctls(local_login_t)
-@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
- dev_setattr_power_mgmt_dev(local_login_t)
- dev_getattr_sound_dev(local_login_t)
- dev_setattr_sound_dev(local_login_t)
-+dev_rw_generic_usb_dev(local_login_t)
-+dev_read_video_dev(local_login_t)
- dev_dontaudit_getattr_apm_bios_dev(local_login_t)
- dev_dontaudit_setattr_apm_bios_dev(local_login_t)
- dev_dontaudit_read_framebuffer(local_login_t)
-@@ -117,16 +123,18 @@ term_relabel_unallocated_ttys(local_login_t)
- term_relabel_all_ttys(local_login_t)
- term_setattr_all_ttys(local_login_t)
- term_setattr_unallocated_ttys(local_login_t)
-+term_relabel_all_ptys(local_login_t)
-+term_setattr_generic_ptys(local_login_t)
-
- auth_rw_login_records(local_login_t)
- auth_rw_faillog(local_login_t)
--auth_manage_pam_pid(local_login_t)
- auth_manage_pam_console_data(local_login_t)
- auth_domtrans_pam_console(local_login_t)
-+auth_use_nsswitch(local_login_t)
-
- init_dontaudit_use_fds(local_login_t)
-+init_stream_connect(local_login_t)
-
--miscfiles_read_localization(local_login_t)
-
- userdom_spec_domtrans_all_users(local_login_t)
- userdom_signal_all_users(local_login_t)
-@@ -141,19 +149,15 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`console_login',`
-- # Able to relabel /dev/console to user tty types.
-- term_relabel_console(local_login_t)
--')
-+userdom_home_reader(local_login_t)
-+userdom_manage_tmp_files(local_login_t)
-+userdom_tmp_filetrans_user_tmp(local_login_t, file)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(local_login_t)
-- fs_read_nfs_symlinks(local_login_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(local_login_t)
-- fs_read_cifs_symlinks(local_login_t)
-+tunable_policy(`login_console_enabled',`
-+ term_use_console(local_login_t)
-+ # Able to relabel /dev/console to user tty types.
-+ term_relabel_console(local_login_t)
-+ term_setattr_console(local_login_t)
- ')
-
- optional_policy(`
-@@ -177,14 +181,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nis_use_ypbind(local_login_t)
--')
--
--optional_policy(`
-- nscd_use(local_login_t)
--')
--
--optional_policy(`
- unconfined_shell_domtrans(local_login_t)
- ')
-
-@@ -195,6 +191,7 @@ optional_policy(`
- optional_policy(`
- xserver_read_xdm_tmp_files(local_login_t)
- xserver_rw_xdm_tmp_files(local_login_t)
-+ xserver_rw_xdm_keys(local_login_t)
- ')
-
- #################################
-@@ -202,7 +199,7 @@ optional_policy(`
- # Sulogin local policy
- #
-
--allow sulogin_t self:capability dac_override;
-+allow sulogin_t self:capability { dac_read_search sys_admin };
- allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow sulogin_t self:fd use;
- allow sulogin_t self:fifo_file rw_fifo_file_perms;
-@@ -215,18 +212,30 @@ allow sulogin_t self:sem create_sem_perms;
- allow sulogin_t self:msgq create_msgq_perms;
- allow sulogin_t self:msg { send receive };
-
-+kernel_getattr_core_if(sulogin_t)
-+kernel_read_crypto_sysctls(sulogin_t)
- kernel_read_system_state(sulogin_t)
-
-+dev_getattr_all_chr_files(sulogin_t)
-+dev_getattr_all_blk_files(sulogin_t)
-+
-+dev_read_urand(sulogin_t)
-+dev_read_rand(sulogin_t)
-+
- fs_search_auto_mountpoints(sulogin_t)
- fs_rw_tmpfs_chr_files(sulogin_t)
-
- files_read_etc_files(sulogin_t)
- # because file systems are not mounted:
- files_dontaudit_search_isid_type_dirs(sulogin_t)
-+files_search_pids(sulogin_t)
-
- auth_read_shadow(sulogin_t)
-+auth_use_nsswitch(sulogin_t)
-
- init_getpgid_script(sulogin_t)
-+init_getpgid(sulogin_t)
-+init_getattr_initctl(sulogin_t)
-
- logging_send_syslog_msg(sulogin_t)
-
-@@ -235,17 +244,28 @@ seutil_read_default_contexts(sulogin_t)
-
- userdom_use_unpriv_users_fds(sulogin_t)
-
-+userdom_search_admin_dir(sulogin_t)
- userdom_search_user_home_dirs(sulogin_t)
- userdom_use_user_ptys(sulogin_t)
-
--sysadm_shell_domtrans(sulogin_t)
-+term_use_console(sulogin_t)
-+term_use_unallocated_ttys(sulogin_t)
-+term_use_generic_ptys(sulogin_t)
-+
-+ifdef(`enable_mls',`
-+ sysadm_shell_domtrans(sulogin_t)
-+',`
-+ optional_policy(`
-+ unconfined_shell_domtrans(sulogin_t)
-+ ')
-+')
-
- # suse and debian do not use pam with sulogin...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
-
-+allow sulogin_t self:capability sys_tty_config;
- ifdef(`sulogin_no_pam', `
-- allow sulogin_t self:capability sys_tty_config;
- init_getpgid(sulogin_t)
- ', `
- allow sulogin_t self:process setexec;
-@@ -258,9 +278,5 @@ ifdef(`sulogin_no_pam', `
- ')
-
- optional_policy(`
-- nis_use_ypbind(sulogin_t)
--')
--
--optional_policy(`
-- nscd_use(sulogin_t)
-+ plymouthd_exec_plymouth(sulogin_t)
- ')
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe81..9eacd9ba1 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,11 +1,15 @@
--/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-+/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
-+/usr/lib/systemd/system/rsyslog.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)
-+
- /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-@@ -17,12 +21,25 @@
- /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+
-+/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-+/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
-+/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
-+/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-+/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
--/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
- /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,21 +55,22 @@ ifdef(`distro_suse', `
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
--/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
--/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-+/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-
- ifndef(`distro_gentoo',`
--/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-+/var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
- ')
-
- ifdef(`distro_redhat',`
- /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
- /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
-+/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
- ')
-
- /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -65,11 +83,16 @@ ifdef(`distro_redhat',`
- /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
-+/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-
- /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
- /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
- /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
--/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
-+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
- /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e9488463..c54641fbb 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',`
-
- ########################################
- ##
-+## Create netlink audit socket
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_create_syslog_netlink_audit_socket',`
-+ gen_require(`
-+ type syslogd_t;
-+ ')
-+
-+ allow $1 syslogd_t:netlink_audit_socket create_netlink_socket_perms;
-+')
-+
-+########################################
-+##
- ## Set login uid
- ##
- ##
-@@ -146,6 +164,24 @@ interface(`logging_read_audit_log',`
-
- ########################################
- ##
-+## Map the audit log.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_map_audit_log',`
-+ gen_require(`
-+ type auditd_log_t;
-+ ')
-+
-+ allow $1 auditd_log_t:file map;
-+')
-+########################################
-+##
- ## Execute auditctl in the auditctl domain.
- ##
- ##
-@@ -233,7 +269,7 @@ interface(`logging_run_auditd',`
-
- ########################################
- ##
--## Connect to auditdstored over an unix stream socket.
-+## Connect to auditdstored over a unix stream socket.
- ##
- ##
- ##
-@@ -318,7 +354,7 @@ interface(`logging_dispatcher_domain',`
-
- ########################################
- ##
--## Connect to the audit dispatcher over an unix stream socket.
-+## Connect to the audit dispatcher over a unix stream socket.
- ##
- ##
- ##
-@@ -496,6 +532,68 @@ interface(`logging_log_filetrans',`
- filetrans_pattern($1, var_log_t, $2, $3, $4)
- ')
-
-+#######################################
-+##
-+## Create an object in the log directory, with a private type.
-+##
-+##
-+##
-+## Allow the specified domain to create an object
-+## in the general system log directories (e.g., /var/log)
-+## with a private type. Typically this is used for creating
-+## private log files in /var/log with the private type instead
-+## of the general system log type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - logging_log_file()
-+##
-+##
-+## Example usage with a domain that can create
-+## and append to a private log file stored in the
-+## general directories (e.g., /var/log):
-+##
-+##
-+## type mylogfile_t;
-+## logging_log_file(mylogfile_t)
-+## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
-+## logging_log_filetrans(mydomain_t, mylogfile_t, file)
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+#
-+interface(`logging_log_named_filetrans',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ files_search_var($1)
-+ filetrans_pattern($1, var_log_t, $2, $3, $4)
-+')
-+
- ########################################
- ##
- ## Send system log messages.
-@@ -530,22 +628,107 @@ interface(`logging_log_filetrans',`
- #
- interface(`logging_send_syslog_msg',`
- gen_require(`
-- type syslogd_t, devlog_t;
-+ attribute syslog_client_type;
-+ ')
-+
-+ typeattribute $1 syslog_client_type;
-+')
-+
-+########################################
-+##
-+## Connect to the syslog control unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_create_devlog_dev',`
-+ gen_require(`
-+ type devlog_t;
-+ ')
-+
-+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
-+ allow $1 devlog_t:sock_file manage_sock_file_perms;
-+ dev_filetrans($1, devlog_t, lnk_file, "log")
-+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
-+ logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
-+')
-+
-+########################################
-+##
-+## Relabel the devlog sock_file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_relabel_devlog_dev',`
-+ gen_require(`
-+ type devlog_t;
-+ ')
-+
-+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
-+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to read the syslog pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_read_syslog_pid',`
-+ gen_require(`
-+ type syslogd_var_run_t;
-+ ')
-+
-+ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
-+ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Relabel the syslog pid sock_file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_relabel_syslog_pid_socket',`
-+ gen_require(`
-+ type syslogd_var_run_t;
- ')
-
-- allow $1 devlog_t:lnk_file read_lnk_file_perms;
-- allow $1 devlog_t:sock_file write_sock_file_perms;
-+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
-+')
-
-- # the type of socket depends on the syslog daemon
-- allow $1 syslogd_t:unix_dgram_socket sendto;
-- allow $1 syslogd_t:unix_stream_socket connectto;
-- allow $1 self:unix_dgram_socket create_socket_perms;
-- allow $1 self:unix_stream_socket create_socket_perms;
-+########################################
-+##
-+## Connect to the syslog control unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_stream_connect_syslog',`
-+ gen_require(`
-+ type syslogd_t, syslogd_var_run_t;
-+ ')
-
-- # If syslog is down, the glibc syslog() function
-- # will write to the console.
-- term_write_console($1)
-- term_dontaudit_read_console($1)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
- ')
-
- ########################################
-@@ -571,6 +754,44 @@ interface(`logging_read_audit_config',`
-
- ########################################
- ##
-+## Map the auditd configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_map_audit_config',`
-+ gen_require(`
-+ type auditd_etc_t;
-+ ')
-+
-+ allow $1 auditd_etc_t:file map;
-+')
-+
-+########################################
-+##
-+## dontaudit search of auditd log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`logging_dontaudit_search_audit_logs',`
-+ gen_require(`
-+ type auditd_log_t;
-+ ')
-+
-+ dontaudit $1 auditd_log_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## dontaudit search of auditd configuration files.
- ##
- ##
-@@ -609,6 +830,25 @@ interface(`logging_read_syslog_config',`
-
- ########################################
- ##
-+## Manage syslog configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_manage_syslog_config',`
-+ gen_require(`
-+ type syslog_conf_t;
-+ ')
-+
-+ manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
-+')
-+
-+########################################
-+##
- ## Allows the domain to open a file in the
- ## log directory, but does not allow the listing
- ## of the contents of the log directory.
-@@ -722,6 +962,25 @@ interface(`logging_setattr_all_log_dirs',`
- allow $1 logfile:dir setattr;
- ')
-
-+#######################################
-+##
-+## Relabel on all log dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_relabel_all_log_dirs',`
-+ gen_require(`
-+ attribute logfile;
-+ ')
-+
-+ relabel_dirs_pattern($1, logfile, logfile)
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to get the attributes
-@@ -776,7 +1035,25 @@ interface(`logging_append_all_logs',`
- ')
-
- files_search_var($1)
-- append_files_pattern($1, var_log_t, logfile)
-+ append_files_pattern($1, logfile, logfile)
-+')
-+
-+########################################
-+##
-+## Append to all log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_inherit_append_all_logs',`
-+ gen_require(`
-+ attribute logfile;
-+ ')
-+
-+ allow $1 logfile:file { getattr append ioctl lock };
- ')
-
- ########################################
-@@ -858,8 +1135,9 @@ interface(`logging_manage_all_logs',`
- ')
-
- files_search_var($1)
-+ manage_dirs_pattern($1, logfile, logfile)
- manage_files_pattern($1, logfile, logfile)
-- read_lnk_files_pattern($1, logfile, logfile)
-+ manage_lnk_files_pattern($1, logfile, logfile)
- ')
-
- ########################################
-@@ -880,11 +1158,69 @@ interface(`logging_read_generic_logs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:file map;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
- ########################################
- ##
-+## Link generic log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_link_generic_logs',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ allow $1 var_log_t:file link;
-+')
-+
-+########################################
-+##
-+## Delete generic log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_delete_generic_logs',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ allow $1 var_log_t:file unlink;
-+')
-+
-+########################################
-+##
-+## Map generic log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_mmap_generic_logs',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ allow $1 var_log_t:file map;
-+')
-+
-+########################################
-+##
- ## Write generic log files.
- ##
- ##
-@@ -905,6 +1241,24 @@ interface(`logging_write_generic_logs',`
-
- ########################################
- ##
-+## Dontaudit read/Write inherited generic log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`logging_dontaudit_rw_inherited_generic_logs',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ dontaudit $1 var_log_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Dontaudit Write generic log files.
- ##
- ##
-@@ -984,11 +1338,16 @@ interface(`logging_admin_audit',`
- type auditd_t, auditd_etc_t, auditd_log_t;
- type auditd_var_run_t;
- type auditd_initrc_exec_t;
-+ type auditd_unit_file_t;
- ')
-
-- allow $1 auditd_t:process { ptrace signal_perms };
-+ allow $1 auditd_t:process signal_perms;
- ps_process_pattern($1, auditd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 auditd_t:process ptrace;
-+ ')
-+
- manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
- manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-
-@@ -1004,6 +1363,55 @@ interface(`logging_admin_audit',`
- domain_system_change_exemption($1)
- role_transition $2 auditd_initrc_exec_t system_r;
- allow $2 system_r;
-+
-+ logging_systemctl_audit($1)
-+ admin_pattern($1, auditd_unit_file_t)
-+ allow $1 auditd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Execute auditd server in the auditd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`logging_systemctl_audit',`
-+ gen_require(`
-+ type auditd_t;
-+ type auditd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 auditd_unit_file_t:file read_file_perms;
-+ allow $1 auditd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, auditd_t)
-+')
-+########################################
-+##
-+## Execute auditd server in the auditd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`logging_systemctl_syslogd',`
-+ gen_require(`
-+ type syslogd_t;
-+ type syslogd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 syslogd_unit_file_t:file read_file_perms;
-+ allow $1 syslogd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, syslogd_t)
- ')
-
- ########################################
-@@ -1032,10 +1440,15 @@ interface(`logging_admin_syslog',`
- type syslogd_initrc_exec_t;
- ')
-
-- allow $1 syslogd_t:process { ptrace signal_perms };
-- allow $1 klogd_t:process { ptrace signal_perms };
-+ allow $1 self:capability2 syslog;
-+ allow $1 syslogd_t:process signal_perms;
-+ allow $1 klogd_t:process signal_perms;
- ps_process_pattern($1, syslogd_t)
- ps_process_pattern($1, klogd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 syslogd_t:process ptrace;
-+ allow $1 klogd_t:process ptrace;
-+ ')
-
- manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
- manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1470,8 @@ interface(`logging_admin_syslog',`
- manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
-
- logging_manage_all_logs($1)
-+ allow $1 logfile:dir relabel_dir_perms;
-+ allow $1 logfile:file relabel_file_perms;
-
- init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -1085,3 +1500,110 @@ interface(`logging_admin',`
- logging_admin_audit($1, $2)
- logging_admin_syslog($1, $2)
- ')
-+
-+########################################
-+##
-+## Transition to syslog.conf
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_filetrans_named_conf',`
-+ gen_require(`
-+ type syslog_conf_t;
-+ ')
-+
-+ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
-+ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
-+')
-+
-+########################################
-+##
-+## Transition to logging named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_filetrans_named_content',`
-+ gen_require(`
-+ type var_log_t;
-+ type audit_spool_t;
-+ type syslogd_var_run_t;
-+ type syslog_conf_t;
-+ ')
-+
-+ files_pid_filetrans($1, syslogd_var_run_t, dir, "log")
-+ files_spool_filetrans($1, var_log_t, dir, "rsyslog")
-+ files_spool_filetrans($1, var_log_t, dir, "log")
-+ files_spool_filetrans($1, audit_spool_t, dir, "audit")
-+ files_var_filetrans($1, var_log_t, dir, "webmin")
-+
-+ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
-+ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
-+
-+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
-+
-+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
-+')
-+
-+#######################################
-+##
-+## Create objects in /run/systemd/journal/ directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`logging_syslogd_pid_filetrans',`
-+ gen_require(`
-+ type syslogd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
-+')
-+
-+#######################################
-+##
-+## Map files in /run/log/journal/ directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_mmap_journal',`
-+ gen_require(`
-+ type syslogd_var_run_t;
-+ ')
-+
-+ allow $1 syslogd_var_run_t:file map;
-+
-+')
-+
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1a2..d4fd81a7b 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
- #
- # Declarations
- #
-+attribute syslog_client_type;
-+
-+##
-+##
-+## Allow syslogd daemon to send mail
-+##
-+##
-+gen_tunable(logging_syslogd_can_sendmail, false)
-+
-+##
-+##
-+## Allow syslogd the ability to read/write terminals
-+##
-+##
-+gen_tunable(logging_syslogd_use_tty, true)
-+
-+##
-+##
-+## Allow syslogd the ability to call nagios plugins. It is
-+## turned on by omprog rsyslog plugin.
-+##
-+##
-+gen_tunable(logging_syslogd_run_nagios_plugins, false)
-
- attribute logfile;
-
-@@ -20,6 +43,7 @@ files_security_file(auditd_log_t)
- files_security_mountpoint(auditd_log_t)
-
- type audit_spool_t;
-+files_spool_file(audit_spool_t)
- files_security_file(audit_spool_t)
- files_security_mountpoint(audit_spool_t)
-
-@@ -33,6 +57,9 @@ init_script_file(auditd_initrc_exec_t)
- type auditd_var_run_t;
- files_pid_file(auditd_var_run_t)
-
-+type auditd_unit_file_t;
-+systemd_unit_file(auditd_unit_file_t)
-+
- type audisp_t;
- type audisp_exec_t;
- init_system_domain(audisp_t, audisp_exec_t)
-@@ -64,6 +91,7 @@ files_config_file(syslog_conf_t)
- type syslogd_t;
- type syslogd_exec_t;
- init_daemon_domain(syslogd_t, syslogd_exec_t)
-+mls_trusted_object(syslogd_t)
-
- type syslogd_initrc_exec_t;
- init_script_file(syslogd_initrc_exec_t)
-@@ -71,16 +99,23 @@ init_script_file(syslogd_initrc_exec_t)
- type syslogd_tmp_t;
- files_tmp_file(syslogd_tmp_t)
-
-+type syslogd_tmpfs_t;
-+files_tmpfs_file(syslogd_tmpfs_t)
-+
- type syslogd_var_lib_t;
- files_type(syslogd_var_lib_t)
-
- type syslogd_var_run_t;
- files_pid_file(syslogd_var_run_t)
-+mls_trusted_object(syslogd_var_run_t)
-
- type var_log_t;
- logging_log_file(var_log_t)
- files_mountpoint(var_log_t)
-
-+type syslogd_unit_file_t;
-+systemd_unit_file(syslogd_unit_file_t)
-+
- ifdef(`enable_mls',`
- init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
- init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
-@@ -91,11 +126,14 @@ ifdef(`enable_mls',`
- # Auditctl local policy
- #
-
--allow auditctl_t self:capability { fsetid dac_read_search dac_override };
-+allow auditctl_t self:capability { fsetid dac_read_search };
- allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
-
-+allow auditctl_t self:process getcap;
-+
- read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
- allow auditctl_t auditd_etc_t:dir list_dir_perms;
-+allow auditctl_t auditd_etc_t:file map;
-
- # Needed for adding watches
- files_getattr_all_dirs(auditctl_t)
-@@ -111,7 +149,9 @@ domain_use_interactive_fds(auditctl_t)
-
- mls_file_read_all_levels(auditctl_t)
-
--term_use_all_terms(auditctl_t)
-+storage_getattr_removable_dev(auditctl_t)
-+
-+term_use_all_inherited_terms(auditctl_t)
-
- init_dontaudit_use_fds(auditctl_t)
-
-@@ -134,11 +174,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms;
- allow auditd_t self:tcp_socket create_stream_socket_perms;
-
- allow auditd_t auditd_etc_t:dir list_dir_perms;
--allow auditd_t auditd_etc_t:file read_file_perms;
-+allow auditd_t auditd_etc_t:file { read_file_perms map };
-
-+manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
--allow auditd_t var_log_t:dir search_dir_perms;
-+logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit")
-
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -148,6 +189,7 @@ kernel_read_kernel_sysctls(auditd_t)
- # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
- # Probably want a transition, and a new auditd_helper app
- kernel_read_system_state(auditd_t)
-+kernel_read_network_state(auditd_t)
-
- dev_read_sysfs(auditd_t)
-
-@@ -155,9 +197,6 @@ fs_getattr_all_fs(auditd_t)
- fs_search_auto_mountpoints(auditd_t)
- fs_rw_anon_inodefs_files(auditd_t)
-
--selinux_search_fs(auditctl_t)
--
--corenet_all_recvfrom_unlabeled(auditd_t)
- corenet_all_recvfrom_netlabel(auditd_t)
- corenet_tcp_sendrecv_generic_if(auditd_t)
- corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +222,17 @@ logging_send_syslog_msg(auditd_t)
- logging_domtrans_dispatcher(auditd_t)
- logging_signal_dispatcher(auditd_t)
-
--miscfiles_read_localization(auditd_t)
-+auth_use_nsswitch(auditd_t)
-
- mls_file_read_all_levels(auditd_t)
- mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
--
--seutil_dontaudit_read_config(auditd_t)
-+mls_socket_write_all_levels(auditd_t)
-
- sysnet_dns_name_resolve(auditd_t)
-
--userdom_use_user_terminals(auditd_t)
-+systemd_start_systemd_services(auditd_t)
-+
-+userdom_use_inherited_user_terminals(auditd_t)
- userdom_dontaudit_use_unpriv_user_fds(auditd_t)
- userdom_dontaudit_search_user_home_dirs(auditd_t)
-
-@@ -219,7 +259,7 @@ optional_policy(`
- # audit dispatcher local policy
- #
-
--allow audisp_t self:capability { dac_override setpcap sys_nice };
-+allow audisp_t self:capability { dac_read_search setpcap sys_nice };
- allow audisp_t self:process { getcap signal_perms setcap setsched };
- allow audisp_t self:fifo_file rw_fifo_file_perms;
- allow audisp_t self:unix_stream_socket create_stream_socket_perms;
-@@ -237,19 +277,29 @@ corecmd_exec_shell(audisp_t)
-
- domain_use_interactive_fds(audisp_t)
-
-+fs_getattr_all_fs(audisp_t)
-+
- files_read_etc_files(audisp_t)
- files_read_etc_runtime_files(audisp_t)
-
-+mls_file_read_all_levels(audisp_t)
- mls_file_write_all_levels(audisp_t)
-+mls_socket_write_all_levels(audisp_t)
-+mls_dbus_send_all_levels(audisp_t)
-
--logging_send_syslog_msg(audisp_t)
-+auth_use_nsswitch(audisp_t)
-
--miscfiles_read_localization(audisp_t)
-+logging_send_syslog_msg(audisp_t)
-
- sysnet_dns_name_resolve(audisp_t)
-
- optional_policy(`
- dbus_system_bus_client(audisp_t)
-+ dbus_connect_system_bus(audisp_t)
-+
-+ optional_policy(`
-+ setroubleshoot_dbus_chat(audisp_t)
-+ ')
- ')
-
- ########################################
-@@ -266,9 +316,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
-
-+kernel_read_system_state(audisp_remote_t)
-+
- corecmd_exec_bin(audisp_remote_t)
-
--corenet_all_recvfrom_unlabeled(audisp_remote_t)
- corenet_all_recvfrom_netlabel(audisp_remote_t)
- corenet_tcp_sendrecv_generic_if(audisp_remote_t)
- corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,13 +331,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
-
- files_read_etc_files(audisp_remote_t)
-
-+mls_socket_write_all_levels(audisp_remote_t)
-+
- logging_send_syslog_msg(audisp_remote_t)
- logging_send_audit_msgs(audisp_remote_t)
-
--miscfiles_read_localization(audisp_remote_t)
-+auth_use_nsswitch(audisp_remote_t)
-+auth_append_login_records(audisp_remote_t)
-+
-+init_telinit(audisp_remote_t)
-+init_read_utmp(audisp_remote_t)
-+init_dontaudit_write_utmp(audisp_remote_t)
-
- sysnet_dns_name_resolve(audisp_remote_t)
-
-+systemd_start_power_services(audisp_remote_t)
-+
-+term_search_ptys(audisp_remote_t)
-+
-+userdom_use_user_ptys(audisp_remote_t)
-+
- ########################################
- #
- # klogd local policy
-@@ -326,7 +390,6 @@ files_read_etc_files(klogd_t)
-
- logging_send_syslog_msg(klogd_t)
-
--miscfiles_read_localization(klogd_t)
-
- mls_file_read_all_levels(klogd_t)
-
-@@ -355,13 +418,13 @@ optional_policy(`
- # sys_admin for the integrated klog of syslog-ng and metalog
- # sys_nice for rsyslog
- # cjp: why net_admin!
--allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_read_search sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
- dontaudit syslogd_t self:capability sys_tty_config;
-+dontaudit syslogd_t self:cap_userns sys_ptrace;
-+allow syslogd_t self:capability2 { syslog block_suspend };
- # setpgid for metalog
- # setrlimit for syslog-ng
--# getsched for syslog-ng
--# setsched for rsyslog
--allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
-+allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
- # receive messages to be logged
- allow syslogd_t self:unix_dgram_socket create_socket_perms;
- allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,15 +432,20 @@ allow syslogd_t self:unix_dgram_socket sendto;
- allow syslogd_t self:fifo_file rw_fifo_file_perms;
- allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
--
-+allow syslogd_t self:rawip_socket create_socket_perms;
-+allow syslogd_t self:netlink_audit_socket { r_netlink_socket_perms nlmsg_write };
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-+# now is /dev/log lnk_file
-+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
- files_pid_filetrans(syslogd_t, devlog_t, sock_file)
-
- # create/append log files.
- manage_files_pattern(syslogd_t, var_log_t, var_log_t)
-+allow syslogd_t var_log_t:file map;
- rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
- files_search_spool(syslogd_t)
-
-@@ -389,30 +457,49 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
-
-+manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
-+manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
-+fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })
-+
-+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
- manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
-+allow syslogd_t syslogd_var_lib_t:file map;
- files_search_var_lib(syslogd_t)
-
--# manage pid file
-+manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
- manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
--files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-+mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
-
-+kernel_rw_stream_socket_perms(syslogd_t)
- kernel_read_system_state(syslogd_t)
- kernel_read_network_state(syslogd_t)
- kernel_read_kernel_sysctls(syslogd_t)
-+kernel_read_netlink_audit_socket(syslogd_t)
- kernel_read_proc_symlinks(syslogd_t)
- # Allow access to /proc/kmsg for syslog-ng
- kernel_read_messages(syslogd_t)
-+kernel_request_load_module(syslogd_t)
- kernel_read_vm_sysctls(syslogd_t)
- kernel_clear_ring_buffer(syslogd_t)
- kernel_change_ring_buffer_level(syslogd_t)
-+kernel_read_ring_buffer(syslogd_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ kernel_rw_unix_dgram_sockets(syslogd_t)
-+')
-+
-+corecmd_exec_bin(syslogd_t)
-+corecmd_exec_shell(syslogd_t)
-
--corenet_all_recvfrom_unlabeled(syslogd_t)
- corenet_all_recvfrom_netlabel(syslogd_t)
- corenet_udp_sendrecv_generic_if(syslogd_t)
- corenet_udp_sendrecv_generic_node(syslogd_t)
- corenet_udp_sendrecv_all_ports(syslogd_t)
- corenet_udp_bind_generic_node(syslogd_t)
- corenet_udp_bind_syslogd_port(syslogd_t)
-+corenet_udp_bind_syslog_tls_port(syslogd_t)
- # syslog-ng can listen and connect on tcp port 514 (rsh)
- corenet_tcp_sendrecv_generic_if(syslogd_t)
- corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +509,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
- corenet_tcp_connect_rsh_port(syslogd_t)
- # Allow users to define additional syslog ports to connect to
- corenet_tcp_bind_syslogd_port(syslogd_t)
-+corenet_tcp_bind_syslog_tls_port(syslogd_t)
-+corenet_tcp_connect_syslog_tls_port(syslogd_t)
- corenet_tcp_connect_syslogd_port(syslogd_t)
- corenet_tcp_connect_postgresql_port(syslogd_t)
- corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +521,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
- corenet_sendrecv_postgresql_client_packets(syslogd_t)
- corenet_sendrecv_mysqld_client_packets(syslogd_t)
-
-+tunable_policy(`logging_syslogd_use_tty',`
-+ term_use_all_ttys(syslogd_t)
-+ term_use_all_ptys(syslogd_t)
-+')
-+
-+tunable_policy(`logging_syslogd_can_sendmail',`
-+ # support for ommail module to send logs via mail
-+ corenet_tcp_connect_smtp_port(syslogd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`logging_syslogd_run_nagios_plugins',`
-+ nagios_domtrans_unconfined_plugins(syslogd_t)
-+ ')
-+')
-+
- dev_filetrans(syslogd_t, devlog_t, sock_file)
- dev_read_sysfs(syslogd_t)
--
-+dev_read_rand(syslogd_t)
-+dev_read_urand(syslogd_t)
-+# relating to systemd-kmsg-syslogd
-+dev_write_kmsg(syslogd_t)
-+dev_read_kmsg(syslogd_t)
-+
-+domain_read_all_domains_state(syslogd_t)
-+domain_getattr_all_domains(syslogd_t)
- domain_use_interactive_fds(syslogd_t)
-
- files_read_etc_files(syslogd_t)
-@@ -448,13 +560,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
-
- fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-+fs_search_cgroup_dirs(syslogd_t)
-
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram
-
- term_write_console(syslogd_t)
- # Allow syslog to a terminal
- term_write_unallocated_ttys(syslogd_t)
-+term_use_generic_ptys(syslogd_t)
-
-+init_stream_connect(syslogd_t)
- # for sending messages to logged in users
- init_read_utmp(syslogd_t)
- init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +582,12 @@ init_use_fds(syslogd_t)
-
- # cjp: this doesnt make sense
- logging_send_syslog_msg(syslogd_t)
--
--miscfiles_read_localization(syslogd_t)
-+logging_manage_all_logs(syslogd_t)
-+logging_set_loginuid(syslogd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
--userdom_dontaudit_search_user_home_dirs(syslogd_t)
-+userdom_search_user_home_dirs(syslogd_t)
-+userdom_rw_inherited_user_tmp_files(syslogd_t)
-
- ifdef(`distro_gentoo',`
- # default gentoo syslog-ng config appends kernel
-@@ -497,6 +614,7 @@ optional_policy(`
- optional_policy(`
- cron_manage_log_files(syslogd_t)
- cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
-+ cron_generic_log_filetrans_log(syslogd_t, file, "cron")
- ')
-
- optional_policy(`
-@@ -507,15 +625,45 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ kerberos_keytab_template(syslogd, syslogd_t)
-+ kerberos_manage_host_rcache(syslogd_t)
-+ kerberos_read_config(syslogd_t)
-+')
-+
-+optional_policy(`
-+ mysql_read_config(syslogd_t)
- mysql_stream_connect(syslogd_t)
- ')
-
- optional_policy(`
-+ plymouthd_manage_log(syslogd_t)
-+')
-+
-+optional_policy(`
-+ postfix_search_spool(syslogd_t)
-+')
-+
-+optional_policy(`
- postgresql_stream_connect(syslogd_t)
- ')
-
- optional_policy(`
-+ psad_search_lib_files(syslogd_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(syslogd_t)
-+ snmp_read_snmp_var_lib_files(syslogd_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
-+')
-+
-+optional_policy(`
-+ systemd_rw_coredump_tmpfs_files(syslogd_t)
-+ systemd_read_unit_files(syslogd_t)
-+')
-+
-+optional_policy(`
-+ daemontools_search_svc_dir(syslogd_t)
- ')
-
- optional_policy(`
-@@ -526,3 +674,29 @@ optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
- ')
-+
-+#####################################################
-+#
-+# syslog client rules
-+#
-+allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms;
-+allow syslog_client_type devlog_t:sock_file write_sock_file_perms;
-+
-+# the type of socket depends on the syslog daemon
-+allow syslog_client_type syslogd_t:unix_dgram_socket sendto;
-+allow syslog_client_type syslogd_t:unix_stream_socket connectto;
-+allow syslog_client_type self:unix_dgram_socket create_socket_perms;
-+allow syslog_client_type self:unix_stream_socket create_socket_perms;
-+
-+
-+kernel_stream_connect(syslog_client_type)
-+
-+# If syslog is down, the glibc syslog() function
-+# will write to the console.
-+term_write_console(syslog_client_type)
-+term_dontaudit_read_console(syslog_client_type)
-+ifdef(`hide_broken_symptoms',`
-+ kernel_dgram_send(syslog_client_type)
-+')
-+
-+logging_stream_connect_syslog(syslog_client_type)
-diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b917403e..772411608 100644
---- a/policy/modules/system/lvm.fc
-+++ b/policy/modules/system/lvm.fc
-@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
- /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
- /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
-
-+/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
-+
- #
- # /lib
- #
-@@ -33,22 +35,27 @@ ifdef(`distro_gentoo',`
- #
- # /sbin
- #
-+/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
--/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/lvmpolld -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -89,8 +96,77 @@ ifdef(`distro_gentoo',`
- #
- # /usr
- #
--/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
--/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/systemd/generator/lvm.* gen_context(system_u:object_r:lvm_unit_file_t,s0)
-+/usr/lib/systemd/system/lvm2.*\.service gen_context(system_u:object_r:lvm_unit_file_t,s0)
-+
-+/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
-+/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmpolld -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmlockd -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+
-+/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/libexec/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/storaged/storaged-lvm-helper -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
-
- #
- # /var
-@@ -98,5 +174,11 @@ ifdef(`distro_gentoo',`
- /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
- /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
- /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
-+/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
-+/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
-+/var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
- /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
-+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
- /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
-+
-+/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
-diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f22..90f567300 100644
---- a/policy/modules/system/lvm.if
-+++ b/policy/modules/system/lvm.if
-@@ -1,5 +1,41 @@
- ## Policy for logical volume management programs.
-
-+
-+#####################################
-+##
-+## lvm stub domain interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`lvm_stub',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+')
-+
-+########################################
-+##
-+## Get the attribute of lvm entrypoint files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_getattr_exec_files',`
-+ gen_require(`
-+ type lvm_exec_t;
-+ ')
-+
-+ files_list_etc($1)
-+ allow $1 lvm_exec_t:file getattr;
-+')
-+
- ########################################
- ##
- ## Execute lvm programs in the lvm domain.
-@@ -86,6 +122,71 @@ interface(`lvm_read_config',`
-
- ########################################
- ##
-+## Read LVM configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`lvm_read_metadata',`
-+ gen_require(`
-+ type lvm_etc_t;
-+ type lvm_metadata_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 lvm_etc_t:dir list_dir_perms;
-+ read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
-+')
-+
-+########################################
-+##
-+## Read LVM configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`lvm_write_metadata',`
-+ gen_require(`
-+ type lvm_etc_t;
-+ type lvm_metadata_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 lvm_etc_t:dir list_dir_perms;
-+ write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
-+')
-+
-+########################################
-+##
-+## Manage LVM metadata files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`lvm_manage_metadata',`
-+ gen_require(`
-+ type lvm_metadata_t;
-+ ')
-+
-+ allow $1 lvm_metadata_t:dir list_dir_perms;
-+ manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t)
-+ manage_files_pattern($1, lvm_metadata_t, lvm_metadata_t)
-+')
-+
-+########################################
-+##
- ## Manage LVM configuration files.
- ##
- ##
-@@ -105,6 +206,25 @@ interface(`lvm_manage_config',`
- manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
- ')
-
-+########################################
-+##
-+## Connect to lvm using a unix domain stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_stream_connect',`
-+ gen_require(`
-+ type lvm_t, lvm_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, lvm_var_run_t, lvm_var_run_t, lvm_t)
-+')
-+
- ######################################
- ##
- ## Execute a domain transition to run clvmd.
-@@ -123,3 +243,175 @@ interface(`lvm_domtrans_clvmd',`
- corecmd_search_bin($1)
- domtrans_pattern($1, clvmd_exec_t, clvmd_t)
- ')
-+
-+########################################
-+##
-+## Read and write to lvm temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_rw_clvmd_tmpfs_files',`
-+ gen_require(`
-+ type clvmd_tmpfs_t;
-+ ')
-+
-+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete lvm temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_delete_clvmd_tmpfs_files',`
-+ gen_require(`
-+ type clvmd_tmpfs_t;
-+ ')
-+
-+ allow $1 clvmd_tmpfs_t:file unlink;
-+')
-+
-+########################################
-+##
-+## Send lvm a null signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_signull',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+
-+ allow $1 lvm_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send a message to lvm over the
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_dgram_send',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+
-+ allow $1 lvm_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
-+## Read and write a lvm unnamed pipe.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_rw_pipes',`
-+ gen_require(`
-+ type lvm_var_run_t;
-+ ')
-+
-+ allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to access check cert dirs/files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`lvm_dontaudit_access_check_lock',`
-+ gen_require(`
-+ type lvm_lock_t;
-+ ')
-+
-+ dontaudit $1 lvm_lock_t:dir audit_access;
-+')
-+
-+########################################
-+##
-+## Dontaudit read and write to lvm_lock_t dir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_dontaudit_rw_lock_dir',`
-+ gen_require(`
-+ type lvm_lock_t;
-+ ')
-+
-+ dontaudit $1 lvm_lock_t:dir rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Read the process state (/proc/pid) of lvm.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_read_state',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+
-+ ps_process_pattern($1, lvm_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## lvm lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_manage_lock',`
-+ gen_require(`
-+ type lvm_lock_t;
-+ ')
-+
-+ files_lock_filetrans($1, lvm_lock_t, dir, "lvm")
-+
-+ files_search_locks($1)
-+ manage_files_pattern($1, lvm_lock_t, lvm_lock_t)
-+ manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
-+
-+')
-+
-+
-+
-diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c410..d404d6528 100644
---- a/policy/modules/system/lvm.te
-+++ b/policy/modules/system/lvm.te
-@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
- type clvmd_initrc_exec_t;
- init_script_file(clvmd_initrc_exec_t)
-
-+type clvmd_tmpfs_t alias clmvd_tmpfs_t;
-+files_tmpfs_file(clvmd_tmpfs_t)
-+
- type clvmd_var_run_t;
- files_pid_file(clvmd_var_run_t)
-
-@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t)
- role system_r types lvm_t;
-
- type lvm_etc_t;
--files_type(lvm_etc_t)
-+files_config_file(lvm_etc_t)
-
- type lvm_lock_t;
- files_lock_file(lvm_lock_t)
-@@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t)
- type lvm_tmp_t;
- files_tmp_file(lvm_tmp_t)
-
-+type lvm_unit_file_t;
-+systemd_unit_file(lvm_unit_file_t)
-+
- ########################################
- #
- # Cluster LVM daemon local policy
-@@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t)
- allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
- dontaudit clvmd_t self:capability sys_tty_config;
- allow clvmd_t self:process { signal_perms setsched };
--dontaudit clvmd_t self:process ptrace;
- allow clvmd_t self:socket create_socket_perms;
- allow clvmd_t self:fifo_file rw_fifo_file_perms;
- allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow clvmd_t self:tcp_socket create_stream_socket_perms;
- allow clvmd_t self:udp_socket create_socket_perms;
-
-+manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
-+manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
-+fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
-+
-+manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
- manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
--files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
-+files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir })
-
- read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
-
-@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
- corecmd_exec_shell(clvmd_t)
- corecmd_getattr_bin_files(clvmd_t)
-
--corenet_all_recvfrom_unlabeled(clvmd_t)
- corenet_all_recvfrom_netlabel(clvmd_t)
- corenet_tcp_sendrecv_generic_if(clvmd_t)
- corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t)
-
- logging_send_syslog_msg(clvmd_t)
-
--miscfiles_read_localization(clvmd_t)
--
--seutil_dontaudit_search_config(clvmd_t)
- seutil_sigchld_newrole(clvmd_t)
- seutil_read_config(clvmd_t)
- seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +147,11 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ aisexec_stream_connect(clvmd_t)
-+ corosync_stream_connect(clvmd_t)
-+')
-+
-+optional_policy(`
- ccs_stream_connect(clvmd_t)
- ')
-
-@@ -165,20 +176,27 @@ optional_policy(`
- # DAC overrides and mknod for modifying /dev entries (vgmknodes)
- # rawio needed for dmraid
- # net_admin for multipath
--allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
-+allow lvm_t self:capability { dac_read_search fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
- dontaudit lvm_t self:capability sys_tty_config;
- allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
- # LVM will complain a lot if it cannot set its priority.
- allow lvm_t self:process setsched;
-+allow lvm_t self:sem create_sem_perms;
- allow lvm_t self:file rw_file_perms;
- allow lvm_t self:fifo_file manage_fifo_file_perms;
- allow lvm_t self:unix_dgram_socket create_socket_perms;
-+allow lvm_t self:socket create_stream_socket_perms;
- allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow lvm_t self:sem create_sem_perms;
-
- allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
-
-+allow lvm_t lvm_unit_file_t:file manage_file_perms;
-+systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)
-+systemd_create_unit_file_dirs(lvm_t)
-+systemd_create_unit_file_lnk(lvm_t)
-+
- manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
- manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
- files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
-@@ -191,10 +209,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
- can_exec(lvm_t, lvm_exec_t)
-
- # Creating lock files
-+manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
- manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
- create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
- files_lock_filetrans(lvm_t, lvm_lock_t, file)
- files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
-+files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid")
-
- manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
- manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,10 +222,13 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
-
- manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
- manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-+manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
- manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
--files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
-+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
-+init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
-
- read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-+allow lvm_t lvm_etc_t:file map;
- read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
- # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
- manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
-@@ -220,6 +243,7 @@ kernel_read_kernel_sysctls(lvm_t)
- # it has no reason to need this
- kernel_dontaudit_getattr_core_if(lvm_t)
- kernel_use_fds(lvm_t)
-+kernel_request_load_module(lvm_t)
- kernel_search_debugfs(lvm_t)
-
- corecmd_exec_bin(lvm_t)
-@@ -230,11 +254,13 @@ dev_delete_generic_dirs(lvm_t)
- dev_read_rand(lvm_t)
- dev_read_urand(lvm_t)
- dev_rw_lvm_control(lvm_t)
-+dev_write_kmsg(lvm_t)
- dev_manage_generic_symlinks(lvm_t)
- dev_relabel_generic_dev_dirs(lvm_t)
- dev_manage_generic_blk_files(lvm_t)
- # Read /sys/block. Device mapper metadata is kept there.
--dev_read_sysfs(lvm_t)
-+# cryptsetup writes read_ahead_kb
-+dev_rw_sysfs(lvm_t)
- # cjp: this has no effect since LVM does not
- # have lnk_file relabelto for anything else.
- # perhaps this should be blk_files?
-@@ -246,6 +272,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
- dev_dontaudit_getattr_generic_blk_files(lvm_t)
- dev_dontaudit_getattr_generic_pipes(lvm_t)
- dev_create_generic_dirs(lvm_t)
-+dev_rw_generic_files(lvm_t)
-
- domain_use_interactive_fds(lvm_t)
- domain_read_all_domains_state(lvm_t)
-@@ -255,17 +282,21 @@ files_read_etc_files(lvm_t)
- files_read_etc_runtime_files(lvm_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(lvm_t)
-+fs_rw_inherited_tmpfs_files(lvm_t)
-
--fs_getattr_xattr_fs(lvm_t)
-+fs_getattr_all_fs(lvm_t)
- fs_search_auto_mountpoints(lvm_t)
- fs_list_tmpfs(lvm_t)
- fs_read_tmpfs_symlinks(lvm_t)
- fs_dontaudit_read_removable_files(lvm_t)
- fs_dontaudit_getattr_tmpfs_files(lvm_t)
- fs_rw_anon_inodefs_files(lvm_t)
-+fs_list_auto_mountpoints(lvm_t)
-+fs_list_hugetlbfs(lvm_t)
-
- mls_file_read_all_levels(lvm_t)
- mls_file_write_to_clearance(lvm_t)
-+mls_file_upgrade(lvm_t)
-
- selinux_get_fs_mount(lvm_t)
- selinux_validate_context(lvm_t)
-@@ -285,7 +316,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
- # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
- storage_manage_fixed_disk(lvm_t)
-
--term_use_all_terms(lvm_t)
-+term_use_all_inherited_terms(lvm_t)
-
- init_use_fds(lvm_t)
- init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +324,23 @@ init_use_script_ptys(lvm_t)
- init_read_script_state(lvm_t)
-
- logging_send_syslog_msg(lvm_t)
-+logging_stream_connect_syslog(lvm_t)
-
--miscfiles_read_localization(lvm_t)
-+authlogin_rw_pipes(lvm_t)
-+auth_use_nsswitch(lvm_t)
-
- seutil_read_config(lvm_t)
- seutil_read_file_contexts(lvm_t)
- seutil_search_default_contexts(lvm_t)
- seutil_sigchld_newrole(lvm_t)
-
-+userdom_use_inherited_user_terminals(lvm_t)
- userdom_use_user_terminals(lvm_t)
-+userdom_rw_inherited_user_tmp_pipes(lvm_t)
-+userdom_rw_semaphores(lvm_t)
-+userdom_search_user_home_dirs(lvm_t)
-+
-+usermanage_read_crack_db(lvm_t)
-
- ifdef(`distro_redhat',`
- # this is from the initrd:
-@@ -313,6 +352,11 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ aisexec_stream_connect(lvm_t)
-+ corosync_stream_connect(lvm_t)
-+')
-+
-+optional_policy(`
- bootloader_rw_tmp_files(lvm_t)
- ')
-
-@@ -321,6 +365,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ container_rw_sem(lvm_t)
-+')
-+
-+optional_policy(`
- gpm_dontaudit_getattr_gpmctl(lvm_t)
- ')
-
-@@ -333,14 +381,30 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ livecd_rw_semaphores(lvm_t)
-+')
-+
-+optional_policy(`
- modutils_domtrans_insmod(lvm_t)
- ')
-
- optional_policy(`
-+ raid_read_mdadm_pid(lvm_t)
-+')
-+
-+optional_policy(`
- rpm_manage_script_tmp_files(lvm_t)
- ')
-
- optional_policy(`
-+ policykit_dbus_chat(lvm_t)
-+')
-+
-+optional_policy(`
-+ systemd_manage_passwd_run(lvm_t)
-+')
-+
-+optional_policy(`
- udev_read_db(lvm_t)
- udev_read_pid_files(lvm_t)
- ')
-diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01e3..6aa1ea05a 100644
---- a/policy/modules/system/miscfiles.fc
-+++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,16 @@ ifdef(`distro_gentoo',`
- # /etc
- #
- /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
--/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
--/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-+/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)
-+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
- /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/etc/(letsencrypt|certbot)/(live|archive)(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/etc/ipa/nssdb(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
-+/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0)
-
- ifdef(`distro_redhat',`
- /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,24 +42,20 @@ ifdef(`distro_redhat',`
-
- /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
--/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
--/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
--
--/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
--
- /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
- /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
--/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
- /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
--/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
--/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
--
-+/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-+/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
-+/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
-
- /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-
-@@ -77,7 +78,7 @@ ifdef(`distro_redhat',`
-
- /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
- /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
--/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
-+
-
- /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-
-@@ -89,7 +90,10 @@ ifdef(`distro_debian',`
- /var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
- ')
-
-+/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+
- ifdef(`distro_redhat',`
-+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- ')
-diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc31b..73fc71dbc 100644
---- a/policy/modules/system/miscfiles.if
-+++ b/policy/modules/system/miscfiles.if
-@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
-
- ########################################
- ##
-+## Read all SSL certificates.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`miscfiles_manage_all_certs',`
-+ gen_require(`
-+ attribute cert_type;
-+ ')
-+
-+ allow $1 cert_type:dir list_dir_perms;
-+ manage_files_pattern($1, cert_type, cert_type)
-+ manage_lnk_files_pattern($1, cert_type, cert_type)
-+')
-+
-+########################################
-+##
- ## Read generic SSL certificates.
- ##
- ##
-@@ -88,6 +109,25 @@ interface(`miscfiles_read_generic_certs',`
-
- ########################################
- ##
-+## mmap generic SSL certificates.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`miscfiles_map_generic_certs',`
-+ gen_require(`
-+ type cert_t;
-+ ')
-+
-+ allow $1 cert_t:file map;
-+')
-+
-+########################################
-+##
- ## Manage generic SSL certificates.
- ##
- ##
-@@ -106,6 +146,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
-
- ########################################
- ##
-+## Dontaudit attempts to write generic SSL certificates.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_dontaudit_write_generic_cert_files',`
-+ gen_require(`
-+ type cert_t;
-+ ')
-+
-+ dontaudit $1 cert_t:file write;
-+')
-+
-+########################################
-+##
- ## Manage generic SSL certificates.
- ##
- ##
-@@ -121,7 +179,7 @@ interface(`miscfiles_manage_generic_cert_files',`
- ')
-
- manage_files_pattern($1, cert_t, cert_t)
-- read_lnk_files_pattern($1, cert_t, cert_t)
-+ manage_lnk_files_pattern($1, cert_t, cert_t)
- ')
-
- ########################################
-@@ -156,6 +214,26 @@ interface(`miscfiles_manage_cert_dirs',`
-
- ########################################
- ##
-+## Do not audit attempts to access check cert dirs/files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`miscfiles_dontaudit_access_check_cert',`
-+ gen_require(`
-+ type cert_t;
-+ ')
-+
-+ dontaudit $1 cert_t:file audit_access;
-+ dontaudit $1 cert_t:dir audit_access;
-+')
-+
-+
-+########################################
-+##
- ## Manage SSL certificates.
- ##
- ##
-@@ -191,11 +269,13 @@ interface(`miscfiles_read_fonts',`
-
- allow $1 fonts_t:dir list_dir_perms;
- read_files_pattern($1, fonts_t, fonts_t)
-+ allow $1 fonts_t:file map;
- read_lnk_files_pattern($1, fonts_t, fonts_t)
-
- allow $1 fonts_cache_t:dir list_dir_perms;
- read_files_pattern($1, fonts_cache_t, fonts_cache_t)
- read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
-+ allow $1 fonts_cache_t:file map;
- ')
-
- ########################################
-@@ -414,6 +494,7 @@ interface(`miscfiles_read_localization',`
- allow $1 locale_t:dir list_dir_perms;
- read_files_pattern($1, locale_t, locale_t)
- read_lnk_files_pattern($1, locale_t, locale_t)
-+ allow $1 locale_t:file map;
- ')
-
- ########################################
-@@ -434,6 +515,7 @@ interface(`miscfiles_rw_localization',`
- files_search_usr($1)
- allow $1 locale_t:dir list_dir_perms;
- rw_files_pattern($1, locale_t, locale_t)
-+ manage_lnk_files_pattern($1, locale_t, locale_t)
- ')
-
- ########################################
-@@ -453,6 +535,7 @@ interface(`miscfiles_relabel_localization',`
-
- files_search_usr($1)
- relabel_files_pattern($1, locale_t, locale_t)
-+ relabel_lnk_files_pattern($1, locale_t, locale_t)
- ')
-
- ########################################
-@@ -470,7 +553,6 @@ interface(`miscfiles_legacy_read_localization',`
- type locale_t;
- ')
-
-- miscfiles_read_localization($1)
- allow $1 locale_t:file execute;
- ')
-
-@@ -531,6 +613,10 @@ interface(`miscfiles_read_man_pages',`
- allow $1 { man_cache_t man_t }:dir list_dir_perms;
- read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
- read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
-+
-+ optional_policy(`
-+ mandb_read_cache_files($1)
-+ ')
- ')
-
- ########################################
-@@ -554,6 +640,29 @@ interface(`miscfiles_delete_man_pages',`
- delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
- delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
- delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
-+ optional_policy(`
-+ mandb_setattr_cache_dirs($1)
-+ mandb_delete_cache($1)
-+ ')
-+')
-+#######################################
-+##
-+## Create, read, write, and delete man pages
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_setattr_man_pages',`
-+ gen_require(`
-+ type man_t;
-+ ')
-+
-+ files_search_usr($1)
-+
-+ allow $1 man_t:dir setattr;
- ')
-
- ########################################
-@@ -622,6 +731,30 @@ interface(`miscfiles_manage_man_cache',`
-
- ########################################
- ##
-+## Allow process to relabel man_pages info
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_relabel_man_pages',`
-+ gen_require(`
-+ type man_t;
-+ ')
-+
-+ files_search_usr($1)
-+ relabel_dirs_pattern($1, man_t, man_t)
-+ relabel_files_pattern($1, man_t, man_t)
-+
-+ optional_policy(`
-+ mandb_relabel_cache($1)
-+ ')
-+')
-+
-+########################################
-+##
- ## Read public files used for file
- ## transfer services.
- ##
-@@ -784,8 +917,11 @@ interface(`miscfiles_etc_filetrans_localization',`
- type locale_t;
- ')
-
-- files_etc_filetrans($1, locale_t, file)
--
-+ files_etc_filetrans($1, locale_t, { file lnk_file })
-+ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
-+ files_etc_filetrans($1, locale_t, file, "locale.conf" )
-+ files_etc_filetrans($1, locale_t, file, "timezone" )
-+ files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
- ')
-
- ########################################
-@@ -809,3 +945,81 @@ interface(`miscfiles_manage_localization',`
- manage_lnk_files_pattern($1, locale_t, locale_t)
- ')
-
-+########################################
-+##
-+## Transition to miscfiles locale named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_filetrans_locale_named_content',`
-+ gen_require(`
-+ type locale_t;
-+ ')
-+
-+ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf")
-+ files_etc_filetrans($1, locale_t, file, "vconsole.conf")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
-+ files_etc_filetrans($1, locale_t, file, "timezone")
-+ files_etc_filetrans($1, locale_t, file, "clock")
-+ files_usr_filetrans($1, locale_t, dir, "locale")
-+ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
-+')
-+
-+########################################
-+##
-+## Transition to miscfiles named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_filetrans_named_content',`
-+ gen_require(`
-+ type man_t;
-+ type cert_t;
-+ type fonts_t;
-+ type fonts_cache_t;
-+ type hwdata_t;
-+ type tetex_data_t;
-+ type public_content_t;
-+ ')
-+
-+ miscfiles_filetrans_locale_named_content($1)
-+ files_var_filetrans($1, man_t, dir, "man")
-+ files_etc_filetrans($1, cert_t, dir, "pki")
-+ files_usr_filetrans($1, cert_t, dir, "certs")
-+ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
-+ files_usr_filetrans($1, fonts_t, dir, "fonts")
-+ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
-+ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
-+ files_var_filetrans($1, tetex_data_t, dir, "fonts")
-+ files_spool_filetrans($1, tetex_data_t, dir, "texmf")
-+ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
-+ files_var_filetrans($1, public_content_t, dir, "ftp")
-+')
-+
-+
-+########################################
-+##
-+## Transition to miscfiles named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_filetrans_named_content_letsencrypt',`
-+ gen_require(`
-+ type cert_t;
-+ ')
-+
-+ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
-+')
-diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index 1361961d0..be6b7fc80 100644
---- a/policy/modules/system/miscfiles.te
-+++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.11.0)
- #
- # Declarations
- #
--
- attribute cert_type;
-
- #
-@@ -48,10 +47,10 @@ files_type(man_cache_t)
- # Types for public content
- #
- type public_content_t; #, customizable;
--files_type(public_content_t)
-+files_mountpoint(public_content_t)
-
- type public_content_rw_t; #, customizable;
--files_type(public_content_rw_t)
-+files_mountpoint(public_content_rw_t)
-
- #
- # Base type for the tests directory.
-diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 993367709..7875b79fa 100644
---- a/policy/modules/system/modutils.fc
-+++ b/policy/modules/system/modutils.fc
-@@ -10,8 +10,6 @@ ifdef(`distro_gentoo',`
- /etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
- ')
-
--/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
--
- /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-
- /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
-@@ -23,3 +21,15 @@ ifdef(`distro_gentoo',`
- /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-
- /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+
-+/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
-+/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+
-+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-+
-+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
-diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974f6..b79290062 100644
---- a/policy/modules/system/modutils.if
-+++ b/policy/modules/system/modutils.if
-@@ -12,11 +12,28 @@
- #
- interface(`modutils_getattr_module_deps',`
- gen_require(`
-- type modules_dep_t;
-+ type modules_dep_t, modules_object_t;
- ')
-
- getattr_files_pattern($1, modules_object_t, modules_dep_t)
- ')
-+########################################
-+##
-+## Read the dependencies of kernel modules.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modutils_read_module_deps_files',`
-+ gen_require(`
-+ type modules_dep_t;
-+ ')
-+
-+ allow $1 modules_dep_t:file read_file_perms;
-+')
-
- ########################################
- ##
-@@ -34,11 +51,50 @@ interface(`modutils_read_module_deps',`
- ')
-
- files_list_kernel_modules($1)
-+ files_read_kernel_modules($1)
- allow $1 modules_dep_t:file read_file_perms;
- ')
-
- ########################################
- ##
-+## Read the dependencies of kernel modules.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modutils_delete_module_deps',`
-+ gen_require(`
-+ type modules_dep_t;
-+ ')
-+
-+ delete_files_pattern($1, modules_dep_t, modules_dep_t)
-+')
-+
-+########################################
-+##
-+## list the configuration options used when
-+## loading modules.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`modutils_list_module_config',`
-+ gen_require(`
-+ type modules_conf_t;
-+ ')
-+
-+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
-+')
-+
-+########################################
-+##
- ## Read the configuration options used when
- ## loading modules.
- ##
-@@ -163,6 +219,24 @@ interface(`modutils_domtrans_insmod',`
-
- ########################################
- ##
-+## Allow send signal to insmod.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`modutils_signal_insmod',`
-+ gen_require(`
-+ type insmod_t;
-+ ')
-+
-+ allow $1 insmod_t:process signal;
-+')
-+
-+########################################
-+##
- ## Execute insmod in the insmod domain, and
- ## allow the specified role the insmod domain,
- ## and use the caller's terminal. Has a sigchld
-@@ -208,6 +282,24 @@ interface(`modutils_exec_insmod',`
- can_exec($1, insmod_exec_t)
- ')
-
-+#######################################
-+##
-+## Don't audit execute insmod in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modutils_dontaudit_exec_insmod',`
-+ gen_require(`
-+ type insmod_exec_t;
-+ ')
-+
-+ dontaudit $1 insmod_exec_t:file exec_file_perms;
-+')
-+
- ########################################
- ##
- ## Execute depmod in the depmod domain.
-@@ -308,11 +400,18 @@ interface(`modutils_domtrans_update_mods',`
- #
- interface(`modutils_run_update_mods',`
- gen_require(`
-- attribute_role update_modules_roles;
-+ #attribute_role update_modules_roles;
-+ type update_modules_t;
- ')
-
-+ #modutils_domtrans_update_mods($1)
-+ #roleattribute $2 update_modules_roles;
-+
- modutils_domtrans_update_mods($1)
-- roleattribute $2 update_modules_roles;
-+ role $2 types update_modules_t;
-+
-+ modutils_run_insmod(update_modules_t, $2)
-+
- ')
-
- ########################################
-@@ -333,3 +432,39 @@ interface(`modutils_exec_update_mods',`
- corecmd_search_bin($1)
- can_exec($1, update_modules_exec_t)
- ')
-+
-+########################################
-+##
-+## Transition to modutils named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modules_filetrans_named_content',`
-+ gen_require(`
-+ type modules_dep_t;
-+ type modules_conf_t;
-+ ')
-+
-+ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
-+ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
-+
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
-+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
-+')
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8b2..69463d732 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
- # Declarations
- #
-
--attribute_role update_modules_roles;
-+#attribute_role update_modules_roles;
-
- type depmod_t;
- type depmod_exec_t;
-@@ -16,11 +16,15 @@ type insmod_t;
- type insmod_exec_t;
- application_domain(insmod_t, insmod_exec_t)
- mls_file_write_all_levels(insmod_t)
-+mls_process_write_down(insmod_t)
- role system_r types insmod_t;
-
-+type insmod_var_run_t;
-+files_pid_file(insmod_var_run_t)
-+
- # module loading config
- type modules_conf_t;
--files_type(modules_conf_t)
-+files_config_file(modules_conf_t)
-
- # module dependencies
- type modules_dep_t;
-@@ -29,12 +33,16 @@ files_type(modules_dep_t)
- type update_modules_t;
- type update_modules_exec_t;
- init_system_domain(update_modules_t, update_modules_exec_t)
--roleattribute system_r update_modules_roles;
--role update_modules_roles types update_modules_t;
-+#roleattribute system_r update_modules_roles;
-+#role update_modules_roles types update_modules_t;
-+role system_r types update_modules_t;
-
- type update_modules_tmp_t;
- files_tmp_file(update_modules_tmp_t)
-
-+type insmod_tmpfs_t;
-+files_tmpfs_file(insmod_tmpfs_t)
-+
- ########################################
- #
- # depmod local policy
-@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t)
-
- domain_use_interactive_fds(depmod_t)
-
-+files_delete_kernel_modules(depmod_t)
- files_read_kernel_symbol_table(depmod_t)
- files_read_kernel_modules(depmod_t)
- files_read_etc_runtime_files(depmod_t)
- files_read_etc_files(depmod_t)
- files_read_usr_src_files(depmod_t)
- files_list_usr(depmod_t)
-+files_append_var_files(depmod_t)
-+files_read_boot_files(depmod_t)
-
- fs_getattr_xattr_fs(depmod_t)
-
-@@ -69,10 +80,12 @@ init_use_fds(depmod_t)
- init_use_script_fds(depmod_t)
- init_use_script_ptys(depmod_t)
-
--userdom_use_user_terminals(depmod_t)
-+userdom_use_inherited_user_terminals(depmod_t)
- # Read System.map from home directories.
- files_list_home(depmod_t)
- userdom_read_user_home_content_files(depmod_t)
-+userdom_manage_user_tmp_files(depmod_t)
-+userdom_home_reader(depmod_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(depmod_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(depmod_t)
-+optional_policy(`
-+ bootloader_rw_tmp_files(insmod_t)
- ')
-
- optional_policy(`
-@@ -94,7 +103,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- # Read System.map from home directories.
- unconfined_domain(depmod_t)
- ')
-
-@@ -103,11 +111,12 @@ optional_policy(`
- # insmod local policy
- #
-
--allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
-+allow insmod_t self:capability { dac_read_search mknod net_raw sys_nice sys_tty_config };
- allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
-
- allow insmod_t self:udp_socket create_socket_perms;
- allow insmod_t self:rawip_socket create_socket_perms;
-+allow insmod_t self:shm create_shm_perms;
-
- # Read module config and dependency information
- list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -115,20 +124,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
- list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
- read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
-
-+manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
-+manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
-+files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })
-+
- can_exec(insmod_t, insmod_exec_t)
-
-+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
-+fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
-+
- kernel_load_module(insmod_t)
--kernel_request_load_module(insmod_t)
-+files_manage_kernel_modules(insmod_t)
-+files_map_kernel_modules(insmod_t)
- kernel_read_system_state(insmod_t)
- kernel_read_network_state(insmod_t)
- kernel_write_proc_files(insmod_t)
- kernel_mount_debugfs(insmod_t)
- kernel_mount_kvmfs(insmod_t)
- kernel_read_debugfs(insmod_t)
-+kernel_request_load_module(insmod_t)
- # Rules for /proc/sys/kernel/tainted
- kernel_read_kernel_sysctls(insmod_t)
- kernel_rw_kernel_sysctl(insmod_t)
--kernel_read_hotplug_sysctls(insmod_t)
-+kernel_read_usermodehelper_state(insmod_t)
- kernel_setsched(insmod_t)
-
- corecmd_exec_bin(insmod_t)
-@@ -142,40 +160,55 @@ dev_rw_agp(insmod_t)
- dev_read_sound(insmod_t)
- dev_write_sound(insmod_t)
- dev_rw_apm_bios(insmod_t)
-+dev_create_generic_chr_files(insmod_t)
-
- domain_signal_all_domains(insmod_t)
- domain_use_interactive_fds(insmod_t)
-
- files_read_kernel_modules(insmod_t)
-+files_load_kernel_modules(insmod_t)
- files_read_etc_runtime_files(insmod_t)
- files_read_etc_files(insmod_t)
- files_read_usr_files(insmod_t)
- files_exec_etc_files(insmod_t)
-+# users installing vbox put kernel modules in /var/lib
-+files_read_var_lib_files(insmod_t)
-+files_read_kernel_symbol_table(insmod_t)
- # for nscd:
- files_dontaudit_search_pids(insmod_t)
- # for when /var is not mounted early in the boot:
- files_dontaudit_search_isid_type_dirs(insmod_t)
- # for locking: (cjp: ????)
- files_write_kernel_modules(insmod_t)
-+allow insmod_t modules_dep_t:file manage_file_perms;
-
- fs_getattr_xattr_fs(insmod_t)
- fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
-+fs_mount_rpc_pipefs(insmod_t)
-+fs_search_rpc(insmod_t)
-+
-+auth_use_nsswitch(insmod_t)
-
- init_rw_initctl(insmod_t)
- init_use_fds(insmod_t)
- init_use_script_fds(insmod_t)
- init_use_script_ptys(insmod_t)
-+init_spec_domtrans_script(insmod_t)
-+init_rw_script_tmp_files(insmod_t)
-+init_dontaudit_getattr_stream_socket(insmod_t)
-
- logging_send_syslog_msg(insmod_t)
- logging_search_logs(insmod_t)
-
--miscfiles_read_localization(insmod_t)
--
- seutil_read_file_contexts(insmod_t)
-
--userdom_use_user_terminals(insmod_t)
--
-+term_use_all_inherited_terms(insmod_t)
- userdom_dontaudit_search_user_home_dirs(insmod_t)
-+# needed by depmod in MLS
-+userdom_manage_user_tmp_files(insmod_t)
-+userdom_manage_user_tmp_pipes(insmod_t)
-+userdom_manage_user_tmp_symlinks(insmod_t)
-+userdom_manage_user_tmp_dirs(insmod_t)
-
- kernel_domtrans_to(insmod_t, insmod_exec_t)
-
-@@ -184,28 +217,33 @@ optional_policy(`
- ')
-
- optional_policy(`
-- firstboot_dontaudit_rw_pipes(insmod_t)
-- firstboot_dontaudit_rw_stream_sockets(insmod_t)
-+ devicekit_use_fds_disk(insmod_t)
-+ devicekit_dontaudit_read_pid_files(insmod_t)
- ')
-
- optional_policy(`
-- hal_write_log(insmod_t)
-+ firstboot_dontaudit_leaks(insmod_t)
- ')
-
- optional_policy(`
-- hotplug_search_config(insmod_t)
-+ firewalld_dontaudit_write_tmp_files(insmod_t)
-+ firewallgui_dontaudit_rw_pipes(insmod_t)
- ')
-
- optional_policy(`
-- mount_domtrans(insmod_t)
-+ hal_write_log(insmod_t)
-+')
-+
-+optional_policy(`
-+ hotplug_search_config(insmod_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(insmod_t)
-+ kdump_manage_kdumpctl_tmp_files(insmod_t)
- ')
-
- optional_policy(`
-- nscd_use(insmod_t)
-+ mount_domtrans(insmod_t)
- ')
-
- optional_policy(`
-@@ -225,6 +263,7 @@ optional_policy(`
-
- optional_policy(`
- rpm_rw_pipes(insmod_t)
-+ rpm_manage_script_tmp_files(insmod_t)
- ')
-
- optional_policy(`
-@@ -233,6 +272,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ virt_dontaudit_write_pipes(insmod_t)
-+')
-+
-+optional_policy(`
- # cjp: why is this needed:
- dev_rw_xserver_misc(insmod_t)
-
-@@ -291,11 +334,10 @@ init_use_script_ptys(update_modules_t)
-
- logging_send_syslog_msg(update_modules_t)
-
--miscfiles_read_localization(update_modules_t)
-
--modutils_run_insmod(update_modules_t, update_modules_roles)
-+#modutils_run_insmod(update_modules_t, update_modules_roles)
-
--userdom_use_user_terminals(update_modules_t)
-+userdom_use_inherited_user_terminals(update_modules_t)
- userdom_dontaudit_search_user_home_dirs(update_modules_t)
-
- ifdef(`distro_gentoo',`
-diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index a38605e50..f035d9fbb 100644
---- a/policy/modules/system/mount.fc
-+++ b/policy/modules/system/mount.fc
-@@ -1,6 +1,26 @@
-+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
- /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
- /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
--/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-
--/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+
-+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
-+/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+
-+/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
-+
-+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+
-+/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-+/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457b1..8f676d0c8 100644
---- a/policy/modules/system/mount.if
-+++ b/policy/modules/system/mount.if
-@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
- ')
-
- domtrans_pattern($1, mount_exec_t, mount_t)
-+ mount_domtrans_fusermount($1)
-+
-+ allow $1 mount_t:fd use;
-+ ps_process_pattern(mount_t, $1)
-+
-+ allow mount_t $1:key write;
-+ allow mount_t $1:unix_stream_socket { read write };
- ')
-
- ########################################
-@@ -39,6 +46,7 @@ interface(`mount_domtrans',`
- interface(`mount_run',`
- gen_require(`
- attribute_role mount_roles;
-+ type mount_t;
- ')
-
- mount_domtrans($1)
-@@ -47,6 +55,110 @@ interface(`mount_run',`
-
- ########################################
- ##
-+## Execute fusermount in the mount domain, and
-+## allow the specified role the mount domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the mount domain.
-+##
-+##
-+##
-+#
-+interface(`mount_run_fusermount',`
-+ gen_require(`
-+ type mount_t;
-+ ')
-+
-+ mount_domtrans_fusermount($1)
-+ role $2 types mount_t;
-+
-+ fstools_run(mount_t, $2)
-+')
-+
-+########################################
-+##
-+## Read mount PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mount_read_pid_files',`
-+ gen_require(`
-+ type mount_var_run_t;
-+ ')
-+
-+ read_files_pattern($1, mount_var_run_t, mount_var_run_t)
-+ files_search_pids($1)
-+')
-+
-+########################################
-+##
-+## Read/write mount PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mount_rw_pid_files',`
-+ gen_require(`
-+ type mount_var_run_t;
-+ ')
-+
-+ rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
-+ files_search_pids($1)
-+')
-+
-+#######################################
-+##
-+## Do not audit attemps to write mount PID files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`mount_dontaudit_write_mount_pid',`
-+ gen_require(`
-+ type mount_var_run_t;
-+ ')
-+
-+ dontaudit $1 mount_var_run_t:file write;
-+')
-+
-+########################################
-+##
-+## Manage mount PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mount_manage_pid_files',`
-+ gen_require(`
-+ type mount_var_run_t;
-+ ')
-+
-+ allow $1 mount_var_run_t:file manage_file_perms;
-+ files_search_pids($1)
-+')
-+
-+########################################
-+##
- ## Execute mount in the caller domain.
- ##
- ##
-@@ -91,7 +203,7 @@ interface(`mount_signal',`
- ##
- ##
- ##
--## The type of the process performing this action.
-+## Domain allowed access.
- ##
- ##
- #
-@@ -131,45 +243,205 @@ interface(`mount_send_nfs_client_request',`
-
- ########################################
- ##
--## Execute mount in the unconfined mount domain.
-+## Read the mount tmp directory
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`mount_domtrans_unconfined',`
-+interface(`mount_list_tmp',`
- gen_require(`
-- type unconfined_mount_t, mount_exec_t;
-+ type mount_tmp_t;
- ')
-
-- domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
-+ allow $1 mount_tmp_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Execute mount in the unconfined mount domain, and
--## allow the specified role the unconfined mount domain,
--## and use the caller's terminal.
-+## Execute fusermount in the mount domain.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`mount_domtrans_fusermount',`
-+ gen_require(`
-+ type mount_t, fusermount_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, fusermount_exec_t, mount_t)
-+ ps_process_pattern(mount_t, $1)
-+
-+ allow mount_t $1:unix_stream_socket { read write };
-+ allow $1 mount_t:fd use;
-+')
-+
-+########################################
-+##
-+## Execute fusermount.
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mount_exec_fusermount',`
-+ gen_require(`
-+ type fusermount_exec_t;
-+ ')
-+
-+ can_exec($1, fusermount_exec_t)
-+')
-+
-+########################################
-+##
-+## dontaudit Execute fusermount.
-+##
-+##
-+##
-+## Domain to not audit.
- ##
- ##
-+#
-+interface(`mount_dontaudit_exec_fusermount',`
-+ gen_require(`
-+ type fusermount_exec_t;
-+ ')
-+
-+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
-+')
-+
-+######################################
-+##
-+## Execute a domain transition to run showmount.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mount_domtrans_showmount',`
-+ gen_require(`
-+ type showmount_t, showmount_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, showmount_exec_t, showmount_t)
-+')
-+
-+######################################
-+##
-+## Execute showmount in the showmount domain, and
-+## allow the specified role the showmount domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the showmount domain.
-+##
-+##
-+#
-+interface(`mount_run_showmount',`
-+ gen_require(`
-+ type showmount_t;
-+ ')
-+
-+ mount_domtrans_showmount($1)
-+ role $2 types showmount_t;
-+')
-+
-+#######################################
-+##
-+## Transition to ecryptmount.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mount_domtrans_ecryptmount',`
-+ gen_require(`
-+ type mount_ecryptfs_t, mount_ecryptfs_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
-+')
-+
-+#######################################
-+##
-+## Execute mount in the unconfined mount domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mount_domtrans_unconfined',`
-+ gen_require(`
-+ type unconfined_mount_t, mount_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
-+')
-+
-+#######################################
-+##
-+## Execute mount in the unconfined mount domain, and
-+## allow the specified role the unconfined mount domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
- ##
- #
- interface(`mount_run_unconfined',`
-+ gen_require(`
-+ type unconfined_mount_t;
-+ ')
-+
-+ mount_domtrans_unconfined($1)
-+ role $2 types unconfined_mount_t;
-+')
-+
-+########################################
-+##
-+## Allow mount programs to be an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which mount programs is an entrypoint.
-+##
-+##
-+#
-+interface(`mount_entry_type',`
- gen_require(`
-- type unconfined_mount_t;
-+ type mount_ecryptfs_exec_t;
-+ type mount_exec_t;
- ')
-
-- mount_domtrans_unconfined($1)
-- role $2 types unconfined_mount_t;
-+ domain_entry_file($1, mount_ecryptfs_exec_t)
-+ domain_entry_file($1, mount_exec_t)
- ')
-+
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 459a0efbc..816066d07 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
- # Declarations
- #
-
--##
--##
--## Allow the mount command to mount any directory or file.
--##
--##
--gen_tunable(allow_mount_anyfile, false)
--
- attribute_role mount_roles;
- roleattribute system_r mount_roles;
-
-@@ -20,14 +13,37 @@ type mount_exec_t;
- init_system_domain(mount_t, mount_exec_t)
- role mount_roles types mount_t;
-
-+type fusermount_exec_t;
-+domain_entry_file(mount_t, fusermount_exec_t)
-+
-+typealias mount_t alias mount_ntfs_t;
-+typealias mount_exec_t alias mount_ntfs_exec_t;
-+
- type mount_loopback_t; # customizable
- files_type(mount_loopback_t)
-+typealias mount_loopback_t alias mount_loop_t;
-
- type mount_tmp_t;
- files_tmp_file(mount_tmp_t)
-
- type mount_var_run_t;
- files_pid_file(mount_var_run_t)
-+dev_associate(mount_var_run_t)
-+
-+# showmount - show mount information for an NFS server
-+
-+type showmount_t;
-+type showmount_exec_t;
-+application_domain(showmount_t, showmount_exec_t)
-+role system_r types showmount_t;
-+
-+type mount_ecryptfs_t;
-+type mount_ecryptfs_exec_t;
-+application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
-+role system_r types mount_ecryptfs_t;
-+
-+type mount_ecryptfs_tmpfs_t;
-+files_tmpfs_file(mount_ecryptfs_tmpfs_t)
-
- # causes problems with interfaces when
- # this is optionally declared in monolithic
-@@ -40,8 +56,12 @@ application_domain(unconfined_mount_t, mount_exec_t)
- # mount local policy
- #
-
--# setuid/setgid needed to mount cifs
--allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+# setuid/setgid needed to mount cifs
-+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_read_search chown sys_tty_config setuid setgid sys_nice };
-+allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
-+allow mount_t self:fifo_file rw_fifo_file_perms;
-+allow mount_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_t self:unix_dgram_socket create_socket_perms;
-
- allow mount_t mount_loopback_t:file read_file_perms;
-
-@@ -52,13 +72,20 @@ can_exec(mount_t, mount_exec_t)
-
- files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
-
--create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
--create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
--rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
- files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
-+dev_filetrans(mount_t, mount_var_run_t, dir)
-
- kernel_read_system_state(mount_t)
-+kernel_read_network_state(mount_t)
- kernel_read_kernel_sysctls(mount_t)
-+kernel_relabelfrom_unlabeled_fs(mount_t)
-+kernel_list_unlabeled(mount_t)
-+kernel_manage_debugfs(mount_t)
-+kernel_mount_unlabeled(mount_t)
-+kernel_unmount_unlabeled(mount_t)
-+kernel_use_fds(mount_t)
- kernel_setsched(mount_t)
- kernel_dontaudit_getattr_core_if(mount_t)
- kernel_dontaudit_write_debugfs_dirs(mount_t)
-@@ -69,31 +96,47 @@ kernel_request_load_module(mount_t)
- # required for mount.smbfs
- corecmd_exec_bin(mount_t)
-
-+dev_getattr_generic_blk_files(mount_t)
- dev_getattr_all_blk_files(mount_t)
- dev_list_all_dev_nodes(mount_t)
-+dev_read_usbfs(mount_t)
-+dev_read_rand(mount_t)
-+dev_read_urand(mount_t)
- dev_read_sysfs(mount_t)
- dev_dontaudit_write_sysfs_dirs(mount_t)
- dev_rw_lvm_control(mount_t)
- dev_dontaudit_getattr_all_chr_files(mount_t)
- dev_dontaudit_getattr_memory_dev(mount_t)
- dev_getattr_sound_dev(mount_t)
-+dev_rw_loop_control(mount_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ dev_rw_generic_blk_files(mount_t)
-+')
-+
- # Early devtmpfs, before udev relabel
- dev_dontaudit_rw_generic_chr_files(mount_t)
-
- domain_use_interactive_fds(mount_t)
-+domain_read_all_domains_state(mount_t)
-
- files_search_all(mount_t)
- files_read_etc_files(mount_t)
-+files_read_etc_runtime_files(mount_t)
- files_manage_etc_runtime_files(mount_t)
- files_etc_filetrans_etc_runtime(mount_t, file)
-+# for when /etc/mtab loses its type
-+files_delete_etc_files(mount_t)
- files_mounton_all_mountpoints(mount_t)
-+files_setattr_all_mountpoints(mount_t)
-+# ntfs-3g checks whether the mountpoint is writable before mounting
-+files_write_all_mountpoints(mount_t)
- files_unmount_rootfs(mount_t)
-+
- # These rules need to be generalized. Only admin, initrc should have it:
--files_relabelto_all_file_type_fs(mount_t)
-+files_relabel_all_file_type_fs(mount_t)
- files_mount_all_file_type_fs(mount_t)
- files_unmount_all_file_type_fs(mount_t)
--# for when /etc/mtab loses its type
--# cjp: this seems wrong, the type should probably be etc
- files_read_isid_type_files(mount_t)
- # For reading cert files
- files_read_usr_files(mount_t)
-@@ -101,28 +144,39 @@ files_list_all_mountpoints(mount_t)
- files_dontaudit_write_all_mountpoints(mount_t)
- files_dontaudit_setattr_all_mountpoints(mount_t)
-
--fs_getattr_xattr_fs(mount_t)
--fs_getattr_cifs(mount_t)
-+fs_list_all(mount_t)
-+fs_getattr_all_fs(mount_t)
- fs_mount_all_fs(mount_t)
- fs_unmount_all_fs(mount_t)
- fs_remount_all_fs(mount_t)
- fs_relabelfrom_all_fs(mount_t)
--fs_list_auto_mountpoints(mount_t)
-+fs_rw_anon_inodefs_files(mount_t)
- fs_rw_tmpfs_chr_files(mount_t)
-+fs_rw_nfsd_fs(mount_t)
-+fs_rw_removable_blk_files(mount_t)
-+#fs_manage_tmpfs_dirs(mount_t)
- fs_read_tmpfs_symlinks(mount_t)
-+fs_read_fusefs_files(mount_t)
-+fs_manage_nfs_dirs(mount_t)
-+fs_read_nfs_symlinks(mount_t)
-+fs_manage_cgroup_dirs(mount_t)
-+fs_manage_cgroup_files(mount_t)
- fs_dontaudit_write_tmpfs_dirs(mount_t)
-
--mls_file_read_all_levels(mount_t)
--mls_file_write_all_levels(mount_t)
-+mls_file_read_to_clearance(mount_t)
-+mls_file_write_to_clearance(mount_t)
-+mls_process_write_to_clearance(mount_t)
-
- selinux_get_enforce_mode(mount_t)
-+selinux_mounton_fs(mount_t)
-
- storage_raw_read_fixed_disk(mount_t)
- storage_raw_write_fixed_disk(mount_t)
- storage_raw_read_removable_device(mount_t)
- storage_raw_write_removable_device(mount_t)
-+storage_rw_fuse(mount_t)
-
--term_use_all_terms(mount_t)
-+term_use_all_inherited_terms(mount_t)
- term_dontaudit_manage_pty_dirs(mount_t)
-
- auth_use_nsswitch(mount_t)
-@@ -130,16 +184,21 @@ auth_use_nsswitch(mount_t)
- init_use_fds(mount_t)
- init_use_script_ptys(mount_t)
- init_dontaudit_getattr_initctl(mount_t)
-+init_stream_connect_script(mount_t)
-+init_rw_script_stream_sockets(mount_t)
-
- logging_send_syslog_msg(mount_t)
-
--miscfiles_read_localization(mount_t)
--
- sysnet_use_portmap(mount_t)
-
- seutil_read_config(mount_t)
-
-+systemd_passwd_agent_domtrans(mount_t)
-+
- userdom_use_all_users_fds(mount_t)
-+userdom_manage_user_home_content_dirs(mount_t)
-+userdom_read_user_home_content_symlinks(mount_t)
-+userdom_list_user_tmp(mount_t)
-
- ifdef(`distro_redhat',`
- optional_policy(`
-@@ -155,26 +214,27 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`allow_mount_anyfile',`
-- files_list_non_auth_dirs(mount_t)
-- files_read_non_auth_files(mount_t)
-+corecmd_exec_shell(mount_t)
-+
-+tunable_policy(`mount_anyfile',`
-+ files_read_non_security_files(mount_t)
- files_mounton_non_security(mount_t)
-+ files_rw_inherited_non_security_files(mount_t)
- ')
-
- optional_policy(`
- # for nfs
-- corenet_all_recvfrom_unlabeled(mount_t)
- corenet_all_recvfrom_netlabel(mount_t)
-- corenet_tcp_sendrecv_all_if(mount_t)
-- corenet_raw_sendrecv_all_if(mount_t)
-- corenet_udp_sendrecv_all_if(mount_t)
-- corenet_tcp_sendrecv_all_nodes(mount_t)
-- corenet_raw_sendrecv_all_nodes(mount_t)
-- corenet_udp_sendrecv_all_nodes(mount_t)
-+ corenet_tcp_sendrecv_generic_if(mount_t)
-+ corenet_raw_sendrecv_generic_if(mount_t)
-+ corenet_udp_sendrecv_generic_if(mount_t)
-+ corenet_tcp_sendrecv_generic_node(mount_t)
-+ corenet_raw_sendrecv_generic_node(mount_t)
-+ corenet_udp_sendrecv_generic_node(mount_t)
- corenet_tcp_sendrecv_all_ports(mount_t)
- corenet_udp_sendrecv_all_ports(mount_t)
-- corenet_tcp_bind_all_nodes(mount_t)
-- corenet_udp_bind_all_nodes(mount_t)
-+ corenet_tcp_bind_generic_node(mount_t)
-+ corenet_udp_bind_generic_node(mount_t)
- corenet_tcp_bind_generic_port(mount_t)
- corenet_udp_bind_generic_port(mount_t)
- corenet_tcp_bind_reserved_port(mount_t)
-@@ -188,6 +248,9 @@ optional_policy(`
- fs_search_rpc(mount_t)
-
- rpc_stub(mount_t)
-+
-+ rpc_domtrans_rpcd(mount_t)
-+ rpcbind_stream_connect(mount_t)
- ')
-
- optional_policy(`
-@@ -195,6 +258,40 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_system_entry(mount_t, mount_exec_t)
-+')
-+
-+optional_policy(`
-+ devicekit_read_state_power(mount_t)
-+')
-+
-+optional_policy(`
-+ fsadm_manage_pid(mount_t)
-+')
-+
-+optional_policy(`
-+ glusterd_domtrans(mount_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(mount_t)
-+
-+ optional_policy(`
-+ hal_dbus_chat(mount_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ glusterd_domtrans(mount_t)
-+')
-+
-+optional_policy(`
-+ hal_write_log(mount_t)
-+ hal_use_fds(mount_t)
-+ hal_dontaudit_rw_pipes(mount_t)
-+')
-+
-+optional_policy(`
- ifdef(`hide_broken_symptoms',`
- # for a bug in the X server
- rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -203,28 +300,137 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ livecd_rw_tmp_files(mount_t)
-+')
-+
-+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
-+optional_policy(`
-+ lvm_run(mount_t, mount_roles)
-+')
-+
-+optional_policy(`
-+ modutils_run_insmod(mount_t, mount_roles)
- modutils_read_module_deps(mount_t)
- ')
-
- optional_policy(`
-+ fstools_run(mount_t, mount_roles)
-+')
-+
-+optional_policy(`
-+ rhcs_stream_connect_gfs_controld(mount_t)
-+')
-+
-+optional_policy(`
-+ rpc_run_rpcd(mount_t, mount_roles)
-+')
-+
-+optional_policy(`
- puppet_rw_tmp(mount_t)
- ')
-
- # for kernel package installation
- optional_policy(`
- rpm_rw_pipes(mount_t)
-+ rpm_dontaudit_leaks(mount_t)
- ')
-
- optional_policy(`
-+ samba_read_config(mount_t)
- samba_run_smbmount(mount_t, mount_roles)
- ')
-
-+optional_policy(`
-+ ssh_exec(mount_t)
-+ ssh_append_home_files(mount_t)
-+')
-+
-+optional_policy(`
-+ usbmuxd_stream_connect(mount_t)
-+')
-+
-+optional_policy(`
-+ userhelper_exec_consolehelper(mount_t)
-+')
-+
-+optional_policy(`
-+ unconfined_write_keys(mount_t)
-+')
-+
-+optional_policy(`
-+ virt_read_blk_images(mount_t)
-+')
-+
-+optional_policy(`
-+ vmware_exec_host(mount_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(mount_t)
-+')
-+
-+######################################
-+#
-+# showmount local policy
-+#
-+
-+allow showmount_t self:tcp_socket create_stream_socket_perms;
-+allow showmount_t self:udp_socket create_socket_perms;
-+
-+kernel_read_system_state(showmount_t)
-+
-+corenet_all_recvfrom_netlabel(showmount_t)
-+corenet_tcp_sendrecv_generic_if(showmount_t)
-+corenet_udp_sendrecv_generic_if(showmount_t)
-+corenet_tcp_sendrecv_generic_node(showmount_t)
-+corenet_udp_sendrecv_generic_node(showmount_t)
-+corenet_tcp_sendrecv_all_ports(showmount_t)
-+corenet_udp_sendrecv_all_ports(showmount_t)
-+corenet_tcp_bind_generic_node(showmount_t)
-+corenet_udp_bind_generic_node(showmount_t)
-+corenet_tcp_bind_all_rpc_ports(showmount_t)
-+corenet_udp_bind_all_rpc_ports(showmount_t)
-+corenet_tcp_connect_all_ports(showmount_t)
-+
-+files_read_etc_runtime_files(showmount_t)
-+
-+sysnet_dns_name_resolve(showmount_t)
-+
-+userdom_use_inherited_user_terminals(showmount_t)
-+
-+#######################################
-+#
-+# mount_ecryptfs local policy
-+#
-+
-+domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
-+
-+allow mount_ecryptfs_t self:capability setgid;
-+allow mount_ecryptfs_t self:capability { setuid sys_admin };
-+allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
-+allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
-+manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
-+fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
-+userdom_rw_user_tmp_files(mount_ecryptfs_t)
-+
-+domain_use_interactive_fds(mount_ecryptfs_t)
-+
-+files_read_etc_files(mount_ecryptfs_t)
-+
-+fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
-+fs_read_ecryptfs_files(mount_ecryptfs_t)
-+
-+auth_use_nsswitch(mount_ecryptfs_t)
-+auth_manage_pam_console_data(mount_ecryptfs_t)
-+
- ########################################
- #
- # Unconfined mount local policy
- #
-
- optional_policy(`
-- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-- unconfined_domain(unconfined_mount_t)
-+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-+ unconfined_domain(unconfined_mount_t)
- ')
-diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
-index b263a8af5..15576ab83 100644
---- a/policy/modules/system/netlabel.fc
-+++ b/policy/modules/system/netlabel.fc
-@@ -1 +1,6 @@
- /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
-+
-+/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0)
-+
-+/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
-+/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
-diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a3e..d7c67bc40 100644
---- a/policy/modules/system/netlabel.te
-+++ b/policy/modules/system/netlabel.te
-@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
-
- type netlabel_mgmt_t;
- type netlabel_mgmt_exec_t;
-+init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
- application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
- role system_r types netlabel_mgmt_t;
-
-+type netlabel_mgmt_unit_file_t;
-+systemd_unit_file(netlabel_mgmt_unit_file_t)
-+
- ########################################
- #
- # NetLabel Management Tools Local policy
-@@ -18,11 +22,23 @@ role system_r types netlabel_mgmt_t;
- # modify the network subsystem configuration
- allow netlabel_mgmt_t self:capability net_admin;
- allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
-+allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
-+
-+can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
-
- kernel_read_network_state(netlabel_mgmt_t)
-+kernel_read_system_state(netlabel_mgmt_t)
-+
-+corecmd_exec_bin(netlabel_mgmt_t)
-+corecmd_exec_shell(netlabel_mgmt_t)
-
- files_read_etc_files(netlabel_mgmt_t)
-
-+term_use_all_inherited_terms(netlabel_mgmt_t)
-+
- seutil_use_newrole_fds(netlabel_mgmt_t)
-
--userdom_use_user_terminals(netlabel_mgmt_t)
-+auth_read_passwd(netlabel_mgmt_t)
-+
-+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
-+
-diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b194..c5053dbbd 100644
---- a/policy/modules/system/selinuxutil.fc
-+++ b/policy/modules/system/selinuxutil.fc
-@@ -6,13 +6,15 @@
- /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
- /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
- /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
--/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
-+/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
-+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
- /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
--/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
- /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-+/etc/selinux/(minimum|mls|targeted)/active(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
- /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
- /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
--/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0)
-
- #
- # /root
-@@ -35,19 +37,30 @@
- /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
-
- /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
-+/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
- /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
- /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
- /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
--/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
-+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
- /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
- /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
-+/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
-+/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
-+/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
-
- #
- # /var/lib
- #
--/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
-+/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-+/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-+/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-+/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
-
- #
- # /var/run
- #
- /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
-+
-+
-+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 38220721d..abac74231 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
-
- ########################################
- ##
-+## Allow access check on load_policy.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_access_check_load_policy',`
-+ gen_require(`
-+ type load_policy_exec_t;
-+ ')
-+
-+ allow $1 load_policy_exec_t:file execute;
-+')
-+
-+########################################
-+##
-+## Dontaudit access check on load_policy.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_access_check_load_policy',`
-+ gen_require(`
-+ type load_policy_exec_t;
-+ ')
-+
-+ dontaudit $1 load_policy_exec_t:file audit_access;
-+')
-+
-+########################################
-+##
- ## Read the load_policy program file.
- ##
- ##
-@@ -192,11 +228,22 @@ interface(`seutil_domtrans_newrole',`
- #
- interface(`seutil_run_newrole',`
- gen_require(`
-- attribute_role newrole_roles;
-+ type newrole_t;
-+ #attribute_role newrole_roles;
- ')
-
-+ #seutil_domtrans_newrole($1)
-+ #roleattribute $2 newrole_roles;
-+
- seutil_domtrans_newrole($1)
-- roleattribute $2 newrole_roles;
-+ role $2 types newrole_t;
-+
-+ auth_run_upd_passwd(newrole_t, $2)
-+
-+ optional_policy(`
-+ namespace_init_run(newrole_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -359,6 +406,27 @@ interface(`seutil_exec_restorecon',`
-
- ########################################
- ##
-+## Execute restorecond in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_exec_restorecond',`
-+ gen_require(`
-+ type restorecond_exec_t;
-+ ')
-+
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+ can_exec($1, restorecond_exec_t)
-+')
-+
-+########################################
-+##
- ## Execute run_init in the run_init domain.
- ##
- ##
-@@ -425,11 +493,20 @@ interface(`seutil_init_script_domtrans_runinit',`
- #
- interface(`seutil_run_runinit',`
- gen_require(`
-- attribute_role run_init_roles;
-+ #attribute_role run_init_roles;
-+ type run_init_t;
-+ role system_r;
- ')
-
-- seutil_domtrans_runinit($1)
-- roleattribute $2 run_init_roles;
-+ #seutil_domtrans_runinit($1)
-+ #roleattribute $2 run_init_roles;
-+
-+ auth_run_chk_passwd(run_init_t, $2)
-+ seutil_domtrans_runinit($1)
-+ role $2 types run_init_t;
-+
-+ allow $2 system_r;
-+
- ')
-
- ########################################
-@@ -461,11 +538,19 @@ interface(`seutil_run_runinit',`
- #
- interface(`seutil_init_script_run_runinit',`
- gen_require(`
-- attribute_role run_init_roles;
-+ #attribute_role run_init_roles;
-+ type run_init_t;
-+ role system_r;
- ')
-
-- seutil_init_script_domtrans_runinit($1)
-- roleattribute $2 run_init_roles;
-+ #seutil_init_script_domtrans_runinit($1)
-+ #roleattribute $2 run_init_roles;
-+ auth_run_chk_passwd(run_init_t, $2)
-+ seutil_init_script_domtrans_runinit($1)
-+ role $2 types run_init_t;
-+
-+ allow $2 system_r;
-+
- ')
-
- ########################################
-@@ -535,6 +620,53 @@ interface(`seutil_run_setfiles',`
-
- ########################################
- ##
-+## Execute setfiles in the setfiles domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_domtrans_setfiles_mac',`
-+ gen_require(`
-+ type setfiles_mac_t, setfiles_exec_t;
-+ ')
-+
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
-+')
-+
-+########################################
-+##
-+## Execute setfiles in the setfiles_mac domain, and
-+## allow the specified role the setfiles_mac domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the setfiles_mac domain.
-+##
-+##
-+##
-+#
-+interface(`seutil_run_setfiles_mac',`
-+ gen_require(`
-+ type setfiles_mac_t;
-+ ')
-+
-+ seutil_domtrans_setfiles_mac($1)
-+ role $2 types setfiles_mac_t;
-+')
-+
-+########################################
-+##
- ## Execute setfiles in the caller domain.
- ##
- ##
-@@ -555,6 +687,42 @@ interface(`seutil_exec_setfiles',`
-
- ########################################
- ##
-+## Allow access check on setfiles.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_access_check_setfiles',`
-+ gen_require(`
-+ type setfiles_exec_t;
-+ ')
-+
-+ allow $1 setfiles_exec_t:file execute;
-+')
-+
-+########################################
-+##
-+## Dontaudit access check on setfiles.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_access_check_setfiles',`
-+ gen_require(`
-+ type setfiles_exec_t;
-+ ')
-+
-+ dontaudit $1 setfiles_exec_t:file audit_access;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to search the SELinux
- ## configuration directory (/etc/selinux).
- ##
-@@ -574,6 +742,25 @@ interface(`seutil_dontaudit_search_config',`
-
- ########################################
- ##
-+## Allow attempts to search the SELinux
-+## configuration directory (/etc/selinux).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_search_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ ')
-+
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read the SELinux
- ## userland configuration (/etc/selinux).
- ##
-@@ -680,10 +867,115 @@ interface(`seutil_manage_config',`
- ')
-
- files_search_etc($1)
-+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- manage_files_pattern($1, selinux_config_t, selinux_config_t)
- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-
-+######################################
-+##
-+## Create, read, write, and delete
-+## the general selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_manage_config_dirs',`
-+ gen_require(`
-+ type selinux_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the SELinux
-+## login configuration directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_search_login_config',`
-+ gen_require(`
-+ type selinux_login_config_t;
-+ ')
-+
-+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read the SELinux
-+## login configuration.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_read_login_config',`
-+ gen_require(`
-+ type selinux_login_config_t;
-+ ')
-+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
-+ dontaudit $1 selinux_login_config_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Read the SELinux login configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_read_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
-+########################################
-+##
-+## Read and write the SELinux login configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_rw_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
- #######################################
- ##
- ## Create, read, write, and delete
-@@ -694,15 +986,62 @@ interface(`seutil_manage_config',`
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`seutil_manage_config_dirs',`
-+interface(`seutil_rw_login_config_dirs',`
- gen_require(`
- type selinux_config_t;
-+ type selinux_login_config_t;
- ')
-
- files_search_etc($1)
-- allow $1 selinux_config_t:dir manage_dir_perms;
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir rw_dir_perms;
-+')
-+
-+######################################
-+##
-+## Create, read, write, and delete
-+## the general selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_manage_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
-+######################################
-+##
-+## manage the login selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_manage_login_config_files',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
- ')
-
- ########################################
-@@ -746,6 +1085,29 @@ interface(`seutil_read_default_contexts',`
- read_files_pattern($1, default_context_t, default_context_t)
- ')
-
-+#######################################
-+##
-+## Read and write the default_contexts files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_rw_default_contexts',`
-+ gen_require(`
-+ type default_context_t;
-+ type selinux_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir list_dir_perms;
-+ allow $1 default_context_t:dir list_dir_perms;
-+ rw_files_pattern($1, default_context_t, default_context_t)
-+')
-+
- ########################################
- ##
- ## Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1146,10 @@ interface(`seutil_read_file_contexts',`
-
- files_search_etc($1)
- allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
-+ list_dirs_pattern($1, file_context_t, file_context_t)
- read_files_pattern($1, file_context_t, file_context_t)
-+ read_lnk_files_pattern($1, file_context_t, file_context_t)
-+ allow $1 file_context_t:file map;
- ')
-
- ########################################
-@@ -805,6 +1170,7 @@ interface(`seutil_dontaudit_read_file_contexts',`
-
- dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
- dontaudit $1 file_context_t:file read_file_perms;
-+ dontaudit $1 file_context_t:file map;
- ')
-
- ########################################
-@@ -825,6 +1191,7 @@ interface(`seutil_rw_file_contexts',`
- files_search_etc($1)
- allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
- rw_files_pattern($1, file_context_t, file_context_t)
-+ allow $1 file_context_t:file map;
- ')
-
- ########################################
-@@ -846,6 +1213,8 @@ interface(`seutil_manage_file_contexts',`
- files_search_etc($1)
- allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
- manage_files_pattern($1, file_context_t, file_context_t)
-+ manage_dirs_pattern($1, file_context_t, file_context_t)
-+ allow $1 file_context_t:file map;
- ')
-
- ########################################
-@@ -866,6 +1235,7 @@ interface(`seutil_read_bin_policy',`
- files_search_etc($1)
- allow $1 selinux_config_t:dir search_dir_perms;
- read_files_pattern($1, policy_config_t, policy_config_t)
-+ allow $1 policy_config_t:file map;
- ')
-
- ########################################
-@@ -999,6 +1369,26 @@ interface(`seutil_domtrans_semanage',`
-
- ########################################
- ##
-+## Execute a domain transition to run setsebool.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`seutil_domtrans_setsebool',`
-+ gen_require(`
-+ type setsebool_t, setsebool_exec_t;
-+ ')
-+
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
-+')
-+
-+########################################
-+##
- ## Execute semanage in the semanage domain, and
- ## allow the specified role the semanage domain,
- ## and use the caller's terminal.
-@@ -1017,11 +1407,125 @@ interface(`seutil_domtrans_semanage',`
- #
- interface(`seutil_run_semanage',`
- gen_require(`
-- attribute_role semanage_roles;
-+ #attribute_role semanage_roles;
-+ type semanage_t;
- ')
-
-+ #seutil_domtrans_semanage($1)
-+ #roleattribute $2 semanage_roles;
-+
- seutil_domtrans_semanage($1)
-- roleattribute $2 semanage_roles;
-+ seutil_run_setfiles(semanage_t, $2)
-+ seutil_run_loadpolicy(semanage_t, $2)
-+ role $2 types semanage_t;
-+
-+')
-+
-+########################################
-+##
-+## Execute setsebool in the semanage domain, and
-+## allow the specified role the semanage domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the setsebool domain.
-+##
-+##
-+##
-+#
-+interface(`seutil_run_setsebool',`
-+ gen_require(`
-+ type semanage_t;
-+ ')
-+
-+ seutil_domtrans_setsebool($1)
-+ role $2 types setsebool_t;
-+')
-+
-+########################################
-+##
-+## List of the semanage
-+## module store.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_access_check_module_store',`
-+ gen_require(`
-+ type semanage_store_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 semanage_store_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
-+## Full management of the semanage
-+## module store.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_read_module_store',`
-+ gen_require(`
-+ type selinux_config_t, semanage_store_t;
-+ ')
-+
-+ files_search_etc($1)
-+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
-+ read_files_pattern($1, semanage_store_t, semanage_store_t)
-+ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
-+')
-+
-+########################################
-+##
-+## Dontaudit read selinux module store
-+## module store.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_read_module_store',`
-+ gen_require(`
-+ type semanage_store_t;
-+ ')
-+
-+dontaudit $1 semanage_store_t:dir list_dir_perms;
-+dontaudit $1 semanage_store_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Dontaudit access check on module store
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_access_check_semanage_module_store',`
-+ gen_require(`
-+ type semanage_store_t;
-+ ')
-+
-+ dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
- ')
-
- ########################################
-@@ -1041,9 +1545,15 @@ interface(`seutil_manage_module_store',`
- ')
-
- files_search_etc($1)
-+ files_search_var($1)
- manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
-+ manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
- manage_files_pattern($1, semanage_store_t, semanage_store_t)
-+ manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
- filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
- ')
-
- #######################################
-@@ -1067,6 +1577,24 @@ interface(`seutil_get_semanage_read_lock',`
-
- #######################################
- ##
-+## Dontaudit access check on module store
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_access_check_semanage_read_lock',`
-+ gen_require(`
-+ type semanage_read_lock_t;
-+ ')
-+
-+ dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access;
-+')
-+
-+#######################################
-+##
- ## Get trans lock on module store
- ##
- ##
-@@ -1137,3 +1665,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
- selinux_dontaudit_get_fs_mount($1)
- seutil_dontaudit_read_config($1)
- ')
-+
-+#######################################
-+##
-+## All rules necessary to run semanage command
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_semanage_policy',`
-+ gen_require(`
-+ type semanage_tmp_t;
-+ type policy_config_t;
-+ attribute policy_manager_domain;
-+ ')
-+ typeattribute $1 policy_manager_domain;
-+
-+ kernel_read_system_state($1)
-+
-+ # Running genhomedircon requires this for finding all users
-+ auth_use_nsswitch($1)
-+
-+ mls_file_write_all_levels($1)
-+ mls_file_read_all_levels($1)
-+
-+ selinux_get_enforce_mode($1)
-+
-+ seutil_manage_bin_policy($1)
-+
-+ logging_send_syslog_msg($1)
-+')
-+
-+#######################################
-+##
-+## All rules necessary to run setfiles command
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_setfiles',`
-+
-+ gen_require(`
-+ attribute setfiles_domain;
-+ ')
-+ typeattribute $1 setfiles_domain;
-+
-+ kernel_read_system_state($1)
-+ seutil_libselinux_linked($1)
-+
-+ files_relabel_all_files($1)
-+
-+ mls_file_read_all_levels($1)
-+ mls_file_write_all_levels($1)
-+ mls_file_upgrade($1)
-+ mls_file_downgrade($1)
-+
-+ # this is to satisfy the assertion:
-+ auth_relabelto_shadow($1)
-+
-+ logging_send_syslog_msg($1)
-+')
-+
-+#####################################
-+##
-+## File name transition for selinux utility content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_filetrans_named_content',`
-+ gen_require(`
-+ type default_context_t, semanage_store_t;
-+ type selinux_config_t, semanage_trans_lock_t;
-+ type file_context_t, selinux_login_config_t;
-+ ')
-+
-+ filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
-+ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK")
-+ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK")
-+ filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins")
-+ filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
-+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## semanage dbus server over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_dbus_chat_semanage',`
-+ gen_require(`
-+ type semanage_t;
-+ class dbus send_msg;
-+ ')
-+
-+ ps_process_pattern(semanage_t, $1)
-+
-+ allow $1 semanage_t:dbus send_msg;
-+ allow semanage_t $1:dbus send_msg;
-+')
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc4642022..d3320bdd9 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -11,14 +11,16 @@ gen_require(`
-
- attribute can_write_binary_policy;
- attribute can_relabelto_binary_policy;
-+attribute setfiles_domain;
-+attribute policy_manager_domain;
-
--attribute_role newrole_roles;
-+#attribute_role newrole_roles;
-
--attribute_role run_init_roles;
--role system_r types run_init_t;
-+#attribute_role run_init_roles;
-+#role system_r types run_init_t;
-
--attribute_role semanage_roles;
--roleattribute system_r semanage_roles;
-+#attribute_role semanage_roles;
-+#roleattribute system_r semanage_roles;
-
- #
- # selinux_config_t is the type applied to
-@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
- # in the domain_type interface
- # (fix dup decl)
- type selinux_config_t;
--files_type(selinux_config_t)
-+files_security_file(selinux_config_t)
-+
-+type selinux_login_config_t;
-+files_security_file(selinux_login_config_t)
-+
-+type selinux_var_lib_t;
-+files_type(selinux_var_lib_t)
-
- type checkpolicy_t, can_write_binary_policy;
- type checkpolicy_exec_t;
-@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
- # /etc/selinux/*/contexts/*
- #
- type default_context_t;
--files_type(default_context_t)
-+files_security_file(default_context_t)
-
- #
- # file_context_t is the type applied to
- # /etc/selinux/*/contexts/files
- #
- type file_context_t;
--files_type(file_context_t)
-+files_security_file(file_context_t)
-
- type load_policy_t;
- type load_policy_exec_t;
-@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
- domain_role_change_exemption(newrole_t)
- domain_obj_id_change_exemption(newrole_t)
- domain_interactive_fd(newrole_t)
--role newrole_roles types newrole_t;
-+#role newrole_roles types newrole_t;
-+role system_r types newrole_t;
-
- #
- # policy_config_t is the type of /etc/security/selinux/*
- # the security server policy configuration.
- #
--type policy_config_t;
--files_type(policy_config_t)
-+#type policy_config_t;
-+#files_type(policy_config_t)
-+gen_require(`
-+ type semanage_store_t;
-+')
-+
-+typealias semanage_store_t alias { policy_config_t semanage_var_lib_t };
-
- neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
- #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +97,6 @@ type restorecond_t;
- type restorecond_exec_t;
- init_daemon_domain(restorecond_t, restorecond_exec_t)
- domain_obj_id_change_exemption(restorecond_t)
--role system_r types restorecond_t;
-
- type restorecond_var_run_t;
- files_pid_file(restorecond_var_run_t)
-@@ -92,40 +105,49 @@ type run_init_t;
- type run_init_exec_t;
- application_domain(run_init_t, run_init_exec_t)
- domain_system_change_exemption(run_init_t)
--role run_init_roles types run_init_t;
-+#role run_init_roles types run_init_t;
-+role system_r types run_init_t;
-
- type semanage_t;
- type semanage_exec_t;
- application_domain(semanage_t, semanage_exec_t)
-+init_daemon_domain(semanage_t, semanage_exec_t)
- domain_interactive_fd(semanage_t)
--role semanage_roles types semanage_t;
-+#role semanage_roles types semanage_t;
-+role system_r types semanage_t;
-+
-+type setsebool_t;
-+type setsebool_exec_t;
-+init_system_domain(setsebool_t, setsebool_exec_t)
-
- type semanage_store_t;
--files_type(semanage_store_t)
-+files_security_file(semanage_store_t)
-
- type semanage_read_lock_t;
--files_type(semanage_read_lock_t)
-+files_lock_file(semanage_read_lock_t)
-
- type semanage_tmp_t;
- files_tmp_file(semanage_tmp_t)
-
--type semanage_trans_lock_t;
--files_type(semanage_trans_lock_t)
--
--type semanage_var_lib_t;
--files_type(semanage_var_lib_t)
-+type semanage_trans_lock_t;
-+files_lock_file(semanage_trans_lock_t)
-
- type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
- type setfiles_exec_t alias restorecon_exec_t;
- init_system_domain(setfiles_t, setfiles_exec_t)
- domain_obj_id_change_exemption(setfiles_t)
-
-+type setfiles_mac_t;
-+domain_type(setfiles_mac_t)
-+domain_entry_file(setfiles_mac_t, setfiles_exec_t)
-+domain_obj_id_change_exemption(setfiles_mac_t)
-+
- ########################################
- #
- # Checkpolicy local policy
- #
-
--allow checkpolicy_t self:capability dac_override;
-+allow checkpolicy_t self:capability { dac_read_search };
-
- # able to create and modify binary policy files
- manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
-@@ -137,6 +159,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
- read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
- read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
- allow checkpolicy_t selinux_config_t:dir search_dir_perms;
-+allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
-
- domain_use_interactive_fds(checkpolicy_t)
-
-@@ -151,7 +174,7 @@ term_use_console(checkpolicy_t)
- init_use_fds(checkpolicy_t)
- init_use_script_ptys(checkpolicy_t)
-
--userdom_use_user_terminals(checkpolicy_t)
-+userdom_use_inherited_user_terminals(checkpolicy_t)
- userdom_use_all_users_fds(checkpolicy_t)
-
- ifdef(`distro_ubuntu',`
-@@ -165,10 +188,11 @@ ifdef(`distro_ubuntu',`
- # Load_policy local policy
- #
-
--allow load_policy_t self:capability dac_override;
-+allow load_policy_t self:capability { dac_read_search };
-
- # only allow read of policy config files
- read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
-+allow load_policy_t policy_config_t:file map;
-
- domain_use_interactive_fds(load_policy_t)
-
-@@ -188,13 +212,13 @@ term_list_ptys(load_policy_t)
-
- init_use_script_fds(load_policy_t)
- init_use_script_ptys(load_policy_t)
--
--miscfiles_read_localization(load_policy_t)
-+init_write_script_pipes(load_policy_t)
-
- seutil_libselinux_linked(load_policy_t)
-
--userdom_use_user_terminals(load_policy_t)
-+userdom_use_inherited_user_terminals(load_policy_t)
- userdom_use_all_users_fds(load_policy_t)
-+userdom_dontaudit_read_user_tmp_files(load_policy_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -205,6 +229,7 @@ ifdef(`distro_ubuntu',`
- ifdef(`hide_broken_symptoms',`
- # cjp: cover up stray file descriptors.
- dontaudit load_policy_t selinux_config_t:file write;
-+ dontaudit load_policy_t selinux_login_config_t:file write;
-
- optional_policy(`
- unconfined_dontaudit_read_pipes(load_policy_t)
-@@ -215,12 +240,21 @@ optional_policy(`
- portage_dontaudit_use_fds(load_policy_t)
- ')
-
-+optional_policy(`
-+ sssd_rw_inherited_pipes(load_policy_t)
-+')
-+
-+optional_policy(`
-+ # pki is leaking
-+ pki_dontaudit_write_log(load_policy_t)
-+')
-+
- ########################################
- #
- # Newrole local policy
- #
-
--allow newrole_t self:capability { fowner setuid setgid dac_override };
-+allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search };
- allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
- allow newrole_t self:process setexec;
- allow newrole_t self:fd use;
-@@ -232,7 +266,7 @@ allow newrole_t self:msgq create_msgq_perms;
- allow newrole_t self:msg { send receive };
- allow newrole_t self:unix_dgram_socket sendto;
- allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msgs(newrole_t)
-
- read_files_pattern(newrole_t, default_context_t, default_context_t)
- read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +283,7 @@ domain_use_interactive_fds(newrole_t)
- # for when the user types "exec newrole" at the command line:
- domain_sigchld_interactive_fds(newrole_t)
-
-+files_list_var(newrole_t)
- files_read_etc_files(newrole_t)
- files_read_var_files(newrole_t)
- files_read_var_symlinks(newrole_t)
-@@ -276,25 +311,34 @@ term_relabel_all_ptys(newrole_t)
- term_getattr_unallocated_ttys(newrole_t)
- term_dontaudit_use_unallocated_ttys(newrole_t)
-
--auth_use_nsswitch(newrole_t)
--auth_run_chk_passwd(newrole_t, newrole_roles)
--auth_run_upd_passwd(newrole_t, newrole_roles)
--auth_rw_faillog(newrole_t)
-+auth_use_pam(newrole_t)
-
- # Write to utmp.
- init_rw_utmp(newrole_t)
- init_use_fds(newrole_t)
-
--logging_send_syslog_msg(newrole_t)
--
--miscfiles_read_localization(newrole_t)
-
- seutil_libselinux_linked(newrole_t)
-
-+userdom_use_unpriv_users_fds(newrole_t)
- # for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content(newrole_t)
- userdom_search_user_home_dirs(newrole_t)
-
-+# need to talk with dbus
-+optional_policy(`
-+ dbus_system_bus_client(newrole_t)
-+')
-+
-+#optional_policy(`
-+# namespace_init_run(newrole_t, newrole_roles)
-+#')
-+
-+
-+optional_policy(`
-+ xserver_dontaudit_exec_xauth(newrole_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(newrole_t)
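Review bot: The three commented-out lines `#optional_policy(` / `# namespace_init_run(newrole_t, newrole_roles)` / `#')` are dead policy with no explanation; either delete them or replace them with a one-line comment saying why the transition is deferred. The `# need to talk with dbus` comment above `dbus_system_bus_client(newrole_t)` does not say what newrole needs on the system bus — a comment naming the service (or the denial that motivated it) would let a later reviewer judge whether a full system-bus client grant is still warranted for a role-changing program. Note that `auth_use_pam(newrole_t)` replaces four explicit grants including `auth_rw_faillog` and `auth_run_chk_passwd(newrole_t, newrole_roles)`; whether faillog writes and the chkpwd role authorization are still covered depends on auth_use_pam's definition, which is outside this hunk.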
-@@ -309,7 +353,7 @@ if(secure_mode) {
- userdom_spec_domtrans_all_users(newrole_t)
- }
-
--tunable_policy(`allow_polyinstantiation',`
-+tunable_policy(`polyinstantiation_enabled',`
- files_polyinstantiate_all(newrole_t)
- ')
-
-@@ -318,7 +362,7 @@ tunable_policy(`allow_polyinstantiation',`
- # Restorecond local policy
- #
-
--allow restorecond_t self:capability { dac_override dac_read_search fowner };
-+allow restorecond_t self:capability { dac_read_search fowner };
- allow restorecond_t self:fifo_file rw_fifo_file_perms;
-
- allow restorecond_t restorecond_var_run_t:file manage_file_perms;
-@@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t)
- kernel_rw_pipes(restorecond_t)
- kernel_read_system_state(restorecond_t)
-
-+dev_relabel_all_dev_nodes(restorecond_t)
-+
-+files_dontaudit_read_all_symlinks(restorecond_t)
-+
- fs_relabelfrom_noxattr_fs(restorecond_t)
- fs_dontaudit_list_nfs(restorecond_t)
--fs_getattr_xattr_fs(restorecond_t)
-+fs_getattr_all_fs(restorecond_t)
- fs_list_inotifyfs(restorecond_t)
-
- selinux_validate_context(restorecond_t)
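Review bot: `dev_relabel_all_dev_nodes(restorecond_t)` extends restorecond's relabel authority to every device-node type, and `fs_getattr_all_fs` widens the old `fs_getattr_xattr_fs`, both without a comment. restorecond presumably only touches the paths listed in its configuration, so a why-comment such as `# restorecond.conf may list entries under /dev` would scope the grant and let it be narrowed later if those entries go away. `files_dontaudit_read_all_symlinks(restorecond_t)` in the same hunk sits next to a new `userdom_read_user_home_content_symlinks` grant in the following hunk; the split between "allow" and "dontaudit" for symlinks should be stated so it is not read as an oversight.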
-@@ -341,16 +389,17 @@ selinux_compute_user_contexts(restorecond_t)
-
- files_relabel_non_auth_files(restorecond_t )
- files_read_non_auth_files(restorecond_t)
-+
- auth_use_nsswitch(restorecond_t)
-
- locallogin_dontaudit_use_fds(restorecond_t)
-
- logging_send_syslog_msg(restorecond_t)
-
--miscfiles_read_localization(restorecond_t)
--
- seutil_libselinux_linked(restorecond_t)
-
-+userdom_read_user_home_content_symlinks(restorecond_t)
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(restorecond_t)
-@@ -366,21 +415,24 @@ optional_policy(`
- # Run_init local policy
- #
-
--allow run_init_roles system_r;
-+#allow run_init_roles system_r;
-
- allow run_init_t self:process setexec;
- allow run_init_t self:capability setuid;
- allow run_init_t self:fifo_file rw_file_perms;
--allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msgs(run_init_t)
-
- # often the administrator runs such programs from a directory that is owned
- # by a different user or has restrictive SE permissions, do not want to audit
- # the failed access to the current directory
--dontaudit run_init_t self:capability { dac_override dac_read_search };
-+dontaudit run_init_t self:capability { dac_read_search };
-+
-+kernel_dontaudit_getattr_core_if(run_init_t)
-
- corecmd_exec_bin(run_init_t)
- corecmd_exec_shell(run_init_t)
-
-+dev_dontaudit_getattr_all(run_init_t)
- dev_dontaudit_list_all_dev_nodes(run_init_t)
-
- domain_use_interactive_fds(run_init_t)
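Review bot: `#allow run_init_roles system_r;` comments out the role allow that let run_init's roles transition to system_r, with no note on where that authorization now comes from; if it is granted elsewhere (a role attribute or the init script transition interface), say so in a one-line comment, otherwise delete the line rather than leave it commented. Commented-out policy is the hardest kind to audit because `sesearch` never shows it. The change from `dontaudit run_init_t self:capability { dac_override dac_read_search }` to `{ dac_read_search }` is fine as a narrowing, but the comment above it still talks about cwd access that would need dac_override — update it to match.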
-@@ -398,23 +450,30 @@ selinux_compute_create_context(run_init_t)
- selinux_compute_relabel_context(run_init_t)
- selinux_compute_user_contexts(run_init_t)
-
-+term_use_console(run_init_t)
-+
-+#auth_use_nsswitch(run_init_t)
-+#auth_run_chk_passwd(run_init_t, run_init_roles)
-+#auth_run_upd_passwd(run_init_t, run_init_roles)
-+#auth_dontaudit_read_shadow(run_init_t)
-+
- auth_use_nsswitch(run_init_t)
--auth_run_chk_passwd(run_init_t, run_init_roles)
--auth_run_upd_passwd(run_init_t, run_init_roles)
-+auth_domtrans_chk_passwd(run_init_t)
-+auth_domtrans_upd_passwd(run_init_t)
- auth_dontaudit_read_shadow(run_init_t)
-
-+
- init_spec_domtrans_script(run_init_t)
- # for utmp
- init_rw_utmp(run_init_t)
-+init_dontaudit_getattr_initctl(run_init_t)
-
- logging_send_syslog_msg(run_init_t)
-
--miscfiles_read_localization(run_init_t)
--
- seutil_libselinux_linked(run_init_t)
- seutil_read_default_contexts(run_init_t)
-
--userdom_use_user_terminals(run_init_t)
-+userdom_use_inherited_user_terminals(run_init_t)
-
- ifndef(`direct_sysadm_daemon',`
- ifdef(`distro_gentoo',`
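Review bot: The four commented-out `#auth_*` lines immediately above `auth_use_nsswitch(run_init_t)` duplicate the active lines that follow them (only `auth_run_*` became `auth_domtrans_*`) and should be deleted; they hide the one real change in the hunk. That change is that run_init_t now gets the chk_passwd/upd_passwd domain transitions without the `run_init_roles` role authorization, so a comment like `# run_init_roles are already authorized for the chkpwd/updpwd domains` would make the drop intentional rather than accidental; whether that is true is outside this hunk. `term_use_console(run_init_t)` is also new and uncommented.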
-@@ -425,6 +484,19 @@ ifndef(`direct_sysadm_daemon',`
- ')
- ')
-
-+# need to talk with dbus
-+optional_policy(`
-+ dbus_system_bus_client(run_init_t)
-+')
-+
-+optional_policy(`
-+ gpm_dontaudit_getattr_gpmctl(run_init_t)
-+')
-+
-+optional_policy(`
-+ rpm_domtrans(run_init_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(run_init_t)
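Review bot: `rpm_domtrans(run_init_t)` lets the init-script launcher execute rpm into its own domain, which is a large privilege to attach to run_init with no justification nearby; add a why-comment naming the script or helper that invokes rpm so the grant can be scoped or removed later. The `# need to talk with dbus` comment above `dbus_system_bus_client(run_init_t)` should likewise name the bus service run_init needs rather than restate the grant.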
-@@ -440,81 +512,87 @@ optional_policy(`
- # semodule local policy
- #
-
--allow semanage_t self:capability { dac_override audit_write };
--allow semanage_t self:unix_stream_socket create_stream_socket_perms;
--allow semanage_t self:unix_dgram_socket create_socket_perms;
- allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--allow semanage_t self:fifo_file rw_fifo_file_perms;
--
--allow semanage_t policy_config_t:file rw_file_perms;
--
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
--manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
--manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
--
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
--
--corecmd_exec_bin(semanage_t)
--
--dev_read_urand(semanage_t)
--
--domain_use_interactive_fds(semanage_t)
-
--files_read_etc_files(semanage_t)
--files_read_etc_runtime_files(semanage_t)
--files_read_usr_files(semanage_t)
--files_list_pids(semanage_t)
--
--mls_file_write_all_levels(semanage_t)
--mls_file_read_all_levels(semanage_t)
--
--selinux_validate_context(semanage_t)
--selinux_get_enforce_mode(semanage_t)
--selinux_getattr_fs(semanage_t)
--# for setsebool:
-+selinux_set_enforce_mode(semanage_t)
- selinux_set_all_booleans(semanage_t)
-+can_exec(semanage_t, semanage_exec_t)
-
--term_use_all_terms(semanage_t)
--
--# Running genhomedircon requires this for finding all users
--auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
--miscfiles_read_localization(semanage_t)
--
--seutil_libselinux_linked(semanage_t)
-+seutil_semanage_policy(semanage_t)
- seutil_manage_file_contexts(semanage_t)
- seutil_manage_config(semanage_t)
--seutil_run_setfiles(semanage_t, semanage_roles)
--seutil_run_loadpolicy(semanage_t, semanage_roles)
--seutil_manage_bin_policy(semanage_t)
--seutil_use_newrole_fds(semanage_t)
--seutil_manage_module_store(semanage_t)
--seutil_get_semanage_trans_lock(semanage_t)
--seutil_get_semanage_read_lock(semanage_t)
-+seutil_rw_login_config(semanage_t)
-+seutil_domtrans_setfiles(semanage_t)
-+
-+#seutil_run_setfiles(semanage_t, semanage_roles)
-+#seutil_run_loadpolicy(semanage_t, semanage_roles)
-+#seutil_manage_bin_policy(semanage_t)
-+#seutil_use_newrole_fds(semanage_t)
-+#seutil_manage_module_store(semanage_t)
-+#seutil_get_semanage_trans_lock(semanage_t)
-+#seutil_get_semanage_read_lock(semanage_t)
- # netfilter_contexts:
- seutil_manage_default_contexts(semanage_t)
-
- # Handle pp files created in homedir and /tmp
- userdom_read_user_home_content_files(semanage_t)
- userdom_read_user_tmp_files(semanage_t)
-+userdom_home_reader(semanage_t)
-+userdom_map_tmp_files(semanage_t)
-
- ifdef(`distro_debian',`
- files_read_var_lib_files(semanage_t)
- files_read_var_lib_symlinks(semanage_t)
- ')
-
--ifdef(`distro_ubuntu',`
-- optional_policy(`
-- unconfined_domain(semanage_t)
-- ')
-+optional_policy(`
-+ dbus_system_domain(semanage_t, semanage_exec_t)
-+')
-+
-+optional_policy(`
-+ mock_manage_lib_files(semanage_t)
-+ mock_manage_lib_dirs(semanage_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(semanage_t)
-+')
-+
-+####################################n####
-+#
-+# setsebool local policy
-+#
-+seutil_semanage_policy(setsebool_t)
-+selinux_set_all_booleans(setsebool_t)
-+
-+init_dontaudit_use_fds(setsebool_t)
-+
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
-+
-+########################################
-+#
-+# Setfiles mac local policy
-+#
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
-+
-+optional_policy(`
-+ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
-+ livecd_dontaudit_leaks(setfiles_mac_t)
-+ livecd_rw_tmp_files(setfiles_mac_t)
-+ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(setfiles_mac_t)
- ')
-
- ########################################
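Review bot: `optional_policy(`unconfined_domain(semanage_t)')` is no longer wrapped in `ifdef(`distro_ubuntu',`, so on any build that ships the unconfined module semanage_t becomes fully unconfined and the fine-grained grants above it (`seutil_semanage_policy`, `files_read_non_security_files`, `selinux_set_enforce_mode`) stop meaning anything; if that is intended, say so in a comment, otherwise keep the ifdef. `selinux_set_enforce_mode(semanage_t)` newly lets semanage switch enforcing mode and deserves its own why-comment (the old `# for setsebool:` comment was dropped while `selinux_set_all_booleans` stayed). `# Bug in semanage` on the setsebool_t block should reference which bug and when the workaround can be removed, and the separator above it has a stray character (`####################################n####`). In the setfiles_mac_t block, `files_dontaudit_write_isid_chr_files` and `dev_dontaudit_write_all_chr_files` are not livecd interfaces but sit inside the same `optional_policy` as `livecd_dontaudit_leaks`, so they silently disappear when the livecd module is absent; move them outside that block.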
-@@ -522,111 +600,204 @@ ifdef(`distro_ubuntu',`
- # Setfiles local policy
- #
-
--allow setfiles_t self:capability { dac_override dac_read_search fowner };
--dontaudit setfiles_t self:capability sys_tty_config;
--allow setfiles_t self:fifo_file rw_file_perms;
--
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
--
--kernel_read_system_state(setfiles_t)
--kernel_relabelfrom_unlabeled_dirs(setfiles_t)
--kernel_relabelfrom_unlabeled_files(setfiles_t)
--kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
--kernel_relabelfrom_unlabeled_pipes(setfiles_t)
--kernel_relabelfrom_unlabeled_sockets(setfiles_t)
--kernel_use_fds(setfiles_t)
--kernel_rw_pipes(setfiles_t)
--kernel_rw_unix_dgram_sockets(setfiles_t)
--kernel_dontaudit_list_all_proc(setfiles_t)
--kernel_dontaudit_list_all_sysctls(setfiles_t)
--
--dev_relabel_all_dev_nodes(setfiles_t)
--# to handle when /dev/console needs to be relabeled
--dev_rw_generic_chr_files(setfiles_t)
--
--domain_use_interactive_fds(setfiles_t)
--domain_dontaudit_search_all_domains_state(setfiles_t)
--
--files_read_etc_runtime_files(setfiles_t)
--files_read_etc_files(setfiles_t)
--files_list_all(setfiles_t)
--files_relabel_all_files(setfiles_t)
--files_read_usr_symlinks(setfiles_t)
--files_dontaudit_read_all_symlinks(setfiles_t)
--
--fs_getattr_xattr_fs(setfiles_t)
--fs_list_all(setfiles_t)
--fs_search_auto_mountpoints(setfiles_t)
--fs_relabelfrom_noxattr_fs(setfiles_t)
--
--mls_file_read_all_levels(setfiles_t)
--mls_file_write_all_levels(setfiles_t)
--mls_file_upgrade(setfiles_t)
--mls_file_downgrade(setfiles_t)
--
--selinux_validate_context(setfiles_t)
--selinux_compute_access_vector(setfiles_t)
--selinux_compute_create_context(setfiles_t)
--selinux_compute_relabel_context(setfiles_t)
--selinux_compute_user_contexts(setfiles_t)
--
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
--
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
--
--init_use_fds(setfiles_t)
--init_use_script_fds(setfiles_t)
--init_use_script_ptys(setfiles_t)
--init_exec_script_files(setfiles_t)
-+seutil_setfiles(setfiles_t)
-+# During boot in Rawhide
-+term_use_generic_ptys(setfiles_t)
-+
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+allow setfiles_t file_context_t:file map;
-
- logging_send_audit_msgs(setfiles_t)
- logging_send_syslog_msg(setfiles_t)
-
--miscfiles_read_localization(setfiles_t)
-+optional_policy(`
-+ cloudform_dontaudit_write_cloud_log(setfiles_t)
-+')
-
--seutil_libselinux_linked(setfiles_t)
-+optional_policy(`
-+ devicekit_dontaudit_read_pid_files(setfiles_t)
-+ devicekit_dontaudit_rw_log(setfiles_t)
-+')
-
--userdom_use_all_users_fds(setfiles_t)
-+optional_policy(`
-+ # pki is leaking
-+ pki_dontaudit_write_log(setfiles_t)
-+')
-+
-+optional_policy(`
-+ kdump_rw_inherited_kdumpctl_tmp_pipes(setfiles_t)
-+')
-+
-+optional_policy(`
-+ xserver_append_xdm_tmp_files(setfiles_t)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+
-+ optional_policy(`
-+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
-+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
-+ setroubleshoot_fixit_dontaudit_leaks(load_policy_t)
-+ ')
-+')
-+ifdef(`distro_ubuntu',`
-+ optional_policy(`
-+ unconfined_domain(setfiles_t)
-+ ')
-+')
-+
-+########################################
-+#
-+# Setfiles common policy
-+#
-+allow setfiles_domain self:capability { dac_read_search fowner };
-+dontaudit setfiles_domain self:capability sys_tty_config;
-+allow setfiles_domain self:fifo_file rw_file_perms;
-+dontaudit setfiles_domain self:dir relabelfrom;
-+dontaudit setfiles_domain self:file relabelfrom;
-+dontaudit setfiles_domain self:lnk_file relabelfrom;
-+
-+domain_relabelfrom(setfiles_domain)
-+
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-+
-+logging_send_audit_msgs(setfiles_domain)
-+
-+kernel_relabelfrom_unlabeled_dirs(setfiles_domain)
-+kernel_relabelfrom_unlabeled_files(setfiles_domain)
-+kernel_relabelfrom_unlabeled_symlinks(setfiles_domain)
-+kernel_relabelfrom_unlabeled_pipes(setfiles_domain)
-+kernel_relabelfrom_unlabeled_sockets(setfiles_domain)
-+kernel_use_fds(setfiles_domain)
-+kernel_rw_pipes(setfiles_domain)
-+kernel_rw_unix_dgram_sockets(setfiles_domain)
-+kernel_dontaudit_list_all_proc(setfiles_domain)
-+kernel_read_all_sysctls(setfiles_domain)
-+kernel_read_network_state_symlinks(setfiles_domain)
-+
-+dev_relabel_all_dev_nodes(setfiles_domain)
-+dev_dontaudit_rw_lvm_control(setfiles_domain)
-+dev_dontaudit_read_rand(setfiles_domain)
-+dev_dontaudit_read_urand(setfiles_domain)
-+
-+domain_use_interactive_fds(setfiles_domain)
-+domain_read_all_domains_state(setfiles_domain)
-+
-+files_read_etc_runtime_files(setfiles_domain)
-+files_read_etc_files(setfiles_domain)
-+files_list_all(setfiles_domain)
-+files_list_isid_type_dirs(setfiles_domain)
-+files_read_isid_type_files(setfiles_domain)
-+files_dontaudit_read_all_symlinks(setfiles_domain)
-+
-+fs_getattr_all_fs(setfiles_domain)
-+fs_list_all(setfiles_domain)
-+fs_getattr_all_files(setfiles_domain)
-+fs_search_auto_mountpoints(setfiles_domain)
-+fs_relabelfrom_noxattr_fs(setfiles_domain)
-+fs_mount_tracefs(setfiles_domain)
-+
-+selinux_validate_context(setfiles_domain)
-+selinux_compute_access_vector(setfiles_domain)
-+selinux_compute_create_context(setfiles_domain)
-+selinux_compute_relabel_context(setfiles_domain)
-+selinux_compute_user_contexts(setfiles_domain)
-+
-+term_use_all_inherited_terms(setfiles_domain)
-+
-+init_use_fds(setfiles_domain)
-+init_use_script_fds(setfiles_domain)
-+init_use_script_ptys(setfiles_domain)
-+init_exec_script_files(setfiles_domain)
-+init_dontaudit_write_initrc_tmp(setfiles_domain)
-+
-+userdom_use_all_users_fds(setfiles_domain)
- # for config files in a home directory
--userdom_read_user_home_content_files(setfiles_t)
-+userdom_read_user_home_content_files(setfiles_domain)
-+userdom_read_admin_home_files(setfiles_domain)
-+userdom_rw_inherited_user_home_content_files(setfiles_domain)
-
- ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
- # /dev/console has the tmpfs type
-- fs_rw_tmpfs_chr_files(setfiles_t)
-+ fs_rw_tmpfs_chr_files(setfiles_domain)
- ')
-
--ifdef(`distro_redhat', `
-- fs_rw_tmpfs_chr_files(setfiles_t)
-- fs_rw_tmpfs_blk_files(setfiles_t)
-- fs_relabel_tmpfs_blk_file(setfiles_t)
-- fs_relabel_tmpfs_chr_file(setfiles_t)
-+ifdef(`distro_redhat',`
-+ fs_rw_tmpfs_chr_files(setfiles_domain)
-+ fs_rw_tmpfs_blk_files(setfiles_domain)
-+ fs_relabel_tmpfs_blk_file(setfiles_domain)
-+ fs_relabel_tmpfs_chr_file(setfiles_domain)
- ')
-
--ifdef(`distro_ubuntu',`
-- optional_policy(`
-- unconfined_domain(setfiles_t)
-- ')
-+optional_policy(`
-+ hotplug_use_fds(setfiles_domain)
- ')
-
--ifdef(`hide_broken_symptoms',`
-- optional_policy(`
-- udev_dontaudit_rw_dgram_sockets(setfiles_t)
-- ')
--
-- # cjp: cover up stray file descriptors.
-- optional_policy(`
-- unconfined_dontaudit_read_pipes(setfiles_t)
-- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
-- ')
-+optional_policy(`
-+ dbus_read_pid_files(setfiles_domain)
- ')
-
-+allow policy_manager_domain self:capability { dac_read_search sys_nice sys_resource };
-+dontaudit policy_manager_domain self:capability sys_tty_config;
-+allow policy_manager_domain self:process { signal setsched };
-+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
-+allow policy_manager_domain self:unix_dgram_socket create_socket_perms;
-+allow policy_manager_domain self:fifo_file rw_fifo_file_perms;
-+
-+dev_read_rand(policy_manager_domain)
-+dev_read_urand(policy_manager_domain)
-+
-+logging_send_audit_msgs(policy_manager_domain)
-+
-+# Domains that will manage policy
-+allow policy_manager_domain policy_config_t:file rw_file_perms;
-+
-+allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms;
-+allow policy_manager_domain semanage_tmp_t:file manage_file_perms;
-+files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir })
-+
-+kernel_read_kernel_sysctls(policy_manager_domain)
-+
-+corecmd_exec_bin(policy_manager_domain)
-+corecmd_exec_shell(policy_manager_domain)
-+
-+domain_use_interactive_fds(policy_manager_domain)
-+
-+files_read_etc_files(policy_manager_domain)
-+files_read_etc_runtime_files(policy_manager_domain)
-+files_read_usr_files(policy_manager_domain)
-+files_list_pids(policy_manager_domain)
-+fs_list_inotifyfs(policy_manager_domain)
-+fs_getattr_all_fs(policy_manager_domain)
-+
-+selinux_validate_context(policy_manager_domain)
-+selinux_read_policy(policy_manager_domain)
-+
-+term_use_all_inherited_terms(policy_manager_domain)
-+
-+locallogin_use_fds(policy_manager_domain)
-+
-+seutil_search_default_contexts(policy_manager_domain)
-+seutil_domtrans_loadpolicy(policy_manager_domain)
-+seutil_read_config(policy_manager_domain)
-+seutil_use_newrole_fds(policy_manager_domain)
-+seutil_manage_module_store(policy_manager_domain)
-+seutil_get_semanage_trans_lock(policy_manager_domain)
-+seutil_get_semanage_read_lock(policy_manager_domain)
-+
-+userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
-+userdom_use_user_ptys(policy_manager_domain)
-+
-+files_rw_inherited_generic_pid_files(setfiles_domain)
-+files_rw_inherited_generic_pid_files(policy_manager_domain)
-+files_create_boot_flag(policy_manager_domain, ".autorelabel")
-+files_delete_boot_flag(policy_manager_domain)
-+
- optional_policy(`
-- hotplug_use_fds(setfiles_t)
-+ policykit_dbus_chat(policy_manager_domain)
- ')
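Review bot: `fs_mount_tracefs(setfiles_domain)` grants a relabeling tool the right to mount tracefs, which is out of character for setfiles/restorecon and carries no comment; if it exists to cover a denial while walking /sys/kernel/tracing, a dontaudit or getattr on the mountpoint is the usual fix, and either way a why-comment is needed. `files_create_boot_flag(policy_manager_domain, ".autorelabel")` lets every domain carrying the attribute (semanage_t, setsebool_t and any future member) schedule a full filesystem relabel on next boot — worth a comment naming the expected caller, presumably `fixfiles onboot`. `domain_read_all_domains_state(setfiles_domain)` replaces the old `domain_dontaudit_search_all_domains_state(setfiles_t)`, turning a silenced denial into read access to every domain's /proc state, and `dev_dontaudit_read_rand`/`dev_dontaudit_read_urand` hide what is likely a library side effect; one line of justification for each would make the attribute's footprint auditable.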
-diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
-index bea462999..06e2834f7 100644
---- a/policy/modules/system/setrans.fc
-+++ b/policy/modules/system/setrans.fc
-@@ -2,4 +2,7 @@
-
- /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
-
-+/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
-+
- /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
-+/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
-diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
-index efa9c27f6..536a514fc 100644
---- a/policy/modules/system/setrans.if
-+++ b/policy/modules/system/setrans.if
-@@ -40,3 +40,21 @@ interface(`setrans_translate_context',`
- stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
- files_list_pids($1)
- ')
-+#######################################
-+##
-+## Allow a domain to manage pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`setrans_manage_pid_files',`
-+ gen_require(`
-+ type setrans_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
-+')
-diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 1447687d5..0b1da4d3e 100644
---- a/policy/modules/system/setrans.te
-+++ b/policy/modules/system/setrans.te
-@@ -12,6 +12,7 @@ gen_require(`
- type setrans_t;
- type setrans_exec_t;
- init_daemon_domain(setrans_t, setrans_exec_t)
-+mls_trusted_object(setrans_t)
-
- type setrans_initrc_exec_t;
- init_script_file(setrans_initrc_exec_t)
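Review bot: `mls_trusted_object(setrans_t)` exempts setrans_t as a target from MLS constraints with no comment. That is plausible for mcstransd, which must answer translation requests from every level (its runtime directory is already labeled `mls_systemhigh` in the .fc hunk), but the attribute is security-relevant enough to deserve a one-liner such as `# mcstransd serves context translations to clients at every MLS level`.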
-@@ -49,6 +50,7 @@ manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
- manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
- files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
-
-+kernel_read_system_state(setrans_t)
- kernel_read_kernel_sysctls(setrans_t)
- kernel_read_proc_symlinks(setrans_t)
-
-@@ -78,7 +80,6 @@ locallogin_dontaudit_use_fds(setrans_t)
-
- logging_send_syslog_msg(setrans_t)
-
--miscfiles_read_localization(setrans_t)
-
- seutil_read_config(setrans_t)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18ab..be7317733 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,23 +17,31 @@ ifdef(`distro_debian',`
- /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
--/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
--/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
-+/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
-+/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
--/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
--/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/resolv-secure.conf.* gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/\.resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-
--/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
-+/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
-
- ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- ')
-+/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+
-+/var/run/cloud-init(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-
- #
- # /sbin
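Review bot: `/etc/resolv-secure.conf.*` has an unescaped `.` before `conf`, unlike its escaped siblings `/etc/resolv\.conf.*` and `/etc/\.resolv\.conf.*`; write `/etc/resolv-secure\.conf.*`. Dropping the `--` qualifier from the resolv.conf entries widens them from regular files to any object class, which is needed if resolv.conf is a symlink (systemd-resolved) but should be stated in a comment so nobody "fixes" it back. `/var/run/cloud-init(/.*)?` labels everything cloud-init writes at runtime as net_conf_t and thereby makes it readable by every domain using `sysnet_read_config`; confirm that directory holds only network configuration, or narrow the pattern. `/etc/ntp\.conf` as net_conf_t is also new and deserves a one-line reason.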
-@@ -44,6 +52,7 @@ ifdef(`distro_redhat',`
- /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -55,6 +64,21 @@ ifdef(`distro_redhat',`
- #
- # /usr
- #
-+/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+
-+/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-+/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-+/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
- #
-@@ -77,3 +101,6 @@ ifdef(`distro_debian',`
- /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- ')
-
-+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
-+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-+
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692c0..9c68d9b24 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
- #
- interface(`sysnet_run_dhcpc',`
- gen_require(`
-+ type dhcpc_t;
- attribute_role dhcpc_roles;
- ')
-
- sysnet_domtrans_dhcpc($1)
- roleattribute $2 dhcpc_roles;
-+
-+ optional_policy(`
-+ networkmanager_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ nis_run_ypbind(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ nscd_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ ntp_run(dhcpc_t, $2)
-+ ')
-+
-+ seutil_run_setfiles(dhcpc_t, $2)
- ')
-
- ########################################
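Review bot: `sysnet_run_dhcpc` now authorizes role `$2` for five further domains (`networkmanager_run`, `nis_run_ypbind`, `nscd_run`, `ntp_run`, `seutil_run_setfiles`) as a side effect of being allowed to run dhclient, and re-emits the dhcpc_t domain-transition rules for every caller; the domtrans halves belong once in sysnetwork.te, with only the role grants left in the interface. `seutil_run_setfiles(dhcpc_t, $2)` is also outside `optional_policy`, unlike its four neighbours — acceptable only if the seutil module is guaranteed to be in base. The interface's doc comment (above this hunk) should list these role side effects so callers know what they are granting.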
-@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
- ')
-
- files_search_etc($1)
-- allow $1 dhcp_etc_t:file rw_file_perms;
-+ rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
- ')
-
- ########################################
-@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
- type dhcpc_state_t;
- ')
-
-+ list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
- read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
- ')
-
-@@ -290,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',`
- delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
- ')
-
-+########################################
-+##
-+## Allow caller to relabel dhcpc_state files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_relabelfrom_dhcpc_state',`
-+
-+ gen_require(`
-+ type dhcpc_state_t;
-+ ')
-+
-+ allow $1 dhcpc_state_t:file relabelfrom;
-+')
-+
-+#######################################
-+##
-+## Manage the dhcp client state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_manage_dhcpc_state',`
-+ gen_require(`
-+ type dhcpc_state_t;
-+ ')
-+
-+ manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
-+')
-+
- #######################################
- ##
- ## Set the attributes of network config files.
-@@ -311,6 +368,44 @@ interface(`sysnet_setattr_config',`
-
- #######################################
- ##
-+## Allow caller to relabel net_conf files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_relabelfrom_net_conf',`
-+
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ allow $1 net_conf_t:file relabelfrom;
-+')
-+
-+######################################
-+##
-+## Allow caller to relabel net_conf files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_relabelto_net_conf',`
-+
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ allow $1 net_conf_t:file relabelto;
-+')
-+
-+#######################################
-+##
- ## Read network config files.
- ##
- ##
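Review bot: The summary for `sysnet_relabelto_net_conf` is a copy of the one for `sysnet_relabelfrom_net_conf` (`Allow caller to relabel net_conf files`); make them distinguishable, e.g. `Allow caller to relabel files away from net_conf_t` and `Allow caller to relabel files to net_conf_t`, since the summaries are what appears in the generated reference. Both interfaces grant only the `file` class; `sysnet_manage_config` in this same patch adds `lnk_file` handling for net_conf_t, so a caller relabeling such symlinks will still be denied — either extend to `{ file lnk_file }` or note the limitation.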
-@@ -355,7 +450,10 @@ interface(`sysnet_read_config',`
- ')
-
- ifdef(`distro_redhat',`
-+ files_search_all_pids($1)
-+ init_search_pid_dirs($1)
- allow $1 net_conf_t:dir list_dir_perms;
-+ allow $1 net_conf_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, net_conf_t, net_conf_t)
- ')
- ')
-@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',`
- ')
-
- files_etc_filetrans($1, net_conf_t, file, $2)
-+ files_etc_filetrans($1, net_conf_t, lnk_file, $2)
-+
-+')
-+
-+########################################
-+##
-+## Transition content to the type used for
-+## the network config files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the directory to which the object will be created.
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`sysnet_filetrans_config_fromdir',`
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ filetrans_pattern($1, $2, net_conf_t, $3, $4)
- ')
-
- #######################################
-@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',`
- interface(`sysnet_manage_config',`
- gen_require(`
- type net_conf_t;
-- ')
-+ ')
-
- allow $1 net_conf_t:file manage_file_perms;
-
-@@ -463,7 +597,41 @@ interface(`sysnet_manage_config',`
- ')
-
- ifdef(`distro_redhat',`
-+ files_search_all_pids($1)
-+ init_search_pid_dirs($1)
-+ allow $1 net_conf_t:dir list_dir_perms;
- manage_files_pattern($1, net_conf_t, net_conf_t)
-+ manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Create, read, write, and delete network config dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_manage_config_dirs',`
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ allow $1 net_conf_t:dir manage_dir_perms;
-+
-+ ifdef(`distro_debian',`
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, net_conf_t, net_conf_t)
-+ ')
-+
-+ ifdef(`distro_redhat',`
-+ files_search_all_pids($1)
-+ init_search_pid_dirs($1)
-+ allow $1 net_conf_t:dir list_dir_perms;
-+ manage_dirs_pattern($1, net_conf_t, net_conf_t)
- ')
- ')
-
-@@ -501,11 +669,55 @@ interface(`sysnet_delete_dhcpc_pid',`
- type dhcpc_var_run_t;
- ')
-
-+ files_rw_pid_dirs($1)
- allow $1 dhcpc_var_run_t:file unlink;
- ')
-
- #######################################
- ##
-+## Manage the dhcp client pid file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_manage_dhcpc_pid',`
-+ gen_require(`
-+ type dhcpc_var_run_t;
-+ ')
-+
-+ files_rw_pid_dirs($1)
-+ manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t)
-+')
-+
-+########################################
-+##
-+## Create specified objects in generic
-+## pid directories with the dhcpc pid file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`sysnet_filetrans_dhcpc_pid',`
-+ gen_require(`
-+ type dhcpc_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, dhcpc_var_run_t, file, $2)
-+')
-+
-+#######################################
-+##
- ## Execute ifconfig in the ifconfig domain.
- ##
- ##
-@@ -610,6 +822,25 @@ interface(`sysnet_signull_ifconfig',`
-
- ########################################
- ##
-+## Send a kill signal to iconfig.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`sysnet_kill_ifconfig',`
-+ gen_require(`
-+ type ifconfig_t;
-+ ')
-+
-+ allow $1 ifconfig_t:process sigkill;
-+')
-+
-+########################################
-+##
- ## Read the DHCP configuration files.
- ##
- ##
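Review bot: Typo in the new interface summary: `Send a kill signal to iconfig.` should read `Send a kill signal to ifconfig.` The interface grants `sigkill` only; a caller that needs an orderly shutdown should pair it with the existing signal-class siblings (`sysnet_signull_ifconfig` is visible just above), which a `<desc>` sentence could point out.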
-@@ -626,6 +857,7 @@ interface(`sysnet_read_dhcp_config',`
- files_search_etc($1)
- allow $1 dhcp_etc_t:dir list_dir_perms;
- read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
-+ allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -647,6 +879,26 @@ interface(`sysnet_search_dhcp_state',`
- allow $1 dhcp_state_t:dir search_dir_perms;
- ')
-
-+#######################################
-+##
-+## Set the attributes of network config files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_setattr_dhcp_state',`
-+ gen_require(`
-+ type dhcp_state_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 dhcp_state_t:file setattr_file_perms;
-+')
-+
-+
- ########################################
- ##
- ## Create DHCP state data.
-@@ -711,8 +963,6 @@ interface(`sysnet_dns_name_resolve',`
- allow $1 self:udp_socket create_socket_perms;
- allow $1 self:netlink_route_socket r_netlink_socket_perms;
-
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
-@@ -720,14 +970,23 @@ interface(`sysnet_dns_name_resolve',`
- corenet_tcp_sendrecv_dns_port($1)
- corenet_udp_sendrecv_dns_port($1)
- corenet_tcp_connect_dns_port($1)
-+ corenet_tcp_connect_dnssec_port($1)
- corenet_sendrecv_dns_client_packets($1)
-
-+ files_search_all_pids($1)
-+
-+ miscfiles_read_generic_certs($1)
-+
- sysnet_read_config($1)
-
- optional_policy(`
- avahi_stream_connect($1)
- ')
-
-+ optional_policy(`
-+ dbus_stream_connect_system_dbusd($1)
-+ ')
-+
- optional_policy(`
- nscd_use($1)
- ')
-@@ -750,8 +1009,6 @@ interface(`sysnet_use_ldap',`
-
- allow $1 self:tcp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
- corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +1017,14 @@ interface(`sysnet_use_ldap',`
-
- # Support for LDAPS
- dev_read_rand($1)
-+ # LDAP Configuration using encrypted requires
- dev_read_urand($1)
-
- sysnet_read_config($1)
-+
-+ optional_policy(`
-+ ldap_read_certs($1)
-+ ')
- ')
-
- ########################################
-@@ -784,7 +1046,6 @@ interface(`sysnet_use_portmap',`
- allow $1 self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1057,168 @@ interface(`sysnet_use_portmap',`
-
- sysnet_read_config($1)
- ')
-+
-+########################################
-+##
-+## Do not audit attempts to use
-+## the dhcp file descriptors.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`sysnet_dontaudit_dhcpc_use_fds',`
-+ gen_require(`
-+ type dhcpc_t;
-+ ')
-+
-+ dontaudit $1 dhcpc_t:fd use;
-+')
-+
-+########################################
-+##
-+## Transition to system_r when execute an dhclient script
-+##
-+##
-+##
-+## Execute dhclient script in a specified role
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Role to transition from.
-+##
-+##
-+interface(`sysnet_role_transition_dhcpc',`
-+ gen_require(`
-+ type dhcpc_exec_t;
-+ ')
-+
-+ role_transition $1 dhcpc_exec_t system_r;
-+')
-+
-+########################################
-+##
-+## Transition to sysnet named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_filetrans_named_content',`
-+ gen_require(`
-+ type net_conf_t;
-+ type systemd_resolved_var_run_t;
-+ ')
-+
-+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
-+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
-+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
-+ files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf")
-+ files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
-+ files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
-+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
-+ files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf")
-+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
-+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
-+ files_etc_filetrans($1, net_conf_t, file, "hosts")
-+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
-+ files_etc_filetrans($1, net_conf_t, file, "ethers")
-+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
-+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
-+ init_pid_filetrans($1, net_conf_t, dir, "network")
-+
-+ optional_policy(`
-+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
-+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-+ ')
-+
-+ optional_policy(`
-+ sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")
-+ sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
-+ ')
-+')
-+
-+########################################
-+##
-+## Transition to sysnet ifconfig named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_manage_ifconfig_run',`
-+ gen_require(`
-+ type ifconfig_var_run_t;
-+ ')
-+
-+ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-+ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-+ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-+')
-+
-+########################################
-+##
-+## Transition to sysnet ifconfig named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_filetrans_named_content_ifconfig',`
-+ gen_require(`
-+ type ifconfig_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
-+')
-+
-+########################################
-+##
-+## Transition to sysnet ifconfig named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_filetrans_net_conf',`
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ files_etc_filetrans($1, net_conf_t, file)
-+')
-+
-+########################################
-+##
-+## Transition to cloud-init named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_filetrans_cloud_net_conf',`
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
-+')
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4bc..4870f76fd 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
- # Declarations
- #
-
-+##
-+##
-+## Allow dhcpc client applications to execute iptables commands
-+##
-+##
-+gen_tunable(dhcpc_exec_iptables, false)
-+
- attribute_role dhcpc_roles;
- roleattribute system_r dhcpc_roles;
-
-@@ -20,7 +27,9 @@ files_type(dhcp_state_t)
- type dhcpc_t;
- type dhcpc_exec_t;
- init_daemon_domain(dhcpc_t, dhcpc_exec_t)
--role dhcpc_roles types dhcpc_t;
-+
-+type dhcpc_helper_exec_t;
-+init_script_file(dhcpc_helper_exec_t)
-
- type dhcpc_state_t;
- files_type(dhcpc_state_t)
-@@ -36,8 +45,12 @@ type ifconfig_exec_t;
- init_system_domain(ifconfig_t, ifconfig_exec_t)
- role system_r types ifconfig_t;
-
-+type ifconfig_var_run_t;
-+files_pid_file(ifconfig_var_run_t)
-+files_mountpoint(ifconfig_var_run_t)
-+
- type net_conf_t alias resolv_conf_t;
--files_type(net_conf_t)
-+files_config_file(net_conf_t)
-
- ifdef(`distro_debian',`
- init_daemon_run_dir(net_conf_t, "network")
-@@ -47,11 +60,12 @@ ifdef(`distro_debian',`
- #
- # DHCP client local policy
- #
--allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
--dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
-+allow dhcpc_t self:capability { dac_read_search fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-+dontaudit dhcpc_t self:capability sys_tty_config;
- # for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit dhcpc_t self:capability { dac_read_search sys_module };
--allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
-+allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
-+allow dhcpc_t self:cap_userns { net_bind_service };
-
- allow dhcpc_t self:fifo_file rw_fifo_file_perms;
- allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -64,8 +78,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
- exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
-
- allow dhcpc_t dhcp_state_t:file read_file_perms;
-+allow dhcpc_t dhcp_state_t:file relabel_file_perms;
-+
- manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
- filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-+allow dhcpc_t dhcpc_state_t:file { map relabel_file_perms };
-
- # create pid file
- manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -74,6 +91,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
-
- # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
- # in /etc created by dhcpcd will be labelled net_conf_t.
-+allow dhcpc_t net_conf_t:file manage_file_perms;
-+allow dhcpc_t net_conf_t:file relabel_file_perms;
- sysnet_manage_config(dhcpc_t)
- files_etc_filetrans(dhcpc_t, net_conf_t, file)
-
-@@ -95,14 +114,13 @@ kernel_rw_net_sysctls(dhcpc_t)
- corecmd_exec_bin(dhcpc_t)
- corecmd_exec_shell(dhcpc_t)
-
--corenet_all_recvfrom_unlabeled(dhcpc_t)
- corenet_all_recvfrom_netlabel(dhcpc_t)
--corenet_tcp_sendrecv_all_if(dhcpc_t)
--corenet_raw_sendrecv_all_if(dhcpc_t)
--corenet_udp_sendrecv_all_if(dhcpc_t)
--corenet_tcp_sendrecv_all_nodes(dhcpc_t)
--corenet_raw_sendrecv_all_nodes(dhcpc_t)
--corenet_udp_sendrecv_all_nodes(dhcpc_t)
-+corenet_tcp_sendrecv_generic_if(dhcpc_t)
-+corenet_raw_sendrecv_generic_if(dhcpc_t)
-+corenet_udp_sendrecv_generic_if(dhcpc_t)
-+corenet_tcp_sendrecv_generic_node(dhcpc_t)
-+corenet_raw_sendrecv_generic_node(dhcpc_t)
-+corenet_udp_sendrecv_generic_node(dhcpc_t)
- corenet_tcp_sendrecv_all_ports(dhcpc_t)
- corenet_udp_sendrecv_all_ports(dhcpc_t)
- corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -112,22 +130,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
- corenet_udp_bind_all_unreserved_ports(dhcpc_t)
- corenet_tcp_connect_all_ports(dhcpc_t)
- corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
-+corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
- corenet_sendrecv_all_server_packets(dhcpc_t)
-+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
-
- dev_read_sysfs(dhcpc_t)
- # for SSP:
- dev_read_urand(dhcpc_t)
-
-+domain_obj_id_change_exemption(dhcpc_t)
- domain_use_interactive_fds(dhcpc_t)
- domain_dontaudit_read_all_domains_state(dhcpc_t)
-
--files_read_etc_files(dhcpc_t)
- files_read_etc_runtime_files(dhcpc_t)
--files_read_usr_files(dhcpc_t)
- files_search_home(dhcpc_t)
- files_search_var_lib(dhcpc_t)
- files_dontaudit_search_locks(dhcpc_t)
- files_getattr_generic_locks(dhcpc_t)
-+files_rw_inherited_tmp_file(dhcpc_t)
-+files_dontaudit_rw_inherited_locks(dhcpc_t)
-
- fs_getattr_all_fs(dhcpc_t)
- fs_search_auto_mountpoints(dhcpc_t)
-@@ -137,16 +158,23 @@ term_dontaudit_use_all_ptys(dhcpc_t)
- term_dontaudit_use_unallocated_ttys(dhcpc_t)
- term_dontaudit_use_generic_ptys(dhcpc_t)
-
-+auth_use_nsswitch(dhcpc_t)
-+
- init_rw_utmp(dhcpc_t)
-+init_stream_connect(dhcpc_t)
-+init_stream_send(dhcpc_t)
-+
-+libs_exec_ldconfig(dhcpc_t)
-
- logging_send_syslog_msg(dhcpc_t)
-
--miscfiles_read_localization(dhcpc_t)
-+miscfiles_read_generic_certs(dhcpc_t)
-
- modutils_run_insmod(dhcpc_t, dhcpc_roles)
-
- sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-
-+userdom_stream_connect(dhcpc_t)
- userdom_use_user_terminals(dhcpc_t)
- userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-
-@@ -161,7 +189,21 @@ ifdef(`distro_ubuntu',`
- ')
-
- optional_policy(`
-- consoletype_run(dhcpc_t, dhcpc_roles)
-+ chronyd_initrc_domtrans(dhcpc_t)
-+ chronyd_systemctl(dhcpc_t)
-+ chronyd_domtrans(dhcpc_t)
-+ chronyd_read_keys(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ cloudform_init_domtrans(dhcpc_t)
-+ cloudform_read_lib_files(dhcpc_t)
-+ cloudform_read_lib_lnk_files(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ devicekit_dontaudit_rw_log(dhcpc_t)
-+ devicekit_dontaudit_read_pid_files(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -179,10 +221,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
--')
--
--optional_policy(`
- hotplug_getattr_config_dirs(dhcpc_t)
- hotplug_search_config(dhcpc_t)
-
-@@ -195,23 +233,31 @@ optional_policy(`
- optional_policy(`
- netutils_run_ping(dhcpc_t, dhcpc_roles)
- netutils_run(dhcpc_t, dhcpc_roles)
--',`
-- allow dhcpc_t self:capability setuid;
-- allow dhcpc_t self:rawip_socket create_socket_perms;
- ')
-
- optional_policy(`
-+ networkmanager_domtrans(dhcpc_t)
-+ networkmanager_read_pid_files(dhcpc_t)
-+ networkmanager_manage_lib(dhcpc_t)
-+ networkmanager_stream_connect(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ nis_initrc_domtrans_ypbind(dhcpc_t)
- nis_read_ypbind_pid(dhcpc_t)
-+ nis_systemctl_ypbind(dhcpc_t)
- ')
-
- optional_policy(`
- nscd_initrc_domtrans(dhcpc_t)
-+ nscd_systemctl(dhcpc_t)
- nscd_domtrans(dhcpc_t)
- nscd_read_pid(dhcpc_t)
- ')
-
- optional_policy(`
- ntp_initrc_domtrans(dhcpc_t)
-+ ntp_systemctl(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -221,7 +267,16 @@ optional_policy(`
-
- optional_policy(`
- seutil_sigchld_newrole(dhcpc_t)
-- seutil_dontaudit_search_config(dhcpc_t)
-+ seutil_domtrans_setfiles(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ systemd_dbus_chat_hostnamed(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ systemd_passwd_agent_domtrans(dhcpc_t)
-+ systemd_signal_passwd_agent(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -233,6 +288,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ virt_manage_pid_files(dhcpc_t)
-+')
-+
-+optional_policy(`
- vmware_append_log(dhcpc_t)
- ')
-
-@@ -264,32 +323,73 @@ allow ifconfig_t self:msgq create_msgq_perms;
- allow ifconfig_t self:msg { send receive };
- # Create UDP sockets, necessary when called from dhcpc
- allow ifconfig_t self:udp_socket create_socket_perms;
-+allow ifconfig_t self:appletalk_socket create_socket_perms;
- # for /sbin/ip
- allow ifconfig_t self:packet_socket create_socket_perms;
-+allow ifconfig_t self:netlink_socket create_socket_perms;
-+allow ifconfig_t self:netlink_generic_socket create_socket_perms;
- allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
- allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
-+allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms };
-+
- allow ifconfig_t self:tcp_socket { create ioctl };
-
-+can_exec(ifconfig_t, ifconfig_exec_t)
-+
-+manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
-+manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
-+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
-+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
-+allow ifconfig_t ifconfig_var_run_t:file mounton;
-+allow ifconfig_t ifconfig_var_run_t:dir mounton;
-+
- kernel_use_fds(ifconfig_t)
- kernel_read_system_state(ifconfig_t)
- kernel_read_network_state(ifconfig_t)
- kernel_request_load_module(ifconfig_t)
- kernel_search_network_sysctl(ifconfig_t)
- kernel_rw_net_sysctls(ifconfig_t)
-+kernel_getattr_proc(ifconfig_t)
-+kernel_unmount_proc(ifconfig_t)
-
- corenet_rw_tun_tap_dev(ifconfig_t)
-
-+corecmd_exec_bin(ifconfig_t)
-+corecmd_exec_shell(ifconfig_t)
-+
- dev_read_sysfs(ifconfig_t)
- # for IPSEC setup:
- dev_read_urand(ifconfig_t)
-+# needed by tuned
-+dev_rw_netcontrol(ifconfig_t)
-+dev_mounton_sysfs(ifconfig_t)
-+dev_mount_sysfs_fs(ifconfig_t)
-+dev_unmount_sysfs_fs(ifconfig_t)
-+dev_getattr_sysfs_fs(ifconfig_t)
-
- domain_use_interactive_fds(ifconfig_t)
-+domain_read_all_domains_state(ifconfig_t)
-+
-+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
-+
-+files_dontaudit_rw_inherited_pipes(ifconfig_t)
-+files_dontaudit_rw_inherited_locks(ifconfig_t)
-+files_dontaudit_read_root_files(ifconfig_t)
-+files_rw_inherited_tmp_file(ifconfig_t)
-+files_dontaudit_rw_var_files(ifconfig_t)
-+
-+files_mounton_rootfs(ifconfig_t)
-
- files_read_etc_files(ifconfig_t)
- files_read_etc_runtime_files(ifconfig_t)
-+files_read_usr_files(ifconfig_t)
-
- fs_getattr_xattr_fs(ifconfig_t)
-+fs_unmount_xattr_fs(ifconfig_t)
- fs_search_auto_mountpoints(ifconfig_t)
-+fs_read_nsfs_files(ifconfig_t)
-+fs_mount_nsfs(ifconfig_t)
-+fs_unmount_nsfs(ifconfig_t)
-
- selinux_dontaudit_getattr_fs(ifconfig_t)
-
-@@ -299,33 +399,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
- term_dontaudit_use_ptmx(ifconfig_t)
- term_dontaudit_use_generic_ptys(ifconfig_t)
-
--files_dontaudit_read_root_files(ifconfig_t)
-+auth_use_nsswitch(ifconfig_t)
-
- init_use_fds(ifconfig_t)
- init_use_script_ptys(ifconfig_t)
-+init_rw_inherited_script_tmp_files(ifconfig_t)
-
- libs_read_lib_files(ifconfig_t)
-
- logging_send_syslog_msg(ifconfig_t)
-
--miscfiles_read_localization(ifconfig_t)
--
--modutils_domtrans_insmod(ifconfig_t)
--
- seutil_use_runinit_fds(ifconfig_t)
-
-+sysnet_dns_name_resolve(ifconfig_t)
- sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
-+sysnet_filetrans_named_content_ifconfig(ifconfig_t)
-
--userdom_use_user_terminals(ifconfig_t)
-+userdom_use_inherited_user_terminals(ifconfig_t)
- userdom_use_all_users_fds(ifconfig_t)
-
-+optional_policy(`
-+ hostname_exec(ifconfig_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(ifconfig_t)
- ')
- ')
-
-+optional_policy(`
-+ brctl_domtrans(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ cfengine_dontaudit_write_log(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ ctdbd_read_lib_files(ifconfig_t)
-+')
-+
- ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit ifconfig_t self:capability sys_module;
-+
- optional_policy(`
- dev_dontaudit_rw_cardmgr(ifconfig_t)
- ')
-@@ -336,7 +454,11 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-- devicekit_read_pid_files(ifconfig_t)
-+ dnsmasq_domtrans(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ devicekit_dontaudit_read_pid_files(ifconfig_t)
- ')
-
- optional_policy(`
-@@ -350,7 +472,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nis_use_ypbind(ifconfig_t)
-+ kdump_dontaudit_read_config(ifconfig_t)
-+ kdump_rw_inherited_kdumpctl_tmp_pipes(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ libs_exec_ldconfig(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(ifconfig_t)
- ')
-
- optional_policy(`
-@@ -371,3 +502,17 @@ optional_policy(`
- xen_append_log(ifconfig_t)
- xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
- ')
-+
-+optional_policy(`
-+ iptables_domtrans(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ tlp_manage_pid_files(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`dhcpc_exec_iptables',`
-+ iptables_domtrans(dhcpc_t)
-+ ')
-+')
-diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
-new file mode 100644
-index 000000000..ce07ba149
---- /dev/null
-+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,82 @@
-+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
-+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
-+
-+/etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0)
-+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
-+/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
-+
-+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
-+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
-+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
-+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
-+
-+/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
-+/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
-+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
-+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
-+/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hwdb_exec_t,s0)
-+
-+/usr/lib/systemd/systemd-bootchart -- gen_context(system_u:object_r:systemd_bootchart_exec_t,s0)
-+
-+/usr/lib/systemd/systemd-initctl -- gen_context(system_u:object_r:systemd_initctl_exec_t,s0)
-+
-+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
-+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
-+/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
-+/run/systemd/units(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-modules-load\.service gen_context(system_u:object_r:systemd_modules_load_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0)
-+/usr/lib/systemd/system/systemd-bootchart.*\.service -- gen_context(system_u:object_r:systemd_bootchart_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/.*halt.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*hibernate.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*power.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*reboot.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*sleep.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*shutdown.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*suspend.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
-+/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
-+/usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
-+/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
-+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
-+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
-+/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0)
-+/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
-+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
-+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
-+/usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
-+/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
-+/usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
-+
-+/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
-+/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
-+/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
-+/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
-+/usr/lib/systemd/resolv.* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
-+
-+/var/run/.*nologin.* gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
-+/var/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
-+/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
-+/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
-+/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
-+/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-+/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
-+
-+/var/run/log/bootchart.* -- gen_context(system_u:object_r:systemd_bootchart_var_run_t,s0)
-+
-+/var/run/initramfs(/.*)? <>
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-new file mode 100644
-index 000000000..a739a2645
---- /dev/null
-+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1916 @@
-+## SELinux policy for systemd components
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## systemd domains.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`systemd_domain_template',`
-+ gen_require(`
-+ attribute systemd_domain;
-+ ')
-+
-+ type $1_t, systemd_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
-+
-+ auth_use_nsswitch($1_t)
-+')
-+
-+######################################
-+##
-+## Create a domain for processes which are started
-+## exuting systemctl.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_stub_unit_file',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+')
-+
-+#######################################
-+##
-+## Create a domain for processes which are started
-+## exuting systemctl.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_systemctl_domain',`
-+ gen_require(`
-+ type systemd_systemctl_exec_t;
-+ role system_r;
-+ attribute systemctl_domain;
-+ ')
-+
-+ type $1_systemctl_t, systemctl_domain;
-+ domain_type($1_systemctl_t)
-+ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
-+
-+ role system_r types $1_systemctl_t;
-+
-+ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
-+')
-+
-+########################################
-+##
-+## Execute systemctl in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_exec_systemctl',`
-+ gen_require(`
-+ type systemd_systemctl_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, systemd_systemctl_exec_t)
-+
-+ fs_list_cgroup_dirs($1)
-+ fs_read_cgroup_files($1)
-+ systemd_list_unit_dirs($1)
-+ init_list_pid_dirs($1)
-+ init_read_state($1)
-+ init_stream_send($1)
-+ init_stream_connect($1)
-+
-+ systemd_login_list_pid_dirs($1)
-+ systemd_login_read_pid_files($1)
-+ systemd_passwd_agent_exec($1)
-+
-+ dontaudit $1 self:capability net_admin;
-+')
-+
-+#######################################
-+##
-+## Create a file type used for systemd unit files.
-+##
-+##
-+##
-+## Type to be used for an unit file.
-+##
-+##
-+#
-+interface(`systemd_unit_file',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ typeattribute $1 systemd_unit_file_type;
-+ files_type($1)
-+')
-+
-+######################################
-+##
-+## Allow domain to search systemd unit dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_search_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:dir search_dir_perms;
-+')
-+
-+######################################
-+##
-+## Allow domain to list systemd unit dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_list_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:dir list_dir_perms;
-+')
-+
-+######################################
-+##
-+## Allow domain to list systemd unit dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_create_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:dir create;
-+')
-+
-+#####################################
-+##
-+## Allow domain to getattr all systemd unit files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_getattr_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+#####################################
-+##
-+## Allow domain to getattr all systemd unit directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_getattr_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ allow $1 systemd_unit_file_type:dir getattr;
-+')
-+
-+######################################
-+##
-+## Allow domain to read all systemd unit files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_read_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:file read_file_perms;
-+ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
-+ allow $1 systemd_unit_file_type:dir list_dir_perms;
-+')
-+
-+#####################################
-+##
-+## Dontaudit domain to read all systemd unit files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`systemd_dontaudit_read_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ dontaudit $1 systemd_unit_file_type:file read_file_perms;
-+')
-+
-+######################################
-+##
-+## Read systemd_login PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_read_pid_files',`
-+ gen_require(`
-+ type systemd_logind_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
-+')
-+
-+######################################
-+##
-+## Read systemd_resolved PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_resolved_read_pid',`
-+ gen_require(`
-+ type systemd_resolved_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+ read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+')
-+
-+######################################
-+##
-+## Read systemd_login PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_manage_pid_files',`
-+ gen_require(`
-+ type systemd_logind_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
-+')
-+
-+
-+######################################
-+##
-+## Read systemd_login PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_filetrans_pid_files',`
-+ gen_require(`
-+ type systemd_logind_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
-+')
-+
-+######################################
-+##
-+## Read systemd_login PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_list_pid_dirs',`
-+ gen_require(`
-+ type systemd_logind_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
-+')
-+
-+######################################
-+##
-+## Use and and inherited systemd
-+## logind file descriptors.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_use_fds_logind',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:fd use;
-+')
-+
-+######################################
-+##
-+## Read logind sessions files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_read_logind_sessions_files',`
-+ gen_require(`
-+ type systemd_logind_sessions_t;
-+ ')
-+
-+ init_search_pid_dirs($1)
-+ allow $1 systemd_logind_sessions_t:dir list_dir_perms;
-+ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
-+')
-+
-+######################################
-+##
-+## Write inherited logind sessions pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_write_inherited_logind_sessions_pipes',`
-+ gen_require(`
-+ type systemd_logind_sessions_t;
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:fd use;
-+ allow $1 systemd_logind_sessions_t:fifo_file write;
-+')
-+
-+######################################
-+##
-+## Dontaudit attempts to write inherited logind sessions pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
-+ gen_require(`
-+ type systemd_logind_sessions_t;
-+ ')
-+
-+ dontaudit $1 systemd_logind_sessions_t:fifo_file write;
-+')
-+
-+######################################
-+##
-+## Write systemd inhibit pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_write_inhibit_pipes',`
-+ gen_require(`
-+ type systemd_logind_inhibit_var_run_t;
-+ ')
-+
-+ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## systemd logind over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_dbus_chat_logind',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 systemd_logind_t:dbus send_msg;
-+ allow systemd_logind_t $1:dbus send_msg;
-+ ps_process_pattern(systemd_logind_t, $1)
-+ allow systemd_logind_t $1:process signal;
-+ allow $1 systemd_logind_t:fd use;
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run systemd-sysctl.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_domtrans_sysctl',`
-+ gen_require(`
-+ type systemd_sysctl_t, systemd_sysctl_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_sysctl_exec_t, systemd_sysctl_t)
-+')
-+
-+#######################################
-+##
-+## Allow a domain to execute systemd-sysctl in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_exec_sysctl',`
-+ gen_require(`
-+ type systemd_sysctl_exec_t;
-+ ')
-+
-+ can_exec($1,systemd_sysctl_exec_t)
-+
-+')
-+
-+#######################################
-+##
-+## Allow a domain to execute systemd-sysctl in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_tmpfiles_exec',`
-+ gen_require(`
-+ type systemd_tmpfiles_exec_t;
-+ ')
-+
-+ can_exec($1,systemd_tmpfiles_exec_t)
-+
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run systemd-tmpfiles.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_tmpfiles_domtrans',`
-+ gen_require(`
-+ type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run systemd-localed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_localed_domtrans',`
-+ gen_require(`
-+ type systemd_localed_t, systemd_localed_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run systemd-tty-ask-password-agent.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_domtrans',`
-+ gen_require(`
-+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
-+')
-+
-+#######################################
-+##
-+## Execute systemd-tty-ask-password-agent in the caller domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_exec',`
-+ gen_require(`
-+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
-+ ')
-+
-+ can_exec($1, systemd_passwd_agent_exec_t)
-+ systemd_manage_passwd_run($1)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run systemd_rfkill.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_rfkill_domtrans',`
-+ gen_require(`
-+ type systemd_rfkill_t, systemd_rfkill_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_rfkill_exec_t, systemd_rfkill_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run systemd_notify.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_notify_domtrans',`
-+ gen_require(`
-+ type systemd_notify_t, systemd_notify_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
-+')
-+
-+########################################
-+##
-+## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
-+## allow the specified role the systemd_passwd_agent domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the systemd_passwd_agent domain.
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_run',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ systemd_passwd_agent_domtrans($1)
-+ role $2 types systemd_passwd_agent_t;
-+')
-+
-+########################################
-+##
-+## Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and
-+## allow the specified role the systemd_tmpfiles domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the systemd_tmpfiles domain.
-+##
-+##
-+#
-+interface(`systemd_tmpfiles_run',`
-+ gen_require(`
-+ type systemd_tmpfiles_t;
-+ ')
-+
-+ systemd_passwd_agent_domtrans($1)
-+ role $2 types systemd_tmpfiles_t;
-+')
-+
-+########################################
-+##
-+## Role access for systemd_passwd_agent
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_role',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ role $1 types systemd_passwd_agent_t;
-+
-+ systemd_passwd_agent_domtrans($2)
-+
-+ ps_process_pattern($2, systemd_passwd_agent_t)
-+ allow $2 systemd_passwd_agent_t:process signal;
-+')
-+
-+########################################
-+##
-+## Send generic signals to systemd_passwd_agent processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_signal_passwd_agent',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ allow $1 systemd_passwd_agent_t:process signal;
-+')
-+
-+######################################
-+##
-+## Allow to domain to read systemd-passwd pipe
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_read_fifo_file_passwd_run',`
-+ gen_require(`
-+ type systemd_passwd_var_run_t;
-+ ')
-+
-+ init_search_pid_dirs($1)
-+ read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Relabel to user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_relabelto_fifo_file_passwd_run',`
-+ gen_require(`
-+ type systemd_passwd_var_run_t;
-+ ')
-+
-+ allow $1 systemd_passwd_var_run_t:fifo_file relabelto;
-+')
-+
-+#######################################
-+##
-+## Relabel systemd unit directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_relabel_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+#######################################
-+##
-+## Relabel systemd unit files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_relabel_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+#######################################
-+##
-+## Send generic signals to systemd_passwd_agent processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_passwd_run',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ type systemd_passwd_var_run_t;
-+ ')
-+
-+ init_search_pid_dirs($1)
-+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+
-+ allow systemd_passwd_agent_t $1:process signull;
-+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
-+')
-+
-+######################################
-+##
-+## Template for temporary sockets and files in /dev/.systemd/ask-password
-+## which are used by systemd-passwd-agent
-+##
-+##
-+##
-+## The prefix of the domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_dev_template',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ type systemd_$1_device_t;
-+ files_type(systemd_$1_device_t)
-+ dev_associate(systemd_$1_device_t)
-+
-+ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
-+ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
-+ allow $1_t systemd_$1_device_t:file manage_file_perms;
-+ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
-+
-+ allow systemd_passwd_agent_t $1_t:process signull;
-+ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
-+ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
-+ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to connect to
-+## systemd_logger with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_logger_stream_connect',`
-+ gen_require(`
-+ type systemd_logger_t;
-+ ')
-+
-+ allow $1 systemd_logger_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## manage systemd unit dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+########################################
-+##
-+## manage systemd unit link files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_unit_symlinks',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+########################################
-+##
-+## manage all systemd unit files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_all_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+########################################
-+##
-+## manage all systemd unit lnk_files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_all_unit_lnk_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to start all systemd services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_start_all_services',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ allow $1 systemd_unit_file_type:service start;
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to reload all systemd services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_reload_all_services',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ allow $1 systemd_unit_file_type:service reload;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## all systemd services
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_config_all_services',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ allow $1 systemd_unit_file_type:service all_service_perms;
-+ init_config_all_script_files($1)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to start systemd services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_start_systemd_services',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ allow $1 systemd_unit_file_t:service start;
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to reload all systemd services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_reload_systemd_services',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ allow $1 systemd_unit_file_t:service reload;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## all systemd services
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_config_systemd_services',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ allow $1 systemd_unit_file_t:service all_service_perms;
-+ init_config_all_script_files($1)
-+')
-+
-+########################################
-+##
-+## manage all systemd random seed file
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_random_seed',`
-+ gen_require(`
-+ type random_seed_t;
-+ ')
-+
-+ allow $1 random_seed_t:file manage_file_perms;
-+ files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
-+')
-+
-+########################################
-+##
-+## Allow process to read hostname config file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`systemd_hostnamed_read_config',`
-+ gen_require(`
-+ type hostname_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 hostname_etc_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow process to manage hostname config file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`systemd_hostnamed_manage_config',`
-+ gen_require(`
-+ type hostname_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 hostname_etc_t:file manage_file_perms;
-+ files_etc_filetrans($1, hostname_etc_t, file, "hostname")
-+')
-+
-+#######################################
-+##
-+## Create objects in /run/systemd/generator directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`systemd_unit_file_filetrans',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ files_search_pids($1)
-+ filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
-+')
-+
-+#######################################
-+##
-+## Create a directory in the /usr/lib/systemd/system directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_create_unit_file_dirs',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
-+')
-+
-+#######################################
-+##
-+## Create a link in the /usr/lib/systemd/system directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_create_unit_file_lnk',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
-+')
-+
-+########################################
-+##
-+## Transition to systemd named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_filetrans_named_content',`
-+ gen_require(`
-+ type systemd_passwd_var_run_t;
-+ type systemd_logind_var_run_t;
-+ type hostname_etc_t;
-+ type systemd_home_t;
-+ type systemd_rfkill_var_lib_t;
-+ ')
-+
-+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
-+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown")
-+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
-+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
-+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
-+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
-+ init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill" )
-+')
-+
-+########################################
-+##
-+## read systemd homedir content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_read_home_content',`
-+ gen_require(`
-+ type systemd_home_t;
-+ ')
-+
-+ optional_policy(`
-+ gnome_search_gconf_data_dir($1)
-+ ')
-+ read_files_pattern($1, systemd_home_t, systemd_home_t)
-+ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
-+')
-+
-+########################################
-+##
-+## Manage systemd homedir content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_home_content',`
-+ gen_require(`
-+ type systemd_home_t;
-+ ')
-+
-+ optional_policy(`
-+ gnome_search_gconf_data_dir($1)
-+ ')
-+ manage_dirs_pattern($1, systemd_home_t, systemd_home_t)
-+ manage_files_pattern($1, systemd_home_t, systemd_home_t)
-+ manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
-+
-+ systemd_filetrans_home_content($1)
-+')
-+
-+########################################
-+##
-+## Transition to systemd named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_filetrans_home_content',`
-+ gen_require(`
-+ type systemd_home_t;
-+ ')
-+
-+ optional_policy(`
-+ gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
-+ ')
-+')
-+
-+########################################
-+##
-+## Transition to systemd named content for /etc/hostname
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_filetrans_named_hostname',`
-+ gen_require(`
-+ type hostname_etc_t;
-+ ')
-+
-+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
-+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
-+')
-+
-+########################################
-+##
-+## Get the system status information from systemd_login
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_status',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system status;
-+')
-+
-+########################################
-+##
-+## Send systemd_login a null signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_signull',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:process signull;
-+')
-+
-+########################################
-+##
-+## Tell systemd_login to reboot the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_reboot',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system reboot;
-+')
-+
-+########################################
-+##
-+## Tell systemd_login to halt the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_halt',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system halt;
-+')
-+
-+########################################
-+##
-+## Tell systemd_login to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_undefined',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system undefined;
-+')
-+
-+########################################
-+##
-+## Configure generic unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_config_generic_services',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 systemd_unit_file_t:file read_file_perms;
-+ allow $1 systemd_unit_file_t:service manage_service_perms;
-+')
-+
-+########################################
-+##
-+## Configure power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_config_power_services',`
-+ gen_require(`
-+ type power_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 power_unit_file_t:file read_file_perms;
-+ allow $1 power_unit_file_t:service manage_service_perms;
-+')
-+
-+########################################
-+##
-+## Start power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_start_power_services',`
-+ gen_require(`
-+ type power_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 power_unit_file_t:service start;
-+')
-+
-+########################################
-+##
-+## Status power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_status_power_services',`
-+ gen_require(`
-+ type power_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 power_unit_file_t:service status;
-+')
-+
-+#######################################
-+##
-+## Start power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_start_all_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 systemd_unit_file_type:service start;
-+')
-+
-+#######################################
-+##
-+## Start power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_status_all_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 systemd_unit_file_type:service status;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## systemd timedated over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_dbus_chat_timedated',`
-+ gen_require(`
-+ type systemd_timedated_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 systemd_timedated_t:dbus send_msg;
-+ allow systemd_timedated_t $1:dbus send_msg;
-+ ps_process_pattern(systemd_timedated_t, $1)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## systemd hostnamed over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_dbus_chat_hostnamed',`
-+ gen_require(`
-+ type systemd_hostnamed_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 systemd_hostnamed_t:dbus send_msg;
-+ allow systemd_hostnamed_t $1:dbus send_msg;
-+ ps_process_pattern(systemd_hostnamed_t, $1)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## systemd localed over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_dbus_chat_localed',`
-+ gen_require(`
-+ type systemd_localed_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 systemd_localed_t:dbus send_msg;
-+ allow systemd_localed_t $1:dbus send_msg;
-+ ps_process_pattern(systemd_localed_t, $1)
-+')
-+
-+########################################
-+##
-+## Dontaudit attempts to send dbus domains chat messages
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`systemd_dontaudit_dbus_chat',`
-+ gen_require(`
-+ attribute systemd_domain;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 systemd_domain:dbus send_msg;
-+')
-+
-+######################################
-+##
-+## Read systemd-machined PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_read_pid_files',`
-+ gen_require(`
-+ type systemd_machined_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+ read_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+')
-+
-+######################################
-+##
-+## Manage systemd-machined PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_manage_pid_files',`
-+ gen_require(`
-+ type systemd_machined_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+ manage_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+')
-+
-+######################################
-+##
-+## List systemd-machined PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_list_pid_dirs',`
-+ gen_require(`
-+ type systemd_machined_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+')
-+
-+
-+
-+########################################
-+##
-+## Search systemd-machined lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_search_lib',`
-+ gen_require(`
-+ type systemd_machined_var_lib_t;
-+ ')
-+
-+ allow $1 systemd_machined_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read systemd-machined lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_read_lib_files',`
-+ gen_require(`
-+ type systemd_machined_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage systemd-machined lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_manage_lib_files',`
-+ gen_require(`
-+ type systemd_machined_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## systemd machined over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_dbus_chat_machined',`
-+ gen_require(`
-+ type systemd_machined_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 systemd_machined_t:dbus send_msg;
-+ allow systemd_machined_t $1:dbus send_msg;
-+ ps_process_pattern(systemd_machined_t, $1)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run systemd-coredump.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_coredump_domtrans',`
-+ gen_require(`
-+ type systemd_coredump_t, systemd_coredump_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_coredump_exec_t, systemd_coredump_t)
-+')
-+
-+########################################
-+##
-+## Read and write to systemd-coredump temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_rw_coredump_tmpfs_files',`
-+ gen_require(`
-+ type systemd_coredump_tmpfs_t;
-+ ')
-+
-+ allow $1 systemd_coredump_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow process to read hwdb config file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`systemd_hwdb_read_config',`
-+ gen_require(`
-+ type systemd_hwdb_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 systemd_hwdb_etc_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow process to mmap hwdb config file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`systemd_hwdb_mmap_config',`
-+ gen_require(`
-+ type systemd_hwdb_etc_t;
-+ ')
-+
-+ allow $1 systemd_hwdb_etc_t:file map;
-+')
-+
-+########################################
-+##
-+## Allow process to manage hwdb config file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`systemd_hwdb_manage_config',`
-+ gen_require(`
-+ type systemd_hwdb_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
-+ mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
-+ allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
-+ files_etc_filetrans($1, systemd_hwdb_etc_t, file)
-+')
-+
-+########################################
-+##
-+## Allow process to mount directory configured in a
-+## systemd unit as ReadWriteDirectory or ReadOnlyDirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`systemd_allow_mount_dir',`
-+ gen_require(`
-+ attribute systemd_mount_directory;
-+ ')
-+
-+ allow $1 systemd_mount_directory:dir mounton;
-+')
-+
-+########################################
-+##
-+## Mark the following type as mountable by systemd.
-+##
-+##
-+##
-+## Type to be authorized to be mounted
-+##
-+##
-+##
-+#
-+interface(`systemd_mount_dir',`
-+ gen_require(`
-+ attribute systemd_mount_directory;
-+ ')
-+
-+ files_type($1)
-+ typeattribute $1 systemd_mount_directory;
-+')
-+
-+########################################
-+##
-+## Mmap systemd_networkd_exec_t files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_map_networkd_exec_files',`
-+ gen_require(`
-+ type systemd_networkd_exec_t;
-+ ')
-+
-+ allow $1 systemd_networkd_exec_t:file map;
-+')
-+
-+########################################
-+##
-+## Mmap systemd_resolved_exec_t files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_map_resolved_exec_files',`
-+ gen_require(`
-+ type systemd_resolved_exec_t;
-+ ')
-+
-+ allow $1 systemd_resolved_exec_t:file map;
-+')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-new file mode 100644
-index 000000000..621b8cffc
---- /dev/null
-+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1042 @@
-+policy_module(systemd, 1.0.0)
-+
-+#######################################
-+#
-+# Declarations
-+#
-+
-+attribute systemd_unit_file_type;
-+attribute systemd_domain;
-+attribute systemctl_domain;
-+attribute systemd_mount_directory;
-+
-+systemd_domain_template(systemd_logger)
-+systemd_domain_template(systemd_logind)
-+
-+# /run/systemd/sessions
-+type systemd_logind_sessions_t;
-+files_pid_file(systemd_logind_sessions_t)
-+
-+type systemd_logind_var_lib_t;
-+files_type(systemd_logind_var_lib_t)
-+
-+# /run/systemd/{seats, users}
-+type systemd_logind_var_run_t;
-+files_pid_file(systemd_logind_var_run_t)
-+
-+type systemd_logind_inhibit_var_run_t;
-+files_pid_file(systemd_logind_inhibit_var_run_t)
-+
-+type systemd_home_t;
-+userdom_user_home_content(systemd_home_t)
-+
-+type random_seed_t;
-+files_security_file(random_seed_t)
-+files_mountpoint(random_seed_t)
-+
-+systemd_domain_template(systemd_coredump)
-+
-+type systemd_coredump_tmpfs_t;
-+files_tmpfs_file(systemd_coredump_tmpfs_t)
-+
-+systemd_domain_template(systemd_hwdb)
-+
-+type systemd_hwdb_unit_file_t;
-+systemd_unit_file(systemd_hwdb_unit_file_t)
-+
-+systemd_domain_template(systemd_networkd)
-+init_nnp_daemon_domain(systemd_networkd_t)
-+
-+type systemd_networkd_unit_file_t;
-+systemd_unit_file(systemd_networkd_unit_file_t)
-+
-+type systemd_networkd_var_run_t;
-+files_pid_file(systemd_networkd_var_run_t)
-+files_mountpoint(systemd_networkd_var_run_t)
-+
-+systemd_domain_template(systemd_initctl)
-+
-+systemd_domain_template(systemd_bootchart)
-+
-+type systemd_bootchart_unit_file_t;
-+systemd_unit_file(systemd_bootchart_unit_file_t)
-+
-+type systemd_bootchart_var_run_t;
-+files_pid_file(systemd_bootchart_var_run_t)
-+
-+systemd_domain_template(systemd_resolved)
-+init_nnp_daemon_domain(systemd_resolved_t)
-+
-+type systemd_resolved_var_run_t;
-+files_pid_file(systemd_resolved_var_run_t)
-+files_mountpoint(systemd_resolved_var_run_t)
-+
-+type systemd_resolved_unit_file_t;
-+systemd_unit_file(systemd_resolved_unit_file_t)
-+
-+systemd_domain_template(systemd_modules_load)
-+
-+type systemd_modules_load_unit_file_t;
-+systemd_unit_file(systemd_modules_load_unit_file_t)
-+
-+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
-+# systemd components
-+
-+systemd_domain_template(systemd_passwd_agent)
-+
-+type systemd_passwd_var_run_t alias systemd_device_t;
-+files_pid_file(systemd_passwd_var_run_t)
-+
-+# domain for systemd-tmpfiles component
-+systemd_domain_template(systemd_tmpfiles)
-+systemd_domain_template(systemd_notify)
-+
-+# type for systemd unit files
-+type systemd_unit_file_t;
-+systemd_unit_file(systemd_unit_file_t)
-+
-+type systemd_runtime_unit_file_t;
-+systemd_unit_file(systemd_runtime_unit_file_t)
-+
-+type power_unit_file_t;
-+systemd_unit_file(power_unit_file_t)
-+
-+type systemd_vconsole_unit_file_t;
-+systemd_unit_file(systemd_vconsole_unit_file_t)
-+
-+# executable for systemctl
-+type systemd_systemctl_exec_t;
-+corecmd_executable_file(systemd_systemctl_exec_t)
-+
-+systemd_domain_template(systemd_localed)
-+systemd_domain_template(systemd_hostnamed)
-+
-+type hostname_etc_t;
-+files_config_file(hostname_etc_t)
-+
-+type systemd_hwdb_etc_t;
-+files_config_file(systemd_hwdb_etc_t)
-+
-+systemd_domain_template(systemd_rfkill)
-+
-+type systemd_rfkill_unit_file_t;
-+systemd_unit_file(systemd_rfkill_unit_file_t)
-+
-+type systemd_rfkill_var_lib_t;
-+files_type(systemd_rfkill_var_lib_t)
-+
-+systemd_domain_template(systemd_timedated)
-+typeattribute systemd_timedated_t systemd_domain;
-+typealias systemd_timedated_t alias gnomeclock_t;
-+
-+type systemd_timedated_unit_file_t;
-+systemd_unit_file(systemd_timedated_unit_file_t)
-+
-+systemd_domain_template(systemd_sysctl)
-+
-+#domain for gpt-auto-generator
-+systemd_domain_template(systemd_gpt_generator)
-+
-+type systemd_gpt_generator_unit_file_t;
-+systemd_unit_file(systemd_gpt_generator_unit_file_t)
-+
-+#domain for systemd-machined
-+systemd_domain_template(systemd_machined)
-+
-+type systemd_machined_unit_file_t;
-+systemd_unit_file(systemd_machined_unit_file_t)
-+
-+# /run/systemd/machines
-+type systemd_machined_var_run_t;
-+files_pid_file(systemd_machined_var_run_t)
-+
-+# /var/lib/machines
-+type systemd_machined_var_lib_t;
-+files_type(systemd_machined_var_lib_t)
-+
-+#######################################
-+#
-+# Systemd_logind local policy
-+#
-+
-+# is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
-+allow systemd_logind_t self:capability2 block_suspend;
-+allow systemd_logind_t self:process getcap;
-+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
-+
-+mls_file_read_all_levels(systemd_logind_t)
-+mls_file_write_all_levels(systemd_logind_t)
-+mls_dbus_send_all_levels(systemd_logind_t)
-+
-+files_delete_tmpfs_files(systemd_logind_t)
-+
-+fs_mount_tmpfs(systemd_logind_t)
-+fs_unmount_tmpfs(systemd_logind_t)
-+fs_list_tmpfs(systemd_logind_t)
-+
-+fs_read_efivarfs_files(systemd_logind_t)
-+
-+fs_manage_fusefs_dirs(systemd_logind_t)
-+fs_manage_fusefs_files(systemd_logind_t)
-+
-+manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
-+manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
-+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
-+
-+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
-+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
-+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
-+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
-+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
-+files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file)
-+
-+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+
-+systemd_start_power_services(systemd_logind_t)
-+
-+dev_getattr_all_chr_files(systemd_logind_t)
-+dev_getattr_all_blk_files(systemd_logind_t)
-+dev_rw_sysfs(systemd_logind_t)
-+dev_rw_input_dev(systemd_logind_t)
-+dev_rw_dri(systemd_logind_t)
-+dev_setattr_all_chr_files(systemd_logind_t)
-+dev_setattr_dri_dev(systemd_logind_t)
-+dev_setattr_generic_usb_dev(systemd_logind_t)
-+dev_setattr_input_dev(systemd_logind_t)
-+dev_setattr_kvm_dev(systemd_logind_t)
-+dev_setattr_mouse_dev(systemd_logind_t)
-+dev_setattr_sound_dev(systemd_logind_t)
-+dev_setattr_video_dev(systemd_logind_t)
-+dev_write_kmsg(systemd_logind_t)
-+
-+domain_read_all_domains_state(systemd_logind_t)
-+domain_signal_all_domains(systemd_logind_t)
-+domain_signull_all_domains(systemd_logind_t)
-+domain_kill_all_domains(systemd_logind_t)
-+domain_destroy_all_semaphores(systemd_logind_t)
-+
-+# /etc/udev/udev.conf should probably have a private type if only for confined administration
-+# /etc/nsswitch.conf
-+
-+# /sys/fs/cgroup/systemd/user
-+fs_manage_cgroup_dirs(systemd_logind_t)
-+# write getattr open setattr
-+fs_manage_cgroup_files(systemd_logind_t)
-+fs_getattr_tmpfs(systemd_logind_t)
-+fs_read_tmpfs_symlinks(systemd_logind_t)
-+fs_mount_tmpfs(systemd_logind_t)
-+userdom_mounton_tmp_dirs(systemd_logind_t)
-+
-+storage_setattr_removable_dev(systemd_logind_t)
-+storage_setattr_scsi_generic_dev(systemd_logind_t)
-+
-+term_use_unallocated_ttys(systemd_logind_t)
-+
-+init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
-+
-+init_status(systemd_logind_t)
-+init_start(systemd_logind_t)
-+init_stop(systemd_logind_t)
-+init_signal(systemd_logind_t)
-+init_reboot(systemd_logind_t)
-+init_halt(systemd_logind_t)
-+init_undefined(systemd_logind_t)
-+init_signal_script(systemd_logind_t)
-+init_getattr_script_status_files(systemd_logind_t)
-+init_read_utmp(systemd_logind_t)
-+init_config_transient_files(systemd_logind_t)
-+
-+getty_systemctl(systemd_logind_t)
-+
-+systemd_config_generic_services(systemd_logind_t)
-+
-+# /run/user/.*
-+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
-+auth_manage_var_auth(systemd_logind_t)
-+
-+authlogin_read_state(systemd_logind_t)
-+
-+init_dbus_chat(systemd_logind_t)
-+init_dbus_chat_script(systemd_logind_t)
-+init_read_script_state(systemd_logind_t)
-+init_read_utmp(systemd_logind_t)
-+init_rw_stream_sockets(systemd_logind_t)
-+
-+logging_send_syslog_msg(systemd_logind_t)
-+
-+udev_read_db(systemd_logind_t)
-+udev_manage_rules_files(systemd_logind_t)
-+
-+userdom_destroy_unpriv_user_shared_mem(systemd_logind_t)
-+userdom_read_all_users_state(systemd_logind_t)
-+userdom_use_user_ttys(systemd_logind_t)
-+userdom_manage_tmp_role(system_r, systemd_logind_t)
-+userdom_manage_tmpfs_role(system_r, systemd_logind_t)
-+
-+xserver_dbus_chat(systemd_logind_t)
-+
-+optional_policy(`
-+ apache_read_tmp_files(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ cron_dbus_chat_crond(systemd_logind_t)
-+ cron_read_state_crond(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ dbus_connect_system_bus(systemd_logind_t)
-+ dbus_system_bus_client(systemd_logind_t)
-+ dbus_manage_session_tmp_dirs(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ devicekit_dbus_chat_power(systemd_logind_t)
-+ devicekit_dbus_chat_disk(systemd_logind_t)
-+ devicekit_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ # we label /run/user/$USER/dconf as config_home_t
-+ gnome_manage_home_config_dirs(systemd_logind_t)
-+ gnome_manage_home_config(systemd_logind_t)
-+ gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
-+ gnome_manage_gstreamer_home_dirs(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ nis_use_ypbind(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
-+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
-+')
-+
-+########################################
-+#
-+# systemd_machined local policy
-+#
-+
-+allow systemd_machined_t self:capability { dac_read_search setgid sys_admin sys_chroot sys_ptrace kill };
-+allow systemd_machined_t systemd_unit_file_t:service { status start };
-+allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
-+init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
-+
-+manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-+manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-+manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-+init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
-+
-+fs_read_nsfs_files(systemd_machined_t)
-+
-+kernel_dgram_send(systemd_machined_t)
-+# This is a bug, but need for now.
-+kernel_read_unlabeled_state(systemd_machined_t)
-+
-+init_dbus_chat(systemd_machined_t)
-+init_status(systemd_machined_t)
-+init_start(systemd_machined_t)
-+init_stop(systemd_machined_t)
-+init_manage_config_transient_files(systemd_machined_t)
-+
-+userdom_dbus_send_all_users(systemd_machined_t)
-+
-+term_use_ptmx(systemd_machined_t)
-+
-+optional_policy(`
-+ dbus_connect_system_bus(systemd_machined_t)
-+ dbus_system_bus_client(systemd_machined_t)
-+')
-+
-+optional_policy(`
-+ container_read_share_files(systemd_machined_t)
-+ container_spc_read_state(systemd_machined_t)
-+')
-+
-+optional_policy(`
-+ mock_read_lib_files(systemd_machined_t)
-+')
-+
-+optional_policy(`
-+ virt_dbus_chat(systemd_machined_t)
-+ virt_sandbox_read_state(systemd_machined_t)
-+ virt_signal_sandbox(systemd_machined_t)
-+ virt_stream_connect_sandbox(systemd_machined_t)
-+ virt_rw_svirt_dev(systemd_machined_t)
-+ virt_getattr_sandbox_filesystem(systemd_machined_t)
-+ virt_read_sandbox_files(systemd_machined_t)
-+')
-+
-+#######################################
-+#
-+# systemd-networkd local policy
-+#
-+
-+allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap };
-+allow systemd_networkd_t self:process { getcap setcap };
-+
-+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
-+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
-+allow systemd_networkd_t self:packet_socket create_socket_perms;
-+allow systemd_networkd_t self:udp_socket create_socket_perms;
-+allow systemd_networkd_t self:rawip_socket create_socket_perms;
-+
-+allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;
-+
-+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-+
-+kernel_dgram_send(systemd_networkd_t)
-+kernel_request_load_module(systemd_networkd_t)
-+kernel_rw_net_sysctls(systemd_networkd_t)
-+kernel_read_xen_state(systemd_networkd_t)
-+kernel_read_network_state(systemd_networkd_t)
-+
-+corenet_tcp_bind_all_nodes(systemd_networkd_t)
-+corenet_udp_bind_all_nodes(systemd_networkd_t)
-+corenet_tcp_bind_dhcpc_port(systemd_networkd_t)
-+corenet_udp_bind_dhcpc_port(systemd_networkd_t)
-+corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
-+corenet_udp_bind_dhcpd_port(systemd_networkd_t)
-+
-+
-+fs_read_xenfs_files(systemd_networkd_t)
-+
-+dev_read_sysfs(systemd_networkd_t)
-+dev_write_kmsg(systemd_networkd_t)
-+
-+logging_send_syslog_msg(systemd_networkd_t)
-+
-+sysnet_manage_config(systemd_networkd_t)
-+sysnet_manage_config_dirs(systemd_networkd_t)
-+
-+systemd_dbus_chat_hostnamed(systemd_networkd_t)
-+
-+init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")
-+
-+optional_policy(`
-+ dbus_system_bus_client(systemd_networkd_t)
-+ dbus_connect_system_bus(systemd_networkd_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(systemd_networkd_t)
-+')
-+
-+optional_policy(`
-+ unconfined_dbus_acquire_svc(systemd_networkd_t)
-+ unconfined_dbus_send(systemd_networkd_t)
-+')
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search };
-+allow systemd_passwd_agent_t self:process { setsockcreate };
-+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
-+
-+domain_read_all_domains_state(systemd_passwd_agent_t)
-+
-+kernel_stream_connect(systemd_passwd_agent_t)
-+
-+dev_create_generic_dirs(systemd_passwd_agent_t)
-+dev_read_generic_files(systemd_passwd_agent_t)
-+dev_write_generic_sock_files(systemd_passwd_agent_t)
-+dev_write_kmsg(systemd_passwd_agent_t)
-+
-+term_read_console(systemd_passwd_agent_t)
-+
-+init_create_pid_dirs(systemd_passwd_agent_t)
-+init_rw_pipes(systemd_passwd_agent_t)
-+init_read_utmp(systemd_passwd_agent_t)
-+init_stream_connect(systemd_passwd_agent_t)
-+
-+logging_send_syslog_msg(systemd_passwd_agent_t)
-+
-+userdom_use_user_ptys(systemd_passwd_agent_t)
-+userdom_use_user_ttys(systemd_passwd_agent_t)
-+
-+optional_policy(`
-+ lvm_signull(systemd_passwd_agent_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_stream_connect(systemd_passwd_agent_t)
-+')
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
-+allow systemd_tmpfiles_t self:process { setfscreate };
-+
-+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_read_network_state(systemd_tmpfiles_t)
-+kernel_request_load_module(systemd_tmpfiles_t)
-+kernel_relabelto_usermodehelper(systemd_tmpfiles_t)
-+
-+dev_write_kmsg(systemd_tmpfiles_t)
-+dev_rw_sysfs(systemd_tmpfiles_t)
-+dev_relabel_all_sysfs(systemd_tmpfiles_t)
-+dev_relabel_cpu_online(systemd_tmpfiles_t)
-+dev_read_cpu_online(systemd_tmpfiles_t)
-+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
-+dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
-+
-+domain_obj_id_change_exemption(systemd_tmpfiles_t)
-+
-+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_list_all(systemd_tmpfiles_t)
-+
-+files_manage_non_auth_files(systemd_tmpfiles_t)
-+files_relabel_non_auth_files(systemd_tmpfiles_t)
-+files_list_lost_found(systemd_tmpfiles_t)
-+
-+mls_file_read_all_levels(systemd_tmpfiles_t)
-+mls_file_write_all_levels(systemd_tmpfiles_t)
-+mls_file_upgrade(systemd_tmpfiles_t)
-+
-+selinux_get_enforce_mode(systemd_tmpfiles_t)
-+selinux_setcheckreqprot(systemd_tmpfiles_t)
-+
-+auth_manage_faillog(systemd_tmpfiles_t)
-+auth_relabel_faillog(systemd_tmpfiles_t)
-+auth_manage_var_auth(systemd_tmpfiles_t)
-+auth_manage_login_records(systemd_tmpfiles_t)
-+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
-+auth_relabel_login_records(systemd_tmpfiles_t)
-+auth_setattr_login_records(systemd_tmpfiles_t)
-+
-+init_dgram_send(systemd_tmpfiles_t)
-+init_rw_stream_sockets(systemd_tmpfiles_t)
-+
-+logging_create_devlog_dev(systemd_tmpfiles_t)
-+logging_send_syslog_msg(systemd_tmpfiles_t)
-+logging_setattr_all_log_dirs(systemd_tmpfiles_t)
-+logging_relabel_all_log_dirs(systemd_tmpfiles_t)
-+
-+miscfiles_filetrans_named_content(systemd_tmpfiles_t)
-+miscfiles_manage_man_pages(systemd_tmpfiles_t)
-+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
-+miscfiles_delete_man_pages(systemd_tmpfiles_t)
-+
-+ifdef(`distro_redhat',`
-+ userdom_list_user_home_content(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
-+ userdom_delete_admin_home_files(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ apache_delete_sys_content_rw(systemd_tmpfiles_t)
-+ apache_list_cache(systemd_tmpfiles_t)
-+ apache_delete_cache_dirs(systemd_tmpfiles_t)
-+ apache_delete_cache_files(systemd_tmpfiles_t)
-+ apache_setattr_cache_dirs(systemd_tmpfiles_t)
-+')
-+
-+
-+optional_policy(`
-+ auth_rw_login_records(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ # we have /run/user/$USER/dconf
-+ gnome_delete_home_config(systemd_tmpfiles_t)
-+ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
-+ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ lpd_manage_spool(systemd_tmpfiles_t)
-+ lpd_relabel_spool(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ rpm_read_db(systemd_tmpfiles_t)
-+ rpm_delete_db(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ sandbox_list(systemd_tmpfiles_t)
-+ sandbox_delete_dirs(systemd_tmpfiles_t)
-+ sandbox_delete_files(systemd_tmpfiles_t)
-+ sandbox_delete_lnk_files(systemd_tmpfiles_t)
-+ sandbox_delete_pipes(systemd_tmpfiles_t)
-+ sandbox_delete_sock_files(systemd_tmpfiles_t)
-+ sandbox_setattr_dirs(systemd_tmpfiles_t)
-+')
-+
-+########################################
-+#
-+# systemd_notify local policy
-+#
-+allow systemd_notify_t self:capability chown;
-+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
-+
-+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
-+
-+dev_write_kmsg(systemd_notify_t)
-+
-+domain_use_interactive_fds(systemd_notify_t)
-+
-+fs_getattr_cgroup_files(systemd_notify_t)
-+
-+init_rw_stream_sockets(systemd_notify_t)
-+
-+optional_policy(`
-+ rhcs_read_log_cluster(systemd_notify_t)
-+')
-+
-+optional_policy(`
-+ readahead_manage_pid_files(systemd_notify_t)
-+')
-+
-+########################################
-+#
-+# systemd_logger local policy
-+#
-+
-+allow systemd_logger_t self:capability { sys_admin chown kill };
-+allow systemd_logger_t self:process { fork setfscreate setsockcreate };
-+
-+allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_use_fds(systemd_logger_t)
-+
-+dev_write_kmsg(systemd_logger_t)
-+
-+domain_use_interactive_fds(systemd_logger_t)
-+
-+# only needs write
-+term_use_generic_ptys(systemd_logger_t)
-+
-+# /run/systemd/notify
-+init_write_pid_socket(systemd_logger_t)
-+
-+logging_send_syslog_msg(systemd_logger_t)
-+
-+########################################
-+#
-+# systemd_sysctl domains local policy
-+#
-+
-+allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
-+
-+fs_list_cgroup_dirs(systemctl_domain)
-+fs_read_cgroup_files(systemctl_domain)
-+
-+# needed by systemctl
-+init_dgram_send(systemctl_domain)
-+init_stream_connect(systemctl_domain)
-+init_read_state(systemctl_domain)
-+init_list_pid_dirs(systemctl_domain)
-+init_use_fds(systemctl_domain)
-+
-+#######################################
-+#
-+# Localed policy
-+#
-+allow systemd_localed_t self:process setfscreate;
-+allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_localed_t self:unix_dgram_socket create_socket_perms;
-+
-+dev_write_kmsg(systemd_localed_t)
-+
-+files_mmap_usr_files(systemd_localed_t)
-+
-+init_dbus_chat(systemd_localed_t)
-+init_reload_services(systemd_localed_t)
-+
-+logging_stream_connect_syslog(systemd_localed_t)
-+logging_send_syslog_msg(systemd_localed_t)
-+
-+allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
-+
-+miscfiles_manage_localization(systemd_localed_t)
-+miscfiles_etc_filetrans_localization(systemd_localed_t)
-+
-+userdom_dbus_send_all_users(systemd_localed_t)
-+
-+xserver_manage_config(systemd_localed_t)
-+
-+optional_policy(`
-+ dbus_connect_system_bus(systemd_localed_t)
-+ dbus_system_bus_client(systemd_localed_t)
-+')
-+
-+#######################################
-+#
-+# Hostnamed policy
-+#
-+allow systemd_hostnamed_t self:capability sys_admin;
-+dontaudit systemd_hostnamed_t self:capability sys_ptrace;
-+
-+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
-+manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
-+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
-+
-+kernel_dgram_send(systemd_hostnamed_t)
-+kernel_read_xen_state(systemd_hostnamed_t)
-+kernel_read_sysctl(systemd_hostnamed_t)
-+
-+dev_write_kmsg(systemd_hostnamed_t)
-+dev_read_sysfs(systemd_hostnamed_t)
-+
-+fs_read_xenfs_files(systemd_hostnamed_t)
-+
-+init_status(systemd_hostnamed_t)
-+init_stream_connect(systemd_hostnamed_t)
-+
-+logging_send_syslog_msg(systemd_hostnamed_t)
-+
-+userdom_read_all_users_state(systemd_hostnamed_t)
-+userdom_dbus_send_all_users(systemd_hostnamed_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(systemd_hostnamed_t)
-+ dbus_connect_system_bus(systemd_hostnamed_t)
-+')
-+
-+#######################################
-+#
-+# rfkill policy
-+#
-+
-+allow systemd_rfkill_t self:capability net_admin;
-+allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
-+manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
-+init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir, "rfkill")
-+
-+kernel_dgram_send(systemd_rfkill_t)
-+
-+dev_read_sysfs(systemd_rfkill_t)
-+dev_rw_wireless(systemd_rfkill_t)
-+dev_write_kmsg(systemd_rfkill_t)
-+
-+init_search_var_lib_dirs(systemd_rfkill_t)
-+
-+optional_policy(`
-+ udev_read_db(systemd_rfkill_t)
-+')
-+
-+#######################################
-+#
-+# Timedated policy
-+#
-+
-+allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search };
-+allow systemd_timedated_t self:process { getattr getsched setfscreate };
-+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
-+
-+allow systemd_timedated_t systemd_timedated_unit_file_t:service manage_service_perms;
-+
-+corecmd_exec_bin(systemd_timedated_t)
-+corecmd_exec_shell(systemd_timedated_t)
-+corecmd_dontaudit_access_check_bin(systemd_timedated_t)
-+
-+corenet_tcp_connect_time_port(systemd_timedated_t)
-+
-+dev_rw_realtime_clock(systemd_timedated_t)
-+dev_write_kmsg(systemd_timedated_t)
-+dev_read_sysfs(systemd_timedated_t)
-+
-+fs_getattr_xattr_fs(systemd_timedated_t)
-+
-+init_dbus_chat(systemd_timedated_t)
-+init_status(systemd_timedated_t)
-+
-+logging_send_syslog_msg(systemd_timedated_t)
-+
-+miscfiles_manage_localization(systemd_timedated_t)
-+miscfiles_etc_filetrans_localization(systemd_timedated_t)
-+
-+userdom_read_all_users_state(systemd_timedated_t)
-+
-+optional_policy(`
-+ chronyd_systemctl(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ clock_manage_adjtime(systemd_timedated_t)
-+ clock_filetrans_named_content(systemd_timedated_t)
-+ clock_domtrans(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ consolekit_dbus_chat(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(systemd_timedated_t)
-+ dbus_connect_system_bus(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ gnome_manage_usr_config(systemd_timedated_t)
-+ gnome_manage_home_config(systemd_timedated_t)
-+ gnome_manage_home_config_dirs(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ ntp_domtrans_ntpdate(systemd_timedated_t)
-+ ntp_initrc_domtrans(systemd_timedated_t)
-+ init_dontaudit_getattr_all_script_files(systemd_timedated_t)
-+ init_dontaudit_getattr_exec(systemd_timedated_t)
-+ ntp_systemctl(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ policykit_domtrans_auth(systemd_timedated_t)
-+ policykit_read_lib(systemd_timedated_t)
-+ policykit_read_reload(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ xserver_manage_config(systemd_timedated_t)
-+ xserver_read_state_xdm(systemd_timedated_t)
-+')
-+
-+########################################
-+#
-+# systemd_sysctl domains local policy
-+#
-+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_rawio };
-+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
-+kernel_dgram_send(systemd_sysctl_t)
-+kernel_request_load_module(systemd_sysctl_t)
-+kernel_rw_all_sysctls(systemd_sysctl_t)
-+kernel_write_security_state(systemd_sysctl_t)
-+
-+files_read_system_conf_files(systemd_sysctl_t)
-+
-+dev_write_kmsg(systemd_sysctl_t)
-+
-+domain_use_interactive_fds(systemd_sysctl_t)
-+
-+init_stream_connect(systemd_sysctl_t)
-+
-+logging_send_syslog_msg(systemd_sysctl_t)
-+
-+#######################################
-+#
-+# systemd_coredump domains
-+#
-+allow systemd_coredump_t self:cap_userns sys_ptrace;
-+
-+manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t)
-+fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file )
-+
-+optional_policy(`
-+ unconfined_domain(systemd_coredump_t)
-+')
-+
-+#######################################
-+#
-+# systemd_hwdb domain
-+#
-+manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
-+allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto};
-+files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
-+
-+
-+#######################################
-+#
-+# systemd_gpt_generator domain
-+#
-+
-+allow systemd_gpt_generator_t self:capability sys_rawio;
-+
-+dev_read_sysfs(systemd_gpt_generator_t)
-+dev_write_kmsg(systemd_gpt_generator_t)
-+dev_read_nvme(systemd_gpt_generator_t)
-+
-+fs_read_efivarfs_files(systemd_gpt_generator_t)
-+
-+fstools_exec(systemd_gpt_generator_t)
-+
-+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
-+storage_raw_read_removable_device(systemd_gpt_generator_t)
-+
-+allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
-+systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
-+systemd_create_unit_file_dirs(systemd_gpt_generator_t)
-+systemd_create_unit_file_lnk(systemd_gpt_generator_t)
-+
-+#######################################
-+#
-+# systemd_resolved domain
-+#
-+
-+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
-+allow systemd_resolved_t self:process setcap;
-+allow systemd_resolved_t self:tcp_socket { accept listen };
-+allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
-+
-+list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-+read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-+
-+kernel_dgram_send(systemd_resolved_t)
-+kernel_read_net_sysctls(systemd_resolved_t)
-+
-+auth_read_passwd(systemd_resolved_t)
-+
-+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
-+corenet_udp_bind_llmnr_port(systemd_resolved_t)
-+corenet_tcp_connect_llmnr_port(systemd_resolved_t)
-+corenet_udp_bind_dns_port(systemd_resolved_t)
-+corenet_tcp_bind_dns_port(systemd_resolved_t)
-+
-+dev_write_kmsg(systemd_resolved_t)
-+dev_read_sysfs(systemd_resolved_t)
-+
-+sysnet_manage_config(systemd_resolved_t)
-+sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
-+sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
-+
-+userdom_dbus_send_all_users(systemd_resolved_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(systemd_resolved_t)
-+ dbus_connect_system_bus(systemd_resolved_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_dbus_chat(systemd_resolved_t)
-+')
-+
-+########################################
-+#
-+# Common rules for systemd domains
-+#
-+allow systemd_domain self:process { setfscreate signal_perms };
-+allow systemd_domain self:unix_dgram_socket { create_socket_perms sendto };
-+dontaudit systemd_domain self:capability net_admin;
-+
-+dev_read_urand(systemd_domain)
-+
-+fs_search_all(systemd_domain)
-+fs_getattr_all_fs(systemd_domain)
-+
-+files_read_etc_files(systemd_domain)
-+files_read_etc_runtime_files(systemd_domain)
-+files_read_usr_files(systemd_domain)
-+
-+init_search_pid_dirs(systemd_domain)
-+init_start_transient_unit(systemd_domain)
-+init_stop_transient_unit(systemd_domain)
-+init_status_transient_unit(systemd_domain)
-+init_reload_transient_unit(systemd_domain)
-+init_read_state(systemd_domain)
-+
-+logging_stream_connect_syslog(systemd_domain)
-+
-+seutil_read_config(systemd_domain)
-+seutil_read_file_contexts(systemd_domain)
-+
-+optional_policy(`
-+ lvm_read_state(systemd_domain)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(systemd_domain)
-+')
-+
-+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
-+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
-+
-+#######################################
-+#
-+# systemd_modules_load domain
-+#
-+
-+allow systemd_modules_load_t self:system module_load;
-+
-+kernel_dgram_send(systemd_modules_load_t)
-+kernel_load_module(systemd_modules_load_t)
-+
-+dev_read_sysfs(systemd_modules_load_t)
-+
-+files_map_kernel_modules(systemd_modules_load_t)
-+files_read_kernel_modules(systemd_modules_load_t)
-+modutils_read_module_config(systemd_modules_load_t)
-+
-+
-+#######################################
-+#
-+# systemd_modules_load domain
-+#
-+
-+allow systemd_bootchart_t self:capability2 wake_alarm;
-+allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_dgram_send(systemd_bootchart_t)
-+kernel_rw_kernel_sysctl(systemd_bootchart_t)
-+dev_list_sysfs(systemd_bootchart_t)
-+
-+domain_read_all_domains_state(systemd_bootchart_t)
-+
-+manage_files_pattern(systemd_bootchart_t, systemd_bootchart_var_run_t, systemd_bootchart_var_run_t)
-+logging_syslogd_pid_filetrans(systemd_bootchart_t, systemd_bootchart_var_run_t, file)
-+
-+#######################################
-+#
-+# systemd_modules_load domain
-+#
-+allow systemd_initctl_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_dgram_send(systemd_initctl_t)
-+
-+init_rw_initctl(systemd_initctl_t)
-+init_stream_connectto(systemd_initctl_t)
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index f41857e09..49fd32e17 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -1,6 +1,8 @@
--/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
--/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
--/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
-+/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
-+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
-+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
-
- /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-@@ -10,6 +12,7 @@
- /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
- /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- ifdef(`distro_debian',`
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,11 +30,23 @@ ifdef(`distro_redhat',`
- ')
-
- /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
--
--/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
--
--/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
--/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-
- ifdef(`distro_debian',`
- /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
-diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 9a1650d37..d7e8a0193 100644
---- a/policy/modules/system/udev.if
-+++ b/policy/modules/system/udev.if
-@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
- ')
-
- domtrans_pattern($1, udev_exec_t, udev_t)
-+ allow $1 udev_t:process noatsecure;
- ')
-
- ########################################
-@@ -88,8 +89,7 @@ interface(`udev_read_state',`
- ')
-
- kernel_search_proc($1)
-- allow $1 udev_t:file read_file_perms;
-- allow $1 udev_t:lnk_file read_lnk_file_perms;
-+ ps_process_pattern($1, udev_t)
- ')
-
- ########################################
-@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
- #
- interface(`udev_dontaudit_search_db',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
-
-- dontaudit $1 udev_tbl_t:dir search_dir_perms;
-+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',`
- ##
- #
- interface(`udev_read_db',`
-+ udev_read_pid_files($1)
-+')
-+
-+########################################
-+##
-+## Allow process to modify list of devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_rw_db',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
-
-- allow $1 udev_tbl_t:dir list_dir_perms;
-+ files_search_pids($1)
-+ dev_list_all_dev_nodes($1)
-+ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+')
-
-- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
-- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
-+########################################
-+##
-+## Allow process to modify relabelto udev database
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_relabelto_db',`
-+ gen_require(`
-+ type udev_var_run_t;
-+ ')
-
-- dev_list_all_dev_nodes($1)
-+ files_search_pids($1)
-+ allow $1 udev_var_run_t:file relabelto_file_perms;
-+')
-
-- files_search_etc($1)
-+########################################
-+##
-+## Relabel the udev sock_file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_relabel_pid_sockfile',`
-+ gen_require(`
-+ type udev_var_run_t;
-+ ')
-
-- udev_search_pids($1)
-+ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
- ')
-
- ########################################
- ##
--## Allow process to modify list of devices.
-+## Create, read, write, and delete
-+## udev pid files.
- ##
- ##
- ##
-@@ -213,13 +258,16 @@ interface(`udev_read_db',`
- ##
- ##
- #
--interface(`udev_rw_db',`
-+interface(`udev_read_pid_files',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 udev_tbl_t:file rw_file_perms;
-+ files_search_pids($1)
-+ allow $1 udev_var_run_t:dir list_dir_perms;
-+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
-
- ########################################
-@@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',`
-
- ########################################
- ##
--## Read udev pid files.
-+## Create, read, write, and delete
-+## udev pid files.
- ##
- ##
- ##
-@@ -271,19 +320,44 @@ interface(`udev_manage_pid_dirs',`
- ##
- ##
- #
--interface(`udev_read_pid_files',`
-+interface(`udev_manage_pid_files',`
- gen_require(`
- type udev_var_run_t;
- ')
-
- files_search_pids($1)
-- read_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
-
--########################################
-+#######################################
- ##
--## Create, read, write, and delete
--## udev pid files.
-+## Execute udev in the udev domain, and
-+## allow the specified role the udev domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the iptables domain.
-+##
-+##
-+##
-+#
-+interface(`udev_run',`
-+ gen_require(`
-+ type udev_t;
-+ ')
-+
-+ udev_domtrans($1)
-+ role $2 types udev_t;
-+')
-+
-+#######################################
-+##
-+## Allow caller to create kobject uevent socket for udev
- ##
- ##
- ##
-@@ -291,13 +365,45 @@ interface(`udev_read_pid_files',`
- ##
- ##
- #
--interface(`udev_manage_pid_files',`
-+interface(`udev_create_kobject_uevent_socket',`
- gen_require(`
-- type udev_var_run_t;
-+ type udev_t;
-+ role system_r;
- ')
-
-- files_search_pids($1)
-- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
-+')
-+
-+########################################
-+##
-+## Create a domain for processes
-+## which can be started by udev.
-+##
-+##
-+##
-+## Type to be used as a domain.
-+##
-+##
-+##
-+##
-+## Type of the program to be used as an entry point to this domain.
-+##
-+##
-+#
-+interface(`udev_system_domain',`
-+ gen_require(`
-+ type udev_t;
-+ role system_r;
-+ ')
-+
-+ domain_type($1)
-+ domain_entry_file($1, $2)
-+
-+ role system_r types $1;
-+
-+ domtrans_pattern(udev_t, $2, $1)
-+
-+ dontaudit $1 udev_t:unix_dgram_socket { read write };
- ')
-
- ########################################
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f68..815aada78 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
- type udev_etc_t alias etc_udev_t;
- files_config_file(udev_etc_t)
-
--type udev_tbl_t alias udev_tdb_t;
--files_type(udev_tbl_t)
--
- type udev_rules_t;
- files_type(udev_rules_t)
-
- type udev_var_run_t;
- files_pid_file(udev_var_run_t)
-+typealias udev_var_run_t alias udev_tbl_t;
- init_daemon_run_dir(udev_var_run_t, "udev")
-
-+type udev_tmp_t;
-+files_tmp_file(udev_tmp_t)
-+
- ifdef(`enable_mcs',`
- kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
- init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -37,10 +38,10 @@ ifdef(`enable_mcs',`
- # Local policy
- #
-
--allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
-+allow udev_t self:capability { chown dac_read_search dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+allow udev_t self:capability2 { block_suspend wake_alarm };
- dontaudit udev_t self:capability sys_tty_config;
--allow udev_t self:capability2 block_suspend;
--allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow udev_t self:process { execmem setfscreate };
- allow udev_t self:fd use;
- allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -53,7 +54,10 @@ allow udev_t self:unix_stream_socket { listen accept };
- allow udev_t self:unix_dgram_socket sendto;
- allow udev_t self:unix_stream_socket connectto;
- allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow udev_t self:netlink_generic_socket create_socket_perms;
- allow udev_t self:rawip_socket create_socket_perms;
-+allow udev_t self:netlink_socket create_socket_perms;
-+allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
-
- allow udev_t udev_exec_t:file write;
- can_exec(udev_t, udev_exec_t)
-@@ -64,31 +68,39 @@ can_exec(udev_t, udev_helper_exec_t)
- # read udev config
- allow udev_t udev_etc_t:file read_file_perms;
-
--allow udev_t udev_tbl_t:file manage_file_perms;
--dev_filetrans(udev_t, udev_tbl_t, file)
-+allow udev_t udev_tmp_t:dir manage_dir_perms;
-+allow udev_t udev_tmp_t:file manage_file_perms;
-+files_tmp_filetrans(udev_t, udev_tmp_t, { file dir })
-
- list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
--read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-+manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-+manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-
- manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
-+allow udev_t udev_var_run_t:file mounton;
-+allow udev_t udev_var_run_t:dir mounton;
-+allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
-+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
-
-+kernel_load_module(udev_t)
- kernel_read_system_state(udev_t)
- kernel_request_load_module(udev_t)
- kernel_getattr_core_if(udev_t)
- kernel_use_fds(udev_t)
- kernel_read_device_sysctls(udev_t)
--kernel_read_hotplug_sysctls(udev_t)
--kernel_read_modprobe_sysctls(udev_t)
-+kernel_read_fs_sysctls(udev_t)
- kernel_read_kernel_sysctls(udev_t)
--kernel_rw_hotplug_sysctls(udev_t)
-+kernel_rw_usermodehelper_state(udev_t)
- kernel_rw_unix_dgram_sockets(udev_t)
- kernel_dgram_send(udev_t)
--kernel_signal(udev_t)
- kernel_search_debugfs(udev_t)
-+kernel_setsched(udev_t)
-+kernel_stream_connect(udev_t)
-+kernel_signal(udev_t)
-
- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
- kernel_rw_net_sysctls(udev_t)
-@@ -99,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
-
- dev_rw_sysfs(udev_t)
- dev_manage_all_dev_nodes(udev_t)
-+dev_rw_generic_usb_dev(udev_t)
- dev_rw_generic_files(udev_t)
- dev_delete_generic_files(udev_t)
- dev_search_usbfs(udev_t)
-@@ -107,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
- # preserved, instead of short circuiting the relabel
- dev_relabel_generic_symlinks(udev_t)
- dev_manage_generic_symlinks(udev_t)
-+dev_filetrans_all_named_dev(udev_t)
-
- domain_read_all_domains_state(udev_t)
--domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
-
- files_read_usr_files(udev_t)
- files_read_etc_runtime_files(udev_t)
--files_read_etc_files(udev_t)
-+files_read_kernel_modules(udev_t)
-+files_read_system_conf_files(udev_t)
-+
-+
-+# console_init manages files in /etc/sysconfig
-+files_manage_etc_files(udev_t)
- files_exec_etc_files(udev_t)
-+files_exec_usr_files(udev_t)
- files_dontaudit_search_isid_type_dirs(udev_t)
- files_getattr_generic_locks(udev_t)
- files_search_mnt(udev_t)
-+files_list_tmp(udev_t)
-
- fs_getattr_all_fs(udev_t)
- fs_list_inotifyfs(udev_t)
- fs_rw_anon_inodefs_files(udev_t)
--
--mcs_ptrace_all(udev_t)
-+fs_list_auto_mountpoints(udev_t)
-+fs_list_hugetlbfs(udev_t)
-+fs_read_cgroup_files(udev_t)
-
- mls_file_read_all_levels(udev_t)
- mls_file_write_all_levels(udev_t)
-@@ -145,17 +166,20 @@ auth_use_nsswitch(udev_t)
- init_read_utmp(udev_t)
- init_dontaudit_write_utmp(udev_t)
- init_getattr_initctl(udev_t)
-+init_stream_connect(udev_t)
-
- logging_search_logs(udev_t)
- logging_send_syslog_msg(udev_t)
- logging_send_audit_msgs(udev_t)
-+logging_stream_connect_syslog(udev_t)
-
--miscfiles_read_localization(udev_t)
- miscfiles_read_hwdata(udev_t)
-
- modutils_domtrans_insmod(udev_t)
- # read modules.inputmap:
- modutils_read_module_deps(udev_t)
-+modutils_list_module_config(udev_t)
-+modutils_read_module_config(udev_t)
-
- seutil_read_config(udev_t)
- seutil_read_default_contexts(udev_t)
-@@ -169,9 +193,14 @@ sysnet_read_dhcpc_pid(udev_t)
- sysnet_delete_dhcpc_pid(udev_t)
- sysnet_signal_dhcpc(udev_t)
- sysnet_manage_config(udev_t)
--sysnet_etc_filetrans_config(udev_t)
-+#sysnet_etc_filetrans_config(udev_t)
-+
-+systemd_login_read_pid_files(udev_t)
-+systemd_getattr_unit_files(udev_t)
-+systemd_hwdb_manage_config(udev_t)
-
- userdom_dontaudit_search_user_home_content(udev_t)
-+userdom_rw_inherited_user_tmp_pipes(udev_t)
-
- ifdef(`distro_debian',`
- files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
-@@ -195,16 +224,9 @@ ifdef(`distro_gentoo',`
- ')
-
- ifdef(`distro_redhat',`
-- fs_manage_tmpfs_dirs(udev_t)
-- fs_manage_tmpfs_files(udev_t)
-- fs_manage_tmpfs_symlinks(udev_t)
-- fs_manage_tmpfs_sockets(udev_t)
-- fs_manage_tmpfs_blk_files(udev_t)
-- fs_manage_tmpfs_chr_files(udev_t)
-- fs_relabel_tmpfs_blk_file(udev_t)
-- fs_relabel_tmpfs_chr_file(udev_t)
-+ fs_manage_hugetlbfs_dirs(udev_t)
-
-- term_search_ptys(udev_t)
-+ term_use_generic_ptys(udev_t)
-
- # for arping used for static IP addresses on PCMCIA ethernet
- netutils_domtrans(udev_t)
-@@ -242,6 +264,7 @@ optional_policy(`
-
- optional_policy(`
- cups_domtrans_config(udev_t)
-+ cups_read_config(udev_t)
- ')
-
- optional_policy(`
-@@ -249,17 +272,31 @@ optional_policy(`
- dbus_use_system_bus_fds(udev_t)
-
- optional_policy(`
-- consolekit_dbus_chat(udev_t)
-- ')
-+ systemd_dbus_chat_logind(udev_t)
-+ ')
- ')
-
- optional_policy(`
- devicekit_read_pid_files(udev_t)
- devicekit_dgram_send(udev_t)
-+ devicekit_domtrans_disk(udev_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_home_config(udev_t)
-+')
-+
-+optional_policy(`
-+ gpsd_domtrans(udev_t)
-+')
-+
-+optional_policy(`
-+ kdump_systemctl(udev_t)
- ')
-
- optional_policy(`
- lvm_domtrans(udev_t)
-+ lvm_dgram_send(udev_t)
- ')
-
- optional_policy(`
-@@ -289,6 +326,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_dbus_chat(udev_t)
-+')
-+
-+optional_policy(`
- openct_read_pid_files(udev_t)
- openct_domtrans(udev_t)
- ')
-@@ -303,6 +344,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ radvd_read_pid_files(udev_t)
-+')
-+
-+optional_policy(`
-+ usbmuxd_domtrans(udev_t)
-+ usbmuxd_stream_connect(udev_t)
-+')
-+
-+optional_policy(`
- unconfined_signal(udev_t)
- ')
-
-@@ -315,6 +365,7 @@ optional_policy(`
- kernel_read_xen_state(udev_t)
- xen_manage_log(udev_t)
- xen_read_image_files(udev_t)
-+ xen_stream_connect_xenstore(udev_t)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
-index 0abaf8432..8b34dbc09 100644
---- a/policy/modules/system/unconfined.fc
-+++ b/policy/modules/system/unconfined.fc
-@@ -1,21 +1 @@
- # Add programs here which should not be confined by SELinux
--# e.g.:
--# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
--# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
--/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
--
--/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--
--/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--
--ifdef(`distro_debian',`
--/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
--
--ifdef(`distro_gentoo',`
--/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
-diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a97d..7ffd0e0e3 100644
---- a/policy/modules/system/unconfined.if
-+++ b/policy/modules/system/unconfined.if
-@@ -12,53 +12,57 @@
- #
- interface(`unconfined_domain_noaudit',`
- gen_require(`
-- type unconfined_t;
- class dbus all_dbus_perms;
- class nscd all_nscd_perms;
- class passwd all_passwd_perms;
- ')
-
-- # Use most Linux capabilities
-- allow $1 self:capability ~sys_module;
-- allow $1 self:fifo_file manage_fifo_file_perms;
-+ # Use any Linux capability.
-+
-+ allow $1 self:capability ~{ sys_module };
-+ allow $1 self:capability2 ~{ mac_admin mac_override };
-+ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-
- # Transition to myself, to make get_ordered_context_list happy.
-- allow $1 self:process transition;
-+ allow $1 self:process { dyntransition transition };
-
- # Write access is for setting attributes under /proc/self/attr.
-- allow $1 self:file rw_file_perms;
-+ allow $1 self:file manage_file_perms;
-+ allow $1 self:dir rw_dir_perms;
-
- # Userland object managers
-- allow $1 self:nscd *;
-- allow $1 self:dbus *;
-- allow $1 self:passwd *;
-- allow $1 self:association *;
-+ allow $1 self:nscd all_nscd_perms;
-+ allow $1 self:dbus all_dbus_perms;
-+ allow $1 self:passwd all_passwd_perms;
-+ allow $1 self:association all_association_perms;
-+ allow $1 self:socket_class_set create_socket_perms;
-
- kernel_unconfined($1)
- corenet_unconfined($1)
- dev_unconfined($1)
- domain_unconfined($1)
-- domain_dontaudit_read_all_domains_state($1)
-- domain_dontaudit_ptrace_all_domains($1)
- files_unconfined($1)
- fs_unconfined($1)
- selinux_unconfined($1)
-+ systemd_config_all_services($1)
-+
-+ domain_mmap_low($1)
-
-- tunable_policy(`allow_execheap',`
-+ ubac_process_exempt($1)
-+
-+ tunable_policy(`selinuxuser_execheap',`
- # Allow making the stack executable via mprotect.
- allow $1 self:process execheap;
- ')
-
-- tunable_policy(`allow_execmem',`
-+ tunable_policy(`deny_execmem',`',`
- # Allow making anonymous memory executable, e.g.
- # for runtime-code generation or executable stack.
- allow $1 self:process execmem;
- ')
-
-- tunable_policy(`allow_execstack',`
-- # Allow making the stack executable via mprotect;
-- # execstack implies execmem;
-- allow $1 self:process { execstack execmem };
-+ tunable_policy(`selinuxuser_execstack',`
-+ allow $1 self:process execstack;
- # auditallow $1 self:process execstack;
- ')
-
-@@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',`
- ')
-
- optional_policy(`
-+ # Communicate via dbusd.
-+ dbus_system_bus_unconfined($1)
- dbus_unconfined($1)
- ')
-
-@@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
- ##
- #
- interface(`unconfined_domain',`
-+ gen_require(`
-+ attribute unconfined_services;
-+ ')
-+
- unconfined_domain_noaudit($1)
-
-- tunable_policy(`allow_execheap',`
-+ tunable_policy(`selinuxuser_execheap',`
- auditallow $1 self:process execheap;
- ')
- ')
-@@ -149,7 +159,7 @@ interface(`unconfined_domain',`
- ##
- #
- interface(`unconfined_alias_domain',`
-- refpolicywarn(`$0($1) has been deprecated.')
-+ refpolicywarn(`$0() has been deprecated.')
- ')
-
- ########################################
-@@ -175,204 +185,12 @@ interface(`unconfined_alias_domain',`
- ##
- #
- interface(`unconfined_execmem_alias_program',`
-- refpolicywarn(`$0($1) has been deprecated.')
--')
--
--########################################
--##
--## Transition to the unconfined domain.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--#
--interface(`unconfined_domtrans',`
-- gen_require(`
-- type unconfined_t, unconfined_exec_t;
-- ')
--
-- domtrans_pattern($1, unconfined_exec_t, unconfined_t)
--')
--
--########################################
--##
--## Execute specified programs in the unconfined domain.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--##
--##
--## The role to allow the unconfined domain.
--##
--##
--#
--interface(`unconfined_run',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- unconfined_domtrans($1)
-- role $2 types unconfined_t;
--')
--
--########################################
--##
--## Transition to the unconfined domain by executing a shell.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--#
--interface(`unconfined_shell_domtrans',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- corecmd_shell_domtrans($1, unconfined_t)
-- allow unconfined_t $1:fd use;
-- allow unconfined_t $1:fifo_file rw_file_perms;
-- allow unconfined_t $1:process sigchld;
--')
--
--########################################
--##
--## Allow unconfined to execute the specified program in
--## the specified domain.
--##
--##
--##
--## Allow unconfined to execute the specified program in
--## the specified domain.
--##
--##
--## This is a interface to support third party modules
--## and its use is not allowed in upstream reference
--## policy.
--##
--##
--##
--##
--## Domain to execute in.
--##
--##
--##
--##
--## Domain entry point file.
--##
--##
--#
--interface(`unconfined_domtrans_to',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- domtrans_pattern(unconfined_t,$2,$1)
--')
--
--########################################
--##
--## Allow unconfined to execute the specified program in
--## the specified domain. Allow the specified domain the
--## unconfined role and use of unconfined user terminals.
--##
--##
--##
--## Allow unconfined to execute the specified program in
--## the specified domain. Allow the specified domain the
--## unconfined role and use of unconfined user terminals.
--##
--##
--## This is a interface to support third party modules
--## and its use is not allowed in upstream reference
--## policy.
--##
--##
--##
--##
--## Domain to execute in.
--##
--##
--##
--##
--## Domain entry point file.
--##
--##
--#
--interface(`unconfined_run_to',`
-- gen_require(`
-- type unconfined_t;
-- role unconfined_r;
-- ')
--
-- domtrans_pattern(unconfined_t,$2,$1)
-- role unconfined_r types $1;
-- userdom_use_user_terminals($1)
--')
--
--########################################
--##
--## Inherit file descriptors from the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_use_fds',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:fd use;
--')
--
--########################################
--##
--## Send a SIGCHLD signal to the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_sigchld',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:process sigchld;
--')
--
--########################################
--##
--## Send a SIGNULL signal to the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_signull',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:process signull;
-+ refpolicywarn(`$0() has been deprecated.')
- ')
-
- ########################################
- ##
--## Send generic signals to the unconfined domain.
-+## Connect to unconfined_server with a unix socket.
- ##
- ##
- ##
-@@ -380,17 +198,19 @@ interface(`unconfined_signull',`
- ##
- ##
- #
--interface(`unconfined_signal',`
-+interface(`unconfined_server_stream_connect',`
- gen_require(`
-- type unconfined_t;
-+ type unconfined_service_t;
- ')
-
-- allow $1 unconfined_t:process signal;
-+ files_search_pids($1)
-+ files_write_generic_pid_pipes($1)
-+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
- ')
-
- ########################################
- ##
--## Read unconfined domain unnamed pipes.
-+## Connect to unconfined_server with a unix socket.
- ##
- ##
- ##
-@@ -398,120 +218,17 @@ interface(`unconfined_signal',`
- ##
- ##
- #
--interface(`unconfined_read_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:fifo_file read_fifo_file_perms;
--')
--
--########################################
--##
--## Do not audit attempts to read unconfined domain unnamed pipes.
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`unconfined_dontaudit_read_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- dontaudit $1 unconfined_t:fifo_file read;
--')
--
--########################################
--##
--## Read and write unconfined domain unnamed pipes.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_rw_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
--')
--
--########################################
--##
--## Do not audit attempts to read and write
--## unconfined domain unnamed pipes.
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`unconfined_dontaudit_rw_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
--')
--
--########################################
--##
--## Connect to the unconfined domain using
--## a unix domain stream socket.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_stream_connect',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:unix_stream_socket connectto;
--')
--
--########################################
--##
--## Do not audit attempts to read or write
--## unconfined domain tcp sockets.
--##
--##
--##
--## Do not audit attempts to read or write
--## unconfined domain tcp sockets.
--##
--##
--## This interface was added due to a broken
--## symptom in ldconfig.
--##
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`unconfined_dontaudit_rw_tcp_sockets',`
-+interface(`unconfined_server_domtrans',`
- gen_require(`
-- type unconfined_t;
-+ type unconfined_service_t;
- ')
-
-- dontaudit $1 unconfined_t:tcp_socket { read write };
-+ corecmd_bin_domtrans($1, unconfined_service_t)
- ')
-
- ########################################
- ##
--## Create keys for the unconfined domain.
-+## Allow caller domain to dbus chat unconfined_server.
- ##
- ##
- ##
-@@ -519,17 +236,19 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
- ##
- ##
- #
--interface(`unconfined_create_keys',`
-+interface(`unconfined_server_dbus_chat',`
- gen_require(`
-- type unconfined_t;
-+ type unconfined_service_t;
-+ class dbus send_msg;
- ')
-
-- allow $1 unconfined_t:key create;
-+ allow $1 unconfined_service_t:dbus send_msg;
-+ allow unconfined_service_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Send messages to the unconfined domain over dbus.
-+## Send signull to unconfined_service_t.
- ##
- ##
- ##
-@@ -537,19 +256,17 @@ interface(`unconfined_create_keys',`
- ##
- ##
- #
--interface(`unconfined_dbus_send',`
-+interface(`unconfined_server_signull',`
- gen_require(`
-- type unconfined_t;
-- class dbus send_msg;
-+ type unconfined_service_t;
- ')
-
-- allow $1 unconfined_t:dbus send_msg;
-+ allow $1 unconfined_service_t:process signull;
- ')
-
- ########################################
- ##
--## Send and receive messages from
--## unconfined_t over dbus.
-+## Allow noatsecure.
- ##
- ##
- ##
-@@ -557,20 +274,17 @@ interface(`unconfined_dbus_send',`
- ##
- ##
- #
--interface(`unconfined_dbus_chat',`
-+interface(`unconfined_server_noatsecure',`
- gen_require(`
-- type unconfined_t;
-- class dbus send_msg;
-+ type unconfined_service_t;
- ')
-
-- allow $1 unconfined_t:dbus send_msg;
-- allow unconfined_t $1:dbus send_msg;
-+ allow $1 unconfined_service_t:process { noatsecure };
- ')
-
- ########################################
- ##
--## Connect to the the unconfined DBUS
--## for service (acquire_svc).
-+## Create unconfined_service_t TCP sockets.
- ##
- ##
- ##
-@@ -578,11 +292,10 @@ interface(`unconfined_dbus_chat',`
- ##
- ##
- #
--interface(`unconfined_dbus_connect',`
-+interface(`unconfined_server_create_tcp_sockets',`
- gen_require(`
-- type unconfined_t;
-- class dbus acquire_svc;
-+ type unconfined_service_t;
- ')
-
-- allow $1 unconfined_t:dbus acquire_svc;
-+ allow $1 unconfined_service_t:tcp_socket create_stream_socket_perms;
- ')
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 5fe902db3..52a051d8a 100644
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -1,207 +1,38 @@
--policy_module(unconfined, 3.5.1)
-+policy_module(unconfined, 3.5.0)
-
- ########################################
- #
- # Declarations
- #
-+attribute unconfined_services;
-
--# usage in this module of types created by these
--# calls is not correct, however we dont currently
--# have another method to add access to these types
--userdom_base_user_template(unconfined)
--userdom_manage_home_role(unconfined_r, unconfined_t)
--userdom_manage_tmp_role(unconfined_r, unconfined_t)
--userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+type unconfined_service_t;
-+domain_type(unconfined_service_t)
-+role system_r types unconfined_service_t;
-+init_nnp_daemon_domain(unconfined_service_t)
-
--type unconfined_exec_t;
--init_system_domain(unconfined_t, unconfined_exec_t)
-+unconfined_domain(unconfined_service_t)
-
--type unconfined_execmem_t;
--type unconfined_execmem_exec_t;
--init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
--role unconfined_r types unconfined_execmem_t;
-+unconfined_stub_role()
-
--########################################
--#
--# Local policy
--#
--
--domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
--
--files_create_boot_flag(unconfined_t)
--
--mcs_killall(unconfined_t)
--mcs_ptrace_all(unconfined_t)
--
--init_run_daemon(unconfined_t, unconfined_r)
--
--libs_run_ldconfig(unconfined_t, unconfined_r)
--
--logging_send_syslog_msg(unconfined_t)
--logging_run_auditctl(unconfined_t, unconfined_r)
--
--mount_run_unconfined(unconfined_t, unconfined_r)
--
--seutil_run_setfiles(unconfined_t, unconfined_r)
--seutil_run_semanage(unconfined_t, unconfined_r)
--
--unconfined_domain(unconfined_t)
--
--userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
--
--ifdef(`distro_gentoo',`
-- seutil_run_runinit(unconfined_t, unconfined_r)
-- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- ada_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- apache_run_helper(unconfined_t, unconfined_r)
-- apache_role(unconfined_r, unconfined_t)
--')
-+role unconfined_r types unconfined_service_t;
-
--optional_policy(`
-- bind_run_ndc(unconfined_t, unconfined_r)
--')
-+corecmd_bin_entry_type(unconfined_service_t)
-+corecmd_shell_entry_type(unconfined_service_t)
-
- optional_policy(`
-- bootloader_run(unconfined_t, unconfined_r)
-+ rpm_transition_script(unconfined_service_t, system_r)
- ')
-
- optional_policy(`
-- cron_unconfined_role(unconfined_r, unconfined_t)
-+ chronyd_run_chronyc(unconfined_service_t, system_r)
- ')
-
- optional_policy(`
-- firstboot_run(unconfined_t, unconfined_r)
-+ dbus_chat_system_bus(unconfined_service_t)
- ')
-
- optional_policy(`
-- ftp_run_ftpdctl(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- hadoop_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- inn_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- java_run_unconfined(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- lpd_run_checkpc(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- modutils_run_update_mods(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- mono_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- mta_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- oddjob_domtrans_mkhomedir(unconfined_t)
--')
--
--optional_policy(`
-- portage_run(unconfined_t, unconfined_r)
-- portage_run_fetch(unconfined_t, unconfined_r)
-- portage_run_gcc_config(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- prelink_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- portmap_run_helper(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- postfix_run_map(unconfined_t, unconfined_r)
-- # cjp: this should probably be removed:
-- postfix_domtrans_master(unconfined_t)
--')
--
--optional_policy(`
-- pyzor_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- # cjp: this should probably be removed:
-- rpc_domtrans_nfsd(unconfined_t)
--')
--
--optional_policy(`
-- rtkit_scheduled(unconfined_t)
--')
--
--optional_policy(`
-- rpm_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- samba_run_net(unconfined_t, unconfined_r)
-- samba_run_winbind_helper(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- spamassassin_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- sysnet_run_dhcpc(unconfined_t, unconfined_r)
-- sysnet_dbus_chat_dhcpc(unconfined_t)
--')
--
--optional_policy(`
-- tzdata_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- unconfined_dbus_chat(unconfined_t)
--')
--
--optional_policy(`
-- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- vpn_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- webalizer_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- wine_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- xserver_domtrans(unconfined_t)
--')
--
--########################################
--#
--# Unconfined Execmem Local policy
--#
--
--allow unconfined_execmem_t self:process { execstack execmem };
--unconfined_domain_noaudit(unconfined_execmem_t)
--
--optional_policy(`
-- unconfined_dbus_chat(unconfined_execmem_t)
-+ virt_transition_svirt(unconfined_service_t, system_r)
-+ virt_transition_svirt_sandbox(unconfined_service_t, system_r)
- ')
-diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db7597682..c54480a1d 100644
---- a/policy/modules/system/userdomain.fc
-+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,37 @@
- HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
-+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
- HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
--
- /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
-+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
-+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+/root/\.debug(/.*)? <>
-+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
-+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
-+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
-+HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
-+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
-+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
-+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+HOME_DIR/\.local/share/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+HOME_DIR/\.gvfs/.* <>
-+HOME_DIR/\.debug(/.*)? <>
-+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
-+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
-+HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
-+HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
-+HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
-+
-+/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0)
-+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
-+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
-+
-+
-+
-+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
-+
-+/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
-+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
-+
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..8c0b17aa8 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
- ')
-
- attribute $1_file_type;
-+ attribute $1_usertype;
-
-- type $1_t, userdomain;
-+ type $1_t, userdomain, $1_usertype;
- domain_type($1_t)
-+ role $1_r;
- corecmd_shell_entry_type($1_t)
- corecmd_bin_entry_type($1_t)
- domain_user_exemption_target($1_t)
-@@ -44,79 +46,133 @@ template(`userdom_base_user_template',`
- term_user_pty($1_t, user_devpts_t)
-
- term_user_tty($1_t, user_tty_device_t)
--
-- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
-- allow $1_t self:fd use;
-- allow $1_t self:fifo_file rw_fifo_file_perms;
-- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
-- allow $1_t self:shm create_shm_perms;
-- allow $1_t self:sem create_sem_perms;
-- allow $1_t self:msgq create_msgq_perms;
-- allow $1_t self:msg { send receive };
-- allow $1_t self:context contains;
-- dontaudit $1_t self:socket create;
--
-- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
-- term_create_pty($1_t, user_devpts_t)
-+ term_dontaudit_getattr_generic_ptys($1_t)
-+
-+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1_usertype $1_usertype:process ptrace;
-+ ')
-+ allow $1_usertype $1_usertype:fd use;
-+ allow $1_usertype $1_t:key { create view read write search link setattr };
-+
-+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
-+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
-+ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
-+ allow $1_usertype $1_usertype:shm create_shm_perms;
-+ allow $1_usertype $1_usertype:sem create_sem_perms;
-+ allow $1_usertype $1_usertype:msgq create_msgq_perms;
-+ allow $1_usertype $1_usertype:msg { send receive };
-+ allow $1_usertype $1_usertype:context contains;
-+ dontaudit $1_usertype $1_usertype:socket create;
-+
-+ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
-+ term_create_pty($1_usertype, user_devpts_t)
- # avoid annoying messages on terminal hangup on role change
-- dontaudit $1_t user_devpts_t:chr_file ioctl;
-+ dontaudit $1_usertype user_devpts_t:chr_file ioctl;
-
-- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
- # avoid annoying messages on terminal hangup on role change
-- dontaudit $1_t user_tty_device_t:chr_file ioctl;
--
-- kernel_read_kernel_sysctls($1_t)
-- kernel_dontaudit_list_unlabeled($1_t)
-- kernel_dontaudit_getattr_unlabeled_files($1_t)
-- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
-- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
-- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
-- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
-- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
--
-- dev_dontaudit_getattr_all_blk_files($1_t)
-- dev_dontaudit_getattr_all_chr_files($1_t)
-+ dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
-+
-+ application_exec_all($1_usertype)
-+
-+ kernel_read_kernel_sysctls($1_usertype)
-+ kernel_read_all_sysctls($1_usertype)
-+ kernel_dontaudit_list_unlabeled($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
-+ kernel_dontaudit_list_proc($1_usertype)
-+
-+ dev_dontaudit_getattr_all_blk_files($1_usertype)
-+ dev_dontaudit_getattr_all_chr_files($1_usertype)
-+ dev_getattr_mtrr_dev($1_t)
-
- # When the user domain runs ps, there will be a number of access
- # denials when ps tries to search /proc. Do not audit these denials.
-- domain_dontaudit_read_all_domains_state($1_t)
-- domain_dontaudit_getattr_all_domains($1_t)
-- domain_dontaudit_getsession_all_domains($1_t)
--
-- files_read_etc_files($1_t)
-- files_read_etc_runtime_files($1_t)
-- files_read_usr_files($1_t)
-+ domain_dontaudit_read_all_domains_state($1_usertype)
-+ domain_dontaudit_getattr_all_domains($1_usertype)
-+ domain_dontaudit_getsession_all_domains($1_usertype)
-+ dev_dontaudit_all_access_check($1_usertype)
-+
-+ files_read_etc_files($1_usertype)
-+ files_list_mnt($1_usertype)
-+ files_list_var($1_usertype)
-+ files_read_mnt_files($1_usertype)
-+ files_dontaudit_all_access_check($1_usertype)
-+ files_read_etc_runtime_files($1_usertype)
-+ files_read_usr_files($1_usertype)
-+ files_read_usr_src_files($1_usertype)
- # Read directories and files with the readable_t type.
- # This type is a general type for "world"-readable files.
-- files_list_world_readable($1_t)
-- files_read_world_readable_files($1_t)
-- files_read_world_readable_symlinks($1_t)
-- files_read_world_readable_pipes($1_t)
-- files_read_world_readable_sockets($1_t)
-+ files_list_world_readable($1_usertype)
-+ files_read_world_readable_files($1_usertype)
-+ files_read_world_readable_symlinks($1_usertype)
-+ files_read_world_readable_pipes($1_usertype)
-+ files_read_world_readable_sockets($1_usertype)
- # old broswer_domain():
-- files_dontaudit_list_non_security($1_t)
-- files_dontaudit_getattr_non_security_files($1_t)
-- files_dontaudit_getattr_non_security_symlinks($1_t)
-- files_dontaudit_getattr_non_security_pipes($1_t)
-- files_dontaudit_getattr_non_security_sockets($1_t)
-+ files_dontaudit_getattr_all_dirs($1_usertype)
-+ files_dontaudit_list_non_security($1_usertype)
-+ files_dontaudit_getattr_all_files($1_usertype)
-+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
-+ files_dontaudit_getattr_non_security_pipes($1_usertype)
-+ files_dontaudit_getattr_non_security_sockets($1_usertype)
-+ files_dontaudit_setattr_etc_runtime_files($1_usertype)
-+
-+ files_exec_usr_files($1_t)
-+
-+ fs_list_cgroup_dirs($1_usertype)
-+ fs_dontaudit_rw_cgroup_files($1_usertype)
-+
-+ storage_rw_fuse($1_usertype)
-+
-+ auth_use_nsswitch($1_t)
-+
-+ init_stream_connect($1_usertype)
-+ # The library functions always try to open read-write first,
-+ # then fall back to read-only if it fails.
-+ init_dontaudit_rw_utmp($1_usertype)
-
-- libs_exec_ld_so($1_t)
-+ libs_exec_ld_so($1_usertype)
-
-- miscfiles_read_localization($1_t)
- miscfiles_read_generic_certs($1_t)
-
-- sysnet_read_config($1_t)
-+ miscfiles_read_all_certs($1_usertype)
-+ miscfiles_read_public_files($1_usertype)
-
-- tunable_policy(`allow_execmem',`
-+ systemd_dbus_chat_logind($1_usertype)
-+ systemd_read_logind_sessions_files($1_usertype)
-+ systemd_write_inhibit_pipes($1_usertype)
-+ systemd_write_inherited_logind_sessions_pipes($1_usertype)
-+ systemd_login_read_pid_files($1_usertype)
-+
-+ tunable_policy(`deny_execmem',`', `
- # Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
- ')
-
-- tunable_policy(`allow_execmem && allow_execstack',`
-+ tunable_policy(`selinuxuser_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1_t self:process execstack;
- ')
-+
-+ optional_policy(`
-+ abrt_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ fs_list_cgroup_dirs($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ ssh_rw_stream_sockets($1_usertype)
-+ ssh_rw_dgram_sockets($1_usertype)
-+ ssh_delete_tmp($1_t)
-+ ssh_signal($1_t)
-+ ')
- ')
-
- #######################################
-@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',`
- type user_home_t, user_home_dir_t;
- ')
-
-+ role $1 types { user_home_t user_home_dir_t };
-+
- ##############################
- #
- # Domain access to home dir
-@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',`
- read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- files_list_home($2)
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs($2)
-- fs_read_nfs_files($2)
-- fs_read_nfs_symlinks($2)
-- fs_read_nfs_named_sockets($2)
-- fs_read_nfs_named_pipes($2)
-- ',`
-- fs_dontaudit_list_nfs($2)
-- fs_dontaudit_read_nfs_files($2)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs($2)
-- fs_read_cifs_files($2)
-- fs_read_cifs_symlinks($2)
-- fs_read_cifs_named_sockets($2)
-- fs_read_cifs_named_pipes($2)
-- ',`
-- fs_dontaudit_list_cifs($2)
-- fs_dontaudit_read_cifs_files($2)
-- ')
- ')
-
- #######################################
-@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',`
- interface(`userdom_manage_home_role',`
- gen_require(`
- type user_home_t, user_home_dir_t;
-+ attribute user_home_type;
- ')
-
-+ role $1 types { user_home_type user_home_dir_t };
-+
- ##############################
- #
- # Domain access to home dir
-@@ -229,43 +269,46 @@ interface(`userdom_manage_home_role',`
- type_member $2 user_home_dir_t:dir user_home_dir_t;
-
- # full control of the home directory
-+ allow $2 user_home_t:dir mounton;
- allow $2 user_home_t:file entrypoint;
-- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
-+
-+ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
-+ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
-+ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ userdom_filetrans_home_content($2)
-+
- files_list_home($2)
-
- # cjp: this should probably be removed:
- allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
-
- tunable_policy(`use_nfs_home_dirs',`
-+ fs_mount_nfs($2)
-+ fs_mounton_nfs($2)
- fs_manage_nfs_dirs($2)
- fs_manage_nfs_files($2)
- fs_manage_nfs_symlinks($2)
- fs_manage_nfs_named_sockets($2)
- fs_manage_nfs_named_pipes($2)
-- ',`
-- fs_dontaudit_manage_nfs_dirs($2)
-- fs_dontaudit_manage_nfs_files($2)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
-+ fs_mount_cifs($2)
-+ fs_mounton_cifs($2)
- fs_manage_cifs_dirs($2)
- fs_manage_cifs_files($2)
- fs_manage_cifs_symlinks($2)
- fs_manage_cifs_named_sockets($2)
- fs_manage_cifs_named_pipes($2)
-- ',`
-- fs_dontaudit_manage_cifs_dirs($2)
-- fs_dontaudit_manage_cifs_files($2)
- ')
- ')
-
-@@ -273,6 +316,101 @@ interface(`userdom_manage_home_role',`
- ##
- ## Manage user temporary files
- ##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+#######################################
-+##
-+## Mmap user temporary files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_map_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file map;
-+')
-+
-+#######################################
-+##
-+## Manage user temporary sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_tmp_sockets',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+#######################################
-+##
-+## Manage user temporary directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+#######################################
-+##
-+## Manage user temporary directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_mounton_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:dir mounton;
-+')
-+
-+#######################################
-+##
-+## Manage user temporary files
-+##
- ##
- ##
- ## Role allowed access.
-@@ -287,17 +425,65 @@ interface(`userdom_manage_home_role',`
- #
- interface(`userdom_manage_tmp_role',`
- gen_require(`
-+ attribute user_tmp_type;
- type user_tmp_t;
- ')
-
-+ role $1 types user_tmp_t;
-+
- files_poly_member_tmp($2, user_tmp_t)
-
-- manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-- manage_files_pattern($2, user_tmp_t, user_tmp_t)
-- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
-- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
-- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
-+ allow $2 user_tmp_type:dir mounton;
-+ manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_files_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
- files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
-+ fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
-+ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
-+')
-+
-+#######################################
-+##
-+## Dontaudit search of user bin dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_search_user_bin_dirs',`
-+ gen_require(`
-+ type home_bin_t;
-+ ')
-+
-+ dontaudit $1 home_bin_t:dir search_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Execute user bin files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_exec_user_bin_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ type home_bin_t, user_home_dir_t;
-+ ')
-+
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
-+ files_search_home($1)
- ')
-
- #######################################
-@@ -317,11 +503,31 @@ interface(`userdom_exec_user_tmp_files',`
- ')
-
- exec_files_pattern($1, user_tmp_t, user_tmp_t)
-+ dontaudit $1 user_tmp_t:sock_file execute;
- files_search_tmp($1)
- ')
-
- #######################################
- ##
-+## Manage user temporary file system files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+')
-+
-+#######################################
-+##
- ## Role access for the user tmpfs type
- ## that the user has full access.
- ##
-@@ -347,60 +553,45 @@ interface(`userdom_exec_user_tmp_files',`
- ##
- #
- interface(`userdom_manage_tmpfs_role',`
-- gen_require(`
-- type user_tmpfs_t;
-- ')
--
-- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
-+ userdom_manage_tmp_role($1,$2)
- ')
-
- #######################################
- ##
--## The template allowing the user basic
-+## The interface allowing the user basic
- ## network permissions
- ##
--##
-+##
- ##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
-+## The user domain
- ##
- ##
- ##
- #
--template(`userdom_basic_networking_template',`
-- gen_require(`
-- type $1_t;
-- ')
-+interface(`userdom_basic_networking',`
-
-- allow $1_t self:tcp_socket create_stream_socket_perms;
-- allow $1_t self:udp_socket create_socket_perms;
-+ allow $1 self:tcp_socket create_stream_socket_perms;
-+ allow $1 self:udp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled($1_t)
-- corenet_all_recvfrom_netlabel($1_t)
-- corenet_tcp_sendrecv_generic_if($1_t)
-- corenet_udp_sendrecv_generic_if($1_t)
-- corenet_tcp_sendrecv_generic_node($1_t)
-- corenet_udp_sendrecv_generic_node($1_t)
-- corenet_tcp_sendrecv_all_ports($1_t)
-- corenet_udp_sendrecv_all_ports($1_t)
-- corenet_tcp_connect_all_ports($1_t)
-- corenet_sendrecv_all_client_packets($1_t)
--
-- corenet_all_recvfrom_labeled($1_t, $1_t)
-+ corenet_tcp_sendrecv_generic_if($1)
-+ corenet_udp_sendrecv_generic_if($1)
-+ corenet_tcp_sendrecv_generic_node($1)
-+ corenet_udp_sendrecv_generic_node($1)
-+ corenet_tcp_sendrecv_all_ports($1)
-+ corenet_udp_sendrecv_all_ports($1)
-+ corenet_tcp_connect_all_ports($1)
-+ corenet_sendrecv_all_client_packets($1)
-
- optional_policy(`
-- init_tcp_recvfrom_all_daemons($1_t)
-- init_udp_recvfrom_all_daemons($1_t)
-+ init_tcp_recvfrom_all_daemons($1)
-+ init_udp_recvfrom_all_daemons($1)
- ')
-
- optional_policy(`
-- ipsec_match_default_spd($1_t)
-+ ipsec_match_default_spd($1)
- ')
-+
- ')
-
- #######################################
-@@ -431,6 +622,7 @@ template(`userdom_xwindows_client_template',`
- dev_dontaudit_rw_dri($1_t)
- # GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
-+ dev_rw_generic_usb_dev($1_t)
-
- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
- xserver_xsession_entry_type($1_t)
-@@ -463,8 +655,8 @@ template(`userdom_change_password_template',`
- ')
-
- optional_policy(`
-- usermanage_run_chfn($1_t, $1_r)
-- usermanage_run_passwd($1_t, $1_r)
-+ usermanage_run_chfn($1_t,$1_r)
-+ usermanage_run_passwd($1_t,$1_r)
- ')
- ')
-
-@@ -491,51 +683,69 @@ template(`userdom_common_user_template',`
- attribute unpriv_userdomain;
- ')
-
-- userdom_basic_networking_template($1)
-+ userdom_basic_networking($1_usertype)
-+ corenet_all_recvfrom_netlabel($1_t)
-
- ##############################
- #
- # User domain Local policy
- #
-+ allow $1_t self:packet_socket create_socket_perms;
-
- # evolution and gnome-session try to create a netlink socket
- dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
-+ allow $1_t self:socket create_socket_perms;
-
-- allow $1_t unpriv_userdomain:fd use;
-+ allow $1_usertype unpriv_userdomain:fd use;
-
- kernel_read_system_state($1_t)
-- kernel_read_network_state($1_t)
-- kernel_read_net_sysctls($1_t)
-+ kernel_read_network_state($1_usertype)
-+ kernel_read_software_raid_state($1_usertype)
-+ kernel_read_net_sysctls($1_usertype)
- # Very permissive allowing every domain to see every type:
-- kernel_get_sysvipc_info($1_t)
-+ kernel_get_sysvipc_info($1_usertype)
- # Find CDROM devices:
-- kernel_read_device_sysctls($1_t)
--
-- corecmd_exec_bin($1_t)
-+ kernel_read_device_sysctls($1_usertype)
-+ kernel_request_load_module($1_usertype)
-
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
-+ corenet_udp_bind_generic_node($1_usertype)
-+ corenet_udp_bind_generic_port($1_usertype)
-
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
-+ dev_read_rand($1_usertype)
-+ dev_write_sound($1_usertype)
-+ dev_read_sound($1_usertype)
-+ dev_read_sound_mixer($1_usertype)
-+ dev_write_sound_mixer($1_usertype)
-+ dev_rw_inherited_input_dev($1_usertype)
-
-- files_exec_etc_files($1_t)
-- files_search_locks($1_t)
-+ files_exec_etc_files($1_usertype)
-+ files_search_locks($1_usertype)
- # Check to see if cdrom is mounted
-- files_search_mnt($1_t)
-+ files_search_mnt($1_usertype)
- # cjp: perhaps should cut back on file reads:
-- files_read_var_files($1_t)
-- files_read_var_symlinks($1_t)
-- files_read_generic_spool($1_t)
-- files_read_var_lib_files($1_t)
-+ files_read_var_files($1_usertype)
-+ files_read_var_symlinks($1_usertype)
-+ files_read_generic_spool($1_usertype)
-+ files_read_var_lib_files($1_usertype)
- # Stat lost+found.
-- files_getattr_lost_found_dirs($1_t)
-+ files_getattr_lost_found_dirs($1_usertype)
-+ files_read_config_files($1_usertype)
-+ fs_read_noxattr_fs_files($1_usertype)
-+ fs_read_noxattr_fs_symlinks($1_usertype)
-+ fs_rw_cgroup_files($1_usertype)
-+
-+ application_getattr_socket($1_usertype)
-+
-
-- fs_rw_cgroup_files($1_t)
-+ ifdef(`enable_mls',`
-+ init_rw_tcp_sockets($1_t)
-+ ')
-+
-+ logging_send_syslog_msg($1_t)
-+
-+ selinux_get_enforce_mode($1_t)
-
- # cjp: some of this probably can be removed
- selinux_get_fs_mount($1_t)
-@@ -546,93 +756,137 @@ template(`userdom_common_user_template',`
- selinux_compute_user_contexts($1_t)
-
- # for eject
-- storage_getattr_fixed_disk_dev($1_t)
-+ storage_getattr_fixed_disk_dev($1_usertype)
-
-- auth_use_nsswitch($1_t)
-- auth_read_login_records($1_t)
-- auth_search_pam_console_data($1_t)
-- auth_run_pam($1_t, $1_r)
-- auth_run_utempter($1_t, $1_r)
-+ auth_read_login_records($1_usertype)
-+ auth_run_pam_timestamp($1_t,$1_r)
-+ auth_run_utempter($1_t,$1_r)
-+ auth_filetrans_admin_home_content($1_t)
-
-- init_read_utmp($1_t)
-+ init_read_utmp($1_usertype)
-
-- seutil_read_file_contexts($1_t)
-- seutil_read_default_contexts($1_t)
-- seutil_run_newrole($1_t, $1_r)
-+ seutil_read_file_contexts($1_usertype)
-+ seutil_read_default_contexts($1_usertype)
-+ seutil_run_newrole($1_t,$1_r)
- seutil_exec_checkpolicy($1_t)
-- seutil_exec_setfiles($1_t)
-+ seutil_exec_setfiles($1_usertype)
- # for when the network connection is killed
- # this is needed when a login role can change
- # to this one.
- seutil_dontaudit_signal_newrole($1_t)
-
-- tunable_policy(`user_direct_mouse',`
-- dev_read_mouse($1_t)
-- ')
-+ term_getattr_all_ttys($1_t)
-
-- tunable_policy(`user_ttyfile_stat',`
-- term_getattr_all_ttys($1_t)
-+ optional_policy(`
-+ # Allow graphical boot to check battery lifespan
-+ apm_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
-- alsa_manage_home_files($1_t)
-- alsa_read_rw_config($1_t)
-- alsa_relabel_home_files($1_t)
-+ chrome_role($1_r, $1_usertype)
- ')
-
- optional_policy(`
-- # Allow graphical boot to check battery lifespan
-- apm_stream_connect($1_t)
-+ canna_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- canna_stream_connect($1_t)
-+ colord_read_lib_files($1_usertype)
- ')
-
- optional_policy(`
-- dbus_system_bus_client($1_t)
-+ dbus_system_bus_client($1_usertype)
-+
-+ allow $1_usertype $1_usertype:dbus send_msg;
-+
-+ optional_policy(`
-+ avahi_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ firewalld_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ geoclue_dbus_chat($1_usertype)
-+ ')
-
- optional_policy(`
-- bluetooth_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
- ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ hwloc_exec_dhwd($1_t)
-+ hwloc_read_runtime_files($1_t)
-+ ')
-+
-+ optional_policy(`
-+ kde_dbus_chat_backlighthelper($1_usertype)
- ')
-
-+ optional_policy(`
-+ memcached_stream_connect($1_usertype)
-+ ')
-+
- optional_policy(`
-- cups_dbus_chat_config($1_t)
-+ modemmanager_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
- ')
-
- optional_policy(`
-- networkmanager_dbus_chat($1_t)
-+ policykit_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- policykit_dbus_chat($1_t)
-+ vpn_dbus_chat($1_usertype)
- ')
- ')
-
- optional_policy(`
-- inetd_use_fds($1_t)
-- inetd_rw_tcp_sockets($1_t)
-+ git_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
- ')
-
- optional_policy(`
-- inn_read_config($1_t)
-- inn_read_news_lib($1_t)
-- inn_read_news_spool($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
- ')
-
- optional_policy(`
-- kerberos_manage_krb5_home_files($1_t)
-- kerberos_relabel_krb5_home_files($1_t)
-- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
-+ lircd_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-@@ -642,23 +896,21 @@ template(`userdom_common_user_template',`
- optional_policy(`
- mpd_manage_user_data_content($1_t)
- mpd_relabel_user_data_content($1_t)
-+ mpd_stream_connect($1_t)
- ')
-
- # for running depmod as part of the kernel packaging process
- optional_policy(`
-- modutils_read_module_config($1_t)
-+ modutils_read_module_config($1_usertype)
- ')
-
- optional_policy(`
-- mta_rw_spool($1_t)
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
- ')
-
- optional_policy(`
-- mysql_manage_mysqld_home_files($1_t)
-- mysql_relabel_mysqld_home_files($1_t)
-- mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
--
-- tunable_policy(`allow_user_mysql_connect',`
-+ tunable_policy(`selinuxuser_mysql_connect_enabled',`
- mysql_stream_connect($1_t)
- ')
- ')
-@@ -671,7 +923,7 @@ template(`userdom_common_user_template',`
-
- optional_policy(`
- # to allow monitoring of pcmcia status
-- pcmcia_read_pid($1_t)
-+ pcmcia_read_pid($1_usertype)
- ')
-
- optional_policy(`
-@@ -680,9 +932,9 @@ template(`userdom_common_user_template',`
- ')
-
- optional_policy(`
-- tunable_policy(`allow_user_postgresql_connect',`
-- postgresql_stream_connect($1_t)
-- postgresql_tcp_connect($1_t)
-+ tunable_policy(`selinuxuser_postgresql_connect_enabled',`
-+ postgresql_stream_connect($1_usertype)
-+ postgresql_tcp_connect($1_usertype)
- ')
- ')
-
-@@ -693,32 +945,35 @@ template(`userdom_common_user_template',`
- ')
-
- optional_policy(`
-- resmgr_stream_connect($1_t)
-+ resmgr_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpc_dontaudit_getattr_exports($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- rpc_dontaudit_getattr_exports($1_t)
-- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
- ')
-
- optional_policy(`
-- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
- ')
-
- optional_policy(`
-- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- usernetctl_run($1_t, $1_r)
-+ slrnpull_search_spool($1_usertype)
- ')
-
- optional_policy(`
-- virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
-- virt_home_filetrans_virt_home($1_t, dir, ".virtinst")
-- virt_home_filetrans_virt_content($1_t, dir, "isos")
-- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
-- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
-+ thumb_role($1_r, $1_usertype)
- ')
- ')
-
-@@ -743,17 +998,32 @@ template(`userdom_common_user_template',`
- template(`userdom_login_user_template', `
- gen_require(`
- class context contains;
-+ attribute login_userdomain;
- ')
-
- userdom_base_user_template($1)
-
-+ typeattribute $1_t login_userdomain;
-+
- userdom_manage_home_role($1_r, $1_t)
-
-- userdom_manage_tmp_role($1_r, $1_t)
-- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable($1_exec_content, true)
-+
-+ tunable_policy(`$1_exec_content',`
-+ userdom_exec_user_tmp_files($1_usertype)
-+ userdom_exec_user_home_content_files($1_usertype)
-+ ')
-+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
-+ fs_exec_nfs_files($1_usertype)
-+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
-+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
-+ fs_exec_cifs_files($1_usertype)
-+ ')
-+ ')
-
- userdom_change_password_template($1)
-
-@@ -761,86 +1031,121 @@ template(`userdom_login_user_template', `
- #
- # User domain Local policy
- #
--
-- allow $1_t self:capability { setgid chown fowner };
- dontaudit $1_t self:capability { sys_nice fsetid };
-+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
-+
-+ tunable_policy(`selinuxuser_use_ssh_chroot',`
-+ allow $1_t self:capability { setuid setgid sys_chroot };
-+ ')
-
-- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
- dontaudit $1_t self:process setrlimit;
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+ domain_dyntrans_type($1_t)
-
- allow $1_t self:context contains;
-
-- kernel_dontaudit_read_system_state($1_t)
-+ kernel_dontaudit_read_system_state($1_usertype)
-+ kernel_dontaudit_list_all_proc($1_usertype)
-
-- dev_read_sysfs($1_t)
-- dev_read_urand($1_t)
-+ dev_read_sysfs($1_usertype)
-+ dev_read_rand($1_usertype)
-+ dev_read_urand($1_usertype)
-
-- domain_use_interactive_fds($1_t)
-+ domain_use_interactive_fds($1_usertype)
- # Command completion can fire hundreds of denials
-- domain_dontaudit_exec_all_entry_files($1_t)
-+ domain_dontaudit_exec_all_entry_files($1_usertype)
-
-- files_dontaudit_list_default($1_t)
-- files_dontaudit_read_default_files($1_t)
-+ files_dontaudit_list_default($1_usertype)
-+ files_dontaudit_read_default_files($1_usertype)
- # Stat lost+found.
-- files_getattr_lost_found_dirs($1_t)
-+ files_getattr_lost_found_dirs($1_usertype)
-
-- fs_get_all_fs_quotas($1_t)
-- fs_getattr_all_fs($1_t)
-- fs_getattr_all_dirs($1_t)
-- fs_search_auto_mountpoints($1_t)
-- fs_list_cgroup_dirs($1_t)
-- fs_list_inotifyfs($1_t)
-- fs_rw_anon_inodefs_files($1_t)
-- fs_dontaudit_rw_cgroup_files($1_t)
-+ fs_get_all_fs_quotas($1_usertype)
-+ fs_getattr_all_fs($1_usertype)
-+ fs_search_all($1_usertype)
-+ fs_list_inotifyfs($1_usertype)
-+ fs_rw_anon_inodefs_files($1_usertype)
-
-+ auth_role($1_r, $1_t)
-+ auth_create_cache($1_t)
-+ auth_rw_cache($1_t)
-+ auth_search_pam_console_data($1_t)
-+ auth_dontaudit_read_login_records($1_t)
- auth_dontaudit_write_login_records($1_t)
-
- application_exec_all($1_t)
--
- # The library functions always try to open read-write first,
- # then fall back to read-only if it fails.
- init_dontaudit_rw_utmp($1_t)
-+
- # Stop warnings about access to /dev/console
-- init_dontaudit_use_fds($1_t)
-- init_dontaudit_use_script_fds($1_t)
-+ init_dontaudit_use_fds($1_usertype)
-+ init_dontaudit_use_script_fds($1_usertype)
-+
-+ # Needed by pam_selinux.so calling in systemd-users
-+ init_entrypoint_exec(login_userdomain)
-
-- libs_exec_lib_files($1_t)
-+ libs_exec_lib_files($1_usertype)
-
-- logging_dontaudit_getattr_all_logs($1_t)
-+ logging_dontaudit_getattr_all_logs($1_usertype)
-
-- miscfiles_read_man_pages($1_t)
- # for running TeX programs
-- miscfiles_read_tetex_data($1_t)
-- miscfiles_exec_tetex_data($1_t)
-+ miscfiles_read_tetex_data($1_usertype)
-+ miscfiles_exec_tetex_data($1_usertype)
-
-- seutil_read_config($1_t)
-+ seutil_read_config($1_usertype)
-+ seutil_read_file_contexts($1_usertype)
-+ seutil_read_default_contexts($1_usertype)
-+ seutil_exec_setfiles($1_usertype)
-
- optional_policy(`
-- cups_read_config($1_t)
-- cups_stream_connect($1_t)
-- cups_stream_connect_ptal($1_t)
-+ cups_read_config($1_usertype)
-+ cups_stream_connect($1_usertype)
-+ cups_stream_connect_ptal($1_usertype)
- ')
-
- optional_policy(`
-- kerberos_use($1_t)
-+ kerberos_use($1_usertype)
-+ init_write_key($1_usertype)
- ')
-
- optional_policy(`
-- mta_dontaudit_read_spool_symlinks($1_t)
-+ mysql_filetrans_named_content($1_usertype)
- ')
-
- optional_policy(`
-- quota_dontaudit_getattr_db($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
- ')
-
- optional_policy(`
-- rpm_read_db($1_t)
-- rpm_dontaudit_manage_db($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
- ')
--')
-
--#######################################
-+ optional_policy(`
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ oddjob_run_mkhomedir($1_t, $1_r)
-+ oddjob_run($1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ chronyd_run_chronyc($1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ ipa_run_helper($1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ wine_filetrans_named_content($1_usertype)
-+ ')
-+')
-+
-+#######################################
- ##
- ## The template for creating a unprivileged login user.
- ##
-@@ -868,6 +1173,12 @@ template(`userdom_restricted_user_template',`
- typeattribute $1_t unpriv_userdomain;
- domain_interactive_fd($1_t)
-
-+ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
-+ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
-+
-+ seutil_read_file_contexts($1_t)
-+ seutil_read_default_contexts($1_t)
-+
- ##############################
- #
- # Local policy
-@@ -907,53 +1218,143 @@ template(`userdom_restricted_xwindows_user_template',`
- #
- # Local policy
- #
-+ allow $1_usertype self:cap_userns { sys_admin sys_chroot };
-+ dontaudit $1_usertype self:cap_userns sys_ptrace;
-+ allow $1_usertype self:dir { add_name write };
-
-- auth_role($1_r, $1_t)
-- auth_search_pam_console_data($1_t)
-+ kernel_stream_connect($1_usertype)
-+ fs_associate_proc($1_usertype)
-
-- dev_read_sound($1_t)
-- dev_write_sound($1_t)
-+ dev_read_sound($1_usertype)
-+ dev_write_sound($1_usertype)
- # gnome keyring wants to read this.
-- dev_dontaudit_read_rand($1_t)
-+ dev_dontaudit_read_rand($1_usertype)
-+ # temporarily allow since openoffice requires this
-+ dev_read_rand($1_usertype)
-+
-+ dev_read_video_dev($1_usertype)
-+ dev_write_video_dev($1_usertype)
-+ dev_rw_wireless($1_usertype)
-+
-+ libs_dontaudit_setattr_lib_files($1_usertype)
-+
-+ init_read_state($1_usertype)
-+ init_signal($1_usertype)
-+
-+ tunable_policy(`selinuxuser_rw_noexattrfile',`
-+ dev_rw_usbfs($1_t)
-+ dev_rw_generic_usb_dev($1_usertype)
-+
-+ fs_manage_noxattr_fs_files($1_usertype)
-+ fs_manage_noxattr_fs_dirs($1_usertype)
-+ fs_manage_dos_dirs($1_usertype)
-+ fs_manage_dos_files($1_usertype)
-+ storage_raw_read_removable_device($1_usertype)
-+ storage_raw_write_removable_device($1_usertype)
-+ ')
-
- logging_send_syslog_msg($1_t)
- logging_dontaudit_send_audit_msgs($1_t)
-
- # Need to to this just so screensaver will work. Should be moved to screensaver domain
-- logging_send_audit_msgs($1_t)
- selinux_get_enforce_mode($1_t)
-+ seutil_exec_restorecond($1_t)
-+ seutil_read_file_contexts($1_t)
-+ seutil_read_default_contexts($1_t)
-
- xserver_restricted_role($1_r, $1_t)
-
- optional_policy(`
-- alsa_read_rw_config($1_t)
-+ alsa_read_rw_config($1_usertype)
-+ ')
-+
-+ # cjp: needed by KDE apps
-+ # bug: #682499
-+ optional_policy(`
-+ gnome_read_usr_config($1_usertype)
-+ # cjp: telepathy F15 bugs
-+ telepathy_role($1_r, $1_t, $1)
-+ ')
-+
-+ optional_policy(`
-+ obex_role($1_r, $1_t, $1)
- ')
-
- optional_policy(`
-- dbus_role_template($1, $1_r, $1_t)
-- dbus_system_bus_client($1_t)
-+ dbus_role_template($1, $1_r, $1_usertype)
-+ dbus_system_bus_client($1_usertype)
-+ allow $1_usertype $1_usertype:dbus send_msg;
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
-+ abrt_dbus_chat($1_usertype)
-+ abrt_run_helper($1_usertype, $1_r)
- ')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
-+ accountsd_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dontaudit_read_log($1_usertype)
-+ consolekit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ cups_dbus_chat($1_usertype)
-+ cups_dbus_chat_config($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ fprintd_dbus_chat($1_t)
-+ ')
-+
-+ optional_policy(`
-+ realmd_dbus_chat($1_t)
- ')
-
- optional_policy(`
- gnome_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
- wm_role_template($1, $1_r, $1_t)
- ')
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
-+ policykit_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ pulseaudio_role($1_r, $1_usertype)
-+ pulseaudio_filetrans_admin_home_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rtkit_scheduled($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ systemd_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
- ')
-+
-+ optional_policy(`
-+ udev_read_db($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ xserver_xdm_ioctl_log($1_t)
-+ ')
- ')
-
- #######################################
-@@ -987,27 +1388,36 @@ template(`userdom_unpriv_user_template', `
- #
-
- # Inherit rules for ordinary users.
-- userdom_restricted_user_template($1)
-+ userdom_restricted_xwindows_user_template($1)
- userdom_common_user_template($1)
-
- ##############################
- #
- # Local policy
- #
-+ allow $1_t self:capability { setgid chown fowner };
-+
-+ corecmd_exec_chroot($1_t)
-
- # port access is audited even if dac would not have allowed it, so dontaudit it here
-- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
- # Need the following rule to allow users to run vpnc
- corenet_tcp_bind_xserver_port($1_t)
-+ corenet_tcp_bind_generic_node($1_usertype)
-+
-+ init_domtrans($1_t)
-+ init_rw_stream_sockets($1_t)
-+
-+ storage_rw_fuse($1_t)
-
- files_exec_usr_files($1_t)
-- # cjp: why?
-+ # cjp: why?
- files_read_kernel_symbol_table($1_t)
-
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
-
-- tunable_policy(`user_rw_noexattrfile',`
-+ tunable_policy(`selinuxuser_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- # Write floppies
-@@ -1018,23 +1428,64 @@ template(`userdom_unpriv_user_template', `
- ')
- ')
-
-- tunable_policy(`user_dmesg',`
-- kernel_read_ring_buffer($1_t)
-- ',`
-- kernel_dontaudit_read_ring_buffer($1_t)
-- ')
-+ miscfiles_read_hwdata($1_usertype)
-+
-+ fs_manage_cgroup_dirs($1_t)
-+ fs_mounton_fusefs($1_usertype)
-
- # Allow users to run TCP servers (bind to ports and accept connection from
- # the same domain and outside users) disabling this forces FTP passive mode
- # and may change other protocols
-- tunable_policy(`user_tcp_server',`
-- corenet_tcp_bind_generic_node($1_t)
-- corenet_tcp_bind_generic_port($1_t)
-+
-+ tunable_policy(`selinuxuser_share_music',`
-+ corenet_tcp_bind_daap_port($1_usertype)
-+ ')
-+
-+ tunable_policy(`selinuxuser_tcp_server',`
-+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+ ')
-+
-+ tunable_policy(`selinuxuser_udp_server',`
-+ corenet_udp_bind_all_unreserved_ports($1_usertype)
-+ ')
-+ optional_policy(`
-+ cdrecord_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ cron_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ games_manage_data_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ gpg_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ systemd_dbus_chat_timedated($1_t)
-+ systemd_dbus_chat_hostnamed($1_t)
-+ systemd_dbus_chat_localed($1_t)
-+ ')
-+
-+ optional_policy(`
-+ gpm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
-+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ postfix_run_postdrop($1_t, $1_r)
-+ postfix_search_spool($1_t)
- ')
-
- # Run pppd in pppd_t by default for user
-@@ -1043,7 +1494,9 @@ template(`userdom_unpriv_user_template', `
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
-+ vdagent_getattr_log($1_t)
-+ vdagent_getattr_exec_files($1_t)
-+ vdagent_stream_connect($1_t)
- ')
- ')
-
-@@ -1079,7 +1532,9 @@ template(`userdom_unpriv_user_template', `
- template(`userdom_admin_user_template',`
- gen_require(`
- attribute admindomain;
-- class passwd { passwd chfn chsh rootok };
-+ attribute confined_admindomain;
-+
-+ class passwd { passwd chfn chsh rootok crontab };
- ')
-
- ##############################
-@@ -1095,6 +1550,7 @@ template(`userdom_admin_user_template',`
- role system_r types $1_t;
-
- typeattribute $1_t admindomain;
-+ typeattribute $1_t confined_admindomain;
-
- ifdef(`direct_sysadm_daemon',`
- domain_system_change_exemption($1_t)
-@@ -1105,14 +1561,8 @@ template(`userdom_admin_user_template',`
- # $1_t local policy
- #
-
-- allow $1_t self:capability ~{ sys_module audit_control audit_write };
-- allow $1_t self:process { setexec setfscreate };
-- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-- allow $1_t self:tun_socket create;
-- # Set password information for other users.
-- allow $1_t self:passwd { passwd chfn chsh };
-- # Skip authentication when pam_rootok is specified.
-- allow $1_t self:passwd rootok;
-+ # Manipulate other users crontab.
-+ allow $1_t self:passwd crontab;
-
- kernel_read_software_raid_state($1_t)
- kernel_getattr_core_if($1_t)
-@@ -1128,6 +1578,8 @@ template(`userdom_admin_user_template',`
- kernel_sigstop_unlabeled($1_t)
- kernel_signull_unlabeled($1_t)
- kernel_sigchld_unlabeled($1_t)
-+ kernel_signal($1_t)
-+ kernel_stream_connect($1_t)
-
- corenet_tcp_bind_generic_port($1_t)
- # allow setting up tunnels
-@@ -1145,10 +1597,15 @@ template(`userdom_admin_user_template',`
- dev_rename_all_blk_files($1_t)
- dev_rename_all_chr_files($1_t)
- dev_create_generic_symlinks($1_t)
-+ dev_rw_generic_usb_dev($1_t)
-+ dev_rw_usbfs($1_t)
-+ dev_read_kmsg($1_t)
-+ dev_read_cpuid($1_t)
-
- domain_setpriority_all_domains($1_t)
- domain_read_all_domains_state($1_t)
- domain_getattr_all_domains($1_t)
-+ domain_getcap_all_domains($1_t)
- domain_dontaudit_ptrace_all_domains($1_t)
- # signal all domains:
- domain_kill_all_domains($1_t)
-@@ -1159,29 +1616,40 @@ template(`userdom_admin_user_template',`
- domain_sigchld_all_domains($1_t)
- # for lsof
- domain_getattr_all_sockets($1_t)
-+ domain_dontaudit_getattr_all_sockets($1_t)
-
- files_exec_usr_src_files($1_t)
-
- fs_getattr_all_fs($1_t)
-+ fs_getattr_all_files($1_t)
-+ fs_list_all($1_t)
- fs_set_all_quotas($1_t)
- fs_exec_noxattr($1_t)
-
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
-+ storage_dontaudit_read_fixed_disk($1_t)
-
-- term_use_all_terms($1_t)
-+ term_use_all_inherited_terms($1_t)
-+ term_use_unallocated_ttys($1_t)
-
- auth_getattr_shadow($1_t)
- # Manage almost all files
-- files_manage_non_auth_files($1_t)
-+ files_manage_non_security_dirs($1_t)
-+ files_manage_non_security_files($1_t)
- # Relabel almost all files
-- files_relabel_non_auth_files($1_t)
-+ files_relabel_non_security_files($1_t)
-+
-+ files_mounton_rootfs($1_t)
-
- init_telinit($1_t)
-
- logging_send_syslog_msg($1_t)
-
-- modutils_domtrans_insmod($1_t)
-+ optional_policy(`
-+ modutils_domtrans_insmod($1_t)
-+ modutils_domtrans_depmod($1_t)
-+ ')
-
- # The following rule is temporary until such time that a complete
- # policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1659,8 @@ template(`userdom_admin_user_template',`
- # But presently necessary for installing the file_contexts file.
- seutil_manage_bin_policy($1_t)
-
-+ systemd_config_all_services($1_t)
-+
- userdom_manage_user_home_content_dirs($1_t)
- userdom_manage_user_home_content_files($1_t)
- userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1668,21 @@ template(`userdom_admin_user_template',`
- userdom_manage_user_home_content_sockets($1_t)
- userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
-
-- tunable_policy(`user_rw_noexattrfile',`
-+ tunable_policy(`selinuxuser_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- ',`
- fs_read_noxattr_fs_files($1_t)
- ')
-
-+ tunable_policy(`selinuxuser_tcp_server',`
-+ corenet_tcp_bind_all_unreserved_ports($1_t)
-+ ')
-+
-+ tunable_policy(`selinuxuser_udp_server',`
-+ corenet_udp_bind_all_unreserved_ports($1_t)
-+ ')
-+
- optional_policy(`
- postgresql_unconfined($1_t)
- ')
-@@ -1240,8 +1718,8 @@ template(`userdom_admin_user_template',`
- ##
- ##
- #
--template(`userdom_security_admin_template',`
-- allow $1 self:capability { dac_read_search dac_override };
-+template(`userdom_security_admin',`
-+ allow $1 self:capability { dac_read_search };
-
- corecmd_exec_shell($1)
-
-@@ -1250,6 +1728,8 @@ template(`userdom_security_admin_template',`
- dev_relabel_all_dev_nodes($1)
-
- files_create_boot_flag($1)
-+ files_create_default_dir($1)
-+ files_root_filetrans_default($1, dir)
-
- # Necessary for managing /boot/efi
- fs_manage_dos_files($1)
-@@ -1262,8 +1742,10 @@ template(`userdom_security_admin_template',`
- selinux_set_enforce_mode($1)
- selinux_set_all_booleans($1)
- selinux_set_parameters($1)
-+ selinux_read_policy($1)
-+
-+ files_relabel_all_files($1)
-
-- files_relabel_non_auth_files($1)
- auth_relabel_shadow($1)
-
- init_exec($1)
-@@ -1274,29 +1756,31 @@ template(`userdom_security_admin_template',`
- logging_read_audit_config($1)
-
- seutil_manage_bin_policy($1)
-- seutil_run_checkpolicy($1, $2)
-- seutil_run_loadpolicy($1, $2)
-- seutil_run_semanage($1, $2)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
-+ seutil_manage_login_config($1)
-+ seutil_run_checkpolicy($1,$2)
-+ seutil_run_loadpolicy($1,$2)
-+ seutil_run_semanage($1,$2)
-+ seutil_run_setsebool($1,$2)
- seutil_run_setfiles($1, $2)
-
- optional_policy(`
-- aide_run($1, $2)
-+ aide_run($1,$2)
- ')
-
- optional_policy(`
- consoletype_exec($1)
- ')
-
-- optional_policy(`
-- dmesg_exec($1)
-- ')
--
-- optional_policy(`
-- ipsec_run_setkey($1, $2)
-+ optional_policy(`
-+ ipsec_run_setkey($1,$2)
- ')
-
- optional_policy(`
-- netlabel_run_mgmt($1, $2)
-+ netlabel_run_mgmt($1,$2)
- ')
-
- optional_policy(`
-@@ -1357,14 +1841,17 @@ interface(`userdom_user_home_content',`
- gen_require(`
- attribute user_home_content_type;
- type user_home_t;
-+ attribute user_home_type;
- ')
-
- typeattribute $1 user_home_content_type;
-
- allow $1 user_home_t:filesystem associate;
- files_type($1)
-- files_poly_member($1)
- ubac_constrained($1)
-+
-+ files_poly_member($1)
-+ typeattribute $1 user_home_type;
- ')
-
- ########################################
-@@ -1397,12 +1884,52 @@ interface(`userdom_user_tmp_file',`
- ##
- #
- interface(`userdom_user_tmpfs_file',`
-- files_tmpfs_file($1)
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
-+ userdom_user_tmp_file($1)
-+')
-+
-+########################################
-+##
-+## Make the specified type usable as
-+## user temporary content.
-+##
-+##
-+##
-+## Type to be used as a file in the
-+## generic temporary directory.
-+##
-+##
-+#
-+interface(`userdom_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ typeattribute $1 user_tmp_type;
-+
-+ files_tmp_file($1)
- ubac_constrained($1)
- ')
-
- ########################################
- ##
-+## Make the specified type usable in a
-+## generic tmpfs_t directory.
-+##
-+##
-+##
-+## Type to be used as a file in the
-+## generic temporary directory.
-+##
-+##
-+#
-+interface(`userdom_user_tmpfs_content',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
-+ userdom_user_tmp_content($1)
-+')
-+
-+########################################
-+##
- ## Allow domain to attach to TUN devices created by administrative users.
- ##
- ##
-@@ -1509,11 +2036,31 @@ interface(`userdom_search_user_home_dirs',`
- ')
-
- allow $1 user_home_dir_t:dir search_dir_perms;
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
- files_search_home($1)
- ')
-
- ########################################
- ##
-+## Search user tmp directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_search_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 user_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to search user home directories.
- ##
- ##
-@@ -1555,6 +2102,14 @@ interface(`userdom_list_user_home_dirs',`
-
- allow $1 user_home_dir_t:dir list_dir_perms;
- files_search_home($1)
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ ')
- ')
-
- ########################################
-@@ -1570,9 +2125,11 @@ interface(`userdom_list_user_home_dirs',`
- interface(`userdom_dontaudit_list_user_home_dirs',`
- gen_require(`
- type user_home_dir_t;
-+ type user_home_t;
- ')
-
- dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -1613,6 +2170,24 @@ interface(`userdom_manage_user_home_dirs',`
-
- ########################################
- ##
-+## Create user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_manage_user_home_dirs',`
-+ gen_require(`
-+ type user_home_dir_t;
-+ ')
-+
-+ dontaudit $1 user_home_dir_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
- ## Relabel to user home directories.
- ##
- ##
-@@ -1631,6 +2206,59 @@ interface(`userdom_relabelto_user_home_dirs',`
-
- ########################################
- ##
-+## Relabel to user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_relabelto_user_home_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabelto;
-+')
-+########################################
-+##
-+## Relabel user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_relabel_user_home_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabel_file_perms;
-+')
-+
-+########################################
-+##
-+## Relabel user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_relabel_user_home_dirs',`
-+ gen_require(`
-+ type user_home_dir_t;
-+ ')
-+
-+ allow $1 user_home_t:dir relabel_file_perms;
-+')
-+
-+########################################
-+##
- ## Create directories in the home dir root with
- ## the user home directory type.
- ##
-@@ -1704,10 +2332,12 @@ interface(`userdom_user_home_domtrans',`
- #
- interface(`userdom_dontaudit_search_user_home_content',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
- ')
-
-- dontaudit $1 user_home_t:dir search_dir_perms;
-+ dontaudit $1 user_home_type:dir search_dir_perms;
-+ fs_dontaudit_list_nfs($1)
-+ fs_dontaudit_list_cifs($1)
- ')
-
- ########################################
-@@ -1741,10 +2371,12 @@ interface(`userdom_list_all_user_home_content',`
- #
- interface(`userdom_list_user_home_content',`
- gen_require(`
-- type user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
-
-- allow $1 user_home_t:dir list_dir_perms;
-+ files_list_home($1)
-+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
- ')
-
- ########################################
-@@ -1769,7 +2401,7 @@ interface(`userdom_manage_user_home_content_dirs',`
-
- ########################################
- ##
--## Delete all user home content directories.
-+## Delete directories in a user home subdirectory.
- ##
- ##
- ##
-@@ -1777,19 +2409,17 @@ interface(`userdom_manage_user_home_content_dirs',`
- ##
- ##
- #
--interface(`userdom_delete_all_user_home_content_dirs',`
-+interface(`userdom_delete_user_home_content_dirs',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ type user_home_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:dir delete_dir_perms;
- ')
-
- ########################################
- ##
--## Delete directories in a user home subdirectory.
-+## Delete all directories in a user home subdirectory.
- ##
- ##
- ##
-@@ -1797,45 +2427,155 @@ interface(`userdom_delete_all_user_home_content_dirs',`
- ##
- ##
- #
--interface(`userdom_delete_user_home_content_dirs',`
-+interface(`userdom_delete_all_user_home_content_dirs',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
- ')
-
-- allow $1 user_home_t:dir delete_dir_perms;
-+ allow $1 user_home_type:dir delete_dir_perms;
- ')
-
- ########################################
- ##
--## Set attributes of all user home content directories.
-+## Set the attributes of user home files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`userdom_setattr_all_user_home_content_dirs',`
-+interface(`userdom_setattr_user_home_content_files',`
- gen_require(`
-- attribute user_home_content_type;
-+ type user_home_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- allow $1 user_home_content_type:dir setattr_dir_perms;
-+ allow $1 user_home_t:file setattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to set the
--## attributes of user home files.
-+## Set the attributes of user tmp files.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`userdom_dontaudit_setattr_user_home_content_files',`
-+interface(`userdom_setattr_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file setattr;
-+')
-+
-+########################################
-+##
-+## Create a user tmp sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_create_user_tmp_sockets',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 user_tmp_t:dir list_dir_perms;
-+ create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+##
-+## Dontaudit getattr on user tmp sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
-+ userdom_getattr_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Dontaudit getattr on user tmp sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_user_getattr_tmp_sockets',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Relabel user tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_relabel_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file relabel_file_perms;
-+')
-+
-+########################################
-+##
-+## Relabel user tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_relabel_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the
-+## attributes of user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_setattr_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-@@ -1845,6 +2585,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
-
- ########################################
- ##
-+## Set the attributes of all user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_setattr_all_user_home_content_dirs',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
- ## Mmap user home files.
- ##
- ##
-@@ -1858,12 +2617,30 @@ interface(`userdom_mmap_user_home_content_files',`
- type user_home_dir_t, user_home_t;
- ')
-
-- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
- files_search_home($1)
- ')
-
- ########################################
- ##
-+## map user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_map_user_home_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file map;
-+')
-+
-+########################################
-+##
- ## Read user home files.
- ##
- ##
-@@ -1875,14 +2652,36 @@ interface(`userdom_mmap_user_home_content_files',`
- interface(`userdom_read_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
-+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
-+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
- files_search_home($1)
- ')
-
- ########################################
- ##
-+## Do not audit attempts to getattr user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_getattr_user_home_content',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:dir getattr;
-+ dontaudit $1 user_home_type:file getattr;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read user home files.
- ##
- ##
-@@ -1893,11 +2692,14 @@ interface(`userdom_read_user_home_content_files',`
- #
- interface(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
-+ type user_home_dir_t;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
-+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1938,7 +2740,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
-
- ########################################
- ##
--## Delete all user home content files.
-+## Delete files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1946,10 +2748,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_delete_all_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_files',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ type user_home_t;
- ')
-
- userdom_search_user_home_content($1)
-@@ -1958,7 +2759,7 @@ interface(`userdom_delete_all_user_home_content_files',`
-
- ########################################
- ##
--## Delete files in a user home subdirectory.
-+## Delete all files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1966,12 +2767,66 @@ interface(`userdom_delete_all_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_delete_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete sock files in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_home_content_sock_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- allow $1 user_home_t:file delete_file_perms;
-+ allow $1 user_home_t:sock_file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all sock files in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_all_user_home_content_sock_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:sock_file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all files in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_all_user_home_content',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:dir_file_class_set delete_file_perms;
- ')
-
- ########################################
-@@ -2007,8 +2862,7 @@ interface(`userdom_read_user_home_content_symlinks',`
- type user_home_dir_t, user_home_t;
- ')
-
-- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
-+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -2024,20 +2878,14 @@ interface(`userdom_read_user_home_content_symlinks',`
- #
- interface(`userdom_exec_user_home_content_files',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
-
- files_search_home($1)
-- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ dontaudit $1 user_home_type:sock_file execute;
- ')
--')
-
- ########################################
- ##
-@@ -2075,6 +2923,7 @@ interface(`userdom_manage_user_home_content_files',`
-
- manage_files_pattern($1, user_home_t, user_home_t)
- allow $1 user_home_dir_t:dir search_dir_perms;
-+ allow $1 user_home_t:file map;
- files_search_home($1)
- ')
-
-@@ -2120,7 +2969,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
-
- ########################################
- ##
--## Delete all user home content symbolic links.
-+## Delete symbolic links in a user home directory.
- ##
- ##
- ##
-@@ -2128,19 +2977,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
- ##
- ##
- #
--interface(`userdom_delete_all_user_home_content_symlinks',`
-+interface(`userdom_delete_user_home_content_symlinks',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ type user_home_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:lnk_file delete_lnk_file_perms;
- ')
-
- ########################################
- ##
--## Delete symbolic links in a user home directory.
-+## Delete all symbolic links in a user home directory.
- ##
- ##
- ##
-@@ -2148,12 +2995,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
- ##
- ##
- #
--interface(`userdom_delete_user_home_content_symlinks',`
-+interface(`userdom_delete_all_user_home_content_symlinks',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
- ')
-
-- allow $1 user_home_t:lnk_file delete_lnk_file_perms;
-+ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
- ')
-
- ########################################
-@@ -2388,18 +3235,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
- ##
- ##
- #
-+interface(`userdom_getattr_user_tmp_files',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Read user temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
- interface(`userdom_read_user_tmp_files',`
- gen_require(`
-- type user_tmp_t;
-+ attribute user_tmp_type;
- ')
-
-- read_files_pattern($1, user_tmp_t, user_tmp_t)
-- allow $1 user_tmp_t:dir list_dir_perms;
-+ read_files_pattern($1, user_tmp_type, user_tmp_type)
-+ allow $1 user_tmp_type:dir list_dir_perms;
- files_search_tmp($1)
- ')
-
- ########################################
- ##
-+## Read user temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_append_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+ allow $1 user_tmp_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read users
- ## temporary files.
- ##
-@@ -2414,7 +3297,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
- type user_tmp_t;
- ')
-
-- dontaudit $1 user_tmp_t:file read_file_perms;
-+ dontaudit $1 user_tmp_t:file read_inherited_file_perms;
- ')
-
- ########################################
-@@ -2455,6 +3338,25 @@ interface(`userdom_rw_user_tmp_files',`
- rw_files_pattern($1, user_tmp_t, user_tmp_t)
- files_search_tmp($1)
- ')
-+########################################
-+##
-+## Read and write user temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_user_tmp_sock_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:dir list_dir_perms;
-+ allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
-+ files_search_tmp($1)
-+')
-
- ########################################
- ##
-@@ -2538,7 +3440,7 @@ interface(`userdom_manage_user_tmp_files',`
- ########################################
- ##
- ## Create, read, write, and delete user
--## temporary symbolic links.
-+## temporary files.
- ##
- ##
- ##
-@@ -2546,7 +3448,27 @@ interface(`userdom_manage_user_tmp_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_symlinks',`
-+interface(`userdom_filetrans_named_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete user
-+## temporary symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_user_tmp_symlinks',`
- gen_require(`
- type user_tmp_t;
- ')
-@@ -2566,6 +3488,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
- ##
- ##
- #
-+interface(`userdom_rw_inherited_user_tmp_pipes',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+ files_search_tmp($1)
-+')
-+
-+
-+########################################
-+##
-+## Create, read, write, and delete user
-+## temporary named pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
- interface(`userdom_manage_user_tmp_pipes',`
- gen_require(`
- type user_tmp_t;
-@@ -2661,6 +3604,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
- files_tmp_filetrans($1, user_tmp_t, $2, $3)
- ')
-
-+#######################################
-+##
-+## Getattr user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_user_tmpfs_files',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
-+ userdom_getattr_user_tmp_files($1)
-+')
-+
- ########################################
- ##
- ## Read user tmpfs files.
-@@ -2672,18 +3630,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
- ##
- #
- interface(`userdom_read_user_tmpfs_files',`
-- gen_require(`
-- type user_tmpfs_t;
-- ')
--
-- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
-+ userdom_read_user_tmp_files($1)
- ')
-
- ########################################
- ##
--## Read user tmpfs files.
-+## Read/Write user tmpfs files.
- ##
- ##
- ##
-@@ -2692,19 +3645,13 @@ interface(`userdom_read_user_tmpfs_files',`
- ##
- #
- interface(`userdom_rw_user_tmpfs_files',`
-- gen_require(`
-- type user_tmpfs_t;
-- ')
--
-- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
-+ userdom_rw_user_tmp_files($1)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete user tmpfs files.
-+## Manage user tmpfs files.
- ##
- ##
- ##
-@@ -2713,13 +3660,56 @@ interface(`userdom_rw_user_tmpfs_files',`
- ##
- #
- interface(`userdom_manage_user_tmpfs_files',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.')
-+ userdom_manage_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Read/Write inherited user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_tmpfs_files',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
-+ userdom_rw_inherited_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Execute user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_execute_user_tmpfs_files',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
-+ userdom_execute_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Execute user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_execute_user_tmp_files',`
- gen_require(`
-- type user_tmpfs_t;
-+ type user_tmp_t;
- ')
-
-- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
-+ allow $1 user_tmp_t:file execute;
- ')
-
- ########################################
-@@ -2814,6 +3804,24 @@ interface(`userdom_use_user_ttys',`
-
- ########################################
- ##
-+## Read and write a inherited user domain tty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_inherited_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
- ## Read and write a user domain pty.
- ##
- ##
-@@ -2832,22 +3840,34 @@ interface(`userdom_use_user_ptys',`
-
- ########################################
- ##
--## Read and write a user TTYs and PTYs.
-+## Read and write a inherited user domain pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_inherited_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
-+## Read and write a inherited user TTYs and PTYs.
- ##
- ##
- ##
--## Allow the specified domain to read and write user
-+## Allow the specified domain to read and write inherited user
- ## TTYs and PTYs. This will allow the domain to
- ## interact with the user via the terminal. Typically
- ## all interactive applications will require this
- ## access.
- ##
--##
--## However, this also allows the applications to spy
--## on user sessions or inject information into the
--## user session. Thus, this access should likely
--## not be allowed for non-interactive domains.
--##
- ##
- ##
- ##
-@@ -2856,14 +3876,33 @@ interface(`userdom_use_user_ptys',`
- ##
- ##
- #
--interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_inherited_user_terminals',`
- gen_require(`
- type user_tty_device_t, user_devpts_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file rw_term_perms;
-- allow $1 user_devpts_t:chr_file rw_term_perms;
-- term_list_ptys($1)
-+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+#######################################
-+##
-+## Allow attempts to read and write
-+## a user domain tty and pty.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_use_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file rw_term_perms;
-+ allow $1 user_devpts_t:chr_file rw_term_perms;
- ')
-
- ########################################
-@@ -2882,8 +3921,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
- type user_tty_device_t, user_devpts_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
-- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+
-+########################################
-+##
-+## Get attributes of user domain tty and pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
-+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
- ')
-
- ########################################
-@@ -2955,6 +4013,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- allow unpriv_userdomain $1:process sigchld;
- ')
-
-+#####################################
-+##
-+## Allow domain dyntrans to unpriv userdomain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dyntransition_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:process dyntransition;
-+')
-+
-+####################################
-+##
-+## Allow domain dyntrans to admin userdomain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dyntransition_admin_users',`
-+ gen_require(`
-+ attribute admindomain;
-+ ')
-+
-+ allow $1 admindomain:process dyntransition;
-+')
-+
- ########################################
- ##
- ## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4072,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- allow unpriv_userdomain $1:process sigchld;
- ')
-
--#######################################
--##
--## Read and write unpriviledged user SysV sempaphores.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`userdom_rw_unpriv_user_semaphores',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
--
-- allow $1 unpriv_userdomain:sem rw_sem_perms;
--')
--
- ########################################
- ##
- ## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4090,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- allow $1 unpriv_userdomain:sem create_sem_perms;
- ')
-
--#######################################
-+########################################
- ##
--## Read and write unpriviledged user SysV shared
-+## Manage unpriviledged user SysV shared
- ## memory segments.
- ##
- ##
-@@ -3025,17 +4101,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- ##
- ##
- #
--interface(`userdom_rw_unpriv_user_shared_mem',`
-+interface(`userdom_manage_unpriv_user_shared_mem',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
-- allow $1 unpriv_userdomain:shm rw_shm_perms;
-+ allow $1 unpriv_userdomain:shm create_shm_perms;
- ')
-
- ########################################
- ##
--## Manage unpriviledged user SysV shared
-+## Destroy unpriviledged user SysV shared
- ## memory segments.
- ##
- ##
-@@ -3044,12 +4120,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
- ##
- ##
- #
--interface(`userdom_manage_unpriv_user_shared_mem',`
-+interface(`userdom_destroy_unpriv_user_shared_mem',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
-- allow $1 unpriv_userdomain:shm create_shm_perms;
-+ allow $1 unpriv_userdomain:shm destroy;
- ')
-
- ########################################
-@@ -3094,7 +4170,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
-
- domain_entry_file_spec_domtrans($1, unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
-- allow unpriv_userdomain $1:fifo_file rw_file_perms;
-+ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
- allow unpriv_userdomain $1:process sigchld;
- ')
-
-@@ -3110,29 +4186,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
- #
- interface(`userdom_search_user_home_content',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
-
- files_list_home($1)
-- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
--')
--
--########################################
--##
--## Send signull to unprivileged user domains.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`userdom_signull_unpriv_users',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
--
-- allow $1 unpriv_userdomain:process signull;
-+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
-+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -3214,7 +4274,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
- type user_devpts_t;
- ')
-
-- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
-+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to open user ptys.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_open_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ dontaudit $1 user_devpts_t:chr_file open;
- ')
-
- ########################################
-@@ -3269,12 +4347,13 @@ interface(`userdom_write_user_tmp_files',`
- type user_tmp_t;
- ')
-
-- allow $1 user_tmp_t:file write_file_perms;
-+ write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to use user ttys.
-+## Do not audit attempts to write users
-+## temporary files.
- ##
- ##
- ##
-@@ -3282,54 +4361,56 @@ interface(`userdom_write_user_tmp_files',`
- ##
- ##
- #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_dontaudit_write_user_tmp_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tmp_t:file write;
- ')
-
- ########################################
- ##
--## Read the process state of all user domains.
-+## Do not audit attempts to delete users
-+## temporary files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
- gen_require(`
-- attribute userdomain;
-+ type user_tmp_t;
- ')
-
-- read_files_pattern($1, userdomain, userdomain)
-- kernel_search_proc($1)
-+ dontaudit $1 user_tmp_t:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of all user domains.
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- gen_require(`
-- attribute userdomain;
-+ type user_tmp_t;
- ')
-
-- allow $1 userdomain:process getattr;
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Inherit the file descriptors from all user domains
-+## Allow domain to read/write inherited users
-+## fifo files.
- ##
- ##
- ##
-@@ -3337,17 +4418,91 @@ interface(`userdom_getattr_all_users',`
- ##
- ##
- #
--interface(`userdom_use_all_users_fds',`
-+interface(`userdom_rw_inherited_user_pipes',`
- gen_require(`
- attribute userdomain;
- ')
-
-- allow $1 userdomain:fd use;
-+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to inherit the file
-+## Do not audit attempts to use user ttys.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_use_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read the process state of all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_state',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
-+ kernel_search_proc($1)
-+')
-+
-+########################################
-+##
-+## Get the attributes of all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process getattr;
-+')
-+
-+########################################
-+##
-+## Inherit the file descriptors from all user domains
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_all_users_fds',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:fd use;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to inherit the file
- ## descriptors from any user domains.
- ##
- ##
-@@ -3382,6 +4537,42 @@ interface(`userdom_signal_all_users',`
- allow $1 userdomain:process signal;
- ')
-
-+#######################################
-+##
-+## Send signull to all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_signull_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process signull;
-+')
-+
-+########################################
-+##
-+## Send kill signals to all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_kill_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process sigkill;
-+')
-+
- ########################################
- ##
- ## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4593,60 @@ interface(`userdom_sigchld_all_users',`
-
- ########################################
- ##
-+## Read keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key read;
-+')
-+
-+########################################
-+##
-+## Write keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_write_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key write;
-+')
-+
-+########################################
-+##
-+## Read and write keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key { read view write };
-+')
-+
-+########################################
-+##
- ## Create keys for all user domains.
- ##
- ##
-@@ -3435,4 +4680,1853 @@ interface(`userdom_dbus_send_all_users',`
- ')
-
- allow $1 userdomain:dbus send_msg;
-+ ps_process_pattern($1, userdomain)
-+')
-+
-+########################################
-+##
-+## Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_set_rlimitnh',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process rlimitinh;
-+')
-+
-+########################################
-+##
-+## Define this type as a Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`userdom_unpriv_usertype',`
-+ gen_require(`
-+ attribute unpriv_userdomain, userdomain;
-+ attribute $1_usertype;
-+ ')
-+ typeattribute $2 $1_usertype;
-+ typeattribute $2 unpriv_userdomain;
-+ typeattribute $2 userdomain;
-+
-+ auth_use_nsswitch($2)
-+ ubac_constrained($2)
-+')
-+
-+#######################################
-+##
-+## Define this type as a Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`userdom_unpriv_type',`
-+ gen_require(`
-+ attribute unpriv_userdomain, userdomain;
-+ ')
-+ typeattribute $1 unpriv_userdomain;
-+ typeattribute $1 userdomain;
-+
-+ auth_use_nsswitch($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
-+## Connect to users over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_stream_connect',`
-+ gen_require(`
-+ type user_tmp_t;
-+ attribute userdomain;
-+ ')
-+
-+ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
-+')
-+
-+########################################
-+##
-+## Ptrace user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_ptrace_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 userdomain:process ptrace;
-+ ')
-+')
-+
-+########################################
-+##
-+## dontaudit Search /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_search_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 admin_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## dontaudit list /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_list_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 admin_home_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to list /root
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_list_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ allow $1 admin_home_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow Search /root
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_search_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ allow $1 admin_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## dontaudit create dirs /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_create_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:dir create_dir_perms;
-+')
-+
-+########################################
-+##
-+## dontaudit manage dirs /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_manage_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## dontaudit manage files /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_manage_admin_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## RW unpriviledged user SysV sempaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_semaphores',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:sem rw_sem_perms;
-+')
-+
-+########################################
-+##
-+## Send a message to unpriv users over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dgram_send',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
-+')
-+
-+######################################
-+##
-+## Send a message to users over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_users_dgram_send',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:unix_dgram_socket sendto;
-+')
-+
-+#######################################
-+##
-+## Allow execmod on files in homedirectory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_execmod_user_home_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file execmod;
-+')
-+
-+########################################
-+##
-+## Read admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_read_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ read_files_pattern($1, admin_home_t, admin_home_t)
-+')
-+
-+########################################
-+##
-+## Delete admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_delete_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ allow $1 admin_home_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_exec_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ exec_files_pattern($1, admin_home_t, admin_home_t)
-+')
-+
-+########################################
-+##
-+## Append files inherited
-+## in the /root directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_inherit_append_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:file { getattr append };
-+')
-+
-+
-+#######################################
-+##
-+## Manage all files/directories in the homedir
-+##
-+##
-+##
-+## The user domain
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_user_home_content',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_list_home($1)
-+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
-+
-+')
-+
-+######################################
-+##
-+## Manage all dirs in the homedir
-+##
-+##
-+##
-+## The user domain
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_home_type_dirs',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_list_home($1)
-+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+')
-+
-+######################################
-+##
-+## Manage all files in the homedir
-+##
-+##
-+##
-+## The user domain
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_home_type_files',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_list_home($1)
-+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+')
-+
-+########################################
-+##
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## the user home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+#
-+interface(`userdom_user_home_dir_filetrans_pattern',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ type_transition $1 user_home_dir_t:$2 user_home_t;
-+')
-+
-+########################################
-+##
-+## Create objects in the /root directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`userdom_admin_home_dir_filetrans',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ filetrans_pattern($1, admin_home_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Send signull to unprivileged user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_signull_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:process signull;
-+')
-+
-+########################################
-+##
-+## Write all users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_write_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ write_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+##
-+## Manage keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key manage_key_perms;
-+')
-+
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## userdomain stream.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_rw_stream',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Read and write userdomain stream.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_stream',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:unix_stream_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Read and write userdomain stream.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_connectto_stream',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unserdomain datagram socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_rw_dgram_socket',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ dontaudit $1 userdomain:unix_dgram_socket { read write };
-+')
-+
-+########################################
-+##
-+## Append files
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_append_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ append_files_pattern($1, user_home_t, user_home_t)
-+ allow $1 user_home_dir_t:dir search_dir_perms;
-+ files_search_home($1)
-+')
-+
-+########################################
-+##
-+## Read files inherited
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_inherited_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file { getattr read };
-+')
-+
-+########################################
-+##
-+## Dontaudit Read files inherited from the admin home dir.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_inherited_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit append files inherited from the admin home dir.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_append_inherited_admin_home_file',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/Write files inherited
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Append files inherited
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_inherit_append_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file { getattr append };
-+')
-+
-+########################################
-+##
-+## Append files inherited
-+## in a user tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_inherit_append_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file { getattr append };
-+')
-+
-+######################################
-+##
-+## Read audio files in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_read_home_audio_files',`
-+ gen_require(`
-+ type audio_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 audio_home_t:dir list_dir_perms;
-+ read_files_pattern($1, audio_home_t, audio_home_t)
-+ read_lnk_files_pattern($1, audio_home_t, audio_home_t)
-+')
-+
-+######################################
-+##
-+## Manage texlive content in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_home_texlive',`
-+ gen_require(`
-+ type texlive_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
-+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
-+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
-+ manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
-+ manage_files_pattern($1, texlive_home_t, texlive_home_t)
-+ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
-+ allow $1 texlive_home_t:file relabelfrom;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write all user home content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_write_all_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:file write_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write all user tmp content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ dontaudit $1 user_tmp_type:file write_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage all user temporary content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## List all user temporary content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_list_all_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ list_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
-+ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
-+ files_search_var($1)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Manage all user tmpfs content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_tmpfs_content',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')
-+ userdom_manage_all_user_tmp_content($1)
-+')
-+
-+########################################
-+##
-+## Delete all user temporary content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_all_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_files_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
-+ # /var/tmp
-+ files_search_var($1)
-+ files_delete_tmp_dir_entry($1)
-+')
-+
-+########################################
-+##
-+## Read system SSL certificates in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_home_certs',`
-+ gen_require(`
-+ attribute userdom_home_reader_certs_type;
-+ ')
-+
-+ typeattribute $1 userdom_home_reader_certs_type;
-+')
-+
-+########################################
-+##
-+## mmap system SSL certificates in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_map_home_certs',`
-+ gen_require(`
-+ type home_cert_t;
-+ ')
-+
-+ allow $1 home_cert_t:file map;
-+')
-+
-+########################################
-+##
-+## Manage system SSL certificates in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_home_certs',`
-+ gen_require(`
-+ type home_cert_t;
-+ ')
-+
-+ allow $1 home_cert_t:dir list_dir_perms;
-+ manage_dirs_pattern($1, home_cert_t, home_cert_t)
-+ manage_files_pattern($1, home_cert_t, home_cert_t)
-+ manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
-+
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
-+ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki")
-+ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert")
-+')
-+
-+#######################################
-+##
-+## Dontaudit Write system SSL certificates in the users homedir.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_write_home_certs',`
-+ gen_require(`
-+ type home_cert_t;
-+ ')
-+
-+ dontaudit $1 home_cert_t:file write;
-+')
-+
-+########################################
-+##
-+## dontaudit Search getatrr /root files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_getattr_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:file getattr;
-+')
-+
-+########################################
-+##
-+## dontaudit read /root lnk files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_admin_home_lnk_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:lnk_file read;
-+')
-+
-+########################################
-+##
-+## dontaudit read /root files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 admin_home_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete user
-+## temporary chr files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_user_tmp_chr_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete user
-+## temporary blk files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_user_tmp_blk_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Dontaudit attempt to set attributes on user temporary directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_setattr_user_tmp',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ dontaudit $1 user_tmp_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Dontaudit attempt to set attributes on user temporary file system files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_setattr_user_tmpfs',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
-+ userdom_dontaudit_setattr_user_tmp($1)
-+')
-+
-+########################################
-+##
-+## Read all inherited users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_inherited_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/write all inherited users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Write all inherited users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_write_inherited_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file write;
-+')
-+
-+########################################
-+##
-+## Write all inherited users home files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_home_sock_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:sock_file write;
-+')
-+
-+########################################
-+##
-+## Delete all users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_tmpfs_files',`
-+ refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmp_files instead.')
-+ userdom_delete_user_tmp_files($1)
-+')
-+
-+########################################
-+##
-+## Read/Write unpriviledged user SysV shared
-+## memory segments.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_unpriv_user_shared_mem',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search user
-+## temporary directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_search_user_tmp',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ dontaudit $1 user_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Execute a file in a user home directory
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a file in a user home directory
-+## in the specified domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`userdom_domtrans_user_home',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, user_home_t, user_home_t)
-+ domain_transition_pattern($1, user_home_t, $2)
-+ type_transition $1 user_home_t:process $2;
-+')
-+
-+########################################
-+##
-+## Execute a file in a user tmp directory
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a file in a user tmp directory
-+## in the specified domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`userdom_domtrans_user_tmp',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ domain_transition_pattern($1, user_tmp_t, $2)
-+ type_transition $1 user_tmp_t:process $2;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read all user home content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_all_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read all user tmp content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ dontaudit $1 user_tmp_type:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Read and write unpriviledged user SysV sempaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_unpriv_user_semaphores',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:sem rw_sem_perms;
-+')
-+
-+########################################
-+##
-+## Transition to userdom named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_filetrans_home_content',`
-+ gen_require(`
-+ attribute userdom_filetrans_type;
-+ ')
-+
-+ typeattribute $1 userdom_filetrans_type;
-+')
-+
-+########################################
-+##
-+## Make the specified type able to read content in user home dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_home_reader',`
-+ gen_require(`
-+ attribute userdom_home_reader_type;
-+ ')
-+
-+ typeattribute $1 userdom_home_reader_type;
-+')
-+
-+
-+########################################
-+##
-+## Make the specified type able to manage content in user home dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_home_manager',`
-+ gen_require(`
-+ attribute userdom_home_manager_type;
-+ ')
-+
-+ typeattribute $1 userdom_home_manager_type;
-+')
-+
-+########################################
-+##
-+## Create objects in the temporary filesystem directory
-+## with an automatic type transition to
-+## the user temporary filesystem type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`userdom_tmpfs_filetrans',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
-+')
-+
-+
-+#######################################
-+##
-+## Create objects in the temporary filesystem directory
-+## with an automatic type transition to
-+## the user temporary filesystem type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`userdom_tmpfs_filetrans_to',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
-+')
-+
-+######################################
-+##
-+## File name transition for generic home content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_filetrans_generic_home_content',`
-+ gen_require(`
-+ type home_bin_t;
-+ type audio_home_t;
-+ type home_cert_t;
-+ type user_tmp_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
-+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
-+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
-+ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
-+ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
-+
-+ optional_policy(`
-+ gnome_data_filetrans($1, home_cert_t, dir, "certificates")
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow caller to transition to any userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_transition',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process transition;
-+')
-+
-+########################################
-+##
-+## Allow caller to transition to login userdomain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_transition_login_userdomain',`
-+ gen_require(`
-+ attribute login_userdomain;
-+ ')
-+
-+ allow $1 login_userdomain:process transition;
-+')
-+
-+########################################
-+##
-+## Allow caller noatsecure permission.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_noatsecure_login_userdomain',`
-+ gen_require(`
-+ attribute login_userdomain;
-+ ')
-+
-+ allow $1 login_userdomain:process noatsecure ;
-+')
-+
-+########################################
-+##
-+## Allow caller to send sigchld to login userdomain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_sigchld_login_userdomain',`
-+ gen_require(`
-+ attribute login_userdomain;
-+ ')
-+
-+ allow $1 login_userdomain:process sigchld;
-+')
-+
-+########################################
-+##
-+## Add caller login userdomain attribute.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_login_userdomain',`
-+ gen_require(`
-+ attribute login_userdomain;
-+ ')
-+
-+ typeattribute $1 login_userdomain;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to check the
-+## access on user content files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_access_check_user_content',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:dir_file_class_set audit_access;
-+')
-+
-+#######################################
-+##
-+## The template containing the most basic rules common to confined admin.
-+##
-+##
-+##
-+## The template containing the most basic rules common to all users.
-+##
-+##
-+## This template creates a user domain, types, and
-+## rules for the user's tty and pty.
-+##
-+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+#
-+template(`userdom_confined_admin_template',`
-+
-+ gen_require(`
-+ attribute confined_admindomain;
-+ attribute userdomain;
-+ type user_devpts_t, user_tty_device_t;
-+ class context contains;
-+ ')
-+
-+ type $1_t, userdomain, confined_admindomain;
-+ role $1_r;
-+ role $1_r types $1_t;
-+ domain_type($1_t)
-+ domain_user_exemption_target($1_t)
-+ ubac_constrained($1_t)
-+
-+ auth_use_nsswitch($1_t)
-+
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable($1_exec_content, true)
-+
-+ tunable_policy(`$1_exec_content',`
-+ userdom_exec_user_tmp_files($1_t)
-+ userdom_exec_user_home_content_files($1_t)
-+ ')
-+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
-+ fs_exec_nfs_files($1_t)
-+ ')
-+
-+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
-+ fs_exec_cifs_files($1_t)
-+ ')
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow user to run as a secadm
-+##
-+##
-+##
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+## This is a templated interface, and should only
-+## be called from a per-userdomain template.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role of the object to create.
-+##
-+##
-+#
-+template(`userdom_security_admin_template',`
-+ allow $1 self:capability { dac_read_search };
-+
-+ corecmd_exec_shell($1)
-+
-+ domain_obj_id_change_exemption($1)
-+
-+ dev_relabel_all_dev_nodes($1)
-+
-+ files_create_boot_flag($1)
-+ files_create_default_dir($1)
-+ files_root_filetrans_default($1, dir)
-+
-+ # Necessary for managing /boot/efi
-+ fs_manage_dos_files($1)
-+
-+ mls_process_read_up($1)
-+ mls_file_read_all_levels($1)
-+ mls_file_upgrade($1)
-+ mls_file_downgrade($1)
-+
-+ selinux_set_enforce_mode($1)
-+ selinux_set_all_booleans($1)
-+ selinux_set_parameters($1)
-+ selinux_read_policy($1)
-+
-+ files_relabel_all_files($1)
-+
-+ auth_relabel_shadow($1)
-+
-+ init_exec($1)
-+
-+ logging_send_syslog_msg($1)
-+ logging_read_audit_log($1)
-+ logging_read_generic_logs($1)
-+ logging_read_audit_config($1)
-+
-+ seutil_manage_bin_policy($1)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
-+ seutil_manage_login_config($1)
-+ seutil_run_checkpolicy($1,$2)
-+ seutil_run_loadpolicy($1,$2)
-+ seutil_run_semanage($1,$2)
-+ seutil_run_setsebool($1,$2)
-+ seutil_run_setfiles($1, $2)
-+
-+ optional_policy(`
-+ aide_run($1,$2)
-+ ')
-+
-+ optional_policy(`
-+ consoletype_exec($1)
-+ ')
-+
-+ optional_policy(`
-+ ipsec_run_setkey($1,$2)
-+ ')
-+
-+ optional_policy(`
-+ netlabel_run_mgmt($1,$2)
-+ ')
-+
-+ optional_policy(`
-+ samhain_run($1, $2)
-+ ')
- ')
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38dc7..8bbc532c5 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
-
- ##
- ##
--## Allow users to connect to mysql
-+## Allow users to connect to the local mysql server
- ##
- ##
--gen_tunable(allow_user_mysql_connect, false)
-+gen_tunable(selinuxuser_mysql_connect_enabled, false)
-
- ##
- ##
- ## Allow users to connect to PostgreSQL
- ##
- ##
--gen_tunable(allow_user_postgresql_connect, false)
-+gen_tunable(selinuxuser_postgresql_connect_enabled, false)
-
- ##
- ##
--## Allow regular users direct mouse access
--##
--##
--gen_tunable(user_direct_mouse, false)
--
--##
--##
--## Allow users to read system messages.
-+## Allow user to r/w files on filesystems
-+## that do not have extended attributes (FAT, CDROM, FLOPPY)
- ##
- ##
--gen_tunable(user_dmesg, false)
-+gen_tunable(selinuxuser_rw_noexattrfile, false)
-
- ##
- ##
--## Allow user to r/w files on filesystems
--## that do not have extended attributes (FAT, CDROM, FLOPPY)
-+## Allow user music sharing
- ##
- ##
--gen_tunable(user_rw_noexattrfile, false)
-+gen_tunable(selinuxuser_share_music, false)
-
- ##
- ##
--## Allow w to display everyone
-+## Allow user to use ssh chroot environment.
- ##
- ##
--gen_tunable(user_ttyfile_stat, false)
-+gen_tunable(selinuxuser_use_ssh_chroot, false)
-
- attribute admindomain;
-+attribute login_userdomain;
-+attribute confined_admindomain;
-
- # all user domains
- attribute userdomain;
-@@ -58,6 +53,24 @@ attribute unpriv_userdomain;
-
- attribute user_home_content_type;
-
-+attribute userdom_home_reader_certs_type;
-+attribute userdom_home_reader_type;
-+attribute userdom_home_manager_type;
-+attribute userdom_filetrans_type;
-+
-+# unprivileged user domains
-+attribute user_home_type;
-+attribute user_tmp_type;
-+attribute user_tmpfs_type;
-+
-+type admin_home_t;
-+files_type(admin_home_t)
-+files_associate_tmp(admin_home_t)
-+fs_associate_tmpfs(admin_home_t)
-+files_mountpoint(admin_home_t)
-+files_poly_member(admin_home_t)
-+files_poly_parent(admin_home_t)
-+
- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
- fs_associate_tmpfs(user_home_dir_t)
- files_type(user_home_dir_t)
-@@ -70,26 +83,400 @@ ubac_constrained(user_home_dir_t)
-
- type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
- typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
-+typeattribute user_home_t user_home_type;
- userdom_user_home_content(user_home_t)
- fs_associate_tmpfs(user_home_t)
- files_associate_tmp(user_home_t)
-+files_poly_member(user_home_t)
- files_poly_parent(user_home_t)
- files_mountpoint(user_home_t)
-+ubac_constrained(user_home_t)
-
- type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
- dev_node(user_devpts_t)
- files_type(user_devpts_t)
- ubac_constrained(user_devpts_t)
-
--type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
-+type user_tmp_t, user_tmp_type, user_tmpfs_type;
-+typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
- typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
-+typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
-+typealias user_tmp_t alias xdm_tmp_t;
-+typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
- files_tmp_file(user_tmp_t)
-+files_tmpfs_file(user_tmp_t)
- userdom_user_home_content(user_tmp_t)
--
--type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
--files_tmpfs_file(user_tmpfs_t)
--userdom_user_home_content(user_tmpfs_t)
-+files_poly_parent(user_tmp_t)
-+files_mountpoint(user_tmp_t)
-
- type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
- dev_node(user_tty_device_t)
- ubac_constrained(user_tty_device_t)
-+
-+type audio_home_t;
-+userdom_user_home_content(audio_home_t)
-+ubac_constrained(audio_home_t)
-+
-+type texlive_home_t;
-+userdom_user_home_content(texlive_home_t)
-+ubac_constrained(texlive_home_t)
-+
-+type home_bin_t;
-+userdom_user_home_content(home_bin_t)
-+ubac_constrained(home_bin_t)
-+
-+type home_cert_t;
-+miscfiles_cert_type(home_cert_t)
-+userdom_user_home_content(home_cert_t)
-+ubac_constrained(home_cert_t)
-+
-+tunable_policy(`login_console_enabled',`
-+ term_use_console(userdomain)
-+')
-+
-+allow userdomain userdomain:process signull;
-+allow userdomain userdomain:fifo_file { map rw_inherited_fifo_file_perms };
-+dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;
-+
-+# Nautilus causes this avc
-+domain_dontaudit_access_check(unpriv_userdomain)
-+dontaudit unpriv_userdomain self:dir setattr;
-+allow unpriv_userdomain self:file manage_file_perms;
-+allow unpriv_userdomain self:key manage_key_perms;
-+
-+mount_dontaudit_write_mount_pid(unpriv_userdomain)
-+mount_entry_type(unpriv_userdomain)
-+
-+optional_policy(`
-+ alsa_read_rw_config(unpriv_userdomain)
-+ alsa_manage_home_files(unpriv_userdomain)
-+ alsa_relabel_home_files(unpriv_userdomain)
-+')
-+
-+optional_policy(`
-+ gssproxy_stream_connect(userdomain)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(userdomain)
-+')
-+
-+optional_policy(`
-+ locallogin_filetrans_home_content(userdomain)
-+')
-+
-+optional_policy(`
-+ pcscd_stream_connect(userdomain)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_home_content(userdomain)
-+ ssh_rw_tcp_sockets(userdomain)
-+')
-+
-+optional_policy(`
-+ telepathy_filetrans_home_content(userdomain)
-+')
-+
-+optional_policy(`
-+ xserver_filetrans_home_content(userdomain)
-+')
-+
-+# rules for types which can read home certs
-+allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
-+read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
-+read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
-+userdom_search_user_home_content(userdom_home_reader_certs_type)
-+allow userdom_home_reader_certs_type home_cert_t:file map;
-+
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
-+ fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(userdom_home_reader_type)
-+ fs_read_nfs_files(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_read_fusefs_files(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_read_ecryptfs_files(userdom_home_reader_type)
-+ fs_read_ecryptfs_symlinks(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(userdom_home_manager_type)
-+ fs_manage_nfs_dirs(userdom_home_manager_type)
-+ fs_manage_nfs_files(userdom_home_manager_type)
-+ fs_manage_nfs_symlinks(userdom_home_manager_type)
-+ fs_mmap_nfs_files(userdom_home_manager_type)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(userdom_home_manager_type)
-+ fs_manage_cifs_files(userdom_home_manager_type)
-+ fs_manage_cifs_symlinks(userdom_home_manager_type)
-+ fs_map_cifs_files(userdom_home_manager_type)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(userdom_home_manager_type)
-+ fs_manage_fusefs_files(userdom_home_manager_type)
-+ fs_manage_fusefs_symlinks(userdom_home_manager_type)
-+ fs_mmap_fusefs_files(userdom_home_manager_type)
-+')
-+
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
-+ fs_manage_ecryptfs_files(userdom_home_manager_type)
-+ fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
-+')
-+
-+# vi /etc/mtab can cause an avc trying to relabel to self.
-+dontaudit userdomain self:file relabelto;
-+
-+userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp")
-+userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
-+
-+optional_policy(`
-+ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
-+ #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
-+')
-+
-+optional_policy(`
-+ alsa_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ apache_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ auth_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ cvs_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ gpg_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ irc_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ mozilla_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ pulseaudio_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ spamassassin_filetrans_home_content(userdom_filetrans_type)
-+ spamassassin_filetrans_admin_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(userdom_filetrans_type)
-+ ssh_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ telepathy_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ thumb_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ tvtime_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ xserver_filetrans_home_content(userdom_filetrans_type)
-+ xserver_filetrans_admin_home_content(userdom_filetrans_type)
-+')
-+
-+############################################################
-+# Local Policy Confined Admin
-+#
-+gen_require(`
-+ class context contains;
-+ class passwd { passwd chfn chsh rootok };
-+')
-+
-+allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };
-+allow confined_admindomain self:capability2 { block_suspend syslog };
-+allow confined_admindomain self:process { setexec setfscreate };
-+allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv;
-+allow confined_admindomain self:tun_socket create_socket_perms;
-+allow confined_admindomain self:packet_socket create_socket_perms;
-+
-+# Set password information for other users.
-+allow confined_admindomain self:passwd { passwd chfn chsh };
-+# Skip authentication when pam_rootok is specified.
-+allow confined_admindomain self:passwd rootok;
-+
-+corecmd_shell_entry_type(confined_admindomain)
-+corecmd_bin_entry_type(confined_admindomain)
-+
-+term_user_pty(confined_admindomain, user_devpts_t)
-+term_user_tty(confined_admindomain, user_tty_device_t)
-+term_dontaudit_getattr_generic_ptys(confined_admindomain)
-+
-+allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
-+tunable_policy(`deny_ptrace',`',`
-+ allow confined_admindomain self:process ptrace;
-+')
-+allow confined_admindomain self:fd use;
-+allow confined_admindomain self:key manage_key_perms;
-+
-+allow confined_admindomain self:fifo_file rw_fifo_file_perms;
-+allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto };
-+allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow confined_admindomain self:shm create_shm_perms;
-+allow confined_admindomain self:sem create_sem_perms;
-+allow confined_admindomain self:msgq create_msgq_perms;
-+allow confined_admindomain self:msg { send receive };
-+allow confined_admindomain self:context contains;
-+dontaudit confined_admindomain self:socket create;
-+
-+allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
-+term_create_pty(confined_admindomain, user_devpts_t)
-+# avoid annoying messages on terminal hangup on role change
-+dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
-+
-+allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+# avoid annoying messages on terminal hangup on role change
-+dontaudit confined_admindomain user_tty_device_t:chr_file ioctl;
-+
-+application_exec_all(confined_admindomain)
-+
-+kernel_read_kernel_sysctls(confined_admindomain)
-+kernel_read_all_sysctls(confined_admindomain)
-+kernel_dontaudit_list_unlabeled(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
-+kernel_dontaudit_list_proc(confined_admindomain)
-+
-+dev_dontaudit_getattr_all_blk_files(confined_admindomain)
-+dev_dontaudit_getattr_all_chr_files(confined_admindomain)
-+dev_getattr_mtrr_dev(confined_admindomain)
-+
-+# When the user domain runs ps, there will be a number of access
-+# denials when ps tries to search /proc. Do not audit these denials.
-+domain_dontaudit_read_all_domains_state(confined_admindomain)
-+domain_dontaudit_getattr_all_domains(confined_admindomain)
-+domain_dontaudit_getsession_all_domains(confined_admindomain)
-+dev_dontaudit_all_access_check(confined_admindomain)
-+
-+files_read_etc_files(confined_admindomain)
-+files_list_mnt(confined_admindomain)
-+files_list_var(confined_admindomain)
-+files_read_mnt_files(confined_admindomain)
-+files_dontaudit_all_access_check(confined_admindomain)
-+files_read_etc_runtime_files(confined_admindomain)
-+files_read_usr_files(confined_admindomain)
-+files_read_usr_src_files(confined_admindomain)
-+# Read directories and files with the readable_t type.
-+# This type is a general type for "world"-readable files.
-+files_list_world_readable(confined_admindomain)
-+files_read_world_readable_files(confined_admindomain)
-+files_read_world_readable_symlinks(confined_admindomain)
-+files_read_world_readable_pipes(confined_admindomain)
-+files_read_world_readable_sockets(confined_admindomain)
-+# old broswer_domain():
-+files_dontaudit_getattr_all_dirs(confined_admindomain)
-+files_dontaudit_list_non_security(confined_admindomain)
-+files_dontaudit_getattr_all_files(confined_admindomain)
-+files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
-+files_dontaudit_getattr_non_security_pipes(confined_admindomain)
-+files_dontaudit_getattr_non_security_sockets(confined_admindomain)
-+files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
-+
-+files_exec_usr_files(confined_admindomain)
-+
-+fs_list_cgroup_dirs(confined_admindomain)
-+fs_dontaudit_rw_cgroup_files(confined_admindomain)
-+
-+storage_rw_fuse(confined_admindomain)
-+
-+init_stream_connect(confined_admindomain)
-+# The library functions always try to open read-write first,
-+# then fall back to read-only if it fails.
-+init_dontaudit_rw_utmp(confined_admindomain)
-+
-+libs_exec_ld_so(confined_admindomain)
-+
-+miscfiles_read_generic_certs(confined_admindomain)
-+
-+miscfiles_read_all_certs(confined_admindomain)
-+miscfiles_read_public_files(confined_admindomain)
-+
-+systemd_dbus_chat_logind(confined_admindomain)
-+systemd_read_logind_sessions_files(confined_admindomain)
-+systemd_write_inhibit_pipes(confined_admindomain)
-+systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
-+systemd_login_read_pid_files(confined_admindomain)
-+tunable_policy(`deny_execmem',`', `
-+ # Allow loading DSOs that require executable stack.
-+ allow confined_admindomain self:process execmem;
-+')
-+
-+tunable_policy(`selinuxuser_execstack',`
-+ # Allow making the stack executable via mprotect.
-+ allow confined_admindomain self:process execstack;
-+')
-+
-+optional_policy(`
-+ fs_list_cgroup_dirs(confined_admindomain)
-+')
-+
-+optional_policy(`
-+ ssh_rw_stream_sockets(confined_admindomain)
-+ ssh_delete_tmp(confined_admindomain)
-+ ssh_signal(confined_admindomain)
-+')
-diff --git a/policy/policy_capabilities b/policy/policy_capabilities
-index db3cbca45..3cc5cf448 100644
---- a/policy/policy_capabilities
-+++ b/policy/policy_capabilities
-@@ -31,3 +31,21 @@ policycap network_peer_controls;
- # blk_file: open
- #
- policycap open_perms;
-+
-+
-+# Enable fine-grained labeling of cgroup and cgroup2 filesystems.
-+# Requires Linux v4.11 and later.
-+#
-+# Added checks:
-+# (none)
-+policycap cgroup_seclabel;
-+
-+# Enable NoNewPrivileges support. Requires libsepol 2.7+
-+# and kernel 4.14 (estimated).
-+#
-+# Checks enabled;
-+# process2: nnp_transition, nosuid_transition
-+#
-+policycap nnp_nosuid_transition;
-+
-+
-diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
-index 8b785c9a3..8aa8c3610 100644
---- a/policy/support/file_patterns.spt
-+++ b/policy/support/file_patterns.spt
-@@ -99,9 +99,21 @@ define(`read_files_pattern',`
- allow $1 $3:file read_file_perms;
- ')
-
-+define(`mmap_read_files_pattern',`
-+ allow $1 $2:dir search_dir_perms;
-+ allow $1 $3:file mmap_read_file_perms;
-+')
-+
- define(`mmap_files_pattern',`
-+ # deprecated 20171213
-+ refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
- allow $1 $2:dir search_dir_perms;
-- allow $1 $3:file mmap_file_perms;
-+ allow $1 $3:file mmap_exec_file_perms;
-+')
-+
-+define(`mmap_exec_files_pattern',`
-+ allow $1 $2:dir search_dir_perms;
-+ allow $1 $3:file mmap_exec_file_perms;
- ')
-
- define(`exec_files_pattern',`
-@@ -124,6 +136,11 @@ define(`rw_files_pattern',`
- allow $1 $3:file rw_file_perms;
- ')
-
-+define(`mmap_rw_files_pattern',`
-+ allow $1 $2:dir search_dir_perms;
-+ allow $1 $3:file mmap_rw_file_perms;
-+')
-+
- define(`create_files_pattern',`
- allow $1 $2:dir add_entry_dir_perms;
- allow $1 $3:file create_file_perms;
-diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
-index 4ca5688c3..355ff953c 100644
---- a/policy/support/misc_macros.spt
-+++ b/policy/support/misc_macros.spt
-@@ -67,7 +67,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
- #
- # can_exec(domain,executable)
- #
--define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
-+define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
-
- ########################################
- #
-diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index e79d54501..101086d66 100644
---- a/policy/support/misc_patterns.spt
-+++ b/policy/support/misc_patterns.spt
-@@ -4,7 +4,7 @@
- define(`domain_transition_pattern',`
- allow $1 $2:file { getattr open read execute };
- allow $1 $3:process transition;
-- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-+# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
- ')
-
- # compatibility:
-@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
- domain_transition_pattern($1,$2,$3)
-
- allow $3 $1:fd use;
-- allow $3 $1:fifo_file rw_fifo_file_perms;
-+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
- allow $3 $1:process sigchld;
- ')
-
-@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
- domain_auto_transition_pattern($1,$2,$3)
-
- allow $3 $1:fd use;
-- allow $3 $1:fifo_file rw_fifo_file_perms;
-+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
- allow $3 $1:process sigchld;
- ')
-
-diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e9131723..d63bb8b45 100644
---- a/policy/support/obj_perm_sets.spt
-+++ b/policy/support/obj_perm_sets.spt
-@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
- #
- # All socket classes.
- #
--define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
--
-+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket dccp_socket }')
-
- #
- # Datagram socket classes.
-@@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
- #
- # Permissions for using sockets.
- #
--define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-+define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
-
- #
- # Permissions for creating and using sockets.
-@@ -153,12 +152,22 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
- #
- define(`getattr_file_perms',`{ getattr }')
- define(`setattr_file_perms',`{ setattr }')
--define(`read_file_perms',`{ getattr open read lock ioctl }')
--define(`mmap_file_perms',`{ getattr open read execute ioctl }')
--define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
--define(`append_file_perms',`{ getattr open append lock ioctl }')
--define(`write_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
-+define(`read_file_perms',`{ open read_inherited_file_perms }')
-+define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
-+define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
-+define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
-+define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
-+define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
-+define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
-+define(`append_inherited_file_perms',`{ getattr append }')
-+define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
-+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
-+define(`write_file_perms',`{ open write_inherited_file_perms }')
-+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
-+define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
-+define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
- define(`create_file_perms',`{ getattr create open }')
- define(`rename_file_perms',`{ getattr rename }')
- define(`delete_file_perms',`{ getattr unlink }')
-@@ -179,7 +188,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
- define(`create_lnk_file_perms',`{ create getattr }')
- define(`rename_lnk_file_perms',`{ getattr rename }')
- define(`delete_lnk_file_perms',`{ getattr unlink }')
--define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
-+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
- define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
- define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
- define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -192,7 +201,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
- define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
- define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
- define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
- define(`create_fifo_file_perms',`{ getattr create open }')
- define(`rename_fifo_file_perms',`{ getattr rename }')
- define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,8 +218,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
- define(`setattr_sock_file_perms',`{ setattr }')
- define(`read_sock_file_perms',`{ getattr open read }')
- define(`write_sock_file_perms',`{ getattr write open append }')
--define(`rw_sock_file_perms',`{ getattr open read write append }')
--define(`create_sock_file_perms',`{ getattr create open }')
-+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
-+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
-+define(`create_sock_file_perms',`{ getattr setattr create open }')
- define(`rename_sock_file_perms',`{ getattr rename }')
- define(`delete_sock_file_perms',`{ getattr unlink }')
- define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
-@@ -225,7 +236,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
- define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
- define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
- define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
- define(`create_blk_file_perms',`{ getattr create }')
- define(`rename_blk_file_perms',`{ getattr rename }')
- define(`delete_blk_file_perms',`{ getattr unlink }')
-@@ -242,7 +254,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
- define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
- define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
- define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
- define(`create_chr_file_perms',`{ getattr create }')
- define(`rename_chr_file_perms',`{ getattr rename }')
- define(`delete_chr_file_perms',`{ getattr unlink }')
-@@ -259,7 +272,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
- #
- # Use (read and write) terminals
- #
--define(`rw_term_perms', `{ getattr open read write append ioctl }')
-+define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }')
-+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
-
- #
- # Sockets
-@@ -271,3 +285,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
- # Keys
- #
- define(`manage_key_perms', `{ create link read search setattr view write } ')
-+
-+#
-+# Service
-+#
-+define(`manage_service_perms', `{ start stop status reload enable disable } ')
-diff --git a/policy/users b/policy/users
-index c4ebc7e43..30d6d7a71 100644
---- a/policy/users
-+++ b/policy/users
-@@ -15,7 +15,7 @@
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # user_u is a generic user identity for Linux users who have no
-@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
--gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
--
--# Until order dependence is fixed for users:
--gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # The following users correspond to Unix identities.
-@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --git a/support/Makefile.devel b/support/Makefile.devel
-index b96e9b3d1..510ab8889 100644
---- a/support/Makefile.devel
-+++ b/support/Makefile.devel
-@@ -5,7 +5,7 @@ INSTALL ?= install
- M4 ?= m4
- SED ?= sed
- EINFO ?= echo
--PYTHON ?= python
-+PYTHON ?= python3
- CUT ?= cut
-
- NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
-@@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint
- # set default build options if missing
- TYPE ?= standard
- DIRECT_INITRC ?= n
--POLY ?= n
- QUIET ?= y
-
- genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
-diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
-index 00b94b6ad..90813480d 100644
---- a/support/comment_move_decl.sed
-+++ b/support/comment_move_decl.sed
-@@ -6,7 +6,7 @@
- /optional \{/,/} # end optional/b nextline
-
- /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
--/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
-+/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
- /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
- /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
- /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
deleted file mode 100644
index ce3ef551..00000000
--- a/policy-rawhide-contrib.patch
+++ /dev/null
@@ -1,125648 +0,0 @@
-diff --git a/.gitignore b/.gitignore
-new file mode 100644
-index 000000000..bea575523
---- /dev/null
-+++ b/.gitignore
-@@ -0,0 +1 @@
-+TAGS
-diff --git a/abrt.fc b/abrt.fc
-index 1a93dc578..e948aef59 100644
---- a/abrt.fc
-+++ b/abrt.fc
-@@ -1,31 +1,47 @@
--/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
--/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-
--/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
--/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
--/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
-+
-+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
-+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
-+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
-+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-+
-+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-
--/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
- /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
--/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
-+
-+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+
-+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-+
-+/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0)
-+
-+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-
--/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-
--/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
--/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-
--/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-
--/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
--/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
--/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
--/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-
--/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
--/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-diff --git a/abrt.if b/abrt.if
-index 058d908e4..ee0c55969 100644
---- a/abrt.if
-+++ b/abrt.if
-@@ -1,4 +1,42 @@
--## Automated bug-reporting tool.
-+## ABRT - automated bug-reporting tool
-+
-+########################################
-+##
-+## abrt stub interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_stub',`
-+ gen_require(`
-+ type abrt_t;
-+ ')
-+')
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## ABRT daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`abrt_basic_types_template',`
-+ gen_require(`
-+ attribute abrt_domain;
-+ ')
-+
-+ type $1_t, abrt_domain;
-+ type $1_exec_t;
-+
-+ kernel_read_system_state($1_t)
-+')
-
- ######################################
- ##
-@@ -21,6 +59,25 @@ interface(`abrt_domtrans',`
-
- ######################################
- ##
-+## Execute abrt_dump_oops in the abrt_dump_oops_t domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`abrt_dump_oops_domtrans',`
-+ gen_require(`
-+ type abrt_dump_oops_t, abrt_dump_oops_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
-+')
-+
-+######################################
-+##
- ## Execute abrt in the caller domain.
- ##
- ##
-@@ -40,7 +97,7 @@ interface(`abrt_exec',`
-
- ########################################
- ##
--## Send null signals to abrt.
-+## Send a null signal to abrt.
- ##
- ##
- ##
-@@ -58,7 +115,7 @@ interface(`abrt_signull',`
-
- ########################################
- ##
--## Read process state of abrt.
-+## Allow the domain to read abrt state files in /proc.
- ##
- ##
- ##
-@@ -71,12 +128,13 @@ interface(`abrt_read_state',`
- type abrt_t;
- ')
-
-+ kernel_search_proc($1)
- ps_process_pattern($1, abrt_t)
- ')
-
- ########################################
- ##
--## Connect to abrt over an unix stream socket.
-+## Connect to abrt over a unix stream socket.
- ##
- ##
- ##
-@@ -116,8 +174,7 @@ interface(`abrt_dbus_chat',`
-
- #####################################
- ##
--## Execute abrt-helper in the abrt
--## helper domain.
-+## Execute abrt-helper in the abrt-helper domain.
- ##
- ##
- ##
-@@ -130,15 +187,13 @@ interface(`abrt_domtrans_helper',`
- type abrt_helper_t, abrt_helper_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
- ')
-
- ########################################
- ##
--## Execute abrt helper in the abrt
--## helper domain, and allow the
--## specified role the abrt helper domain.
-+## Execute abrt helper in the abrt_helper domain, and
-+## allow the specified role the abrt_helper domain.
- ##
- ##
- ##
-@@ -163,8 +218,7 @@ interface(`abrt_run_helper',`
-
- ########################################
- ##
--## Create, read, write, and delete
--## abrt cache files.
-+## Read abrt cache
- ##
- ##
- ##
-@@ -172,15 +226,56 @@ interface(`abrt_run_helper',`
- ##
- ##
- #
--interface(`abrt_cache_manage',`
-- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
-- abrt_manage_cache($1)
-+interface(`abrt_read_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## abrt cache content.
-+## Append abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_append_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/Write inherited abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_rw_inherited_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage abrt cache
- ##
- ##
- ##
-@@ -193,7 +288,6 @@ interface(`abrt_manage_cache',`
- type abrt_var_cache_t;
- ')
-
-- files_search_var($1)
- manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-@@ -201,7 +295,7 @@ interface(`abrt_manage_cache',`
-
- ####################################
- ##
--## Read abrt configuration files.
-+## Read abrt configuration file.
- ##
- ##
- ##
-@@ -218,9 +312,29 @@ interface(`abrt_read_config',`
- read_files_pattern($1, abrt_etc_t, abrt_etc_t)
- ')
-
-+####################################
-+##
-+## Dontaudit read abrt configuration file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_dontaudit_read_config',`
-+ gen_require(`
-+ type abrt_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ dontaudit $1 abrt_etc_t:dir list_dir_perms;
-+ dontaudit $1 abrt_etc_t:file read_file_perms;
-+')
-+
- ######################################
- ##
--## Read abrt log files.
-+## Read abrt logs.
- ##
- ##
- ##
-@@ -258,8 +372,7 @@ interface(`abrt_read_pid_files',`
-
- ######################################
- ##
--## Create, read, write, and delete
--## abrt PID files.
-+## Create, read, write, and delete abrt PID files.
- ##
- ##
- ##
-@@ -276,10 +389,52 @@ interface(`abrt_manage_pid_files',`
- manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
- ')
-
-+########################################
-+##
-+## Read and write abrt fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_rw_fifo_file',`
-+ gen_require(`
-+ type abrt_t;
-+ ')
-+
-+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute abrt server in the abrt domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`abrt_systemctl',`
-+ gen_require(`
-+ type abrt_t;
-+ type abrt_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 abrt_unit_file_t:file manage_file_perms;
-+ allow $1 abrt_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, abrt_t)
-+')
-+
- #####################################
- ##
--## All of the rules required to
--## administrate an abrt environment,
-+## All of the rules required to administrate
-+## an abrt environment
- ##
- ##
- ##
-@@ -288,39 +443,174 @@ interface(`abrt_manage_pid_files',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the abrt domain.
- ##
- ##
- ##
- #
- interface(`abrt_admin',`
- gen_require(`
-- attribute abrt_domain;
-- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
-- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
-- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
-+ type abrt_t, abrt_etc_t;
-+ type abrt_var_cache_t, abrt_var_log_t;
-+ type abrt_var_run_t, abrt_tmp_t;
-+ type abrt_initrc_exec_t;
-+ type abrt_unit_file_t;
- ')
-
-- allow $1 abrt_domain:process { ptrace signal_perms };
-- ps_process_pattern($1, abrt_domain)
-+ allow $1 abrt_t:process { signal_perms };
-+ ps_process_pattern($1, abrt_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 abrt_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, abrt_etc_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, abrt_var_log_t)
-
-- files_search_var($1)
-- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
-+ files_list_var($1)
-+ admin_pattern($1, abrt_var_cache_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, abrt_var_run_t)
-
-- files_search_tmp($1)
-+ files_list_tmp($1)
- admin_pattern($1, abrt_tmp_t)
-+
-+ abrt_systemctl($1)
-+ admin_pattern($1, abrt_unit_file_t)
-+ allow $1 abrt_unit_file_t:service all_service_perms;
-+')
-+
-+####################################
-+##
-+## Execute abrt-retrace in the abrt-retrace domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`abrt_domtrans_retrace_worker',`
-+ gen_require(`
-+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
-+')
-+
-+######################################
-+##
-+## Manage abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_manage_spool_retrace',`
-+ gen_require(`
-+ type abrt_retrace_spool_t;
-+ ')
-+
-+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
- ')
-+
-+#####################################
-+##
-+## Read abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_spool_retrace',`
-+ gen_require(`
-+ type abrt_retrace_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
-+
-+
-+#####################################
-+##
-+## Read abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_cache_retrace',`
-+ gen_require(`
-+ type abrt_retrace_cache_t;
-+ ')
-+
-+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write abrt sock files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`abrt_dontaudit_write_sock_file',`
-+ gen_require(`
-+ type abrt_t;
-+ ')
-+
-+ dontaudit $1 abrt_t:sock_file write;
-+')
-+
-+########################################
-+##
-+## Transition to abrt named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_filetrans_named_content',`
-+ gen_require(`
-+ type abrt_tmp_t;
-+ type abrt_etc_t;
-+ type abrt_var_cache_t;
-+ type abrt_var_run_t;
-+ ')
-+
-+ files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
-+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
-+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
-+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
-+ files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
-+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
-+')
-+
-diff --git a/abrt.te b/abrt.te
-index eb50f070f..c23bb4b86 100644
---- a/abrt.te
-+++ b/abrt.te
-@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
- #
-
- ##
--##
--## Determine whether ABRT can modify
--## public files used for public file
--## transfer services.
--##
-+##
-+## Allow ABRT to modify public files
-+## used for public file transfer services.
-+##
- ##
- gen_tunable(abrt_anon_write, false)
-
-@@ -37,87 +36,99 @@ attribute abrt_domain;
- attribute_role abrt_helper_roles;
- roleattribute system_r abrt_helper_roles;
-
--type abrt_t, abrt_domain;
--type abrt_exec_t;
-+abrt_basic_types_template(abrt)
- init_daemon_domain(abrt_t, abrt_exec_t)
-
- type abrt_initrc_exec_t;
- init_script_file(abrt_initrc_exec_t)
-
-+type abrt_unit_file_t;
-+systemd_unit_file(abrt_unit_file_t)
-+
- type abrt_etc_t;
- files_config_file(abrt_etc_t)
-
- type abrt_var_log_t;
- logging_log_file(abrt_var_log_t)
-
-+type abrt_var_lib_t;
-+files_type(abrt_var_lib_t)
-+
- type abrt_tmp_t;
- files_tmp_file(abrt_tmp_t)
-
- type abrt_var_cache_t;
- files_type(abrt_var_cache_t)
-+files_tmp_file(abrt_var_cache_t)
-+userdom_user_tmp_content(abrt_var_cache_t)
-
- type abrt_var_run_t;
- files_pid_file(abrt_var_run_t)
-
--type abrt_dump_oops_t, abrt_domain;
--type abrt_dump_oops_exec_t;
-+abrt_basic_types_template(abrt_dump_oops)
- init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
-+domain_obj_id_change_exemption(abrt_dump_oops_t)
-
--type abrt_handle_event_t, abrt_domain;
--type abrt_handle_event_exec_t;
--domain_type(abrt_handle_event_t)
--domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
-+abrt_basic_types_template(abrt_handle_event)
-+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
- role system_r types abrt_handle_event_t;
-
--type abrt_helper_t, abrt_domain;
--type abrt_helper_exec_t;
-+# type needed to allow all domains
-+# to handle /var/cache/abrt
-+# type needed to allow all domains
-+# to handle /var/cache/abrt
-+abrt_basic_types_template(abrt_helper)
- application_domain(abrt_helper_t, abrt_helper_exec_t)
- role abrt_helper_roles types abrt_helper_t;
-
--type abrt_retrace_coredump_t, abrt_domain;
--type abrt_retrace_coredump_exec_t;
--domain_type(abrt_retrace_coredump_t)
--domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
--role system_r types abrt_retrace_coredump_t;
--
--type abrt_retrace_worker_t, abrt_domain;
--type abrt_retrace_worker_exec_t;
--domain_type(abrt_retrace_worker_t)
--domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
-+abrt_basic_types_template(abrt_retrace_worker)
-+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
- role system_r types abrt_retrace_worker_t;
-
-+abrt_basic_types_template(abrt_retrace_coredump)
-+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-+role system_r types abrt_retrace_coredump_t;
-+
- type abrt_retrace_cache_t;
- files_type(abrt_retrace_cache_t)
-
- type abrt_retrace_spool_t;
--files_type(abrt_retrace_spool_t)
-+files_spool_file(abrt_retrace_spool_t)
-
--type abrt_watch_log_t, abrt_domain;
--type abrt_watch_log_exec_t;
-+abrt_basic_types_template(abrt_watch_log)
- init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-
--type abrt_upload_watch_t, abrt_domain;
--type abrt_upload_watch_exec_t;
-+abrt_basic_types_template(abrt_upload_watch)
- init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
-
-+type abrt_upload_watch_tmp_t;
-+files_tmp_file(abrt_upload_watch_tmp_t)
-+
-+
- ifdef(`enable_mcs',`
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
- ')
-
- ########################################
- #
--# Local policy
-+# abrt local policy
- #
-
--allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
--dontaudit abrt_t self:capability sys_rawio;
-+allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
-+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
- allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
-+
- allow abrt_t self:fifo_file rw_fifo_file_perms;
--allow abrt_t self:tcp_socket { accept listen };
-+allow abrt_t self:tcp_socket create_stream_socket_perms;
-+allow abrt_t self:udp_socket create_socket_perms;
-+allow abrt_t self:unix_dgram_socket create_socket_perms;
-+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
-
--allow abrt_t abrt_etc_t:dir list_dir_perms;
-+# abrt etc files
-+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
- rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
-
-+# log file
- manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
- logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-
-@@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
- manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
- manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
- files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
-+can_exec(abrt_t, abrt_tmp_t)
-
-+# abrt var/cache files
- manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
- files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
- files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
-+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
-+allow abrt_t abrt_var_cache_t:file map;
-
-+# abrt pid files
- manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-
--can_exec(abrt_t, abrt_tmp_t)
-+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
-+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
-+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
-
-+kernel_read_all_proc(abrt_t)
- kernel_read_ring_buffer(abrt_t)
--kernel_read_system_state(abrt_t)
-+kernel_read_network_state(abrt_t)
-+kernel_read_software_raid_state(abrt_t)
- kernel_request_load_module(abrt_t)
-+kernel_rw_usermodehelper_state(abrt_t)
- kernel_rw_kernel_sysctl(abrt_t)
-+# needed by docker BZ #1194280
-+kernel_read_net_sysctls(abrt_t)
-+kernel_rw_usermodehelper_state(abrt_t)
-
- corecmd_exec_bin(abrt_t)
- corecmd_exec_shell(abrt_t)
- corecmd_read_all_executables(abrt_t)
-
- corenet_all_recvfrom_netlabel(abrt_t)
--corenet_all_recvfrom_unlabeled(abrt_t)
- corenet_tcp_sendrecv_generic_if(abrt_t)
- corenet_tcp_sendrecv_generic_node(abrt_t)
--corenet_tcp_sendrecv_all_ports(abrt_t)
-+corenet_tcp_sendrecv_generic_port(abrt_t)
- corenet_tcp_bind_generic_node(abrt_t)
--
--corenet_sendrecv_all_client_packets(abrt_t)
- corenet_tcp_connect_http_port(abrt_t)
- corenet_tcp_connect_ftp_port(abrt_t)
- corenet_tcp_connect_all_ports(abrt_t)
-+corenet_sendrecv_http_client_packets(abrt_t)
-
- dev_getattr_all_chr_files(abrt_t)
- dev_getattr_all_blk_files(abrt_t)
- dev_read_rand(abrt_t)
- dev_read_urand(abrt_t)
- dev_rw_sysfs(abrt_t)
--dev_dontaudit_read_raw_memory(abrt_t)
-+dev_read_raw_memory(abrt_t)
-+dev_write_kmsg(abrt_t)
-
- domain_getattr_all_domains(abrt_t)
- domain_read_all_domains_state(abrt_t)
-@@ -176,29 +199,46 @@ files_getattr_all_files(abrt_t)
- files_read_config_files(abrt_t)
- files_read_etc_runtime_files(abrt_t)
- files_read_var_symlinks(abrt_t)
--files_read_usr_files(abrt_t)
-+files_read_var_lib_files(abrt_t)
-+files_read_generic_tmp_files(abrt_t)
- files_read_kernel_modules(abrt_t)
-+files_dontaudit_list_default(abrt_t)
- files_dontaudit_read_default_files(abrt_t)
- files_dontaudit_read_all_symlinks(abrt_t)
- files_dontaudit_getattr_all_sockets(abrt_t)
- files_list_mnt(abrt_t)
-+fs_list_all(abrt_t)
-
-+fs_list_inotifyfs(abrt_t)
- fs_getattr_all_fs(abrt_t)
- fs_getattr_all_dirs(abrt_t)
--fs_list_inotifyfs(abrt_t)
- fs_read_fusefs_files(abrt_t)
-+fs_mmap_fusefs_files(abrt_t)
- fs_read_noxattr_fs_files(abrt_t)
- fs_read_nfs_files(abrt_t)
- fs_read_nfs_symlinks(abrt_t)
- fs_search_all(abrt_t)
-+fs_getattr_nsfs_files(abrt_t)
-
--auth_use_nsswitch(abrt_t)
-+storage_dontaudit_read_fixed_disk(abrt_t)
-
- logging_read_generic_logs(abrt_t)
-+logging_mmap_journal(abrt_t)
-+logging_send_syslog_msg(abrt_t)
-+logging_stream_connect_syslog(abrt_t)
-+logging_read_syslog_pid(abrt_t)
-+
-+auth_use_nsswitch(abrt_t)
-
-+init_read_utmp(abrt_t)
-+
-+miscfiles_read_generic_certs(abrt_t)
- miscfiles_read_public_files(abrt_t)
-+miscfiles_dontaudit_access_check_cert(abrt_t)
-+miscfiles_dontaudit_write_generic_cert_files(abrt_t)
-
- userdom_dontaudit_read_user_home_content_files(abrt_t)
-+userdom_dontaudit_read_admin_home_files(abrt_t)
-
- tunable_policy(`abrt_anon_write',`
- miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +246,11 @@ tunable_policy(`abrt_anon_write',`
-
- optional_policy(`
- apache_list_modules(abrt_t)
-- apache_read_module_files(abrt_t)
-+ apache_read_modules(abrt_t)
- ')
-
- optional_policy(`
- dbus_system_domain(abrt_t, abrt_exec_t)
--
-- optional_policy(`
-- policykit_dbus_chat(abrt_t)
-- ')
- ')
-
- optional_policy(`
-@@ -222,6 +258,37 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ container_stream_connect(abrt_t)
-+')
-+
-+optional_policy(`
-+ kdump_read_crash(abrt_t)
-+')
-+
-+optional_policy(`
-+ lvm_dontaudit_rw_lock_dir(abrt_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(abrt_t)
-+ mta_manage_home_rw(abrt_t)
-+')
-+
-+optional_policy(`
-+ mcelog_read_log(abrt_t)
-+')
-+
-+optional_policy(`
-+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
-+ mozilla_plugin_read_rw_files(abrt_t)
-+')
-+
-+optional_policy(`
-+ pcp_read_lib_files(abrt_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(abrt_t)
- policykit_domtrans_auth(abrt_t)
- policykit_read_lib(abrt_t)
- policykit_read_reload(abrt_t)
-@@ -234,18 +301,25 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ puppet_read_lib(abrt_t)
-+')
-+
-+# to install debuginfo packages
-+optional_policy(`
- rpm_exec(abrt_t)
- rpm_dontaudit_manage_db(abrt_t)
- rpm_manage_cache(abrt_t)
- rpm_manage_log(abrt_t)
- rpm_manage_pid_files(abrt_t)
-+ rpm_read_tmp_files(abrt_t)
- rpm_read_db(abrt_t)
- rpm_signull(abrt_t)
- ')
-
--optional_policy(`
-- sendmail_domtrans(abrt_t)
--')
-+# to run mailx plugin
-+#optional_policy(`
-+# sendmail_domtrans(abrt_t)
-+#')
-
- optional_policy(`
- sosreport_domtrans(abrt_t)
-@@ -253,9 +327,21 @@ optional_policy(`
- sosreport_delete_tmp_files(abrt_t)
- ')
-
-+optional_policy(`
-+ sssd_stream_connect(abrt_t)
-+')
-+
-+optional_policy(`
-+ xserver_read_log(abrt_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(abrt_t)
-+')
-+
- #######################################
- #
--# Handle-event local policy
-+# abrt-handle-event local policy
- #
-
- allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +352,13 @@ tunable_policy(`abrt_handle_event',`
- can_exec(abrt_t, abrt_handle_event_exec_t)
- ')
-
-+optional_policy(`
-+ unconfined_domain(abrt_handle_event_t)
-+')
-+
- ########################################
- #
--# Helper local policy
-+# abrt--helper local policy
- #
-
- allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +371,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
- files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
-+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
-
- read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
- read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +380,20 @@ corecmd_read_all_executables(abrt_helper_t)
-
- domain_read_all_domains_state(abrt_helper_t)
-
-+files_dontaudit_all_non_security_leaks(abrt_helper_t)
-+
- fs_list_inotifyfs(abrt_helper_t)
- fs_getattr_all_fs(abrt_helper_t)
-
- auth_use_nsswitch(abrt_helper_t)
-
-+logging_send_syslog_msg(abrt_helper_t)
-+
- term_dontaudit_use_all_ttys(abrt_helper_t)
- term_dontaudit_use_all_ptys(abrt_helper_t)
-
- ifdef(`hide_broken_symptoms',`
-+ domain_dontaudit_leaks(abrt_helper_t)
- userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
- userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
- dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +401,25 @@ ifdef(`hide_broken_symptoms',`
- dev_dontaudit_write_all_chr_files(abrt_helper_t)
- dev_dontaudit_write_all_blk_files(abrt_helper_t)
- fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
-+
-+ optional_policy(`
-+ rpm_dontaudit_leaks(abrt_helper_t)
-+ ')
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow abrt_t self:capability sys_resource;
-+ allow abrt_t domain:file write;
-+ allow abrt_t domain:process setrlimit;
- ')
-
- #######################################
- #
--# Retrace coredump policy
-+# abrt retrace coredump policy
- #
-
- allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +437,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
-
- dev_read_urand(abrt_retrace_coredump_t)
-
--files_read_usr_files(abrt_retrace_coredump_t)
-+
-+logging_send_syslog_msg(abrt_retrace_coredump_t)
-
- sysnet_dns_name_resolve(abrt_retrace_coredump_t)
-
-+# to install debuginfo packages
- optional_policy(`
- rpm_exec(abrt_retrace_coredump_t)
- rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +455,11 @@ optional_policy(`
-
- #######################################
- #
--# Retrace worker policy
-+# abrt retrace worker policy
- #
-
--allow abrt_retrace_worker_t self:capability setuid;
-+allow abrt_retrace_worker_t self:capability { setuid };
-+
- allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
-
- domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +478,90 @@ corecmd_exec_shell(abrt_retrace_worker_t)
-
- dev_read_urand(abrt_retrace_worker_t)
-
--files_read_usr_files(abrt_retrace_worker_t)
-+
-+logging_send_syslog_msg(abrt_retrace_worker_t)
-
- sysnet_dns_name_resolve(abrt_retrace_worker_t)
-
-+optional_policy(`
-+ mock_domtrans(abrt_retrace_worker_t)
-+ mock_manage_lib_files(abrt_t)
-+')
-+
- ########################################
- #
--# Dump oops local policy
-+# abrt_dump_oops local policy
- #
-
--allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search setuid setgid };
-+allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
-+allow abrt_dump_oops_t self:process {setfscreate setcap};
- allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
--allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
-+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
-
- files_search_spool(abrt_dump_oops_t)
- manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
- files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
-+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
-+
-+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
-+manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
-
- read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
- read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
-
- read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
-
-+kernel_read_debugfs(abrt_dump_oops_t)
- kernel_read_kernel_sysctls(abrt_dump_oops_t)
- kernel_read_ring_buffer(abrt_dump_oops_t)
-+kernel_read_security_state(abrt_dump_oops_t)
-+
-+auth_read_passwd(abrt_dump_oops_t)
-+
-+corecmd_getattr_all_executables(abrt_dump_oops_t)
-+corecmd_exec_bin(abrt_dump_oops_t)
-+
-+dev_read_urand(abrt_dump_oops_t)
-+dev_read_rand(abrt_dump_oops_t)
-
- domain_use_interactive_fds(abrt_dump_oops_t)
-+domain_signull_all_domains(abrt_dump_oops_t)
-+domain_read_all_domains_state(abrt_dump_oops_t)
-+domain_getattr_all_domains(abrt_dump_oops_t)
-+
-+tunable_policy(`deny_ptrace',`',`
-+ domain_ptrace_all_domains(abrt_dump_oops_t)
-+')
-
-+files_manage_non_security_dirs(abrt_dump_oops_t)
-+files_manage_non_security_files(abrt_dump_oops_t)
-+
-+fs_getattr_all_fs(abrt_dump_oops_t)
- fs_list_inotifyfs(abrt_dump_oops_t)
-+fs_list_pstorefs(abrt_dump_oops_t)
-+fs_getattr_nsfs_files(abrt_dump_oops_t)
-+
-+selinux_compute_create_context(abrt_dump_oops_t)
-
- logging_read_generic_logs(abrt_dump_oops_t)
-+logging_read_syslog_pid(abrt_dump_oops_t)
-+logging_send_syslog_msg(abrt_dump_oops_t)
-+logging_mmap_generic_logs(abrt_dump_oops_t)
-+logging_mmap_journal(abrt_dump_oops_t)
-+
-+init_read_var_lib_files(abrt_dump_oops_t)
-+
-+optional_policy(`
-+ sssd_read_public_files(abrt_dump_oops_t)
-+ sssd_stream_connect(abrt_dump_oops_t)
-+')
-+
-+optional_policy(`
-+ xserver_exec(abrt_dump_oops_t)
-+')
-
- #######################################
- #
-@@ -404,25 +569,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
- #
-
- allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
--allow abrt_watch_log_t self:unix_stream_socket { accept listen };
-+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
-
- read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-
-+auth_read_passwd(abrt_watch_log_t)
-+auth_use_nsswitch(abrt_watch_log_t)
-+
- domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
-
- corecmd_exec_bin(abrt_watch_log_t)
-
- logging_read_all_logs(abrt_watch_log_t)
-+logging_send_syslog_msg(abrt_watch_log_t)
-+
-+optional_policy(`
-+ gnome_list_home_config(abrt_watch_log_t)
-+')
-+
-+tunable_policy(`abrt_upload_watch_anon_write',`
-+ miscfiles_manage_public_files(abrt_upload_watch_t)
-+')
-
- #######################################
- #
- # Upload watch local policy
- #
-
-+allow abrt_upload_watch_t self:capability { dac_read_search chown fsetid };
-+
-+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
-+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
-+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
-+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
-+
-+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
-+
-+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
-+
-+abrt_dbus_chat(abrt_upload_watch_t)
-+
- corecmd_exec_bin(abrt_upload_watch_t)
-
-+dev_read_urand(abrt_upload_watch_t)
-+
-+files_search_spool(abrt_upload_watch_t)
-+
-+auth_read_passwd(abrt_upload_watch_t)
-+
- tunable_policy(`abrt_upload_watch_anon_write',`
-- miscfiles_manage_public_files(abrt_upload_watch_t)
-+ miscfiles_manage_public_files(abrt_upload_watch_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(abrt_upload_watch_t)
- ')
-
- #######################################
-@@ -430,10 +630,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
- # Global local policy
- #
-
--kernel_read_system_state(abrt_domain)
-+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
-+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
-
- files_read_etc_files(abrt_domain)
--
--logging_send_syslog_msg(abrt_domain)
--
--miscfiles_read_localization(abrt_domain)
-diff --git a/accountsd.fc b/accountsd.fc
-index f9d8d7a92..068271030 100644
---- a/accountsd.fc
-+++ b/accountsd.fc
-@@ -1,3 +1,5 @@
-+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
-+
- /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
-
- /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
-diff --git a/accountsd.if b/accountsd.if
-index bd5ec9ab0..554177cd2 100644
---- a/accountsd.if
-+++ b/accountsd.if
-@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
--##
-+#
-+interface(`accountsd_systemctl',`
-+ gen_require(`
-+ type accountsd_t;
-+ type accountsd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 accountsd_unit_file_t:file read_file_perms;
-+ allow $1 accountsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, accountsd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an accountsd environment
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
--##
- #
- interface(`accountsd_admin',`
- gen_require(`
- type accountsd_t;
-+ type accountsd_unit_file_t;
- ')
-
-- allow $1 accountsd_t:process { ptrace signal_perms };
-+ allow $1 accountsd_t:process signal_perms;
- ps_process_pattern($1, accountsd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 accountsd_t:process ptrace;
-+ ')
-+
- accountsd_manage_lib_files($1)
-+
-+ accountsd_systemctl($1)
-+ admin_pattern($1, accountsd_unit_file_t)
-+ allow $1 accountsd_unit_file_t:service all_service_perms;
- ')
-diff --git a/accountsd.te b/accountsd.te
-index 3593510d8..15ce4ef6c 100644
---- a/accountsd.te
-+++ b/accountsd.te
-@@ -4,6 +4,10 @@ gen_require(`
- class passwd all_passwd_perms;
- ')
-
-+gen_require(`
-+ class passwd { passwd chfn chsh rootok crontab };
-+')
-+
- ########################################
- #
- # Declarations
-@@ -11,17 +15,21 @@ gen_require(`
-
- type accountsd_t;
- type accountsd_exec_t;
--dbus_system_domain(accountsd_t, accountsd_exec_t)
-+init_daemon_domain(accountsd_t, accountsd_exec_t)
-+role system_r types accountsd_t;
-
- type accountsd_var_lib_t;
- files_type(accountsd_var_lib_t)
-
-+type accountsd_unit_file_t;
-+systemd_unit_file(accountsd_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
-+allow accountsd_t self:capability { chown dac_read_search setuid setgid sys_ptrace };
- allow accountsd_t self:process signal;
- allow accountsd_t self:fifo_file rw_fifo_file_perms;
- allow accountsd_t self:passwd { rootok passwd chfn chsh };
-@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
- dev_read_sysfs(accountsd_t)
-
- files_read_mnt_files(accountsd_t)
--files_read_usr_files(accountsd_t)
-
- fs_getattr_xattr_fs(accountsd_t)
- fs_list_inotifyfs(accountsd_t)
-@@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t)
- auth_read_login_records(accountsd_t)
- auth_read_shadow(accountsd_t)
-
--miscfiles_read_localization(accountsd_t)
-+init_dbus_chat(accountsd_t)
-
- logging_list_logs(accountsd_t)
- logging_send_syslog_msg(accountsd_t)
- logging_set_loginuid(accountsd_t)
-
-+userdom_dontaudit_create_admin_dir(accountsd_t)
-+userdom_dontaudit_manage_admin_dir(accountsd_t)
-+
- userdom_read_user_tmp_files(accountsd_t)
- userdom_read_user_home_content_files(accountsd_t)
-
-@@ -66,9 +76,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dbus_system_domain(accountsd_t, accountsd_exec_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(accountsd_t)
- ')
-
- optional_policy(`
- xserver_read_xdm_tmp_files(accountsd_t)
-+ xserver_read_state_xdm(accountsd_t)
-+ xserver_dbus_chat_xdm(accountsd_t)
-+ xserver_manage_xdm_etc_files(accountsd_t)
- ')
-diff --git a/acct.if b/acct.if
-index 81280d008..bc4038b45 100644
---- a/acct.if
-+++ b/acct.if
-@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
-
- ########################################
- ##
-+## Dontaudit Attempts to list acct_data directory
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`acct_dontaudit_list_data',`
-+ gen_require(`
-+ type acct_data_t;
-+ ')
-+
-+ dontaudit $1 acct_data_t:dir list_dir_perms;
-+')
-+
-+#######################################
-+##
- ## All of the rules required to
- ## administrate an acct environment.
- ##
-@@ -103,9 +121,13 @@ interface(`acct_admin',`
- type acct_t, acct_initrc_exec_t, acct_data_t;
- ')
-
-- allow $1 acct_t:process { ptrace signal_perms };
-+ allow $1 acct_t:process { signal_perms };
- ps_process_pattern($1, acct_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 acct_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, acct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 acct_initrc_exec_t system_r;
-diff --git a/acct.te b/acct.te
-index 8b9ad83c5..f4f24864b 100644
---- a/acct.te
-+++ b/acct.te
-@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
- dev_read_sysfs(acct_t)
- dev_read_urand(acct_t)
-
--domain_use_interactive_fds(acct_t)
--
- fs_search_auto_mountpoints(acct_t)
- fs_getattr_xattr_fs(acct_t)
-
-@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
- term_dontaudit_use_generic_ptys(acct_t)
-
- files_read_etc_runtime_files(acct_t)
--files_list_usr(acct_t)
-
- auth_use_nsswitch(acct_t)
-
-@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
-
- logging_send_syslog_msg(acct_t)
-
--miscfiles_read_localization(acct_t)
--
- userdom_dontaudit_search_user_home_dirs(acct_t)
- userdom_dontaudit_use_unpriv_user_fds(acct_t)
-
-diff --git a/ada.te b/ada.te
-index 8d42c97ae..2377f8f82 100644
---- a/ada.te
-+++ b/ada.te
-@@ -20,7 +20,7 @@ role ada_roles types ada_t;
-
- allow ada_t self:process { execstack execmem };
-
--userdom_use_user_terminals(ada_t)
-+userdom_use_inherited_user_terminals(ada_t)
-
- optional_policy(`
- unconfined_domain(ada_t)
-diff --git a/afs.fc b/afs.fc
-index 8926c1696..206ea16fd 100644
---- a/afs.fc
-+++ b/afs.fc
-@@ -3,6 +3,8 @@
- /etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
-
-+/usr/afs(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
-+
- /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
- /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
- /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
-@@ -10,6 +12,10 @@
- /usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
- /usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
- /usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
-+/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
-+/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
-+/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
-+/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
-
- /usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
- /usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
-diff --git a/afs.if b/afs.if
-index 3b41be699..97d99f979 100644
---- a/afs.if
-+++ b/afs.if
-@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
-
- ########################################
- ##
-+## Read AFS config data
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`afs_read_config',`
-+ gen_require(`
-+ type afs_config_t;
-+ ')
-+
-+ read_files_pattern($1, afs_config_t, afs_config_t)
-+')
-+
-+########################################
-+##
- ## Read and write afs cache files.
- ##
- ##
-@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
- interface(`afs_admin',`
- gen_require(`
- attribute afs_domain;
-- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
-+ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
- type afs_ka_db_t, afs_vl_db_t, afs_config_t;
- type afs_logfile_t, afs_cache_t, afs_files_t;
- ')
-
-- allow $1 afs_domain:process { ptrace signal_perms };
-- ps_process_pattern($1, afs_domain)
-+ allow $1 afs_t:process signal_perms;
-+ ps_process_pattern($1, afs_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 afs_t:process ptrace;
-+ ')
-
- afs_initrc_domtrans($1)
- domain_system_change_exemption($1)
-diff --git a/afs.te b/afs.te
-index 90ce63748..9855b3b11 100644
---- a/afs.te
-+++ b/afs.te
-@@ -72,7 +72,7 @@ role system_r types afs_vlserver_t;
- # afs client local policy
- #
-
--allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
-+allow afs_t self:capability { dac_read_search sys_admin sys_nice sys_tty_config };
- allow afs_t self:process { setsched signal };
- allow afs_t self:fifo_file rw_file_perms;
- allow afs_t self:unix_stream_socket { accept listen };
-@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
-
- kernel_rw_afs_state(afs_t)
-
-+corenet_all_recvfrom_netlabel(afs_t)
-+corenet_tcp_sendrecv_generic_if(afs_t)
-+corenet_udp_sendrecv_generic_if(afs_t)
-+corenet_tcp_sendrecv_generic_node(afs_t)
-+corenet_udp_sendrecv_generic_node(afs_t)
-+corenet_tcp_sendrecv_all_ports(afs_t)
-+corenet_udp_sendrecv_all_ports(afs_t)
-+corenet_udp_bind_generic_node(afs_t)
-+
- files_mounton_mnt(afs_t)
--files_read_usr_files(afs_t)
- files_rw_etc_runtime_files(afs_t)
-
- fs_getattr_xattr_fs(afs_t)
-@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
-
- logging_send_syslog_msg(afs_t)
-
-+sysnet_dns_name_resolve(afs_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ kernel_rw_unlabeled_files(afs_t)
-+')
-+
- ########################################
- #
- # AFS bossserver local policy
-@@ -105,8 +119,11 @@ can_exec(afs_bosserver_t, afs_bosserver_exec_t)
-
- manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
- manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
-+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_config_t, dir, "local")
-
--allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
-+manage_files_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
-+manage_dirs_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
-+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_dbdir_t, dir, "db")
-
- allow afs_bosserver_t afs_fsserver_t:process signal_perms;
- domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
-@@ -125,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
-
- kernel_read_kernel_sysctls(afs_bosserver_t)
-
--corenet_all_recvfrom_unlabeled(afs_bosserver_t)
- corenet_all_recvfrom_netlabel(afs_bosserver_t)
- corenet_udp_sendrecv_generic_if(afs_bosserver_t)
- corenet_udp_sendrecv_generic_node(afs_bosserver_t)
-@@ -136,24 +152,24 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
- corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
-
- files_list_home(afs_bosserver_t)
--files_read_usr_files(afs_bosserver_t)
-
- seutil_read_config(afs_bosserver_t)
-
-+optional_policy(`
-+ kerberos_read_config(afs_bosserver_t)
-+')
-+
- ########################################
- #
- # fileserver local policy
- #
-
--allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
-+allow afs_fsserver_t self:capability { kill dac_read_search chown fowner sys_nice };
- dontaudit afs_fsserver_t self:capability fsetid;
- allow afs_fsserver_t self:process { setsched signal_perms };
- allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
- allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
-
--read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
--allow afs_fsserver_t afs_config_t:dir list_dir_perms;
--
- manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
- manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-
-@@ -175,12 +191,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
-
- corenet_all_recvfrom_unlabeled(afs_fsserver_t)
- corenet_all_recvfrom_netlabel(afs_fsserver_t)
-+corenet_tcp_bind_generic_node(afs_fsserver_t)
-+corenet_udp_bind_generic_node(afs_fsserver_t)
- corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
- corenet_udp_sendrecv_generic_if(afs_fsserver_t)
- corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
- corenet_udp_sendrecv_generic_node(afs_fsserver_t)
--corenet_tcp_bind_generic_node(afs_fsserver_t)
--corenet_udp_bind_generic_node(afs_fsserver_t)
-+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
-+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-
- corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
- corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
-@@ -190,7 +208,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
-
- files_read_etc_runtime_files(afs_fsserver_t)
- files_list_home(afs_fsserver_t)
--files_read_usr_files(afs_fsserver_t)
- files_list_pids(afs_fsserver_t)
- files_dontaudit_search_mnt(afs_fsserver_t)
-
-@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
-
- kernel_read_kernel_sysctls(afs_kaserver_t)
-
--corenet_all_recvfrom_unlabeled(afs_kaserver_t)
- corenet_all_recvfrom_netlabel(afs_kaserver_t)
- corenet_udp_sendrecv_generic_if(afs_kaserver_t)
- corenet_udp_sendrecv_generic_node(afs_kaserver_t)
-@@ -239,7 +255,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
- corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
-
- files_list_home(afs_kaserver_t)
--files_read_usr_files(afs_kaserver_t)
-
- seutil_read_config(afs_kaserver_t)
-
-@@ -253,16 +268,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
- allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
- allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
-
--read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
--allow afs_ptserver_t afs_config_t:dir list_dir_perms;
--
- manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
- manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
-
- manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
- filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
-
--corenet_all_recvfrom_unlabeled(afs_ptserver_t)
- corenet_all_recvfrom_netlabel(afs_ptserver_t)
- corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
- corenet_udp_sendrecv_generic_if(afs_ptserver_t)
-@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
- corenet_udp_bind_afs_pt_port(afs_ptserver_t)
- corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
-
-+sysnet_read_config(afs_ptserver_t)
-+
- userdom_dontaudit_use_user_terminals(afs_ptserver_t)
-
- ########################################
-@@ -284,16 +297,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
- allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
- allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
-
--read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
--allow afs_vlserver_t afs_config_t:dir list_dir_perms;
--
- manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
- manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
-
- manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
- filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
-
--corenet_all_recvfrom_unlabeled(afs_vlserver_t)
- corenet_all_recvfrom_netlabel(afs_vlserver_t)
- corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
- corenet_udp_sendrecv_generic_if(afs_vlserver_t)
-@@ -314,8 +323,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
-
- allow afs_domain self:udp_socket create_socket_perms;
-
--files_read_etc_files(afs_domain)
--
--miscfiles_read_localization(afs_domain)
-+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
-+allow afs_domain afs_config_t:dir list_dir_perms;
-
- sysnet_read_config(afs_domain)
-+
-diff --git a/aiccu.if b/aiccu.if
-index 3b5dcb947..fbe187fe1 100644
---- a/aiccu.if
-+++ b/aiccu.if
-@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
- type aiccu_var_run_t;
- ')
-
-- allow $1 aiccu_t:process { ptrace signal_perms };
-+ allow $1 aiccu_t:process signal_perms;
- ps_process_pattern($1, aiccu_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 aiccu_t:process ptrace;
-+ ')
-+
- aiccu_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 aiccu_initrc_exec_t system_r;
-diff --git a/aiccu.te b/aiccu.te
-index 5d2b90e04..7374df0b9 100644
---- a/aiccu.te
-+++ b/aiccu.te
-@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
- corenet_tcp_bind_generic_node(aiccu_t)
- corenet_tcp_sendrecv_generic_if(aiccu_t)
- corenet_tcp_sendrecv_generic_node(aiccu_t)
--
- corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
- corenet_tcp_connect_sixxsconfig_port(aiccu_t)
- corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
-@@ -60,17 +59,24 @@ domain_use_interactive_fds(aiccu_t)
- dev_read_rand(aiccu_t)
- dev_read_urand(aiccu_t)
-
--files_read_etc_files(aiccu_t)
-+
-+auth_read_passwd(aiccu_t)
-
- logging_send_syslog_msg(aiccu_t)
-
--miscfiles_read_localization(aiccu_t)
-+optional_policy(`
-+ gnome_dontaudit_search_config(aiccu_t)
-+')
-
- optional_policy(`
- modutils_domtrans_insmod(aiccu_t)
- ')
-
- optional_policy(`
-+ pcscd_stream_connect(aiccu_t)
-+')
-+
-+optional_policy(`
- sysnet_dns_name_resolve(aiccu_t)
- sysnet_domtrans_ifconfig(aiccu_t)
- ')
-diff --git a/aide.if b/aide.if
-index 01cbb67df..94a4a2406 100644
---- a/aide.if
-+++ b/aide.if
-@@ -67,9 +67,13 @@ interface(`aide_admin',`
- type aide_t, aide_db_t, aide_log_t;
- ')
-
-- allow $1 aide_t:process { ptrace signal_perms };
-+ allow $1 aide_t:process signal_perms;
- ps_process_pattern($1, aide_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 aide_t:process ptrace;
-+ ')
-+
- aide_run($1, $2)
-
- files_list_etc($1)
-diff --git a/aide.te b/aide.te
-index 03831e6e5..93a15b5de 100644
---- a/aide.te
-+++ b/aide.te
-@@ -10,6 +10,7 @@ attribute_role aide_roles;
- type aide_t;
- type aide_exec_t;
- application_domain(aide_t, aide_exec_t)
-+cron_system_entry(aide_t, aide_exec_t)
- role aide_roles types aide_t;
-
- type aide_log_t;
-@@ -23,23 +24,39 @@ files_type(aide_db_t)
- # Local policy
- #
-
--allow aide_t self:capability { dac_override fowner };
-+allow aide_t self:capability { dac_read_search fowner ipc_lock sys_admin };
-+allow aide_t self:process signal;
-
- manage_files_pattern(aide_t, aide_db_t, aide_db_t)
-+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
-
--create_files_pattern(aide_t, aide_log_t, aide_log_t)
--append_files_pattern(aide_t, aide_log_t, aide_log_t)
--setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
-+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
- logging_log_filetrans(aide_t, aide_log_t, file)
-
-+dev_read_rand(aide_t)
-+dev_read_urand(aide_t)
-+
- files_read_all_files(aide_t)
- files_read_all_symlinks(aide_t)
-+files_getattr_all_pipes(aide_t)
-+files_getattr_all_sockets(aide_t)
-+
-+mls_file_read_to_clearance(aide_t)
-+mls_file_write_to_clearance(aide_t)
-
- logging_send_audit_msgs(aide_t)
- logging_send_syslog_msg(aide_t)
-
--userdom_use_user_terminals(aide_t)
-+userdom_use_inherited_user_terminals(aide_t)
-+
-+optional_policy(`
-+ prelink_domtrans(aide_t)
-+')
-
- optional_policy(`
- seutil_use_newrole_fds(aide_t)
- ')
-+
-+optional_policy(`
-+ sssd_stream_connect(aide_t)
-+')
-diff --git a/aisexec.if b/aisexec.if
-index a2997fa57..861cebdf9 100644
---- a/aisexec.if
-+++ b/aisexec.if
-@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
- type aisexec_initrc_exec_t;
- ')
-
-- allow $1 aisexec_t:process { ptrace signal_perms };
-+ allow $1 aisexec_t:process signal_perms;
- ps_process_pattern($1, aisexec_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 aisexec_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 aisexec_initrc_exec_t system_r;
-diff --git a/aisexec.te b/aisexec.te
-index 4e4f06364..808e067e8 100644
---- a/aisexec.te
-+++ b/aisexec.te
-@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
- kernel_read_system_state(aisexec_t)
-
- corecmd_exec_bin(aisexec_t)
-+corecmd_exec_shell(aisexec_t)
-
- corenet_all_recvfrom_unlabeled(aisexec_t)
- corenet_all_recvfrom_netlabel(aisexec_t)
-@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
-
- logging_send_syslog_msg(aisexec_t)
-
--miscfiles_read_localization(aisexec_t)
--
- userdom_rw_unpriv_user_semaphores(aisexec_t)
- userdom_rw_unpriv_user_shared_mem(aisexec_t)
-
-@@ -105,6 +104,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ corosync_domtrans(aisexec_t)
-+')
-+
-+optional_policy(`
-+ # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(aisexec_t)
-
- rhcs_rw_fenced_semaphores(aisexec_t)
-diff --git a/ajaxterm.fc b/ajaxterm.fc
-new file mode 100644
-index 000000000..aeb1888a7
---- /dev/null
-+++ b/ajaxterm.fc
-@@ -0,0 +1,6 @@
-+
-+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
-+
-+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
-+
-+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
-diff --git a/ajaxterm.if b/ajaxterm.if
-new file mode 100644
-index 000000000..7abe946d4
---- /dev/null
-+++ b/ajaxterm.if
-@@ -0,0 +1,90 @@
-+## policy for ajaxterm
-+
-+########################################
-+##
-+## Execute a domain transition to run ajaxterm.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ajaxterm_domtrans',`
-+ gen_require(`
-+ type ajaxterm_t, ajaxterm_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
-+')
-+
-+########################################
-+##
-+## Execute ajaxterm server in the ajaxterm domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ajaxterm_initrc_domtrans',`
-+ gen_require(`
-+ type ajaxterm_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
-+')
-+
-+#######################################
-+##
-+## Read and write the ajaxterm pty type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ajaxterm_rw_ptys',`
-+ gen_require(`
-+ type ajaxterm_devpts_t;
-+ ')
-+
-+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an ajaxterm environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`ajaxterm_admin',`
-+ gen_require(`
-+ type ajaxterm_t, ajaxterm_initrc_exec_t;
-+ ')
-+
-+ allow $1 ajaxterm_t:process signal_perms;
-+ ps_process_pattern($1, ajaxterm_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ajaxterm_t:process ptrace;
-+ ')
-+
-+ ajaxterm_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 ajaxterm_initrc_exec_t system_r;
-+ allow $2 system_r;
-+')
-diff --git a/ajaxterm.te b/ajaxterm.te
-new file mode 100644
-index 000000000..a95a4adf3
---- /dev/null
-+++ b/ajaxterm.te
-@@ -0,0 +1,60 @@
-+policy_module(ajaxterm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type ajaxterm_t;
-+type ajaxterm_exec_t;
-+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
-+
-+type ajaxterm_initrc_exec_t;
-+init_script_file(ajaxterm_initrc_exec_t)
-+
-+type ajaxterm_var_run_t;
-+files_pid_file(ajaxterm_var_run_t)
-+
-+type ajaxterm_devpts_t;
-+term_login_pty(ajaxterm_devpts_t)
-+
-+########################################
-+#
-+# ajaxterm local policy
-+#
-+allow ajaxterm_t self:capability setuid;
-+allow ajaxterm_t self:process { setpgid signal };
-+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
-+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
-+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
-+
-+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
-+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
-+
-+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
-+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
-+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
-+
-+kernel_read_system_state(ajaxterm_t)
-+
-+corecmd_exec_bin(ajaxterm_t)
-+
-+corenet_tcp_bind_generic_node(ajaxterm_t)
-+corenet_tcp_bind_oa_system_port(ajaxterm_t)
-+
-+dev_read_urand(ajaxterm_t)
-+
-+domain_use_interactive_fds(ajaxterm_t)
-+
-+
-+sysnet_dns_name_resolve(ajaxterm_t)
-+
-+#######################################
-+#
-+# SSH component local policy
-+#
-+
-+optional_policy(`
-+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
-+')
-+
-diff --git a/alsa.fc b/alsa.fc
-index 33d9d3111..58bf1829a 100644
---- a/alsa.fc
-+++ b/alsa.fc
-@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
- /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
- /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-
--/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-+
-+/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)
-+
-+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
-+
-+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
-diff --git a/alsa.if b/alsa.if
-index ca8d8cf3b..053a30ad4 100644
---- a/alsa.if
-+++ b/alsa.if
-@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
-
- userdom_search_user_home_dirs($1)
- allow $1 alsa_home_t:file manage_file_perms;
-+ alsa_filetrans_home_content($1)
- ')
-
- ########################################
-@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
-
- ########################################
- ##
--## Create objects in user home
--## directories with the generic alsa
--## home type.
-+## Read Alsa lib files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`alsa_read_lib',`
-+ gen_require(`
-+ type alsa_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Transition to alsa named content
-+##
-+##
- ##
--## Class of the object being created.
-+## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`alsa_filetrans_home_content',`
-+ gen_require(`
-+ type alsa_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
-+')
-+
-+########################################
-+##
-+## Transition to alsa named content
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`alsa_home_filetrans_alsa_home',`
-+interface(`alsa_filetrans_named_content',`
- gen_require(`
- type alsa_home_t;
-+ type alsa_etc_rw_t;
-+ type alsa_var_lib_t;
- ')
-
-- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
-+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
-+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
-+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
-+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
-+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
-+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
- ')
-
- ########################################
- ##
--## Read Alsa lib files.
-+## Execute alsa server in the alsa domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`alsa_read_lib',`
-+interface(`alsa_systemctl',`
- gen_require(`
-- type alsa_var_lib_t;
-+ type alsa_t;
-+ type alsa_unit_file_t;
- ')
-
-- files_search_var_lib($1)
-- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 alsa_unit_file_t:file read_file_perms;
-+ allow $1 alsa_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, alsa_t)
- ')
-
- #########################################
-diff --git a/alsa.te b/alsa.te
-index 4b153f179..9a0043caa 100644
---- a/alsa.te
-+++ b/alsa.te
-@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
- type alsa_etc_rw_t;
- files_config_file(alsa_etc_rw_t)
-
-+type alsa_lock_t;
-+files_lock_file(alsa_lock_t)
-+
- type alsa_tmp_t;
- files_tmp_file(alsa_tmp_t)
-
-@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
- type alsa_var_lib_t;
- files_type(alsa_var_lib_t)
-
-+type alsa_var_run_t;
-+files_pid_file(alsa_var_run_t)
-+
- type alsa_home_t;
- userdom_user_home_content(alsa_home_t)
-
-+type alsa_unit_file_t;
-+systemd_unit_file(alsa_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
--dontaudit alsa_t self:capability sys_admin;
-+allow alsa_t self:capability { dac_read_search setgid setuid ipc_owner sys_nice };
-+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
-+allow alsa_t self:process { getsched setsched signal_perms };
- allow alsa_t self:sem create_sem_perms;
- allow alsa_t self:shm create_shm_perms;
- allow alsa_t self:unix_stream_socket { accept listen };
-@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
-
- can_exec(alsa_t, alsa_exec_t)
-
-+manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
-+files_lock_filetrans(alsa_t, alsa_lock_t, file)
-+
- manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
- manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
- files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
- manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
-
-+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
-+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
-+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
-+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
-+
- kernel_read_system_state(alsa_t)
-+kernel_signal(alsa_t)
-
- corecmd_exec_bin(alsa_t)
-
-@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
- dev_read_urand(alsa_t)
- dev_write_sound(alsa_t)
-
--files_read_usr_files(alsa_t)
- files_search_var_lib(alsa_t)
-
- term_dontaudit_use_console(alsa_t)
-@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
-
- logging_send_syslog_msg(alsa_t)
-
--miscfiles_read_localization(alsa_t)
--
- userdom_manage_unpriv_user_semaphores(alsa_t)
- userdom_manage_unpriv_user_shared_mem(alsa_t)
- userdom_search_user_home_dirs(alsa_t)
-diff --git a/amanda.fc b/amanda.fc
-index 7f4dfbca3..e5c9f45b8 100644
---- a/amanda.fc
-+++ b/amanda.fc
-@@ -1,5 +1,6 @@
- /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
- /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
-+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
- /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
- /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
- # empty m4 string so the index macro is not invoked
-@@ -13,6 +14,8 @@
- /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
- /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-
-+/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
-+
- /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
- /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
-
-diff --git a/amanda.te b/amanda.te
-index 519051c7d..48d816150 100644
---- a/amanda.te
-+++ b/amanda.te
-@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
- roleattribute system_r amanda_recover_roles;
-
- type amanda_t;
-+type amanda_exec_t;
- type amanda_inetd_exec_t;
--inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-+application_executable_file(amanda_exec_t)
-+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
-+role system_r types amanda_t;
-
--type amanda_exec_t;
--domain_entry_file(amanda_t, amanda_exec_t)
-+type amanda_unit_file_t;
-+systemd_unit_file(amanda_unit_file_t)
-
- type amanda_log_t;
- logging_log_file(amanda_log_t)
-@@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t)
- type amanda_tmp_t;
- files_tmp_file(amanda_tmp_t)
-
-+type amanda_tmpfs_t;
-+files_tmpfs_file(amanda_tmpfs_t)
-+
- type amanda_amandates_t;
- files_type(amanda_amandates_t)
-
-@@ -59,8 +65,8 @@ optional_policy(`
- # Local policy
- #
-
--allow amanda_t self:capability { chown dac_override setuid kill };
--allow amanda_t self:process { setpgid signal };
-+allow amanda_t self:capability { chown dac_read_search setuid kill sys_admin };
-+allow amanda_t self:process { getsched setsched setpgid signal };
- allow amanda_t self:fifo_file rw_fifo_file_perms;
- allow amanda_t self:unix_stream_socket { accept listen };
- allow amanda_t self:tcp_socket { accept listen };
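Review bot: `sys_admin` is added to the `amanda_t` capability set on the same line that swaps `dac_override` for `dac_read_search`; the swap narrows the grant, but `sys_admin` is the broadest capability and should not ride in unexplained. A one-line comment above the rule naming the operation that needs it (tape or SCSI generic ioctls, given the `storage_write_scsi_generic(amanda_t)` grant later in this file, presumably) would let a later reviewer check whether a narrower permission suffices, and if the denial is only noise rather than a functional need, a `dontaudit amanda_t self:capability sys_admin;` as alsa.te does is the safer form. The same `sys_admin` grant appears in antivirus.te, whose hunk runs past this view.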
-@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
-
- manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
- manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
-+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
- filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
-
- allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
-
- manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
- manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
-+files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)
-
- manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
- manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
-@@ -90,6 +98,10 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
- manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
- files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
-
-+manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
-+manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
-+fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir })
-+
- can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
-
- kernel_read_kernel_sysctls(amanda_t)
-@@ -100,13 +112,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
- corecmd_exec_shell(amanda_t)
- corecmd_exec_bin(amanda_t)
-
--corenet_all_recvfrom_unlabeled(amanda_t)
- corenet_all_recvfrom_netlabel(amanda_t)
- corenet_tcp_sendrecv_generic_if(amanda_t)
- corenet_tcp_sendrecv_generic_node(amanda_t)
- corenet_tcp_sendrecv_all_ports(amanda_t)
- corenet_tcp_bind_generic_node(amanda_t)
-
-+corenet_tcp_bind_amanda_port(amanda_t)
-+corenet_udp_bind_amanda_port(amanda_t)
-+
- corenet_sendrecv_all_server_packets(amanda_t)
- corenet_tcp_bind_all_rpc_ports(amanda_t)
- corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +128,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
-
- dev_getattr_all_blk_files(amanda_t)
- dev_getattr_all_chr_files(amanda_t)
-+dev_read_urand(amanda_t)
-
- files_read_etc_runtime_files(amanda_t)
- files_list_all(amanda_t)
-@@ -126,10 +141,12 @@ files_getattr_all_sockets(amanda_t)
-
- fs_getattr_xattr_fs(amanda_t)
- fs_list_all(amanda_t)
-+fs_getattr_tmpfs(amanda_t)
-
- storage_raw_read_fixed_disk(amanda_t)
- storage_read_tape(amanda_t)
- storage_write_tape(amanda_t)
-+storage_write_scsi_generic(amanda_t)
-
- auth_use_nsswitch(amanda_t)
- auth_read_shadow(amanda_t)
-@@ -141,7 +158,7 @@ logging_send_syslog_msg(amanda_t)
- # Recover local policy
- #
-
--allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
-+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search };
- allow amanda_recover_t self:process { sigkill sigstop signal };
- allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
- allow amanda_recover_t self:unix_stream_socket create_socket_perms;
-@@ -170,7 +187,6 @@ kernel_read_system_state(amanda_recover_t)
- corecmd_exec_shell(amanda_recover_t)
- corecmd_exec_bin(amanda_recover_t)
-
--corenet_all_recvfrom_unlabeled(amanda_recover_t)
- corenet_all_recvfrom_netlabel(amanda_recover_t)
- corenet_tcp_sendrecv_generic_if(amanda_recover_t)
- corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +211,16 @@ files_search_tmp(amanda_recover_t)
-
- auth_use_nsswitch(amanda_recover_t)
-
--fstools_domtrans(amanda_t)
--fstools_signal(amanda_t)
--
- logging_search_logs(amanda_recover_t)
-
--miscfiles_read_localization(amanda_recover_t)
--
--userdom_use_user_terminals(amanda_recover_t)
-+userdom_use_inherited_user_terminals(amanda_recover_t)
- userdom_search_user_home_content(amanda_recover_t)
-+
-+optional_policy(`
-+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(amanda_t)
-+ fstools_signal(amanda_t)
-+')
-diff --git a/amavis.fc b/amavis.fc
-index 17689a707..8aa684917 100644
---- a/amavis.fc
-+++ b/amavis.fc
-@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
- /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
- ')
-
--/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
--
- /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
-
- /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
-diff --git a/amavis.if b/amavis.if
-index 60d4f8c90..18ef0772c 100644
---- a/amavis.if
-+++ b/amavis.if
-@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
-
- files_search_spool($1)
- read_files_pattern($1, amavis_spool_t, amavis_spool_t)
-+ allow $1 amavis_spool_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
-
- ########################################
- ##
-+## Read and write amavis lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`amavis_rw_lib_files',`
-+ gen_require(`
-+ type amavis_var_lib_t;
-+ ')
-+
-+ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
-+ allow $1 amavis_var_lib_t:dir list_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete
- ## amavis lib files.
- ##
-@@ -234,9 +255,13 @@ interface(`amavis_admin',`
- type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
- ')
-
-- allow $1 amavis_t:process { ptrace signal_perms };
-+ allow $1 amavis_t:process signal_perms;
- ps_process_pattern($1, amavis_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 amavis_t:process ptrace;
-+ ')
-+
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
-diff --git a/amavis.te b/amavis.te
-index 91fa72ae1..11a55da57 100644
---- a/amavis.te
-+++ b/amavis.te
-@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false)
- type amavis_t;
- type amavis_exec_t;
- init_daemon_domain(amavis_t, amavis_exec_t)
-+init_nnp_daemon_domain(amavis_t)
-
- type amavis_etc_t;
- files_config_file(amavis_etc_t)
-@@ -39,14 +40,14 @@ type amavis_quarantine_t;
- files_type(amavis_quarantine_t)
-
- type amavis_spool_t;
--files_type(amavis_spool_t)
-+files_spool_file(amavis_spool_t)
-
- ########################################
- #
- # Local policy
- #
-
--allow amavis_t self:capability { kill chown dac_override setgid setuid };
-+allow amavis_t self:capability { kill chown dac_read_search setgid setuid };
- dontaudit amavis_t self:capability sys_tty_config;
- allow amavis_t self:process signal_perms;
- allow amavis_t self:fifo_file rw_fifo_file_perms;
-@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
- manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
- filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
-
-+# tmp files
-+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
- manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
- allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
--files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
-+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
-
- manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
- manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
- corecmd_exec_bin(amavis_t)
- corecmd_exec_shell(amavis_t)
-
--corenet_all_recvfrom_unlabeled(amavis_t)
- corenet_all_recvfrom_netlabel(amavis_t)
- corenet_tcp_sendrecv_generic_if(amavis_t)
- corenet_udp_sendrecv_generic_if(amavis_t)
-@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
-
- corenet_sendrecv_razor_client_packets(amavis_t)
- corenet_tcp_connect_razor_port(amavis_t)
-+corenet_tcp_connect_agentx_port(amavis_t)
-
- dev_read_rand(amavis_t)
- dev_read_sysfs(amavis_t)
-@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t)
- domain_dontaudit_read_all_domains_state(amavis_t)
-
- files_read_etc_runtime_files(amavis_t)
--files_read_usr_files(amavis_t)
- files_search_spool(amavis_t)
-
- fs_getattr_xattr_fs(amavis_t)
-@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t)
-
- logging_send_syslog_msg(amavis_t)
-
--miscfiles_read_localization(amavis_t)
-+miscfiles_read_generic_certs(amavis_t)
-+
-+sysnet_use_ldap(amavis_t)
-
- userdom_dontaudit_search_user_home_dirs(amavis_t)
-
- tunable_policy(`amavis_use_jit',`
-- allow amavis_t self:process execmem;
-+ allow amavis_t self:process execmem;
- ',`
-- dontaudit amavis_t self:process execmem;
-+ dontaudit amavis_t self:process execmem;
-+')
-+
-+optional_policy(`
-+ antivirus_domain_template(amavis_t)
- ')
-
- optional_policy(`
-@@ -173,6 +182,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ nslcd_stream_connect(amavis_t)
-+')
-+
-+optional_policy(`
- postfix_read_config(amavis_t)
- postfix_list_spool(amavis_t)
- ')
-diff --git a/amtu.te b/amtu.te
-index 16d0d66eb..60abfd080 100644
---- a/amtu.te
-+++ b/amtu.te
-@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
-
- files_manage_boot_files(amtu_t)
- files_read_etc_runtime_files(amtu_t)
--files_read_etc_files(amtu_t)
-
- logging_send_audit_msgs(amtu_t)
-
--userdom_use_user_terminals(amtu_t)
-+userdom_use_inherited_user_terminals(amtu_t)
-
- optional_policy(`
- nscd_dontaudit_search_pid(amtu_t)
-diff --git a/anaconda.fc b/anaconda.fc
-index b098089d0..fe35bebfd 100644
---- a/anaconda.fc
-+++ b/anaconda.fc
-@@ -1 +1,13 @@
- # No file context specifications.
-+
-+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
-+/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
-+
-+/usr/bin/initial-setup -- gen_context(system_u:object_r:install_exec_t,s0)
-+/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
-+/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
-+/usr/libexec/rpm-ostreed -- gen_context(system_u:object_r:install_exec_t,s0)
-+
-+/usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0)
-+/var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
-+/var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0)
-diff --git a/anaconda.if b/anaconda.if
-index 14a61b7e1..76d93294d 100644
---- a/anaconda.if
-+++ b/anaconda.if
-@@ -1 +1,132 @@
- ## Anaconda installer.
-+
-+########################################
-+##
-+## Execute a domain transition to run install.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`anaconda_domtrans_install',`
-+ gen_require(`
-+ type install_t, install_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, install_exec_t, install_t)
-+')
-+
-+########################################
-+##
-+## Execute install in the install
-+## domain, and allow the specified
-+## role the install domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+#
-+interface(`anaconda_run_install',`
-+ gen_require(`
-+ type install_t;
-+ type install_exec_t;
-+ attribute_role install_roles;
-+ ')
-+
-+ anaconda_domtrans_install($1)
-+ roleattribute $2 install_roles;
-+ role_transition $2 install_exec_t system_r;
-+
-+ optional_policy(`
-+ rpm_transition_script(install_t, $2)
-+ ')
-+')
-+
-+########################################
-+##
-+## Execute preupgrade in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`anaconda_exec_preupgrade',`
-+ gen_require(`
-+ type preupgrade_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, preupgrade_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run preupgrade.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`anaconda_domtrans_preupgrade',`
-+ gen_require(`
-+ type preupgrade_t, preupgrade_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
-+')
-+
-+########################################
-+##
-+## Read preupgrade lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`anaconda_read_lib_files_preupgrade',`
-+ gen_require(`
-+ type preupgrade_data_t;
-+ ')
-+
-+ read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
-+ read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Manage preupgrade lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`anaconda_manage_lib_files_preupgrade',`
-+ gen_require(`
-+ type preupgrade_data_t;
-+ ')
-+
-+ manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
-+ manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
-+ manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
-+ files_search_var_lib($1)
-+')
-diff --git a/anaconda.te b/anaconda.te
-index aa44abfe4..9e76516c2 100644
---- a/anaconda.te
-+++ b/anaconda.te
-@@ -4,6 +4,10 @@ gen_require(`
- class passwd all_passwd_perms;
- ')
-
-+gen_require(`
-+ class passwd { passwd chfn chsh rootok crontab };
-+')
-+
- ########################################
- #
- # Declarations
-@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
- domain_obj_id_change_exemption(anaconda_t)
- role system_r types anaconda_t;
-
-+attribute_role install_roles;
-+roleattribute system_r install_roles;
-+
-+type install_t;
-+type install_exec_t;
-+application_domain(install_t, install_exec_t)
-+role install_roles types install_t;
-+
-+type preupgrade_t;
-+type preupgrade_exec_t;
-+application_domain(preupgrade_t, preupgrade_exec_t)
-+role system_r types preupgrade_t;
-+
-+type preupgrade_data_t;
-+files_type(preupgrade_data_t)
-+
- ########################################
- #
- # Local policy
-@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
- modutils_domtrans_depmod(anaconda_t)
-
- seutil_domtrans_semanage(anaconda_t)
-+seutil_domtrans_setsebool(anaconda_t)
-
--userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-+userdom_filetrans_home_content(anaconda_t)
-
- optional_policy(`
- rpm_domtrans(anaconda_t)
-@@ -53,3 +74,55 @@ optional_policy(`
- optional_policy(`
- unconfined_domain_noaudit(anaconda_t)
- ')
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow install_t self:capability2 mac_admin;
-+
-+systemd_dbus_chat_localed(install_t)
-+systemd_dbus_chat_logind(install_t)
-+
-+tunable_policy(`deny_ptrace',`',`
-+ domain_ptrace_all_domains(install_t)
-+')
-+
-+optional_policy(`
-+ iscsid_run(install_t, install_roles)
-+')
-+
-+optional_policy(`
-+ mount_run(install_t, install_roles)
-+')
-+
-+optional_policy(`
-+ networkmanager_dbus_chat(install_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(install_t)
-+')
-+
-+optional_policy(`
-+ seutil_run_setfiles_mac(install_t, install_roles)
-+')
-+
-+optional_policy(`
-+ unconfined_domain_noaudit(install_t)
-+')
-+
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
-+manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
-+manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
-+
-+optional_policy(`
-+ unconfined_domain_noaudit(preupgrade_t)
-+')
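Review bot: The two `# Local policy` sections appended here repeat the header already used for `anaconda_t`, so the file now has three indistinguishable `# Local policy` blocks; they should name their domain, e.g. `# install local policy` and `# preupgrade local policy`, matching the declarations added earlier in the file. Both `install_t` and `preupgrade_t` receive `unconfined_domain_noaudit` under `optional_policy`, and `install_t` additionally gets `capability2 mac_admin` and `domain_ptrace_all_domains` gated only by `deny_ptrace`; when the unconfined module is present these explicit rules are shadowed, so a short comment stating why `mac_admin` is required on its own (setting contexts not defined in the loaded policy during installation, presumably) would let reviewers judge the grant in the confined case.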
-diff --git a/antivirus.fc b/antivirus.fc
-new file mode 100644
-index 000000000..219f32db0
---- /dev/null
-+++ b/antivirus.fc
-@@ -0,0 +1,44 @@
-+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
-+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
-+
-+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0)
-+
-+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+
-+/usr/sbin/amavi -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+
-+/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+
-+/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+
-+/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+
-+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0)
-+
-+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+
-+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+
-diff --git a/antivirus.if b/antivirus.if
-new file mode 100644
-index 000000000..36251b926
---- /dev/null
-+++ b/antivirus.if
-@@ -0,0 +1,325 @@
-+## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## antivirus domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+interface(`antivirus_domain_template',`
-+ gen_require(`
-+ attribute antivirus_domain;
-+ ')
-+
-+ typeattribute $1 antivirus_domain;
-+
-+ kernel_read_system_state($1)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run antivirus program.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`antivirus_domtrans',`
-+ gen_require(`
-+ type antivirus_t, antivirus_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, antivirus_exec_t, antivirus_t)
-+')
-+
-+#######################################
-+##
-+## Execute antivirus program without a transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_exec',`
-+ gen_require(`
-+ type antivirus_exec_t;
-+ ')
-+
-+ can_exec($1, antivirus_exec_t)
-+')
-+
-+#######################################
-+##
-+## Connect to run antivirus program.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_stream_connect',`
-+ gen_require(`
-+ type antivirus_t, antivirus_db_t, antivirus_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
-+ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to append
-+## to antivirus log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_append_log',`
-+ gen_require(`
-+ type antivirus_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 antivirus_log_t:dir list_dir_perms;
-+ append_files_pattern($1, antivirus_log_t, antivirus_log_t)
-+')
-+
-+#######################################
-+##
-+## Read antivirus configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_read_config',`
-+ gen_require(`
-+ type antivirus_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 antivirus_conf_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Search antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_search_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ allow $1 antivirus_db_t:dir search_dir_perms;
-+')
-+
-+######################################
-+##
-+## Read antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_read_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ read_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+')
-+
-+#####################################
-+##
-+## Read and write antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_rw_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ write_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+')
-+
-+####################################
-+##
-+## Manage antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_manage_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
-+')
-+
-+#######################################
-+##
-+## Manage antivirus pid content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_manage_pid',`
-+ gen_require(`
-+ type antivirus_var_run_t;
-+ ')
-+
-+ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
-+ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
-+')
-+
-+######################################
-+##
-+## Read antivirus state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_read_state_clamd',`
-+ gen_require(`
-+ type antivirus_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, antivirus_t)
-+')
-+
-+######################################
-+##
-+## Execute antivirus server in the antivirus domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`antivirus_systemctl',`
-+ gen_require(`
-+ type antivirus_t;
-+ type antivirus_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 antivirus_unit_file_t:file read_file_perms;
-+ allow $1 antivirus_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, antivirus_t)
-+')
-+
-+#######################################
-+##
-+## All of the rules required to administrate
-+## an antivirus programs environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the clamav domain.
-+##
-+##
-+##
-+#
-+interface(`antivirus_admin',`
-+ gen_require(`
-+ attribute antivirus_domain;
-+ type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
-+ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
-+ type antivirus_initrc_exec_t, antivirus_unit_file_t;
-+ ')
-+
-+ allow $1 antivirus_t:process signal_perms;
-+ ps_process_pattern($1, antivirus_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 antivirus_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 antivirus_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ antivirus_systemctl($1)
-+ admin_pattern($1, antivirus_unit_file_t)
-+ allow $1 antivirus_unit_file_t:service all_service_perms;
-+
-+ files_list_etc($1)
-+ admin_pattern($1, antivirus_conf_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, antivirus_db_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, antivirus_log_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, antivirus_var_run_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, antivirus_tmp_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
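Review bot: `antivirus_rw_db` grants only `write_files_pattern($1, antivirus_db_t, antivirus_db_t)`, which does not include read, yet its header says "Read and write antivirus db content directories"; either add `read_files_pattern($1, antivirus_db_t, antivirus_db_t)` (or use `rw_files_pattern`) or correct the header, otherwise callers relying on the documented contract will see read denials. Relatedly, `antivirus_manage_pid` grants manage rules on `antivirus_var_run_t` without `files_search_pids($1)`, whereas `antivirus_stream_connect` in the same file does include it; adding the search call keeps the interface usable on its own. The `deny_ptrace`-gated ptrace grant in `antivirus_admin` matches the shape used in `amavis_admin` and is the right pattern.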
-diff --git a/antivirus.te b/antivirus.te
-new file mode 100644
-index 000000000..1d22415a4
---- /dev/null
-+++ b/antivirus.te
-@@ -0,0 +1,276 @@
-+policy_module(antivirus, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow antivirus programs to read non security files on a system
-+##
-+##
-+gen_tunable(antivirus_can_scan_system, false)
-+
-+##
-+##
-+## Determine whether antivirus programs can use JIT compiler.
-+##
-+##
-+gen_tunable(antivirus_use_jit, false)
-+
-+attribute antivirus_domain;
-+
-+type antivirus_t;
-+type antivirus_exec_t;
-+typeattribute antivirus_t antivirus_domain;
-+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
-+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
-+init_daemon_domain(antivirus_t, antivirus_exec_t)
-+init_nnp_daemon_domain(antivirus_t)
-+
-+type antivirus_initrc_exec_t;
-+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
-+init_script_file(antivirus_initrc_exec_t)
-+
-+type antivirus_unit_file_t;
-+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
-+systemd_unit_file(antivirus_unit_file_t)
-+
-+type antivirus_conf_t;
-+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
-+files_config_file(antivirus_conf_t)
-+
-+type antivirus_var_run_t;
-+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
-+files_pid_file(antivirus_var_run_t)
-+
-+type antivirus_log_t;
-+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
-+logging_log_file(antivirus_log_t)
-+
-+type antivirus_db_t;
-+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
-+files_type(antivirus_db_t)
-+
-+type antivirus_home_t;
-+userdom_user_home_content(antivirus_home_t)
-+
-+type antivirus_tmp_t;
-+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
-+files_tmp_file(antivirus_tmp_t)
-+
-+########################################
-+#
-+# antivirus domain local policy
-+#
-+
-+allow antivirus_domain self:capability { dac_read_search chown kill fsetid setgid setuid sys_admin };
-+dontaudit antivirus_domain self:capability sys_tty_config;
-+allow antivirus_domain self:process signal_perms;
-+
-+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
-+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
-+allow antivirus_domain self:tcp_socket { listen accept };
-+
-+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
-+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
-+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
-+
-+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+allow antivirus_t antivirus_db_t:file map;
-+
-+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+
-+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } )
-+
-+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
-+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
-+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
-+
-+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
-+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
-+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
-+
-+can_exec(antivirus_domain, antivirus_exec_t)
-+
-+kernel_read_system_state(antivirus_t)
-+kernel_read_network_state(antivirus_domain)
-+kernel_read_all_sysctls(antivirus_domain)
-+
-+corecmd_exec_bin(antivirus_domain)
-+corecmd_exec_shell(antivirus_domain)
-+
-+corenet_all_recvfrom_netlabel(antivirus_t)
-+corenet_tcp_bind_all_unreserved_ports(antivirus_t)
-+corenet_dontaudit_tcp_bind_all_reserved_ports(antivirus_t)
-+corenet_tcp_sendrecv_generic_if(antivirus_t)
-+corenet_udp_sendrecv_generic_if(antivirus_t)
-+corenet_tcp_sendrecv_generic_node(antivirus_domain)
-+corenet_udp_sendrecv_generic_node(antivirus_domain)
-+corenet_tcp_sendrecv_all_ports(antivirus_domain)
-+corenet_udp_sendrecv_all_ports(antivirus_domain)
-+corenet_tcp_bind_generic_node(antivirus_domain)
-+corenet_udp_bind_generic_node(antivirus_domain)
-+
-+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
-+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
-+
-+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
-+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
-+
-+corenet_sendrecv_generic_server_packets(antivirus_domain)
-+corenet_udp_bind_generic_port(antivirus_domain)
-+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
-+
-+corenet_sendrecv_razor_client_packets(antivirus_domain)
-+corenet_tcp_connect_razor_port(antivirus_domain)
-+corenet_tcp_connect_agentx_port(antivirus_domain)
-+
-+corenet_tcp_connect_clamd_port(antivirus_domain)
-+
-+corenet_sendrecv_clamd_server_packets(antivirus_domain)
-+corenet_tcp_bind_clamd_port(antivirus_domain)
-+
-+corenet_sendrecv_http_client_packets(antivirus_domain)
-+corenet_tcp_connect_http_port(antivirus_domain)
-+corenet_tcp_sendrecv_http_port(antivirus_domain)
-+
-+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
-+corenet_tcp_connect_http_cache_port(antivirus_domain)
-+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
-+
-+#support for MySQL/PostgreSQL
-+corenet_tcp_connect_mysqld_port(antivirus_domain)
-+corenet_tcp_connect_postgresql_port(antivirus_domain)
-+
-+corenet_sendrecv_snmp_client_packets(antivirus_domain)
-+corenet_tcp_connect_snmp_port(antivirus_domain)
-+
-+corenet_sendrecv_squid_client_packets(antivirus_domain)
-+corenet_tcp_connect_squid_port(antivirus_domain)
-+corenet_tcp_sendrecv_squid_port(antivirus_domain)
-+
-+dev_read_rand(antivirus_domain)
-+dev_read_sysfs(antivirus_domain)
-+dev_read_urand(antivirus_domain)
-+
-+domain_dontaudit_read_all_domains_state(antivirus_domain)
-+
-+files_dontaudit_read_security_files(antivirus_domain)
-+files_read_etc_runtime_files(antivirus_domain)
-+files_search_spool(antivirus_domain)
-+
-+fs_getattr_xattr_fs(antivirus_domain)
-+
-+auth_use_nsswitch(antivirus_t)
-+auth_dontaudit_read_shadow(antivirus_domain)
-+
-+init_read_state(antivirus_domain)
-+init_read_utmp(antivirus_domain)
-+init_stream_connect_script(antivirus_domain)
-+init_dontaudit_write_utmp(antivirus_domain)
-+
-+logging_send_syslog_msg(antivirus_t)
-+
-+miscfiles_read_generic_certs(antivirus_domain)
-+
-+sysnet_use_ldap(antivirus_domain)
-+
-+userdom_stream_connect(antivirus_domain)
-+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
-+
-+tunable_policy(`antivirus_can_scan_system',`
-+ files_read_non_security_files(antivirus_domain)
-+ files_getattr_all_pipes(antivirus_domain)
-+ files_getattr_all_sockets(antivirus_domain)
-+ dev_getattr_all_blk_files(antivirus_domain)
-+ dev_getattr_all_chr_files(antivirus_domain)
-+')
-+
-+tunable_policy(`antivirus_use_jit',`
-+ allow antivirus_domain self:process execmem;
-+ allow antivirus_domain self:process execmem;
-+',`
-+ dontaudit antivirus_domain self:process execmem;
-+ dontaudit antivirus_domain self:process execmem;
-+')
-+
-+optional_policy(`
-+ apache_read_sys_content(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ antivirus_systemctl(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ cron_system_entry(antivirus_t, antivirus_exec_t)
-+ cron_use_fds(antivirus_domain)
-+ cron_use_system_job_fds(antivirus_domain)
-+ cron_rw_pipes(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ dcc_domtrans_client(antivirus_domain)
-+ dcc_stream_connect_dccifd(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ exim_read_spool_files(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ mta_read_config(antivirus_domain)
-+ mta_read_queue(antivirus_domain)
-+ mta_send_mail(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ nslcd_stream_connect(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ mysql_stream_connect(antivirus_domain)
-+ corenet_tcp_connect_mysqld_port(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ postfix_read_config(antivirus_domain)
-+ postfix_list_spool(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ pyzor_domtrans(antivirus_domain)
-+ pyzor_signal(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ razor_domtrans(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ snmp_manage_var_lib_dirs(antivirus_domain)
-+ snmp_manage_var_lib_files(antivirus_domain)
-+ snmp_stream_connect(antivirus_domain)
-+')
-+
-+optional_policy(`
-+ spamd_stream_connect(clamd_t)
-+ spamassassin_exec(antivirus_domain)
-+ spamassassin_exec_client(antivirus_domain)
-+ spamassassin_read_lib_files(antivirus_domain)
-+ spamassassin_read_pid_files(antivirus_domain)
-+')
-diff --git a/apache.fc b/apache.fc
-index 7caefc353..966c2f3e6 100644
---- a/apache.fc
-+++ b/apache.fc
-@@ -1,162 +1,218 @@
--HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
--HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
- HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
- HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-
--/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
--/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
--/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
--/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--
--/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/rt(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
-+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
-+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
-+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/opt/rh/rh-nginx18/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-
--/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
--/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-+/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-
--/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-
--/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-
--/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
--/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
--/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
--/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+
-+/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
--/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-
--/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
--/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
--/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
--/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
--/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
--/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--
--ifdef(`distro_suse',`
--/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-+/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+
-+ifdef(`distro_suse', `
-+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
-
--/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
--/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--
--/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
-+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+
-+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/nginx/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/local/nagios/sbin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+
-+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
- /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
--
--/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
--/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
--/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
--/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
--/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
--/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-+
-+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/ganglia(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/ipsilon(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/opt/rh/rh-nginx18/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+
- /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
--/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--
--/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+
-+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/graphite-web(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/opt/rh/rh-nginx18/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+ifdef(`distro_debian', `
-+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+')
-
--/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
--/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
--
--/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
--/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
--
--/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
--/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/opt/rh/rh-nginx18/run/nginx(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-+
-+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+
-+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
--/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
--/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
--/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+
-+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-diff --git a/apache.if b/apache.if
-index f6eb4851f..3628a384f 100644
---- a/apache.if
-+++ b/apache.if
-@@ -1,9 +1,9 @@
--## Various web servers.
-+## Apache web server
-
- ########################################
- ##
--## Create a set of derived types for
--## httpd web content.
-+## Create a set of derived types for apache
-+## web content.
- ##
- ##
- ##
-@@ -11,120 +11,233 @@
- ##
- ##
- #
--template(`apache_content_template',`
-+template(`apache_user_content_template',`
- gen_require(`
-- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
-- attribute httpd_script_domains, httpd_htaccess_type;
-+ attribute httpd_exec_scripts, httpd_script_exec_type;
- type httpd_t, httpd_suexec_t;
-+ attribute httpd_script_type, httpd_user_content_type;
- ')
-
-- ########################################
-- #
-- # Declarations
-- #
--
-- ##
-- ##
-- ## Determine whether the script domain can
-- ## modify public files used for public file
-- ## transfer services. Directories/Files must
-- ## be labeled public_content_rw_t.
-- ##
-- ##
-- gen_tunable(allow_httpd_$1_script_anon_write, false)
--
-- type httpd_$1_content_t, httpdcontent; # customizable
-- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
-- files_type(httpd_$1_content_t)
--
-- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
-- files_type(httpd_$1_htaccess_t)
--
-- type httpd_$1_script_t, httpd_script_domains;
-- domain_type(httpd_$1_script_t)
-- role system_r types httpd_$1_script_t;
--
-- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-- corecmd_shell_entry_type(httpd_$1_script_t)
-- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
--
-- type httpd_$1_rw_content_t, httpdcontent; # customizable
-- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
-- files_type(httpd_$1_rw_content_t)
-+ #This type is for webpages
-+ type $1_content_t; # customizable;
-+ typeattribute $1_content_t httpd_user_content_type;
-+ typealias $1_content_t alias httpd_$1_script_ro_t;
-+ files_type($1_content_t)
-+
-+ # This type is used for .htaccess files
-+ type $1_htaccess_t, httpd_content_type; # customizable;
-+ typeattribute $1_htaccess_t httpd_user_content_type;
-+ files_type($1_htaccess_t)
-+
-+ # Type that CGI scripts run as
-+ type $1_script_t, httpd_script_type;
-+ domain_type($1_script_t)
-+ role system_r types $1_script_t;
-+
-+ kernel_read_system_state($1_script_t)
-+
-+ # This type is used for executable scripts files
-+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
-+ typeattribute $1_script_exec_t httpd_user_content_type;
-+ domain_entry_file($1_script_t, $1_script_exec_t)
-+
-+ type $1_rw_content_t; # customizable
-+ typeattribute $1_rw_content_t httpd_user_content_type;
-+ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
-+ files_type($1_rw_content_t)
-+
-+ type $1_ra_content_t, httpd_content_type; # customizable
-+ typeattribute $1_ra_content_t httpd_user_content_type;
-+ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
-+ files_type($1_ra_content_t)
-+
-+ # Allow the script process to search the cgi directory, and users directory
-+ allow $1_script_t $1_content_t:dir search_dir_perms;
-+
-+ can_exec($1_script_t, $1_script_exec_t)
-+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
-+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
-+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+
-+ allow $1_script_t $1_content_t:dir list_dir_perms;
-+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
-+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
-+
-+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+
-+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
-+
-+ # Allow the web server to run scripts and serve pages
-+ tunable_policy(`httpd_builtin_scripting',`
-+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-
-- type httpd_$1_ra_content_t, httpdcontent; # customizable
-- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
-- files_type(httpd_$1_ra_content_t)
-+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
-+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-
-- ########################################
-- #
-- # Policy
-- #
-+ ')
-
-- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-+ tunable_policy(`httpd_enable_cgi',`
-+ allow $1_script_t $1_script_exec_t:file entrypoint;
-
-- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
-
-- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
-- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
-- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
-+ # privileged users run the script:
-+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
-
-- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
-+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
-
-- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
-- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-+ # apache runs the script:
-+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
-+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
-+ ')
-+')
-
-- tunable_policy(`allow_httpd_$1_script_anon_write',`
-- miscfiles_manage_public_files(httpd_$1_script_t)
-+########################################
-+##
-+## Create a set of derived types for apache
-+## web content.
-+##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
-+#
-+template(`apache_content_template',`
-+ gen_require(`
-+ attribute httpd_exec_scripts, httpd_script_exec_type;
-+ type httpd_t, httpd_suexec_t;
-+ attribute httpd_script_type, httpd_content_type;
- ')
-
-+ #This type is for webpages
-+ type $1_content_t; # customizable;
-+ typeattribute $1_content_t httpd_content_type;
-+ typealias $1_content_t alias httpd_$1_script_ro_t;
-+ files_type($1_content_t)
-+
-+ # This type is used for .htaccess files
-+ type $1_htaccess_t, httpd_content_type; # customizable;
-+ typeattribute $1_htaccess_t httpd_content_type;
-+ files_type($1_htaccess_t)
-+
-+ # Type that CGI scripts run as
-+ type $1_script_t, httpd_script_type;
-+ domain_type($1_script_t)
-+ role system_r types $1_script_t;
-+
-+ kernel_read_system_state($1_script_t)
-+
-+ # This type is used for executable scripts files
-+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
-+ typeattribute $1_script_exec_t httpd_content_type;
-+ domain_entry_file($1_script_t, $1_script_exec_t)
-+
-+ type $1_rw_content_t; # customizable
-+ typeattribute $1_rw_content_t httpd_content_type;
-+ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
-+ files_type($1_rw_content_t)
-+
-+ type $1_ra_content_t, httpd_content_type; # customizable
-+ typeattribute $1_ra_content_t httpd_content_type;
-+ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
-+ files_type($1_ra_content_t)
-+
-+ # Allow the script process to search the cgi directory, and users directory
-+ allow $1_script_t $1_content_t:dir search_dir_perms;
-+
-+ can_exec($1_script_t, $1_script_exec_t)
-+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
-+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
-+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+
-+ allow $1_script_t $1_content_t:dir list_dir_perms;
-+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
-+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
-+
-+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+
-+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
-+
-+ # Allow the web server to run scripts and serve pages
- tunable_policy(`httpd_builtin_scripting',`
-- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-
-- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-- ')
-+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
-+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-
-- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-- can_exec(httpd_t, httpd_$1_rw_content_t)
- ')
-
- tunable_policy(`httpd_enable_cgi',`
-- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
-- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
-- ')
-+ allow $1_script_t $1_script_exec_t:file entrypoint;
-
-- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
-- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
-- ')
-+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
-
-- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
-- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
-- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
-- ')
-+ # privileged users run the script:
-+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
-+
-+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
-
-- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
-+ # apache runs the script:
-+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
-+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
- ')
- ')
-
- ########################################
- ##
--## Role access for apache.
-+## Create a set of derived types for apache
-+## web content.
-+##
-+##
-+##
-+## The prefix to be used for deriving new type names.
-+##
-+##
-+##
-+##
-+## The prefix to be used for deriving old type names.
-+##
-+##
-+#
-+template(`apache_content_alias_template',`
-+ typealias $1_htaccess_t alias httpd_$2_htaccess_t;
-+ typealias $1_script_t alias httpd_$2_script_t;
-+ typealias $1_script_exec_t alias httpd_$2_script_exec_t;
-+ typealias $1_content_t alias httpd_$2_content_t;
-+ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
-+ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
-+')
-+
-+########################################
-+##
-+## Role access for apache
- ##
- ##
- ##
-@@ -133,47 +246,61 @@ template(`apache_content_template',`
- ##
- ##
- ##
--## User domain for the role.
-+## User domain for the role
- ##
- ##
- #
- interface(`apache_role',`
- gen_require(`
- attribute httpdcontent;
-- type httpd_user_content_t, httpd_user_htaccess_t;
-- type httpd_user_script_t, httpd_user_script_exec_t;
-- type httpd_user_ra_content_t, httpd_user_rw_content_t;
-+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
-+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
- ')
-
- role $1 types httpd_user_script_t;
-
-- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
--
-- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
-- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
--
-- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
-- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
--
-- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
-- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
--
-- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
-- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
--
-- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
-- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
-- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
--
-- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
-- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
-- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
-+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
-+
-+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+
-+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+
-+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+
-+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+
-+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-+
-+ apache_exec_modules($2)
-+ apache_filetrans_home_content($2)
-
- tunable_policy(`httpd_enable_cgi',`
-+ # If a user starts a script by hand it gets the proper context
- domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
- ')
-
-@@ -184,7 +311,7 @@ interface(`apache_role',`
-
- ########################################
- ##
--## Read user httpd script executable files.
-+## Read httpd user scripts executables.
- ##
- ##
- ##
-@@ -204,7 +331,7 @@ interface(`apache_read_user_scripts',`
-
- ########################################
- ##
--## Read user httpd content.
-+## Read user web content.
- ##
- ##
- ##
-@@ -224,7 +351,27 @@ interface(`apache_read_user_content',`
-
- ########################################
- ##
--## Execute httpd with a domain transition.
-+## Manage user web content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_manage_user_content',`
-+ gen_require(`
-+ type httpd_user_content_t;
-+ ')
-+
-+ allow $1 httpd_user_content_t:dir manage_dir_perms;
-+ manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
-+ manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
-+')
-+
-+########################################
-+##
-+## Transition to apache.
- ##
- ##
- ##
-@@ -241,27 +388,47 @@ interface(`apache_domtrans',`
- domtrans_pattern($1, httpd_exec_t, httpd_t)
- ')
-
--########################################
-+######################################
- ##
--## Execute httpd server in the httpd domain.
-+## Allow the specified domain to execute apache
-+## in the caller domain.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`apache_initrc_domtrans',`
-+interface(`apache_exec',`
- gen_require(`
-- type httpd_initrc_exec_t;
-+ type httpd_exec_t;
- ')
-
-- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-+ can_exec($1, httpd_exec_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to execute apache suexec
-+## in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_exec_suexec',`
-+ gen_require(`
-+ type httpd_suexec_exec_t;
-+ ')
-+
-+ can_exec($1, httpd_suexec_exec_t)
- ')
-
- #######################################
- ##
--## Send generic signals to httpd.
-+## Send a generic signal to apache.
- ##
- ##
- ##
-@@ -279,7 +446,7 @@ interface(`apache_signal',`
-
- ########################################
- ##
--## Send null signals to httpd.
-+## Send a null signal to apache.
- ##
- ##
- ##
-@@ -297,7 +464,7 @@ interface(`apache_signull',`
-
- ########################################
- ##
--## Send child terminated signals to httpd.
-+## Send a SIGCHLD signal to apache.
- ##
- ##
- ##
-@@ -315,8 +482,7 @@ interface(`apache_sigchld',`
-
- ########################################
- ##
--## Inherit and use file descriptors
--## from httpd.
-+## Inherit and use file descriptors from Apache.
- ##
- ##
- ##
-@@ -334,8 +500,8 @@ interface(`apache_use_fds',`
-
- ########################################
- ##
--## Do not audit attempts to read and
--## write httpd unnamed pipes.
-+## Do not audit attempts to read and write Apache
-+## unnamed pipes.
- ##
- ##
- ##
-@@ -348,13 +514,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
- type httpd_t;
- ')
-
-- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow attempts to read and write Apache
-+## unix domain stream sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`apache_rw_stream_sockets',`
-+ gen_require(`
-+ type httpd_t;
-+ ')
-+
-+ allow $1 httpd_t:unix_stream_socket { getattr read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and
--## write httpd unix domain stream sockets.
-+## Do not audit attempts to read and write Apache
-+## unix domain stream sockets.
- ##
- ##
- ##
-@@ -367,13 +552,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
- type httpd_t;
- ')
-
-- dontaudit $1 httpd_t:unix_stream_socket { read write };
-+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and
--## write httpd TCP sockets.
-+## Do not audit attempts to read and write Apache
-+## TCP sockets.
- ##
- ##
- ##
-@@ -391,8 +576,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
-
- ########################################
- ##
--## Create, read, write, and delete
--## all httpd content.
-+## Create, read, write, and delete all web content.
- ##
- ##
- ##
-@@ -417,7 +601,8 @@ interface(`apache_manage_all_content',`
-
- ########################################
- ##
--## Set attributes httpd cache directories.
-+## Allow domain to set the attributes
-+## of the APACHE cache directory.
- ##
- ##
- ##
-@@ -435,7 +620,8 @@ interface(`apache_setattr_cache_dirs',`
-
- ########################################
- ##
--## List httpd cache directories.
-+## Allow the specified domain to list
-+## Apache cache.
- ##
- ##
- ##
-@@ -453,7 +639,8 @@ interface(`apache_list_cache',`
-
- ########################################
- ##
--## Read and write httpd cache files.
-+## Allow the specified domain to read
-+## and write Apache cache files.
- ##
- ##
- ##
-@@ -471,7 +658,8 @@ interface(`apache_rw_cache_files',`
-
- ########################################
- ##
--## Delete httpd cache directories.
-+## Allow the specified domain to delete
-+## Apache cache dirs.
- ##
- ##
- ##
-@@ -489,7 +677,8 @@ interface(`apache_delete_cache_dirs',`
-
- ########################################
- ##
--## Delete httpd cache files.
-+## Allow the specified domain to delete
-+## Apache cache.
- ##
- ##
- ##
-@@ -507,49 +696,51 @@ interface(`apache_delete_cache_files',`
-
- ########################################
- ##
--## Read httpd configuration files.
-+## Allow the specified domain to search
-+## apache configuration dirs.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`apache_read_config',`
-+interface(`apache_search_config',`
- gen_require(`
- type httpd_config_t;
- ')
-
- files_search_etc($1)
-- allow $1 httpd_config_t:dir list_dir_perms;
-- read_files_pattern($1, httpd_config_t, httpd_config_t)
-- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
-+ allow $1 httpd_config_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Search httpd configuration directories.
-+## Allow the specified domain to read
-+## apache configuration files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`apache_search_config',`
-+interface(`apache_read_config',`
- gen_require(`
- type httpd_config_t;
- ')
-
- files_search_etc($1)
-- allow $1 httpd_config_t:dir search_dir_perms;
-+ allow $1 httpd_config_t:dir list_dir_perms;
-+ read_files_pattern($1, httpd_config_t, httpd_config_t)
-+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## httpd configuration files.
-+## Allow the specified domain to manage
-+## apache configuration files.
- ##
- ##
- ##
-@@ -570,8 +761,8 @@ interface(`apache_manage_config',`
-
- ########################################
- ##
--## Execute the Apache helper program
--## with a domain transition.
-+## Execute the Apache helper program with
-+## a domain transition.
- ##
- ##
- ##
-@@ -608,16 +799,38 @@ interface(`apache_domtrans_helper',`
- #
- interface(`apache_run_helper',`
- gen_require(`
-- attribute_role httpd_helper_roles;
-+ type httpd_helper_t;
- ')
-
- apache_domtrans_helper($1)
-- roleattribute $2 httpd_helper_roles;
-+ role $2 types httpd_helper_t;
-+')
-+
-+########################################
-+##
-+## dontaudit attempts to read
-+## apache log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_dontaudit_read_log',`
-+ gen_require(`
-+ type httpd_log_t;
-+ ')
-+
-+ dontaudit $1 httpd_log_t:file read_file_perms;
-+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
--## Read httpd log files.
-+## Allow the specified domain to read
-+## apache log files.
- ##
- ##
- ##
-@@ -639,7 +852,8 @@ interface(`apache_read_log',`
-
- ########################################
- ##
--## Append httpd log files.
-+## Allow the specified domain to append
-+## to apache log files.
- ##
- ##
- ##
-@@ -657,10 +871,29 @@ interface(`apache_append_log',`
- append_files_pattern($1, httpd_log_t, httpd_log_t)
- ')
-
-+#######################################
-+##
-+## Allow the specified domain to write
-+## to apache log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_write_log',`
-+ gen_require(`
-+ type httpd_log_t;
-+ ')
-+
-+ allow $1 httpd_log_t:file write;
-+')
-+
- ########################################
- ##
--## Do not audit attempts to append
--## httpd log files.
-+## Do not audit attempts to append to the
-+## Apache logs.
- ##
- ##
- ##
-@@ -678,8 +911,8 @@ interface(`apache_dontaudit_append_log',`
-
- ########################################
- ##
--## Create, read, write, and delete
--## httpd log files.
-+## Allow the specified domain to manage
-+## to apache var lib files.
- ##
- ##
- ##
-@@ -687,20 +920,21 @@ interface(`apache_dontaudit_append_log',`
- ##
- ##
- #
--interface(`apache_manage_log',`
-+interface(`apache_manage_lib',`
- gen_require(`
-- type httpd_log_t;
-+ type httpd_var_lib_t;
- ')
-
-- logging_search_logs($1)
-- manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
-- manage_files_pattern($1, httpd_log_t, httpd_log_t)
-- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
-+ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
-+ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
- ')
-
--#######################################
-+########################################
- ##
--## Write apache log files.
-+## Allow the specified domain to manage
-+## to apache log files.
- ##
- ##
- ##
-@@ -708,19 +942,21 @@ interface(`apache_manage_log',`
- ##
- ##
- #
--interface(`apache_write_log',`
-+interface(`apache_manage_log',`
- gen_require(`
- type httpd_log_t;
- ')
-
- logging_search_logs($1)
-- write_files_pattern($1, httpd_log_t, httpd_log_t)
-+ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
-+ manage_files_pattern($1, httpd_log_t, httpd_log_t)
-+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## httpd module directories.
-+## Do not audit attempts to search Apache
-+## module directories.
- ##
- ##
- ##
-@@ -738,7 +974,8 @@ interface(`apache_dontaudit_search_modules',`
-
- ########################################
- ##
--## List httpd module directories.
-+## Allow the specified domain to read
-+## the apache module directories.
- ##
- ##
- ##
-@@ -746,17 +983,19 @@ interface(`apache_dontaudit_search_modules',`
- ##
- ##
- #
--interface(`apache_list_modules',`
-+interface(`apache_read_modules',`
- gen_require(`
- type httpd_modules_t;
- ')
-
-- allow $1 httpd_modules_t:dir list_dir_perms;
-+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
- ')
-
- ########################################
- ##
--## Execute httpd module files.
-+## Allow the specified domain to list
-+## the contents of the apache modules
-+## directory.
- ##
- ##
- ##
-@@ -764,19 +1003,19 @@ interface(`apache_list_modules',`
- ##
- ##
- #
--interface(`apache_exec_modules',`
-+interface(`apache_list_modules',`
- gen_require(`
- type httpd_modules_t;
- ')
-
- allow $1 httpd_modules_t:dir list_dir_perms;
-- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
-- can_exec($1, httpd_modules_t)
-+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
- ')
-
- ########################################
- ##
--## Read httpd module files.
-+## Allow the specified domain to execute
-+## apache modules.
- ##
- ##
- ##
-@@ -784,19 +1023,19 @@ interface(`apache_exec_modules',`
- ##
- ##
- #
--interface(`apache_read_module_files',`
-+interface(`apache_exec_modules',`
- gen_require(`
- type httpd_modules_t;
- ')
-
-- libs_search_lib($1)
-- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
-+ allow $1 httpd_modules_t:dir list_dir_perms;
-+ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
-+ can_exec($1, httpd_modules_t)
- ')
-
- ########################################
- ##
--## Execute a domain transition to
--## run httpd_rotatelogs.
-+## Execute a domain transition to run httpd_rotatelogs.
- ##
- ##
- ##
-@@ -809,13 +1048,50 @@ interface(`apache_domtrans_rotatelogs',`
- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
- ')
-
-+#######################################
-+##
-+## Execute httpd_rotatelogs in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apache_exec_rotatelogs',`
-+ gen_require(`
-+ type httpd_rotatelogs_exec_t;
-+ ')
-+
-+ can_exec($1, httpd_rotatelogs_exec_t)
-+')
-+
-+#######################################
-+##
-+## Execute httpd system scripts in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apache_exec_sys_script',`
-+ gen_require(`
-+ type httpd_sys_script_exec_t;
-+ ')
-+
-+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
-+ can_exec($1, httpd_sys_script_exec_t)
-+')
-+
- ########################################
- ##
--## List httpd system content directories.
-+## Allow the specified domain to list
-+## apache system content files.
- ##
- ##
- ##
-@@ -829,13 +1105,14 @@ interface(`apache_list_sys_content',`
- ')
-
- list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
-+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- files_search_var($1)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## httpd system content files.
-+## Allow the specified domain to manage
-+## apache system content files.
- ##
- ##
- ##
-@@ -844,6 +1121,7 @@ interface(`apache_list_sys_content',`
- ##
- ##
- #
-+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
- interface(`apache_manage_sys_content',`
- gen_require(`
- type httpd_sys_content_t;
-@@ -855,32 +1133,98 @@ interface(`apache_manage_sys_content',`
- manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- ')
-
--########################################
-+######################################
- ##
--## Create, read, write, and delete
--## httpd system rw content.
-+## Allow the specified domain to read
-+## apache system content rw files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_files',`
- gen_require(`
- type httpd_sys_rw_content_t;
- ')
-
-- apache_search_sys_content($1)
-+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to read
-+## apache system content rw dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_read_sys_content_rw_dirs',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
-+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to manage
-+## apache system content rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_manage_sys_content_rw',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
-+ files_search_var($1)
- manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- ')
-
- ########################################
- ##
--## Execute all httpd scripts in the
--## system script domain.
-+## Allow the specified domain to delete
-+## apache system content rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_delete_sys_content_rw',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+########################################
-+##
-+## Execute all web scripts in the system
-+## script domain.
- ##
- ##
- ##
-@@ -888,10 +1232,17 @@ interface(`apache_manage_sys_rw_content',`
- ##
- ##
- #
-+# cjp: this interface specifically added to allow
-+# sysadm_t to run scripts
- interface(`apache_domtrans_sys_script',`
- gen_require(`
- attribute httpdcontent;
-- type httpd_sys_script_t;
-+ type httpd_sys_script_exec_t;
-+ type httpd_sys_script_t, httpd_sys_content_t;
-+ ')
-+
-+ tunable_policy(`httpd_enable_cgi',`
-+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1252,8 @@ interface(`apache_domtrans_sys_script',`
-
- ########################################
- ##
--## Do not audit attempts to read and
--## write httpd system script unix
--## domain stream sockets.
-+## Do not audit attempts to read and write Apache
-+## system script unix domain stream sockets.
- ##
- ##
- ##
-@@ -916,7 +1266,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
- type httpd_sys_script_t;
- ')
-
-- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
-+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
- ')
-
- ########################################
-@@ -941,7 +1291,7 @@ interface(`apache_domtrans_all_scripts',`
- ########################################
- ##
- ## Execute all user scripts in the user
--## script domain. Add user script domains
-+## script domain. Add user script domains
- ## to the specified role.
- ##
- ##
-@@ -954,6 +1304,7 @@ interface(`apache_domtrans_all_scripts',`
- ## Role allowed access.
- ##
- ##
-+##
- #
- interface(`apache_run_all_scripts',`
- gen_require(`
-@@ -966,7 +1317,8 @@ interface(`apache_run_all_scripts',`
-
- ########################################
- ##
--## Read httpd squirrelmail data files.
-+## Allow the specified domain to read
-+## apache squirrelmail data.
- ##
- ##
- ##
-@@ -979,12 +1331,13 @@ interface(`apache_read_squirrelmail_data',`
- type httpd_squirrelmail_t;
- ')
-
-- allow $1 httpd_squirrelmail_t:file read_file_perms;
-+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
- ')
-
- ########################################
- ##
--## Append httpd squirrelmail data files.
-+## Allow the specified domain to append
-+## apache squirrelmail data.
- ##
- ##
- ##
-@@ -1002,7 +1355,7 @@ interface(`apache_append_squirrelmail_data',`
-
- ########################################
- ##
--## Search httpd system content.
-+## Search apache system content.
- ##
- ##
- ##
-@@ -1015,13 +1368,12 @@ interface(`apache_search_sys_content',`
- type httpd_sys_content_t;
- ')
-
-- files_search_var($1)
- allow $1 httpd_sys_content_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read httpd system content.
-+## Read apache system content.
- ##
- ##
- ##
-@@ -1041,7 +1393,7 @@ interface(`apache_read_sys_content',`
-
- ########################################
- ##
--## Search httpd system CGI directories.
-+## Search apache system CGI directories.
- ##
- ##
- ##
-@@ -1059,8 +1411,7 @@ interface(`apache_search_sys_scripts',`
-
- ########################################
- ##
--## Create, read, write, and delete all
--## user httpd content.
-+## Create, read, write, and delete all user web content.
- ##
- ##
- ##
-@@ -1071,18 +1422,21 @@ interface(`apache_search_sys_scripts',`
- #
- interface(`apache_manage_all_user_content',`
- gen_require(`
-- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
-- type httpd_user_htaccess_t, httpd_user_script_exec_t;
-+ attribute httpd_user_content_type, httpd_user_script_exec_type;
- ')
-
-- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
-- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
-- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
-+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
-+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
-+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
-+
-+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
-+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
-+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
- ')
-
- ########################################
- ##
--## Search system script state directories.
-+## Search system script state directory.
- ##
- ##
- ##
-@@ -1100,7 +1454,8 @@ interface(`apache_search_sys_script_state',`
-
- ########################################
- ##
--## Read httpd tmp files.
-+## Allow the specified domain to read
-+## apache tmp files.
- ##
- ##
- ##
-@@ -1117,10 +1472,29 @@ interface(`apache_read_tmp_files',`
- read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
- ')
-
-+######################################
-+##
-+## Dontaudit attempts to read and write
-+## apache tmp files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`apache_dontaudit_rw_tmp_files',`
-+ gen_require(`
-+ type httpd_tmp_t;
-+ ')
-+
-+ dontaudit $1 httpd_tmp_t:file { read write };
-+')
-+
- ########################################
- ##
--## Do not audit attempts to write
--## httpd tmp files.
-+## Dontaudit attempts to write
-+## apache tmp files.
- ##
- ##
- ##
-@@ -1133,7 +1507,7 @@ interface(`apache_dontaudit_write_tmp_files',`
- type httpd_tmp_t;
- ')
-
-- dontaudit $1 httpd_tmp_t:file write_file_perms;
-+ dontaudit $1 httpd_tmp_t:file write;
- ')
-
- ########################################
-@@ -1142,6 +1516,9 @@ interface(`apache_dontaudit_write_tmp_files',`
- ##
- ##
- ##
-+## Execute CGI in the specified domain.
-+##
-+##
- ## This is an interface to support third party modules
- ## and its use is not allowed in upstream reference
- ## policy.
-@@ -1171,8 +1548,31 @@ interface(`apache_cgi_domain',`
-
- ########################################
- ##
--## All of the rules required to
--## administrate an apache environment.
-+## Execute httpd server in the httpd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apache_systemctl',`
-+ gen_require(`
-+ type httpd_t;
-+ type httpd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 httpd_unit_file_t:file read_file_perms;
-+ allow $1 httpd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, httpd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate an apache environment
- ##
- ##
- ##
-@@ -1189,18 +1589,19 @@ interface(`apache_cgi_domain',`
- interface(`apache_admin',`
- gen_require(`
- attribute httpdcontent, httpd_script_exec_type;
-- attribute httpd_script_domains, httpd_htaccess_type;
- type httpd_t, httpd_config_t, httpd_log_t;
-- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
-- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
-- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
-- type httpd_initrc_exec_t, httpd_keytab_t;
-+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
-+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
-+ type httpd_suexec_tmp_t, httpd_tmp_t;
-+ type httpd_unit_file_t;
- ')
-
-- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
-- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
-- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
-+ allow $1 httpd_t:process signal_perms;
-+ ps_process_pattern($1, httpd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -1210,10 +1611,10 @@ interface(`apache_admin',`
- apache_manage_all_content($1)
- miscfiles_manage_public_files($1)
-
-- files_search_etc($1)
-- admin_pattern($1, { httpd_keytab_t httpd_config_t })
-+ files_list_etc($1)
-+ admin_pattern($1, httpd_config_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, httpd_log_t)
-
- admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1625,219 @@ interface(`apache_admin',`
- admin_pattern($1, httpd_var_run_t)
- files_pid_filetrans($1, httpd_var_run_t, file)
-
-- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
-- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
-+ admin_pattern($1, httpdcontent)
-+ admin_pattern($1, httpd_script_exec_type)
-+
-+ seutil_domtrans_setfiles($1)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, httpd_tmp_t)
-+ admin_pattern($1, httpd_php_tmp_t)
-+ admin_pattern($1, httpd_suexec_tmp_t)
-+
-+ apache_systemctl($1)
-+ admin_pattern($1, httpd_unit_file_t)
-+ allow $1 httpd_unit_file_t:service all_service_perms;
-+
-+ apache_filetrans_named_content($1)
-+')
-+
-+########################################
-+##
-+## dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`apache_dontaudit_leaks',`
-+ gen_require(`
-+ type httpd_t;
-+ type httpd_tmp_t;
-+ ')
-+
-+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit $1 httpd_t:tcp_socket { read write };
-+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
-+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
-+ dontaudit $1 httpd_tmp_t:file { read write };
-+')
-+
-+########################################
-+##
-+## Transition to apache named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_filetrans_named_content',`
-+ gen_require(`
-+ type httpd_sys_content_t, httpd_sys_rw_content_t;
-+ type httpd_tmp_t;
-+ ')
-+
-+
-+ apache_filetrans_home_content($1)
-+ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
-+ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
-+ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
-+ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
-+ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
-+ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
-+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
-+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
-+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
-+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
-+')
-+
-+########################################
-+##
-+## Allow any httpd_exec_t to be an entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_entrypoint',`
-+ gen_require(`
-+ type httpd_exec_t;
-+ ')
-+ allow $1 httpd_exec_t:file entrypoint;
-+')
-+
-+########################################
-+##
-+## Execute a httpd_exec_t in the specified domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`apache_exec_domtrans',`
-+ gen_require(`
-+ type httpd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, httpd_exec_t, $2)
-+')
-+
-+########################################
-+##
-+## Transition to apache home content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_filetrans_home_content',`
-+ gen_require(`
-+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
-+ type httpd_user_content_ra_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
-+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
-+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
-+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
-+')
-+
-+########################################
-+##
-+## Read apache pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_read_pid_files',`
-+ gen_require(`
-+ type httpd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## httpd over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_dbus_chat',`
-+ gen_require(`
-+ type httpd_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 httpd_t:dbus send_msg;
-+ allow httpd_t $1:dbus send_msg;
-+ ps_process_pattern(httpd_t, $1)
-+')
-+
-+########################################
-+##
-+## Delete the httpd tmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_delete_tmp',`
-+ gen_require(`
-+ type httpd_tmp_t;
-+ ')
-+
-+ allow $1 httpd_tmp_t:file unlink;
-+')
-+
-+########################################
-+##
-+## Allow httpd noatsecure
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_noatsecure',`
-+ gen_require(`
-+ type httpd_t;
-+ ')
-
-- apache_run_all_scripts($1, $2)
-- apache_run_helper($1, $2)
-+ allow $1 httpd_t:process { noatsecure };
- ')
-diff --git a/apache.te b/apache.te
-index 6649962b6..c45ca1fb1 100644
---- a/apache.te
-+++ b/apache.te
-@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
- # Declarations
- #
-
-+selinux_genbool(httpd_bool_t)
-+
- ##
--##
--## Determine whether httpd can modify
--## public files used for public file
--## transfer services. Directories/Files must
--## be labeled public_content_rw_t.
--##
-+##
-+## Allow Apache to modify public files
-+## used for public file transfer services. Directories/Files must
-+## be labeled public_content_rw_t.
-+##
- ##
--gen_tunable(allow_httpd_anon_write, false)
-+gen_tunable(httpd_anon_write, false)
-
- ##
--##
--## Determine whether httpd can use mod_auth_pam.
--##
-+##
-+## Dontaudit Apache to search dirs.
-+##
- ##
--gen_tunable(allow_httpd_mod_auth_pam, false)
-+gen_tunable(httpd_dontaudit_search_dirs, false)
-
- ##
--##
--## Determine whether httpd can use built in scripting.
--##
-+##
-+## Allow Apache to use mod_auth_pam
-+##
- ##
--gen_tunable(httpd_builtin_scripting, false)
-+gen_tunable(httpd_mod_auth_pam, false)
-
- ##
--##
--## Determine whether httpd can check spam.
--##
-+##
-+## Allow Apache to use mod_auth_ntlm_winbind
-+##
- ##
--gen_tunable(httpd_can_check_spam, false)
-+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-
- ##
--##
--## Determine whether httpd scripts and modules
--## can connect to the network using TCP.
--##
-+##
-+## Allow httpd scripts and modules execmem/execstack
-+##
-+##
-+gen_tunable(httpd_execmem, false)
-+
-+##
-+##
-+## Allow httpd processes to manage IPA content
-+##
-+##
-+gen_tunable(httpd_manage_ipa, false)
-+
-+##
-+##
-+## Allow httpd processes to run IPA helper.
-+##
-+##
-+gen_tunable(httpd_run_ipa, false)
-+
-+##
-+##
-+## Allow httpd to use built in scripting (usually php)
-+##
-+##
-+gen_tunable(httpd_builtin_scripting, false)
-+
-+##
-+##
-+## Allow HTTPD scripts and modules to connect to the network using TCP.
-+##
- ##
- gen_tunable(httpd_can_network_connect, false)
-
- ##
--##
--## Determine whether httpd scripts and modules
--## can connect to cobbler over the network.
--##
-+##
-+## Allow HTTPD scripts and modules to connect to cobbler over the network.
-+##
- ##
- gen_tunable(httpd_can_network_connect_cobbler, false)
-
- ##
--##
--## Determine whether scripts and modules can
--## connect to databases over the network.
--##
-+##
-+## Allow HTTPD scripts and modules to server cobbler files.
-+##
- ##
--gen_tunable(httpd_can_network_connect_db, false)
-+gen_tunable(httpd_serve_cobbler_files, false)
-
- ##
--##
--## Determine whether httpd can connect to
--## ldap over the network.
--##
-+##
-+## Allow HTTPD to connect to port 80 for graceful shutdown
-+##
- ##
--gen_tunable(httpd_can_network_connect_ldap, false)
-+gen_tunable(httpd_graceful_shutdown, false)
-
- ##
--##
--## Determine whether httpd can connect
--## to memcache server over the network.
--##
-+##
-+## Allow HTTPD scripts and modules to connect to databases over the network.
-+##
-+##
-+gen_tunable(httpd_can_network_connect_db, false)
-+
-+##
-+##
-+## Allow httpd to connect to memcache server
-+##
- ##
--gen_tunable(httpd_can_network_connect_memcache, false)
-+gen_tunable(httpd_can_network_memcache, false)
-
- ##
--##
--## Determine whether httpd can act as a relay.
--##
-+##
-+## Allow httpd to act as a relay
-+##
- ##
- gen_tunable(httpd_can_network_relay, false)
-
- ##
--##
--## Determine whether httpd daemon can
--## connect to zabbix over the network.
--##
-+##
-+## Allow http daemon to connect to zabbix
-+##
- ##
--gen_tunable(httpd_can_network_connect_zabbix, false)
-+gen_tunable(httpd_can_connect_zabbix, false)
-
- ##
--##
--## Determine whether httpd can send mail.
--##
-+##
-+## Allow http daemon to connect to mythtv
-+##
-+##
-+gen_tunable(httpd_can_connect_mythtv, false)
-+
-+##
-+##
-+## Allow http daemon to check spam
-+##
-+##
-+gen_tunable(httpd_can_check_spam, false)
-+
-+##
-+##
-+## Allow http daemon to send mail
-+##
- ##
- gen_tunable(httpd_can_sendmail, false)
-
- ##
--##
--## Determine whether httpd can communicate
--## with avahi service via dbus.
--##
-+##
-+## Allow Apache to communicate with avahi service via dbus
-+##
- ##
- gen_tunable(httpd_dbus_avahi, false)
-
- ##
--##
--## Determine wether httpd can use support.
--##
-+##
-+## Allow Apache to communicate with sssd service via dbus
-+##
- ##
--gen_tunable(httpd_enable_cgi, false)
-+gen_tunable(httpd_dbus_sssd, false)
-
- ##
--##
--## Determine whether httpd can act as a
--## FTP server by listening on the ftp port.
--##
-+##
-+## Allow httpd cgi support
-+##
- ##
--gen_tunable(httpd_enable_ftp_server, false)
-+gen_tunable(httpd_enable_cgi, false)
-
- ##
--##
--## Determine whether httpd can traverse
--## user home directories.
--##
-+##
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
-+##
- ##
--gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_enable_ftp_server, false)
-
- ##
--##
--## Determine whether httpd gpg can modify
--## public files used for public file
--## transfer services. Directories/Files must
--## be labeled public_content_rw_t.
--##
-+##
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
-+##
- ##
--gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_can_connect_ftp, false)
-
- ##
--##
--## Determine whether httpd can execute
--## its temporary content.
--##
-+##
-+## Allow httpd to connect to the ldap port
-+##
- ##
--gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_can_connect_ldap, false)
-
- ##
--##
--## Determine whether httpd scripts and
--## modules can use execmem and execstack.
--##
-+##
-+## Allow httpd to read home directories
-+##
- ##
--gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_enable_homedirs, false)
-
- ##
--##
--## Determine whether httpd can connect
--## to port 80 for graceful shutdown.
--##
-+##
-+## Allow httpd to read user content
-+##
- ##
--gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_read_user_content, false)
-
- ##
--##
--## Determine whether httpd can
--## manage IPA content files.
--##
-+##
-+## Allow Apache to run in stickshift mode, not transition to passenger
-+##
- ##
--gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_run_stickshift, false)
-+
-
- ##
--##
--## Determine whether httpd can use mod_auth_ntlm_winbind.
--##
-+##
-+## Allow Apache to run preupgrade
-+##
- ##
--gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_run_preupgrade, false)
-
- ##
--##
--## Determine whether httpd can read
--## generic user home content files.
--##
-+##
-+## Allow Apache to query NS records
-+##
- ##
--gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_verify_dns, false)
-
- ##
--##
--## Determine whether httpd can change
--## its resource limits.
--##
-+##
-+## Allow httpd daemon to change its resource limits
-+##
- ##
- gen_tunable(httpd_setrlimit, false)
-
- ##
--##
--## Determine whether httpd can run
--## SSI executables in the same domain
--## as system CGI scripts.
--##
-+##
-+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
-+##
- ##
- gen_tunable(httpd_ssi_exec, false)
-
- ##
--##
--## Determine whether httpd can communicate
--## with the terminal. Needed for entering the
--## passphrase for certificates at the terminal.
--##
-+##
-+## Allow Apache to execute tmp content.
-+##
-+##
-+gen_tunable(httpd_tmp_exec, false)
-+
-+##
-+##
-+## Unify HTTPD to communicate with the terminal.
-+## Needed for entering the passphrase for certificates at
-+## the terminal.
-+##
- ##
- gen_tunable(httpd_tty_comm, false)
-
- ##
--##
--## Determine whether httpd can have full access
--## to its content types.
--##
-+##
-+## Unify HTTPD handling of all content files.
-+##
- ##
- gen_tunable(httpd_unified, false)
-
- ##
--##
--## Determine whether httpd can use
--## cifs file systems.
--##
-+##
-+## Allow httpd to access openstack ports
-+##
-+##
-+gen_tunable(httpd_use_openstack, false)
-+
-+##
-+##
-+## Allow httpd to access cifs file systems
-+##
- ##
- gen_tunable(httpd_use_cifs, false)
-
- ##
- ##
--## Determine whether httpd can
--## use fuse file systems.
-+## Allow httpd to access FUSE file systems
- ##
- ##
- gen_tunable(httpd_use_fusefs, false)
-
- ##
--##
--## Determine whether httpd can use gpg.
--##
-+##
-+## Allow httpd to run gpg
-+##
- ##
- gen_tunable(httpd_use_gpg, false)
-
- ##
--##
--## Determine whether httpd can use
--## nfs file systems.
--##
-+##
-+## Allow httpd to connect to sasl
-+##
-+##
-+gen_tunable(httpd_use_sasl, false)
-+
-+##
-+##
-+## Allow httpd to access nfs file systems
-+##
- ##
- gen_tunable(httpd_use_nfs, false)
-
-+##
-+##
-+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
-+##
-+##
-+gen_tunable(httpd_sys_script_anon_write, false)
-+
- attribute httpdcontent;
--attribute httpd_htaccess_type;
-+attribute httpd_user_content_type;
-+attribute httpd_content_type;
-
--# domains that can exec all scripts
-+# domains that can exec all users scripts
- attribute httpd_exec_scripts;
-
-+attribute httpd_script_type;
- attribute httpd_script_exec_type;
-+attribute httpd_user_script_exec_type;
-
--# all script domains
-+# user script domains
- attribute httpd_script_domains;
-
--attribute_role httpd_helper_roles;
--roleattribute system_r httpd_helper_roles;
--
- type httpd_t;
- type httpd_exec_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_t alias phpfpm_t;
-+ typealias httpd_exec_t alias phpfpm_exec_t;
-+')
- init_daemon_domain(httpd_t, httpd_exec_t)
-+role system_r types httpd_t;
-
-+# httpd_cache_t is the type given to the /var/cache/httpd
-+# directory and the files under that directory
- type httpd_cache_t;
- files_type(httpd_cache_t)
-
-+# httpd_config_t is the type given to the configuration files
- type httpd_config_t;
- files_config_file(httpd_config_t)
-
- type httpd_helper_t;
- type httpd_helper_exec_t;
--application_domain(httpd_helper_t, httpd_helper_exec_t)
--role httpd_helper_roles types httpd_helper_t;
-+domain_type(httpd_helper_t)
-+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
-+role system_r types httpd_helper_t;
-
- type httpd_initrc_exec_t;
- init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t)
- type httpd_keytab_t;
- files_type(httpd_keytab_t)
-
-+type httpd_unit_file_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
-+')
-+systemd_unit_file(httpd_unit_file_t)
-+
- type httpd_lock_t;
- files_lock_file(httpd_lock_t)
-
- type httpd_log_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_log_t alias phpfpm_log_t;
-+')
- logging_log_file(httpd_log_t)
-
-+# httpd_modules_t is the type given to module files (libraries)
-+# that come with Apache /etc/httpd/modules and /usr/lib/apache
- type httpd_modules_t;
- files_type(httpd_modules_t)
-
-+type httpd_php_t;
-+type httpd_php_exec_t;
-+domain_type(httpd_php_t)
-+domain_entry_file(httpd_php_t, httpd_php_exec_t)
-+role system_r types httpd_php_t;
-+
-+type httpd_php_tmp_t;
-+files_tmp_file(httpd_php_tmp_t)
-+
- type httpd_rotatelogs_t;
- type httpd_rotatelogs_exec_t;
- init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
- type httpd_squirrelmail_t;
- files_type(httpd_squirrelmail_t)
-
--type squirrelmail_spool_t;
--files_tmp_file(squirrelmail_spool_t)
--
--type httpd_suexec_t;
-+# SUEXEC runs user scripts as their own user ID
-+type httpd_suexec_t; #, daemon;
- type httpd_suexec_exec_t;
- domain_type(httpd_suexec_t)
- domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +398,19 @@ role system_r types httpd_suexec_t;
- type httpd_suexec_tmp_t;
- files_tmp_file(httpd_suexec_tmp_t)
-
--apache_content_template(sys)
--corecmd_shell_entry_type(httpd_sys_script_t)
--typealias httpd_sys_content_t alias ntop_http_content_t;
-+# setup the system domain for system CGI scripts
-+apache_content_template(httpd_sys)
-+
-+typeattribute httpd_sys_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
-+
-+# Removal of fastcgi, will cause problems without the following
-+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
-+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
-+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
-+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
-
- type httpd_tmp_t;
- files_tmp_file(httpd_tmp_t)
-@@ -324,14 +418,16 @@ files_tmp_file(httpd_tmp_t)
- type httpd_tmpfs_t;
- files_tmpfs_file(httpd_tmpfs_t)
-
--apache_content_template(user)
-+apache_user_content_template(httpd_user)
- ubac_constrained(httpd_user_script_t)
--userdom_user_home_content(httpd_user_content_t)
--userdom_user_home_content(httpd_user_htaccess_t)
--userdom_user_home_content(httpd_user_script_exec_t)
--userdom_user_home_content(httpd_user_ra_content_t)
--userdom_user_home_content(httpd_user_rw_content_t)
-+
-+typeattribute httpd_user_content_t httpdcontent;
-+typeattribute httpd_user_rw_content_t httpdcontent;
-+typeattribute httpd_user_ra_content_t httpdcontent;
-+
-+typeattribute httpd_user_script_t httpd_script_domains;
- typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
-+typealias httpd_user_content_t alias httpd_unconfined_content_t;
- typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
- typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
- typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
- typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
- typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
-
-+# for apache2 memory mapped files
- type httpd_var_lib_t;
- files_type(httpd_var_lib_t)
-
- type httpd_var_run_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_var_run_t alias phpfpm_var_run_t;
-+')
- files_pid_file(httpd_var_run_t)
-
--type httpd_passwd_t;
--type httpd_passwd_exec_t;
--domain_type(httpd_passwd_t)
--domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
--role system_r types httpd_passwd_t;
-+# Removal of fastcgi, will cause problems without the following
-+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-
--type httpd_gpg_t;
--domain_type(httpd_gpg_t)
--role system_r types httpd_gpg_t;
-+# File Type of squirrelmail attachments
-+type squirrelmail_spool_t;
-+files_tmp_file(squirrelmail_spool_t)
-+files_spool_file(squirrelmail_spool_t)
-
- optional_policy(`
- prelink_object_file(httpd_modules_t)
- ')
-
-+type httpd_passwd_t;
-+type httpd_passwd_exec_t;
-+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
-+role system_r types httpd_passwd_t;
-+
- ########################################
- #
--# Local policy
-+# Apache server local policy
- #
-
--allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
--dontaudit httpd_t self:capability net_admin;
-+allow httpd_t self:capability { chown dac_read_search kill setgid setuid sys_nice sys_tty_config sys_chroot };
-+dontaudit httpd_t self:capability { net_admin sys_tty_config };
- allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow httpd_t self:fd use;
- allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +484,39 @@ allow httpd_t self:shm create_shm_perms;
- allow httpd_t self:sem create_sem_perms;
- allow httpd_t self:msgq create_msgq_perms;
- allow httpd_t self:msg { send receive };
--allow httpd_t self:unix_dgram_socket sendto;
--allow httpd_t self:unix_stream_socket { accept connectto listen };
--allow httpd_t self:tcp_socket { accept listen };
-+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow httpd_t self:tcp_socket create_stream_socket_perms;
-+allow httpd_t self:udp_socket create_socket_perms;
-+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
-
-+# Allow httpd_t to put files in /var/cache/httpd etc
- manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
- manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
- manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
--files_var_filetrans(httpd_t, httpd_cache_t, dir)
-+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
-
-+# Allow the httpd_t to read the web servers config files
- allow httpd_t httpd_config_t:dir list_dir_perms;
- read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
- read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
-
-+can_exec(httpd_t, httpd_exec_t)
-+
- allow httpd_t httpd_keytab_t:file read_file_perms;
-
- allow httpd_t httpd_lock_t:file manage_file_perms;
- files_lock_filetrans(httpd_t, httpd_lock_t, file)
-
--allow httpd_t httpd_log_t:dir setattr_dir_perms;
-+allow httpd_t httpd_log_t:dir setattr;
- create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+# cjp: need to refine create interfaces to
-+# cut this back to add_name only
- logging_log_filetrans(httpd_t, httpd_log_t, file)
-
- allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,13 +524,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
-
-+apache_domtrans_rotatelogs(httpd_t)
-+# Apache-httpd needs to be able to send signals to the log rotate procs.
- allow httpd_t httpd_rotatelogs_t:process signal_perms;
-
- manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
- manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
- manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-+allow httpd_t httpd_squirrelmail_t:file map;
-+
-+allow httpd_t httpd_suexec_t:process { signal signull };
-+allow httpd_t httpd_suexec_t:file read_file_perms;
-
--allow httpd_t httpd_suexec_exec_t:file read_file_perms;
-+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-+allow httpd_t httpd_sys_content_t:file map;
-
- allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
-
-@@ -428,6 +549,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
- userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
-+allow httpd_t httpd_tmp_t:file map;
-
- manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -438,6 +560,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
-
- manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
- manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
- files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
-
- setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +573,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
- manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
- manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-
--can_exec(httpd_t, httpd_exec_t)
--
--domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
--domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
--domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
--domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
--
- kernel_read_kernel_sysctls(httpd_t)
--kernel_read_network_state(httpd_t)
-+# for modules that want to access /proc/meminfo
- kernel_read_system_state(httpd_t)
-+kernel_read_network_state(httpd_t)
- kernel_search_network_sysctl(httpd_t)
-
--corenet_all_recvfrom_unlabeled(httpd_t)
- corenet_all_recvfrom_netlabel(httpd_t)
- corenet_tcp_sendrecv_generic_if(httpd_t)
-+corenet_udp_sendrecv_generic_if(httpd_t)
- corenet_tcp_sendrecv_generic_node(httpd_t)
-+corenet_udp_sendrecv_generic_node(httpd_t)
-+corenet_tcp_sendrecv_all_ports(httpd_t)
-+corenet_udp_sendrecv_all_ports(httpd_t)
- corenet_tcp_bind_generic_node(httpd_t)
--
--corenet_sendrecv_http_server_packets(httpd_t)
-+corenet_udp_bind_generic_node(httpd_t)
- corenet_tcp_bind_http_port(httpd_t)
--corenet_tcp_sendrecv_http_port(httpd_t)
--
--corenet_sendrecv_http_cache_server_packets(httpd_t)
-+corenet_udp_bind_http_port(httpd_t)
- corenet_tcp_bind_http_cache_port(httpd_t)
--corenet_tcp_sendrecv_http_cache_port(httpd_t)
--
--corecmd_exec_bin(httpd_t)
--corecmd_exec_shell(httpd_t)
-+corenet_tcp_bind_ntop_port(httpd_t)
-+corenet_tcp_bind_jboss_management_port(httpd_t)
-+corenet_tcp_bind_jboss_messaging_port(httpd_t)
-+corenet_sendrecv_http_server_packets(httpd_t)
-+corenet_tcp_bind_puppet_port(httpd_t)
-+# Signal self for shutdown
-+tunable_policy(`httpd_graceful_shutdown',`
-+ corenet_tcp_connect_http_port(httpd_t)
-+')
-
- dev_read_sysfs(httpd_t)
- dev_read_rand(httpd_t)
- dev_read_urand(httpd_t)
- dev_rw_crypto(httpd_t)
-
--domain_use_interactive_fds(httpd_t)
-+files_dontaudit_write_all_mountpoints(httpd_t)
-
- fs_getattr_all_fs(httpd_t)
- fs_search_auto_mountpoints(httpd_t)
--
--fs_getattr_all_fs(httpd_t)
--fs_read_anon_inodefs_files(httpd_t)
- fs_read_iso9660_files(httpd_t)
--fs_search_auto_mountpoints(httpd_t)
-+fs_rw_anon_inodefs_files(httpd_t)
-+fs_rw_hugetlbfs_files(httpd_t)
-+fs_exec_hugetlbfs_files(httpd_t)
-+fs_list_inotifyfs(httpd_t)
-+
-+auth_use_nsswitch(httpd_t)
-+
-+application_exec_all(httpd_t)
-+
-+# execute perl
-+corecmd_exec_bin(httpd_t)
-+corecmd_exec_shell(httpd_t)
-+
-+domain_use_interactive_fds(httpd_t)
-+domain_dontaudit_read_all_domains_state(httpd_t)
-
-+files_dontaudit_search_all_pids(httpd_t)
- files_dontaudit_getattr_all_pids(httpd_t)
--files_read_usr_files(httpd_t)
-+files_exec_usr_files(httpd_t)
- files_list_mnt(httpd_t)
-+files_read_mnt_symlinks(httpd_t)
-+files_search_all(httpd_t)
- files_search_spool(httpd_t)
- files_read_var_symlinks(httpd_t)
- files_read_var_lib_files(httpd_t)
- files_search_home(httpd_t)
- files_getattr_home_dir(httpd_t)
-+# for modules that want to access /etc/mtab
- files_read_etc_runtime_files(httpd_t)
-+# Allow httpd_t to have access to files such as nisswitch.conf
-+# for tomcat
- files_read_var_lib_symlinks(httpd_t)
-
--auth_use_nsswitch(httpd_t)
-+fs_search_auto_mountpoints(httpd_sys_script_t)
-+# php uploads a file to /tmp and then execs programs to acton them
-+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
- libs_read_lib_files(httpd_t)
-
-+ifdef(`hide_broken_symptoms',`
-+ libs_exec_lib_files(httpd_t)
-+')
-+
- logging_send_syslog_msg(httpd_t)
-
--miscfiles_read_localization(httpd_t)
-+init_dontaudit_read_utmp(httpd_t)
-+
- miscfiles_read_fonts(httpd_t)
- miscfiles_read_public_files(httpd_t)
- miscfiles_read_generic_certs(httpd_t)
-+miscfiles_map_generic_certs(httpd_t)
- miscfiles_read_tetex_data(httpd_t)
--
--seutil_dontaudit_search_config(httpd_t)
-+miscfiles_dontaudit_access_check_cert(httpd_t)
-
- userdom_use_unpriv_users_fds(httpd_t)
-
--ifdef(`TODO',`
-- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
-+tunable_policy(`httpd_setrlimit',`
-+ allow httpd_t self:process setrlimit;
-+ allow httpd_t self:capability sys_resource;
-+')
-
-- logging_send_audit_msgs(httpd_t)
-- ')
-+tunable_policy(`httpd_anon_write',`
-+ miscfiles_manage_public_files(httpd_t)
- ')
-
--ifdef(`hide_broken_symptoms',`
-- libs_exec_lib_files(httpd_t)
-+tunable_policy(`httpd_dontaudit_search_dirs',`
-+ files_dontaudit_search_non_security_dirs(httpd_t)
- ')
-
--tunable_policy(`allow_httpd_anon_write',`
-- miscfiles_manage_public_files(httpd_t)
-+#
-+# We need optionals to be able to be within booleans to make this work
-+#
-+tunable_policy(`httpd_mod_auth_pam',`
-+ auth_domtrans_chkpwd(httpd_t)
-+ logging_send_audit_msgs(httpd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
-+ samba_domtrans_winbind_helper(httpd_t)
-+ ')
- ')
-
- tunable_policy(`httpd_can_network_connect',`
-- corenet_sendrecv_all_client_packets(httpd_t)
- corenet_tcp_connect_all_ports(httpd_t)
-- corenet_tcp_sendrecv_all_ports(httpd_t)
- ')
-
- tunable_policy(`httpd_can_network_connect_db',`
-- corenet_sendrecv_gds_db_client_packets(httpd_t)
- corenet_tcp_connect_gds_db_port(httpd_t)
-- corenet_tcp_sendrecv_gds_db_port(httpd_t)
-- corenet_sendrecv_mssql_client_packets(httpd_t)
- corenet_tcp_connect_mssql_port(httpd_t)
-- corenet_tcp_sendrecv_mssql_port(httpd_t)
-- corenet_sendrecv_oracledb_client_packets(httpd_t)
-- corenet_tcp_connect_oracledb_port(httpd_t)
-- corenet_tcp_sendrecv_oracledb_port(httpd_t)
-+ corenet_tcp_connect_mongod_port(httpd_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_t)
-+ corenet_tcp_connect_oracle_port(httpd_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_t)
-+')
-+
-+tunable_policy(`httpd_can_network_memcache',`
-+ corenet_tcp_connect_memcache_port(httpd_t)
- ')
-
- tunable_policy(`httpd_can_network_relay',`
-- corenet_sendrecv_gopher_client_packets(httpd_t)
-+ # allow httpd to work as a relay
- corenet_tcp_connect_gopher_port(httpd_t)
-- corenet_tcp_sendrecv_gopher_port(httpd_t)
-- corenet_sendrecv_ftp_client_packets(httpd_t)
- corenet_tcp_connect_ftp_port(httpd_t)
-- corenet_tcp_sendrecv_ftp_port(httpd_t)
-- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
-- corenet_tcp_sendrecv_http_port(httpd_t)
-- corenet_sendrecv_http_cache_client_packets(httpd_t)
- corenet_tcp_connect_http_cache_port(httpd_t)
-- corenet_tcp_sendrecv_http_cache_port(httpd_t)
-- corenet_sendrecv_squid_client_packets(httpd_t)
- corenet_tcp_connect_squid_port(httpd_t)
-- corenet_tcp_sendrecv_squid_port(httpd_t)
-+ corenet_tcp_connect_memcache_port(httpd_t)
-+ corenet_sendrecv_gopher_client_packets(httpd_t)
-+ corenet_sendrecv_ftp_client_packets(httpd_t)
-+ corenet_sendrecv_http_client_packets(httpd_t)
-+ corenet_sendrecv_http_cache_client_packets(httpd_t)
-+ corenet_sendrecv_squid_client_packets(httpd_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
- ')
-
--tunable_policy(`httpd_builtin_scripting',`
-- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
-+tunable_policy(`httpd_execmem',`
-+ allow httpd_t self:process { execmem execstack };
-+ allow httpd_sys_script_t self:process { execmem execstack };
-+ allow httpd_suexec_t self:process { execmem execstack };
-+')
-
-- allow httpd_t httpdcontent:dir list_dir_perms;
-- allow httpd_t httpdcontent:file read_file_perms;
-- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
-+tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
-+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
-+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
- ')
-
--tunable_policy(`httpd_enable_cgi',`
-- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
-- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-+tunable_policy(`httpd_sys_script_anon_write',`
-+ miscfiles_manage_public_files(httpd_sys_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
- fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
- ')
-
--# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
--# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
--# ')
-+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-+')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
-+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
-+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
-+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
-
- manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
-- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
-+')
-+
-+tunable_policy(`httpd_can_connect_ftp',`
-+ corenet_tcp_connect_ftp_port(httpd_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-+')
-+
-+tunable_policy(`httpd_can_connect_ldap',`
-+ corenet_tcp_connect_ldap_port(httpd_t)
-+')
-+
-+tunable_policy(`httpd_can_connect_mythtv',`
-+ corenet_tcp_connect_mythtv_port(httpd_t)
-+')
-+
-+tunable_policy(`httpd_can_connect_zabbix',`
-+ corenet_tcp_connect_zabbix_port(httpd_t)
- ')
-
- tunable_policy(`httpd_enable_ftp_server',`
-- corenet_sendrecv_ftp_server_packets(httpd_t)
- corenet_tcp_bind_ftp_port(httpd_t)
-- corenet_tcp_sendrecv_ftp_port(httpd_t)
-+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
- ')
-
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_search_user_home_dirs(httpd_t)
-+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-+ can_exec(httpd_t, httpd_tmp_t)
-+')
-+
-+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
-+ can_exec(httpd_sys_script_t, httpd_tmp_t)
- ')
-
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_symlinks(httpd_t)
- ')
-
--tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_t)
-+tunable_policy(`httpd_use_nfs',`
-+ fs_list_auto_mountpoints(httpd_t)
-+ fs_manage_nfs_dirs(httpd_t)
-+ fs_manage_nfs_files(httpd_t)
-+ fs_manage_nfs_symlinks(httpd_t)
-+')
-+
-+
-+optional_policy(`
-+ tunable_policy(`httpd_use_nfs',`
-+ automount_search_tmp_dirs(httpd_t)
-+ ')
- ')
-
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-- fs_list_auto_mountpoints(httpd_t)
- fs_read_cifs_files(httpd_t)
- fs_read_cifs_symlinks(httpd_t)
- ')
-
--tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-- fs_exec_cifs_files(httpd_t)
-+tunable_policy(`httpd_can_sendmail',`
-+ # allow httpd to connect to mail servers
-+ corenet_tcp_connect_smtp_port(httpd_t)
-+ corenet_sendrecv_smtp_client_packets(httpd_t)
-+ corenet_tcp_connect_pop_port(httpd_t)
-+ corenet_sendrecv_pop_client_packets(httpd_t)
- ')
-
--tunable_policy(`httpd_execmem',`
-- allow httpd_t self:process { execmem execstack };
--')
--
--tunable_policy(`httpd_can_sendmail',`
-- corenet_sendrecv_smtp_client_packets(httpd_t)
-- corenet_tcp_connect_smtp_port(httpd_t)
-- corenet_tcp_sendrecv_smtp_port(httpd_t)
-- corenet_sendrecv_pop_client_packets(httpd_t)
-- corenet_tcp_connect_pop_port(httpd_t)
-- corenet_tcp_sendrecv_pop_port(httpd_t)
--
-- mta_send_mail(httpd_t)
-- mta_signal_system_mail(httpd_t)
-+optional_policy(`
-+ tunable_policy(`httpd_can_sendmail',`
-+ mta_send_mail(httpd_t)
-+ mta_signal_system_mail(httpd_t)
-+ ')
- ')
-
- optional_policy(`
-- tunable_policy(`httpd_can_network_connect_zabbix',`
-- zabbix_tcp_connect(httpd_t)
-- ')
--')
--
--optional_policy(`
-- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-- spamassassin_domtrans_client(httpd_t)
-- ')
-+ tunable_policy(`httpd_can_sendmail',`
-+ postfix_rw_spool_maildrop_files(httpd_t)
-+ ')
- ')
-
--tunable_policy(`httpd_graceful_shutdown',`
-- corenet_sendrecv_http_client_packets(httpd_t)
-- corenet_tcp_connect_http_port(httpd_t)
-- corenet_tcp_sendrecv_http_port(httpd_t)
--')
--
--optional_policy(`
-- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
-- ')
--')
--
--optional_policy(`
-- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
-- samba_domtrans_winbind_helper(httpd_t)
-- ')
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_t)
-+ fs_manage_cifs_files(httpd_t)
-+ fs_manage_cifs_symlinks(httpd_t)
- ')
-
--tunable_policy(`httpd_read_user_content',`
-- userdom_read_user_home_content_files(httpd_t)
-+tunable_policy(`httpd_use_fusefs',`
-+ fs_manage_fusefs_dirs(httpd_t)
-+ fs_manage_fusefs_files(httpd_t)
-+ fs_manage_fusefs_symlinks(httpd_t)
- ')
-
- tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',`
-
- tunable_policy(`httpd_ssi_exec',`
- corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
-+ allow httpd_sys_script_t httpd_t:fd use;
-+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
-+ allow httpd_sys_script_t httpd_t:process sigchld;
- ')
-
--tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-- can_exec(httpd_t, httpd_tmp_t)
--')
--
-+# When the admin starts the server, the server wants to access
-+# the TTY or PTY associated with the session. The httpd appears
-+# to run correctly without this permission, so the permission
-+# are dontaudited here.
- tunable_policy(`httpd_tty_comm',`
-- userdom_use_user_terminals(httpd_t)
--',`
-- userdom_dontaudit_use_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
--tunable_policy(`httpd_use_cifs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_cifs_dirs(httpd_t)
-- fs_manage_cifs_files(httpd_t)
-- fs_manage_cifs_symlinks(httpd_t)
--')
--
--tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-- fs_exec_cifs_files(httpd_t)
--')
-+optional_policy(`
-+ cobbler_list_config(httpd_t)
-+ cobbler_read_config(httpd_t)
-
--tunable_policy(`httpd_use_fusefs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_fusefs_dirs(httpd_t)
-- fs_manage_fusefs_files(httpd_t)
-- fs_read_fusefs_symlinks(httpd_t)
--')
-+ tunable_policy(`httpd_serve_cobbler_files',`
-+ cobbler_manage_lib_files(httpd_t)
-+',`
-+ cobbler_read_lib_files(httpd_t)
-+ cobbler_search_lib(httpd_t)
-+ ')
-
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
-+ tunable_policy(`httpd_can_network_connect_cobbler',`
-+ corenet_tcp_connect_cobbler_port(httpd_t)
-+ ')
- ')
-
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_nfs_dirs(httpd_t)
-- fs_manage_nfs_files(httpd_t)
-- fs_manage_nfs_symlinks(httpd_t)
-+optional_policy(`
-+ tunable_policy(`httpd_use_sasl',`
-+ sasl_connect(httpd_t)
-+ ')
- ')
-
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_t)
-+optional_policy(`
-+ # Support for ABRT retrace server
-+ # mod_wsgi
-+ abrt_manage_spool_retrace(httpd_t)
-+ abrt_domtrans_retrace_worker(httpd_t)
-+ abrt_read_config(httpd_t)
- ')
-
- optional_policy(`
-@@ -749,24 +920,32 @@ optional_policy(`
- ')
-
- optional_policy(`
-- clamav_domtrans_clamscan(httpd_t)
-+ cron_system_entry(httpd_t, httpd_exec_t)
- ')
-
- optional_policy(`
-- cobbler_read_config(httpd_t)
-- cobbler_read_lib_files(httpd_t)
-+ cvs_read_data(httpd_t)
- ')
-
- optional_policy(`
-- cron_system_entry(httpd_t, httpd_exec_t)
-+ daemontools_service_domain(httpd_t, httpd_exec_t)
- ')
-
- optional_policy(`
-- cvs_read_data(httpd_t)
-+ #needed by FreeIPA
-+ dirsrv_stream_connect(httpd_t)
- ')
-
- optional_policy(`
-- daemontools_service_domain(httpd_t, httpd_exec_t)
-+ dirsrv_manage_config(httpd_t)
-+ dirsrv_manage_log(httpd_t)
-+ dirsrv_manage_var_run(httpd_t)
-+ dirsrv_read_share(httpd_t)
-+ dirsrv_signal(httpd_t)
-+ dirsrv_signull(httpd_t)
-+ dirsrvadmin_manage_config(httpd_t)
-+ dirsrvadmin_manage_tmp(httpd_t)
-+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
- ')
-
- optional_policy(`
-@@ -775,6 +954,10 @@ optional_policy(`
- tunable_policy(`httpd_dbus_avahi',`
- avahi_dbus_chat(httpd_t)
- ')
-+
-+ tunable_policy(`httpd_dbus_sssd',`
-+ sssd_dbus_chat(httpd_t)
-+ ')
- ')
-
- optional_policy(`
-@@ -786,35 +969,62 @@ optional_policy(`
- ')
-
- optional_policy(`
-- kerberos_manage_host_rcache(httpd_t)
-- kerberos_read_keytab(httpd_t)
-- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
-- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
-- kerberos_use(httpd_t)
-+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-+ gpg_domtrans_web(httpd_t)
-+ ')
- ')
-
- optional_policy(`
-- ldap_stream_connect(httpd_t)
-+ gssproxy_stream_connect(httpd_t)
-+')
-
-- tunable_policy(`httpd_can_network_connect_ldap',`
-- ldap_tcp_connect(httpd_t)
-- ')
-+optional_policy(`
-+ ipa_read_lib(httpd_t)
-+ ipa_manage_pid_files(httpd_t)
-+')
-+
-+optional_policy(`
-+ mirrormanager_manage_pid_files(httpd_t)
-+ mirrormanager_manage_pid_sock_files(httpd_t)
-+ mirrormanager_read_lib_files(httpd_t)
-+ mirrormanager_read_log(httpd_t)
-+')
-+
-+optional_policy(`
-+ jetty_admin(httpd_t)
-+')
-+
-+optional_policy(`
-+ kerberos_manage_host_rcache(httpd_t)
-+ kerberos_read_keytab(httpd_t)
-+ kerberos_read_kdc_config(httpd_t)
-+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
-+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
-+ kerberos_use(httpd_t)
-+')
-+
-+optional_policy(`
-+ # needed by FreeIPA
-+ ldap_stream_connect(httpd_t)
-+ ldap_read_certs(httpd_t)
- ')
-
- optional_policy(`
- mailman_signal_cgi(httpd_t)
- mailman_domtrans_cgi(httpd_t)
- mailman_read_data_files(httpd_t)
-+ # should have separate types for public and private archives
- mailman_search_data(httpd_t)
- mailman_read_archive(httpd_t)
- ')
-
- optional_policy(`
-- memcached_stream_connect(httpd_t)
-+ mediawiki_read_tmp_files(httpd_t)
-+ mediawiki_delete_tmp_files(httpd_t)
-+')
-
-- tunable_policy(`httpd_can_network_connect_memcache',`
-- memcached_tcp_connect(httpd_t)
-- ')
-+optional_policy(`
-+ memcached_stream_connect(httpd_t)
-
- tunable_policy(`httpd_manage_ipa',`
- memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1032,31 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ tunable_policy(`httpd_run_ipa',`
-+ oddjob_dbus_chat(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_ipa',`
-+ ipa_domtrans_helper(httpd_t)
-+ ')
-+ ipa_cert_filetrans_named_content(httpd_t)
-+')
-+
-+optional_policy(`
-+ munin_read_config(httpd_t)
-+')
-+
-+optional_policy(`
-+ # Allow httpd to work with mysql
- mysql_read_config(httpd_t)
- mysql_stream_connect(httpd_t)
-+ mysql_rw_db_sockets(httpd_t)
-+
-+ optional_policy(`
-+ postgresql_stream_connect(httpd_t)
-+ ')
-
- tunable_policy(`httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_t)
-@@ -832,6 +1065,8 @@ optional_policy(`
-
- optional_policy(`
- nagios_read_config(httpd_t)
-+ nagios_read_lib(httpd_t)
-+ nagios_read_log(httpd_t)
- ')
-
- optional_policy(`
-@@ -842,20 +1077,48 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ openshift_search_lib(httpd_t)
-+ openshift_initrc_signull(httpd_t)
-+ openshift_initrc_signal(httpd_t)
-+')
-+
-+optional_policy(`
-+ passenger_exec(httpd_t)
-+ passenger_kill(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+')
-+
-+optional_policy(`
- pcscd_read_pid_files(httpd_t)
- ')
-
- optional_policy(`
-- postgresql_stream_connect(httpd_t)
-- postgresql_unpriv_client(httpd_t)
-+ pkcs11proxyd_stream_connect(httpd_t)
-+')
-
-- tunable_policy(`httpd_can_network_connect_db',`
-- postgresql_tcp_connect(httpd_t)
-- ')
-+optional_policy(`
-+ pki_apache_domain_signal(httpd_t)
-+ pki_manage_apache_config_files(httpd_t)
-+ pki_manage_apache_lib(httpd_t)
-+ pki_manage_apache_log_files(httpd_t)
-+ pki_manage_apache_run(httpd_t)
-+ pki_read_tomcat_cert(httpd_t)
- ')
-
- optional_policy(`
-- puppet_read_lib_files(httpd_t)
-+ puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+ pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
-+ realmd_read_var_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+ rpm_dontaudit_read_db(httpd_t)
- ')
-
- optional_policy(`
-@@ -863,16 +1126,31 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # Allow httpd to work with postgresql
-+ postgresql_stream_connect(httpd_t)
-+ postgresql_unpriv_client(httpd_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ postgresql_tcp_connect(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(httpd_t)
- ')
-
- optional_policy(`
- smokeping_read_lib_files(httpd_t)
-+ smokeping_read_pid_files(httpd_t)
-+')
-+
-+optional_policy(`
-+ files_dontaudit_rw_usr_dirs(httpd_t)
-+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
- ')
-
- optional_policy(`
-- snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
-- snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
-+ thin_stream_connect(httpd_t)
- ')
-
- optional_policy(`
-@@ -883,65 +1161,189 @@ optional_policy(`
- yam_read_content(httpd_t)
- ')
-
-+optional_policy(`
-+ zarafa_manage_lib_files(httpd_t)
-+ zarafa_stream_connect_server(httpd_t)
-+ zarafa_search_config(httpd_t)
-+')
-+
-+optional_policy(`
-+ zoneminder_append_log(httpd_t)
-+ zoneminder_manage_lib_dirs(httpd_t)
-+ zoneminder_manage_lib_files(httpd_t)
-+ zoneminder_stream_connect(httpd_t)
-+ zoneminder_exec(httpd_t)
-+')
-+
- ########################################
- #
--# Helper local policy
-+# Apache helper local policy
- #
-
--read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
-+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-
--append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-+allow httpd_helper_t httpd_config_t:file read_file_perms;
-
--files_search_etc(httpd_helper_t)
-+allow httpd_helper_t httpd_log_t:file append_file_perms;
-
--logging_search_logs(httpd_helper_t)
- logging_send_syslog_msg(httpd_helper_t)
-
-+tunable_policy(`httpd_verify_dns',`
-+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
-+')
-+
-+tunable_policy(`httpd_run_stickshift', `
-+ allow httpd_t self:capability { fowner fsetid sys_resource };
-+ dontaudit httpd_t self:capability sys_ptrace;
-+ allow httpd_t self:process setexec;
-+
-+ files_dontaudit_getattr_all_files(httpd_t)
-+ domain_getpgid_all_domains(httpd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_stickshift', `
-+ passenger_manage_lib_files(httpd_t)
-+ passenger_getattr_log_files(httpd_t)
-+ ',`
-+ passenger_domtrans(httpd_t)
-+ passenger_read_lib_files(httpd_t)
-+ passenger_stream_connect(httpd_t)
-+ passenger_manage_tmp_files(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_stickshift', `
-+ oddjob_dbus_chat(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_preupgrade', `
-+ anaconda_manage_lib_files_preupgrade(httpd_t)
-+ anaconda_domtrans_preupgrade(httpd_t)
-+ ',`
-+ anaconda_read_lib_files_preupgrade(httpd_t)
-+ anaconda_exec_preupgrade(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_preupgrade', `
-+ corenet_tcp_bind_preupgrade_port(httpd_t)
-+ ')
-+')
-+
- tunable_policy(`httpd_tty_comm',`
-- userdom_use_user_terminals(httpd_helper_t)
--',`
-- userdom_dontaudit_use_user_terminals(httpd_helper_t)
-+ userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
-
- ########################################
- #
--# Suexec local policy
-+# Apache PHP script local policy
-+#
-+
-+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow httpd_php_t self:fd use;
-+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
-+allow httpd_php_t self:sock_file read_sock_file_perms;
-+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
-+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
-+allow httpd_php_t self:unix_dgram_socket sendto;
-+allow httpd_php_t self:unix_stream_socket connectto;
-+allow httpd_php_t self:shm create_shm_perms;
-+allow httpd_php_t self:sem create_sem_perms;
-+allow httpd_php_t self:msgq create_msgq_perms;
-+allow httpd_php_t self:msg { send receive };
-+
-+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
-+
-+# allow php to read and append to apache logfiles
-+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
-+
-+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
-+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
-+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
-+
-+fs_search_auto_mountpoints(httpd_php_t)
-+
-+auth_use_nsswitch(httpd_php_t)
-+
-+libs_exec_lib_files(httpd_php_t)
-+
-+userdom_use_unpriv_users_fds(httpd_php_t)
-+
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_gds_db_port(httpd_php_t)
-+ corenet_tcp_connect_mssql_port(httpd_php_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
-+ corenet_tcp_connect_oracle_port(httpd_php_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
-+')
-+
-+optional_policy(`
-+ mysql_stream_connect(httpd_php_t)
-+ mysql_rw_db_sockets(httpd_php_t)
-+ mysql_read_config(httpd_php_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ mysql_tcp_connect(httpd_php_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(httpd_php_t)
-+ postgresql_unpriv_client(httpd_php_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ postgresql_tcp_connect(httpd_php_t)
-+ ')
-+')
-+
-+########################################
-+#
-+# Apache suexec local policy
- #
-
- allow httpd_suexec_t self:capability { setuid setgid };
- allow httpd_suexec_t self:process signal_perms;
- allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
--allow httpd_suexec_t self:tcp_socket { accept listen };
--allow httpd_suexec_t self:unix_stream_socket { accept listen };
-+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-+
-+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
- create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-+
-+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
-
- manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
- manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
- files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
-
-+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
-+
-+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+
- kernel_read_kernel_sysctls(httpd_suexec_t)
- kernel_list_proc(httpd_suexec_t)
- kernel_read_proc_symlinks(httpd_suexec_t)
-
--corenet_all_recvfrom_unlabeled(httpd_suexec_t)
--corenet_all_recvfrom_netlabel(httpd_suexec_t)
--corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
--corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
--
--corecmd_exec_bin(httpd_suexec_t)
--corecmd_exec_shell(httpd_suexec_t)
--
- dev_read_urand(httpd_suexec_t)
-
- fs_read_iso9660_files(httpd_suexec_t)
- fs_search_auto_mountpoints(httpd_suexec_t)
-
--files_read_usr_files(httpd_suexec_t)
-+application_exec_all(httpd_suexec_t)
-+
-+# for shell scripts
-+corecmd_exec_bin(httpd_suexec_t)
-+corecmd_exec_shell(httpd_suexec_t)
-+
- files_dontaudit_search_pids(httpd_suexec_t)
- files_search_home(httpd_suexec_t)
-
-@@ -950,123 +1352,75 @@ auth_use_nsswitch(httpd_suexec_t)
- logging_search_logs(httpd_suexec_t)
- logging_send_syslog_msg(httpd_suexec_t)
-
--miscfiles_read_localization(httpd_suexec_t)
- miscfiles_read_public_files(httpd_suexec_t)
-
--tunable_policy(`httpd_builtin_scripting',`
-- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
--
-- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
-- allow httpd_suexec_t httpdcontent:file read_file_perms;
-- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
--')
-+corenet_all_recvfrom_netlabel(httpd_suexec_t)
-
- tunable_policy(`httpd_can_network_connect',`
-+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-+ allow httpd_suexec_t self:udp_socket create_socket_perms;
-+
-+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
-+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
-+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
-+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
- corenet_tcp_connect_all_ports(httpd_suexec_t)
- corenet_sendrecv_all_client_packets(httpd_suexec_t)
-- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
- ')
-
- tunable_policy(`httpd_can_network_connect_db',`
-- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
- corenet_tcp_connect_gds_db_port(httpd_suexec_t)
-- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
-- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
- corenet_tcp_connect_mssql_port(httpd_suexec_t)
-- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
-- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
-- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
-- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
- ')
-
-+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
-+
- tunable_policy(`httpd_can_sendmail',`
-- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
-- corenet_tcp_connect_smtp_port(httpd_suexec_t)
-- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
-- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
-- corenet_tcp_connect_pop_port(httpd_suexec_t)
-- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
- mta_send_mail(httpd_suexec_t)
-- mta_signal_system_mail(httpd_suexec_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_sys_script_t httpdcontent:file entrypoint;
- domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
--')
--
--tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-- fs_list_auto_mountpoints(httpd_suexec_t)
-- fs_read_cifs_files(httpd_suexec_t)
-- fs_read_cifs_symlinks(httpd_suexec_t)
--')
--
--tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-- fs_exec_cifs_files(httpd_suexec_t)
-+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
- ')
-
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(httpd_suexec_t)
-+ fs_list_auto_mountpoints(httpd_suexec_t)
- fs_read_nfs_files(httpd_suexec_t)
- fs_read_nfs_symlinks(httpd_suexec_t)
--')
--
--tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_suexec_t)
- ')
-
--tunable_policy(`httpd_execmem',`
-- allow httpd_suexec_t self:process { execmem execstack };
--')
--
--tunable_policy(`httpd_tmp_exec',`
-- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
--')
--
--tunable_policy(`httpd_tty_comm',`
-- userdom_use_user_terminals(httpd_suexec_t)
--',`
-- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
--')
--
--tunable_policy(`httpd_use_cifs',`
-- fs_list_auto_mountpoints(httpd_suexec_t)
-- fs_manage_cifs_dirs(httpd_suexec_t)
-- fs_manage_cifs_files(httpd_suexec_t)
-- fs_manage_cifs_symlinks(httpd_suexec_t)
--')
--
--tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-+ fs_read_cifs_files(httpd_suexec_t)
-+ fs_read_cifs_symlinks(httpd_suexec_t)
- fs_exec_cifs_files(httpd_suexec_t)
- ')
-
--tunable_policy(`httpd_use_fusefs',`
-- fs_list_auto_mountpoints(httpd_suexec_t)
-- fs_manage_fusefs_dirs(httpd_suexec_t)
-- fs_manage_fusefs_files(httpd_suexec_t)
-- fs_read_fusefs_symlinks(httpd_suexec_t)
--')
--
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_suexec_t)
--')
--
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_suexec_t)
-- fs_manage_nfs_dirs(httpd_suexec_t)
-- fs_manage_nfs_files(httpd_suexec_t)
-- fs_manage_nfs_symlinks(httpd_suexec_t)
-+optional_policy(`
-+ apache_rw_stream_sockets(httpd_suexec_t)
- ')
-
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_suexec_t)
-+optional_policy(`
-+ mailman_domtrans_cgi(httpd_suexec_t)
- ')
-
- optional_policy(`
-- mailman_domtrans_cgi(httpd_suexec_t)
-+ mta_stub(httpd_suexec_t)
- ')
-
- optional_policy(`
- mysql_stream_connect(httpd_suexec_t)
-+ mysql_rw_db_sockets(httpd_suexec_t)
- mysql_read_config(httpd_suexec_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1437,107 @@ optional_policy(`
- ')
- ')
-
--tunable_policy(`httpd_read_user_content',`
-- userdom_read_user_home_content_files(httpd_suexec_t)
--')
--
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_search_user_home_dirs(httpd_suexec_t)
--')
--
- ########################################
- #
--# Common script local policy
-+# Apache system script local policy
- #
-
--allow httpd_script_domains self:fifo_file rw_file_perms;
--allow httpd_script_domains self:unix_stream_socket connectto;
--
--allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
--append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
--kernel_dontaudit_search_sysctl(httpd_script_domains)
--kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
-
--corenet_all_recvfrom_unlabeled(httpd_script_domains)
--corenet_all_recvfrom_netlabel(httpd_script_domains)
--corenet_tcp_sendrecv_generic_if(httpd_script_domains)
--corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
-+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
--corecmd_exec_all_executables(httpd_script_domains)
-+dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
--dev_read_rand(httpd_script_domains)
--dev_read_urand(httpd_script_domains)
-+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
--files_exec_etc_files(httpd_script_domains)
--files_read_etc_files(httpd_script_domains)
--files_search_home(httpd_script_domains)
-+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-
--libs_exec_ld_so(httpd_script_domains)
--libs_exec_lib_files(httpd_script_domains)
-+kernel_read_kernel_sysctls(httpd_sys_script_t)
-
--logging_search_logs(httpd_script_domains)
-+dev_list_sysfs(httpd_sys_script_t)
-
--miscfiles_read_fonts(httpd_script_domains)
--miscfiles_read_public_files(httpd_script_domains)
-+files_read_var_symlinks(httpd_sys_script_t)
-+files_search_var_lib(httpd_sys_script_t)
-+files_search_spool(httpd_sys_script_t)
-
--seutil_dontaudit_search_config(httpd_script_domains)
-+logging_send_syslog_msg(httpd_sys_script_t)
-+logging_inherit_append_all_logs(httpd_sys_script_t)
-
--tunable_policy(`httpd_enable_cgi && httpd_unified',`
-- allow httpd_script_domains httpdcontent:file entrypoint;
-+# Should we add a boolean?
-+apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-+auth_use_nsswitch(httpd_sys_script_t)
-
-- can_exec(httpd_script_domains, httpdcontent)
-+ifdef(`distro_redhat',`
-+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
- ')
-
--tunable_policy(`httpd_enable_cgi',`
-- allow httpd_script_domains self:process { setsched signal_perms };
-- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
--
-- kernel_read_system_state(httpd_script_domains)
--
-- fs_getattr_all_fs(httpd_script_domains)
--
-- files_read_etc_runtime_files(httpd_script_domains)
-- files_read_usr_files(httpd_script_domains)
--
-- libs_read_lib_files(httpd_script_domains)
--
-- miscfiles_read_localization(httpd_script_domains)
-+tunable_policy(`httpd_can_sendmail',`
-+ mta_send_mail(httpd_sys_script_t)
- ')
-
- optional_policy(`
-- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-- nis_use_ypbind_uncond(httpd_script_domains)
-+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-+ spamassassin_domtrans_client(httpd_t)
- ')
- ')
-
--tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
-- corenet_tcp_connect_gds_db_port(httpd_script_domains)
-- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
-- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
-- corenet_tcp_connect_mssql_port(httpd_script_domains)
-- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
-- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
-- corenet_tcp_connect_oracledb_port(httpd_script_domains)
-- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
--')
--
--optional_policy(`
-- mysql_read_config(httpd_script_domains)
-- mysql_stream_connect(httpd_script_domains)
--
-- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-- mysql_tcp_connect(httpd_script_domains)
-- ')
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
-+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
- ')
-
--optional_policy(`
-- postgresql_stream_connect(httpd_script_domains)
-+fs_cifs_entry_type(httpd_sys_script_t)
-+fs_read_iso9660_files(httpd_sys_script_t)
-+fs_nfs_entry_type(httpd_sys_script_t)
-+fs_rw_anon_inodefs_files(httpd_sys_script_t)
-
-- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-- postgresql_tcp_connect(httpd_script_domains)
-- ')
--')
-+tunable_policy(`httpd_use_nfs',`
-+ fs_list_auto_mountpoints(httpd_sys_script_t)
-+ fs_manage_nfs_dirs(httpd_sys_script_t)
-+ fs_manage_nfs_files(httpd_sys_script_t)
-+ fs_manage_nfs_symlinks(httpd_sys_script_t)
-+ fs_exec_nfs_files(httpd_sys_script_t)
-
--optional_policy(`
-- nscd_use(httpd_script_domains)
-+ fs_list_auto_mountpoints(httpd_suexec_t)
-+ fs_manage_nfs_dirs(httpd_suexec_t)
-+ fs_manage_nfs_files(httpd_suexec_t)
-+ fs_manage_nfs_symlinks(httpd_suexec_t)
-+ fs_exec_nfs_files(httpd_suexec_t)
- ')
-
--########################################
--#
--# System script local policy
--#
--
--allow httpd_sys_script_t self:tcp_socket { accept listen };
--
--allow httpd_sys_script_t httpd_t:tcp_socket { read write };
--
--dontaudit httpd_sys_script_t httpd_config_t:dir search;
--
--allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
--
--allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
--allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
--allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
--
--kernel_read_kernel_sysctls(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
--fs_search_auto_mountpoints(httpd_sys_script_t)
--
--files_read_var_symlinks(httpd_sys_script_t)
--files_search_var_lib(httpd_sys_script_t)
--files_search_spool(httpd_sys_script_t)
--
--apache_domtrans_rotatelogs(httpd_sys_script_t)
--
--auth_use_nsswitch(httpd_sys_script_t)
--
--tunable_policy(`httpd_can_sendmail',`
-- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
-- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
-- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
-- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
-- corenet_tcp_connect_pop_port(httpd_sys_script_t)
-- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
-- mta_send_mail(httpd_sys_script_t)
-- mta_signal_system_mail(httpd_sys_script_t)
-+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
-+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
-+
-+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
-+ corenet_udp_bind_generic_node(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
-+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
-+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
-+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
-+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
- ')
-
- tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_sys_script_t)
- ')
-
--tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-- corenet_tcp_connect_all_ports(httpd_sys_script_t)
-- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
-- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
--')
--
--tunable_policy(`httpd_execmem',`
-- allow httpd_sys_script_t self:process { execmem execstack };
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(httpd_sys_script_t)
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
- tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1545,74 @@ tunable_policy(`httpd_read_user_content',`
- ')
-
- tunable_policy(`httpd_use_cifs',`
-- fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_cifs_dirs(httpd_sys_script_t)
- fs_manage_cifs_files(httpd_sys_script_t)
- fs_manage_cifs_symlinks(httpd_sys_script_t)
--')
--
--tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-- fs_exec_cifs_files(httpd_sys_script_t)
-+ fs_manage_cifs_dirs(httpd_suexec_t)
-+ fs_manage_cifs_files(httpd_suexec_t)
-+ fs_manage_cifs_symlinks(httpd_suexec_t)
-+ fs_exec_cifs_files(httpd_suexec_t)
- ')
-
- tunable_policy(`httpd_use_fusefs',`
-- fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_fusefs_dirs(httpd_sys_script_t)
- fs_manage_fusefs_files(httpd_sys_script_t)
-- fs_read_fusefs_symlinks(httpd_sys_script_t)
-+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
-+ fs_manage_fusefs_dirs(httpd_suexec_t)
-+ fs_manage_fusefs_files(httpd_suexec_t)
-+ fs_manage_fusefs_symlinks(httpd_suexec_t)
-+ fs_exec_fusefs_files(httpd_suexec_t)
- ')
-
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_sys_script_t)
-+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-+ fs_read_cifs_files(httpd_sys_script_t)
-+ fs_read_cifs_symlinks(httpd_sys_script_t)
- ')
-
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_sys_script_t)
-- fs_manage_nfs_dirs(httpd_sys_script_t)
-- fs_manage_nfs_files(httpd_sys_script_t)
-- fs_manage_nfs_symlinks(httpd_sys_script_t)
-+optional_policy(`
-+ clamav_domtrans_clamscan(httpd_sys_script_t)
-+ clamav_domtrans_clamscan(httpd_t)
- ')
-
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_sys_script_t)
-+optional_policy(`
-+ mysql_stream_connect(httpd_sys_script_t)
-+ mysql_rw_db_sockets(httpd_sys_script_t)
-+ mysql_read_config(httpd_sys_script_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ mysql_tcp_connect(httpd_sys_script_t)
-+ ')
- ')
-
- optional_policy(`
-- clamav_domtrans_clamscan(httpd_sys_script_t)
-+ postgresql_stream_connect(httpd_sys_script_t)
-+ postgresql_unpriv_client(httpd_sys_script_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ postgresql_tcp_connect(httpd_sys_script_t)
-+ ')
- ')
-
- optional_policy(`
-- postgresql_unpriv_client(httpd_sys_script_t)
-+ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
- ')
-
- ########################################
- #
--# Rotatelogs local policy
-+# httpd_rotatelogs local policy
- #
-
--allow httpd_rotatelogs_t self:capability dac_override;
-+allow httpd_rotatelogs_t self:capability { dac_read_search };
-
- manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-
- kernel_read_kernel_sysctls(httpd_rotatelogs_t)
- kernel_dontaudit_list_proc(httpd_rotatelogs_t)
-+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-
--files_read_etc_files(httpd_rotatelogs_t)
-
- logging_search_logs(httpd_rotatelogs_t)
-
--miscfiles_read_localization(httpd_rotatelogs_t)
-
- ########################################
- #
-@@ -1321,8 +1620,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
- #
-
- optional_policy(`
-- apache_content_template(unconfined)
-+ type httpd_unconfined_script_t;
-+ type httpd_unconfined_script_exec_t;
-+ domain_type(httpd_unconfined_script_t)
-+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
-+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
- unconfined_domain(httpd_unconfined_script_t)
-+
-+ role system_r types httpd_unconfined_script_t;
-+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
- ')
-
- ########################################
-@@ -1330,49 +1636,43 @@ optional_policy(`
- # User content local policy
- #
-
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_search_user_home_dirs(httpd_user_script_t)
--')
-+auth_use_nsswitch(httpd_user_script_t)
-
--tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-- fs_list_auto_mountpoints(httpd_user_script_t)
-- fs_read_cifs_files(httpd_user_script_t)
-- fs_read_cifs_symlinks(httpd_user_script_t)
--')
--
--tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-- fs_exec_cifs_files(httpd_user_script_t)
-+tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_user_script_t httpdcontent:file entrypoint;
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
- ')
-
--tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(httpd_user_script_t)
-- fs_read_nfs_files(httpd_user_script_t)
-- fs_read_nfs_symlinks(httpd_user_script_t)
--')
-+# allow accessing files/dirs below the users home dir
-+tunable_policy(`httpd_enable_homedirs',`
-+ userdom_search_user_home_content(httpd_t)
-+ userdom_search_user_home_content(httpd_suexec_t)
-+ userdom_search_user_home_content(httpd_user_script_t)
-
--tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_user_script_t)
-+ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
-+ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
-+ list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
-+ allow httpd_t httpd_user_content_type:file map;
- ')
-
- tunable_policy(`httpd_read_user_content',`
-+ userdom_read_user_home_content_files(httpd_t)
-+ userdom_read_user_home_content_files(httpd_suexec_t)
- userdom_read_user_home_content_files(httpd_user_script_t)
- ')
-
--optional_policy(`
-- postgresql_unpriv_client(httpd_user_script_t)
--')
--
- ########################################
- #
--# Passwd local policy
-+# httpd_passwd local policy
- #
-
- allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
- allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
- allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
-
--dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
--
- kernel_read_system_state(httpd_passwd_t)
-
- corecmd_exec_bin(httpd_passwd_t)
-@@ -1384,36 +1684,109 @@ domain_use_interactive_fds(httpd_passwd_t)
-
- auth_use_nsswitch(httpd_passwd_t)
-
--miscfiles_read_generic_certs(httpd_passwd_t)
--miscfiles_read_localization(httpd_passwd_t)
-+init_dontaudit_read_state(httpd_passwd_t)
-
--########################################
--#
--# GPG local policy
--#
-+miscfiles_read_certs(httpd_passwd_t)
-
--allow httpd_gpg_t self:process setrlimit;
-+systemd_manage_passwd_run(httpd_passwd_t)
-+systemd_manage_passwd_run(httpd_t)
-+#systemd_passwd_agent_dev_template(httpd)
-
--allow httpd_gpg_t httpd_t:fd use;
--allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
--allow httpd_gpg_t httpd_t:process sigchld;
-+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-+dontaudit httpd_passwd_t httpd_config_t:file read;
-
--dev_read_rand(httpd_gpg_t)
--dev_read_urand(httpd_gpg_t)
-+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
-+corecmd_shell_entry_type(httpd_script_type)
-
--files_read_usr_files(httpd_gpg_t)
-+allow httpd_script_type self:fifo_file rw_file_perms;
-+allow httpd_script_type self:unix_stream_socket connectto;
-
--miscfiles_read_localization(httpd_gpg_t)
-+allow httpd_script_type httpd_t:fifo_file write;
-+# apache should set close-on-exec
-+apache_dontaudit_leaks(httpd_script_type)
-
--tunable_policy(`httpd_gpg_anon_write',`
-- miscfiles_manage_public_files(httpd_gpg_t)
-+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
-+logging_search_logs(httpd_script_type)
-+
-+kernel_dontaudit_search_sysctl(httpd_script_type)
-+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
-+
-+dev_read_rand(httpd_script_type)
-+dev_read_urand(httpd_script_type)
-+
-+corecmd_exec_all_executables(httpd_script_type)
-+application_exec_all(httpd_script_type)
-+
-+files_exec_etc_files(httpd_script_type)
-+files_search_home(httpd_script_type)
-+
-+libs_exec_ld_so(httpd_script_type)
-+libs_exec_lib_files(httpd_script_type)
-+
-+miscfiles_read_fonts(httpd_script_type)
-+miscfiles_read_public_files(httpd_script_type)
-+
-+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-+
-+allow httpd_t httpd_script_exec_type:file read_file_perms;
-+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
-+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
-+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-+
-+allow httpd_script_type self:process { setsched signal_perms };
-+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
-+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
-+
-+allow httpd_script_type httpd_t:fd use;
-+allow httpd_script_type httpd_t:process sigchld;
-+
-+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
-+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
-+
-+fs_getattr_xattr_fs(httpd_script_type)
-+
-+files_read_etc_runtime_files(httpd_script_type)
-+
-+libs_read_lib_files(httpd_script_type)
-+
-+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
-+
-+tunable_policy(`httpd_enable_cgi && nis_enabled',`
-+ nis_use_ypbind_uncond(httpd_script_type)
- ')
-
- optional_policy(`
-- apache_manage_sys_rw_content(httpd_gpg_t)
-+ nscd_socket_use(httpd_script_type)
-+')
-+
-+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+allow httpd_t httpd_content_type:file map;
-+
-+tunable_policy(`httpd_builtin_scripting',`
-+ allow httpd_t httpd_content_type:dir search_dir_perms;
-+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
-+
-+ allow httpd_t httpd_content_type:dir list_dir_perms;
-+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+')
-+
-+tunable_policy(`httpd_use_openstack',`
-+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
-+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_use_openstack',`
-+ corenet_tcp_connect_osapi_compute_port(httpd_t)
-+ corenet_tcp_bind_commplex_main_port(httpd_t)
- ')
-
- optional_policy(`
-- gpg_entry_type(httpd_gpg_t)
-- gpg_exec(httpd_gpg_t)
-+ tunable_policy(`httpd_use_openstack',`
-+ keystone_read_log(httpd_t)
-+ ')
- ')
-+
-diff --git a/apcupsd.fc b/apcupsd.fc
-index 5ec0e13c8..97c204fe5 100644
---- a/apcupsd.fc
-+++ b/apcupsd.fc
-@@ -1,18 +1,23 @@
-+/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0)
-+
- /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
-+
- /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
- /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
- /var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
-+/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
-
- /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
- /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-
- /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
-
--/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
--/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
--/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
--/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
--/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
-+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
-+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
-+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
-+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
-diff --git a/apcupsd.if b/apcupsd.if
-index f3c0abac6..f6e25eda4 100644
---- a/apcupsd.if
-+++ b/apcupsd.if
-@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
- ########################################
- ##
- ## Execute a domain transition to
--## run httpd_apcupsd_cgi_script.
-+## run apcupsd_cgi_script.
- ##
- ##
- ##
-@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
- #
- interface(`apcupsd_cgi_script_domtrans',`
- gen_require(`
-- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
-+ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
- ')
-
- files_search_var($1)
-- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
-+ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
-
- optional_policy(`
- apache_search_sys_content($1)
-@@ -125,6 +125,50 @@ interface(`apcupsd_cgi_script_domtrans',`
-
- ########################################
- ##
-+## Execute apcupsd server in the apcupsd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apcupsd_systemctl',`
-+ gen_require(`
-+ type apcupsd_t;
-+ type apcupsd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 apcupsd_unit_file_t:file read_file_perms;
-+ allow $1 apcupsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, apcupsd_t)
-+')
-+
-+########################################
-+##
-+## Create configuration files in /var/lock
-+## with a named file type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apcupsd_filetrans_named_content',`
-+ gen_require(`
-+ type apcupsd_lock_t;
-+ ')
-+
-+ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
-+ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an apcupsd environment.
- ##
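Review bot: The description of `apcupsd_filetrans_named_content` says it creates configuration files in /var/lock, but both rules beneath it transition files to `apcupsd_lock_t`, so the header should read `## Create lock files in /var/lock with a named file type transition.` The second rule, `files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")`, matches only a file literally named `LCK..`; if the intent was the serial-port lock names that begin with that prefix, a named transition cannot express a prefix and a file-context pattern would be needed instead — worth confirming against the names apcupsd actually creates. Either way the interface doc should name the exact file names it covers so callers know what will and will not be relabeled.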
-@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
- gen_require(`
- type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
- type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
-+ type apcupsd_unit_file_t;
-+ type apcupsd_power_t;
- ')
-
-- allow $1 apcupsd_t:process { ptrace signal_perms };
-+ allow $1 apcupsd_t:process signal_perms;
- ps_process_pattern($1, apcupsd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 apcupsd_t:process ptrace;
-+ ')
-+
- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
-
- files_list_pids($1)
- admin_pattern($1, apcupsd_var_run_t)
-+
-+ apcupsd_systemctl($1)
-+ admin_pattern($1, apcupsd_unit_file_t)
-+ allow $1 apcupsd_unit_file_t:service all_service_perms;
-+
-+ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
-+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
- ')
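Review bot: The named transition added on the last line of `apcupsd_admin` is written against `apcupsd_t` instead of the interface argument, so the admin domain never receives the `powerfail` transition and the rule merely duplicates the one this same patch adds to apcupsd.te; it should be `files_etc_filetrans($1, apcupsd_power_t, file, "powerfail")`. The `allow $1 apcupsd_unit_file_t:service all_service_perms;` two lines above also subsumes the `manage_service_perms` that `apcupsd_systemctl($1)` already grants the same domain, which is harmless but worth trimming to one grant. `apcupsd_admin` begins before this hunk.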
-diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4ddb..b73cf151d 100644
---- a/apcupsd.te
-+++ b/apcupsd.te
-@@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t)
- type apcupsd_var_run_t;
- files_pid_file(apcupsd_var_run_t)
-
-+type apcupsd_power_t;
-+files_type(apcupsd_power_t)
-+
-+type apcupsd_unit_file_t;
-+systemd_unit_file(apcupsd_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
-+allow apcupsd_t self:capability { dac_read_search setgid sys_tty_config };
- allow apcupsd_t self:process signal;
- allow apcupsd_t self:fifo_file rw_file_perms;
- allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
- allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
- files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
-
--append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
--create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
--setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-+manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
-+files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
-+
-+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
- logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
-
- manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
-@@ -50,11 +57,11 @@ manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
- files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
-
- kernel_read_system_state(apcupsd_t)
-+kernel_read_network_state(apcupsd_t)
-
- corecmd_exec_bin(apcupsd_t)
- corecmd_exec_shell(apcupsd_t)
-
--corenet_all_recvfrom_unlabeled(apcupsd_t)
- corenet_all_recvfrom_netlabel(apcupsd_t)
- corenet_tcp_sendrecv_generic_if(apcupsd_t)
- corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,26 +74,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
- corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
- corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
- corenet_tcp_connect_apcupsd_port(apcupsd_t)
-+corenet_udp_bind_apc_port(apcupsd_t)
-+corenet_udp_bind_snmp_port(apcupsd_t)
-
- corenet_udp_bind_snmp_port(apcupsd_t)
- corenet_sendrecv_snmp_server_packets(apcupsd_t)
- corenet_udp_sendrecv_snmp_port(apcupsd_t)
-
-+corenet_tcp_connect_smtp_port(apcupsd_t)
-+
-+fs_getattr_xattr_fs(apcupsd_t)
-+
-+dev_read_sysfs(apcupsd_t)
-+dev_read_urand(apcupsd_t)
-+
- dev_rw_generic_usb_dev(apcupsd_t)
-
--files_read_etc_files(apcupsd_t)
-+domain_signull_all_domains(apcupsd_t)
-+
- files_manage_etc_runtime_files(apcupsd_t)
- files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
-
--term_use_unallocated_ttys(apcupsd_t)
-+term_use_all_terms(apcupsd_t)
-+term_use_usb_ttys(apcupsd_t)
-
--logging_send_syslog_msg(apcupsd_t)
-+#apcupsd runs shutdown, probably need a shutdown domain
-+init_rw_utmp(apcupsd_t)
-+init_telinit(apcupsd_t)
-+
-+auth_use_nsswitch(apcupsd_t)
-
--miscfiles_read_localization(apcupsd_t)
-+logging_send_syslog_msg(apcupsd_t)
-
- sysnet_dns_name_resolve(apcupsd_t)
-
--userdom_use_user_ttys(apcupsd_t)
-+userdom_use_inherited_user_ttys(apcupsd_t)
-
- optional_policy(`
- hostname_exec(apcupsd_t)
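Review bot: `corenet_udp_bind_snmp_port(apcupsd_t)` is added directly above an existing identical call, so one of the two lines should be dropped. The same hunk widens terminal access from `term_use_unallocated_ttys` to `term_use_all_terms`, which lets the daemon open any terminal by path; elsewhere in this patch `apm_t` and `apt_t` are moved the other way, to `term_use_all_inherited_terms`, so `apcupsd_t` should likely get `term_use_all_inherited_terms(apcupsd_t)` as well unless it is known to open ttys itself rather than inherit them. The new comment `#apcupsd runs shutdown, probably need a shutdown domain` sits next to `init_telinit`, while a `shutdown_domtrans(apcupsd_t)` optional block already exists just below; the comment should either go or explain why telinit is still needed when the shutdown domain is present.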
-@@ -101,6 +123,11 @@ optional_policy(`
- shutdown_domtrans(apcupsd_t)
- ')
-
-+optional_policy(`
-+ systemd_start_power_services(apcupsd_t)
-+ systemd_status_power_services(apcupsd_t)
-+')
-+
- ########################################
- #
- # CGI local policy
-@@ -108,20 +135,20 @@ optional_policy(`
-
- optional_policy(`
- apache_content_template(apcupsd_cgi)
--
-- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
-- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
--
-- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
-- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
-- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
-- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
-- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
-- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
-- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
-- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
-- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
--
-- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
-+ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
-+
-+ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
-+ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
-+
-+ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
-+ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
-+ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
-+ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
-+ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
-+ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
-+ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
-+ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
-+ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
-+
-+ sysnet_dns_name_resolve(apcupsd_cgi_script_t)
- ')
-diff --git a/apm.fc b/apm.fc
-index ce27d2fb3..b2ba16a04 100644
---- a/apm.fc
-+++ b/apm.fc
-@@ -1,3 +1,4 @@
-+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
- /etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
-
- /usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
-@@ -7,6 +8,8 @@
- /usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
-
- /var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
-+/var/lock/subsys/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0)
-+/var/lock/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0)
-
- /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
-diff --git a/apm.if b/apm.if
-index 1a7a97e5c..2c7252a39 100644
---- a/apm.if
-+++ b/apm.if
-@@ -141,6 +141,30 @@ interface(`apm_stream_connect',`
-
- ########################################
- ##
-+## Execute apmd server in the apmd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apmd_systemctl',`
-+ gen_require(`
-+ type apmd_t;
-+ type apmd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 apmd_unit_file_t:file read_file_perms;
-+ allow $1 apmd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, apmd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an apm environment.
- ##
-@@ -163,9 +187,13 @@ interface(`apm_admin',`
- type apmd_tmp_t;
- ')
-
-- allow $1 apmd_t:process { ptrace signal_perms };
-+ allow $1 apmd_t:process { signal_perms };
- ps_process_pattern($1, apmd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 apmd_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, apmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apmd_initrc_exec_t system_r;
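Review bot: `apm_admin` gains the `deny_ptrace` gate like the other admin interfaces in this patch, but the visible part never calls the new `apmd_systemctl($1)` or adds `admin_pattern($1, apmd_unit_file_t)` and the matching `service` grant, even though `apmd_unit_file_t` and the `/usr/lib/systemd/system/apmd.*` label are introduced by this same patch; if those lines are not added further down (the interface continues past the hunk), an apm administrator cannot manage the unit the way the apcupsd, arpwatch, automount and avahi admins can. The braces in `allow $1 apmd_t:process { signal_perms };` are also unnecessary around a single macro and differ from the bare `signal_perms;` used in the sibling interfaces.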
-diff --git a/apm.te b/apm.te
-index 7fd431bcd..ffb0792b8 100644
---- a/apm.te
-+++ b/apm.te
-@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
- type apmd_var_run_t;
- files_pid_file(apmd_var_run_t)
-
-+type apmd_unit_file_t;
-+systemd_unit_file(apmd_unit_file_t)
-+
- ########################################
- #
- # Client local policy
- #
-
--allow apm_t self:capability { dac_override sys_admin };
-+allow apm_t self:capability { dac_read_search sys_admin sys_resource };
-
- kernel_read_system_state(apm_t)
-
-@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
-
- fs_getattr_xattr_fs(apm_t)
-
--term_use_all_terms(apm_t)
-+term_use_all_inherited_terms(apm_t)
-
- domain_use_interactive_fds(apm_t)
-
-@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
- # Server local policy
- #
-
--allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
--dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
-+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
-+dontaudit apmd_t self:capability { setuid dac_read_search sys_tty_config };
- allow apmd_t self:process { signal_perms getsession };
- allow apmd_t self:fifo_file rw_fifo_file_perms;
- allow apmd_t self:netlink_socket create_socket_perms;
-+allow apmd_t self:netlink_generic_socket create_socket_perms;
- allow apmd_t self:unix_stream_socket { accept listen };
-
- allow apmd_t apmd_lock_t:file manage_file_perms;
-@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
- kernel_rw_all_sysctls(apmd_t)
- kernel_read_system_state(apmd_t)
- kernel_write_proc_files(apmd_t)
-+kernel_request_load_module(apmd_t)
-
- dev_read_input(apmd_t)
- dev_read_mouse(apmd_t)
-@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
- fs_dontaudit_getattr_all_symlinks(apmd_t)
- fs_dontaudit_getattr_all_pipes(apmd_t)
- fs_dontaudit_getattr_all_sockets(apmd_t)
--
--selinux_search_fs(apmd_t)
-+fs_read_cgroup_files(apmd_t)
-
- corecmd_exec_all_executables(apmd_t)
-
-@@ -129,6 +133,9 @@ domain_dontaudit_list_all_domains_state(apmd_t)
- auth_use_nsswitch(apmd_t)
-
- init_domtrans_script(apmd_t)
-+init_read_utmp(apmd_t)
-+init_telinit(apmd_t)
-+init_dbus_chat(apmd_t)
-
- libs_exec_ld_so(apmd_t)
- libs_exec_lib_files(apmd_t)
-@@ -136,17 +143,16 @@ libs_exec_lib_files(apmd_t)
- logging_send_audit_msgs(apmd_t)
- logging_send_syslog_msg(apmd_t)
-
--miscfiles_read_localization(apmd_t)
- miscfiles_read_hwdata(apmd_t)
-
- modutils_domtrans_insmod(apmd_t)
- modutils_read_module_config(apmd_t)
-
--seutil_dontaudit_read_config(apmd_t)
-+seutil_sigchld_newrole(apmd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(apmd_t)
- userdom_dontaudit_search_user_home_dirs(apmd_t)
--userdom_dontaudit_search_user_home_content(apmd_t)
-+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
-
- optional_policy(`
- automount_domtrans(apmd_t)
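Review bot: The trailing `# Excessive?` appended to `userdom_dontaudit_search_user_home_content(apmd_t)` is an unresolved review question left in shipped policy; since a dontaudit only silences denials, either remove the rule or replace the comment with the reason it is kept, e.g. `# apmd event scripts stat user home content; dontaudit to keep the log quiet`. Moving `seutil_sigchld_newrole(apmd_t)` out of its `optional_policy` block looks safe as long as seutil is always built into this policy, but the hunk gives no reason for the move, so a one-line comment stating that would help the next reader.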
-@@ -206,11 +212,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(apmd_t)
-+ shutdown_domtrans(apmd_t)
- ')
-
- optional_policy(`
-- shutdown_domtrans(apmd_t)
-+ sssd_search_lib(apmd_t)
-+')
-+
-+optional_policy(`
-+ systemd_dbus_chat_logind(apmd_t)
-+')
-+
-+optional_policy(`
-+ systemd_start_power_services(apmd_t)
-+ systemd_status_power_services(apmd_t)
- ')
-
- optional_policy(`
-diff --git a/apt.if b/apt.if
-index cde81d248..2fe02018a 100644
---- a/apt.if
-+++ b/apt.if
-@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
-
- files_search_var($1)
- allow $1 apt_var_cache_t:dir list_dir_perms;
-- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
-+ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
- ')
-
-diff --git a/apt.te b/apt.te
-index efa853059..68f2e3676 100644
---- a/apt.te
-+++ b/apt.te
-@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
- # Local policy
- #
-
--allow apt_t self:capability { chown dac_override fowner fsetid };
-+allow apt_t self:capability { chown dac_read_search fowner fsetid };
- allow apt_t self:process { signal setpgid fork };
- allow apt_t self:fd use;
- allow apt_t self:fifo_file rw_fifo_file_perms;
-@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
- corecmd_exec_bin(apt_t)
- corecmd_exec_shell(apt_t)
-
--corenet_all_recvfrom_unlabeled(apt_t)
- corenet_all_recvfrom_netlabel(apt_t)
- corenet_tcp_sendrecv_generic_if(apt_t)
- corenet_tcp_sendrecv_generic_node(apt_t)
-@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
- domain_use_interactive_fds(apt_t)
-
- files_exec_usr_files(apt_t)
--files_read_etc_files(apt_t)
- files_read_etc_runtime_files(apt_t)
-
- fs_getattr_all_fs(apt_t)
-
- term_create_pty(apt_t, apt_devpts_t)
- term_list_ptys(apt_t)
--term_use_all_terms(apt_t)
-+term_use_all_inherited_terms(apt_t)
-
- libs_exec_ld_so(apt_t)
- libs_exec_lib_files(apt_t)
-
- logging_send_syslog_msg(apt_t)
-
--miscfiles_read_localization(apt_t)
--
- seutil_use_newrole_fds(apt_t)
-
- sysnet_read_config(apt_t)
-
--userdom_use_user_terminals(apt_t)
-+userdom_use_inherited_user_terminals(apt_t)
-
- optional_policy(`
- backup_manage_store_files(apt_t)
-diff --git a/arpwatch.fc b/arpwatch.fc
-index 9ca0d0fb8..9a1a61f82 100644
---- a/arpwatch.fc
-+++ b/arpwatch.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
-+
- /usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
-
- /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
-diff --git a/arpwatch.if b/arpwatch.if
-index 50c9b9c87..533a555a2 100644
---- a/arpwatch.if
-+++ b/arpwatch.if
-@@ -119,6 +119,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
-
- ########################################
- ##
-+## Execute arpwatch server in the arpwatch domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`arpwatch_systemctl',`
-+ gen_require(`
-+ type arpwatch_t;
-+ type arpwatch_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 arpwatch_unit_file_t:file read_file_perms;
-+ allow $1 arpwatch_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, arpwatch_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an arpwatch environment.
- ##
-@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
- gen_require(`
- type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
- type arpwatch_data_t, arpwatch_var_run_t;
-+ type arpwatch_unit_file_t;
- ')
-
-- allow $1 arpwatch_t:process { ptrace signal_perms };
-+ allow $1 arpwatch_t:process signal_perms;
- ps_process_pattern($1, arpwatch_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 arpwatch_t:process ptrace;
-+ ')
-+
- arpwatch_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
-@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
-
- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
-+
-+ arpwatch_systemctl($1)
-+ admin_pattern($1, arpwatch_unit_file_t)
-+ allow $1 arpwatch_unit_file_t:service all_service_perms;
- ')
-diff --git a/arpwatch.te b/arpwatch.te
-index 2d7bf345b..bb5b35fe4 100644
---- a/arpwatch.te
-+++ b/arpwatch.te
-@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
- type arpwatch_var_run_t;
- files_pid_file(arpwatch_var_run_t)
-
-+type arpwatch_unit_file_t;
-+systemd_unit_file(arpwatch_unit_file_t)
-+
- ########################################
- #
- # Local policy
-@@ -31,8 +34,10 @@ dontaudit arpwatch_t self:capability sys_tty_config;
- allow arpwatch_t self:process signal_perms;
- allow arpwatch_t self:unix_stream_socket { accept listen };
- allow arpwatch_t self:tcp_socket { accept listen };
--allow arpwatch_t self:packet_socket create_socket_perms;
-+allow arpwatch_t self:packet_socket { create_socket_perms map };
- allow arpwatch_t self:socket create_socket_perms;
-+allow arpwatch_t self:netlink_socket create_socket_perms;
-+allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
-
- manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
- manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -45,13 +50,26 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
- manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
- files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
-
--kernel_read_kernel_sysctls(arpwatch_t)
- kernel_read_network_state(arpwatch_t)
-+# meminfo
- kernel_read_system_state(arpwatch_t)
-+kernel_read_kernel_sysctls(arpwatch_t)
-+kernel_read_proc_symlinks(arpwatch_t)
- kernel_request_load_module(arpwatch_t)
-
-+corenet_all_recvfrom_netlabel(arpwatch_t)
-+corenet_tcp_sendrecv_generic_if(arpwatch_t)
-+corenet_udp_sendrecv_generic_if(arpwatch_t)
-+corenet_raw_sendrecv_generic_if(arpwatch_t)
-+corenet_tcp_sendrecv_generic_node(arpwatch_t)
-+corenet_udp_sendrecv_generic_node(arpwatch_t)
-+corenet_raw_sendrecv_generic_node(arpwatch_t)
-+corenet_tcp_sendrecv_all_ports(arpwatch_t)
-+corenet_udp_sendrecv_all_ports(arpwatch_t)
-+
- dev_read_sysfs(arpwatch_t)
- dev_read_usbmon_dev(arpwatch_t)
-+dev_map_usbmon_dev(arpwatch_t)
- dev_rw_generic_usb_dev(arpwatch_t)
-
- fs_getattr_all_fs(arpwatch_t)
-@@ -59,15 +77,12 @@ fs_search_auto_mountpoints(arpwatch_t)
-
- domain_use_interactive_fds(arpwatch_t)
-
--files_read_usr_files(arpwatch_t)
- files_search_var_lib(arpwatch_t)
-
- auth_use_nsswitch(arpwatch_t)
-
- logging_send_syslog_msg(arpwatch_t)
-
--miscfiles_read_localization(arpwatch_t)
--
- userdom_dontaudit_search_user_home_dirs(arpwatch_t)
- userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
-
-diff --git a/asterisk.if b/asterisk.if
-index 2077053ea..198a02ab4 100644
---- a/asterisk.if
-+++ b/asterisk.if
-@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
- type asterisk_var_lib_t, asterisk_initrc_exec_t;
- ')
-
-- allow $1 asterisk_t:process { ptrace signal_perms };
-+ allow $1 asterisk_t:process signal_perms;
- ps_process_pattern($1, asterisk_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 asterisk_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 asterisk_initrc_exec_t system_r;
-diff --git a/asterisk.te b/asterisk.te
-index 7e4135022..a0ff3fc8f 100644
---- a/asterisk.te
-+++ b/asterisk.te
-@@ -19,7 +19,7 @@ type asterisk_log_t;
- logging_log_file(asterisk_log_t)
-
- type asterisk_spool_t;
--files_type(asterisk_spool_t)
-+files_spool_file(asterisk_spool_t)
-
- type asterisk_tmp_t;
- files_tmp_file(asterisk_tmp_t)
-@@ -39,7 +39,7 @@ init_daemon_run_dir(asterisk_var_run_t, "asterisk")
- # Local policy
- #
-
--allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
-+allow asterisk_t self:capability { dac_read_search chown setgid setuid sys_nice net_admin };
- dontaudit asterisk_t self:capability { sys_module sys_tty_config };
- allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
- allow asterisk_t self:fifo_file rw_fifo_file_perms;
-@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
-
- manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
-
-+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
- manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
- manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
- manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
--files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
--
-+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
- can_exec(asterisk_t, asterisk_exec_t)
-
- kernel_read_kernel_sysctls(asterisk_t)
-@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
- corecmd_exec_bin(asterisk_t)
- corecmd_exec_shell(asterisk_t)
-
--corenet_all_recvfrom_unlabeled(asterisk_t)
- corenet_all_recvfrom_netlabel(asterisk_t)
- corenet_tcp_sendrecv_generic_if(asterisk_t)
- corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
-
- corenet_sendrecv_sip_client_packets(asterisk_t)
- corenet_tcp_connect_sip_port(asterisk_t)
-+corenet_tcp_connect_http_port(asterisk_t)
-
- dev_rw_generic_usb_dev(asterisk_t)
- dev_read_sysfs(asterisk_t)
-@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
-
- domain_use_interactive_fds(asterisk_t)
-
--files_read_usr_files(asterisk_t)
- files_search_spool(asterisk_t)
- files_dontaudit_search_home(asterisk_t)
-
-@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
- logging_search_logs(asterisk_t)
- logging_send_syslog_msg(asterisk_t)
-
--miscfiles_read_localization(asterisk_t)
--
- userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
- userdom_dontaudit_search_user_home_dirs(asterisk_t)
-
-diff --git a/authconfig.fc b/authconfig.fc
-new file mode 100644
-index 000000000..4579cfe17
---- /dev/null
-+++ b/authconfig.fc
-@@ -0,0 +1,3 @@
-+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
-+
-+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
-diff --git a/authconfig.if b/authconfig.if
-new file mode 100644
-index 000000000..316c324f2
---- /dev/null
-+++ b/authconfig.if
-@@ -0,0 +1,127 @@
-+
-+## policy for authconfig
-+
-+########################################
-+##
-+## Execute TEMPLATE in the authconfig domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`authconfig_domtrans',`
-+ gen_require(`
-+ type authconfig_t, authconfig_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
-+')
-+
-+########################################
-+##
-+## Search authconfig lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_search_lib',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ allow $1 authconfig_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read authconfig lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_read_lib_files',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage authconfig lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_manage_lib_files',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage authconfig lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_manage_lib_dirs',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an authconfig environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_admin',`
-+ gen_require(`
-+ type authconfig_t;
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ allow $1 authconfig_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, authconfig_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, authconfig_var_lib_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
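Review bot: `authconfig_admin` grants `ptrace` unconditionally at `allow $1 authconfig_t:process { ptrace signal_perms };`, whereas every other admin interface touched by this patch gates ptrace behind the `deny_ptrace` tunable; it should follow the same pattern (below). The header of `authconfig_domtrans`, `Execute TEMPLATE in the authconfig domin.`, is a template leftover and misspells domain — `## Execute authconfig in the authconfig domain.` That interface also assigns no role for `authconfig_t` (authconfig.te only adds it to `system_r`), so a confined user domain calling it will be denied at the transition unless the caller adds a `role` line; the interface doc should say so.
```m4
	allow $1 authconfig_t:process signal_perms;
	ps_process_pattern($1, authconfig_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 authconfig_t:process ptrace;
	')
```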
-diff --git a/authconfig.te b/authconfig.te
-new file mode 100644
-index 000000000..362a049e9
---- /dev/null
-+++ b/authconfig.te
-@@ -0,0 +1,33 @@
-+policy_module(authconfig, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type authconfig_t;
-+type authconfig_exec_t;
-+application_domain(authconfig_t, authconfig_exec_t)
-+role system_r types authconfig_t;
-+
-+type authconfig_var_lib_t;
-+files_type(authconfig_var_lib_t)
-+
-+########################################
-+#
-+# authconfig local policy
-+#
-+allow authconfig_t self:fifo_file rw_fifo_file_perms;
-+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
-+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
-+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
-+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
-+
-+domain_use_interactive_fds(authconfig_t)
-+domain_named_filetrans(authconfig_t)
-+
-+init_domtrans_script(authconfig_t)
-+
-+unconfined_domain_noaudit(authconfig_t)
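Review bot: `unconfined_domain_noaudit(authconfig_t)` on the last line makes the domain effectively unconfined, so the manage and filetrans rules for `authconfig_var_lib_t` above it add nothing for enforcement, and `authconfig_t` becomes a privilege boundary: any domain that reaches `authconfig_exec_t` through `authconfig_domtrans` ends up with unconfined access. That should be stated at the top of the local-policy section, e.g. `# authconfig_t is unconfined (see unconfined_domain_noaudit below); the rules above only document intent, so keep callers of authconfig_domtrans to trusted domains.` It is also worth confirming that `unconfined_domain_noaudit` is available unconditionally in this policy build; if the unconfined module can be absent, the call belongs inside an `optional_policy` block.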
-diff --git a/automount.fc b/automount.fc
-index 92adb37e1..0a2ffc62d 100644
---- a/automount.fc
-+++ b/automount.fc
-@@ -1,6 +1,8 @@
- /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
- /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
-+
- /usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
-
- /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
-diff --git a/automount.if b/automount.if
-index f24e36960..4484a98da 100644
---- a/automount.if
-+++ b/automount.if
-@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
- ##
- ##
- #
--#
- interface(`automount_signal',`
- gen_require(`
- type automount_t;
-@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
-
- ########################################
- ##
-+## Allow domain to search of automount temporary
-+## directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`automount_search_tmp_dirs',`
-+ gen_require(`
-+ type automount_tmp_t;
-+ ')
-+
-+ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get
- ## attributes of automount temporary
- ## directories.
-@@ -134,6 +152,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
-
- ########################################
- ##
-+## Execute automount server in the automount domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`automount_systemctl',`
-+ gen_require(`
-+ type automount_t;
-+ type automount_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 automount_unit_file_t:file read_file_perms;
-+ allow $1 automount_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, automount_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an automount environment.
- ##
-@@ -153,12 +195,16 @@ interface(`automount_admin',`
- gen_require(`
- type automount_t, automount_lock_t, automount_tmp_t;
- type automount_var_run_t, automount_initrc_exec_t;
-- type automount_keytab_t;
-+ type automount_unit_file_t, automount_keytab_t;
- ')
-
-- allow $1 automount_t:process { ptrace signal_perms };
-+ allow $1 automount_t:process signal_perms;
- ps_process_pattern($1, automount_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 automount_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, automount_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 automount_initrc_exec_t system_r;
-@@ -175,4 +221,8 @@ interface(`automount_admin',`
-
- files_list_pids($1)
- admin_pattern($1, automount_var_run_t)
-+
-+ automount_systemctl($1)
-+ admin_pattern($1, automount_unit_file_t)
-+ allow $1 automount_unit_file_t:service all_service_perms;
- ')
-diff --git a/automount.te b/automount.te
-index 27d2f400b..bc3619c20 100644
---- a/automount.te
-+++ b/automount.te
-@@ -22,6 +22,9 @@ type automount_tmp_t;
- files_tmp_file(automount_tmp_t)
- files_mountpoint(automount_tmp_t)
-
-+type automount_unit_file_t;
-+systemd_unit_file(automount_unit_file_t)
-+
- type automount_var_run_t;
- files_pid_file(automount_var_run_t)
-
-@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
- # Local policy
- #
-
--allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
-+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search sys_admin };
-+allow automount_t self:capability2 block_suspend;
- dontaudit automount_t self:capability sys_tty_config;
- allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
- allow automount_t self:fifo_file rw_fifo_file_perms;
-@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
- corecmd_exec_bin(automount_t)
- corecmd_exec_shell(automount_t)
-
--corenet_all_recvfrom_unlabeled(automount_t)
- corenet_all_recvfrom_netlabel(automount_t)
- corenet_tcp_sendrecv_generic_if(automount_t)
- corenet_udp_sendrecv_generic_if(automount_t)
-@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
-
- files_dontaudit_write_var_dirs(automount_t)
- files_getattr_all_dirs(automount_t)
-+files_getattr_all_files(automount_t)
- files_getattr_default_dirs(automount_t)
- files_getattr_home_dir(automount_t)
- files_getattr_isid_type_dirs(automount_t)
-@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
- files_mounton_all_mountpoints(automount_t)
- files_mounton_mnt(automount_t)
- files_read_etc_runtime_files(automount_t)
--files_read_usr_files(automount_t)
- files_search_boot(automount_t)
- files_search_all(automount_t)
- files_unmount_all_file_type_fs(automount_t)
-@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
- fs_mount_all_fs(automount_t)
- fs_mount_autofs(automount_t)
- fs_read_nfs_files(automount_t)
-+fs_read_nfs_symlinks(automount_t)
- fs_search_all(automount_t)
- fs_search_auto_mountpoints(automount_t)
- fs_unmount_all_fs(automount_t)
-@@ -135,15 +139,19 @@ auth_use_nsswitch(automount_t)
- logging_send_syslog_msg(automount_t)
- logging_search_logs(automount_t)
-
--miscfiles_read_localization(automount_t)
- miscfiles_read_generic_certs(automount_t)
-
--mount_domtrans(automount_t)
--mount_signal(automount_t)
--
- userdom_dontaudit_use_unpriv_user_fds(automount_t)
-
- optional_policy(`
-+ # Run mount in the mount_t domain.
-+ mount_domtrans(automount_t)
-+ mount_domtrans_showmount(automount_t)
-+ mount_signal(automount_t)
-+ mount_rw_pid_files(automount_t)
-+')
-+
-+optional_policy(`
- fstools_domtrans(automount_t)
- ')
-
-@@ -166,3 +174,8 @@ optional_policy(`
- optional_policy(`
- udev_read_db(automount_t)
- ')
-+
-+tunable_policy(`mount_anyfile',`
-+ files_mounton_non_security(automount_t)
-+')
-+
-diff --git a/avahi.fc b/avahi.fc
-index e9fe2cac1..4c2d0769e 100644
---- a/avahi.fc
-+++ b/avahi.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
-+
- /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
-diff --git a/avahi.if b/avahi.if
-index 9078c3d85..2f6b2503e 100644
---- a/avahi.if
-+++ b/avahi.if
-@@ -211,6 +211,30 @@ interface(`avahi_dontaudit_search_pid',`
-
- ########################################
- ##
-+## Execute avahi server in the avahi domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`avahi_systemctl',`
-+ gen_require(`
-+ type avahi_t;
-+ type avahi_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 avahi_unit_file_t:file read_file_perms;
-+ allow $1 avahi_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, avahi_t)
-+')
-+
-+########################################
-+##
- ## Create specified objects in generic
- ## pid directories with the avahi pid file type.
- ##
-@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
- interface(`avahi_admin',`
- gen_require(`
- type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
-+ type avahi_unit_file_t;
- type avahi_var_lib_t;
- ')
-
-- allow $1 avahi_t:process { ptrace signal_perms };
-+ allow $1 avahi_t:process signal_perms;
- ps_process_pattern($1, avahi_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 avahi_t:process ptrace;
-+ ')
-+
- avahi_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 avahi_initrc_exec_t system_r;
-@@ -274,4 +303,8 @@ interface(`avahi_admin',`
-
- files_search_var_lib($1)
- admin_pattern($1, avahi_var_lib_t)
-+
-+ avahi_systemctl($1)
-+ admin_pattern($1, avahi_unit_file_t)
-+ allow $1 avahi_unit_file_t:service all_service_perms;
- ')
-diff --git a/avahi.te b/avahi.te
-index b8355b32f..51ce1b60f 100644
---- a/avahi.te
-+++ b/avahi.te
-@@ -13,17 +13,21 @@ type avahi_initrc_exec_t;
- init_script_file(avahi_initrc_exec_t)
-
- type avahi_var_lib_t;
--files_pid_file(avahi_var_lib_t)
-+files_type(avahi_var_lib_t)
-
- type avahi_var_run_t;
- files_pid_file(avahi_var_run_t)
-+init_sock_file(avahi_var_run_t)
-+
-+type avahi_unit_file_t;
-+systemd_unit_file(avahi_unit_file_t)
-
- ########################################
- #
- # Local policy
- #
-
--allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
-+allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
- dontaudit avahi_t self:capability sys_tty_config;
- allow avahi_t self:process { setrlimit signal_perms getcap setcap };
- allow avahi_t self:fifo_file rw_fifo_file_perms;
-@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
- corecmd_exec_bin(avahi_t)
- corecmd_exec_shell(avahi_t)
-
--corenet_all_recvfrom_unlabeled(avahi_t)
- corenet_all_recvfrom_netlabel(avahi_t)
- corenet_tcp_sendrecv_generic_if(avahi_t)
- corenet_udp_sendrecv_generic_if(avahi_t)
-@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
- fs_list_inotifyfs(avahi_t)
-
- domain_use_interactive_fds(avahi_t)
-+domain_dontaudit_signull_all_domains(avahi_t)
-
- files_read_etc_runtime_files(avahi_t)
--files_read_usr_files(avahi_t)
-
- auth_use_nsswitch(avahi_t)
-
-@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
-
- logging_send_syslog_msg(avahi_t)
-
--miscfiles_read_localization(avahi_t)
- miscfiles_read_generic_certs(avahi_t)
-
- sysnet_domtrans_ifconfig(avahi_t)
- sysnet_manage_config(avahi_t)
- sysnet_etc_filetrans_config(avahi_t)
-
-+systemd_login_signull(avahi_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(avahi_t)
- userdom_dontaudit_search_user_home_dirs(avahi_t)
-
-diff --git a/awstats.fc b/awstats.fc
-index 11e6d5ffe..73b4ea47c 100644
---- a/awstats.fc
-+++ b/awstats.fc
-@@ -1,5 +1,5 @@
- /usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
--/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
--/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
-+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0)
-+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0)
-
- /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
-diff --git a/awstats.te b/awstats.te
-index c1b16c392..ffbf2cb8f 100644
---- a/awstats.te
-+++ b/awstats.te
-@@ -26,6 +26,7 @@ type awstats_var_lib_t;
- files_type(awstats_var_lib_t)
-
- apache_content_template(awstats)
-+apache_content_alias_template(awstats, awstats)
-
- ########################################
- #
-@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
-
- manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
-
--allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
-+allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms;
-
--can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
-+can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
-
- kernel_dontaudit_read_system_state(awstats_t)
-
-@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t)
- dev_read_urand(awstats_t)
-
- files_dontaudit_search_all_mountpoints(awstats_t)
--files_read_etc_files(awstats_t)
--files_read_usr_files(awstats_t)
-
- fs_list_inotifyfs(awstats_t)
-
-@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t)
-
- logging_read_generic_logs(awstats_t)
-
--miscfiles_read_localization(awstats_t)
--
- sysnet_dns_name_resolve(awstats_t)
-
- tunable_policy(`awstats_purge_apache_log_files',`
-@@ -90,9 +87,13 @@ optional_policy(`
- # CGI local policy
- #
-
--allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
-+apache_read_log(awstats_script_t)
-+
-+manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
-
--read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
--files_search_var_lib(httpd_awstats_script_t)
-+allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
-
--apache_read_log(httpd_awstats_script_t)
-+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
-+files_search_var_lib(awstats_script_t)
-diff --git a/backup.te b/backup.te
-index 7811450b6..c9da8d3d0 100644
---- a/backup.te
-+++ b/backup.te
-@@ -21,7 +21,7 @@ files_type(backup_store_t)
- # Local policy
- #
-
--allow backup_t self:capability dac_override;
-+allow backup_t self:capability { dac_read_search };
- allow backup_t self:process signal;
- allow backup_t self:fifo_file rw_fifo_file_perms;
- allow backup_t self:tcp_socket create_socket_perms;
-@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
- corecmd_exec_bin(backup_t)
- corecmd_exec_shell(backup_t)
-
--corenet_all_recvfrom_unlabeled(backup_t)
- corenet_all_recvfrom_netlabel(backup_t)
- corenet_tcp_sendrecv_generic_if(backup_t)
- corenet_tcp_sendrecv_generic_node(backup_t)
-@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
-
- sysnet_read_config(backup_t)
-
--userdom_use_user_terminals(backup_t)
-+userdom_use_inherited_user_terminals(backup_t)
-
- optional_policy(`
- cron_system_entry(backup_t, backup_exec_t)
-diff --git a/bacula.fc b/bacula.fc
-index 27ec3d519..65aa71bf6 100644
---- a/bacula.fc
-+++ b/bacula.fc
-@@ -8,6 +8,8 @@
- /usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
- /usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
-
-+/var/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0)
-+
- /var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0)
-
- /var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0)
-diff --git a/bacula.if b/bacula.if
-index dcd774ee4..c240ffaf6 100644
---- a/bacula.if
-+++ b/bacula.if
-@@ -69,6 +69,7 @@ interface(`bacula_admin',`
- type bacula_t, bacula_etc_t, bacula_log_t;
- type bacula_spool_t, bacula_var_lib_t;
- type bacula_var_run_t, bacula_initrc_exec_t;
-+ attribute_role bacula_admin_roles;
- ')
-
- allow $1 bacula_t:process { ptrace signal_perms };
-diff --git a/bacula.te b/bacula.te
-index f16b00008..db82cfb6a 100644
---- a/bacula.te
-+++ b/bacula.te
-@@ -27,6 +27,9 @@ type bacula_store_t;
- files_type(bacula_store_t)
- files_mountpoint(bacula_store_t)
-
-+type bacula_tmp_t;
-+files_tmp_file(bacula_tmp_t)
-+
- type bacula_var_lib_t;
- files_type(bacula_var_lib_t)
-
-@@ -38,21 +41,30 @@ type bacula_admin_exec_t;
- application_domain(bacula_admin_t, bacula_admin_exec_t)
- role bacula_admin_roles types bacula_admin_t;
-
-+type bacula_unconfined_script_exec_t;
-+application_executable_file(bacula_unconfined_script_exec_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
-+allow bacula_t self:capability { dac_read_search chown fowner fsetid setgid setuid};
- allow bacula_t self:process signal;
- allow bacula_t self:fifo_file rw_fifo_file_perms;
- allow bacula_t self:tcp_socket { accept listen };
-
- read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
-
-+manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
-+manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
-+files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file })
-+
-+manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
- append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
- create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
- setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
-+logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
-
- manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
- manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
-@@ -88,6 +100,10 @@ corenet_udp_bind_generic_node(bacula_t)
- corenet_sendrecv_generic_server_packets(bacula_t)
- corenet_udp_bind_generic_port(bacula_t)
-
-+
-+#TODO: check port labels for hplip a bacula
-+corenet_tcp_bind_bacula_port(bacula_t)
-+
- corenet_sendrecv_hplip_server_packets(bacula_t)
- corenet_tcp_bind_hplip_port(bacula_t)
- corenet_udp_bind_hplip_port(bacula_t)
-@@ -98,19 +114,30 @@ corenet_tcp_connect_all_ports(bacula_t)
- dev_getattr_all_blk_files(bacula_t)
- dev_getattr_all_chr_files(bacula_t)
-
-+files_getattr_all_pipes(bacula_t)
-+files_getattr_all_sockets(bacula_t)
-+
- files_dontaudit_getattr_all_sockets(bacula_t)
-+files_dontaudit_getattr_all_pipes(bacula_t)
- files_read_all_files(bacula_t)
- files_read_all_symlinks(bacula_t)
-
- fs_getattr_xattr_fs(bacula_t)
- fs_list_all(bacula_t)
-
-+storage_raw_read_fixed_disk(bacula_t)
-+storage_read_tape(bacula_t)
-+storage_write_tape(bacula_t)
-+
-+auth_use_nsswitch(bacula_t)
- auth_read_shadow(bacula_t)
-
- logging_send_syslog_msg(bacula_t)
-
- sysnet_dns_name_resolve(bacula_t)
-
-+userdom_home_manager(bacula_t)
-+
- optional_policy(`
- mysql_stream_connect(bacula_t)
- mysql_tcp_connect(bacula_t)
-@@ -125,6 +152,12 @@ optional_policy(`
- ldap_stream_connect(bacula_t)
- ')
-
-+optional_policy(`
-+ postgresql_tcp_connect(bacula_t)
-+ postgresql_stream_connect(bacula_t)
-+')
-+
-+
- ########################################
- #
- # Client local policy
-@@ -148,11 +181,32 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
-
- domain_use_interactive_fds(bacula_admin_t)
-
--files_read_etc_files(bacula_admin_t)
--
--miscfiles_read_localization(bacula_admin_t)
--
- sysnet_dns_name_resolve(bacula_admin_t)
-
- userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
- userdom_use_user_ptys(bacula_admin_t)
-+
-+########################################
-+#
-+# Unconfined script local policy
-+#
-+
-+optional_policy(`
-+ type bacula_unconfined_script_t;
-+ domain_type(bacula_unconfined_script_t)
-+
-+ domain_entry_file(bacula_unconfined_script_t, bacula_unconfined_script_exec_t)
-+ role system_r types bacula_unconfined_script_t;
-+
-+ allow bacula_t bacula_unconfined_script_t:process signal_perms;
-+
-+ domtrans_pattern(bacula_t, bacula_unconfined_script_exec_t, bacula_unconfined_script_t)
-+
-+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir search_dir_perms;
-+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms;
-+ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file ioctl;
-+
-+ optional_policy(`
-+ unconfined_domain(bacula_unconfined_script_t)
-+ ')
-+')
-diff --git a/bcfg2.fc b/bcfg2.fc
-index fb42e352b..8af0e14ce 100644
---- a/bcfg2.fc
-+++ b/bcfg2.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
-+
- /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
-
- /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
-diff --git a/bcfg2.if b/bcfg2.if
-index ec95d361e..186271b74 100644
---- a/bcfg2.if
-+++ b/bcfg2.if
-@@ -117,6 +117,32 @@ interface(`bcfg2_manage_lib_dirs',`
-
- ########################################
- ##
-+## Execute bcfg2 server in the bcfg2 domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bcfg2_systemctl',`
-+ gen_require(`
-+ type bcfg2_t;
-+ type bcfg2_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 bcfg2_unit_file_t:file read_file_perms;
-+ allow $1 bcfg2_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, bcfg2_t)
-+')
-+
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an bcfg2 environment.
- ##
-@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
- gen_require(`
- type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
- type bcfg2_var_run_t;
-+ type bcfg2_unit_file_t;
- ')
-
-- allow $1 bcfg2_t:process { ptrace signal_perms };
-+ allow $1 bcfg2_t:process { signal_perms };
- ps_process_pattern($1, bcfg2_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 bcfg2_t:process ptrace;
-+ ')
-+
- bcfg2_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 bcfg2_initrc_exec_t system_r;
-@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
-
- files_search_var_lib($1)
- admin_pattern($1, bcfg2_var_lib_t)
-+
-+ bcfg2_systemctl($1)
-+ admin_pattern($1, bcfg2_unit_file_t)
-+ allow $1 bcfg2_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/bcfg2.te b/bcfg2.te
-index c3fd7b148..e18959384 100644
---- a/bcfg2.te
-+++ b/bcfg2.te
-@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
- type bcfg2_var_lib_t;
- files_type(bcfg2_var_lib_t)
-
-+type bcfg2_unit_file_t;
-+systemd_unit_file(bcfg2_unit_file_t)
-+
- type bcfg2_var_run_t;
- files_pid_file(bcfg2_var_run_t)
-
-@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
-
- domain_use_interactive_fds(bcfg2_t)
-
--files_read_usr_files(bcfg2_t)
-
- auth_use_nsswitch(bcfg2_t)
-
- logging_send_syslog_msg(bcfg2_t)
--
--miscfiles_read_localization(bcfg2_t)
-diff --git a/bind.fc b/bind.fc
-index 2b9a3a10d..982ce9b71 100644
---- a/bind.fc
-+++ b/bind.fc
-@@ -1,54 +1,78 @@
--/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-
--/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
--/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
--/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
--/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
--/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
--/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
--/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
--/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
--/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
--/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
--/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
--/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+
-+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
-+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
-+/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
-
- /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
--/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
--/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
--/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
-+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
-+/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
-+/usr/sbin/named-pkcs11 -- gen_context(system_u:object_r:named_exec_t,s0)
-+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
- /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
-+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
-+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
-+/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0)
-
--/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
--/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-
--/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
-+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-
--/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-+ifdef(`distro_debian',`
-+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+')
-+
-+ifdef(`distro_gentoo',`
-+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-+')
-
--/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
--/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
--/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+ifdef(`distro_redhat',`
-+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-+/var/lib/softhsm(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
- /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
--/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
--/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
--/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
--/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
--/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
--/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
- /var/named/chroot/proc(/.*)? <>
--/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
--/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
--/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
--/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
--/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
-+/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
-+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
- /var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
--/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
-+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
- /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
--/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
--
--/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
--/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
--/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
--/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-+')
-diff --git a/bind.if b/bind.if
-index 531a8f244..3fcf18722 100644
---- a/bind.if
-+++ b/bind.if
-@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute bind server in the bind domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bind_systemctl',`
-+ gen_require(`
-+ type named_unit_file_t;
-+ type named_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 named_unit_file_t:file read_file_perms;
-+ allow $1 named_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, named_t)
-+')
-+
-+########################################
-+##
- ## Execute ndc in the ndc domain.
- ##
- ##
-@@ -169,6 +193,7 @@ interface(`bind_read_config',`
- type named_conf_t;
- ')
-
-+ allow $1 named_conf_t:dir list_dir_perms;
- read_files_pattern($1, named_conf_t, named_conf_t)
- ')
-
-@@ -212,6 +237,25 @@ interface(`bind_manage_config_dirs',`
-
- ########################################
- ##
-+## Create, read, write, and delete
-+## BIND configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bind_manage_config',`
-+ gen_require(`
-+ type named_conf_t;
-+ ')
-+
-+ manage_files_pattern($1, named_conf_t, named_conf_t)
-+')
-+
-+########################################
-+##
- ## Search bind cache directories.
- ##
- ##
-@@ -310,6 +354,47 @@ interface(`bind_read_zone',`
-
- ########################################
- ##
-+## Read BIND zone files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bind_read_log',`
-+ gen_require(`
-+ type named_zone_t;
-+ type named_log_t;
-+ ')
-+
-+ files_search_var($1)
-+ allow $1 named_zone_t:dir search_dir_perms;
-+ read_files_pattern($1, named_log_t, named_log_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## bind zone files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bind_manage_zone_dirs',`
-+ gen_require(`
-+ type named_zone_t;
-+ ')
-+
-+ files_search_var($1)
-+ allow $1 named_zone_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete
- ## bind zone files.
- ##
-@@ -344,6 +429,25 @@ interface(`bind_udp_chat_named',`
-
- ########################################
- ##
-+## Allow the domain to read bind state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bind_read_state',`
-+ gen_require(`
-+ type named_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, named_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an bind environment.
- ##
-@@ -364,11 +468,17 @@ interface(`bind_admin',`
- type named_t, named_tmp_t, named_log_t;
- type named_cache_t, named_zone_t, named_initrc_exec_t;
- type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
-- type named_keytab_t;
-+ type named_keytab_t, named_unit_file_t;
- ')
-
-- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { named_t ndc_t })
-+ allow $1 named_t:process signal_perms;
-+ ps_process_pattern($1, named_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 named_t:process ptrace;
-+ ')
-+
-+ bind_run_ndc($1, $2)
-
- init_labeled_script_domtrans($1, named_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -384,11 +494,15 @@ interface(`bind_admin',`
- files_list_etc($1)
- admin_pattern($1, { named_keytab_t named_conf_t })
-
-+ admin_pattern($1, named_keytab_t)
-+
- files_list_var($1)
- admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
-
- files_list_pids($1)
- admin_pattern($1, named_var_run_t)
-
-- bind_run_ndc($1, $2)
-+ admin_pattern($1, named_unit_file_t)
-+ bind_systemctl($1)
-+ allow $1 named_unit_file_t:service all_service_perms;
- ')
-diff --git a/bind.te b/bind.te
-index 124112346..6a704537e 100644
---- a/bind.te
-+++ b/bind.te
-@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
- init_system_domain(named_t, named_checkconf_exec_t)
-
- type named_conf_t;
--files_type(named_conf_t)
-+files_config_file(named_conf_t)
- files_mountpoint(named_conf_t)
-
- # for secondary zone files
-@@ -44,6 +44,9 @@ files_type(named_cache_t)
- type named_initrc_exec_t;
- init_script_file(named_initrc_exec_t)
-
-+type named_unit_file_t;
-+systemd_unit_file(named_unit_file_t)
-+
- type named_keytab_t;
- files_type(named_keytab_t)
-
-@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
- # Local policy
- #
-
--allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
-+allow named_t self:capability { chown dac_read_search dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };
- dontaudit named_t self:capability sys_tty_config;
-+allow named_t self:capability2 block_suspend;
- allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
- allow named_t self:fifo_file rw_fifo_file_perms;
- allow named_t self:unix_stream_socket { accept listen };
-@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms;
- read_files_pattern(named_t, named_conf_t, named_conf_t)
- read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
-
-+manage_dirs_pattern(named_t, named_cache_t, named_cache_t)
- manage_files_pattern(named_t, named_cache_t, named_cache_t)
- manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
-
- allow named_t named_keytab_t:file read_file_perms;
-
--append_files_pattern(named_t, named_log_t, named_log_t)
--create_files_pattern(named_t, named_log_t, named_log_t)
--setattr_files_pattern(named_t, named_log_t, named_log_t)
-+manage_files_pattern(named_t, named_log_t, named_log_t)
- logging_log_filetrans(named_t, named_log_t, file)
-
- manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
-@@ -112,10 +115,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
- kernel_read_kernel_sysctls(named_t)
- kernel_read_system_state(named_t)
- kernel_read_network_state(named_t)
-+kernel_read_net_sysctls(named_t)
-
- corecmd_search_bin(named_t)
-
--corenet_all_recvfrom_unlabeled(named_t)
- corenet_all_recvfrom_netlabel(named_t)
- corenet_tcp_sendrecv_generic_if(named_t)
- corenet_udp_sendrecv_generic_if(named_t)
-@@ -127,9 +130,15 @@ corenet_udp_bind_generic_node(named_t)
- corenet_sendrecv_all_server_packets(named_t)
- corenet_tcp_bind_dns_port(named_t)
- corenet_udp_bind_dns_port(named_t)
-+corenet_udp_bind_ipp_port(named_t)
-+corenet_udp_bind_rtsp_port(named_t)
-+corenet_udp_bind_dhcpc_port(named_t)
-+corenet_udp_bind_kerberos_port(named_t)
-+corenet_udp_bind_flash_port(named_t)
-+corenet_udp_bind_bgp_port(named_t)
- corenet_tcp_sendrecv_dns_port(named_t)
- corenet_udp_sendrecv_dns_port(named_t)
--
-+corenet_udp_bind_whois_port(named_t)
- corenet_tcp_bind_rndc_port(named_t)
- corenet_tcp_sendrecv_rndc_port(named_t)
-
-@@ -141,13 +150,18 @@ corenet_sendrecv_all_client_packets(named_t)
- corenet_tcp_connect_all_ports(named_t)
- corenet_tcp_sendrecv_all_ports(named_t)
-
-+corenet_tcp_bind_all_ephemeral_ports(named_t)
-+corenet_udp_bind_all_ephemeral_ports(named_t)
-+
- dev_read_sysfs(named_t)
- dev_read_rand(named_t)
- dev_read_urand(named_t)
-+dev_dontaudit_write_urand(named_t)
-
- domain_use_interactive_fds(named_t)
-
- files_read_etc_runtime_files(named_t)
-+files_mmap_usr_files(named_t)
-
- fs_getattr_all_fs(named_t)
- fs_search_auto_mountpoints(named_t)
-@@ -175,6 +189,19 @@ tunable_policy(`named_write_master_zones',`
- ')
-
- optional_policy(`
-+ cron_system_entry(named_t, named_exec_t)
-+')
-+
-+optional_policy(`
-+ # needed by FreeIPA with DNS support
-+ dirsrv_stream_connect(named_t)
-+')
-+
-+optional_policy(`
-+ dnssec_trigger_manage_pid_files(named_t)
-+')
-+
-+optional_policy(`
- dbus_system_domain(named_t, named_exec_t)
-
- init_dbus_chat_script(named_t)
-@@ -187,7 +214,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ipa_manage_lib(named_t)
-+')
-+
-+optional_policy(`
-+ ipsec_rw_inherited_pipes(named_t)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_named_content(named_t)
- kerberos_read_keytab(named_t)
-+ kerberos_read_host_rcache(named_t)
- kerberos_use(named_t)
- ')
-
-@@ -214,8 +251,9 @@ optional_policy(`
- # NDC local policy
- #
-
--allow ndc_t self:capability { dac_override net_admin };
--allow ndc_t self:process signal_perms;
-+allow ndc_t self:capability { dac_read_search net_admin };
-+allow ndc_t self:capability2 block_suspend;
-+allow ndc_t self:process { fork signal_perms };
- allow ndc_t self:fifo_file rw_fifo_file_perms;
- allow ndc_t self:unix_stream_socket { accept listen };
-
-@@ -229,10 +267,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
-
- allow ndc_t named_zone_t:dir search_dir_perms;
-
--kernel_read_kernel_sysctls(ndc_t)
- kernel_read_system_state(ndc_t)
-+kernel_read_kernel_sysctls(ndc_t)
-
--corenet_all_recvfrom_unlabeled(ndc_t)
- corenet_all_recvfrom_netlabel(ndc_t)
- corenet_tcp_sendrecv_generic_if(ndc_t)
- corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +279,9 @@ corenet_tcp_bind_generic_node(ndc_t)
- corenet_tcp_connect_rndc_port(ndc_t)
- corenet_sendrecv_rndc_client_packets(ndc_t)
-
-+dev_read_rand(ndc_t)
-+dev_read_urand(ndc_t)
-+
- domain_use_interactive_fds(ndc_t)
-
- files_search_pids(ndc_t)
-@@ -257,7 +297,7 @@ init_use_script_ptys(ndc_t)
-
- logging_send_syslog_msg(ndc_t)
-
--miscfiles_read_localization(ndc_t)
-+userdom_use_inherited_user_terminals(ndc_t)
-
- userdom_use_user_terminals(ndc_t)
-
-diff --git a/bird.te b/bird.te
-index 1d60c2730..f8bb70055 100644
---- a/bird.te
-+++ b/bird.te
-@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
- corenet_tcp_sendrecv_bgp_port(bird_t)
-
- # /etc/iproute2/rt_realms
--files_read_etc_files(bird_t)
-
- logging_send_syslog_msg(bird_t)
-
-diff --git a/bitlbee.fc b/bitlbee.fc
-index e9708d6cc..61362d088 100644
---- a/bitlbee.fc
-+++ b/bitlbee.fc
-@@ -7,7 +7,7 @@
-
- /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
-
--/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
-+/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0)
-
- /var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
- /var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
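Review bot: `/var/log/bip.*` drops the directory anchoring of the old `/var/log/bip(/.*)?`, so any path that merely begins with `/var/log/bip` (a sibling such as `/var/log/bipfoo`) now also gets `bitlbee_log_t`. If the intent is to label the bip directory plus rotated files, a tighter form is `/var/log/bip(/.*)?` together with `/var/log/bip\..*`; either way a one-line comment on why the rotated-name suffix is needed would stop the next maintainer from reverting it.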
-diff --git a/bitlbee.if b/bitlbee.if
-index e73fb799e..2badfc0d9 100644
---- a/bitlbee.if
-+++ b/bitlbee.if
-@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
- type bitlbee_log_t, bitlbee_tmp_t;
- ')
-
-- allow $1 bitlbee_t:process { ptrace signal_perms };
-+ allow $1 bitlbee_t:process signal_perms;
- ps_process_pattern($1, bitlbee_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 bitlbee_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitlbee_initrc_exec_t system_r;
-diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48b6..dbc347918 100644
---- a/bitlbee.te
-+++ b/bitlbee.te
-@@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t)
- # Local policy
- #
-
--allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
-+allow bitlbee_t self:capability { dac_read_search kill setgid setuid sys_nice };
- allow bitlbee_t self:process { setsched signal };
-+
- allow bitlbee_t self:fifo_file rw_fifo_file_perms;
--allow bitlbee_t self:tcp_socket { accept listen };
--allow bitlbee_t self:unix_stream_socket { accept listen };
-+allow bitlbee_t self:udp_socket create_socket_perms;
-+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
-+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
-+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
-
- allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
- allow bitlbee_t bitlbee_conf_t:file read_file_perms;
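Review bot: `allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };` lists two permission sets of which `create_stream_socket_perms` already covers everything in `connected_stream_socket_perms`, so the second is dead weight; `allow bitlbee_t self:tcp_socket create_stream_socket_perms;` says the same thing. The hunk also widens the old `{ accept listen }` to full socket creation and adds unconditional `udp_socket create_socket_perms` and `netlink_route_socket r_netlink_socket_perms`; a short comment on which feature needs UDP and routing-table reads would let a reviewer judge the scope.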
-@@ -45,22 +48,25 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
- manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
- append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
- create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
- setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-+logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
-
- manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
- manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
- files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
-
- manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
--files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
-+manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
-+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})
-
- manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
- manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
- manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
- files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-
--kernel_read_kernel_sysctls(bitlbee_t)
- kernel_read_system_state(bitlbee_t)
-+kernel_read_kernel_sysctls(bitlbee_t)
-
- corenet_all_recvfrom_unlabeled(bitlbee_t)
- corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -98,7 +104,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
-
- corenet_sendrecv_ircd_server_packets(bitlbee_t)
- corenet_tcp_bind_ircd_port(bitlbee_t)
-+corenet_tcp_bind_interwise_port(bitlbee_t)
- corenet_sendrecv_ircd_client_packets(bitlbee_t)
-+corenet_tcp_connect_interwise_port(bitlbee_t)
- corenet_tcp_connect_ircd_port(bitlbee_t)
- corenet_tcp_sendrecv_ircd_port(bitlbee_t)
-
-@@ -109,16 +117,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
- dev_read_rand(bitlbee_t)
- dev_read_urand(bitlbee_t)
-
--files_read_usr_files(bitlbee_t)
--
- libs_legacy_use_shared_libs(bitlbee_t)
-
- auth_use_nsswitch(bitlbee_t)
-
- logging_send_syslog_msg(bitlbee_t)
-
--miscfiles_read_localization(bitlbee_t)
-+optional_policy(`
-+ dbus_system_bus_client(bitlbee_t)
-+')
-
- optional_policy(`
- tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
- ')
-+
-diff --git a/blkmapd.fc b/blkmapd.fc
-new file mode 100644
-index 000000000..5e59fb414
---- /dev/null
-+++ b/blkmapd.fc
-@@ -0,0 +1,6 @@
-+
-+/etc/rc\.d/init\.d/blkmapd -- gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0)
-+
-+/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
-+
-+/var/run/blkmapd\.pid -- gen_context(system_u:object_r:blkmapd_var_run_t,s0)
-diff --git a/blkmapd.if b/blkmapd.if
-new file mode 100644
-index 000000000..76663796f
---- /dev/null
-+++ b/blkmapd.if
-@@ -0,0 +1,121 @@
-+
-+## The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
-+
-+########################################
-+##
-+## Execute blkmapd_exec_t in the blkmapd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`blkmapd_domtrans',`
-+ gen_require(`
-+ type blkmapd_t, blkmapd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
-+')
-+
-+######################################
-+##
-+## Execute blkmapd in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`blkmapd_exec',`
-+ gen_require(`
-+ type blkmapd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, blkmapd_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute blkmapd server in the blkmapd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`blkmapd_initrc_domtrans',`
-+ gen_require(`
-+ type blkmapd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
-+')
-+########################################
-+##
-+## Read blkmapd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`blkmapd_read_pid_files',`
-+ gen_require(`
-+ type blkmapd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an blkmapd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`blkmapd_admin',`
-+ gen_require(`
-+ type blkmapd_t;
-+ type blkmapd_initrc_exec_t;
-+ type blkmapd_var_run_t;
-+ ')
-+
-+ allow $1 blkmapd_t:process { signal_perms };
-+ ps_process_pattern($1, blkmapd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 blkmapd_t:process ptrace;
-+ ')
-+
-+ blkmapd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 blkmapd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_pids($1)
-+ admin_pattern($1, blkmapd_var_run_t)
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/blkmapd.te b/blkmapd.te
-new file mode 100644
-index 000000000..6cfb35592
---- /dev/null
-+++ b/blkmapd.te
-@@ -0,0 +1,44 @@
-+policy_module(blkmapd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type blkmapd_t;
-+type blkmapd_exec_t;
-+init_daemon_domain(blkmapd_t, blkmapd_exec_t)
-+
-+type blkmapd_initrc_exec_t;
-+init_script_file(blkmapd_initrc_exec_t)
-+
-+type blkmapd_var_run_t;
-+files_pid_file(blkmapd_var_run_t)
-+
-+
-+########################################
-+#
-+# blkmapd local policy
-+#
-+
-+allow blkmapd_t self:capability sys_rawio;
-+
-+manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t)
-+files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file)
-+
-+kernel_read_system_state(blkmapd_t)
-+
-+dev_list_sysfs(blkmapd_t)
-+
-+fs_list_rpc(blkmapd_t)
-+fs_rw_rpc_named_pipes(blkmapd_t)
-+
-+storage_raw_read_fixed_disk(blkmapd_t)
-+storage_raw_read_removable_device(blkmapd_t)
-+
-+
-+logging_send_syslog_msg(blkmapd_t)
-+
-+optional_policy(`
-+ rpc_read_nfs_state_data(blkmapd_t)
-+')
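Review bot: `allow blkmapd_t self:capability sys_rawio;` together with `storage_raw_read_fixed_disk(blkmapd_t)` and `storage_raw_read_removable_device(blkmapd_t)` gives a new daemon raw access to every block device with no comment explaining the need. The interface file in this patch describes blkmapd as doing device discovery for the pNFS block layout client, so state that where the rules are granted, e.g. `# pNFS block layout: device discovery reads raw block devices`, and confirm that `sys_rawio` is really required on top of the raw read interfaces, since that capability covers more than reading block devices. The double blank lines after `files_pid_file` and after `storage_raw_read_removable_device` are a style nit against the rest of the file.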
-diff --git a/blueman.fc b/blueman.fc
-index c295d2e01..4f84e9c14 100644
---- a/blueman.fc
-+++ b/blueman.fc
-@@ -1,3 +1,4 @@
-+
- /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
-
- /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
-diff --git a/blueman.if b/blueman.if
-index 16ec52526..1dd40595c 100644
---- a/blueman.if
-+++ b/blueman.if
-@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
-
- allow $1 blueman_t:dbus send_msg;
- allow blueman_t $1:dbus send_msg;
-+ ps_process_pattern(blueman_t, $1)
- ')
-
- ########################################
-diff --git a/blueman.te b/blueman.te
-index 3a5032e06..3facb7156 100644
---- a/blueman.te
-+++ b/blueman.te
-@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
-
- type blueman_t;
- type blueman_exec_t;
--dbus_system_domain(blueman_t, blueman_exec_t)
-+init_daemon_domain(blueman_t, blueman_exec_t)
-
- type blueman_var_lib_t;
- files_type(blueman_var_lib_t)
-@@ -15,13 +15,17 @@ files_type(blueman_var_lib_t)
- type blueman_var_run_t;
- files_pid_file(blueman_var_run_t)
-
-+type blueman_tmp_t;
-+files_tmp_file(blueman_tmp_t)
-+
- ########################################
- #
- # Local policy
- #
-
- allow blueman_t self:capability { net_admin sys_nice };
--allow blueman_t self:process { signal_perms setsched };
-+allow blueman_t self:process { execmem signal_perms setsched };
-+
- allow blueman_t self:fifo_file rw_fifo_file_perms;
-
- manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
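Review bot: `allow blueman_t self:process { execmem signal_perms setsched };` adds executable anonymous memory to a daemon that also holds `net_admin`, and the two following hunks add `exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)` and `dev_rwx_zero(blueman_t)`, so blueman can now execute from its tmp files and map /dev/zero writable and executable. None of the three rules carries a comment naming the component that needs it; if this is a requirement of the runtime blueman is built on, document it next to the rule, e.g. `# execmem / rwx zero: required by the runtime (TODO confirm which component)`, and consider whether the tmp exec rule can be dropped in favour of the var_lib type. Without such notes the rules read as blanket W+X grants.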
-@@ -32,7 +36,12 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
- manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
- files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-
--kernel_read_net_sysctls(blueman_t)
-+manage_dirs_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
-+manage_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
-+exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
-+files_tmp_filetrans(blueman_t, blueman_tmp_t, { file dir })
-+
-+kernel_rw_net_sysctls(blueman_t)
- kernel_read_system_state(blueman_t)
- kernel_request_load_module(blueman_t)
-
-@@ -41,29 +50,45 @@ corecmd_exec_bin(blueman_t)
- dev_read_rand(blueman_t)
- dev_read_urand(blueman_t)
- dev_rw_wireless(blueman_t)
-+dev_rwx_zero(blueman_t)
-
- domain_use_interactive_fds(blueman_t)
-
- files_list_tmp(blueman_t)
--files_read_usr_files(blueman_t)
-+files_dontaudit_write_all_mountpoints(blueman_t)
-
- auth_use_nsswitch(blueman_t)
-
- logging_send_syslog_msg(blueman_t)
-
--miscfiles_read_localization(blueman_t)
--
- sysnet_domtrans_ifconfig(blueman_t)
-+sysnet_dns_name_resolve(blueman_t)
-
- optional_policy(`
- avahi_domtrans(blueman_t)
- ')
-
- optional_policy(`
-+ bluetooth_read_config(blueman_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_domain(blueman_t, blueman_exec_t)
-+')
-+
-+optional_policy(`
- dnsmasq_domtrans(blueman_t)
- dnsmasq_read_pid_files(blueman_t)
- ')
-
- optional_policy(`
-+ gnome_search_gconf(blueman_t)
-+')
-+
-+optional_policy(`
- iptables_domtrans(blueman_t)
- ')
-+
-+optional_policy(`
-+ xserver_read_state_xdm(blueman_t)
-+')
-diff --git a/bluetooth.fc b/bluetooth.fc
-index 2b9c7f329..6ae8a62c9 100644
---- a/bluetooth.fc
-+++ b/bluetooth.fc
-@@ -5,10 +5,15 @@
- /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
-+
- /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
- /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
- /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
- /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
-+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
-+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
-+/usr/libexec/bluetooth/obexd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
-
- /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
- /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
-diff --git a/bluetooth.if b/bluetooth.if
-index c723a0ae0..1c29d21e7 100644
---- a/bluetooth.if
-+++ b/bluetooth.if
-@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
- domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
-
- ps_process_pattern($2, bluetooth_helper_t)
-- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
-+
-+ allow $2 bluetooth_helper_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 bluetooth_helper_t:process ptrace;
-+ ')
-
- allow $2 bluetooth_t:socket rw_socket_perms;
-
-@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
- allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
- allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
-+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
-+ bluetooth_stream_connect($2)
- stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
-- files_search_pids($2)
- ')
-
- #####################################
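Review bot: `stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)` is redundant on the line after the new `bluetooth_stream_connect($2)`, because that interface (visible further down in this file) already contains the identical pattern plus `files_search_pids`; drop the explicit line so the role interface has one source of truth. The new `manage_dirs_pattern`/`manage_files_pattern` on `bluetooth_helper_tmpfs_t` for `$2` are broad for a role interface, and a comment on what the helper keeps in tmpfs would justify them.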
-@@ -63,11 +70,13 @@ interface(`bluetooth_role',`
- interface(`bluetooth_stream_connect',`
- gen_require(`
- type bluetooth_t, bluetooth_var_run_t;
-+ type bluetooth_tmp_t;
- ')
-
- files_search_pids($1)
- allow $1 bluetooth_t:socket rw_socket_perms;
- stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
-+ stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
- ')
-
- ########################################
-@@ -130,6 +139,27 @@ interface(`bluetooth_dbus_chat',`
-
- ########################################
- ##
-+## dontaudit Send and receive messages from
-+## bluetooth over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`bluetooth_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type bluetooth_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 bluetooth_t:dbus send_msg;
-+ dontaudit bluetooth_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
- ##
- ##
-@@ -190,6 +220,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
-
- ########################################
- ##
-+## Execute bluetooth server in the bluetooth domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bluetooth_systemctl',`
-+ gen_require(`
-+ type bluetooth_t;
-+ type bluetooth_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 bluetooth_unit_file_t:file read_file_perms;
-+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, bluetooth_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an bluetooth environment.
- ##
-@@ -210,12 +264,16 @@ interface(`bluetooth_admin',`
- type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_var_lib_t, bluetooth_var_run_t;
- type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
-- type bluetooth_initrc_exec_t;
-+ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
- ')
-
-- allow $1 bluetooth_t:process { ptrace signal_perms };
-+ allow $1 bluetooth_t:process signal_perms;
- ps_process_pattern($1, bluetooth_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 bluetooth_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -235,4 +293,8 @@ interface(`bluetooth_admin',`
-
- files_list_pids($1)
- admin_pattern($1, bluetooth_var_run_t)
-+
-+ bluetooth_systemctl($1)
-+ admin_pattern($1, bluetooth_unit_file_t)
-+ allow $1 bluetooth_unit_file_t:service all_service_perms;
- ')
-diff --git a/bluetooth.te b/bluetooth.te
-index 851769e55..53e2283cb 100644
---- a/bluetooth.te
-+++ b/bluetooth.te
-@@ -10,6 +10,7 @@ attribute_role bluetooth_helper_roles;
- type bluetooth_t;
- type bluetooth_exec_t;
- init_daemon_domain(bluetooth_t, bluetooth_exec_t)
-+init_nnp_daemon_domain(bluetooth_t)
-
- type bluetooth_conf_t;
- files_config_file(bluetooth_conf_t)
-@@ -49,12 +50,15 @@ files_type(bluetooth_var_lib_t)
- type bluetooth_var_run_t;
- files_pid_file(bluetooth_var_run_t)
-
-+type bluetooth_unit_file_t;
-+systemd_unit_file(bluetooth_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
-+allow bluetooth_t self:capability { dac_read_search net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
- dontaudit bluetooth_t self:capability sys_tty_config;
- allow bluetooth_t self:process { getcap setcap getsched signal_perms };
- allow bluetooth_t self:fifo_file rw_fifo_file_perms;
-@@ -78,10 +82,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
-
- manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
- manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
--files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
-+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
-
- manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
- manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
-+allow bluetooth_t bluetooth_var_lib_t:file map;
- files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
-
- manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
-@@ -90,27 +96,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
-
- can_exec(bluetooth_t, bluetooth_helper_exec_t)
-
-+corecmd_exec_bin(bluetooth_t)
-+corecmd_exec_shell(bluetooth_t)
-+
- kernel_read_kernel_sysctls(bluetooth_t)
- kernel_read_system_state(bluetooth_t)
- kernel_read_network_state(bluetooth_t)
- kernel_request_load_module(bluetooth_t)
- kernel_search_debugfs(bluetooth_t)
-
--corecmd_exec_bin(bluetooth_t)
--corecmd_exec_shell(bluetooth_t)
--
--dev_read_sysfs(bluetooth_t)
-+corenet_all_recvfrom_netlabel(bluetooth_t)
-+corenet_tcp_sendrecv_generic_if(bluetooth_t)
-+corenet_udp_sendrecv_generic_if(bluetooth_t)
-+corenet_raw_sendrecv_generic_if(bluetooth_t)
-+corenet_tcp_sendrecv_generic_node(bluetooth_t)
-+corenet_udp_sendrecv_generic_node(bluetooth_t)
-+corenet_raw_sendrecv_generic_node(bluetooth_t)
-+corenet_tcp_sendrecv_all_ports(bluetooth_t)
-+corenet_udp_sendrecv_all_ports(bluetooth_t)
-+
-+dev_rw_sysfs(bluetooth_t)
- dev_rw_usbfs(bluetooth_t)
- dev_rw_generic_usb_dev(bluetooth_t)
- dev_read_urand(bluetooth_t)
- dev_rw_input_dev(bluetooth_t)
- dev_rw_wireless(bluetooth_t)
-+dev_rw_uhid_dev(bluetooth_t)
-
- domain_use_interactive_fds(bluetooth_t)
- domain_dontaudit_search_all_domains_state(bluetooth_t)
-
- files_read_etc_runtime_files(bluetooth_t)
--files_read_usr_files(bluetooth_t)
-
- fs_getattr_all_fs(bluetooth_t)
- fs_search_auto_mountpoints(bluetooth_t)
-@@ -122,7 +138,6 @@ auth_use_nsswitch(bluetooth_t)
-
- logging_send_syslog_msg(bluetooth_t)
-
--miscfiles_read_localization(bluetooth_t)
- miscfiles_read_fonts(bluetooth_t)
- miscfiles_read_hwdata(bluetooth_t)
-
-@@ -130,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
- userdom_dontaudit_use_user_terminals(bluetooth_t)
- userdom_dontaudit_search_user_home_dirs(bluetooth_t)
-
-+# machine-info
-+systemd_hostnamed_read_config(bluetooth_t)
-+systemd_dbus_chat_hostnamed(bluetooth_t)
-+
- optional_policy(`
- dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
-@@ -200,7 +219,6 @@ dev_read_urand(bluetooth_helper_t)
- domain_read_all_domains_state(bluetooth_helper_t)
-
- files_read_etc_runtime_files(bluetooth_helper_t)
--files_read_usr_files(bluetooth_helper_t)
- files_dontaudit_list_default(bluetooth_helper_t)
-
- term_dontaudit_use_all_ttys(bluetooth_helper_t)
-diff --git a/boinc.fc b/boinc.fc
-index 6d3ccad60..9c69f28ab 100644
---- a/boinc.fc
-+++ b/boinc.fc
-@@ -1,9 +1,15 @@
--/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-+/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
-+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-
--/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-+/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0)
-+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-
--/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
--/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
--/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
-
--/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
-+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-+/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+
-+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
-+/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
-diff --git a/boinc.if b/boinc.if
-index 02fefaaf7..308616e8d 100644
---- a/boinc.if
-+++ b/boinc.if
-@@ -1,9 +1,166 @@
--## Platform for computing using volunteered resources.
-+## policy for boinc
-
- ########################################
- ##
--## All of the rules required to
--## administrate an boinc environment.
-+## Execute a domain transition to run boinc.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`boinc_domtrans',`
-+ gen_require(`
-+ type boinc_t, boinc_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, boinc_exec_t, boinc_t)
-+')
-+
-+#######################################
-+##
-+## Execute boinc server in the boinc domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_initrc_domtrans',`
-+ gen_require(`
-+ type boinc_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
-+')
-+
-+#######################################
-+##
-+## Dontaudit getattr on boinc lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_dontaudit_getattr_lib',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ dontaudit $1 boinc_var_lib_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Search boinc lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_search_lib',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ allow $1 boinc_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read boinc lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_read_lib_files',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## boinc lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_manage_lib_files',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage boinc var_lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_manage_var_lib',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Execute boinc server in the boinc domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`boinc_systemctl',`
-+ gen_require(`
-+ type boinc_t;
-+ type boinc_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 boinc_unit_file_t:file read_file_perms;
-+ allow $1 boinc_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, boinc_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an boinc environment.
- ##
- ##
- ##
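Review bot: `boinc_domtrans` calls `domtrans_pattern($1, boinc_exec_t, boinc_t)` without the `corecmd_search_bin($1)` that the new `blkmapd_domtrans` in this same patch includes, so a caller without its own bin-directory search rights cannot reach the `/usr/bin/boinc` entry point; add `corecmd_search_bin($1)` before the pattern for consistency. `boinc_manage_lib_files` and `boinc_manage_var_lib` also overlap (the latter grants a superset of the former), which is fine if both have callers but deserves a line in each description saying which one new policy should prefer.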
-@@ -19,26 +176,32 @@
- #
- interface(`boinc_admin',`
- gen_require(`
--
-- type boinc_t, boinc_project_t, boinc_log_t;
-- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
-- type boinc_project_var_lib_t, boinc_project_tmp_t;
-+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
-+ type boinc_unit_file_t;
- ')
-
-- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { boinc_t boinc_project_t })
-+ allow $1 boinc_t:process signal_perms;
-+ ps_process_pattern($1, boinc_t)
-
-- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 boinc_t:process ptrace;
-+ ')
-+
-+ boinc_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
-
-- logging_search_logs($1)
-- admin_pattern($1, boinc_log_t)
-+ files_list_var_lib($1)
-+ admin_pattern($1, boinc_var_lib_t)
-
-- files_search_tmp($1)
-- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
-+ boinc_systemctl($1)
-+ admin_pattern($1, boinc_unit_file_t)
-
-- files_search_var_lib($1)
-- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
-+ allow $1 boinc_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
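Review bot: the rewritten `boinc_admin` no longer covers `boinc_project_t`, `boinc_log_t`, `boinc_tmp_t`, `boinc_project_tmp_t` or `boinc_project_var_lib_t`, although all of these types are still declared in the boinc.te hunk of this patch, so an administrator loses signal/ps rights on project processes and `admin_pattern` on logs and tmp. If that narrowing is deliberate it needs a note in the interface description; otherwise restore `ps_process_pattern($1, boinc_project_t)`, `logging_search_logs($1)` with `admin_pattern($1, boinc_log_t)`, and the tmp entries alongside the new var_lib and unit-file rules.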
-diff --git a/boinc.te b/boinc.te
-index 687d4c48d..7ee6d41fd 100644
---- a/boinc.te
-+++ b/boinc.te
-@@ -1,4 +1,4 @@
--policy_module(boinc, 1.1.1)
-+policy_module(boinc, 1.3.1)
-
- ########################################
- #
-@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
- ##
- gen_tunable(boinc_execmem, true)
-
--type boinc_t;
-+attribute boinc_domain;
-+
-+type boinc_t, boinc_domain;
- type boinc_exec_t;
- init_daemon_domain(boinc_t, boinc_exec_t)
-
-@@ -28,31 +30,71 @@ files_tmpfs_file(boinc_tmpfs_t)
- type boinc_var_lib_t;
- files_type(boinc_var_lib_t)
-
--type boinc_project_var_lib_t;
--files_type(boinc_project_var_lib_t)
--
- type boinc_log_t;
- logging_log_file(boinc_log_t)
-
-+type boinc_unit_file_t;
-+systemd_unit_file(boinc_unit_file_t)
-+
- type boinc_project_t;
- domain_type(boinc_project_t)
--domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
- role system_r types boinc_project_t;
-
- type boinc_project_tmp_t;
- files_tmp_file(boinc_project_tmp_t)
-
-+type boinc_project_var_lib_t;
-+files_type(boinc_project_var_lib_t)
-+
-+#######################################
-+#
-+# boinc domain local policy
-+#
-+
-+allow boinc_domain self:fifo_file rw_fifo_file_perms;
-+allow boinc_domain self:process signal;
-+allow boinc_domain self:sem create_sem_perms;
-+
-+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
-+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
-+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
-+
-+corecmd_exec_bin(boinc_domain)
-+corecmd_exec_shell(boinc_domain)
-+
-+dev_read_rand(boinc_domain)
-+dev_read_urand(boinc_domain)
-+dev_read_sysfs(boinc_domain)
-+dev_rw_xserver_misc(boinc_domain)
-+
-+domain_read_all_domains_state(boinc_domain)
-+
-+files_read_etc_runtime_files(boinc_domain)
-+
-+fs_getattr_all_fs(boinc_domain)
-+
-+miscfiles_read_fonts(boinc_domain)
-+
-+tunable_policy(`boinc_execmem',`
-+ allow boinc_domain self:process { execstack execmem };
-+')
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(boinc_domain)
-+')
-+
- ########################################
- #
--# Local policy
-+# boinc local policy
- #
-
- allow boinc_t self:process { setsched setpgid signull sigkill };
--allow boinc_t self:unix_stream_socket { accept listen };
--allow boinc_t self:tcp_socket { accept listen };
-+
-+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
-+allow boinc_t self:tcp_socket create_stream_socket_perms;
- allow boinc_t self:shm create_shm_perms;
--allow boinc_t self:fifo_file rw_fifo_file_perms;
--allow boinc_t self:sem create_sem_perms;
-+
-+can_exec(boinc_t, boinc_exec_t)
-
- manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
- manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
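Review bot: `domain_entry_file(boinc_project_t, boinc_project_var_lib_t)` is removed here, and the next hunk (which runs past the end of this view) also drops `domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)` while adding `exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)` and `allow boinc_t boinc_project_var_lib_t:file map;`, so the visible rules no longer show how anything enters `boinc_project_t`. Since the .fc hunk keeps `/var/lib/boinc/projects` and `/var/lib/boinc/slots` labelled `boinc_project_var_lib_t`, project content may now run in `boinc_t` with the client's network rights unless the transition is re-established elsewhere; a comment stating where that transition lives, or keeping the entry-file and domtrans rules, would close the gap. Separately, `domain_read_all_domains_state(boinc_domain)` and the `boinc_execmem` tunable (default true in the context above) now apply to every member of the attribute, which should be checked against whatever is later added to `boinc_domain`.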
-@@ -61,84 +103,63 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
- manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
- fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
-
--manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
--manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
--manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
--
--# entry files to the boinc_project_t domain
--manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
--manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+# this should be created by default by boinc
-+# we need this label for transition to boinc_project_t
-+# other boinc lib files will end up with boinc_var_lib_t
- filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
- filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-
--append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
--create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
--setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
--logging_log_filetrans(boinc_t, boinc_log_t, file)
-+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+allow boinc_t boinc_project_var_lib_t:file map;
-
--can_exec(boinc_t, boinc_var_lib_t)
--
--domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
-+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-+logging_log_filetrans(boinc_t, boinc_log_t, { file })
-
-+# needs read /proc/interrupts
- kernel_read_system_state(boinc_t)
-+kernel_read_network_state(boinc_t)
- kernel_search_vm_sysctl(boinc_t)
-
--corenet_all_recvfrom_unlabeled(boinc_t)
-+dev_getattr_mouse_dev(boinc_t)
-+dev_rw_dri(boinc_t)
-+
-+files_getattr_all_dirs(boinc_t)
-+files_getattr_all_files(boinc_t)
-+
- corenet_all_recvfrom_netlabel(boinc_t)
- corenet_tcp_sendrecv_generic_if(boinc_t)
-+corenet_udp_sendrecv_generic_if(boinc_t)
- corenet_tcp_sendrecv_generic_node(boinc_t)
-+corenet_udp_sendrecv_generic_node(boinc_t)
-+corenet_tcp_sendrecv_all_ports(boinc_t)
-+corenet_udp_sendrecv_all_ports(boinc_t)
- corenet_tcp_bind_generic_node(boinc_t)
--
--corenet_sendrecv_boinc_client_packets(boinc_t)
--corenet_sendrecv_boinc_server_packets(boinc_t)
-+corenet_udp_bind_generic_node(boinc_t)
- corenet_tcp_bind_boinc_port(boinc_t)
--corenet_tcp_connect_boinc_port(boinc_t)
--corenet_tcp_sendrecv_boinc_port(boinc_t)
--
--corenet_sendrecv_boinc_client_server_packets(boinc_t)
- corenet_tcp_bind_boinc_client_port(boinc_t)
--corenet_tcp_sendrecv_boinc_client_port(boinc_t)
--
--corenet_sendrecv_http_client_packets(boinc_t)
-+corenet_tcp_connect_boinc_port(boinc_t)
- corenet_tcp_connect_http_port(boinc_t)
--corenet_tcp_sendrecv_http_port(boinc_t)
--
--corenet_sendrecv_http_cache_client_packets(boinc_t)
- corenet_tcp_connect_http_cache_port(boinc_t)
--corenet_tcp_sendrecv_http_cache_port(boinc_t)
--
--corenet_sendrecv_squid_client_packets(boinc_t)
- corenet_tcp_connect_squid_port(boinc_t)
--corenet_tcp_sendrecv_squid_port(boinc_t)
--
--corecmd_exec_bin(boinc_t)
--corecmd_exec_shell(boinc_t)
--
--dev_read_rand(boinc_t)
--dev_read_urand(boinc_t)
--dev_read_sysfs(boinc_t)
--dev_rw_xserver_misc(boinc_t)
--
--domain_read_all_domains_state(boinc_t)
-
- files_dontaudit_getattr_boot_dirs(boinc_t)
--files_getattr_all_dirs(boinc_t)
--files_getattr_all_files(boinc_t)
--files_read_etc_files(boinc_t)
--files_read_etc_runtime_files(boinc_t)
--files_read_usr_files(boinc_t)
-
--fs_getattr_all_fs(boinc_t)
-+auth_use_nsswitch(boinc_t)
-
- term_getattr_all_ptys(boinc_t)
- term_getattr_unallocated_ttys(boinc_t)
-
- init_read_utmp(boinc_t)
-
-+libs_exec_lib_files(boinc_t)
-+
- logging_send_syslog_msg(boinc_t)
-
--miscfiles_read_fonts(boinc_t)
--miscfiles_read_localization(boinc_t)
-+modutils_dontaudit_exec_insmod(boinc_t)
-+
-+xserver_stream_connect(boinc_t)
-
- tunable_policy(`boinc_execmem',`
- allow boinc_t self:process { execstack execmem };
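Review bot: The two `filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, …)` rules only add a `type_transition`; for it to ever fire boinc_t also needs create/add_name on `boinc_var_lib_t` directories, and this hunk removes the `manage_dirs_pattern(boinc_t, boinc_var_lib_t, …)` that used to supply that while adding only `exec_files_pattern` in its place. Unless that access is granted elsewhere in the file, boinc_t can no longer create `slots`/`projects` and the comment `# this should be created by default by boinc` no longer describes the policy; either restore `create_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t)` or change the comment to say the directories are expected to pre-exist with the right label. The new `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` replace the per-port sendrecv rules removed below; bind and connect stay port-specific, so this is likely acceptable, but a one-line comment on what needed the widening would help. The `tunable_policy(`boinc_execmem'…` block at the end continues outside this hunk.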
-@@ -148,48 +169,69 @@ optional_policy(`
- mta_send_mail(boinc_t)
- ')
-
--optional_policy(`
-- sysnet_dns_name_resolve(boinc_t)
--')
--
- ########################################
- #
--# Project local policy
-+# boinc-projects local policy
- #
-
- allow boinc_project_t self:capability { setuid setgid };
--allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
-+
-+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
-+allow boinc_t boinc_project_t:process sigkill;
-+allow boinc_t boinc_project_t:process noatsecure;
-+
-+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
-+tunable_policy(`deny_ptrace',`',`
-+ allow boinc_project_t self:process ptrace;
-+')
-+
-+allow boinc_project_t self:process { execstack };
-
- manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
- manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
- manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
- files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
-
-+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
-+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
- manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
- manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
-
- allow boinc_project_t boinc_project_var_lib_t:file execmod;
--can_exec(boinc_project_t, boinc_project_var_lib_t)
-
- allow boinc_project_t boinc_t:shm rw_shm_perms;
--allow boinc_project_t boinc_tmpfs_t:file { read write };
-+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
-
- kernel_read_kernel_sysctls(boinc_project_t)
--kernel_read_network_state(boinc_project_t)
- kernel_search_vm_sysctl(boinc_project_t)
-+kernel_read_network_state(boinc_project_t)
-
--corenet_all_recvfrom_unlabeled(boinc_project_t)
--corenet_all_recvfrom_netlabel(boinc_project_t)
--corenet_tcp_sendrecv_generic_if(boinc_project_t)
--corenet_tcp_sendrecv_generic_node(boinc_project_t)
--corenet_tcp_bind_generic_node(boinc_project_t)
--
--corenet_sendrecv_boinc_client_packets(boinc_project_t)
- corenet_tcp_connect_boinc_port(boinc_project_t)
--corenet_tcp_sendrecv_boinc_port(boinc_project_t)
-+
-+dev_getattr_input_dev(boinc_t)
-+dev_getattr_mouse_dev(boinc_t)
-
- files_dontaudit_search_home(boinc_project_t)
-
-+term_getattr_ptmx(boinc_t)
-+term_getattr_generic_ptys(boinc_t)
-+
-+userdom_getattr_user_ttys(boinc_t)
-+
-+# needed by java
-+fs_read_hugetlbfs_files(boinc_project_t)
-+
-+optional_policy(`
-+ gnome_read_gconf_config(boinc_project_t)
-+')
-+
- optional_policy(`
- java_exec(boinc_project_t)
- ')
-+
-+# until solution for VirtualBox, java ..
-+optional_policy(`
-+ unconfined_domain(boinc_project_t)
-+')
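Review bot: `unconfined_domain(boinc_project_t)` in the last optional_policy block makes the project domain unconfined whenever the unconfined module is present, so every restriction in this section (the tmp/var_lib manage rules, the `deny_ptrace` guard, the port-specific connect) has no effect there, and the boinc_t to boinc_project_t transition becomes a path to unconfined for any binary a project server ships. The comment `# until solution for VirtualBox, java ..` marks it as a workaround; at minimum gate it behind a declared boolean defaulting to false, e.g. `tunable_policy(`boinc_project_unconfined',` … `')`, so administrators opt in knowingly. Separately, the `dev_getattr_*`, `term_getattr_*` and `userdom_getattr_user_ttys` lines in the middle of this "boinc-projects local policy" section name `boinc_t`, not `boinc_project_t`; if that is intended they belong in the boinc section above, otherwise the subject is wrong. The unconditional `allow boinc_project_t self:process { execstack };` also contrasts with boinc_t's `boinc_execmem` tunable; consider the same gate.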
-diff --git a/brctl.te b/brctl.te
-index c5a91138c..1919abdd8 100644
---- a/brctl.te
-+++ b/brctl.te
-@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
- allow brctl_t self:tcp_socket create_socket_perms;
-
- kernel_request_load_module(brctl_t)
-+kernel_read_system_state(brctl_t)
- kernel_read_network_state(brctl_t)
- kernel_read_sysctl(brctl_t)
-
-@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
-
- domain_use_interactive_fds(brctl_t)
-
--files_read_etc_files(brctl_t)
--
- term_dontaudit_use_console(brctl_t)
-
--miscfiles_read_localization(brctl_t)
--
- optional_policy(`
- xen_append_log(brctl_t)
- xen_dontaudit_rw_unix_stream_sockets(brctl_t)
-diff --git a/brltty.fc b/brltty.fc
-new file mode 100644
-index 000000000..05e352897
---- /dev/null
-+++ b/brltty.fc
-@@ -0,0 +1,10 @@
-+/tmp/brltty\.log.* -- gen_context(system_u:object_r:brltty_log_t,s0)
-+
-+/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0)
-+
-+/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0)
-+
-+/var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0)
-+
-+/var/run/brltty(/.*)? gen_context(system_u:object_r:brltty_var_run_t,s0)
-+
-diff --git a/brltty.if b/brltty.if
-new file mode 100644
-index 000000000..968c957ab
---- /dev/null
-+++ b/brltty.if
-@@ -0,0 +1,80 @@
-+
-+## brltty is refreshable braille display driver for Linux/Unix
-+
-+########################################
-+##
-+## Execute brltty in the brltty domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`brltty_domtrans',`
-+ gen_require(`
-+ type brltty_t, brltty_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, brltty_exec_t, brltty_t)
-+')
-+########################################
-+##
-+## Execute brltty server in the brltty domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`brltty_systemctl',`
-+ gen_require(`
-+ type brltty_t;
-+ type brltty_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 brltty_unit_file_t:file read_file_perms;
-+ allow $1 brltty_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, brltty_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an brltty environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`brltty_admin',`
-+ gen_require(`
-+ type brltty_t;
-+ type brltty_unit_file_t;
-+ ')
-+
-+ allow $1 brltty_t:process { signal_perms };
-+ ps_process_pattern($1, brltty_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 brltty_t:process ptrace;
-+ ')
-+
-+ brltty_systemctl($1)
-+ admin_pattern($1, brltty_unit_file_t)
-+ allow $1 brltty_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/brltty.te b/brltty.te
-new file mode 100644
-index 000000000..c167267f8
---- /dev/null
-+++ b/brltty.te
-@@ -0,0 +1,70 @@
-+policy_module(brltty, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type brltty_t;
-+type brltty_exec_t;
-+init_daemon_domain(brltty_t, brltty_exec_t)
-+
-+type brltty_var_lib_t;
-+files_type(brltty_var_lib_t)
-+
-+type brltty_var_run_t;
-+files_pid_file(brltty_var_run_t)
-+
-+type brltty_log_t;
-+logging_log_file(brltty_log_t)
-+
-+type brltty_unit_file_t;
-+systemd_unit_file(brltty_unit_file_t)
-+
-+########################################
-+#
-+# brltty local policy
-+#
-+allow brltty_t self:capability { sys_admin sys_tty_config mknod };
-+allow brltty_t self:process { fork signal_perms };
-+
-+allow brltty_t self:fifo_file rw_fifo_file_perms;
-+allow brltty_t self:unix_stream_socket create_stream_socket_perms;
-+allow brltty_t self:tcp_socket listen;
-+
-+manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
-+manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
-+manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
-+files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })
-+
-+manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
-+manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
-+manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
-+files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
-+
-+manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
-+manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
-+manage_chr_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
-+files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file chr_file })
-+allow brltty_t brltty_var_run_t:dir mounton;
-+
-+kernel_read_system_state(brltty_t)
-+kernel_read_usermodehelper_state(brltty_t)
-+
-+auth_use_nsswitch(brltty_t)
-+
-+corenet_tcp_bind_brlp_port(brltty_t)
-+
-+dev_read_sysfs(brltty_t)
-+dev_rw_generic_usb_dev(brltty_t)
-+dev_rw_input_dev(brltty_t)
-+
-+fs_getattr_all_fs(brltty_t)
-+
-+logging_send_syslog_msg(brltty_t)
-+
-+modutils_domtrans_insmod(brltty_t)
-+
-+sysnet_dns_name_resolve(brltty_t)
-+
-+term_use_unallocated_ttys(brltty_t)
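Review bot: `allow brltty_t self:tcp_socket listen;` is the only tcp_socket rule for the domain, so `corenet_tcp_bind_brlp_port(brltty_t)` cannot actually be exercised: name_bind on the port type is granted but create/bind/accept on the socket itself are not, which suggests `allow brltty_t self:tcp_socket create_stream_socket_perms;` was intended (or both lines should go if the TCP listener is not needed). The capability set `{ sys_admin sys_tty_config mknod }` together with `manage_chr_files_pattern` on `brltty_var_run_t`, `files_pid_filetrans(… chr_file)`, `dir mounton` and `modutils_domtrans_insmod` is a large privilege surface for a braille driver; each deserves a one-line comment naming the operation that needs it, and `sys_admin` in particular should be confirmed from denials rather than granted pre-emptively. Logging goes to a world-writable directory via `files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })` and the `/tmp/brltty\.log.*` context; a root daemon's log is better placed under /var/log, and the `manage_lnk_files_pattern` on the log type is unnecessary if the daemon only writes a regular file.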
-diff --git a/bugzilla.fc b/bugzilla.fc
-index fce0b6ebf..9efceac4e 100644
---- a/bugzilla.fc
-+++ b/bugzilla.fc
-@@ -1,4 +1,4 @@
--/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
--/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
-+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0)
-+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
-
--/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
-+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
-diff --git a/bugzilla.if b/bugzilla.if
-index 1b22262d5..d9ea246a1 100644
---- a/bugzilla.if
-+++ b/bugzilla.if
-@@ -12,10 +12,10 @@
- #
- interface(`bugzilla_search_content',`
- gen_require(`
-- type httpd_bugzilla_content_t;
-+ type bugzilla_content_t;
- ')
-
-- allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
-+ allow $1 bugzilla_content_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
- #
- interface(`bugzilla_dontaudit_rw_stream_sockets',`
- gen_require(`
-- type httpd_bugzilla_script_t;
-+ type bugzilla_script_t;
- ')
-
-- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
-+ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
- ')
-
- ########################################
-@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
- interface(`bugzilla_admin',`
- gen_require(`
-- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-- type httpd_bugzilla_htaccess_t;
-+ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
-+ type bugzilla_rw_content_t, bugzilla_script_exec_t;
-+ type bugzilla_htaccess_t, bugzilla_tmp_t;
-+ ')
-+
-+ allow $1 bugzilla_script_t:process signal_perms;
-+ ps_process_pattern($1, bugzilla_script_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 bugzilla_script_t:process ptrace;
- ')
-
-- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
-- ps_process_pattern($1, httpd_bugzilla_script_t)
-+ files_list_tmp($1)
-+ admin_pattern($1, bugzilla_tmp_t)
-
-- files_search_usr($1)
-- admin_pattern($1, httpd_bugzilla_script_exec_t)
-- admin_pattern($1, httpd_bugzilla_script_t)
-- admin_pattern($1, httpd_bugzilla_content_t)
-- admin_pattern($1, httpd_bugzilla_htaccess_t)
-- admin_pattern($1, httpd_bugzilla_ra_content_t)
-+ files_list_var_lib(bugzilla_script_t)
-+
-+ admin_pattern($1, bugzilla_script_exec_t)
-+ admin_pattern($1, bugzilla_script_t)
-+ admin_pattern($1, bugzilla_content_t)
-+ admin_pattern($1, bugzilla_htaccess_t)
-+ admin_pattern($1, bugzilla_ra_content_t)
-
- files_search_tmp($1)
- files_search_var_lib($1)
-- admin_pattern($1, httpd_bugzilla_rw_content_t)
-+ admin_pattern($1, bugzilla_rw_content_t)
-
-- apache_list_sys_content($1)
-+ optional_policy(`
-+ apache_list_sys_content($1)
-+ ')
- ')
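Review bot: `files_list_var_lib(bugzilla_script_t)` inside `bugzilla_admin` grants a permission to the CGI domain rather than to the administrator `$1`, and it is the only line in the interface that does; every other rule targets `$1`. It reads as a typo for `files_list_var_lib($1)`, and as written it silently changes bugzilla_script_t's policy whenever any domain calls the admin interface. Change it to `files_list_var_lib($1)` or drop it, since `files_search_var_lib($1)` follows a few lines later.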
-diff --git a/bugzilla.te b/bugzilla.te
-index 18623e39e..300b2b0c0 100644
---- a/bugzilla.te
-+++ b/bugzilla.te
-@@ -6,42 +6,57 @@ policy_module(bugzilla, 1.1.0)
- #
-
- apache_content_template(bugzilla)
-+apache_content_alias_template(bugzilla, bugzilla)
-+
-+type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
-+files_tmp_file(bugzilla_tmp_t)
-
- ########################################
- #
- # Local policy
- #
-
--allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
-+allow bugzilla_script_t self:netlink_route_socket create_netlink_socket_perms;
-+allow bugzilla_script_t self:tcp_socket { accept listen };
-+allow bugzilla_script_t self:udp_socket create_socket_perms;
-+
-+corenet_all_recvfrom_netlabel(bugzilla_script_t)
-+corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
-+corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
-+
-+corenet_sendrecv_http_client_packets(bugzilla_script_t)
-+corenet_tcp_connect_http_port(bugzilla_script_t)
-+corenet_tcp_sendrecv_http_port(bugzilla_script_t)
-+
-+corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
-+corenet_tcp_connect_smtp_port(bugzilla_script_t)
-+corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
-+
-+manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
-+manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
-+files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
-
--corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
--corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
--corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
--corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
-+files_search_var_lib(bugzilla_script_t)
-
--corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
--corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
--corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
-+auth_read_passwd(bugzilla_script_t)
-
--corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
--corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
--corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
-+dev_read_sysfs(bugzilla_script_t)
-
--files_search_var_lib(httpd_bugzilla_script_t)
-+sysnet_read_config(bugzilla_script_t)
-+sysnet_use_ldap(bugzilla_script_t)
-
--sysnet_dns_name_resolve(httpd_bugzilla_script_t)
--sysnet_use_ldap(httpd_bugzilla_script_t)
-+miscfiles_read_certs(bugzilla_script_t)
-
- optional_policy(`
-- mta_send_mail(httpd_bugzilla_script_t)
-+ mta_send_mail(bugzilla_script_t)
- ')
-
- optional_policy(`
-- mysql_stream_connect(httpd_bugzilla_script_t)
-- mysql_tcp_connect(httpd_bugzilla_script_t)
-+ mysql_stream_connect(bugzilla_script_t)
-+ mysql_tcp_connect(bugzilla_script_t)
- ')
-
- optional_policy(`
-- postgresql_stream_connect(httpd_bugzilla_script_t)
-- postgresql_tcp_connect(httpd_bugzilla_script_t)
-+ postgresql_stream_connect(bugzilla_script_t)
-+ postgresql_tcp_connect(bugzilla_script_t)
- ')
-diff --git a/bumblebee.fc b/bumblebee.fc
-new file mode 100644
-index 000000000..b5ee23be7
---- /dev/null
-+++ b/bumblebee.fc
-@@ -0,0 +1,7 @@
-+/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
-+
-+/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
-+
-+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
-diff --git a/bumblebee.if b/bumblebee.if
-new file mode 100644
-index 000000000..2d2e60c19
---- /dev/null
-+++ b/bumblebee.if
-@@ -0,0 +1,122 @@
-+## policy for bumblebee
-+
-+########################################
-+##
-+## Execute bumblebee in the bumblebee domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bumblebee_domtrans',`
-+ gen_require(`
-+ type bumblebee_t, bumblebee_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
-+')
-+
-+########################################
-+##
-+## Read bumblebee PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bumblebee_read_pid_files',`
-+ gen_require(`
-+ type bumblebee_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute bumblebee server in the bumblebee domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bumblebee_systemctl',`
-+ gen_require(`
-+ type bumblebee_t;
-+ type bumblebee_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 bumblebee_unit_file_t:file read_file_perms;
-+ allow $1 bumblebee_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, bumblebee_t)
-+')
-+
-+########################################
-+##
-+## Connect to bumblebee over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bumblebee_stream_connect',`
-+ gen_require(`
-+ type bumblebee_t, bumblebee_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an bumblebee environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`bumblebee_admin',`
-+ gen_require(`
-+ type bumblebee_t;
-+ type bumblebee_var_run_t;
-+ type bumblebee_unit_file_t;
-+ ')
-+
-+ allow $1 bumblebee_t:process { signal_perms };
-+ ps_process_pattern($1, bumblebee_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 bumblebee_t:process ptrace;
-+ ')
-+
-+ files_search_pids($1)
-+ admin_pattern($1, bumblebee_var_run_t)
-+
-+ bumblebee_systemctl($1)
-+ admin_pattern($1, bumblebee_unit_file_t)
-+ allow $1 bumblebee_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/bumblebee.te b/bumblebee.te
-new file mode 100644
-index 000000000..9aee6f327
---- /dev/null
-+++ b/bumblebee.te
-@@ -0,0 +1,63 @@
-+policy_module(bumblebee, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type bumblebee_t;
-+type bumblebee_exec_t;
-+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
-+
-+type bumblebee_var_run_t;
-+files_pid_file(bumblebee_var_run_t)
-+
-+type bumblebee_unit_file_t;
-+systemd_unit_file(bumblebee_unit_file_t)
-+
-+########################################
-+#
-+# bumblebee local policy
-+#
-+
-+allow bumblebee_t self:capability { setgid };
-+allow bumblebee_t self:process { fork signal_perms };
-+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
-+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
-+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
-+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
-+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
-+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
-+
-+kernel_read_system_state(bumblebee_t)
-+kernel_read_network_state(bumblebee_t)
-+kernel_dontaudit_access_check_proc(bumblebee_t)
-+kernel_dontaudit_write_proc_files(bumblebee_t)
-+kernel_manage_debugfs(bumblebee_t)
-+
-+corecmd_exec_shell(bumblebee_t)
-+corecmd_exec_bin(bumblebee_t)
-+
-+dev_read_sysfs(bumblebee_t)
-+
-+auth_use_nsswitch(bumblebee_t)
-+
-+logging_send_syslog_msg(bumblebee_t)
-+
-+modutils_domtrans_insmod(bumblebee_t)
-+modutils_signal_insmod(bumblebee_t)
-+
-+sysnet_dns_name_resolve(bumblebee_t)
-+
-+xserver_domtrans(bumblebee_t)
-+xserver_kill(bumblebee_t)
-+xserver_signal(bumblebee_t)
-+xserver_stream_connect(bumblebee_t)
-+xserver_manage_xkb_libs(bumblebee_t)
-+corenet_tcp_connect_xserver_port(bumblebee_t)
-+
-+optional_policy(`
-+ apm_stream_connect(bumblebee_t)
-+')
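Review bot: `kernel_manage_debugfs(bumblebee_t)` gives the daemon write access to the whole debugfs tree, far more than a GPU-switching daemon should need; if the target is a single control file (presumably under vgaswitcheroo, confirm against the daemon) a dedicated type and a narrower rule would be preferable, and a comment should name the path either way. `kernel_dontaudit_write_proc_files(bumblebee_t)` hides attempted /proc writes instead of denying them visibly, so a real requirement there would never surface in audit logs; if the daemon does write a /proc entry, allow that specific one. `modutils_domtrans_insmod` and `xserver_domtrans` combined with `corecmd_exec_shell`/`corecmd_exec_bin` mean whatever the daemon executes from its configuration can reach those transitions; a one-line comment per transition stating which feature needs it would make later tightening possible.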
-diff --git a/cachefilesd.fc b/cachefilesd.fc
-index 648c7902b..aa03fc8ae 100644
---- a/cachefilesd.fc
-+++ b/cachefilesd.fc
-@@ -1,9 +1,34 @@
--/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
-+###############################################################################
-+#
-+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# Define the contexts to be assigned to various files and directories of
-+# importance to the CacheFiles kernel module and userspace management daemon.
-+#
-+
-+# cachefilesd executable will have:
-+# label: system_u:object_r:cachefilesd_exec_t
-+# MLS sensitivity: s0
-+# MCS categories:
-+
-+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
-
- /sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-
- /usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-
--/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
-+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-+
-+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-
--/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
-+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
-diff --git a/cachefilesd.if b/cachefilesd.if
-index 8de2ab9c5..3b419455f 100644
---- a/cachefilesd.if
-+++ b/cachefilesd.if
-@@ -1,39 +1,35 @@
--## CacheFiles user-space management daemon.
-+###############################################################################
-+#
-+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# Define the policy interface for the CacheFiles userspace management daemon.
-+#
-+## policy for cachefilesd
-
- ########################################
- ##
--## All of the rules required to
--## administrate an cachefilesd environment.
-+## Execute a domain transition to run cachefilesd.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
--interface(`cachefilesd_admin',`
-+interface(`cachefilesd_domtrans',`
- gen_require(`
-- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
-- type cachefilesd_var_run_t;
-+ type cachefilesd_t, cachefilesd_exec_t;
- ')
-
-- allow $1 cachefilesd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, cachefilesd_t)
--
-- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 cachefilesd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_var($1)
-- admin_pattern($1, cachefilesd_cache_t)
--
-- files_search_pids($1)
-- admin_pattern($1, cachefilesd_var_run_t)
-+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
- ')
-diff --git a/cachefilesd.te b/cachefilesd.te
-index a3760bc92..f2fc5b2f3 100644
---- a/cachefilesd.te
-+++ b/cachefilesd.te
-@@ -1,52 +1,125 @@
- policy_module(cachefilesd, 1.1.0)
-
--########################################
-+###############################################################################
- #
- # Declarations
- #
-
-+#
-+# Files in the cache are created by the cachefiles module with security ID
-+# cachefiles_var_t
-+#
-+type cachefiles_var_t;
-+files_type(cachefiles_var_t)
-+
-+#
-+# The /dev/cachefiles character device has security ID cachefiles_dev_t
-+#
-+type cachefiles_dev_t;
-+dev_node(cachefiles_dev_t)
-+
-+#
-+# The cachefilesd daemon normally runs with security ID cachefilesd_t
-+#
- type cachefilesd_t;
- type cachefilesd_exec_t;
- init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-
--type cachefilesd_initrc_exec_t;
--init_script_file(cachefilesd_initrc_exec_t)
--
--type cachefilesd_cache_t;
--files_type(cachefilesd_cache_t)
--
-+#
-+# The cachefilesd daemon pid file context
-+#
- type cachefilesd_var_run_t;
- files_pid_file(cachefilesd_var_run_t)
-
--########################################
- #
--# Local policy
-+# The CacheFiles kernel module causes processes accessing the cache files to do
-+# so acting as security ID cachefiles_kernel_t
-+#
-+type cachefiles_kernel_t;
-+domain_type(cachefiles_kernel_t)
-+domain_obj_id_change_exemption(cachefiles_kernel_t)
-+role system_r types cachefiles_kernel_t;
-+
-+###############################################################################
- #
-+# Permit RPM to deal with files in the cache
-+#
-+optional_policy(`
-+ rpm_use_script_fds(cachefilesd_t)
-+')
-
--allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
-+###############################################################################
-+#
-+# cachefilesd local policy
-+#
-+# These define what cachefilesd is permitted to do. This doesn't include very
-+# much: startup stuff, logging, pid file, scanning the cache superstructure and
-+# deleting files from the cache. It is not permitted to read/write files in
-+# the cache.
-+#
-+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
-+# rules.
-+#
-+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search };
-+allow cachefilesd_t self:process signal_perms;
-
-+# Allow manipulation of pid file
-+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
- manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
-+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
- files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
-+files_create_as_is_all_files(cachefilesd_t)
-
--manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
--manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
--
--dev_rw_cachefiles(cachefilesd_t)
-+# Allow access to cachefiles device file
-+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
-
--files_create_all_files_as(cachefilesd_t)
--files_read_etc_files(cachefilesd_t)
-+# Allow access to cache superstructure
-+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
-+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
-
-+# Permit statfs on the backing filesystem
- fs_getattr_xattr_fs(cachefilesd_t)
-
-+# Basic access
-+logging_send_syslog_msg(cachefilesd_t)
-+init_dontaudit_use_script_ptys(cachefilesd_t)
- term_dontaudit_use_generic_ptys(cachefilesd_t)
- term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-
--logging_send_syslog_msg(cachefilesd_t)
-+###############################################################################
-+#
-+# When cachefilesd invokes the kernel module to begin caching, it has to tell
-+# the kernel module the security context in which it should act, and this
-+# policy has to approve that.
-+#
-+# There are two parts to this:
-+#
-+# (1) the security context used by the module to access files in the cache,
-+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
-+#
-+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
-
--miscfiles_read_localization(cachefilesd_t)
-+#
-+# (2) the label that will be assigned to new files and directories created in
-+# the cache by the module, which will be the same as the label on the
-+# directory pointed to by the 'dir' command.
-+#
-+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
-
--init_dontaudit_use_script_ptys(cachefilesd_t)
-+###############################################################################
-+#
-+# cachefiles kernel module local policy
-+#
-+# This governs what the kernel module is allowed to do the contents of the
-+# cache.
-+#
-+allow cachefiles_kernel_t self:capability { dac_read_search };
-
--optional_policy(`
-- rpm_use_script_fds(cachefilesd_t)
--')
-+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
-+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
-+
-+fs_getattr_xattr_fs(cachefiles_kernel_t)
-+
-+dev_search_sysfs(cachefiles_kernel_t)
-+
-+init_sigchld_script(cachefiles_kernel_t)
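Review bot: The local-policy header says cachefilesd `is not permitted to read/write files in the cache`, but `manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)` under `# Allow access to cache superstructure` grants read, write, create and unlink on those files, so either the comment or the rule is wrong. If culling only needs to stat and unlink, replace it with `delete_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)` plus a getattr rule; otherwise correct the comment. `files_create_as_is_all_files(cachefilesd_t)` is also broader than the adjacent `allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };` that part (2) of the comment documents; if the kernel_service rule suffices, drop the all-files variant. The `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` line is redundant with the `manage_files_pattern` on the same type right below it.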
-diff --git a/calamaris.if b/calamaris.if
-index cd9c52871..ba793b748 100644
---- a/calamaris.if
-+++ b/calamaris.if
-@@ -42,7 +42,7 @@ interface(`calamaris_run',`
- attribute_role calamaris_roles;
- ')
-
-- lightsquid_domtrans($1)
-+ calamaris_domtrans($1)
- roleattribute $2 calamaris_roles;
- ')
-
-diff --git a/calamaris.te b/calamaris.te
-index 7e574604b..66915d96c 100644
---- a/calamaris.te
-+++ b/calamaris.te
-@@ -23,7 +23,7 @@ files_type(calamaris_www_t)
- # Local policy
- #
-
--allow calamaris_t self:capability dac_override;
-+allow calamaris_t self:capability { dac_read_search };
- allow calamaris_t self:process { signal_perms setsched };
- allow calamaris_t self:fifo_file rw_fifo_file_perms;
- allow calamaris_t self:unix_stream_socket { accept listen };
-@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
-
- corecmd_exec_bin(calamaris_t)
-
-+corenet_all_recvfrom_netlabel(calamaris_t)
-+corenet_tcp_sendrecv_generic_if(calamaris_t)
-+corenet_udp_sendrecv_generic_if(calamaris_t)
-+corenet_tcp_sendrecv_generic_node(calamaris_t)
-+corenet_udp_sendrecv_generic_node(calamaris_t)
-+corenet_tcp_sendrecv_all_ports(calamaris_t)
-+corenet_udp_sendrecv_all_ports(calamaris_t)
-+
- dev_read_urand(calamaris_t)
-
--files_read_usr_files(calamaris_t)
-+files_search_pids(calamaris_t)
- files_read_etc_runtime_files(calamaris_t)
-
--libs_read_lib_files(calamaris_t)
--
- auth_use_nsswitch(calamaris_t)
-
- logging_send_syslog_msg(calamaris_t)
-
--miscfiles_read_localization(calamaris_t)
--
- userdom_dontaudit_list_user_home_dirs(calamaris_t)
-
- optional_policy(`
-diff --git a/callweaver.te b/callweaver.te
-index 0e5be4cdf..b9a407f90 100644
---- a/callweaver.te
-+++ b/callweaver.te
-@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
-
- auth_use_nsswitch(callweaver_t)
-
--miscfiles_read_localization(callweaver_t)
-diff --git a/canna.if b/canna.if
-index 400db07a2..f416e22a7 100644
---- a/canna.if
-+++ b/canna.if
-@@ -43,9 +43,13 @@ interface(`canna_admin',`
- type canna_var_run_t, canna_initrc_exec_t;
- ')
-
-- allow $1 canna_t:process { ptrace signal_perms };
-+ allow $1 canna_t:process signal_perms;
- ps_process_pattern($1, canna_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 canna_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
-diff --git a/canna.te b/canna.te
-index 9fe61621f..5c505e7de 100644
---- a/canna.te
-+++ b/canna.te
-@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
- kernel_read_kernel_sysctls(canna_t)
- kernel_read_system_state(canna_t)
-
--corenet_all_recvfrom_unlabeled(canna_t)
- corenet_all_recvfrom_netlabel(canna_t)
- corenet_tcp_sendrecv_generic_if(canna_t)
- corenet_tcp_sendrecv_generic_node(canna_t)
-@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t)
-
- domain_use_interactive_fds(canna_t)
-
--files_read_etc_files(canna_t)
- files_read_etc_runtime_files(canna_t)
--files_read_usr_files(canna_t)
- files_search_tmp(canna_t)
- files_dontaudit_read_root_files(canna_t)
-
--logging_send_syslog_msg(canna_t)
-+auth_use_nsswitch(canna_t)
-
--miscfiles_read_localization(canna_t)
-+logging_send_syslog_msg(canna_t)
-
- sysnet_read_config(canna_t)
-
-diff --git a/ccs.if b/ccs.if
-index 5ded72d37..cb94e5ea7 100644
---- a/ccs.if
-+++ b/ccs.if
-@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
- interface(`ccs_admin',`
- gen_require(`
- type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-- type ccs_var_lib_t_t, ccs_var_log_t;
-+ type ccs_var_lib_t, ccs_var_log_t;
- type ccs_var_run_t, ccs_tmp_t;
- ')
-
-- allow $1 ccs_t:process { ptrace signal_perms };
-+ allow $1 ccs_t:process { signal_perms };
- ps_process_pattern($1, ccs_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ccs_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, ccs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ccs_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
-- admin_pattern($1, ccs_conf_t)
-+ admin_pattern($1, cluster_conf_t)
-
- files_search_var_lib($1)
- admin_pattern($1, ccs_var_lib_t)
-diff --git a/ccs.te b/ccs.te
-index 658134d8a..58deeceaa 100644
---- a/ccs.te
-+++ b/ccs.te
-@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
-
- allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
- allow ccs_t self:process { signal setrlimit setsched };
--dontaudit ccs_t self:process ptrace;
-+
- allow ccs_t self:fifo_file rw_fifo_file_perms;
- allow ccs_t self:unix_stream_socket { accept connectto listen };
- allow ccs_t self:tcp_socket { accept listen };
-@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
- corecmd_list_bin(ccs_t)
- corecmd_exec_bin(ccs_t)
-
--corenet_all_recvfrom_unlabeled(ccs_t)
- corenet_all_recvfrom_netlabel(ccs_t)
- corenet_tcp_sendrecv_generic_if(ccs_t)
- corenet_udp_sendrecv_generic_if(ccs_t)
-@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
-
- dev_read_urand(ccs_t)
-
--files_read_etc_files(ccs_t)
- files_read_etc_runtime_files(ccs_t)
-
- init_rw_script_tmp_files(ccs_t)
-+init_signal(ccs_t)
-
- logging_send_syslog_msg(ccs_t)
-
--miscfiles_read_localization(ccs_t)
--
- sysnet_dns_name_resolve(ccs_t)
-
- userdom_manage_unpriv_user_shared_mem(ccs_t)
-@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-- aisexec_stream_connect(ccs_t)
-- corosync_stream_connect(ccs_t)
-+ rhcs_stream_connect_cluster(ccs_t)
- ')
-
- optional_policy(`
-diff --git a/cdrecord.if b/cdrecord.if
-index fbc20f694..4de4a005c 100644
---- a/cdrecord.if
-+++ b/cdrecord.if
-@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
-
- allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
-
-- allow $2 cdrecord_t:process { ptrace signal_perms };
-+ allow $2 cdrecord_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 cdrecord_t:process ptrace;
-+ ')
- ps_process_pattern($2, cdrecord_t)
- ')
-diff --git a/cdrecord.te b/cdrecord.te
-index 16883c9c3..96f86d07b 100644
---- a/cdrecord.te
-+++ b/cdrecord.te
-@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
- # Local policy
- #
-
--allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search sys_rawio };
- allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
- allow cdrecord_t self:unix_stream_socket { accept listen };
-
-@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
- domain_interactive_fd(cdrecord_t)
- domain_use_interactive_fds(cdrecord_t)
-
--files_read_etc_files(cdrecord_t)
--
- term_use_controlling_term(cdrecord_t)
- term_list_ptys(cdrecord_t)
-
-@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
-
- logging_send_syslog_msg(cdrecord_t)
-
--miscfiles_read_localization(cdrecord_t)
--
--userdom_use_user_terminals(cdrecord_t)
--userdom_read_user_home_content_files(cdrecord_t)
-+userdom_use_inherited_user_terminals(cdrecord_t)
-
- tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(cdrecord_t)
-@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
- userdom_dontaudit_read_user_home_content_files(cdrecord_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- files_search_mnt(cdrecord_t)
-- fs_read_nfs_files(cdrecord_t)
-- fs_read_nfs_symlinks(cdrecord_t)
--')
-+userdom_home_manager(cdrecord_t)
-
- optional_policy(`
- resmgr_stream_connect(cdrecord_t)
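Review bot: Replacing the use_nfs_home_dirs block with `userdom_home_manager(cdrecord_t)` appears to widen access rather than move it: the removed rules only granted reading NFS files and symlinks, while a home-manager attribute is presumably given manage rights over NFS/CIFS home content under the same tunables. For a burner that only reads source content (see the cdrecord_read_content tunables above), a read-only grant would preserve least privilege; if the broader access is intended, a comment above the call saying why would help. The enclosing local policy continues outside the hunk.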
-diff --git a/certmaster.if b/certmaster.if
-index 0c53b189b..ef29f6e6c 100644
---- a/certmaster.if
-+++ b/certmaster.if
-@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
- interface(`certmaster_admin',`
- gen_require(`
- type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-- type certmaster_etc_rw_t, certmaster_var_log_t;
-- type certmaster_initrc_exec_t;
-+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
- ')
-
-- allow $1 certmaster_t:process { ptrace signal_perms };
-+ allow $1 certmaster_t:process signal_perms;
- ps_process_pattern($1, certmaster_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 certmaster_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
-diff --git a/certmaster.te b/certmaster.te
-index 4a878730b..59890995f 100644
---- a/certmaster.te
-+++ b/certmaster.te
-@@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t)
- # Local policy
- #
-
--allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
-+allow certmaster_t self:capability { dac_read_search sys_tty_config };
- allow certmaster_t self:tcp_socket { accept listen };
-
- list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
-@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
- dev_read_urand(certmaster_t)
-
- files_list_var(certmaster_t)
--files_search_etc(certmaster_t)
--files_read_usr_files(certmaster_t)
-
- auth_use_nsswitch(certmaster_t)
-
--miscfiles_read_localization(certmaster_t)
- miscfiles_manage_generic_cert_dirs(certmaster_t)
- miscfiles_manage_generic_cert_files(certmaster_t)
-+
-+mta_send_mail(certmaster_t)
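Review bot: `mta_send_mail(certmaster_t)` is added at top level, while the same call in certwatch.te in this patch is wrapped in an optional_policy block; unless the mta module is guaranteed to be loaded, an unwrapped call fails the build when it is absent. Wrapping it the same way keeps the two modules consistent. The certmaster_t local policy continues outside the hunk.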
-diff --git a/certmonger.fc b/certmonger.fc
-index ed298d8b6..c88764838 100644
---- a/certmonger.fc
-+++ b/certmonger.fc
-@@ -1,7 +1,12 @@
-+/etc/systemd/system/dirsrv.target.wants(/.*)? gen_context(system_u:object_r:certmonger_unit_file_t,s0)
-+/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0)
-+
- /etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
-
- /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
-
-+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
-+
- /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
-
- /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
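Review bot: The new entry labeling `/etc/systemd/system/dirsrv.target.wants(/.*)?` as certmonger_unit_file_t is surprising in a certmonger file context, since it covers a directory that belongs to dirsrv; presumably certmonger creates or manages symlinks there, but nothing in this patch says so. A one-line comment in the .fc above the entry explaining why the dirsrv wants-directory carries the certmonger label would save the next maintainer from "fixing" it.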
-diff --git a/certmonger.if b/certmonger.if
-index 008f8ef26..144c0740a 100644
---- a/certmonger.if
-+++ b/certmonger.if
-@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
- ')
-
- ps_process_pattern($1, certmonger_t)
-- allow $1 certmonger_t:process { ptrace signal_perms };
-+ allow $1 certmonger_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 certmonger_t:process ptrace;
-+ ')
-
- certmonger_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, certmonger_var_lib_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, certmonger_var_run_t)
- ')
-diff --git a/certmonger.te b/certmonger.te
-index 550b287ce..36c9f99b1 100644
---- a/certmonger.te
-+++ b/certmonger.te
-@@ -18,18 +18,29 @@ files_type(certmonger_var_lib_t)
- type certmonger_var_run_t;
- files_pid_file(certmonger_var_run_t)
-
-+type certmonger_unconfined_exec_t;
-+application_executable_file(certmonger_unconfined_exec_t)
-+
-+type certmonger_unit_file_t;
-+systemd_unit_file(certmonger_unit_file_t)
-+
-+type certmonger_tmp_t;
-+files_tmp_file(certmonger_tmp_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
-+allow certmonger_t self:capability { chown dac_read_search setgid setuid kill sys_nice };
- dontaudit certmonger_t self:capability sys_tty_config;
- allow certmonger_t self:capability2 block_suspend;
-+
- allow certmonger_t self:process { getsched setsched sigkill signal };
--allow certmonger_t self:fifo_file rw_fifo_file_perms;
--allow certmonger_t self:unix_stream_socket { accept listen };
--allow certmonger_t self:tcp_socket { accept listen };
-+allow certmonger_t self:fifo_file rw_file_perms;
-+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-+allow certmonger_t self:tcp_socket create_stream_socket_perms;
-+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
-
- manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
- manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
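Review bot: `allow certmonger_t self:fifo_file rw_file_perms;` replaces a line that used `rw_fifo_file_perms`; the fifo-specific set is the conventional one for the fifo_file class and the `rw_file_perms` form reads as an accidental edit. The hunk also adds `chown` to the capability set with no rule visible here that needs it; a short comment on which operation requires it would help. The local policy section continues outside the hunk.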
-@@ -39,8 +50,13 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
- manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
- files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
-
-+manage_dirs_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
-+manage_files_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
-+files_tmp_filetrans(certmonger_t, certmonger_tmp_t, { file dir })
-+
- kernel_read_kernel_sysctls(certmonger_t)
- kernel_read_system_state(certmonger_t)
-+kernel_read_network_state(certmonger_t)
-
- corenet_all_recvfrom_unlabeled(certmonger_t)
- corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,17 +65,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
-
- corenet_sendrecv_certmaster_client_packets(certmonger_t)
- corenet_tcp_connect_certmaster_port(certmonger_t)
-+
-+corenet_tcp_connect_http_port(certmonger_t)
-+corenet_tcp_connect_http_cache_port(certmonger_t)
-+
-+corenet_tcp_connect_ldap_port(certmonger_t)
-+
-+corenet_tcp_connect_pki_ca_port(certmonger_t)
- corenet_tcp_sendrecv_certmaster_port(certmonger_t)
-
- corecmd_exec_bin(certmonger_t)
- corecmd_exec_shell(certmonger_t)
-
-+dev_read_rand(certmonger_t)
- dev_read_urand(certmonger_t)
-
- domain_use_interactive_fds(certmonger_t)
-
--files_read_usr_files(certmonger_t)
- files_list_tmp(certmonger_t)
-+files_list_home(certmonger_t)
-+files_dontaudit_write_etc_runtime_files(certmonger_t)
-
- fs_search_cgroup_dirs(certmonger_t)
-
-@@ -68,18 +93,24 @@ auth_rw_cache(certmonger_t)
-
- init_getattr_all_script_files(certmonger_t)
-
-+libs_exec_ldconfig(certmonger_t)
-+
- logging_send_syslog_msg(certmonger_t)
-
--miscfiles_read_localization(certmonger_t)
--miscfiles_manage_generic_cert_files(certmonger_t)
-+miscfiles_manage_all_certs(certmonger_t)
-+
-+systemd_exec_systemctl(certmonger_t)
-+systemd_manage_all_unit_files(certmonger_t)
-+systemd_start_systemd_services(certmonger_t)
-+systemd_status_all_unit_files(certmonger_t)
-
- userdom_search_user_home_content(certmonger_t)
-
- optional_policy(`
-- apache_initrc_domtrans(certmonger_t)
-- apache_search_config(certmonger_t)
-+ apache_read_config(certmonger_t)
- apache_signal(certmonger_t)
- apache_signull(certmonger_t)
-+ apache_systemctl(certmonger_t)
- ')
-
- optional_policy(`
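Review bot: `systemd_manage_all_unit_files(certmonger_t)` grants management of every unit file, which effectively lets the certmonger domain redefine any service, while the concrete needs are already covered by the per-service interfaces added in this patch (`apache_systemctl`, `pki_tomcat_systemctl`, `rhcs_start_haproxy_services`) and by the certmonger_unit_file_t rules in the following hunk. Consider dropping the all-unit-files grant and keeping `systemd_status_all_unit_files`, so a compromised certmonger cannot rewrite unrelated units. The certmonger_t local policy continues before and after this hunk.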
-@@ -92,11 +123,74 @@ optional_policy(`
- ')
-
- optional_policy(`
-- kerberos_read_keytab(certmonger_t)
-+ dirsrv_manage_config(certmonger_t)
-+ dirsrv_signal(certmonger_t)
-+ dirsrv_signull(certmonger_t)
-+ dirsrv_stream_connect(certmonger_t)
-+')
-+
-+optional_policy(`
-+ ipa_manage_lib(certmonger_t)
-+ ipa_manage_log(certmonger_t)
-+ ipa_manage_pid_files(certmonger_t)
-+ ipa_filetrans_pid(certmonger_t,"renewal.lock")
-+ ipa_named_filetrans_log_dir(certmonger_t)
-+')
-+
-+optional_policy(`
- kerberos_use(certmonger_t)
-+ kerberos_read_keytab(certmonger_t)
-+ kerberos_manage_kdc_config(certmonger_t)
-+ kerberos_filetrans_named_content(certmonger_t)
- ')
-
- optional_policy(`
- pcscd_read_pid_files(certmonger_t)
- pcscd_stream_connect(certmonger_t)
- ')
-+
-+optional_policy(`
-+ pki_rw_tomcat_cert(certmonger_t)
-+ pki_read_tomcat_lib_files(certmonger_t)
-+ pki_tomcat_systemctl(certmonger_t)
-+')
-+
-+optional_policy(`
-+ rhcs_start_haproxy_services(certmonger_t)
-+')
-+
-+optional_policy(`
-+ sssd_delete_public_files(certmonger_t)
-+')
-+
-+optional_policy(`
-+ allow certmonger_t certmonger_unit_file_t:service manage_service_perms;
-+ allow certmonger_t certmonger_unit_file_t:file manage_file_perms;
-+ allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms;
-+ systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir)
-+')
-+
-+########################################
-+#
-+# certmonger_unconfined_script_t local policy
-+#
-+
-+optional_policy(`
-+ type certmonger_unconfined_t;
-+ domain_type(certmonger_unconfined_t)
-+
-+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
-+ role system_r types certmonger_unconfined_t;
-+
-+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
-+
-+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
-+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
-+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
-+
-+ init_domtrans_script(certmonger_unconfined_t)
-+
-+ optional_policy(`
-+ unconfined_domain(certmonger_unconfined_t)
-+ ')
-+')
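Review bot: `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class, which looks like a typo for `list_dir_perms` (the `search_dir_perms` line above it would then be subsumed); confirm which was intended. The section header reads `certmonger_unconfined_script_t local policy` but the type declared is `certmonger_unconfined_t`, so the header should be renamed. Because this domain becomes unconfined_domain when the unconfined module is present, a comment stating that only executables labeled certmonger_unconfined_exec_t (the /usr/lib/ipa/certmonger path in certmonger.fc) reach it would document the trust boundary.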
-diff --git a/certwatch.te b/certwatch.te
-index 171fafb99..6cf8b7957 100644
---- a/certwatch.te
-+++ b/certwatch.te
-@@ -18,35 +18,48 @@ role certwatch_roles types certwatch_t;
- # Local policy
- #
-
--allow certwatch_t self:capability sys_nice;
-+allow certwatch_t self:capability { dac_read_search sys_nice };
- allow certwatch_t self:process { setsched getsched };
-+allow certwatch_t self:tcp_socket create_stream_socket_perms;
-
-+kernel_read_system_state(certwatch_t)
-+
-+corecmd_exec_bin(certwatch_t)
-+
-+dev_read_rand(certwatch_t)
- dev_read_urand(certwatch_t)
-
--files_read_etc_files(certwatch_t)
--files_read_usr_files(certwatch_t)
- files_read_usr_symlinks(certwatch_t)
- files_list_tmp(certwatch_t)
-
- fs_list_inotifyfs(certwatch_t)
-
- auth_manage_cache(certwatch_t)
-+auth_read_passwd(certwatch_t)
- auth_var_filetrans_cache(certwatch_t)
-
- logging_send_syslog_msg(certwatch_t)
-
- miscfiles_read_all_certs(certwatch_t)
--miscfiles_read_localization(certwatch_t)
-+miscfiles_manage_generic_cert_dirs(certwatch_t)
-+miscfiles_map_generic_certs(certwatch_t)
-+
-+sysnet_read_config(certwatch_t)
-
--userdom_use_user_terminals(certwatch_t)
--userdom_dontaudit_list_user_home_dirs(certwatch_t)
-+userdom_use_inherited_user_terminals(certwatch_t)
-+userdom_dontaudit_list_admin_dir(certwatch_t)
-
- optional_policy(`
-+ apache_domtrans(certwatch_t)
- apache_exec_modules(certwatch_t)
- apache_read_config(certwatch_t)
- ')
-
- optional_policy(`
-+ mta_send_mail(certwatch_t)
-+')
-+
-+optional_policy(`
- cron_system_entry(certwatch_t, certwatch_exec_t)
- ')
-
-diff --git a/cfengine.if b/cfengine.if
-index a7311229f..5279d4e3a 100644
---- a/cfengine.if
-+++ b/cfengine.if
-@@ -13,7 +13,6 @@
- template(`cfengine_domain_template',`
- gen_require(`
- attribute cfengine_domain;
-- type cfengine_log_t, cfengine_var_lib_t;
- ')
-
- ########################################
-@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
- # Policy
- #
-
-+ kernel_read_system_state(cfengine_$1_t)
-+
- auth_use_nsswitch(cfengine_$1_t)
-+
-+ logging_send_syslog_msg(cfengine_$1_t)
-+')
-+
-+######################################
-+##
-+## Search cfengine lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_search_lib_files',`
-+ gen_require(`
-+ type cfengine_var_lib_t;
-+ ')
-+
-+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
- dontaudit $1 cfengine_var_log_t:file write_file_perms;
- ')
-
-+#####################################
-+##
-+## Allow the specified domain to append cfengine's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_append_inherited_log',`
-+ gen_require(`
-+ type cfengine_var_log_t;
-+ ')
-+
-+ cfengine_search_lib_files($1)
-+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
-+')
-+
-+####################################
-+##
-+## Dontaudit the specified domain to write cfengine's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_dontaudit_write_log',`
-+ gen_require(`
-+ type cfengine_var_log_t;
-+ ')
-+
-+ dontaudit $1 cfengine_var_log_t:file write;
-+')
-+
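Review bot: The new interfaces `cfengine_append_inherited_log` and `cfengine_dontaudit_write_log` require `cfengine_var_log_t`, while cfengine_admin below and the cfengine.te hunk in this patch use `cfengine_log_t`; unless an alias exists, callers of the new interfaces will fail at build time. `cfengine_dontaudit_write_log` also duplicates the existing `cfengine_dontaudit_write_log_files` just above it with a narrower permission (`write` versus `write_file_perms`); one of the two should go, or the difference be documented. The description of the append interface should also say what "inherited" means here, since the rules themselves do not distinguish inherited descriptors.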
- ########################################
- ##
- ## All of the rules required to
-@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
- type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
- ')
-
-- allow $1 cfengine_domain:process { ptrace signal_perms };
-+ allow $1 cfengine_domain:process { signal_perms };
- ps_process_pattern($1, cfengine_domain)
-
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
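Review bot: cfengine_admin drops ptrace outright, whereas every other admin interface touched by this patch (canna, ccs, cdrecord, certmaster, certmonger, cgroup, cgdcbxd) keeps it behind the `deny_ptrace` tunable; for consistency, add `allow $1 cfengine_domain:process ptrace;` inside the same `tunable_policy` deny_ptrace block used in canna_admin, after the ps_process_pattern call. The braces in `{ signal_perms }` are also unnecessary around a single permission set (same style at ccs_admin and cgdcbxd_admin in this patch). The interface body continues outside the hunk.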
-@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
- files_search_var_lib($1)
- admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
- ')
-+
-diff --git a/cfengine.te b/cfengine.te
-index fbe3ad955..21ab8e176 100644
---- a/cfengine.te
-+++ b/cfengine.te
-@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
- setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
- logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
-
--kernel_read_system_state(cfengine_domain)
--
- corecmd_exec_bin(cfengine_domain)
- corecmd_exec_shell(cfengine_domain)
-
- dev_read_urand(cfengine_domain)
- dev_read_sysfs(cfengine_domain)
-
--logging_send_syslog_msg(cfengine_domain)
--
--miscfiles_read_localization(cfengine_domain)
--
-+sysnet_dns_name_resolve(cfengine_domain)
- sysnet_domtrans_ifconfig(cfengine_domain)
-
- ########################################
-@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t)
- # Monitord local policy
- #
-
--kernel_read_hotplug_sysctls(cfengine_monitord_t)
-+kernel_read_usermodehelper_state(cfengine_monitord_t)
- kernel_read_network_state(cfengine_monitord_t)
-
- domain_read_all_domains_state(cfengine_monitord_t)
-diff --git a/cgdcbxd.fc b/cgdcbxd.fc
-new file mode 100644
-index 000000000..756703813
---- /dev/null
-+++ b/cgdcbxd.fc
-@@ -0,0 +1,5 @@
-+/usr/lib/systemd/system/cgdcbxd\.service -- gen_context(system_u:object_r:cgdcbxd_unit_file_t,s0)
-+
-+/usr/sbin/cgdcbxd -- gen_context(system_u:object_r:cgdcbxd_exec_t,s0)
-+
-+/var/run/cgdcbxd\.pid -- gen_context(system_u:object_r:cgdcbxd_var_run_t,s0)
-diff --git a/cgdcbxd.if b/cgdcbxd.if
-new file mode 100644
-index 000000000..1efacf1d1
---- /dev/null
-+++ b/cgdcbxd.if
-@@ -0,0 +1,99 @@
-+
-+## policy for cgdcbxd
-+
-+########################################
-+##
-+## Execute TEMPLATE in the cgdcbxd domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cgdcbxd_domtrans',`
-+ gen_require(`
-+ type cgdcbxd_t, cgdcbxd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cgdcbxd_exec_t, cgdcbxd_t)
-+')
-+########################################
-+##
-+## Read cgdcbxd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cgdcbxd_read_pid_files',`
-+ gen_require(`
-+ type cgdcbxd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute cgdcbxd server in the cgdcbxd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cgdcbxd_systemctl',`
-+ gen_require(`
-+ type cgdcbxd_t;
-+ type cgdcbxd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 cgdcbxd_unit_file_t:file read_file_perms;
-+ allow $1 cgdcbxd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cgdcbxd_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an cgdcbxd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`cgdcbxd_admin',`
-+ gen_require(`
-+ type cgdcbxd_t;
-+ type cgdcbxd_var_run_t;
-+ type cgdcbxd_unit_file_t;
-+ ')
-+
-+ allow $1 cgdcbxd_t:process { signal_perms };
-+ ps_process_pattern($1, cgdcbxd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgdcbxd_t:process ptrace;
-+ ')
-+
-+ files_search_pids($1)
-+ admin_pattern($1, cgdcbxd_var_run_t)
-+
-+ cgdcbxd_systemctl($1)
-+ admin_pattern($1, cgdcbxd_unit_file_t)
-+ allow $1 cgdcbxd_unit_file_t:service all_service_perms;
-+
-+')
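Review bot: The description of `cgdcbxd_domtrans` still reads `Execute TEMPLATE in the cgdcbxd domin.`, a template placeholder plus a typo, and `cgdcbxd_systemctl` is described as `Execute cgdcbxd server in the cgdcbxd domain.` although it grants systemctl control over the unit, not a domain transition; both should be reworded. In `cgdcbxd_admin`, the trailing `allow $1 cgdcbxd_unit_file_t:service all_service_perms;` supersedes the `manage_service_perms` already granted through `cgdcbxd_systemctl($1)`, and the blank line before the closing `')` is stray.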
-diff --git a/cgdcbxd.te b/cgdcbxd.te
-new file mode 100644
-index 000000000..06ff1b01a
---- /dev/null
-+++ b/cgdcbxd.te
-@@ -0,0 +1,36 @@
-+policy_module(cgdcbxd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type cgdcbxd_t;
-+type cgdcbxd_exec_t;
-+init_daemon_domain(cgdcbxd_t, cgdcbxd_exec_t)
-+
-+type cgdcbxd_var_run_t;
-+files_pid_file(cgdcbxd_var_run_t)
-+
-+type cgdcbxd_unit_file_t;
-+systemd_unit_file(cgdcbxd_unit_file_t)
-+
-+########################################
-+#
-+# cgdcbxd local policy
-+#
-+
-+allow cgdcbxd_t self:fifo_file rw_fifo_file_perms;
-+allow cgdcbxd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+dontaudit cgdcbxd_t self:capability sys_ptrace;
-+allow cgdcbxd_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+manage_files_pattern(cgdcbxd_t, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
-+files_pid_filetrans(cgdcbxd_t, cgdcbxd_var_run_t, { file })
-+
-+kernel_read_system_state(cgdcbxd_t)
-+kernel_read_network_state(cgdcbxd_t)
-+kernel_search_network_sysctl(cgdcbxd_t)
-+
-+domain_dontaudit_read_all_domains_state(cgdcbxd_t)
-diff --git a/cgroup.if b/cgroup.if
-index 85ca63f9a..1d1c99c8f 100644
---- a/cgroup.if
-+++ b/cgroup.if
-@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
- type cgrules_etc_t, cgclear_t;
- ')
-
-- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
-+ allow $1 cgclear_t:process signal_perms;
-+ ps_process_pattern($1, cgclear_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgclear_t:process ptrace;
-+ ')
-+
-+ allow $1 cgconfig_t:process signal_perms;
-+ ps_process_pattern($1, cgconfig_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgconfig_t:process ptrace;
-+ ')
-+
-+ allow $1 cgred_t:process signal_perms;
-+ ps_process_pattern($1, cgred_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgred_t:process ptrace;
-+ ')
-
- admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
- files_list_etc($1)
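Review bot: The three per-domain blocks repeat the same signal_perms, ps_process_pattern and deny_ptrace stanza; the set syntax `{ cgclear_t cgconfig_t cgred_t }` the removed lines used works inside `tunable_policy` as well, so the hunk can stay a single stanza and avoid drift when a fourth domain is added. Proposed rewrite below; the rest of cgroup_admin continues outside the hunk.
```m4
	allow $1 { cgclear_t cgconfig_t cgred_t }:process signal_perms;
	ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })

	tunable_policy(`deny_ptrace',`',`
		allow $1 { cgclear_t cgconfig_t cgred_t }:process ptrace;
	')
	# … unchanged: admin_pattern / files_list_etc …
```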
-diff --git a/cgroup.te b/cgroup.te
-index 80a88a27a..9d59bfa0e 100644
---- a/cgroup.te
-+++ b/cgroup.te
-@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
- type cgrules_etc_t;
- files_config_file(cgrules_etc_t)
-
--type cgconfig_t;
--type cgconfig_exec_t;
-+type cgconfig_t alias cgconfigparser_t;
-+type cgconfig_exec_t alias cgconfigparser_exec_t;
- init_daemon_domain(cgconfig_t, cgconfig_exec_t)
-
- type cgconfig_initrc_exec_t;
-@@ -40,12 +40,14 @@ files_config_file(cgconfig_etc_t)
- # cgclear local policy
- #
-
--allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
-+allow cgclear_t self:capability { dac_read_search sys_admin };
-
--allow cgclear_t cgconfig_etc_t:file read_file_perms;
-+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
-
- kernel_read_system_state(cgclear_t)
-
-+auth_use_nsswitch(cgclear_t)
-+
- domain_setpriority_all_domains(cgclear_t)
-
- fs_manage_cgroup_dirs(cgclear_t)
-@@ -57,30 +59,33 @@ fs_unmount_cgroup(cgclear_t)
- # cgconfig local policy
- #
-
--allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
-+allow cgconfig_t self:capability { dac_read_search fowner fsetid chown sys_admin sys_tty_config };
-
- allow cgconfig_t cgconfig_etc_t:file read_file_perms;
-
- kernel_list_unlabeled(cgconfig_t)
- kernel_read_system_state(cgconfig_t)
-
--files_read_etc_files(cgconfig_t)
--
- fs_manage_cgroup_dirs(cgconfig_t)
- fs_manage_cgroup_files(cgconfig_t)
- fs_mount_cgroup(cgconfig_t)
- fs_mounton_cgroup(cgconfig_t)
- fs_unmount_cgroup(cgconfig_t)
-
-+auth_use_nsswitch(cgconfig_t)
-+
- ########################################
- #
- # cgred local policy
- #
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search sys_ptrace };
-+allow cgred_t self:process signal_perms;
-
--allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
- allow cgred_t self:netlink_socket { write bind create read };
- allow cgred_t self:unix_dgram_socket { write create connect };
-+allow cgred_t self:netlink_connector_socket create_socket_perms;
-
-+allow cgred_t cgconfig_etc_t:file read_file_perms;
- allow cgred_t cgrules_etc_t:file read_file_perms;
-
- allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t)
- files_getattr_all_files(cgred_t)
- files_getattr_all_sockets(cgred_t)
- files_read_all_symlinks(cgred_t)
--files_read_etc_files(cgred_t)
-
--fs_write_cgroup_files(cgred_t)
-+fs_manage_cgroup_dirs(cgred_t)
-+fs_manage_cgroup_files(cgred_t)
-+fs_list_inotifyfs(cgred_t)
-
--logging_send_syslog_msg(cgred_t)
-+auth_use_nsswitch(cgred_t)
-
--miscfiles_read_localization(cgred_t)
-+logging_send_syslog_msg(cgred_t)
-diff --git a/chrome.fc b/chrome.fc
-new file mode 100644
-index 000000000..5c6bdb68d
---- /dev/null
-+++ b/chrome.fc
-@@ -0,0 +1,11 @@
-+/opt/google/chrome[^/]*/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-+
-+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-+
-+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-+/opt/google/chrome[^/]*/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-+
-+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
-+HOME_DIR/\.cache/google-chrome-unstable(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
-+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
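Review bot: `/opt/google/chrome/nacl_helper_bootstrap` is already matched by the entry on the next line, since `[^/]*` also matches the empty string, so the first of the two nacl_helper_bootstrap entries is redundant and can be dropped. A short comment noting that the `[^/]*` form exists to cover versioned or channel-suffixed install directories would explain why only the glob form is kept.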
-diff --git a/chrome.if b/chrome.if
-new file mode 100644
-index 000000000..aa308eba6
---- /dev/null
-+++ b/chrome.if
-@@ -0,0 +1,137 @@
-+
-+## policy for chrome
-+
-+########################################
-+##
-+## Execute a domain transition to run chrome_sandbox.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`chrome_domtrans_sandbox',`
-+ gen_require(`
-+ type chrome_sandbox_t, chrome_sandbox_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
-+ ps_process_pattern(chrome_sandbox_t, $1)
-+
-+ allow $1 chrome_sandbox_t:fd use;
-+
-+ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
-+ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
-+
-+ ifdef(`hide_broken_symptoms',`
-+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
-+ ')
-+')
-+
-+
-+########################################
-+##
-+## Execute chrome_sandbox in the chrome_sandbox domain, and
-+## allow the specified role the chrome_sandbox domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the chrome_sandbox domain.
-+##
-+##
-+#
-+interface(`chrome_run_sandbox',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ type chrome_sandbox_nacl_t;
-+ ')
-+
-+ chrome_domtrans_sandbox($1)
-+ role $2 types chrome_sandbox_t;
-+ role $2 types chrome_sandbox_nacl_t;
-+')
-+
-+########################################
-+##
-+## Role access for chrome sandbox
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`chrome_role_notrans',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ type chrome_sandbox_tmpfs_t;
-+ type chrome_sandbox_nacl_t;
-+ ')
-+
-+ role $1 types chrome_sandbox_t;
-+ role $1 types chrome_sandbox_nacl_t;
-+
-+ ps_process_pattern($2, chrome_sandbox_t)
-+ allow $2 chrome_sandbox_t:process signal_perms;
-+
-+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
-+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
-+ allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
-+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
-+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
-+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
-+
-+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
-+
-+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Role access for chrome sandbox
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`chrome_role',`
-+ chrome_role_notrans($1, $2)
-+ chrome_domtrans_sandbox($2)
-+')
-+
-+########################################
-+##
-+## Dontaudit read/write to a chrome_sandbox leaks
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`chrome_dontaudit_sandbox_leaks',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ ')
-+
-+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
-+')
-diff --git a/chrome.te b/chrome.te
-new file mode 100644
-index 000000000..ca526f823
---- /dev/null
-+++ b/chrome.te
-@@ -0,0 +1,256 @@
-+policy_module(chrome,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type chrome_sandbox_t;
-+type chrome_sandbox_exec_t;
-+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
-+role system_r types chrome_sandbox_t;
-+ubac_constrained(chrome_sandbox_t)
-+
-+type chrome_sandbox_tmp_t;
-+files_tmp_file(chrome_sandbox_tmp_t)
-+
-+type chrome_sandbox_tmpfs_t;
-+files_tmpfs_file(chrome_sandbox_tmpfs_t)
-+ubac_constrained(chrome_sandbox_tmpfs_t)
-+
-+type chrome_sandbox_nacl_t;
-+type chrome_sandbox_nacl_exec_t;
-+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
-+role system_r types chrome_sandbox_nacl_t;
-+ubac_constrained(chrome_sandbox_nacl_t)
-+
-+type chrome_sandbox_home_t;
-+userdom_user_home_content(chrome_sandbox_home_t)
-+
-+########################################
-+#
-+# chrome_sandbox local policy
-+#
-+allow chrome_sandbox_t self:capability2 block_suspend;
-+allow chrome_sandbox_t self:capability { chown dac_read_search fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
-+dontaudit chrome_sandbox_t self:capability sys_nice;
-+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
-+allow chrome_sandbox_t self:process setsched;
-+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
-+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
-+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow chrome_sandbox_t self:shm create_shm_perms;
-+allow chrome_sandbox_t self:sem create_sem_perms;
-+allow chrome_sandbox_t self:msgq create_msgq_perms;
-+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
-+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
-+
-+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
-+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
-+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
-+
-+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
-+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
-+
-+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
-+
-+kernel_read_system_state(chrome_sandbox_t)
-+kernel_read_kernel_sysctls(chrome_sandbox_t)
-+
-+auth_dontaudit_read_passwd(chrome_sandbox_t)
-+
-+fs_manage_cgroup_dirs(chrome_sandbox_t)
-+fs_manage_cgroup_files(chrome_sandbox_t)
-+fs_read_dos_files(chrome_sandbox_t)
-+fs_read_hugetlbfs_files(chrome_sandbox_t)
-+
-+corecmd_exec_bin(chrome_sandbox_t)
-+
-+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
-+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
-+corenet_tcp_connect_aol_port(chrome_sandbox_t)
-+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
-+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
-+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
-+corenet_tcp_connect_flash_port(chrome_sandbox_t)
-+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
-+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
-+corenet_tcp_connect_generic_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_port(chrome_sandbox_t)
-+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
-+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
-+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
-+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
-+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
-+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
-+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
-+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
-+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
-+corenet_tcp_connect_speech_port(chrome_sandbox_t)
-+corenet_tcp_connect_squid_port(chrome_sandbox_t)
-+corenet_tcp_connect_tor_port(chrome_sandbox_t)
-+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
-+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
-+corenet_tcp_connect_whois_port(chrome_sandbox_t)
-+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
-+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-+
-+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
-+
-+dev_read_urand(chrome_sandbox_t)
-+dev_read_sysfs(chrome_sandbox_t)
-+dev_rwx_zero(chrome_sandbox_t)
-+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
-+
-+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
-+
-+libs_legacy_use_shared_libs(chrome_sandbox_t)
-+
-+term_dontaudit_use_console(chrome_sandbox_t)
-+
-+miscfiles_read_fonts(chrome_sandbox_t)
-+
-+sysnet_dns_name_resolve(chrome_sandbox_t)
-+
-+userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
-+userdom_execute_user_tmp_files(chrome_sandbox_t)
-+
-+userdom_use_user_ptys(chrome_sandbox_t)
-+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
-+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
-+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
-+userdom_search_user_home_content(chrome_sandbox_t)
-+# This one we should figure a way to make it more secure
-+userdom_manage_home_certs(chrome_sandbox_t)
-+
-+optional_policy(`
-+ gnome_exec_config_home_files(chrome_sandbox_t)
-+ gnome_read_generic_cache_files(chrome_sandbox_t)
-+ gnome_rw_inherited_config(chrome_sandbox_t)
-+ gnome_read_home_config(chrome_sandbox_t)
-+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
-+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
-+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
-+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
-+')
-+
-+optional_policy(`
-+ mozilla_write_user_home_files(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ xserver_use_user_fonts(chrome_sandbox_t)
-+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_search_nfs(chrome_sandbox_t)
-+ fs_exec_nfs_files(chrome_sandbox_t)
-+ fs_read_nfs_files(chrome_sandbox_t)
-+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
-+ fs_read_nfs_symlinks(chrome_sandbox_t)
-+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(chrome_sandbox_t)
-+ fs_exec_cifs_files(chrome_sandbox_t)
-+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
-+ fs_read_cifs_files(chrome_sandbox_t)
-+ fs_read_cifs_symlinks(chrome_sandbox_t)
-+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_search_fusefs(chrome_sandbox_t)
-+ fs_read_fusefs_files(chrome_sandbox_t)
-+ fs_exec_fusefs_files(chrome_sandbox_t)
-+ fs_read_fusefs_symlinks(chrome_sandbox_t)
-+')
-+
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_read_ecryptfs_files(chrome_sandbox_t)
-+ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
-+ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ bumblebee_stream_connect(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ cups_stream_connect(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ sandbox_use_ptys(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_write_state(chrome_sandbox_t)
-+')
-+
-+########################################
-+#
-+# chrome_sandbox_nacl local policy
-+#
-+
-+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
-+
-+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
-+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
-+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
-+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
-+
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
-+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
-+
-+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
-+
-+domain_use_interactive_fds(chrome_sandbox_nacl_t)
-+
-+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
-+
-+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
-+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
-+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
-+
-+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
-+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
-+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
-+
-+kernel_read_state(chrome_sandbox_nacl_t)
-+kernel_read_system_state(chrome_sandbox_nacl_t)
-+
-+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
-+
-+dev_read_urand(chrome_sandbox_nacl_t)
-+dev_read_sysfs(chrome_sandbox_nacl_t)
-+dev_rwx_zero(chrome_sandbox_nacl_t)
-+
-+init_read_state(chrome_sandbox_nacl_t)
-+
-+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
-+
-+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
-+userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
-+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
-+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
-+
-+optional_policy(`
-+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
-+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
-+')
-diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143ed8..9c06350c2 100644
---- a/chronyd.fc
-+++ b/chronyd.fc
-@@ -1,13 +1,20 @@
--/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
-+/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0)
-
- /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
-+
- /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-+/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-+
-+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
-
- /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
-
- /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
-
--/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chrony-helper(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
- /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
- /var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
-diff --git a/chronyd.if b/chronyd.if
-index 32e8265c2..508f3b84f 100644
---- a/chronyd.if
-+++ b/chronyd.if
-@@ -57,6 +57,24 @@ interface(`chronyd_exec',`
- can_exec($1, chronyd_exec_t)
- ')
-
-+########################################
-+##
-+## Send generic signals to chronyd.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_signal',`
-+ gen_require(`
-+ type chronyd_t;
-+ ')
-+
-+ allow $1 chronyd_t:process signal;
-+')
-+
- #####################################
- ##
- ## Read chronyd log files.
-@@ -100,8 +118,25 @@ interface(`chronyd_rw_shm',`
-
- ########################################
- ##
--## Connect to chronyd using a unix
--## domain stream socket.
-+## Read chronyd keys files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_read_keys',`
-+ gen_require(`
-+ type chronyd_keys_t;
-+ ')
-+
-+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
-+')
-+
-+########################################
-+##
-+## Append chronyd keys files.
- ##
- ##
- ##
-@@ -109,6 +144,49 @@ interface(`chronyd_rw_shm',`
- ##
- ##
- #
-+interface(`chronyd_append_keys',`
-+ gen_require(`
-+ type chronyd_keys_t;
-+ ')
-+
-+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
-+')
-+
-+########################################
-+##
-+## Execute chronyd server in the chronyd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`chronyd_systemctl',`
-+ gen_require(`
-+ type chronyd_t;
-+ type chronyd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 chronyd_unit_file_t:file read_file_perms;
-+ allow $1 chronyd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, chronyd_t)
-+')
-+
-+#######################################
-+##
-+## Connect to chronyd using a unix
-+## domain stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
- interface(`chronyd_stream_connect',`
- gen_require(`
- type chronyd_t, chronyd_var_run_t;
-@@ -140,7 +218,7 @@ interface(`chronyd_dgram_send',`
-
- ########################################
- ##
--## Read chronyd key files.
-+## Manage pid files used by chronyd
- ##
- ##
- ##
-@@ -148,13 +226,14 @@ interface(`chronyd_dgram_send',`
- ##
- ##
- #
--interface(`chronyd_read_key_files',`
-+interface(`chronyd_manage_pid',`
- gen_require(`
-- type chronyd_keys_t;
-+ type chronyd_var_run_t;
- ')
-
-- files_search_etc($1)
-- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
-+ files_search_pids($1)
-+ manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
-+ manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
- ')
-
- ####################################
-@@ -176,28 +255,81 @@ interface(`chronyd_read_key_files',`
- #
- interface(`chronyd_admin',`
- gen_require(`
-- type chronyd_t, chronyd_var_log_t;
-- type chronyd_var_run_t, chronyd_var_lib_t;
-- type chronyd_initrc_exec_t, chronyd_keys_t;
-+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
-+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
-+ type chronyd_keys_t, chronyd_unit_file_t;
- ')
-
-- allow $1 chronyd_t:process { ptrace signal_perms };
-+ allow $1 chronyd_t:process signal_perms;
- ps_process_pattern($1, chronyd_t)
-
-- chronyd_initrc_domtrans($1)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 chronyd_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, chronyd_keys_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, chronyd_var_log_t)
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, chronyd_var_lib_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, chronyd_var_run_t)
-+
-+ admin_pattern($1, chronyd_tmpfs_t)
-+
-+ admin_pattern($1, chronyd_unit_file_t)
-+ chronyd_systemctl($1)
-+ allow $1 chronyd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Execute chronyc in the chronyc domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`chronyd_domtrans_chronyc',`
-+ gen_require(`
-+ type chronyc_t, chronyc_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
-+')
-+
-+########################################
-+##
-+## Execute chronyc in the chronyc domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+#
-+interface(`chronyd_run_chronyc',`
-+ gen_require(`
-+ type chronyc_t;
-+ attribute_role chronyc_roles;
-+ ')
-+
-+ chronyd_domtrans_chronyc($1)
-+ roleattribute $2 chronyc_roles;
- ')
-diff --git a/chronyd.te b/chronyd.te
-index e5b621c29..98e3ce0ab 100644
---- a/chronyd.te
-+++ b/chronyd.te
-@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
- # Declarations
- #
-
-+attribute_role chronyc_roles;
-+roleattribute system_r chronyc_roles;
-+
- type chronyd_t;
- type chronyd_exec_t;
- init_daemon_domain(chronyd_t, chronyd_exec_t)
-@@ -18,6 +21,9 @@ files_type(chronyd_keys_t)
- type chronyd_tmpfs_t;
- files_tmpfs_file(chronyd_tmpfs_t)
-
-+type chronyd_unit_file_t;
-+systemd_unit_file(chronyd_unit_file_t)
-+
- type chronyd_var_lib_t;
- files_type(chronyd_var_lib_t)
-
-@@ -27,18 +33,33 @@ logging_log_file(chronyd_var_log_t)
- type chronyd_var_run_t;
- files_pid_file(chronyd_var_run_t)
-
-+type chronyc_t;
-+type chronyc_exec_t;
-+domain_type(chronyc_t, chronyc_exec_t)
-+init_system_domain(chronyc_t, chronyc_exec_t)
-+role chronyc_roles types chronyc_t;
-+
- ########################################
- #
- # Local policy
- #
-
--allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
--allow chronyd_t self:process { getcap setcap setrlimit signal };
-+allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
-+allow chronyd_t self:capability2 block_suspend;
-+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
- allow chronyd_t self:shm create_shm_perms;
-+allow chronyd_t self:udp_socket create_socket_perms;
-+allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow chronyd_t self:fifo_file rw_fifo_file_perms;
-
-+allow chronyd_t chronyd_keys_t:file append_file_perms;
-+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
- allow chronyd_t chronyd_keys_t:file read_file_perms;
-
-+allow chronyd_t chronyc_t:unix_dgram_socket sendto;
-+
-+allow chronyd_t chronyc_exec_t:file mmap_file_perms;
-+
- manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
- manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
- fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
-@@ -61,6 +82,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
-
- kernel_read_system_state(chronyd_t)
- kernel_read_network_state(chronyd_t)
-+kernel_request_load_module(chronyd_t)
-+
-+can_exec(chronyd_t,chronyc_exec_t)
-+
-+clock_read_adjtime(chronyd_t)
-
- corenet_all_recvfrom_unlabeled(chronyd_t)
- corenet_all_recvfrom_netlabel(chronyd_t)
-@@ -76,18 +102,64 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
- corenet_udp_bind_chronyd_port(chronyd_t)
- corenet_udp_sendrecv_chronyd_port(chronyd_t)
-
-+domain_dontaudit_getsession_all_domains(chronyd_t)
-+
-+dev_read_rand(chronyd_t)
-+dev_read_urand(chronyd_t)
-+dev_read_sysfs(chronyd_t)
-+
- dev_rw_realtime_clock(chronyd_t)
-
- auth_use_nsswitch(chronyd_t)
-
-+corecmd_exec_bin(chronyd_t)
-+
- logging_send_syslog_msg(chronyd_t)
-
--miscfiles_read_localization(chronyd_t)
-+mta_send_mail(chronyd_t)
-+
-+sysnet_read_dhcpc_state(chronyd_t)
-+
-+systemd_exec_systemctl(chronyd_t)
-+
-+userdom_dgram_send(chronyd_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(chronyd_t)
-+')
-
- optional_policy(`
- gpsd_rw_shm(chronyd_t)
- ')
-
- optional_policy(`
-- mta_send_mail(chronyd_t)
-+ timemaster_stream_connect(chronyd_t)
-+ timemaster_read_pid_files(chronyd_t)
-+ timemaster_rw_shm(chronyd_t)
-+')
-+
-+optional_policy(`
-+ ptp4l_rw_shm(chronyd_t)
- ')
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow chronyc_t self:capability { dac_read_search dac_override };
-+allow chronyc_t self:udp_socket create_socket_perms;
-+allow chronyc_t self:unix_dgram_socket create_socket_perms;
-+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+allow chronyc_t chronyd_t:unix_dgram_socket sendto;
-+
-+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
-+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
-+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
-+
-+corecmd_exec_bin(chronyc_t)
-+
-+sysnet_read_config(chronyc_t)
-+
-+userdom_use_user_ptys(chronyc_t)
-diff --git a/cinder.fc b/cinder.fc
-new file mode 100644
-index 000000000..4b318b783
---- /dev/null
-+++ b/cinder.fc
-@@ -0,0 +1,16 @@
-+
-+/usr/bin/cinder-api -- gen_context(system_u:object_r:cinder_api_exec_t,s0)
-+/usr/bin/cinder-backup -- gen_context(system_u:object_r:cinder_backup_exec_t,s0)
-+/usr/bin/cinder-scheduler -- gen_context(system_u:object_r:cinder_scheduler_exec_t,s0)
-+/usr/bin/cinder-volume -- gen_context(system_u:object_r:cinder_volume_exec_t,s0)
-+
-+/usr/lib/systemd/system/openstack-cinder-api.* -- gen_context(system_u:object_r:cinder_api_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-cinder-backup.* -- gen_context(system_u:object_r:cinder_backup_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-cinder-scheduler.* -- gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-cinder-volume.* -- gen_context(system_u:object_r:cinder_volume_unit_file_t,s0)
-+
-+/var/lib/cinder(/.*)? gen_context(system_u:object_r:cinder_var_lib_t,s0)
-+
-+/var/log/cinder(/.*)? gen_context(system_u:object_r:cinder_log_t,s0)
-+
-+/var/run/cinder(/.*)? gen_context(system_u:object_r:cinder_var_run_t,s0)
-diff --git a/cinder.if b/cinder.if
-new file mode 100644
-index 000000000..fc9cae7c7
---- /dev/null
-+++ b/cinder.if
-@@ -0,0 +1,57 @@
-+## openstack-cinder
-+
-+######################################
-+##
-+## Manage cinder lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cinder_manage_lib_files',`
-+ gen_require(`
-+ type cinder_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## openstack-cinder systemd daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`cinder_domain_template',`
-+ gen_require(`
-+ attribute cinder_domain;
-+ ')
-+
-+ type cinder_$1_t, cinder_domain;
-+ type cinder_$1_exec_t;
-+ init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
-+
-+ type cinder_$1_unit_file_t;
-+ systemd_unit_file(cinder_$1_unit_file_t)
-+
-+ type cinder_$1_tmp_t;
-+ files_tmp_file(cinder_$1_tmp_t)
-+
-+ manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
-+ manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
-+ files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
-+ can_exec(cinder_$1_t, cinder_$1_tmp_t)
-+
-+ kernel_read_system_state(cinder_$1_t)
-+
-+ logging_send_syslog_msg(cinder_$1_t)
-+
-+')
-diff --git a/cinder.te b/cinder.te
-new file mode 100644
-index 000000000..488a7a659
---- /dev/null
-+++ b/cinder.te
-@@ -0,0 +1,169 @@
-+policy_module(cinder, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+#
-+# cinder-stack daemons contain security issue with using sudo in the code
-+# we make this policy as unconfined until this issue is fixed
-+#
-+
-+attribute cinder_domain;
-+
-+cinder_domain_template(api)
-+cinder_domain_template(backup)
-+cinder_domain_template(scheduler)
-+cinder_domain_template(volume)
-+
-+type cinder_log_t;
-+logging_log_file(cinder_log_t)
-+
-+type cinder_var_lib_t;
-+files_type(cinder_var_lib_t)
-+
-+type cinder_var_run_t;
-+files_pid_file(cinder_var_run_t)
-+
-+######################################
-+#
-+# cinder general domain local policy
-+#
-+
-+allow cinder_domain self:process signal_perms;
-+allow cinder_domain self:fifo_file rw_fifo_file_perms;
-+allow cinder_domain self:tcp_socket create_stream_socket_perms;
-+allow cinder_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t)
-+manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t)
-+
-+manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
-+manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
-+
-+manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
-+manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
-+
-+corenet_tcp_connect_amqp_port(cinder_domain)
-+corenet_tcp_connect_mysqld_port(cinder_domain)
-+
-+kernel_read_network_state(cinder_domain)
-+
-+corecmd_exec_bin(cinder_domain)
-+corecmd_exec_shell(cinder_domain)
-+corenet_tcp_connect_mysqld_port(cinder_domain)
-+
-+auth_read_passwd(cinder_domain)
-+
-+dev_read_sysfs(cinder_domain)
-+dev_read_urand(cinder_domain)
-+
-+fs_getattr_xattr_fs(cinder_domain)
-+
-+init_read_utmp(cinder_domain)
-+
-+libs_exec_ldconfig(cinder_domain)
-+
-+optional_policy(`
-+ mysql_stream_connect(cinder_domain)
-+ mysql_read_db_lnk_files(cinder_domain)
-+')
-+
-+optional_policy(`
-+ sysnet_read_config(cinder_domain)
-+ sysnet_exec_ifconfig(cinder_domain)
-+')
-+
-+#######################################
-+#
-+# cinder api local policy
-+#
-+
-+allow cinder_api_t self:process setfscreate;
-+allow cinder_api_t self:key write;
-+allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms;
-+allow cinder_api_t self:udp_socket create_socket_perms;
-+
-+kernel_read_kernel_sysctls(cinder_api_t)
-+
-+corenet_tcp_bind_generic_node(cinder_api_t)
-+corenet_udp_bind_generic_node(cinder_api_t)
-+# should be add to booleans
-+corenet_tcp_connect_all_ports(cinder_api_t)
-+corenet_tcp_bind_all_unreserved_ports(cinder_api_t)
-+
-+auth_read_passwd(cinder_api_t)
-+
-+logging_send_syslog_msg(cinder_api_t)
-+
-+miscfiles_read_certs(cinder_api_t)
-+
-+optional_policy(`
-+ iptables_domtrans(cinder_api_t)
-+')
-+
-+optional_policy(`
-+ ssh_exec_keygen(cinder_api_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(cinder_api_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(cinder_api_t)
-+')
-+
-+#######################################
-+#
-+# cinder backup local policy
-+#
-+
-+allow cinder_backup_t self:udp_socket create_socket_perms;
-+
-+auth_use_nsswitch(cinder_backup_t)
-+
-+systemd_dbus_chat_logind(cinder_backup_t)
-+
-+optional_policy(`
-+ unconfined_domain(cinder_backup_t)
-+')
-+
-+#######################################
-+#
-+# cinder scheduler local policy
-+#
-+
-+allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
-+allow cinder_scheduler_t self:udp_socket create_socket_perms;
-+
-+auth_read_passwd(cinder_scheduler_t)
-+
-+init_read_utmp(cinder_scheduler_t)
-+
-+optional_policy(`
-+ unconfined_domain(cinder_scheduler_t)
-+')
-+
-+#######################################
-+#
-+# cinder volume local policy
-+#
-+
-+allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+allow cinder_volume_t self:udp_socket create_socket_perms;
-+
-+kernel_read_kernel_sysctls(cinder_volume_t)
-+
-+logging_send_syslog_msg(cinder_volume_t)
-+
-+optional_policy(`
-+ lvm_domtrans(cinder_volume_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(cinder_volume_t)
-+')
-+
-diff --git a/cipe.te b/cipe.te
-index a0aa693d1..af571edbb 100644
---- a/cipe.te
-+++ b/cipe.te
-@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
- corecmd_exec_shell(ciped_t)
- corecmd_exec_bin(ciped_t)
-
--corenet_all_recvfrom_unlabeled(ciped_t)
- corenet_all_recvfrom_netlabel(ciped_t)
- corenet_udp_sendrecv_generic_if(ciped_t)
- corenet_udp_sendrecv_generic_node(ciped_t)
-@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
-
- domain_use_interactive_fds(ciped_t)
-
--files_read_etc_files(ciped_t)
- files_read_etc_runtime_files(ciped_t)
- files_dontaudit_search_var(ciped_t)
-
-@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
-
- logging_send_syslog_msg(ciped_t)
-
--miscfiles_read_localization(ciped_t)
--
- sysnet_read_config(ciped_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ciped_t)
-diff --git a/clamav.fc b/clamav.fc
-index d72afcc31..c53b80dcd 100644
---- a/clamav.fc
-+++ b/clamav.fc
-@@ -6,6 +6,8 @@
- /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
- /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
-
-+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
-+
- /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
- /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
-
-diff --git a/clamav.if b/clamav.if
-index 4cc4a5cd0..a6c632290 100644
---- a/clamav.if
-+++ b/clamav.if
-@@ -1,4 +1,4 @@
--## ClamAV Virus Scanner.
-+## ClamAV Virus Scanner
-
- ########################################
- ##
-@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
- type clamd_t, clamd_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, clamd_exec_t, clamd_t)
- ')
-
- ########################################
- ##
--## Connect to clamd using a unix
--## domain stream socket.
-+## Connect to run clamd.
- ##
- ##
- ##
-@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
-
- ########################################
- ##
--## Append clamav log files.
-+## Allow the specified domain to append
-+## to clamav log files.
- ##
- ##
- ##
-@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
-
- ########################################
- ##
--## Create, read, write, and delete
--## clamav pid content.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`clamav_manage_pid_content',`
-- gen_require(`
-- type clamd_var_run_t;
-- ')
--
-- files_search_pids($1)
-- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
-- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
--')
--
--########################################
--##
- ## Read clamav configuration files.
- ##
- ##
-@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
-
- ########################################
- ##
--## Search clamav library directories.
-+## Search clamav libraries directories.
- ##
- ##
- ##
-@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
- type clamscan_t, clamscan_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, clamscan_exec_t, clamscan_t)
- ')
-
- ########################################
- ##
--## Execute clamscan in the caller domain.
-+## Execute clamscan without a transition.
- ##
- ##
- ##
-@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
- type clamscan_exec_t;
- ')
-
-- corecmd_search_bin($1)
- can_exec($1, clamscan_exec_t)
- ')
-
--#######################################
-+########################################
- ##
--## Read clamd process state files.
-+## Manage clamd pid content.
- ##
- ##
- ##
-@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
- ##
- ##
- #
--interface(`clamav_read_state_clamd',`
-+interface(`clamav_manage_clamd_pid',`
- gen_require(`
-- type clamd_t;
-+ type clamd_var_run_t;
- ')
-
-- kernel_search_proc($1)
-- allow $1 clamd_t:dir list_dir_perms;
-- read_files_pattern($1, clamd_t, clamd_t)
-- read_lnk_files_pattern($1, clamd_t, clamd_t)
-+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
-+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-+')
-+
-+#######################################
-+##
-+## Read clamd state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`clamav_read_state_clamd',`
-+ gen_require(`
-+ type clamd_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, clamd_t)
-+')
-+
-+#######################################
-+##
-+## Execute clamd server in the clamd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`clamd_systemctl',`
-+ gen_require(`
-+ type clamd_t;
-+ type clamd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 clamd_unit_file_t:file read_file_perms;
-+ allow $1 clamd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, clamd_t)
- ')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an clamav environment.
-+## All of the rules required to administrate
-+## an clamav environment
- ##
- ##
- ##
-@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the clamav domain.
- ##
- ##
- ##
-@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
- interface(`clamav_admin',`
- gen_require(`
- type clamd_t, clamd_etc_t, clamd_tmp_t;
-- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
-- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
-+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
-+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
- type freshclam_t, freshclam_var_log_t;
-+ type clamd_unit_file_t;
- ')
-
-- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
-+ allow $1 clamd_t:process signal_perms;
-+ ps_process_pattern($1, clamd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 clamd_t:process ptrace;
-+ allow $1 clamscan_t:process ptrace;
-+ allow $1 freshclam_t:process ptrace;
-+ ')
-+
-+ allow $1 clamscan_t:process signal_perms;
-+ ps_process_pattern($1, clamscan_t)
-+
-+ allow $1 freshclam_t:process signal_perms;
-+ ps_process_pattern($1, freshclam_t)
-
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ clamd_systemctl($1)
-+ admin_pattern($1, clamd_unit_file_t)
-+ allow $1 clamd_unit_file_t:service all_service_perms;
-+
- files_list_etc($1)
- admin_pattern($1, clamd_etc_t)
-
-@@ -217,11 +252,21 @@ interface(`clamav_admin',`
- admin_pattern($1, clamd_var_lib_t)
-
- logging_list_logs($1)
-- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
-+ admin_pattern($1, clamd_var_log_t)
-
- files_list_pids($1)
- admin_pattern($1, clamd_var_run_t)
-
- files_list_tmp($1)
-- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
-+ admin_pattern($1, clamd_tmp_t)
-+
-+ admin_pattern($1, clamscan_tmp_t)
-+
-+ admin_pattern($1, freshclam_var_log_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+
- ')
-diff --git a/clamav.te b/clamav.te
-index ce3836acd..237fc8bf0 100644
---- a/clamav.te
-+++ b/clamav.te
-@@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false)
-
- ##
- ##
--## Determine whether can clamd use JIT compiler.
-+## Determine whether clamd can use JIT compiler.
- ##
- ##
- gen_tunable(clamd_use_jit, false)
-@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
- type clamd_initrc_exec_t;
- init_script_file(clamd_initrc_exec_t)
-
-+type clamd_unit_file_t;
-+systemd_unit_file(clamd_unit_file_t)
-+
- type clamd_tmp_t;
- files_tmp_file(clamd_tmp_t)
-
-@@ -70,9 +73,10 @@ logging_log_file(freshclam_var_log_t)
- # Clamd local policy
- #
-
--allow clamd_t self:capability { kill setgid setuid dac_override };
-+allow clamd_t self:capability { kill setgid setuid dac_read_search };
- dontaudit clamd_t self:capability sys_tty_config;
- allow clamd_t self:process signal;
-+
- allow clamd_t self:fifo_file rw_fifo_file_perms;
- allow clamd_t self:unix_stream_socket { accept connectto listen };
- allow clamd_t self:tcp_socket { listen accept };
-@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
-
- corecmd_exec_shell(clamd_t)
-
--corenet_all_recvfrom_unlabeled(clamd_t)
- corenet_all_recvfrom_netlabel(clamd_t)
- corenet_tcp_sendrecv_generic_if(clamd_t)
- corenet_tcp_sendrecv_generic_node(clamd_t)
-@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
-
- corenet_sendrecv_generic_client_packets(clamd_t)
- corenet_tcp_connect_generic_port(clamd_t)
-+corenet_tcp_connect_clamd_port(clamd_t)
-
- corenet_sendrecv_clamd_server_packets(clamd_t)
- corenet_tcp_bind_clamd_port(clamd_t)
-@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
-
- logging_send_syslog_msg(clamd_t)
-
--miscfiles_read_localization(clamd_t)
--
--tunable_policy(`clamd_use_jit',`
-- allow clamd_t self:process execmem;
--',`
-- dontaudit clamd_t self:process execmem;
--')
--
- optional_policy(`
- amavis_read_lib_files(clamd_t)
- amavis_read_spool_files(clamd_t)
-- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
-+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
- amavis_create_pid_files(clamd_t)
- ')
-
-@@ -165,12 +161,37 @@ optional_policy(`
- mta_send_mail(clamd_t)
- ')
-
-+optional_policy(`
-+ spamd_stream_connect(clamd_t)
-+ spamassassin_read_pid_files(clamd_t)
-+')
-+
-+tunable_policy(`clamd_use_jit',`
-+ allow clamd_t self:process execmem;
-+ allow clamscan_t self:process execmem;
-+',`
-+ dontaudit clamd_t self:process execmem;
-+ dontaudit clamscan_t self:process execmem;
-+')
-+
-+optional_policy(`
-+ antivirus_domain_template(clamd_t)
-+')
-+
-+optional_policy(`
-+ antivirus_domain_template(clamscan_t)
-+')
-+
-+optional_policy(`
-+ antivirus_domain_template(freshclam_t)
-+')
-+
- ########################################
- #
- # Freshclam local policy
- #
-
--allow freshclam_t self:capability { setgid setuid dac_override };
-+allow freshclam_t self:capability { setgid setuid dac_read_search };
- allow freshclam_t self:fifo_file rw_fifo_file_perms;
- allow freshclam_t self:unix_stream_socket { accept listen };
- allow freshclam_t self:tcp_socket { accept listen };
-@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
-
- logging_send_syslog_msg(freshclam_t)
-
--miscfiles_read_localization(freshclam_t)
-
- tunable_policy(`clamd_use_jit',`
- allow freshclam_t self:process execmem;
-@@ -241,6 +261,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ clamd_systemctl(freshclam_t)
-+')
-+
-+optional_policy(`
- cron_system_entry(freshclam_t, freshclam_exec_t)
- ')
-
-@@ -249,7 +273,7 @@ optional_policy(`
- # Clamscam local policy
- #
-
--allow clamscan_t self:capability { setgid setuid dac_override };
-+allow clamscan_t self:capability { setgid setuid dac_read_search };
- allow clamscan_t self:fifo_file rw_fifo_file_perms;
- allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
- allow clamscan_t self:unix_dgram_socket create_socket_perms;
-@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
- kernel_read_kernel_sysctls(clamscan_t)
- kernel_read_system_state(clamscan_t)
-
--corenet_all_recvfrom_unlabeled(clamscan_t)
- corenet_all_recvfrom_netlabel(clamscan_t)
- corenet_tcp_sendrecv_generic_if(clamscan_t)
- corenet_tcp_sendrecv_generic_node(clamscan_t)
-@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
-
- corecmd_read_all_executables(clamscan_t)
-
--files_read_etc_files(clamscan_t)
- files_read_etc_runtime_files(clamscan_t)
- files_search_var_lib(clamscan_t)
-
- init_read_utmp(clamscan_t)
- init_dontaudit_write_utmp(clamscan_t)
-
--miscfiles_read_localization(clamscan_t)
- miscfiles_read_public_files(clamscan_t)
-
- sysnet_dns_name_resolve(clamscan_t)
-@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
- ')
-
- optional_policy(`
-- amavis_read_spool_files(clamscan_t)
--')
--
--optional_policy(`
- apache_read_sys_content(clamscan_t)
- ')
-
-diff --git a/clockspeed.te b/clockspeed.te
-index d3e2a67e5..f5b330c08 100644
---- a/clockspeed.te
-+++ b/clockspeed.te
-@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
-
- read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
--corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
- corenet_all_recvfrom_netlabel(clockspeed_cli_t)
- corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
- corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
-@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
- corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
-
- files_list_var_lib(clockspeed_cli_t)
--files_read_etc_files(clockspeed_cli_t)
-
--miscfiles_read_localization(clockspeed_cli_t)
-
--userdom_use_user_terminals(clockspeed_cli_t)
-+userdom_use_inherited_user_terminals(clockspeed_cli_t)
-
- ########################################
- #
-@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
- manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
- manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
--corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
- corenet_all_recvfrom_netlabel(clockspeed_srv_t)
- corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
- corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
-@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
- corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
-
- files_list_var_lib(clockspeed_srv_t)
--files_read_etc_files(clockspeed_srv_t)
-
--miscfiles_read_localization(clockspeed_srv_t)
-
- optional_policy(`
- daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-diff --git a/clogd.te b/clogd.te
-index 4a5b3d1a5..cd146bd5a 100644
---- a/clogd.te
-+++ b/clogd.te
-@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
-
- logging_send_syslog_msg(clogd_t)
-
--miscfiles_read_localization(clogd_t)
--
- optional_policy(`
-- aisexec_stream_connect(clogd_t)
-- corosync_stream_connect(clogd_t)
-+ rhcs_stream_connect_cluster(clogd_t)
- ')
-diff --git a/cloudform.fc b/cloudform.fc
-new file mode 100644
-index 000000000..e07f85124
---- /dev/null
-+++ b/cloudform.fc
-@@ -0,0 +1,22 @@
-+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
-+
-+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
-+/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
-+/usr/libexec/min-cloud-agent -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
-+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
-+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
-+/usr/lib/systemd/system-generators/cloud-init.* gen_context(system_u:object_r:cloud_init_exec_t,s0)
-+
-+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
-+
-+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
-+/var/lib/min-cloud-agent(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
-+/var/log/cloud-init.*\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
-+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
-+
-+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
-+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
-+
-+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
-diff --git a/cloudform.if b/cloudform.if
-new file mode 100644
-index 000000000..55fe0d668
---- /dev/null
-+++ b/cloudform.if
-@@ -0,0 +1,116 @@
-+## cloudform policy
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## cloudform daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`cloudform_domain_template',`
-+ gen_require(`
-+ attribute cloudform_domain;
-+ ')
-+
-+ type $1_t, cloudform_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run cloud_init.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cloudform_init_domtrans',`
-+ gen_require(`
-+ type cloud_init_t, cloud_init_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
-+')
-+
-+######################################
-+##
-+## Execute mongod in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cloudform_exec_mongod',`
-+ gen_require(`
-+ type mongod_exec_t;
-+ ')
-+
-+ can_exec($1, mongod_exec_t)
-+')
-+
-+#######################################
-+##
-+## Allow read to cloud lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cloudform_read_lib_files',`
-+ gen_require(`
-+ type cloud_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Allow read to cloud lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cloudform_read_lib_lnk_files',`
-+ gen_require(`
-+ type cloud_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
-+')
-+
-+######################################
-+##
-+## Execute mongod in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cloudform_dontaudit_write_cloud_log',`
-+ gen_require(`
-+ type cloud_log_t;
-+ ')
-+
-+ dontaudit $1 cloud_log_t:file write_inherited_file_perms;
-+')
-diff --git a/cloudform.te b/cloudform.te
-new file mode 100644
-index 000000000..2f19544f0
---- /dev/null
-+++ b/cloudform.te
-@@ -0,0 +1,251 @@
-+policy_module(cloudform, 1.0)
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute cloudform_domain;
-+
-+cloudform_domain_template(deltacloudd)
-+cloudform_domain_template(iwhd)
-+cloudform_domain_template(cloud_init)
-+
-+type cloud_init_tmp_t;
-+files_tmp_file(cloud_init_tmp_t)
-+
-+type cloud_init_unit_file_t;
-+systemd_unit_file(cloud_init_unit_file_t)
-+
-+type cloud_var_lib_t;
-+files_type(cloud_var_lib_t)
-+
-+type cloud_log_t;
-+logging_log_file(cloud_log_t)
-+
-+type deltacloudd_log_t;
-+logging_log_file(deltacloudd_log_t)
-+
-+type deltacloudd_var_run_t;
-+files_pid_file(deltacloudd_var_run_t)
-+
-+type deltacloudd_tmp_t;
-+files_tmp_file(deltacloudd_tmp_t)
-+
-+type iwhd_initrc_exec_t;
-+init_script_file(iwhd_initrc_exec_t)
-+
-+type iwhd_var_lib_t;
-+files_type(iwhd_var_lib_t)
-+
-+type iwhd_var_run_t;
-+files_pid_file(iwhd_var_run_t)
-+
-+type iwhd_log_t;
-+logging_log_file(iwhd_log_t)
-+
-+########################################
-+#
-+# cloudform_domain local policy
-+#
-+
-+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
-+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
-+
-+dev_read_rand(cloudform_domain)
-+dev_read_urand(cloudform_domain)
-+dev_read_sysfs(cloudform_domain)
-+
-+auth_read_passwd(cloudform_domain)
-+
-+miscfiles_read_certs(cloudform_domain)
-+
-+#################################
-+#
-+# cloud-init local policy
-+#
-+
-+allow cloud_init_t self:capability { fowner chown fsetid dac_read_search };
-+
-+allow cloud_init_t self:udp_socket create_socket_perms;
-+
-+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
-+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
-+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
-+
-+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
-+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
-+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
-+
-+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
-+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
-+
-+init_dbus_chat(cloud_init_t)
-+
-+kernel_read_network_state(cloud_init_t)
-+
-+corenet_tcp_connect_http_port(cloud_init_t)
-+
-+corecmd_exec_bin(cloud_init_t)
-+corecmd_exec_shell(cloud_init_t)
-+
-+domain_read_all_domains_state(cloud_init_t)
-+
-+fs_getattr_all_fs(cloud_init_t)
-+
-+storage_raw_read_fixed_disk(cloud_init_t)
-+
-+auth_use_nsswitch(cloud_init_t)
-+
-+libs_exec_ldconfig(cloud_init_t)
-+
-+logging_send_syslog_msg(cloud_init_t)
-+
-+miscfiles_read_localization(cloud_init_t)
-+
-+selinux_validate_context(cloud_init_t)
-+
-+systemd_dbus_chat_hostnamed(cloud_init_t)
-+systemd_dbus_chat_timedated(cloud_init_t)
-+systemd_exec_systemctl(cloud_init_t)
-+systemd_start_all_services(cloud_init_t)
-+
-+usermanage_domtrans_passwd(cloud_init_t)
-+
-+optional_policy(`
-+ certmonger_dbus_chat(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ rhsmcertd_dbus_chat(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_dbus_chat(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ dmidecode_domtrans(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ # it check file context and run restorecon
-+ seutil_read_file_contexts(cloud_init_t)
-+ seutil_domtrans_setfiles(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ ssh_exec_keygen(cloud_init_t)
-+ ssh_read_user_home_files(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(cloud_init_t)
-+ sysnet_read_dhcpc_state(cloud_init_t)
-+ sysnet_dns_name_resolve(cloud_init_t)
-+ sysnet_filetrans_cloud_net_conf(cloud_init_t)
-+')
-+
-+optional_policy(`
-+ rpm_run(cloud_init_t, system_r)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(cloud_init_t)
-+')
-+
-+########################################
-+#
-+# deltacloudd local policy
-+#
-+
-+allow deltacloudd_t self:capability { dac_read_search setuid setgid };
-+
-+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow deltacloudd_t self:udp_socket create_socket_perms;
-+
-+allow deltacloudd_t self:process signal;
-+
-+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
-+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
-+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
-+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
-+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
-+
-+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
-+
-+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
-+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
-+
-+kernel_read_kernel_sysctls(deltacloudd_t)
-+kernel_read_system_state(deltacloudd_t)
-+kernel_read_network_state(deltacloudd_t)
-+
-+corecmd_exec_bin(deltacloudd_t)
-+
-+corenet_tcp_bind_generic_node(deltacloudd_t)
-+corenet_tcp_bind_generic_port(deltacloudd_t)
-+corenet_tcp_connect_http_port(deltacloudd_t)
-+corenet_tcp_connect_keystone_port(deltacloudd_t)
-+
-+auth_use_nsswitch(deltacloudd_t)
-+
-+logging_send_syslog_msg(deltacloudd_t)
-+
-+optional_policy(`
-+ sysnet_read_config(deltacloudd_t)
-+')
-+
-+########################################
-+#
-+# iwhd local policy
-+#
-+
-+allow iwhd_t self:capability { chown kill };
-+allow iwhd_t self:process { fork };
-+
-+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
-+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
-+
-+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
-+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
-+
-+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
-+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
-+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
-+
-+kernel_read_system_state(iwhd_t)
-+
-+corenet_tcp_bind_generic_node(iwhd_t)
-+corenet_tcp_bind_websm_port(iwhd_t)
-+corenet_tcp_connect_all_ports(iwhd_t)
-+
-+dev_read_rand(iwhd_t)
-+dev_read_urand(iwhd_t)
-+
-+userdom_home_manager(iwhd_t)
-+
-diff --git a/cmirrord.if b/cmirrord.if
-index cc4e7cb96..f348d2746 100644
---- a/cmirrord.if
-+++ b/cmirrord.if
-@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
- type cmirrord_t, cmirrord_tmpfs_t;
- ')
-
-- allow $1 cmirrord_t:shm rw_shm_perms;
-+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
-
- allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
- rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
- read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
- fs_search_tmpfs($1)
- ')
-@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
- type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
- ')
-
-- allow $1 cmirrord_t:process { ptrace signal_perms };
-+ allow $1 cmirrord_t:process signal_perms;
- ps_process_pattern($1, cmirrord_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cmirrord_t:process ptrace;
-+ ')
-+
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
-diff --git a/cmirrord.te b/cmirrord.te
-index bbdd3960e..28b176182 100644
---- a/cmirrord.te
-+++ b/cmirrord.te
-@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t)
- # Local policy
- #
-
--allow cmirrord_t self:capability { net_admin kill };
-+allow cmirrord_t self:capability { sys_admin net_admin kill };
- dontaudit cmirrord_t self:capability sys_tty_config;
- allow cmirrord_t self:process { setfscreate signal };
- allow cmirrord_t self:fifo_file rw_fifo_file_perms;
- allow cmirrord_t self:sem create_sem_perms;
- allow cmirrord_t self:shm create_shm_perms;
- allow cmirrord_t self:netlink_socket create_socket_perms;
-+allow cmirrord_t self:netlink_connector_socket create_socket_perms;
- allow cmirrord_t self:unix_stream_socket { accept listen };
-
- manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
- domain_use_interactive_fds(cmirrord_t)
- domain_obj_id_change_exemption(cmirrord_t)
-
--files_read_etc_files(cmirrord_t)
--
- storage_create_fixed_disk_dev(cmirrord_t)
-+storage_raw_read_fixed_disk(cmirrord_t)
-+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
-
- seutil_read_file_contexts(cmirrord_t)
-
- logging_send_syslog_msg(cmirrord_t)
-
--miscfiles_read_localization(cmirrord_t)
--
- optional_policy(`
- corosync_stream_connect(cmirrord_t)
- ')
-+
-+optional_policy(`
-+ rhcs_rw_cluster_tmpfs(cmirrord_t)
-+')
-diff --git a/cobbler.fc b/cobbler.fc
-index 973d208ff..6ce88039f 100644
---- a/cobbler.fc
-+++ b/cobbler.fc
-@@ -4,11 +4,15 @@
-
- /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
-
-+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
- /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-
-+/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/boot(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
- /var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
- /var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
- /var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/images2(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
- /var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
- /var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
- /var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-diff --git a/cobbler.if b/cobbler.if
-index c223f8132..8b567c191 100644
---- a/cobbler.if
-+++ b/cobbler.if
-@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
- init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
- ')
-
-+
-+
-+########################################
-+##
-+## Read cobbler configuration dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cobbler_list_config',`
-+ gen_require(`
-+ type cobbler_etc_t;
-+ ')
-+
-+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
-+ files_search_etc($1)
-+')
-+
-+
- ########################################
- ##
- ## Read cobbler configuration files.
-@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
-
- files_search_var_lib($1)
- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- ')
-
- ########################################
-@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
-
- files_search_var_lib($1)
- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- ')
-
- ########################################
-@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
- interface(`cobbler_admin',`
- gen_require(`
- type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
-+ type cobbler_etc_t, cobblerd_initrc_exec_t;
-+ type cobbler_tmp_t;
- ')
-
- allow $1 cobblerd_t:process { ptrace signal_perms };
-@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
-
- logging_search_logs($1)
- admin_pattern($1, cobbler_var_log_t)
--
-- apache_search_sys_content($1)
-- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
- ')
-diff --git a/cobbler.te b/cobbler.te
-index 5f306dd44..0a4711b5d 100644
---- a/cobbler.te
-+++ b/cobbler.te
-@@ -62,11 +62,12 @@ files_tmp_file(cobbler_tmp_t)
- # Local policy
- #
-
--allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
-+allow cobblerd_t self:capability { chown dac_read_search fowner fsetid sys_nice };
- dontaudit cobblerd_t self:capability sys_tty_config;
- allow cobblerd_t self:process { getsched setsched signal };
- allow cobblerd_t self:fifo_file rw_fifo_file_perms;
- allow cobblerd_t self:tcp_socket { accept listen };
-+allow cobblerd_t self:netlink_audit_socket create_socket_perms;
-
- allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
- allow cobblerd_t cobbler_etc_t:file read_file_perms;
-@@ -81,6 +82,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
- manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
- manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
- files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
-+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
-
- append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -89,7 +91,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
-
- kernel_read_system_state(cobblerd_t)
--kernel_dontaudit_search_network_state(cobblerd_t)
-+kernel_read_network_state(cobblerd_t)
-
- corecmd_exec_bin(cobblerd_t)
- corecmd_exec_shell(cobblerd_t)
-@@ -112,14 +114,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
- corenet_tcp_connect_http_port(cobblerd_t)
- corenet_sendrecv_http_client_packets(cobblerd_t)
-
-+dev_read_sysfs(cobblerd_t)
- dev_read_urand(cobblerd_t)
-
- files_list_boot(cobblerd_t)
- files_list_tmp(cobblerd_t)
- files_read_boot_files(cobblerd_t)
--files_read_etc_files(cobblerd_t)
- files_read_etc_runtime_files(cobblerd_t)
--files_read_usr_files(cobblerd_t)
-
- fs_getattr_all_fs(cobblerd_t)
- fs_read_iso9660_files(cobblerd_t)
-@@ -128,6 +129,8 @@ selinux_get_enforce_mode(cobblerd_t)
-
- term_use_console(cobblerd_t)
-
-+auth_use_nsswitch(cobblerd_t)
-+
- logging_send_syslog_msg(cobblerd_t)
-
- miscfiles_read_localization(cobblerd_t)
-@@ -160,6 +163,7 @@ tunable_policy(`cobbler_use_nfs',`
- ')
-
- optional_policy(`
-+ apache_domtrans(cobblerd_t)
- apache_search_sys_content(cobblerd_t)
- ')
-
-@@ -170,6 +174,7 @@ optional_policy(`
- bind_domtrans(cobblerd_t)
- bind_initrc_domtrans(cobblerd_t)
- bind_manage_zone(cobblerd_t)
-+ bind_systemctl(cobblerd_t)
- ')
-
- optional_policy(`
-@@ -179,12 +184,22 @@ optional_policy(`
- optional_policy(`
- dhcpd_domtrans(cobblerd_t)
- dhcpd_initrc_domtrans(cobblerd_t)
-+ dhcpd_systemctl(cobblerd_t)
- ')
-
- optional_policy(`
- dnsmasq_domtrans(cobblerd_t)
- dnsmasq_initrc_domtrans(cobblerd_t)
- dnsmasq_write_config(cobblerd_t)
-+ dnsmasq_systemctl(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ libs_exec_ldconfig(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ mysql_stream_connect(cobblerd_t)
- ')
-
- optional_policy(`
-@@ -192,13 +207,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rsync_exec(cobblerd_t)
- rsync_read_config(cobblerd_t)
-- rsync_manage_config_files(cobblerd_t)
-+ rsync_manage_config(cobblerd_t)
- rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
- ')
-
- optional_policy(`
-- tftp_manage_config_files(cobblerd_t)
-- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
-+ tftp_manage_config(cobblerd_t)
-+ tftp_delete_content_dirs(cobblerd_t)
- tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
- ')
-diff --git a/cockpit.fc b/cockpit.fc
-new file mode 100644
-index 000000000..bf801737d
---- /dev/null
-+++ b/cockpit.fc
-@@ -0,0 +1,13 @@
-+# cockpit stuff
-+
-+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
-+/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
-+
-+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
-+
-+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
-+/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
-+
-+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
-+
-+/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_var_run_t,s0)
-diff --git a/cockpit.if b/cockpit.if
-new file mode 100644
-index 000000000..d5920c061
---- /dev/null
-+++ b/cockpit.if
-@@ -0,0 +1,188 @@
-+## policy for cockpit
-+
-+########################################
-+##
-+## Execute TEMPLATE in the cockpit domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cockpit_ws_domtrans',`
-+ gen_require(`
-+ type cockpit_ws_t, cockpit_ws_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
-+')
-+
-+########################################
-+##
-+## Execute TEMPLATE in the cockpit domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cockpit_session_domtrans',`
-+ gen_require(`
-+ type cockpit_session_t, cockpit_session_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
-+')
-+
-+########################################
-+##
-+## Search cockpit lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cockpit_search_lib',`
-+ gen_require(`
-+ type cockpit_var_lib_t;
-+ ')
-+
-+ allow $1 cockpit_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read cockpit lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cockpit_read_lib_files',`
-+ gen_require(`
-+ type cockpit_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage cockpit lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cockpit_manage_lib_files',`
-+ gen_require(`
-+ type cockpit_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage cockpit lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cockpit_manage_lib_dirs',`
-+ gen_require(`
-+ type cockpit_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute cockpit server in the cockpit domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cockpit_systemctl',`
-+ gen_require(`
-+ type cockpit_ws_t;
-+ type cockpit_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 cockpit_unit_file_t:file read_file_perms;
-+ allow $1 cockpit_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cockpit_ws_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an cockpit environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`cockpit_admin',`
-+ gen_require(`
-+ type cockpit_ws_t;
-+ type cockpit_session_t;
-+ type cockpit_var_lib_t;
-+ type cockpit_var_run_t;
-+ type cockpit_unit_file_t;
-+ ')
-+
-+ allow $1 cockpit_ws_t:process { signal_perms };
-+ ps_process_pattern($1, cockpit_ws_t)
-+
-+ allow $1 cockpit_session_t:process { signal_perms };
-+ ps_process_pattern($1, cockpit_session_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cockpit_ws_t:process ptrace;
-+ allow $1 cockpit_session_t:process ptrace;
-+ ')
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, cockpit_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, cockpit_var_run_t)
-+
-+ cockpit_systemctl($1)
-+ admin_pattern($1, cockpit_unit_file_t)
-+ allow $1 cockpit_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/cockpit.te b/cockpit.te
-new file mode 100644
-index 000000000..a830e90b5
---- /dev/null
-+++ b/cockpit.te
-@@ -0,0 +1,123 @@
-+policy_module(cockpit, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type cockpit_ws_t;
-+type cockpit_ws_exec_t;
-+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
-+
-+type cockpit_tmp_t;
-+files_tmp_file(cockpit_tmp_t)
-+
-+type cockpit_var_run_t;
-+files_pid_file(cockpit_var_run_t)
-+
-+type cockpit_unit_file_t;
-+systemd_unit_file(cockpit_unit_file_t)
-+
-+type cockpit_var_lib_t;
-+files_type(cockpit_var_lib_t)
-+
-+type cockpit_session_t;
-+type cockpit_session_exec_t;
-+domain_type(cockpit_session_t)
-+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
-+
-+########################################
-+#
-+# cockpit_ws_t local policy
-+#
-+
-+allow cockpit_ws_t self:capability net_admin;
-+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
-+
-+# cockpit-ws can execute cockpit-session
-+can_exec(cockpit_ws_t,cockpit_session_exec_t)
-+
-+# cockpit-ws can read from /dev/urandom
-+dev_read_urand(cockpit_ws_t) # for authkey
-+dev_read_rand(cockpit_ws_t) # for libssh
-+
-+corenet_tcp_bind_websm_port(cockpit_ws_t)
-+
-+# cockpit-ws can connect to other hosts via ssh
-+corenet_tcp_connect_ssh_port(cockpit_ws_t)
-+
-+# cockpit-ws can write to its temp files
-+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
-+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
-+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
-+
-+manage_dirs_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
-+manage_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
-+manage_lnk_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
-+manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
-+files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file })
-+
-+manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+
-+auth_use_nsswitch(cockpit_ws_t)
-+
-+files_mmap_usr_files(cockpit_ws_t)
-+
-+init_stream_connect(cockpit_ws_t)
-+
-+logging_send_syslog_msg(cockpit_ws_t)
-+
-+# cockpit-ws launches cockpit-session
-+cockpit_session_domtrans(cockpit_ws_t)
-+allow cockpit_ws_t cockpit_session_t:process signal_perms;
-+
-+# cockpit-session communicates back with cockpit-ws
-+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
-+
-+optional_policy(`
-+ kerberos_use(cockpit_ws_t)
-+ kerberos_etc_filetrans_keytab(cockpit_ws_t)
-+')
-+
-+optional_policy(`
-+ ssh_read_user_home_files(cockpit_ws_t)
-+')
-+
-+#########################################################
-+#
-+# cockpit-session local policy
-+#
-+
-+# cockpit-session changes to the actual logged in user
-+allow cockpit_session_t self:capability { sys_admin dac_read_search setuid setgid sys_resource};
-+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
-+
-+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+
-+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
-+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
-+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file })
-+
-+# cockpit-session runs a full pam stack, including pam_selinux.so
-+auth_login_pgm_domain(cockpit_session_t)
-+# cockpit-session resseting expired passwords
-+auth_manage_passwd(cockpit_session_t)
-+auth_manage_shadow(cockpit_session_t)
-+auth_write_login_records(cockpit_session_t)
-+
-+corenet_tcp_bind_ssh_port(cockpit_session_t)
-+corenet_tcp_connect_ssh_port(cockpit_session_t)
-+
-+# cockpit-session can execute cockpit-agent as the user
-+userdom_spec_domtrans_all_users(cockpit_session_t)
-+usermanage_read_crack_db(cockpit_session_t)
-+
-+optional_policy(`
-+ userdom_signal_all_users(cockpit_session_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domtrans(cockpit_session_t)
-+')
-diff --git a/collectd.fc b/collectd.fc
-index 79a3abe3a..3ee73d17d 100644
---- a/collectd.fc
-+++ b/collectd.fc
-@@ -1,9 +1,13 @@
- /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
-+
- /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
-
- /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
-
- /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
-+/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0)
-+/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0)
-
--/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
-+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
-diff --git a/collectd.if b/collectd.if
-index 954309e64..67801421b 100644
---- a/collectd.if
-+++ b/collectd.if
-@@ -2,8 +2,145 @@
-
- ########################################
- ##
--## All of the rules required to
--## administrate an collectd environment.
-+## Transition to collectd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`collectd_domtrans',`
-+ gen_require(`
-+ type collectd_t, collectd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, collectd_exec_t, collectd_t)
-+')
-+
-+########################################
-+##
-+## Execute collectd server in the collectd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_initrc_domtrans',`
-+ gen_require(`
-+ type collectd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Search collectd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_search_lib',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ allow $1 collectd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read collectd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_read_lib_files',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage collectd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_manage_lib_files',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage collectd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_manage_lib_dirs',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute collectd server in the collectd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`collectd_systemctl',`
-+ gen_require(`
-+ type collectd_t;
-+ type collectd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 collectd_unit_file_t:file read_file_perms;
-+ allow $1 collectd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, collectd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an collectd environment
- ##
- ##
- ##
-@@ -20,13 +157,17 @@
- interface(`collectd_admin',`
- gen_require(`
- type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
-- type collectd_var_lib_t;
-+ type collectd_var_lib_t, collectd_unit_file_t;
- ')
-
-- allow $1 collectd_t:process { ptrace signal_perms };
-+ allow $1 collectd_t:process signal_perms;
- ps_process_pattern($1, collectd_t)
-
-- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 collectd_t:process ptrace;
-+ ')
-+
-+ collectd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
-@@ -36,4 +177,9 @@ interface(`collectd_admin',`
-
- files_search_var_lib($1)
- admin_pattern($1, collectd_var_lib_t)
-+
-+ collectd_systemctl($1)
-+ admin_pattern($1, collectd_unit_file_t)
-+ allow $1 collectd_unit_file_t:service all_service_perms;
- ')
-+
-diff --git a/collectd.te b/collectd.te
-index 6471fa8c4..00a1f00ef 100644
---- a/collectd.te
-+++ b/collectd.te
-@@ -26,43 +26,62 @@ files_type(collectd_var_lib_t)
- type collectd_var_run_t;
- files_pid_file(collectd_var_run_t)
-
-+type collectd_unit_file_t;
-+systemd_unit_file(collectd_unit_file_t)
-+
- apache_content_template(collectd)
-+apache_content_alias_template(collectd, collectd)
-+
-+type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
-+files_tmp_file(collectd_script_tmp_t)
-
- ########################################
- #
- # Local policy
- #
-
--allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search setuid setgid };
- allow collectd_t self:process { getsched setsched signal };
- allow collectd_t self:fifo_file rw_fifo_file_perms;
- allow collectd_t self:packet_socket create_socket_perms;
--allow collectd_t self:unix_stream_socket { accept listen };
-+allow collectd_t self:rawip_socket create_socket_perms;
-+allow collectd_t self:unix_stream_socket { accept listen connectto };
-+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow collectd_t self:udp_socket create_socket_perms;
-+allow collectd_t self:rawip_socket create_socket_perms;
-
- manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
- manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
- files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
-
- manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
--files_pid_filetrans(collectd_t, collectd_var_run_t, file)
-+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file sock_file})
-
--domain_use_interactive_fds(collectd_t)
-+kernel_read_all_sysctls(collectd_t)
-+kernel_read_all_proc(collectd_t)
-+kernel_list_all_proc(collectd_t)
-+
-+auth_use_nsswitch(collectd_t)
-
--kernel_read_network_state(collectd_t)
--kernel_read_net_sysctls(collectd_t)
--kernel_read_system_state(collectd_t)
-+corenet_udp_bind_generic_node(collectd_t)
-+corenet_udp_bind_collectd_port(collectd_t)
-+corenet_tcp_connect_lmtp_port(collectd_t)
-
- dev_read_rand(collectd_t)
- dev_read_sysfs(collectd_t)
- dev_read_urand(collectd_t)
-
-+domain_use_interactive_fds(collectd_t)
-+domain_read_all_domains_state(collectd_t)
-+
- files_getattr_all_dirs(collectd_t)
--files_read_etc_files(collectd_t)
--files_read_usr_files(collectd_t)
-
- fs_getattr_all_fs(collectd_t)
-+fs_getattr_all_dirs(collectd_t)
-
--miscfiles_read_localization(collectd_t)
-+init_read_utmp(collectd_t)
-
- logging_send_syslog_msg(collectd_t)
-
-@@ -75,16 +94,47 @@ tunable_policy(`collectd_tcp_network_connect',`
- ')
-
- optional_policy(`
-+ lvm_read_config(collectd_t)
-+')
-+
-+optional_policy(`
-+ pdns_stream_connect(collectd_t)
-+')
-+
-+optional_policy(`
-+ mysql_stream_connect(collectd_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans_ping(collectd_t)
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(collectd_t)
-+')
-+
-+optional_policy(`
-+ snmp_read_snmp_var_lib_dirs(collectd_t)
-+')
-+
-+optional_policy(`
- virt_read_config(collectd_t)
-+ virt_stream_connect(collectd_t)
- ')
-
- ########################################
- #
--# Web local policy
-+# Web collectd local policy
- #
-
--optional_policy(`
-- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
--')
-+
-+files_search_var_lib(collectd_script_t)
-+read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
-+
-+manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
-+manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
-+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
-+
-+auth_read_passwd(collectd_script_t)
-diff --git a/colord.fc b/colord.fc
-index 71639eb54..08ab89171 100644
---- a/colord.fc
-+++ b/colord.fc
-@@ -7,5 +7,7 @@
- /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
- /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-
-+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
-+
- /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
- /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
-diff --git a/colord.if b/colord.if
-index 8e27a37c1..c69be28b9 100644
---- a/colord.if
-+++ b/colord.if
-@@ -1,4 +1,4 @@
--## GNOME color manager.
-+## GNOME color manager
-
- ########################################
- ##
-@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
- type colord_t, colord_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, colord_exec_t, colord_t)
- ')
-
-@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
-
- allow $1 colord_t:dbus send_msg;
- allow colord_t $1:dbus send_msg;
-+ ps_process_pattern(colord_t, $1)
- ')
-
- ######################################
-@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
- files_search_var_lib($1)
- read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
- ')
-+
-+########################################
-+##
-+## Execute colord server in the colord domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`colord_systemctl',`
-+ gen_require(`
-+ type colord_t;
-+ type colord_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 colord_unit_file_t:file read_file_perms;
-+ allow $1 colord_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, colord_t)
-+')
-diff --git a/colord.te b/colord.te
-index 9f2dfb233..e8a9f990a 100644
---- a/colord.te
-+++ b/colord.te
-@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
- type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
-+init_daemon_domain(colord_t, colord_exec_t)
-
- type colord_tmp_t;
- files_tmp_file(colord_tmp_t)
-@@ -18,18 +19,24 @@ files_tmpfs_file(colord_tmpfs_t)
- type colord_var_lib_t;
- files_type(colord_var_lib_t)
-
-+type colord_unit_file_t;
-+systemd_unit_file(colord_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow colord_t self:capability { dac_read_search dac_override };
-+allow colord_t self:capability { dac_read_search };
- dontaudit colord_t self:capability sys_admin;
- allow colord_t self:process signal;
-+
- allow colord_t self:fifo_file rw_fifo_file_perms;
- allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
--allow colord_t self:tcp_socket { accept listen };
-+allow colord_t self:tcp_socket create_stream_socket_perms;
- allow colord_t self:shm create_shm_perms;
-+allow colord_t self:udp_socket create_socket_perms;
-+allow colord_t self:unix_dgram_socket create_socket_perms;
-
- manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
- manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
-@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
- dev_write_video_dev(colord_t)
- dev_rw_printer(colord_t)
- dev_read_rand(colord_t)
--dev_read_sysfs(colord_t)
- dev_read_urand(colord_t)
--dev_list_sysfs(colord_t)
-+dev_read_sysfs(colord_t)
- dev_rw_generic_usb_dev(colord_t)
-
- domain_use_interactive_fds(colord_t)
-
- files_list_mnt(colord_t)
--files_read_usr_files(colord_t)
-
--fs_getattr_noxattr_fs(colord_t)
--fs_getattr_tmpfs(colord_t)
-+fs_getattr_all_fs(colord_t)
- fs_list_noxattr_fs(colord_t)
- fs_read_noxattr_fs_files(colord_t)
- fs_search_all(colord_t)
- fs_dontaudit_getattr_all_fs(colord_t)
-+fs_getattr_tmpfs(colord_t)
-+fs_read_cgroup_files(colord_t)
-
- storage_getattr_fixed_disk_dev(colord_t)
- storage_getattr_removable_dev(colord_t)
-@@ -100,19 +106,17 @@ init_read_state(colord_t)
-
- auth_use_nsswitch(colord_t)
-
--logging_send_syslog_msg(colord_t)
-+init_read_state(colord_t)
-
--miscfiles_read_localization(colord_t)
-+logging_send_syslog_msg(colord_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_getattr_nfs(colord_t)
-- fs_read_nfs_files(colord_t)
--')
-+systemd_read_logind_sessions_files(colord_t)
-+systemd_hwdb_manage_config(colord_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_getattr_cifs(colord_t)
-- fs_read_cifs_files(colord_t)
--')
-+userdom_rw_user_tmp_files(colord_t)
-+userdom_home_reader(colord_t)
-+userdom_list_user_home_content(colord_t)
-+userdom_read_inherited_user_home_content_files(colord_t)
-
- optional_policy(`
- cups_read_config(colord_t)
-@@ -120,6 +124,13 @@ optional_policy(`
- cups_read_state(colord_t)
- cups_stream_connect(colord_t)
- cups_dbus_chat(colord_t)
-+ cups_read_state(colord_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_home_icc_data_content(colord_t)
-+ # Fixes lots of breakage in F16 on upgrade
-+ gnome_read_generic_data_home_files(colord_t)
- ')
-
- optional_policy(`
-@@ -134,6 +145,24 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_hwdb_read_config(colord_t)
-+')
-+
-+optional_policy(`
- udev_read_db(colord_t)
- udev_read_pid_files(colord_t)
- ')
-+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(colord_t)
-+ xserver_read_xdm_state(colord_t)
-+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
-+ xserver_read_inherited_xdm_lib_files(colord_t)
-+ # allow to read /run/initial-setup-$username
-+ xserver_read_xdm_pid(colord_t)
-+ xserver_map_xdm_pid(colord_t)
-+')
-+
-+optional_policy(`
-+ zoneminder_rw_tmpfs_files(colord_t)
-+')
-diff --git a/comsat.te b/comsat.te
-index c63cf8556..dc6998b60 100644
---- a/comsat.te
-+++ b/comsat.te
-@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
- kernel_read_network_state(comsat_t)
- kernel_read_system_state(comsat_t)
-
-+corenet_all_recvfrom_netlabel(comsat_t)
-+corenet_tcp_sendrecv_generic_if(comsat_t)
-+corenet_udp_sendrecv_generic_if(comsat_t)
-+corenet_tcp_sendrecv_generic_node(comsat_t)
-+corenet_udp_sendrecv_generic_node(comsat_t)
-+corenet_udp_sendrecv_all_ports(comsat_t)
-+
- dev_read_urand(comsat_t)
-
- fs_getattr_xattr_fs(comsat_t)
-@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
-
- logging_send_syslog_msg(comsat_t)
-
--miscfiles_read_localization(comsat_t)
--
- userdom_dontaudit_getattr_user_ttys(comsat_t)
-
- mta_getattr_spool(comsat_t)
-diff --git a/condor.fc b/condor.fc
-index ad2b69606..28d1af020 100644
---- a/condor.fc
-+++ b/condor.fc
-@@ -1,6 +1,7 @@
- /etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
-
- /etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
-+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
-
- /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
- /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
-diff --git a/condor.if b/condor.if
-index 881d92f35..a2d588a51 100644
---- a/condor.if
-+++ b/condor.if
-@@ -1,75 +1,391 @@
--## High-Throughput Computing System.
-+
-+## policy for condor
-+
-+#####################################
-+##
-+## Creates types and rules for a basic
-+## condor init daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`condor_domain_template',`
-+ gen_require(`
-+ type condor_master_t;
-+ attribute condor_domain;
-+ ')
-+
-+ #############################
-+ #
-+ # Declarations
-+ #
-+
-+ type condor_$1_t, condor_domain;
-+ type condor_$1_exec_t;
-+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
-+ role system_r types condor_$1_t;
-+
-+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
-+ allow condor_master_t condor_$1_exec_t:file ioctl;
-+
-+ kernel_read_system_state(condor_$1_t)
-+
-+ corenet_all_recvfrom_netlabel(condor_$1_t)
-+ corenet_all_recvfrom_unlabeled(condor_$1_t)
-+
-+ auth_use_nsswitch(condor_$1_t)
-+
-+ logging_send_syslog_msg(condor_$1_t)
-+')
-+
-+########################################
-+##
-+## Transition to condor.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`condor_domtrans_master',`
-+ gen_require(`
-+ type condor_master_t, condor_master_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, condor_master_exec_t, condor_master_t)
-+')
-+
-+#######################################
-+##
-+## Allows to start userland processes
-+## by transitioning to the specified domain,
-+## with a range transition.
-+##
-+##
-+##
-+## The process type entered by condor_startd.
-+##
-+##
-+##
-+##
-+## The executable type for the entrypoint.
-+##
-+##
-+##
-+##
-+## Range for the domain.
-+##
-+##
-+#
-+interface(`condor_startd_ranged_domtrans_to',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+ condor_startd_domtrans_to($1, $2)
-+
-+
-+ ifdef(`enable_mcs',`
-+ range_transition condor_startd_t $2:process $3;
-+ ')
-+
-+')
-
- #######################################
- ##
--## The template to define a condor domain.
-+## Allows to start userlandprocesses
-+## by transitioning to the specified domain.
- ##
--##
-+##
-+##
-+## The process type entered by condor_startd.
-+##
-+##
-+##
-+##
-+## The executable type for the entrypoint.
-+##
-+##
-+#
-+interface(`condor_startd_domtrans_to',`
-+ gen_require(`
-+ type condor_startd_t;
-+ ')
-+
-+ domtrans_pattern(condor_startd_t, $2, $1)
-+')
-+
-+########################################
-+##
-+## Read condor's log files.
-+##
-+##
- ##
--## Domain prefix to be used.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--template(`condor_domain_template',`
-+interface(`condor_read_log',`
- gen_require(`
-- attribute condor_domain;
-- type condor_master_t;
-+ type condor_log_t;
- ')
-
-- #############################
-- #
-- # Declarations
-- #
-+ logging_search_logs($1)
-+ read_files_pattern($1, condor_log_t, condor_log_t)
-+')
-
-- type condor_$1_t, condor_domain;
-- type condor_$1_exec_t;
-- domain_type(condor_$1_t)
-- domain_entry_file(condor_$1_t, condor_$1_exec_t)
-- role system_r types condor_$1_t;
-+########################################
-+##
-+## Append to condor log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_append_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-
-- #############################
-- #
-- # Policy
-- #
-+ logging_search_logs($1)
-+ append_files_pattern($1, condor_log_t, condor_log_t)
-+')
-
-- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
-- allow condor_master_t condor_$1_exec_t:file ioctl;
-+########################################
-+##
-+## Manage condor log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_manage_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-
-- auth_use_nsswitch(condor_$1_t)
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
-+ manage_files_pattern($1, condor_log_t, condor_log_t)
-+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
- ')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an condor environment.
-+## Search condor lib directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`condor_search_lib',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ allow $1 condor_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read condor lib files.
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`condor_admin',`
-+interface(`condor_read_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+######################################
-+##
-+## Read and write condor lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_rw_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage condor lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_manage_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage condor lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_manage_lib_dirs',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read condor PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_read_pid_files',`
- gen_require(`
-- attribute condor_domain;
-- type condor_initrc_exec_config_t, condor_log_t;
-- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
-+ type condor_var_run_t;
- ')
-
-- allow $1 condor_domain:process { ptrace signal_perms };
-+ files_search_pids($1)
-+ allow $1 condor_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute condor server in the condor domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`condor_systemctl',`
-+ gen_require(`
-+ type condor_domain;
-+ type condor_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 condor_unit_file_t:file read_file_perms;
-+ allow $1 condor_unit_file_t:service manage_service_perms;
-+
- ps_process_pattern($1, condor_domain)
-+')
-+
-+#######################################
-+##
-+## Read and write condor_startd server TCP sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_rw_tcp_sockets_startd',`
-+ gen_require(`
-+ type condor_startd_t;
-+ ')
-
-- init_labeled_script_domtrans($1, condor_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 condor_initrc_exec_t system_r;
-- allow $2 system_r;
-+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
-+')
-+
-+######################################
-+##
-+## Read and write condor_schedd server TCP sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_rw_tcp_sockets_schedd',`
-+ gen_require(`
-+ type condor_schedd_t;
-+ ')
-+
-+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an condor environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_admin',`
-+ gen_require(`
-+ attribute condor_domain;
-+ type condor_initrc_exec_t, condor_log_t, condor_conf_t;
-+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-+ type condor_var_run_t, condor_startd_tmp_t;
-+ type condor_unit_file_t;
-+ ')
-+
-+ allow $1 condor_domain:process { signal_perms };
-+ ps_process_pattern($1, condor_domain)
-+
-+ init_labeled_script_domtrans($1, condor_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 condor_initrc_exec_t system_r;
-+ allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, condor_conf_t)
-@@ -77,8 +393,8 @@ interface(`condor_admin',`
- logging_search_logs($1)
- admin_pattern($1, condor_log_t)
-
-- files_search_locks($1)
-- admin_pattern($1, condor_var_lock_t)
-+ files_search_locks($1)
-+ admin_pattern($1, condor_var_lock_t)
-
- files_search_var_lib($1)
- admin_pattern($1, condor_var_lib_t)
-@@ -88,4 +404,13 @@ interface(`condor_admin',`
-
- files_search_tmp($1)
- admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
-+
-+ condor_systemctl($1)
-+ admin_pattern($1, condor_unit_file_t)
-+ allow $1 condor_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/condor.te b/condor.te
-index ce9f040e2..7c90ce13c 100644
---- a/condor.te
-+++ b/condor.te
-@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
- type condor_startd_tmpfs_t;
- files_tmpfs_file(condor_startd_tmpfs_t)
-
--type condor_conf_t;
-+type condor_conf_t alias condor_etc_rw_t;
- files_config_file(condor_conf_t)
-
- type condor_log_t;
-@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
- type condor_var_run_t;
- files_pid_file(condor_var_run_t)
-
-+type condor_unit_file_t;
-+systemd_unit_file(condor_unit_file_t)
-+
- condor_domain_template(collector)
- condor_domain_template(negotiator)
- condor_domain_template(procd)
-@@ -60,10 +63,18 @@ condor_domain_template(startd)
- # Global local policy
- #
-
-+allow condor_domain self:capability { dac_read_search };
-+allow condor_domain self:capability2 block_suspend;
-+
- allow condor_domain self:process signal_perms;
- allow condor_domain self:fifo_file rw_fifo_file_perms;
--allow condor_domain self:tcp_socket { accept listen };
--allow condor_domain self:unix_stream_socket { accept listen };
-+allow condor_domain self:tcp_socket create_stream_socket_perms;
-+allow condor_domain self:udp_socket create_socket_perms;
-+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
-+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
-+
-+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
-+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
-
- rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
-
-@@ -86,16 +97,16 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
-
- allow condor_domain condor_master_t:process signull;
- allow condor_domain condor_master_t:tcp_socket getattr;
-+allow condor_domain condor_master_t:udp_socket { read write };
-
--kernel_read_kernel_sysctls(condor_domain)
- kernel_read_network_state(condor_domain)
--kernel_read_system_state(condor_domain)
-+kernel_rw_kernel_sysctl(condor_domain)
-+kernel_search_network_sysctl(condor_domain)
-+kernel_read_vm_sysctls(condor_domain)
-
- corecmd_exec_bin(condor_domain)
- corecmd_exec_shell(condor_domain)
-
--corenet_all_recvfrom_netlabel(condor_domain)
--corenet_all_recvfrom_unlabeled(condor_domain)
- corenet_tcp_sendrecv_generic_if(condor_domain)
- corenet_tcp_sendrecv_generic_node(condor_domain)
-
-@@ -109,9 +120,9 @@ dev_read_rand(condor_domain)
- dev_read_sysfs(condor_domain)
- dev_read_urand(condor_domain)
-
--logging_send_syslog_msg(condor_domain)
-+auth_read_passwd(condor_domain)
-
--miscfiles_read_localization(condor_domain)
-+sysnet_dns_name_resolve(condor_domain)
-
- sysnet_dns_name_resolve(condor_domain)
-
-@@ -130,7 +141,7 @@ optional_policy(`
- # Master local policy
- #
-
--allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };
-
- allow condor_master_t condor_domain:process { sigkill signal };
-
-@@ -138,6 +149,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
- manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
- files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
-
-+can_exec(condor_master_t, condor_master_exec_t)
-+
-+kernel_read_system_state(condor_master_t)
-+kernel_read_fs_sysctls(condor_master_t)
-+kernel_rw_net_sysctls(condor_master_t)
-+
- corenet_udp_sendrecv_generic_if(condor_master_t)
- corenet_udp_sendrecv_generic_node(condor_master_t)
- corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +174,8 @@ domain_read_all_domains_state(condor_master_t)
-
- auth_use_nsswitch(condor_master_t)
-
-+logging_send_syslog_msg(condor_master_t)
-+
- optional_policy(`
- mta_send_mail(condor_master_t)
- mta_read_config(condor_master_t)
-@@ -174,6 +193,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
-
- kernel_read_network_state(condor_collector_t)
-
-+corenet_tcp_bind_http_port(condor_collector_t)
-+
- #####################################
- #
- # Negotiator local policy
-@@ -183,12 +204,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
- allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
- allow condor_negotiator_t condor_master_t:udp_socket getattr;
-
-+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
-+
- ######################################
- #
- # Procd local policy
- #
-
--allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-+allow condor_procd_t self:capability { fowner chown kill dac_read_search sys_ptrace };
-+allow condor_procd_t self:cap_userns { sys_ptrace };
-
- allow condor_procd_t condor_domain:process sigkill;
-
-@@ -199,13 +223,15 @@ domain_read_all_domains_state(condor_procd_t)
- # Schedd local policy
- #
-
--allow condor_schedd_t self:capability { setuid chown setgid dac_override };
-+allow condor_schedd_t self:capability { setuid chown setgid dac_read_search };
-
- allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
- allow condor_schedd_t condor_master_t:udp_socket getattr;
-
- allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
-
-+allow condor_schedd_t condor_master_tmp_t:dir getattr;
-+
- domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
- domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-
-@@ -214,12 +240,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
- relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
- files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
-
-+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
-+
-+optional_policy(`
-+ mta_send_mail(condor_schedd_t)
-+ mta_read_config(condor_schedd_t)
-+')
-+
- #####################################
- #
- # Startd local policy
- #
-
--allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
-+allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search };
- allow condor_startd_t self:process execmem;
-
- manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
-@@ -238,11 +271,10 @@ domain_read_all_domains_state(condor_startd_t)
- mcs_process_set_categories(condor_startd_t)
-
- init_domtrans_script(condor_startd_t)
-+init_initrc_domain(condor_startd_t)
-
- libs_exec_lib_files(condor_startd_t)
-
--files_read_usr_files(condor_startd_t)
--
- optional_policy(`
- ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
- ssh_domtrans(condor_startd_t)
-@@ -254,3 +286,7 @@ optional_policy(`
- kerberos_use(condor_startd_ssh_t)
- ')
- ')
-+
-+optional_policy(`
-+ unconfined_domain(condor_startd_t)
-+')
-diff --git a/conman.fc b/conman.fc
-new file mode 100644
-index 000000000..b13a6f6db
---- /dev/null
-+++ b/conman.fc
-@@ -0,0 +1,10 @@
-+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
-+
-+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
-+
-+/usr/share/conman/exec(/.*)? gen_context(system_u:object_r:conman_unconfined_script_exec_t,s0)
-+
-+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
-+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
-+
-+/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0)
-diff --git a/conman.if b/conman.if
-new file mode 100644
-index 000000000..1cc5fa464
---- /dev/null
-+++ b/conman.if
-@@ -0,0 +1,143 @@
-+## Conman is a program for connecting to remote consoles being managed by conmand
-+
-+########################################
-+##
-+## Execute conman in the conman domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`conman_domtrans',`
-+ gen_require(`
-+ type conman_t, conman_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, conman_exec_t, conman_t)
-+')
-+
-+########################################
-+##
-+## Read conman's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`conman_read_log',`
-+ gen_require(`
-+ type conman_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, conman_log_t, conman_log_t)
-+')
-+
-+########################################
-+##
-+## Append to conman log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`conman_append_log',`
-+ gen_require(`
-+ type conman_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, conman_log_t, conman_log_t)
-+')
-+
-+########################################
-+##
-+## Manage conman log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`conman_manage_log',`
-+ gen_require(`
-+ type conman_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, conman_log_t, conman_log_t)
-+ manage_files_pattern($1, conman_log_t, conman_log_t)
-+')
-+
-+########################################
-+##
-+## Execute conman server in the conman domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`conman_systemctl',`
-+ gen_require(`
-+ type conman_t;
-+ type conman_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 conman_unit_file_t:file read_file_perms;
-+ allow $1 conman_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, conman_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an conman environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`conman_admin',`
-+ gen_require(`
-+ type conman_t;
-+ type conman_log_t;
-+ type conman_unit_file_t;
-+ ')
-+
-+ allow $1 conman_t:process { signal_perms };
-+ ps_process_pattern($1, conman_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 conman_t:process ptrace;
-+ ')
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, conman_log_t)
-+
-+ conman_systemctl($1)
-+ admin_pattern($1, conman_unit_file_t)
-+ allow $1 conman_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/conman.te b/conman.te
-new file mode 100644
-index 000000000..246420052
---- /dev/null
-+++ b/conman.te
-@@ -0,0 +1,114 @@
-+policy_module(conman, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Determine whether conman can
-+## connect to all TCP ports
-+##
-+##
-+gen_tunable(conman_can_network, false)
-+
-+##
-+##
-+## Allow conman to manage nfs files
-+##
-+##
-+gen_tunable(conman_use_nfs, false)
-+
-+type conman_t;
-+type conman_exec_t;
-+init_daemon_domain(conman_t, conman_exec_t)
-+
-+type conman_log_t;
-+logging_log_file(conman_log_t)
-+
-+type conman_tmp_t;
-+files_tmp_file(conman_tmp_t)
-+
-+type conman_var_run_t;
-+files_pid_file(conman_var_run_t)
-+
-+type conman_unit_file_t;
-+systemd_unit_file(conman_unit_file_t)
-+
-+type conman_unconfined_script_t;
-+type conman_unconfined_script_exec_t;
-+application_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
-+init_system_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
-+
-+########################################
-+#
-+# conman local policy
-+#
-+
-+allow conman_t self:capability { sys_tty_config };
-+allow conman_t self:process { setrlimit signal_perms };
-+
-+allow conman_t self:fifo_file rw_fifo_file_perms;
-+allow conman_t self:unix_stream_socket create_stream_socket_perms;
-+allow conman_t self:tcp_socket { accept listen create_socket_perms };
-+
-+allow conman_t conman_unconfined_script_t:process sigkill;
-+allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms;
-+
-+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
-+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
-+logging_log_filetrans(conman_t, conman_log_t, { dir })
-+
-+manage_files_pattern(conman_t, conman_tmp_t, conman_tmp_t)
-+manage_dirs_pattern(conman_t, conman_tmp_t, conman_tmp_t)
-+files_tmp_filetrans(conman_t, conman_tmp_t, { file dir })
-+
-+manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
-+files_pid_filetrans(conman_t, conman_var_run_t, file)
-+
-+auth_use_nsswitch(conman_t)
-+
-+corenet_tcp_bind_generic_node(conman_t)
-+corenet_tcp_bind_conman_port(conman_t)
-+
-+corenet_tcp_connect_all_ephemeral_ports(conman_t)
-+
-+corecmd_exec_bin(conman_t)
-+
-+dev_read_urand(conman_t)
-+
-+logging_send_syslog_msg(conman_t)
-+
-+sysnet_dns_name_resolve(conman_t)
-+
-+userdom_use_user_ptys(conman_t)
-+
-+term_use_usb_ttys(conman_t)
-+term_use_ptmx(conman_t)
-+
-+tunable_policy(`conman_can_network',`
-+ corenet_sendrecv_all_client_packets(conman_t)
-+ corenet_tcp_connect_all_ports(conman_t)
-+ corenet_tcp_sendrecv_all_ports(conman_t)
-+')
-+
-+tunable_policy(`conman_use_nfs',`
-+ fs_manage_nfs_files(conman_t)
-+ fs_read_nfs_symlinks(conman_t)
-+')
-+
-+optional_policy(`
-+ freeipmi_stream_connect(conman_t)
-+')
-+
-+########################################
-+#
-+# conman script local policy
-+#
-+
-+domtrans_pattern(conman_t, conman_unconfined_script_exec_t, conman_unconfined_script_t)
-+
-+optional_policy(`
-+ unconfined_domain(conman_unconfined_script_t)
-+')
-diff --git a/conntrackd.fc b/conntrackd.fc
-new file mode 100644
-index 000000000..c743543cc
---- /dev/null
-+++ b/conntrackd.fc
-@@ -0,0 +1,11 @@
-+/usr/lib/systemd/system/conntrackd.* -- gen_context(system_u:object_r:conntrackd_unit_file_t,s0)
-+
-+/usr/sbin/conntrackd -- gen_context(system_u:object_r:conntrackd_exec_t,s0)
-+
-+/etc/conntrackd(/.*)? gen_context(system_u:object_r:conntrackd_conf_t,s0)
-+
-+/var/log/conntrackd.log gen_context(system_u:object_r:conntrackd_log_t,s0)
-+
-+/var/lock/conntrack.lock gen_context(system_u:object_r:conntrackd_var_lock_t,s0)
-+
-+/run/conntrackd.ctl -s gen_context(system_u:object_r:conntrackd_var_run_t,s0)
-diff --git a/conntrackd.if b/conntrackd.if
-new file mode 100644
-index 000000000..601b56a46
---- /dev/null
-+++ b/conntrackd.if
-@@ -0,0 +1,118 @@
-+## Conntrackd connection tracking service
-+
-+########################################
-+##
-+## Read the configuration files for conntrackd.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`conntrackd_read_config',`
-+ gen_require(`
-+ type conntrackd_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 conntrackd_conf_t:dir list_dir_perms;
-+ read_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
-+ read_lnk_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
-+')
-+
-+########################################
-+##
-+## Connect to conntrackd over an unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`conntrackd_stream_connect',`
-+ gen_require(`
-+ type conntrackd_t, conntrackd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, conntrackd_var_run_t, conntrackd_var_run_t, conntrackd_t)
-+')
-+
-+#######################################
-+##
-+## Execute conntrackd services in the conntrackd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`conntrackd_systemctl',`
-+ gen_require(`
-+ type conntrackd_t;
-+ type conntrackd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 conntrackd_unit_file_t:file read_file_perms;
-+ allow $1 conntrackd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, conntrackd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an conntrackd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the conntrackd domain.
-+##
-+##
-+##
-+#
-+interface(`conntrackd_admin',`
-+ gen_require(`
-+ type conntrackd_t, conntrackd_tmp_t, conntrackd_log_t;
-+ type conntrackd_conf_t, conntrackd_var_run_t, conntrackd_initrc_exec_t;
-+ ')
-+
-+ allow $1 conntrackd_t:process signal_perms;
-+ ps_process_pattern($1, conntrackd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 conntrackd_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, conntrackd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 conntrackd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_etc($1)
-+ admin_pattern($1, conntrackd_conf_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, conntrackd_log_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, conntrackd_tmp_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, conntrackd_var_run_t)
-+
-+ conntrackd_systemctl($1)
-+ admin_pattern($1, conntrackd_unit_file_t)
-+ allow $1 conntrackd_unit_file_t:service all_service_perms;
-+')
-diff --git a/conntrackd.te b/conntrackd.te
-new file mode 100644
-index 000000000..72e0d23db
---- /dev/null
-+++ b/conntrackd.te
-@@ -0,0 +1,69 @@
-+policy_module(conntrackd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type conntrackd_t;
-+type conntrackd_exec_t;
-+init_daemon_domain(conntrackd_t, conntrackd_exec_t)
-+
-+type conntrackd_conf_t;
-+files_config_file(conntrackd_conf_t)
-+
-+type conntrackd_initrc_exec_t;
-+init_script_file(conntrackd_initrc_exec_t)
-+
-+type conntrackd_unit_file_t;
-+systemd_unit_file(conntrackd_unit_file_t)
-+
-+type conntrackd_log_t;
-+logging_log_file(conntrackd_log_t)
-+
-+type conntrackd_var_run_t;
-+files_pid_file(conntrackd_var_run_t)
-+
-+type conntrackd_var_lock_t;
-+files_lock_file(conntrackd_var_lock_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+#
-+
-+allow conntrackd_t self:capability { sys_nice };
-+allow conntrackd_t self:netlink_route_socket rw_netlink_socket_perms;
-+allow conntrackd_t self:netlink_netfilter_socket create_socket_perms;
-+allow conntrackd_t self:udp_socket create_socket_perms;
-+allow conntrackd_t self:unix_dgram_socket create_socket_perms;
-+allow conntrackd_t self:process { setsched signal };
-+
-+allow conntrackd_t conntrackd_conf_t:dir list_dir_perms;
-+read_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
-+read_lnk_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
-+
-+allow conntrackd_t conntrackd_log_t:dir setattr_dir_perms;
-+manage_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
-+manage_sock_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
-+logging_log_filetrans(conntrackd_t, conntrackd_log_t, { sock_file file dir })
-+
-+manage_dirs_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
-+manage_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
-+manage_sock_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
-+files_pid_filetrans(conntrackd_t, conntrackd_var_run_t, { dir file sock_file })
-+
-+manage_dirs_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
-+manage_files_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
-+
-+files_lock_filetrans(conntrackd_t, conntrackd_var_lock_t, { dir file sock_file })
-+
-+kernel_read_network_state(conntrackd_t)
-+corenet_udp_sendrecv_generic_if(conntrackd_t)
-+corenet_udp_sendrecv_generic_node(conntrackd_t)
-+corenet_udp_sendrecv_all_ports(conntrackd_t)
-+corenet_udp_bind_generic_node(conntrackd_t)
-+
-+corenet_udp_bind_conntrackd_port(conntrackd_t)
-+corenet_udp_sendrecv_conntrackd_port(conntrackd_t)
-diff --git a/consolekit.fc b/consolekit.fc
-index 23c95582f..29e5fd38d 100644
---- a/consolekit.fc
-+++ b/consolekit.fc
-@@ -1,3 +1,5 @@
-+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
-+
- /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
-
- /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
-diff --git a/consolekit.if b/consolekit.if
-index 5b830ec9c..78025c5e7 100644
---- a/consolekit.if
-+++ b/consolekit.if
-@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
-
- ########################################
- ##
-+## dontaudit Send and receive messages from
-+## consolekit over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`consolekit_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type consolekit_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 consolekit_t:dbus send_msg;
-+ dontaudit consolekit_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Send and receive messages from
- ## consolekit over dbus.
- ##
-@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
-
- ########################################
- ##
-+## Dontaudit attempts to read consolekit log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`consolekit_dontaudit_read_log',`
-+ gen_require(`
-+ type consolekit_log_t;
-+ ')
-+
-+ dontaudit $1 consolekit_log_t:file read_file_perms;
-+')
-+
-+########################################
-+##
- ## Read consolekit log files.
- ##
- ##
-@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
- allow $1 consolekit_var_run_t:dir list_dir_perms;
- read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
- ')
-+
-+########################################
-+##
-+## List consolekit PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`consolekit_list_pid_files',`
-+ gen_require(`
-+ type consolekit_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
-+')
-+
-+########################################
-+##
-+## Allow the domain to read consolekit state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`consolekit_read_state',`
-+ gen_require(`
-+ type consolekit_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, consolekit_t)
-+')
-+
-+########################################
-+##
-+## Execute consolekit server in the consolekit domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`consolekit_systemctl',`
-+ gen_require(`
-+ type consolekit_t;
-+ type consolekit_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 consolekit_unit_file_t:file read_file_perms;
-+ allow $1 consolekit_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, consolekit_t)
-+')
-diff --git a/consolekit.te b/consolekit.te
-index bd18063f6..efa99d8f4 100644
---- a/consolekit.te
-+++ b/consolekit.te
-@@ -19,21 +19,23 @@ type consolekit_var_run_t;
- files_pid_file(consolekit_var_run_t)
- init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
-
-+type consolekit_unit_file_t;
-+systemd_unit_file(consolekit_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search sys_nice sys_ptrace };
-+
- allow consolekit_t self:process { getsched signal };
- allow consolekit_t self:fifo_file rw_fifo_file_perms;
- allow consolekit_t self:unix_stream_socket { accept listen };
-
--create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
--append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
--read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
--setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
--logging_log_filetrans(consolekit_t, consolekit_log_t, file)
-+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
-
- manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
- manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
-
- domain_read_all_domains_state(consolekit_t)
- domain_use_interactive_fds(consolekit_t)
--domain_dontaudit_ptrace_all_domains(consolekit_t)
-
--files_read_usr_files(consolekit_t)
-+# needs to read /var/lib/dbus/machine-id
- files_read_var_lib_files(consolekit_t)
- files_search_all_mountpoints(consolekit_t)
-
- fs_list_inotifyfs(consolekit_t)
-
--mcs_ptrace_all(consolekit_t)
--
- term_use_all_terms(consolekit_t)
-
- auth_use_nsswitch(consolekit_t)
- auth_manage_pam_console_data(consolekit_t)
- auth_write_login_records(consolekit_t)
- auth_create_pam_console_data_dirs(consolekit_t)
--auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
-+
-+init_read_utmp(consolekit_t)
-
- logging_send_syslog_msg(consolekit_t)
- logging_send_audit_msgs(consolekit_t)
-
--miscfiles_read_localization(consolekit_t)
-+systemd_exec_systemctl(consolekit_t)
-+systemd_start_power_services(consolekit_t)
-
-+userdom_read_all_users_state(consolekit_t)
- userdom_dontaudit_read_user_home_content_files(consolekit_t)
-+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
- userdom_read_user_tmp_files(consolekit_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(consolekit_t)
--')
-+userdom_home_reader(consolekit_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(consolekit_t)
-+optional_policy(`
-+ cron_read_system_job_lib_files(consolekit_t)
- ')
-
- optional_policy(`
-@@ -109,13 +110,6 @@ optional_policy(`
- ')
- ')
-
--optional_policy(`
-- hal_ptrace(consolekit_t)
--')
--
--optional_policy(`
-- networkmanager_append_log_files(consolekit_t)
--')
-
- optional_policy(`
- policykit_domtrans_auth(consolekit_t)
-diff --git a/corosync.fc b/corosync.fc
-index da39f0fcc..b26d3e0a4 100644
---- a/corosync.fc
-+++ b/corosync.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
-+
- /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
- /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
-
-@@ -10,3 +12,5 @@
- /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
- /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
- /var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
-+/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
-+/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
-diff --git a/corosync.if b/corosync.if
-index 694a037da..d8596812d 100644
---- a/corosync.if
-+++ b/corosync.if
-@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
- read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
- ')
-
-+#######################################
-+##
-+## Setattr corosync log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corosync_setattr_log',`
-+ gen_require(`
-+ type corosync_var_log_t;
-+ ')
-+
-+ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
-+')
-+
-+
- #####################################
- ##
- ## Connect to corosync over a unix
-@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
- interface(`corosync_stream_connect',`
- gen_require(`
- type corosync_t, corosync_var_run_t;
-+ type corosync_var_lib_t;
- ')
-
- files_search_pids($1)
-+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
- stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
- ')
-
- ######################################
- ##
--## Read and write corosync tmpfs files.
-+## Allow the specified domain to read/write corosync's tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corosync_rw_tmpfs',`
-+ gen_require(`
-+ type corosync_tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
-+
-+')
-+
-+########################################
-+##
-+## Execute corosync server in the corosync domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`corosync_rw_tmpfs',`
-+interface(`corosync_systemctl',`
- gen_require(`
-- type corosync_tmpfs_t;
-+ type corosync_t;
-+ type corosync_unit_file_t;
- ')
-
-- fs_search_tmpfs($1)
-- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 corosync_unit_file_t:file read_file_perms;
-+ allow $1 corosync_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, corosync_t)
- ')
-
- ######################################
-@@ -160,12 +205,17 @@ interface(`corosync_admin',`
- type corosync_t, corosync_var_lib_t, corosync_var_log_t;
- type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
- type corosync_initrc_exec_t;
-+ type corosync_unit_file_t;
- ')
-
-- allow $1 corosync_t:process { ptrace signal_perms };
-+ allow $1 corosync_t:process signal_perms;
- ps_process_pattern($1, corosync_t)
-
-- corosync_initrc_domtrans($1)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 corosync_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
- allow $2 system_r;
-@@ -183,4 +233,8 @@ interface(`corosync_admin',`
-
- files_list_pids($1)
- admin_pattern($1, corosync_var_run_t)
-+
-+ corosync_systemctl($1)
-+ admin_pattern($1, corosync_unit_file_t)
-+ allow $1 corosync_unit_file_t:service all_service_perms;
- ')
-diff --git a/corosync.te b/corosync.te
-index d5aa1e446..94ca2cd02 100644
---- a/corosync.te
-+++ b/corosync.te
-@@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t)
- type corosync_var_run_t;
- files_pid_file(corosync_var_run_t)
-
-+type corosync_unit_file_t;
-+systemd_unit_file(corosync_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
-+allow corosync_t self:capability { dac_read_search fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
- # for hearbeat
- allow corosync_t self:capability { net_raw chown };
- allow corosync_t self:process { setpgid setrlimit setsched signal signull };
-@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
- domain_read_all_domains_state(corosync_t)
-
- files_manage_mounttab(corosync_t)
--files_read_usr_files(corosync_t)
-
- auth_use_nsswitch(corosync_t)
-
-@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
- miscfiles_read_localization(corosync_t)
-
- userdom_read_user_tmp_files(corosync_t)
--userdom_manage_user_tmpfs_files(corosync_t)
-+userdom_delete_user_tmp_files(corosync_t)
-+userdom_rw_user_tmp_files(corosync_t)
-+
-+optional_policy(`
-+ fs_manage_tmpfs_files(corosync_t)
-+ init_manage_script_status_files(corosync_t)
-+')
-
- optional_policy(`
- ccs_read_config(corosync_t)
-@@ -129,20 +137,29 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ lvm_rw_clvmd_tmpfs_files(corosync_t)
-+ lvm_delete_clvmd_tmpfs_files(corosync_t)
-+')
-+
-+optional_policy(`
- qpidd_rw_shm(corosync_t)
- ')
-
- optional_policy(`
-- rhcs_getattr_fenced_exec_files(corosync_t)
-+ rhcs_getattr_fenced(corosync_t)
-+ # to communication with RHCS
- rhcs_rw_cluster_shm(corosync_t)
- rhcs_rw_cluster_semaphores(corosync_t)
- rhcs_stream_connect_cluster(corosync_t)
-+ rhcs_read_cluster_lib_files(corosync_t)
-+ rhcs_manage_cluster_lib_files(corosync_t)
-+ rhcs_relabel_cluster_lib_files(corosync_t)
- ')
-
- optional_policy(`
-- rgmanager_manage_tmpfs_files(corosync_t)
-+ rpc_search_nfs_state_data(corosync_t)
- ')
-
- optional_policy(`
-- rpc_search_nfs_state_data(corosync_t)
--')
-\ No newline at end of file
-+ wdmd_rw_tmpfs(corosync_t)
-+')
-diff --git a/couchdb.fc b/couchdb.fc
-index c0863022d..5380ab641 100644
---- a/couchdb.fc
-+++ b/couchdb.fc
-@@ -1,8 +1,10 @@
--/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
--
- /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
-
--/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
-+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
-+
-+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
-+
-+/usr/libexec/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
-
- /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
-
-diff --git a/couchdb.if b/couchdb.if
-index 715a826f1..a1cbdb29e 100644
---- a/couchdb.if
-+++ b/couchdb.if
-@@ -2,7 +2,7 @@
-
- ########################################
- ##
--## Read couchdb log files.
-+## Allow to read couchdb log files.
- ##
- ##
- ##
-@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
- type couchdb_log_t;
- ')
-
-- logging_search_logs($1)
-+ files_search_var_lib($1)
- read_files_pattern($1, couchdb_log_t, couchdb_log_t)
- ')
-
- ########################################
- ##
--## Read, write, and create couchdb lib files.
-+## Allow to read couchdb lib files.
- ##
- ##
- ##
-@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
- ##
- ##
- #
--interface(`couchdb_manage_lib_files',`
-+interface(`couchdb_read_lib_files',`
- gen_require(`
- type couchdb_var_lib_t;
- ')
-@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
-
- ########################################
- ##
--## Read couchdb config files.
-+## All of the rules required to
-+## administrate an couchdb environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_manage_lib_files',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage couchdb lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_manage_lib_dirs',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Allow to read couchdb conf files.
- ##
- ##
- ##
-@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
- type couchdb_conf_t;
- ')
-
-- files_search_etc($1)
-+ files_search_var_lib($1)
- read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
- ')
-
- ########################################
- ##
--## Read couchdb pid files.
-+## Read couchdb PID files.
- ##
- ##
- ##
-@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
- ')
-
- files_search_pids($1)
-- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
-+ allow $1 couchdb_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Search couchdb PID dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_search_pid_dirs',`
-+ gen_require(`
-+ type couchdb_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 couchdb_var_run_t:dir search_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Allow domain to manage couchdb content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_manage_files',`
-+ gen_require(`
-+ type couchdb_var_run_t;
-+ type couchdb_log_t;
-+ type couchdb_var_lib_t;
-+ type couchdb_conf_t;
-+ ')
-+
-+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
-+ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
- ')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an couchdb environment.
-+## Execute couchdb server in the couchdb domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
-+#
-+interface(`couchdb_systemctl',`
-+ gen_require(`
-+ type couchdb_t;
-+ type couchdb_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 couchdb_unit_file_t:file read_file_perms;
-+ allow $1 couchdb_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, couchdb_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an couchdb environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
- ##
- ##
- ## Role allowed access.
-@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
- #
- interface(`couchdb_admin',`
- gen_require(`
-+ type couchdb_unit_file_t;
- type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
- type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
- type couchdb_tmp_t;
- ')
-
-- allow $1 couchdb_t:process { ptrace signal_perms };
-+ allow $1 couchdb_t:process { signal_perms };
- ps_process_pattern($1, couchdb_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 couchdb_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
-
- files_search_pids($1)
- admin_pattern($1, couchdb_var_run_t)
-+
-+ admin_pattern($1, couchdb_unit_file_t)
-+ couchdb_systemctl($1)
-+ allow $1 couchdb_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/couchdb.te b/couchdb.te
-index ae1c1b12a..9b3a328c2 100644
---- a/couchdb.te
-+++ b/couchdb.te
-@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
- type couchdb_var_run_t;
- files_pid_file(couchdb_var_run_t)
-
-+type couchdb_unit_file_t;
-+systemd_unit_file(couchdb_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow couchdb_t self:process { setsched signal signull sigkill };
-+allow couchdb_t self:process { execmem setsched signal signull sigkill };
- allow couchdb_t self:fifo_file rw_fifo_file_perms;
- allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
-+allow couchdb_t self:unix_dgram_socket create_socket_perms;
- allow couchdb_t self:tcp_socket { accept listen };
-
--allow couchdb_t couchdb_conf_t:dir list_dir_perms;
--allow couchdb_t couchdb_conf_t:file read_file_perms;
-+manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)
-
- manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
- append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-@@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
-
- manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
- manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
--files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
-+files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })
-
- can_exec(couchdb_t, couchdb_exec_t)
-
-+kernel_read_network_state(couchdb_t)
- kernel_read_system_state(couchdb_t)
-+kernel_read_fs_sysctls(couchdb_t)
-+kernel_dgram_send(couchdb_t)
-
- corecmd_exec_bin(couchdb_t)
- corecmd_exec_shell(couchdb_t)
-@@ -75,14 +81,27 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
- corenet_tcp_bind_couchdb_port(couchdb_t)
- corenet_tcp_sendrecv_couchdb_port(couchdb_t)
-
-+# disksup tries to monitor the local disks
-+fs_getattr_all_files(couchdb_t)
-+fs_getattr_all_dirs(couchdb_t)
-+fs_getattr_all_fs(couchdb_t)
-+files_getattr_all_mountpoints(couchdb_t)
-+files_search_all_mountpoints(couchdb_t)
-+files_getattr_lost_found_dirs(couchdb_t)
-+files_dontaudit_list_var(couchdb_t)
-+
- dev_list_sysfs(couchdb_t)
- dev_read_sysfs(couchdb_t)
- dev_read_urand(couchdb_t)
-
--files_read_usr_files(couchdb_t)
-+auth_use_nsswitch(couchdb_t)
-
--fs_getattr_xattr_fs(couchdb_t)
-+optional_policy(`
-+ gnome_dontaudit_search_config(couchdb_t)
-+')
-+
-+optional_policy(`
-+ rpc_read_nfs_state_data(couchdb_t)
-+')
-
--auth_use_nsswitch(couchdb_t)
-
--miscfiles_read_localization(couchdb_t)
-diff --git a/courier.fc b/courier.fc
-index 2f017a076..defdc871e 100644
---- a/courier.fc
-+++ b/courier.fc
-@@ -11,17 +11,18 @@
- /usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-
- /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
--/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
- /usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
--/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
- /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
--/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
--/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
--/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-
-+ifdef(`distro_gentoo',`
-+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-+')
-
- /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
- /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
-diff --git a/courier.if b/courier.if
-index 10f820fc7..acdb179e8 100644
---- a/courier.if
-+++ b/courier.if
-@@ -1,12 +1,12 @@
--## Courier IMAP and POP3 email servers.
-+## Courier IMAP and POP3 email servers
-
--#######################################
-+########################################
- ##
--## The template to define a courier domain.
-+## Template for creating courier server processes.
- ##
--##
-+##
- ##
--## Domain prefix to be used.
-+## Prefix name of the server process.
- ##
- ##
- #
-@@ -15,7 +15,7 @@ template(`courier_domain_template',`
- attribute courier_domain;
- ')
-
-- ########################################
-+ ##############################
- #
- # Declarations
- #
-@@ -24,18 +24,30 @@ template(`courier_domain_template',`
- type courier_$1_exec_t;
- init_daemon_domain(courier_$1_t, courier_$1_exec_t)
-
-- ########################################
-+ ##############################
- #
-- # Policy
-+ # Declarations
- #
-
- can_exec(courier_$1_t, courier_$1_exec_t)
-+
-+ kernel_read_system_state(courier_$1_t)
-+
-+ corenet_all_recvfrom_netlabel(courier_$1_t)
-+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
-+ corenet_udp_sendrecv_generic_if(courier_$1_t)
-+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
-+ corenet_udp_sendrecv_generic_node(courier_$1_t)
-+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
-+ corenet_udp_sendrecv_all_ports(courier_$1_t)
-+
-+ logging_send_syslog_msg(courier_$1_t)
- ')
-
- ########################################
- ##
--## Execute the courier authentication
--## daemon with a domain transition.
-+## Execute the courier authentication daemon with
-+## a domain transition.
- ##
- ##
- ##
-@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
- type courier_authdaemon_t, courier_authdaemon_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
- ')
-
- #######################################
- ##
--## Connect to courier-authdaemon over
--## a unix stream socket.
-+## Connect to courier-authdaemon over a unix stream socket.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
- interface(`courier_stream_connect_authdaemon',`
-- gen_require(`
-- type courier_authdaemon_t, courier_spool_t;
-- ')
-+ gen_require(`
-+ type courier_authdaemon_t, courier_spool_t;
-+ ')
-
- files_search_spool($1)
-- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
-+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
- ')
-
- ########################################
- ##
--## Execute the courier POP3 and IMAP
--## server with a domain transition.
-+## Execute the courier POP3 and IMAP server with
-+## a domain transition.
- ##
- ##
- ##
-@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
- type courier_pop_t, courier_pop_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
- ')
-
- ########################################
- ##
--## Read courier config files.
-+## Read courier config files
- ##
- ##
- ##
-@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
- type courier_spool_t;
- ')
-
-- files_search_var($1)
-+ files_search_spool($1)
- manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
- ## Create, read, write, and delete courier
- ## spool files.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
-@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
- type courier_spool_t;
- ')
-
-- files_search_var($1)
-+ files_search_spool($1)
- manage_files_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
- type courier_spool_t;
- ')
-
-- files_search_var($1)
-+ files_search_spool($1)
- read_files_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
- ########################################
- ##
--## Read and write courier spool pipes.
-+## Read and write to courier spool pipes.
- ##
- ##
- ##
-@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
- type courier_spool_t;
- ')
-
-- files_search_var($1)
- allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
- ')
-diff --git a/courier.te b/courier.te
-index ae3bc70e9..3fe942539 100644
---- a/courier.te
-+++ b/courier.te
-@@ -18,7 +18,7 @@ type courier_etc_t;
- files_config_file(courier_etc_t)
-
- type courier_spool_t;
--files_type(courier_spool_t)
-+files_spool_file(courier_spool_t)
-
- type courier_var_lib_t;
- files_type(courier_var_lib_t)
-@@ -34,7 +34,7 @@ mta_agent_executable(courier_exec_t)
- # Common local policy
- #
-
--allow courier_domain self:capability dac_override;
-+allow courier_domain self:capability { dac_read_search };
- dontaudit courier_domain self:capability sys_tty_config;
- allow courier_domain self:process { setpgid signal_perms };
- allow courier_domain self:fifo_file rw_fifo_file_perms;
-@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
- files_pid_filetrans(courier_domain, courier_var_run_t, dir)
-
- kernel_read_kernel_sysctls(courier_domain)
--kernel_read_system_state(courier_domain)
-
- corecmd_exec_bin(courier_domain)
-
-@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
-
- domain_use_interactive_fds(courier_domain)
-
--files_read_etc_files(courier_domain)
- files_read_etc_runtime_files(courier_domain)
--files_read_usr_files(courier_domain)
-
- fs_getattr_xattr_fs(courier_domain)
- fs_search_auto_mountpoints(courier_domain)
-
--logging_send_syslog_msg(courier_domain)
--
- sysnet_read_config(courier_domain)
-
- userdom_dontaudit_use_unpriv_user_fds(courier_domain)
-@@ -77,6 +72,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mysql_stream_connect(courier_domain)
-+')
-+
-+optional_policy(`
- udev_read_db(courier_domain)
- ')
-
-@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
- create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
- manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
-
-+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
- manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
-
- allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
-
- libs_read_lib_files(courier_authdaemon_t)
-
--miscfiles_read_localization(courier_authdaemon_t)
-
- userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
-
-@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
-
- allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-
--allow courier_pop_t courier_var_lib_t:file { read write };
-+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
-
- domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
-
-@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
- dev_read_rand(courier_tcpd_t)
- dev_read_urand(courier_tcpd_t)
-
--miscfiles_read_localization(courier_tcpd_t)
-
- ########################################
- #
-diff --git a/cpucontrol.te b/cpucontrol.te
-index af72c4e55..afab0367f 100644
---- a/cpucontrol.te
-+++ b/cpucontrol.te
-@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
- init_use_fds(cpucontrol_domain)
- init_use_script_ptys(cpucontrol_domain)
-
--logging_send_syslog_msg(cpucontrol_domain)
--
- userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
-
- optional_policy(`
-@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
- read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
- read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
-
--kernel_list_proc(cpucontrol_t)
- kernel_read_proc_symlinks(cpucontrol_t)
-
- dev_read_sysfs(cpucontrol_t)
- dev_rw_cpu_microcode(cpucontrol_t)
-
-+logging_send_syslog_msg(cpucontrol_t)
-+
- optional_policy(`
- rhgb_use_ptys(cpucontrol_t)
- ')
-@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
-
- domain_read_all_domains_state(cpuspeed_t)
-
--files_read_etc_files(cpuspeed_t)
- files_read_etc_runtime_files(cpuspeed_t)
-
--miscfiles_read_localization(cpuspeed_t)
-+logging_send_syslog_msg(cpuspeed_t)
-diff --git a/cpufreqselector.te b/cpufreqselector.te
-index 6cedb8724..530e250e5 100644
---- a/cpufreqselector.te
-+++ b/cpufreqselector.te
-@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
- # Local policy
- #
-
--allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
-+allow cpufreqselector_t self:capability sys_nice;
- allow cpufreqselector_t self:process getsched;
- allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
-+allow cpufreqselector_t self:process getsched;
-
- kernel_read_system_state(cpufreqselector_t)
-
--files_read_etc_files(cpufreqselector_t)
--files_read_usr_files(cpufreqselector_t)
--
- dev_rw_sysfs(cpufreqselector_t)
-
--miscfiles_read_localization(cpufreqselector_t)
--
- userdom_read_all_users_state(cpufreqselector_t)
--userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
-+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
-
- optional_policy(`
- dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-@@ -51,3 +47,7 @@ optional_policy(`
- policykit_read_lib(cpufreqselector_t)
- policykit_read_reload(cpufreqselector_t)
- ')
-+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(cpufreqselector_t)
-+')
-diff --git a/cpuplug.fc b/cpuplug.fc
-new file mode 100644
-index 000000000..be203ff49
---- /dev/null
-+++ b/cpuplug.fc
-@@ -0,0 +1,3 @@
-+/etc/rc.d/init.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
-+
-+/usr/sbin/cpuplugd -- gen_context(system_u:object_r:cpuplug_exec_t,s0)
-diff --git a/cpuplug.if b/cpuplug.if
-new file mode 100644
-index 000000000..c68d1d3cf
---- /dev/null
-+++ b/cpuplug.if
-@@ -0,0 +1,20 @@
-+## cpuplugd - Linux on System z CPU and memory hotplug daemon
-+
-+########################################
-+##
-+## Execute cpuplug in the cpuplug domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cpuplug_domtrans',`
-+ gen_require(`
-+ type cpuplug_t, cpuplug_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
-+')
-diff --git a/cpuplug.te b/cpuplug.te
-new file mode 100644
-index 000000000..074f3e04d
---- /dev/null
-+++ b/cpuplug.te
-@@ -0,0 +1,40 @@
-+policy_module(cpuplug, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type cpuplug_t;
-+type cpuplug_exec_t;
-+init_daemon_domain(cpuplug_t, cpuplug_exec_t)
-+
-+type cpuplug_initrc_exec_t;
-+init_script_file(cpuplug_initrc_exec_t)
-+
-+type cpuplug_lock_t;
-+files_lock_file(cpuplug_lock_t)
-+
-+type cpuplug_var_run_t;
-+files_pid_file(cpuplug_var_run_t)
-+
-+########################################
-+#
-+# cpuplug local policy
-+#
-+allow cpuplug_t self:fifo_file rw_fifo_file_perms;
-+allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
-+files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
-+
-+manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
-+files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
-+
-+kernel_read_system_state(cpuplug_t)
-+kernel_rw_vm_sysctls(cpuplug_t)
-+
-+dev_rw_sysfs(cpuplug_t)
-+
-+logging_send_syslog_msg(cpuplug_t)
-+
-diff --git a/cron.fc b/cron.fc
-index ad0bae948..615a947aa 100644
---- a/cron.fc
-+++ b/cron.fc
-@@ -1,66 +1,77 @@
--/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-
--/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
--/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
--/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
--/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-
--/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
-+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
--/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
--/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
--/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
--/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
-+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
-+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
-+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
--/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
--/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
-+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-
--/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-
--/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
--/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
-+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-
--/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
--#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--/var/spool/cron/[^/]* -- <>
-+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
-+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-+/var/spool/cron/[^/]* -- <>
-
--/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/crontabs/.* -- <>
- #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-
--/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
--/var/spool/fcron/.* <>
-+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/fcron/.* <>
- /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
--/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-+
-+ifdef(`distro_gentoo',`
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun/[^/]* -- <>
-+')
-+
-+ifdef(`distro_suse', `
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun/[^/]* -- <>
-+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+')
-
- ifdef(`distro_debian',`
--/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
-+
-+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/atjobs/[^/]* -- <>
--/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
- ')
-
- ifdef(`distro_gentoo',`
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
- ')
-
--ifdef(`distro_suse',`
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+ifdef(`distro_suse', `
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
--/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
- ')
-diff --git a/cron.if b/cron.if
-index 1303b3036..f5bd4aee8 100644
---- a/cron.if
-+++ b/cron.if
-@@ -2,11 +2,12 @@
-
- #######################################
- ##
--## The template to define a crontab domain.
-+## The common rules for a crontab domain.
- ##
--##
-+##
- ##
--## Domain prefix to be used.
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
- ##
- ##
- #
-@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
-
-+ kernel_read_system_state($1_t)
-+
- auth_domtrans_chk_passwd($1_t)
- auth_use_nsswitch($1_t)
-+
-+ logging_send_syslog_msg($1_t)
-+
-+ userdom_home_reader($1_t)
-+
- ')
-
- ########################################
- ##
--## Role access for cron.
-+## Role access for cron
- ##
- ##
- ##
--## Role allowed access.
-+## Role allowed access
- ##
- ##
- ##
- ##
--## User domain for the role.
-+## User domain for the role
- ##
- ##
- ##
-@@ -60,56 +68,66 @@ interface(`cron_role',`
- gen_require(`
- type cronjob_t, crontab_t, crontab_exec_t;
- type user_cron_spool_t, crond_t;
-- bool cron_userdomain_transition;
-+ bool cron_userdomain_transition;
- ')
-
-- ##############################
-- #
-- # Declarations
-- #
-+ ##############################
-+ #
-+ # Declarations
-+ #
-
- role $1 types { cronjob_t crontab_t };
-
-- ##############################
-- #
-- # Local policy
-- #
-+ ##############################
-+ #
-+ # Local policy
-+ #
-
-+ # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
-
-- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
-- allow $2 crontab_t:process { ptrace signal_perms };
-+ # crontab shows up in user ps
-+ allow $2 crontab_t:process signal_perms;
- ps_process_pattern($2, crontab_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 crontab_t:process ptrace;
-+ ')
-+
-+ # Run helper programs as the user domain
-+ #corecmd_bin_domtrans(crontab_t, $2)
-+ #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-
-- tunable_policy(`cron_userdomain_transition',`
-- allow crond_t $2:process transition;
-- allow crond_t $2:fd use;
-- allow crond_t $2:key manage_key_perms;
-+ tunable_policy(`cron_userdomain_transition',`
-+ allow crond_t $2:process transition;
-+ allow crond_t $2:fd use;
-+ allow crond_t $2:key manage_key_perms;
-
-- allow $2 user_cron_spool_t:file entrypoint;
-+ # needs to be authorized SELinux context for cron
-+ allow $2 user_cron_spool_t:file entrypoint;
-+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-- allow $2 crond_t:fifo_file rw_fifo_file_perms;
-+ allow $2 cronjob_t:process { signal_perms };
-
-- allow $2 cronjob_t:process { ptrace signal_perms };
-- ps_process_pattern($2, cronjob_t)
-- ',`
-- dontaudit crond_t $2:process transition;
-- dontaudit crond_t $2:fd use;
-- dontaudit crond_t $2:key manage_key_perms;
-+ ps_process_pattern($2, cronjob_t)
-+ ',`
-+ dontaudit crond_t $2:process transition;
-+ dontaudit crond_t $2:fd use;
-+ dontaudit crond_t $2:key manage_key_perms;
-
-- dontaudit $2 user_cron_spool_t:file entrypoint;
-+ dontaudit $2 user_cron_spool_t:file entrypoint;
-
-- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-- dontaudit $2 cronjob_t:process { ptrace signal_perms };
-- ')
-+ dontaudit $2 cronjob_t:process { signal_perms };
-+ ')
-
- optional_policy(`
- gen_require(`
-@@ -119,78 +137,75 @@ interface(`cron_role',`
- dbus_stub(cronjob_t)
-
- allow cronjob_t $2:dbus send_msg;
-- ')
-+ ')
- ')
-
- ########################################
- ##
--## Role access for unconfined cron.
-+## Role access for unconfined cronjobs
- ##
- ##
- ##
--## Role allowed access.
-+## Role allowed access
- ##
- ##
- ##
- ##
--## User domain for the role.
-+## User domain for the role
- ##
- ##
-+##
- #
- interface(`cron_unconfined_role',`
- gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-- type crond_t, user_cron_spool_t;
-- bool cron_userdomain_transition;
-+ type crond_t, user_cron_spool_t;
-+ bool cron_userdomain_transition;
- ')
-
-- ##############################
-- #
-- # Declarations
-- #
--
-- role $1 types { unconfined_cronjob_t crontab_t };
--
-- ##############################
-- #
-- # Local policy
-- #
--
-- domtrans_pattern($2, crontab_exec_t, crontab_t)
-+ ##############################
-+ #
-+ # Declarations
-+ #
-+
-+ role $1 types unconfined_cronjob_t;
-
-- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-- allow $2 crond_t:process sigchld;
-+ ##############################
-+ #
-+ # Local policy
-+ #
-
-- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-
-- allow $2 crontab_t:process { ptrace signal_perms };
-- ps_process_pattern($2, crontab_t)
-+ allow $2 crond_t:process sigchld;
-
-- corecmd_exec_bin(crontab_t)
-- corecmd_exec_shell(crontab_t)
-+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
-- tunable_policy(`cron_userdomain_transition',`
-- allow crond_t $2:process transition;
-- allow crond_t $2:fd use;
-- allow crond_t $2:key manage_key_perms;
-+ # cronjob shows up in user ps
-+ ps_process_pattern($2, unconfined_cronjob_t)
-+ allow $2 unconfined_cronjob_t:process signal_perms;
-
-- allow $2 user_cron_spool_t:file entrypoint;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 unconfined_cronjob_t:process ptrace;
-+ ')
-
-- allow $2 crond_t:fifo_file rw_fifo_file_perms;
-+ tunable_policy(`cron_userdomain_transition',`
-+ allow crond_t $2:process transition;
-+ allow crond_t $2:fd use;
-+ allow crond_t $2:key manage_key_perms;
-
-- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
-- ps_process_pattern($2, unconfined_cronjob_t)
-- ',`
-- dontaudit crond_t $2:process transition;
-- dontaudit crond_t $2:fd use;
-- dontaudit crond_t $2:key manage_key_perms;
-+ allow $2 user_cron_spool_t:file entrypoint;
-
-- dontaudit $2 user_cron_spool_t:file entrypoint;
-+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
-+ ',`
-+ dontaudit crond_t $2:process transition;
-+ dontaudit crond_t $2:fd use;
-+ dontaudit crond_t $2:key manage_key_perms;
-
-- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $2 user_cron_spool_t:file entrypoint;
-
-- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
--')
-+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-+ ')
-
- optional_policy(`
- gen_require(`
-@@ -198,55 +213,60 @@ interface(`cron_unconfined_role',`
- ')
-
- dbus_stub(unconfined_cronjob_t)
--
- allow unconfined_cronjob_t $2:dbus send_msg;
- ')
- ')
-
- ########################################
- ##
--## Role access for admin cron.
-+## Role access for cron
- ##
- ##
- ##
--## Role allowed access.
-+## Role allowed access
- ##
- ##
- ##
- ##
--## User domain for the role.
-+## User domain for the role
- ##
- ##
-+##
- #
- interface(`cron_admin_role',`
- gen_require(`
-- type cronjob_t, crontab_exec_t, admin_crontab_t;
-+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
-+ type user_cron_spool_t, crond_t;
- class passwd crontab;
-- type crond_t, user_cron_spool_t;
-- bool cron_userdomain_transition;
-+ bool cron_userdomain_transition;
- ')
-
-- ##############################
-- #
-- # Declarations
-- #
-+ ##############################
-+ #
-+ # Declarations
-+ #
-
-- role $1 types { cronjob_t admin_crontab_t };
-+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
-
-- ##############################
-- #
-- # Local policy
-- #
-+ ##############################
-+ #
-+ # Local policy
-+ #
-
-+ # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-- allow $2 crond_t:process sigchld;
-
-- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-+ allow $2 crond_t:process sigchld;
-
-- allow $2 admin_crontab_t:process { ptrace signal_perms };
-+ # crontab shows up in user ps
- ps_process_pattern($2, admin_crontab_t)
-+ allow $2 admin_crontab_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 admin_crontab_t:process ptrace;
-+ ')
-
- # Manipulate other users crontab.
- allow $2 self:passwd crontab;
-@@ -254,28 +274,26 @@ interface(`cron_admin_role',`
- corecmd_exec_bin(admin_crontab_t)
- corecmd_exec_shell(admin_crontab_t)
-
-- tunable_policy(`cron_userdomain_transition',`
-- allow crond_t $2:process transition;
-- allow crond_t $2:fd use;
-- allow crond_t $2:key manage_key_perms;
-+ tunable_policy(`cron_userdomain_transition',`
-+ allow crond_t $2:process transition;
-+ allow crond_t $2:fd use;
-+ allow crond_t $2:key manage_key_perms;
-
-- allow $2 user_cron_spool_t:file entrypoint;
-+ allow $2 user_cron_spool_t:file entrypoint;
-
-- allow $2 crond_t:fifo_file rw_fifo_file_perms;
-+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-- allow $2 cronjob_t:process { ptrace signal_perms };
-- ps_process_pattern($2, cronjob_t)
-- ',`
-- dontaudit crond_t $2:process transition;
-- dontaudit crond_t $2:fd use;
-- dontaudit crond_t $2:key manage_key_perms;
-+ allow $2 cronjob_t:process { signal_perms };
-+ ps_process_pattern($2, cronjob_t)
-+ ',`
-+ dontaudit crond_t $2:process transition;
-+ dontaudit crond_t $2:fd use;
-+ dontaudit crond_t $2:key manage_key_perms;
-
-- dontaudit $2 user_cron_spool_t:file entrypoint;
--
-- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
--
-- dontaudit $2 cronjob_t:process { ptrace signal_perms };
-- ')
-+ dontaudit $2 user_cron_spool_t:file entrypoint;
-+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $2 cronjob_t:process { signal_perms };
-+ ')
-
- optional_policy(`
- gen_require(`
-@@ -285,13 +303,13 @@ interface(`cron_admin_role',`
- dbus_stub(admin_cronjob_t)
-
- allow cronjob_t $2:dbus send_msg;
-- ')
-+ ')
- ')
-
- ########################################
- ##
--## Make the specified program domain
--## accessable from the system cron jobs.
-+## Make the specified program domain accessable
-+## from the system cron jobs.
- ##
- ##
- ##
-@@ -307,15 +325,15 @@ interface(`cron_admin_role',`
- interface(`cron_system_entry',`
- gen_require(`
- type crond_t, system_cronjob_t;
-- type user_cron_spool_log_t;
- ')
-
-- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
--
- domtrans_pattern(system_cronjob_t, $2, $1)
- domtrans_pattern(crond_t, $2, $1)
-
- role system_r types $1;
-+
-+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
-+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
- ')
-
- ########################################
-@@ -333,13 +351,12 @@ interface(`cron_domtrans',`
- type system_cronjob_t, crond_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, crond_exec_t, system_cronjob_t)
- ')
-
- ########################################
- ##
--## Execute crond in the caller domain.
-+## Execute crond_exec_t
- ##
- ##
- ##
-@@ -352,7 +369,6 @@ interface(`cron_exec',`
- type crond_exec_t;
- ')
-
-- corecmd_search_bin($1)
- can_exec($1, crond_exec_t)
- ')
-
-@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
-
- ########################################
- ##
--## Use crond file descriptors.
-+## Execute crond server in the crond domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cron_systemctl',`
-+ gen_require(`
-+ type crond_unit_file_t;
-+ type crond_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 crond_unit_file_t:file read_file_perms;
-+ allow $1 crond_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, crond_t)
-+')
-+
-+########################################
-+##
-+## Inherit and use a file descriptor
-+## from the cron daemon.
- ##
- ##
- ##
-@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
-
- ########################################
- ##
--## Send child terminated signals to crond.
-+## Send a SIGCHLD signal to the cron daemon.
- ##
- ##
- ##
-@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
-
- ########################################
- ##
--## Set the attributes of cron log files.
-+## Send a generic signal to cron daemon.
- ##
- ##
- ##
-@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
- ##
- ##
- #
--interface(`cron_setattr_log_files',`
-+interface(`cron_signal',`
- gen_require(`
-- type cron_log_t;
-+ type crond_t;
- ')
-
-- allow $1 cron_log_t:file setattr_file_perms;
-+ allow $1 crond_t:process signal;
- ')
-
- ########################################
- ##
--## Create cron log files.
-+## Read a cron daemon unnamed pipe.
- ##
- ##
- ##
-@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
- ##
- ##
- #
--interface(`cron_create_log_files',`
-+interface(`cron_read_pipes',`
- gen_require(`
-- type cron_log_t;
-+ type crond_t;
- ')
-
-- create_files_pattern($1, cron_log_t, cron_log_t)
-+ allow $1 crond_t:fifo_file read_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Write to cron log files.
-+## Read crond state files.
- ##
- ##
- ##
-@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
- ##
- ##
- #
--interface(`cron_write_log_files',`
-+interface(`cron_read_state_crond',`
- gen_require(`
-- type cron_log_t;
-+ type crond_t;
- ')
-
-- allow $1 cron_log_t:file write_file_perms;
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, crond_t)
- ')
-
-+
- ########################################
- ##
--## Create, read, write and delete
--## cron log files.
-+## Send and receive messages from
-+## crond over dbus.
- ##
- ##
- ##
-@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
- ##
- ##
- #
--interface(`cron_manage_log_files',`
-+interface(`cron_dbus_chat_crond',`
- gen_require(`
-- type cron_log_t;
-+ type crond_t;
-+ class dbus send_msg;
- ')
-
-- manage_files_pattern($1, cron_log_t, cron_log_t)
--
-- logging_search_logs($1)
-+ allow $1 crond_t:dbus send_msg;
-+ allow crond_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Create specified objects in generic
--## log directories with the cron log file type.
-+## Do not audit attempts to write cron daemon unnamed pipes.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`cron_generic_log_filetrans_log',`
-+interface(`cron_dontaudit_write_pipes',`
- gen_require(`
-- type cron_log_t;
-+ type crond_t;
- ')
-
-- logging_log_filetrans($1, cron_log_t, $2, $3)
-+ dontaudit $1 crond_t:fifo_file write;
- ')
-
- ########################################
- ##
--## Read cron daemon unnamed pipes.
-+## Read and write a cron daemon unnamed pipe.
- ##
- ##
- ##
-@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
- ##
- ##
- #
--interface(`cron_read_pipes',`
-+interface(`cron_rw_pipes',`
- gen_require(`
- type crond_t;
- ')
-
-- allow $1 crond_t:fifo_file read_fifo_file_perms;
-+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write
--## cron daemon unnamed pipes.
-+## Do not audit attempts to setattr cron daemon unnamed pipes.
- ##
- ##
- ##
-@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
- ##
- ##
- #
--interface(`cron_dontaudit_write_pipes',`
-+interface(`cron_dontaudit_setattr_pipes',`
- gen_require(`
- type crond_t;
- ')
-
-- dontaudit $1 crond_t:fifo_file write;
-+ dontaudit $1 crond_t:fifo_file setattr;
- ')
-
- ########################################
- ##
--## Read and write crond unnamed pipes.
-+## Read and write inherited user spool files.
- ##
- ##
- ##
-@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
- ##
- ##
- #
--interface(`cron_rw_pipes',`
-+interface(`cron_rw_inherited_user_spool_files',`
- gen_require(`
-- type crond_t;
-+ type user_cron_spool_t;
- ')
-
-- allow $1 crond_t:fifo_file rw_fifo_file_perms;
-+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Read and write crond TCP sockets.
-+## Read and write inherited spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_rw_inherited_spool_files',`
-+ gen_require(`
-+ type cron_spool_t;
-+ ')
-+
-+ allow $1 cron_spool_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read, and write cron daemon TCP sockets.
- ##
- ##
- ##
-@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
-
- ########################################
- ##
--## Do not audit attempts to read and
--## write cron daemon TCP sockets.
-+## Dontaudit Read, and write cron daemon TCP sockets.
- ##
- ##
- ##
-@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
-
- ########################################
- ##
--## Search cron spool directories.
-+## Search the directory containing user cron tables.
- ##
- ##
- ##
-@@ -627,8 +675,7 @@ interface(`cron_search_spool',`
-
- ########################################
- ##
--## Create, read, write, and delete
--## crond pid files.
-+## Search the directory containing user cron tables.
- ##
- ##
- ##
-@@ -636,37 +683,37 @@ interface(`cron_search_spool',`
- ##
- ##
- #
--interface(`cron_manage_pid_files',`
-+interface(`cron_manage_system_spool',`
- gen_require(`
-- type crond_var_run_t;
-+ type cron_system_spool_t;
- ')
-
-- manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
-+ files_search_spool($1)
-+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
- ')
-
- ########################################
- ##
--## Execute anacron in the cron
--## system domain.
-+## Manage pid files used by cron
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`cron_anacron_domtrans_system_job',`
-+interface(`cron_manage_pid_files',`
- gen_require(`
-- type system_cronjob_t, anacron_exec_t;
-+ type crond_var_run_t;
- ')
-
-- corecmd_search_bin($1)
-- domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
-+ files_search_pids($1)
-+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
- ')
-
- ########################################
- ##
--## Use system cron job file descriptors.
-+## Read pid files used by cron
- ##
- ##
- ##
-@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',`
- ##
- ##
- #
--interface(`cron_use_system_job_fds',`
-+interface(`cron_read_pid_files',`
- gen_require(`
-- type system_cronjob_t;
-+ type crond_var_run_t;
- ')
-
-- allow $1 system_cronjob_t:fd use;
-+ files_search_pids($1)
-+ read_files_pattern($1, crond_var_run_t, crond_var_run_t)
- ')
-
- ########################################
- ##
--## Read system cron job lib files.
-+## Execute anacron in the cron system domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`cron_read_system_job_lib_files',`
-+interface(`cron_anacron_domtrans_system_job',`
- gen_require(`
-- type system_cronjob_var_lib_t;
-+ type system_cronjob_t, anacron_exec_t;
- ')
-
-- files_search_var_lib($1)
-- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## system cron job lib files.
-+## Inherit and use a file descriptor
-+## from system cron jobs.
- ##
- ##
- ##
-@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',`
- ##
- ##
- #
--interface(`cron_manage_system_job_lib_files',`
-+interface(`cron_use_system_job_fds',`
- gen_require(`
-- type system_cronjob_var_lib_t;
-+ type system_cronjob_t;
- ')
-
-- files_search_var_lib($1)
-- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+ allow $1 system_cronjob_t:fd use;
- ')
-
- ########################################
- ##
--## Write system cron job unnamed pipes.
-+## Write a system cron job unnamed pipe.
- ##
- ##
- ##
-@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',`
- type system_cronjob_t;
- ')
-
-- allow $1 system_cronjob_t:file write;
-+ allow $1 system_cronjob_t:fifo_file write;
- ')
-
- ########################################
- ##
--## Read and write system cron job
--## unnamed pipes.
-+## Read and write a system cron job unnamed pipe.
- ##
- ##
- ##
-@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',`
- type system_cronjob_t;
- ')
-
-- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
-+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Read and write inherited system cron
--## job unix domain stream sockets.
-+## Allow read/write unix stream sockets from the system cron jobs.
- ##
- ##
- ##
-@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',`
-
- ########################################
- ##
--## Read system cron job temporary files.
-+## Read temporary files from the system cron jobs.
- ##
- ##
- ##
-@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',`
- #
- interface(`cron_read_system_job_tmp_files',`
- gen_require(`
-- type system_cronjob_tmp_t;
-+ type system_cronjob_tmp_t, cron_var_run_t;
- ')
-
- files_search_tmp($1)
- allow $1 system_cronjob_tmp_t:file read_file_perms;
-+
-+ files_search_pids($1)
-+ allow $1 cron_var_run_t:file read_file_perms;
- ')
-
- ########################################
- ##
- ## Do not audit attempts to append temporary
--## system cron job files.
-+## files from the system cron jobs.
- ##
- ##
- ##
-@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
- ########################################
- ##
- ## Do not audit attempts to write temporary
--## system cron job files.
-+## files from the system cron jobs.
- ##
- ##
- ##
-@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
- interface(`cron_dontaudit_write_system_job_tmp_files',`
- gen_require(`
- type system_cronjob_tmp_t;
-+ type cron_var_run_t;
- ')
-
- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
-+ dontaudit $1 cron_var_run_t:file write_file_perms;
-+')
-+
-+########################################
-+##
-+## Read temporary files from the system cron jobs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_read_system_job_lib_files',`
-+ gen_require(`
-+ type system_cronjob_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage files from the system cron jobs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_manage_system_job_lib_files',`
-+ gen_require(`
-+ type system_cronjob_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Create, read, write and delete
-+## cron log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_manage_log_files',`
-+ gen_require(`
-+ type cron_log_t;
-+ ')
-+
-+ manage_files_pattern($1, cron_log_t, cron_log_t)
-+
-+ logging_search_logs($1)
-+')
-+
-+#######################################
-+##
-+## Create specified objects in generic
-+## log directories with the cron log file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`cron_generic_log_filetrans_log',`
-+ gen_require(`
-+ type cron_log_t;
-+ ')
-+
-+ logging_log_filetrans($1, cron_log_t, $2, $3)
-+')
-+
-+#######################################
-+##
-+## Create specified objects in generic
-+## log directories with the cron log file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`cron_generic_log_filetrans_log_insights',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
- ')
-diff --git a/cron.te b/cron.te
-index 7de385956..31053c2a9 100644
---- a/cron.te
-+++ b/cron.te
-@@ -11,46 +11,54 @@ gen_require(`
-
- ##
- ##
--## Determine whether system cron jobs
--## can relabel filesystem for
--## restoring file contexts.
-+## Allow system cron jobs to relabel filesystem
-+## for restoring file contexts.
- ##
- ##
- gen_tunable(cron_can_relabel, false)
-
- ##
--##
--## Determine whether crond can execute jobs
--## in the user domain as opposed to the
--## the generic cronjob domain.
--##
-+##
-+## Determine whether crond can execute jobs
-+## in the user domain as opposed to the
-+## the generic cronjob domain.
-+##
-+##
-+gen_tunable(cron_userdomain_transition, true)
-+
-+##
-+##
-+## Allow system cronjob to be executed on
-+## on NFS, CIFS or FUSE filesystem.
-+##
- ##
--gen_tunable(cron_userdomain_transition, false)
-+gen_tunable(cron_system_cronjob_use_shares, false)
-
- ##
- ##
--## Determine whether extra rules
--## should be enabled to support fcron.
-+## Enable extra rules in the cron domain
-+## to support fcron.
- ##
- ##
- gen_tunable(fcron_crond, false)
-
--attribute cron_spool_type;
- attribute crontab_domain;
-+attribute cron_spool_type;
-
- type anacron_exec_t;
- application_executable_file(anacron_exec_t)
-
- type cron_spool_t;
--files_type(cron_spool_t)
--mta_system_content(cron_spool_t)
-+files_spool_file(cron_spool_t)
-
-+# var/lib files
- type cron_var_lib_t;
- files_type(cron_var_lib_t)
-
- type cron_var_run_t;
- files_pid_file(cron_var_run_t)
-
-+# var/log files
- type cron_log_t;
- logging_log_file(cron_log_t)
-
-@@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t)
- type crond_initrc_exec_t;
- init_script_file(crond_initrc_exec_t)
-
-+type crond_unit_file_t;
-+systemd_unit_file(crond_unit_file_t)
-+
- type crond_tmp_t;
- files_tmp_file(crond_tmp_t)
- files_poly_parent(crond_tmp_t)
-@@ -92,15 +103,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
- typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
- typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
- typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
-+allow admin_crontab_t crond_t:process signal;
-
- type system_cron_spool_t, cron_spool_type;
--files_type(system_cron_spool_t)
--mta_system_content(system_cron_spool_t)
-+files_spool_file(system_cron_spool_t)
-
- type system_cronjob_t alias system_crond_t;
- init_daemon_domain(system_cronjob_t, anacron_exec_t)
- corecmd_shell_entry_type(system_cronjob_t)
--domain_entry_file(system_cronjob_t, system_cron_spool_t)
-+corecmd_bin_entry_type(system_cronjob_t)
-+role system_r types system_cronjob_t;
-+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
-
- type system_cronjob_lock_t alias system_crond_lock_t;
- files_lock_file(system_cronjob_lock_t)
-@@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t)
- type system_cronjob_tmp_t alias system_crond_tmp_t;
- files_tmp_file(system_cronjob_tmp_t)
-
--type system_cronjob_var_lib_t;
--files_type(system_cronjob_var_lib_t)
--
--type system_cronjob_var_run_t;
--files_pid_file(system_cronjob_var_run_t)
--
-+# Type of user crontabs once moved to cron spool.
- type user_cron_spool_t, cron_spool_type;
- typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
- typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
--files_type(user_cron_spool_t)
-+files_spool_file(user_cron_spool_t)
- ubac_constrained(user_cron_spool_t)
- mta_system_content(user_cron_spool_t)
-
--type user_cron_spool_log_t;
--logging_log_file(user_cron_spool_log_t)
--ubac_constrained(user_cron_spool_log_t)
--mta_system_content(user_cron_spool_log_t)
-+type system_cronjob_var_lib_t;
-+files_type(system_cronjob_var_lib_t)
-+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
-+
-+type system_cronjob_var_run_t;
-+files_pid_file(system_cronjob_var_run_t)
-
- ifdef(`enable_mcs',`
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
- ')
-
--##############################
--#
--# Common crontab local policy
--#
--
--allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
--allow crontab_domain self:process { getcap setsched signal_perms };
--allow crontab_domain self:fifo_file rw_fifo_file_perms;
--
--manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
--filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
--
--allow crontab_domain cron_spool_t:dir setattr_dir_perms;
--
--allow crontab_domain crond_t:process signal;
--allow crontab_domain crond_var_run_t:file read_file_perms;
--
--kernel_read_system_state(crontab_domain)
--
--selinux_dontaudit_search_fs(crontab_domain)
--
--files_list_spool(crontab_domain)
--files_read_etc_files(crontab_domain)
--files_read_usr_files(crontab_domain)
--files_search_pids(crontab_domain)
--
--fs_getattr_xattr_fs(crontab_domain)
--fs_manage_cgroup_dirs(crontab_domain)
--fs_rw_cgroup_files(crontab_domain)
--
--domain_use_interactive_fds(crontab_domain)
--
--fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
--
--auth_rw_var_auth(crontab_domain)
--
--logging_send_syslog_msg(crontab_domain)
--logging_send_audit_msgs(crontab_domain)
--logging_set_loginuid(crontab_domain)
--
--init_dontaudit_write_utmp(crontab_domain)
--init_read_utmp(crontab_domain)
--init_read_state(crontab_domain)
--
--miscfiles_read_localization(crontab_domain)
--
--seutil_read_config(crontab_domain)
--
--userdom_manage_user_tmp_dirs(crontab_domain)
--userdom_manage_user_tmp_files(crontab_domain)
--userdom_use_user_terminals(crontab_domain)
--userdom_read_user_home_content_files(crontab_domain)
--userdom_read_user_home_content_symlinks(crontab_domain)
--
--tunable_policy(`fcron_crond',`
-- dontaudit crontab_domain crond_t:process signal;
--')
--
- ########################################
- #
--# Admin local policy
-+# Admin crontab local policy
- #
-
--allow admin_crontab_t self:capability fsetid;
--allow admin_crontab_t crond_t:process signal;
-+# Allow our crontab domain to unlink a user cron spool file.
-+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
-
-+# Manipulate other users crontab.
- selinux_get_fs_mount(admin_crontab_t)
- selinux_validate_context(admin_crontab_t)
- selinux_compute_access_vector(admin_crontab_t)
-@@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t)
- selinux_compute_user_contexts(admin_crontab_t)
-
- tunable_policy(`fcron_crond',`
-+ # fcron wants an instant update of a crontab change for the administrator
-+ # also crontab does a security check for crontab -u
- allow admin_crontab_t self:process setfscreate;
- ')
-
- ########################################
- #
--# Daemon local policy
-+# Cron daemon local policy
- #
-
--allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
--dontaudit crond_t self:capability { sys_resource sys_tty_config };
-+allow crond_t self:capability { chown fowner setgid setuid sys_nice dac_read_search };
-+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
- allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
- allow crond_t self:process { setexec setfscreate };
- allow crond_t self:fd use;
- allow crond_t self:fifo_file rw_fifo_file_perms;
-+allow crond_t self:unix_dgram_socket create_socket_perms;
-+allow crond_t self:unix_stream_socket create_stream_socket_perms;
- allow crond_t self:unix_dgram_socket sendto;
--allow crond_t self:unix_stream_socket { accept connectto listen };
-+allow crond_t self:unix_stream_socket connectto;
- allow crond_t self:shm create_shm_perms;
- allow crond_t self:sem create_sem_perms;
- allow crond_t self:msgq create_msgq_perms;
-@@ -227,7 +184,7 @@ allow crond_t self:msg { send receive };
- allow crond_t self:key { search write link };
- dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
-
--allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
- logging_log_filetrans(crond_t, cron_log_t, file)
-
- manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
-
- manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
- manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
--files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
-+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-
- list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
- read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
-
--rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
--manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
--manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
--
--manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
-+kernel_read_kernel_sysctls(crond_t)
-+kernel_read_fs_sysctls(crond_t)
-+kernel_search_key(crond_t)
-
--allow crond_t system_cronjob_t:process transition;
--allow crond_t system_cronjob_t:fd use;
--allow crond_t system_cronjob_t:key manage_key_perms;
-+dev_read_sysfs(crond_t)
-+selinux_get_fs_mount(crond_t)
-+selinux_validate_context(crond_t)
-+selinux_compute_access_vector(crond_t)
-+selinux_compute_create_context(crond_t)
-+selinux_compute_relabel_context(crond_t)
-+selinux_compute_user_contexts(crond_t)
-
--dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
-+dev_read_urand(crond_t)
-
--domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
-+fs_getattr_all_fs(crond_t)
-+fs_search_auto_mountpoints(crond_t)
-+fs_list_inotifyfs(crond_t)
-
--kernel_read_kernel_sysctls(crond_t)
--kernel_read_fs_sysctls(crond_t)
--kernel_search_key(crond_t)
-+# need auth_chkpwd to check for locked accounts.
-+auth_domtrans_chk_passwd(crond_t)
-+auth_manage_var_auth(crond_t)
-
- corecmd_exec_shell(crond_t)
--corecmd_exec_bin(crond_t)
- corecmd_list_bin(crond_t)
--
--dev_read_sysfs(crond_t)
--dev_read_urand(crond_t)
-+corecmd_exec_bin(crond_t)
-+corecmd_read_bin_symlinks(crond_t)
-
- domain_use_interactive_fds(crond_t)
- domain_subj_id_change_exemption(crond_t)
- domain_role_change_exemption(crond_t)
-
--fs_getattr_all_fs(crond_t)
--fs_list_inotifyfs(crond_t)
--fs_manage_cgroup_dirs(crond_t)
--fs_rw_cgroup_files(crond_t)
--fs_search_auto_mountpoints(crond_t)
--
--files_read_usr_files(crond_t)
- files_read_etc_runtime_files(crond_t)
- files_read_generic_spool(crond_t)
- files_list_usr(crond_t)
-+# Read from /var/spool/cron.
- files_search_var_lib(crond_t)
- files_search_default(crond_t)
- files_read_all_locks(crond_t)
-
--mls_fd_share_all_levels(crond_t)
-+fs_manage_cgroup_dirs(crond_t)
-+fs_manage_cgroup_files(crond_t)
-+
-+# needed by "crontab -e"
- mls_file_read_all_levels(crond_t)
- mls_file_write_all_levels(crond_t)
-+
-+# needed because of kernel check of transition
- mls_process_set_level(crond_t)
--mls_trusted_object(crond_t)
-
--selinux_get_fs_mount(crond_t)
--selinux_validate_context(crond_t)
--selinux_compute_access_vector(crond_t)
--selinux_compute_create_context(crond_t)
--selinux_compute_relabel_context(crond_t)
--selinux_compute_user_contexts(crond_t)
-+# to make cronjob working
-+mls_fd_share_all_levels(crond_t)
-+mls_trusted_object(crond_t)
-
- init_read_state(crond_t)
- init_rw_utmp(crond_t)
- init_spec_domtrans_script(crond_t)
-
--auth_domtrans_chk_passwd(crond_t)
--auth_manage_var_auth(crond_t)
- auth_use_nsswitch(crond_t)
-
- logging_send_audit_msgs(crond_t)
-@@ -312,41 +264,49 @@ logging_set_loginuid(crond_t)
-
- seutil_read_config(crond_t)
- seutil_read_default_contexts(crond_t)
-+seutil_sigchld_newrole(crond_t)
-
--miscfiles_read_localization(crond_t)
-
-+userdom_use_unpriv_users_fds(crond_t)
-+# Not sure why this is needed
- userdom_list_user_home_dirs(crond_t)
-+userdom_list_admin_dir(crond_t)
-+userdom_manage_all_users_keys(crond_t)
-
--tunable_policy(`cron_userdomain_transition',`
-- dontaudit crond_t cronjob_t:process transition;
-- dontaudit crond_t cronjob_t:fd use;
-- dontaudit crond_t cronjob_t:key manage_key_perms;
--',`
-- allow crond_t cronjob_t:process transition;
-- allow crond_t cronjob_t:fd use;
-- allow crond_t cronjob_t:key manage_key_perms;
-+optional_policy(`
-+ mta_send_mail(crond_t)
-+ mta_filetrans_admin_home_content(crond_t)
-+ mta_system_content(cron_spool_t)
- ')
-
- ifdef(`distro_debian',`
-+ # pam_limits is used
- allow crond_t self:process setrlimit;
-
-- optional_policy(`
-- logwatch_search_cache_dir(crond_t)
-- ')
-+')
-+
-+optional_policy(`
-+ logwatch_search_cache_dir(crond_t)
-+')
-+
-+optional_policy(`
-+ bind_read_config(crond_t)
- ')
-
- ifdef(`distro_redhat',`
-+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-+ # via redirection of standard out.
- optional_policy(`
- rpm_manage_log(crond_t)
- ')
- ')
-
--tunable_policy(`allow_polyinstantiation',`
-+tunable_policy(`polyinstantiation_enabled',`
- files_polyinstantiate_all(crond_t)
- ')
-
--tunable_policy(`fcron_crond',`
-- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
-+tunable_policy(`fcron_crond', `
-+ allow crond_t system_cron_spool_t:file manage_file_perms;
- ')
-
- optional_policy(`
-@@ -354,103 +314,145 @@ optional_policy(`
- ')
-
- optional_policy(`
-- dbus_system_bus_client(crond_t)
--
-- optional_policy(`
-- hal_dbus_chat(crond_t)
-- ')
-+ djbdns_search_tinydns_keys(crond_t)
-+ djbdns_link_tinydns_keys(crond_t)
-+')
-
-- optional_policy(`
-- unconfined_dbus_send(crond_t)
-- ')
-+optional_policy(`
-+ locallogin_search_keys(crond_t)
-+ locallogin_link_keys(crond_t)
- ')
-
- optional_policy(`
-- amanda_search_var_lib(crond_t)
-+ # these should probably be unconfined_crond_t
-+ dbus_system_bus_client(crond_t)
-+ init_dbus_send_script(crond_t)
-+ init_dbus_chat(crond_t)
- ')
-
- optional_policy(`
-- amavis_search_lib(crond_t)
-+ amanda_search_var_lib(crond_t)
- ')
-
- optional_policy(`
-- djbdns_search_tinydns_keys(crond_t)
-- djbdns_link_tinydns_keys(crond_t)
-+ antivirus_search_db(crond_t)
- ')
-
- optional_policy(`
-+ hal_dbus_chat(crond_t)
- hal_write_log(crond_t)
-+ hal_dbus_chat(system_cronjob_t)
- ')
-
- optional_policy(`
-- locallogin_search_keys(crond_t)
-- locallogin_link_keys(crond_t)
-+ # cjp: why?
-+ munin_search_lib(crond_t)
- ')
-
- optional_policy(`
-- mta_send_mail(crond_t)
-+ pcp_read_lib_files(crond_t)
- ')
-
- optional_policy(`
-- munin_search_lib(crond_t)
-+ rpc_search_nfs_state_data(crond_t)
- ')
-
- optional_policy(`
-- postgresql_search_db(crond_t)
-+ # Commonly used from postinst scripts
-+ rpm_read_pipes(crond_t)
- ')
-
- optional_policy(`
-- rpc_search_nfs_state_data(crond_t)
-+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
-+ postgresql_search_db(crond_t)
- ')
-
- optional_policy(`
-- rpm_read_pipes(crond_t)
-+ systemd_use_fds_logind(crond_t)
-+ systemd_write_inherited_logind_sessions_pipes(crond_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(crond_t)
-+ udev_read_db(crond_t)
- ')
-
- optional_policy(`
-- udev_read_db(crond_t)
-+ vnstatd_search_lib(crond_t)
- ')
-
- ########################################
- #
--# System local policy
-+# System cron process domain
- #
-
--allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
-+allow system_cronjob_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
-+
- allow system_cronjob_t self:process { signal_perms getsched setsched };
- allow system_cronjob_t self:fd use;
- allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
- allow system_cronjob_t self:passwd rootok;
-
--allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-+# This is to handle creation of files in /var/log directory.
-+# Used currently by rpm script log files
-+allow system_cronjob_t cron_log_t:file manage_file_perms;
- logging_log_filetrans(system_cronjob_t, cron_log_t, file)
-
-+# This is to handle /var/lib/misc directory. Used currently
-+# by prelink var/lib files for cron
- allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
- files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
-
- allow system_cronjob_t cron_var_run_t:file manage_file_perms;
- files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
-
-+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
-+
-+# anacron forces the following
- manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
-
-+# The entrypoint interface is not used as this is not
-+# a regular entrypoint. Since crontab files are
-+# not directly executed, crond must ensure that
-+# the crontab file has a type that is appropriate
-+# for the domain of the user cron job. It
-+# performs an entrypoint permission check
-+# for this purpose.
-+allow system_cronjob_t system_cron_spool_t:file entrypoint;
-+
-+tunable_policy(`cron_system_cronjob_use_shares',`
-+ fs_fusefs_entrypoint(system_cronjob_t)
-+ fs_nfs_entrypoint(system_cronjob_t)
-+ fs_cifs_entrypoint(system_cronjob_t)
-+')
-+
-+# Permit a transition from the crond_t domain to this domain.
-+# The transition is requested explicitly by the modified crond
-+# via setexeccon. There is no way to set up an automatic
-+# transition, since crontabs are configuration files, not executables.
-+allow crond_t system_cronjob_t:process transition;
-+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
-+allow crond_t system_cronjob_t:fd use;
-+allow system_cronjob_t crond_t:fd use;
-+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
-+allow system_cronjob_t crond_t:process sigchld;
-+allow crond_t system_cronjob_t:key manage_key_perms;
-+
-+# Write /var/lock/makewhatis.lock.
- allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
- files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
-
-+# write temporary files
-+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
- manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
- manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
--filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
--files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
-+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
-+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
-
-+# var/lib files for system_crond
-+files_search_var_lib(system_cronjob_t)
- manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-
--allow system_cronjob_t crond_t:fd use;
--allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
--allow system_cronjob_t crond_t:process sigchld;
--
-+# Read from /var/spool/cron.
- allow system_cronjob_t cron_spool_t:dir list_dir_perms;
- allow system_cronjob_t cron_spool_t:file rw_file_perms;
-
-@@ -461,11 +463,11 @@ kernel_read_network_state(system_cronjob_t)
- kernel_read_system_state(system_cronjob_t)
- kernel_read_software_raid_state(system_cronjob_t)
-
-+# ps does not need to access /boot when run from cron
- files_dontaudit_search_boot(system_cronjob_t)
-
- corecmd_exec_all_executables(system_cronjob_t)
-
--corenet_all_recvfrom_unlabeled(system_cronjob_t)
- corenet_all_recvfrom_netlabel(system_cronjob_t)
- corenet_tcp_sendrecv_generic_if(system_cronjob_t)
- corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -485,6 +487,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
- fs_getattr_all_pipes(system_cronjob_t)
- fs_getattr_all_sockets(system_cronjob_t)
-
-+# quiet other ps operations
- domain_dontaudit_read_all_domains_state(system_cronjob_t)
-
- files_exec_etc_files(system_cronjob_t)
-@@ -495,17 +498,22 @@ files_getattr_all_files(system_cronjob_t)
- files_getattr_all_symlinks(system_cronjob_t)
- files_getattr_all_pipes(system_cronjob_t)
- files_getattr_all_sockets(system_cronjob_t)
--files_read_usr_files(system_cronjob_t)
- files_read_var_files(system_cronjob_t)
-+# for nscd:
- files_dontaudit_search_pids(system_cronjob_t)
-+# Access other spool directories like
-+# /var/spool/anacron and /var/spool/slrnpull.
- files_manage_generic_spool(system_cronjob_t)
- files_create_boot_flag(system_cronjob_t)
-
- mls_file_read_to_clearance(system_cronjob_t)
-
- init_domtrans_script(system_cronjob_t)
--init_read_utmp(system_cronjob_t)
- init_use_script_fds(system_cronjob_t)
-+init_read_utmp(system_cronjob_t)
-+init_dontaudit_rw_utmp(system_cronjob_t)
-+# prelink tells init to restart it self, we either need to allow or dontaudit
-+init_telinit(system_cronjob_t)
-
- auth_use_nsswitch(system_cronjob_t)
-
-@@ -516,20 +524,28 @@ logging_read_generic_logs(system_cronjob_t)
- logging_send_audit_msgs(system_cronjob_t)
- logging_send_syslog_msg(system_cronjob_t)
-
--miscfiles_read_localization(system_cronjob_t)
-+miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)
-
- seutil_read_config(system_cronjob_t)
-
-+userdom_manage_tmpfs_files(system_cronjob_t, file)
-+userdom_tmpfs_filetrans(system_cronjob_t, file)
-+
- ifdef(`distro_redhat',`
-+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-+ allow crond_t system_cron_spool_t:file manage_file_perms;
-+
-+ # via redirection of standard out.
- optional_policy(`
- rpm_manage_log(system_cronjob_t)
- ')
- ')
-
-+selinux_get_fs_mount(system_cronjob_t)
-+
- tunable_policy(`cron_can_relabel',`
- seutil_domtrans_setfiles(system_cronjob_t)
- ',`
-- selinux_get_fs_mount(system_cronjob_t)
- selinux_validate_context(system_cronjob_t)
- selinux_compute_access_vector(system_cronjob_t)
- selinux_compute_create_context(system_cronjob_t)
-@@ -539,10 +555,26 @@ tunable_policy(`cron_can_relabel',`
- ')
-
- optional_policy(`
-+ # Needed for certwatch
- apache_exec_modules(system_cronjob_t)
- apache_read_config(system_cronjob_t)
- apache_read_log(system_cronjob_t)
- apache_read_sys_content(system_cronjob_t)
-+ apache_manage_lib(system_cronjob_t)
-+ apache_delete_cache_dirs(system_cronjob_t)
-+ apache_delete_cache_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ bind_read_config(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ cron_generic_log_filetrans_log_insights(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ chronyd_run_chronyc(system_cronjob_t,system_r)
- ')
-
- optional_policy(`
-@@ -551,10 +583,6 @@ optional_policy(`
-
- optional_policy(`
- dbus_system_bus_client(system_cronjob_t)
--
-- optional_policy(`
-- networkmanager_dbus_chat(system_cronjob_t)
-- ')
- ')
-
- optional_policy(`
-@@ -567,6 +595,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ firewalld_dbus_chat(system_cronjob_t)
-+')
-+
-+optional_policy(`
- ftp_read_log(system_cronjob_t)
- ')
-
-@@ -591,6 +623,8 @@ optional_policy(`
- optional_policy(`
- mta_read_config(system_cronjob_t)
- mta_send_mail(system_cronjob_t)
-+ mta_filetrans_admin_home_content(system_cronjob_t)
-+ mta_system_content(system_cron_spool_t)
- ')
-
- optional_policy(`
-@@ -598,7 +632,31 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_dbus_chat(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ pcp_filetrans_named_content(system_cronjob_t)
-+')
-+
-+optional_policy(`
- postfix_read_config(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ prelink_delete_cache(system_cronjob_t)
-+ prelink_manage_lib(system_cronjob_t)
-+ prelink_manage_log(system_cronjob_t)
-+ prelink_read_cache(system_cronjob_t)
-+ prelink_relabel_lib(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ rkhunter_manage_lib_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ rhsmcertd_dbus_chat(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -607,7 +665,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ snapper_dbus_chat(system_cronjob_t)
-+')
-+
-+optional_policy(`
- spamassassin_manage_lib_files(system_cronjob_t)
-+ spamassassin_manage_home_client(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -615,12 +678,27 @@ optional_policy(`
- ')
-
- optional_policy(`
-- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
-+ systemd_dbus_chat_logind(system_cronjob_t)
-+ systemd_dbus_chat_timedated(system_cronjob_t)
-+ systemd_dbus_chat_hostnamed(system_cronjob_t)
-+ systemd_dbus_chat_localed(system_cronjob_t)
-+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(crond_t)
-+ unconfined_domain(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ unconfined_shell_domtrans(crond_t)
-+ unconfined_dbus_send(crond_t)
-+ userdom_filetrans_home_content(crond_t)
- ')
-
- ########################################
- #
--# Cronjob local policy
-+# User cronjobs local policy
- #
-
- allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +706,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
- allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
- allow cronjob_t self:unix_dgram_socket create_socket_perms;
-
-+# The entrypoint interface is not used as this is not
-+# a regular entrypoint. Since crontab files are
-+# not directly executed, crond must ensure that
-+# the crontab file has a type that is appropriate
-+# for the domain of the user cron job. It
-+# performs an entrypoint permission check
-+# for this purpose.
-+allow cronjob_t user_cron_spool_t:file entrypoint;
-+
-+# Permit a transition from the crond_t domain to this domain.
-+# The transition is requested explicitly by the modified crond
-+# via setexeccon. There is no way to set up an automatic
-+# transition, since crontabs are configuration files, not executables.
-+allow crond_t cronjob_t:process transition;
-+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
-+allow crond_t cronjob_t:fd use;
-+allow cronjob_t crond_t:fd use;
-+allow cronjob_t crond_t:fifo_file rw_file_perms;
-+allow cronjob_t crond_t:process sigchld;
-+
- kernel_read_system_state(cronjob_t)
- kernel_read_kernel_sysctls(cronjob_t)
-
-+# ps does not need to access /boot when run from cron
- files_dontaudit_search_boot(cronjob_t)
-
--corenet_all_recvfrom_unlabeled(cronjob_t)
- corenet_all_recvfrom_netlabel(cronjob_t)
- corenet_tcp_sendrecv_generic_if(cronjob_t)
- corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +739,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
- corenet_udp_sendrecv_generic_node(cronjob_t)
- corenet_tcp_sendrecv_all_ports(cronjob_t)
- corenet_udp_sendrecv_all_ports(cronjob_t)
--
--corenet_sendrecv_all_client_packets(cronjob_t)
- corenet_tcp_connect_all_ports(cronjob_t)
--
--corecmd_exec_all_executables(cronjob_t)
-+corenet_sendrecv_all_client_packets(cronjob_t)
-
- dev_read_urand(cronjob_t)
-
- fs_getattr_all_fs(cronjob_t)
-
-+corecmd_exec_all_executables(cronjob_t)
-+
-+# quiet other ps operations
- domain_dontaudit_read_all_domains_state(cronjob_t)
- domain_dontaudit_getattr_all_domains(cronjob_t)
-
- files_exec_etc_files(cronjob_t)
--files_read_etc_runtime_files(cronjob_t)
--files_read_var_files(cronjob_t)
--files_read_usr_files(cronjob_t)
--files_search_spool(cronjob_t)
-+# for nscd:
- files_dontaudit_search_pids(cronjob_t)
-
- libs_exec_lib_files(cronjob_t)
- libs_exec_ld_so(cronjob_t)
-
-+files_read_etc_runtime_files(cronjob_t)
-+files_read_var_files(cronjob_t)
-+files_search_spool(cronjob_t)
-+
- logging_search_logs(cronjob_t)
-
- seutil_read_config(cronjob_t)
-
--miscfiles_read_localization(cronjob_t)
-
- userdom_manage_user_tmp_files(cronjob_t)
- userdom_manage_user_tmp_symlinks(cronjob_t)
- userdom_manage_user_tmp_pipes(cronjob_t)
- userdom_manage_user_tmp_sockets(cronjob_t)
-+# Run scripts in user home directory and access shared libs.
- userdom_exec_user_home_content_files(cronjob_t)
-+# Access user files and dirs.
- userdom_manage_user_home_content_files(cronjob_t)
- userdom_manage_user_home_content_symlinks(cronjob_t)
- userdom_manage_user_home_content_pipes(cronjob_t)
- userdom_manage_user_home_content_sockets(cronjob_t)
-
--tunable_policy(`cron_userdomain_transition',`
-- dontaudit cronjob_t crond_t:fd use;
-- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-- dontaudit cronjob_t crond_t:process sigchld;
--
-- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
--',`
-- allow cronjob_t crond_t:fd use;
-- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-- allow cronjob_t crond_t:process sigchld;
-+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
-
-- allow cronjob_t user_cron_spool_t:file entrypoint;
-+tunable_policy(`fcron_crond',`
-+ allow crond_t user_cron_spool_t:file manage_file_perms;
- ')
-
-+# need a per-role version of this:
-+#optional_policy(`
-+# mono_domtrans(cronjob_t)
-+#')
-+
- optional_policy(`
- nis_use_ypbind(cronjob_t)
- ')
-
-+##############################
-+#
-+# crontab common policy
-+#
-+
-+# is to create the file in the directory under /tmp
-+allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search };
-+allow crontab_domain self:process { getcap setsched signal_perms };
-+allow crontab_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow crontab_domain crond_t:process signal;
-+allow crontab_domain crond_var_run_t:file read_file_perms;
-+
-+corecmd_exec_bin(crontab_domain)
-+corecmd_exec_shell(crontab_domain)
-+
-+# create files in /var/spool/cron
-+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-+files_list_spool(crontab_domain)
-+
-+# crontab signals crond by updating the mtime on the spooldir
-+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-+
-+# for the checks used by crontab -u
-+selinux_dontaudit_search_fs(crontab_domain)
-+
-+fs_getattr_xattr_fs(crontab_domain)
-+fs_manage_cgroup_dirs(crontab_domain)
-+fs_manage_cgroup_files(crontab_domain)
-+
-+domain_use_interactive_fds(crontab_domain)
-+
-+files_dontaudit_search_pids(crontab_domain)
-+
-+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-+
-+auth_rw_var_auth(crontab_domain)
-+
-+logging_send_audit_msgs(crontab_domain)
-+logging_set_loginuid(crontab_domain)
-+
-+init_dontaudit_write_utmp(crontab_domain)
-+init_read_utmp(crontab_domain)
-+init_read_state(crontab_domain)
-+
-+
-+seutil_read_config(crontab_domain)
-+
-+userdom_manage_user_tmp_dirs(crontab_domain)
-+userdom_manage_user_tmp_files(crontab_domain)
-+# Access terminals.
-+userdom_use_inherited_user_terminals(crontab_domain)
-+# Read user crontabs
-+userdom_read_user_home_content_files(crontab_domain)
-+userdom_read_user_home_content_symlinks(crontab_domain)
-+
-+tunable_policy(`fcron_crond',`
-+ # fcron wants an instant update of a crontab change for the administrator
-+ # also crontab does a security check for crontab -u
-+ dontaudit crontab_domain crond_t:process signal;
-+')
-+
-+optional_policy(`
-+ ssh_dontaudit_use_ptys(crontab_domain)
-+')
-+
-+optional_policy(`
-+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
-+ openshift_transition(system_cronjob_t)
-+')
-+
- ########################################
- #
--# Unconfined local policy
-+# Unconfined cronjobs local policy
- #
-
- type unconfined_cronjob_t;
-diff --git a/ctdb.fc b/ctdb.fc
-index 8401fe6f3..84ece3e4a 100644
---- a/ctdb.fc
-+++ b/ctdb.fc
-@@ -1,12 +1,20 @@
- /etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
-
-+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
-+
- /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
-+/usr/sbin/ctdbd_wrapper -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
-+
-+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
-
-+/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
- /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-
- /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
- /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
-
-+
-+/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
- /var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
-
- /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
-diff --git a/ctdb.if b/ctdb.if
-index b25b01d12..06895f39a 100644
---- a/ctdb.if
-+++ b/ctdb.if
-@@ -1,9 +1,178 @@
--## Clustered Database based on Samba Trivial Database.
-+
-+## policy for ctdbd
-+
-+########################################
-+##
-+## Transition to ctdbd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ctdbd_domtrans',`
-+ gen_require(`
-+ type ctdbd_t, ctdbd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
-+')
-+
-+########################################
-+##
-+## Execute ctdbd server in the ctdbd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_initrc_domtrans',`
-+ gen_require(`
-+ type ctdbd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
-+')
-+
-+#######################################
-+##
-+## Allow domain to signal ctdbd.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_signal',`
-+ gen_require(`
-+ type ctdbd_t;
-+ ')
-+ allow $1 ctdbd_t:process signal;
-+')
-+
-+#######################################
-+##
-+## Allow domain to sigchld ctdbd.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_sigchld',`
-+ gen_require(`
-+ type ctdbd_t;
-+ ')
-+ allow $1 ctdbd_t:process sigchld;
-+')
-+
-+########################################
-+##
-+## Read ctdbd's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`ctdbd_read_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+##
-+## Append to ctdbd log files.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ctdbd_append_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+##
-+## Manage ctdbd log files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ctdbd_manage_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+##
-+## Search ctdbd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_search_lib',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read ctdbd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_read_lib_files',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-
- ########################################
- ##
--## Create, read, write, and delete
--## ctdbd lib files.
-+## Manage ctdbd lib files.
- ##
- ##
- ##
-@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
- ')
-
- files_search_var_lib($1)
-- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
- ')
-
--#######################################
-+########################################
- ##
--## Connect to ctdbd with a unix
--## domain stream socket.
-+## Manage ctdbd lib directories.
- ##
- ##
- ##
-@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
- ##
- ##
- #
--interface(`ctdbd_stream_connect',`
-+interface(`ctdbd_manage_lib_dirs',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read ctdbd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_read_pid_files',`
- gen_require(`
-- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
-+ type ctdbd_var_run_t;
- ')
-
- files_search_pids($1)
-- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
-+ allow $1 ctdbd_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Connect to ctdbd over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_stream_connect',`
-+ gen_require(`
-+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
-+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
- ')
-
- ########################################
- ##
--## All of the rules required to
--## administrate an ctdb environment.
-+## All of the rules required to administrate
-+## an ctdbd environment
- ##
- ##
- ##
-@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
- ##
- ##
- #
--interface(`ctdb_admin',`
-+interface(`ctdbd_admin',`
- gen_require(`
-- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
-+ type ctdbd_t, ctdbd_initrc_exec_t;
- type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
- ')
-
-- allow $1 ctdbd_t:process { ptrace signal_perms };
-+ allow $1 ctdbd_t:process signal_perms;
- ps_process_pattern($1, ctdbd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ctdbd_t:process ptrace;
-+ ')
-
-- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
-+ ctdbd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
-@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
- logging_search_logs($1)
- admin_pattern($1, ctdbd_log_t)
-
-- files_search_tmp($1)
-- admin_pattern($1, ctdbd_tmp_t)
--
- files_search_var_lib($1)
- admin_pattern($1, ctdbd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, ctdbd_var_run_t)
- ')
-+
-diff --git a/ctdb.te b/ctdb.te
-index 001b502e6..8f9d0e50f 100644
---- a/ctdb.te
-+++ b/ctdb.te
-@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
- type ctdbd_var_lib_t;
- files_type(ctdbd_var_lib_t)
-
-+type ctdbd_var_t;
-+files_type(ctdbd_var_t)
-+
- type ctdbd_var_run_t;
- files_pid_file(ctdbd_var_run_t)
-
-@@ -32,13 +35,16 @@ files_pid_file(ctdbd_var_run_t)
- # Local policy
- #
-
--allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
--allow ctdbd_t self:process { setpgid signal_perms setsched };
-+allow ctdbd_t self:capability { chown dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource };
-+allow ctdbd_t self:capability2 block_suspend;
-+allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched };
- allow ctdbd_t self:fifo_file rw_fifo_file_perms;
- allow ctdbd_t self:unix_stream_socket { accept connectto listen };
- allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
- allow ctdbd_t self:packet_socket create_socket_perms;
- allow ctdbd_t self:tcp_socket create_stream_socket_perms;
-+allow ctdbd_t self:udp_socket create_socket_perms;
-+allow ctdbd_t self:rawip_socket create_socket_perms;
-
- append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
- create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-@@ -57,12 +63,23 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
- exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
- manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
- manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
--files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
-+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
-+
-+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
-+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
-+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
-+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
-+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
-
- manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
- manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-+manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
- files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
-
-+setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
-+
-+can_exec(ctdbd_t, ctdbd_exec_t)
-+
- kernel_read_network_state(ctdbd_t)
- kernel_read_system_state(ctdbd_t)
- kernel_rw_net_sysctls(ctdbd_t)
-@@ -72,27 +89,38 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
- corenet_tcp_sendrecv_generic_if(ctdbd_t)
- corenet_tcp_sendrecv_generic_node(ctdbd_t)
- corenet_tcp_bind_generic_node(ctdbd_t)
-+corenet_udp_bind_generic_node(ctdbd_t)
-
- corenet_sendrecv_ctdb_server_packets(ctdbd_t)
- corenet_tcp_bind_ctdb_port(ctdbd_t)
-+corenet_udp_bind_ctdb_port(ctdbd_t)
-+corenet_tcp_bind_smbd_port(ctdbd_t)
-+corenet_tcp_connect_ctdb_port(ctdbd_t)
- corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
-+corenet_tcp_connect_gluster_port(ctdbd_t)
-+corenet_tcp_connect_nfs_port(ctdbd_t)
-
- corecmd_exec_bin(ctdbd_t)
- corecmd_exec_shell(ctdbd_t)
-+corecmd_getattr_all_executables(ctdbd_t)
-
- dev_read_sysfs(ctdbd_t)
- dev_read_urand(ctdbd_t)
-
- domain_dontaudit_read_all_domains_state(ctdbd_t)
-
--files_read_etc_files(ctdbd_t)
- files_search_all_mountpoints(ctdbd_t)
-
-+fs_getattr_all_fs(ctdbd_t)
-+
-+auth_use_nsswitch(ctdbd_t)
-+
- logging_send_syslog_msg(ctdbd_t)
-
--miscfiles_read_localization(ctdbd_t)
- miscfiles_read_public_files(ctdbd_t)
-
-+userdom_home_manager(ctdbd_t)
-+
- optional_policy(`
- consoletype_exec(ctdbd_t)
- ')
-@@ -106,9 +134,22 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpc_domtrans_rpcd(ctdbd_t)
-+ rpc_manage_nfs_state_data_dir(ctdbd_t)
-+ rpc_read_nfs_state_data(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ samba_signull_smbd(ctdbd_t)
- samba_initrc_domtrans(ctdbd_t)
- samba_domtrans_net(ctdbd_t)
- samba_rw_var_files(ctdbd_t)
-+ samba_systemctl(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ samba_signull_winbind(ctdbd_t)
-+ samba_signull_unconfined_net(ctdbd_t)
- ')
-
- optional_policy(`
-diff --git a/cups.fc b/cups.fc
-index 949011ec8..8f8bc200a 100644
---- a/cups.fc
-+++ b/cups.fc
-@@ -1,77 +1,92 @@
--/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
--/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
--/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
-
- /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
-
--/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
--
--/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-
--/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
--/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
-
--/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
--/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
--/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
--/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
--/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
--/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
--/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
--/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
--/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-
--/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
--/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-
--/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
--/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
--/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
--/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
--/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
--/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
- /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
- /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
- /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
-
--/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
--/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-
--/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-
- /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-
--/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
-+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
--/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
--/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-
--/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
--/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
--/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
--/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
--/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-+
-+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
-+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
- /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
--/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
--/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+
-+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+
-+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --git a/cups.if b/cups.if
-index 3023be7f6..5afde8039 100644
---- a/cups.if
-+++ b/cups.if
-@@ -70,6 +70,7 @@ interface(`cups_stream_connect',`
-
- files_search_pids($1)
- stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-+ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
- ')
-
- ########################################
-@@ -200,10 +201,13 @@ interface(`cups_dbus_chat_config',`
- interface(`cups_read_config',`
- gen_require(`
- type cupsd_etc_t, cupsd_rw_etc_t;
-+ type hplip_etc_t;
- ')
-
- files_search_etc($1)
-- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
-+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
-+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
-+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
- ')
-
- ########################################
-@@ -306,6 +310,30 @@ interface(`cups_stream_connect_ptal',`
-
- ########################################
- ##
-+## Execute cupsd server in the cupsd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cupsd_systemctl',`
-+ gen_require(`
-+ type cupsd_t;
-+ type cupsd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 cupsd_unit_file_t:file read_file_perms;
-+ allow $1 cupsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cupsd_t)
-+')
-+
-+########################################
-+##
- ## Read the process state (/proc/pid) of cupsd.
- ##
- ##
-@@ -344,18 +372,23 @@ interface(`cups_read_state',`
- interface(`cups_admin',`
- gen_require(`
- type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
-+ type cupsd_etc_t, cupsd_log_t;
- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
- type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
- type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
- type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-- type hplip_t, ptal_t;
-+ type ptal_t;
-+ type cupsd_unit_file_t;
- ')
-
-- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
-- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
-+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
-+ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
- ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
-+ ps_process_pattern($1, { cups_pdf_t ptal_t })
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -368,13 +401,46 @@ interface(`cups_admin',`
- logging_list_logs($1)
- admin_pattern($1, cupsd_log_t)
-
-- files_list_spool($1)
-- admin_pattern($1, cupsd_spool_t)
--
- files_list_tmp($1)
- admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
--
-- files_list_pids($1)
- admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
- admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
-+
-+ cupsd_systemctl($1)
-+ admin_pattern($1, cupsd_unit_file_t)
-+ allow $1 cupsd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Transition to cups named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cups_filetrans_named_content',`
-+ gen_require(`
-+ type cupsd_rw_etc_t;
-+ type cupsd_etc_t;
-+ ')
-+
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
-+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap")
-+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
-+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
- ')
-diff --git a/cups.te b/cups.te
-index c91813ccb..a4f635cb9 100644
---- a/cups.te
-+++ b/cups.te
-@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
- # Declarations
- #
-
--type cupsd_config_t;
-+##
-+##
-+## Allow cups execmem/execstack
-+##
-+##
-+gen_tunable(cups_execmem, false)
-+
-+attribute cups_domain;
-+
-+type cupsd_config_t, cups_domain;
- type cupsd_config_exec_t;
- init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
-
- type cupsd_config_var_run_t;
- files_pid_file(cupsd_config_var_run_t)
-
--type cupsd_t;
-+type cupsd_t, cups_domain;
- type cupsd_exec_t;
-+typealias cupsd_t alias hplip_t;
-+typealias cupsd_exec_t alias hplip_exec_t;
- init_daemon_domain(cupsd_t, cupsd_exec_t)
- mls_trusted_object(cupsd_t)
-
- type cupsd_etc_t;
-+typealias cupsd_etc_t alias hplip_etc_t;
- files_config_file(cupsd_etc_t)
-
- type cupsd_initrc_exec_t;
-@@ -33,13 +45,15 @@ type cupsd_lock_t;
- files_lock_file(cupsd_lock_t)
-
- type cupsd_log_t;
-+typealias cupsd_log_t alias hplip_var_log_t;
- logging_log_file(cupsd_log_t)
-
--type cupsd_lpd_t;
-+type cupsd_var_lib_t alias hplip_var_lib_t;
-+files_type(cupsd_var_lib_t)
-+
-+type cupsd_lpd_t, cups_domain;
- type cupsd_lpd_exec_t;
--domain_type(cupsd_lpd_t)
--domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
--role system_r types cupsd_lpd_t;
-+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
-
- type cupsd_lpd_tmp_t;
- files_tmp_file(cupsd_lpd_tmp_t)
-@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
- type cupsd_lpd_var_run_t;
- files_pid_file(cupsd_lpd_var_run_t)
-
--type cups_pdf_t;
-+type cups_pdf_t, cups_domain;
- type cups_pdf_exec_t;
- cups_backend(cups_pdf_t, cups_pdf_exec_t)
-
-@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
- files_tmp_file(cups_pdf_tmp_t)
-
- type cupsd_tmp_t;
-+typealias cupsd_tmp_t alias hplip_tmp_t;
- files_tmp_file(cupsd_tmp_t)
-
- type cupsd_var_run_t;
-+typealias cupsd_var_run_t alias hplip_var_run_t;
- files_pid_file(cupsd_var_run_t)
- init_daemon_run_dir(cupsd_var_run_t, "cups")
- mls_trusted_object(cupsd_var_run_t)
-
--type hplip_t;
--type hplip_exec_t;
--init_daemon_domain(hplip_t, hplip_exec_t)
--cups_backend(hplip_t, hplip_exec_t)
--
--type hplip_etc_t;
--files_config_file(hplip_etc_t)
--
--type hplip_tmp_t;
--files_tmp_file(hplip_tmp_t)
--
--type hplip_var_lib_t;
--files_type(hplip_var_lib_t)
--
--type hplip_var_run_t;
--files_pid_file(hplip_var_run_t)
-+type cupsd_unit_file_t;
-+systemd_unit_file(cupsd_unit_file_t)
-
- type ptal_t;
- type ptal_exec_t;
-@@ -97,21 +99,50 @@ ifdef(`enable_mls',`
- init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
- ')
-
-+#######################################
-+#
-+# Cups general local policy
-+#
-+
-+allow cups_domain self:capability { setuid setgid sys_nice };
-+allow cups_domain self:process { getsched setsched signal_perms };
-+allow cups_domain self:fifo_file rw_fifo_file_perms;
-+allow cups_domain self:tcp_socket { accept listen };
-+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+kernel_read_kernel_sysctls(cups_domain)
-+kernel_read_network_state(cups_domain)
-+
-+corecmd_exec_bin(cups_domain)
-+corecmd_exec_shell(cups_domain)
-+
-+dev_read_urand(cups_domain)
-+dev_read_rand(cups_domain)
-+dev_read_sysfs(cups_domain)
-+
-+fs_getattr_all_fs(cups_domain)
-+
-+miscfiles_read_fonts(cups_domain)
-+miscfiles_setattr_fonts_cache_dirs(cups_domain)
-+
-+optional_policy(`
-+ lpd_manage_spool(cups_domain)
-+')
-+
- ########################################
- #
- # Cups local policy
- #
-
--allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-+allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search dac_override kill fsetid fowner chown sys_resource sys_tty_config };
- dontaudit cupsd_t self:capability { sys_tty_config net_admin };
--allow cupsd_t self:capability2 block_suspend;
--allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
--allow cupsd_t self:fifo_file rw_fifo_file_perms;
-+allow cupsd_t self:capability2 { block_suspend wake_alarm };
-+allow cupsd_t self:process { getpgid setpgid setsched };
- allow cupsd_t self:unix_stream_socket { accept connectto listen };
- allow cupsd_t self:netlink_selinux_socket create_socket_perms;
-+allow cupsd_t self:socket connect;
- allow cupsd_t self:shm create_shm_perms;
- allow cupsd_t self:sem create_sem_perms;
--allow cupsd_t self:tcp_socket { accept listen };
- allow cupsd_t self:appletalk_socket create_socket_perms;
-
- allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,11 +151,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
- read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
-
- manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
-+can_exec(cupsd_t, cupsd_interface_t)
-
- manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
- manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
- filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
- files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
-+cups_filetrans_named_content(cupsd_t)
-+can_exec(cupsd_t, cupsd_rw_etc_t)
-
- allow cupsd_t cupsd_exec_t:dir search_dir_perms;
- allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -136,22 +170,24 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-
-+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
-+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
-+
- manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
-+manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
--files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
-+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })
-
-+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
- manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
-
--allow cupsd_t hplip_t:process { signal sigkill };
--
--read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
-
--allow cupsd_t hplip_var_run_t:file read_file_perms;
-
- stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
- allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -159,11 +195,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
- can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
-
- kernel_read_system_state(cupsd_t)
--kernel_read_network_state(cupsd_t)
- kernel_read_all_sysctls(cupsd_t)
- kernel_request_load_module(cupsd_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_t)
- corenet_all_recvfrom_netlabel(cupsd_t)
- corenet_tcp_sendrecv_generic_if(cupsd_t)
- corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -186,12 +220,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
- corenet_tcp_bind_all_rpc_ports(cupsd_t)
- corenet_tcp_connect_all_ports(cupsd_t)
-
--corecmd_exec_bin(cupsd_t)
--corecmd_exec_shell(cupsd_t)
-+corenet_sendrecv_hplip_client_packets(cupsd_t)
-+corenet_receive_hplip_server_packets(cupsd_t)
-+corenet_tcp_bind_hplip_port(cupsd_t)
-+corenet_tcp_connect_hplip_port(cupsd_t)
-+corenet_tcp_bind_glance_port(cupsd_t)
-+corenet_tcp_connect_glance_port(cupsd_t)
-+
-+corenet_sendrecv_ipp_client_packets(cupsd_t)
-+corenet_tcp_connect_ipp_port(cupsd_t)
-+
-+corenet_sendrecv_howl_server_packets(cupsd_t)
-+corenet_udp_bind_howl_port(cupsd_t)
-
- dev_rw_printer(cupsd_t)
--dev_read_urand(cupsd_t)
--dev_read_sysfs(cupsd_t)
- dev_rw_input_dev(cupsd_t)
- dev_rw_generic_usb_dev(cupsd_t)
- dev_rw_usbfs(cupsd_t)
-@@ -203,7 +245,6 @@ domain_use_interactive_fds(cupsd_t)
- files_getattr_boot_dirs(cupsd_t)
- files_list_spool(cupsd_t)
- files_read_etc_runtime_files(cupsd_t)
--files_read_usr_files(cupsd_t)
- files_exec_usr_files(cupsd_t)
- # for /var/lib/defoma
- files_read_var_lib_files(cupsd_t)
-@@ -212,17 +253,19 @@ files_read_world_readable_files(cupsd_t)
- files_read_world_readable_symlinks(cupsd_t)
- files_read_var_files(cupsd_t)
- files_read_var_symlinks(cupsd_t)
--files_write_generic_pid_pipes(cupsd_t)
- files_dontaudit_getattr_all_tmp_files(cupsd_t)
- files_dontaudit_list_home(cupsd_t)
- # for /etc/printcap
- files_dontaudit_write_etc_files(cupsd_t)
-+files_dontaudit_write_usr_dirs(cupsd_t)
-
--fs_getattr_all_fs(cupsd_t)
- fs_search_auto_mountpoints(cupsd_t)
- fs_search_fusefs(cupsd_t)
- fs_read_anon_inodefs_files(cupsd_t)
-+fs_rw_anon_inodefs_files(cupsd_t)
-+fs_rw_inherited_tmpfs_files(cupsd_t)
-
-+mls_dbus_send_all_levels(cupsd_t)
- mls_fd_use_all_levels(cupsd_t)
- mls_file_downgrade(cupsd_t)
- mls_file_write_all_levels(cupsd_t)
-@@ -232,6 +275,8 @@ mls_socket_write_all_levels(cupsd_t)
-
- term_search_ptys(cupsd_t)
- term_use_unallocated_ttys(cupsd_t)
-+term_use_ptmx(cupsd_t)
-+term_use_usb_ttys(cupsd_t)
-
- selinux_compute_access_vector(cupsd_t)
- selinux_validate_context(cupsd_t)
-@@ -244,23 +289,33 @@ auth_dontaudit_read_pam_pid(cupsd_t)
- auth_rw_faillog(cupsd_t)
- auth_use_nsswitch(cupsd_t)
-
--libs_read_lib_files(cupsd_t)
- libs_exec_lib_files(cupsd_t)
-+libs_exec_ldconfig(cupsd_t)
-+libs_exec_ld_so(cupsd_t)
-+libs_use_ld_so(cupsd_t)
-+libs_legacy_use_ld_so(cupsd_t)
-
- logging_send_audit_msgs(cupsd_t)
- logging_send_syslog_msg(cupsd_t)
-
--miscfiles_read_localization(cupsd_t)
--miscfiles_read_fonts(cupsd_t)
--miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-+miscfiles_legacy_read_localization(cupsd_t)
-
- seutil_read_config(cupsd_t)
-
- sysnet_exec_ifconfig(cupsd_t)
-+sysnet_dns_name_resolve(cupsd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
-+userdom_dontaudit_search_user_home_dirs(cupsd_t)
-+userdom_dontaudit_search_user_home_content(cupsd_t)
-+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
- userdom_dontaudit_search_user_home_content(cupsd_t)
-
-+tunable_policy(`cups_execmem',`
-+ allow cupsd_t self:process { execmem execstack };
-+')
-+
-+
- optional_policy(`
- apm_domtrans_client(cupsd_t)
- ')
-@@ -272,6 +327,8 @@ optional_policy(`
- optional_policy(`
- dbus_system_bus_client(cupsd_t)
-
-+ init_dbus_chat(cupsd_t)
-+
- userdom_dbus_send_all_users(cupsd_t)
-
- optional_policy(`
-@@ -279,11 +336,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ colord_read_lib_files(cupsd_t)
-+ ')
-+
-+ optional_policy(`
- hal_dbus_chat(cupsd_t)
- ')
-
-+ # talk to processes that do not have policy
- optional_policy(`
- unconfined_dbus_chat(cupsd_t)
-+ files_write_generic_pid_pipes(cupsd_t)
- ')
- ')
-
-@@ -296,8 +359,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
- kerberos_manage_host_rcache(cupsd_t)
-- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
- ')
-
- optional_policy(`
-@@ -306,7 +369,6 @@ optional_policy(`
-
- optional_policy(`
- lpd_exec_lpr(cupsd_t)
-- lpd_manage_spool(cupsd_t)
- lpd_read_config(cupsd_t)
- lpd_relabel_spool(cupsd_t)
- ')
-@@ -316,6 +378,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_dbus_chat(cupsd_t)
-+')
-+
-+optional_policy(`
- samba_read_config(cupsd_t)
- samba_rw_var_files(cupsd_t)
- samba_stream_connect_nmbd(cupsd_t)
-@@ -326,7 +392,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- snmp_read_snmp_var_lib_files(cupsd_t)
-+ snmp_manage_var_lib_files(cupsd_t)
- ')
-
- optional_policy(`
-@@ -334,7 +400,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-- virt_rw_all_image_chr_files(cupsd_t)
-+ virt_rw_chr_files(cupsd_t)
-+')
-+
-+optional_policy(`
-+ vmware_read_system_config(cupsd_t)
- ')
-
- ########################################
-@@ -342,12 +412,11 @@ optional_policy(`
- # Configuration daemon local policy
- #
-
--allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
-+allow cupsd_config_t self:capability { chown dac_read_search sys_tty_config };
- dontaudit cupsd_config_t self:capability sys_tty_config;
--allow cupsd_config_t self:process { getsched signal_perms };
--allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
--allow cupsd_config_t self:tcp_socket { accept listen };
-+allow cupsd_config_t self:process { getsched };
-
-+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
- allow cupsd_config_t cupsd_t:process signal;
- ps_process_pattern(cupsd_config_t, cupsd_t)
-
-@@ -367,23 +436,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
-
- allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
-+allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms;
-
- manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
- manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
-+manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
- files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-
--read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
-+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
-
- stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
- can_exec(cupsd_config_t, cupsd_config_exec_t)
--
--domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-+can_exec(cupsd_config_t, cupsd_exec_t)
-
- kernel_read_system_state(cupsd_config_t)
- kernel_read_all_sysctls(cupsd_config_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_config_t)
- corenet_all_recvfrom_netlabel(cupsd_config_t)
- corenet_tcp_sendrecv_generic_if(cupsd_config_t)
- corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +461,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
- corenet_sendrecv_all_client_packets(cupsd_config_t)
- corenet_tcp_connect_all_ports(cupsd_config_t)
-
--corecmd_exec_bin(cupsd_config_t)
--corecmd_exec_shell(cupsd_config_t)
--
--dev_read_sysfs(cupsd_config_t)
--dev_read_urand(cupsd_config_t)
--dev_read_rand(cupsd_config_t)
- dev_rw_generic_usb_dev(cupsd_config_t)
-
- files_read_etc_runtime_files(cupsd_config_t)
--files_read_usr_files(cupsd_config_t)
- files_read_var_symlinks(cupsd_config_t)
- files_search_all_mountpoints(cupsd_config_t)
-
--fs_getattr_all_fs(cupsd_config_t)
- fs_search_auto_mountpoints(cupsd_config_t)
-
- domain_use_interactive_fds(cupsd_config_t)
-@@ -417,17 +478,16 @@ auth_use_nsswitch(cupsd_config_t)
-
- logging_send_syslog_msg(cupsd_config_t)
-
--miscfiles_read_localization(cupsd_config_t)
--miscfiles_read_hwdata(cupsd_config_t)
--
--seutil_dontaudit_search_config(cupsd_config_t)
--
- userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
- userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
- userdom_read_all_users_state(cupsd_config_t)
- userdom_read_user_tmp_symlinks(cupsd_config_t)
- userdom_rw_user_tmp_files(cupsd_config_t)
-
-+tunable_policy(`cups_execmem',`
-+ allow cupsd_config_t self:process { execmem execstack };
-+')
-+
- optional_policy(`
- term_use_generic_ptys(cupsd_config_t)
- ')
-@@ -449,9 +509,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_dontaudit_read_config(cupsd_config_t)
-+')
-+
-+optional_policy(`
- hal_domtrans(cupsd_config_t)
- hal_read_tmp_files(cupsd_config_t)
-- hal_dontaudit_use_fds(hplip_t)
- ')
-
- optional_policy(`
-@@ -467,6 +530,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ libs_exec_ldconfig(cupsd_config_t)
-+')
-+
-+optional_policy(`
- rpm_read_db(cupsd_config_t)
- ')
-
-@@ -487,10 +554,6 @@ optional_policy(`
- # Lpd local policy
- #
-
--allow cupsd_lpd_t self:capability { setuid setgid };
--allow cupsd_lpd_t self:process signal_perms;
--allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
--allow cupsd_lpd_t self:tcp_socket { accept listen };
- allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-
- allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +571,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
- kernel_read_kernel_sysctls(cupsd_lpd_t)
- kernel_read_system_state(cupsd_lpd_t)
--kernel_read_network_state(cupsd_lpd_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
- corenet_all_recvfrom_netlabel(cupsd_lpd_t)
- corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
- corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
-
- corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
- corenet_tcp_connect_ipp_port(cupsd_lpd_t)
-+corenet_tcp_bind_printer_port(cupsd_lpd_t)
-+corenet_tcp_connect_printer_port(cupsd_lpd_t)
- corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
-
- corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +600,6 @@ auth_use_nsswitch(cupsd_lpd_t)
-
- logging_send_syslog_msg(cupsd_lpd_t)
-
--miscfiles_read_localization(cupsd_lpd_t)
--miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
--
- optional_policy(`
- inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
- ')
-@@ -549,9 +609,12 @@ optional_policy(`
- # Pdf local policy
- #
-
--allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
--allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
-+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search };
- allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
-+allow cups_pdf_t cupsd_rw_etc_t:dir search;
-+
-+
-+allow cups_pdf_t cupsd_etc_t:dir list_dir_perms;
-
- append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
- create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +629,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
-
- kernel_read_system_state(cups_pdf_t)
-
--files_read_usr_files(cups_pdf_t)
--
--corecmd_exec_bin(cups_pdf_t)
--corecmd_exec_shell(cups_pdf_t)
--
- auth_use_nsswitch(cups_pdf_t)
-
--miscfiles_read_localization(cups_pdf_t)
--miscfiles_read_fonts(cups_pdf_t)
--miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
--
- userdom_manage_user_home_content_dirs(cups_pdf_t)
- userdom_manage_user_home_content_files(cups_pdf_t)
--userdom_home_filetrans_user_home_dir(cups_pdf_t)
-+userdom_filetrans_home_content(cups_pdf_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(cups_pdf_t)
- fs_manage_nfs_files(cups_pdf_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(cups_pdf_t)
-- fs_manage_cifs_files(cups_pdf_t)
--')
--
--optional_policy(`
-- lpd_manage_spool(cups_pdf_t)
--')
--
--########################################
--#
--# HPLIP local policy
--#
--
--allow hplip_t self:capability { dac_override dac_read_search net_raw };
--dontaudit hplip_t self:capability sys_tty_config;
--allow hplip_t self:fifo_file rw_fifo_file_perms;
--allow hplip_t self:process signal_perms;
--allow hplip_t self:tcp_socket { accept listen };
--allow hplip_t self:rawip_socket create_socket_perms;
--
--allow hplip_t cupsd_etc_t:dir search_dir_perms;
--
--manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
--manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
--files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
--
--allow hplip_t hplip_etc_t:dir list_dir_perms;
--allow hplip_t hplip_etc_t:file read_file_perms;
--allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
--
--manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
--manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
--
--manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
--files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
--
--manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
--files_pid_filetrans(hplip_t, hplip_var_run_t, file)
--
--stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
--
--kernel_read_system_state(hplip_t)
--kernel_read_kernel_sysctls(hplip_t)
--
--corenet_all_recvfrom_unlabeled(hplip_t)
--corenet_all_recvfrom_netlabel(hplip_t)
--corenet_tcp_sendrecv_generic_if(hplip_t)
--corenet_udp_sendrecv_generic_if(hplip_t)
--corenet_raw_sendrecv_generic_if(hplip_t)
--corenet_tcp_sendrecv_generic_node(hplip_t)
--corenet_udp_sendrecv_generic_node(hplip_t)
--corenet_raw_sendrecv_generic_node(hplip_t)
--corenet_tcp_sendrecv_all_ports(hplip_t)
--corenet_udp_sendrecv_all_ports(hplip_t)
--corenet_tcp_bind_generic_node(hplip_t)
--corenet_udp_bind_generic_node(hplip_t)
--
--corenet_sendrecv_hplip_client_packets(hplip_t)
--corenet_receive_hplip_server_packets(hplip_t)
--corenet_tcp_bind_hplip_port(hplip_t)
--corenet_tcp_connect_hplip_port(hplip_t)
--
--corenet_sendrecv_ipp_client_packets(hplip_t)
--corenet_tcp_connect_ipp_port(hplip_t)
--
--corenet_sendrecv_howl_server_packets(hplip_t)
--corenet_udp_bind_howl_port(hplip_t)
--
--corecmd_exec_bin(hplip_t)
--
--dev_read_sysfs(hplip_t)
--dev_rw_printer(hplip_t)
--dev_read_urand(hplip_t)
--dev_read_rand(hplip_t)
--dev_rw_generic_usb_dev(hplip_t)
--dev_rw_usbfs(hplip_t)
--
--domain_use_interactive_fds(hplip_t)
--
--files_read_etc_files(hplip_t)
--files_read_etc_runtime_files(hplip_t)
--files_read_usr_files(hplip_t)
--
--fs_getattr_all_fs(hplip_t)
--fs_search_auto_mountpoints(hplip_t)
--fs_rw_anon_inodefs_files(hplip_t)
--
--logging_send_syslog_msg(hplip_t)
--
--miscfiles_read_localization(hplip_t)
--
--sysnet_dns_name_resolve(hplip_t)
--
--userdom_dontaudit_use_unpriv_user_fds(hplip_t)
--userdom_dontaudit_search_user_home_dirs(hplip_t)
--userdom_dontaudit_search_user_home_content(hplip_t)
--
--optional_policy(`
-- dbus_system_bus_client(hplip_t)
--
-- optional_policy(`
-- userdom_dbus_send_all_users(hplip_t)
-- ')
--')
--
--optional_policy(`
-- lpd_read_config(hplip_t)
-- lpd_manage_spool(hplip_t)
--')
-+userdom_home_manager(cups_pdf_t)
-
- optional_policy(`
-- seutil_sigchld_newrole(hplip_t)
-+ gnome_read_config(cups_pdf_t)
- ')
-
--optional_policy(`
-- snmp_read_snmp_var_lib_files(hplip_t)
--')
--
--optional_policy(`
-- udev_read_db(hplip_t)
--')
-
- ########################################
- #
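Review bot: `userdom_home_manager(cups_pdf_t)`, added at the end of the hunk, appears to grant broad management of user home content and therefore overlaps the narrower `userdom_manage_user_home_content_dirs(cups_pdf_t)` / `userdom_manage_user_home_content_files(cups_pdf_t)` calls kept a few lines above it, so the policy now states the same access twice at two different widths. For a print-to-PDF backend the narrow grants plus `userdom_filetrans_home_content(cups_pdf_t)` look sufficient; if the wider home-manager access really is needed, the narrow calls should be dropped and a comment such as `# cups-pdf writes output under arbitrary user home content types` should justify it. The exact rules behind `userdom_home_manager` are not visible in this chunk, so confirm against userdomain.if before deciding which pair to keep. The cups_pdf_t local policy block starts before this hunk.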
-@@ -735,7 +673,6 @@ kernel_read_kernel_sysctls(ptal_t)
- kernel_list_proc(ptal_t)
- kernel_read_proc_symlinks(ptal_t)
-
--corenet_all_recvfrom_unlabeled(ptal_t)
- corenet_all_recvfrom_netlabel(ptal_t)
- corenet_tcp_sendrecv_generic_if(ptal_t)
- corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +682,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
- corenet_tcp_bind_ptal_port(ptal_t)
- corenet_tcp_sendrecv_ptal_port(ptal_t)
-
--dev_read_sysfs(ptal_t)
- dev_read_usbfs(ptal_t)
- dev_rw_printer(ptal_t)
-
- domain_use_interactive_fds(ptal_t)
-
--files_read_etc_files(ptal_t)
- files_read_etc_runtime_files(ptal_t)
-
- fs_getattr_all_fs(ptal_t)
-@@ -759,8 +694,6 @@ fs_search_auto_mountpoints(ptal_t)
-
- logging_send_syslog_msg(ptal_t)
-
--miscfiles_read_localization(ptal_t)
--
- sysnet_read_config(ptal_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +706,4 @@ optional_policy(`
- optional_policy(`
- udev_read_db(ptal_t)
- ')
-+
-diff --git a/cvs.fc b/cvs.fc
-index 75c8be90c..4c1a965c0 100644
---- a/cvs.fc
-+++ b/cvs.fc
-@@ -1,13 +1,16 @@
-+HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
-+/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
-+
- /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
-
- /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
-
- /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
-
--/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
-+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
-
- /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
-
- /var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
-
--/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
-+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
-diff --git a/cvs.if b/cvs.if
-index 64775fd37..91a60569c 100644
---- a/cvs.if
-+++ b/cvs.if
-@@ -1,5 +1,23 @@
- ## Concurrent versions system.
-
-+######################################
-+##
-+## Dontaudit Attempts to list the CVS data and metadata.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`cvs_dontaudit_list_data',`
-+ gen_require(`
-+ type cvs_data_t;
-+ ')
-+
-+ dontaudit $1 cvs_data_t:dir list_dir_perms;
-+')
-+
- ########################################
- ##
- ## Read CVS data and metadata content.
-@@ -41,6 +59,24 @@ interface(`cvs_exec',`
-
- ########################################
- ##
-+## Transition to cvs named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cvs_filetrans_home_content',`
-+ gen_require(`
-+ type cvs_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an cvs environment
- ##
-@@ -60,11 +96,17 @@ interface(`cvs_admin',`
- gen_require(`
- type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
- type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
-+ type cvs_home_t;
- ')
-
-- allow $1 cvs_t:process { ptrace signal_perms };
-+ allow $1 cvs_t:process signal_perms;
- ps_process_pattern($1, cvs_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cvs_t:process ptrace;
-+ ')
-+
-+ # Allow cvs_t to restart the apache service
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cvs_initrc_exec_t system_r;
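Review bot: The comment added above `init_labeled_script_domtrans($1, cvs_initrc_exec_t)` is wrong: that interface lets the admin domain `$1` run the cvs init script (with the `role_transition` on the next lines), it does not let cvs_t restart apache, and nothing in this hunk touches apache. Replace it with `# Allow the admin domain to run the cvs init script (domain and role transition)`. The rest of the hunk (signal_perms split out, ptrace gated by `deny_ptrace`) reads correctly. `cvs_admin` continues outside this hunk.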
-@@ -81,4 +123,7 @@ interface(`cvs_admin',`
-
- files_list_pids($1)
- admin_pattern($1, cvs_var_run_t)
-+
-+ userdom_search_user_home_dirs($1)
-+ admin_pattern($1, cvs_home_t)
- ')
-diff --git a/cvs.te b/cvs.te
-index 0f7755005..3e3f3cd61 100644
---- a/cvs.te
-+++ b/cvs.te
-@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
- ## password files.
- ##
- ##
--gen_tunable(allow_cvs_read_shadow, false)
-+gen_tunable(cvs_read_shadow, false)
-
- type cvs_t;
- type cvs_exec_t;
-@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t)
- type cvs_var_run_t;
- files_pid_file(cvs_var_run_t)
-
-+type cvs_home_t;
-+userdom_user_home_content(cvs_home_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow cvs_t self:capability { setuid setgid };
-+allow cvs_t self:capability { dac_read_search setuid setgid };
- allow cvs_t self:process signal_perms;
- allow cvs_t self:fifo_file rw_fifo_file_perms;
- allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- allow cvs_t self:tcp_socket { accept listen };
-
-+userdom_search_user_home_dirs(cvs_t)
-+allow cvs_t cvs_home_t:file read_file_perms;
-+
- manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
- manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
- manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
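Review bot: `dac_read_search` is now granted to cvs_t unconditionally in `allow cvs_t self:capability { dac_read_search setuid setgid };`, while the `cvs_read_shadow` tunable later in the same file also grants that capability; once it is unconditional the tunable no longer controls the capability at all, only the shadow file type access. If the capability is only needed for reading /etc/shadow it should stay inside the tunable, i.e. `allow cvs_t self:capability { setuid setgid };` here; if it is needed for reading `~/.cvsignore` in mode-restricted home directories (the new `userdom_search_user_home_dirs(cvs_t)` / `cvs_home_t:file read_file_perms` rules suggest that), a one-line comment saying so would stop the next reviewer from removing it. This is a flat top-level rule list, not a function.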
-@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
- corecmd_exec_bin(cvs_t)
- corecmd_exec_shell(cvs_t)
-
-+corenet_all_recvfrom_netlabel(cvs_t)
-+corenet_tcp_sendrecv_generic_if(cvs_t)
-+corenet_udp_sendrecv_generic_if(cvs_t)
-+corenet_tcp_sendrecv_generic_node(cvs_t)
-+corenet_udp_sendrecv_generic_node(cvs_t)
-+corenet_tcp_sendrecv_all_ports(cvs_t)
-+corenet_udp_sendrecv_all_ports(cvs_t)
-+corenet_tcp_bind_cvs_port(cvs_t)
-+
- dev_read_urand(cvs_t)
-
- files_read_etc_runtime_files(cvs_t)
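Review bot: `corenet_tcp_sendrecv_all_ports(cvs_t)` and `corenet_udp_sendrecv_all_ports(cvs_t)` widen cvs_t from the cvs port (the hunk header shows `corenet_tcp_sendrecv_cvs_port(cvs_t)` already present) to every labeled port, which is far more than a pserver listening on its own port needs. The new `corenet_tcp_bind_cvs_port(cvs_t)` is the right addition; the two all-ports lines should be dropped, and the UDP sendrecv lines should go with them unless a UDP use is known, since no `self:udp_socket` permission is visible in this chunk. Which ports cvs actually needs beyond cvs_port cannot be determined from the lines shown, so check audit logs before keeping any wider grant. This is a flat top-level rule list, not a function.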
-@@ -86,19 +101,17 @@ auth_use_nsswitch(cvs_t)
-
- init_read_utmp(cvs_t)
-
-+init_dontaudit_read_utmp(cvs_t)
-+
- logging_send_syslog_msg(cvs_t)
- logging_send_audit_msgs(cvs_t)
-
--miscfiles_read_localization(cvs_t)
--
- mta_send_mail(cvs_t)
-
--userdom_dontaudit_search_user_home_dirs(cvs_t)
--
- # cjp: typeattribute doesnt work in conditionals yet
- auth_can_read_shadow_passwords(cvs_t)
--tunable_policy(`allow_cvs_read_shadow',`
-- allow cvs_t self:capability dac_override;
-+tunable_policy(`cvs_read_shadow',`
-+ allow cvs_t self:capability { dac_read_search };
- auth_tunable_read_shadow(cvs_t)
- ')
-
-@@ -116,8 +129,10 @@ optional_policy(`
-
- optional_policy(`
- apache_content_template(cvs)
-+ apache_content_alias_template(cvs, cvs)
-
-- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
-- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-+ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
-+ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-+ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-+ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
- ')
-diff --git a/cyphesis.te b/cyphesis.te
-index 77ffc7355..86e11f5e3 100644
---- a/cyphesis.te
-+++ b/cyphesis.te
-@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
- corecmd_search_bin(cyphesis_t)
- corecmd_getattr_bin_files(cyphesis_t)
-
--corenet_all_recvfrom_unlabeled(cyphesis_t)
- corenet_tcp_sendrecv_generic_if(cyphesis_t)
- corenet_tcp_sendrecv_generic_node(cyphesis_t)
- corenet_tcp_bind_generic_node(cyphesis_t)
-@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
-
- domain_use_interactive_fds(cyphesis_t)
-
--files_read_etc_files(cyphesis_t)
--files_read_usr_files(cyphesis_t)
-
- logging_send_syslog_msg(cyphesis_t)
-
--miscfiles_read_localization(cyphesis_t)
--
- sysnet_dns_name_resolve(cyphesis_t)
-
- optional_policy(`
-diff --git a/cyrus.if b/cyrus.if
-index 83bfda6ed..92d9fb2e7 100644
---- a/cyrus.if
-+++ b/cyrus.if
-@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
- manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
- ')
-
-+#######################################
-+##