From 520d6f23fc5f05827f125d2dc69da846c9499e83 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Wed, 29 May 2013 16:10:13 +0200
Subject: [PATCH] Update to the latest f19
---
policy-rawhide-base.patch | 1619 +++++++++++++++++++++++-----------
policy-rawhide-contrib.patch | 1211 +++++++++++++++----------
selinux-policy.spec | 60 +-
3 files changed, 1917 insertions(+), 973 deletions(-)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 7e6a5788..33979395 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5548,7 +5548,7 @@ index b31c054..3035b45 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..09ccba4 100644
+index 76f285e..e26dfc3 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6339,175 +6339,223 @@ index 76f285e..09ccba4 100644
')
########################################
-@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
+-## Search the sysfs directories.
+## Set the attributes of sysfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Get attributes of sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
-+## Mount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_mount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Unmount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_unmount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Search the sysfs directories.
##
##
-@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',`
+ ##
+@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',`
+ ##
+ ##
+ #
+-interface(`dev_search_sysfs',`
++interface(`dev_setattr_sysfs_dirs',`
+ gen_require(`
type sysfs_t;
')
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
- list_dirs_pattern($1, sysfs_t, sysfs_t)
+- search_dirs_pattern($1, sysfs_t, sysfs_t)
++ allow $1 sysfs_t:dir setattr_dir_perms;
')
-@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ ########################################
+ ##
+-## Do not audit attempts to search sysfs.
++## Get attributes of sysfs filesystems.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_search_sysfs',`
++interface(`dev_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- dontaudit $1 sysfs_t:dir search_dir_perms;
++ allow $1 sysfs_t:filesystem getattr;
+ ')
+
+ ########################################
+ ##
+-## List the contents of the sysfs directories.
++## Mount a filesystem on /sys
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allow access.
+ ##
+ ##
+ #
+-interface(`dev_list_sysfs',`
++interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ allow $1 sysfs_t:dir mounton;
+ ')
+
+ ########################################
+ ##
+-## Write in a sysfs directories.
++## Mount sysfs filesystems.
+ ##
+ ##
+ ##
+@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',`
+ ##
+ ##
+ #
+-# cjp: added for cpuspeed
+-interface(`dev_write_sysfs_dirs',`
++interface(`dev_mount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- allow $1 sysfs_t:dir write;
++ allow $1 sysfs_t:filesystem mount;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write in a sysfs directory.
++## Unmount sysfs filesystems.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_unmount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- dontaudit $1 sysfs_t:dir write;
++ allow $1 sysfs_t:filesystem unmount;
+ ')
########################################
##
-## Create, read, write, and delete sysfs
-## directories.
-+## Read cpu online hardware state information.
++## Search the sysfs directories.
##
-+##
-+##
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##
-+##
##
##
- ## Domain allowed access.
+@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
-interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_read_cpu_online',`
-+ gen_require(`
-+ type cpu_online_t;
-+ ')
-+
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
-+')
-+
-+########################################
-+##
-+## Relabel cpu online hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_cpu_online',`
++interface(`dev_search_sysfs',`
gen_require(`
-+ type cpu_online_t;
type sysfs_t;
')
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ dev_search_sysfs($1)
-+ allow $1 cpu_online_t:file relabel_file_perms;
++ search_dirs_pattern($1, sysfs_t, sysfs_t)
')
-+
########################################
##
- ## Read hardware state information.
-@@ -4016,7 +4445,7 @@ interface(`dev_rw_sysfs',`
+-## Read hardware state information.
++## Do not audit attempts to search sysfs.
+ ##
+-##
+-##
+-## Allow the specified domain to read the contents of
+-## the sysfs filesystem. This filesystem contains
+-## information, parameters, and other settings on the
+-## hardware installed on the system.
+-##
+-##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+-##
+ #
+-interface(`dev_read_sysfs',`
++interface(`dev_dontaudit_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- read_files_pattern($1, sysfs_t, sysfs_t)
+- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ dontaudit $1 sysfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Allow caller to modify hardware state information.
++## List the contents of the sysfs directories.
+ ##
+ ##
+ ##
+@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_sysfs',`
++interface(`dev_list_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- rw_files_pattern($1, sysfs_t, sysfs_t)
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
########################################
##
-## Read and write the TPM device.
-+## Relabel hardware state directories.
++## Write in a sysfs directories.
##
##
##
-@@ -4024,58 +4453,114 @@ interface(`dev_rw_sysfs',`
+@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',`
##
##
#
-interface(`dev_rw_tpm',`
-+interface(`dev_relabel_sysfs_dirs',`
++# cjp: added for cpuspeed
++interface(`dev_write_sysfs_dirs',`
gen_require(`
- type device_t, tpm_device_t;
+ type sysfs_t;
')
- rw_chr_files_pattern($1, device_t, tpm_device_t)
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ allow $1 sysfs_t:dir write;
')
########################################
##
-## Read from pseudo random number generator devices (e.g., /dev/urandom).
-+## Relabel hardware state files
++## Do not audit attempts to write in a sysfs directory.
##
-##
-##
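Review bot: The parameter description of the new `dev_mounton_sysfs` interface reads `## Domain allow access.`, which breaks the wording every sibling interface in this hunk uses; it should be `## Domain allowed access.`. The summary `## Mount a filesystem on /sys` also lacks the trailing period its neighbours carry, so the generated interface documentation will read inconsistently. The rest of the hunk appears to be a reordering of existing sysfs interfaces inside the nested patch rather than a semantic change, so those two lines are the only ones worth touching.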
@@ -6533,27 +6581,172 @@ index 76f285e..09ccba4 100644
-##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-##
#
-interface(`dev_read_urand',`
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_dontaudit_write_sysfs_dirs',`
gen_require(`
- type device_t, urandom_device_t;
+ type sysfs_t;
')
- read_chr_files_pattern($1, device_t, urandom_device_t)
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ dontaudit $1 sysfs_t:dir write;
')
########################################
##
-## Do not audit attempts to read from pseudo
+-## random devices (e.g., /dev/urandom)
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_read_urand',`
++interface(`dev_read_cpu_online',`
+ gen_require(`
+- type urandom_device_t;
++ type cpu_online_t;
+ ')
+
+- dontaudit $1 urandom_device_t:chr_file { getattr read };
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
+ ')
+
+ ########################################
+ ##
+-## Write to the pseudo random device (e.g., /dev/urandom). This
+-## sets the random number generator seed.
++## Relabel cpu online hardware state information.
+ ##
+ ##
+ ##
+@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',`
+ ##
+ ##
+ #
+-interface(`dev_write_urand',`
++interface(`dev_relabel_cpu_online',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type cpu_online_t;
++ type sysfs_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, urandom_device_t)
++ dev_search_sysfs($1)
++ allow $1 cpu_online_t:file relabel_file_perms;
+ ')
+
++
+ ########################################
+ ##
+-## Getattr generic the USB devices.
++## Read hardware state information.
+ ##
+-##
++##
++##
++## Allow the specified domain to read the contents of
++## the sysfs filesystem. This filesystem contains
++## information, parameters, and other settings on the
++## hardware installed on the system.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_read_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ read_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Allow caller to modify hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ rw_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Relabel hardware state directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Relabel hardware state files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_all_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
+## Allow caller to modify hardware state information.
+##
+##
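Review bot: `dev_relabel_cpu_online` still lists `type sysfs_t;` next to `type cpu_online_t;` in its `gen_require`, but its body only touches `cpu_online_t` directly and reaches sysfs through `dev_search_sysfs($1)`, so the extra requirement looks redundant and can be dropped. The added empty `+` line after that interface's closing `')` also leaves two consecutive blank lines before the next `########################################` banner, unlike the single blank line used everywhere else in the file.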
@@ -6632,13 +6825,43 @@ index 76f285e..09ccba4 100644
+########################################
+##
+## Do not audit attempts to read from pseudo
- ## random devices (e.g., /dev/urandom)
- ##
- ##
-@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
-
- ########################################
- ##
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file { getattr read };
++')
++
++########################################
++##
++## Write to the pseudo random device (e.g., /dev/urandom). This
++## sets the random number generator seed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_urand',`
++ gen_require(`
++ type device_t, urandom_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++##
+## Do not audit attempts to write to pseudo
+## random devices (e.g., /dev/urandom)
+##
@@ -6658,10 +6881,13 @@ index 76f285e..09ccba4 100644
+
+########################################
+##
- ## Getattr generic the USB devices.
- ##
- ##
-@@ -4409,9 +4913,9 @@ interface(`dev_rw_usbfs',`
++## Getattr generic the USB devices.
++##
++##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@@ -6673,7 +6899,7 @@ index 76f285e..09ccba4 100644
##
##
##
-@@ -4419,17 +4923,17 @@ interface(`dev_rw_usbfs',`
+@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',`
##
##
#
@@ -6696,7 +6922,7 @@ index 76f285e..09ccba4 100644
##
##
##
-@@ -4437,12 +4941,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',`
##
##
#
@@ -6712,7 +6938,7 @@ index 76f285e..09ccba4 100644
')
########################################
-@@ -4539,6 +5043,134 @@ interface(`dev_write_video_dev',`
+@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',`
########################################
##
@@ -6847,7 +7073,7 @@ index 76f285e..09ccba4 100644
## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5189,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -6872,7 +7098,7 @@ index 76f285e..09ccba4 100644
## Read and write VMWare devices.
##
##
-@@ -4762,6 +5412,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -6899,7 +7125,7 @@ index 76f285e..09ccba4 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5521,943 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -8074,7 +8300,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..8542b3d 100644
+index cf04cb5..5376a48 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8202,7 +8428,7 @@ index cf04cb5..8542b3d 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,271 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8272,6 +8498,10 @@ index cf04cb5..8542b3d 100644
+')
+
+optional_policy(`
++ clock_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ cups_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8348,7 +8578,7 @@ index cf04cb5..8542b3d 100644
+ systemd_login_reboot(unconfined_domain_type)
+ systemd_login_halt(unconfined_domain_type)
+ systemd_login_undefined(unconfined_domain_type)
-+ systemd_filetrans_named_hostname(unconfined_domain_type)
++ systemd_filetrans_named_hostname(unconfined_domain_type)
+')
+
+optional_policy(`
@@ -8360,11 +8590,11 @@ index cf04cb5..8542b3d 100644
+')
+
+optional_policy(`
-+ virt_filetrans_named_content(unconfined_domain_type)
++ ssh_filetrans_admin_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
-+ ssh_filetrans_admin_home_content(unconfined_domain_type)
++ virt_filetrans_named_content(unconfined_domain_type)
+')
+
+selinux_getattr_fs(domain)
@@ -8718,7 +8948,7 @@ index c2c6e05..be423a7 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..92d80ef 100644
+index 64ff4d7..455cc6c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -9147,7 +9377,7 @@ index 64ff4d7..92d80ef 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,6 +1303,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1303,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
@@ -9169,11 +9399,30 @@ index 64ff4d7..92d80ef 100644
+')
+
+########################################
++##
++## Do not audit attempts to read
++## of all security file types.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_all_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file read_file_perms;
++')
++
++########################################
+##
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,10 +1404,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1423,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
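Review bot: The summary of the new `files_dontaudit_read_all_non_security_files` interface says `Do not audit attempts to read of all security file types.`, which contradicts both the interface name and its body, `dontaudit $1 non_security_file_type:file read_file_perms;`; it should read `## Do not audit attempts to read all non-security file types.`. Because this dontaudit spans every type carrying the `non_security_file_type` attribute, any domain that calls it stops producing AVC denials for failed reads of those files, which removes a useful troubleshooting and detection signal; a comment such as `# Suppresses read denials for every non_security_file_type; call only where the denials are confirmed harmless.` above the interface would make that trade-off visible to future callers.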
@@ -9186,7 +9435,7 @@ index 64ff4d7..92d80ef 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1511,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1530,6 @@ interface(`files_list_all',`
########################################
##
@@ -9211,19 +9460,17 @@ index 64ff4d7..92d80ef 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,10 +1754,7 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1773,6 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
--')
-+')
+ ')
#############################################
- ##
-@@ -1583,6 +1891,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1910,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
##
@@ -9248,7 +9495,7 @@ index 64ff4d7..92d80ef 100644
## Set the attributes of all mount points.
##
##
-@@ -1673,6 +1999,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +2018,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -9273,7 +9520,7 @@ index 64ff4d7..92d80ef 100644
## Do not audit attempts to write to mount points.
##
##
-@@ -1691,6 +2035,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +2054,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
##
@@ -9298,7 +9545,7 @@ index 64ff4d7..92d80ef 100644
## List the contents of the root directory.
##
##
-@@ -1874,25 +2236,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2255,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -9330,7 +9577,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -1905,7 +2267,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2286,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -9339,7 +9586,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -1928,6 +2290,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2309,24 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -9364,7 +9611,7 @@ index 64ff4d7..92d80ef 100644
## Get attributes of the /boot directory.
##
##
-@@ -2627,6 +3007,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3026,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -9389,7 +9636,7 @@ index 64ff4d7..92d80ef 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2698,6 +3096,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3115,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -9397,7 +9644,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -2706,7 +3105,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3124,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -9406,7 +9653,7 @@ index 64ff4d7..92d80ef 100644
##
##
#
-@@ -2762,6 +3161,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3180,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -9432,7 +9679,7 @@ index 64ff4d7..92d80ef 100644
## Delete system configuration files in /etc.
##
##
-@@ -2780,6 +3198,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3217,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -9457,7 +9704,7 @@ index 64ff4d7..92d80ef 100644
## Execute generic files in /etc.
##
##
-@@ -2945,24 +3381,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3400,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -9482,7 +9729,7 @@ index 64ff4d7..92d80ef 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3003,9 +3421,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3440,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -9493,7 +9740,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -3013,18 +3429,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3448,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -9515,7 +9762,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -3042,6 +3457,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3476,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -9542,7 +9789,7 @@ index 64ff4d7..92d80ef 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3059,6 +3494,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3513,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -9550,7 +9797,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -3080,6 +3516,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3535,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -9558,7 +9805,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -3132,6 +3569,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3588,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
##
@@ -9584,7 +9831,7 @@ index 64ff4d7..92d80ef 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
-@@ -3208,6 +3664,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3683,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
##
@@ -9610,7 +9857,7 @@ index 64ff4d7..92d80ef 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
##
-@@ -3455,6 +3930,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3949,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -9636,7 +9883,7 @@ index 64ff4d7..92d80ef 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3796,20 +4290,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4309,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -9680,7 +9927,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -4199,58 +4711,225 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,52 +4730,219 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -9733,38 +9980,25 @@ index 64ff4d7..92d80ef 100644
##
#
-interface(`files_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir getattr;
++
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ files_filetrans_system_conf_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Do not audit attempts to get the
--## attributes of the tmp directory (/tmp).
++##
+## File name transition for system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
++##
++#
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
@@ -9894,16 +10128,16 @@ index 64ff4d7..92d80ef 100644
+##
+#
+interface(`files_getattr_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
+ gen_require(`
+ type tmp_t;
+ ')
+
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir getattr;
-+')
-+
-+########################################
-+##
+ allow $1 tmp_t:dir getattr;
+ ')
+
+ ########################################
+ ##
+## Do not audit attempts to check the
+## access on tmp files
+##
@@ -9923,22 +10157,17 @@ index 64ff4d7..92d80ef 100644
+
+########################################
+##
-+## Do not audit attempts to get the
-+## attributes of the tmp directory (/tmp).
-+##
-+##
-+##
+ ## Do not audit attempts to get the
+ ## attributes of the tmp directory (/tmp).
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
- ')
-
- dontaudit $1 tmp_t:dir getattr;
-@@ -4271,6 +4950,7 @@ interface(`files_search_tmp',`
+ ##
+ ##
+ #
+@@ -4271,6 +4969,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -9946,7 +10175,7 @@ index 64ff4d7..92d80ef 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4307,6 +4987,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5006,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -9954,7 +10183,7 @@ index 64ff4d7..92d80ef 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4316,7 +4997,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5016,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -9963,7 +10192,7 @@ index 64ff4d7..92d80ef 100644
##
##
#
-@@ -4328,6 +5009,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5028,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -9989,7 +10218,7 @@ index 64ff4d7..92d80ef 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4343,6 +5043,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5062,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -9997,7 +10226,7 @@ index 64ff4d7..92d80ef 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4384,6 +5085,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5104,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -10030,7 +10259,7 @@ index 64ff4d7..92d80ef 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4438,6 +5165,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,6 +5184,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -10073,7 +10302,7 @@ index 64ff4d7..92d80ef 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4456,6 +5219,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4456,6 +5238,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -10134,7 +10363,7 @@ index 64ff4d7..92d80ef 100644
## List all tmp directories.
##
##
-@@ -4501,7 +5318,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4501,7 +5337,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -10143,7 +10372,7 @@ index 64ff4d7..92d80ef 100644
##
##
#
-@@ -4561,7 +5378,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5397,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -10152,124 +10381,52 @@ index 64ff4d7..92d80ef 100644
##
##
#
-@@ -4593,59 +5410,107 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5429,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
+## Do not audit attempts to read or write
+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_tmp_filetrans',`
++##
++##
++#
+interface(`files_dontaudit_tmp_file_leaks',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
++ ')
++
+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
++')
++
++########################################
++##
+## Do allow attempts to read or write
+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_purge_tmp',`
++##
++##
++#
+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
++ gen_require(`
++ attribute tmpfile;
++ ')
++
+ allow $1 tmpfile:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_tmp_filetrans',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Delete the contents of /tmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_purge_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
- delete_files_pattern($1, tmpfile, tmpfile)
+ ## Create an object in the tmp directories, with a private
+ ## type using a type transition.
+ ##
+@@ -4646,6 +5520,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
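Review bot: `files_rw_tmp_file_leaks` documents its parameter as `## Domain to not audit.` and its summary as `## Do allow attempts to read or write all leaked tmpfiles files.`, but the body is an `allow` rule, not a `dontaudit`; the parameter line should be `## Domain allowed access.` and the summary `## Allow reading and writing all leaked tmp files.`. The companion `files_dontaudit_tmp_file_leaks` directly above it is worded correctly, which suggests the text was copied without adjustment. The allow grants `rw_inherited_file_perms` on every `tmpfile`-attributed type, so it is a considerably broader grant than a domain's own private tmp type and is best reserved for domains that genuinely inherit leaked descriptors.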
@@ -10286,32 +10443,67 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -5223,6 +6088,24 @@ interface(`files_list_var',`
+@@ -5223,26 +6107,26 @@ interface(`files_list_var',`
########################################
##
+-## Create, read, write, and delete directories
+-## in the /var directory.
+## Do not audit listing of the var directory (/var).
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_var_dirs',`
+interface(`files_dontaudit_list_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+- allow $1 var_t:dir manage_dir_perms;
++ dontaudit $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read files in the /var directory.
++## Create, read, write, and delete directories
++## in the /var directory.
+ ##
+ ##
+ ##
+@@ -5250,7 +6134,25 @@ interface(`files_manage_var_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_var_files',`
++interface(`files_manage_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
-+ dontaudit $1 var_t:dir list_dir_perms;
++ allow $1 var_t:dir manage_dir_perms;
+')
+
+########################################
+##
- ## Create, read, write, and delete directories
- ## in the /var directory.
- ##
-@@ -5578,6 +6461,25 @@ interface(`files_read_var_lib_symlinks',`
++## Read files in the /var directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+@@ -5578,6 +6480,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -10337,7 +10529,7 @@ index 64ff4d7..92d80ef 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5623,7 +6525,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6544,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -10346,7 +10538,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -5631,12 +6533,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6552,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -10362,7 +10554,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -5654,6 +6557,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6576,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -10370,7 +10562,7 @@ index 64ff4d7..92d80ef 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5680,7 +6584,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6603,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -10398,7 +10590,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -5688,13 +6611,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6630,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -10415,7 +10607,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -5713,7 +6635,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6654,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -10424,7 +10616,7 @@ index 64ff4d7..92d80ef 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5746,7 +6668,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6687,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -10432,7 +10624,7 @@ index 64ff4d7..92d80ef 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5774,8 +6695,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5774,8 +6714,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -10442,7 +10634,7 @@ index 64ff4d7..92d80ef 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5791,13 +6711,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6730,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -10460,7 +10652,7 @@ index 64ff4d7..92d80ef 100644
')
########################################
-@@ -5816,9 +6735,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6754,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -10471,7 +10663,7 @@ index 64ff4d7..92d80ef 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5860,8 +6777,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6796,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -10481,7 +10673,7 @@ index 64ff4d7..92d80ef 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6799,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6818,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -10491,7 +10683,7 @@ index 64ff4d7..92d80ef 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6836,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6855,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -10501,7 +10693,7 @@ index 64ff4d7..92d80ef 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5961,7 +6875,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +6894,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -10510,7 +10702,7 @@ index 64ff4d7..92d80ef 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5981,10 +6895,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +6914,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -10559,7 +10751,7 @@ index 64ff4d7..92d80ef 100644
########################################
##
## Do not audit attempts to search
-@@ -6007,6 +6959,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6978,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -10585,7 +10777,7 @@ index 64ff4d7..92d80ef 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6021,7 +6992,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7011,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -10594,7 +10786,7 @@ index 64ff4d7..92d80ef 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6040,7 +7011,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7030,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -10603,7 +10795,7 @@ index 64ff4d7..92d80ef 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6060,7 +7031,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7050,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -10612,7 +10804,7 @@ index 64ff4d7..92d80ef 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6122,7 +7093,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7112,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -10620,7 +10812,7 @@ index 64ff4d7..92d80ef 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6164,7 +7134,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7153,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -10629,7 +10821,7 @@ index 64ff4d7..92d80ef 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6231,55 +7201,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7220,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -10692,7 +10884,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -6287,42 +7245,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7264,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -10742,7 +10934,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -6330,18 +7281,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7300,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -10766,7 +10958,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -6349,37 +7300,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7319,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -10818,7 +11010,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -6387,18 +7341,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7360,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -10841,7 +11033,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -6406,18 +7359,18 @@ interface(`files_list_spool',`
+@@ -6406,18 +7378,18 @@ interface(`files_list_spool',`
##
##
#
@@ -10865,7 +11057,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -6425,19 +7378,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,19 +7397,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -10890,7 +11082,7 @@ index 64ff4d7..92d80ef 100644
##
##
##
-@@ -6445,29 +7397,296 @@ interface(`files_read_generic_spool',`
+@@ -6445,55 +7416,43 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -10921,44 +11113,77 @@ index 64ff4d7..92d80ef 100644
-##
-## Type to which the created node will be transitioned.
-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+##
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_delete_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6501,64 +7460,814 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-+
+
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+########################################
+##
+## Make the specified type a file
@@ -11194,13 +11419,105 @@ index 64ff4d7..92d80ef 100644
+##
+## Type to which the created node will be transitioned.
+##
- ##
- ##
- ##
-@@ -6562,3 +7781,467 @@ interface(`files_unconfined',`
++##
++##
++##
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_spool_filetrans',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++##
++## Allow access to manage all polyinstantiated
++## directories on the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_polyinstantiate_all',`
++ gen_require(`
++ attribute polydir, polymember, polyparent;
++ type poly_t;
++ ')
++
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
+ allow $1 polyparent:dir { getattr mounton };
- typeattribute $1 files_unconfined_type;
- ')
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
++')
++
++########################################
++##
++## Unconfined access to files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_unconfined',`
++ gen_require(`
++ attribute files_unconfined_type;
++ ')
++
++ typeattribute $1 files_unconfined_type;
++')
+
+########################################
+##
@@ -11326,10 +11643,15 @@ index 64ff4d7..92d80ef 100644
+ gen_require(`
+ attribute tmpfsfile;
+ ')
-+
+
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+ allow $1 tmpfsfile:file { read write };
+')
-+
+
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+########################################
+##
+## Do not audit attempts to read security files
@@ -11344,7 +11666,13 @@ index 64ff4d7..92d80ef 100644
+ gen_require(`
+ attribute security_file_type;
+ ')
-+
+
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+ dontaudit $1 security_file_type:file read_file_perms;
+')
+
@@ -11366,32 +11694,36 @@ index 64ff4d7..92d80ef 100644
+interface(`files_rw_all_inherited_files',`
+ gen_require(`
+ attribute file_type;
-+ ')
+ ')
+
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unconfined access to files.
+## Allow any file point to be the entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`files_unconfined',`
+interface(`files_entrypoint_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute files_unconfined_type;
+ attribute file_type;
-+ ')
+ ')
+ allow $1 file_type:file entrypoint;
+')
-+
+
+- typeattribute $1 files_unconfined_type;
+########################################
+##
+## Do not audit attempts to rw inherited file perms
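Review bot: The summary `## Allow any file point to be the entrypoint of this domain` above `files_entrypoint_all_files` reads "file point" where "file type" is evidently meant, since the body is `allow $1 file_type:file entrypoint;`; `## Allow any file type to be the entrypoint of this domain` is the fix. The same interface also lacks the blank line between the closing `')` of `gen_require` and the allow rule that every sibling interface in this hunk keeps, so the two-line body reads as part of the require block. Both are pre-existing lines that this hunk carries onto the new side; the fix is doc/whitespace only.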
@@ -11518,6 +11850,7 @@ index 64ff4d7..92d80ef 100644
+#
+interface(`files_filetrans_named_content',`
+ gen_require(`
++ type etc_t;
+ type mnt_t;
+ type usr_t;
+ type tmp_t;
@@ -11540,6 +11873,12 @@ index 64ff4d7..92d80ef 100644
+ files_root_filetrans($1, tmp_t, dir, "sandbox")
+ files_root_filetrans($1, tmp_t, dir, "tmp")
+ files_root_filetrans($1, var_t, dir, "nsr")
++ files_etc_filetrans($1, etc_t, file, "system-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "postlogin-ac")
++ files_etc_filetrans($1, etc_t, file, "password-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
++ files_etc_filetrans($1, etc_t, file, "hwdb.bin")
+ files_etc_filetrans_etc_runtime($1, file, "runtime")
+ files_etc_filetrans_etc_runtime($1, dir, "blkid")
+ files_etc_filetrans_etc_runtime($1, dir, "cmtab")
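Review bot: The six new `files_etc_filetrans($1, etc_t, file, …)` lines for the `*-auth-ac` PAM stacks and `hwdb.bin` carry no comment saying why these names must be pinned to etc_t, and a reader cannot tell whether they are exceptions to the `files_etc_filetrans_etc_runtime` transitions the same interface sets up for `runtime`, `blkid` and `cmtab` or a fix for some other caller. A one-line comment above the group would settle it, e.g. `# authconfig-generated PAM stacks and udev's hwdb.bin must keep the etc_t label (presumably not etc_runtime_t) -- confirm intent`. The matching `type etc_t;` added to `gen_require` in the preceding hunk is the declaration these lines depend on. `files_filetrans_named_content` starts and ends outside this hunk.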
@@ -11579,7 +11918,7 @@ index 64ff4d7..92d80ef 100644
+ ')
+ files_type($1)
+ typeattribute $1 base_file_type;
-+')
+ ')
+
+########################################
+##
@@ -13176,7 +13515,7 @@ index 8416beb..0776923 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..698aaee 100644
+index 9e603f5..e0209df 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@@ -13236,7 +13575,14 @@ index 9e603f5..698aaee 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -125,6 +139,10 @@ type oprofilefs_t;
+@@ -119,12 +133,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
++files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+
+ type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
@@ -13247,7 +13593,7 @@ index 9e603f5..698aaee 100644
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
-@@ -145,11 +163,6 @@ fs_type(spufs_t)
+@@ -145,11 +164,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -13259,7 +13605,7 @@ index 9e603f5..698aaee 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -167,6 +180,8 @@ type vxfs_t;
+@@ -167,6 +181,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -13268,7 +13614,7 @@ index 9e603f5..698aaee 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +191,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +192,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -13277,7 +13623,7 @@ index 9e603f5..698aaee 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +272,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +273,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -13286,7 +13632,7 @@ index 9e603f5..698aaee 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +293,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +294,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -13921,7 +14267,7 @@ index 649e458..cc924ae 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..b5b2f00 100644
+index 6fac350..1470f08 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -14102,7 +14448,18 @@ index 6fac350..b5b2f00 100644
')
optional_policy(`
-@@ -334,7 +390,6 @@ optional_policy(`
+@@ -312,6 +368,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ plymouthd_create_log(kernel_t)
++')
++
++optional_policy(`
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # to just give it everything.
+ allow kernel_t self:tcp_socket create_stream_socket_perms;
+@@ -334,7 +394,6 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
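Review bot: The new `optional_policy` block that calls `plymouthd_create_log(kernel_t)` has no comment explaining why the kernel domain itself needs to create plymouth's log, whereas the adjacent nfs block carries a two-line rationale in the same file. If the reason is that early-boot processes still run as kernel_t before the initial domain transition, a comment such as `# early-boot plymouthd still runs as kernel_t; let it create its log -- confirm` would record that assumption for the next maintainer. The enclosing run of `optional_policy` blocks continues outside this hunk.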
@@ -14110,7 +14467,7 @@ index 6fac350..b5b2f00 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +398,7 @@ optional_policy(`
+@@ -343,9 +402,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -14121,7 +14478,7 @@ index 6fac350..b5b2f00 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +407,7 @@ optional_policy(`
+@@ -354,7 +411,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -14130,7 +14487,7 @@ index 6fac350..b5b2f00 100644
')
')
-@@ -367,6 +420,15 @@ optional_policy(`
+@@ -367,6 +424,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -14146,7 +14503,7 @@ index 6fac350..b5b2f00 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +471,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +475,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@@ -16500,7 +16857,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..4cc476f 100644
+index 88d0028..45f4d0a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
@@ -16628,7 +16985,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -110,6 +145,10 @@ optional_policy(`
+@@ -110,11 +145,17 @@ optional_policy(`
')
optional_policy(`
@@ -16639,7 +16996,14 @@ index 88d0028..4cc476f 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +161,19 @@ optional_policy(`
+ optional_policy(`
+ clock_run(sysadm_t, sysadm_r)
++ clock_manage_adjtime(sysadm_t)
++ clock_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -122,11 +163,19 @@ optional_policy(`
')
optional_policy(`
@@ -16661,7 +17025,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -140,6 +187,10 @@ optional_policy(`
+@@ -140,6 +189,10 @@ optional_policy(`
')
optional_policy(`
@@ -16672,7 +17036,7 @@ index 88d0028..4cc476f 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +207,11 @@ optional_policy(`
+@@ -156,11 +209,11 @@ optional_policy(`
')
optional_policy(`
@@ -16686,7 +17050,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -179,6 +230,13 @@ optional_policy(`
+@@ -179,6 +232,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -16700,7 +17064,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -186,15 +244,20 @@ optional_policy(`
+@@ -186,15 +246,20 @@ optional_policy(`
')
optional_policy(`
@@ -16724,7 +17088,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -214,22 +277,20 @@ optional_policy(`
+@@ -214,22 +279,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -16753,7 +17117,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -241,14 +302,27 @@ optional_policy(`
+@@ -241,14 +304,27 @@ optional_policy(`
')
optional_policy(`
@@ -16781,7 +17145,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -256,10 +330,20 @@ optional_policy(`
+@@ -256,10 +332,20 @@ optional_policy(`
')
optional_policy(`
@@ -16802,7 +17166,7 @@ index 88d0028..4cc476f 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +354,36 @@ optional_policy(`
+@@ -270,31 +356,36 @@ optional_policy(`
')
optional_policy(`
@@ -16846,7 +17210,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -319,12 +408,18 @@ optional_policy(`
+@@ -319,12 +410,18 @@ optional_policy(`
')
optional_policy(`
@@ -16866,7 +17230,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -349,7 +444,18 @@ optional_policy(`
+@@ -349,7 +446,18 @@ optional_policy(`
')
optional_policy(`
@@ -16886,7 +17250,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -360,19 +466,15 @@ optional_policy(`
+@@ -360,19 +468,15 @@ optional_policy(`
')
optional_policy(`
@@ -16908,7 +17272,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -384,10 +486,6 @@ optional_policy(`
+@@ -384,10 +488,6 @@ optional_policy(`
')
optional_policy(`
@@ -16919,7 +17283,7 @@ index 88d0028..4cc476f 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +493,9 @@ optional_policy(`
+@@ -395,6 +495,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -16929,7 +17293,7 @@ index 88d0028..4cc476f 100644
')
optional_policy(`
-@@ -402,31 +503,34 @@ optional_policy(`
+@@ -402,31 +505,34 @@ optional_policy(`
')
optional_policy(`
@@ -16970,7 +17334,7 @@ index 88d0028..4cc476f 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +543,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +545,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -16981,7 +17345,7 @@ index 88d0028..4cc476f 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +563,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +565,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17740,10 +18104,10 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..699d0dd
+index 0000000..c8f13da
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,336 @@
+@@ -0,0 +1,329 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -17768,13 +18132,6 @@ index 0000000..699d0dd
+
+##
+##
-+## Allow video playing tools to run unconfined
-+##
-+##
-+gen_tunable(unconfined_mplayer, false)
-+
-+##
-+##
+## Allow a user to login as an unconfined domain
+##
+##
@@ -20120,7 +20477,7 @@ index 5fc0391..b87b076 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..3be3d00 100644
+index d1f64a0..97140ee 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -20182,7 +20539,7 @@ index d1f64a0..3be3d00 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -20210,6 +20567,7 @@ index d1f64a0..3be3d00 100644
+
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/razor-lightdm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -20220,7 +20578,7 @@ index d1f64a0..3be3d00 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +127,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +128,49 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -23407,7 +23765,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..5188076 100644
+index 3efd5b6..c7f52c2 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -23429,11 +23787,12 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -53,10 +59,12 @@ interface(`auth_use_pam',`
+@@ -53,10 +59,13 @@ interface(`auth_use_pam',`
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
- auth_rw_faillog($1)
++ auth_create_lastlog($1)
+ auth_manage_faillog($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
@@ -23443,7 +23802,7 @@ index 3efd5b6..5188076 100644
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
-@@ -78,8 +86,19 @@ interface(`auth_use_pam',`
+@@ -78,8 +87,19 @@ interface(`auth_use_pam',`
')
optional_policy(`
@@ -23463,7 +23822,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -95,48 +114,21 @@ interface(`auth_use_pam',`
+@@ -95,48 +115,21 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@@ -23518,7 +23877,7 @@ index 3efd5b6..5188076 100644
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
-@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
+@@ -146,18 +139,43 @@ interface(`auth_login_pgm_domain',`
mls_fd_share_all_levels($1)
auth_use_pam($1)
@@ -23570,7 +23929,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +249,25 @@ interface(`auth_domtrans_login_program',`
########################################
##
@@ -23596,7 +23955,7 @@ index 3efd5b6..5188076 100644
## Execute a login_program in the target domain,
## with a range transition.
##
-@@ -395,6 +431,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,6 +432,8 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -23605,7 +23964,7 @@ index 3efd5b6..5188076 100644
pcscd_read_pid_files($1)
pcscd_stream_connect($1)
')
-@@ -402,6 +440,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +441,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -23614,7 +23973,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -448,6 +488,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +489,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -23640,7 +23999,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -467,7 +526,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +527,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -23648,7 +24007,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -664,6 +722,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +723,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -23659,7 +24018,7 @@ index 3efd5b6..5188076 100644
')
#######################################
-@@ -763,7 +825,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +826,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -23711,8 +24070,30 @@ index 3efd5b6..5188076 100644
')
#######################################
-@@ -826,7 +931,7 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +930,29 @@ interface(`auth_rw_lastlog',`
+ allow $1 lastlog_t:file { rw_file_perms lock setattr };
+ ')
++#######################################
++##
++## Manage create logins log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_create_lastlog',`
++ gen_require(`
++ type lastlog_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 lastlog_t:file create;
++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
++')
++
########################################
##
-## Execute pam programs in the pam domain.
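Review bot: The summary of `auth_create_lastlog` reads `## Manage create logins log.`, which does not match what the interface grants — only `create` on `lastlog_t:file` plus the named transition for `lastlog`, with no read or write. Suggest `## Create the lastlog file (/var/log/lastlog) through a named file transition; read/write is granted separately by auth_rw_lastlog.` Tying the transition to the literal name `lastlog` is the right shape, since it keeps a caller from turning arbitrary new files under /var/log into lastlog_t.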
@@ -23720,7 +24101,7 @@ index 3efd5b6..5188076 100644
##
##
##
-@@ -834,12 +939,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +960,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -23751,7 +24132,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -854,15 +974,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +995,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -23770,7 +24151,7 @@ index 3efd5b6..5188076 100644
##
##
##
-@@ -875,13 +995,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1016,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -23808,7 +24189,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -959,9 +1099,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1120,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -23842,7 +24223,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1040,6 +1201,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1222,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -23853,7 +24234,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1176,6 +1341,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1362,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -23861,7 +24242,7 @@ index 3efd5b6..5188076 100644
')
#######################################
-@@ -1576,6 +1742,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1763,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -23887,7 +24268,7 @@ index 3efd5b6..5188076 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1911,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1932,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -23913,7 +24294,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1767,11 +1935,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1956,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -23930,7 +24311,7 @@ index 3efd5b6..5188076 100644
')
########################################
-@@ -1805,3 +1975,219 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1996,219 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -24600,6 +24981,51 @@ index c5e05ca..c9ddbee 100644
+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
+index d475c2d..55305d5 100644
+--- a/policy/modules/system/clock.if
++++ b/policy/modules/system/clock.if
+@@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',`
+ allow $1 adjtime_t:file rw_file_perms;
+ files_list_etc($1)
+ ')
++
++########################################
++##
++## Manage clock drift adjustments.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clock_manage_adjtime',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ allow $1 adjtime_t:file manage_file_perms;
++ files_list_etc($1)
++')
++
++########################################
++##
++## Transition to systemd clock content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clock_filetrans_named_content',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
++')
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 3694bfe..7fcd27a 100644
--- a/policy/modules/system/clock.te
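Review bot: `clock_filetrans_named_content` is documented as `## Transition to systemd clock content`, but nothing in the interface is systemd-specific and it labels only a file named `adjtime`; suggest `## Label a file named "adjtime" created by the caller in /etc as adjtime_t.` The stray space in `files_etc_filetrans($1, adjtime_t, file, "adjtime" )` should also go. Note that the paired `clock_manage_adjtime` grants `manage_file_perms` (create, unlink, rename) rather than read/write only, so the two interfaces together are for a caller that replaces /etc/adjtime rather than edits it in place; the summary could say so.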
@@ -27639,19 +28065,20 @@ index dd3be8d..969bda2 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..626a689 100644
+index 662e79b..93aad6f 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,6 +1,8 @@
+@@ -1,13 +1,17 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+
- /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-@@ -8,6 +10,8 @@
+
/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
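Review bot: The new pattern `/etc/ipsec\.secrets.*` is implicitly anchored at both ends, so the trailing `.*` matches any regular file whose name merely begins with `ipsec.secrets` (`ipsec.secrets.rpmsave`, but equally `ipsec.secretsfoo`). If the intent is the main file plus dotted variants, `/etc/ipsec\.secrets(\..*)?` states that precisely. Over-matching here fails toward the more restrictive label, so this is a precision point rather than an exposure.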
@@ -27673,11 +28100,80 @@ index 662e79b..626a689 100644
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+@@ -39,3 +45,5 @@
+
+ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
++/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..3375525 100644
+index 0d4c8d3..a89c4a2 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
-@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',`
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+ ')
+
++#######################################
++##
++## Allow to create OBJECT in /etc with ipsec_key_file_t.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_filetrans_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ files_etc_filetrans($1, ipsec_key_file_t, file)
++')
++
++#######################################
++##
++## Allow to manage ipsec key files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_manage_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++')
++
++########################################
++##
++## Read the ipsec_mgmt_var_run_t files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_mgmt_read_pid',`
++ gen_require(`
++ type ipsec_mgmt_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
++')
++
++
+ ########################################
+ ##
+ ## Connect to racoon using a unix domain stream socket.
+@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',`
##
##
#
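Review bot: `ipsec_filetrans_key_file` calls `files_etc_filetrans($1, ipsec_key_file_t, file)` with no file name, so every regular file the caller creates in an etc_t directory is born as ipsec_key_file_t, and an unnamed transition for the same (domain, etc_t, file) triple conflicts with any other unnamed /etc transition the same caller is given. The clock.if and logging.if hunks in this commit use named transitions (`"adjtime"`, `"syslog.conf"`); this one should too, e.g. `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")`, adding names as needed to match the fc pattern `/etc/ipsec\.secrets.*`. The summary `## Allow to create OBJECT in /etc with ipsec_key_file_t.` is an unfilled template — say `## Create files in /etc labeled ipsec_key_file_t.` Also drop one of the two blank lines before the `Connect to racoon` header.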
@@ -27685,7 +28181,7 @@ index 0d4c8d3..3375525 100644
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',`
##
##
#
@@ -27693,7 +28189,7 @@ index 0d4c8d3..3375525 100644
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',`
##
##
#
@@ -27701,7 +28197,7 @@ index 0d4c8d3..3375525 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',`
allow $1 ipsec_mgmt_t:process sigkill;
')
@@ -27762,7 +28258,7 @@ index 0d4c8d3..3375525 100644
######################################
##
## Send and receive messages from
-@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@@ -27770,7 +28266,7 @@ index 0d4c8d3..3375525 100644
')
########################################
-@@ -369,3 +421,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -29058,7 +29554,7 @@ index c04ac46..e06286c 100644
- nscd_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..286351e 100644
+index b50c5fe..2faaaf2 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,10 +2,13 @@
@@ -29102,7 +29598,7 @@ index b50c5fe..286351e 100644
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,13 +54,14 @@ ifdef(`distro_suse', `
+@@ -38,13 +54,13 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -29112,13 +29608,13 @@ index b50c5fe..286351e 100644
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
- /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -53,6 +70,7 @@ ifndef(`distro_gentoo',`
+@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',`
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -29126,7 +29622,7 @@ index b50c5fe..286351e 100644
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -65,11 +83,16 @@ ifdef(`distro_redhat',`
+@@ -65,11 +82,16 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -29145,7 +29641,7 @@ index b50c5fe..286351e 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..23894f4 100644
+index 4e94884..5481f47 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -29518,7 +30014,7 @@ index 4e94884..23894f4 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1085,3 +1323,29 @@ interface(`logging_admin',`
+@@ -1085,3 +1323,33 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -29538,6 +30034,7 @@ index 4e94884..23894f4 100644
+ type var_log_t;
+ type audit_spool_t;
+ type syslogd_var_run_t;
++ type syslog_conf_t;
+ ')
+
+ files_pid_filetrans($1, syslogd_var_run_t, dir, "log")
@@ -29546,6 +30043,9 @@ index 4e94884..23894f4 100644
+ files_spool_filetrans($1, audit_spool_t, dir, "audit")
+ files_var_filetrans($1, var_log_t, dir, "webmin")
+
++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
++
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
@@ -33326,7 +33826,7 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..b44bb0c 100644
+index 346a7cc..42a48b6 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
@@ -33372,11 +33872,12 @@ index 346a7cc..b44bb0c 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -72,3 +87,5 @@ ifdef(`distro_redhat',`
+@@ -72,3 +87,6 @@ ifdef(`distro_redhat',`
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
+
++/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 6944526..ec17624 100644
@@ -33681,7 +34182,7 @@ index 6944526..ec17624 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..50102d0 100644
+index b7686d5..fda9b8a 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -33709,9 +34210,14 @@ index b7686d5..50102d0 100644
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -37,17 +46,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+@@ -36,18 +45,22 @@ type ifconfig_exec_t;
+ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
++type ifconfig_var_run_t;
++files_pid_file(ifconfig_var_run_t)
++files_mountpoint(ifconfig_var_run_t)
++
type net_conf_t alias resolv_conf_t;
-files_type(net_conf_t)
+files_config_file(net_conf_t)
@@ -33730,7 +34236,7 @@ index b7686d5..50102d0 100644
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -60,8 +69,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -33742,7 +34248,7 @@ index b7686d5..50102d0 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -70,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -70,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -33751,7 +34257,7 @@ index b7686d5..50102d0 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -91,14 +105,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -33772,7 +34278,7 @@ index b7686d5..50102d0 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,21 +121,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -33798,7 +34304,7 @@ index b7686d5..50102d0 100644
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
-@@ -132,11 +147,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -33815,7 +34321,7 @@ index b7686d5..50102d0 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -156,7 +175,14 @@ ifdef(`distro_ubuntu',`
+@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -33831,7 +34337,7 @@ index b7686d5..50102d0 100644
')
optional_policy(`
-@@ -174,10 +200,6 @@ optional_policy(`
+@@ -174,10 +204,6 @@ optional_policy(`
')
optional_policy(`
@@ -33842,7 +34348,7 @@ index b7686d5..50102d0 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -190,23 +212,36 @@ optional_policy(`
+@@ -190,23 +216,36 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -33879,7 +34385,7 @@ index b7686d5..50102d0 100644
')
optional_policy(`
-@@ -216,7 +251,11 @@ optional_policy(`
+@@ -216,7 +255,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -33892,7 +34398,7 @@ index b7686d5..50102d0 100644
')
optional_policy(`
-@@ -259,6 +298,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,12 +302,20 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -33900,12 +34406,34 @@ index b7686d5..50102d0 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -277,11 +317,20 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+ allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+ allow ifconfig_t self:tcp_socket { create ioctl };
+
++can_exec(ifconfig_t, ifconfig_exec_t)
++
++manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
++allow ifconfig_t ifconfig_var_run_t:file mounton;
++
+ kernel_use_fds(ifconfig_t)
+ kernel_read_system_state(ifconfig_t)
+ kernel_read_network_state(ifconfig_t)
+@@ -274,14 +325,29 @@ kernel_rw_net_sysctls(ifconfig_t)
+
+ corenet_rw_tun_tap_dev(ifconfig_t)
+
++corecmd_exec_bin(ifconfig_t)
++corecmd_exec_shell(ifconfig_t)
++
dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)
+# needed by tuned
+dev_rw_netcontrol(ifconfig_t)
++dev_mounton_sysfs(ifconfig_t)
++dev_mount_sysfs_fs(ifconfig_t)
++dev_unmount_sysfs_fs(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
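Review bot: The added `corecmd_exec_bin(ifconfig_t)` / `corecmd_exec_shell(ifconfig_t)`, together with `can_exec(ifconfig_t, ifconfig_exec_t)` and the sysfs mount/unmount rules, widen ifconfig_t from a network-configuration tool domain into one that runs arbitrary binaries and shells in its own context with no domain transition, and the hunk gives no reason. Since `/var/run/netns(/.*)?` is labeled ifconfig_var_run_t in this same commit and the file gets `mounton`, this looks like support for `ip netns exec`, which bind-mounts the namespace file, remounts sysfs and then execs the requested command — an inference, so the file's existing habit of commenting special cases (`# for /sbin/ip`, `# needed by tuned`) should be followed here, e.g. `# ip netns exec: bind-mount /var/run/netns/<name>, remount sysfs, then exec the command (stays in ifconfig_t)`. If a specific caller is the only consumer, consider whether it should keep its own domain through a transition instead of inheriting ifconfig_t's permissions. `dev_mounton_sysfs` and `dev_unmount_sysfs_fs` are not visible on this page; they must exist in the base patch's devices.if alongside `dev_mount_sysfs_fs` for this to build.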
@@ -33921,7 +34449,7 @@ index b7686d5..50102d0 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +343,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +360,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -33949,7 +34477,7 @@ index b7686d5..50102d0 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -318,7 +367,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +384,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -33972,17 +34500,21 @@ index b7686d5..50102d0 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +393,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +410,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
- hal_dontaudit_rw_pipes(ifconfig_t)
- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
++ dnsmasq_domtrans(ifconfig_t)
++')
++
++optional_policy(`
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
')
optional_policy(`
-@@ -339,7 +402,11 @@ optional_policy(`
+@@ -339,7 +423,11 @@ optional_policy(`
')
optional_policy(`
@@ -33995,7 +34527,7 @@ index b7686d5..50102d0 100644
')
optional_policy(`
-@@ -360,3 +427,9 @@ optional_policy(`
+@@ -360,3 +448,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -35256,10 +35788,10 @@ index 0000000..2e5b822
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..3916463
+index 0000000..35c1a7d
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,644 @@
+@@ -0,0 +1,645 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -35824,7 +36356,8 @@ index 0000000..3916463
+')
+
+optional_policy(`
-+ clock_read_adjtime(systemd_timedated_t)
++ clock_manage_adjtime(systemd_timedated_t)
++ clock_filetrans_named_content(systemd_timedated_t)
+ clock_domtrans(systemd_timedated_t)
+')
+
@@ -37276,7 +37809,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..e27d755 100644
+index 3c5dba7..08ce1e5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39943,7 +40476,7 @@ index 3c5dba7..e27d755 100644
## Create keys for all user domains.
##
##
-@@ -3438,4 +4197,1415 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1455 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -40308,6 +40841,46 @@ index 3c5dba7..e27d755 100644
+
+')
+
++######################################
++##
++## Manage all dirs in the homedir
++##
++##
++##
++## The user domain
++##
++##
++#
++interface(`userdom_manage_all_user_home_type_dirs',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++')
++
++######################################
++##
++## Manage all files in the homedir
++##
++##
++##
++## The user domain
++##
++##
++#
++interface(`userdom_manage_all_user_home_type_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++')
+
+########################################
+##
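Review bot: Both `userdom_manage_all_user_home_type_dirs` and `userdom_manage_all_user_home_type_files` require `type user_home_dir_t, user_home_t;` but never use `user_home_t`; the require should be `type user_home_dir_t;`. The summaries (`## Manage all dirs in the homedir`, `## Manage all files in the homedir`) understate the grant, which covers every type carrying the `user_home_type` attribute rather than one content type, so a caller can create, rewrite and delete any home-content type. Suggest `## Create, read, write and delete directories of every user_home_type in user home directories (broad grant; prefer a single-type userdom_* interface where one type suffices).` and the parallel wording for files and symlinks.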
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 1038f5b2..407bc60e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..94697ea 100644
+index e4f84de..ad5a65f 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,38 @@
+@@ -1,30 +1,39 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -20,6 +20,7 @@ index e4f84de..94697ea 100644
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -516,7 +517,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..a19d427 100644
+index cc43d25..ffbe9e5 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -733,7 +734,7 @@ index cc43d25..a19d427 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +174,36 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -746,6 +747,7 @@ index cc43d25..a19d427 100644
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)
files_list_mnt(abrt_t)
++fs_list_all(abrt_t)
+fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
@@ -773,7 +775,7 @@ index cc43d25..a19d427 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +211,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -790,7 +792,7 @@ index cc43d25..a19d427 100644
')
optional_policy(`
-@@ -209,6 +223,12 @@ optional_policy(`
+@@ -209,6 +224,12 @@ optional_policy(`
')
optional_policy(`
@@ -803,7 +805,7 @@ index cc43d25..a19d427 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +240,7 @@ optional_policy(`
+@@ -220,6 +241,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -811,7 +813,7 @@ index cc43d25..a19d427 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +251,7 @@ optional_policy(`
+@@ -230,6 +252,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -819,7 +821,7 @@ index cc43d25..a19d427 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +262,17 @@ optional_policy(`
+@@ -240,9 +263,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -838,7 +840,7 @@ index cc43d25..a19d427 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +283,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +284,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -853,7 +855,7 @@ index cc43d25..a19d427 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +302,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +303,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -861,7 +863,7 @@ index cc43d25..a19d427 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +311,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +312,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -882,7 +884,7 @@ index cc43d25..a19d427 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +332,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +333,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -909,7 +911,7 @@ index cc43d25..a19d427 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +368,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +369,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -923,7 +925,7 @@ index cc43d25..a19d427 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +386,11 @@ optional_policy(`
+@@ -330,10 +387,11 @@ optional_policy(`
#######################################
#
@@ -937,7 +939,7 @@ index cc43d25..a19d427 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +409,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,30 +410,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -979,7 +981,7 @@ index cc43d25..a19d427 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +449,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+@@ -384,14 +450,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
@@ -997,7 +999,7 @@ index cc43d25..a19d427 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +466,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +467,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1878,10 +1880,23 @@ index cda6d20..fbe259e 100644
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.te b/amanda.te
-index ed45974..b09436e 100644
+index ed45974..46e2c0d 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -60,7 +60,7 @@ optional_policy(`
+@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles;
+ roleattribute system_r amanda_recover_roles;
+
+ type amanda_t;
++type amanda_exec_t;
+ type amanda_inetd_exec_t;
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+
+-type amanda_exec_t;
+-domain_entry_file(amanda_t, amanda_exec_t)
+
+ type amanda_log_t;
+ logging_log_file(amanda_log_t)
+@@ -60,7 +59,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
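Review bot: Moving `type amanda_exec_t;` up is fine, but the hunk also deletes `domain_entry_file(amanda_t, amanda_exec_t)` without a replacement, so within this hunk amanda_exec_t is left declared with no entrypoint or file-type association; if no other rule in amanda.te gives it one (not visible here), the type builds but is never a file type and amanda_t can no longer be entered through it. If the intent is that amanda_t is entered only via inetd through `amanda_inetd_exec_t`, say so next to the declaration, e.g. `# amanda_t is entered only via inetd; amanda_exec_t is not an entrypoint`, otherwise keep the `domain_entry_file` line.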
@@ -1890,7 +1905,7 @@ index ed45974..b09436e 100644
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -1898,7 +1913,7 @@ index ed45974..b09436e 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,7 +101,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -1906,7 +1921,7 @@ index ed45974..b09436e 100644
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
-@@ -170,7 +170,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -1914,7 +1929,7 @@ index ed45974..b09436e 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +194,12 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -2508,10 +2523,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..b334e9a
+index 0000000..1a35e88
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,248 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2684,8 +2699,11 @@ index 0000000..b334e9a
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
++ files_dontaudit_read_all_non_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
++ dev_getattr_all_blk_files(antivirus_domain)
++ dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
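Review bot: `files_dontaudit_read_all_non_security_files(antivirus_domain)` sits directly under `files_read_non_security_files(antivirus_domain)` in the same tunable block, so it is either redundant with the allow or it silences denials the allow does not cover — and those AVC messages are what an administrator relies on to notice a scanner reaching beyond non-security files. A comment naming which denials this is meant to quiet, and why they are harmless, would make the trade-off reviewable, e.g. `# dontaudit: scanners open/stat files they are not allowed to read; these denials are noise, not scan failures`. The added `dev_getattr_all_blk_files`/`dev_getattr_all_chr_files` are getattr-only, which is the right scope for walking /dev.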
@@ -4453,10 +4471,10 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..6893a8e 100644
+index 1a82e29..3a12c26 100644
--- a/apache.te
+++ b/apache.te
-@@ -1,297 +1,367 @@
+@@ -1,297 +1,360 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
@@ -4884,13 +4902,6 @@ index 1a82e29..6893a8e 100644
+##
+##
+gen_tunable(httpd_sys_script_anon_write, false)
-+
-+##
-+##
-+## Allow httpd to communicate with oddjob to start up a service
-+##
-+##
-+gen_tunable(httpd_use_oddjob, false)
+
attribute httpdcontent;
-attribute httpd_htaccess_type;
@@ -4973,7 +4984,7 @@ index 1a82e29..6893a8e 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -4986,7 +4997,7 @@ index 1a82e29..6893a8e 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5008,7 +5019,7 @@ index 1a82e29..6893a8e 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -5028,7 +5039,7 @@ index 1a82e29..6893a8e 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5079,7 +5090,7 @@ index 1a82e29..6893a8e 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5121,7 +5132,7 @@ index 1a82e29..6893a8e 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5130,7 +5141,7 @@ index 1a82e29..6893a8e 100644
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -5141,7 +5152,7 @@ index 1a82e29..6893a8e 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5369,7 +5380,7 @@ index 1a82e29..6893a8e 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +710,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5429,7 +5440,7 @@ index 1a82e29..6893a8e 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +762,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5475,18 +5486,18 @@ index 1a82e29..6893a8e 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+- spamassassin_domtrans_client(httpd_t)
+- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
--optional_policy(`
-- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-- spamassassin_domtrans_client(httpd_t)
-- ')
--')
--
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
@@ -5514,7 +5525,7 @@ index 1a82e29..6893a8e 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +810,38 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +803,42 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5546,34 +5557,37 @@ index 1a82e29..6893a8e 100644
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
-')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
+-')
++ tunable_policy(`httpd_serve_cobbler_files',`
++ cobbler_manage_lib_files(httpd_t)
++',`
++ cobbler_read_lib_files(httpd_t)
++ cobbler_search_lib(httpd_t)
++ ')
+
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
-+ tunable_policy(`httpd_serve_cobbler_files',`
-+ cobbler_manage_lib_files(httpd_t)
-+',`
-+ cobbler_read_lib_files(httpd_t)
-+ cobbler_search_lib(httpd_t)
++ tunable_policy(`httpd_can_network_connect_cobbler',`
++ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
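Review bot: The new tunable_policy block keyed on httpd_can_network_connect_cobbler depends on a boolean whose gen_tunable declaration is not in this hunk; if it is not declared elsewhere in apache.te the module will not build, and if it is, its description should state that it lets httpd_t open TCP connections to the cobbler port. The `userdom_use_inherited_user_terminals(httpd_t)` and `userdom_use_inherited_user_terminals(httpd_suexec_t)` lines land inside a tunable block whose header is above the hunk, so which boolean now controls terminal access for suexec cannot be confirmed from here and is worth a one-line comment on the suexec line. Both enclosing blocks start outside the hunk.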
@@ -5588,7 +5602,7 @@ index 1a82e29..6893a8e 100644
')
optional_policy(`
-@@ -743,14 +852,6 @@ optional_policy(`
+@@ -743,14 +849,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5603,7 +5617,7 @@ index 1a82e29..6893a8e 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +866,23 @@ optional_policy(`
+@@ -765,6 +863,23 @@ optional_policy(`
')
optional_policy(`
@@ -5627,7 +5641,7 @@ index 1a82e29..6893a8e 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +899,42 @@ optional_policy(`
+@@ -781,34 +896,42 @@ optional_policy(`
')
optional_policy(`
@@ -5681,7 +5695,7 @@ index 1a82e29..6893a8e 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +942,18 @@ optional_policy(`
+@@ -816,8 +939,18 @@ optional_policy(`
')
optional_policy(`
@@ -5700,7 +5714,7 @@ index 1a82e29..6893a8e 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +962,7 @@ optional_policy(`
+@@ -826,6 +959,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5708,7 +5722,7 @@ index 1a82e29..6893a8e 100644
')
optional_policy(`
-@@ -836,20 +973,38 @@ optional_policy(`
+@@ -836,20 +970,38 @@ optional_policy(`
')
optional_policy(`
@@ -5741,19 +5755,19 @@ index 1a82e29..6893a8e 100644
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
++')
++
++optional_policy(`
++ pwauth_domtrans(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
-+ pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
-@@ -857,6 +1012,16 @@ optional_policy(`
+@@ -857,6 +1009,16 @@ optional_policy(`
')
optional_policy(`
@@ -5770,7 +5784,7 @@ index 1a82e29..6893a8e 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,6 +1030,7 @@ optional_policy(`
+@@ -865,6 +1027,7 @@ optional_policy(`
')
optional_policy(`
@@ -5778,7 +5792,7 @@ index 1a82e29..6893a8e 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -877,65 +1043,166 @@ optional_policy(`
+@@ -877,65 +1040,166 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5844,11 +5858,10 @@ index 1a82e29..6893a8e 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache PHP script local policy
+#
+
@@ -5907,10 +5920,11 @@ index 1a82e29..6893a8e 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache suexec local policy
#
@@ -5967,7 +5981,7 @@ index 1a82e29..6893a8e 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1211,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1208,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6122,7 +6136,7 @@ index 1a82e29..6893a8e 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1295,104 @@ optional_policy(`
+@@ -1077,172 +1292,104 @@ optional_policy(`
')
')
@@ -6144,11 +6158,11 @@ index 1a82e29..6893a8e 100644
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
--append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6303,12 +6317,12 @@ index 1a82e29..6893a8e 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
@@ -6358,7 +6372,7 @@ index 1a82e29..6893a8e 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1400,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1397,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6381,10 +6395,6 @@ index 1a82e29..6893a8e 100644
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
- fs_read_fusefs_symlinks(httpd_sys_script_t)
--')
--
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
@@ -6392,25 +6402,26 @@ index 1a82e29..6893a8e 100644
+ fs_exec_fusefs_files(httpd_suexec_t)
')
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_sys_script_t)
-- fs_manage_nfs_dirs(httpd_sys_script_t)
-- fs_manage_nfs_files(httpd_sys_script_t)
-- fs_manage_nfs_symlinks(httpd_sys_script_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_sys_script_t)
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+- fs_manage_nfs_dirs(httpd_sys_script_t)
+- fs_manage_nfs_files(httpd_sys_script_t)
+- fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
- optional_policy(`
-- clamav_domtrans_clamscan(httpd_sys_script_t)
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_sys_script_t)
++optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
@@ -6421,14 +6432,20 @@ index 1a82e29..6893a8e 100644
')
optional_policy(`
+- clamav_domtrans_clamscan(httpd_sys_script_t)
+ postgresql_stream_connect(httpd_sys_script_t)
- postgresql_unpriv_client(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
+ optional_policy(`
+- postgresql_unpriv_client(httpd_sys_script_t)
++ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
+ ')
+
########################################
#
-# Rotatelogs local policy
@@ -6452,7 +6469,7 @@ index 1a82e29..6893a8e 100644
########################################
#
-@@ -1315,8 +1471,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1472,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6469,7 +6486,7 @@ index 1a82e29..6893a8e 100644
')
########################################
-@@ -1324,49 +1487,36 @@ optional_policy(`
+@@ -1324,49 +1488,36 @@ optional_policy(`
# User content local policy
#
@@ -6533,7 +6550,7 @@ index 1a82e29..6893a8e 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1526,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1527,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -10368,10 +10385,10 @@ index 0000000..5977d96
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..7267a85
+index 0000000..ba0a059
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,222 @@
+@@ -0,0 +1,236 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -10442,21 +10459,35 @@ index 0000000..7267a85
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
++corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
++corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
-+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
-+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
-+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_ftp_port(chrome_sandbox_t)
++corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
++corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_ipp_port(chrome_sandbox_t)
++corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
++corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
++corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
++corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
++corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
++corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
++corenet_tcp_connect_soundd_port(chrome_sandbox_t)
++corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
++corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
++corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
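Review bot: `corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)` together with the newly added management and service ports (`corenet_tcp_connect_jboss_management_port`, `corenet_tcp_connect_couchdb_port`, `corenet_tcp_connect_vnc_port`, `corenet_tcp_connect_transproxy_port`) leaves the sandbox domain's outbound TCP policy close to unrestricted, which reduces the containment chrome_sandbox_t is meant to provide if a renderer is compromised. None of the added connect lines carries a reason; a short comment per line naming the report or use case behind it would let a later maintainer drop the ones that stop being needed. If most of these are only hit by specific web applications, gating them behind a boolean instead of granting them unconditionally would keep the default sandbox tighter. The chrome_sandbox_t local policy continues outside the hunk.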
@@ -11680,7 +11711,7 @@ index 973d208..2b650a7 100644
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
-index c223f81..83d5104 100644
+index c223f81..3bcdf6a 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
@@ -11712,15 +11743,24 @@ index c223f81..83d5104 100644
########################################
##
## Read cobbler configuration files.
-@@ -132,6 +154,7 @@ interface(`cobbler_manage_lib_files',`
+@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ ')
+
+ ########################################
+@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
-@@ -199,7 +222,4 @@ interface(`cobbler_admin',`
+@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
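Review bot: `manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)` in cobbler_manage_lib_files lets every caller create and rewrite symlinks under cobbler_var_lib_t, and with the httpd_serve_cobbler_files branch added to apache.te in the same commit that caller set includes httpd_t, so a compromised web server could point served paths at any other file httpd_t is allowed to read. If cobbler only needs httpd to follow existing symlinks, the `read_lnk_files_pattern` added to cobbler_read_lib_files in the preceding hunk already covers that and the manage interface could stay limited to dirs and files. A comment stating which cobbler workflow creates symlinks in this tree would settle whether the wider grant is needed.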
@@ -16390,7 +16430,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..52c170f 100644
+index 9f34c2e..c7268a7 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16478,7 +16518,7 @@ index 9f34c2e..52c170f 100644
type ptal_t;
type ptal_exec_t;
-@@ -97,21 +94,48 @@ ifdef(`enable_mls',`
+@@ -97,21 +94,49 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
@@ -16491,6 +16531,7 @@ index 9f34c2e..52c170f 100644
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
++allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
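Review bot: `allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;` is granted on the cups_domain attribute, so every domain that carries it (which domains those are is decided outside this hunk) may open a uevent socket, not only the component that listens for device hotplug events. If only cupsd_t or a single backend needs it, an allow on that specific domain keeps the shared attribute minimal, and a comment naming the component that consumes udev events would make the scope reviewable. The cups_domain rules continue past the end of the hunk.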
@@ -16531,7 +16572,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,6 +144,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -16539,7 +16580,7 @@ index 9f34c2e..52c170f 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -139,22 +164,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -16567,7 +16608,7 @@ index 9f34c2e..52c170f 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +188,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@@ -16579,7 +16620,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +213,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -16604,7 +16645,7 @@ index 9f34c2e..52c170f 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
-@@ -206,7 +238,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@@ -16612,7 +16653,7 @@ index 9f34c2e..52c170f 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -16632,7 +16673,7 @@ index 9f34c2e..52c170f 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -16641,7 +16682,7 @@ index 9f34c2e..52c170f 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -16667,7 +16708,7 @@ index 9f34c2e..52c170f 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +308,8 @@ optional_policy(`
+@@ -275,6 +309,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -16676,7 +16717,7 @@ index 9f34c2e..52c170f 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +320,10 @@ optional_policy(`
+@@ -285,8 +321,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16687,7 +16728,7 @@ index 9f34c2e..52c170f 100644
')
')
-@@ -299,8 +336,8 @@ optional_policy(`
+@@ -299,8 +337,8 @@ optional_policy(`
')
optional_policy(`
@@ -16697,7 +16738,7 @@ index 9f34c2e..52c170f 100644
')
optional_policy(`
-@@ -309,7 +346,6 @@ optional_policy(`
+@@ -309,7 +347,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -16705,16 +16746,20 @@ index 9f34c2e..52c170f 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +373,7 @@ optional_policy(`
+@@ -337,7 +374,11 @@ optional_policy(`
')
optional_policy(`
- virt_rw_all_image_chr_files(cupsd_t)
+ virt_rw_chr_files(cupsd_t)
++')
++
++optional_policy(`
++ vmware_read_system_config(cupsd_t)
')
########################################
-@@ -345,12 +381,11 @@ optional_policy(`
+@@ -345,12 +386,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -16730,7 +16775,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +410,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16751,7 +16796,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +428,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16772,7 +16817,7 @@ index 9f34c2e..52c170f 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +445,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16784,7 +16829,7 @@ index 9f34c2e..52c170f 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +472,12 @@ optional_policy(`
+@@ -452,9 +477,12 @@ optional_policy(`
')
optional_policy(`
@@ -16798,7 +16843,7 @@ index 9f34c2e..52c170f 100644
')
optional_policy(`
-@@ -490,10 +513,6 @@ optional_policy(`
+@@ -490,10 +518,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16809,7 +16854,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +530,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16842,7 +16887,7 @@ index 9f34c2e..52c170f 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +556,6 @@ optional_policy(`
+@@ -546,7 +561,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16850,7 +16895,7 @@ index 9f34c2e..52c170f 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +571,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -17002,7 +17047,7 @@ index 9f34c2e..52c170f 100644
########################################
#
-@@ -731,7 +615,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -17010,7 +17055,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +624,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -17024,7 +17069,7 @@ index 9f34c2e..52c170f 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +636,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -17033,6 +17078,11 @@ index 9f34c2e..52c170f 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+@@ -769,3 +653,4 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ptal_t)
+ ')
++
diff --git a/cvs.if b/cvs.if
index 9fa7ffb..fd3262c 100644
--- a/cvs.if
@@ -17205,7 +17255,7 @@ index 6508280..a2860e3 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index 395f97c..e157463 100644
+index 395f97c..bf8db3c 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -17263,14 +17313,17 @@ index 395f97c..e157463 100644
kerberos_keytab_template(cyrus, cyrus_t)
')
-@@ -128,6 +131,7 @@ optional_policy(`
+@@ -128,8 +131,8 @@ optional_policy(`
')
optional_policy(`
+- snmp_read_snmp_var_lib_files(cyrus_t)
+- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ files_dontaudit_write_usr_dirs(cyrus_t)
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
++ snmp_manage_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
+ ')
+
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0..6c8106a 100644
--- a/daemontools.if
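Review bot: Replacing `snmp_read_snmp_var_lib_files(cyrus_t)` and `snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)` with `snmp_manage_var_lib_files(cyrus_t)` turns a silenced write denial into an actual grant of create/write/delete on the snmp var_lib files, which is a privilege increase for the mail domain rather than a cleanup. If cyrus genuinely has to write there, a comment on the line naming the denial or bug that motivated it would document the reason; if it only needs to read and have the writes stay quiet, the pair that was removed is the tighter choice. The optional_policy block that holds this rule starts outside the hunk.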
@@ -19111,7 +19164,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..fc9d3f4 100644
+index ff933af..101bc81 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -19151,7 +19204,7 @@ index ff933af..fc9d3f4 100644
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
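Review bot: The capability set for devicekit_disk_t gains `sys_tty_config` with nothing on the line saying which operation requires it, and this list is clearly being curated by hand, so the reason will be lost quickly. A why-comment above the allow such as `# sys_tty_config: needed for <operation — TODO confirm>` (placeholder to be filled from the triggering denial) would keep the grant reviewable. The devicekit_disk_t local policy continues outside the hunk.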
@@ -20617,7 +20670,7 @@ index 19aa0b8..b303b37 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..07bcb8e 100644
+index ba14bcf..869bba7 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -20641,16 +20694,19 @@ index ba14bcf..07bcb8e 100644
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -88,8 +93,6 @@ auth_use_nsswitch(dnsmasq_t)
+@@ -86,9 +91,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
- logging_send_syslog_msg(dnsmasq_t)
+ auth_use_nsswitch(dnsmasq_t)
+
+-logging_send_syslog_msg(dnsmasq_t)
++libs_exec_ldconfig(dnsmasq_t)
-miscfiles_read_localization(dnsmasq_t)
--
++logging_send_syslog_msg(dnsmasq_t)
+
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-
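Review bot: `libs_exec_ldconfig(dnsmasq_t)` lets a network-facing DNS/DHCP daemon execute ldconfig in its own domain, which is unusual and carries no justification on the line; if the denial came from a DHCP hook script, that script's domain rather than dnsmasq_t itself may be the right place for the rule. A comment naming the bug or denial that prompted it would let a later reviewer verify the need. Moving `logging_send_syslog_msg(dnsmasq_t)` below the new line keeps the file's module-prefix ordering, which is fine; the dnsmasq_t policy continues outside the hunk.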
-@@ -98,12 +101,21 @@ optional_policy(`
+@@ -98,12 +103,21 @@ optional_policy(`
')
optional_policy(`
@@ -20673,7 +20729,7 @@ index ba14bcf..07bcb8e 100644
')
optional_policy(`
-@@ -124,6 +136,7 @@ optional_policy(`
+@@ -124,6 +138,13 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -20681,6 +20737,12 @@ index ba14bcf..07bcb8e 100644
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
++
++optional_policy(`
++ quantum_manage_lib_files(dnsmasq_t)
++ quantum_rw_fifo_file(dnsmasq_t)
++ quantum_sigchld(dnsmasq_t)
++')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..9e231a8
@@ -23351,10 +23413,18 @@ index c12c067..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..7575a9b 100644
+index c81b6e8..fcb022d 100644
--- a/fprintd.te
+++ b/fprintd.te
-@@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t)
+@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
+ allow fprintd_t self:capability sys_nice;
+ allow fprintd_t self:process { getsched setsched signal sigkill };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
++allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
@@ -23369,7 +23439,7 @@ index c81b6e8..7575a9b 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +50,13 @@ optional_policy(`
+@@ -54,8 +51,13 @@ optional_policy(`
')
')
@@ -23492,7 +23562,7 @@ index d062080..97fb494 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..5e6cdb8 100644
+index e50f33c..d9dca45 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -23653,7 +23723,7 @@ index e50f33c..5e6cdb8 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23666,11 +23736,13 @@ index e50f33c..5e6cdb8 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
+- userdom_manage_user_home_content_dirs(ftpd_t)
+- userdom_manage_user_home_content_files(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
++ userdom_manage_all_user_home_type_dirs(ftpd_t)
++ userdom_manage_all_user_home_type_files(ftpd_t)
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
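Review bot: Switching the `ftp_home_dir` block from `userdom_manage_user_home_content_*` to `userdom_manage_all_user_home_type_dirs/files(ftpd_t)` presumably widens ftpd's write access from generic user_home_t to every type carrying the user_home_type attribute (ssh/gnupg-style home content, if those carry it — confirm against userdomain.if), and nothing in the hunk says why. Combined with the `dac_override dac_read_search` capability this tunable already grants, a compromised ftpd serving home directories could then rewrite credential files the previous rule kept out of reach. If uploads into application subdirectories are the reason, record it above the two calls, e.g. `# ftp uploads land in app-specific home subdirs, which carry their own user_home_type types`, and say the same in the ftp_home_dir gen_tunable description (outside this hunk). The tunable_policy block continues past the end of the hunk.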
@@ -28097,10 +28169,10 @@ index 3226f52..68b2eb8 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..aa94571 100644
+index 25f09ae..3085534 100644
--- a/gpsd.te
+++ b/gpsd.te
-@@ -28,7 +28,7 @@ files_pid_file(gpsd_var_run_t)
+@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
#
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
@@ -28109,7 +28181,12 @@ index 25f09ae..aa94571 100644
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
-@@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
+ allow gpsd_t self:tcp_socket { accept listen };
++allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
@@ -32392,7 +32469,7 @@ index d5d1572..82267a7 100644
/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
-index 73e2803..562d25b 100644
+index 73e2803..2fc7570 100644
--- a/l2tp.if
+++ b/l2tp.if
@@ -1,9 +1,45 @@
@@ -32484,7 +32561,7 @@ index 73e2803..562d25b 100644
##
##
##
-@@ -56,14 +110,32 @@ interface(`l2tpd_stream_connect',`
+@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
')
files_search_pids($1)
@@ -32516,12 +32593,87 @@ index 73e2803..562d25b 100644
+
+########################################
+##
++## Allow send a signal to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_signal',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signal;
++')
++
++########################################
++##
++## Allow send signull to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_signull',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signull;
++')
++
++########################################
++##
++## Allow send sigkill to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_sigkill',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process sigkill;
++')
++
++########################################
++##
++## Send and receive messages from
++## l2tpd over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_dbus_chat',`
++ gen_require(`
++ type l2tpd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 l2tpd_t:dbus send_msg;
++ allow l2tpd_t $1:dbus send_msg;
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an l2tpd environment
##
##
##
-@@ -77,22 +149,26 @@ interface(`l2tpd_stream_connect',`
+@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',`
##
##
#
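Review bot: The summaries of the three new signal interfaces read `Allow send a signal to l2tpd.`, `Allow send signull to l2tpd.` and `Allow send sigkill to l2tpd.`, which is ungrammatical and out of step with the refpolicy phrasing used elsewhere in this file. Propose `## Send generic signals to l2tpd.`, `## Send a null signal to l2tpd.` and `## Send a kill signal to l2tpd.` respectively. `l2tpd_dbus_chat` follows the usual bidirectional send_msg pattern and needs no change.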
@@ -32554,7 +32706,7 @@ index 73e2803..562d25b 100644
files_search_pids($1)
admin_pattern($1, l2tpd_var_run_t)
diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..23321e4 100644
+index 19f2b97..fbc0e48 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@@ -32566,7 +32718,16 @@ index 19f2b97..23321e4 100644
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
allow l2tpd_t self:netlink_socket create_socket_perms;
allow l2tpd_t self:rawip_socket create_socket_perms;
-@@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t)
+@@ -47,6 +47,8 @@ files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+ manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
+ files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+
++can_exec(l2tpd_t, l2tpd_exec_t)
++
+ corenet_all_recvfrom_unlabeled(l2tpd_t)
+ corenet_all_recvfrom_netlabel(l2tpd_t)
+ corenet_raw_sendrecv_generic_if(l2tpd_t)
+@@ -75,19 +77,35 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
@@ -32583,6 +32744,22 @@ index 19f2b97..23321e4 100644
sysnet_dns_name_resolve(l2tpd_t)
optional_policy(`
++ dbus_system_bus_client(l2tpd_t)
++ dbus_connect_system_bus(l2tpd_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(l2tpd_t)
++ ')
++')
++
++optional_policy(`
++ ipsec_domtrans_mgmt(l2tpd_t)
++ ipsec_mgmt_read_pid(l2tpd_t)
++ ipsec_filetrans_key_file(l2tpd_t)
++ ipsec_manage_key_file(l2tpd_t)
++')
++
++optional_policy(`
+ networkmanager_read_pid_files(l2tpd_t)
+')
+
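Review bot: `ipsec_manage_key_file(l2tpd_t)` and `ipsec_domtrans_mgmt(l2tpd_t)` let l2tpd rewrite IPsec key material and drive the IPsec management tools, and no comment says which code path needs that; the context above shows l2tpd_t already holds raw IP and netlink sockets, so this is a sizeable grant for a network-facing daemon. Presumably the NetworkManager L2TP/IPsec plugin has l2tpd start ipsec and write the pre-shared key into the secrets file — confirm. Propose a comment above that optional_policy block: `# NetworkManager-l2tp runs ipsec from l2tpd and writes the PSK into the ipsec key file`. Also confirm that the file class and name covered by `ipsec_filetrans_key_file` match what is actually created, otherwise the manage rule is reached without the transition.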
@@ -33119,7 +33296,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 98b5405..b1d3cdf 100644
+index 98b5405..7d982bb 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -33131,7 +33308,15 @@ index 98b5405..b1d3cdf 100644
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
-@@ -64,9 +64,8 @@ files_manage_generic_locks(lircd_t)
+@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin };
+ allow lircd_t self:process signal;
+ allow lircd_t self:fifo_file rw_fifo_file_perms;
+ allow lircd_t self:tcp_socket { accept listen };
++allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
@@ -37440,7 +37625,7 @@ index 6194b80..879f5db 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..8f6c0ba 100644
+index 6a306ee..30005c3 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37449,7 +37634,7 @@ index 6a306ee..8f6c0ba 100644
########################################
#
-@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4)
#
##
@@ -37473,6 +37658,13 @@ index 6a306ee..8f6c0ba 100644
+
+##
+##
++## Allow mozilla plugin to support GPS.
++##
++##
++gen_tunable(mozilla_plugin_use_gps, false)
++
++##
++##
+## Allow confined web browsers to read home directory content
+##
+##
@@ -37489,7 +37681,7 @@ index 6a306ee..8f6c0ba 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -37499,7 +37691,7 @@ index 6a306ee..8f6c0ba 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,29 +58,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -37534,7 +37726,7 @@ index 6a306ee..8f6c0ba 100644
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +85,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -37545,7 +37737,7 @@ index 6a306ee..8f6c0ba 100644
########################################
#
# Local policy
-@@ -75,27 +86,30 @@ optional_policy(`
+@@ -75,27 +93,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -37589,7 +37781,7 @@ index 6a306ee..8f6c0ba 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +124,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -37697,7 +37889,7 @@ index 6a306ee..8f6c0ba 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +195,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -37705,15 +37897,15 @@ index 6a306ee..8f6c0ba 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37808,7 +38000,7 @@ index 6a306ee..8f6c0ba 100644
')
optional_policy(`
-@@ -244,19 +268,12 @@ optional_policy(`
+@@ -244,19 +275,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -37830,7 +38022,7 @@ index 6a306ee..8f6c0ba 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +282,32 @@ optional_policy(`
+@@ -265,33 +289,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -37843,34 +38035,34 @@ index 6a306ee..8f6c0ba 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -37878,7 +38070,7 @@ index 6a306ee..8f6c0ba 100644
')
optional_policy(`
-@@ -300,221 +316,175 @@ optional_policy(`
+@@ -300,221 +323,177 @@ optional_policy(`
########################################
#
@@ -37960,12 +38152,12 @@ index 6a306ee..8f6c0ba 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -37986,35 +38178,39 @@ index 6a306ee..8f6c0ba 100644
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
++corenet_tcp_bind_generic_node(mozilla_plugin_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_connect_aol_port(mozilla_plugin_t)
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_generic_port(mozilla_plugin_t)
++corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
++corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
-
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
+ corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
- corenet_tcp_connect_http_port(mozilla_plugin_t)
+-corenet_tcp_connect_http_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
++corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
++corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
-
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
-
@@ -38023,20 +38219,23 @@ index 6a306ee..8f6c0ba 100644
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
-
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
-
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+ corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_soundd_port(mozilla_plugin_t)
++corenet_tcp_connect_msnp_port(mozilla_plugin_t)
++corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
++corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
+ corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
-+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
-
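Review bot: `corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)` is the only new grant in this hunk and it is undocumented; letting a browser plugin connect to a management port is unusual enough that the reason should be stated in the file. Presumably this is for a web console reached through a plugin — confirm. Propose a comment on the line above: `# plugin-driven access to the JBoss management console`.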
@@ -38045,17 +38244,10 @@ index 6a306ee..8f6c0ba 100644
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
-
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
-+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
-+corenet_tcp_connect_soundd_port(mozilla_plugin_t)
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
++corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
-+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
-+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
-+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
-+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
@@ -38196,7 +38388,7 @@ index 6a306ee..8f6c0ba 100644
')
optional_policy(`
-@@ -523,36 +493,48 @@ optional_policy(`
+@@ -523,36 +502,48 @@ optional_policy(`
')
optional_policy(`
@@ -38258,7 +38450,7 @@ index 6a306ee..8f6c0ba 100644
')
optional_policy(`
-@@ -560,7 +542,7 @@ optional_policy(`
+@@ -560,7 +551,7 @@ optional_policy(`
')
optional_policy(`
@@ -38267,7 +38459,7 @@ index 6a306ee..8f6c0ba 100644
')
optional_policy(`
-@@ -568,108 +550,113 @@ optional_policy(`
+@@ -568,108 +559,118 @@ optional_policy(`
')
optional_policy(`
@@ -38383,34 +38575,29 @@ index 6a306ee..8f6c0ba 100644
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-userdom_use_user_ptys(mozilla_plugin_config_t)
--
--mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(mozilla_plugin_config_t)
++')
+
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_config_t self:process execmem;
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
++optional_policy(`
++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_config_t self:process { execmem execstack };
+optional_policy(`
-+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
++ xserver_use_user_fonts(mozilla_plugin_config_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
- fs_manage_nfs_files(mozilla_plugin_config_t)
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
-+optional_policy(`
-+ xserver_use_user_fonts(mozilla_plugin_config_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_config_t)
-- fs_manage_cifs_files(mozilla_plugin_config_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
@@ -38421,8 +38608,10 @@ index 6a306ee..8f6c0ba 100644
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
--optional_policy(`
-- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
@@ -38436,10 +38625,17 @@ index 6a306ee..8f6c0ba 100644
')
-optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
++tunable_policy(`mozilla_plugin_use_gps',`
++ fs_manage_dos_dirs(mozilla_plugin_t)
++ fs_manage_dos_files(mozilla_plugin_t)
+ ')
diff --git a/mpd.fc b/mpd.fc
index 313ce52..6aa46d2 100644
--- a/mpd.fc
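Review bot: `mozilla_plugin_use_gps` grants `fs_manage_dos_dirs(mozilla_plugin_t)` and `fs_manage_dos_files(mozilla_plugin_t)`, i.e. create/write/delete on every DOS/FAT filesystem mounted on the host, not just on a GPS device, and the tunable's description `Allow mozilla plugin to support GPS` (declared in an earlier hunk) does not tell an administrator that. Presumably GPS units show up as FAT mass storage that the plugin writes maps or firmware to — confirm. Propose changing the description to `Allow mozilla plugin to manage files on DOS/FAT filesystems (e.g. GPS units mounted as removable media).` and adding above the tunable_policy block: `# GPS devices mount as FAT mass storage; the plugin writes to them directly`.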
@@ -42948,7 +43144,7 @@ index a1fb3c3..8fe1d63 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..2669fe1 100644
+index 0e8508c..0b68b86 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -43195,7 +43391,7 @@ index 0e8508c..2669fe1 100644
##
##
##
-@@ -227,33 +292,111 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',`
##
##
#
@@ -43325,10 +43521,11 @@ index 0e8508c..2669fe1 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
++ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..57fe60f 100644
+index 0b48a30..f3320a3 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
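Review bot: The new `logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")` labels a file created under the log directory with a var_lib type, so anything that manages NetworkManager log files by type (and any relabel of /var/log) will treat wpa_supplicant.log as state rather than a log. If the module declares a log type (upstream has NetworkManager_log_t; not visible here), the transition should target it: `logging_log_filetrans($1, NetworkManager_log_t, file, "wpa_supplicant.log")`, with the matching type added to the interface's gen_require. The typo fix `wired-settings.conf` is correct; the remaining filetrans lines belong to an interface whose start is outside this hunk.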
@@ -43608,7 +43805,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -257,11 +279,7 @@ optional_policy(`
+@@ -257,11 +279,10 @@ optional_policy(`
')
optional_policy(`
@@ -43618,10 +43815,13 @@ index 0b48a30..57fe60f 100644
-optional_policy(`
- modutils_domtrans_insmod(NetworkManager_t)
+ l2tpd_domtrans(NetworkManager_t)
++ l2tpd_sigkill(NetworkManager_t)
++ l2tpd_signal(NetworkManager_t)
++ l2tpd_signull(NetworkManager_t)
')
optional_policy(`
-@@ -274,10 +292,17 @@ optional_policy(`
+@@ -274,10 +295,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -43639,7 +43839,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -289,6 +314,7 @@ optional_policy(`
+@@ -289,6 +317,7 @@ optional_policy(`
')
optional_policy(`
@@ -43647,7 +43847,7 @@ index 0b48a30..57fe60f 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +322,7 @@ optional_policy(`
+@@ -296,7 +325,7 @@ optional_policy(`
')
optional_policy(`
@@ -43656,7 +43856,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -307,6 +333,7 @@ optional_policy(`
+@@ -307,6 +336,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -43664,7 +43864,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -320,13 +347,15 @@ optional_policy(`
+@@ -320,13 +350,15 @@ optional_policy(`
')
optional_policy(`
@@ -43684,7 +43884,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -47105,35 +47305,16 @@ index 57c0161..54bd4d7 100644
+ ps_process_pattern($1, swift_t)
')
diff --git a/nut.te b/nut.te
-index 0c9deb7..ea0ba5c 100644
+index 0c9deb7..98a02f8 100644
--- a/nut.te
+++ b/nut.te
-@@ -1,121 +1,108 @@
+@@ -1,4 +1,4 @@
-policy_module(nut, 1.2.4)
+policy_module(nut, 1.2.0)
########################################
#
- # Declarations
- #
-
--attribute nut_domain;
--
- type nut_conf_t;
- files_config_file(nut_conf_t)
-
--type nut_upsd_t, nut_domain;
-+type nut_upsd_t;
- type nut_upsd_exec_t;
- init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
-
--type nut_upsmon_t, nut_domain;
-+type nut_upsmon_t;
- type nut_upsmon_exec_t;
- init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
-
--type nut_upsdrvctl_t, nut_domain;
-+type nut_upsdrvctl_t;
+@@ -22,100 +22,94 @@ type nut_upsdrvctl_t, nut_domain;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
@@ -47143,11 +47324,12 @@ index 0c9deb7..ea0ba5c 100644
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
-+
+
+-########################################
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
-
- ########################################
++
++#######################################
#
-# Common nut domain local policy
+# Local policy for upsd
@@ -47161,39 +47343,35 @@ index 0c9deb7..ea0ba5c 100644
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
-+allow nut_upsd_t self:capability { setgid setuid dac_override };
-+allow nut_upsd_t self:process signal_perms;
-
+-
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
-+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-
+-
-kernel_read_kernel_sysctls(nut_domain)
-+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-
+-
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
--
--########################################
--#
--# Upsd local policy
--#
--
--allow nut_upsd_t self:tcp_socket { accept listen };
-+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
++allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
-+# pid file
-+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
- manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+ ########################################
+ #
+-# Upsd local policy
++# Local policy for upsd
+ #
+
+-allow nut_upsd_t self:tcp_socket { accept listen };
++allow nut_upsd_t self:capability { setgid setuid dac_override };
++allow nut_upsd_t self:process signal_perms;
+
+-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
-+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
-+kernel_read_kernel_sysctls(nut_upsd_t)
++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
@@ -47201,20 +47379,28 @@ index 0c9deb7..ea0ba5c 100644
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
--
++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
+
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
- corenet_tcp_bind_ups_port(nut_upsd_t)
--
+-corenet_tcp_bind_ups_port(nut_upsd_t)
++# pid file
++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
+
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
- corenet_tcp_bind_generic_port(nut_upsd_t)
-+corenet_tcp_bind_all_nodes(nut_upsd_t)
+-corenet_tcp_bind_generic_port(nut_upsd_t)
++kernel_read_kernel_sysctls(nut_upsd_t)
-files_read_usr_files(nut_upsd_t)
++corenet_tcp_bind_ups_port(nut_upsd_t)
++corenet_tcp_bind_generic_port(nut_upsd_t)
++corenet_tcp_bind_all_nodes(nut_upsd_t)
auth_use_nsswitch(nut_upsd_t)
+logging_send_syslog_msg(nut_upsd_t)
-+
+
########################################
#
@@ -47231,12 +47417,12 @@ index 0c9deb7..ea0ba5c 100644
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
-
++
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
-+
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@@ -47276,7 +47462,7 @@ index 0c9deb7..ea0ba5c 100644
mta_send_mail(nut_upsmon_t)
optional_policy(`
-@@ -124,14 +111,27 @@ optional_policy(`
+@@ -124,14 +118,27 @@ optional_policy(`
########################################
#
@@ -47290,9 +47476,9 @@ index 0c9deb7..ea0ba5c 100644
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
-+
-+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
++
+# pid file
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
@@ -47306,7 +47492,7 @@ index 0c9deb7..ea0ba5c 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +139,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +146,34 @@ dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -47594,7 +47780,7 @@ index 8635ea2..eec20b4 100644
+ obex_dbus_chat($2)
')
diff --git a/obex.te b/obex.te
-index cd29ea8..efbf8f8 100644
+index cd29ea8..d01d2c8 100644
--- a/obex.te
+++ b/obex.te
@@ -1,4 +1,4 @@
@@ -47603,7 +47789,7 @@ index cd29ea8..efbf8f8 100644
########################################
#
-@@ -14,30 +14,25 @@ role obex_roles types obex_t;
+@@ -14,30 +14,26 @@ role obex_roles types obex_t;
########################################
#
@@ -47613,6 +47799,7 @@ index cd29ea8..efbf8f8 100644
allow obex_t self:fifo_file rw_fifo_file_perms;
allow obex_t self:socket create_stream_socket_perms;
++allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
-dev_read_urand(obex_t)
+kernel_request_load_module(obex_t)
@@ -52758,7 +52945,7 @@ index 735500f..ef1dd7a 100644
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..17c097d 100644
+index 30e751f..3985ff9 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -1,4 +1,4 @@
@@ -52946,7 +53133,7 @@ index 30e751f..17c097d 100644
gen_require(`
type plymouthd_var_run_t;
')
-@@ -233,36 +228,74 @@ interface(`plymouthd_read_pid_files',`
+@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
########################################
##
@@ -52977,14 +53164,11 @@ index 30e751f..17c097d 100644
+## to plymouthd log files.
+##
+##
- ##
--## Role allowed access.
++##
+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`plymouthd_admin',`
++##
++##
++#
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
@@ -52996,17 +53180,39 @@ index 30e751f..17c097d 100644
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
++#######################################
++##
++## Allow domain to create boot.log
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`plymouthd_create_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_rw_generic_log_dirs($1)
++ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
++')
++
+########################################
+##
+## All of the rules required to administrate
+## an plymouthd environment
+##
+##
-+##
+ ##
+-## Role allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`plymouthd_admin',`
+interface(`plymouthd_admin', `
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
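Review bot: `plymouthd_create_log` is documented as "Allow domain to create boot.log", but `logging_rw_generic_log_dirs($1)` grants `rw_dir_perms` on every generic `var_log_t` directory, which includes `remove_name`, so callers can also unlink or rename other files in /var/log. If `filetrans_pattern` in this tree grants `rw_dir_perms` as upstream refpolicy's does, the `logging_log_named_filetrans` call already supplies the directory access and the explicit `logging_rw_generic_log_dirs($1)` line is redundant and can be dropped; otherwise the summary should state what is really granted, e.g. `## Create boot.log in generic log directories, labelled plymouthd_var_log_t.` The `plymouthd_admin` interface that follows continues outside the hunk.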
@@ -57005,7 +57211,7 @@ index cd8b8b9..cde0d62 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..89ded87 100644
+index b2b5dba..49bdf0d 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -57235,7 +57441,13 @@ index b2b5dba..89ded87 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -190,7 +206,7 @@ optional_policy(`
+@@ -186,11 +202,13 @@ optional_policy(`
+ l2tpd_dgram_send(pppd_t)
+ l2tpd_rw_socket(pppd_t)
+ l2tpd_stream_connect(pppd_t)
++ l2tpd_read_pid_files(pppd_t)
++ l2tpd_dbus_chat(pppd_t)
+ ')
optional_policy(`
tunable_policy(`pppd_can_insmod',`
@@ -57244,7 +57456,7 @@ index b2b5dba..89ded87 100644
')
')
-@@ -218,16 +234,19 @@ optional_policy(`
+@@ -218,16 +236,19 @@ optional_policy(`
########################################
#
@@ -57267,7 +57479,7 @@ index b2b5dba..89ded87 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +255,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -57324,7 +57536,7 @@ index b2b5dba..89ded87 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +299,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -62300,10 +62512,10 @@ index 70ab68b..e97da31 100644
/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
diff --git a/quantum.if b/quantum.if
-index afc0068..7616aa4 100644
+index afc0068..b25d41e 100644
--- a/quantum.if
+++ b/quantum.if
-@@ -2,41 +2,217 @@
+@@ -2,41 +2,252 @@
########################################
##
@@ -62466,6 +62678,41 @@ index afc0068..7616aa4 100644
+
+########################################
+##
++## Read and write quantum fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_rw_fifo_file',`
++ gen_require(`
++ type quantum_t;
++ ')
++
++ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Allow domain to send sigchld to quantum process.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_sigchld',`
++ gen_require(`
++ type quantum_t;
++ ')
++
++ allow $1 quantum_t:process sigchld;
++')
++########################################
++##
+## Execute quantum server in the quantum domain.
+##
+##
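Review bot: `quantum_rw_fifo_file` is summarised as "Read and write quantum fifo files" but grants `rw_inherited_fifo_file_perms`, which excludes `open`, so a caller can only use a fifo descriptor it inherited from quantum_t and cannot open one itself; the summary should say `## Read and write inherited quantum fifo files.` so nobody picks this interface expecting open access. The new `quantum_sigchld` block also lacks the blank line between its closing `')` and the following `####` separator that every other interface in the file has.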
@@ -62995,22 +63242,51 @@ index 4b2c272..1aee969 100644
+ dbus_system_bus_client(quota_nld_t)
+ dbus_connect_system_bus(quota_nld_t)
')
+diff --git a/rabbitmq.fc b/rabbitmq.fc
+index c5ad6de..c67dbef 100644
+--- a/rabbitmq.fc
++++ b/rabbitmq.fc
+@@ -4,7 +4,9 @@
+ /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+
+ /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
++/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+ /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
++/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+
+ /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..62a5977 100644
+index 3698b51..a68f9f1 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
-@@ -70,10 +70,6 @@ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+@@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t)
+ corecmd_exec_bin(rabbitmq_beam_t)
+ corecmd_exec_shell(rabbitmq_beam_t)
- dev_read_sysfs(rabbitmq_beam_t)
++corenet_tcp_bind_generic_node(rabbitmq_beam_t)
++corenet_udp_bind_generic_node(rabbitmq_beam_t)
+ corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
+ corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
+@@ -68,11 +70,13 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+ corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+
+-dev_read_sysfs(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-files_read_etc_files(rabbitmq_beam_t)
--
++auth_read_passwd(rabbitmq_beam_t)
+
-miscfiles_read_localization(rabbitmq_beam_t)
--
++dev_read_sysfs(rabbitmq_beam_t)
++dev_read_urand(rabbitmq_beam_t)
+
sysnet_dns_name_resolve(rabbitmq_beam_t)
- ########################################
-@@ -81,7 +77,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t)
+@@ -81,7 +85,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t)
# Epmd local policy
#
@@ -63018,7 +63294,7 @@ index 3698b51..62a5977 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +94,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +102,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
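Review bot: Labelling `/var/lib/ejabberd(/.*)?` and `/var/log/ejabberd(/.*)?` as `rabbitmq_var_lib_t` and `rabbitmq_var_log_t` makes two different services share one type, so any domain granted access to rabbitmq's state or logs, now or through a future `rabbitmq_*` interface, also reaches ejabberd's, and AVC records can no longer tell the two services apart. The jabber port bind rules added to `rabbitmq_beam_t` in the same hunk suggest ejabberd is deliberately being run in that domain; if so, a comment in rabbitmq.fc recording that decision, or better a dedicated pair of types for ejabberd's data, would keep the separation auditable. `auth_read_passwd(rabbitmq_beam_t)` is likewise added without a note on which lookup needs the passwd file rather than nsswitch.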
@@ -65925,7 +66201,7 @@ index 56bc01f..895e16e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..38a33d7 100644
+index 2c2de9a..2bf6984 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -65956,7 +66232,7 @@ index 2c2de9a..38a33d7 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -50,28 +71,263 @@ rhcs_domain_template(qdiskd)
+@@ -50,28 +71,267 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
@@ -66000,12 +66276,15 @@ index 2c2de9a..38a33d7 100644
allow cluster_domain self:unix_dgram_socket create_socket_perms;
-logging_send_syslog_msg(cluster_domain)
--
--miscfiles_read_localization(cluster_domain)
+manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
+manage_files_pattern(cluster_domain, cluster_log, cluster_log)
+manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
+-miscfiles_read_localization(cluster_domain)
++tunable_policy(`cluster_use_execmem',`
++ allow cluster_domain self:process execmem;
++')
+
optional_policy(`
ccs_stream_connect(cluster_domain)
')
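Review bot: `cluster_use_execmem` is used in the new `tunable_policy` block but its `gen_tunable` declaration is not visible in this chunk; the earlier rhcs.te hunk header `@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)` shows that block grew, so it is presumably declared there, but an undeclared boolean fails the build, so please confirm. `execmem` lets every domain in `cluster_domain` map anonymous memory writable and executable, removing the W^X guarantee for all cluster daemons at once; the boolean should default to false and its description should name the component that needs it. The cluster_domain rule block continues outside the hunk.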
@@ -66225,7 +66504,7 @@ index 2c2de9a..38a33d7 100644
')
#####################################
-@@ -79,7 +335,7 @@ optional_policy(`
+@@ -79,7 +339,7 @@ optional_policy(`
# dlm_controld local policy
#
@@ -66234,7 +66513,7 @@ index 2c2de9a..38a33d7 100644
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,6 +358,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -66251,7 +66530,7 @@ index 2c2de9a..38a33d7 100644
#######################################
#
# fenced local policy
-@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +375,13 @@ init_rw_script_tmp_files(dlm_controld_t)
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };
@@ -66266,7 +66545,7 @@ index 2c2de9a..38a33d7 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +392,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -66277,7 +66556,7 @@ index 2c2de9a..38a33d7 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +421,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -66288,7 +66567,7 @@ index 2c2de9a..38a33d7 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +431,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -66297,7 +66576,7 @@ index 2c2de9a..38a33d7 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +457,6 @@ optional_policy(`
+@@ -190,10 +461,6 @@ optional_policy(`
')
optional_policy(`
@@ -66308,7 +66587,7 @@ index 2c2de9a..38a33d7 100644
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
-@@ -203,6 +466,13 @@ optional_policy(`
+@@ -203,6 +470,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -66322,7 +66601,7 @@ index 2c2de9a..38a33d7 100644
#######################################
#
# foghorn local policy
-@@ -223,14 +493,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,14 +497,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
dev_read_urand(foghorn_t)
@@ -66341,7 +66620,7 @@ index 2c2de9a..38a33d7 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +529,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +533,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -66350,7 +66629,7 @@ index 2c2de9a..38a33d7 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +549,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +553,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -66363,7 +66642,7 @@ index 2c2de9a..38a33d7 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +595,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +599,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -79151,7 +79430,7 @@ index 5e1f053..e7820bc 100644
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index 221c560..4966b22 100644
+index 221c560..fcf6da0 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -79220,7 +79499,15 @@ index 221c560..4966b22 100644
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
-@@ -156,7 +159,6 @@ dev_read_urand(squid_t)
+@@ -134,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
+ corenet_udp_sendrecv_gopher_port(squid_t)
+
+ corenet_sendrecv_squid_server_packets(squid_t)
++corenet_sendrecv_squid_client_packets(squid_t)
+ corenet_tcp_bind_squid_port(squid_t)
+ corenet_udp_bind_squid_port(squid_t)
+ corenet_tcp_sendrecv_squid_port(squid_t)
+@@ -156,7 +160,6 @@ dev_read_urand(squid_t)
domain_use_interactive_fds(squid_t)
files_read_etc_runtime_files(squid_t)
@@ -79228,7 +79515,7 @@ index 221c560..4966b22 100644
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)
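Review bot: `corenet_sendrecv_squid_client_packets(squid_t)` only labels packets for SECMARK; for squid_t to actually reach another squid instance on the squid port it also needs `corenet_tcp_connect_squid_port(squid_t)`, which is not in this hunk. If that rule already exists elsewhere in squid.te the addition is fine; otherwise the new line has no effect until the connect rule is added beside it. The corenet block for squid_t continues outside the hunk.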
-@@ -178,7 +180,6 @@ libs_exec_lib_files(squid_t)
+@@ -178,7 +181,6 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
@@ -79236,7 +79523,7 @@ index 221c560..4966b22 100644
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -200,6 +201,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -200,6 +202,8 @@ tunable_policy(`squid_use_tproxy',`
optional_policy(`
apache_content_template(squid)
@@ -79245,7 +79532,7 @@ index 221c560..4966b22 100644
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -209,18 +212,18 @@ optional_policy(`
+@@ -209,18 +213,18 @@ optional_policy(`
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
@@ -79271,7 +79558,7 @@ index 221c560..4966b22 100644
')
optional_policy(`
-@@ -238,3 +241,24 @@ optional_policy(`
+@@ -238,3 +242,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -85425,10 +85712,10 @@ index 0be8535..b96e329 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index c30da4c..76e4399 100644
+index c30da4c..f3e9b6d 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,52 +1,83 @@
+@@ -1,52 +1,85 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -85541,7 +85828,9 @@ index c30da4c..76e4399 100644
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
++
+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
++/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
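Review bot: `/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?` labels the hook directory and everything beneath it, not just regular files, with `virt_qemu_ga_unconfined_exec_t`, an entrypoint type that the virt.te hunks later in this patch transition into an unconfined domain; the parent `/usr/libexec/qemu-ga(/.*)?` line has the same shape, which is why a later hunk has to grant `virt_qemu_ga_exec_t:dir search_dir_perms`. Restricting both entries to regular files with the `--` modifier, as the qemu lines above do, e.g. `/usr/libexec/qemu-ga/fsfreeze-hook\.d/.* -- gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)`, would keep directories and stray data files out of the exec types (the directories would then fall to the generic /usr/libexec label, to be confirmed). The unescaped `.` in `fsfreeze-hook.d` also matches any character, unlike the escaped dots in the `\.service` entries. Since anything under that directory runs unconfined whenever the host requests a freeze, the label should only ever cover a root-owned, non-writable location.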
@@ -87230,7 +87519,7 @@ index 9dec06c..7877729 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..b70a2de 100644
+index 1f22fba..4d026c1 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -87436,45 +87725,50 @@ index 1f22fba..b70a2de 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -155,290 +165,124 @@ type virt_qmf_exec_t;
+@@ -155,290 +165,130 @@ type virt_qmf_exec_t;
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
type virt_bridgehelper_t;
-type virt_bridgehelper_exec_t;
domain_type(virt_bridgehelper_t)
--domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
++
++type virt_bridgehelper_exec_t;
+ domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-role virt_bridgehelper_roles types virt_bridgehelper_t;
++role system_r types virt_bridgehelper_t;
-type virtd_lxc_t;
-type virtd_lxc_exec_t;
-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-+type virt_bridgehelper_exec_t;
-+domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-+role system_r types virt_bridgehelper_t;
-
--type virtd_lxc_var_run_t;
--files_pid_file(virtd_lxc_var_run_t)
+# policy for qemu_ga
+type virt_qemu_ga_t;
+type virt_qemu_ga_exec_t;
+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
+-type virtd_lxc_var_run_t;
+-files_pid_file(virtd_lxc_var_run_t)
++type virt_qemu_ga_var_run_t;
++files_pid_file(virt_qemu_ga_var_run_t)
+
-type svirt_lxc_file_t;
-files_mountpoint(svirt_lxc_file_t)
-fs_noxattr_type(svirt_lxc_file_t)
-term_pty(svirt_lxc_file_t)
-+type virt_qemu_ga_var_run_t;
-+files_pid_file(virt_qemu_ga_var_run_t)
-
--virt_lxc_domain_template(svirt_lxc_net)
+type virt_qemu_ga_log_t;
+logging_log_file(virt_qemu_ga_log_t)
+-virt_lxc_domain_template(svirt_lxc_net)
++type virt_qemu_ga_tmp_t;
++files_tmp_file(virt_qemu_ga_tmp_t)
+
-type virsh_t;
-type virsh_exec_t;
-init_system_domain(virsh_t, virsh_exec_t)
-+type virt_qemu_ga_tmp_t;
-+files_tmp_file(virt_qemu_ga_tmp_t)
++type virt_qemu_ga_data_t;
++files_type(virt_qemu_ga_data_t)
++
++type virt_qemu_ga_unconfined_exec_t;
++application_executable_file(virt_qemu_ga_unconfined_exec_t)
########################################
#
@@ -87686,24 +87980,24 @@ index 1f22fba..b70a2de 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
--
--corenet_udp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
@@ -87799,7 +88093,7 @@ index 1f22fba..b70a2de 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +292,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +298,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -87845,7 +88139,7 @@ index 1f22fba..b70a2de 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +326,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +332,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -87855,18 +88149,18 @@ index 1f22fba..b70a2de 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +338,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +344,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -87874,7 +88168,7 @@ index 1f22fba..b70a2de 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +346,15 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +352,15 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -87901,7 +88195,7 @@ index 1f22fba..b70a2de 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +365,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +371,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -87930,7 +88224,7 @@ index 1f22fba..b70a2de 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +412,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +418,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -87950,20 +88244,20 @@ index 1f22fba..b70a2de 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +434,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +440,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
-userdom_read_all_users_state(virtd_t)
-+systemd_dbus_chat_logind(virtd_t)
-+systemd_write_inhibit_pipes(virtd_t)
-
+-
-ifdef(`hide_broken_symptoms',`
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
-')
--
++systemd_dbus_chat_logind(virtd_t)
++systemd_write_inhibit_pipes(virtd_t)
+
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virtd_t)
- fs_manage_fusefs_files(virtd_t)
@@ -87985,7 +88279,7 @@ index 1f22fba..b70a2de 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +460,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +466,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -87994,24 +88288,17 @@ index 1f22fba..b70a2de 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -653,100 +480,326 @@ optional_policy(`
- avahi_dbus_chat(virtd_t)
+@@ -658,95 +491,321 @@ optional_policy(`
')
-- optional_policy(`
-- consolekit_dbus_chat(virtd_t)
-- ')
-+ optional_policy(`
-+ consolekit_dbus_chat(virtd_t)
-+ ')
-+
-+ optional_policy(`
+ optional_policy(`
+- firewalld_dbus_chat(virtd_t)
+ hal_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(virtd_t)
-+ ')
+ ')
+')
+
+optional_policy(`
@@ -88193,10 +88480,7 @@ index 1f22fba..b70a2de 100644
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
-
-- optional_policy(`
-- firewalld_dbus_chat(virtd_t)
-- ')
++
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
@@ -88205,27 +88489,27 @@ index 1f22fba..b70a2de 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
-- optional_policy(`
-- hal_dbus_chat(virtd_t)
-- ')
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
- optional_policy(`
-- networkmanager_dbus_chat(virtd_t)
+- hal_dbus_chat(virtd_t)
- ')
+sysnet_read_config(virt_domain)
- optional_policy(`
-- policykit_dbus_chat(virtd_t)
+- networkmanager_dbus_chat(virtd_t)
- ')
+term_use_all_inherited_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
-+
+
+- optional_policy(`
+- policykit_dbus_chat(virtd_t)
+- ')
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
')
@@ -88374,7 +88658,7 @@ index 1f22fba..b70a2de 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +811,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +817,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88387,12 +88671,12 @@ index 1f22fba..b70a2de 100644
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-
-allow virsh_t svirt_lxc_domain:process transition;
+-
+-can_exec(virsh_t, virsh_exec_t)
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
--can_exec(virsh_t, virsh_exec_t)
--
-virt_domtrans(virsh_t)
-virt_manage_images(virsh_t)
-virt_manage_config(virsh_t)
@@ -88404,7 +88688,7 @@ index 1f22fba..b70a2de 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +830,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +836,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -88431,7 +88715,7 @@ index 1f22fba..b70a2de 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +850,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +856,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -88463,7 +88747,7 @@ index 1f22fba..b70a2de 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +883,20 @@ optional_policy(`
+@@ -847,14 +889,20 @@ optional_policy(`
')
optional_policy(`
@@ -88485,7 +88769,7 @@ index 1f22fba..b70a2de 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +921,44 @@ optional_policy(`
+@@ -879,34 +927,44 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -88539,7 +88823,7 @@ index 1f22fba..b70a2de 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +968,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +974,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -88557,7 +88841,7 @@ index 1f22fba..b70a2de 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +990,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +996,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -88568,7 +88852,7 @@ index 1f22fba..b70a2de 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +999,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1005,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -88576,7 +88860,7 @@ index 1f22fba..b70a2de 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1011,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1017,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -88595,7 +88879,7 @@ index 1f22fba..b70a2de 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1025,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1031,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -88640,7 +88924,7 @@ index 1f22fba..b70a2de 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1062,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1068,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -88667,7 +88951,7 @@ index 1f22fba..b70a2de 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1080,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1086,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88686,7 +88970,7 @@ index 1f22fba..b70a2de 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1099,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1105,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -88713,7 +88997,7 @@ index 1f22fba..b70a2de 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1124,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1130,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -88732,12 +89016,12 @@ index 1f22fba..b70a2de 100644
+ apache_exec_modules(svirt_lxc_domain)
+ apache_read_sys_content(svirt_lxc_domain)
+')
-+
+
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+')
-
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+optional_policy(`
+ ssh_use_ptys(svirt_lxc_net_t)
+')
@@ -88852,7 +89136,7 @@ index 1f22fba..b70a2de 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1222,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1228,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -88867,7 +89151,7 @@ index 1f22fba..b70a2de 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1240,8 @@ optional_policy(`
+@@ -1183,9 +1246,8 @@ optional_policy(`
########################################
#
@@ -88878,7 +89162,7 @@ index 1f22fba..b70a2de 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1254,85 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1260,114 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -88896,6 +89180,7 @@ index 1f22fba..b70a2de 100644
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
+
++allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
+can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
+
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
@@ -88906,6 +89191,9 @@ index 1f22fba..b70a2de 100644
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
+
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
++
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
+
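Review bot: `virt_qemu_ga_data_t` receives manage rights here, but none of the virt.fc hunks visible in this chunk assign that type to a path and no filetrans into it is added, so unless an entry exists elsewhere in the patch the type is never applied on disk and these two rules are dead. A virt.fc line for the agent's data directory (path to be confirmed against the qemu-ga package) or a `filetrans_pattern` from the directory the agent writes in would make the type reachable. The virt_qemu_ga_t rule block continues outside the hunk.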
@@ -88959,6 +89247,31 @@ index 1f22fba..b70a2de 100644
+
+#######################################
+#
++# qemu-ga unconfined hook script local policy
++#
++
++optional_policy(`
++ type virt_qemu_ga_unconfined_t;
++ domain_type(virt_qemu_ga_unconfined_t)
++
++ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
++ role system_r types virt_qemu_ga_unconfined_t;
++
++ domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
++
++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
++
++ init_domtrans_script(virt_qemu_ga_unconfined_t)
++
++ optional_policy(`
++ unconfined_domain(virt_qemu_ga_unconfined_t)
++ ')
++')
++
++#######################################
++#
+# tye for svirt sockets
+#
+
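Review bot: `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;` applies the file-class permission set to the dir class; since the line above already grants `search_dir_perms`, the intent looks like directory listing, so `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir list_dir_perms;` is the matching set. The larger point is undocumented: `unconfined_domain(virt_qemu_ga_unconfined_t)` makes every hook script fully unconfined, and the guest agent (virt_qemu_ga_t, which services requests arriving from the host side) enters that domain by executing anything labelled virt_qemu_ga_unconfined_exec_t, whose file-context entries are not in this patch. The block header should state that trust boundary so the labelling stays narrow, e.g. `# Hook scripts run unconfined: any file labelled virt_qemu_ga_unconfined_exec_t is executed by the guest agent with no confinement, so keep its file-context pattern as tight as possible.` Note also that the outer `optional_policy(`` carries no gen_require, so if the module supplying `unconfined_domain` is absent the inner optional drops out and virt_qemu_ga_unconfined_t is left with little beyond `init_domtrans_script` — presumably the intended fail-closed fallback, but worth confirming. virt_qemu_ga_unconfined_exec_t is referenced but not declared in this hunk, so its declaration must live elsewhere in the module; the surrounding policy continues past the hunk.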
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 27a30bda..24da2369 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 46%{?dist}
+Release: 47%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,64 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed May 29 2013 Miroslav Grepl 3.12.1-47
+- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
+- with the proper label.
+- Update files_filetrans_named_content() interface to get right labeling for pam.d conf files
+- Allow systemd-timedated to create adjtime
+- Add clock_create_adjtime()
+- Additional fix ifconfing for #966106
+- Allow kernel_t to create boot.log with correct labeling
+- Remove unconfined_mplayer for which we don't have rules
+- Rename interfaces
+- Add userdom_manage_user_home_files/dirs interfaces
+- Fix files_dontaudit_read_all_non_security_files
+- Fix ipsec_manage_key_file()
+- Fix ipsec_filetrans_key_file()
+- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
+- Fix labeling for ipse.secrets
+- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid
+- Add files_dontaudit_read_all_non_security_files() interface
+- /var/log/syslog-ng should be labeled var_log_t
+- Make ifconfig_var_run_t a mountpoint
+- Add transition from ifconfig to dnsmasq
+- Allow ifconfig to execute bin_t/shell_exec_t
+- We want to have hwdb.bin labeled as etc_t
+- update logging_filetrans_named_content() interface
+- Allow systemd_timedate_t to manage /etc/adjtime
+- Allow NM to send signals to l2tpd
+- Update antivirus_can_scan_system boolean
+- Allow devicekit_disk_t to sys_config_tty
+- Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories
+- Make printing from vmware working
+- Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes
+- Add virt_qemu_ga_data_t for qemu-ga
+- Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both
+- Fix typo in virt.te
+- Add virt_qemu_ga_unconfined_t for hook scripts
+- Make sure NetworkManager files get created with the correct label
+- Add mozilla_plugin_use_gps boolean
+- Fix cyrus to have support for net-snmp
+- Additional fixes for dnsmasq and quantum for #966106
+- Add plymouthd_create_log()
+- remove httpd_use_oddjob for which we don't have rules
+- Add missing rules for httpd_can_network_connect_cobbler
+- Add missing cluster_use_execmem boolean
+- Call userdom_manage_all_user_home_type_files/dirs
+- Additional fix for ftp_home_dir
+- Fix ftp_home_dir boolean
+- Allow squit to recv/send client squid packet
+- Fix nut.te to have nut_domain attribute
+- Add support for ejabberd; TODO: revisit jabberd and rabbit policy
+- Fix amanda policy
+- Add more fixes for domains which use libusb
+- Make domains which use libusb working correctly
+- Allow l2tpd to create ipsec key files with correct labeling and manage them
+- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files
+- Allow rabbitmq-beam to bind generic node
+- Allow l2tpd to read ipse-mgmt pid files
+- more fixes for l2tpd, NM and pppd from #967072
+
* Wed May 22 2013 Miroslav Grepl 3.12.1-46
- Dontaudit to getattr on dirs for dovecot-deliver
- Allow raiudusd server connect to postgresql socket