- Allow collectd to talk to libvirt

- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- Allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
This commit is contained in:
Miroslav Grepl 2014-03-17 08:59:51 +01:00
parent 3f9fe17186
commit 6337678e76
3 changed files with 275 additions and 198 deletions


@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..136b78e 100644
index b191055..11bfc30 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5515,11 +5515,12 @@ index b191055..136b78e 100644
network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
+network_port(conman, tcp,7890,s0, udp,7890,s0)
+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
+network_port(conman, tcp,7890,s0, udp,7890,s0)
+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
+network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
@ -13159,7 +13160,7 @@ index f962f76..ae94e80 100644
+ allow $1 etc_t:service status;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..dfcd2ad 100644
index 1a03abd..32a40f8 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@ -13179,7 +13180,7 @@ index 1a03abd..dfcd2ad 100644
# For labeling types that are to be polyinstantiated
attribute polydir;
@@ -48,47 +52,55 @@ attribute usercanread;
@@ -48,47 +52,53 @@ attribute usercanread;
#
type boot_t;
files_mountpoint(boot_t)
@ -13223,12 +13224,11 @@ index 1a03abd..dfcd2ad 100644
# generated during initialization.
#
-type etc_runtime_t;
+type etc_runtime_t, configfile;
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
#
-files_type(etc_runtime_t)
-#Temporarily in policy until FC5 dissappears
-typealias etc_runtime_t alias firstboot_rw_t;
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
@ -13237,8 +13237,10 @@ index 1a03abd..dfcd2ad 100644
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
-#
+type etc_runtime_t, configfile;
+files_ro_base_file(etc_runtime_t)
#
# home_root_t is the type for the directory where user home directories
# are created
#
@ -13247,7 +13249,7 @@ index 1a03abd..dfcd2ad 100644
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
@@ -96,12 +108,13 @@ files_poly_parent(home_root_t)
@@ -96,12 +106,13 @@ files_poly_parent(home_root_t)
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
@ -13262,7 +13264,7 @@ index 1a03abd..dfcd2ad 100644
files_mountpoint(mnt_t)
#
@@ -123,6 +136,7 @@ files_type(readable_t)
@@ -123,6 +134,7 @@ files_type(readable_t)
# root_t is the type for rootfs and the root directory.
#
type root_t;
@ -13270,7 +13272,7 @@ index 1a03abd..dfcd2ad 100644
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
@@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type src_t;
files_mountpoint(src_t)
@ -13325,7 +13327,7 @@ index 1a03abd..dfcd2ad 100644
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)
@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t)
@@ -180,6 +201,7 @@ files_mountpoint(var_lock_t)
# used for pid and other runtime files.
#
type var_run_t;
@ -13333,7 +13335,7 @@ index 1a03abd..dfcd2ad 100644
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
@@ -187,7 +211,9 @@ files_mountpoint(var_run_t)
@@ -187,7 +209,9 @@ files_mountpoint(var_run_t)
# var_spool_t is the type of /var/spool
#
type var_spool_t;
@ -13343,7 +13345,7 @@ index 1a03abd..dfcd2ad 100644
########################################
#
@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile)
@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile)
#
# Create/access any file in a labeled filesystem;
@ -24413,7 +24415,7 @@ index 6bf0ecc..bf98136 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..c52fbe6 100644
index 8b40377..95dde04 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -24621,7 +24623,7 @@ index 8b40377..c52fbe6 100644
userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
@@ -226,21 +288,33 @@ optional_policy(`
@@ -226,21 +288,35 @@ optional_policy(`
#
allow iceauth_t iceauth_home_t:file manage_file_perms;
@ -24642,6 +24644,10 @@ index 8b40377..c52fbe6 100644
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(iceauth_t)
-')
+xserver_filetrans_home_content(iceauth_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(iceauth_t)
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_read_urand(iceauth_t)
+ dev_dontaudit_rw_dri(iceauth_t)
@ -24649,9 +24655,7 @@ index 8b40377..c52fbe6 100644
+ fs_dontaudit_list_inotifyfs(iceauth_t)
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(iceauth_t)
+
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
@ -24662,7 +24666,7 @@ index 8b40377..c52fbe6 100644
')
########################################
@@ -248,48 +322,89 @@ tunable_policy(`use_samba_home_dirs',`
@@ -248,48 +324,90 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@ -24725,6 +24729,7 @@ index 8b40377..c52fbe6 100644
+userdom_use_inherited_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
@ -24763,7 +24768,7 @@ index 8b40377..c52fbe6 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
@@ -300,64 +415,109 @@ optional_policy(`
@@ -300,64 +418,109 @@ optional_policy(`
# XDM Local policy
#
@ -24791,10 +24796,10 @@ index 8b40377..c52fbe6 100644
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
+allow xdm_t self:dbus { send_msg acquire_svc };
+
+allow xdm_t xauth_home_t:file manage_file_perms;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xauth_home_t:file manage_file_perms;
+
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@ -24883,7 +24888,7 @@ index 8b40377..c52fbe6 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -366,20 +529,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@ -24916,7 +24921,7 @@ index 8b40377..c52fbe6 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
@@ -389,38 +562,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@ -24970,7 +24975,7 @@ index 8b40377..c52fbe6 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
@@ -431,9 +612,28 @@ files_list_mnt(xdm_t)
@@ -431,9 +615,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -24999,7 +25004,7 @@ index 8b40377..c52fbe6 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
@@ -442,28 +645,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -25048,7 +25053,7 @@ index 8b40377..c52fbe6 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -472,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t)
@@ -472,24 +692,149 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -25204,7 +25209,7 @@ index 8b40377..c52fbe6 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -503,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',`
@@ -503,11 +848,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@ -25231,7 +25236,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
@@ -517,9 +874,34 @@ optional_policy(`
@@ -517,9 +877,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@ -25239,17 +25244,17 @@ index 8b40377..c52fbe6 100644
+ optional_policy(`
+ accountsd_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
optional_policy(`
- accountsd_dbus_chat(xdm_t)
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ cpufreqselector_dbus_chat(xdm_t)
+ ')
optional_policy(`
- accountsd_dbus_chat(xdm_t)
+
+ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
@ -25267,7 +25272,7 @@ index 8b40377..c52fbe6 100644
')
')
@@ -530,6 +912,20 @@ optional_policy(`
@@ -530,6 +915,20 @@ optional_policy(`
')
optional_policy(`
@ -25288,7 +25293,7 @@ index 8b40377..c52fbe6 100644
hostname_exec(xdm_t)
')
@@ -547,28 +943,78 @@ optional_policy(`
@@ -547,28 +946,78 @@ optional_policy(`
')
optional_policy(`
@ -25376,7 +25381,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
@@ -580,6 +1026,14 @@ optional_policy(`
@@ -580,6 +1029,14 @@ optional_policy(`
')
optional_policy(`
@ -25391,7 +25396,7 @@ index 8b40377..c52fbe6 100644
xfs_stream_connect(xdm_t)
')
@@ -594,7 +1048,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
@@ -594,7 +1051,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -25400,7 +25405,7 @@ index 8b40377..c52fbe6 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -604,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send;
@@ -604,8 +1061,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -25413,7 +25418,7 @@ index 8b40377..c52fbe6 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -618,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -618,8 +1078,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -25429,7 +25434,7 @@ index 8b40377..c52fbe6 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -627,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -627,6 +1094,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -25440,7 +25445,7 @@ index 8b40377..c52fbe6 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -638,25 +1106,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -638,25 +1109,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -25477,7 +25482,7 @@ index 8b40377..c52fbe6 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
@@ -677,23 +1152,28 @@ dev_rw_apm_bios(xserver_t)
@@ -677,23 +1155,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -25509,7 +25514,7 @@ index 8b40377..c52fbe6 100644
# brought on by rhgb
files_search_mnt(xserver_t)
@@ -705,6 +1185,14 @@ fs_search_nfs(xserver_t)
@@ -705,6 +1188,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -25524,7 +25529,7 @@ index 8b40377..c52fbe6 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
@@ -718,20 +1206,18 @@ init_getpgid(xserver_t)
@@ -718,20 +1209,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@ -25548,7 +25553,7 @@ index 8b40377..c52fbe6 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
@@ -739,8 +1228,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@ -25557,7 +25562,7 @@ index 8b40377..c52fbe6 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
@@ -785,17 +1269,44 @@ optional_policy(`
@@ -785,17 +1272,44 @@ optional_policy(`
')
optional_policy(`
@ -25604,7 +25609,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
@@ -803,6 +1314,10 @@ optional_policy(`
@@ -803,6 +1317,10 @@ optional_policy(`
')
optional_policy(`
@ -25615,7 +25620,7 @@ index 8b40377..c52fbe6 100644
xfs_stream_connect(xserver_t)
')
@@ -818,10 +1333,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -818,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -25629,7 +25634,7 @@ index 8b40377..c52fbe6 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1344,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -829,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@ -25638,7 +25643,7 @@ index 8b40377..c52fbe6 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@@ -842,26 +1357,21 @@ init_use_fds(xserver_t)
@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -25673,7 +25678,7 @@ index 8b40377..c52fbe6 100644
')
optional_policy(`
@@ -912,7 +1422,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -25682,7 +25687,7 @@ index 8b40377..c52fbe6 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -966,11 +1476,31 @@ allow x_domain self:x_resource { read write };
@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -25714,7 +25719,7 @@ index 8b40377..c52fbe6 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@@ -992,18 +1522,150 @@ tunable_policy(`! xserver_object_manager',`
@@ -992,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@ -34949,7 +34954,7 @@ index a38605e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4584457..fb1c881 100644
index 4584457..c2ae1ea 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@ -34974,7 +34979,7 @@ index 4584457..fb1c881 100644
')
mount_domtrans($1)
@@ -47,6 +55,92 @@ interface(`mount_run',`
@@ -47,6 +55,110 @@ interface(`mount_run',`
########################################
## <summary>
@ -35043,6 +35048,24 @@ index 4584457..fb1c881 100644
+ files_search_pids($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attemps to write mount PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mount_dontaudit_write_mount_pid',`
+ gen_require(`
+ type mount_var_run_t;
+ ')
+
+ dontaudit $1 mount_var_run_t:file write;
+')
+
+########################################
+## <summary>
+## Manage mount PID files.
@ -35067,7 +35090,7 @@ index 4584457..fb1c881 100644
## Execute mount in the caller domain.
## </summary>
## <param name="domain">
@@ -91,7 +185,7 @@ interface(`mount_signal',`
@@ -91,7 +203,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
@ -35076,7 +35099,7 @@ index 4584457..fb1c881 100644
## </summary>
## </param>
#
@@ -131,45 +225,184 @@ interface(`mount_send_nfs_client_request',`
@@ -131,45 +243,184 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
@ -35142,15 +35165,12 @@ index 4584457..fb1c881 100644
#
-interface(`mount_run_unconfined',`
+interface(`mount_exec_fusermount',`
gen_require(`
- type unconfined_mount_t;
+ gen_require(`
+ type fusermount_exec_t;
')
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
+ ')
+
+ can_exec($1, fusermount_exec_t)
')
+')
+
+########################################
+## <summary>
@ -35163,12 +35183,15 @@ index 4584457..fb1c881 100644
+## </param>
+#
+interface(`mount_dontaudit_exec_fusermount',`
+ gen_require(`
gen_require(`
- type unconfined_mount_t;
+ type fusermount_exec_t;
+ ')
+
')
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
')
+
+######################################
+## <summary>
@ -39676,10 +39699,10 @@ index 0000000..8bca1d7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..188a153
index 0000000..ca13b14
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,677 @@
@@ -0,0 +1,680 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -39776,6 +39799,9 @@ index 0000000..188a153
+mls_file_read_all_levels(systemd_logind_t)
+mls_file_write_all_levels(systemd_logind_t)
+
+fs_mount_tmpfs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
@ -39861,8 +39887,8 @@ index 0000000..188a153
+
+userdom_read_all_users_state(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
+userdom_manage_all_user_tmp_content(systemd_logind_t)
+userdom_manage_all_user_tmpfs_content(systemd_logind_t)
+userdom_manage_tmp_role(system_r, systemd_logind_t)
+userdom_manage_tmpfs_role(system_r, systemd_logind_t)
+
+xserver_dbus_chat(systemd_logind_t)
+
@ -41487,10 +41513,10 @@ index 5ca20a9..e749152 100644
+ corecmd_bin_domtrans($1, unconfined_service_t)
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902d..9382e97 100644
index 5fe902d..fcc9efe 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,207 +1,16 @@
@@ -1,207 +1,20 @@
-policy_module(unconfined, 3.5.1)
+policy_module(unconfined, 3.5.0)
@ -41700,12 +41726,13 @@ index 5fe902d..9382e97 100644
-
-allow unconfined_execmem_t self:process { execstack execmem };
-unconfined_domain_noaudit(unconfined_execmem_t)
-
-optional_policy(`
- unconfined_dbus_chat(unconfined_execmem_t)
-')
+corecmd_bin_entry_type(unconfined_service_t)
+corecmd_shell_entry_type(unconfined_service_t)
optional_policy(`
- unconfined_dbus_chat(unconfined_execmem_t)
+ rpm_transition_script(unconfined_service_t, system_r)
')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..e4eb903 100644
--- a/policy/modules/system/userdomain.fc
@ -41737,7 +41764,7 @@ index db75976..e4eb903 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..428fe58 100644
index 9dc60c6..858bd7a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -42230,7 +42257,7 @@ index 9dc60c6..428fe58 100644
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file manage_file_perms;
+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+')
+
+#######################################
@ -42286,11 +42313,11 @@ index 9dc60c6..428fe58 100644
- gen_require(`
- type $1_t;
- ')
+interface(`userdom_basic_networking',`
-
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-
+interface(`userdom_basic_networking',`
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
@ -42382,27 +42409,27 @@ index 9dc60c6..428fe58 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
-
- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
- corenet_udp_bind_generic_node($1_t)
- corenet_udp_bind_generic_port($1_t)
- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
- corenet_udp_bind_generic_node($1_t)
- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@ -42426,12 +42453,12 @@ index 9dc60c6..428fe58 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
- fs_rw_cgroup_files($1_t)
+
+ application_getattr_socket($1_usertype)
+
+ logging_send_syslog_msg($1_t)
+
- fs_rw_cgroup_files($1_t)
+ selinux_get_enforce_mode($1_t)
# cjp: some of this probably can be removed
@ -42537,68 +42564,68 @@ index 9dc60c6..428fe58 100644
+
+ optional_policy(`
+ geoclue_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfdefault($1_usertype)
+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
+ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- consolekit_dbus_chat($1_t)
+ hal_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
- consolekit_dbus_chat($1_t)
+ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
- cups_dbus_chat_config($1_t)
+ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
- hal_dbus_chat($1_t)
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_lib_files($1_usertype)
')
optional_policy(`
- policykit_dbus_chat($1_t)
- networkmanager_dbus_chat($1_t)
+ policykit_dbus_chat($1_usertype)
')
+
+ optional_policy(`
optional_policy(`
- policykit_dbus_chat($1_t)
+ vpn_dbus_chat($1_usertype)
+ ')
+ ')
+
+ optional_policy(`
+ git_role($1_r, $1_t)
')
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
+ git_role($1_r, $1_t)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- kerberos_manage_krb5_home_files($1_t)
- kerberos_relabel_krb5_home_files($1_t)
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
+ ')
+
+ optional_policy(`
+ lircd_stream_connect($1_usertype)
')
@ -42660,35 +42687,27 @@ index 9dc60c6..428fe58 100644
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ ')
+
+ optional_policy(`
+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
+ samba_stream_connect_winbind($1_usertype)
+ rpc_dontaudit_getattr_exports($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
+ sandbox_transition($1_usertype, $1_r)
+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
+ seunshare_role_template($1, $1_r, $1_t)
+ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
+ slrnpull_search_spool($1_usertype)
+ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
@ -42697,6 +42716,14 @@ index 9dc60c6..428fe58 100644
- virt_home_filetrans_virt_content($1_t, dir, "isos")
- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
+ seunshare_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
+ ')
+
+ optional_policy(`
+ thumb_role($1_r, $1_usertype)
')
')
@ -42721,7 +42748,9 @@ index 9dc60c6..428fe58 100644
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
+
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@ -42729,9 +42758,7 @@ index 9dc60c6..428fe58 100644
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
+
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@ -43138,16 +43165,16 @@ index 9dc60c6..428fe58 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@ -44391,7 +44418,7 @@ index 9dc60c6..428fe58 100644
')
########################################
@@ -3214,31 +3977,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3214,30 +3977,48 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@ -44424,7 +44451,6 @@ index 9dc60c6..428fe58 100644
########################################
## <summary>
-## Do not audit attempts to relabel files from
-## user pty types.
+## Relabel files to unprivileged user pty types.
+## </summary>
+## <param name="domain">
@ -44444,10 +44470,9 @@ index 9dc60c6..428fe58 100644
+########################################
+## <summary>
+## Do not audit attempts to relabel files from
+## user pty types.
## user pty types.
## </summary>
## <param name="domain">
## <summary>
@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -46300,7 +46325,7 @@ index 9dc60c6..428fe58 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f4ac38d..711759c 100644
index f4ac38d..7283238 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@ -46389,7 +46414,7 @@ index f4ac38d..711759c 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
@@ -70,26 +83,384 @@ ubac_constrained(user_home_dir_t)
@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -46456,6 +46481,8 @@ index f4ac38d..711759c 100644
+dontaudit unpriv_userdomain self:dir setattr;
+allow unpriv_userdomain self:key manage_key_perms;
+
+mount_dontaudit_write_mount_pid(unpriv_userdomain)
+
+optional_policy(`
+ alsa_read_rw_config(unpriv_userdomain)
+ alsa_manage_home_files(unpriv_userdomain)


@ -11316,10 +11316,10 @@ index 0000000..57866f6
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 0000000..8ea5b7c
index 0000000..a0fdbcb
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,133 @@
@@ -0,0 +1,136 @@
+
+## <summary>policy for chrome</summary>
+
@ -11343,6 +11343,9 @@ index 0000000..8ea5b7c
+
+ allow $1 chrome_sandbox_t:fd use;
+
+ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
+ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
+
+ ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
@ -13273,7 +13276,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8..26584f2 100644
index 6471fa8..36c3464 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t)
@ -13342,7 +13345,7 @@ index 6471fa8..26584f2 100644
logging_send_syslog_msg(collectd_t)
@@ -75,16 +90,30 @@ tunable_policy(`collectd_tcp_network_connect',`
@@ -75,16 +90,31 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
@ -13355,6 +13358,7 @@ index 6471fa8..26584f2 100644
+
+optional_policy(`
virt_read_config(collectd_t)
+ virt_stream_connect(collectd_t)
')
########################################
@ -16650,7 +16654,7 @@ index 1303b30..72481a7 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
index 7de3859..23baf47 100644
index 7de3859..24f2712 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(`
@ -16724,7 +16728,7 @@ index 7de3859..23baf47 100644
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
@@ -92,15 +95,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
@@ -92,15 +95,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@ -16739,12 +16743,13 @@ index 7de3859..23baf47 100644
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+corecmd_bin_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -108,94 +112,34 @@ files_lock_file(system_cronjob_lock_t)
@@ -108,94 +113,34 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
@ -16851,7 +16856,7 @@ index 7de3859..23baf47 100644
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t)
@@ -204,22 +149,26 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
@ -16881,7 +16886,7 @@ index 7de3859..23baf47 100644
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +175,7 @@ allow crond_t self:msg { send receive };
@@ -227,7 +176,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
@ -16890,7 +16895,7 @@ index 7de3859..23baf47 100644
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
@@ -237,73 +185,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
@@ -237,73 +186,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@ -16994,7 +16999,7 @@ index 7de3859..23baf47 100644
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
@@ -312,41 +255,46 @@ logging_set_loginuid(crond_t)
@@ -312,41 +256,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@ -17057,7 +17062,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
@@ -354,103 +302,135 @@ optional_policy(`
@@ -354,103 +303,135 @@ optional_policy(`
')
optional_policy(`
@ -17224,7 +17229,7 @@ index 7de3859..23baf47 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
@@ -461,11 +441,11 @@ kernel_read_network_state(system_cronjob_t)
@@ -461,11 +442,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@ -17237,7 +17242,7 @@ index 7de3859..23baf47 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -485,6 +465,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
@@ -485,6 +466,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@ -17245,7 +17250,7 @@ index 7de3859..23baf47 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
@@ -495,17 +476,22 @@ files_getattr_all_files(system_cronjob_t)
@@ -495,17 +477,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@ -17270,7 +17275,7 @@ index 7de3859..23baf47 100644
auth_use_nsswitch(system_cronjob_t)
@@ -516,20 +502,26 @@ logging_read_generic_logs(system_cronjob_t)
@@ -516,20 +503,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@ -17300,7 +17305,7 @@ index 7de3859..23baf47 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
@@ -539,10 +531,18 @@ tunable_policy(`cron_can_relabel',`
@@ -539,10 +532,18 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@ -17319,7 +17324,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
@@ -551,10 +551,6 @@ optional_policy(`
@@ -551,10 +552,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@ -17330,7 +17335,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
@@ -591,6 +587,7 @@ optional_policy(`
@@ -591,6 +588,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@ -17338,7 +17343,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
@@ -598,7 +595,23 @@ optional_policy(`
@@ -598,7 +596,23 @@ optional_policy(`
')
optional_policy(`
@ -17362,7 +17367,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
@@ -608,6 +621,7 @@ optional_policy(`
@@ -608,6 +622,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@ -17370,7 +17375,7 @@ index 7de3859..23baf47 100644
')
optional_policy(`
@@ -615,12 +629,24 @@ optional_policy(`
@@ -615,12 +630,24 @@ optional_policy(`
')
optional_policy(`
@ -17397,7 +17402,7 @@ index 7de3859..23baf47 100644
#
allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +654,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
@@ -628,12 +655,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@ -17431,7 +17436,7 @@ index 7de3859..23baf47 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +687,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
@@ -641,66 +688,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@ -18130,7 +18135,7 @@ index 949011e..afe482b 100644
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
index 3023be7..20e370b 100644
index 3023be7..303af85 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@ -18207,7 +18212,7 @@ index 3023be7..20e370b 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -368,13 +399,44 @@ interface(`cups_admin',`
@@ -368,13 +399,45 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
@ -18256,6 +18261,7 @@ index 3023be7..20e370b 100644
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
index c91813c..2230476 100644
@ -23932,7 +23938,7 @@ index c880070..4448055 100644
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
index d5badb7..f439164 100644
index d5badb7..c2431fc 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
@ -24059,7 +24065,7 @@ index d5badb7..f439164 100644
## </summary>
## <param name="domain">
## <summary>
@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',`
@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
allow $1 dovecot_tmp_t:file write;
')
@ -24079,6 +24085,7 @@ index d5badb7..f439164 100644
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
+ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
+')
+
@ -24091,7 +24098,7 @@ index d5badb7..f439164 100644
## </summary>
## <param name="domain">
## <summary>
@@ -132,7 +167,7 @@ interface(`dovecot_write_inherited_tmp_files',`
@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',`
## </param>
## <param name="role">
## <summary>
@ -24100,7 +24107,7 @@ index d5badb7..f439164 100644
## </summary>
## </param>
## <rolecap/>
@@ -146,9 +181,13 @@ interface(`dovecot_admin',`
@@ -146,9 +182,13 @@ interface(`dovecot_admin',`
type dovecot_keytab_t;
')
@ -24115,7 +24122,7 @@ index d5badb7..f439164 100644
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dovecot_initrc_exec_t system_r;
@@ -157,20 +196,25 @@ interface(`dovecot_admin',`
@@ -157,20 +197,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
@ -30767,7 +30774,7 @@ index ab09d61..d0bfef0 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
index 63893eb..e9adc23 100644
index 63893eb..8720f49 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@ -30806,7 +30813,7 @@ index 63893eb..e9adc23 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
@@ -31,105 +50,226 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
role gconfd_roles types gconfd_t;
@ -31034,6 +31041,7 @@ index 63893eb..e9adc23 100644
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
-kernel_read_system_state(gkeyringd_domain)
@ -43487,10 +43495,10 @@ index 0000000..b694afc
+')
+
diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2..7128926 100644
index 6ffaba2..549fb8c 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,71 @@
@@ -1,38 +1,72 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@ -43514,6 +43522,7 @@ index 6ffaba2..7128926 100644
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@ -43597,7 +43606,7 @@ index 6ffaba2..7128926 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b80..03c6414 100644
index 6194b80..cafb2b0 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -44308,7 +44317,7 @@ index 6194b80..03c6414 100644
## </summary>
## <param name="domain">
## <summary>
@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@ -44386,6 +44395,7 @@ index 6194b80..03c6414 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
+ optional_policy(`
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
+ ')
')
+
@ -84729,10 +84739,10 @@ index 0000000..3258f45
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..01ff0ea
index 0000000..956922c
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,496 @@
@@ -0,0 +1,500 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@ -84947,6 +84957,10 @@ index 0000000..01ff0ea
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
+ bluetooth_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(sandbox_x_domain)
+')
+
@ -89257,7 +89271,7 @@ index 7d86b34..5f58180 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
index 1af72df..f63015b 100644
index 1af72df..7e55b50 100644
--- a/snort.te
+++ b/snort.te
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
@ -89275,7 +89289,18 @@ index 1af72df..f63015b 100644
allow snort_t self:netlink_firewall_socket create_socket_perms;
allow snort_t snort_etc_t:dir list_dir_perms;
@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t)
@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms;
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-append_files_pattern(snort_t, snort_log_t, snort_log_t)
-create_files_pattern(snort_t, snort_log_t, snort_log_t)
-setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
+manage_files_pattern(snort_t, snort_log_t, snort_log_t)
logging_log_filetrans(snort_t, snort_log_t, { file dir })
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
kernel_dontaudit_read_system_state(snort_t)
kernel_read_network_state(snort_t)
@ -89283,7 +89308,7 @@ index 1af72df..f63015b 100644
corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t)
@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
@ -101913,10 +101938,10 @@ index 0000000..7933d80
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
index 0000000..5ce7d9c
index 0000000..d59b917
--- /dev/null
+++ b/vmtools.te
@@ -0,0 +1,89 @@
@@ -0,0 +1,94 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@ -102006,6 +102031,11 @@ index 0000000..5ce7d9c
+corecmd_exec_bin(vmtools_helper_t)
+
+userdom_stream_connect(vmtools_helper_t)
+
+optional_policy(`
+ unconfined_domain(vmtools_helper_t)
+')
+
diff --git a/vmware.if b/vmware.if
index 20a1fb2..470ea95 100644
--- a/vmware.if
@ -102295,7 +102325,7 @@ index 7a7f342..afedcba 100644
## <param name="domain">
## <summary>
diff --git a/vpn.te b/vpn.te
index 95b26d1..28e0030 100644
index 95b26d1..3d74e70 100644
--- a/vpn.te
+++ b/vpn.te
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
@ -102407,7 +102437,7 @@ index 95b26d1..28e0030 100644
-
-optional_policy(`
- seutil_use_newrole_fds(vpnc_t)
+ networkmanager_delete_pid_files(vpnc_t)
+ networkmanager_manage_pid_files(vpnc_t)
')
diff --git a/w3c.fc b/w3c.fc
index 463c799..227feaf 100644
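Review bot: In the snort.te hunk, replacing `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` on snort_log_t with `manage_files_pattern(snort_t, snort_log_t, snort_log_t)` also grants write, unlink and rename on existing log files, so a compromised snort_t could truncate or delete its own IDS logs where the previous rules only permitted appending. If the denials behind this change were for a single permission (rename during log rotation, say), the narrower fix is to add just that rule, e.g. `allow snort_t snort_log_t:file rename;`, and keep the append-only pattern. If the full set really is required, a one-line comment above the rule stating why snort needs overwrite and delete on its logs would help the next reviewer weigh the loss of tamper-evidence. The surrounding snort_t rules begin and end outside this hunk, and the same "append-only was intentional" consideration applies to any other log type this patch widens.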


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 36%{?dist}
Release: 37%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -580,6 +580,26 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-37
- Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
* Fri Mar 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-36
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t