- Allow lvm_t to create default targets for filesystem handling

- Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setschedule - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys fo - Allow cobbler to execute apache with domain transition
2013-06-24 23:12:23 +02:00 · 2013-06-24 23:12:23 +02:00 · 634d39b171
commit 634d39b171
parent 82acdf3079
4 changed files with 648 additions and 176 deletions
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -2236,3 +2236,10 @@ pki = module
 # policy for smsd
 #
 smsd = module
+
+# Layer: contrib
+# Module: pesign
+#
+# policy for pesign
+#
+pesign = module
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -2373,7 +2373,7 @@ index 99e3903..7270808 100644
 
 ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..4065a9a 100644
+index d555767..ce0c1b4 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@ -2413,7 +2413,7 @@ index d555767..4065a9a 100644
 
 type crack_t;
 type crack_exec_t;
-@@ -42,18 +43,21 @@ type groupadd_t;
+@@ -42,18 +43,22 @@ type groupadd_t;
 type groupadd_exec_t;
 domain_obj_id_change_exemption(groupadd_t)
 init_system_domain(groupadd_t, groupadd_exec_t)
@ -2424,6 +2424,7 @@ index d555767..4065a9a 100644
 type passwd_t;
 type passwd_exec_t;
 domain_obj_id_change_exemption(passwd_t)
+domain_system_change_exemption(passwd_t)
 application_domain(passwd_t, passwd_exec_t)
 -role passwd_roles types passwd_t;
 +#role passwd_roles types passwd_t;
@ -2438,7 +2439,7 @@ index d555767..4065a9a 100644
 
 type sysadm_passwd_tmp_t;
 files_tmp_file(sysadm_passwd_tmp_t)
-@@ -61,8 +65,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
+@@ -61,8 +66,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
 type useradd_t;
 type useradd_exec_t;
 domain_obj_id_change_exemption(useradd_t)
@ -2453,7 +2454,7 @@ index d555767..4065a9a 100644
 
 ########################################
 #
-@@ -86,6 +95,7 @@ allow chfn_t self:unix_stream_socket connectto;
+@@ -86,6 +96,7 @@ allow chfn_t self:unix_stream_socket connectto;
 
 kernel_read_system_state(chfn_t)
 kernel_read_kernel_sysctls(chfn_t)
@ -2461,7 +2462,7 @@ index d555767..4065a9a 100644
 
 selinux_get_fs_mount(chfn_t)
 selinux_validate_context(chfn_t)
-@@ -94,25 +104,29 @@ selinux_compute_create_context(chfn_t)
+@@ -94,25 +105,29 @@ selinux_compute_create_context(chfn_t)
 selinux_compute_relabel_context(chfn_t)
 selinux_compute_user_contexts(chfn_t)
 
@ -2497,7 +2498,7 @@ index d555767..4065a9a 100644
 files_read_etc_runtime_files(chfn_t)
 files_dontaudit_search_var(chfn_t)
 files_dontaudit_search_home(chfn_t)
-@@ -120,19 +134,29 @@ files_dontaudit_search_home(chfn_t)
+@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t)
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(chfn_t)
@ -2530,7 +2531,7 @@ index d555767..4065a9a 100644
 ########################################
 #
 # Crack local policy
-@@ -209,8 +233,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t)
 selinux_compute_relabel_context(groupadd_t)
 selinux_compute_user_contexts(groupadd_t)
 
@ -2541,7 +2542,7 @@ index d555767..4065a9a 100644
 
 init_use_fds(groupadd_t)
 init_read_utmp(groupadd_t)
-@@ -218,8 +242,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t)
 
 domain_use_interactive_fds(groupadd_t)
 
@ -2551,7 +2552,7 @@ index d555767..4065a9a 100644
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
-@@ -229,14 +253,15 @@ corecmd_exec_bin(groupadd_t)
+@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t)
 logging_send_audit_msgs(groupadd_t)
 logging_send_syslog_msg(groupadd_t)
 
@ -2570,7 +2571,7 @@ index d555767..4065a9a 100644
 auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
-@@ -253,7 +278,8 @@ optional_policy(`
+@@ -253,7 +279,8 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -2580,7 +2581,7 @@ index d555767..4065a9a 100644
 ')
 
 optional_policy(`
-@@ -285,6 +311,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
 allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
 allow passwd_t self:msg { send receive };
@ -2588,7 +2589,7 @@ index d555767..4065a9a 100644
 
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -293,6 +320,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
 
 # for SSP
 dev_read_urand(passwd_t)
@ -2596,7 +2597,7 @@ index d555767..4065a9a 100644
 
 fs_getattr_xattr_fs(passwd_t)
 fs_search_auto_mountpoints(passwd_t)
-@@ -307,26 +335,38 @@ selinux_compute_create_context(passwd_t)
+@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
@ -2640,7 +2641,7 @@ index d555767..4065a9a 100644
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
-@@ -335,12 +375,11 @@ init_use_fds(passwd_t)
+@@ -335,12 +376,11 @@ init_use_fds(passwd_t)
 logging_send_audit_msgs(passwd_t)
 logging_send_syslog_msg(passwd_t)
 
@ -2654,7 +2655,7 @@ index d555767..4065a9a 100644
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
-@@ -349,9 +388,15 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +389,15 @@ userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
@ -2671,7 +2672,7 @@ index d555767..4065a9a 100644
 ')
 
 ########################################
-@@ -398,9 +443,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +444,10 @@ dev_read_urand(sysadm_passwd_t)
 fs_getattr_xattr_fs(sysadm_passwd_t)
 fs_search_auto_mountpoints(sysadm_passwd_t)
 
@ -2684,7 +2685,7 @@ index d555767..4065a9a 100644
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +459,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t)
 
 domain_use_interactive_fds(sysadm_passwd_t)
 
@ -2692,7 +2693,7 @@ index d555767..4065a9a 100644
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
-@@ -423,19 +468,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +469,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(sysadm_passwd_t)
 
@ -2714,7 +2715,7 @@ index d555767..4065a9a 100644
 ')
 
 ########################################
-@@ -443,7 +486,8 @@ optional_policy(`
+@@ -443,7 +487,8 @@ optional_policy(`
 # Useradd local policy
 #
 
@ -2724,7 +2725,7 @@ index d555767..4065a9a 100644
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
-@@ -458,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -458,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
 
@ -2735,7 +2736,7 @@ index d555767..4065a9a 100644
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
 
-@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +514,36 @@ corecmd_exec_shell(useradd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
 
@ -2784,7 +2785,7 @@ index d555767..4065a9a 100644
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
 auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +554,36 @@ init_rw_utmp(useradd_t)
 logging_send_audit_msgs(useradd_t)
 logging_send_syslog_msg(useradd_t)
 
@ -2835,7 +2836,7 @@ index d555767..4065a9a 100644
 optional_policy(`
 	apache_manage_all_user_content(useradd_t)
 ')
-@@ -542,7 +593,12 @@ optional_policy(`
+@@ -542,7 +594,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -2849,7 +2850,7 @@ index d555767..4065a9a 100644
 ')
 
 optional_policy(`
-@@ -550,6 +606,11 @@ optional_policy(`
+@@ -550,6 +607,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -2861,7 +2862,7 @@ index d555767..4065a9a 100644
 	tunable_policy(`samba_domain_controller',`
 		samba_append_log(useradd_t)
 	')
-@@ -559,3 +620,12 @@ optional_policy(`
+@@ -559,3 +621,12 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
@ -12254,16 +12255,17 @@ index 148d87a..822f6be 100644
 	allow files_unconfined_type file_type:file execmod;
 ')
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..3035829 100644
+index cda5588..924f856 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,12 @@
+-/cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
+-/cgroup/.*			<<none>>
 +# ecryptfs does not support xattr
 +HOME_DIR/\.ecryptfs(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
 +HOME_DIR/\.Private(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
 +
- /cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
- /cgroup/.*			<<none>>
+/cgroup(/.*)?			gen_context(system_u:object_r:cgroup_t,s0)
 
 /dev/hugepages		-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 /dev/hugepages(/.*)?		<<none>>
@ -12272,10 +12274,13 @@ index cda5588..3035829 100644
 /dev/shm/.*			<<none>>
 
 /lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
-@@ -14,3 +18,10 @@
+@@ -12,5 +15,11 @@
+ /lib/udev/devices/shm/.*	<<none>>
+ 
 # for systemd systems:
- /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
- /sys/fs/cgroup/.*		<<none>>
+-/sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
+-/sys/fs/cgroup/.*		<<none>>
+/sys/fs/cgroup(/.*)?		gen_context(system_u:object_r:cgroup_t,s0)
 +
 +/usr/lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/usr/lib/udev/devices/hugepages/.*	<<none>>
@ -12284,7 +12289,7 @@ index cda5588..3035829 100644
 +/var/run/[^/]*/gvfs		-d	gen_context(system_u:object_r:fusefs_t,s0)
 +/var/run/[^/]*/gvfs/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..7170125 100644
+index 8416beb..2216778 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -13087,7 +13092,32 @@ index 8416beb..7170125 100644
 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
 ')
 
-@@ -3263,6 +3803,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3137,6 +3677,24 @@ interface(`fs_nfs_domtrans',`
+ 
+ ########################################
+ ## <summary>
+##	Mount on nfsd_fs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_nfsd_fs', `
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir mounton;
+')
+
+########################################
+## <summary>
+ ##	Mount a NFS server pseudo filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',`
 	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 ')
 
@ -13112,7 +13142,7 @@ index 8416beb..7170125 100644
 ########################################
 ## <summary>
 ##	Read and write NFS server files.
-@@ -3283,6 +3841,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',`
 
 ########################################
 ## <summary>
@ -13137,7 +13167,7 @@ index 8416beb..7170125 100644
 ##	Allow the type to associate to ramfs filesystems.
 ## </summary>
 ## <param name="type">
-@@ -3392,7 +3968,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',`
 
 ########################################
 ## <summary>
@ -13146,7 +13176,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3429,7 +4005,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',`
 
 ########################################
 ## <summary>
@ -13155,7 +13185,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3447,7 +4023,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
 
 ########################################
 ## <summary>
@ -13164,7 +13194,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3815,6 +4391,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',`
 
 ########################################
 ## <summary>
@ -13189,7 +13219,7 @@ index 8416beb..7170125 100644
 ##	Get the attributes of a tmpfs
 ##	filesystem.
 ## </summary>
-@@ -3908,7 +4502,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +4520,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 
 ########################################
 ## <summary>
@ -13198,7 +13228,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3916,17 +4510,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4528,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13219,7 +13249,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3934,17 +4528,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4546,17 @@ interface(`fs_mounton_tmpfs',`
 ##	</summary>
 ## </param>
 #
@ -13240,7 +13270,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3952,17 +4546,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4564,36 @@ interface(`fs_setattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13280,7 +13310,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3970,31 +4583,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4601,48 @@ interface(`fs_search_tmpfs',`
 ##	</summary>
 ## </param>
 #
@ -13336,7 +13366,7 @@ index 8416beb..7170125 100644
 ')
 
 ########################################
-@@ -4105,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4753,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
 		type tmpfs_t;
 	')
 
@ -13345,7 +13375,7 @@ index 8416beb..7170125 100644
 ')
 
 ########################################
-@@ -4165,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4813,24 @@ interface(`fs_rw_tmpfs_files',`
 
 ########################################
 ## <summary>
@ -13370,7 +13400,7 @@ index 8416beb..7170125 100644
 ##	Read tmpfs link files.
 ## </summary>
 ## <param name="domain">
-@@ -4202,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +4868,7 @@ interface(`fs_rw_tmpfs_chr_files',`
 
 ########################################
 ## <summary>
@ -13379,7 +13409,7 @@ index 8416beb..7170125 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4221,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +4887,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 
 ########################################
 ## <summary>
@ -13440,7 +13470,7 @@ index 8416beb..7170125 100644
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4278,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +4998,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
 
 ########################################
 ## <summary>
@ -13485,7 +13515,7 @@ index 8416beb..7170125 100644
 ##	Read and write, create and delete generic
 ##	files on tmpfs filesystems.
 ## </summary>
-@@ -4297,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5055,25 @@ interface(`fs_manage_tmpfs_files',`
 
 ########################################
 ## <summary>
@ -13511,7 +13541,7 @@ index 8416beb..7170125 100644
 ##	Read and write, create and delete symbolic
 ##	links on tmpfs filesystems.
 ## </summary>
-@@ -4503,6 +5262,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5280,8 @@ interface(`fs_mount_all_fs',`
 	')
 
 	allow $1 filesystem_type:filesystem mount;
@ -13520,7 +13550,7 @@ index 8416beb..7170125 100644
 ')
 
 ########################################
-@@ -4549,7 +5310,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5328,7 @@ interface(`fs_unmount_all_fs',`
 ## <desc>
 ##	<p>
 ##	Allow the specified domain to
@ -13529,7 +13559,7 @@ index 8416beb..7170125 100644
 ##	Example attributes:
 ##	</p>
 ##	<ul>
-@@ -4596,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5375,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
 
 ########################################
 ## <summary>
@ -13556,7 +13586,7 @@ index 8416beb..7170125 100644
 ##	Get the quotas of all filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4912,3 +5693,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5711,43 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -19310,7 +19340,7 @@ index 346d011..3e23acb 100644
 +	')
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 76d9f66..3063a17 100644
+index 76d9f66..5cb2095 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
@@ -1,4 +1,15 @@
@ -19329,12 +19359,13 @@ index 76d9f66..3063a17 100644
 
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -8,9 +19,15 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -8,9 +19,16 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
 /usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 +/usr/lib/systemd/system/sshd.*	--	gen_context(system_u:object_r:sshd_unit_file_t,s0)
 
+/usr/libexec/nm-ssh-service     --  gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
@ -20604,7 +20635,7 @@ index 5fc0391..994eec2 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..156a29f 100644
+index d1f64a0..8f50bb9 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -20694,7 +20725,7 @@ index d1f64a0..156a29f 100644
 +
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
-+/usr/bin/razor-lightdm-*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@ -30891,7 +30922,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..5c935e3 100644
+index e8c59a5..d2df072 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -30953,17 +30984,17 @@ index e8c59a5..5c935e3 100644
 corenet_all_recvfrom_netlabel(clvmd_t)
 corenet_tcp_sendrecv_generic_if(clvmd_t)
 corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +129,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
+@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t)
 
 logging_send_syslog_msg(clvmd_t)
 
 -miscfiles_read_localization(clvmd_t)
- 
+-
 -seutil_dontaudit_search_config(clvmd_t)
 seutil_sigchld_newrole(clvmd_t)
 seutil_read_config(clvmd_t)
 seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
+@@ -141,6 +147,11 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
@ -30975,7 +31006,7 @@ index e8c59a5..5c935e3 100644
 	ccs_stream_connect(clvmd_t)
 ')
 
-@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
@ -30983,17 +31014,19 @@ index e8c59a5..5c935e3 100644
 allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -179,6 +192,9 @@ allow lvm_t self:sem create_sem_perms;
+@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms;
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
 
 +allow lvm_t lvm_unit_file_t:file manage_file_perms;
 +systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)
+systemd_create_unit_file_dirs(lvm_t)
+systemd_create_unit_file_lnk(lvm_t)
 +
 manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
-@@ -191,10 +207,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
 can_exec(lvm_t, lvm_exec_t)
 
 # Creating lock files
@ -31006,7 +31039,7 @@ index e8c59a5..5c935e3 100644
 
 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +220,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
 
 manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@ -31018,7 +31051,7 @@ index e8c59a5..5c935e3 100644
 
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +240,7 @@ kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
@ -31026,7 +31059,7 @@ index e8c59a5..5c935e3 100644
 kernel_search_debugfs(lvm_t)
 
 corecmd_exec_bin(lvm_t)
-@@ -230,11 +251,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t)
 dev_read_rand(lvm_t)
 dev_read_urand(lvm_t)
 dev_rw_lvm_control(lvm_t)
@ -31041,7 +31074,7 @@ index e8c59a5..5c935e3 100644
 # cjp: this has no effect since LVM does not
 # have lnk_file relabelto for anything else.
 # perhaps this should be blk_files?
-@@ -246,6 +269,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
@ -31049,7 +31082,7 @@ index e8c59a5..5c935e3 100644
 
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)
-@@ -255,17 +279,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dirs(lvm_t)
@ -31072,7 +31105,7 @@ index e8c59a5..5c935e3 100644
 
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
-@@ -285,7 +313,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
 
@ -31081,7 +31114,7 @@ index e8c59a5..5c935e3 100644
 
 init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +321,22 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
 
 logging_send_syslog_msg(lvm_t)
@ -31105,7 +31138,7 @@ index e8c59a5..5c935e3 100644
 
 ifdef(`distro_redhat',`
 	# this is from the initrd:
-@@ -313,6 +348,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +349,11 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
@ -31117,7 +31150,7 @@ index e8c59a5..5c935e3 100644
 	bootloader_rw_tmp_files(lvm_t)
 ')
 
-@@ -333,14 +373,26 @@ optional_policy(`
+@@ -333,14 +374,26 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31145,7 +31178,7 @@ index e8c59a5..5c935e3 100644
 ')
 
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..a70c055 100644
+index 9fe8e01..5985e0f 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@ -31188,8 +31221,12 @@ index 9fe8e01..a70c055 100644
 /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 
-@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
+@@ -75,9 +74,11 @@ ifdef(`distro_redhat',`
 
+ /var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+ 
+/var/lib/ipa/pki-ca/publish(/.*)?        gen_context(system_u:object_r:cert_t,s0)
+
 /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
 /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 -/var/cache/man(/.*)?		gen_context(system_u:object_r:man_cache_t,s0)
@ -31197,7 +31234,7 @@ index 9fe8e01..a70c055 100644
 
 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 
-@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_redhat',`
@ -31555,7 +31592,7 @@ index 7449974..6375786 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..1d374a0 100644
+index 7a49e28..de1dcdd 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@ -31695,10 +31732,12 @@ index 7a49e28..1d374a0 100644
 
 domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
-@@ -151,30 +162,37 @@ files_read_etc_runtime_files(insmod_t)
+@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t)
 files_read_etc_files(insmod_t)
 files_read_usr_files(insmod_t)
 files_exec_etc_files(insmod_t)
+# users installing vbox put kernel modules in /var/lib
+files_read_var_lib_files(insmod_t)
 +files_read_kernel_symbol_table(insmod_t)
 # for nscd:
 files_dontaudit_search_pids(insmod_t)
@ -31727,7 +31766,7 @@ index 7a49e28..1d374a0 100644
 logging_search_logs(insmod_t)
 
 -miscfiles_read_localization(insmod_t)
- 
+-
 seutil_read_file_contexts(insmod_t)
 
 -userdom_use_user_terminals(insmod_t)
@ -31736,7 +31775,7 @@ index 7a49e28..1d374a0 100644
 userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +202,33 @@ optional_policy(`
+@@ -184,28 +203,33 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31760,24 +31799,24 @@ index 7a49e28..1d374a0 100644
 optional_policy(`
 -	mount_domtrans(insmod_t)
 +	hal_write_log(insmod_t)
-+')
-+
-+optional_policy(`
-+	hotplug_search_config(insmod_t)
 ')
 
 optional_policy(`
 -	nis_use_ypbind(insmod_t)
-+	kdump_manage_kdumpctl_tmp_files(insmod_t)
+	hotplug_search_config(insmod_t)
 ')
 
 optional_policy(`
 -	nscd_use(insmod_t)
+	kdump_manage_kdumpctl_tmp_files(insmod_t)
+')
+
+optional_policy(`
 +	mount_domtrans(insmod_t)
 ')
 
 optional_policy(`
-@@ -225,6 +248,7 @@ optional_policy(`
+@@ -225,6 +249,7 @@ optional_policy(`
 
 optional_policy(`
 	rpm_rw_pipes(insmod_t)
@ -31785,7 +31824,7 @@ index 7a49e28..1d374a0 100644
 ')
 
 optional_policy(`
-@@ -233,6 +257,10 @@ optional_policy(`
+@@ -233,6 +258,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -31796,7 +31835,7 @@ index 7a49e28..1d374a0 100644
 	# cjp: why is this needed:
 	dev_rw_xserver_misc(insmod_t)
 
-@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t)
 
 logging_send_syslog_msg(update_modules_t)
 
@ -34862,10 +34901,10 @@ index 0000000..4e12420
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..2e5b822
+index 0000000..6862d53
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1195 @@
+@@ -0,0 +1,1231 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@ -35747,6 +35786,42 @@ index 0000000..2e5b822
 +	filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
 +')
 +
+#######################################
+## <summary>
+##  Create a directory in the /usr/lib/systemd/system directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_create_unit_file_dirs',`
+    gen_require(`
+        type systemd_unit_file_t;
+    ')
+
+    create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
+')
+
+#######################################
+## <summary>
+##  Create a link in the /usr/lib/systemd/system directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_create_unit_file_lnk',`
+    gen_require(`
+        type systemd_unit_file_t;
+    ')
+
+    create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
+')
+
 +########################################
 +## <summary>
 +##	Transition to systemd named content
@ -38094,7 +38169,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..08ce1e5 100644
+index 3c5dba7..4f43578 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -40601,16 +40676,34 @@ index 3c5dba7..08ce1e5 100644
 ')
 
 ########################################
-@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3864,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
 
 -	dontaudit $1 user_devpts_t:chr_file rw_file_perms;
 +	dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to open user ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_open_user_ptys',`
+	gen_require(`
+		type user_devpts_t;
+	')
+
+	dontaudit $1 user_devpts_t:chr_file open;
 ')
 
 ########################################
-@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3937,64 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
 
@ -40676,7 +40769,7 @@ index 3c5dba7..08ce1e5 100644
 ')
 
 ########################################
-@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4012,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
 		type user_tty_device_t;
 	')
 
@ -40685,7 +40778,7 @@ index 3c5dba7..08ce1e5 100644
 ')
 
 ########################################
-@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4031,7 @@ interface(`userdom_read_all_users_state',`
 	')
 
 	read_files_pattern($1, userdomain, userdomain)
@ -40693,7 +40786,7 @@ index 3c5dba7..08ce1e5 100644
 	kernel_search_proc($1)
 ')
 
-@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4108,42 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
 
@ -40736,7 +40829,7 @@ index 3c5dba7..08ce1e5 100644
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4164,24 @@ interface(`userdom_sigchld_all_users',`
 
 ########################################
 ## <summary>
@ -40761,7 +40854,7 @@ index 3c5dba7..08ce1e5 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3438,4 +4197,1455 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4215,1455 @@ interface(`userdom_dbus_send_all_users',`
 	')
 
 	allow $1 userdomain:dbus send_msg;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2572,10 +2572,10 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..36cb011
+index 0000000..badbc17
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,252 @@
+@@ -0,0 +1,256 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@ -2669,6 +2669,7 @@ index 0000000..36cb011
 +manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
 +manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
 +manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
 +
 +can_exec(antivirus_domain, antivirus_exec_t)
 +
@ -2716,6 +2717,9 @@ index 0000000..36cb011
 +corenet_tcp_connect_http_port(antivirus_domain)
 +corenet_tcp_sendrecv_http_port(antivirus_domain)
 +
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
 +corenet_sendrecv_squid_client_packets(antivirus_domain)
 +corenet_tcp_connect_squid_port(antivirus_domain)
 +corenet_tcp_sendrecv_squid_port(antivirus_domain)
@ -11974,7 +11978,7 @@ index c223f81..3bcdf6a 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
 ')
 diff --git a/cobbler.te b/cobbler.te
-index 2a71346..c1eef8d 100644
+index 2a71346..9f877a1 100644
 --- a/cobbler.te
 +++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@ -11994,7 +11998,13 @@ index 2a71346..c1eef8d 100644
 
 corecmd_exec_bin(cobblerd_t)
 corecmd_exec_shell(cobblerd_t)
-@@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t)
+@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
+ corenet_tcp_connect_http_port(cobblerd_t)
+ corenet_sendrecv_http_client_packets(cobblerd_t)
+ 
+dev_read_sysfs(cobblerd_t)
+ dev_read_urand(cobblerd_t)
+ 
 files_list_boot(cobblerd_t)
 files_list_tmp(cobblerd_t)
 files_read_boot_files(cobblerd_t)
@ -12004,7 +12014,7 @@ index 2a71346..c1eef8d 100644
 
 fs_getattr_all_fs(cobblerd_t)
 fs_read_iso9660_files(cobblerd_t)
-@@ -128,6 +127,8 @@ selinux_get_enforce_mode(cobblerd_t)
+@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
 
 term_use_console(cobblerd_t)
 
@ -12013,7 +12023,24 @@ index 2a71346..c1eef8d 100644
 logging_send_syslog_msg(cobblerd_t)
 
 miscfiles_read_localization(cobblerd_t)
-@@ -193,12 +194,11 @@ optional_policy(`
+@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
+ ')
+ 
+ optional_policy(`
+    apache_domtrans(cobblerd_t)
+ 	apache_search_sys_content(cobblerd_t)
+ ')
+ 
+@@ -188,17 +191,20 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+    libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+ 	rpm_exec(cobblerd_t)
+ ')
 
 optional_policy(`
 	rsync_read_config(cobblerd_t)
@ -12987,7 +13014,7 @@ index 3fe3cb8..b8e08c6 100644
 +	')
 ')
 diff --git a/condor.te b/condor.te
-index 3f2b672..2af6e1e 100644
+index 3f2b672..c0501e0 100644
 --- a/condor.te
 +++ b/condor.te
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
@ -13071,7 +13098,16 @@ index 3f2b672..2af6e1e 100644
 
 optional_policy(`
 	mta_send_mail(condor_master_t)
-@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+ 
+ kernel_read_network_state(condor_collector_t)
+ 
+corenet_tcp_bind_http_port(condor_collector_t)
+
+ #####################################
+ #
+ # Negotiator local policy
+@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
 allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
 allow condor_negotiator_t condor_master_t:udp_socket getattr;
 
@ -13080,7 +13116,7 @@ index 3f2b672..2af6e1e 100644
 ######################################
 #
 # Procd local policy
-@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
 
 allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
 
@ -13089,7 +13125,7 @@ index 3f2b672..2af6e1e 100644
 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
 domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
 
-@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
 
@ -13098,7 +13134,7 @@ index 3f2b672..2af6e1e 100644
 #####################################
 #
 # Startd local policy
-@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t)
 mcs_process_set_categories(condor_startd_t)
 
 init_domtrans_script(condor_startd_t)
@ -13111,7 +13147,7 @@ index 3f2b672..2af6e1e 100644
 optional_policy(`
 	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
 	ssh_domtrans(condor_startd_t)
-@@ -249,3 +260,7 @@ optional_policy(`
+@@ -249,3 +262,7 @@ optional_policy(`
 		kerberos_use(condor_startd_ssh_t)
 	')
 ')
@ -13120,24 +13156,15 @@ index 3f2b672..2af6e1e 100644
 +    unconfined_domain(condor_startd_t)
 +')
 diff --git a/consolekit.fc b/consolekit.fc
-index 23c9558..ee585a7 100644
+index 23c9558..29e5fd3 100644
 --- a/consolekit.fc
 +++ b/consolekit.fc
-@@ -1,7 +1,9 @@
-/usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
-+#/usr/lib/systemd/system/console-kit.*  -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
- 
-/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
-+#/usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
- 
-/var/run/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/console-kit-daemon\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
-+#/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
+@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.*  -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
 +
-+#/var/run/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)
-+#/var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
-+#/var/run/console-kit-daemon\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
+ /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
+ 
+ /var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
 diff --git a/consolekit.if b/consolekit.if
 index 5b830ec..0647a3b 100644
 --- a/consolekit.if
@ -16384,10 +16411,18 @@ index b25b01d..4f7d237 100644
 ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..1d0337a 100644
+index 6ce66e7..f2a7a61 100644
 --- a/ctdb.te
 +++ b/ctdb.te
-@@ -85,12 +85,10 @@ dev_read_urand(ctdbd_t)
+@@ -75,6 +75,7 @@ corenet_tcp_bind_generic_node(ctdbd_t)
+ 
+ corenet_sendrecv_ctdb_server_packets(ctdbd_t)
+ corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+ corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
+ 
+ corecmd_exec_bin(ctdbd_t)
+@@ -85,12 +86,10 @@ dev_read_urand(ctdbd_t)
 
 domain_dontaudit_read_all_domains_state(ctdbd_t)
 
@ -16400,7 +16435,7 @@ index 6ce66e7..1d0337a 100644
 miscfiles_read_public_files(ctdbd_t)
 
 optional_policy(`
-@@ -109,6 +107,7 @@ optional_policy(`
+@@ -109,6 +108,7 @@ optional_policy(`
 	samba_initrc_domtrans(ctdbd_t)
 	samba_domtrans_net(ctdbd_t)
 	samba_rw_var_files(ctdbd_t)
@ -20417,10 +20452,10 @@ index 0000000..b214253
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..1a57396
+index 0000000..05c070d
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,194 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@ -20512,6 +20547,7 @@ index 0000000..1a57396
 +files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
 +allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
 +
+kernel_read_network_state(dirsrv_t)
 +kernel_read_system_state(dirsrv_t)
 +kernel_read_kernel_sysctls(dirsrv_t)
 +
@ -29820,10 +29856,18 @@ index 57304e4..46e5e3d 100644
 optional_policy(`
 	tgtd_manage_semaphores(iscsid_t)
 diff --git a/isns.te b/isns.te
-index bc11034..e393434 100644
+index bc11034..107ed2f 100644
 --- a/isns.te
 +++ b/isns.te
-@@ -46,8 +46,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
+@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
+ allow isnsd_t self:capability kill;
+ allow isnsd_t self:process signal;
+ allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:tcp_socket { listen };
+ allow isnsd_t self:udp_socket { accept listen };
+ allow isnsd_t self:unix_stream_socket { accept listen };
+ 
+@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
 corenet_sendrecv_isns_server_packets(isnsd_t)
 corenet_tcp_bind_isns_port(isnsd_t)
 
@ -37645,10 +37689,10 @@ index 4462c0e..84944d1 100644
 
 userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..bb33a48 100644
+index 6ffaba2..99d4eeb 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,65 @@
+@@ -1,38 +1,66 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@ -37688,6 +37732,7 @@ index 6ffaba2..bb33a48 100644
 +HOME_DIR/\.lyx(/.*)?                   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.texlive2012(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/zimbrauserdata(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +
@ -37749,7 +37794,7 @@ index 6ffaba2..bb33a48 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..af1201e 100644
+index 6194b80..5fe7031 100644
 --- a/mozilla.if
 +++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -38388,7 +38433,7 @@ index 6194b80..af1201e 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -530,45 +448,52 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -38457,6 +38502,7 @@ index 6194b80..af1201e 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
@ -44418,7 +44464,7 @@ index 0e8508c..0b68b86 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..f3320a3 100644
+index 0b48a30..c71f8e5 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
@@ -1,4 +1,4 @@
@ -44567,7 +44613,7 @@ index 0b48a30..f3320a3 100644
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t)
 
 selinux_dontaudit_search_fs(NetworkManager_t)
 
@ -44580,11 +44626,12 @@ index 0b48a30..f3320a3 100644
 +files_read_etc_runtime_files(NetworkManager_t)
 +files_read_system_conf_files(NetworkManager_t)
 +files_read_usr_src_files(NetworkManager_t)
+files_read_isid_type_files(NetworkManager_t)
 +
 storage_getattr_fixed_disk_dev(NetworkManager_t)
 
 init_read_utmp(NetworkManager_t)
-@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 
@ -44597,7 +44644,7 @@ index 0b48a30..f3320a3 100644
 
 seutil_read_config(NetworkManager_t)
 
-@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_state(NetworkManager_t)
 sysnet_delete_dhcpc_state(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
@ -44634,7 +44681,7 @@ index 0b48a30..f3320a3 100644
 ')
 
 optional_policy(`
-@@ -196,10 +222,6 @@ optional_policy(`
+@@ -196,10 +223,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -44645,7 +44692,7 @@ index 0b48a30..f3320a3 100644
 	consoletype_exec(NetworkManager_t)
 ')
 
-@@ -210,16 +232,11 @@ optional_policy(`
+@@ -210,16 +233,11 @@ optional_policy(`
 optional_policy(`
 	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
 
@ -44664,7 +44711,7 @@ index 0b48a30..f3320a3 100644
 	')
 ')
 
-@@ -231,18 +248,19 @@ optional_policy(`
+@@ -231,18 +249,19 @@ optional_policy(`
 	dnsmasq_kill(NetworkManager_t)
 	dnsmasq_signal(NetworkManager_t)
 	dnsmasq_signull(NetworkManager_t)
@ -44687,7 +44734,7 @@ index 0b48a30..f3320a3 100644
 ')
 
 optional_policy(`
-@@ -250,6 +268,10 @@ optional_policy(`
+@@ -250,6 +269,10 @@ optional_policy(`
 	ipsec_kill_mgmt(NetworkManager_t)
 	ipsec_signal_mgmt(NetworkManager_t)
 	ipsec_signull_mgmt(NetworkManager_t)
@ -44698,7 +44745,7 @@ index 0b48a30..f3320a3 100644
 ')
 
 optional_policy(`
-@@ -257,11 +279,10 @@ optional_policy(`
+@@ -257,11 +280,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -44714,7 +44761,7 @@ index 0b48a30..f3320a3 100644
 ')
 
 optional_policy(`
-@@ -274,10 +295,17 @@ optional_policy(`
+@@ -274,10 +296,17 @@ optional_policy(`
 	nscd_signull(NetworkManager_t)
 	nscd_kill(NetworkManager_t)
 	nscd_initrc_domtrans(NetworkManager_t)
@ -44732,7 +44779,7 @@ index 0b48a30..f3320a3 100644
 ')
 
 optional_policy(`
-@@ -289,6 +317,7 @@ optional_policy(`
+@@ -289,6 +318,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -44740,7 +44787,7 @@ index 0b48a30..f3320a3 100644
 	policykit_domtrans_auth(NetworkManager_t)
 	policykit_read_lib(NetworkManager_t)
 	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +325,7 @@ optional_policy(`
+@@ -296,7 +326,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -44749,7 +44796,7 @@ index 0b48a30..f3320a3 100644
 ')
 
 optional_policy(`
-@@ -307,6 +336,7 @@ optional_policy(`
+@@ -307,6 +337,7 @@ optional_policy(`
 	ppp_signal(NetworkManager_t)
 	ppp_signull(NetworkManager_t)
 	ppp_read_config(NetworkManager_t)
@ -44757,7 +44804,7 @@ index 0b48a30..f3320a3 100644
 ')
 
 optional_policy(`
-@@ -320,13 +350,15 @@ optional_policy(`
+@@ -320,13 +351,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -44772,17 +44819,21 @@ index 0b48a30..f3320a3 100644
 optional_policy(`
 -	# unconfined_dgram_send(NetworkManager_t)
 -	unconfined_stream_connect(NetworkManager_t)
+    ssh_exec(NetworkManager_t)
+')
+
+optional_policy(`
 +	udev_exec(NetworkManager_t)
 +	udev_read_db(NetworkManager_t)
 ')
 
 optional_policy(`
-@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
 
 -miscfiles_read_localization(wpa_cli_t)
- 
+-
 term_dontaudit_use_console(wpa_cli_t)
 diff --git a/nis.fc b/nis.fc
 index 8aa1bfa..cd0e015 100644
@ -51929,10 +51980,10 @@ index 96db654..ff3aadd 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..9515043 100644
+index dfd46e4..173813f 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
-@@ -1,15 +1,12 @@
+@@ -1,15 +1,15 @@
 -/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
 -/etc/Pegasus/pegasus_current\.conf	gen_context(system_u:object_r:pegasus_data_t,s0)
 -
@ -51954,6 +52005,9 @@ index dfd46e4..9515043 100644
 +/var/run/tog-pegasus(/.*)?		gen_context(system_u:object_r:pegasus_var_run_t,s0)
 
 /usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
+
+#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
 diff --git a/pegasus.if b/pegasus.if
 index d2fc677..ded726f 100644
 --- a/pegasus.if
@ -52055,7 +52109,7 @@ index d2fc677..ded726f 100644
 ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..ebc50dc 100644
+index 7bcf327..fa856e9 100644
 --- a/pegasus.te
 +++ b/pegasus.te
@@ -1,17 +1,16 @@
@ -52143,7 +52197,8 @@ index 7bcf327..ebc50dc 100644
 
 allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
 dontaudit pegasus_t self:capability sys_tty_config;
- allow pegasus_t self:process signal;
+-allow pegasus_t self:process signal;
+allow pegasus_t self:process { setsched signal };
 allow pegasus_t self:fifo_file rw_fifo_file_perms;
 -allow pegasus_t self:unix_stream_socket { connectto accept listen };
 -allow pegasus_t self:tcp_socket { accept listen };
@ -52298,6 +52353,176 @@ index 7bcf327..ebc50dc 100644
 ')
 
 optional_policy(`
+diff --git a/pesign.fc b/pesign.fc
+new file mode 100644
+index 0000000..7b54c39
+--- /dev/null
+++ b/pesign.fc
+@@ -0,0 +1,6 @@
+/usr/bin/pesign		--	gen_context(system_u:object_r:pesign_exec_t,s0)
+
+/usr/lib/systemd/system/pesign.service		--	gen_context(system_u:object_r:pesign_unit_file_t,s0)
+
+/var/run/pesign(/.*)?		gen_context(system_u:object_r:pesign_var_run_t,s0)
+/var/run/pesign\.pid    --  gen_context(system_u:object_r:pesign_var_run_t,s0)
+diff --git a/pesign.if b/pesign.if
+new file mode 100644
+index 0000000..c20674c
+--- /dev/null
+++ b/pesign.if
+@@ -0,0 +1,103 @@
+
+## <summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the pesign domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pesign_domtrans',`
+	gen_require(`
+		type pesign_t, pesign_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, pesign_exec_t, pesign_t)
+')
+########################################
+## <summary>
+##	Read pesign PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pesign_read_pid_files',`
+	gen_require(`
+		type pesign_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute pesign server in the pesign domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pesign_systemctl',`
+	gen_require(`
+		type pesign_t;
+		type pesign_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_password_run($1)
+	allow $1 pesign_unit_file_t:file read_file_perms;
+	allow $1 pesign_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, pesign_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an pesign environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pesign_admin',`
+	gen_require(`
+		type pesign_t;
+		type pesign_var_run_t;
+	type pesign_unit_file_t;
+	')
+
+	allow $1 pesign_t:process { ptrace signal_perms };
+	ps_process_pattern($1, pesign_t)
+
+	files_search_pids($1)
+	admin_pattern($1, pesign_var_run_t)
+
+	pesign_systemctl($1)
+	admin_pattern($1, pesign_unit_file_t)
+	allow $1 pesign_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+diff --git a/pesign.te b/pesign.te
+new file mode 100644
+index 0000000..513887d
+--- /dev/null
+++ b/pesign.te
+@@ -0,0 +1,43 @@
+policy_module(pesign, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pesign_t;
+type pesign_exec_t;
+init_daemon_domain(pesign_t, pesign_exec_t)
+
+type pesign_var_run_t;
+files_pid_file(pesign_var_run_t)
+
+type pesign_unit_file_t;
+systemd_unit_file(pesign_unit_file_t)
+
+########################################
+#
+# pesign local policy
+#
+
+allow pesign_t self:capability { setgid setuid };
+allow pesign_t self:process setsched;
+allow pesign_t self:fifo_file rw_fifo_file_perms;
+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
+
+dev_read_urand(pesign_t)
+
+files_dontaudit_list_tmp(pesign_t)
+
+auth_use_nsswitch(pesign_t)
+
+logging_send_syslog_msg(pesign_t)
+
+miscfiles_read_certs(pesign_t)
+miscfiles_read_localization(pesign_t)
 diff --git a/pingd.if b/pingd.if
 index 21a6ecb..b99e4cb 100644
 --- a/pingd.if
@ -53297,10 +53522,10 @@ index 0000000..0c167b7
 +/usr/lib/systemd/system/pki-tomcat.*	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
 diff --git a/pki.if b/pki.if
 new file mode 100644
-index 0000000..e1d3320
+index 0000000..6329c9c
 --- /dev/null
 +++ b/pki.if
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,273 @@
 +
 +## <summary>policy for pki</summary>
 +########################################
@ -53572,6 +53797,7 @@ index 0000000..e1d3320
 +    ')
 +    
 +    read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+    read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
@ -64656,7 +64882,7 @@ index 951db7f..6d6ec1d 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
 ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..e67ea1b 100644
+index 2c1730b..0e15502 100644
 --- a/raid.te
 +++ b/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@ -64702,8 +64928,11 @@ index 2c1730b..e67ea1b 100644
 
 corecmd_exec_bin(mdadm_t)
 corecmd_exec_shell(mdadm_t)
-@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+@@ -49,19 +57,23 @@ corecmd_exec_shell(mdadm_t)
+ dev_rw_sysfs(mdadm_t)
+ dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_read_crash(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 dev_read_raw_memory(mdadm_t)
 +dev_read_nvram(mdadm_t)
@ -64725,7 +64954,7 @@ index 2c1730b..e67ea1b 100644
 
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,16 +82,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
@ -69574,7 +69803,7 @@ index 3bd6446..a61764b 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..74f3e1b 100644
+index e5212e6..df782bf 100644
 --- a/rpc.te
 +++ b/rpc.te
@@ -1,4 +1,4 @@
@ -69785,7 +70014,7 @@ index e5212e6..74f3e1b 100644
 ')
 
 ########################################
-@@ -195,41 +141,55 @@ optional_policy(`
+@@ -195,41 +141,56 @@ optional_policy(`
 #
 
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -69826,6 +70055,7 @@ index e5212e6..74f3e1b 100644
 files_manage_mounttab(nfsd_t)
 +files_read_etc_runtime_files(nfsd_t)
 
+fs_mounton_nfsd_fs(nfsd_t)
 fs_mount_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
 fs_getattr_all_dirs(nfsd_t)
@ -69848,7 +70078,7 @@ index e5212e6..74f3e1b 100644
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
-@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
@ -69856,7 +70086,7 @@ index e5212e6..74f3e1b 100644
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
@ -69871,7 +70101,7 @@ index e5212e6..74f3e1b 100644
 ')
 
 ########################################
-@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
@ -69879,7 +70109,7 @@ index e5212e6..74f3e1b 100644
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
-@@ -279,25 +239,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +240,29 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@ -69912,7 +70142,7 @@ index e5212e6..74f3e1b 100644
 ')
 
 optional_policy(`
-@@ -306,8 +270,11 @@ optional_policy(`
+@@ -306,8 +271,11 @@ optional_policy(`
 
 optional_policy(`
 	kerberos_keytab_template(gssd, gssd_t)
@ -74773,10 +75003,10 @@ index 0000000..5da5bff
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..cb720ee
+index 0000000..5021551
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,465 @@
+@@ -0,0 +1,467 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@ -75146,6 +75376,7 @@ index 0000000..cb720ee
 +corenet_sendrecv_ftp_client_packets(sandbox_web_type)
 +corenet_sendrecv_ipp_client_packets(sandbox_web_type)
 +corenet_sendrecv_generic_client_packets(sandbox_web_type)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type)
 +
 +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
 +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
@ -75242,6 +75473,7 @@ index 0000000..cb720ee
 +        mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
 +	mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
 +')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
 diff --git a/sanlock.fc b/sanlock.fc
 index 3df2a0f..9059165 100644
 --- a/sanlock.fc
@ -75820,7 +76052,7 @@ index 98c9e0a..df51942 100644
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..bc26091 100644
+index 4a23d84..49c7362 100644
 --- a/sblim.te
 +++ b/sblim.te
@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
@ -75850,7 +76082,7 @@ index 4a23d84..bc26091 100644
 corenet_tcp_sendrecv_generic_if(sblim_domain)
 corenet_tcp_sendrecv_generic_node(sblim_domain)
 
-@@ -44,12 +37,6 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
 
 dev_read_sysfs(sblim_domain)
 
@ -75863,6 +76095,15 @@ index 4a23d84..bc26091 100644
 ########################################
 #
 # Gatherd local policy
+ #
+ 
+-allow sblim_gatherd_t self:capability dac_override;
+-allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:capability { dac_override sys_nice };
+allow sblim_gatherd_t self:process { setsched signal };
+ allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+ allow sblim_gatherd_t self:unix_stream_socket { accept listen };
+ 
@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
 
 init_read_utmp(sblim_gatherd_t)
@ -78661,6 +78902,100 @@ index cbfe369..085ac13 100644
 ########################################
 ## <summary>
 ##	All of the rules required to
+diff --git a/snapper.fc b/snapper.fc
+new file mode 100644
+index 0000000..3f412d5
+--- /dev/null
+++ b/snapper.fc
+@@ -0,0 +1 @@
+/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
+diff --git a/snapper.if b/snapper.if
+new file mode 100644
+index 0000000..94105ee
+--- /dev/null
+++ b/snapper.if
+@@ -0,0 +1,42 @@
+
+## <summary>policy for snapperd</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the snapperd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snapper_domtrans',`
+	gen_require(`
+		type snapperd_t, snapperd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, snapperd_exec_t, snapperd_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	snapperd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snapper_dbus_chat',`
+	gen_require(`
+		type snapperd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 snapperd_t:dbus send_msg;
+	allow snapperd_t $1:dbus send_msg;
+')
+diff --git a/snapper.te b/snapper.te
+new file mode 100644
+index 0000000..ad232be
+--- /dev/null
+++ b/snapper.te
+@@ -0,0 +1,33 @@
+policy_module(snapper, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type snapperd_t;
+type snapperd_exec_t;
+init_daemon_domain(snapperd_t, snapperd_exec_t)
+
+########################################
+#
+# snapperd local policy
+#
+
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+
+storage_raw_read_fixed_disk(snapperd_t)
+
+auth_use_nsswitch(snapperd_t)
+
+miscfiles_read_localization(snapperd_t)
+
+optional_policy(`
+	dbus_system_bus_client(snapperd_t)
+	dbus_connect_system_bus(snapperd_t)
+')
+
+optional_policy(`
+    mount_domtrans(snapperd_t)
+')
 diff --git a/snmp.fc b/snmp.fc
 index c73fa24..408ff61 100644
 --- a/snmp.fc
@ -86781,10 +87116,10 @@ index 0be8535..b96e329 100644
 
 optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..f3e9b6d 100644
+index c30da4c..e97572f 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,52 +1,85 @@
+@@ -1,52 +1,86 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@ -86834,6 +87169,7 @@ index c30da4c..f3e9b6d 100644
 -/usr/sbin/fence_virtd	--	gen_context(system_u:object_r:virsh_exec_t,s0)
 /usr/sbin/libvirt-qmf	--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/bin/virt-sandbox-service.*	--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 54%{?dist}
+Release: 56%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -535,6 +535,42 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Jun 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-56
+- Allow lvm_t to create default targets for filesystem handling
+- Fix labeling for razor-lightdm binaries
+- Allow insmod_t to read any file labeled var_lib_t
+- Add policy for pesign
+- Activate policy for cmpiLMI_Account-cimprovagt
+- Allow isnsd syscall=listen
+- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
+- Allow ctdbd to use udp/4379
+- gatherd wants sys_nice and setsched
+- Add support for texlive2012
+- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
+- Allow cobbler to execute apache with domain transition
+
+* Fri Jun 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-55
+- condor_collector uses tcp/9000
+- Label /usr/sbin/virtlockd as virtd_exec_t for now
+- Allow cobbler to execute ldconfig
+- Allow NM to execute ssh
+- Allow mdadm to read /dev/crash
+- Allow antivirus domains to connect to snmp port
+- Make amavisd-snmp working correctly
+- Allow nfsd_t to mounton nfsd_fs_t
+- Add initial snapper policy
+- We still need to have consolekit policy
+- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
+- Dontaudit sandbox apps attempting to open user_devpts_t
+- Allow dirsrv to read network state
+- Fix pki_read_tomcat_lib_files
+- Add labeling for /usr/libexec/nm-ssh-service
+- Add label cert_t for /var/lib/ipa/pki-ca/publish
+- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant
+- Allow nfsd_t to mounton nfsd_fs_t
+- Dontaudit sandbox apps attempting to open user_devpts_t
+- Allow passwd_t to change role to system_r from unconfined_r
+
 * Wed Jun 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-54
 - Don't audit access checks by sandbox xserver on xdb var_lib
 - Allow ntop to read usbmon devices