diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b147456c..ba651ec1 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -211009,7 +211009,7 @@ index c2c6e05..d0e6d1c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..cb04ef9 100644 +index 64ff4d7..eaf2611 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -212106,7 +212106,7 @@ index 64ff4d7..cb04ef9 100644 ## ## ## -@@ -4524,18 +5062,96 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,25 +5062,121 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -212124,6 +212124,25 @@ index 64ff4d7..cb04ef9 100644 ## -## Relabel to and from all temporary -## file types. ++## Allow caller to read and write inherited tmp files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`files_rw_inherited_tmp_file',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## +## List all tmp directories. +## +## @@ -212204,10 +212223,17 @@ index 64ff4d7..cb04ef9 100644 +## +## Relabel to and from all temporary +## file types. - ## - ## - ## -@@ -4561,7 +5177,7 @@ interface(`files_relabel_all_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++## + # + interface(`files_relabel_all_tmp_files',` + gen_require(` +@@ -4561,7 +5195,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## 
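Review bot: The new `files_rw_inherited_tmp_file` interface expands to `allow $1 tmpfile:file rw_inherited_file_perms;`, which is the same rule that `files_rw_tmp_file_leaks`, added in the next hunk of this commit (at `@@ -212216`), produces, so callers now have two names for one grant. Keep one of them, or have one expand to the other, so that this attribute-wide permission is tracked in a single place. The summary should also say that the grant covers every type carrying the tmpfile attribute rather than one tmp type, e.g. `## Read and write inherited file descriptors to any tmpfile-attributed file.` The surrounding interface list runs past both ends of the hunk.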
@@ -212216,7 +212242,52 @@ index 64ff4d7..cb04ef9 100644 ## ## # -@@ -4646,6 +5262,16 @@ interface(`files_purge_tmp',` +@@ -4593,6 +5227,44 @@ interface(`files_read_all_tmp_files',` + + ######################################## + ## ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_tmp_file_leaks',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Do allow attempts to read or write ++## all leaked tmpfiles files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_rw_tmp_file_leaks',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Create an object in the tmp directories, with a private + ## type using a type transition. + ## +@@ -4646,6 +5318,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -212233,7 +212304,7 @@ index 64ff4d7..cb04ef9 100644 ') ######################################## -@@ -5223,6 +5849,24 @@ interface(`files_list_var',` +@@ -5223,6 +5905,24 @@ interface(`files_list_var',` ######################################## ## @@ -212258,7 +212329,7 @@ index 64ff4d7..cb04ef9 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5578,6 +6222,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6278,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') 
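Review bot: The parameter description of `files_rw_tmp_file_leaks` reads `## Domain to not audit.` although its body is an `allow`, and its summary `## Do allow attempts to read or write` is copy-edited from the dontaudit twin above it; change them to `## Domain allowed access.` and `## Allow reading and writing all leaked (inherited) tmpfile files.` A domain given this interface gets read/write on inherited descriptors of every tmpfile-attributed type, so a one-line comment stating the intended use (descriptors inherited across exec, not opening tmp files) would keep future callers from treating it as a general tmp rw rule. The interface list continues on both sides of the hunk.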
@@ -212284,7 +212355,7 @@ index 64ff4d7..cb04ef9 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6286,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6342,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -212293,7 +212364,7 @@ index 64ff4d7..cb04ef9 100644 ## ## ## -@@ -5631,12 +6294,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6350,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -212309,7 +212380,7 @@ index 64ff4d7..cb04ef9 100644 ') ######################################## -@@ -5654,6 +6318,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6374,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -212317,7 +212388,7 @@ index 64ff4d7..cb04ef9 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6345,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6401,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -212345,7 +212416,7 @@ index 64ff4d7..cb04ef9 100644 ## ## ## -@@ -5688,13 +6372,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6428,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -212362,7 +212433,7 @@ index 64ff4d7..cb04ef9 100644 ') ######################################## -@@ -5713,7 +6396,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6452,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -212371,7 +212442,7 @@ index 64ff4d7..cb04ef9 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6429,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6485,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## 
@@ -212379,7 +212450,7 @@ index 64ff4d7..cb04ef9 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5774,8 +6456,7 @@ interface(`files_getattr_generic_locks',` +@@ -5774,8 +6512,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -212389,7 +212460,7 @@ index 64ff4d7..cb04ef9 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6472,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6528,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -212407,7 +212478,7 @@ index 64ff4d7..cb04ef9 100644 ') ######################################## -@@ -5816,9 +6496,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6552,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -212418,7 +212489,7 @@ index 64ff4d7..cb04ef9 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6538,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6594,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -212428,7 +212499,7 @@ index 64ff4d7..cb04ef9 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6560,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6616,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -212438,7 +212509,7 @@ index 64ff4d7..cb04ef9 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6597,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6653,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') 
@@ -212448,7 +212519,7 @@ index 64ff4d7..cb04ef9 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5985,6 +6660,43 @@ interface(`files_search_pids',` +@@ -5985,6 +6716,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -212492,7 +212563,7 @@ index 64ff4d7..cb04ef9 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6719,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6775,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -212518,7 +212589,7 @@ index 64ff4d7..cb04ef9 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6122,7 +6853,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +6909,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -212526,7 +212597,7 @@ index 64ff4d7..cb04ef9 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6231,55 +6961,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7017,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -212589,7 +212660,7 @@ index 64ff4d7..cb04ef9 100644 ## ## ## -@@ -6287,42 +7005,35 @@ interface(`files_delete_all_pids',` +@@ -6287,25 +7061,136 @@ interface(`files_delete_all_pids',` ## ## # 
@@ -212604,13 +212675,128 @@ index 64ff4d7..cb04ef9 100644 - allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) + allow $1 pidfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Create all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ++') ++ ++######################################## ++## ++## Delete all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; ++') ++ ++######################################## ++## ++## manage all pidfile directories ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ manage_dirs_pattern($1,pidfile,pidfile) ++') ++ ++ ++######################################## ++## ++## Read all process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Relable all pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_pid_files',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ relabel_files_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Execute generic programs in /var/run in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_exec_generic_pid_files',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ exec_files_pattern($1, var_run_t, var_run_t) ') ######################################## ## -## Create, read, write and delete all -## var_run (pid) content -+## Create all pid named pipes ++## manage all pidfiles ++## in the /var/run directory. ## ## ## 
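Review bot: The summary of `files_relabel_all_pid_files` has a typo, `## Relable all pid files` should be `## Relabel all pid files`, and `manage_dirs_pattern($1,pidfile,pidfile)` in `files_manage_all_pid_dirs` (likewise `manage_files_pattern($1,pidfile,pidfile)` in `files_manage_all_pids` further down) drops the spaces after commas that every other pattern call in the file uses. There are also two consecutive blank lines after `files_manage_all_pid_dirs` where the file otherwise separates interfaces with one. On `files_exec_generic_pid_files`: var_run_t is the generic label for /var/run content, so a caller may execute any file that a domain with generic /var/run write access placed there (presumably several daemons — verify), and a comment under its summary naming the intended callers would help keep that interface rare. The interface list continues on both sides of this hunk.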
@@ -212619,183 +212805,21 @@ index 64ff4d7..cb04ef9 100644 ## ## # --interface(`files_manage_all_pids',` -+interface(`files_create_all_pid_pipes',` - gen_require(` +@@ -6314,9 +7199,7 @@ interface(`files_manage_all_pids',` attribute pidfile; ') - manage_dirs_pattern($1, pidfile, pidfile) - manage_files_pattern($1, pidfile, pidfile) - manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:fifo_file create_fifo_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all pid named pipes - ## - ## - ## -@@ -6330,18 +7041,18 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_pid_pipes',` - gen_require(` -- attribute polymember; -+ attribute pidfile; - ') - -- allow $1 polymember:dir mounton; -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). -+## manage all pidfile directories -+## in the /var/run directory. - ## - ## - ## -@@ -6349,37 +7060,40 @@ interface(`files_mounton_all_poly_members',` - ## - ## - # --interface(`files_search_spool',` -+interface(`files_manage_all_pid_dirs',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) -+ manage_dirs_pattern($1,pidfile,pidfile) - ') - -+ - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. -+## Read all process ID files. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## -+## - # --interface(`files_dontaudit_search_spool',` -+interface(`files_read_all_pids',` - gen_require(` -- type var_spool_t; -+ attribute pidfile; -+ type var_t; - ') - -- dontaudit $1 var_spool_t:dir search_dir_perms; -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. -+## Relable all pid files - ## - ## - ## -@@ -6387,18 +7101,17 @@ interface(`files_dontaudit_search_spool',` - ## - ## - # --interface(`files_list_spool',` -+interface(`files_relabel_all_pid_files',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -+ relabel_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). -+## Execute generic programs in /var/run in the caller domain. - ## - ## - ## -@@ -6406,18 +7119,18 @@ interface(`files_list_spool',` - ## - ## - # --interface(`files_manage_generic_spool_dirs',` -+interface(`files_exec_generic_pid_files',` - gen_require(` -- type var_t, var_spool_t; -+ type var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) -+ exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Read generic spool files. -+## manage all pidfiles -+## in the /var/run directory. - ## - ## - ## -@@ -6425,7 +7138,273 @@ interface(`files_manage_generic_spool_dirs',` - ## - ## - # --interface(`files_read_generic_spool',` -+interface(`files_manage_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## -+## Mount filesystems on all polyinstantiation -+## member directories. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_mounton_all_poly_members',` -+ gen_require(` -+ attribute polymember; -+ ') -+ -+ allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## + ') + + ######################################## +@@ -6340,6 +7223,158 @@ interface(`files_mounton_all_poly_members',` + + ######################################## + ## +## Delete all process IDs. +## +## 
@@ -212948,96 +212972,10 @@ index 64ff4d7..cb04ef9 100644 + +######################################## +## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search generic -+## spool directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+ -+ dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of generic spool -+## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool_dirs',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_spool',` - gen_require(` - type var_t, var_spool_t; - ') -@@ -6562,3 +7541,459 @@ interface(`files_unconfined',` + ## Search the contents of generic spool + ## directories (/var/spool). + ## +@@ -6562,3 +7597,459 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') 
@@ -213709,7 +213647,7 @@ index cda5588..91d1e25 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..c0c1175 100644 +index 8416beb..60b2ce1 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -213991,7 +213929,7 @@ index 8416beb..c0c1175 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1793,6 +1954,188 @@ interface(`fs_read_eventpollfs',` +@@ -1793,6 +1954,205 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -214115,6 +214053,23 @@ index 8416beb..c0c1175 100644 + read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) +') + ++####################################### ++## ++## Dontaudit append files on ecrypt filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_append_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ dontaudit $1 ecryptfs_t:file append; ++') ++ +######################################## +## +## Manage symbolic links on a FUSEFS filesystem. @@ -214180,7 +214135,7 @@ index 8416beb..c0c1175 100644 ######################################## ## ## Mount a FUSE filesystem. -@@ -2025,6 +2368,87 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2025,6 +2385,87 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -214268,7 +214223,7 @@ index 8416beb..c0c1175 100644 ## Get the attributes of an hugetlbfs ## filesystem. ## -@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## 
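Review bot: `fs_dontaudit_append_ecryptfs_files` documents its parameter as `## Domain allowed access.` although the body is `dontaudit $1 ecryptfs_t:file append;`; the dontaudit interfaces added elsewhere in this commit (e.g. `files_dontaudit_tmp_file_leaks`) use `## Domain to not audit.`, and the summary would be clearer as `## Do not audit attempts to append to files on an ecryptfs filesystem.` The body also lacks the blank line between the closing `')` of `gen_require` and the rule that the neighbouring interfaces have, and the `###` separator above it appears one character shorter than the others. The enclosing interface list runs past the hunk on both sides.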
@@ -214293,7 +214248,7 @@ index 8416beb..c0c1175 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',` +@@ -2148,11 +2607,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -214307,7 +214262,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +2945,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -214315,7 +214270,7 @@ index 8416beb..c0c1175 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +2984,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -214323,7 +214278,7 @@ index 8416beb..c0c1175 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3011,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -214349,7 +214304,7 @@ index 8416beb..c0c1175 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3050,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -214358,7 +214313,7 @@ index 8416beb..c0c1175 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3070,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -214401,7 +214356,7 @@ index 8416beb..c0c1175 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3120,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') 
@@ -214410,7 +214365,7 @@ index 8416beb..c0c1175 100644 ') ######################################## -@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3144,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -214419,7 +214374,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3258,7 @@ interface(`fs_search_removable',` ## ## ## @@ -214428,7 +214383,7 @@ index 8416beb..c0c1175 100644 ## ## # -@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3294,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -214437,7 +214392,7 @@ index 8416beb..c0c1175 100644 ## ## # -@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3487,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -214445,7 +214400,7 @@ index 8416beb..c0c1175 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3528,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -214453,7 +214408,7 @@ index 8416beb..c0c1175 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3569,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -214461,7 +214416,7 @@ index 8416beb..c0c1175 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3783,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -214486,7 +214441,7 @@ index 8416beb..c0c1175 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3821,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## 
@@ -214511,7 +214466,7 @@ index 8416beb..c0c1175 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3948,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -214520,7 +214475,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +3985,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -214529,7 +214484,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4003,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -214538,7 +214493,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4371,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -214563,7 +214518,7 @@ index 8416beb..c0c1175 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +4465,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +4482,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -214572,7 +214527,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -3916,17 +4473,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4490,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -214593,7 +214548,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -3934,17 +4491,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +4508,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -214614,7 +214569,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -3952,17 +4509,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +4526,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # 
@@ -214654,7 +214609,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -3970,31 +4546,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +4563,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -214710,7 +214665,7 @@ index 8416beb..c0c1175 100644 ') ######################################## -@@ -4105,7 +4698,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +4715,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -214719,7 +214674,7 @@ index 8416beb..c0c1175 100644 ') ######################################## -@@ -4165,6 +4758,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4775,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -214744,7 +214699,7 @@ index 8416beb..c0c1175 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +4813,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +4830,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -214753,7 +214708,7 @@ index 8416beb..c0c1175 100644 ## ## ## -@@ -4221,6 +4832,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +4849,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -214814,7 +214769,7 @@ index 8416beb..c0c1175 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +4943,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +4960,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -214859,7 +214814,7 @@ index 8416beb..c0c1175 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5017,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## 
@@ -214885,7 +214840,7 @@ index 8416beb..c0c1175 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5225,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5242,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -214894,7 +214849,7 @@ index 8416beb..c0c1175 100644 ') ######################################## -@@ -4549,7 +5273,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5290,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -214903,7 +214858,7 @@ index 8416beb..c0c1175 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5320,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5337,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -214930,7 +214885,7 @@ index 8416beb..c0c1175 100644 ## Get the quotas of all filesystems. ## ## -@@ -4912,3 +5656,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +5673,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -225250,7 +225205,7 @@ index 3efd5b6..792df83 100644 +') + diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..d10bb17 100644 +index 104037e..fbe9b26 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -225455,18 +225410,18 @@ index 104037e..d10bb17 100644 term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +372,8 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +372,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) -miscfiles_read_localization(updpwd_t) - +- -userdom_use_user_terminals(updpwd_t) +userdom_use_inherited_user_terminals(updpwd_t) ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +401,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -225483,7 +225438,7 @@ index 104037e..d10bb17 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +420,27 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +419,27 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -225515,7 +225470,7 @@ index 104037e..d10bb17 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -418,14 +449,18 @@ files_read_etc_files(nsswitch_domain) +@@ -418,14 +448,18 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) tunable_policy(`authlogin_nsswitch_use_ldap',` 
@@ -225536,7 +225491,7 @@ index 104037e..d10bb17 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +473,7 @@ optional_policy(` +@@ -438,6 +472,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -225544,7 +225499,7 @@ index 104037e..d10bb17 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +492,7 @@ optional_policy(` +@@ -456,6 +491,7 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -225552,7 +225507,7 @@ index 104037e..d10bb17 100644 ') optional_policy(` -@@ -463,3 +500,132 @@ optional_policy(` +@@ -463,3 +499,132 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -227358,7 +227313,7 @@ index 24e7804..386109d 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..6114976 100644 +index dd3be8d..b8592b4 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -228532,7 +228487,7 @@ index dd3be8d..6114976 100644 +allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; + +files_dontaudit_rw_inherited_locks(systemprocess) -+ ++files_dontaudit_tmp_file_leaks(systemprocess) +init_rw_inherited_script_tmp_files(systemprocess) + +logging_dontaudit_rw_inherited_generic_logs(systemprocess) @@ -228985,7 +228940,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..938e2ec 100644 +index 5dfa44b..aa4d8fc 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; 
@@ -229034,7 +228989,7 @@ index 5dfa44b..938e2ec 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +74,11 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -229045,10 +229000,11 @@ index 5dfa44b..938e2ec 100644 -files_read_etc_files(iptables_t) -files_read_etc_runtime_files(iptables_t) +files_rw_etc_runtime_files(iptables_t) ++files_rw_inherited_tmp_file(iptables_t) auth_use_nsswitch(iptables_t) -@@ -85,15 +87,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -229066,7 +229022,7 @@ index 5dfa44b..938e2ec 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +103,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -229075,7 +229031,7 @@ index 5dfa44b..938e2ec 100644 ') optional_policy(` -@@ -124,6 +127,7 @@ optional_policy(` +@@ -124,6 +128,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -229083,7 +229039,7 @@ index 5dfa44b..938e2ec 100644 ') optional_policy(` -@@ -135,9 +139,9 @@ optional_policy(` +@@ -135,9 +140,9 @@ optional_policy(` ') optional_policy(` @@ -230442,7 +230398,7 @@ index 4e94884..23894f4 100644 + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..9437d6f 100644 +index 39ea221..4dd92d4 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) 
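Review bot: `files_rw_inherited_tmp_file(iptables_t)` is an `allow` on `tmpfile:file rw_inherited_file_perms` for every tmpfile-attributed type, while the same commit handles the equivalent situation for systemprocess with `files_dontaudit_tmp_file_leaks`, and nothing in the hunk says why iptables_t needs the access granted rather than silenced. The same call is added for dhcpc_t and ifconfig_t in the sysnetwork.te hunks later on this page. A comment above each call naming the inherited descriptor (presumably a tmp file the invoking script redirects output to — verify against the callers) would document the grant, e.g. `# rw on tmp fds inherited from the invoking script`. The remaining iptables_t rules lie outside this hunk.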
@@ -230740,13 +230696,13 @@ index 39ea221..9437d6f 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +531,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +531,10 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) -+logging_manage_all_logs(syslogd_t) - +- -miscfiles_read_localization(syslogd_t) ++logging_manage_all_logs(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -userdom_dontaudit_search_user_home_dirs(syslogd_t) @@ -230754,7 +230710,7 @@ index 39ea221..9437d6f 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +572,36 @@ optional_policy(` +@@ -502,15 +571,36 @@ optional_policy(` ') optional_policy(` @@ -230791,7 +230747,7 @@ index 39ea221..9437d6f 100644 ') optional_policy(` -@@ -521,3 +612,24 @@ optional_policy(` +@@ -521,3 +611,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -230816,6 +230772,8 @@ index 39ea221..9437d6f 100644 +ifdef(`hide_broken_symptoms',` + kernel_dgram_send(syslog_client_type) +') ++ ++logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index 879bb1e..c11d48b 100644 --- a/policy/modules/system/lvm.fc @@ -234454,7 +234412,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..7f2928d 100644 +index b7686d5..9a50b11 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) 
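Review bot: `logging_stream_connect_syslog(syslog_client_type)` is appended after the `ifdef(`hide_broken_symptoms',` block at the end of logging.te, away from the other syslog_client_type rules, so an unconditional rule reads as if it belonged to the conditional group. Move it above the `ifdef` next to the rest of the unconditional syslog_client_type rules, or add a comment such as `# every syslog client may connect to the syslogd stream socket` so the grouping is clear. The syslog_client_type block begins before this hunk.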
@@ -234545,7 +234503,7 @@ index b7686d5..7f2928d 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -108,17 +121,18 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -108,21 +121,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) @@ -234566,7 +234524,12 @@ index b7686d5..7f2928d 100644 files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) files_dontaudit_search_locks(dhcpc_t) -@@ -132,11 +146,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) + files_getattr_generic_locks(dhcpc_t) ++files_rw_inherited_tmp_file(dhcpc_t) + + fs_getattr_all_fs(dhcpc_t) + fs_search_auto_mountpoints(dhcpc_t) +@@ -132,11 +147,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -234583,7 +234546,7 @@ index b7686d5..7f2928d 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -156,7 +174,14 @@ ifdef(`distro_ubuntu',` +@@ -156,7 +175,14 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -234599,7 +234562,7 @@ index b7686d5..7f2928d 100644 ') optional_policy(` -@@ -174,10 +199,6 @@ optional_policy(` +@@ -174,10 +200,6 @@ optional_policy(` ') optional_policy(` @@ -234610,7 +234573,7 @@ index b7686d5..7f2928d 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -190,23 +211,35 @@ optional_policy(` +@@ -190,23 +212,35 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -234646,7 +234609,7 @@ index b7686d5..7f2928d 100644 ') optional_policy(` -@@ -216,7 +249,11 @@ optional_policy(` +@@ -216,7 +250,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) 
@@ -234659,7 +234622,7 @@ index b7686d5..7f2928d 100644 ') optional_policy(` -@@ -259,6 +296,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,6 +297,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -234667,7 +234630,7 @@ index b7686d5..7f2928d 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -277,11 +315,18 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -277,11 +316,20 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -234680,13 +234643,15 @@ index b7686d5..7f2928d 100644 + +files_dontaudit_rw_inherited_pipes(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) ++files_rw_inherited_tmp_file(ifconfig_t) ++ files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +339,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +342,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -234714,7 +234679,7 @@ index b7686d5..7f2928d 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +363,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +366,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -234737,7 +234702,7 @@ index b7686d5..7f2928d 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +389,7 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +392,7 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -234747,7 +234712,7 @@ index b7686d5..7f2928d 100644 ') optional_policy(` -@@ -339,7 +398,11 @@ optional_policy(` +@@ -339,7 +401,11 @@ optional_policy(` ') optional_policy(` 
@@ -234760,7 +234725,7 @@ index b7686d5..7f2928d 100644 ') optional_policy(` -@@ -360,3 +423,9 @@ optional_policy(` +@@ -360,3 +426,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c640e4cb..99e56176 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -4303,7 +4303,7 @@ index 83e899c..7b2ad39 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..8f88bc2 100644 +index 1a82e29..c388418 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,353 @@ @@ -5505,7 +5505,7 @@ index 1a82e29..8f88bc2 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +921,14 @@ optional_policy(` +@@ -816,8 +921,18 @@ optional_policy(` ') optional_policy(` @@ -5517,10 +5517,14 @@ index 1a82e29..8f88bc2 100644 mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) + mysql_rw_db_sockets(httpd_t) ++ ++ optional_policy(` ++ postgresql_stream_connect(httpd_t) ++ ') tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +937,7 @@ optional_policy(` +@@ -826,6 +941,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5528,7 +5532,7 @@ index 1a82e29..8f88bc2 100644 ') optional_policy(` -@@ -836,20 +948,34 @@ optional_policy(` +@@ -836,20 +952,34 @@ optional_policy(` ') optional_policy(` @@ -5569,7 +5573,7 @@ index 1a82e29..8f88bc2 100644 ') optional_policy(` -@@ -857,6 +983,16 @@ optional_policy(` +@@ -857,6 +987,16 @@ optional_policy(` ') optional_policy(` @@ -5586,7 +5590,7 @@ index 1a82e29..8f88bc2 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,6 +1001,7 @@ optional_policy(` +@@ -865,6 +1005,7 @@ optional_policy(` ') optional_policy(` 
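Review bot: The new `optional_policy(` postgresql_stream_connect(httpd_t) ')` block is nested inside the mysql `optional_policy` block — it sits between `mysql_rw_db_sockets(httpd_t)` and the `httpd_can_network_connect_db` tunable at the inner indentation — so httpd only gains the PostgreSQL socket connect when the mysql module is also loaded. It should be a sibling block at top level, which is how the same interface is added for keystone (hunk @@ -31166) and nova_cert (hunk @@ -43225) elsewhere in this commit. The fix is to move the mysql block's closing `')` above the new `optional_policy(` line and drop the extra indentation. The enclosing mysql block starts outside the hunk.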
@@ -5594,7 +5598,7 @@ index 1a82e29..8f88bc2 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -877,65 +1014,166 @@ optional_policy(` +@@ -877,65 +1018,166 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5660,11 +5664,10 @@ index 1a82e29..8f88bc2 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache PHP script local policy +# + @@ -5723,10 +5726,11 @@ index 1a82e29..8f88bc2 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache suexec local policy # @@ -5783,7 +5787,7 @@ index 1a82e29..8f88bc2 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1182,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1186,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -5938,7 +5942,7 @@ index 1a82e29..8f88bc2 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1266,103 @@ optional_policy(` +@@ -1077,172 +1270,103 @@ optional_policy(` ') ') 
@@ -5963,11 +5967,11 @@ index 1a82e29..8f88bc2 100644 - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- --kernel_dontaudit_search_sysctl(httpd_script_domains) --kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) +allow httpd_sys_script_t self:process getsched; +-kernel_dontaudit_search_sysctl(httpd_script_domains) +-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) +- -corenet_all_recvfrom_unlabeled(httpd_script_domains) -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) @@ -6104,8 +6108,7 @@ index 1a82e29..8f88bc2 100644 -# - -allow httpd_sys_script_t self:tcp_socket { accept listen }; -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -6135,7 +6138,8 @@ index 1a82e29..8f88bc2 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -6173,7 +6177,7 @@ index 1a82e29..8f88bc2 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1370,70 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1374,70 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6267,7 +6271,7 @@ index 1a82e29..8f88bc2 100644 ######################################## # -@@ -1315,8 +1441,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1445,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` 
@@ -6284,7 +6288,7 @@ index 1a82e29..8f88bc2 100644 ') ######################################## -@@ -1324,49 +1457,36 @@ optional_policy(` +@@ -1324,49 +1461,36 @@ optional_policy(` # User content local policy # @@ -6348,7 +6352,7 @@ index 1a82e29..8f88bc2 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1496,94 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1500,94 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -10063,10 +10067,10 @@ index 0000000..efebae7 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..8f6ba6b +index 0000000..11c8537 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,194 @@ +@@ -0,0 +1,200 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -10206,6 +10210,12 @@ index 0000000..8f6ba6b + fs_read_fusefs_symlinks(chrome_sandbox_t) +') + ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(chrome_sandbox_t) ++ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t) ++ fs_read_ecryptfs_symlinks(chrome_sandbox_t) ++') ++ +optional_policy(` + sandbox_use_ptys(chrome_sandbox_t) +') @@ -15874,7 +15884,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..f3e4a3e 100644 +index 9f34c2e..c8d914e 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -15912,7 +15922,7 @@ index 9f34c2e..f3e4a3e 100644 logging_log_file(cupsd_log_t) -type cupsd_lpd_t; -+type cupsd_var_lib_t; ++type cupsd_var_lib_t alias hplip_var_lib_t; +files_type(cupsd_var_lib_t) + +type cupsd_lpd_t, cups_domain; @@ -15962,7 +15972,7 @@ index 9f34c2e..f3e4a3e 100644 type ptal_t; type ptal_exec_t; -@@ -97,21 +94,46 @@ ifdef(`enable_mls',` +@@ -97,21 +94,48 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') 
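Review bot: `type cupsd_var_lib_t alias hplip_var_lib_t;` will fail at link time if any other module in the build still declares `hplip_var_lib_t` as a type, since an alias and a type of the same name cannot coexist; nothing in this hunk shows that declaration being removed, so confirm the hplip module no longer declares it. A comment above the line stating why the alias exists, e.g. `# hplip_var_lib_t merged into cupsd_var_lib_t; alias kept so existing references resolve — confirm`, would spare the next reader the search. The type declarations continue outside the hunk.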
@@ -15986,6 +15996,8 @@ index 9f34c2e..f3e4a3e 100644 +dev_read_rand(cups_domain) +dev_read_sysfs(cups_domain) + ++fs_getattr_all_fs(cups_domain) ++ +miscfiles_read_fonts(cups_domain) +miscfiles_setattr_fonts_cache_dirs(cups_domain) + @@ -16013,7 +16025,7 @@ index 9f34c2e..f3e4a3e 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,6 +142,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,6 +144,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -16021,7 +16033,7 @@ index 9f34c2e..f3e4a3e 100644 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -139,22 +162,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -139,22 +164,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) @@ -16049,7 +16061,7 @@ index 9f34c2e..f3e4a3e 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +186,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +188,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -16061,7 +16073,7 @@ index 9f34c2e..f3e4a3e 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +211,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +213,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) 
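Review bot: `fs_getattr_all_fs(cups_domain)` consolidates grants removed later in this section (cupsd_t at hunk @@ -16105, cupsd_config_t at @@ -16245), but for cupsd_lpd_t it replaces `fs_getattr_xattr_fs(cupsd_lpd_t)` (@@ -16301), so that domain's getattr is widened from xattr filesystems to every filesystem type, and any cups_domain member that previously had no filesystem getattr gains it as well. That matches the changelog's intent, but it should be visible at the point of the grant: a comment such as `# statfs on all filesystems for every cups domain (replaces the per-domain grants)` above the new line would record that this is a deliberate widening rather than a refactor. The cups_domain section continues outside the hunk.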
@@ -16086,7 +16098,7 @@ index 9f34c2e..f3e4a3e 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -206,7 +236,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +238,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -16094,7 +16106,7 @@ index 9f34c2e..f3e4a3e 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +244,17 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -16105,7 +16117,7 @@ index 9f34c2e..f3e4a3e 100644 files_dontaudit_write_etc_files(cupsd_t) +files_dontaudit_write_usr_dirs(cupsd_t) - fs_getattr_all_fs(cupsd_t) +-fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) fs_search_fusefs(cupsd_t) fs_read_anon_inodefs_files(cupsd_t) @@ -16113,7 +16125,7 @@ index 9f34c2e..f3e4a3e 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +265,7 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +266,7 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -16121,7 +16133,7 @@ index 9f34c2e..f3e4a3e 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +279,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -16147,7 +16159,7 @@ index 9f34c2e..f3e4a3e 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +305,8 @@ optional_policy(` +@@ -275,6 +306,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) 
@@ -16156,7 +16168,7 @@ index 9f34c2e..f3e4a3e 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +317,10 @@ optional_policy(` +@@ -285,8 +318,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16167,7 +16179,7 @@ index 9f34c2e..f3e4a3e 100644 ') ') -@@ -299,8 +333,8 @@ optional_policy(` +@@ -299,8 +334,8 @@ optional_policy(` ') optional_policy(` @@ -16177,7 +16189,7 @@ index 9f34c2e..f3e4a3e 100644 ') optional_policy(` -@@ -309,7 +343,6 @@ optional_policy(` +@@ -309,7 +344,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -16185,7 +16197,7 @@ index 9f34c2e..f3e4a3e 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +370,7 @@ optional_policy(` +@@ -337,7 +371,7 @@ optional_policy(` ') optional_policy(` @@ -16194,7 +16206,7 @@ index 9f34c2e..f3e4a3e 100644 ') ######################################## -@@ -345,11 +378,9 @@ optional_policy(` +@@ -345,11 +379,9 @@ optional_policy(` # Configuration daemon local policy # @@ -16208,7 +16220,7 @@ index 9f34c2e..f3e4a3e 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +406,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +407,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16228,7 +16240,7 @@ index 9f34c2e..f3e4a3e 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,16 +423,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +424,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) 
@@ -16245,6 +16257,10 @@ index 9f34c2e..f3e4a3e 100644 files_read_var_symlinks(cupsd_config_t) files_search_all_mountpoints(cupsd_config_t) +-fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) + + domain_use_interactive_fds(cupsd_config_t) @@ -420,11 +441,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16282,7 +16298,7 @@ index 9f34c2e..f3e4a3e 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,20 +526,16 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +526,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16301,10 +16317,11 @@ index 9f34c2e..f3e4a3e 100644 -dev_read_urand(cupsd_lpd_t) -dev_read_rand(cupsd_lpd_t) - - fs_getattr_xattr_fs(cupsd_lpd_t) - +-fs_getattr_xattr_fs(cupsd_lpd_t) +- files_search_home(cupsd_lpd_t) -@@ -533,9 +544,6 @@ auth_use_nsswitch(cupsd_lpd_t) + + auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -16314,7 +16331,7 @@ index 9f34c2e..f3e4a3e 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +554,6 @@ optional_policy(` +@@ -546,7 +552,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -16322,7 +16339,7 @@ index 9f34c2e..f3e4a3e 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,17 +567,8 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) 
@@ -16340,7 +16357,7 @@ index 9f34c2e..f3e4a3e 100644 userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) -@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -582,128 +578,12 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(cups_pdf_t) ') @@ -16471,7 +16488,7 @@ index 9f34c2e..f3e4a3e 100644 ######################################## # -@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +611,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -16479,7 +16496,7 @@ index 9f34c2e..f3e4a3e 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +620,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -16493,7 +16510,7 @@ index 9f34c2e..f3e4a3e 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +632,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -31137,10 +31154,10 @@ index d3e7fc9..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 3494d9b..4c4fe02 100644 +index 3494d9b..343535a 100644 --- a/keystone.te +++ b/keystone.te -@@ -21,6 +21,9 @@ files_type(keystone_var_lib_t) +@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) type keystone_tmp_t; files_tmp_file(keystone_tmp_t) 
@@ -31150,7 +31167,12 @@ index 3494d9b..4c4fe02 100644 ######################################## # # Local policy -@@ -62,14 +65,12 @@ corenet_sendrecv_commplex_main_server_packets(keystone_t) + # ++allow keystone_t self:process { getsched setsched }; + + allow keystone_t self:fifo_file rw_fifo_file_perms; + allow keystone_t self:unix_stream_socket { accept listen }; +@@ -62,15 +66,17 @@ corenet_sendrecv_commplex_main_server_packets(keystone_t) corenet_tcp_bind_commplex_main_port(keystone_t) corenet_tcp_sendrecv_commplex_main_port(keystone_t) @@ -31166,6 +31188,11 @@ index 3494d9b..4c4fe02 100644 optional_policy(` mysql_stream_connect(keystone_t) mysql_tcp_connect(keystone_t) + ') ++ ++optional_policy(` ++ postgresql_stream_connect(keystone_t) ++') diff --git a/kismet.if b/kismet.if index aa2a337..bb09e3c 100644 --- a/kismet.if @@ -36364,7 +36391,7 @@ index 6194b80..60bb004 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..5f21325 100644 +index 6a306ee..046b1af 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -37176,7 +37203,7 @@ index 6a306ee..5f21325 100644 ') optional_policy(` -@@ -568,108 +540,104 @@ optional_policy(` +@@ -568,108 +540,108 @@ optional_policy(` ') optional_policy(` 
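Review bot: The added `allow keystone_t self:process { getsched setsched };` appears to sit directly under the `# Local policy` header's closing `#` line with no blank line before it, while a blank line is left between it and the following `self:fifo_file` rule; inserting the blank line after the header keeps the layout of the section consistent. The collapsed diff makes the exact blank-line placement hard to read, so confirm against the patched file. The keystone_t section continues outside the hunk.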
@@ -37297,20 +37324,28 @@ index 6a306ee..5f21325 100644 -tunable_policy(`allow_execmem',` - allow mozilla_plugin_config_t self:process execmem; -+optional_policy(` -+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(mozilla_plugin_config_t) ') -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_config_t self:process { execmem execstack }; +optional_policy(` -+ xserver_use_user_fonts(mozilla_plugin_config_t) ++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) ') -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_config_t) - fs_manage_nfs_files(mozilla_plugin_config_t) - fs_manage_nfs_symlinks(mozilla_plugin_config_t) ++optional_policy(` ++ xserver_use_user_fonts(mozilla_plugin_config_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_config_t) +- fs_manage_cifs_files(mozilla_plugin_config_t) +- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +ifdef(`distro_redhat',` + typealias mozilla_plugin_t alias nsplugin_t; + typealias mozilla_plugin_exec_t alias nsplugin_exec_t; @@ -37321,17 +37356,12 @@ index 6a306ee..5f21325 100644 + typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; ') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_config_t) -- fs_manage_cifs_files(mozilla_plugin_config_t) -- fs_manage_cifs_symlinks(mozilla_plugin_config_t) --') +-optional_policy(` +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_enable_homedirs',` + userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +', ` - --optional_policy(` -- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) ++ + userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file) + userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir) ') @@ -43075,10 +43105,10 @@ index 0000000..7d11148 +') 
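Review bot: The `use_ecryptfs_home_dirs` block for mozilla_plugin_config_t grants only `fs_read_ecryptfs_files`, whereas the parallel block added for chrome_sandbox_t (hunk @@ -10206) also grants symlink read; if the plugin configuration is reached through a symlink inside an ecryptfs home this will be denied, so confirm whether `fs_read_ecryptfs_symlinks(mozilla_plugin_config_t)` belongs here too. The rest of the hunk only re-sequences the existing `gnome_dontaudit_rw_inherited_config` and `xserver_use_user_fonts` optional blocks. The mozilla_plugin_config_t section continues outside the hunk.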
diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..28b535e +index 0000000..7ce9e62 --- /dev/null +++ b/nova.te -@@ -0,0 +1,322 @@ +@@ -0,0 +1,326 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -43225,6 +43255,10 @@ index 0000000..28b535e + mysql_stream_connect(nova_cert_t) +') + ++optional_policy(` ++ postgresql_stream_connect(nova_cert_t) ++') ++ +####################################### +# +# nova compute local policy @@ -55349,7 +55383,7 @@ index cd8b8b9..cde0d62 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..91e0a7a 100644 +index b2b5dba..89ded87 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ @@ -55425,7 +55459,7 @@ index b2b5dba..91e0a7a 100644 type pptp_log_t; logging_log_file(pptp_log_t) -@@ -67,12 +74,9 @@ logging_log_file(pptp_log_t) +@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t) type pptp_var_run_t; files_pid_file(pptp_var_run_t) @@ -55439,8 +55473,9 @@ index b2b5dba..91e0a7a 100644 # allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; -@@ -80,41 +84,47 @@ dontaudit pppd_t self:capability sys_tty_config; - allow pppd_t self:process { getsched setsched signal }; + dontaudit pppd_t self:capability sys_tty_config; +-allow pppd_t self:process { getsched setsched signal }; ++allow pppd_t self:process { getsched setsched signal_perms }; allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; -allow pppd_t self:netlink_route_socket nlmsg_write; @@ -80792,7 +80827,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..cf4f528 100644 +index 7116181..ffc2e44 100644 --- a/tuned.te +++ b/tuned.te @@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t) 
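Review bot: Changing `allow pppd_t self:process { getsched setsched signal };` to `signal_perms` grants more than the signull the changelog describes: refpolicy's `signal_perms` set also includes sigkill, sigstop and sigchld. If only signull is needed, `allow pppd_t self:process { getsched setsched signal signull };` is the narrower form. The scope is self:process, so the extra permissions only cover pppd signalling itself, which limits the impact. The pppd_t section continues outside the hunk.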
@@ -80823,7 +80858,7 @@ index 7116181..cf4f528 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -67,28 +69,40 @@ dev_read_urand(tuned_t) +@@ -67,28 +69,44 @@ dev_read_urand(tuned_t) dev_rw_sysfs(tuned_t) dev_rw_netcontrol(tuned_t) @@ -80860,6 +80895,10 @@ index 7116181..cf4f528 100644 + gnome_dontaudit_search_config(tuned_t) +') + ++optional_policy(` ++ libs_exec_ldconfig(tuned_t) ++') ++ +optional_policy(` mount_domtrans(tuned_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 92da6803..3e09d9e3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Feb 11 2013 Miroslav Grepl 3.12.1-12 +- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file +- Add missing files_rw_inherited_tmp_files interface +- Add additional interface for ecryptfs +- ALlow nova-cert to connect to postgresql +- Allow keystone to connect to postgresql +- Allow all cups domains to getattr on filesystems +- Allow pppd to send signull +- Allow tuned to execute ldconfig +- Allow gpg to read fips_enabled +- Add additional fixes for ecryptfs +- Allow httpd to work with posgresql +- Allow keystone getsched and setsched + * Fri Feb 8 2013 Miroslav Grepl 3.12.1-11 - Allow gpg to read fips_enabled - Add support for /var/cache/realmd
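Review bot: `libs_exec_ldconfig(tuned_t)` is wrapped in `optional_policy(`…')`, but the libraries module that provides it is part of the base policy, so the wrapper is unnecessary and suggests the rule is module-dependent when it is not; the bare call `libs_exec_ldconfig(tuned_t)` placed with the other unconditional rules of the section is the usual form. The neighbouring `gnome_dontaudit_search_config(tuned_t)` wrapper is legitimate because that interface comes from a contrib module. The tuned_t section continues outside the hunk.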