ysctl_modprobe_t and sysctl_hotplug_t are now obsoleted by usermodhelper_t

2014-01-17 21:26:23 +01:00 · 2014-01-17 21:26:23 +01:00 · 912db9180b
commit 912db9180b
parent 438fa3b5de
2 changed files with 234 additions and 58 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -14897,7 +14897,7 @@ index 7be4ddf..d5ef507 100644
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..d3b9fb4 100644
+index e100d88..7463ed0 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@ -15036,7 +15036,116 @@ index e100d88..d3b9fb4 100644
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
-@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -1750,16 +1820,9 @@ interface(`kernel_rw_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <rolecap/>
 #
 interface(`kernel_read_hotplug_sysctls',`
 -	gen_require(`
 -		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
 -	')
 -
 -	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
 -
 -	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
 +    refpolicywarn(`$0($*) has been deprecated.')
 ')
 ########################################
@@ -1771,21 +1834,42 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <rolecap/>
 #
 interface(`kernel_rw_hotplug_sysctls',`
 -	gen_require(`
 -		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
 -	')
 +    refpolicywarn(`$0($*) has been deprecated.')
 +')
 -	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
 +########################################
 +## <summary>
 +##	Read the modprobe sysctl.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`kernel_read_modprobe_sysctls',`
 +    refpolicywarn(`$0($*) has been deprecated.')
 +')
 -	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
 +########################################
 +## <summary>
 +##	Read and write the modprobe sysctl.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`kernel_rw_modprobe_sysctls',`
 +    refpolicywarn(`$0($*) has been deprecated.')
 ')
 ########################################
 ## <summary>
 -##	Read the modprobe sysctl.
 +##	Read the hotplug sysctl.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1794,33 +1878,32 @@ interface(`kernel_rw_hotplug_sysctls',`
 ## </param>
 ## <rolecap/>
 #
 -interface(`kernel_read_modprobe_sysctls',`
 +interface(`kernel_read_usermodehelper',`
 	gen_require(`
 -		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
 +		type proc_t, sysctl_t, sysctl_kernel_t, usermodehelper_t;
 	')
 -	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
 +	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, usermodehelper)
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
 ')
 ########################################
 ## <summary>
 -##	Read and write the modprobe sysctl.
 +##	Read and write the hotplug sysctl.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <rolecap/>
 #
 -interface(`kernel_rw_modprobe_sysctls',`
 +interface(`kernel_rw_usermodehelper',`
 	gen_require(`
 -		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
 +		type proc_t, sysctl_t, sysctl_kernel_t, usermodehelper_t;
 	')
 -	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
 +	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, usermodehelper_t)
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
 ')
@@ -2085,7 +2168,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -15045,7 +15154,7 @@ index e100d88..d3b9fb4 100644
 ')
 ########################################
-@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2365,25 @@ interface(`kernel_list_unlabeled',`
 ########################################
 ## <summary>
@ -15071,7 +15180,7 @@ index e100d88..d3b9fb4 100644
 ##	Read the process state (/proc/pid) of all unlabeled_t.
 ## </summary>
 ## <param name="domain">
-@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2408,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -15080,7 +15189,7 @@ index e100d88..d3b9fb4 100644
 ##	</summary>
 ## </param>
 #
-@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2590,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 ########################################
 ## <summary>
@ -15105,7 +15214,7 @@ index e100d88..d3b9fb4 100644
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
-@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2645,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 ########################################
 ## <summary>
@ -15130,7 +15239,7 @@ index e100d88..d3b9fb4 100644
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
-@@ -2667,6 +2792,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2805,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 ########################################
 ## <summary>
@ -15155,7 +15264,7 @@ index e100d88..d3b9fb4 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2694,6 +2837,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2850,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 ########################################
 ## <summary>
@ -15181,7 +15290,7 @@ index e100d88..d3b9fb4 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2803,6 +2965,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2978,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
@ -15215,7 +15324,7 @@ index e100d88..d3b9fb4 100644
 ########################################
 ## <summary>
-@@ -2958,6 +3147,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3160,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 ########################################
 ## <summary>
@ -15240,7 +15349,7 @@ index e100d88..d3b9fb4 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2972,5 +3179,505 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3192,505 @@ interface(`kernel_unconfined',`
 	')
 	typeattribute $1 kern_unconfined;
@ -15748,7 +15857,7 @@ index e100d88..d3b9fb4 100644
 +	list_dirs_pattern($1, proc_t, userhelper_t)
 ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..e387939 100644
+index 8dbab4c..4b6c9ad 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -15777,7 +15886,7 @@ index 8dbab4c..e387939 100644
 allow debugfs_t self:filesystem associate;
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-@@ -95,9 +100,29 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+@@ -95,9 +100,31 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@ -15798,6 +15907,8 @@ index 8dbab4c..e387939 100644
 +genfscon proc /sys/kernel/randomize_va_space gen_context(system_u:object_r:proc_security_t,s0)
 +
 +type usermodehelper_t, proc_type;
 +typealias usermodehelper_t alias sysctl_hotplug_t;
 +typealias usermodehelper_t alias sysctl_modprobe_t;
 +genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0)
 +genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0)
 +genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0)
@ -15807,7 +15918,22 @@ index 8dbab4c..e387939 100644
 type proc_xen_t, proc_type;
 files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -153,6 +178,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -133,14 +160,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
 -# /proc/sys/kernel/modprobe file
 -type sysctl_modprobe_t, sysctl_type;
 -genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
 -
 -# /proc/sys/kernel/hotplug file
 -type sysctl_hotplug_t, sysctl_type;
 -genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
 -
 # /proc/sys/net directory and files
 type sysctl_net_t, sysctl_type;
 genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
@@ -153,6 +172,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 type sysctl_vm_t, sysctl_type;
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@ -15818,7 +15944,7 @@ index 8dbab4c..e387939 100644
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +194,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +188,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 type unlabeled_t;
 fs_associate(unlabeled_t)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@ -15833,7 +15959,7 @@ index 8dbab4c..e387939 100644
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +226,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +220,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #
@ -15841,7 +15967,7 @@ index 8dbab4c..e387939 100644
 allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +271,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +265,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
 corenet_in_generic_if(unlabeled_t)
 corenet_in_generic_node(unlabeled_t)
@ -15849,7 +15975,7 @@ index 8dbab4c..e387939 100644
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +281,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +275,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
@ -15875,7 +16001,7 @@ index 8dbab4c..e387939 100644
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
-@@ -263,7 +304,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +298,8 @@ fs_unmount_all_fs(kernel_t)
 selinux_load_policy(kernel_t)
@ -15885,7 +16011,7 @@ index 8dbab4c..e387939 100644
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -277,25 +319,49 @@ files_list_root(kernel_t)
+@@ -277,25 +313,49 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -15935,7 +16061,7 @@ index 8dbab4c..e387939 100644
 ')
 optional_policy(`
-@@ -305,6 +371,19 @@ optional_policy(`
+@@ -305,6 +365,19 @@ optional_policy(`
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
@ -15955,7 +16081,7 @@ index 8dbab4c..e387939 100644
 ')
 optional_policy(`
-@@ -312,6 +391,11 @@ optional_policy(`
+@@ -312,6 +385,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -15967,7 +16093,7 @@ index 8dbab4c..e387939 100644
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +416,6 @@ optional_policy(`
+@@ -332,9 +410,6 @@ optional_policy(`
 	sysnet_read_config(kernel_t)
@ -15977,7 +16103,7 @@ index 8dbab4c..e387939 100644
 	rpc_udp_rw_nfs_sockets(kernel_t)
 	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +424,7 @@ optional_policy(`
+@@ -343,9 +418,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -15988,7 +16114,7 @@ index 8dbab4c..e387939 100644
 	')
 	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +433,7 @@ optional_policy(`
+@@ -354,7 +427,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
@ -15997,7 +16123,7 @@ index 8dbab4c..e387939 100644
 	')
 ')
-@@ -367,6 +446,15 @@ optional_policy(`
+@@ -367,6 +440,15 @@ optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
@ -16013,7 +16139,7 @@ index 8dbab4c..e387939 100644
 ########################################
 #
 # Unlabeled process local policy
-@@ -409,4 +497,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +491,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
@ -23981,7 +24107,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..326b206 100644
+index 8b40377..d57efee 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -25002,7 +25128,7 @@ index 8b40377..326b206 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,12 +1100,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1100,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -25024,7 +25150,8 @@ index 8b40377..326b206 100644
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -651,12 +1120,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+-kernel_read_modprobe_sysctls(xserver_t)
 +kernel_read_usermodhelper(xserver_t)
 # Xorg wants to check if kernel is tainted
 kernel_read_kernel_sysctls(xserver_t)
 kernel_write_proc_files(xserver_t)
@ -30944,7 +31071,7 @@ index c42fbc3..174cfdb 100644
 ## <summary>
 ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..8fc86ce 100644
+index be8ed1e..271dc71 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@ -30977,7 +31104,7 @@ index be8ed1e..8fc86ce 100644
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+@@ -49,11 +49,12 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
@ -30985,6 +31112,12 @@ index be8ed1e..8fc86ce 100644
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
 kernel_read_kernel_sysctls(iptables_t)
 -kernel_read_modprobe_sysctls(iptables_t)
 +kernel_read_usermodhelper(iptables_t)
 kernel_use_fds(iptables_t)
 # needed by ipvsadm
@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t)
 corenet_dontaudit_rw_tun_tap_dev(iptables_t)
@ -33898,7 +34031,7 @@ index 7449974..28cb8a3 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8..6f9d5d5 100644
+index 7a363b8..70c672e 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@ -34013,7 +34146,7 @@ index 7a363b8..6f9d5d5 100644
 # Read module config and dependency information
 list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+@@ -115,20 +124,28 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
 read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
@ -34039,6 +34172,11 @@ index 7a363b8..6f9d5d5 100644
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 -kernel_read_hotplug_sysctls(insmod_t)
 +kernel_read_usermodehelper(insmod_t)
 kernel_setsched(insmod_t)
 corecmd_exec_bin(insmod_t)
@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)
 dev_write_sound(insmod_t)
@ -39789,7 +39927,7 @@ index 9a1650d..d7e8a01 100644
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..d3c9fcc 100644
+index 39f185f..e17ab92 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -39835,7 +39973,7 @@ index 39f185f..d3c9fcc 100644
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
-@@ -64,31 +66,40 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -64,31 +66,38 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
@ -39865,11 +40003,12 @@ index 39f185f..d3c9fcc 100644
 kernel_getattr_core_if(udev_t)
 kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
 -kernel_read_hotplug_sysctls(udev_t)
 -kernel_read_modprobe_sysctls(udev_t)
 +kernel_read_fs_sysctls(udev_t)
 kernel_read_hotplug_sysctls(udev_t)
 kernel_read_modprobe_sysctls(udev_t)
 kernel_read_kernel_sysctls(udev_t)
- kernel_rw_hotplug_sysctls(udev_t)
+-kernel_rw_hotplug_sysctls(udev_t)
 +kernel_rw_usermodhelper(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 -kernel_signal(udev_t)
@ -39880,7 +40019,7 @@ index 39f185f..d3c9fcc 100644
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
-@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -99,6 +108,7 @@ corecmd_exec_all_executables(udev_t)
 dev_rw_sysfs(udev_t)
 dev_manage_all_dev_nodes(udev_t)
@ -39888,7 +40027,7 @@ index 39f185f..d3c9fcc 100644
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 dev_search_usbfs(udev_t)
-@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -107,23 +117,31 @@ dev_relabel_all_dev_nodes(udev_t)
 # preserved, instead of short circuiting the relabel
 dev_relabel_generic_symlinks(udev_t)
 dev_manage_generic_symlinks(udev_t)
@ -39924,7 +40063,7 @@ index 39f185f..d3c9fcc 100644
 mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)
-@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t)
+@@ -145,17 +163,20 @@ auth_use_nsswitch(udev_t)
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
@ -39946,7 +40085,7 @@ index 39f185f..d3c9fcc 100644
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
-@@ -169,7 +192,11 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,7 +190,11 @@ sysnet_read_dhcpc_pid(udev_t)
 sysnet_delete_dhcpc_pid(udev_t)
 sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
@ -39959,7 +40098,7 @@ index 39f185f..d3c9fcc 100644
 userdom_dontaudit_search_user_home_content(udev_t)
-@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',`
+@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_redhat',`
@ -39978,7 +40117,7 @@ index 39f185f..d3c9fcc 100644
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
-@@ -242,6 +262,7 @@ optional_policy(`
+@@ -242,6 +260,7 @@ optional_policy(`
 optional_policy(`
 	cups_domtrans_config(udev_t)
@ -39986,7 +40125,7 @@ index 39f185f..d3c9fcc 100644
 ')
 optional_policy(`
-@@ -249,17 +270,31 @@ optional_policy(`
+@@ -249,17 +268,31 @@ optional_policy(`
 	dbus_use_system_bus_fds(udev_t)
 	optional_policy(`
@ -40020,7 +40159,7 @@ index 39f185f..d3c9fcc 100644
 ')
 optional_policy(`
-@@ -289,6 +324,10 @@ optional_policy(`
+@@ -289,6 +322,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -40031,7 +40170,7 @@ index 39f185f..d3c9fcc 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -303,6 +342,15 @@ optional_policy(`
+@@ -303,6 +340,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -40047,7 +40186,7 @@ index 39f185f..d3c9fcc 100644
 	unconfined_signal(udev_t)
 ')
-@@ -315,6 +363,7 @@ optional_policy(`
+@@ -315,6 +361,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -10965,7 +10965,7 @@ index a731122..5279d4e 100644
 ')
 +
 diff --git a/cfengine.te b/cfengine.te
-index fbe3ad9..ffde263 100644
+index fbe3ad9..7cb4f72 100644
 --- a/cfengine.te
 +++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
@ -10988,6 +10988,15 @@ index fbe3ad9..ffde263 100644
 sysnet_domtrans_ifconfig(cfengine_domain)
 ########################################
@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t)
 # Monitord local policy
 #
 -kernel_read_hotplug_sysctls(cfengine_monitord_t)
 +kernel_read_usermodhelper(cfengine_monitord_t)
 kernel_read_network_state(cfengine_monitord_t)
 domain_read_all_domains_state(cfengine_monitord_t)
 diff --git a/cgroup.if b/cgroup.if
 index 85ca63f..1d1c99c 100644
 --- a/cgroup.if
@ -20954,7 +20963,7 @@ index 8ce99ff..0819898 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..2728ee6 100644
+index 77a5003..75da3e4 100644
 --- a/devicekit.te
 +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@ -21105,6 +21114,15 @@ index 77a5003..2728ee6 100644
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -224,7 +236,7 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
 kernel_read_fs_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
 -kernel_rw_hotplug_sysctls(devicekit_power_t)
 +kernel_rw_usermodhelper(devicekit_power_t)
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_rw_vm_sysctls(devicekit_power_t)
 kernel_search_debugfs(devicekit_power_t)
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
 files_read_kernel_img(devicekit_power_t)
@ -36526,9 +36544,18 @@ index 5297064..6ba8108 100644
 	domain_system_change_exemption($1)
 	role_transition $2 kudzu_initrc_exec_t system_r;
 diff --git a/kudzu.te b/kudzu.te
-index 1664036..d10ed5a 100644
+index 1664036..b67a112 100644
 --- a/kudzu.te
 +++ b/kudzu.te
@@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t)
 kernel_read_kernel_sysctls(kudzu_t)
 kernel_read_network_state(kudzu_t)
 kernel_read_system_state(kudzu_t)
 -kernel_rw_hotplug_sysctls(kudzu_t)
 +kernel_rw_usermodhelper(kudzu_t)
 kernel_rw_kernel_sysctl(kudzu_t)
 corecmd_exec_all_executables(kudzu_t)
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
 domain_use_interactive_fds(kudzu_t)
@ -48695,10 +48722,10 @@ index db9578f..4309e3d 100644
 ')
 +
 diff --git a/ncftool.te b/ncftool.te
-index 71f30ba..d20f048 100644
+index 71f30ba..4976452 100644
 --- a/ncftool.te
 +++ b/ncftool.te
-@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
+@@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t;
 allow ncftool_t self:capability net_admin;
 allow ncftool_t self:process signal;
@ -48706,6 +48733,14 @@ index 71f30ba..d20f048 100644
 allow ncftool_t self:fifo_file manage_fifo_file_perms;
 allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
 allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
 allow ncftool_t self:tcp_socket create_stream_socket_perms;
 kernel_read_kernel_sysctls(ncftool_t)
 -kernel_read_modprobe_sysctls(ncftool_t)
 +kernel_read_usermodhelper(ncftool_t)
 kernel_read_network_state(ncftool_t)
 kernel_read_system_state(ncftool_t)
 kernel_request_load_module(ncftool_t)
@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
 dev_read_sysfs(ncftool_t)
@ -93900,7 +93935,7 @@ index e29db63..061fb98 100644
 	domain_system_change_exemption($1)
 	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..0075849 100644
+index 393a330..6ce4613 100644
 --- a/tuned.te
 +++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@ -93930,7 +93965,7 @@ index 393a330..0075849 100644
 read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
 exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+@@ -41,22 +48,29 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
 files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
 manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
@ -93954,9 +93989,11 @@ index 393a330..0075849 100644
 kernel_read_system_state(tuned_t)
 kernel_read_network_state(tuned_t)
-@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t)
+ kernel_read_kernel_sysctls(tuned_t)
 kernel_request_load_module(tuned_t)
 kernel_rw_kernel_sysctl(tuned_t)
- kernel_rw_hotplug_sysctls(tuned_t)
+-kernel_rw_hotplug_sysctls(tuned_t)
 +kernel_rw_usermodhelper(tuned_t)
 kernel_rw_vm_sysctls(tuned_t)
 +kernel_setsched(tuned_t)
 +kernel_rw_all_sysctls(tuned_t)