Rename badly used userhelper_t in kernel.if to usermodehelper

2014-01-19 22:18:55 +01:00 · 2014-01-19 22:18:55 +01:00 · 93e99e4693
commit 93e99e4693
parent fa5dd278c2
2 changed files with 97 additions and 132 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -14897,7 +14897,7 @@ index 7be4ddf..d5ef507 100644
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..854e39d 100644
+index e100d88..3910ec4 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@ -15054,7 +15054,7 @@ index e100d88..854e39d 100644
 ')
 
 ########################################
-@@ -1771,21 +1834,42 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1834,9 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -15064,88 +15064,51 @@ index e100d88..854e39d 100644
 -	gen_require(`
 -		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
 -	')
-+    refpolicywarn(`$0($*) has been deprecated.')
-+')
- 
+-
 -	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
-+########################################
-+## <summary>
-+##	Read the modprobe sysctl.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_read_modprobe_sysctls',`
-+    refpolicywarn(`$0($*) has been deprecated.')
-+')
- 
+-
 -	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
-+########################################
-+## <summary>
-+##	Read and write the modprobe sysctl.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_rw_modprobe_sysctls',`
 +    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
- ## <summary>
-##	Read the modprobe sysctl.
-+##	Read the hotplug sysctl.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1794,33 +1878,32 @@ interface(`kernel_rw_hotplug_sysctls',`
- ## </param>
- ## <rolecap/>
- #
-interface(`kernel_read_modprobe_sysctls',`
-+interface(`kernel_read_usermodehelper',`
- 	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-+		type proc_t, sysctl_t, sysctl_kernel_t, usermodehelper_t;
- 	')
- 
-	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
-+	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, usermodehelper_t)
- 
- 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
- ')
- 
- ########################################
- ## <summary>
-##	Read and write the modprobe sysctl.
-+##	Read and write the hotplug sysctl.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
+@@ -1792,16 +1848,9 @@ interface(`kernel_rw_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <rolecap/>
 #
-interface(`kernel_rw_modprobe_sysctls',`
-+interface(`kernel_rw_usermodehelper',`
- 	gen_require(`
+ interface(`kernel_read_modprobe_sysctls',`
+-	gen_require(`
 -		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-+		type proc_t, sysctl_t, sysctl_kernel_t, usermodehelper_t;
- 	')
- 
-	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
-+	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, usermodehelper_t)
- 
- 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+-	')
+-
+-	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+-
+-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
-@@ -2085,7 +2168,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+ 
+ ########################################
+@@ -1813,16 +1862,9 @@ interface(`kernel_read_modprobe_sysctls',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`kernel_rw_modprobe_sysctls',`
+-	gen_require(`
+-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
+-	')
+-
+-	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
+-
+-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
+ ')
+ 
+ ########################################
+@@ -2085,7 +2127,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -15154,7 +15117,7 @@ index e100d88..854e39d 100644
 ')
 
 ########################################
-@@ -2282,6 +2365,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2324,25 @@ interface(`kernel_list_unlabeled',`
 
 ########################################
 ## <summary>
@ -15180,7 +15143,7 @@ index e100d88..854e39d 100644
 ##	Read the process state (/proc/pid) of all unlabeled_t.
 ## </summary>
 ## <param name="domain">
-@@ -2306,7 +2408,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2367,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -15189,7 +15152,7 @@ index e100d88..854e39d 100644
 ##	</summary>
 ## </param>
 #
-@@ -2488,6 +2590,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2549,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 
 ########################################
 ## <summary>
@ -15214,7 +15177,7 @@ index e100d88..854e39d 100644
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
-@@ -2525,6 +2645,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2604,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 
 ########################################
 ## <summary>
@ -15239,7 +15202,7 @@ index e100d88..854e39d 100644
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
-@@ -2667,6 +2805,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2764,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 
 ########################################
 ## <summary>
@ -15264,7 +15227,7 @@ index e100d88..854e39d 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2694,6 +2850,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2809,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 
 ########################################
 ## <summary>
@ -15290,7 +15253,7 @@ index e100d88..854e39d 100644
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
-@@ -2803,6 +2978,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2937,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
@ -15324,7 +15287,7 @@ index e100d88..854e39d 100644
 
 ########################################
 ## <summary>
-@@ -2958,6 +3160,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3119,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 
 ########################################
 ## <summary>
@ -15349,7 +15312,7 @@ index e100d88..854e39d 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2972,5 +3192,525 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3151,525 @@ interface(`kernel_unconfined',`
 	')
 
 	typeattribute $1 kern_unconfined;
@ -15766,7 +15729,7 @@ index e100d88..854e39d 100644
 +
 +########################################
 +## <summary>
-+##	Read and write userhelper state
+##	Read and write usermodehelper state
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -15775,19 +15738,19 @@ index e100d88..854e39d 100644
 +## </param>
 +## <rolecap/>
 +#
-+interface(`kernel_rw_userhelper_state',`
+interface(`kernel_rw_usermodehelper_state',`
 +	gen_require(`
-+		type proc_t, userhelper_t;
+		type proc_t, usermodehelper_t;
 +	')
 +
 +	dev_search_sysfs($1)
-+	rw_files_pattern($1, proc_t, userhelper_t)
-+	list_dirs_pattern($1, proc_t, userhelper_t)
+	rw_files_pattern($1, proc_t, usermodehelper_t)
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to search the userhelper
+##	Do not audit attempts to search the usermodehelper
 +##	state directory.
 +## </summary>
 +## <param name="domain">
@ -15797,17 +15760,17 @@ index e100d88..854e39d 100644
 +## </param>
 +##
 +#
-+interface(`kernel_dontaudit_search_userhelper_state',`
+interface(`kernel_dontaudit_search_usermodehelper_state',`
 +	gen_require(`
-+		type userhelper_t;
+		type usermodehelper_t;
 +	')
 +
-+	dontaudit $1 userhelper_t:dir search;
+	dontaudit $1 usermodehelper_t:dir search;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow searching of userhelper state directory.
+##	Allow searching of usermodehelper state directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -15816,24 +15779,24 @@ index e100d88..854e39d 100644
 +## </param>
 +##
 +#
-+interface(`kernel_search_userhelper_state',`
+interface(`kernel_search_usermodehelper_state',`
 +	gen_require(`
-+		type userhelper_t;
+		type usermodehelper_t;
 +	')
 +
-+	search_dirs_pattern($1, proc_t, userhelper_t)
+	search_dirs_pattern($1, proc_t, usermodehelper_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read the userhelper state information.
+##	Read the usermodehelper state information.
 +## </summary>
 +## <desc>
 +##	<p>
-+##	Allow the specified domain to read the userhelpering
+##	Allow the specified domain to read the usermodehelpering
 +##	state information. This includes several pieces
-+##	of userhelpering information, such as userhelper interface
-+##	names, userhelperfilter (iptables) statistics, protocol
+##	of usermodehelpering information, such as usermodehelper interface
+##	names, usermodehelperfilter (iptables) statistics, protocol
 +##	information, routes, and remote procedure call (RPC)
 +##	information.
 +##	</p>
@ -15846,20 +15809,20 @@ index e100d88..854e39d 100644
 +## <infoflow type="read" weight="10"/>
 +## <rolecap/>
 +#
-+interface(`kernel_read_userhelper_state',`
+interface(`kernel_read_usermodehelper_state',`
 +	gen_require(`
-+		type proc_t, userhelper_t;
+		type proc_t, usermodehelper_t;
 +	')
 +
-+	read_files_pattern($1, { proc_t userhelper_t }, userhelper_t)
-+	read_lnk_files_pattern($1, { proc_t userhelper_t }, userhelper_t)
+	read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+	read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
 +
-+	list_dirs_pattern($1, proc_t, userhelper_t)
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to read the userhelper state symbolic links.
+##	Allow caller to read the usermodehelper state symbolic links.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -15867,14 +15830,14 @@ index e100d88..854e39d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`kernel_read_userhelper_state_symlinks',`
+interface(`kernel_read_usermodehelper_state_symlinks',`
 +	gen_require(`
-+		type proc_t, userhelper_t;
+		type proc_t, usermodehelper_t;
 +	')
 +
-+	read_lnk_files_pattern($1, { proc_t userhelper_t }, userhelper_t)
+	read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
 +
-+	list_dirs_pattern($1, proc_t, userhelper_t)
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
 ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
 index 8dbab4c..4b6c9ad 100644
@ -24130,7 +24093,7 @@ index 6bf0ecc..115c533 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..ea6dc13 100644
+index 8b40377..ef809dd 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -25174,7 +25137,7 @@ index 8b40377..ea6dc13 100644
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
 -kernel_read_modprobe_sysctls(xserver_t)
-+kernel_read_usermodehelper(xserver_t)
+kernel_read_usermodehelper_state(xserver_t)
 # Xorg wants to check if kernel is tainted
 kernel_read_kernel_sysctls(xserver_t)
 kernel_write_proc_files(xserver_t)
@ -29131,7 +29094,7 @@ index 79a45f6..e1589ac 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..b4a2519 100644
+index 17eda24..a627baf 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -29456,7 +29419,7 @@ index 17eda24..b4a2519 100644
 +kernel_read_network_state(init_t)
 +kernel_rw_all_sysctls(init_t)
 +kernel_rw_security_state(init_t)
-+kernel_rw_userhelper_state(init_t)
+kernel_rw_usermodehelper_state(init_t)
 +kernel_read_software_raid_state(init_t)
 +kernel_unmount_debugfs(init_t)
 +kernel_setsched(init_t)
@ -31094,7 +31057,7 @@ index c42fbc3..174cfdb 100644
 ## <summary>
 ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..50b3d56 100644
+index be8ed1e..5e28da7 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@ -31137,7 +31100,7 @@ index be8ed1e..50b3d56 100644
 kernel_read_network_state(iptables_t)
 kernel_read_kernel_sysctls(iptables_t)
 -kernel_read_modprobe_sysctls(iptables_t)
-+kernel_read_usermodehelper(iptables_t)
+kernel_read_usermodehelper_state(iptables_t)
 kernel_use_fds(iptables_t)
 
 # needed by ipvsadm
@ -34054,7 +34017,7 @@ index 7449974..28cb8a3 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8..70c672e 100644
+index 7a363b8..ba534ac 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@ -34196,7 +34159,7 @@ index 7a363b8..70c672e 100644
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 -kernel_read_hotplug_sysctls(insmod_t)
-+kernel_read_usermodehelper(insmod_t)
+kernel_read_usermodehelper_state(insmod_t)
 kernel_setsched(insmod_t)
 
 corecmd_exec_bin(insmod_t)
@ -39950,7 +39913,7 @@ index 9a1650d..d7e8a01 100644
 
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..5aa688d 100644
+index 39f185f..f5aa25f 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -40031,7 +39994,7 @@ index 39f185f..5aa688d 100644
 +kernel_read_fs_sysctls(udev_t)
 kernel_read_kernel_sysctls(udev_t)
 -kernel_rw_hotplug_sysctls(udev_t)
-+kernel_rw_usermodehelper(udev_t)
+kernel_rw_usermodehelper_state(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 -kernel_signal(udev_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -10053,10 +10053,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..3de0f69
+index 0000000..92e9d8b
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,56 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@ -10094,6 +10094,7 @@ index 0000000..3de0f69
 +kernel_dontaudit_access_check_proc(bumblebee_t)
 +
 +corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
 +
 +dev_read_sysfs(bumblebee_t)
 +
@ -10965,7 +10966,7 @@ index a731122..5279d4e 100644
 ')
 +
 diff --git a/cfengine.te b/cfengine.te
-index fbe3ad9..5fe3fdb 100644
+index fbe3ad9..21ab8e1 100644
 --- a/cfengine.te
 +++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
@ -10993,7 +10994,7 @@ index fbe3ad9..5fe3fdb 100644
 #
 
 -kernel_read_hotplug_sysctls(cfengine_monitord_t)
-+kernel_read_usermodehelper(cfengine_monitord_t)
+kernel_read_usermodehelper_state(cfengine_monitord_t)
 kernel_read_network_state(cfengine_monitord_t)
 
 domain_read_all_domains_state(cfengine_monitord_t)
@ -20963,7 +20964,7 @@ index 8ce99ff..0819898 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..df3d66e 100644
+index 77a5003..73f2867 100644
 --- a/devicekit.te
 +++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@ -21119,7 +21120,7 @@ index 77a5003..df3d66e 100644
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
 -kernel_rw_hotplug_sysctls(devicekit_power_t)
-+kernel_rw_usermodehelper(devicekit_power_t)
+kernel_rw_usermodehelper_state(devicekit_power_t)
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_rw_vm_sysctls(devicekit_power_t)
 kernel_search_debugfs(devicekit_power_t)
@ -36544,7 +36545,7 @@ index 5297064..6ba8108 100644
 	domain_system_change_exemption($1)
 	role_transition $2 kudzu_initrc_exec_t system_r;
 diff --git a/kudzu.te b/kudzu.te
-index 1664036..b7b07a3 100644
+index 1664036..51dd14f 100644
 --- a/kudzu.te
 +++ b/kudzu.te
@@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t)
@ -36552,7 +36553,7 @@ index 1664036..b7b07a3 100644
 kernel_read_network_state(kudzu_t)
 kernel_read_system_state(kudzu_t)
 -kernel_rw_hotplug_sysctls(kudzu_t)
-+kernel_rw_usermodehelper(kudzu_t)
+kernel_rw_usermodehelper_state(kudzu_t)
 kernel_rw_kernel_sysctl(kudzu_t)
 
 corecmd_exec_all_executables(kudzu_t)
@ -37857,7 +37858,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..8c532a6 100644
+index be0ab84..e4d6e6f 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0)
@ -38085,7 +38086,7 @@ index be0ab84..8c532a6 100644
 ')
 
 optional_policy(`
-@@ -228,10 +268,20 @@ optional_policy(`
+@@ -228,10 +268,21 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38099,6 +38100,7 @@ index be0ab84..8c532a6 100644
 +
 +optional_policy(`
 	squid_domtrans(logrotate_t)
+    squid_read_config(logrotate_t)
 ')
 
 optional_policy(`
@ -38106,7 +38108,7 @@ index be0ab84..8c532a6 100644
 	su_exec(logrotate_t)
 ')
 
-@@ -241,13 +291,11 @@ optional_policy(`
+@@ -241,13 +292,11 @@ optional_policy(`
 
 #######################################
 #
@ -48722,7 +48724,7 @@ index db9578f..4309e3d 100644
 ')
 +
 diff --git a/ncftool.te b/ncftool.te
-index 71f30ba..d177ab5 100644
+index 71f30ba..d616860 100644
 --- a/ncftool.te
 +++ b/ncftool.te
@@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t;
@ -48737,7 +48739,7 @@ index 71f30ba..d177ab5 100644
 
 kernel_read_kernel_sysctls(ncftool_t)
 -kernel_read_modprobe_sysctls(ncftool_t)
-+kernel_read_usermodehelper(ncftool_t)
+kernel_read_usermodehelper_state(ncftool_t)
 kernel_read_network_state(ncftool_t)
 kernel_read_system_state(ncftool_t)
 kernel_request_load_module(ncftool_t)
@ -93935,7 +93937,7 @@ index e29db63..061fb98 100644
 	domain_system_change_exemption($1)
 	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..f30d191 100644
+index 393a330..fc018c1 100644
 --- a/tuned.te
 +++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@ -93993,7 +93995,7 @@ index 393a330..f30d191 100644
 kernel_request_load_module(tuned_t)
 kernel_rw_kernel_sysctl(tuned_t)
 -kernel_rw_hotplug_sysctls(tuned_t)
-+kernel_rw_usermodehelper(tuned_t)
+kernel_rw_usermodehelper_state(tuned_t)
 kernel_rw_vm_sysctls(tuned_t)
 +kernel_setsched(tuned_t)
 +kernel_rw_all_sysctls(tuned_t)