From 941d5af493e49a429946f4b4b8059f13a10a2480 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Mon, 5 Jun 2017 13:25:12 +0200
Subject: [PATCH] * Mon Jun 05 2017 Lukas Vrabec - 3.13.1-256

- Allow keepalived domain to connect to squid tcp port
- Allow krb5kdc_t domain to read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow keepalived domain to connect to squid tcp port
- Allow krb5kdc_t domain to read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow ganesha to connect to all rpc ports
- Update ganesha with a few allow rules
- Update rpc_read_nfs_state_data() interface to allow reading lnk_files as well.
- virt_use_glusterd boolean should be in optional block
- Add new boolean virt_use_glusterd
- Add capability sys_boot for sbd_t domain. Allow sbd_t domain to create rpc sysctls.
- Allow ganesha_t domain to manage glusterd_var_run_t pid files.
- Create new interface: glusterd_read_lib_files(). Allow ganesha to read glusterd lib files. Allow ganesha to read network sysctls.
- Add a few allow rules to ganesha module
- Allow condor_master_t to read sysctls.
- Add dac_override cap to ctdbd_t domain
- Add ganesha_use_fusefs boolean.
- Allow httpd_t to read kerberos kdc config files
- Allow tomcat_t domain to connect to ibm_dt_2 tcp port.
- Allow stream connect to initrc_t domains
- Add pki_exec_common_files() interface
- Allow dnsmasq_t domain to read systemd-resolved pid files.
- Allow tomcat domain name_bind on tcp bctp_port_t
- Allow smbd_t domain to generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
- Allow condor_master_t to write to sysctl_net_t
- Allow nagios check disk plugin to read /sys/kernel/config/
- Allow pcp_pmie_t domain to execute systemctl binary
- Allow nagios to connect to stream sockets. Allow nagios to start httpd via systemctl.
- xdm_t should view kernel keys
- Hide broken symptoms when machine is configured with network bonding.
- Label 8750 tcp/udp port as dey_keyneg_port_t
- Label tcp/udp port 1792 as ibm_dt_2_port_t
- Add interface fs_read_configfs_dirs()
- Add interface fs_read_configfs_files()
- Fix systemd_resolved_read_pid interface
- Add interface systemd_resolved_read_pid()
- Allow sshd_net_t domain to read/write crypto devices
- Label 8999 tcp/udp as bctp_port_t
---
container-selinux.tgz | Bin 6776 -> 6800 bytes
policy-rawhide-base.patch | 937 +++++++++++++++++++++++++----------
policy-rawhide-contrib.patch | 595 ++++++++++++++--------
selinux-policy.spec | 43 +-
4 files changed, 1092 insertions(+), 483 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz
index 5803b5601ebb4b072014f589595c2aff49582b34..be53f4f82f6244047d564cba870b2bc77a92005b 100644
GIT binary patch
literal 6800
zcmV;B8gJzviwFQZKQ&nZ1MOXHZ{#+T&R6%Z5M~059gOX>d`$0e2q`2zD2^
z50|@+T2gl_)>|aCU(T5Q?N?QN5k-*{rIs_ZI5&{=xK;I#ERw}yu~>@Aq7Bm`sV~y)
zSI_i$2cHigzQymW@4tJee#7Vex7SzKUtPVwy87<={rBH~fBn_FtM}LMzW*wC_gocH
zKZm9b>mc|lyQ{-Z5?SfSp8u16RJM?5!#^&F^-|#teyGAa
z%!4A#lRv#;RImO#DB&l15QJG)-Y0R;mO)#GMU!HqOrV#93jbcEMVr*yFiK8;m9<&d
zhoVjMWDVsJ&YQQtu1DO0hs}oV7brrTyZ~WC>oasq>w!#7y>`IQTbm>le!g|fW
zYfmP1?TM{xwF2rgOAPRTg`XvO7)43bjG-b@6jqm`!w0@6jhwFc#Us(*toN~C==VC^
zU>AISZN@-|=a{P?q%U@&;((tbYB?XBvn>h>qIAx(BPZ0~s7yuNS-J^gsD9Lzb(%C2
zB<-9x9z)wKVlEV@mXCn%!Wv0C*;4tz*HG5iRs?IENTgT`LfwRZvRa#>G0Wxp)
zVV!(QQl|>}%bk&XNIgrN7RRLFoSx7U51`NWP3YmQ&T9O}BCQW3-#V
z7@IK9swIs*_$8SFNfrDrm+-7&xU1f5?)+9r9AxqtDvk<{$ci~S8aW;H4#a*VmC=z?7WIKPZ6Qx
zygf9=3F306D3jppYxwUy{P*p$_Sw(>{?iw-a*!2MrSY_N1NOoeg#%E{1cR7>j6W{E
z?Q4?yZV?~kLXIlSzWcFhlRRp(sV*e_*`Y{V5`WiG3_IqAmMDnzR*K|xl9gzzgQQXz
zPxK_I?IWp2oC|%SiW#DbHcsxUmYn92cMCO^AFp{Wu^0TiL0SGS6mk!V
z&-4kBl{*KkvKCq>_GO;vV}LJ;e9;x2e#_E`ByWRP^4SIOy*itX6PMBLe2@mX*Ml12
zuXE7A)K_uNqb!B)osY!Ywm?m0$%bK+(LBj&HE1{n48I-N%QOsaC^SR`LiP~#iWkG*
zRRwPBTB*A~RA
zlcvn>E>HrCz_Oldz!2D!56LpkXP9WzE(lk`{vit=mq)x_5Hf7bJQX?s43`>K?R6OE
zX~EVaJP5K)AGTNtqzm}~(2jKdltm%@8`9{s^^lhWY`zp&yn_biXFEHqw@TkRP;G+o_Mt8$ylqqwom_y(5(w)~|Em{q5%;yE-&q
z^60A~?-7W!XqUm4uV04!Ok1us)Rhbr*78Q%!V~yMl#r+oqYHSo+VaTWfqjYa4%P>#
zRlwUvZWPj4DHIHAH~Dz`acXyIT^9MIP0RCi7uEAvZ;jRQE_&4M-Wl#%z)m+m*cpFk
z=8UHsfcsj4C)lLdAdR3&cSV@72^)O6ndXpz!f16e6N-wtPc~c#%JGGDPK@z$kEF(r
zQuY8~oq^oKnwR`LFLvI1gOhNaTNx+g-Z|lCL$xq)vI&R(x+=3YdZZC9oPyj77{Ux_
z#R2S@@_fW;_-1Km?>aoRdmgDZ@c7chFD#;s>N_Rwlo)#2LTU1m@uUjU;OFDw7R()W
zY^>ok>2)Cm@9sD%yih?n_MFvVY%@83xi$~Ae!AH`oCQ^O02S+P40##BI;QWl=@Z7#
zoBBZ&IT$zPp@<7xZJLav(6yY77nRk`8wY0gjFys9u4q(&0w+s
zlM@!S`mrjZxy({cn`Hyr7mhvesyjC>+GYANI(CTHmBe~OsTOm(_2XJQF!8et?HzI&
zLk5-VXpbF8#+Wj#E`CVH5UUPJe=L#QP%_HLh=flaRT_puC|2XZORC2*Sj66s1<-^p
zA3AE)Kf$&ct!7^JpiN;FKf6jDt{paijtj-S^>*#ekB?BNV^Fkz#J;L&DNbsO8*s&C
z@wwM%Y&)BJSicdUgwW-dogmRH5>M99iq+6LGIJtqOEhveVUtGv1ysn_Z@H}MWSc%1
zo%-+Nh@gbtXYHJ*l}mH_AqL2?4x4_3X8?hxJ2+aQ_#6db$7m2Yi^LW}TNY=*3ex8r}xi7grxH-kq&9b;F`W
znR6zn%d#zRr&`*p*TGK-;M8=n7?!LRX~H;ZA|9br@z|UMBV3?5!Tmk~HCn6DC?Q$b
z!p%(1;4BON{^QRjyla;8;@*NANj_$j1%
zPynUpJZ^kfmxn4iKCV1?@Vcz;@{|pnVj~X4#$}EhWD$eL`g9`5|`PD
zZj5m1!-=RTasEu!2K|V9uys7u`G>f|^WR7A4k}nZ`QOxZbKCSsgU
zbuJUypo08_MGxFL)tDT!Kd%NF0DqD_1Al0UJys_&p0^IL**UaChd=H3NNXNdG~kA#
z$~;QV$157D?py1F4?TU>GIY{mQOYSuzm(oNn>fypKb{&9hVUZ9vya_Hh_YzU_VIMc
zG6drRAAKwt#K?q@m(XS8ojDya8Uzii>Oj2o+sz8y*hSLP-={hYZlbqwvOWDZp(Sq(
zn*-X&uyArz|M4-45Ns6R1?K^7IhgGC>2A+A@BMPKh0Db)kY3~@GpI9XKzW2&z>G0?
z#QbZfRliBH?Z+sr!cCf`?PKs1MEml-2yRobezx#00NXZ6o5n$YTawy?gOa8|iPpdNIiyvK~9#vRe(BUnM@q)YS}sIM$7Zr8W`a^oSn!_a~w
zY9`@Kg+?X}=Q@e*
zSU?!=vBzsRhli@>NiPL9fnM(R-7G6@f2Dc!%{*McZ!-M?`-o-1Y{KC$X97`Ps#pNh
zMxK@1Ps2!z*TG-nn8hRJ;ce0j
z7TPD#ZE#=Kw--S6Z)KHi4_Wqz-gb~cUfz)_z6kD4(QysEIQ`CJY+F19RJQ?c?NR{_JaukI7555@05K3;f*Il=j;&fk4_|H
z3K+d1nhAlSdKw$cqlEqin;kJ@`u2Qv)(7*Z^F-{))7uxn@2K>e>>9LX(jO`Ckt-}m
z3*8t07{U9ufjcIivk-A({W;5+Y;aF0!)F!In8(
zX&MHy?KB{KhVd{%ls0znrJmuJaAAC7fRz68Cmw3Rk1F~R2gbH^VF<*Ck@&bZZZR6)
zteu7tvmTd|ern}rRB6YD;b@ig
zP}DBEPsH@San2P+HTx)Eu=DVO&LM;jrj0pzp!0Jq9dT;dJI@nr>2?Ow
z%(Apdp@on3_HA2v79m)oGS90ld05k!9OvzwZu&~l$mDm%JNqPc#!>Rv$tYXyXsUB{
z$HK=g^a^>@MPfRMI~~{44tUjVGS_Hf{3O$lnBNW#ZSz=Z?4iL6Z8;wQ`#`cx5njzZ
z6y%4|{MNSaLKhN~K82P$+sG-I-)E%q9>Qq)J>e+zeq9zUu`EwBV{S{+mNlAi7{fs7
z`vHUa(&pAePe=E-h!st9pSIE7Ovh6z=)(s#rg3?1f#%t8#a%Zu6%pa{gQZ2Bpsd{d
zHg!bL#Ws?km{N`jjD&G?^r}lUf)k!voi{rRb&nWqBs{qSYTM>JZ6akFP-tWNzo9+4
zzhmgSfZae`(}C1FN^I>nu?o9(3%>wD2pA64q1Bd{yeRkgaoC2Ac|^9im~{3Eybgxc
zj-GSu1sJbPpsaYGS4>~XcZOLeS8`}mZo9_GHaui4^RqnIM51!A;b((>Y;cK*x&LO(
z@&j5X4JRg3DBU`74GCwOX5U=~Hgdf&GuBmZb#9)q$4oRE2ZbHLQtB2af0;ESePdxx
zD`p|in<`$*8xpxYgcUGRJ)yJLVv{ODj;z#kL%Afc$<)ns!Y#oqoI2K+oH=
z&S92-G2?c@2x7N`#X#)i-=Wuqc_BZShY3j8aP**6`;d%r;iV#8Pu8BXHQMZQzq$I7{{J}vYBo9bd$rGXQ
z1B?=id2uMvfQ&-w1p9#-T41nK?>36icMbe#->%aoX6Ct~0VD4&+gt%1OWm&JU*a`U
zPM&ykK1@>!9v4_aX1OZNb?{i0ghMN?B+uZgl9{7*qLyT
z)NzT$nC;TcToxZ}Skd_eN!WRcDkw$FjC&!ol(wrnTLk`X^$=LtX`SZrI<#cd%eXA{
zWl4<0%I+d!CPQ~_g{FpOU2;xRtdX1R+EaNsW5sx#K;_HFKkA6n0+QnF%`$k
zmQ&WXvJ$ljQ1qo2Hd~K@2BC%PHDwOX9wH9Vy*FUp(=KMGugF>^6E&MOlF8*PgPV9W
zg<4apZ5t}Y0D2|Fvm{QB31U*p5NpwBc9*=N!iIb^>~Qm>N8H`dbB~b2W)1Q^byfpO
zVo3xqXJe{dyr!#D-Zs4^>ZvP9N8tIaT-s`eGWK$iku+sI5$24HSt{qm{7}*i
zx4)GhtjD_Hxw<#7X!*#LZ*dp9_EPT+%?^#&h
z^fIFMkA3wE`P-*l_L(L)zfgWT*0swP2G5lwbp=;SA|+x@nsa5swZB*lXf(;=uo2?ohH1gzMd=F$%cN;u
zW6UhqK|cXtaMPbsY5lulN(m=X&t*@JdhP5<5{}p!z29h}=o|f34+1vE_42ddqGTtV
zTE=JQwc{bIGW#GuTZSWZ(P(Ono*%P-I^MNEuw>@f!+NrOZ=APrkJ{6
zF|iUcdBaDo3@sLQPjzV<=CjHD)T$9vHTrx96RRDMziRvOT!sL&*6#`;pDV7b7IePs
zdvB}tzs=M7XLoETWOZyO+(9zcc7)D(#jEwt+Gv`eGxNG0msHjji#sXWb$*)G8R=P%
zP0PAmI@YD4kB53lq{&wGkw}+Ksk33B=keDE_ElkcwmoGw9>DA|BQ;O6t;8qFeA-HG
zOjnABp8YNk!iEcmM^Xn*q@lQU8g)5)VzI^nKN_P}8LwS5v3)CTcba${-dIkDJAz(N
zmwr}m3<}fEv8~$r8BV2rPopQCLXVz4dz?D^oi_W5gwIo#>Ee?ad5m{TqUJHI33}_z
z+u+ykP2Fl(v+XjSuiS{4q&9v*&l?k#Oi)LSryV)CBQwr3azDqz9Gz0A-;EqE(U9);
zlnc>%HHK6EQ@qnow&P;^Z0|O6zyIy(-PQYd`upFm;Opi6Z-2n&5^b2vUoO}iUFhYK
zI3$vXmcPPmefY=~WBsuk^gN4o^A2X&<)NuBvvh;wEkKy!hti{M;K&?DF`FRS?w#
z%D$F?2CJ^aTM96Hh|Upi$+iRL<$_g&XVEehL^MhDU;lIY-`_Cb^Rm5jj$YHIU983&
zmA`ssY1pE?E3-qMoKF{p@)EZWx*;LgX}Q#>dJeoYO5>&Q8WnJvS=84ai+7Py!g7M1Cfvwu19#)?E*eiA^3!{_Poa5y@TLRnqjg-muB-@}l6
zfw~9|s*eEbiE0rnfVyP0{snV&dV`7(6%(YSY7qV6n_n=AyuT1xI{I;7k^a*k*}u}1
z`Ewayj9r;Jj$C*=bL+%G;DLC31Z0QV$#I!ss`N|PmU%jLCK(%!ihY^tA<`w^$t6>p
zY?k0rddxZ5Ip#CWd4X)6`bW=vGyI|oz+S{MdO+YWtPTY1;#xriK3+M1bun|P@8U~j
zJrPV2%$dptJXX11E~+%1WYvtop~nvJnq~0L`BjHyM93EaW-2yQK?mVKiXH=C#q61&
y0q6xpD$s5oj?g5Z+pqERdHKA2UOq3Mm(R=R<@54+`Mi9FpZ^1spwMps$N&J0Id4k<
literal 6776
zcmV-;8i(Z{iwFQ4u^m|e1MOYwkK8tr&)4a{La+mPCh$BwPGZ25-NPa|;O@f#!R`Y0
z;d0keOX_ZA^opdO#|^xH`&AVmq9~H0)SB3bod%Njw5on2i)67_ES93OXv4Hf>Wg&y
z)iZsr;Pd_W-{SYX58qv>-|%_=?e)9suim|XclF`@`>Su?Uw?H4e|-4*j51I_vw`ef1Ld5LlPa@L_trBpxvuK#AOcuxFFU`g*W)23hOWr
ziZD<9^omiv`tzWKpXfmlW?6Zk#6epIZ5P0u@e;s{1j2k`RJT&QCJYAbCw-Bq5ei?D&o%4O%Ox%qqeNmq?sUT
z=e+S4+GY`Rp+L2K1bi3PNZQGk$`8JNXQKHC?F=|R{BvC;b>0BuHqDYo6wIlqM;2CH
zUz(_CK>d+|whVB|ccjGsnuM_?ZtB|4F6bI6MlGc3%o4YCjGhoUdu(2%CDtDx^JX8`
z$(JN`s*u0j8M%klv$Sb(Y}zP
zLt~sEE_aGD3BJCD|K7uY-!5yP{rvAgeIY9cSus@_Pg^%&FKkgb0M$$|hzZE}>{*NM0vdiN-oeDuwYx
zPXhiC%)DE-B?GTOvE0X46NY2hk193!h+lym8FEKD!o@2T@CA(jDY#cB6%4Vu#2GN+
zAzfsf6&7)DU#BJmJ5O?0xjz4-z6TlQvz(BIo{%)q4|%|_h3qFtQx|3sXwvLY%c^~x
zx`YQBzEzyTM1SL#&!v)MRt8QsnYX@Gk@s1g1;
z2MtVp73Vz4Qt00KNUUuO)MS=y7)BY*ldM*QhGW3++kw4I!_bC8LsTGS4^gjpG5lRs
z;Kr_{3NvvAf|!h8=+2oK=NYKGMjct6_P@cA*Ny&dy1Ph!}6|flc|4EYp03iAL>$a3$;?vhZ@X1H2GItSk0e*UqmL-Qq%
zzAEw_fk=yX8GQNrW!TTO%!LW9dkGCJEc9+&=kx$yRJWqE~J&*O)SRL=8N8Rq7;jRVjbn}Cq@pop<
zc)9_&uO)bbO?nN|2%2BI
z8a|U=7gF%DvEIgzml3RE`aYXJVGO;g
zA5@WpaZ?_OxSV>6GIk&=;g5*R?W#EI3_@+;kP4QsaEY-AGHn4r+*z>NsbK|02rXQnYhj?8{tT&WuF{fKUuC)UbKg-bGA*V59
zP^pgg*nwn>DbwoWhhz+~>X7uu63GoEqkN1=_|#FQVJL)RH4eO_dMtxQ?EP2(P3ZEW
zqgMSBY@5+)=2Z{c6jt%GtJLAzVe{v>P|RCz*WUd22z5FJMf*qWtD2VLq_(&LS6mjK
zdyU4nv#E#m8}Ug9U2fS463rs4QO@
zKhpy$279eTv&$0(euZZcsyG?nT0An!v%B`A^QmhkDC@rAAxT6TKy->kXYwcX45RwX
zX;-&y!+Mvrf+o+JHRz2UcSdUuqXx%5I%c4-Sp1Aj6b}+v*St^g5v>lN`zGW+=SL2R
zi#B<#GTirnzyI$2w;%NTzt`8_z1;u(BRY7grZoXDdzHupm+9
zn+fW&Y|GoJhW6@p@KXXfHQg(Q6>CL`Fix6?2k2BhG$+9T7pP5ezfVAm)@m?HNXE7B
zGLtVj%YwiE_;XN|bt@xyDz0T2IyR;~6yZi~s@&LtvHv#MhFO!GX;tDiVtWF92&tYE
zKLQ`)7tH~LW~r@g1cF(#ei{VFO!QVfs8W%i*P
z1DyJBBIrpRKa;URKO!IO98Y!rA+B)z_mR7E3RX}4H#OaOXka`T>0^q+5{8(G5T{d}
z%Y-(lAU|Ny<91FpCdcg0tAPf&Pdh%+nnx84xZ$WW
zk5cpLiiWDY*81Q>N1wF}ope}~atP8drFYCGPBY|>r$&S!yom7ZV|M|fEZDPsJRPzO
z!Faq!A4|qCG9lz8bQw8kP6vzzLBpy#5HJ09vqCR+k+k&psm_9X=xv;APk&8l$y>wT
zfc7ygnjF=Ce9R&Q`^2l@Jir|Xll?y3?fKrlUv9Q=xwr$;i=1Qzb><8xk1z|EEe4O6
zd(E`!H%Yer7==~1Nwc(l44#5$U)~qNZ3@=U7XAfb+a_t#ILL2{G7hj`=?qTlS-JM;$(uJjIy{AMPYw*JXW`gtSp68&zGK?^
zGC`ew7hL#nPc~Ed2QOOv(G#tWss&IE@c?BCdpF0fgAJ|i&7rB1B6e}=x=(EiI*e%k
zc?>R4&!krZ82M$CLghUs2{rDB79YV1S|nYf&p;z(X>q&0<<}Jt$sGm@98oiY2ptip
z;ZB1RPiH~8Y9*IM8~~(rVbhn?X|x8NY&4tBBnuAQi7X)hsVp=yVK~=GbjL!xaN9gy
zvpGCeHBWjeunF{X1Mg;8IggSpJY2tTGW|;Wh_S%Tyx}ir0#RO*SOC&TBk}MZO!xA{
z*XwOv=H1#&DIxMQhLwM1yv#pRJrNi@+_stSlphN=%n>jfaWnwh6WI_EEueX&U3*-^
zpqnBvv7I%?#m(tYHzI=qBhFt=9iVoLa
zNHvYYxV-NA<+tcrv=+hI{%?!`O<~!C&H-MHuGcZPE+>*(cF$a9`H9
z7eMxJWtD6XS@wtybdW$^-jR2`2=0?$AHpADut`t=K~rW2^vD9&e{urkiAy@r+?Lo5
z=-js~-sQeLWHB!s|IT4~26G9vcnJVFgLSw&lzjo=jVD9rzYrdcP9$Us7#$p%34y_P
z8XL=ugf0V{9Wi72_S|pQ2lJ-$MC{4a+ZVs@d-R&@8nk87A1UyWODRVS-538D!TYy?
zJ0_m95OD|nIm?)Aa8D`2XBE+y$Z%Gcj~n-)l&kcu>O!A7O<3DhvtnLzWF7(1l4Wr-
zYnHiE*UcR)9+;B{hX>};c#~(l3)82EIq^ip$9ELVsw`tEnJ?i!3wC!S_c`IOm&Z5V
zB7dGDlpEmBR{&nxUcK&Ux{`XCJC?J##uC-dnfRWVla-z)?qtR1i96jHsM*J@#WW6YEO^CuoXz>g~WK?KIObdd$bh_Us!HEuD!-mIT*LFh@w
zW4~G06or7B$yMqiY0*95OHTJrADgJnEL9Q2_lWF83Sw)beG>Z>jz`!QA#`!mYl@B!
zqc**R`4n5q=kzf?JH(V+j~Bw8G%lft*t>KW?Xw=2lYVODW>jg%hv8_I^ytzqU{8eU
zy>ZSJMm75=U$Bda0qGDz2h+wJ5OUV1YW7K%dC>VemX0_z?49Qcwsbp#X=Yhk@Xx|W
zd;7MnJc|%4QJLpemOQL!Opf#RPB(oeXk_v`|~TJcQnVhks#GQ`oX$QQ#HkoU*Fn*HhN6hd0hPHXEH1^Qo6}23X|9v1??gy{t9SZWpXnt#3
zccBZ3NuQ#{oo(cl%HnP67=B%8`HSFw?Om!w&M1hnTm+;`N7g6PEb~Eew#X?=VBYl
zPfRIm1V+L*I(pS54#5detp&4JcYM{ol|Yu-`FsUBK=X
zuIWH(9VNE*n^=WiyMAp{JE>dKITw>me^*kdM|jf27tU@3JAlfTTGk-o7orxmjh=W*l9
z8}FD}^a^jHkYyOJ*+axG#^P-(|LEg?JWt
zP%KT+%&Ee)!fUUBZzS_m0BZ|{Ps=YHG5B5W(l`*C%RvGx-#9~10W!WYV7uC3(4u$L
z;={JqV|0&-g5(PNctDCFj(2qzLi}WktqgF*V(z->LCH^!;M5=z3F}5W$Kq$~4$`Kv
z4iDmdk7U#fSKMmvEt%s!jU984+@%$$}n@+zkYM|%sS?4fIz?gBn
zU<9$-!D1lx@$b+Jz`T&3%fkeuY&d$*s(nbtxbRXDuP1BI*cxs2(9%K{m(Aj4w3|i)
zK9*w=6*3H|WS?X(8C~Z0Y85AU>K?@6iBgC_aCq2mb8`VDbvrD!mf0dn4jwew9j&=-
zT{^0UFG#>zIVrNTth}K7ip0u+Nl`mp077PIlg1Q{HM<Ta_aiMtA4~4xc^vfJvUo
zP2!R#Ze#ui#xq_3*Ih{MLs!6m6i1huz4j*DetT{G&3VT5@v3LSwcSrV$b2Qx^l!tv
zhLlb^;tBzk-SEg8S6k#pYyH4Bo_@sSWLd-yLrd2F0MjwsI3PWJF@%;DWt(mv-7cH7
z*e9rwV9zL>5O@*o5PfU;}Uoi=9^Fxd6asKl1RO}hbX5>omj@jPU0G?vsDN@gANH}
z3;)~7mu7VpVZS@tX(V^l#z^mOsbHbu!#JFTVx)PHk^sjmZFch^hC;4qx@>wvW{2Eo
z8q*-Dr4Lg-D$2y6B;%nY_*Quxl#V7nx;{l4aw^){woNajf^`bBCG1SNN9wr5V$61F
zW-f~lHmvA;f+XxbMHQ4HX2!jcSxVbgoh<_Ywt5IG?6gkvcpX}@>GfKc`m(%4Vr6#`
zF_WP?w?b3HvMxDu#`~EOCi)yin-(_z7t4!iDtVjM$vxN!@n}QeScQuF@mcQsgWRaw
zP9$uMMTBQ61sk+T3Lx&
z1StB_3!AOSK!ec2^_p^lW)Beu=-vdd?r9gZ(^n)Slc|?Y8p-5xmcdQDnL@28)wT^4
zVgS7o;#m@>$DA)I<$SehG`maQP+>y~8FsjN(j)Hf=ebA7VY3GLo;s_6q%o42Ut04-
zuPz-u957inU1?F5Pf*x3GqM$^Z2eH7&|%8yh4}^ZHV2V+hKIyd9)f^SJt|LqSHE>pk{Q>bvY*+jh_$!RVzn#8+crinWQ@Nu#Pw|SZpK3J&f63VmEpQracmLpI~G3Zx7kZlo_lk5q636gc83TyYedRvD)#lskR@6Wr!PV{caBOx#GGZLC3d
zGRAho)ge=DN9de4vs(XTi>CQGGac)3xnNx(w3C8V=Vw=)kyZ8BY^uv;QC%u%c&LX&
z!fI6?iNw{E#2OZQ9yWboUlm4G+ml!0xyc@LL-T~!N?4)HY^|iUbY*7fncd?2YPeu{
zMGA+fJW_&jx)Em
z%8i&wYUB6nyfI(J6)cU8M064e4%Axe%>aV>so@%jN7J
zDZY#Cv%TBQ{ribDCQ$aZ3^W*%9o|xa
z*+X=Wa7(rwFfSLZB0P(hsUV_Bs{i_*%m4m{d8(J~opbcDHtk|H=BWJLGfTr3|aj2u_BQpp9Ik1@M&-q-0Jc!WUa<98HVHw)CEFN#RO2Vk&9pf)FrF+FPQSu8&pJk
zm>?xpgXkCE{DQgI{e{S~x{m{kESmnv{*|T#n#%xV2*}iN`;FrC-9f%+ske$=GmI$;(s^kuLepDw*13vjmUQK+eg|F`r@13uN=uKYHey;TKf^
z_9B+i0|I|xbs%6D*9sc&@yY@0f|-kS7p5WWiC~go&QvzwvC92&QKj)Ddt?L-J!pW}
zEQ5E>ZwxFWLcRbnBd?hXI*6iC^cVmuX3qo-K=1KUfp+t7geLji8~&Hi%jf0u@_G5Z
ad|o~;pO??e=jHQH`}sdmnKZuu$N&HnJ4A8-
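Review bot: the container-selinux.tgz bump (Bin 6776 -> 6800 bytes) has no matching line in the changelog above, so nothing records which container-selinux change is being pulled into this build; the tarball is an opaque binary blob in the diff and cannot be reviewed from here. Add the upstream container-selinux commit hash or release tag to the changelog entry so the change is auditable later.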
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 08e0d0d1..51820512 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6003,7 +6003,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..4d57db3 100644
+index b191055..61c55fd 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
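Review bot: this hunk, and the ones below that only replace `index b191055..4d57db3` with `index b191055..61c55fd` or shift `@@` offsets, carry no policy change; they are the side effect of regenerating policy-rawhide-base.patch against the updated tree. Saying so in the commit message ("patch regenerated, offsets only") would let a reviewer skip straight to the hunks that add `network_port` lines and interfaces.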
@@ -6077,7 +6077,7 @@ index b191055..4d57db3 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -76,63 +99,80 @@ type server_packet_t, packet_type, server_packet_type;
+@@ -76,63 +99,82 @@ type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
@@ -6101,6 +6101,7 @@ index b191055..4d57db3 100644
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
+network_port(bacula, tcp,9103,s0, udp,9103,s0)
++network_port(bctp, tcp,8999,s0, udp,8999,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
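Review bot: before adding `network_port(bctp, tcp,8999,s0, udp,8999,s0)`, confirm that no existing declaration already covers 8999 on either protocol, since two portcon statements for the same port and protocol fail the policy build; `grep -n 8999 policy/modules/kernel/corenetwork.te.in` on the patched tree should return only this line. The only consumer named in the changelog is tomcat's `name_bind` on tcp, so the udp label is wider than that use justifies; keep it only if 8999/udp is also assigned to bctp.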
@@ -6133,6 +6134,7 @@ index b191055..4d57db3 100644
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
++network_port(dey_keyneg, tcp,8750,s0, udp,8750,s0)
+network_port(dey_sapi, tcp,4330,s0)
network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
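Review bot: `network_port(dey_keyneg, tcp,8750,s0, udp,8750,s0)` introduces a port type that no rule in this file uses, and the changelog line ("Label 8750 tcp/udp port as dey_keyneg_port_t") does not say which domain will bind or connect to it. A port type with no consumer is harmless but should be tied to the contrib change that needs it, otherwise it is dead policy; as with the other new ports, check for an existing portcon on 8750 first. Placing it before `dey_sapi` keeps the alphabetical order, which is fine.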
@@ -6168,7 +6170,7 @@ index b191055..4d57db3 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +180,60 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +182,61 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -6176,6 +6178,7 @@ index b191055..4d57db3 100644
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(ibm_dt_2, tcp,1792,s0, udp,1792,s0)
+network_port(intermapper, tcp,8181,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
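Review bot: the changelog only claims "Allow tomcat_t domain connect to ibm_dt_2 tcp port", yet `network_port(ibm_dt_2, tcp,1792,s0, udp,1792,s0)` labels the udp side as well; either state that 1792/udp is part of the same assignment or drop it. The insertion also lands between `http_cache` and `intermapper`, ahead of `i18n_input` and `imaze`, so the i-block is now out of alphabetical order (it already was, with `intermapper` preceding `i18n_input`); moving `ibm_dt_2` and `intermapper` after `i18n_input`/`imaze` would tidy it.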
@@ -6245,7 +6248,7 @@ index b191055..4d57db3 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +241,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +244,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -6396,7 +6399,7 @@ index b191055..4d57db3 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +372,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +375,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6423,7 +6426,7 @@ index b191055..4d57db3 100644
########################################
#
-@@ -333,6 +421,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +424,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6432,7 +6435,7 @@ index b191055..4d57db3 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +435,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +438,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -10276,7 +10279,7 @@ index 6a1e4d1..4b87be8 100644
+ allow $1 domain:process rlimitinh;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ac8eab0 100644
+index cf04cb5..5831355 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
@@ -10444,7 +10447,7 @@ index cf04cb5..ac8eab0 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +249,392 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,393 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10757,6 +10760,7 @@ index cf04cb5..ac8eab0 100644
+')
+
+ifdef(`hide_broken_symptoms',`
++ dontaudit domain self:capability { net_admin };
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
+ dontaudit domain domain:socket_class_set { read write };
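Review bot: `dontaudit domain self:capability { net_admin };` silences CAP_NET_ADMIN denials for every domain on the system, not only the bonding setup the changelog cites, so a confined daemon that genuinely needs net_admin (and should receive an explicit allow or a boolean) will now fail silently with no AVC to point at. Scope the dontaudit to the domains that actually trip it under bonding, or at minimum record in the commit that diagnosing such failures now requires `semodule -DB` to re-enable dontaudit rules. It sits next to `dontaudit domain self:udp_socket listen;` under `hide_broken_symptoms`, but a capability is a much larger thing to hide than one socket permission.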
@@ -15499,7 +15503,7 @@ index d7c11a0..f521a50 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..5a4a6f0 100644
+index 8416beb..b5b7a0a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
@@ -15839,151 +15843,457 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -1542,6 +1740,63 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,48 +1740,48 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
+-#######################################
+########################################
-+##
+ ##
+-## Create, read, write, and delete dirs
+-## on a configfs filesystem.
+## Make general progams in cifs an entrypoint for
+## the specified domain.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## The domain for which cifs_t is an entrypoint.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_manage_configfs_dirs',`
+interface(`fs_cifs_entry_type',`
-+ gen_require(`
+ gen_require(`
+- type configfs_t;
+ type cifs_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, configfs_t, configfs_t)
+ domain_entry_file($1, cifs_t)
-+')
-+
-+########################################
-+##
-+## Make general progams in CIFS an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which cifs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_cifs_entrypoint',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file entrypoint;
-+')
-+
-+#######################################
-+##
-+## dontaudit write dirs
-+## on a configfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_dontaudit_write_configfs_dirs',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
-+
-+ dontaudit $1 configfs_t:dir write;
-+')
-+
- #######################################
- ##
- ## Create, read, write, and delete dirs
-@@ -1580,6 +1835,43 @@ interface(`fs_manage_configfs_files',`
- manage_files_pattern($1, configfs_t, configfs_t)
')
-+#######################################
-+##
-+## Create, read, write, and delete files
-+## on a configfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_configfs_lnk_files',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1, configfs_t, configfs_t)
-+')
-+
+-#######################################
+########################################
-+##
-+## Unmount a configfs filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_configfs',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
-+
-+ allow $1 configfs_t:filesystem unmount;
-+')
-+
- ########################################
##
- ## Mount a DOS filesystem, such as
-@@ -1793,58 +2085,257 @@ interface(`fs_read_eventpollfs',`
- refpolicywarn(`$0($*) has been deprecated.')
+-## Create, read, write, and delete files
+-## on a configfs filesystem.
++## Make general progams in CIFS an entrypoint for
++## the specified domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## The domain for which cifs_t is an entrypoint.
+ ##
+ ##
+ #
+-interface(`fs_manage_configfs_files',`
++interface(`fs_cifs_entrypoint',`
+ gen_require(`
+- type configfs_t;
++ type cifs_t;
+ ')
+
+- manage_files_pattern($1, configfs_t, configfs_t)
++ allow $1 cifs_t:file entrypoint;
')
-########################################
-+
+#######################################
##
--## Mount a FUSE filesystem.
-+## Search directories
-+## on a ecrypt filesystem.
+-## Mount a DOS filesystem, such as
+-## FAT32 or NTFS.
++## dontaudit write dirs
++## on a configfs filesystem.
##
##
--##
--## Domain allowed access.
--##
+ ##
+@@ -1591,19 +1789,18 @@ interface(`fs_manage_configfs_files',`
+ ##
+ ##
+ #
+-interface(`fs_mount_dos_fs',`
++interface(`fs_dontaudit_write_configfs_dirs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem mount;
++ dontaudit $1 configfs_t:dir write;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Remount a DOS filesystem, such as
+-## FAT32 or NTFS. This allows
+-## some mount options to be changed.
++## Read dirs
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1611,18 +1808,18 @@ interface(`fs_mount_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_remount_dos_fs',`
++interface(`fs_read_configfs_dirs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem remount;
++ list_dirs_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Unmount a DOS filesystem, such as
+-## FAT32 or NTFS.
++## Create, read, write, and delete dirs
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1630,38 +1827,37 @@ interface(`fs_remount_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_dos_fs',`
++interface(`fs_manage_configfs_dirs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem unmount;
++ manage_dirs_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Get the attributes of a DOS
+-## filesystem, such as FAT32 or NTFS.
++## Read files
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_getattr_dos_fs',`
++interface(`fs_read_configfs_files',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem getattr;
++ read_files_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Allow changing of the label of a
+-## DOS filesystem using the context= mount option.
++## Create, read, write, and delete files
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1669,17 +1865,18 @@ interface(`fs_getattr_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_relabelfrom_dos_fs',`
++interface(`fs_manage_configfs_files',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:filesystem relabelfrom;
++ manage_files_pattern($1, configfs_t, configfs_t)
+ ')
+
+-########################################
++#######################################
+ ##
+-## Search dosfs filesystem.
++## Create, read, write, and delete files
++## on a configfs filesystem.
+ ##
+ ##
+ ##
+@@ -1687,17 +1884,17 @@ interface(`fs_relabelfrom_dos_fs',`
+ ##
+ ##
+ #
+-interface(`fs_search_dos',`
++interface(`fs_manage_configfs_lnk_files',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- allow $1 dosfs_t:dir search_dir_perms;
++ manage_lnk_files_pattern($1, configfs_t, configfs_t)
+ ')
+
+ ########################################
+ ##
+-## List dirs DOS filesystem.
++## Unmount a configfs filesystem
+ ##
+ ##
+ ##
+@@ -1705,18 +1902,18 @@ interface(`fs_search_dos',`
+ ##
+ ##
+ #
+-interface(`fs_list_dos',`
++interface(`fs_unmount_configfs',`
+ gen_require(`
+- type dosfs_t;
++ type configfs_t;
+ ')
+
+- list_dirs_pattern($1, dosfs_t, dosfs_t)
++ allow $1 configfs_t:filesystem unmount;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete dirs
+-## on a DOS filesystem.
++## Mount a DOS filesystem, such as
++## FAT32 or NTFS.
+ ##
+ ##
+ ##
+@@ -1724,17 +1921,19 @@ interface(`fs_list_dos',`
+ ##
+ ##
+ #
+-interface(`fs_manage_dos_dirs',`
++interface(`fs_mount_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+- manage_dirs_pattern($1, dosfs_t, dosfs_t)
++ allow $1 dosfs_t:filesystem mount;
+ ')
+
+ ########################################
+ ##
+-## Read files on a DOS filesystem.
++## Remount a DOS filesystem, such as
++## FAT32 or NTFS. This allows
++## some mount options to be changed.
+ ##
+ ##
+ ##
+@@ -1742,18 +1941,18 @@ interface(`fs_manage_dos_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_read_dos_files',`
++interface(`fs_remount_dos_fs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+- read_files_pattern($1, dosfs_t, dosfs_t)
++ allow $1 dosfs_t:filesystem remount;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+-## on a DOS filesystem.
++## Unmount a DOS filesystem, such as
++## FAT32 or NTFS.
+ ##
+ ##
+ ##
+@@ -1761,7 +1960,138 @@ interface(`fs_read_dos_files',`
+ ##
+ ##
+ #
+-interface(`fs_manage_dos_files',`
++interface(`fs_unmount_dos_fs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ allow $1 dosfs_t:filesystem unmount;
++')
++
++########################################
++##
++## Get the attributes of a DOS
++## filesystem, such as FAT32 or NTFS.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_getattr_dos_fs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ allow $1 dosfs_t:filesystem getattr;
++')
++
++########################################
++##
++## Allow changing of the label of a
++## DOS filesystem using the context= mount option.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabelfrom_dos_fs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ allow $1 dosfs_t:filesystem relabelfrom;
++')
++
++########################################
++##
++## Search dosfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_search_dos',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ allow $1 dosfs_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List dirs DOS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_dos',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ list_dirs_pattern($1, dosfs_t, dosfs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete dirs
++## on a DOS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_dos_dirs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ manage_dirs_pattern($1, dosfs_t, dosfs_t)
++')
++
++########################################
++##
++## Read files on a DOS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_dos_files',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ read_files_pattern($1, dosfs_t, dosfs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete files
++## on a DOS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+@@ -1793,45 +2123,110 @@ interface(`fs_read_eventpollfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
++
++#######################################
++##
++## Search directories
++## on a ecrypt filesystem.
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`fs_mount_fusefs',`
-- gen_require(`
-- type fusefs_t;
-- ')
++##
++#
+interface(`fs_search_ecryptfs',`
+ gen_require(`
+ type ecryptfs_t;
+ ')
-
-- allow $1 fusefs_t:filesystem mount;
++
+ allow $1 ecryptfs_t:dir search_dir_perms;
- ')
-
++')
++
########################################
##
--## Unmount a FUSE filesystem.
+-## Mount a FUSE filesystem.
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
##
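Review bot: the summary for `fs_manage_configfs_lnk_files` (`## Create, read, write, and delete files` / `## on a configfs filesystem.`) is a copy of the files interface's text and should say symbolic links, since the body is `manage_lnk_files_pattern($1, configfs_t, configfs_t)`. Beyond that, the only new policy in this hunk is `fs_read_configfs_dirs` (`list_dirs_pattern`) and `fs_read_configfs_files` (`read_files_pattern`); everything else is the cifs, configfs and dosfs interfaces changing places after the patch was regenerated, which is why roughly 450 lines of hunk carry about 40 lines of real change. The `#######################################` separators above the configfs blocks are also one `#` shorter than the `########################################` used for the dosfs blocks; pick one width.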
@@ -15994,70 +16304,65 @@ index 8416beb..5a4a6f0 100644
##
+##
#
--interface(`fs_unmount_fusefs',`
+-interface(`fs_mount_fusefs',`
+interface(`fs_manage_ecryptfs_dirs',`
gen_require(`
- type fusefs_t;
+ type ecryptfs_t;
')
-- allow $1 fusefs_t:filesystem unmount;
+- allow $1 fusefs_t:filesystem mount;
+ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
+ allow $1 ecryptfs_t:dir manage_dir_perms;
- ')
-
--########################################
++')
++
+#######################################
- ##
--## Mounton a FUSEFS filesystem.
++##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
++##
+##
- #
--interface(`fs_mounton_fusefs',`
-- gen_require(`
-- type fusefs_t;
-- ')
++#
+interface(`fs_read_ecryptfs_files',`
+ gen_require(`
+ type ecryptfs_t;
+ ')
-
-- allow $1 fusefs_t:dir mounton;
-+ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
+
-+########################################
-+##
++ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+
+ ########################################
+ ##
+-## Unmount a FUSE filesystem.
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_unmount_fusefs',`
+interface(`fs_manage_ecryptfs_files',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:filesystem unmount;
+ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mounton a FUSEFS filesystem.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
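Review bot: `allow $1 ecryptfs_t:dir manage_dir_perms;` in `fs_manage_ecryptfs_dirs` is redundant, because the preceding `manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)` already expands to that rule plus `search_dir_perms` on the parent type; drop the explicit allow. The summaries in this hunk are also wrong for the interfaces they document: `fs_read_ecryptfs_files` is described as `## Create, read, write, and delete files` / `## on a FUSEFS filesystem.`, and `fs_manage_ecryptfs_files` repeats the FUSEFS wording. They should say "Read files on an ecryptfs filesystem" and "Create, read, write, and delete files on an ecryptfs filesystem" respectively, otherwise readers of the interface docs will pick a broader interface than they need.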
@@ -16079,18 +16384,21 @@ index 8416beb..5a4a6f0 100644
+########################################
+##
+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1839,174 +2234,988 @@ interface(`fs_unmount_fusefs',`
+ ##
+ ##
+ #
+-interface(`fs_mounton_fusefs',`
+interface(`fs_read_ecryptfs_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:dir mounton;
+ allow $1 ecryptfs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+')
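Review bot: `allow $1 ecryptfs_t:dir list_dir_perms;` in `fs_read_ecryptfs_symlinks` grants more than the interface name promises. `read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)` already includes `search_dir_perms` on the directory type, which is all that resolving a symlink path needs; enumerating directory contents is a separate grant and, if a caller really needs it, belongs in a dedicated list interface rather than being bundled into a read-symlinks one. The summary `## Read symbolic links on a FUSEFS filesystem.` should also say ecryptfs.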
@@ -16110,31 +16418,39 @@ index 8416beb..5a4a6f0 100644
+ type ecryptfs_t;
+ ')
+ dontaudit $1 ecryptfs_t:file append;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search directories
+-## on a FUSEFS filesystem.
+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_search_fusefs',`
+interface(`fs_manage_ecryptfs_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type ecryptfs_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:dir search_dir_perms;
+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to list the contents
+-## of directories on a FUSEFS filesystem.
+## Execute a file on a FUSE filesystem
+## in the specified domain.
-+##
+ ##
+##
+##
+## Execute a file on a FUSE filesystem
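Review bot: two more summaries in this hunk still carry the FUSEFS text of the interfaces they were cloned from: `## Manage symbolic links on a FUSEFS filesystem.` sits above `fs_manage_ecryptfs_symlinks`, and `## Execute a file on a FUSE filesystem` / `## in the specified domain.` introduces what becomes `fs_ecryptfs_domtrans` in the following hunk. Both should name ecryptfs. The body of `fs_manage_ecryptfs_symlinks` (`manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)`) is the standard form and needs no change.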
@@ -16154,17 +16470,19 @@ index 8416beb..5a4a6f0 100644
+## in particular used by the ssh-agent policy.
+##
+##
-+##
-+##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_fusefs',`
+interface(`fs_ecryptfs_domtrans',`
+ gen_require(`
+ type ecryptfs_t;
@@ -16185,15 +16503,18 @@ index 8416beb..5a4a6f0 100644
+##
+#
+interface(`fs_mount_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:dir list_dir_perms;
+ allow $1 fusefs_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete directories
+-## on a FUSEFS filesystem.
+## Unmount a FUSE filesystem.
+##
+##
@@ -16226,14 +16547,57 @@ index 8416beb..5a4a6f0 100644
+ ')
+
+ allow $1 fusefs_t:dir mounton;
- ')
-
- ########################################
-@@ -1896,117 +2387,797 @@ interface(`fs_dontaudit_list_fusefs',`
- ## Domain allowed access.
- ##
- ##
--##
++')
++
++########################################
++##
++## Search directories
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_search_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to list the contents
++## of directories on a FUSEFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_list_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete directories
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+#
+interface(`fs_manage_fusefs_dirs',`
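Review bot: this hunk re-adds `fs_search_fusefs`, `fs_dontaudit_list_fusefs` and the header of `fs_manage_fusefs_dirs` verbatim after the same interfaces were removed further up, so it is pure relocation of the fusefs block behind the new ecryptfs interfaces. The rules match what was deleted (`allow $1 fusefs_t:dir search_dir_perms;`, `dontaudit $1 fusefs_t:dir list_dir_perms;`), so there is no functional change, but the reorder roughly doubles the size of the diff; landing it as a separate commit from the ecryptfs additions would let reviewers see the actual new access in one place.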
@@ -16912,12 +17276,13 @@ index 8416beb..5a4a6f0 100644
+##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
#
-interface(`fs_manage_fusefs_dirs',`
+interface(`fs_getattr_iso9660_files',`
@@ -17062,7 +17427,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2014,19 +3185,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2014,19 +3223,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
##
##
#
@@ -17089,7 +17454,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2034,17 +3206,18 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2034,17 +3244,18 @@ interface(`fs_read_fusefs_symlinks',`
##
##
#
@@ -17112,7 +17477,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2052,17 +3225,38 @@ interface(`fs_getattr_hugetlbfs',`
+@@ -2052,17 +3263,38 @@ interface(`fs_getattr_hugetlbfs',`
##
##
#
@@ -17155,7 +17520,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2070,17 +3264,19 @@ interface(`fs_list_hugetlbfs',`
+@@ -2070,17 +3302,19 @@ interface(`fs_list_hugetlbfs',`
##
##
#
@@ -17179,7 +17544,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2088,35 +3284,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2088,35 +3322,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
##
##
#
@@ -17232,7 +17597,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2124,17 +3326,19 @@ interface(`fs_associate_hugetlbfs',`
+@@ -2124,17 +3364,19 @@ interface(`fs_associate_hugetlbfs',`
##
##
#
@@ -17256,7 +17621,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2142,17 +3346,23 @@ interface(`fs_search_inotifyfs',`
+@@ -2142,17 +3384,23 @@ interface(`fs_search_inotifyfs',`
##
##
#
@@ -17284,7 +17649,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2160,53 +3370,39 @@ interface(`fs_list_inotifyfs',`
+@@ -2160,53 +3408,39 @@ interface(`fs_list_inotifyfs',`
##
##
#
@@ -17350,7 +17715,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2214,19 +3410,18 @@ interface(`fs_hugetlbfs_filetrans',`
+@@ -2214,19 +3448,18 @@ interface(`fs_hugetlbfs_filetrans',`
##
##
#
@@ -17375,7 +17740,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2234,18 +3429,18 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2234,18 +3467,18 @@ interface(`fs_mount_iso9660_fs',`
##
##
#
@@ -17399,7 +17764,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2253,58 +3448,54 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2253,58 +3486,54 @@ interface(`fs_remount_iso9660_fs',`
##
##
#
@@ -17471,7 +17836,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2312,19 +3503,17 @@ interface(`fs_getattr_iso9660_files',`
+@@ -2312,19 +3541,17 @@ interface(`fs_getattr_iso9660_files',`
##
##
#
@@ -17495,7 +17860,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2332,18 +3521,17 @@ interface(`fs_read_iso9660_files',`
+@@ -2332,18 +3559,17 @@ interface(`fs_read_iso9660_files',`
##
##
#
@@ -17517,7 +17882,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2351,240 +3539,243 @@ interface(`fs_mount_nfs',`
+@@ -2351,240 +3577,243 @@ interface(`fs_mount_nfs',`
##
##
#
@@ -17817,7 +18182,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -2603,7 +3794,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3832,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -17826,7 +18191,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -2627,7 +3818,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3856,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
##
@@ -17835,7 +18200,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -2719,6 +3910,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3948,65 @@ interface(`fs_search_rpc',`
########################################
##
@@ -17901,7 +18266,7 @@ index 8416beb..5a4a6f0 100644
## Search removable storage directories.
##
##
-@@ -2741,7 +3991,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +4029,7 @@ interface(`fs_search_removable',`
##
##
##
@@ -17910,7 +18275,7 @@ index 8416beb..5a4a6f0 100644
##
##
#
-@@ -2777,7 +4027,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +4065,7 @@ interface(`fs_read_removable_files',`
##
##
##
@@ -17919,7 +18284,7 @@ index 8416beb..5a4a6f0 100644
##
##
#
-@@ -2970,6 +4220,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4258,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -17927,7 +18292,7 @@ index 8416beb..5a4a6f0 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +4261,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +4299,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -17935,7 +18300,7 @@ index 8416beb..5a4a6f0 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +4302,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4340,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -17943,7 +18308,7 @@ index 8416beb..5a4a6f0 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3137,6 +4390,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4428,24 @@ interface(`fs_nfs_domtrans',`
########################################
##
@@ -17968,7 +18333,7 @@ index 8416beb..5a4a6f0 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3239,15 +4510,198 @@ interface(`fs_search_nfsd_fs',`
+@@ -3239,15 +4548,198 @@ interface(`fs_search_nfsd_fs',`
#
interface(`fs_list_nfsd_fs',`
gen_require(`
@@ -18170,7 +18535,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3255,35 +4709,35 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,35 +4747,35 @@ interface(`fs_list_nfsd_fs',`
##
##
#
@@ -18215,7 +18580,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3291,12 +4745,12 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3291,12 +4783,12 @@ interface(`fs_rw_nfsd_fs',`
##
##
#
@@ -18231,7 +18596,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -3392,7 +4846,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4884,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -18240,7 +18605,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3429,7 +4883,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4921,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -18249,7 +18614,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3447,7 +4901,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4939,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -18258,7 +18623,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3779,6 +5233,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5271,24 @@ interface(`fs_mount_tmpfs',`
########################################
##
@@ -18283,7 +18648,7 @@ index 8416beb..5a4a6f0 100644
## Remount a tmpfs filesystem.
##
##
-@@ -3815,6 +5287,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5325,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -18308,7 +18673,7 @@ index 8416beb..5a4a6f0 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3908,7 +5398,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5436,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
@@ -18317,7 +18682,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3916,17 +5406,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5444,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
@@ -18338,7 +18703,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3934,17 +5424,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5462,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
@@ -18359,7 +18724,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3952,17 +5442,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5480,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
@@ -18399,7 +18764,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -3970,31 +5479,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5517,48 @@ interface(`fs_search_tmpfs',`
##
##
#
@@ -18455,7 +18820,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -4057,23 +5583,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5621,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
##
##
##
@@ -18632,7 +18997,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4081,18 +5754,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5792,18 @@ interface(`fs_tmpfs_filetrans',`
##
##
#
@@ -18655,7 +19020,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4100,54 +5773,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5811,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
##
##
#
@@ -18722,7 +19087,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4155,17 +5827,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5865,18 @@ interface(`fs_read_tmpfs_files',`
##
##
#
@@ -18744,7 +19109,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4173,17 +5846,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5884,18 @@ interface(`fs_rw_tmpfs_files',`
##
##
#
@@ -18766,7 +19131,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4191,37 +5865,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5903,36 @@ interface(`fs_read_tmpfs_symlinks',`
##
##
#
@@ -18812,7 +19177,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4229,18 +5902,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5940,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
##
##
#
@@ -18834,7 +19199,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4248,18 +5921,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5959,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
##
##
#
@@ -18858,7 +19223,7 @@ index 8416beb..5a4a6f0 100644
##
##
##
-@@ -4267,32 +5941,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5979,31 @@ interface(`fs_rw_tmpfs_blk_files',`
##
##
#
@@ -18897,7 +19262,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -4407,6 +6080,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6118,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@@ -18923,7 +19288,7 @@ index 8416beb..5a4a6f0 100644
########################################
##
## Create, read, write, and delete directories
-@@ -4503,6 +6195,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6233,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -18932,7 +19297,7 @@ index 8416beb..5a4a6f0 100644
')
########################################
-@@ -4549,7 +6243,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6281,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -18941,7 +19306,7 @@ index 8416beb..5a4a6f0 100644
## Example attributes:
##
##
-@@ -4596,6 +6290,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6328,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -18968,7 +19333,7 @@ index 8416beb..5a4a6f0 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6385,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6423,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -18994,7 +19359,7 @@ index 8416beb..5a4a6f0 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6645,176 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6683,176 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -27424,7 +27789,7 @@ index fe0c682..20f3ba4 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..b8e6e98 100644
+index cc877c7..92de2d7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -27946,7 +28311,7 @@ index cc877c7..b8e6e98 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +527,148 @@ optional_policy(`
+@@ -341,3 +527,150 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -27987,6 +28352,8 @@ index cc877c7..b8e6e98 100644
+
+allow sshd_net_t self:process setrlimit;
+
++dev_rw_crypto(sshd_net_t)
++
+init_ioctl_stream_sockets(sshd_net_t)
+init_rw_tcp_sockets(sshd_net_t)
+
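Review bot: `dev_rw_crypto(sshd_net_t)` gives the privilege-separated network child of sshd read/write access to the kernel crypto device node (`crypto_device_t`), and nothing in the hunk explains which denial it answers. `sshd_net_t` is the pre-authentication, unprivileged side of sshd, so every new grant to it deserves a stated reason; please record the AVC or the OpenSSL engine configuration that needs the device, and consider a boolean if only hardware-offload deployments trigger it.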
@@ -30025,7 +30392,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..da86a8e 100644
+index 8b40377..4758042 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -30529,7 +30896,7 @@ index 8b40377..da86a8e 100644
kernel_read_network_state(xdm_t)
+kernel_request_load_module(xdm_t)
+kernel_stream_connect(xdm_t)
-+kernel_dontaudit_view_key(xdm_t)
++kernel_view_key(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
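Review bot: replacing `kernel_dontaudit_view_key(xdm_t)` with `kernel_view_key(xdm_t)` turns a silenced denial into a granted permission, so the reason belongs next to the rule. `view` on the kernel's keys lets the display manager inspect key attributes rather than just suppress log noise; if the access comes from a library probe that works fine when denied, the dontaudit was the right tool and this should be reverted, otherwise add a comment naming the component of the login path that reads kernel keys so the grant can be re-evaluated later.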
@@ -45734,10 +46101,10 @@ index 0000000..121b422
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..86e3d01
+index 0000000..3303edd
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1803 @@
+@@ -0,0 +1,1823 @@
+## SELinux policy for systemd components
+
+######################################
@@ -46015,6 +46382,26 @@ index 0000000..86e3d01
+
+######################################
+##
++## Read systemd_resolved PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_resolved_read_pid',`
++ gen_require(`
++ type systemd_resolved_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++ read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++')
++
++######################################
++##
+## Read systemd_login PID files.
+##
+##
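Review bot: the name `systemd_resolved_read_pid` breaks the naming pattern the rest of this patch series uses for PID-file interfaces, such as `networkmanager_read_pid_files` and `networkmanager_manage_pid_files` in dnsmasq.te; renaming it `systemd_resolved_read_pid_files` lets policy writers find it by convention. The body is otherwise the standard read-only shape: `files_search_pids($1)` followed by `list_dirs_pattern` and `read_files_pattern` on `systemd_resolved_var_run_t`, and the inner header growth from 1803 to 1823 lines matches the twenty lines added.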
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5c3fa781..24ad5d32 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -5537,7 +5537,7 @@ index f6eb485..fe461a3 100644
+ ps_process_pattern(httpd_t, $1)
')
diff --git a/apache.te b/apache.te
-index 6649962..371039c 100644
+index 6649962..24e7705 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6791,7 +6791,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -786,35 +964,61 @@ optional_policy(`
+@@ -786,35 +964,62 @@ optional_policy(`
')
optional_policy(`
@@ -6832,6 +6832,7 @@ index 6649962..371039c 100644
+optional_policy(`
+ kerberos_manage_host_rcache(httpd_t)
+ kerberos_read_keytab(httpd_t)
++ kerberos_read_kdc_config(httpd_t)
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+ kerberos_use(httpd_t)
@@ -6866,7 +6867,7 @@ index 6649962..371039c 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1026,31 @@ optional_policy(`
+@@ -822,8 +1027,31 @@ optional_policy(`
')
optional_policy(`
@@ -6898,7 +6899,7 @@ index 6649962..371039c 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1059,8 @@ optional_policy(`
+@@ -832,6 +1060,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6907,7 +6908,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -842,20 +1071,44 @@ optional_policy(`
+@@ -842,20 +1072,44 @@ optional_policy(`
')
optional_policy(`
@@ -6958,7 +6959,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -863,16 +1116,31 @@ optional_policy(`
+@@ -863,16 +1117,31 @@ optional_policy(`
')
optional_policy(`
@@ -6992,7 +6993,7 @@ index 6649962..371039c 100644
')
optional_policy(`
-@@ -883,65 +1151,189 @@ optional_policy(`
+@@ -883,65 +1152,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -7204,7 +7205,7 @@ index 6649962..371039c 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1342,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1343,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -7358,7 +7359,7 @@ index 6649962..371039c 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1427,107 @@ optional_policy(`
+@@ -1083,172 +1428,107 @@ optional_policy(`
')
')
@@ -7596,7 +7597,7 @@ index 6649962..371039c 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1535,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1536,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7693,7 +7694,7 @@ index 6649962..371039c 100644
########################################
#
-@@ -1321,8 +1610,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1611,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7710,7 +7711,7 @@ index 6649962..371039c 100644
')
########################################
-@@ -1330,49 +1626,41 @@ optional_policy(`
+@@ -1330,49 +1627,41 @@ optional_policy(`
# User content local policy
#
@@ -7777,7 +7778,7 @@ index 6649962..371039c 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1670,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -16534,7 +16535,7 @@ index 881d92f..a2d588a 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index ce9f040..bd8d855 100644
+index ce9f040..e1e84a5 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16614,22 +16615,24 @@ index ce9f040..bd8d855 100644
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+allow condor_master_t self:capability { chown setuid setgid sys_ptrace };
++allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -138,6 +148,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +148,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
++kernel_read_fs_sysctls(condor_master_t)
++kernel_rw_net_sysctls(condor_master_t)
+
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
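Review bot: adding `net_admin` to `allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };` is a much larger grant than the two sysctl interfaces beside it suggest, and the hunk does not say why. Writing under `/proc/sys/net` does require `CAP_NET_ADMIN`, so `kernel_rw_net_sysctls(condor_master_t)` and `net_admin` come as a package; if condor_master only needs to read network sysctls, `kernel_read_net_sysctls` would avoid both the write access to `sysctl_net_t` and the capability. Either way, a one-line comment naming the sysctl condor_master touches would make the pairing reviewable later.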
-@@ -157,6 +171,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +173,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
@@ -16638,7 +16641,7 @@ index ce9f040..bd8d855 100644
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
-@@ -174,6 +190,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +192,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -16647,7 +16650,7 @@ index ce9f040..bd8d855 100644
#####################################
#
# Negotiator local policy
-@@ -183,12 +201,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,12 +203,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -16663,7 +16666,7 @@ index ce9f040..bd8d855 100644
allow condor_procd_t condor_domain:process sigkill;
-@@ -206,6 +227,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -206,6 +229,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -16672,7 +16675,7 @@ index ce9f040..bd8d855 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -214,6 +237,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +239,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -16686,7 +16689,7 @@ index ce9f040..bd8d855 100644
#####################################
#
# Startd local policy
-@@ -238,11 +268,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +270,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -16699,7 +16702,7 @@ index ce9f040..bd8d855 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -254,3 +283,7 @@ optional_policy(`
+@@ -254,3 +285,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -20661,7 +20664,7 @@ index b25b01d..06895f3 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 001b502..ac0508e 100644
+index 001b502..73da04a 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -20674,10 +20677,12 @@ index 001b502..ac0508e 100644
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
-@@ -33,12 +36,15 @@ files_pid_file(ctdbd_var_run_t)
+@@ -32,13 +35,16 @@ files_pid_file(ctdbd_var_run_t)
+ # Local policy
#
- allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
++allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:capability2 block_suspend;
allow ctdbd_t self:process { setpgid signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
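Review bot: the new `allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice };` adds both `dac_override` and `dac_read_search`. `dac_read_search` is the narrower of the two (it bypasses only read and search permission checks) and is what a daemon that reads files owned by other users needs; `dac_override` additionally bypasses write and execute checks. If the denial was for reading or traversing, keep `dac_read_search` and drop `dac_override`; if it was for writing, say so in a comment next to the rule, because `dac_override` on a network-facing daemon is the first thing an auditor will ask about.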
@@ -26190,7 +26195,7 @@ index 19aa0b8..a79982c 100644
+
+
diff --git a/dnsmasq.te b/dnsmasq.te
-index 37a3b7b..0a64088 100644
+index 37a3b7b..9af09cc 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -26253,20 +26258,20 @@ index 37a3b7b..0a64088 100644
+ optional_policy(`
+ networkmanager_dbus_chat(dnsmasq_t)
+ ')
-+')
-+
-+optional_policy(`
-+ dnsmasq_domtrans(dnsmasq_t)
')
optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t)
++ dnsmasq_domtrans(dnsmasq_t)
++')
++
++optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
+ networkmanager_manage_pid_files(dnsmasq_t)
')
optional_policy(`
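Review bot: this hunk only moves the `optional_policy(` block containing `dnsmasq_domtrans(dnsmasq_t)` below the networkmanager block; the rule set is unchanged. While it is being touched: `dnsmasq_domtrans(dnsmasq_t)` is a domain transition from `dnsmasq_t` to itself, which is unusual. The normal idiom for a daemon re-executing its own binary is `can_exec(dnsmasq_t, dnsmasq_exec_t)`, and since both types belong to this module it does not need an `optional_policy` wrapper. If the transition is intentional (for example to reset the process context on re-exec), a short comment would save the next reader the same question.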
-@@ -124,6 +144,14 @@ optional_policy(`
+@@ -124,6 +144,18 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -26281,6 +26286,10 @@ index 37a3b7b..0a64088 100644
+ neutron_rw_fifo_file(dnsmasq_t)
+ neutron_sigchld(dnsmasq_t)
+')
++
++optional_policy(`
++ systemd_resolved_read_pid(dnsmasq_t)
++')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..1714fa6
@@ -31099,10 +31108,10 @@ index e5b15fb..220622e 100644
diff --git a/ganesha.fc b/ganesha.fc
new file mode 100644
-index 0000000..c5982d5
+index 0000000..855f58e
--- /dev/null
+++ b/ganesha.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
@@ -31112,6 +31121,7 @@ index 0000000..c5982d5
+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/var/log/ganesha.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
++/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
+
+/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0)
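Review bot: `/var/log/ganesha-gfapi.log` is added beside `/var/log/ganesha.log` with the same label and the same `--` qualifier, so the two can be a single entry, `/var/log/ganesha(-gfapi)?\.log`, which also fixes the unescaped dot in both patterns (as written, `ganesha.log` is a regular expression in which `.` matches any character). The inner header change from 11 to 12 lines matches the one line added.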
diff --git a/ganesha.if b/ganesha.if
@@ -31269,10 +31279,10 @@ index 0000000..d9ba5fa
+')
diff --git a/ganesha.te b/ganesha.te
new file mode 100644
-index 0000000..9542305
+index 0000000..3cf186e
--- /dev/null
+++ b/ganesha.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,109 @@
+policy_module(ganesha, 1.0.0)
+
+########################################
@@ -31280,18 +31290,26 @@ index 0000000..9542305
+# Declarations
+#
+
++##
++##
++## Allow ganesha to read/write fuse files
++##
++##
++gen_tunable(ganesha_use_fusefs, false)
++
+type ganesha_t;
+type ganesha_exec_t;
+init_daemon_domain(ganesha_t, ganesha_exec_t)
+
-+permissive ganesha_t;
-+
+type ganesha_var_log_t;
+logging_log_file(ganesha_var_log_t)
+
+type ganesha_var_run_t;
+files_pid_file(ganesha_var_run_t)
+
++type ganesha_tmp_t;
++files_tmp_file(ganesha_tmp_t)
++
+type ganesha_unit_file_t;
+systemd_unit_file(ganesha_unit_file_t)
+
@@ -31299,6 +31317,9 @@ index 0000000..9542305
+#
+# ganesha local policy
+#
++dontaudit ganesha_t self:capability net_admin;
++
++allow ganesha_t self:capability2 block_suspend;
+allow ganesha_t self:process { setcap setrlimit };
+allow ganesha_t self:fifo_file rw_fifo_file_perms;
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
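Review bot: `dontaudit ganesha_t self:capability net_admin;` is placed directly under the `# ganesha local policy` header with no explanation, and `allow ganesha_t self:capability2 block_suspend;` follows it immediately. A dontaudit on a capability is only safe when the daemon provably works without it, so add a comment naming the operation that probes `CAP_NET_ADMIN`; otherwise a later denial with a real functional impact will be silently swallowed. A blank line between the dontaudit and the allow rules would also match the layout of the rest of the file.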
@@ -31313,15 +31334,28 @@ index 0000000..9542305
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
+
++manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
++manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
++files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
++
++kernel_read_system_state(ganesha_t)
++kernel_search_network_sysctl(ganesha_t)
++kernel_read_net_sysctls(ganesha_t)
++
+auth_use_nsswitch(ganesha_t)
+
+corenet_tcp_bind_nfs_port(ganesha_t)
+corenet_tcp_connect_generic_port(ganesha_t)
++corenet_tcp_connect_gluster_port(ganesha_t)
++corenet_udp_bind_dey_keyneg_port(ganesha_t)
++corenet_tcp_bind_dey_keyneg_port(ganesha_t)
+corenet_udp_bind_nfs_port(ganesha_t)
+corenet_udp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_mountd_port(ganesha_t)
+corenet_udp_bind_mountd_port(ganesha_t)
++corenet_tcp_connect_virt_migration_port(ganesha_t)
++corenet_tcp_connect_all_rpc_ports(ganesha_t)
+
+dev_rw_infiniband_dev(ganesha_t)
+dev_read_gpfs(ganesha_t)
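Review bot: `kernel_search_network_sysctl(ganesha_t)` is redundant next to `kernel_read_net_sysctls(ganesha_t)`, which already includes searching the sysctl directories; drop the first. Of the new port rules, `corenet_tcp_connect_virt_migration_port(ganesha_t)` stands out: an NFS server has no business talking to a libvirt migration port, and this interface usually shows up when an outgoing connection landed on a port in the 49152-49216 range that happens to carry that label. Combined with the existing `corenet_tcp_connect_generic_port` and the new `corenet_tcp_connect_all_rpc_ports`, ganesha can now connect almost anywhere; please attach the denial so the real destination (GlusterFS, judging by `corenet_tcp_connect_gluster_port`) can be labeled properly instead.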
@@ -31336,6 +31370,11 @@ index 0000000..9542305
+ unconfined_dbus_chat(ganesha_t)
+')
+
++optional_policy(`
++ glusterd_read_conf(ganesha_t)
++ glusterd_read_lib_files(ganesha_t)
++ glusterd_manage_pid(ganesha_t)
++')
+
+optional_policy(`
+ kerberos_read_keytab(ganesha_t)
@@ -31343,8 +31382,16 @@ index 0000000..9542305
+
+optional_policy(`
+ rpc_manage_nfs_state_data_dir(ganesha_t)
++ rpc_read_nfs_state_data(ganesha_t)
+ rpcbind_stream_connect(ganesha_t)
+')
++
++tunable_policy(`ganesha_use_fusefs',`
++ fs_manage_fusefs_dirs(ganesha_t)
++ fs_manage_fusefs_files(ganesha_t)
++ fs_read_fusefs_symlinks(ganesha_t)
++ fs_getattr_fusefs(ganesha_t)
++')
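Review bot: the `tunable_policy(`ganesha_use_fusefs',` block pairs `fs_manage_fusefs_dirs` and `fs_manage_fusefs_files` with `fs_read_fusefs_symlinks` and `fs_getattr_fusefs`, which is the expected set for a server exporting a FUSE mount, but the tunable's description earlier in the file says read/write; align the two. In the glusterd block, `glusterd_manage_pid(ganesha_t)` grants create and delete on glusterd's runtime directory; if ganesha only needs to reach glusterd's socket or read its pid, a read-only interface would be the smaller grant. `rpc_read_nfs_state_data(ganesha_t)` beside `rpc_manage_nfs_state_data_dir(ganesha_t)` reads as complementary (directory versus contents) and needs no change.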
diff --git a/gatekeeper.te b/gatekeeper.te
index 2820368..88c98f4 100644
--- a/gatekeeper.te
@@ -32683,10 +32730,10 @@ index 0000000..9806f50
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
-index 0000000..764ae00
+index 0000000..4501460
--- /dev/null
+++ b/glusterd.if
-@@ -0,0 +1,261 @@
+@@ -0,0 +1,302 @@
+
+## policy for glusterd
+
@@ -32787,6 +32834,26 @@ index 0000000..764ae00
+
+########################################
+##
++## Manage glusterd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_manage_pid',`
++ gen_require(`
++ type glusterd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
++ manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
++')
++
++########################################
++##
+## Manage glusterd log files
+##
+##
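Review bot: the interface name `glusterd_manage_pid` should follow the `*_manage_pid_files` convention used elsewhere in this patch (compare `networkmanager_manage_pid_files` and `memcached_manage_pid_files`); the summary `## Manage glusterd PID files.` already uses the full phrase. The body (`files_search_pids($1)` plus `manage_dirs_pattern` and `manage_files_pattern` on `glusterd_var_run_t`) is the usual shape, but note it hands the caller full control of glusterd's runtime directory, so it should only be called from domains that genuinely co-own that state.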
@@ -32884,6 +32951,26 @@ index 0000000..764ae00
+
+######################################
+##
++## Read /var/lib/glusterd files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_read_lib_files',`
++ gen_require(`
++ type glusterd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 glusterd_var_lib_t:dir search_dir_perms;
++ read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
++')
++
++######################################
++##
+## Read and write /var/lib/glusterd files.
+##
+##
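Review bot: in `glusterd_read_lib_files` the explicit `allow $1 glusterd_var_lib_t:dir search_dir_perms;` is redundant, because `read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)` already grants search_dir_perms on the directory type. If the intent was to let callers enumerate /var/lib/glusterd (ganesha reading volfiles will typically need that), replace the allow with `list_dirs_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)`; otherwise drop it. The summary "Read /var/lib/glusterd files." is fine either way.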
@@ -32898,6 +32985,7 @@ index 0000000..764ae00
+ ')
+
+ files_search_var_lib($1)
++ allow $1 glusterd_var_lib_t:dir search_dir_perms;
+ manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
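Review bot: the added `allow $1 glusterd_var_lib_t:dir search_dir_perms;` in `glusterd_rw_lib` is redundant: `manage_files_pattern` already grants rw_dir_perms on the directory type, which includes search. Either remove it or, if callers such as smbd_t need to list the directory, use `list_dirs_pattern` instead so the interface name and its grants match.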
@@ -42853,10 +42941,10 @@ index 0000000..bd7e7fa
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 0000000..c07a3fe
+index 0000000..c4f0c32
--- /dev/null
+++ b/keepalived.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,95 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@@ -42910,6 +42998,7 @@ index 0000000..c07a3fe
+corenet_tcp_connect_smtp_port(keepalived_t)
+corenet_tcp_connect_snmp_port(keepalived_t)
+corenet_tcp_connect_agentx_port(keepalived_t)
++corenet_tcp_connect_squid_port(keepalived_t)
+
+domain_read_all_domains_state(keepalived_t)
+
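Review bot: `++corenet_tcp_connect_squid_port(keepalived_t)` is the fourth individually whitelisted port in this block (smtp, snmp, agentx, squid); keepalived health checkers connect to whatever real-server ports the administrator configures, so this list will keep growing one AVC at a time. A boolean (for example a `keepalived_connect_any` tunable wrapping `corenet_tcp_connect_all_ports`) that admins can enable for custom backend ports would avoid that, while leaving the default policy tight.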
@@ -43794,7 +43883,7 @@ index f6c00d8..79ea4d8 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 8833d59..3fde8ee 100644
+index 8833d59..ac3f3ee 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -44004,7 +44093,7 @@ index 8833d59..3fde8ee 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -201,71 +236,79 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -201,71 +236,83 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
@@ -44088,17 +44177,20 @@ index 8833d59..3fde8ee 100644
')
optional_policy(`
-- nis_use_ypbind(krb5kdc_t)
+ dirsrv_stream_connect(krb5kdc_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
')
optional_policy(`
- sssd_read_public_files(krb5kdc_t)
-+ nis_use_ypbind(krb5kdc_t)
++ realmd_read_var_lib(krb5kdc_t)
')
optional_policy(`
-@@ -273,6 +316,10 @@ optional_policy(`
+@@ -273,6 +320,10 @@ optional_policy(`
')
optional_policy(`
@@ -44109,7 +44201,7 @@ index 8833d59..3fde8ee 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +328,12 @@ optional_policy(`
+@@ -281,10 +332,12 @@ optional_policy(`
# kpropd local policy
#
@@ -44125,7 +44217,7 @@ index 8833d59..3fde8ee 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -301,27 +350,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -301,27 +354,26 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
@@ -58853,7 +58945,7 @@ index 0641e97..f3b1111 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 7b3e682..d1e103e 100644
+index 7b3e682..c1f487c 100644
--- a/nagios.te
+++ b/nagios.te
@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@@ -58938,7 +59030,15 @@ index 7b3e682..d1e103e 100644
########################################
#
-@@ -96,11 +121,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
+@@ -87,6 +112,7 @@ dontaudit nagios_t self:capability sys_tty_config;
+ allow nagios_t self:process { setpgid signal_perms };
+ allow nagios_t self:fifo_file rw_fifo_file_perms;
+ allow nagios_t self:tcp_socket { accept listen };
++allow nagios_t self:unix_stream_socket { connectto };
+
+ allow nagios_t nagios_plugin_domain:process signal_perms;
+
+@@ -96,11 +122,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
allow nagios_t nagios_etc_t:file read_file_perms;
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
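Review bot: `++allow nagios_t self:unix_stream_socket { connectto };` only lets nagios_t connect to sockets created by nagios_t itself; if the AVC behind "Allow nagios to connect to stream sockets" was for a socket owned by another domain (for example a livestatus or broker socket), this rule will not fix it and a `*_stream_connect` interface for that domain is needed instead. Style nit: the braces around a single permission are unnecessary, `allow nagios_t self:unix_stream_socket connectto;` matches the surrounding rules.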
@@ -58957,7 +59057,7 @@ index 7b3e682..d1e103e 100644
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
-@@ -110,11 +137,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+@@ -110,11 +138,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
@@ -58974,7 +59074,7 @@ index 7b3e682..d1e103e 100644
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
-@@ -123,7 +153,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -123,7 +154,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@@ -58982,7 +59082,7 @@ index 7b3e682..d1e103e 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,18 +172,16 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,18 +173,16 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -59002,7 +59102,7 @@ index 7b3e682..d1e103e 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -162,6 +189,37 @@ mta_send_mail(nagios_t)
+@@ -162,6 +190,41 @@ mta_send_mail(nagios_t)
mta_signal_system_mail(nagios_t)
mta_kill_system_mail(nagios_t)
@@ -59027,6 +59127,10 @@ index 7b3e682..d1e103e 100644
+')
+
+optional_policy(`
++ apache_systemctl(nagios_t)
++')
++
++optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nagios_t)
+ sudo_manage_db(nagios_t)
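Review bot: `++ apache_systemctl(nagios_t)` gives the monitoring daemon unconditional control over the httpd unit, which is a privilege escalation path for a process that spends its time executing external check plugins; it should be gated behind a tunable, in the same way `tunable_policy(`nagios_run_sudo'` guards `sudo_exec` just below, so that only sites that really use nagios event handlers to restart httpd opt in.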
@@ -59040,7 +59144,7 @@ index 7b3e682..d1e103e 100644
optional_policy(`
netutils_kill_ping(nagios_t)
')
-@@ -178,35 +236,37 @@ optional_policy(`
+@@ -178,35 +241,37 @@ optional_policy(`
#
# CGI local policy
#
@@ -59096,7 +59200,7 @@ index 7b3e682..d1e103e 100644
')
########################################
-@@ -214,7 +274,7 @@ optional_policy(`
+@@ -214,7 +279,7 @@ optional_policy(`
# Nrpe local policy
#
@@ -59105,7 +59209,7 @@ index 7b3e682..d1e103e 100644
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
-@@ -229,9 +289,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+@@ -229,9 +294,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
@@ -59116,7 +59220,7 @@ index 7b3e682..d1e103e 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -252,8 +312,8 @@ dev_read_urand(nrpe_t)
+@@ -252,8 +317,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
@@ -59126,7 +59230,7 @@ index 7b3e682..d1e103e 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,10 +322,34 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,10 +327,34 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -59163,7 +59267,7 @@ index 7b3e682..d1e103e 100644
optional_policy(`
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
-@@ -310,15 +394,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +399,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -59182,7 +59286,7 @@ index 7b3e682..d1e103e 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +429,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,9 +434,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -59192,7 +59296,12 @@ index 7b3e682..d1e103e 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +444,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
++fs_read_configfs_files(nagios_checkdisk_plugin_t)
++fs_read_configfs_dirs(nagios_checkdisk_plugin_t)
+ fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+
+ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
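Review bot: a short comment on why check_disk touches /sys/kernel/config would help here; the neighbouring `files_getattr_all_mountpoints` and `fs_getattr_all_fs` rules suggest it is just walking the mount table, in which case getattr on the configfs mountpoint may be all that is needed rather than reading configfs files and directories. Style nit: list `fs_read_configfs_dirs` before `fs_read_configfs_files` to match the dirs-before-files ordering used elsewhere in the file.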
+@@ -357,9 +451,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -59206,7 +59315,7 @@ index 7b3e682..d1e103e 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -391,6 +480,11 @@ optional_policy(`
+@@ -391,6 +487,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
@@ -59218,7 +59327,7 @@ index 7b3e682..d1e103e 100644
')
optional_policy(`
-@@ -406,28 +500,36 @@ allow nagios_system_plugin_t self:capability dac_override;
+@@ -406,28 +507,36 @@ allow nagios_system_plugin_t self:capability dac_override;
dontaudit nagios_system_plugin_t self:capability { setuid setgid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
@@ -59257,7 +59366,7 @@ index 7b3e682..d1e103e 100644
#######################################
#
# Event local policy
-@@ -442,9 +544,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,9 +551,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -69954,10 +70063,10 @@ index 0000000..abb250d
+')
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..7bd521e
+index 0000000..69b47dc
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,309 @@
+@@ -0,0 +1,313 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -70228,8 +70337,12 @@ index 0000000..7bd521e
+
+fs_search_cgroup_dirs(pcp_pmie_t)
+
++init_status(pcp_pmie_t)
++
+logging_send_syslog_msg(pcp_pmie_t)
+
++systemd_exec_systemctl(pcp_pmie_t)
++systemd_read_unit_files(pcp_pmie_t)
+systemd_search_unit_dirs(pcp_pmie_t)
+
+userdom_read_user_tmp_files(pcp_pmie_t)
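Review bot: `++systemd_exec_systemctl(pcp_pmie_t)` together with `++init_status(pcp_pmie_t)` only covers status-type queries; if the pmie action scripts that motivated "Allow pcp_pmie_t domain execute systemctl binary" actually start or stop units, those calls will still be denied until service permissions on the specific unit types are added. A comment stating which units pmie is expected to query would let a reviewer confirm the scope, and `systemd_read_unit_files` plus the existing `systemd_search_unit_dirs` could then be checked against that.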
@@ -72393,10 +72506,10 @@ index 0000000..47cd0f8
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
-index 0000000..d8226f9
+index 0000000..f18fcc6
--- /dev/null
+++ b/pki.if
-@@ -0,0 +1,461 @@
+@@ -0,0 +1,479 @@
+
+## policy for pki
+
@@ -72822,6 +72935,24 @@ index 0000000..d8226f9
+
+########################################
+##
++## Allow execute pki_common_t files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_exec_common_files',`
++ gen_require(`
++ type pki_common_t;
++ ')
++
++ exec_files_pattern($1, pki_common_t, pki_common_t)
++')
++
++########################################
++##
+## Allow read pki_common_t files
+##
+##
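Review bot: the summary for the new interface reads "Allow execute pki_common_t files"; the other interfaces in this file use the imperative form, so "Execute pki_common_t files" would be consistent. More importantly, pki_common_t is also the target of `pki_manage_common_files`, so any domain granted both (tomcat_t does get both in this patch) can write a file and then execute it; consider labelling the executables under pki_common_t with a dedicated exec type so that write and exec are not granted on the same type.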
@@ -86456,7 +86587,7 @@ index 04babe3..3b92679 100644
+
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
-index bff31df..3b2a829 100644
+index bff31df..1663054 100644
--- a/realmd.if
+++ b/realmd.if
@@ -1,8 +1,9 @@
@@ -86471,7 +86602,7 @@ index bff31df..3b2a829 100644
##
##
##
-@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',`
+@@ -39,3 +40,120 @@ interface(`realmd_dbus_chat',`
allow $1 realmd_t:dbus send_msg;
allow realmd_t $1:dbus send_msg;
')
@@ -86573,6 +86704,25 @@ index bff31df..3b2a829 100644
+ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
+')
+
++#######################################
++##
++## Read realmd library files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`realmd_read_var_lib',`
++ gen_require(`
++ type realmd_var_lib_t;
++ ')
++
++ list_dirs_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
++ read_files_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
++
++')
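Review bot: `realmd_read_var_lib` does not call `files_search_var_lib($1)`, so a caller without search on var_lib_t cannot reach the realmd_var_lib_t files at all; the `glusterd_read_lib_files` interface added in this same patch does include it and this one should match. The summary "Read realmd library files." is also misleading, since the file context in this patch maps realmd_var_lib_t to /var/lib/ipa-client; say "Read realmd /var/lib files" instead. Style nit: drop the blank line before the closing `')`.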
diff --git a/realmd.te b/realmd.te
index 5bc878b..5736203 100644
--- a/realmd.te
@@ -91572,7 +91722,7 @@ index a6fb30c..97ef313 100644
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 0bf13c2..9572351 100644
+index 0bf13c2..79a2a9c 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -91937,7 +92087,12 @@ index 0bf13c2..9572351 100644
##
##
##
-@@ -350,8 +407,7 @@ interface(`rpc_read_nfs_state_data',`
+@@ -346,12 +403,12 @@ interface(`rpc_read_nfs_state_data',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
++ read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ ')
########################################
##
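Review bot: widening `rpc_read_nfs_state_data` with `++ read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)` changes the grants of every existing caller of the interface, not only ganesha_t, which is the new caller this patch adds; the commit message should say so, and the interface summary should mention symlinks. Adding symlink read to a read interface is the right call (following links under /var/lib/nfs is harmless), so the change itself looks fine.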
@@ -91947,7 +92102,7 @@ index 0bf13c2..9572351 100644
##
##
##
-@@ -366,31 +422,68 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -366,31 +423,68 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -92022,7 +92177,7 @@ index 0bf13c2..9572351 100644
')
allow $1 rpc_domain:process { ptrace signal_perms };
-@@ -411,10 +504,28 @@ interface(`rpc_admin',`
+@@ -411,10 +505,28 @@ interface(`rpc_admin',`
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
@@ -96030,7 +96185,7 @@ index 50d07fb..a34db48 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..c3db0c7 100644
+index 2b7c441..0aaed65 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -96621,7 +96776,7 @@ index 2b7c441..c3db0c7 100644
')
optional_policy(`
-@@ -474,11 +501,30 @@ optional_policy(`
+@@ -474,11 +501,31 @@ optional_policy(`
')
optional_policy(`
@@ -96636,6 +96791,7 @@ index 2b7c441..c3db0c7 100644
+optional_policy(`
+ glusterd_read_conf(smbd_t)
+ glusterd_rw_lib(smbd_t)
++ glusterd_manage_pid(smbd_t)
+')
+
+optional_policy(`
@@ -96652,7 +96808,7 @@ index 2b7c441..c3db0c7 100644
lpd_exec_lpr(smbd_t)
')
-@@ -488,6 +534,10 @@ optional_policy(`
+@@ -488,6 +535,10 @@ optional_policy(`
')
optional_policy(`
@@ -96663,7 +96819,7 @@ index 2b7c441..c3db0c7 100644
rpc_search_nfs_state_data(smbd_t)
')
-@@ -499,12 +549,53 @@ optional_policy(`
+@@ -499,12 +550,53 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -96718,7 +96874,7 @@ index 2b7c441..c3db0c7 100644
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +603,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +604,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -96733,7 +96889,7 @@ index 2b7c441..c3db0c7 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +619,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +620,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -96758,7 +96914,7 @@ index 2b7c441..c3db0c7 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +636,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +637,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -96827,7 +96983,7 @@ index 2b7c441..c3db0c7 100644
')
optional_policy(`
-@@ -606,18 +686,29 @@ optional_policy(`
+@@ -606,18 +687,29 @@ optional_policy(`
########################################
#
@@ -96863,7 +97019,7 @@ index 2b7c441..c3db0c7 100644
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -627,39 +718,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +719,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -96915,7 +97071,7 @@ index 2b7c441..c3db0c7 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +758,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +759,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -96951,7 +97107,7 @@ index 2b7c441..c3db0c7 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +785,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +786,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -97043,7 +97199,7 @@ index 2b7c441..c3db0c7 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +864,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +865,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -97067,7 +97223,7 @@ index 2b7c441..c3db0c7 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +878,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +879,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -97110,7 +97266,7 @@ index 2b7c441..c3db0c7 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +908,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +909,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -97124,7 +97280,7 @@ index 2b7c441..c3db0c7 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +931,20 @@ optional_policy(`
+@@ -840,17 +932,20 @@ optional_policy(`
# Winbind local policy
#
@@ -97151,7 +97307,7 @@ index 2b7c441..c3db0c7 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +954,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +955,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -97162,7 +97318,7 @@ index 2b7c441..c3db0c7 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +965,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -97216,7 +97372,7 @@ index 2b7c441..c3db0c7 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1008,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1009,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -97275,7 +97431,7 @@ index 2b7c441..c3db0c7 100644
')
optional_policy(`
-@@ -959,31 +1069,36 @@ optional_policy(`
+@@ -959,31 +1070,36 @@ optional_policy(`
# Winbind helper local policy
#
@@ -97319,7 +97475,7 @@ index 2b7c441..c3db0c7 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1112,38 @@ optional_policy(`
+@@ -997,25 +1113,38 @@ optional_policy(`
########################################
#
@@ -99326,10 +99482,10 @@ index 0000000..7a058a8
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
-index 0000000..9c44c87
+index 0000000..469868d
--- /dev/null
+++ b/sbd.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,55 @@
+policy_module(sbd, 1.0.0)
+
+########################################
@@ -99351,7 +99507,7 @@ index 0000000..9c44c87
+#
+# sbd local policy
+#
-+allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin};
++allow sbd_t self:capability { dac_override ipc_lock sys_boot sys_nice sys_admin};
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
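Review bot: sys_boot is reasonable for a fencing daemon that self-fences by rebooting, but a comment saying so would save the next reviewer from asking; sbd_t already has sys_admin, so the capability set is now close to root-equivalent and worth documenting. Style nit: add the space before the closing brace, `{ dac_override ipc_lock sys_boot sys_nice sys_admin }`.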
@@ -99365,6 +99521,7 @@ index 0000000..9c44c87
+kernel_read_system_state(sbd_t)
+kernel_dgram_send(sbd_t)
+kernel_rw_kernel_sysctl(sbd_t)
++kernel_create_rpc_sysctls(sbd_t)
+
+dev_read_rand(sbd_t)
+dev_write_watchdog(sbd_t)
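Review bot: `++kernel_create_rpc_sysctls(sbd_t)` is surprising for a watchdog/fencing daemon; nothing in sbd's visible rules involves SunRPC, and creating entries under /proc/sys/sunrpc is usually a side effect of the rpc client modules being loaded, not something the daemon needs. Please add the AVC or bug reference that motivated it, or check whether a dontaudit is the appropriate fix.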
@@ -111050,10 +111207,10 @@ index 0000000..e5cec8f
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 0000000..cf2b1a7
+index 0000000..1d0e69b
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,106 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -111075,6 +111232,9 @@ index 0000000..cf2b1a7
+
+auth_use_nsswitch(tomcat_t)
+
++# Temporary fix, while missing SELinux policies for HSM
++init_stream_connect_script(tomcat_t)
++
+optional_policy(`
+ pki_manage_tomcat_cert(tomcat_t)
+ pki_manage_apache_log_files(tomcat_t)
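Review bot: "Temporary fix, while missing SELinux policies for HSM" gives `++init_stream_connect_script(tomcat_t)` no owner and no expiry; temporary rules like this tend to become permanent. Add the tracking bug number to the comment so the rule can be removed once the HSM policy lands, and state which init script socket tomcat actually needs, since this interface allows connecting to any initrc_t stream socket.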
@@ -111083,6 +111243,7 @@ index 0000000..cf2b1a7
+ pki_search_log_dirs(tomcat_t)
+ pki_manage_tomcat_log(tomcat_t)
+ pki_manage_common_files(tomcat_t)
++ pki_exec_common_files(tomcat_t)
+ pki_stream_connect(tomcat_t)
+')
+
@@ -111122,6 +111283,7 @@ index 0000000..cf2b1a7
+corenet_tcp_bind_http_port(tomcat_domain)
+corenet_tcp_bind_http_cache_port(tomcat_domain)
+corenet_tcp_bind_mxi_port(tomcat_domain)
++corenet_tcp_bind_bctp_port(tomcat_domain)
+corenet_tcp_connect_http_port(tomcat_domain)
+corenet_tcp_connect_ldap_port(tomcat_domain)
+corenet_tcp_connect_mxi_port(tomcat_domain)
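Review bot: `++corenet_tcp_bind_bctp_port(tomcat_domain)` is applied to the whole tomcat_domain attribute rather than to the specific instance that needs it; binding a new listening port is more consequential than connecting, so a comment naming the deployment (the changelog says "tomcat domain name_bind on tcp bctp_port_t" without saying why) would help, and a per-domain rule would be tighter if only one tomcat instance listens there.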
@@ -111129,6 +111291,8 @@ index 0000000..cf2b1a7
+corenet_tcp_connect_postgresql_port(tomcat_domain)
+corenet_tcp_connect_amqp_port(tomcat_domain)
+corenet_tcp_connect_oracle_port(tomcat_domain)
++corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
++corenet_tcp_connect_unreserved_ports(tomcat_domain)
+
+dev_read_rand(tomcat_domain)
+dev_read_urand(tomcat_domain)
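Review bot: `++corenet_tcp_connect_unreserved_ports(tomcat_domain)` permits outbound connections to every port above 1023 for every tomcat_domain, which makes the per-port connect rules above it (and the `++corenet_tcp_connect_ibm_dt_2_port` line added in the same hunk, if that port is in the unreserved range) largely redundant and turns a confined application server into an unrestricted network client. Prefer a boolean, in the style of httpd_can_network_connect, so that sites with arbitrary backend ports opt in while the default stays limited to the listed services.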
@@ -115754,10 +115918,10 @@ index facdee8..b5a815a 100644
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..6e0d11b 100644
+index f03dcf5..066b1c3 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,451 +1,415 @@
+@@ -1,451 +1,422 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -115840,6 +116004,13 @@ index f03dcf5..6e0d11b 100644
-## can use nfs file systems.
-##
+##
++## Allow confined virtual guests to use glusterd
++##
++##
++gen_tunable(virt_use_glusterd, false)
++
++##
++##
+## Allow sandbox containers to share apache content
+##
+##
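Review bot: the description "Allow confined virtual guests to use glusterd" understates what `virt_use_glusterd` grants; the only rule tied to it elsewhere in this patch is `glusterd_manage_pid(virt_domain)`, i.e. write, rename and unlink on glusterd's runtime directory. Say that explicitly in the `<desc>` so admins understand the trade-off when they flip the boolean, and keep the default at false as written.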
@@ -115931,8 +116102,7 @@ index f03dcf5..6e0d11b 100644
+##
+##
+gen_tunable(virt_sandbox_use_audit, true)
-
--attribute svirt_lxc_domain;
++
+##
+##
+## Allow sandbox containers to use netlink system calls
@@ -115946,7 +116116,8 @@ index f03dcf5..6e0d11b 100644
+##
+##
+gen_tunable(virt_sandbox_use_sys_admin, false)
-+
+
+-attribute svirt_lxc_domain;
+##
+##
+## Allow sandbox containers to use mknod system calls
@@ -115988,10 +116159,10 @@ index f03dcf5..6e0d11b 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
-+
-+type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
++type qemu_exec_t, virt_file_type;
++
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -116362,10 +116533,10 @@ index f03dcf5..6e0d11b 100644
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
+-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+allow svirt_t self:process ptrace;
--stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
--
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
@@ -116483,7 +116654,7 @@ index f03dcf5..6e0d11b 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +419,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +426,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -116530,27 +116701,27 @@ index f03dcf5..6e0d11b 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +454,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +461,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -116564,7 +116735,7 @@ index f03dcf5..6e0d11b 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +479,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +486,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -116592,7 +116763,7 @@ index f03dcf5..6e0d11b 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +499,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +506,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -116623,7 +116794,7 @@ index f03dcf5..6e0d11b 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +551,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +558,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -116643,29 +116814,19 @@ index f03dcf5..6e0d11b 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +573,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,27 +580,35 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
--userdom_read_all_users_state(virtd_t)
--
--ifdef(`hide_broken_symptoms',`
-- dontaudit virtd_t self:capability { sys_module sys_ptrace };
--')
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-
--tunable_policy(`virt_use_fusefs',`
-- fs_manage_fusefs_dirs(virtd_t)
-- fs_manage_fusefs_files(virtd_t)
-- fs_read_fusefs_symlinks(virtd_t)
--')
++
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
-+userdom_read_all_users_state(virtd_t)
+ userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
@@ -116678,9 +116839,24 @@ index f03dcf5..6e0d11b 100644
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +601,7 @@ tunable_policy(`virt_use_nfs',`
+-ifdef(`hide_broken_symptoms',`
+- dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+-
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virtd_t)
+- fs_manage_fusefs_files(virtd_t)
+- fs_read_fusefs_symlinks(virtd_t)
+-')
+-
+-tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs(virtd_t)
+- fs_manage_nfs_files(virtd_t)
+- fs_read_nfs_symlinks(virtd_t)
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(virtd_t)
++ fs_manage_nfs_files(virtd_t)
++ fs_read_nfs_symlinks(virtd_t)
')
tunable_policy(`virt_use_samba',`
@@ -116689,7 +116865,7 @@ index f03dcf5..6e0d11b 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +626,12 @@ optional_policy(`
+@@ -665,20 +633,12 @@ optional_policy(`
')
optional_policy(`
@@ -116697,8 +116873,7 @@ index f03dcf5..6e0d11b 100644
- ')
-
- optional_policy(`
-- hal_dbus_chat(virtd_t)
-+ hal_dbus_chat(virtd_t)
+ hal_dbus_chat(virtd_t)
')
optional_policy(`
@@ -116711,7 +116886,7 @@ index f03dcf5..6e0d11b 100644
')
optional_policy(`
-@@ -691,20 +644,26 @@ optional_policy(`
+@@ -691,20 +651,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -116742,7 +116917,7 @@ index f03dcf5..6e0d11b 100644
')
optional_policy(`
-@@ -712,11 +671,18 @@ optional_policy(`
+@@ -712,11 +678,18 @@ optional_policy(`
')
optional_policy(`
@@ -116761,7 +116936,7 @@ index f03dcf5..6e0d11b 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +693,18 @@ optional_policy(`
+@@ -727,10 +700,18 @@ optional_policy(`
')
optional_policy(`
@@ -116780,7 +116955,7 @@ index f03dcf5..6e0d11b 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +720,344 @@ optional_policy(`
+@@ -746,44 +727,350 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -116893,7 +117068,7 @@ index f03dcf5..6e0d11b 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-
++
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
@@ -116929,7 +117104,7 @@ index f03dcf5..6e0d11b 100644
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-+
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
@@ -117047,6 +117222,12 @@ index f03dcf5..6e0d11b 100644
+ fs_getattr_fusefs(virt_domain)
+')
+
++optional_policy(`
++ tunable_policy(`virt_use_glusterd',`
++ glusterd_manage_pid(virt_domain)
++ ')
++')
++
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
@@ -117147,7 +117328,7 @@ index f03dcf5..6e0d11b 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +1068,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1081,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -117174,7 +117355,7 @@ index f03dcf5..6e0d11b 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +1088,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1101,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -117208,7 +117389,7 @@ index f03dcf5..6e0d11b 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1125,20 @@ optional_policy(`
+@@ -856,14 +1138,20 @@ optional_policy(`
')
optional_policy(`
@@ -117230,7 +117411,7 @@ index f03dcf5..6e0d11b 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1163,66 @@ optional_policy(`
+@@ -888,49 +1176,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -117315,7 +117496,7 @@ index f03dcf5..6e0d11b 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1234,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1247,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -117335,7 +117516,7 @@ index f03dcf5..6e0d11b 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1255,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1268,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -117359,7 +117540,7 @@ index f03dcf5..6e0d11b 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1280,296 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1293,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -117390,7 +117571,8 @@ index f03dcf5..6e0d11b 100644
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -117398,8 +117580,7 @@ index f03dcf5..6e0d11b 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -117610,27 +117791,27 @@ index f03dcf5..6e0d11b 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
-+')
-+
+ ')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
+ fs_manage_nfs_files(svirt_sandbox_domain)
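Review bot: this hunk only reorders the four `optional_policy()` blocks (mta, ssh, udev, userhelper) for `svirt_sandbox_domain` so that `udev_read_pid_files` and `userhelper_dontaudit_write_config` reuse the two pre-existing context blocks, but it also moves `')` closers around (the `+')`/`+` pair removed after `userhelper_dontaudit_write_config` and the `++')` added after the apache block). Because the diff-of-a-diff markers make the nesting hard to read here, please confirm the `optional_policy(`/`')` pairs still balance by building the module before merging; a stray closer would break the whole virt module, not just this block.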
@@ -117667,16 +117848,23 @@ index f03dcf5..6e0d11b 100644
+ container_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
- ')
-
++')
++
++########################################
++#
++# container_t local policy
++#
++virt_sandbox_domain_template(container)
++typealias container_t alias svirt_lxc_net_t;
++# Policy moved to container-selinux policy package
++
########################################
#
-# Lxc net local policy
+# container_t local policy
#
-+virt_sandbox_domain_template(container)
-+typealias container_t alias svirt_lxc_net_t;
-+# Policy moved to container-selinux policy package
++virt_sandbox_domain_template(svirt_qemu_net)
++typeattribute svirt_qemu_net_t sandbox_net_domain;
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
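Review bot: the comment header `# container_t local policy` now appears twice: the added copy sits above `virt_sandbox_domain_template(container)`, while the existing context header directly above `virt_sandbox_domain_template(svirt_qemu_net)` still says `container_t` and should be renamed to `svirt_qemu_net_t local policy` so the two blocks are not confused. Keeping `typealias container_t alias svirt_lxc_net_t;` in this module while the rest of the container policy moves to container-selinux is correct, since existing files and processes labelled `svirt_lxc_net_t` must keep resolving; the `# Policy moved to container-selinux policy package` comment should say that the typealias is intentionally left behind for that reason.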
@@ -117689,19 +117877,18 @@ index f03dcf5..6e0d11b 100644
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+########################################
-+#
-+# container_t local policy
-+#
-+virt_sandbox_domain_template(svirt_qemu_net)
-+typeattribute svirt_qemu_net_t sandbox_net_domain;
-
--kernel_read_network_state(svirt_lxc_net_t)
--kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execstack execmem };
+-kernel_read_network_state(svirt_lxc_net_t)
+-kernel_read_irq_sysctls(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
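Review bot: the `virt_sandbox_use_netlink` block is only moved here from further down, so no rule changes; two observations on the lines now grouped together. `netlink_tcpdiag_socket` gets `create_netlink_socket_perms` while the other two netlink classes get `create_socket_perms`; that asymmetry looks deliberate (tcpdiag needs `nlmsg_read`), but a one-line comment would stop a later cleanup from "harmonising" it. Also, the context line `allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ... sys_admin ... sys_ptrace ... }` is a very broad capability set for a network-facing sandbox domain; it is pre-existing rather than introduced here, but since the block is being touched it is a good moment to check whether `sys_boot` and `sys_ptrace` are actually needed.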
@@ -117712,15 +117899,6 @@ index f03dcf5..6e0d11b 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_netlink',`
-+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+')
-
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@@ -117728,52 +117906,55 @@ index f03dcf5..6e0d11b 100644
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++dev_rw_kvm(svirt_qemu_net_t)
+
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
-dev_read_rand(svirt_lxc_net_t)
-dev_read_sysfs(svirt_lxc_net_t)
-dev_read_urand(svirt_lxc_net_t)
-+dev_rw_kvm(svirt_qemu_net_t)
++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-files_read_kernel_modules(svirt_lxc_net_t)
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-fs_mount_cgroup(svirt_lxc_net_t)
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-
--auth_use_nsswitch(svirt_lxc_net_t)
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
--logging_send_audit_msgs(svirt_lxc_net_t)
+-auth_use_nsswitch(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_qemu_net_t)
--userdom_use_user_ptys(svirt_lxc_net_t)
+-logging_send_audit_msgs(svirt_lxc_net_t)
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
+-userdom_use_user_ptys(svirt_lxc_net_t)
++files_read_kernel_modules(svirt_qemu_net_t)
+
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-')
-+files_read_kernel_modules(svirt_qemu_net_t)
++fs_noxattr_type(container_file_t)
++fs_mount_cgroup(svirt_qemu_net_t)
++fs_manage_cgroup_dirs(svirt_qemu_net_t)
++fs_manage_cgroup_files(svirt_qemu_net_t)
-#######################################
-#
-# Prot exec local policy
-#
-+fs_noxattr_type(container_file_t)
-+fs_mount_cgroup(svirt_qemu_net_t)
-+fs_manage_cgroup_dirs(svirt_qemu_net_t)
-+fs_manage_cgroup_files(svirt_qemu_net_t)
-+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
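Review bot: this is a pure reordering of the `svirt_qemu_net_t` rules, but `fs_noxattr_type(container_file_t)` and `term_pty(container_file_t)` are now interleaved between `svirt_qemu_net_t` cgroup and pty rules, under a header that is about `svirt_qemu_net_t`; give the `container_file_t` attribute assignments their own short comment (or move them next to the `container_t` typealias block) so it is clear they are type declarations that other domains depend on, not grants to the qemu sandbox. `dev_rw_kvm(svirt_qemu_net_t)` is expected for a qemu sandbox but is the one rule here that gives the sandbox direct hypervisor access, so it deserves a comment too.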
@@ -117803,7 +117984,7 @@ index f03dcf5..6e0d11b 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1582,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1595,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -117818,7 +117999,7 @@ index f03dcf5..6e0d11b 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1600,7 @@ optional_policy(`
+@@ -1192,7 +1613,7 @@ optional_policy(`
########################################
#
@@ -117827,7 +118008,7 @@ index f03dcf5..6e0d11b 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1609,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1622,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 69d7900d..64a3b35f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 255%{?dist}
+Release: 256%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -689,6 +689,47 @@ exit 0
%endif
%changelog
+* Mon Jun 05 2017 Lukas Vrabec - 3.13.1-256
+- Allow keepalived domain connect to squid tcp port
+- Allow krb5kdc_t domain read realmd lib files.
+- Allow tomcat to connect on all unreserved ports
+- Allow keepalived domain connect to squid tcp port
+- Allow krb5kdc_t domain read realmd lib files.
+- Allow tomcat to connect on all unreserved ports
+- Allow ganesha to connect to all rpc ports
+- Update ganesha with few allow rules
+- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.
+- virt_use_glusterd boolean should be in optional block
+- Add new boolean virt_use_glusterd
+- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.
+- Allow ganesha_t domain to manage glusterd_var_run_t pid files.
+- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls
+- Add few allow rules to ganesha module
+- Allow condor_master_t to read sysctls.
+- Add dac_override cap to ctdbd_t domain
+- Add ganesha_use_fusefs boolean.
+- Allow httpd_t reading kerberos kdc config files
+- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
+- Allow stream connect to initrc_t domains
+- Add pki_exec_common_files() interface
+- Allow dnsmasq_t domain to read systemd-resolved pid files.
+- Allow tomcat domain name_bind on tcp bctp_port_t
+- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
+- Allow condor_master_t write to sysctl_net_t
+- Allow nagios check disk plugin read /sys/kernel/config/
+- Allow pcp_pmie_t domain execute systemctl binary
+- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
+- xdm_t should view kernel keys
+- Hide broken symptoms when machine is configured with network bounding.
+- Label 8750 tcp/udp port as dey_keyneg_port_t
+- Label tcp/udp port 1792 as ibm_dt_2_port_t
+- Add interface fs_read_configfs_dirs()
+- Add interface fs_read_configfs_files()
+- Fix systemd_resolved_read_pid interface
+- Add interface systemd_resolved_read_pid()
+- Allow sshd_net_t domain read/write into crypto devices
+- Label 8999 tcp/udp as bctp_port_t
+
* Thu May 18 2017 Lukas Vrabec - 3.13.1-255
- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
- Add interface pki_manage_common_files()
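Review bot: the first three changelog entries (keepalived to squid port, krb5kdc_t reading realmd lib files, tomcat connecting to unreserved ports) are listed twice in the 3.13.1-256 block; drop the duplicate trio. Two entries also run two unrelated changes together on one line (`Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.` and the `glusterd_read_lib_files()` line) and should be split into separate bullets, and "network bounding" should read "network bonding".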