diff --git a/.gitignore b/.gitignore index 8fea9fc8..0dd8fdf5 100644 --- a/.gitignore +++ b/.gitignore @@ -224,3 +224,4 @@ serefpolicy* /serefpolicy-3.9.1.tgz /serefpolicy-3.9.2.tgz /serefpolicy-3.9.3.tgz +/serefpolicy-3.9.4.tgz diff --git a/modules-targeted.conf b/modules-targeted.conf index 1a70e734..23d9eb77 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -654,6 +654,13 @@ hal = module # hddtemp = module +# Layer: services +# Module: passenger +# +# Passenger +# +passenger = module + # Layer: services # Module: policykit # diff --git a/nsadiff b/nsadiff index 2383e964..3865f5c3 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1,3 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.9.0 > /tmp/diff +cd nsaserefpolicy +git diff origin > /tmp/diff + diff --git a/policy-F14.patch b/policy-F14.patch index b7ea4eb9..f47fe9a6 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -149,9 +149,34 @@ index 0000000..e9c43b1 +.SH "SEE ALSO" +selinux(8), git(8), chcon(1), semodule(8), setsebool(8) diff --git a/policy/global_tunables b/policy/global_tunables -index 3316f6e..56af226 100644 +index 3316f6e..f85244d 100644 --- a/policy/global_tunables +++ b/policy/global_tunables +@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false) + + ## + ##
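Review bot: In the nsadiff hunk, `cd nsaserefpolicy` is not checked, so if the directory is missing, `git diff origin` runs in whatever repository the script was started from and still overwrites `/tmp/diff`. Use `cd nsaserefpolicy || exit 1`. The output also keeps a fixed name in a world-writable directory, where another local user can pre-create the path as a symlink. Writing to a file made with `mktemp`, or to a path inside the working tree, avoids that.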

+-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") ++## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla + ##

+ ##
+ gen_tunable(allow_execmem,false) + + ## + ##

+-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") ++## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t + ##

+ ##
+ gen_tunable(allow_execmod,false) + + ## + ##

+-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") ++## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla + ##

+ ##
+ gen_tunable(allow_execstack,false) @@ -61,15 +61,6 @@ gen_tunable(global_ssp,false) ## 
@@ -206,135 +231,11 @@ index af90ef2..fbd2c40 100644 (( h1 dom h2 ) or ( t1 == mcskillall )); # -diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if -index d1d035e..2cb11ea 100644 ---- a/policy/modules/admin/amanda.if -+++ b/policy/modules/admin/amanda.if -@@ -1,8 +1,9 @@ --## Automated backup program. -+## Advanced Maryland Automatic Network Disk Archiver. - - ######################################## - ## --## Execute amrecover in the amanda_recover domain. -+## Execute a domain transition to -+## run Amanda Recover. - ## - ## - ## -@@ -16,12 +17,15 @@ interface(`amanda_domtrans_recover',` - ') - - domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) -+ corecmd_search_bin($1) - ') - - ######################################## - ## --## Execute amrecover in the amanda_recover domain, and --## allow the specified role the amanda_recover domain. -+## Execute a domain transition to -+## run Amanda Recover and allow the -+## specified role the Amanda Recover -+## domain. - ## - ## - ## -@@ -46,7 +50,7 @@ interface(`amanda_run_recover',` - - ######################################## - ## --## Search amanda library directories. -+## Search Amanda lib directories. - ## - ## - ## -@@ -61,11 +65,13 @@ interface(`amanda_search_lib',` - - allow $1 amanda_usr_lib_t:dir search_dir_perms; - files_search_usr($1) -+ libs_search_lib($1) - ') - - ######################################## - ## --## Do not audit attempts to read /etc/dumpdates. -+## Do not audit attempts to read -+## dumpdates files. - ## - ## - ## -@@ -78,12 +84,12 @@ interface(`amanda_dontaudit_read_dumpdates',` - type amanda_dumpdates_t; - ') - -- dontaudit $1 amanda_dumpdates_t:file { getattr read }; -+ dontaudit $1 amanda_dumpdates_t:file read_file_perms; - ') - - ######################################## - ## --## Allow read/writing /etc/dumpdates. -+## Read and write dumpdates files. 
- ## - ## - ## -@@ -97,11 +103,12 @@ interface(`amanda_rw_dumpdates_files',` - ') - - allow $1 amanda_dumpdates_t:file rw_file_perms; -+ files_search_etc($1) - ') - - ######################################## - ## --## Search amanda library directories. -+## Search Amanda lib directories. - ## - ## - ## -@@ -116,11 +123,12 @@ interface(`amanda_manage_lib',` - - allow $1 amanda_usr_lib_t:dir manage_dir_perms; - files_search_usr($1) -+ libs_search_lib($1) - ') - - ######################################## - ## --## Allow read/writing amanda logs -+## Read and write Amanda logs. - ## - ## - ## -@@ -134,11 +142,12 @@ interface(`amanda_append_log_files',` - ') - - allow $1 amanda_log_t:file { read_file_perms append_file_perms }; -+ logging_search_logs($1) - ') - - ####################################### - ## --## Search amanda var library directories. -+## Search Amanda lib directories. - ## - ## - ## -@@ -151,7 +160,6 @@ interface(`amanda_search_var_lib',` - type amanda_var_lib_t; - ') - -- files_search_var_lib($1) - allow $1 amanda_var_lib_t:dir search_dir_perms; -- -+ files_search_var_lib($1) - ') diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te -index 96f68e9..6cf5d7a 100644 +index f76ed8a..9a9526a 100644 --- a/policy/modules/admin/anaconda.te +++ b/policy/modules/admin/anaconda.te -@@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) +@@ -30,6 +30,7 @@ modutils_domtrans_insmod(anaconda_t) modutils_domtrans_depmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) @@ -342,7 +243,7 @@ index 96f68e9..6cf5d7a 100644 userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -@@ -52,7 +53,7 @@ optional_policy(` +@@ -51,7 +52,7 @@ optional_policy(` ') optional_policy(` @@ -379,10 +280,10 @@ index 5b43db5..fdb453c 100644 + role $2 types brctl_t; +') diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te -index 89b9f2a..9cba75f 100644 +index e0fa983..86644f0 100644 
--- a/policy/modules/admin/certwatch.te +++ b/policy/modules/admin/certwatch.te -@@ -35,7 +35,7 @@ miscfiles_read_certs(certwatch_t) +@@ -35,7 +35,7 @@ miscfiles_read_generic_certs(certwatch_t) miscfiles_read_localization(certwatch_t) userdom_use_user_terminals(certwatch_t) @@ -1555,7 +1456,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 5f44f1b..464a11e 100644 +index 5f44f1b..2993130 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -1593,9 +1494,11 @@ index 5f44f1b..464a11e 100644 auth_run_chk_passwd($1_sudo_t, $2) # sudo stores a token in the pam_pid directory -@@ -134,12 +141,16 @@ template(`sudo_role_template',` +@@ -133,13 +140,18 @@ template(`sudo_role_template',` + userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) ++ userdom_signal_unpriv_users($1_sudo_t) # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) + userdom_search_user_home_content($1_sudo_t) @@ -1889,10 +1792,10 @@ index 0000000..5ef90cd + diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..90c754f +index 0000000..b09816f --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,86 @@ +@@ -0,0 +1,91 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -1933,6 +1836,9 @@ index 0000000..90c754f +kernel_read_system_state(chrome_sandbox_t) +kernel_read_kernel_sysctls(chrome_sandbox_t) + ++fs_manage_cgroup_dirs(chrome_sandbox_t) ++fs_manage_cgroup_files(chrome_sandbox_t) ++ +corecmd_exec_bin(chrome_sandbox_t) + +domain_dontaudit_read_all_domains_state(chrome_sandbox_t) 
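Review bot: In the chrome.te hunk, `fs_manage_cgroup_dirs(chrome_sandbox_t)` and `fs_manage_cgroup_files(chrome_sandbox_t)` give the sandbox domain create, write and delete access to cgroup directories and files. That is a wide grant for the domain meant to confine renderer processes. Nothing in the hunk says which operation needs manage rather than read or write. If the need comes from an observed denial, record it next to the rules with a comment such as `# cgroup manage needed for <operation>, see <bug reference>`. Otherwise use the narrowest cgroup interface that covers the actual access.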
@@ -1955,6 +1861,8 @@ index 0000000..90c754f +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) + ++sysnet_dontaudit_read_config(chrome_sandbox_t) ++ +optional_policy(` + execmem_exec(chrome_sandbox_t) +') @@ -2344,7 +2252,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..db1a0d0 100644 +index f5afe78..250935a 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,7 @@ interface(`gnome_role',` @@ -2357,7 +2265,7 @@ index f5afe78..db1a0d0 100644 ## ## ## -@@ -46,37 +45,36 @@ interface(`gnome_role',` +@@ -46,19 +45,276 @@ interface(`gnome_role',` ## ## # 
@@ -2380,94 +2288,73 @@ index f5afe78..db1a0d0 100644 ## -## +## - ## - ## Domain allowed access. - ## - ## - # --template(`gnome_read_gconf_config',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_domtrans_gconfd',` - gen_require(` -- type gconf_etc_t; ++ gen_require(` + type gconfd_t, gconfd_exec_t; - ') - -- allow $1 gconf_etc_t:dir list_dir_perms; -- read_files_pattern($1, gconf_etc_t, gconf_etc_t) -- files_search_etc($1) ++ ') ++ + domtrans_pattern($1, gconfd_exec_t, gconfd_t) - ') - --####################################### ++') ++ +######################################## - ## --## Create, read, write, and delete gconf config files. ++## +## Dontaudit search gnome homedir content (.config) - ## - ## - ## -@@ -84,37 +82,38 @@ template(`gnome_read_gconf_config',` - ## - ## - # --interface(`gnome_manage_gconf_config',` -+interface(`gnome_dontaudit_search_config',` - gen_require(` -- type gconf_etc_t; -+ attribute gnome_home_type; - ') - -- manage_files_pattern($1, gconf_etc_t, gconf_etc_t) -- files_search_etc($1) -+ dontaudit $1 gnome_home_type:dir search_dir_perms; - ') - - ######################################## - ## --## gconf connection template. -+## manage gnome homedir content (.config) - ## --## ++## +## - ## - ## Domain allowed access. - ## - ## - # --interface(`gnome_stream_connect_gconf',` -+interface(`gnome_manage_config',` - gen_require(` -- type gconfd_t, gconf_tmp_t; ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_dontaudit_search_config',` ++ gen_require(` + attribute gnome_home_type; - ') - -- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) -- allow $1 gconfd_t:unix_stream_socket connectto; ++ ') ++ ++ dontaudit $1 gnome_home_type:dir search_dir_perms; ++') ++ ++######################################## ++## ++## manage gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_manage_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Run gconfd in gconfd domain. ++') ++ ++######################################## ++## +## Send general signals to all gconf domains. - ## - ## - ## -@@ -122,12 +121,139 @@ interface(`gnome_stream_connect_gconf',` - ## - ## - # --interface(`gnome_domtrans_gconfd',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_signal_all',` - gen_require(` -- type gconfd_t, gconfd_exec_t; ++ gen_require(` + attribute gnomedomain; - ') - -- domtrans_pattern($1, gconfd_exec_t, gconfd_t) ++ ') ++ + allow $1 gnomedomain:process signal; +') + @@ -2596,14 +2483,10 @@ index f5afe78..db1a0d0 100644 + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) - ') - - ######################################## -@@ -151,40 +277,306 @@ interface(`gnome_setattr_config_dirs',` - - ######################################## - ## --## Read gnome homedir content (.config) ++') ++ ++######################################## ++## +## Create objects in a Gnome gconf home directory +## with an automatic type transition to +## a specified private type. 
@@ -2659,24 +2542,21 @@ index f5afe78..db1a0d0 100644 +######################################## +## +## read gconf config files - ## ++## +## -+## -+## Domain allowed access. -+## -+## -+# -+template(`gnome_read_gconf_config',` -+ gen_require(` -+ type gconf_etc_t; -+ ') -+ -+ allow $1 gconf_etc_t:dir list_dir_perms; -+ read_files_pattern($1, gconf_etc_t, gconf_etc_t) -+') -+ -+####################################### -+## + ## + ## Domain allowed access. + ## +@@ -71,12 +327,31 @@ template(`gnome_read_gconf_config',` + + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) +- files_search_etc($1) + ') + + ####################################### + ## +-## Create, read, write, and delete gconf config files. +## Manage gconf config files +## +## 
@@ -2698,84 +2578,109 @@ index f5afe78..db1a0d0 100644 +## +## Execute gconf programs in +## in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -84,37 +359,39 @@ template(`gnome_read_gconf_config',` + ## + ## + # +-interface(`gnome_manage_gconf_config',` +interface(`gnome_exec_gconf',` -+ gen_require(` + gen_require(` +- type gconf_etc_t; + type gconfd_exec_t; -+ ') -+ + ') + +- manage_files_pattern($1, gconf_etc_t, gconf_etc_t) +- files_search_etc($1) + can_exec($1, gconfd_exec_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## gconf connection template. +## Read gconf home files -+## + ## +-## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_stream_connect_gconf',` +interface(`gnome_read_gconf_home_files',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconf_tmp_t; + type gconf_home_t; + type data_home_t; -+ ') -+ + ') + +- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) +- allow $1 gconfd_t:unix_stream_socket connectto; + allow $1 gconf_home_t:dir list_dir_perms; + allow $1 data_home_t:dir list_dir_perms; + read_files_pattern($1, gconf_home_t, gconf_home_t) + read_files_pattern($1, data_home_t, data_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Run gconfd in gconfd domain. +## search gconf homedir (.local) -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -122,12 +399,13 @@ interface(`gnome_stream_connect_gconf',` + ## + ## + # +-interface(`gnome_domtrans_gconfd',` +interface(`gnome_search_gconf',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconfd_exec_t; + type gconf_home_t; -+ ') -+ + ') + +- domtrans_pattern($1, gconfd_exec_t, gconfd_t) + allow $1 gconf_home_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + ') + + ######################################## +@@ -151,40 +429,173 @@ interface(`gnome_setattr_config_dirs',` + + ######################################## + ## +-## Read gnome homedir content (.config) +## Append gconf home files -+## + ## +-## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_config',` +interface(`gnome_append_gconf_home_files',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type gconf_home_t; -+ ') -+ + ') + +- list_dirs_pattern($1, gnome_home_t, gnome_home_t) +- read_files_pattern($1, gnome_home_t, gnome_home_t) +- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) + append_files_pattern($1, gconf_home_t, gconf_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## manage gnome homedir content (.config) +## manage gconf home files -+## + ## +## +## +## Domain allowed access. 
@@ -2825,21 +2730,39 @@ index f5afe78..db1a0d0 100644 ## ## # --template(`gnome_read_config',` +-interface(`gnome_manage_config',` +template(`gnome_list_home_config',` gen_require(` - type gnome_home_t; + type config_home_t; ') -- list_dirs_pattern($1, gnome_home_t, gnome_home_t) -- read_files_pattern($1, gnome_home_t, gnome_home_t) -- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; + allow $1 config_home_t:dir list_dir_perms; +') + +######################################## +## ++## Set attributes of gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`gnome_setattr_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ setattr_dirs_pattern($1, config_home_t, config_home_t) + userdom_search_user_home_dirs($1) + ') ++ ++######################################## ++## +## read gnome homedir content (.config) +## +## @@ -2854,29 +2777,23 @@ index f5afe78..db1a0d0 100644 + ') + + read_files_pattern($1, config_home_t, config_home_t) - ') - - ######################################## - ## - ## manage gnome homedir content (.config) - ## --## ++') ++ ++######################################## ++## ++## manage gnome homedir content (.config) ++## +## - ## - ## Domain allowed access. - ## - ## - # --interface(`gnome_manage_config',` ++## ++## Domain allowed access. ++## ++## ++# +template(`gnome_manage_home_config',` - gen_require(` -- type gnome_home_t; ++ gen_require(` + type config_home_t; - ') - -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; -- userdom_search_user_home_dirs($1) ++ ') ++ + manage_files_pattern($1, config_home_t, config_home_t) +') + @@ -2917,7 +2834,7 @@ index f5afe78..db1a0d0 100644 + + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; - ') ++') 
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 35f7486..26852d2 100644 --- a/policy/modules/apps/gnome.te @@ -3777,7 +3694,7 @@ index 9a6d67d..47aa143 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..ec6a1ff 100644 +index cbf4bec..7c260fa 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -3850,7 +3767,7 @@ index cbf4bec..ec6a1ff 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,79 @@ optional_policy(` +@@ -266,3 +291,89 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -3878,6 +3795,8 @@ index cbf4bec..ec6a1ff 100644 +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) +fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) + ++can_exec(mozilla_plugin_t, mozilla_exec_t) ++ +kernel_read_kernel_sysctls(mozilla_plugin_t) +kernel_read_system_state(mozilla_plugin_t) +kernel_request_load_module(mozilla_plugin_t) @@ -3888,6 +3807,8 @@ index cbf4bec..ec6a1ff 100644 +dev_read_urand(mozilla_plugin_t) +dev_read_video_dev(mozilla_plugin_t) +dev_read_sysfs(mozilla_plugin_t) ++dev_read_sound(mozilla_plugin_t) ++dev_write_sound(mozilla_plugin_t) + +domain_use_interactive_fds(mozilla_plugin_t) +domain_dontaudit_read_all_domains_state(mozilla_plugin_t) @@ -3908,11 +3829,16 @@ index cbf4bec..ec6a1ff 100644 +userdom_dontaudit_use_user_ptys(mozilla_plugin_t) + +optional_policy(` ++ alsa_read_rw_config(mozilla_plugin_t) ++') ++ ++optional_policy(` + dbus_read_lib_files(mozilla_plugin_t) +') + +optional_policy(` + gnome_manage_home_config(mozilla_plugin_t) ++ gnome_setattr_home_config(mozilla_plugin_t) +') + +optional_policy(` 
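Review bot: In the mozilla.te hunk that adds `dev_read_sound(mozilla_plugin_t)` and `dev_write_sound(mozilla_plugin_t)`, read access to sound devices is granted to the plugin domain unconditionally. On the usual reading of that interface this includes capture devices, so any plugin content can open them. The same patch already uses `tunable_policy` for nsplugin execmem, and a boolean would let administrators turn capture off: `tunable_policy(`<boolean_name>',` dev_read_sound(mozilla_plugin_t) ')`. The `can_exec(mozilla_plugin_t, mozilla_exec_t)` added two hunks earlier has no comment saying why the plugin needs to re-execute the browser binary; one line of explanation there would help later reviewers.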
@@ -3929,6 +3855,7 @@ index cbf4bec..ec6a1ff 100644 +optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) ++ xserver_use_user_fonts(mozilla_plugin_t) +') diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index d8ea41d..8bdc526 100644 @@ -4430,10 +4357,10 @@ index 0000000..c779d44 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..23890a7 +index 0000000..7bc0dcf --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,308 @@ +@@ -0,0 +1,310 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -4499,6 +4426,8 @@ index 0000000..23890a7 +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow nsplugin_t self:unix_dgram_socket create_socket_perms; +allow nsplugin_t nsplugin_rw_t:dir list_dir_perms; ++read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) + +tunable_policy(`allow_nsplugin_execmem',` + allow nsplugin_t self:process { execstack execmem }; @@ -4931,7 +4860,7 @@ index 690589e..815d35d 100644 optional_policy(` diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index 2ba7787..3b0d3be 100644 +index 2ba7787..15fef11 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -35,6 +35,10 @@ interface(`pulseaudio_role',` 
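Review bot: In the nsplugin.te hunk, the two added rules name `nsplugin_config_t` as the source domain, but they sit between `allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;` and the `nsplugin_t` execmem tunable. Either the source type is a typo or the rules are in the wrong section. If `nsplugin_t` was meant, the lines should read `read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)` and `read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)`. If `nsplugin_config_t` is intended, move them to that domain's local policy block so the grant is reviewed with the rest of its permissions. The rest of the file is outside the hunk, so this is inferred from the neighbouring lines only.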
@@ -4945,6 +4874,22 @@ index 2ba7787..3b0d3be 100644 allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') +@@ -215,6 +219,7 @@ interface(`pulseaudio_read_home_files',` + + userdom_search_user_home_dirs($1) + read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + ') + + ######################################## +@@ -233,6 +238,7 @@ interface(`pulseaudio_rw_home_files',` + ') + + rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + userdom_search_user_home_dirs($1) + ') + diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 5c2680c..db96581 100644 --- a/policy/modules/apps/pulseaudio.te @@ -5186,10 +5131,10 @@ index 0000000..15778fd +# No types are sandbox_exec_t diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..c20d303 +index 0000000..5dd356f --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,335 @@ +@@ -0,0 +1,336 @@ + +## policy for sandbox + @@ -5246,6 +5191,7 @@ index 0000000..c20d303 + allow $1 sandbox_tmpfs_type:file manage_file_perms; + dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; + ++ can_exec($1, sandbox_file_type) + manage_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); + manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); @@ -6269,10 +6215,10 @@ index 0000000..3d12484 +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..c7250ae +index 0000000..aa34be4 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,320 @@ +@@ -0,0 +1,318 @@ + +policy_module(telepathy, 1.0.0) + 
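Review bot: In the sandbox.if hunk, `can_exec($1, sandbox_file_type)` is added directly above `manage_files_pattern($1, sandbox_file_type, sandbox_file_type);`, so the calling domain can both write these files and execute them without a domain transition. Files created from inside a sandbox carry a `sandbox_file_type` label, which means content produced by confined code becomes runnable with the caller's own permissions. The enclosing interface starts outside the hunk, so which callers receive this is not visible here. If execution is needed only for a launcher script, say so in a comment above the rule and consider restricting it to the specific type that holds that script instead of the whole attribute.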
@@ -6345,15 +6291,13 @@ index 0000000..c7250ae +files_read_etc_files(telepathy_msn_t) +files_read_usr_files(telepathy_msn_t) + -+kernel_read_system_state(telepathy_msn_t) -+ +auth_use_nsswitch(telepathy_msn_t) + +libs_exec_ldconfig(telepathy_msn_t) + +logging_send_syslog_msg(telepathy_msn_t) + -+miscfiles_read_certs(telepathy_msn_t) ++miscfiles_read_all_certs(telepathy_msn_t) + +sysnet_read_config(telepathy_msn_t) + @@ -6404,7 +6348,7 @@ index 0000000..c7250ae +files_read_config_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) + -+miscfiles_read_certs(telepathy_gabble_t) ++miscfiles_read_all_certs(telepathy_gabble_t) + +sysnet_read_config(telepathy_gabble_t) + @@ -6538,8 +6482,6 @@ index 0000000..c7250ae +files_read_etc_files(telepathy_sunshine_t) +files_read_usr_files(telepathy_sunshine_t) + -+kernel_read_system_state(telepathy_sunshine_t) -+ +optional_policy(` + xserver_read_xdm_pid(telepathy_sunshine_t) + xserver_stream_connect(telepathy_sunshine_t) @@ -6550,7 +6492,7 @@ index 0000000..c7250ae +# telepathy domains common policy +# + -+allow telepathy_domain self:process { getsched signal }; ++allow telepathy_domain self:process { getsched signal sigkill }; +allow telepathy_domain self:fifo_file rw_fifo_file_perms; +allow telepathy_domain self:tcp_socket create_socket_perms; +allow telepathy_domain self:udp_socket create_socket_perms; @@ -6565,6 +6507,8 @@ index 0000000..c7250ae +corenet_tcp_sendrecv_generic_node(telepathy_domain) +corenet_udp_bind_generic_node(telepathy_domain) + ++kernel_read_system_state(telepathy_domain) ++ +fs_search_auto_mountpoints(telepathy_domain) + +miscfiles_read_localization(telepathy_domain) @@ -6914,7 +6858,7 @@ index 82842a0..369c3b5 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 0eb1d97..b42af1b 100644 +index 0eb1d97..93c9ec1 100644 --- a/policy/modules/kernel/corecommands.fc 
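Review bot: In the telepathy.te hunks, `miscfiles_read_certs(telepathy_msn_t)` becomes `miscfiles_read_all_certs(telepathy_msn_t)`, and the later hunk does the same for `telepathy_gabble_t`. Elsewhere in this patch the same rename lands on `miscfiles_read_generic_certs` (certwatch.te, abrt.te). The all-certs variant looks like a widening and not part of the mechanical rename, and it would let two network-facing chat backends read every certificate type on the system. Unless a denial showed that a non-generic certificate type is required, use `miscfiles_read_generic_certs(telepathy_msn_t)` and `miscfiles_read_generic_certs(telepathy_gabble_t)`.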
+++ b/policy/modules/kernel/corecommands.fc @@ -9,8 +9,11 @@ @@ -6948,26 +6892,29 @@ index 0eb1d97..b42af1b 100644 # # /lib # -@@ -126,6 +134,7 @@ ifdef(`distro_gentoo',` +@@ -126,6 +134,8 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') ++/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) +/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) # # /sbin -@@ -145,6 +154,10 @@ ifdef(`distro_gentoo',` +@@ -145,6 +155,12 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/google/talkplugin/cron(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ ++/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -169,6 +182,7 @@ ifdef(`distro_gentoo',` +@@ -169,6 +185,7 @@ ifdef(`distro_gentoo',` /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -6975,7 +6922,7 @@ index 0eb1d97..b42af1b 100644 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,8 +232,11 @@ ifdef(`distro_gentoo',` +@@ -218,8 +235,11 @@ ifdef(`distro_gentoo',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -6987,7 +6934,7 @@ index 0eb1d97..b42af1b 100644 /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +245,8 @@ ifdef(`distro_gentoo',` +@@ -228,6 +248,8 @@ ifdef(`distro_gentoo',` /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6996,7 +6943,7 @@ index 0eb1d97..b42af1b 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +333,7 @@ ifdef(`distro_redhat', ` +@@ -314,6 +336,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) @@ -7004,7 +6951,7 @@ index 0eb1d97..b42af1b 100644 ') ifdef(`distro_suse', ` -@@ -340,3 +360,27 @@ ifdef(`distro_suse', ` +@@ -340,3 +363,27 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -7585,10 +7532,36 @@ index eb9c360..20c2d34 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..09d4b31 100644 +index aad8c52..0d8458a 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if -@@ -611,7 +611,7 @@ interface(`domain_read_all_domains_state',` +@@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` + + ######################################## + ## ++## Dontaudit sending general signals to all domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`domain_dontaudit_signal_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit $1 domain:process signal; ++') ++ ++######################################## ++## + ## Send a null signal to all domains. + ## + ## +@@ -611,7 +630,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## @@ -7597,7 +7570,7 @@ index aad8c52..09d4b31 100644 ## ## ## -@@ -630,7 +630,7 @@ interface(`domain_getattr_all_domains',` +@@ -630,7 +649,7 @@ interface(`domain_getattr_all_domains',` ######################################## ## @@ -7606,7 +7579,7 @@ index aad8c52..09d4b31 100644 ## ## ## -@@ -1473,3 +1473,22 @@ interface(`domain_unconfined',` +@@ -1473,3 +1492,22 @@ interface(`domain_unconfined',` typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ') @@ -8843,7 +8816,7 @@ index 437a42a..8d6d333 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 0dff98e..31ebaa7 100644 +index 0dff98e..a09ab47 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; 
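Review bot: The new `domain_dontaudit_signal_all_domains` interface in the domain.if hunk silences AVC records for denied signals to every domain. A caller that starts signalling other processes after a compromise will then leave nothing in the audit log. The summary line only restates the rule. Extend the description to say that it is meant for callers known to broadcast signals as normal behaviour, and that the suppressed denials can be made visible again by rebuilding policy with dontaudit rules disabled (`semodule -DB`). No caller is visible in this hunk, so each use should carry its own justification where it is added.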
@@ -8871,7 +8844,7 @@ index 0dff98e..31ebaa7 100644 fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); -+dev_associate_sysfs(hugetlbfs_t) ++dev_associate(hugetlbfs_t) type ibmasmfs_t; fs_type(ibmasmfs_t) @@ -9369,7 +9342,7 @@ index ebe6a9c..e3a1987 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0c9876c..fabc1a0 100644 +index 0c9876c..06b7974 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,17 +8,55 @@ policy_module(staff, 2.1.1) @@ -9428,7 +9401,7 @@ index 0c9876c..fabc1a0 100644 auditadm_role_change(staff_r) ') -@@ -27,6 +65,18 @@ optional_policy(` +@@ -27,6 +65,23 @@ optional_policy(` ') optional_policy(` @@ -9443,11 +9416,16 @@ index 0c9876c..fabc1a0 100644 + kerneloops_manage_tmp_files(staff_t) +') + ++optional_policy(` ++ oident_manage_user_content(staff_t) ++ oident_relabel_user_content(staff_t) ++') ++ +optional_policy(` postgresql_role(staff_r, staff_t) ') -@@ -35,6 +85,18 @@ optional_policy(` +@@ -35,6 +90,18 @@ optional_policy(` ') optional_policy(` @@ -9466,7 +9444,7 @@ index 0c9876c..fabc1a0 100644 ssh_role_template(staff, staff_r, staff_t) ') -@@ -48,6 +110,10 @@ optional_policy(` +@@ -48,6 +115,10 @@ optional_policy(` ') optional_policy(` @@ -9477,7 +9455,18 @@ index 0c9876c..fabc1a0 100644 xserver_role(staff_r, staff_t) ') -@@ -137,10 +203,6 @@ ifndef(`distro_redhat',` +@@ -121,10 +192,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) +- ') +- optional_policy(` + pyzor_role(staff_r, staff_t) + ') + +@@ -137,10 +204,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -9488,7 +9477,7 @@ index 0c9876c..fabc1a0 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +234,46 @@ ifndef(`distro_redhat',` +@@ -172,3 +235,46 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -11365,7 +11354,7 @@ index 0b827c5..8a5d6a4 100644 ## ## All of the rules required to administrate diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 93d31d5..65609e5 100644 +index 98646c4..2bd70ae 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1) @@ -11427,7 +11416,7 @@ index 93d31d5..65609e5 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +151,15 @@ miscfiles_read_certs(abrt_t) +@@ -140,6 +151,15 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -11944,7 +11933,7 @@ index adb3d5f..de26af5 100644 ######################################## diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index cf34b4e..cc216a4 100644 +index 3e8002a..31f4612 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -92,9 +92,10 @@ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) @@ -12488,7 +12477,7 @@ index c9e1a44..2244b11 100644 + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index e33b9cd..de4388a 100644 +index 08dfa0c..86641dd 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.2.0) @@ -12521,7 +12510,15 @@ index e33b9cd..de4388a 100644 ## Allow httpd to use built in scripting (usually php) ##

## -@@ -50,6 +66,13 @@ gen_tunable(httpd_can_network_connect, false) +@@ -43,13 +59,20 @@ gen_tunable(httpd_builtin_scripting, false) + + ## + ##

+-## Allow HTTPD scripts and modules to connect to the network using TCP. ++## Allow HTTPD scripts and modules to connect to the network using any TCP port. + ##

+ ##
+ gen_tunable(httpd_can_network_connect, false) ## ##

@@ -12563,6 +12560,15 @@ index e33b9cd..de4388a 100644 ## Allow Apache to communicate with avahi service via dbus ##

##
+@@ -78,7 +115,7 @@ gen_tunable(httpd_dbus_avahi, false) + + ## + ##

+-## Allow httpd cgi support ++## Allow httpd to execute cgi scripts + ##

+ ##
+ gen_tunable(httpd_enable_cgi, false) @@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false) ## @@ -12888,10 +12894,16 @@ index e33b9cd..de4388a 100644 ') optional_policy(` -@@ -577,12 +723,23 @@ optional_policy(` +@@ -577,12 +723,29 @@ optional_policy(` ') optional_policy(` ++ passenger_domtrans(httpd_t) ++ passenger_manage_pid_content(httpd_t) ++ passenger_read_lib_files(httpd_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(httpd_t) +') + @@ -12912,7 +12924,7 @@ index e33b9cd..de4388a 100644 ') ') -@@ -591,6 +748,11 @@ optional_policy(` +@@ -591,6 +754,11 @@ optional_policy(` ') optional_policy(` @@ -12924,7 +12936,7 @@ index e33b9cd..de4388a 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +765,10 @@ optional_policy(` +@@ -603,6 +771,10 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -12935,7 +12947,7 @@ index e33b9cd..de4388a 100644 ######################################## # # Apache helper local policy -@@ -618,6 +784,10 @@ logging_send_syslog_msg(httpd_helper_t) +@@ -618,6 +790,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -12946,7 +12958,7 @@ index e33b9cd..de4388a 100644 ######################################## # # Apache PHP script local policy -@@ -699,17 +869,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +875,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -12968,7 +12980,7 @@ index e33b9cd..de4388a 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +911,21 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,10 +917,21 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') 
@@ -12991,7 +13003,7 @@ index e33b9cd..de4388a 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +951,12 @@ optional_policy(` +@@ -769,6 +957,12 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -13004,7 +13016,7 @@ index e33b9cd..de4388a 100644 ######################################## # # Apache system script local policy -@@ -792,9 +980,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) +@@ -792,9 +986,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -13018,7 +13030,7 @@ index e33b9cd..de4388a 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +995,28 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,6 +1001,28 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -13047,7 +13059,7 @@ index e33b9cd..de4388a 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1044,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -830,6 +1050,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -13064,7 +13076,7 @@ index e33b9cd..de4388a 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1066,7 @@ optional_policy(` +@@ -842,6 +1072,7 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -13072,7 +13084,7 @@ index e33b9cd..de4388a 100644 ') optional_policy(` -@@ -891,11 +1116,33 @@ optional_policy(` +@@ -891,11 +1122,33 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -13223,10 +13235,10 @@ index b9e94c4..608e3a1 100644 ') diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te -index a3eaf94..ac13727 100644 +index 39799db..6189565 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te -@@ -145,6 +145,7 @@ miscfiles_read_certs(automount_t) +@@ -145,6 +145,7 @@ miscfiles_read_generic_certs(automount_t) # Run mount in the mount_t domain. mount_domtrans(automount_t) @@ -13247,7 +13259,7 @@ index 210ca0b..e51354d 100644 allow avahi_t $1:dbus send_msg; ') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te -index e4c76d0..0aa1998 100644 +index b7bf6f0..803adbf 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -37,10 +37,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) @@ -13318,7 +13330,7 @@ index 44a1e3d..71f5514 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 2be1518..190b0bc 100644 +index 4deca04..ece1f1f 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) @@ -13580,7 +13592,7 @@ index 0000000..9f4885c +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..62a48ac +index 0000000..aaf0ba3 --- /dev/null +++ b/policy/modules/services/boinc.te @@ -0,0 +1,153 @@ 
@@ -13685,7 +13697,7 @@ index 0000000..62a48ac +term_dontaudit_getattr_ptmx(boinc_t) + +miscfiles_read_localization(boinc_t) -+miscfiles_read_certs(boinc_t) ++miscfiles_read_generic_certs(boinc_t) + +logging_send_syslog_msg(boinc_t) + @@ -14162,7 +14174,7 @@ index 4c90b57..bffe6b6 100644 unconfined_use_fds(ccs_t) ') diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if -index 27fe7ca..221ea9e 100644 +index 9629d3d..f9335fb 100644 --- a/policy/modules/services/certmaster.if +++ b/policy/modules/services/certmaster.if @@ -18,6 +18,25 @@ interface(`certmaster_domtrans',` @@ -14192,7 +14204,7 @@ index 27fe7ca..221ea9e 100644 ## ## read certmaster logs. diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te -index 1573914..6e32117 100644 +index d8b8639..da60c93 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te @@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t) @@ -14219,7 +14231,7 @@ index a3728d4..7a6e5ba 100644 + admin_pattern($1, certmonger_var_run_t) ') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te -index 9e83ed7..52312f5 100644 +index 7106981..261a37c 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -68,5 +68,5 @@ optional_policy(` @@ -15172,24 +15184,10 @@ index 3a6d7eb..2098ee9 100644 /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 7d2cf85..9d97456 100644 +index 7d2cf85..fdb0dcb 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te -@@ -5,6 +5,13 @@ policy_module(corosync, 1.0.0) - # Declarations - # - -+## -+##

-+## Allow corosync to read and write generic tmpfs files. -+##

-+##
-+gen_tunable(allow_corosync_rw_tmpfs, false) -+ - type corosync_t; - type corosync_exec_t; - init_daemon_domain(corosync_t, corosync_exec_t) -@@ -32,8 +39,8 @@ files_pid_file(corosync_var_run_t) +@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t) # corosync local policy # @@ -15200,7 +15198,7 @@ index 7d2cf85..9d97456 100644 allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; -@@ -41,6 +48,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto +@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto allow corosync_t self:unix_dgram_socket create_socket_perms; allow corosync_t self:udp_socket create_socket_perms; @@ -15209,7 +15207,7 @@ index 7d2cf85..9d97456 100644 manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) -@@ -63,8 +72,10 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) +@@ -63,8 +65,10 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) kernel_read_system_state(corosync_t) @@ -15220,7 +15218,7 @@ index 7d2cf85..9d97456 100644 corenet_udp_bind_netsupport_port(corosync_t) -@@ -73,6 +84,7 @@ dev_read_urand(corosync_t) +@@ -73,6 +77,7 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) 
@@ -15228,18 +15226,23 @@ index 7d2cf85..9d97456 100644 auth_use_nsswitch(corosync_t) -@@ -83,19 +95,30 @@ logging_send_syslog_msg(corosync_t) +@@ -83,19 +88,35 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) +userdom_delete_user_tmpfs_files(corosync_t) userdom_rw_user_tmpfs_files(corosync_t) -+tunable_policy(`allow_corosync_rw_tmpfs',` -+ fs_rw_tmpfs_files(corosync_t) + optional_policy(` ++ gen_require(` ++ attribute unconfined_services; ++ ') ++ ++ fs_manage_tmpfs_files(corosync_t) ++ init_manage_script_status_files(corosync_t) +') + - optional_policy(` ++optional_policy(` ccs_read_config(corosync_t) ') @@ -16023,7 +16026,7 @@ index 346f926..1f789f8 100644 kernel_read_system_state(cyphesis_t) kernel_read_kernel_sysctls(cyphesis_t) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te -index 2a0f1c1..ab82c3c 100644 +index e182bf4..f80e725 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -16162,7 +16165,7 @@ index 39e901a..87fc055 100644 +') + diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index b738e94..4b3d9c4 100644 +index b354128..c725cae 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) @@ -16485,7 +16488,7 @@ index e1d7dc5..09f6f30 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index 14c6a2e..c771d46 100644 +index cbe14e4..64bc566 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
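Review bot: The new `optional_policy` block in corosync.te grants `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)` whenever the `unconfined_services` attribute can be required. The revision it replaces gave only `fs_rw_tmpfs_files(corosync_t)`, and only behind the `allow_corosync_rw_tmpfs` tunable, which was declared `false` and is dropped in the earlier corosync.te hunk. This removes the administrator's off switch and, going by the interface names, widens read/write to full manage on generic tmpfs files. If the wider access is required, add a comment above the block naming the corosync behaviour that needs it; otherwise keep the grant inside the tunable. The corosync.te local policy section continues outside this hunk.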
@@ -16497,7 +16500,17 @@ index 14c6a2e..c771d46 100644 type dovecot_deliver_t; type dovecot_deliver_exec_t; -@@ -58,7 +58,7 @@ files_pid_file(dovecot_var_run_t) +@@ -26,6 +26,9 @@ domain_type(dovecot_deliver_t) + domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) + role system_r types dovecot_deliver_t; + ++type dovecot_deliver_tmp_t; ++files_tmp_file(dovecot_deliver_tmp_t) ++ + type dovecot_etc_t; + files_config_file(dovecot_etc_t) + +@@ -58,7 +61,7 @@ files_pid_file(dovecot_var_run_t) allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; @@ -16506,7 +16519,7 @@ index 14c6a2e..c771d46 100644 allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; -@@ -72,7 +72,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms; +@@ -72,7 +75,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) @@ -16516,7 +16529,7 @@ index 14c6a2e..c771d46 100644 files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -@@ -94,10 +95,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -94,10 +98,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -16529,7 +16542,7 @@ index 14c6a2e..c771d46 100644 kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -159,6 +161,11 @@ optional_policy(` +@@ -159,6 +164,11 @@ optional_policy(` ') optional_policy(` 
@@ -16541,7 +16554,7 @@ index 14c6a2e..c771d46 100644 postgresql_stream_connect(dovecot_t) ') -@@ -242,6 +249,7 @@ optional_policy(` +@@ -242,6 +252,7 @@ optional_policy(` ') optional_policy(` @@ -16549,7 +16562,7 @@ index 14c6a2e..c771d46 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +261,27 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; +@@ -253,19 +264,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; @@ -16561,6 +16574,10 @@ index 14c6a2e..c771d46 100644 + +append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) + ++manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) ++manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) ++files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) ++ +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + kernel_read_all_sysctls(dovecot_deliver_t) @@ -16579,7 +16596,7 @@ index 14c6a2e..c771d46 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +318,5 @@ tunable_policy(`use_samba_home_dirs',` +@@ -302,4 +325,5 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` mta_manage_spool(dovecot_deliver_t) @@ -16673,7 +16690,7 @@ index 6bef7f8..0217906 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index db36bfa..b55c438 100644 +index f28f64b..6c819a3 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t) @@ -16751,7 +16768,7 @@ index 2a69e5e..fd30b02 100644 iptables_domtrans(fail2ban_t) ') diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te -index c92403b..f50e0f1 100644 +index dc2c044..5f5b57b 100644 --- a/policy/modules/services/fetchmail.te +++ b/policy/modules/services/fetchmail.te 
@@ -37,8 +37,9 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms; @@ -16766,9 +16783,21 @@ index c92403b..f50e0f1 100644 kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te -index 7df52c7..54fada0 100644 +index 7df52c7..899feaf 100644 --- a/policy/modules/services/fprintd.te +++ b/policy/modules/services/fprintd.te +@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t) + # Local policy + # + +-allow fprintd_t self:capability sys_ptrace; ++allow fprintd_t self:capability { sys_nice sys_ptrace }; + allow fprintd_t self:fifo_file rw_fifo_file_perms; +-allow fprintd_t self:process { getsched signal }; ++allow fprintd_t self:process { getsched setsched signal }; + + manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) + manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) @@ -54,4 +54,5 @@ optional_policy(` policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) @@ -17673,6 +17702,15 @@ index 7382f85..cf17085 100644 +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) + +diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc +index 462de63..a8ce02e 100644 +--- a/policy/modules/services/gnomeclock.fc ++++ b/policy/modules/services/gnomeclock.fc +@@ -1,2 +1,4 @@ + /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + ++/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) ++ diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if index 671d8fd..da0e844 100644 --- a/policy/modules/services/gnomeclock.if @@ -18255,7 +18293,7 @@ index 3525d24..e5db539 100644 /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) 
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te -index 8edc29b..6deff48 100644 +index 8edc29b..225e33f 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t) @@ -18276,7 +18314,7 @@ index 8edc29b..6deff48 100644 logging_send_syslog_msg(kadmind_t) -+miscfiles_read_certs(kadmind_t) ++miscfiles_read_generic_certs(kadmind_t) miscfiles_read_localization(kadmind_t) seutil_read_file_contexts(kadmind_t) @@ -18294,7 +18332,7 @@ index 8edc29b..6deff48 100644 logging_send_syslog_msg(krb5kdc_t) -+miscfiles_read_certs(krb5kdc_t) ++miscfiles_read_generic_certs(krb5kdc_t) miscfiles_read_localization(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) @@ -18487,7 +18525,7 @@ index 3aa8fa7..e5684f4 100644 ######################################## diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te -index ffa96c6..a715c65 100644 +index 64fd1ff..ee5e345 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -10,7 +10,7 @@ type slapd_exec_t; @@ -20477,7 +20515,7 @@ index 2324d9e..1a1bfe4 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 442cff9..45ecee3 100644 +index 0619395..02ae4e0 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) @@ -20948,7 +20986,7 @@ index 4996f62..975deca 100644 kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index f3d5790..80161cd 100644 +index 8b550f4..ba7c06b 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t) 
@@ -20992,7 +21030,7 @@ index f3d5790..80161cd 100644 corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -113,9 +121,11 @@ sysnet_manage_config(openvpn_t) +@@ -113,19 +121,19 @@ sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -21005,7 +21043,17 @@ index f3d5790..80161cd 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -138,3 +148,7 @@ optional_policy(` + fs_read_nfs_files(openvpn_t) +- fs_read_nfs_symlinks(openvpn_t) + ') + + tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) +- fs_read_cifs_symlinks(openvpn_t) + ') + + optional_policy(` +@@ -138,3 +146,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') 
@@ -21013,6 +21061,167 @@ index f3d5790..80161cd 100644 +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') +diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc +new file mode 100644 +index 0000000..8d00972 +--- /dev/null ++++ b/policy/modules/services/passenger.fc +@@ -0,0 +1,6 @@ ++ ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) ++ ++/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) +diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if +new file mode 100644 +index 0000000..7ca90f6 +--- /dev/null ++++ b/policy/modules/services/passenger.if +@@ -0,0 +1,69 @@ ++## Passenger policy ++ ++###################################### ++## ++## Execute passenger in the passenger domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`passenger_domtrans',` ++ gen_require(` ++ type passenger_t; ++ type passenger_exec_t; ++ ') ++ ++ allow $1 self:capability { fowner fsetid }; ++ ++ allow $1 passenger_t:process signal; ++ ++ domtrans_pattern($1, passenger_exec_t, passenger_t) ++ allow $1 passenger_t:unix_stream_socket { read write shutdown }; ++ allow passenger_t $1:unix_stream_socket { read write }; ++') ++ ++###################################### ++## ++## Manage passenger var_run content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`passenger_manage_pid_content',` ++ gen_require(` ++ type passenger_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++') ++ ++######################################## ++## ++## Read passenger lib files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`passenger_read_lib_files',` ++ gen_require(` ++ type passenger_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++') ++ +diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te +new file mode 100644 +index 0000000..9cb0d1c +--- /dev/null ++++ b/policy/modules/services/passenger.te +@@ -0,0 +1,68 @@ ++ ++policy_module(passanger,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type passenger_t; ++type passenger_exec_t; ++domain_type(passenger_t) ++domain_entry_file(passenger_t, passenger_exec_t) ++role system_r types passenger_t; ++ ++type passenger_tmp_t; ++files_tmp_file(passenger_tmp_t) ++ ++type passenger_var_lib_t; ++files_type(passenger_var_lib_t) ++ ++type passenger_var_run_t; ++files_pid_file(passenger_var_run_t) ++ ++permissive passenger_t; ++ ++######################################## ++# ++# passanger local policy ++# ++ ++allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; ++allow passenger_t self:process signal; ++ ++allow passenger_t self:fifo_file rw_fifo_file_perms; ++allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++files_search_var_lib(passenger_t) ++manage_dirs_pattern(passenger_t, passenger_var_lib_t, 
passenger_var_lib_t) ++manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) ++ ++manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) ++ ++kernel_read_system_state(passenger_t) ++kernel_read_kernel_sysctls(passenger_t) ++ ++corenet_tcp_connect_http_port(passenger_t) ++ ++corecmd_exec_bin(passenger_t) ++corecmd_exec_shell(passenger_t) ++ ++dev_read_urand(passenger_t) ++ ++files_read_etc_files(passenger_t) ++ ++auth_use_nsswitch(passenger_t) ++ ++miscfiles_read_localization(passenger_t) ++ ++userdom_dontaudit_use_user_terminals(passenger_t) ++ ++optional_policy(` ++ apache_append_log(passenger_t) ++ apache_read_sys_content(passenger_t) ++') diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te index b881672..da06e9f 100644 --- a/policy/modules/services/pcscd.te @@ -22025,7 +22234,7 @@ index 55e62d2..c114a40 100644 /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index c48b45b..18996a5 100644 +index 46bee12..b6d763d 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -77,6 +77,7 @@ template(`postfix_domain_template',` @@ -23216,7 +23425,7 @@ index 0000000..cf9a327 + +sysnet_dns_name_resolve(qpidd_t) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te -index c53f222..df6769b 100644 +index db6296a..b3f1fd3 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te 
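Review bot: `passenger_domtrans` in the new passenger.if contains `allow $1 self:capability { fowner fsetid };`, so any domain that calls a transition interface also gains two capabilities on itself, and apache.te in this same patch calls it for `httpd_t`. I would move that rule into the passenger block of apache.te, or into a separately named interface, so the grant is visible where the caller's policy is read. Separately, passenger.te declares `policy_module(passanger,1.0.0)` while the file names and the `passenger = module` entry spell it `passenger`. `permissive passenger_t;` leaves the domain unenforced, so it deserves a comment saying when it is to be removed. The parameter text of `passenger_read_lib_files` says `Domain to not audit.` and should read `Domain allowed access.`.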
@@ -36,7 +36,7 @@ files_pid_file(radiusd_var_run_t) @@ -24059,7 +24268,7 @@ index cda37bb..b0eac5b 100644 + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index a3b9f86..eae7d14 100644 +index 8e1ab72..9ae080e 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -63,8 +63,9 @@ allow rpcd_t self:process { getcap setcap }; @@ -24073,7 +24282,7 @@ index a3b9f86..eae7d14 100644 # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) -@@ -97,15 +98,26 @@ miscfiles_read_certs(rpcd_t) +@@ -97,15 +98,26 @@ miscfiles_read_generic_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -24762,7 +24971,7 @@ index e30bb63..2a5981d 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index 41d60ad..8655cb0 100644 +index 22184ad..87810ec 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr; @@ -24876,7 +25085,7 @@ index 7e94c7c..4f7eb51 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te -index 53dd7d0..668ce83 100644 +index 22dac1f..b6781d5 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -19,6 +19,9 @@ mta_sendmail_mailserver(sendmail_t) @@ -24904,7 +25113,7 @@ index 53dd7d0..668ce83 100644 auth_use_nsswitch(sendmail_t) -@@ -103,7 +108,7 @@ miscfiles_read_certs(sendmail_t) +@@ -103,7 +108,7 @@ miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) @@ -25641,7 +25850,7 @@ index 078bcd7..dd706b0 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) 
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 5437ffb..8dad56a 100644 +index 22adaca..3061e83 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -36,6 +36,7 @@ template(`ssh_basic_client_template',` @@ -26259,10 +26468,19 @@ index aa0cc45..debff69 100644 + +iscsi_manage_semaphores(tgtd_t) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te -index 9fa94e4..81e8d3c 100644 +index 9fa94e4..0a0074c 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te -@@ -67,9 +67,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +@@ -42,6 +42,8 @@ files_pid_file(tor_var_run_t) + # + + allow tor_t self:capability { setgid setuid sys_tty_config }; ++allow tor_t self:process signal; ++ + allow tor_t self:fifo_file rw_fifo_file_perms; + allow tor_t self:unix_stream_socket create_stream_socket_perms; + allow tor_t self:netlink_route_socket r_netlink_socket_perms; +@@ -67,9 +69,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) # pid file @@ -26274,7 +26492,7 @@ index 9fa94e4..81e8d3c 100644 kernel_read_system_state(tor_t) -@@ -88,6 +89,7 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -88,6 +91,7 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -26282,7 +26500,7 @@ index 9fa94e4..81e8d3c 100644 # tor uses crypto and needs random dev_read_urand(tor_t) -@@ -100,6 +102,8 @@ files_read_usr_files(tor_t) +@@ -100,6 +104,8 @@ files_read_usr_files(tor_t) auth_use_nsswitch(tor_t) @@ -26751,7 +26969,7 @@ index 7c5d8d8..1a0701b 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3cce663..5a77c23 100644 +index 3eca020..f38e1ce 100644 --- a/policy/modules/services/virt.te 
+++ b/policy/modules/services/virt.te @@ -4,6 +4,7 @@ policy_module(virt, 1.4.0) @@ -27201,7 +27419,7 @@ index 3cce663..5a77c23 100644 +') + diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te -index 2dec92e..c37d690 100644 +index 1174ad8..f4c4c1b 100644 --- a/policy/modules/services/w3c.te +++ b/policy/modules/services/w3c.te @@ -7,11 +7,18 @@ policy_module(w3c, 1.0.0) @@ -27224,7 +27442,7 @@ index 2dec92e..c37d690 100644 corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) @@ -22,3 +29,5 @@ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) - miscfiles_read_certs(httpd_w3c_validator_script_t) + miscfiles_read_generic_certs(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + @@ -28010,7 +28228,7 @@ index da2601a..4bc9fff 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index e226da4..9b9e013 100644 +index e226da4..5fbf38f 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false) @@ -28451,7 +28669,7 @@ index e226da4..9b9e013 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -410,18 +560,22 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -410,18 +560,23 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) 
@@ -28474,10 +28692,11 @@ index e226da4..9b9e013 100644 # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) +domain_dontaudit_ptrace_all_domains(xdm_t) ++domain_dontaudit_signal_all_domains(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -432,9 +586,17 @@ files_list_mnt(xdm_t) +@@ -432,9 +587,17 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28495,7 +28714,7 @@ index e226da4..9b9e013 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -443,28 +605,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -443,28 +606,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28534,7 +28753,7 @@ index e226da4..9b9e013 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -473,6 +643,13 @@ userdom_read_user_home_content_files(xdm_t) +@@ -473,6 +644,13 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28548,7 +28767,7 @@ index e226da4..9b9e013 100644 xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,11 +681,17 @@ tunable_policy(`xdm_sysadm_login',` +@@ -504,11 +682,17 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -28566,7 +28785,7 @@ index e226da4..9b9e013 100644 ') optional_policy(` -@@ -516,12 +699,51 @@ optional_policy(` +@@ -516,12 +700,51 @@ optional_policy(` ') optional_policy(` @@ -28618,7 +28837,7 @@ index e226da4..9b9e013 100644 hostname_exec(xdm_t) ') -@@ -539,20 +761,64 @@ optional_policy(` +@@ -539,20 +762,64 @@ optional_policy(` ') optional_policy(` 
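Review bot: The added `domain_dontaudit_signal_all_domains(xdm_t)` sits under the comment `# Do not audit denied probes of /proc.`, which does not describe signal denials, so nothing in the policy says why xdm is expected to signal arbitrary domains. A dontaudit rule removes those denials from the audit log, so an xdm_t process that misbehaves and tries to signal other domains leaves no AVC record unless dontaudit rules are disabled (`semodule -DB`). I would add a one-line comment above the rule naming the xdm action that produces the denials, and noting that the signal is only silenced, not granted. The xdm_t rule block starts and ends outside this hunk.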
@@ -28685,7 +28904,7 @@ index e226da4..9b9e013 100644 ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -561,7 +827,6 @@ optional_policy(` +@@ -561,7 +828,6 @@ optional_policy(` ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28693,7 +28912,7 @@ index e226da4..9b9e013 100644 optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -572,6 +837,10 @@ optional_policy(` +@@ -572,6 +838,10 @@ optional_policy(` ') optional_policy(` @@ -28704,7 +28923,7 @@ index e226da4..9b9e013 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +865,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +866,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28713,7 +28932,7 @@ index e226da4..9b9e013 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +879,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +880,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28732,7 +28951,7 @@ index e226da4..9b9e013 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +910,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +911,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -28754,7 +28973,7 @@ index e226da4..9b9e013 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +930,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +931,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -28762,7 +28981,7 @@ index e226da4..9b9e013 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +957,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +958,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28770,7 +28989,7 @@ index e226da4..9b9e013 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,8 +966,13 @@ dev_wx_raw_memory(xserver_t) +@@ -678,8 +967,13 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28784,7 +29003,7 @@ index e226da4..9b9e013 100644 files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) -@@ -693,8 +986,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +987,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28798,7 +29017,7 @@ index e226da4..9b9e013 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1014,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1015,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28813,7 +29032,7 @@ index e226da4..9b9e013 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1074,28 @@ optional_policy(` +@@ -773,12 +1075,28 @@ optional_policy(` ') optional_policy(` 
@@ -28843,7 +29062,7 @@ index e226da4..9b9e013 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1104,10 @@ optional_policy(` +@@ -787,6 +1105,10 @@ optional_policy(` ') optional_policy(` @@ -28854,7 +29073,7 @@ index e226da4..9b9e013 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1123,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1124,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -28867,7 +29086,7 @@ index e226da4..9b9e013 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -826,6 +1147,13 @@ init_use_fds(xserver_t) +@@ -826,6 +1148,13 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28881,7 +29100,7 @@ index e226da4..9b9e013 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -841,11 +1169,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1170,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -28898,7 +29117,7 @@ index e226da4..9b9e013 100644 ') optional_policy(` -@@ -991,3 +1322,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; +@@ -991,3 +1323,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -29320,7 +29539,7 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 7fddc24..395f8f3 100644 +index bea0ade..bd3185e 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
@@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -29504,7 +29723,7 @@ index 7fddc24..395f8f3 100644 optional_policy(` diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 7233a6d..bd9d529 100644 +index 54d122b..ee0fe55 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -8,6 +8,7 @@ policy_module(authlogin, 2.2.0) @@ -29878,7 +30097,7 @@ index 9775375..b338481 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index f6aafe7..f28524b 100644 +index f6aafe7..447aaec 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -30143,7 +30362,33 @@ index f6aafe7..f28524b 100644 ## init scripts over dbus. ##
## -@@ -1637,7 +1754,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1424,6 +1541,25 @@ interface(`init_getattr_script_status_files',` + + ######################################## + ## ++## Manage init script ++## status files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_script_status_files',` ++ gen_require(` ++ type initrc_state_t; ++ ') ++ ++ manage_files_pattern($1, initrc_state_t, initrc_state_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to read init script + ## status files. + ## +@@ -1637,7 +1773,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -30152,7 +30397,7 @@ index f6aafe7..f28524b 100644 ') ######################################## -@@ -1712,3 +1829,94 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1712,3 +1848,94 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -30248,7 +30493,7 @@ index f6aafe7..f28524b 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index abab4cf..d96bf27 100644 +index 698c11e..e0dc975 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -30569,7 +30814,7 @@ index abab4cf..d96bf27 100644 miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript --miscfiles_read_certs(initrc_t) +-miscfiles_read_generic_certs(initrc_t) +miscfiles_manage_cert_files(initrc_t) modutils_read_module_config(initrc_t) @@ -32162,10 +32407,18 @@ index 86ef2da..7f649d5 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 7711464..63c1b2f 100644 +index 7711464..1f0ccfd 100644 --- a/policy/modules/system/miscfiles.fc 
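Review bot: `init_manage_script_status_files` gives the caller `manage_files_pattern($1, initrc_state_t, initrc_state_t)`, which is create, write and delete on init script status files, while the neighbouring interfaces visible here cover only getattr and a dontaudit on read. The caller is not visible in this hunk, so it cannot be judged here whether full manage is needed or whether read/write would do. I would extend the description to say which kind of domain is expected to call it, for example `## Intended for domains that create and remove init script status files themselves.`, so later users do not reach for it when read access is enough.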
+++ b/policy/modules/system/miscfiles.fc -@@ -75,13 +75,11 @@ ifdef(`distro_redhat',` +@@ -11,6 +11,7 @@ ifdef(`distro_gentoo',` + /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) + + ifdef(`distro_redhat',` + /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) +@@ -75,13 +76,11 @@ ifdef(`distro_redhat',` /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -32182,78 +32435,10 @@ index 7711464..63c1b2f 100644 ifdef(`distro_debian',` /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index 17de283..4eeb1a5 100644 +index fe4e741..926ba65 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if -@@ -2,6 +2,50 @@ - - ######################################## - ## -+## Make the specified type usable as a cert file. -+## -+## -+##
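Review bot: The new file context `/etc/httpd/alias/[^/]*\.db(\.[^/]*)*` labels every `.db` file in that directory as `cert_t`, without distinguishing certificate stores from key stores. If the directory holds an NSS database (as it does with mod_nss), the key database would match too and become readable by every domain allowed to read `cert_t`, which elsewhere in this patch presumably includes the user domains through `miscfiles_read_generic_certs`. I would restrict the pattern to the certificate database file and keep the key database under a type only the web server can read. This should be confirmed against what the directory actually contains.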

-+## Make the specified type usable for cert files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a temporary file may result in problems with
-+## cert management tools.
-+##

-+##

-+## Related interfaces:
-+##

-+##
    -+##
  • files_type()
  • -+##
-+##

-+## Example:
-+##

-+##

-+## type mycertfile_t;
-+## cert_type(mycertfile_t)
-+## allow mydomain_t mycertfile_t:file read_file_perms;
-+## files_search_etc(mydomain_t)
-+##

-+##
-+## -+## -+## Type to be used for files. -+## -+## -+## -+# -+interface(`miscfiles_cert_type',` -+ gen_require(` -+ attribute cert_type; -+ ') -+ -+ typeattribute $1 cert_type; -+ files_type($1) -+') -+ -+######################################## -+## - ## Read system SSL certificates. - ## - ## -@@ -13,12 +57,12 @@ - # - interface(`miscfiles_read_certs',` - gen_require(` -- type cert_t; -+ attribute cert_type; - ') - -- allow $1 cert_t:dir list_dir_perms; -- read_files_pattern($1, cert_t, cert_t) -- read_lnk_files_pattern($1, cert_t, cert_t) -+ allow $1 cert_type:dir list_dir_perms; -+ read_files_pattern($1, cert_type, cert_type) -+ read_lnk_files_pattern($1, cert_type, cert_type) - ') - - ######################################## -@@ -305,9 +349,6 @@ interface(`miscfiles_read_localization',` +@@ -414,9 +414,6 @@ interface(`miscfiles_read_localization',` allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) @@ -32264,24 +32449,25 @@ index 17de283..4eeb1a5 100644 ######################################## diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te -index 4ac5d56..eb75070 100644 +index c51f7f5..59c70bf 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te -@@ -4,12 +4,13 @@ policy_module(miscfiles, 1.8.0) +@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.8.1) # # Declarations # -+attribute cert_type; +- + attribute cert_type; # - # cert_t is the type of files in the system certs directories. +@@ -12,6 +11,7 @@ attribute cert_type; # type cert_t; --files_type(cert_t) -+miscfiles_cert_type(cert_t) - + miscfiles_cert_type(cert_t) ++ # # fonts_t is the type of various font + # files in /usr diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 9c0faab..def8d5a 100644 --- a/policy/modules/system/modutils.if @@ -32649,7 +32835,7 @@ index 8b5c196..3490497 100644 + role $2 types showmount_t; ') 
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index fca6947..a2f7102 100644 +index fca6947..1f8fee9 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -32758,7 +32944,7 @@ index fca6947..a2f7102 100644 files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -81,25 +127,32 @@ files_read_isid_type_files(mount_t) +@@ -81,25 +127,34 @@ files_read_isid_type_files(mount_t) files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -32779,6 +32965,8 @@ index fca6947..a2f7102 100644 +fs_read_fusefs_files(mount_t) +fs_manage_nfs_dirs(mount_t) +fs_read_nfs_symlinks(mount_t) ++fs_manage_cgroup_dirs(mount_t) ++fs_manage_cgroup_files(mount_t) mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) @@ -32794,7 +32982,7 @@ index fca6947..a2f7102 100644 term_use_all_terms(mount_t) -@@ -108,6 +161,8 @@ auth_use_nsswitch(mount_t) +@@ -108,6 +163,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -32803,7 +32991,7 @@ index fca6947..a2f7102 100644 logging_send_syslog_msg(mount_t) -@@ -118,6 +173,12 @@ sysnet_use_portmap(mount_t) +@@ -118,6 +175,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -32816,7 +33004,7 @@ index fca6947..a2f7102 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -133,10 +194,17 @@ ifdef(`distro_ubuntu',` +@@ -133,10 +196,17 @@ ifdef(`distro_ubuntu',` ') ') @@ -32834,7 +33022,7 @@ index fca6947..a2f7102 100644 ') optional_policy(` -@@ -166,6 +234,8 @@ optional_policy(` +@@ -166,6 +236,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -32843,7 +33031,7 @@ index fca6947..a2f7102 100644 ') optional_policy(` -@@ -173,6 +243,25 @@ optional_policy(` +@@ -173,6 +245,25 @@ optional_policy(` ') optional_policy(` 
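Review bot: `fs_manage_cgroup_dirs(mount_t)` and `fs_manage_cgroup_files(mount_t)` are added to the filesystem block without a comment, and manage access looks broader than mounting a cgroup hierarchy would need. Write access to cgroup files presumably lets mount_t change cgroup settings, so the reason deserves a line in the policy, e.g. `# <which mount operation> creates and populates cgroup directories`. If only directory creation under the mount point is required, the files rule could be dropped or narrowed. The mount_t rule list starts and ends outside this hunk.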
@@ -32869,7 +33057,7 @@ index fca6947..a2f7102 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -180,6 +269,15 @@ optional_policy(` +@@ -180,6 +271,15 @@ optional_policy(` ') ') @@ -32885,7 +33073,7 @@ index fca6947..a2f7102 100644 # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -187,6 +285,19 @@ optional_policy(` +@@ -187,6 +287,19 @@ optional_policy(` optional_policy(` samba_domtrans_smbmount(mount_t) @@ -32905,7 +33093,7 @@ index fca6947..a2f7102 100644 ') ######################################## -@@ -195,6 +306,42 @@ optional_policy(` +@@ -195,6 +308,42 @@ optional_policy(` # optional_policy(` @@ -32949,22 +33137,53 @@ index fca6947..a2f7102 100644 +sysnet_dns_name_resolve(showmount_t) + +userdom_use_user_terminals(showmount_t) +diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc +index ed9c70d..42d3890 100644 +--- a/policy/modules/system/raid.fc ++++ b/policy/modules/system/raid.fc +@@ -1,4 +1,5 @@ +-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) ++/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0) ++/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) + + /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index 09845c4..2fe5969 100644 +index 09845c4..6500830 100644 --- a/policy/modules/system/raid.te 
+++ b/policy/modules/system/raid.te -@@ -30,8 +30,9 @@ allow mdadm_t self:fifo_file rw_fifo_file_perms; - allow mdadm_t mdadm_map_t:file manage_file_perms; - dev_filetrans(mdadm_t, mdadm_map_t, file) +@@ -10,11 +10,9 @@ type mdadm_exec_t; + init_daemon_domain(mdadm_t, mdadm_exec_t) + role system_r types mdadm_t; +-type mdadm_map_t; +-files_type(mdadm_map_t) +- +-type mdadm_var_run_t; ++type mdadm_var_run_t alias mdadm_map_t; + files_pid_file(mdadm_var_run_t) ++dev_associate(mdadm_var_run_t) + + ######################################## + # +@@ -26,12 +24,11 @@ dontaudit mdadm_t self:capability sys_tty_config; + allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; + allow mdadm_t self:fifo_file rw_fifo_file_perms; + +-# create .mdadm files in /dev +-allow mdadm_t mdadm_map_t:file manage_file_perms; +-dev_filetrans(mdadm_t, mdadm_map_t, file) +- +manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) ++manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) ++dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) -@@ -52,13 +53,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) +@@ -52,13 +49,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: dev_read_raw_memory(mdadm_t) @@ -35447,7 +35666,7 @@ index db75976..61db6da 100644 +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 8b4f6d8..e1da594 100644 +index 2aa8928..c67c8e8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
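Review bot: In the new raid.fc entry `/dev/.mdadm\.map` only the second dot was escaped; the one right after `/dev/` is still a regex wildcard, so the expression also matches names such as `/dev/xmdadm.map` (constructed example). Writing it as `/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)` limits the label to the intended file. The same hunk makes `mdadm_map_t` an alias of `mdadm_var_run_t` and adds `dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })`, so every file, directory or socket that mdadm_t creates directly in /dev now gets the pid-file type. A short comment naming the expected objects (`.mdadm.map`, `/dev/md/`) would make that intent clear.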
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -35461,7 +35680,7 @@ index 8b4f6d8..e1da594 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,92 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,95 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -35592,20 +35811,21 @@ index 8b4f6d8..e1da594 100644 - libs_exec_ld_so($1_t) + init_stream_connect($1_usertype) - -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) ++ + libs_exec_ld_so($1_usertype) + miscfiles_read_localization($1_t) + miscfiles_read_generic_certs($1_t) + - sysnet_read_config($1_t) -+ miscfiles_read_certs($1_usertype) ++ miscfiles_read_all_certs($1_usertype) + miscfiles_read_localization($1_usertype) + miscfiles_read_man_pages($1_usertype) + miscfiles_read_public_files($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +140,16 @@ template(`userdom_base_user_template',` +@@ -116,6 +143,16 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -35622,7 +35842,7 @@ index 8b4f6d8..e1da594 100644 ') ####################################### -@@ -149,6 +183,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +186,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -35631,7 +35851,7 @@ index 8b4f6d8..e1da594 100644 ############################## # # Domain access to home dir -@@ -166,27 +202,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +205,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) 
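Review bot: In `userdom_base_user_template` the patch now calls `miscfiles_read_all_certs($1_usertype)` where it previously called `miscfiles_read_certs($1_usertype)`, next to the upstream `miscfiles_read_generic_certs($1_t)`. Assuming `read_all_certs` covers every type carrying the `cert_type` attribute, each user domain gains read access to any file type later declared with `miscfiles_cert_type()`, including types meant for a single service. If user domains only need the system certificate store, `miscfiles_read_generic_certs($1_usertype)` would be enough; otherwise a comment should say which additional cert types users must read. The template body continues outside this hunk.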
@@ -35659,7 +35879,7 @@ index 8b4f6d8..e1da594 100644 ') ####################################### -@@ -218,8 +233,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +236,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -35671,7 +35891,7 @@ index 8b4f6d8..e1da594 100644 ############################## # # Domain access to home dir -@@ -228,17 +246,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +249,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -35703,7 +35923,7 @@ index 8b4f6d8..e1da594 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +268,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +271,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -35733,7 +35953,7 @@ index 8b4f6d8..e1da594 100644 ') ') -@@ -289,6 +309,8 @@ interface(`userdom_manage_tmp_role',` +@@ -289,6 +312,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -35742,7 +35962,7 @@ index 8b4f6d8..e1da594 100644 files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +319,45 @@ interface(`userdom_manage_tmp_role',` +@@ -297,6 +322,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -35788,7 +36008,7 @@ index 8b4f6d8..e1da594 100644 ') ####################################### -@@ -316,6 +377,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +380,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) 
@@ -35796,7 +36016,7 @@ index 8b4f6d8..e1da594 100644 files_search_tmp($1) ') -@@ -350,6 +412,8 @@ interface(`userdom_manage_tmpfs_role',` +@@ -350,6 +415,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -35805,7 +36025,7 @@ index 8b4f6d8..e1da594 100644 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +424,41 @@ interface(`userdom_manage_tmpfs_role',` +@@ -360,46 +427,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## @@ -35874,7 +36094,7 @@ index 8b4f6d8..e1da594 100644 ') ####################################### -@@ -430,6 +489,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +492,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -35882,7 +36102,7 @@ index 8b4f6d8..e1da594 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +550,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +553,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -35891,7 +36111,7 @@ index 8b4f6d8..e1da594 100644 ############################## # -@@ -500,73 +560,78 @@ template(`userdom_common_user_template',` +@@ -500,73 +563,78 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -35912,27 +36132,27 @@ index 8b4f6d8..e1da594 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -36009,7 +36229,7 @@ index 8b4f6d8..e1da594 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,65 +639,108 @@ template(`userdom_common_user_template',` +@@ -574,65 +642,108 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -36021,19 +36241,19 @@ index 8b4f6d8..e1da594 100644 # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + canna_stream_connect($1_usertype) ') optional_policy(` -- dbus_system_bus_client($1_t) +- canna_stream_connect($1_t) + chrome_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- dbus_system_bus_client($1_t) + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -36059,48 +36279,48 @@ index 8b4f6d8..e1da594 100644 + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) -+ ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) + ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` ++ git_session_role($1_r, $1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ git_session_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') @@ -36136,7 +36356,7 @@ index 8b4f6d8..e1da594 100644 ') optional_policy(` -@@ -643,41 +751,50 @@ template(`userdom_common_user_template',` +@@ -643,41 +754,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -36163,33 +36383,33 @@ index 8b4f6d8..e1da594 100644 optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) - ') - - optional_policy(` -- rpc_dontaudit_getattr_exports($1_t) -- rpc_manage_nfs_rw_content($1_t) ++ ') ++ ++ optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` -- samba_stream_connect_winbind($1_t) +- rpc_dontaudit_getattr_exports($1_t) +- rpc_manage_nfs_rw_content($1_t) + rpcbind_stream_connect($1_usertype) ') optional_policy(` -- slrnpull_search_spool($1_t) +- samba_stream_connect_winbind($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` -- usernetctl_run($1_t,$1_r) +- slrnpull_search_spool($1_t) + sandbox_transition($1_usertype, $1_r) ') -+ -+ optional_policy(` + + optional_policy(` +- usernetctl_run($1_t,$1_r) + seunshare_role_template($1, $1_r, $1_t) -+ ') + ') + + optional_policy(` + slrnpull_search_spool($1_usertype) @@ -36198,23 +36418,23 @@ index 8b4f6d8..e1da594 100644 ') ####################################### -@@ -705,13 +822,26 @@ template(`userdom_login_user_template', ` +@@ -705,13 +825,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
@@ -36230,7 +36450,7 @@ index 8b4f6d8..e1da594 100644 userdom_change_password_template($1) -@@ -729,72 +859,74 @@ template(`userdom_login_user_template', ` +@@ -729,72 +862,74 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -36298,49 +36518,49 @@ index 8b4f6d8..e1da594 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') ++ seutil_read_config($1_usertype) optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) + ') + + optional_policy(` +- kerberos_use($1_t) + kerberos_use($1_usertype) + kerberos_connect_524($1_usertype) ') optional_policy(` -- kerberos_use($1_t) +- mta_dontaudit_read_spool_symlinks($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) ') - optional_policy(` -- mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) - ') - optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ++ ') ++ ++ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -826,6 +958,9 @@ template(`userdom_restricted_user_template',` +@@ -826,6 +961,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -36350,7 +36570,7 @@ index 8b4f6d8..e1da594 100644 ############################## # # Local policy -@@ -867,45 +1002,103 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -867,45 +1005,103 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -36465,7 +36685,7 @@ index 8b4f6d8..e1da594 100644 ') ') -@@ -940,7 +1133,7 @@ template(`userdom_unpriv_user_template', ` +@@ -940,7 +1136,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -36474,7 +36694,7 @@ index 8b4f6d8..e1da594 100644 userdom_common_user_template($1) ############################## -@@ -949,54 +1142,77 @@ template(`userdom_unpriv_user_template', ` +@@ -949,54 +1145,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -36582,7 +36802,7 @@ index 8b4f6d8..e1da594 100644 ') ') -@@ -1032,7 +1248,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1032,7 +1251,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -36591,7 +36811,7 @@ index 8b4f6d8..e1da594 100644 ') ############################## -@@ -1067,6 +1283,9 @@ template(`userdom_admin_user_template',` +@@ -1067,6 +1286,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -36601,7 +36821,7 @@ index 8b4f6d8..e1da594 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1081,6 +1300,7 @@ template(`userdom_admin_user_template',` +@@ -1081,6 +1303,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -36609,7 +36829,7 @@ index 8b4f6d8..e1da594 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1112,10 +1332,13 @@ template(`userdom_admin_user_template',` +@@ -1112,10 +1335,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -36623,7 +36843,7 @@ index 8b4f6d8..e1da594 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1135,6 +1358,7 @@ template(`userdom_admin_user_template',` +@@ -1135,6 +1361,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -36631,7 +36851,7 @@ index 8b4f6d8..e1da594 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1203,6 +1427,8 @@ template(`userdom_security_admin_template',` +@@ -1203,6 +1430,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -36640,7 +36860,7 @@ index 8b4f6d8..e1da594 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1230,6 +1456,7 @@ template(`userdom_security_admin_template',` +@@ -1230,6 +1459,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -36648,7 +36868,7 @@ index 8b4f6d8..e1da594 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1268,12 +1495,15 @@ template(`userdom_security_admin_template',` +@@ -1268,12 +1498,15 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -36665,7 +36885,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -1384,6 +1614,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1384,6 +1617,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -36673,7 +36893,7 @@ index 8b4f6d8..e1da594 100644 files_search_home($1) ') -@@ -1430,6 +1661,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1430,6 +1664,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -36688,7 +36908,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -1445,9 +1684,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1445,9 +1687,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -36700,7 +36920,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -1504,6 +1745,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1504,6 +1748,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -36743,7 +36963,7 @@ index 8b4f6d8..e1da594 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1578,6 +1855,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1578,6 +1858,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -36752,7 +36972,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -1592,10 +1871,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1592,10 +1874,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -36767,7 +36987,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -1638,6 +1919,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1638,6 +1922,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## 
@@ -36793,7 +37013,7 @@ index 8b4f6d8..e1da594 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1689,13 +1989,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1689,13 +1992,33 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -36806,29 +37026,6 @@ index 8b4f6d8..e1da594 100644 ## -## Do not audit attempts to read user home files. +## Do not audit attempts to getattr user home files. - ## - ## - ## -@@ -1703,13 +2004,35 @@ interface(`userdom_read_user_home_content_files',` - ## - ## - # --interface(`userdom_dontaudit_read_user_home_content_files',` -+interface(`userdom_dontaudit_getattr_user_home_content',` - gen_require(` -- type user_home_t; -+ attribute user_home_type; - ') - -- dontaudit $1 user_home_t:dir list_dir_perms; -- dontaudit $1 user_home_t:file read_file_perms; -+ dontaudit $1 user_home_type:dir getattr; -+ dontaudit $1 user_home_type:file getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to read user home files. +## +## +## 
@@ -36836,12 +37033,32 @@ index 8b4f6d8..e1da594 100644 +## +## +# -+interface(`userdom_dontaudit_read_user_home_content_files',` ++interface(`userdom_dontaudit_getattr_user_home_content',` + gen_require(` + attribute user_home_type; -+ type user_home_dir_t; + ') + ++ dontaudit $1 user_home_type:dir getattr; ++ dontaudit $1 user_home_type:file getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to read user home files. + ## + ## + ## +@@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',` + # + interface(`userdom_dontaudit_read_user_home_content_files',` + gen_require(` +- type user_home_t; ++ attribute user_home_type; ++ type user_home_dir_t; + ') + +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; @@ -36849,7 +37066,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -1799,8 +2122,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1799,8 +2125,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -36859,7 +37076,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -1816,20 +2138,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1816,21 +2141,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -36873,18 +37090,19 @@ index 8b4f6d8..e1da594 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -2171,7 +2487,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` + ## Do not audit attempts to execute user home files. +@@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -36893,7 +37111,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -2424,13 +2740,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2424,13 +2743,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -36909,7 +37127,7 @@ index 8b4f6d8..e1da594 100644 ## ## ## -@@ -2451,26 +2768,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2451,26 +2771,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -36936,7 +37154,7 @@ index 8b4f6d8..e1da594 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2804,7 +3101,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2804,7 +3104,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -36945,7 +37163,7 @@ index 8b4f6d8..e1da594 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2820,11 +3117,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2820,11 +3120,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -36961,7 +37179,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -2906,7 +3205,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2906,7 +3208,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -36970,7 +37188,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -2961,7 +3260,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2961,7 +3263,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -37017,7 +37235,7 @@ index 8b4f6d8..e1da594 100644 ') ######################################## -@@ -2998,6 +3335,7 @@ interface(`userdom_read_all_users_state',` +@@ -2998,6 +3338,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -37025,7 +37243,7 @@ index 8b4f6d8..e1da594 100644 kernel_search_proc($1) ') -@@ -3128,3 +3466,854 @@ interface(`userdom_dbus_send_all_users',` +@@ -3128,3 +3469,854 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -38018,7 +38236,7 @@ index 77d41b6..4af4e6b 100644 ') diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index f661f5a..ff472d0 100644 +index f661f5a..600d43f 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.0) 
@@ -38049,7 +38267,33 @@ index f661f5a..ff472d0 100644 ####################################### # # evtchnd local policy -@@ -317,9 +314,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -113,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + # xend local policy + # + +-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw }; ++allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw }; + dontaudit xend_t self:capability { sys_ptrace }; + allow xend_t self:process { signal sigkill }; + dontaudit xend_t self:process ptrace; +@@ -228,6 +225,7 @@ logging_send_syslog_msg(xend_t) + lvm_domtrans(xend_t) + + miscfiles_read_localization(xend_t) ++miscfiles_read_hwdata(xend_t) + + mount_domtrans(xend_t) + +@@ -245,6 +243,8 @@ xen_stream_connect_xenstore(xend_t) + + netutils_domtrans(xend_t) + ++virt_read_config(xend_t) ++ + optional_policy(` + brctl_domtrans(xend_t) + ') +@@ -317,9 +317,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -38061,7 +38305,7 @@ index f661f5a..ff472d0 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -346,6 +344,7 @@ dev_read_sysfs(xenstored_t) +@@ -346,6 +347,7 @@ dev_read_sysfs(xenstored_t) files_read_usr_files(xenstored_t) @@ -38069,7 +38313,7 @@ index f661f5a..ff472d0 100644 fs_manage_xenfs_files(xenstored_t) storage_raw_read_fixed_disk(xenstored_t) -@@ -353,6 +352,7 @@ storage_raw_write_fixed_disk(xenstored_t) +@@ -353,6 +355,7 @@ storage_raw_write_fixed_disk(xenstored_t) storage_raw_read_removable_device(xenstored_t) term_use_generic_ptys(xenstored_t) 
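Review bot: The `sys_admin` capability added to `allow xend_t self:capability { ... }` in the xen.te hunk at `@@ -113,7 +110,7 @@` has no comment saying which xend operation needs it. It is the broadest capability in that set, so a line above the rule such as `# sys_admin: <operation that was denied for xend_t>` would let a later audit decide whether it can be dropped or narrowed. In the same patch, `virt_read_config(xend_t)` is added at top level at `@@ -245,6 +243,8 @@`, while the `brctl_domtrans(xend_t)` call right after it sits inside `optional_policy`. If the virt module is not guaranteed to be built alongside xen, the new call should presumably be wrapped in its own `optional_policy` block to avoid a hard module dependency. The xend local policy section continues outside these hunks, so an existing justification or wrapper there cannot be ruled out from this view.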
@@ -38077,7 +38321,7 @@ index f661f5a..ff472d0 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -365,98 +365,9 @@ xen_append_log(xenstored_t) +@@ -365,98 +368,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -38176,7 +38420,7 @@ index f661f5a..ff472d0 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -469,8 +380,4 @@ optional_policy(` +@@ -469,8 +383,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8974d7b3..4954b17c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.9.3 -Release: 3%{?dist} +Version: 3.9.4 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Thu Sep 8 2010 Dan Walsh 3.9.4-1 +- Update to upstream + +* Thu Sep 8 2010 Dan Walsh 3.9.3-4 +- Allow mdadm_t to create files and sock files in /dev/md/ + * Thu Sep 8 2010 Dan Walsh 3.9.3-3 - Add policy for ajaxterm diff --git a/sources b/sources index 3c4a5efb..11bf11dd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2330fe4b7094df0e0a453856db12e3a4 serefpolicy-3.9.3.tgz +c610a100e8448f4fdc2559d1e509494c serefpolicy-3.9.4.tgz