More fixes

policy/modules/kernel/devices.if

@@ -3824,6 +3824,24 @@ interface(`dev_rw_sysfs',`
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 
+########################################
+## <summary>
+##	Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read from pseudo random number generator devices (e.g., /dev/urandom).

policy/modules/roles/dbadm.te

@@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
 
 role dbadm_r;
 
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
 
 ########################################
 #

policy/modules/services/cobbler.if

@@ -146,24 +146,6 @@ interface(`cobbler_manage_lib_files',`
 	files_search_var_lib($1)
 ')
 
-########################################
-## <summary>
-##	dontaudit read and write Cobbler log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cobbler_dontaudit_rw_log',`
-	gen_require(`
-		type cobbler_var_log_t;
-	')
-
-	dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms;
-')
-
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write

policy/modules/services/devicekit.te

@@ -228,6 +228,7 @@ dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_generic_chr_files(devicekit_power_t)
 dev_rw_netcontrol(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_files(devicekit_power_t)

policy/modules/services/xserver.if

@@ -101,8 +101,6 @@ ifdef(`hide_broken_symptoms', `
 	dev_getattr_agp_dev($2)
 	tunable_policy(`user_direct_dri',`
 		dev_rw_dri($2)
-	',`
-		dev_dontaudit_rw_dri($2)
 	')
 
 	# GNOME checks for usb and other devices:

policy/modules/system/init.te

@@ -220,7 +220,7 @@ storage_raw_rw_fixed_disk(init_t)
 modutils_domtrans_insmod(init_t)
 
 tunable_policy(`init_systemd',`
-	allow init_t self:unix_dgram_socket create_socket_perms;
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow init_t self:process { setsockcreate setfscreate };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -239,6 +239,7 @@ tunable_policy(`init_systemd',`
 	dev_read_generic_chr_files(init_t)
 	dev_relabelfrom_generic_chr_files(init_t)
 	dev_relabel_autofs_dev(init_t)
+	dev_manage_sysfs_dirs(init_t)
 
 	files_mounton_all_mountpoints(init_t)
 	files_manage_all_pids_dirs(init_t)
@@ -249,16 +250,17 @@ tunable_policy(`init_systemd',`
 	fs_list_auto_mountpoints(init_t)
 	fs_read_cgroup_files(init_t)
 	fs_write_cgroup_files(init_t)
+	fs_search_cgroup_dirs(daemon)
 
 	selinux_compute_create_context(init_t)
 	selinux_validate_context(init_t)
 	selinux_unmount_fs(init_t)
 
+	storage_getattr_removable_dev(init_t)
+
 	init_read_script_state(init_t)
 
 	seutil_read_file_contexts(init_t)
-
-	storage_getattr_removable_dev(init_t)
 ')
 
 optional_policy(`
@@ -286,6 +288,11 @@ optional_policy(`
 	nscd_socket_use(init_t)
 ')
 
+optional_policy(`
+	plymouthd_stream_connect(init_t)
+	plymouthd_exec_plymouth(init_t)
+')
+
 optional_policy(`
 	sssd_stream_connect(init_t)
 ')